Introduction


In this article we demonstrate how to secure your Linux system by restricting access with TCP Wrappers (tcpd). Restricting access to your servers is a critical measure that should not be skipped when setting up a system: only the networks you have explicitly listed as trusted will be granted access to those services on your server that support TCP Wrappers. We will be using CentOS 6.4 64-bit as our host operating system, although the configuration is essentially the same on most major Linux distributions.

The rules


The access lists are validated against two files: /etc/hosts.allow and /etc/hosts.deny. Each file holds a set of rules that must be properly formatted to match the clients requesting access.

Syntax:

<daemon_list>: <client_list>[: <shell_command> ]

Where:

  • daemon_list — one or more process names or special wildcards, separated by whitespace.
  • client_list — one or more hostnames, host addresses, patterns, or wildcards, separated by whitespace, matched against the client when the daemon_list matches the requested service.
  • shell_command — an optional command that is executed when the rule matches.

The /etc/hosts.allow file


In this file you specify the allowed hosts or complete networks. First, open the /etc/hosts.allow file with your favourite editor.

[root@vps ~]$ sudo vi /etc/hosts.allow

You will be presented with an output similar to this:

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#

You will use this file to list the allowed networks that can connect to your Linux server. The access control language is based on client (hostname/address, username) and server (process name, hostname/address) patterns. For the complete access control language, refer to the hosts_access(5) and hosts_options(5) man pages.

You can also get a complete list of daemon process names from the inetd (or xinetd) configuration. Bear in mind that the access control software consults only these two files and stops validating at the first match, so be careful about the order in which you list your permitted networks so as not to lock yourself out. Also, hosts_access(5) documents comments only as lines that begin with #, so keep comments on lines of their own rather than after a rule. Now, let us start by entering our allowed host/network for the SSH service:

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 123.123.123.1

With this configuration, SSH access to your machine is denied to all hosts except the client 123.123.123.1, assuming you deny everything in the /etc/hosts.deny file.

The /etc/hosts.deny file


In the /etc/hosts.deny file you specify the hosts and networks to be refused access to the desired services. Open /etc/hosts.deny with your editor.

[root@vps ~]$ sudo vi /etc/hosts.deny

You will be presented with an output similar to this:

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#

To deny access to ANY other host that is not listed in /etc/hosts.allow, specify the non-permitted networks, or the ALL directive, in the /etc/hosts.deny file as follows:

[root@vps ~]$ sudo vi /etc/hosts.deny

Output:

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
# You could also have written: sshd: ALL
sshd: *

This rule refuses SSH access to ALL hosts other than those listed in /etc/hosts.allow. You can use either the * symbol or the ALL directive; both mean the same. Specify one directive per line, adding as many rules as you need, but always be careful about the order of precedence and remember that access control stops validating at the first matching rule.
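The evaluation order described here, together with the rule syntax from "The rules" above, can be checked offline with the following script. It is an example written for this article, not part of tcp_wrappers: it implements only the subset of the hosts_access(5) language used on this page (daemon names or ALL; client tokens ALL, shell-style * patterns, exact IPv4 addresses and n.n.n.n/m.m.m.m net/mask pairs), applies the first-match order of hosts.allow, then hosts.deny, then the default grant, and runs the article's own rules against a few constructed client addresses.

```python
"""Evaluate tcp_wrappers hosts.allow / hosts.deny rules for an IPv4 client.

Example code written for this article, not part of tcp_wrappers. Options,
EXCEPT, hostnames, netgroups and IPv6 are deliberately not handled.
"""

import fnmatch
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon_list tokens, client_list tokens)


def parse_rules(text: str) -> List[Rule]:
    """Turn file contents into (daemon_list, client_list) token pairs.

    Only lines whose first character is '#' are comments, as hosts_access(5)
    documents; anything after a second ':' is the optional shell command or
    option field and is ignored here.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"missing ':' separator in rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def daemon_matches(tok: str, daemon: str) -> bool:
    """A daemon token matches the wildcard ALL or the exact process name."""
    return tok == "ALL" or tok == daemon


def client_matches(tok: str, client_ip: str) -> bool:
    """Match one client_list token against a dotted-quad IPv4 address."""
    if tok == "ALL":
        return True
    if "*" in tok or "?" in tok:
        # The Linux build of tcp_wrappers accepts shell-style patterns,
        # so a bare '*' matches every client.
        return fnmatch.fnmatchcase(client_ip, tok)
    addr = int(ipaddress.IPv4Address(client_ip))
    if "/" in tok:
        # 'net/mask' form: the client is in the network when
        # (client AND mask) equals net, which is how tcp_wrappers tests it.
        net, mask = tok.split("/", 1)
        net_int = int(ipaddress.IPv4Address(net))
        mask_int = int(ipaddress.IPv4Address(mask))
        return (addr & mask_int) == net_int
    return addr == int(ipaddress.IPv4Address(tok))


def rule_matches(rule: Rule, daemon: str, client_ip: str) -> bool:
    daemons, clients = rule
    return any(daemon_matches(t, daemon) for t in daemons) and any(
        client_matches(t, client_ip) for t in clients
    )


def hosts_access(allow_text: str, deny_text: str, daemon: str,
                 client_ip: str) -> Tuple[bool, Optional[str]]:
    """Apply the hosts_access(5) decision order.

    The first matching rule in hosts.allow grants access; otherwise the
    first matching rule in hosts.deny refuses it; otherwise access is
    granted. Returns (granted, file that decided, or None for the default).
    """
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return True, "hosts.allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return False, "hosts.deny"
    return True, None


# Rule sets from this article (constructed copies, comments on their own line).
ALLOW = """\
# Allow one host and two prefixes for SSH, and one host for FTP
sshd: 123.123.123.1
sshd: 123.123.123.0/255.255.255.224
sshd: 123.122.0.0/255.254.0.0
vsftpd: 123.123.123.1
"""
DENY_ALL = "ALL: ALL\n"
DENY_SSH_ONLY = "sshd: *\n"

if __name__ == "__main__":
    # Constructed client addresses: exact host, last address of the /27,
    # an address outside the /27 but inside the /15, and two unrelated ones.
    for daemon, ip in [("sshd", "123.123.123.1"), ("sshd", "123.123.123.31"),
                       ("sshd", "123.123.0.5"), ("sshd", "10.2.2.1"),
                       ("vsftpd", "123.123.123.20")]:
        print(daemon, ip, hosts_access(ALLOW, DENY_ALL, daemon, ip))
    # Denying only sshd leaves every other wrapped service at the default grant.
    print("vsftpd from 10.2.2.1 with only 'sshd: *' denied:",
          hosts_access(ALLOW, DENY_SSH_ONLY, "vsftpd", "10.2.2.1"))
```

Note that the /15 rule 123.122.0.0/255.254.0.0 spans 123.122.0.0 through 123.123.255.255, so it already covers the single host and the /27 in the article's hosts.allow; the script shows 123.123.0.5 being granted SSH by that rule. On a real host, the tcp_wrappers package's tcpdchk(8) checks both files for syntax problems and tcpdmatch(8) reports how a given daemon/client pair would be decided.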


Deny access to a bigger network targeting more services.


Another, more complete example, limiting access to the SSH and FTP services, could be:

[root@vps ~]$ sudo vi /etc/hosts.allow

Output:

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
# /etc/hosts.allow rules
# Allow a single host for SSH
sshd: 123.123.123.1
# Allow a /27 prefix for SSH
sshd: 123.123.123.0/255.255.255.224
# Allow a /15 prefix for SSH
sshd: 123.122.0.0/255.254.0.0
# Allow a single host for FTP
vsftpd: 123.123.123.1
# Allow a /27 prefix for FTP
vsftpd: 123.123.123.0/255.255.255.224
# Allow a /15 prefix for FTP
vsftpd: 123.122.0.0/255.254.0.0

Deny access to ALL services and networks.


You can deny access to all services from all networks not listed in the /etc/hosts.allow file. For instance:

[root@vps ~]$ sudo vi /etc/hosts.deny

Output:

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
# This refuses connections to ALL services from ALL networks
ALL: ALL

That is it. You should now have fully operational access control with TCP Wrappers (tcpd) running on your VPS. You can verify that traffic is being refused or allowed by checking /var/log/secure:

[root@vps ~]$ sudo cat /var/log/secure

You should see an output like this:

Oct 20 22:49:14 vps sshd[6559]: refused connect from 123.123.0.5 (123.123.0.5)
Oct 21 00:33:11 vps sshd[7136]: refused connect from 10.2.2.1 (10.2.2.1)
Oct 21 03:53:24 vps sshd[7287]: refused connect from 192.168.1.1 (192.168.1.1)
Oct 22 12:24:08 vps sshd[18548]: Accepted password for root from 123.123.123.1 port 52908 ssh2
Oct 22 12:24:08 vps sshd[18548]: pam_unix(sshd:session): session opened for user root by (uid=0)

If you want to filter the output to show only the refused connection attempts, run the following command:

[root@vps ~]$ sudo grep refused /var/log/secure
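To go a step beyond grep, the following script (an example added for this article, not the author's) parses the "refused connect from" lines that libwrap writes to /var/log/secure, plus sshd's own "Accepted" lines, and counts refusals per daemon and source address so that repeated attempts from one source stand out. The sample log is the excerpt shown above, extended with one constructed extra refusal from 192.168.1.1.

```python
"""Summarise tcp_wrappers refusals recorded in /var/log/secure.

Example code added for this article, not part of tcp_wrappers or the
article's own material.
"""

import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the article's log excerpt plus one extra refused
# line for 192.168.1.1 so that repeat counting is visible.
SAMPLE_LOG = """\
Oct 20 22:49:14 vps sshd[6559]: refused connect from 123.123.0.5 (123.123.0.5)
Oct 21 00:33:11 vps sshd[7136]: refused connect from 10.2.2.1 (10.2.2.1)
Oct 21 03:53:24 vps sshd[7287]: refused connect from 192.168.1.1 (192.168.1.1)
Oct 21 03:53:40 vps sshd[7290]: refused connect from 192.168.1.1 (192.168.1.1)
Oct 22 12:24:08 vps sshd[18548]: Accepted password for root from 123.123.123.1 port 52908 ssh2
Oct 22 12:24:08 vps sshd[18548]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Classic syslog prefix: 'Mon dd HH:MM:SS host ' (day may be space-padded).
SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "

# libwrap refusal: '<daemon>[pid]: refused connect from <name> (<addr>)'.
# The parenthesised address is made optional in case only one form appears.
REFUSED = re.compile(
    SYSLOG_PREFIX
    + r"(?P<daemon>[\w.-]+)\[\d+\]: refused connect from (?P<src>\S+)"
    + r"(?: \((?P<addr>[^)]+)\))?$"
)
# sshd's own success line, kept for contrast with the wrapper refusals.
ACCEPTED = re.compile(
    SYSLOG_PREFIX
    + r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    + r"from (?P<addr>\S+) port \d+"
)


def summarise(lines: Iterable[str]) -> Dict[str, Dict[tuple, int]]:
    """Count refusals per (daemon, address) and logins per (user, address)."""
    refused: Counter = Counter()
    accepted: Counter = Counter()
    for line in lines:
        m = REFUSED.match(line)
        if m:
            refused[(m["daemon"], m["addr"] or m["src"])] += 1
            continue
        m = ACCEPTED.match(line)
        if m:
            accepted[(m["user"], m["addr"])] += 1
        # Anything else (e.g. the pam_unix session line) carries no decision.
    return {"refused": dict(refused), "accepted": dict(accepted)}


def repeat_refusals(summary: Dict[str, Dict[tuple, int]],
                    threshold: int = 2) -> List[Tuple[str, str, int]]:
    """Sources refused at least `threshold` times, most frequent first."""
    hits = [(daemon, addr, n)
            for (daemon, addr), n in summary["refused"].items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG.splitlines())
    for (daemon, addr), n in sorted(result["refused"].items()):
        print(f"{daemon:8} refused {addr:16} x{n}")
    print("repeat offenders:", repeat_refusals(result))
```

Note that the refusal is logged under the name of the wrapped daemon (sshd[pid] in the sample), not under tcpd, which is why the daemon field is captured from the process name in the line; to run it on a live system, feed the output of the grep command above (or the whole file) into summarise() instead of SAMPLE_LOG.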


Thank you!