Troubleshooting TCP-wrappers

There are two programs for testing and troubleshooting tcp-wrappers: tcpdchk and tcpdmatch. The former checks that the rules in hosts.allow and hosts.deny are well formed (valid syntax, known daemons, resolvable hosts), while the latter predicts how a hypothetical connection would be handled, without actually connecting. Let's try a couple:

Assuming we have the following rules in our hosts.allow (and the usual catch-all ALL : ALL in hosts.deny), each rule written on a single line:

in.fingerd, sshd : LOCAL : spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/logger -t --FINGER-- -p local0.info "%d-%a-%h") &
sshd : .QEDux.co.za : spawn (/usr/bin/logger -t --SSH-- -p local0.info "%d-%a-%h") &
vsftpd : 172.16.1.

A tcpdchk -v will produce:

Using network configuration file: /etc/inetd.conf

>>> Rule /etc/hosts.allow line 1:
daemons:  in.fingerd sshd
clients:  LOCAL
option:   spawn (/usr/sbin/safe_finger -l @client_hostname | /usr/bin/logger -t --FINGER-- -p local0.info "daemon_name-client_addr-client_hostname") &
access:   granted

>>> Rule /etc/hosts.allow line 2:
daemons:  sshd
clients:  .QEDux.co.za
option:   spawn (/usr/bin/logger -t --SSH-- -p local0.info "daemon_name-client_addr-client_hostname") &
access:   granted

>>> Rule /etc/hosts.allow line 3:
daemons:  vsftpd
clients:  172.16.1.
access:   granted

>>> Rule /etc/hosts.deny line 18:
daemons:  ALL
clients:  ALL
access:   denied

tcpdmatch examples:

tcpdmatch vsftpd 172.16.1.2

client:   address  172.16.1.2
server:   process  vsftpd
matched:  /etc/hosts.allow line 3
access:   granted

tcpdmatch sshd 172.16.1.2

client:   address  172.16.1.2
server:   process  sshd
matched:  /etc/hosts.deny line 18
access:   denied

Note that this result depends on the reverse lookup of 172.16.1.2 failing, which is why tcpdmatch prints no hostname line: LOCAL never matches an unknown name. Had the address resolved to the dotless name defender, rule 1 (which covers sshd as well as in.fingerd) would have matched and sshd would have been granted. Access decisions that hinge on LOCAL are therefore only as trustworthy as your reverse DNS.

tcpdmatch in.fingerd defender

client:   hostname defender
client:   address  172.16.1.2
server:   process  in.fingerd
matched:  /etc/hosts.allow line 1
option:   spawn (/usr/sbin/safe_finger -l @defender | /usr/bin/logger -t --FINGER-- -p local0.info "in.fingerd-172.16.1.2-defender") &
access:   granted
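To see why those three tcpdmatch runs come out the way they do, here is a small re-implementation of the hosts_access(5) matching that libwrap and tcpdmatch perform. It is an added example, not code from the original page or from the tcp_wrappers distribution. The hosts.allow and hosts.deny contents are constructed inline (the page's three rules plus a one-line ALL : ALL deny file, so the deny rule is reported at line 1 rather than the page's line 18), the hostname "unknown" stands for a client whose reverse lookup failed, and only the ALL/LOCAL/KNOWN/UNKNOWN wildcards, leading-dot domain, trailing-dot network, net/mask and exact patterns, the EXCEPT operator and the allow/deny options are implemented.

```python
"""Mini tcpdmatch (added example): reproduce libwrap's hosts_access decisions offline."""

import ipaddress

# Constructed copy of the page's /etc/hosts.allow, one rule per physical
# line so that reported line numbers agree with the tcpdchk output above.
HOSTS_ALLOW = """\
in.fingerd, sshd : LOCAL : spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/logger -t --FINGER-- -p local0.info "%d-%a-%h") &
sshd : .QEDux.co.za : spawn (/usr/bin/logger -t --SSH-- -p local0.info "%d-%a-%h") &
vsftpd : 172.16.1.
"""

# Constructed hosts.deny holding only the catch-all (on line 1 here; the
# page's real file has it on line 18 after comment lines).
HOSTS_DENY = "ALL : ALL\n"


def parse_rules(text):
    """Return [(line_no, daemons, clients, options)], joining backslash-continued
    lines and, like libwrap, reporting the physical line on which a rule ends."""
    rules, logical = [], ""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.strip() and not logical.lstrip().startswith("#"):
            fields = [f.strip() for f in logical.split(":", 2)]  # options may hold ':'
            if len(fields) < 2:
                raise ValueError("line %d: need 'daemons : clients'" % line_no)
            options = fields[2] if len(fields) == 3 else ""
            rules.append((line_no, fields[0], fields[1], options))
        logical = ""
    return rules


def string_match(pattern, string):
    """hosts_access(5) string patterns: ALL, LOCAL, leading-dot suffix,
    trailing-dot prefix, or an exact (case-insensitive) name or address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # dotless name; 'unknown' never qualifies
        return string != "unknown" and "." not in string
    if pattern.startswith("."):               # domain suffix, e.g. .QEDux.co.za
        return string.lower().endswith(pattern.lower())
    if pattern.endswith("."):                 # dotted-decimal prefix, e.g. 172.16.1.
        return string.startswith(pattern)
    return pattern.lower() == string.lower()


def host_match(pattern, hostname, address):
    """A client pattern is tried against the hostname and then the address;
    KNOWN/UNKNOWN and net/mask forms are special-cased as in libwrap."""
    if pattern == "KNOWN":
        return hostname != "unknown"
    if pattern == "UNKNOWN":
        return hostname == "unknown"
    if "/" in pattern:                        # net/mask, e.g. 172.16.0.0/255.255.0.0
        try:
            return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return string_match(pattern, hostname) or string_match(pattern, address)


def list_match(pattern_list, match_one):
    """'list_1 EXCEPT list_2' (nesting to the right, as the man page specifies):
    a member of list_1 matches unless list_2 also matches."""
    left, _, right = pattern_list.partition(" EXCEPT ")
    if not any(match_one(tok) for tok in left.replace(",", " ").split()):
        return False
    return not list_match(right, match_one) if right else True


def hosts_access(daemon, hostname, address, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide like libwrap/tcpdmatch: the first hosts.allow match grants, else
    the first hosts.deny match denies, else access is granted. An explicit
    'allow'/'deny' option on the matching rule overrides the file's verdict.
    Returns (granted, "file line N") for comparison with tcpdmatch output."""
    for fname, text, verdict in (("/etc/hosts.allow", allow_text, True),
                                 ("/etc/hosts.deny", deny_text, False)):
        for line_no, daemons, clients, options in parse_rules(text):
            if not list_match(daemons, lambda p: string_match(p, daemon)):
                continue
            if not list_match(clients, lambda p: host_match(p, hostname, address)):
                continue
            for opt in (o.strip() for o in options.split(":") if o.strip()):
                if opt in ("allow", "deny"):
                    verdict = opt == "allow"
            return verdict, "%s line %d" % (fname, line_no)
    return True, "no match (default grant)"


if __name__ == "__main__":
    # The page's three tcpdmatch runs, plus the case the LOCAL pattern makes
    # risky: 172.16.1.2 is denied sshd while its name is unknown, but granted
    # as soon as reverse DNS returns the dotless name 'defender'.
    for probe in (("vsftpd", "unknown", "172.16.1.2"),
                  ("sshd", "unknown", "172.16.1.2"),
                  ("in.fingerd", "defender", "172.16.1.2"),
                  ("sshd", "defender", "172.16.1.2")):
        granted, where = hosts_access(*probe)
        print("%-10s %-9s %-11s %s (%s)" % (probe + ("granted" if granted else "denied", where)))
```

Run it as a script to get the four decisions; pass your own file contents as allow_text and deny_text to check a rule set before deploying it. The spawn commands are parsed but deliberately not executed.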

In conclusion, tcp-wrappers are a convenient way to add host-based access control to services on your system. Note, however, that the rules only take effect for services that pass through the wrapper library: either a service started from inetd through the tcpd wrapper program (xinetd, used on more modern Linux distributions, consults the same files when built with libwrap support), or a standalone daemon such as vsftpd or sshd that was compiled and linked against libwrap. You can confirm the latter by checking the daemon binary's shared-library dependencies with ldd for libwrap. An application that is neither started through tcpd nor linked against libwrap ignores hosts.allow and hosts.deny entirely, whatever tcpdchk and tcpdmatch report.