Zurück

TCP Wrapper for added Security on SSH


Overview

TCP Wrappers has been around for many years. It is used to restrict access to TCP services based on host name, IP address, network address, and so on. For more details on what TCP Wrappers is and how you can use it, see man tcpd.

The original code was written by Wietse Venema at the Eindhoven University of Technology, The Netherlands, between 1990 and 1995.

TCP Wrappers support in Secure Shell is given by using the library libwrap, which is a free software program library that implements generic TCP Wrapper functionality for network service daemons to use (rather than, or in addition to, their own host access control schemes).

To see if sshd is dynamically linked against libwrap, or has support build-in, use the following command:

ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00b22000)

Logging of SSH Logins

Normally, the Port for SSH is open to the Internet World, can pass Firewalls and is therefore a door for Hackers. TCP Wrappers relies on the standard syslog facility to log connections, which can be checked in /etc/syslog.conf

# The authpriv file has restricted access.
authpriv.*    /var/log/auth.log

If you look into this file with tail -f you will be noticed, that there are many (hopefully failed) SSH Connections. So, how to avoid this unnecessary traffic to your system?

TCP Wrapper Configuration Files

To determine if a client machine is allowed to connect to SSH, TCP wrappers reference the following two files, which are commonly referred to as hosts access files:

  • /etc/hosts.allow
  • /etc/hosts.deny

When a client request is received by a TCP wrapped service, it takes the following basic steps:

  1. The service references /etc/hosts.allow. The TCP wrapped service sequentially parses the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to step 2.
     
  2. The service references /etc/hosts.deny. The TCP wrapped service sequentially parses the /etc/hosts.deny file. If it finds a matching rule is denies the connection. If not, access to the service is granted.

The following are important points to consider when using TCP wrappers to protect network services:

  • Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny. Therefore, if access to a service is allowed in hosts.allow, a rule denying access to that same service in hosts.deny is ignored.
     
  • Since the rules in each file are read from the top down and the first matching rule for a given service is the only one applied, the order of the rules is extremely important.
     
  • If no rules for the service are found in either file, or if neither file exists, access to the service is granted.
     
  • TCP wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immediately without restarting network services.

The recommended setting is to deny anything not explicitly allowed. This is done by adding the following line in /etc/hosts.deny

# hosts.deny
#
# This file describes the names of the hosts which are
# not allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
ALL: ALL

Then, explicitly list in /etc/hosts.allow all hosts/domains you want access to your machine. A recommended hosts.allow looks like:

# hosts.allow
#
# This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
ALL: 192.168.67.0/255.255.255.0, 193.78.135.208/255.255.255.240