CentOS Linux Server Guide

CentOS Linux Security Quick Tips

TCP Wrapper

Using TCP Wrappers is one of the easiest ways to filter unauthorized access to your system. It is a host-based access control list that lets the host itself filter IP-based traffic to network services such as FTP, rsync and e-mail. A service is "wrapped" either because inetd/xinetd starts it through tcpd, or because the daemon itself (sshd and vsftpd, for example) is linked against the libwrap library; in both cases the access decision is read from /etc/hosts.allow and /etc/hosts.deny. Note the plural file names: a file called host.allow or host.deny is never read, and with no rules at all tcpd lets every connection through.

On CentOS the TCP Wrappers package (tcp_wrappers) is installed by default and provides host-based access control to network services.

Do all services support TCP Wrappers?

The answer is NO.

Not all TCP services are covered by TCP Wrappers. Only programs that are started through tcpd, or that are linked against the TCP Wrappers library libwrap (the shared object libwrap.so.0 on current CentOS; older texts refer to the static /usr/lib/libwrap.a), consult hosts.allow and hosts.deny. A daemon without libwrap, httpd for instance, never sees those files, so an "ALL : ALL" in hosts.deny does nothing for it and you must filter it with iptables or with the daemon's own access control instead.

To determine whether a network service binary is linked to libwrap, run ldd on it as root and look for libwrap in the output. The example below shows that sshd supports TCP Wrappers (it loads libwrap.so.0), while httpd does not.

[root@srv1 ~]# ldd $(which sshd) | grep libwrap
        libwrap.so.0 => /lib/libwrap.so.0 (0x00c07000)
[root@srv1 ~]# ldd $(which httpd) | grep libwrap
[root@srv1 ~]#
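
The same check for several daemons at once, as an added example that is not part of the original page: check_libwrap returns a distinct exit code for "wrapped", "not wrapped", "not installed" and "ldd missing", and report_libwrap prints a verdict per daemon. The daemon names passed at the bottom are only an illustration; adjust them to what your host actually runs.

```shell
#!/bin/sh
# Added example (not from the original page): check several service
# binaries for libwrap linkage in one go, instead of running ldd by hand.
# CentOS links daemons against the shared object libwrap.so.0 (as the ldd
# output above shows), so we look for "libwrap" in ldd's output.

# check_libwrap NAME_OR_PATH
#   returns 0 if the binary is dynamically linked against libwrap
#           1 if it is not (hosts.allow/hosts.deny will NOT protect it)
#           2 if the binary cannot be found
#           3 if ldd itself is unavailable
check_libwrap() {
    # Daemons usually live in /usr/sbin or /sbin, which a non-root PATH
    # may not contain, so search those directories too.
    bin=$(PATH="$PATH:/usr/sbin:/sbin" command -v "$1" 2>/dev/null) || return 2
    [ -x "$bin" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 3
    ldd "$bin" 2>/dev/null | grep -q libwrap && return 0
    return 1
}

# report_libwrap NAME... -> prints one "name<TAB>verdict" line per daemon
report_libwrap() {
    for svc in "$@"; do
        status=0
        check_libwrap "$svc" || status=$?
        case $status in
            0) verdict="wrapped: honours /etc/hosts.allow and /etc/hosts.deny" ;;
            1) verdict="NOT wrapped: filter it with iptables or its own ACL" ;;
            2) verdict="not installed" ;;
            *) verdict="unknown: ldd not available" ;;
        esac
        printf '%s\t%s\n' "$svc" "$verdict"
    done
}

# Illustrative list; the names are assumptions, not a fixed set.
report_libwrap sshd vsftpd httpd xinetd rpcbind
```

Run it as root so that /usr/sbin binaries are readable; any daemon reported as "NOT wrapped" is unaffected by the hosts.deny rules below and needs a firewall rule instead.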

In the following example I am going to show how to configure TCP Wrappers so that wrapped services, and vsftpd in particular, accept connections only from our own network 192.168.1.0/24 and refuse everyone else.

Step 1: edit /etc/hosts.allow with your favorite text editor
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

# Allow every wrapped service (sshd included) from 192.168.1.0/24.
# The trailing dot makes "192.168.1." match a network prefix rather
# than a single host.
ALL : 192.168.1.
# Allow clients from 192.168.1.0/24 to use vsftpd. This is redundant
# while the ALL line above exists; keep only this line (plus an sshd
# line for your admin hosts) if the LAN should reach nothing else.
vsftpd : 192.168.1.

Step 2: edit /etc/hosts.deny to refuse every other network (anything outside 192.168.1.0/24) access to the wrapped services, so that only what /etc/hosts.allow permits gets through. tcpd reads hosts.allow first and stops at the first matching line, then hosts.deny; a connection that matches neither file is allowed. Because "ALL : ALL" below also covers sshd, check with tcpdmatch (for example "tcpdmatch sshd 192.168.1.10") that your own administrative address is still granted before you close your current session.

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
#

ALL : ALL
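
To see how tcpd will evaluate the two files from steps 1 and 2 before they go live, here is an added example (not part of the original page) that models the lookup order in plain sh: first matching hosts.allow line grants, otherwise first matching hosts.deny line denies, otherwise access is granted. The rule sets are constructed copies of the files above; the model only understands the syntax the page uses (daemon list, client list, ALL, trailing-dot network prefixes) and ignores options such as spawn and twist. On the real host, tcpdmatch(8) reads /etc/hosts.allow and /etc/hosts.deny and gives the authoritative answer.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal model of how tcpd
# evaluates hosts.allow and hosts.deny, so a rule set can be checked before
# deployment. On the real host use tcpdmatch(8), e.g. "tcpdmatch vsftpd 10.0.0.5".
# Supported subset:  daemon_list : client_list [: options]
# with ALL as wildcard, "a.b.c." (trailing dot) as network prefix and
# comma/space separated lists; options are ignored.

# Constructed copies of the two files configured in steps 1 and 2.
HOSTS_ALLOW='
# allow every wrapped service from the LAN
ALL : 192.168.1.
vsftpd : 192.168.1.
'
HOSTS_DENY='
ALL : ALL
'

# match_token PATTERN VALUE -> 0 if PATTERN matches VALUE
match_token() {
    pat=$1; val=$2
    [ "$pat" = ALL ] && return 0
    case "$pat" in
        *.) # network prefix: the dot must match literally, so 192.168.1.
            # matches 192.168.1.10 but not 192.168.10.5
            case "$val" in "$pat"*) return 0 ;; esac
            return 1 ;;
    esac
    [ "$pat" = "$val" ]
}

# match_list "tok1, tok2 ..." VALUE -> 0 if any token matches VALUE
match_list() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        match_token "$tok" "$2" && return 0
    done
    return 1
}

# rules_match RULES DAEMON CLIENT -> 0 if some (non-comment) rule line matches
rules_match() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}     # drop any options after the client list
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            echo match
        fi
    done | grep -q match
}

# wrapper_access DAEMON CLIENT -> prints "granted" or "denied" in tcpd's order:
# first matching hosts.allow line grants, else first matching hosts.deny
# line denies, else (no rule at all) access is granted.
wrapper_access() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2"; then
        echo granted
    elif rules_match "$HOSTS_DENY" "$1" "$2"; then
        echo denied
    else
        echo granted
    fi
}

# A few probes: LAN client, outside client, and a near-miss prefix.
for probe in "vsftpd 192.168.1.10" "vsftpd 10.0.0.5" "sshd 192.168.10.5"; do
    set -- $probe
    printf '%-8s from %-14s -> %s\n' "$1" "$2" "$(wrapper_access "$1" "$2")"
done
```

The third probe is the one worth remembering: "192.168.1." does not match 192.168.10.5, so a client on a neighbouring subnet is refused even though its address starts with the same digits.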
Next I want to know when someone probes my system, for example while port scanning it. Can TCP Wrappers do more than silently refuse the connection? Yes: the spawn and twist options (see hosts_options(5)) run a shell command whenever a rule matches, with %d expanded to the daemon name and %h to the client host.

Put the following in /etc/hosts.deny, above the final "ALL : ALL" line (tcpd stops at the first matching line in each file, so a rule placed after "ALL : ALL" would never run):

vsftpd : ALL : spawn (echo "security notice from host $(/bin/hostname)" ;\
        echo; /usr/sbin/safe_finger @%h ) | \
        /bin/mail -s "%d-%h security" adminuser & \
        : twist ( /bin/echo -e "\n\nWARNING connection not allowed.\n\n" )

With the rule above, every refused vsftpd connection makes the system e-mail user adminuser a notice whose subject carries the daemon name and the client host (%d-%h) and whose body holds the server's hostname plus whatever safe_finger could learn about the client; the mail itself is timestamped by the mail system. The trailing "&" runs that pipeline in the background so it does not delay the reply. At the same time twist replaces the service with the echo command, so the client sees "WARNING connection not allowed." before the connection is closed. Note that safe_finger opens a connection back to the client's finger port, which tells an attacker that you noticed; if you would rather stay quiet, drop the safe_finger call and only log the attempt.
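
As an added example that is not part of the original page, here is a quieter alternative to the inline mail/safe_finger pipeline: a small script called from spawn that writes one timestamped line per refused connection and can report which clients keep coming back, which is the actual question behind "is someone scanning me?". The install path /usr/local/sbin/wrap-deny-log.sh, the log file name and the use of the %a and %u expansions are assumptions of this example; %d, %a and %u are standard tcpd expansions (daemon name, client address, client user from ident or "unknown").

```shell
#!/bin/sh
# Added example (not from the original page): a handler to run from a
# hosts.deny "spawn" option instead of the inline mail/safe_finger pipeline.
# tcpd expands %d (daemon), %a (client address) and %u (client user from
# ident, or "unknown") before running it, so the matching rule, placed BEFORE
# the final "ALL : ALL" line, would read:
#
#   vsftpd : ALL : spawn /usr/local/sbin/wrap-deny-log.sh %d %a %u & \
#                : twist /bin/echo "WARNING connection not allowed."
#
# The install path and the log file name are assumptions of this example.

WRAP_LOG=${WRAP_LOG:-/var/log/tcpwrap-denied.log}

# record_denied DAEMON CLIENT_ADDR [CLIENT_USER] -> append one log line
record_denied() {
    daemon=$1; client=$2; user=${3:-unknown}
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # %u is whatever the remote ident server answered, i.e. attacker
    # controlled; keep only harmless characters so it cannot forge fields.
    user=$(printf '%s' "$user" | tr -cd 'A-Za-z0-9._-')
    printf '%s daemon=%s client=%s user=%s\n' \
        "$stamp" "$daemon" "$client" "$user" >> "$WRAP_LOG"
}

# denied_count CLIENT_ADDR -> how many refused connections are logged for it
denied_count() {
    [ -f "$WRAP_LOG" ] || { echo 0; return 0; }
    grep -Fc -- " client=$1 " "$WRAP_LOG" || true
}

# repeat_offenders MIN -> client addresses refused at least MIN times
repeat_offenders() {
    [ -f "$WRAP_LOG" ] || return 0
    awk -v min="$1" '
        { for (i = 1; i <= NF; i++) if ($i ~ /^client=/) c[substr($i, 8)]++ }
        END { for (h in c) if (c[h] >= min) print h }' "$WRAP_LOG" | sort
}

# When invoked by tcpd the arguments are the expanded %d %a %u.
if [ "$#" -ge 2 ]; then
    record_denied "$@"
fi
```

Because the handler is spawned per refused connection, it writes nothing to the client and makes no outbound connection, so an attacker learns only that the port refused them; "repeat_offenders 5" from a cron job or by hand gives you the hosts worth blocking at the firewall.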




Copyright 2011 http://www.1a-centosserver.com All Rights Reserved

All trademarks are the property of their respective owners.