Kmaiti

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 1 November 2010

Secure Linux Using TCP Wrappers or Protect the daemons using TCP wrappers on Linux??

Posted on 04:28 by Unknown
Guys,

TCP Wrappers can be used to GRANT or DENY access to various services on your machine to the outside network or other machines on the same network. It does this by using simple Access List Rules which are included in the two files /etc/hosts.allow and /etc/hosts.deny .

Let us consider this scenario: A remote machine remote_mc trying to connect to your local machine local_mc using ssh.

When the request from the remote_mc is received by the tcp wrapped service (SSH in this case), it takes the following basic steps:

1. It checks the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule , it allows the connection. If no rule is found, it moves on to step 2.

2. It checks the /etc/hosts.deny file and if a matching rule is found, it deny's the connection.

Points to remember

Rules in hosts.allow takes precedence over rules in hosts.deny . Which means if a matching rule is found in hosts.allow file, the remote_mc is allowed access to the service even if there is a matching deny rule in hosts.deny file.
You can have only one rule per service in hosts.allow and hosts.deny file.
If there are no matching rules in either of the files or if the files don't exist, then the remote_mc is allowed access to the service.
Any changes to hosts.allow and hosts.deny file takes immediate effect.

Rule Syntax
The syntax for both hosts.allow and hosts.deny file takes the following form:

daemon : client [:option1:option2:...]

Where daemon can be a combination of ssh daemon, ftp daemon, portmap daemon and so on. Basically any service which has support for libwrap.a library compiled into it is a good candidate for utilizing the services of TCP Wrappers.

client is a comma separated list of hostnames, host IP addresses, special patterns or special wildcards which identify the hosts effected by that rule.

options is an optional action like say sending mail to the administrator when this rule is matched, log to a particular file and so on. It can be a colon separated list of actions too.

Examples of using TCP Wrappers

I want to allow SSH access to hosts in a particular domain say xyz.com and deny access to all the others. I enter the following rule in the hosts.allow file.

sshd : .xyz.com

... and in the hosts.deny file I include the rule:

sshd : ALL

The next rule denys FTP access to all the hosts in the abc.co.in domain as well as hosts in the 192.168.1.0 network.

#FILE: /etc/hosts.deny
vsftpd : 192.168.1. , .abc.co.in : spawn /bin/echo `/bin/date` access denied >> /var/log/vsftpd.log : deny

The backslash (\) in the above rule is used to break the line and prevents the failure of the rule due to length.

spawn and deny are options. Spawn launches a shell command as a child process. In the above rule, spawn logs a message to the vsftpd log file each time the rule matches. deny is optional if you are including this rule in the hosts.deny file.

Note: The last line in the files hosts.allow and hosts.deny must be a new line character. Or else the rule will fail.
For example, you can use spawn option to send mail to the admin when ever a deny rule is matched.

Wildcards :-

You can use wildcards in the client section of the rule to broadly classify a set of hosts. These are the valid wildcards that can be used.

ALL - Matches everything
LOCAL - Matches any host that does not contain a dot (.) like localhost.
KNOWN - Matches any host where the hostname and host addresses are known or where the user is known.
UNKNOWN - Matches any host where the hostname or host address are unknown or where the user is unknown.
PARANOID - Matches any host where the hostname does not match the host address.
Patterns

You can also use patterns in the client section of the rule . Some examples are as follows:

ALL : .xyz.com

Matches all hosts in the xyz.com domain . Note the dot (.) at the beginning.

ALL : 123.12.

Matches all the hosts in the 123.12.0.0 network. Note the dot (.) in the end of the rule.

ALL : 192.168.0.1/255.255.255.0

IP address/Netmask can be used in the rule.

ALL : *.xyz.com

Asterisk * matches entire groups of hostnames or IP addresses.

sshd : /etc/sshd.deny

If the client list begins with a slash (/), it is treated as a filename. In the above rule, TCP wrappers looks up the file sshd.deny for all SSH connections.

sshd : ALL EXCEPT 192.168.0.15

If the above rule is included in the /etc/hosts.deny file, then it will allow ssh connection for only the machine with the IP address 192.168.0.15 and block all other connections. Here EXCEPT is an operator.

Note: If you want to restrict use of NFS and NIS then you may include a rule for portmap . Because NFS and NIS depend on portmap for their successful working. In addition, changes to portmap rules may not take effect immediately.

Suppose I want to log all connections made to SSH with a priority of emergency. See my previous post to know more on logging. I could do the following:

sshd : .xyz.com : severity emerg

Note: You can use the options allow or deny to allow or restrict on a per client basis in either of the files hosts.allow and hosts.deny

in.telnetd : 192.168.5.5 : deny
in.telnetd : 192.168.5.6 : allow

Shell Commands :-

As mentioned above, you can couple the rules to certain shell commands by using the following two options.

spawn - This option launches a shell command as a child process. For example, look at the following rule:

sshd : 192.168.5.5 : spawn /bin/echo `/bin/date` from %h >> /var/log/ssh.log : deny

Each time the rule is satisfied, the current date and the clients hostname %h is appended to the ssh.log file.

