Chapter 16: tcp_wrappers

Source: Internet
Author: User

16.1 tcp_wrappers Introduction

TCP wrappers (Transmission Control Protocol wrappers) provides enhanced security for services started by inetd. TCP wrappers is a replacement for using /etc/inetd.sec.

The TCP wrappers provides protection against host name and host address spoofing. Spoofing is a method of masquerading as a valid user or host to gain unauthorized access to the system.


tcp_wrapper is an access control layer for applications that are developed on top of the TCP protocol and provide their service over it.

tcp_wrapper is generally translated as "TCP wrapper". It can listen on a TCP service, check the application that attempts to access a given socket from a given host range, and enforce authorized access.


16.2 tcp_wrappers Working mode

TCP wrappers uses access control lists (ACLs) to prevent spoofing. The ACLs are the lists of systems in the /etc/hosts.allow and /etc/hosts.deny files.

TCP wrappers provides some protection against IP spoofing when configured to verify host name-to-IP address mapping and to deny IP-source-routed packets.


16.3 Tcp_wrappers Working principle

It wraps a layer of security checking around the TCP services the server provides out of the box. An incoming connection request first passes through this security check, and only after it is accepted by the check can it reach the system service.


As part of the client/server model, TCP wrapper relies on the /etc/hosts.allow and /etc/hosts.deny files as the basis for a simple access control language that can be used with any daemon program linked against libwrap.so. The rule of the access control language is: based on the client address and the daemon program the client tries to access, selectively allow the client to access that daemon program on the local system.


Simply put, tcp_wrapper itself is a daemon that works on the TCP protocol. iptables works in the kernel's TCP/IP stack, whereas tcp_wrapper works at the TCP protocol layer of the kernel's TCP/IP stack: it starts a process at the entrance of TCP to monitor requests for each TCP service, compares each request against the allow rules and deny rules in the tcp_wrapper configuration files, and takes the corresponding action (allow or deny access) when a rule matches.


tcp_wrapper works at a single position through which every TCP packet must pass. Because it works at the TCP protocol layer, which is above the network layer where iptables works, it can be used together with iptables. But once tcp_wrapper has made its control decision, iptables does not need to control the same traffic; likewise, once iptables has made its decision, tcp_wrapper does not need to.

So, since iptables can also do access control, why use tcp_wrapper? One reason is that the tcp_wrapper configuration is very simple and tcp_wrapper is a user-space tool. On the other hand, tcp_wrapper can only control access to applications that are developed on the TCP protocol and call the libwrap library, whereas iptables has no such limitation.


tcp_wrapper implements its function through library calls: the application calls the libwrap library.

Only applications that are developed on the TCP protocol and call the libwrap library can have their access controlled by tcp_wrapper.

The following two methods determine whether a service can be controlled by tcp_wrapper:

a) Dynamically linked program: use the ldd command (ldd /path/to/program); if the libwrap library is listed, the program supports tcp_wrapper control.

b) Statically linked program: use the strings command (strings /path/to/program) to inspect the program file; if the following strings appear, the program supports tcp_wrapper control:

hosts.allow

hosts.deny


16.4 tcp_wrapper Configuration

16.4.1 tcp_wrapper configuration file

tcp_wrapper has two configuration files: /etc/hosts.allow and /etc/hosts.deny.


16.4.2 tcp_wrapper Configuration

Access control rules are defined per service in the configuration files; rules written to the files take effect immediately.


Configuration file syntax:

daemon_list : client_list [: options]

Common daemon_list formats:

The file name of the application (the program name), not the service name

A list of application file names separated by commas, for example: sshd,vsftpd

ALL: all services

Common client_list formats:

IP address

Host name

Network address: a full-format mask must be used (such as 255.255.255.0); a prefix-format mask (such as /24) cannot be used

Short-format network address: for example, 172.16. means 172.16.0.0/255.255.0.0

ALL: all hosts

KNOWN: all hosts whose host name can be resolved

UNKNOWN: all hosts whose host name cannot be resolved

PARANOID: hosts whose forward (name-to-address) and reverse (address-to-name) lookups do not match

EXCEPT: exclusion. For example, defined in the hosts.allow file as follows:

vsftpd: 172.16. EXCEPT 172.16.100.1
    Allows hosts in the 172.16. network (except 172.16.100.1) to access vsftpd.

vsftpd: 172.16. EXCEPT 172.16.100.0/255.255.255.0 EXCEPT 172.16.100.1
    Allows hosts in the 172.16. network (except the 172.16.100.0 subnet) plus the host 172.16.100.1 to access vsftpd.

Commonly used [options]:

deny: deny; mainly used in the hosts.allow file to deny a matching client there

allow: allow; mainly used in the hosts.deny file to permit a matching client there

spawn: launches an additional program, often used for logging. For example, defined in the hosts.deny file as follows:

vsftpd: ALL: spawn /bin/echo `date` login attempt from %c to %s,%d >> /var/log/vsftpd.deny.log
    Denies everyone access to vsftpd; whenever someone tries to connect, a line is logged to the /var/log/vsftpd.deny.log file.

%c: client information (normally the client IP address)

%s: server information (normally the server IP address)

%d: daemon name


tcp_wrapper rule check logic:

a) The client request is first checked against /etc/hosts.allow; if a rule matches (Y), access is allowed.

b) If no rule in /etc/hosts.allow matches (N), the request is checked against /etc/hosts.deny; if a rule matches (Y), access is denied.

c) If no rule in either file matches, access is allowed.
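As an added illustration (not code from the original post or from the tcp_wrappers project), the following Python script models the rule check logic above with the page's own constructs: daemon lists, ALL, short-format network addresses, full-format masks (rejecting a /24 prefix mask), the EXCEPT chains from 16.4.2, and the deny/allow options. The two sample files are constructed here and are not a real host's configuration.

```python
import ipaddress

# Constructed sample files mirroring the page's 16.4.2 examples (not a real host's config).
HOSTS_ALLOW = """
# 'deny' inside hosts.allow: block one host although the file is the allow list
sshd: 172.16.100.1 : deny
# 172.16.* may use sshd/vsftpd, except the 172.16.100.0/24 subnet, except 172.16.100.1
sshd,vsftpd: 172.16. EXCEPT 172.16.100.0/255.255.255.0 EXCEPT 172.16.100.1
"""
HOSTS_DENY = """
vsftpd: ALL : spawn /bin/echo `date` login attempt from %c to %s,%d >> /var/log/vsftpd.deny.log
"""

def _match_pattern(pattern, name):
    """Match one list item: ALL, an exact name/address, net/full-mask, or a short 'a.b.' prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # network address with a mask
        net, mask = pattern.split("/", 1)
        if "." not in mask:                 # the page: prefix masks such as /24 are not accepted
            raise ValueError(f"{pattern}: use a full-format mask such as 255.255.255.0")
        return ipaddress.ip_address(name) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):               # short-format network address, e.g. "172.16."
        return name.startswith(pattern)
    return name == pattern

def _match_list(expr, name):
    """'A EXCEPT B EXCEPT C' matches A unless the name also matches 'B EXCEPT C'."""
    head, _, rest = expr.partition(" EXCEPT ")
    matched = any(_match_pattern(p, name) for p in head.replace(",", " ").split())
    return matched and not (rest and _match_list(rest, name))

def _rules(text):
    """Yield (daemon_list, client_list, options) from 'daemon_list : client_list [: options]'."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = [f.strip() for f in line.split(":", 2)] + [""]
            yield fields[0], fields[1], fields[2]

def check(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the page's order: first match in hosts.allow wins, then hosts.deny, else allow."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in _rules(text):
            if _match_list(daemons, daemon) and _match_list(clients, client):
                # an explicit allow/deny option overrides the file the rule lives in
                opts = {o.split()[0] for o in options.split(":") if o.strip()}
                return "deny" if "deny" in opts else "allow" if "allow" in opts else verdict
    return "allow"                          # matched by neither file
```

Note that sshd from 172.16.100.7 ends up allowed even though it is carved out of the hosts.allow rule, because the sample hosts.deny only covers vsftpd: a hosts.deny entry such as ALL: ALL is what turns the default into deny.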


The figure below shows the tcp_wrapper workflow (image not reproduced: tcp_wrapper workflow.png).


This article is from the "Home" blog; please make sure to keep this source: http://itchentao.blog.51cto.com/5168625/1943001
