Title: TCP_WRAPPERS configuration

KBTAG: kben1000039
URL: http://www.securityportal.com/lskb/10000000/kben10000039.html
Date created: 20/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: TCP_WRAPPERS configuration and maintenance
Keywords: Network

Summary:

Many programs run from inetd (and several stand-alone daemons) support TCP_WRAPPERS, allowing you to use one central facility to control access to services based on the client's IP address, hostname and so forth. Services started from inetd are wrapped by running them through the tcpd program; stand-alone daemons must be compiled with support for TCP_WRAPPERS (linked against libwrap), which is the default in most modern distributions, so you usually need not worry about it.

More information:

TCP_WRAPPERS is controlled from two files:

/etc/hosts.allow
/etc/hosts.deny

hosts.allow is checked first, and its rules are read from first to last. If a rule matches the connection (i.e., a rule allowing your host, domain, network/mask, etc.) access is granted and hosts.deny is never consulted. If no rule in hosts.allow matches, hosts.deny is read in the same way, from first to last, and the first rule that matches (i.e., a rule disallowing your host, domain, network/mask, etc.) denies access. If neither file contains a matching rule, the built-in default is to let you in. If you are paranoid like me, the last rule (or the only rule, if you are going to a default policy of non-optimistic security) in hosts.deny should be:

ALL: 0.0.0.0/0.0.0.0

which means all services, all locations, so any service not explicitly allowed in hosts.allow is blocked (remember the built-in default is to allow). ALL: ALL is the equivalent and more common spelling. You might instead want to default deny access to, say, telnet only and leave ftp wide open to the world. To do this you would have:

in hosts.allow:

# allow telnet from my internal network of 10.0.0.*
in.telnetd: 10.0.0.0/255.255.255.0
# allow ftp from anywhere in the world
in.ftpd: 0.0.0.0/0.0.0.0

in hosts.deny:

# deny access to telnetd from anywhere
in.telnetd: 0.0.0.0/0.0.0.0

Note that the comments are on lines of their own: hosts_access(5) documents only lines beginning with # as comments, so do not rely on a # comment trailing a rule. Also write the network part of a net/mask pattern with the host bits cleared (10.0.0.0/255.255.255.0, not 10.0.0.1/255.255.255.0); tcpd compares (address & mask) against the network as written.

or if you wish to be really safe, in hosts.deny:

# deny access to everything from everywhere
ALL: 0.0.0.0/0.0.0.0

This catches every wrapped service, including ones you may not think of as TCP_WRAPPERS clients such as ssh and NFS (via the portmapper), so be careful and put the allow rules for those in hosts.allow first!

Instead of ALL you may wish to simply list, in hosts.deny, each service you are running separately:

in.telnetd: 0.0.0.0/0.0.0.0
ipop3d: 0.0.0.0/0.0.0.0

If you leave a service on that you shouldn't have in inetd.conf, and DO NOT have a default deny policy, you could be up the creek. It is safer (and a bit more work, but in the long run less work than rebuilding the server) to have default deny rules for both firewalling and TCP_WRAPPERS, so that if you leave something on by accident there will by default be no access to it. If you install something that users need access to and you forget to put allow rules in, they will quickly complain that they can't get access and you will be able to rectify the problem quickly. Erring on the side of caution and accidentally denying something is a lot safer than leaving it open.

The man pages for TCP_WRAPPERS are very good. The rule language itself is documented in hosts_access(5) and the extended option syntax in hosts_options(5):

man hosts_access
man hosts_options

On most systems the same hosts_access page is also reachable under the file names:

man hosts.allow
man hosts_allow

and/or (they are the same man page):

man hosts.deny
man hosts_deny

One minor caveat with TCP_WRAPPERS that recently popped up on Bugtraq: TCP_WRAPPERS reads hosts.allow and hosts.deny in the following manner:

1) join continuation lines: a line ending in a backslash (\) is glued to the line after it before anything else happens (also note the maximum length of such a joined line is about 2k; tcpd logs "missing newline or line too long" and ignores anything longer, so split large lists across several rules).

2) discard blank lines and lines starting with #, i.e. all commented-out lines. Thus:

# this is a test
# in.ftpd: 1.1.1.1 \
in.telnetd: 1.1.1.1

Because the comment on the second line ends in a backslash, the "in.telnetd: 1.1.1.1" line is joined onto it in step 1 and then thrown away with the comment in step 2, so that rule is silently ignored as well. Never end a comment line with a backslash, and after editing these files run tcpdchk(8), which reports syntax problems, and tcpdmatch(8) (e.g. tcpdmatch in.telnetd 1.1.1.1) to confirm that the decision for a given daemon and client is the one you intended.
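The following is an added example, not code from the article or from the tcp_wrappers package. It models the decision procedure described above (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise the built-in default allows) together with the line-handling caveat just described (continuations are joined before comment lines are dropped), and runs both against the telnet/ftp policy and the Bugtraq example from the text. Only the subset of the hosts_access(5) syntax the article uses is modelled: daemon names, the ALL wildcard, plain addresses and net/mask client patterns; EXCEPT lists, hostnames, wildcards and hosts_options(5) extensions are left out. All file contents in the block are constructed for the example.

```python
"""Model of how tcpd evaluates hosts.allow and hosts.deny (added example).

Covers only the syntax used in the article: daemon names, ALL, dotted
addresses and net/mask patterns. Sample file contents are constructed.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon_list, client_list)


def logical_lines(text: str) -> List[str]:
    """Return the lines tcpd actually considers as rules.

    Step 1 joins lines ending in a backslash; step 2 drops blank lines and
    lines whose first character is '#'. Because step 1 runs first, a
    commented-out line that ends in a backslash swallows the next line too.
    """
    joined: List[str] = []
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]          # strip the backslash, keep reading
            continue
        joined.append(pending + raw)
        pending = ""
    if pending:                          # file ended inside a continuation
        joined.append(pending)
    return [ln for ln in joined if ln.strip() and not ln.startswith("#")]


def parse_rules(text: str) -> List[Rule]:
    """Split each logical line into 'daemon_list : client_list'.

    A third field (a shell command) is legal in the real files; ignored here.
    """
    rules: List[Rule] = []
    for ln in logical_lines(text):
        fields = ln.split(":", 2)
        if len(fields) < 2:
            raise ValueError(f"missing ':' separator in rule {ln!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    """ALL matches any client; 'net/mask' matches when (ip & mask) == net."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        ip_i = int(ipaddress.IPv4Address(client_ip))
        net_i = int(ipaddress.IPv4Address(net))
        mask_i = int(ipaddress.IPv4Address(mask))
        # A net written with host bits set can never match, so write the
        # network address (10.0.0.0/255.255.255.0), not a host in it.
        return (ip_i & mask_i) == net_i
    return pattern == client_ip          # plain dotted address


def rule_matches(rule: Rule, daemon: str, client_ip: str) -> bool:
    daemons, clients = rule
    return (any(p in ("ALL", daemon) for p in daemons)
            and any(client_matches(p, client_ip) for p in clients))


def access_granted(hosts_allow: str, hosts_deny: str,
                   daemon: str, client_ip: str) -> bool:
    """Allow file first, then deny file, then the built-in default (allow)."""
    for rule in parse_rules(hosts_allow):
        if rule_matches(rule, daemon, client_ip):
            return True                  # hosts.deny is never consulted
    for rule in parse_rules(hosts_deny):
        if rule_matches(rule, daemon, client_ip):
            return False
    return True                          # nothing matched anywhere


# Constructed sample files mirroring the telnet/ftp policy in the article.
HOSTS_ALLOW = """
# telnet only from the internal 10.0.0.* network
in.telnetd: 10.0.0.0/255.255.255.0
# ftp from anywhere
in.ftpd: 0.0.0.0/0.0.0.0
"""
HOSTS_DENY = """
# anything not explicitly allowed above is refused
ALL: 0.0.0.0/0.0.0.0
"""
# The Bugtraq caveat: the commented-out rule ends in a backslash, so the
# in.telnetd line is glued onto it and discarded together with the comment.
HOSTS_DENY_TRAP = """
# this is a test
# in.ftpd: 1.1.1.1 \\
in.telnetd: 1.1.1.1
"""
HOSTS_DENY_FIXED = HOSTS_DENY_TRAP.replace("1.1.1.1 \\\n", "1.1.1.1\n")

if __name__ == "__main__":
    for daemon, ip in [("in.telnetd", "10.0.0.5"), ("in.telnetd", "192.0.2.9"),
                       ("in.ftpd", "192.0.2.9"), ("sshd", "10.0.0.5")]:
        ok = access_granted(HOSTS_ALLOW, HOSTS_DENY, daemon, ip)
        print(f"{daemon:<11} from {ip:<10} access: {'granted' if ok else 'denied'}")
    print("deny rules seen in trap file: ", parse_rules(HOSTS_DENY_TRAP))
    print("deny rules seen in fixed file:", parse_rules(HOSTS_DENY_FIXED))
```

Note that sshd from the internal network is refused by the ALL rule in hosts.deny even though it was never mentioned, which is exactly the "may affect services such as ssh" warning above, and that the trap file yields no deny rule at all, so the telnet connection it was meant to block is granted by the default. On a real host, tcpdmatch(8) answers the same question against the installed files and tcpdchk(8) reports syntax problems; this model is only for seeing why the answer comes out the way it does.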