TCP Wrappers
On Linux systems, access to specific users, computers or networks can be blocked through the /etc/hosts.allow or /etc/hosts.deny files. The system is known as tcpwrappers; it is enabled by default and installed through the tcp_wrappers RPM. The Linux services or commands that can be controlled through tcp_wrappers are those that use the libwrap library:
# ldd /usr/sbin/sshd | grep -i libwrap
libwrap.so.0 => /lib/libwrap.so.0
In this case the sshd Linux service can be controlled through tcpwrappers using the files /etc/hosts.allow and /etc/hosts.deny: sshd is tcpwrapper-aware.
TCPwrappers dynamics
When the system receives a network request for a service that is tcpwrapper-aware, it passes the request to tcpwrappers, which checks its access rules. If there are no restrictions on the particular host, IP address or user, tcpwrappers allows the access and passes control back to the service.
Access control on tcpwrappers can be configured through the /etc/hosts.allow and /etc/hosts.deny files, which are consulted in the following order:
* tcpwrappers first searches /etc/hosts.allow; if it finds a match, access is allowed and no further searches are done.
* If no match is found in /etc/hosts.allow, it searches /etc/hosts.deny. If tcpwrappers finds a match there, access is denied.
* Finally, if no match is found in either file, access is allowed.
/etc/hosts.allow and /etc/hosts.deny
The same configuration parameters can be used in both /etc/hosts.allow and /etc/hosts.deny to tell tcpwrappers which clients are allowed or denied:
daemons : clients
For example, to allow or deny access to ALL tcpwrappers services for ALL clients:
ALL : ALL
This line in /etc/hosts.deny will deny access to all tcpwrappers services. The same line in /etc/hosts.allow will allow access to all tcpwrappers services with no restrictions.
In order to deny sshd access from the IP 192.168.10.100, the following configuration can be used in /etc/hosts.deny:
# cat /etc/hosts.deny
sshd : 192.168.10.100
The same configuration in /etc/hosts.allow will allow access to the sshd service from 192.168.10.100. These files can contain more than one line, so order is important: the first match is applied:
# cat /etc/hosts.deny
sshd, vsftpd : ALL EXCEPT 192.168.10.1
ALL:ALL
With this configuration, access to sshd and vsftpd will be allowed only from 192.168.10.1 and access to the rest of the tcpwrappers services will be denied.
Client Matching
The following are the configuration parameters that can be used to match clients in allow/deny rules for tcpwrappers network services:
ALL
ALL clients.
.info.net
Match all clients on the info.net domain, the same as *.info.net
192.168.
Match all clients with an IP address of 192.168.Z.Z.
192.168.0.0/255.255.0.0
Match all clients on 192.168.0.0/255.255.0.0 subnet. (CIDR notation does not work : 192.168.0.0/16 NOT VALID !!!)
user@rhel6.info.net
Match client rhel6.info.net using 'user' account.
Exceptions
The EXCEPT parameter can be used to build exceptions in access rules. For example, the following line in /etc/hosts.deny will deny access to the telnet network service from all hosts on the 192.168.10.0/24 LAN EXCEPT 192.168.10.1:
# cat /etc/hosts.deny
telnetd : 192.168.10.0/255.255.255.0 EXCEPT 192.168.10.1
It can also be used in the daemon list part:
# cat /etc/hosts.allow
ALL EXCEPT sshd : .info.net
With this configuration, access to all tcpwrappers services except sshd will be allowed from the .info.net domain. This holds only if sshd is denied in /etc/hosts.deny; if it is not, sshd will also be allowed, because /etc/hosts.allow only specifies what is explicitly allowed and access is granted by default when neither file matches.
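To make the evaluation order, the client patterns and EXCEPT concrete, here is a small Python evaluator that reads hosts.allow/hosts.deny-style text and reports which rule decided a connection. It is an added example, not part of tcp_wrappers: Client, Rule, parse_rules, check_access and the two sample files are constructed for this illustration, and the DNS-dependent wildcards (LOCAL, KNOWN, UNKNOWN, PARANOID) are deliberately not modelled.

```python
"""
Toy evaluator for tcp_wrappers-style hosts.allow / hosts.deny rules.
Added illustration, not code from the tcp_wrappers library. It models:
hosts.allow consulted before hosts.deny, first match wins within a file,
default allow; client patterns ALL, .domain, 192.168., net/mask (dotted
mask only, CIDR rejected), user@host; EXCEPT in daemon and client lists.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Client:
    ip: str                         # peer address as seen by the server
    hostname: Optional[str] = None  # reverse-DNS name, None if unresolved
    user: Optional[str] = None      # identd username, None if unavailable


@dataclass
class Rule:
    daemons: str   # raw daemon_list, e.g. "ALL EXCEPT sshd"
    clients: str   # raw client_list, e.g. "192.168.10.0/255.255.255.0 EXCEPT 192.168.10.1"
    option: str    # optional third field (spawn/twist), kept verbatim
    raw: str       # the line as written, for reporting


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option]' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        option = fields[2] if len(fields) == 3 else ""
        rules.append(Rule(fields[0], fields[1], option, line))
    return rules


def _items(spec: str) -> List[str]:
    """List items are separated by blanks and/or commas."""
    return spec.replace(",", " ").split()


def _match_list(spec: str, match_one: Callable[[str], bool]) -> bool:
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 matches; EXCEPT nests rightward."""
    parts = re.split(r"\bEXCEPT\b", spec, maxsplit=1)
    hit = any(match_one(tok) for tok in _items(parts[0]))
    if len(parts) == 2:
        return hit and not _match_list(parts[1], match_one)
    return hit


def _match_client(tok: str, client: Client) -> bool:
    """Match one client pattern against the connecting peer."""
    if tok == "ALL":
        return True
    if "@" in tok:                      # user@host: both halves must match
        user, host = tok.split("@", 1)
        return client.user == user and _match_client(host, client)
    if tok.startswith("."):             # .info.net matches any host in that domain
        return client.hostname is not None and client.hostname.endswith(tok)
    if tok.endswith("."):               # 192.168. matches 192.168.x.x
        return client.ip.startswith(tok)
    if "/" in tok:                      # net/mask in dotted form only
        net, mask = tok.split("/", 1)
        if mask.count(".") != 3:
            raise ValueError(f"CIDR notation is not valid in this file: {tok}")
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client.ip) in network
    return tok in (client.ip, client.hostname)   # literal address or hostname


def check_access(daemon: str, client: Client, allow_text: str, deny_text: str) -> Tuple[str, str]:
    """Return (verdict, reason) following the hosts.allow -> hosts.deny -> default-allow order."""
    def rule_hits(rule: Rule) -> bool:
        return (_match_list(rule.daemons, lambda t: t == "ALL" or t == daemon)
                and _match_list(rule.clients, lambda t: _match_client(t, client)))

    for rule in parse_rules(allow_text):
        if rule_hits(rule):
            return "allow", f"hosts.allow: {rule.raw}"
    for rule in parse_rules(deny_text):
        if rule_hits(rule):
            return "deny", f"hosts.deny: {rule.raw}"
    return "allow", "no match in either file (default allow)"


# Constructed sample files reusing the patterns from the text above.
SAMPLE_ALLOW = """
ALL EXCEPT sshd : .info.net
"""
SAMPLE_DENY = """
telnetd : 192.168.10.0/255.255.255.0 EXCEPT 192.168.10.1
sshd : ALL EXCEPT 192.168.
"""

if __name__ == "__main__":
    cases = [
        ("telnetd", Client("192.168.10.50")),
        ("telnetd", Client("192.168.10.1")),
        ("vsftpd", Client("10.0.0.7", hostname="rhel6.info.net")),
        ("sshd", Client("10.0.0.7", hostname="rhel6.info.net")),
        ("sshd", Client("192.168.10.100")),
    ]
    for daemon, client in cases:
        verdict, why = check_access(daemon, client, SAMPLE_ALLOW, SAMPLE_DENY)
        print(f"{daemon:8s} {client.ip:16s} {verdict:5s} ({why})")
```

Because the outcome when neither file matches is allow, a deny-by-default policy needs a final ALL : ALL line in hosts.deny, as in the earlier example. Running the sshd case from .info.net against the sample files shows the caveat above in action: sshd is kept out only because hosts.deny carries a rule for it; delete that line and the same connection falls through to the default allow.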
Wildcards
The following wildcards can be used in the /etc/hosts.allow and /etc/hosts.deny files:
ALL
Matches everything and can be used for both the daemon list and the client list.
LOCAL
Matches any host that does not contain a period (.), such as localhost.
KNOWN
Matches any host where the hostname and host address can be resolved by our DNS.
UNKNOWN
Matches any host where the hostname or host address can not be resolved by our DNS.
PARANOID
Matches any host whose hostname does not match its IP address.
Shell Commands
An optional field can be used in /etc/hosts.allow and /etc/hosts.deny to execute shell commands when a match is found, through the 'spawn' and 'twist' directives.
spawn
Executes a shell command as a child process when a match is found. This feature can be used to get client or process information. In the following example all clients attempting to access the vsftpd service are logged to the file /var/log/audit_vsftpd.log and the connection is allowed.
# cat /etc/hosts.allow
vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log
twist
Replaces the requested service with the specified command. Useful to send messages to connecting clients:
# cat /etc/hosts.deny
telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"
In this case, when a client from the 192.168.10.0/24 LAN tries to connect to the telnet service, tcpwrappers denies the access and sends the message to the client.
Expansions
In most cases expansions are used with the spawn and twist operators to retrieve information about the client that is trying to connect to the tcpwrapped network service. They also provide information about the server and the process in execution:
%a
Prints the client IP address.
%A
Prints the server IP address.
%c
Prints a variety of client information, such as the username and hostname.
%d
Prints the daemon process name.
%h
Prints the client hostname (IP address if the hostname is unknown).
%H
Prints the server hostname (IP address if the hostname is unknown).
%n
Prints the client hostname. If unavailable, unknown is printed. If the client hostname and host address do not match, paranoid is printed.
%N
Prints the server hostname. If unavailable, unknown is printed. If the server hostname and host address do not match, paranoid is printed.
%p
Prints the daemon process ID.
%s
Prints various types of server information, such as the daemon process and the host or IP address of the server.
%u
Prints the client username. If unavailable, unknown is printed.
Let's have a look at the examples explained in the previous section:
# cat /etc/hosts.allow
vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log
In this case all attempts to use vsftpd will be logged in /var/log/audit_vsftpd.log with the date and the client hostname (%h), and the connection will be allowed.
# cat /etc/hosts.deny
telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"
Telnet logins from 192.168.10.0/24 will be denied with the message "What are you doing %a !!!" where %a will be replaced with the client IP address.
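The following Python model shows how the expansion table above turns the spawn and twist option strings into the command that actually runs, and why the values need care: the client hostname (%h, %n, %c) comes from reverse DNS and the username (%u) from identd, neither of which the server controls. It is an added example, not tcp_wrappers code; Connection, expand, the two templates and the sample connections are constructed for this illustration. The example replaces shell metacharacters in expanded values with underscores before building the command string, mirroring the precaution the real library takes so that a crafted peer name cannot alter the spawned command.

```python
"""
Model of the %-expansions tcp_wrappers substitutes into spawn and twist
commands. Added illustration, not tcp_wrappers code: Connection and
expand() are hypothetical names. Expanded values have shell metacharacters
replaced with '_' because hostnames and identd usernames are peer-supplied.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    daemon: str                         # %d
    pid: int                            # %p
    client_ip: str                      # %a
    server_ip: str                      # %A
    client_host: Optional[str] = None   # reverse-DNS name of the client, if any
    server_host: Optional[str] = None   # hostname of the server, if any
    client_user: Optional[str] = None   # identd username, if any
    client_paranoid: bool = False       # forward and reverse DNS disagree (client)
    server_paranoid: bool = False       # same check for the server side


# Conservative set of characters a shell would interpret; all become '_'.
_SHELL_META = re.compile(r"[`$&*?;|<>(){}\[\]'\"\\\s]")


def _safe(value: str) -> str:
    return _SHELL_META.sub("_", value)


def expand(template: str, conn: Connection) -> str:
    """Replace each %x sequence with the value the expansion table assigns to it."""
    client_hi = conn.client_host or conn.client_ip     # %h: hostname, else IP
    server_hi = conn.server_host or conn.server_ip     # %H: same for the server

    def name(host: Optional[str], paranoid: bool) -> str:
        # %n / %N: 'paranoid' if the DNS check failed, 'unknown' if unresolved
        if paranoid:
            return "paranoid"
        return host or "unknown"

    table = {
        "a": conn.client_ip,
        "A": conn.server_ip,
        "c": (f"{conn.client_user}@" if conn.client_user else "") + client_hi,
        "d": conn.daemon,
        "h": client_hi,
        "H": server_hi,
        "n": name(conn.client_host, conn.client_paranoid),
        "N": name(conn.server_host, conn.server_paranoid),
        "p": str(conn.pid),
        "s": f"{conn.daemon}@{server_hi}",
        "u": conn.client_user or "unknown",
    }

    def repl(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key == "%":                  # %% is a literal percent sign
            return "%"
        if key not in table:
            raise ValueError(f"unknown expansion %{key}")
        return _safe(table[key])        # only the substituted value is sanitised

    return re.sub(r"%(.)", repl, template)


# The two option strings from the text above, kept verbatim as templates.
SPAWN_TEMPLATE = "/bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log"
TWIST_TEMPLATE = '/bin/echo "What are you doing %a!!!"'

# Constructed sample connections (not captured from a real system).
FTP_CLIENT = Connection(daemon="vsftpd", pid=4242,
                        client_ip="192.168.10.77", server_ip="192.168.10.5",
                        client_host="ftp-client.info.net", server_host="rhel6.info.net")
# A peer whose reverse-DNS name carries characters a shell would interpret.
ODD_NAME_CLIENT = Connection(daemon="telnetd", pid=4243,
                             client_ip="192.168.10.66", server_ip="192.168.10.5",
                             client_host="weird.example $(hostname)")

if __name__ == "__main__":
    print(expand(SPAWN_TEMPLATE, FTP_CLIENT))
    print(expand(TWIST_TEMPLATE, FTP_CLIENT))
    print(expand("%d[%p]: %c -> %s (%n/%u)", FTP_CLIENT))
    print(expand(SPAWN_TEMPLATE, ODD_NAME_CLIENT))
```

Running it prints the audit line the spawn rule would append for the ftp client, the twist message with %a filled in, a one-line summary using the remaining expansions, and finally the spawn command for the odd hostname, where the `$(` sequence has been neutralised to underscores rather than reaching the shell. When writing your own spawn rules, %a and %d are the safest fields to log, since they are not peer-supplied strings.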