Security: Tcp_wrappers and FreeBSD 4 (last edit: 2001-06-28)
Tcp_wrappers is a method of allowing or denying hosts/users access to specific daemons.
This is of course a simplified explanation, but this is not a tcp_wrappers paper (see
Wietse Venema's site for papers). This document will
explain which daemons can work with tcp_wrappers and how.
In FreeBSD 4.X tcp_wrappers is part of the base system. This means it's already there,
in the form of '/usr/lib/libwrap.so.3'. Nowadays a lot of daemons come with built-in
support for tcp_wrappers, including 'inetd' and 'sshd'. I guess it could be possible to
download the latest source and install it as a standalone daemon but I haven't tried it.
If you want to read more about tcp_wrappers in the manpages try these:
- man 5 hosts_access
- man 5 hosts_options
- man 8 tcpdchk
- man 8 tcpdmatch
You can find out if a daemon supports tcp_wrappers with the 'ldd' command:
root@host:~/#ldd `which inetd`
libutil.so.3 => /usr/lib/libutil.so.3 (0x2806b000)
libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28074000)
libipsec.so.1 => /usr/lib/libipsec.so.1 (0x2807c000)
libc.so.4 => /usr/lib/libc.so.4 (0x28082000)
The command "ldd `which inetd`" has the same result as "ldd /usr/sbin/inetd". As you can
see inetd is linked against a shared object named 'libwrap.so'.
If you try 'ftp' you'll get:
libskey.so.2 => /usr/lib/libskey.so.2 (0x28073000)
libmd.so.2 => /usr/lib/libmd.so.2 (0x2807a000)
libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28084000)
libutil.so.3 => /usr/lib/libutil.so.3 (0x28099000)
libpam.so.1 => /usr/lib/libpam.so.1 (0x280a2000)
libc.so.4 => /usr/lib/libc.so.4 (0x280ab000)
As you can see there is no support for tcp_wrappers. But normally you would run tcpd from
inetd and inetd has support built in :-)
A good document to read before you start is the sample '/etc/hosts.allow' file. Before you
start changing that file make sure you have a way to get into the system when you lock
yourself out (e.g. ordinary keyboard/monitor access).
The '/etc/hosts.deny' file is deprecated by FreeBSD and it is better (IMHO) to have all
these rules in one file: '/etc/hosts.allow'.
Because of the size of the default '/etc/hosts.allow' file I always completely empty it.
Then put in the line "ALL : ALL : DENY". This will block out everything. Now start
allowing services, and make sure the above line stays the last one in the file. Here are some:
sshd : ALL : ALLOW                       allow ssh from everywhere
sshd : 192.168.1. 127.0.0.1 : ALLOW      allow ssh from localhost and the subnet 192.168.1
sshd : evil.crackers.org : DENY          deny ssh from evil.crackers.org
So an example file would be something like this:
sshd : ALL : ALLOW
ftpd : 192.168.1. : ALLOW
ALL : ALL : DENY
There are a lot more options to use; read the previously mentioned manpages to find out.
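The catch-all "ALL : ALL : DENY" has to come last because rules are checked top to bottom and the first match decides; the same applies to a DENY for a single host placed after a broad ALLOW. The script below is an added example, not part of the original page and not libwrap's own code: a simplified evaluator whose function names and two rule sets are constructed for illustration, and which takes the client as a single name or address.

```shell
# Simplified first-match evaluation of hosts.allow rules (added example).
# Assumptions: one "daemons : clients : ALLOW|DENY" rule per line, and only
# the patterns ALL, exact match, "192.168.1." prefixes and ".domain" suffixes.

# match_pat VALUE PATTERN: succeed when VALUE matches one pattern
match_pat() {
    case "$2" in
        ALL) return 0 ;;
        *.)  case "$1" in "$2"*) return 0 ;; esac ;;  # address prefix
        .*)  case "$1" in *"$2") return 0 ;; esac ;;  # domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# match_list VALUE LIST: succeed when any pattern in LIST matches VALUE
match_list() {
    for pat in $(printf '%s' "$2" | tr ',' ' '); do
        match_pat "$1" "$pat" && return 0
    done
    return 1
}

# decide RULES DAEMON CLIENT: print the action of the first matching rule
decide() {
    while IFS=: read -r daemons clients action; do
        case "$daemons" in ''|'#'*) continue ;; esac
        if match_list "$2" "$daemons" && match_list "$3" "$clients"; then
            printf '%s\n' "$action" | tr -d ' \t' | tr 'a-z' 'A-Z'
            return 0
        fi
    done <<EOF
$1
EOF
    echo ALLOW   # libwrap grants access when no rule matches
}

# Constructed rule sets: the DENY for one host placed after, then before,
# the broad ALLOW for the same daemon.
SHADOWED='sshd : ALL : ALLOW
sshd : evil.crackers.org : DENY
ALL : ALL : DENY'
ORDERED='sshd : evil.crackers.org : DENY
sshd : ALL : ALLOW
ALL : ALL : DENY'

decide "$SHADOWED" sshd evil.crackers.org   # ALLOW: the DENY is never reached
decide "$ORDERED"  sshd evil.crackers.org   # DENY
decide "$ORDERED"  ftpd 10.0.0.5            # DENY: caught by the final catch-all
```

For the real '/etc/hosts.allow', tcpdmatch(8) from the manpage list above predicts how a given daemon and client pair would be handled.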