The application relies on two main files:
/etc/hosts.allow: Defines the hosts and networks allowed to connect to the server. The TCP Wrappers enabled application searches this file for a matching entry, and if it finds one, then the connection is allowed.
/etc/hosts.deny: Defines the hosts and networks prohibited from connecting to the server. If a match is found in this file, the connection is denied. No match means the connection proceeds normally.
The /etc/hosts.allow file is always read first and both files are always read from top to bottom, therefore the ordering of the entries is important.
The TCP Wrappers File Format:
The format of the file is:
This example allows all traffic from the 192.168.5.0/24 and the 192.168.8.0/255.255.255.0 networks and SSH from only two hosts, 172.16.1.2 and 216.14.169.134. All HTTP Web traffic is allowed. All other TCP traffic to the host is denied. Notice how the subnet masks can use the slash nomenclature or the dotted decimal 255.255.255.0 format.
#
# File: hosts.allow
#
ALL: 192.168.5.0/24 192.168.8.0/255.255.255.0
sshd: 172.16.1.2 216.14.169.134
httpd: ALL
#
# File: hosts.deny
#
ALL: ALL
Determining the TCP Daemon's Name:
The easiest way of determining the name of a daemon is to use the ps command and then use grep to filter for the name of the service. Here, the example quickly determines the daemon name (/usr/sbin/sshd) for the SSH server process. Because TCP Wrappers only requires the program name and not the path, sshd therefore becomes the entry to place in the TCP-daemon-name column of the configuration file.
[root@mysrv1 tmp]# ps -ef | grep -i ssh
root 10053 1 0 Nov06 ? 00:00:00 /usr/sbin/sshd
root 14145 10053 0 Nov13 ? 00:00:02 sshd: root@pts/1
root 18100 14148 0 21:56 pts/1 00:00:00 grep ssh
[root@mysrv1 tmp]#
For a full explanation of all the options available, refer to section 5 of the man pages for hosts_access:
[root@mysrv1 tmp]# man 5 hosts_access
TCP Wrappers is simple to implement, but you have to set them on every host. Management is usually easier on a firewall that protects the entire network.
What do you think about this Article? Add your Opinion..! EmoticonEmoticon