Overview
TCP Wrappers has been around for
many years. It is used to restrict access to TCP services based on host
name, IP address, network address, and so on. For more details on what
TCP Wrappers is and how you can use it, see
man tcpd.
The original code was written by
Wietse Venema at the Eindhoven University of Technology, The
Netherlands, between 1990 and 1995.
TCP Wrappers support in Secure Shell is provided by
the library libwrap, a free software library that implements generic
TCP Wrapper functionality for network service daemons to use (rather
than, or in addition to, their own host access control schemes).
To see if sshd is dynamically linked against libwrap, or has the
support built in, use the following command:

    ldd /usr/sbin/sshd | grep libwrap
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00b22000)

If the line above does not appear, sshd was built without libwrap
support and the hosts access files described below will not affect it.
Logging of SSH Logins
Normally, the SSH port is open to the whole Internet, passes through
firewalls, and is therefore a door for attackers. TCP Wrappers relies
on the standard syslog facility to log connections; where those messages
end up can be checked in /etc/syslog.conf:

    # The authpriv file has restricted access.
    authpriv.*    /var/log/auth.log

If you watch this file with tail -f you will notice that there are
many (hopefully failed) SSH connections. So, how do you avoid this
unnecessary traffic to your system?
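To make the point concrete, here is an added example (not code from the original page) that reads a few constructed auth.log lines written in sshd's own message format and counts, per source address, failed password attempts, connections refused by libwrap, and accepted logins. The sample lines and the three-attempt threshold in noisy_sources are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/auth.log (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 10 03:12:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Mar 10 03:12:04 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4322 ssh2
Mar 10 03:12:09 host sshd[2203]: Failed password for root from 203.0.113.5 port 4325 ssh2
Mar 10 03:15:40 host sshd[2210]: Accepted publickey for alice from 192.168.67.10 port 50122 ssh2
Mar 10 03:20:17 host sshd[2215]: refused connect from 203.0.113.7 (203.0.113.7)
Mar 10 03:20:19 host sshd[2216]: refused connect from 203.0.113.7 (203.0.113.7)
Mar 10 03:21:02 host sshd[2218]: Failed password for bob from 198.51.100.23 port 3333 ssh2
"""

# sshd's password-failure message; "invalid user" is present when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Message sshd emits via syslog when libwrap rejects the connection before authentication.
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (\S+) ")
# Successful login, whatever the method (password, publickey, ...).
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def summarize(log_text):
    """Return per-source counters: failed logins, libwrap refusals, accepted logins."""
    failed, refused, accepted = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = REFUSED_RE.search(line)
        if m:
            refused[m.group(1)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m.group(3)] += 1
    return {"failed": failed, "refused": refused, "accepted": accepted}


def noisy_sources(log_text, threshold=3):
    """Source addresses with at least `threshold` failed password attempts.
    The threshold is an assumption for this example, not a value from the page."""
    counts = summarize(log_text)["failed"]
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    report = summarize(SAMPLE_AUTH_LOG)
    for kind, counter in report.items():
        for ip, n in counter.most_common():
            print(f"{kind:9s} {ip:16s} {n}")
    print("noisy:", noisy_sources(SAMPLE_AUTH_LOG))
```

Once hosts.deny rejects a source, its attempts show up as "refused connect from" lines rather than password failures, so the refused counter is a quick way to confirm the wrapper rules are doing their job.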
TCP Wrapper Configuration Files
To determine if a client machine is allowed to
connect to SSH, TCP wrappers reference the following two files, which
are commonly referred to as hosts access files:
- /etc/hosts.allow
- /etc/hosts.deny
When a client request is received by a TCP
wrapped service, it takes the following basic steps:
- Step 1: the service references
/etc/hosts.allow. — The TCP wrapped
service sequentially parses the /etc/hosts.allow
file and applies the first rule specified for that service. If it
finds a matching rule, it allows the connection. If not, it moves on
to step 2.
- Step 2: the service references
/etc/hosts.deny. — The TCP wrapped
service sequentially parses the /etc/hosts.deny
file. If it finds a matching rule, it denies the connection. If not,
access to the service is granted.
The following are important points to consider
when using TCP wrappers to protect network services:
- Because access rules in
hosts.allow are applied first, they take precedence over rules
specified in hosts.deny. Therefore, if
access to a service is allowed in hosts.allow,
a rule denying access to that same service in
hosts.deny is ignored.
- Since the rules in each file are read from
the top down and the first matching rule for a given service is the
only one applied, the order of the rules is extremely important.
- If no rules for the service are found in
either file, or if neither file exists, access to the service is
granted.
- TCP wrapped services do not cache the rules
from the hosts access files, so any changes to
hosts.allow or hosts.deny take effect
immediately without restarting network services.
The recommended setting is to deny anything not
explicitly allowed. This is done by adding the following line to
/etc/hosts.deny:

    # hosts.deny
    #
    # This file describes the names of the hosts which are
    # not allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    ALL: ALL

Then, explicitly list in /etc/hosts.allow all hosts/domains
you want to have access to your machine. A recommended hosts.allow looks like:

    # hosts.allow
    #
    # This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    ALL: 192.168.67.0/255.255.255.0, 193.78.135.208/255.255.255.240
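The two-step lookup, the precedence and default-allow points listed above, and the recommended hosts.deny / hosts.allow pair are easy to get wrong when reasoning in your head, so here is an added example (not the page's or tcpd's own code) that models the decision tcpd makes for a given daemon and client address. It is a simplified model: it handles ALL, net/mask, a trailing-dot address prefix, and exact addresses, but not hostnames, the EXCEPT operator, or the optional third field of the extended syntax. The file contents are constructed to match the page's recommended configuration; the client addresses fed to it are assumptions.

```python
import ipaddress

# Constructed file contents modelled on the page's recommended configuration.
HOSTS_DENY = """\
# hosts.deny: deny anything not explicitly allowed
ALL: ALL
"""

HOSTS_ALLOW = """\
# hosts.allow: hosts/networks that may reach local services
ALL: 192.168.67.0/255.255.255.0, 193.78.135.208/255.255.255.240
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; comments and blank lines are skipped.
    Only the basic two-field form is modelled (no options field, no EXCEPT operator)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        # hosts_access(5) lists are separated by blanks and/or commas.
        daemon_list = daemons.replace(",", " ").split()
        client_list = clients.replace(",", " ").split()
        rules.append((daemon_list, client_list))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad address.
    Supported: ALL, net/mask (dotted mask or prefix length), a trailing-dot
    address prefix such as '192.168.', and an exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # ipaddress accepts both 'a.b.c.d/24' and 'a.b.c.d/255.255.255.0'.
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def first_match(rules, daemon, client_ip):
    """Return the first rule whose daemon list and client list both match.
    Rules are read top-down and the first hit wins, as the page describes."""
    for daemon_list, client_list in rules:
        if any(daemon_matches(d, daemon) for d in daemon_list) and \
           any(client_matches(c, client_ip) for c in client_list):
            return (daemon_list, client_list)
    return None


def access_decision(allow_text, deny_text, daemon, client_ip):
    """hosts.allow is consulted first; a match there grants access and hosts.deny
    is never consulted. Otherwise hosts.deny is consulted; a match there denies.
    No match in either file (or empty files) grants access."""
    if first_match(parse_rules(allow_text), daemon, client_ip) is not None:
        return "allow"
    if first_match(parse_rules(deny_text), daemon, client_ip) is not None:
        return "deny"
    return "allow"


if __name__ == "__main__":
    for ip in ("192.168.67.42", "193.78.135.220", "193.78.135.224", "203.0.113.5"):
        print(ip, access_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip))
```

Running it with the recommended files shows that 192.168.67.42 and 193.78.135.220 are allowed (they fall inside the two listed networks) while 193.78.135.224 and 203.0.113.5 are denied by the ALL: ALL rule; calling access_decision with two empty strings returns "allow", which is exactly the default-allow behaviour the page warns about when neither file has a matching rule.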