Nuffnang

Sunday, September 18, 2011

Host Based Firewall - TCP Wrapper

TCP Wrapper is a host-based Networking ACL system, used to filter network access to Internet Protocol servers on (Unix-like) Operating System such as Linux or BSD. It allows host or subnetwork IPAddress, names and/or ident query replies, to be used as tokens on which to filter access control for purposes.

The original code was written by Wietse Venema in 1990 to monitor a cracker's activities on the Unix workstations at the Dept. of Math and Computer Science at the Eindhoven University of Technology. He maintained it until 1995, and on June 1, 2001, released it under its own BSD-style license.

Using TCP_WRAPPERS makes securing your servers against outside intrusion is a lot simpler and painless. TCP_WRAPPERS is controlled from two files:

/etc/hosts.allow
/etc/hosts.deny

hosts.allow is checked first, and the rules are checked from first to last. If it finds a rule that explicitly allows you in (i.e., a rule allowing your host, domain, subnet mask, etc.) it lets you connect to the service. If it fails to find any rules that pertain to you in hosts.allow, it then goes to check hosts.deny for a rule denying you entry.

Again it checks the rules in hosts.deny from first to last, and the first rule it finds that denies you access (i.e., a rule disallowing your host, domain, subnet mask, etc.) means it doesn't let you in. If it fails to find a rule denying you entry it then by default lets you. If you are really paranoid for security (or only rule if you are going to a default policy of non-optimistic security) should be in hosts.deny:

ALL: 0.0.0.0/0.0.0.0

which means all services, all locations, so any service not explicitly allowed is then blocked (remember the default is to allow). You might also want to just default deny access to say telnet and leave ftp wide open to the world. To do this you would have in hosts.allow:

in.telnetd: 10.0.0.0/255.255.255.0 # allow access from my internal network of 10.0.0.*
in.ftpd: 0.0.0.0/0.0.0.0 # allow access from anywhere in the world

in hosts.deny:

in.telnetd: 0.0.0.0/0.0.0.0 # deny access to telnetd from anywhere

or if you wish to be really safe:

ALL: 0.0.0.0/0.0.0.0 # deny access to everything from everywhere

This may affect services such as ssh and nfs, so be careful!

No comments:

Post a Comment