twist - This is an option which replaces the request with the specified command. For example, if you want to send to the client trying to connect using ssh to your machine, that they are prohibited from accessing SSH, you can use this option.

sshd : client1.xyz.com : twist /bin/echo "You are prohibited from accessing this service!!" : deny

When using spawn and twist, you can use a set of expressions. They are as follows :
%a — The client's IP address.
%A — The server's IP address.
%c — Supplies a variety of client information, such as the username and hostname, or the username and IP address.
%d — The daemon process name.
%h — The client's hostname (or IP address, if the hostname is unavailable).
%H — The server's hostname (or IP address, if the hostname is unavailable).
%n — The client's hostname. If unavailable, unknown is printed. If the client's hostname and host address do not match, paranoid is printed.
%N — The server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.
%p — The daemon process ID.
%s — Various types of server information, such as the daemon process and the host or IP address of the server.
%u — The client's username. If unavailable, unknown is printed.

Try :)
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • unable connect to socket: No route to host (113)
    Guys, This error message usually comes when you try to access remote linux desktop using vncviewer. Please check the firewall in the linux s...
  • NDMP communication failure error
    Guys, Issue : Netbackup server sends alert NDMP communication failure once everyday. But there is no issue to run scheduled backup jobs. Env...
  • what does it mean by "cman expected_votes="1" two_node="1" in cluster.conf ?
    For two node clusters ordinarily, the loss of quorum after one out of two nodes fails will prevent the remaining node from continuing (if bo...
  • How to make bridge over VLAN?
    How to make bridge over VLAN? Bridging over VLAN's : By constructing a bridge between a "normal" and a "VLAN" ethern...
  • How to verify UDP packet communication between two linux system?
    Guys, Today, I had to check UDP packet communication between linux and a windows system. Main purpose of the windows system was to capturing...
  • How to install pdo_mysql module with php on 64 bit linux machine?
    Guys, The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP. Each database driver ...
  • configure: error: C preprocessor "/lib/cpp" fails sanity check + Resolved
    Guys, I got that error messages when I was going to configure any software on the linux server. I was unable to execute easyapache or ./conf...
  • configure: error: could not find library containing RSA_new
    Guys, It seems you have enabled the SSL option during configuring the package. Please either resolve that dependency or disable the SSL opti...
  • Cannot find config.m4 + phpize +Resolved
    Guys, I got the same error messages and sorted out it. Here is the error that I got. ===== root@server [/home/cpeasyapache/src/php-5.2.9/ext...
  • How to redirect output of script to a file(Need to save log in a file and file should be menioned in the script itself?
    Expectation : @subject Steps : 1. Create a bash script. 2. add line : exec > >(tee /var/log/my_logfile.txt) That's it. All output ...

Categories

  • ACL
  • ESX
  • Linux
  • Storage
  • UCS

Blog Archive

  • ►  2013 (5)
    • ►  May (1)
    • ►  April (3)
    • ►  February (1)
  • ►  2012 (10)
    • ►  July (1)
    • ►  June (1)
    • ►  April (1)
    • ►  March (3)
    • ►  February (3)
    • ►  January (1)
  • ►  2011 (86)
    • ►  December (3)
    • ►  November (2)
    • ►  September (19)
    • ►  August (9)
    • ►  July (5)
    • ►  June (9)
    • ►  May (12)
    • ►  April (3)
    • ►  March (4)
    • ►  February (5)
    • ►  January (15)
  • ▼  2010 (152)
    • ►  December (9)
    • ▼  November (34)
      • Configuration files of Directadmin?
      • How to convert from ext3 to ext2 file system?
      • How to convert ext2 to ext3 file system?
      • How to enable swap space on xen VPS?
      • ftp: connect: Connection refused
      • How to stop core file generation in the server fro...
      • eth0 errors +WARNINGs: packets is + outside range
      • How to access the webalizer from the outside of th...
      • kernel panic - not syncing: Attempted to kill init!
      • How to capture the network packet?
      • How to change admin password in the table of the m...
      • Plesk configuration files path + linux?
      • Links for linux commands?
      • How to use grep,find,sor,pg,ip,wget commands in linux
      • How to delete file using inode number?
      • Install firewalls on linux?
      • How to secure linux server?
      • How to setup loop device?
      • How to create tmp partition on linux server?
      • [a fatal error or timeout occurred while processin...
      • How to use strace command in linux?
      • How to view binary file in linux?
      • What's the exact path of system call functions in ...
      • How to add shared libraries on linux?
      • mysql query chache clear
      • Linux + firewall + iptables configuring ?
      • How to install xinetd on linux ?
      • how to integrate TCP wrapper with xinetd + linux ?
      • How do I examine TCP wrapper config file?
      • How do I predict how the TCP wrapper would handle ...
      • Default Log Files of TCPwrapper ?
      • Configuring TCP Wrapper Config Files?
      • How to install tcpwrapper on linux server?
      • Secure Linux Using TCP Wrappers or Protect the dae...
    • ►  October (20)
    • ►  September (14)
    • ►  August (24)
    • ►  July (19)
    • ►  June (3)
    • ►  May (25)
    • ►  April (3)
    • ►  January (1)
Powered by Blogger.