Wise people learn when they can; fools learn when they must - Arthur Wellesley

Tuesday, 18 April 2017

RHEL6 - 29 - TCP WRAPPERS


WHAT IS TCP WRAPPER?

As the name suggests, a TCP wrapper wraps TCP: it protects services that communicate using the TCP protocol.
The Linux services or commands that can be controlled through tcp_wrappers are those that use the libwrap library.

For network services that utilize it, TCP Wrappers add an additional layer of protection by defining which hosts are or are not allowed to connect to "wrapped" network services. One such wrapped network service is the xinetd super server. This service is called a super server because it controls connections to a subset of network services and further refines access control.


A TCP-wrapped service is one that has been compiled against the libwrap library (the static archive is /usr/lib/libwrap.a; on 64-bit RHEL6 the shared object is /lib64/libwrap.so.0, which is what ldd reports below).

When the system receives a network request for a service that is tcpwrapper-aware, it passes the request to tcpwrappers, which checks its access rules. If there is no restriction on the particular host, IP address or user, tcpwrappers allows the access and passes control back to the service.

TCP Wrappers Configuration Files

To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two files, which are commonly referred to as hosts access files:

/etc/hosts.allow
/etc/hosts.deny

Access control in tcpwrappers is configured through the /etc/hosts.allow and /etc/hosts.deny files, which are consulted in the following order:

· /etc/hosts.allow is searched first. If tcpwrappers finds a match, access is allowed and no further searching is done.
· If no match is found in /etc/hosts.allow, /etc/hosts.deny is searched. If tcpwrappers finds a match, access is denied.
· Finally, if no match is found in either file, access is allowed.
· The wrappers do not work with RPC services over TCP.
· tcpwrappers uses the syslog daemon (syslogd) to write the name of the requesting client and the requested service to /var/log/secure or /var/log/messages.
· TCP Wrappers sit between the firewall and your network service.
· If you have xinetd configured, TCP Wrappers pass control to xinetd after their own filtering is done, and the request then goes through the xinetd-specific filters as well.
· /etc/hosts.allow is always processed first by the system. Only the first matching rule for a request is applied; the rest are ignored.

If a client is matched in both /etc/hosts.allow and /etc/hosts.deny, “hosts.allow” wins and access to the system is granted.


HOW TO KNOW THAT SERVICE IS UNDER LIBWRAP OR NOT?

[root@rhel6-test1 ~]# whereis vsftpd
vsftpd: /usr/sbin/vsftpd /etc/vsftpd /usr/share/man/man8/vsftpd.8.gz

[root@rhel6-test1 ~]# ldd /usr/sbin/vsftpd | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f12d64c1000)

[root@rhel6-test1 ~]# whereis sshd
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz

[root@rhel6-test1 ~]# ldd /usr/sbin/sshd | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f2489295000)

ACCESS RULE FORMAT FOR TCP WRAPPER CONFIG FILES

<daemon list>: <client list> [: <option>: <option>: ...]

[root@rhel6-test1 ~]# vi /etc/hosts.deny
ALL: ALL

[root@rhel6-test1 ~]# service xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

I barred ALL Daemons for ALL hosts,

See the impact,

SSH:
[root@rhel6-server ~]# ssh 192.168.234.200
ssh_exchange_identification: Connection closed by remote host

TELNET:
[root@rhel6-server ~]# telnet 192.168.234.200
Trying 192.168.234.200...
Connected to 192.168.234.200.
Escape character is '^]'.
Connection closed by foreign host.

FTP:
[root@rhel6-server ~]# sftp 192.168.234.200
Connecting to 192.168.234.200...
ssh_exchange_identification: Connection closed by remote host
Couldn't read packet: Connection reset by peer


Now I barred only “telnet” from ALL hosts.

See the impact,
SSH: - DONE
[root@rhel6-server ~]# ssh 192.168.234.200
Last login: Mon Apr 17 11:54:34 2017 from 192.168.234.1
[root@rhel6-test1 ~]# exit
logout
Connection to 192.168.234.200 closed.

TELNET: - BARRED
[root@rhel6-server ~]# telnet 192.168.234.200
Trying 192.168.234.200...
Connected to 192.168.234.200.
Escape character is '^]'.
Connection closed by foreign host.

FTP: - DONE
[root@rhel6-server ~]# sftp 192.168.234.200
Connecting to 192.168.234.200...
sftp> bye


I barred ALL daemons from the 192.168.234. subnet,

[root@rhel6-test1 ~]# vi /etc/hosts.deny
ALL: 192.168.234.

[root@rhel6-test1 ~]# service xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]

See the impact,

SSH:
[root@rhel6-server ~]# ssh 192.168.234.200
ssh_exchange_identification: Connection closed by remote host

TELNET:
[root@rhel6-server ~]# telnet 192.168.234.200
Trying 192.168.234.200...
Connected to 192.168.234.200.
Escape character is '^]'.
Connection closed by foreign host.

FTP:
[root@rhel6-server ~]# sftp 192.168.234.200
Connecting to 192.168.234.200...
ssh_exchange_identification: Connection closed by remote host
Couldn't read packet: Connection reset by peer

Some more possibilities to deny hosts are as follows,

[root@rhel6-test1 ~]# vi /etc/hosts.deny
vsftpd: .abc.com                [deny vsftpd for all hosts in the abc.com domain]
ALL: .abc.com                   [deny all services from the abc.com domain]
ALL: 192.168.234.               [deny all services from the mentioned subnet]
httpd: ALL                      [deny httpd for all]
ALL: localhost                  [deny all from localhost]
ALL: 192.168.                   [deny all services from hosts falling in 192.168.x.x]
ALL: *.abc.com                  [deny all services from hosts matching *.abc.com]
in.telnetd: /etc/telnet.deny    [the client patterns are read from the named file]
sshd,vsftpd: 192.168.234.144    [this IP will not be allowed for the given services]
ALL: 192.168.0.0/255.255.254.0  [deny all services from the network given in net/mask form]

WILDCARDS

Wildcards allow TCP Wrappers to more easily match groups of daemons or hosts. They are used most frequently in the client list field of access rules.

The following wildcards are available:

ALL — matches everything. It can be used for both the daemon list and the client list.
LOCAL — matches any host that does not contain a period (.), such as localhost.
KNOWN — matches any host where the hostname and host address are known or where the user is known.
UNKNOWN — matches any host where the hostname or host address are unknown or where the user is unknown.
PARANOID — matches any host where the hostname does not match the host address.

ALLOW:

[root@rhel6-test1 ~]# vi /etc/hosts.allow
sshd: 127.0.0.0,192.168.110.0
in.telnetd: LOCAL
in.telnetd: 192.168.* 127.0.0.1
sendmail: ALL EXCEPT 192.168.*
sshd,httpd,vsftpd: *.abc.com EXCEPT xyz.com
ALL EXCEPT vsftpd: 192.168.110.*
sshd: 192.168.234.*: severity emerg
in.telnetd: 192.168.110.0/255.255.255.0 EXCEPT 192.168.110.129

IF YOU WANT TO CONSOLIDATE RULES IN ONE FILE (either hosts.allow or hosts.deny)

sshd : client-1.example.com : allow
sshd : client-2.example.com : deny
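To make the evaluation order described above (hosts.allow first, then hosts.deny, otherwise allow), the client patterns from the hosts.deny and hosts.allow examples, and the ": allow" / ": deny" option concrete, here is a small Python evaluator. It is an added example, not part of the original post or of the real tcp_wrappers code, and the two rule sets inside it are constructed for the demo rather than read from /etc.

```python
# Added example (not from the original post nor the real tcp_wrappers code): follows the
# hosts.allow -> hosts.deny -> default-allow order with constructed rule sets for the demo.
import ipaddress

HOSTS_ALLOW = """
sshd: 192.168.110.0/255.255.255.0 EXCEPT 192.168.110.129
in.telnetd: LOCAL
sshd : client-2.example.com : deny
"""
HOSTS_DENY = """
in.telnetd: .abc.com
ALL: 192.168.234.
"""

def parse_rules(text):
    """Yield (daemon_list, client_list, first_option) per non-comment line."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) >= 2:
            yield fields[0], fields[1], (fields[2].lower() if len(fields) > 2 else "")

def match_pattern(pat, name):
    if pat == "ALL":
        return True
    if pat == "LOCAL":                       # hostname without a dot, e.g. localhost
        return "." not in name
    if "/" in pat:                           # net/mask form (IPv4 in this demo)
        try:
            return ipaddress.ip_address(name) in ipaddress.ip_network(pat, strict=False)
        except ValueError:                   # client is a hostname, not an address
            return False
    if pat.startswith("."):                  # domain suffix
        return name.lower().endswith(pat.lower())
    if pat.endswith("."):                    # address prefix, e.g. 192.168.234.
        return name.startswith(pat)
    return pat.lower() == name.lower()       # exact host, address or daemon name

def match_list(field, name):
    """'a, b EXCEPT c' matches if a or b matches and the EXCEPT part does not."""
    head, _, tail = field.partition(" EXCEPT ")
    hit = any(match_pattern(p, name) for p in head.replace(",", " ").split())
    return hit and not (tail and match_list(tail, name))

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if access is granted: first match in hosts.allow, then hosts.deny, else allow."""
    for text, verdict in ((allow, True), (deny, False)):
        for daemons, clients, option in parse_rules(text):
            if match_list(daemons, daemon) and match_list(clients, client):
                # an explicit ': allow' / ': deny' option overrides the file's own meaning
                return option == "allow" if option in ("allow", "deny") else verdict
    return True                              # no rule matched in either file
```

Note that sshd from 192.168.110.129 is still granted: EXCEPT only removes it from the allow rule, and nothing in hosts.deny catches it, so the default applies.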

