How to install TCP Wrappers to keep the bad guys out and monitor connection attempts to your computer.
How does tcp_wrappers work?
When a user tries to connect to your computer on a port, inetd looks up the port number in /etc/services; when it finds the port number it looks in the file /etc/inetd.conf for the corresponding service and runs that service. With tcp_wrappers, inetd is tricked into running tcpd instead of the service that would normally be called. tcpd then checks its rules in the /etc/hosts.allow and /etc/hosts.deny files and, based on those rules, either accepts the connection and runs the service or denies the connection.
Installing TCP Wrappers:
It's very possible the TCP Wrapper package is already installed on your computer. Look in the directory "/usr/sbin" for a file named "tcpd"; if it's there you most likely have it installed already and you can proceed to part 4.
The following instructions take you step by step through the installation process of tcp-wrappers from the source code...YES that's right...the source, no sissy-girl rpm's or deb's ;)
1: Download the tcp wrappers source code.
ftp://ftp.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.6.tar.gz
2: Untar-gz tcp_wrappers_7.6.tar.gz
tar zxvf tcp_wrappers_7.6.tar.gz
3: Compile and Install the wrappers program.
Now we will build and install the program.
cd tcp_wrappers_7.6
make REAL_DAEMON_DIR=/usr/sbin linux
make install     <---- you'll need to be logged on as root to run this command!
At this point the tcp-wrapper program is installed; next we will configure our wrappers.
4: Set up our banners (optional)
Banners contain the message displayed when
tcpd is called for a particular service. Create the banners
directory if necessary.
mkdir /usr/local/etc/banners
For every service you want a message for, you'll have to edit a file in the banners directory.
/usr/local/etc/banners/in.telnetd     <---- for the telnet banner
/usr/local/etc/banners/in.ftpd        <---- for the ftp banner
5: Edit your /etc/hosts.allow and /etc/hosts.deny to
limit access to your computer's network services.
One of the nice features of tcp-wrappers is the ability to control access to your computer's network services and to log failed or successful attempts. You can also perform certain actions based on the user's hostname.
When someone tries to connect to a network service on your computer, the tcp-wrapper (tcpd) reads the file /etc/hosts.allow for a rule that matches the hostname of the person trying to connect. If /etc/hosts.allow doesn't contain a rule allowing access, tcpd reads /etc/hosts.deny for a rule that would deny access to that hostname. If neither file contains an accept or deny rule, access is granted by default.
In the following examples we are going to deny all finger requests, deny telnet access to all users from lamers.edu (access can be denied in the hosts.allow file) and email a user called "auth" with details of every connection attempt. The format of the hosts.allow/hosts.deny files is as follows:
service: hostname: banners if needed : options
Our example /etc/hosts.allow looks like the following (each rule on one line; the closing parenthesis of the second rule's spawn command is required):
---------------------------------------------------------
in.fingerd: ALL : banners /usr/local/etc/banners/ : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
in.telnetd: .lamers.edu : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
ALL: ALL : spawn (echo "Access from %u %h using %d." | sendmail auth)
---------------------------------------------------------
In the first line "in.fingerd" is the service and the hostname is "ALL", which means the rule applies to all hosts. Then we tell tcpd to display the banner to the user, and next we tell tcpd to start (spawn) another program that emails the message "Access from some-user@some.host.com using in.fingerd" to the user "auth". Finally, the "DENY" option tells tcpd to deny access. For this to work you will need a user on your system called "auth". Many people send the mail to "root" instead, but then you have to be logged in as root to read it; it also clutters root's mailbox and makes it difficult to sort your tcpd mail from other "root" mail.
The second rule follows the same format as the first: it denies telnet access to all users from "lamers.edu" and sends email to auth.
The third rule allows access to all users from everywhere, but emails "auth" with details of the connection.
Each rule goes on its own unbroken line.
"man 5 hosts_access" for more information.
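To make the evaluation order above concrete, here is an added example (not from this HOWTO or from the tcp_wrappers source) that models how tcpd walks hosts.allow and then hosts.deny, with the HOWTO's three rules embedded as sample input. It also handles the EXCEPT operator and trailing-dot address prefixes from hosts_access(5), which the HOWTO does not use; the user@host and daemon@host forms are left out.

```python
# Added example (not from the HOWTO or from tcp_wrappers): a model of how tcpd
# reads hosts.allow then hosts.deny: first match wins, no match means allow.
# Covers ALL, leading-dot domain suffixes, trailing-dot address prefixes,
# EXCEPT lists and the inline DENY option used by this HOWTO's rules.

def parse_rules(text):
    """Split a hosts_access file into (daemon_list, client_list, options)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0], fields[1], fields[2:]))
    return rules

def _token_matches(pattern, name):
    """One hosts_access(5) pattern against one daemon or client name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # .lamers.edu matches pc1.lamers.edu
        return name.endswith(pattern)
    if pattern.endswith("."):          # 10.1. matches the address 10.1.2.3
        return name.startswith(pattern)
    return pattern == name

def _list_matches(spec, name):
    """A list with optional EXCEPT, nested to the right: 'a EXCEPT b'."""
    head, _, rest = spec.partition(" EXCEPT ")
    matched = any(_token_matches(p, name) for p in head.split())
    return matched and not (rest and _list_matches(rest, name))

def check_access(hosts_allow, hosts_deny, daemon, client):
    """Return ('allow' or 'deny', options of the deciding rule) for one attempt."""
    for verdict, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for daemons, clients, options in parse_rules(text):
            if _list_matches(daemons, daemon) and _list_matches(clients, client):
                # an inline DENY option turns a hosts.allow match into a refusal,
                # which is how the HOWTO's first two rules work
                if any(o.upper() == "DENY" for o in options):
                    return "deny", options
                return verdict, options
    return "allow", []                 # no rule in either file: access granted

# the HOWTO's example hosts.allow, each rule on one unbroken line
HOSTS_ALLOW = """\
in.fingerd: ALL : banners /usr/local/etc/banners/ : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
in.telnetd: .lamers.edu : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
ALL: ALL : spawn (echo "Access from %u %h using %d." | sendmail auth)
"""
```

With an empty hosts.deny, check_access(HOSTS_ALLOW, "", "in.telnetd", "pc1.lamers.edu") returns a deny from the second rule, while the same daemon from any other host falls through to the third rule and is allowed. The real tcpdmatch utility shipped with tcp_wrappers 7.6 gives the authoritative answer for an installed configuration.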
4. Edit your /etc/syslog.conf so that syslog records tcpd's messages.
Here are a few lines of a typical /etc/syslog.conf:
*.err;kern.debug;auth.notice;mail.crit                  /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err         /var/log/messages
mail.info                                               /var/log/maillog
Here are a few lines of our edited /etc/syslog.conf:
*.err;kern.debug;auth.notice;mail.crit                     /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err;auth.info  /var/log/messages
mail.info                                                  /var/log/maillog
The difference is the added "auth.info" selector on the /var/log/messages line, so tcpd's connection messages are logged to /var/log/messages.
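Once tcpd's messages land in /var/log/messages, the accepted and refused connections can be summarised per host. The following is an added example (not from this HOWTO) that parses the "connect from" and "refused connect from" lines tcpd 7.6 writes; the log lines embedded in it are constructed for the example.

```python
# Added example (not from the HOWTO): summarise tcpd's syslog messages in
# /var/log/messages. tcpd logs "connect from <client>" for accepted and
# "refused connect from <client>" for denied connections; <client> is the
# host or user@host. The sample lines below are constructed, not real logs.
import re
from collections import Counter

# "Mon DD HH:MM:SS host daemon[pid]: [refused ]connect from client"
TCPD_LINE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<daemon>[\w.]+)"
    r"\[(?P<pid>\d+)\]: (?P<refused>refused )?connect from (?P<client>\S+)$")

SAMPLE_LOG = """\
Mar  3 22:14:01 myhost in.telnetd[19102]: refused connect from lamer1.lamers.edu
Mar  3 22:14:09 myhost in.telnetd[19103]: refused connect from lamer1.lamers.edu
Mar  3 22:15:30 myhost in.ftpd[19110]: connect from joe@home.friends.org
Mar  3 22:16:02 myhost in.fingerd[19115]: refused connect from scanner.example.net
Mar  3 22:16:03 myhost sendmail[19116]: alias database /etc/aliases rebuilt
Mar  3 22:17:45 myhost in.telnetd[19120]: connect from admin.friends.org
"""

def parse_tcpd_log(text):
    """Yield one dict per tcpd line; lines from other daemons are skipped."""
    for line in text.splitlines():
        m = TCPD_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["refused"] = rec["refused"] is not None
        # tcpd prints user@host when the RFC 931 lookup succeeded; keep just the host
        rec["client_host"] = rec["client"].rpartition("@")[2]
        yield rec

def refused_by_host(text, threshold=2):
    """Hosts refused at least `threshold` times -> (count, sorted services)."""
    counts = Counter()
    services = {}
    for rec in parse_tcpd_log(text):
        if rec["refused"]:
            counts[rec["client_host"]] += 1
            services.setdefault(rec["client_host"], set()).add(rec["daemon"])
    return {h: (n, sorted(services[h])) for h, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for host, (n, svcs) in refused_by_host(SAMPLE_LOG).items():
        print("%s: %d refused (%s)" % (host, n, ", ".join(svcs)))
```

Run against a real file with refused_by_host(open("/var/log/messages").read()); the sendmail line in the sample shows that unrelated daemons' messages are ignored.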
5. Edit /etc/inetd.conf to point your services to tcpd.
The following example has the original lines commented out (#) and our modified tcpd lines inserted after them.
#ftp     stream  tcp  nowait  root    /usr/sbin/ftpd      ftpd -l -a
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd      ftpd -l -a
#telnet  stream  tcp  nowait  root    /usr/sbin/telnetd   telnetd
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd      telnetd
#finger  stream  tcp  nowait  nobody  /usr/sbin/fingerd   fingerd -s
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd      fingerd -s
tcpd identifies the service by the program name in the last field (ftpd, telnetd, fingerd above) and looks for the real daemon under that name in REAL_DAEMON_DIR, so the daemon names in your hosts.allow and hosts.deny rules must match that name exactly.
Linux differs from some *unix's in that the file locations aren't quite "standard", so when you install tcp_wrappers the "tcpd" file may be in the "/usr/libexec" directory, in which case you'll have to change "/usr/sbin/tcpd" to "/usr/libexec/tcpd" in the above example.
6. If everything above is correct you can reboot, or restart inetd and syslogd.
To restart rather than reboot you need the pid (process id) of both inetd and syslogd. To get this information:
ps -xa | grep inetd
The output looks like "19086 ?? IWs 0:00.05 inetd"; 19086 is the pid of inetd. To restart inetd (signal 1 is HUP, which makes it re-read its configuration):
kill -1 19086
The process is the same for the syslog daemon, and you're done...congratulations!
Comments, questions, suggestions, corrections? Drop me a line at fireman@shaw.wave.ca
Copyright © 1998 Rob Sellars (fireman@shaw.wave.ca). All rights reserved. Permission to use, distribute, modify and copy this document is hereby granted provided credit to this document is included in the modified document.