Thu. Apr 2nd, 2020

How to protect your system with TCP Wrappers

2 min read
TCP Wrappers
TCP wrappers are host-based access control systems. It is used to prevent unauthorized access and only allow specific customers to access services on your server.

Why use TCP wrappers

TCP wrappers create an extra layer of security between your server and any potential attackers. In addition to access control capabilities, it also provides logging and hostname verification. TCP wrappers can be used out of the box on most Linux or UNIX-like systems, which makes it easy to configure and is a perfect complement to existing firewalls.
How to determine if a program supports TCP wrappers

Not all programs support TCP wrappers. The program must be compiled with the libwrap library. Common services like sshd, ftpd, and telnet support TCP wrappers by default. We can use the following command to check if TCP wrappers are supported:

ldd /path-to-daemon | grep libwrap.so

The ldd command prints a list of executable file sharing dependencies. Pipe the output of the ldd command to grep to find out if it contains libwrap.so. If there is output, TCP wrappers are supported.

How to use TCP wrappers

TCP wrappers rely on two files /etc/hosts.allow and /etc/hosts.deny. If these files do not exist, create them first.

The rules in hosts.deny are matched from top to bottom. If the above rules match, the search will no longer be performed and the down ones will be ignored. The syntax of a rule is as follows:

daemons : hostnames/IPs

Multiple daemons or multiple hostnames/IPs can be separated by spaces.
Example
Reject all:
This hosts.deny file will prevent all clients from accessing all processes.
ALL : ALL
Allow access:
Rules in the hosts.allow file take precedence over rules in hosts.deny. This allows us to use hosts.allow to make exceptions to disable rules. The following rules indicate that 192.168.1.33 is allowed to access the sshd service:
sshd : 192.168.1.33
Wildcard
TCP wrappers support wildcards, allowing you to set rules on a batch of IP addresses or hostnames. You can use wildcard characters for ALL, LOCAL, UNKNOWN, KNOWN, and PARANOID.