Security: Tcp_wrappers and FreeBSD 4
(last edit: 2001-06-28)
                   
Introduction

Tcp_wrappers is a method of allowing or denying hosts/users to specific daemons. This is
offcourse a simple explanation but this is no tcp_wrappers papper (see 
Wietse Venema's site for papers). This document will
explain what daemons can work with tcp_wrappers and how.


FreeBSD 4

In FreeBSD 4.X tcp_wrappers is part of the base system. This means: it's already there,
in the form of '/usr/lib/libwrap.so.3'. Nowadays allot of daemons come with build in
support for tcp_wrappers, including 'inetd' an 'sshd'. I guess it could be possible to 
download the latest source and install it as a standalone daemon but I haven't tried it 
out. 

If you want to read more about tcp_wrappers in the manpages try these:

    
  
  • man 5 hosts_access
  
  • man 5 hosts_options 
  
  • man 8 tcpdchk
  
  • man 8 tcpdmatch



You can find out if a daemon is supporting tcp_wrappers with the 'ldd' command:

root@host:~/#ldd `which inetd`
/usr/sbin/inetd:
        libutil.so.3 => /usr/lib/libutil.so.3 (0x2806b000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28074000)
        libipsec.so.1 => /usr/lib/libipsec.so.1 (0x2807c000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28082000)

root@host:~/#

The command "ldd `which inetd`" has the same result as "ldd /usr/sbin/inetd". As you can
see inetd has a shared object named 'libwrap.so'.

If you try 'ftp' you'll get:

root@host:/usr/libexec#ldd ftpd
ftpd:
        libskey.so.2 => /usr/lib/libskey.so.2 (0x28073000)
        libmd.so.2 => /usr/lib/libmd.so.2 (0x2807a000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28084000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x28099000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x280a2000)
        libc.so.4 => /usr/lib/libc.so.4 (0x280ab000)

root@host:~/#

As you can see there is no support for tcp_wrappers. But normaly you would run tcpd from
inetd and inetd has support build in :-)


Configuration

A good document to read before you start is the sample '/etc/hosts.allow' file. Before you
start changing that file make sure you have a way to get into the system when you lock
yourself out (e.g. ordinary keyboard/monitor access).

The '/etc/hosts.deny' file is depreciated bij FreeBSD and it is better (IMHO) to have all
these rules in one file: '/etc/hosts.allow'.

Because of the size of the default '/etc/hosts.allow' file I alway completely empty it.
Then put in the line "ALL : ALL : DENY" . This wil block out everything. Now start 
allowing services, make sure the above line is the last one in the file, here are some
examples:

  sshd : ALL : ALLOW                    allow ssh from everywhere
  sshd : 192.168.1. 127.0.0.1 : ALLOW   allow ssh from localhost and the subnet 192.168.1
  sshd : evil.crackers.org : DENY       deny ssh from evil.crackers.org


So an example file would be something like this:

  sshd : ALL        : ALLOW
  ftpd : 192.168.1. : ALLOW
  ALL  : ALL        : DENY

There are allot more options to use, read the previous mentioned manpages to find out.

Click here to go back to the index.