tcp_wrappers-7.6 (Monitor and filter incoming requests)

  1. Introduction
  2. Confirmation
  3. Stop network services you do not use
  4. Configuration
  5. Check
  6. Log file
  7. Safe Finger

Introduction

With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services. inetd starts the wrapper program tcpd instead of the real server; tcpd logs the client, checks it against /etc/hosts.allow and /etc/hosts.deny, and only when access is permitted executes the real server with the connection.

Confirmation

  • Confirm that inetd starts the service through the wrapper: in a wrapped entry the server-program field is /usr/sbin/tcpd and the real daemon is passed as its argument.
    # grep 'telnet' /etc/inetd.conf
    telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

Stop network services you do not use

  • Disable every inetd service you do not need; a service that is not started at all is safer than one that is merely wrapped.
  • Edit /etc/inetd.conf and comment the unwanted entries out with a leading #, then send inetd a SIGHUP (kill -HUP with its process id) so that it re-reads the file.
    ...
    #gopher stream  tcp     nowait  root    /usr/sbin/tcpd  gn
    ...
    #time   stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.timed
    #time   dgram   udp     wait    nobody  /usr/sbin/tcpd  in.timed
    ...
    
  • Check the current configuration. tcpdchk reads /etc/inetd.conf together with the access control files and reports problems such as daemon names in hosts.allow that do not correspond to an inetd entry:
    # tcpdchk -v
    Using network configuration file: /etc/inetd.conf
    

Configuration

  • Access control uses two files, consulted in this order:
    /etc/hosts.allow   the first matching entry grants access
    /etc/hosts.deny    the first matching entry denies access
    A (daemon, client) pair that matches neither file is granted access, and a missing file is treated as empty. Without a catch-all entry in /etc/hosts.deny the wrapper therefore only logs and blocks nothing.
  • Format of the host access control files
    daemon_list : client_list [ : option ... ]
    daemon_list is a list of one or more daemon process names (argv[0] values) or wildcards.
    client_list is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.
    List elements are separated by blanks or commas. The wildcard ALL matches everything and LOCAL matches any host name without a dot; list_1 EXCEPT list_2 matches whatever list_1 matches unless list_2 also matches it. The optional third field holds options, for example spawn shell_command, which runs the command (after the % expansion described under Safe Finger) whenever the entry matches.

  • PATTERNS
    The access control language implements the following patterns:
    1. A string that begins with a `.' character. A host name is matched if the last components of its name match the specified pattern. For example, the pattern `.tue.nl' matches the host name `wzv.win.tue.nl'.
    2. A string that ends with a `.' character. A host address is matched if its first numeric fields match the given string. For example, the pattern `131.155.' matches the address of (almost) every host on the Eindhoven University network (131.155.x.x).
    3. A string that begins with an `@' character is treated as an NIS (formerly YP) netgroup name. A host name is matched if it is a host member of the specified netgroup. Netgroup matches are not supported for daemon process names or for client user names.
    4. An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a `net/mask' pair. A host address is matched if `net' is equal to the bitwise AND of the address and the `mask'. For example, the net/mask pattern `131.155.72.0/255.255.254.0' matches every address in the range `131.155.72.0' through `131.155.73.255'.
  • /etc/hosts.deny (the catch-all: everything /etc/hosts.allow did not grant is denied)
    ALL: ALL
    
  • /etc/hosts.allow (daemon names are the argv[0] of the real server, so imapd rather than the service name imap from /etc/services)
    ALL: .hoge.bt
    in.ftpd: ALL
    ipop3d: ALL
    imapd: ALL
    
    Hosts under .hoge.bt may use every wrapped service; the last three entries open FTP, POP3 and IMAP to every client, so keep entries like these only for services that really must be reachable from outside.
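
  The matching rules above, as an added example that is not part of this page and not tcp_wrappers' own code: a small Python re-implementation of the hosts_access(5) evaluation, run against the two files just shown. It models the four client patterns listed above plus ALL and LOCAL, evaluates hosts.allow before hosts.deny and falls through to "granted" when nothing matches, and returns the matching file and line so the result can be compared with the tcpdmatch output in the Check section. Assumptions of the example: IPv4 only; NIS netgroups (@name), EXCEPT, the KNOWN/UNKNOWN/PARANOID wildcards and the options field are not handled; the address used for www.druknet.net.bt is a documentation address chosen here because the page masks the real one.

```python
# Added example: a minimal hosts_access(5) evaluator (not tcpd's own code).
import ipaddress

# Constructed copies of the two files shown on this page.
HOSTS_ALLOW = """\
ALL: .hoge.bt
in.ftpd: ALL
ipop3d: ALL
imapd: ALL
"""
HOSTS_DENY = """\
ALL: ALL
"""


def parse_rules(text):
    """Return (line_number, daemon_list, client_list) per entry.

    Comments and blank lines are skipped.  A third field (options such as
    'spawn ...') is accepted but ignored in this example.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError("line %d: expected 'daemon_list: client_list'" % lineno)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((lineno, daemons, clients))
    return rules


def daemon_matches(pattern, daemon):
    """Daemon patterns: the wildcard ALL or the exact argv[0] name."""
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, hostname, address):
    """The client patterns from hosts_access(5), IPv4 only."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # host name without a dot
        return "." not in hostname
    if pattern.startswith("@"):
        raise NotImplementedError("NIS netgroups are not modelled here")
    if pattern.startswith("."):                  # '.tue.nl' matches 'wzv.win.tue.nl'
        return (len(hostname) > len(pattern)
                and hostname.lower().endswith(pattern.lower()))
    if pattern.endswith("."):                    # '131.155.' matches 131.155.x.x
        return address.startswith(pattern)
    if "/" in pattern:                           # 'net/mask': (addr & mask) == net
        net, mask = pattern.split("/", 1)
        addr_bits = int(ipaddress.IPv4Address(address))
        net_bits = int(ipaddress.IPv4Address(net))
        mask_bits = int(ipaddress.IPv4Address(mask))
        return (addr_bits & mask_bits) == net_bits
    # Anything else must equal the host name or the address exactly.
    return pattern.lower() == hostname.lower() or pattern == address


def hosts_access(daemon, hostname, address, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Evaluate in tcpd's order: the first match in hosts.allow grants,
    otherwise the first match in hosts.deny denies, otherwise access is
    granted.  Returns (verdict, file, line); file and line are None when
    no entry matched at all."""
    for fname, text, verdict in (("/etc/hosts.allow", allow, "granted"),
                                 ("/etc/hosts.deny", deny, "denied")):
        for lineno, daemons, clients in parse_rules(text):
            if (any(daemon_matches(d, daemon) for d in daemons)
                    and any(client_matches(c, hostname, address) for c in clients)):
                return verdict, fname, lineno
    return "granted", None, None      # nothing matched: tcpd lets it through


if __name__ == "__main__":
    # The two tcpdmatch checks from this page (203.0.113.5 is a constructed
    # documentation address; the page masks the real one).
    for daemon, host, addr in (("in.ftpd", "hoge.hoge.bt", "192.168.1.10"),
                               ("in.telnetd", "www.druknet.net.bt", "203.0.113.5")):
        verdict, fname, lineno = hosts_access(daemon, host, addr)
        print("%-11s %-20s matched %s line %s: %s" % (daemon, host, fname, lineno, verdict))
    # The pitfall of the evaluation order: with an empty hosts.deny the
    # outside telnet request is granted, not denied.
    print(hosts_access("in.telnetd", "www.druknet.net.bt", "203.0.113.5", deny=""))
```

  The last call in the usage section shows why the ALL: ALL entry in /etc/hosts.deny matters: with that file empty the outside telnet request falls through and is granted.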
    

Check

  • Check the current configuration. tcpdchk -v lists every entry it finds, in the order tcpd evaluates them:
    # tcpdchk -v
    Using network configuration file: /etc/inetd.conf
    
    >>> Rule /etc/hosts.allow line 6:
    daemons:  ALL
    clients:  .hoge.bt
    access:   granted
    
    >>> Rule /etc/hosts.allow line 7:
    daemons:  in.ftpd
    clients:  ALL
    access:   granted
    
    >>> Rule /etc/hosts.allow line 8:
    daemons:  ipop3d
    clients:  ALL
    access:   granted
    
    >>> Rule /etc/hosts.allow line 9:
    daemons:  imapd
    clients:  ALL
    access:   granted
    
    >>> Rule /etc/hosts.deny line 11:
    daemons:  ALL
    clients:  ALL
    access:   denied
    
  • Check what a given client would get for a service. tcpdmatch evaluates the rules for a daemon/client pair without making a connection and reports which entry decided the result:
    # tcpdmatch in.ftpd hoge
    warning: hoge: hostname alias
    warning: (official name: hoge.hoge.bt)
    client:   hostname hoge.hoge.bt
    client:   address  192.168.1.10
    server:   process  in.ftpd
    matched:  /etc/hosts.allow line 6
    access:   granted
    # tcpdmatch in.telnetd www.druknet.net.bt
    warning: www.druknet.net.bt: hostname alias
    warning: (official name: www.druknet.net.bt)
    client:   hostname www.druknet.net.bt
    client:   address  ***.***.***.***
    server:   process  in.telnetd
    matched:  /etc/hosts.deny line 11
    access:   denied
    No entry in /etc/hosts.allow matches in.telnetd for this client, so the check falls through to the ALL: ALL entry in /etc/hosts.deny, and that is the entry tcpdmatch reports.
    

Log file

  • /var/log/secure. tcpd logs every connection through syslog (on this system the messages land in /var/log/secure): an accepted connection appears as "connect from", a rejected one as "refused connect from". The FAILED LOGIN line comes from login, not from the wrapper; read together, the two show who reached the telnet daemon and what they tried once connected.
    ...
    Aug 20 13:49:03 hoge in.telnetd[3035]: connect from 192.168.1.5
    Sep  1 17:31:29 hoge login: FAILED LOGIN 1 FROM 192.168.1.117 FOR root, Authentication failure
    ...
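
  Added example, not part of this page: a short Python script that picks the tcpd lines out of /var/log/secure and counts, per client address, how many connections each wrapped service accepted or refused, so that a client repeatedly hitting refused services stands out. The sample log is constructed for the example: the "connect from" and FAILED LOGIN lines are the ones shown above, the "refused connect from" lines use the wording tcpd logs for a rejected connection, and 203.0.113.7 is a documentation address.

```python
# Added example: summarise tcpd "connect from" / "refused connect from"
# lines from a syslog file (not part of tcp_wrappers).
import re
from collections import defaultdict

# Constructed sample of /var/log/secure.
SAMPLE_LOG = """\
Aug 20 13:49:03 hoge in.telnetd[3035]: connect from 192.168.1.5
Aug 20 13:50:11 hoge in.telnetd[3040]: refused connect from 203.0.113.7
Aug 20 13:50:12 hoge in.ftpd[3041]: refused connect from 203.0.113.7
Aug 20 13:50:40 hoge in.telnetd[3042]: refused connect from 203.0.113.7
Sep  1 17:31:29 hoge login: FAILED LOGIN 1 FROM 192.168.1.117 FOR root, Authentication failure
"""

# syslog prefix, then "daemon[pid]: [refused ]connect from <client>".
# tcpd writes the client as a host name, an address, or user@host.
TCPD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<refused>refused )?connect from (?P<client>\S+)$")


def parse_tcpd_line(line):
    """Return a dict for a tcpd connect/refused line, None for anything else
    (for example the login line, which is not written by the wrapper)."""
    m = TCPD_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    client = m.group("client")
    if "@" in client:                     # drop an ident user name if present
        client = client.rsplit("@", 1)[1]
    return {"time": m.group("ts"), "daemon": m.group("daemon"),
            "pid": int(m.group("pid")), "client": client,
            "refused": m.group("refused") is not None}


def summarize(lines):
    """Map client -> {'granted': n, 'refused': n, 'daemons': set()}."""
    stats = defaultdict(lambda: {"granted": 0, "refused": 0, "daemons": set()})
    for line in lines:
        rec = parse_tcpd_line(line)
        if rec is None:
            continue
        entry = stats[rec["client"]]
        entry["refused" if rec["refused"] else "granted"] += 1
        entry["daemons"].add(rec["daemon"])
    return dict(stats)


def noisy_clients(lines, threshold=3):
    """Clients refused at least `threshold` times: candidates for a firewall
    rule, and worth correlating with login failures like the one above."""
    return sorted(c for c, s in summarize(lines).items() if s["refused"] >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, s in sorted(summarize(lines).items()):
        print("%-16s granted=%d refused=%d daemons=%s"
              % (client, s["granted"], s["refused"], ",".join(sorted(s["daemons"]))))
    print("noisy:", noisy_clients(lines))
```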
    

Safe Finger

    When an entry matches, the wrapper can run a command. Here every refused connection triggers a finger query back to the client host and the result is mailed to you, so you can see the remote host name, who is logged in there, the time, and so on. safe_finger is used instead of finger because it filters control characters and limits the amount of data a hostile host can send back. Keep in mind that the command runs with the privileges of the wrapped daemon (root for most inetd services), and if in.fingerd is among your wrapped services write ALL EXCEPT in.fingerd in the daemon list, otherwise two hosts set up this way finger each other in a loop.
  • /etc/hosts.deny
    ALL: ALL: spawn (/usr/sbin/safe_finger -l @%h \
    	| /bin/mail -s "** ATTENTION ** wrapper_%d" hoge@hoge.bt) &
    
  • Parameters expanded in the shell command
    %a (%A)   client (server) host address
    %d        daemon process name
    %h (%H)   client (server) host name, or the address if the name is not known
    %p        daemon process id
    %u        client user name (ident lookup), or unknown if it cannot be determined
    %%        a single % character
    Shell metacharacters in the expanded values are replaced by underscores, so a client whose reverse DNS name contains shell syntax cannot inject commands into the spawned command line.

  • Sample of the mail received
    [210.167.212.20]
    Login: devil	Name:
    Directory: /home/devil	Shell: /bin/bash
    On since Sun Feb 20 06:23 (JST) on pts/0 from devil.com (messages off)
    No mail.
    No Plan.
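
  Added example, not part of this page and not tcpd's own code: the % expansion from the table above applied to the spawn command of the hosts.deny entry, including the sanitisation step tcpd performs on the expanded values before the shell sees them. The request attributes and the hostile host name are constructed, and the set of characters passed through unchanged is this example's own choice, modelled on tcpd's behaviour of turning shell metacharacters into underscores.

```python
# Added example: %<char> expansion for a hosts.allow/hosts.deny shell
# command, with the metacharacter sanitisation tcpd applies (this is an
# illustration, not tcpd's percent_x()).
import string

# Characters allowed through unchanged (an assumption of this example).
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "!@%-_=+:,./")

# Constructed request attributes, keyed by the expansion letter.
SAMPLE_REQUEST = {
    "a": "203.0.113.7",            # client address
    "A": "192.168.1.10",           # server address
    "d": "in.telnetd",             # daemon process name
    "h": "evil.example.net",       # client host name (or address)
    "H": "hoge.hoge.bt",           # server host name
    "p": "3040",                   # daemon process id
    "u": "unknown",                # client user name, or unknown
}


def sanitize(value):
    """Replace anything outside SAFE_CHARS by '_' so that a host name such as
    x;`rm -rf /` cannot become shell syntax inside the spawned command."""
    return "".join(c if c in SAFE_CHARS else "_" for c in value)


def percent_x(template, request):
    """Expand %a %A %d %h %H %p %u and %% in template.  An unrecognised
    %<char> expands to nothing (tcpd logs a warning in that case); a lone %
    at the very end of the template is copied as-is."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            key = template[i + 1]
            i += 2
            if key == "%":
                out.append("%")
            else:
                out.append(sanitize(request.get(key, "")))
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# The spawn command from the /etc/hosts.deny entry above.
RULE_COMMAND = ('/usr/sbin/safe_finger -l @%h '
                '| /bin/mail -s "** ATTENTION ** wrapper_%d" hoge@hoge.bt')

if __name__ == "__main__":
    print(percent_x(RULE_COMMAND, SAMPLE_REQUEST))
    # A hostile reverse-DNS name is neutralised before the shell sees it.
    hostile = dict(SAMPLE_REQUEST, h="x.example.net;`rm -rf /`")
    print(percent_x(RULE_COMMAND, hostile))
```

  Note that only the expanded values are sanitised; the characters of the template itself (the pipe, the quotes, the & that backgrounds the command) are yours and pass through untouched.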
    
