Security: Tcp_wrappers and FreeBSD 4

(last edit: 2001-06-28)

Introduction

Tcp_wrappers is a method of allowing or denying hosts/users to specific daemons. This is offcourse a simple explanation but this is no tcp_wrappers papper (see Wietse Venema's site for papers). This document will explain what daemons can work with tcp_wrappers and how.

FreeBSD 4

In FreeBSD 4.X tcp_wrappers is part of the base system. This means: it's already there, in the form of '/usr/lib/libwrap.so.3'. Nowadays allot of daemons come with build in support for tcp_wrappers, including 'inetd' an 'sshd'. I guess it could be possible to download the latest source and install it as a standalone daemon but I haven't tried it out. If you want to read more about tcp_wrappers in the manpages try these:
  • man 5 hosts_access
  • man 5 hosts_options
  • man 8 tcpdchk
  • man 8 tcpdmatch
You can find out if a daemon is supporting tcp_wrappers with the 'ldd' command: root@host:~/#ldd `which inetd` /usr/sbin/inetd: libutil.so.3 => /usr/lib/libutil.so.3 (0x2806b000) libwrap.so.3 => /usr/lib/libwrap.so.3 (0x28074000) libipsec.so.1 => /usr/lib/libipsec.so.1 (0x2807c000) libc.so.4 => /usr/lib/libc.so.4 (0x28082000) root@host:~/# The command "ldd `which inetd`" has the same result as "ldd /usr/sbin/inetd". As you can see inetd has a shared object named 'libwrap.so'. If you try 'ftp' you'll get: root@host:/usr/libexec#ldd ftpd ftpd: libskey.so.2 => /usr/lib/libskey.so.2 (0x28073000) libmd.so.2 => /usr/lib/libmd.so.2 (0x2807a000) libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28084000) libutil.so.3 => /usr/lib/libutil.so.3 (0x28099000) libpam.so.1 => /usr/lib/libpam.so.1 (0x280a2000) libc.so.4 => /usr/lib/libc.so.4 (0x280ab000) root@host:~/# As you can see there is no support for tcp_wrappers. But normaly you would run tcpd from inetd and inetd has support build in :-)

Configuration

A good document to read before you start is the sample '/etc/hosts.allow' file. Before you start changing that file make sure you have a way to get into the system when you lock yourself out (e.g. ordinary keyboard/monitor access). The '/etc/hosts.deny' file is depreciated bij FreeBSD and it is better (IMHO) to have all these rules in one file: '/etc/hosts.allow'. Because of the size of the default '/etc/hosts.allow' file I alway completely empty it. Then put in the line "ALL : ALL : DENY" . This wil block out everything. Now start allowing services, make sure the above line is the last one in the file, here are some examples: sshd : ALL : ALLOW allow ssh from everywhere sshd : 192.168.1. 127.0.0.1 : ALLOW allow ssh from localhost and the subnet 192.168.1 sshd : evil.crackers.org : DENY deny ssh from evil.crackers.org So an example file would be something like this: sshd : ALL : ALLOW ftpd : 192.168.1. : ALLOW ALL : ALL : DENY There are allot more options to use, read the previous mentioned manpages to find out.

Click here to go back to the index.