Overview
TCP Wrappers has been around for many years. It is
used to restrict access to TCP services based on host name, IP address, network address,
and so on. For more details on what TCP Wrappers is and how you can use it, see
man tcpd.
The original code was written by Wietse Venema at
the Eindhoven University of Technology, The Netherlands, between 1990 and
1995.
TCP Wrappers support in Secure Shell is provided by the library
libwrap, a free software library that implements generic TCP
Wrapper functionality for network service daemons to use (instead of, or in addition to,
their own host access control schemes).
To see whether sshd is dynamically linked against libwrap, or has the
support built in, use the following command:
ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00b22000)
Logging of SSH Logins
Normally, the SSH port is reachable from the whole Internet, passes
through firewalls, and is therefore a favourite door for attackers. TCP Wrappers relies on the standard syslog
facility to log connections; where those messages go can be checked in /etc/syslog.conf:
# The authpriv file has restricted access.
authpriv.* /var/log/auth.log
If you watch this file with tail -f, you will notice that there are many (hopefully failed) SSH
connections. So, how do you avoid this unnecessary traffic to your system?
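As an added example (not part of the original article), here is a small Python script that does what the text suggests doing by eye with tail -f: it reads auth.log-style lines, tallies failed logins, successful logins and libwrap "refused connect" events per client address, and reports the sources that keep failing and never succeed. The log lines are constructed for the example; the message formats are those written by OpenSSH ("Failed password for ...", "Accepted ... for ...") and by libwrap ("refused connect from ...").

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the /var/log/auth.log format the text refers to.
SAMPLE_AUTH_LOG = """\
Mar 10 14:02:11 host sshd[2140]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 14:02:14 host sshd[2140]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 10 14:02:20 host sshd[2155]: Accepted publickey for alice from 192.168.67.10 port 40122 ssh2
Mar 10 14:03:01 host sshd[2160]: refused connect from 198.51.100.7
Mar 10 14:03:05 host sshd[2161]: refused connect from scanner.example [198.51.100.7]
Mar 10 14:03:09 host sshd[2162]: Failed password for root from 203.0.113.45 port 51260 ssh2
"""

# OpenSSH authentication outcomes.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
# libwrap refusal; the client is logged as "ADDRESS" or "HOSTNAME [ADDRESS]".
REFUSED_RE = re.compile(
    r"sshd\[\d+\]: refused connect from (?:\S+ \[)?(?P<ip>[\d.]+)\]?")

def summarize(lines):
    """Tally events per client address: failed logins, accepted logins,
    and connections refused by the TCP wrapper before authentication."""
    stats = defaultdict(Counter)
    for line in lines:
        for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE),
                         ("refused", REFUSED_RE)):
            m = rx.search(line)
            if m:
                stats[m.group("ip")][kind] += 1
                break
    return stats

def noisy_sources(stats, threshold=3):
    """Addresses with at least `threshold` failed logins and no successful one:
    candidates to review before tightening hosts.allow / hosts.deny."""
    return sorted(ip for ip, c in stats.items()
                  if c["failed"] >= threshold and c["accepted"] == 0)

if __name__ == "__main__":
    stats = summarize(SAMPLE_AUTH_LOG.splitlines())
    for ip, c in sorted(stats.items()):
        print(f"{ip:16} failed={c['failed']} accepted={c['accepted']} refused={c['refused']}")
    print("noisy sources:", noisy_sources(stats))
```

On a real system, feed it the output of `tail -f /var/log/auth.log` or the whole file; the "refused" counter tells you how much of the noise the wrapper is already stopping before sshd ever authenticates anyone.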
TCP Wrapper Configuration Files
To determine if a client machine is allowed to connect to SSH, TCP
wrappers reference the following two files, which are commonly referred to as hosts
access files:
- /etc/hosts.allow
- /etc/hosts.deny
When a client request is received by a TCP wrapped service, it
takes the following basic steps:
- The service references /etc/hosts.allow. — The TCP wrapped service sequentially
parses the /etc/hosts.allow file and applies the first rule
specified for that service. If it finds a matching rule, it allows the connection. If
not, it moves on to step 2.
- The service references /etc/hosts.deny. — The TCP wrapped service sequentially
parses the /etc/hosts.deny file. If it finds a matching rule,
it denies the connection. If not, access to the service is granted.
The following are important points to consider when using TCP
wrappers to protect network services:
- Because access rules in hosts.allow
are applied first, they take precedence over rules specified in hosts.deny. Therefore, if access to a service is allowed in hosts.allow, a rule denying access to that same service in hosts.deny is ignored.
- Since the rules in each file are read from the top down and the
first matching rule for a given service is the only one applied, the order of the rules
is extremely important.
- If no rules for the service are found in either file, or if
neither file exists, access to the service is granted.
- TCP wrapped services do not cache the rules from the hosts
access files, so any changes to hosts.allow or hosts.deny take effect immediately without restarting network
services.
The recommended setting is to deny anything not explicitly allowed.
This is done by adding the following line to /etc/hosts.deny:
# hosts.deny
#
# This file describes the names of the hosts which are
# not allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
ALL: ALL
Then, explicitly list in /etc/hosts.allow all hosts and domains that you want to have access to your
machine. A recommended hosts.allow looks like:
# hosts.allow
#
# This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
ALL: 192.168.67.0/255.255.255.0, 193.78.135.208/255.255.255.240
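To make the two-step evaluation and the precedence rules above concrete, here is an added Python model of the decision (example code, not tcpd's own implementation). It parses the hosts.allow and hosts.deny shown above, walks hosts.allow first and hosts.deny second, applies the first matching rule in each, and grants access when neither file matches. It implements only the subset of hosts_access(5) syntax the page uses: a `daemon_list : client_list` line, the `ALL` and `LOCAL` wildcards, `net/mask` pairs, leading-dot domain suffixes and trailing-dot address prefixes; `EXCEPT`, shell-command options and backslash line continuation are deliberately left out.

```python
import ipaddress

# The two files exactly as recommended above (comments stripped for brevity).
HOSTS_ALLOW = "ALL: 192.168.67.0/255.255.255.0, 193.78.135.208/255.255.255.240\n"
HOSTS_DENY = "ALL: ALL\n"

def _split(field):
    """List elements are separated by blanks and/or commas."""
    return field.replace(",", " ").split()

def parse_rules(text):
    """Return [(daemon_list, client_list)] in file order; comments and blank lines skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((_split(daemons), _split(clients)))
    return rules

def client_matches(pattern, client_ip, client_host):
    """Match one client_list element against the connecting client."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":           # a host name without a dot
        return "." not in client_host
    if "/" in pattern:               # net/mask pair, dotted or prefix-length mask
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    if pattern.startswith("."):      # domain suffix, e.g. ".example.com"
        return client_host.endswith(pattern)
    if pattern.endswith("."):        # address prefix, e.g. "192.168.67."
        return client_ip.startswith(pattern)
    return pattern in (client_host, client_ip)

def rule_matches(rule, daemon, client_ip, client_host):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, client_ip, client_host) for c in clients))

def hosts_access(daemon, client_ip, client_host=None,
                 allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """The decision procedure from the text: first match in hosts.allow grants,
    otherwise first match in hosts.deny refuses, otherwise access is granted."""
    # tcpd uses the numeric address as the name when no host name is known.
    client_host = client_host or client_ip
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip, client_host):
            return "ALLOW"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip, client_host):
            return "DENY"
    return "ALLOW"

if __name__ == "__main__":
    for ip in ("192.168.67.10", "193.78.135.220", "193.78.135.224", "10.0.0.5"):
        print(f"sshd from {ip:15} -> {hosts_access('sshd', ip)}")
```

Running it shows the three points from the list above in action: a client inside one of the allowed networks is granted even though hosts.deny says `ALL: ALL`; one just outside the /28 (193.78.135.224) is refused; and with both files empty every client is granted, which is why the catch-all deny line belongs in hosts.deny.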