Post: tcpwrapper Manual

From

http://echo.sharera.com/blog/BlogTopic/9379.htm

1 Preface

If you don't use tcpwrapper for a long time, you forget how to configure it and fumble it. Admittedly, conditions are much better now: there is either a hardware firewall or a software firewall, and nobody bothers with this kid's stuff any more. Still, I'd like to share this post with you. ^_^ tcpwrapper, as its name implies, wraps a TCP/IP application, for example telnet, ftp, ssh, exec, rsh, rlogin, finger or talk. What does wrapping mean? It does address filtering so that people you don't know cannot get into the host; this is also called an access control list. The working principle of tcpwrapper is really very simple. If telnet, ftp, ssh and the like are the doors into the host, tcpwrapper is the old man who keeps the door. When someone wants to get in through telnet, ftp or ssh, the old gatekeeper is not easily fooled: he checks the information you handed over when you asked for the host (that is, the client IP address) against his lists (the hosts.allow and hosts.deny files). If you are in the allow list, he lets you in and then shows you a welcome card. ^_^ If you are not in the allow list, or you are explicitly in the deny list (hosts.deny), well, he simply ignores you; go knock on someone else's door. In the early days we did not have much money on small projects and could not afford a hardware firewall, and on Solaris there was nothing as powerful as iptables on later Linux systems (I tried to compile iptables on Solaris yesterday and found that this cute little thing is rooted in the open-source soil of Linux and does not want to be transplanted to Solaris; it needs the Linux kernel to support it...). So I had to use the home-made equipment, tcpwrapper, which blocks many low-level visitors (note: low-level; whether it blocks the high-level ones I don't even know :). Now down to business!

2 Installation

There are two ways to install tcpwrapper: either install the compiled binary package directly, or compile the source yourself with your own customized Makefile variables. Both methods are briefly introduced here.

2.1 Binary package installation

Installing the binary package is very simple. Solaris provides a binary package format, which is similar to an .exe installer on Windows. These binary packages can be found on the SunFreeware website; they are shared by enthusiastic people who compile the software for you. By default, common GNU tools are installed under /usr/local, and packages exist for Solaris 7, Solaris 8 and Solaris 9. After obtaining the package file, run the following command to complete the installation:

    pkgadd -d <package_name>

2.2 Source package compilation and installation

If you want to enhance tcpwrapper (such as logging, or letting the visitor see a nice-looking welcome message ^_^), or do not want to install it in /usr/local, you need to download the source package and compile and install it yourself. The authors of tcpwrapper must be irresponsible...: the source package has no configure script, and it does not even have a make install target... Changing the Makefile by hand is really painful for anyone who knows nothing about C. So although I have always had the good habit of taking notes, I didn't leave a single word behind after compiling tcpwrapper... Cough, I ran off topic. Let's continue.

1. Unpack the tar.gz package

    gzip -d tcp_wrappers-7.6.tar.gz
    tar xvf tcp_wrappers-7.6.tar

One annoying point of Solaris tar is that the z option is not supported, so unpacking takes two commands. If you install GNU tar, you can use it instead. ^_^

2. Edit the Makefile

1) Remove the comment in front of REAL_DAEMON_DIR=/usr/sbin.

2) Add the following configuration items:

    WORKDIR = /usr/security
    SBINDIR = $(WORKDIR)/bin
    LIBDIR = $(WORKDIR)/lib
    INCDIR = $(WORKDIR)/include
    MANDIR = $(WORKDIR)/man
    BANNERS = $(WORKDIR)/banner

and modify the value of the TABLES parameter:

    TABLES = -DHOSTS_DENY=\"$(WORKDIR)/etc/hosts.deny\" -DHOSTS_ALLOW=\"$(WORKDIR)/etc/hosts.allow\"

These parameters specify the installation path, the executable path, the library path, the include file path, the man page path, the welcome message (banner) path, and the path of the access control list configuration files.

3) Add an install target (masters, don't laugh at this part, the method is very crude...; or, after laughing, leave your clever install method behind so I can learn from it ^_^). Note that the recipe lines under a Makefile target must start with a tab:

    install:
    	mkdir -p $(SBINDIR) $(LIBDIR) $(INCDIR) $(MANDIR)/man3 $(MANDIR)/man5 $(MANDIR)/man8 $(BANNERS)
    	cp tcpd tcpdchk tcpdmatch safe_finger try-from $(SBINDIR)
    	cp libwrap.a $(LIBDIR)
    	cp tcpd.h $(INCDIR)
    	cp *.3 $(MANDIR)/man3
    	cp *.5 $(MANDIR)/man5
    	cp *.8 $(MANDIR)/man8
    	make CC=gcc -f Banners.Makefile
    	cp in.* $(BANNERS)

4) Enhancement options: change FACILITY to LOG_LOCAL2. For tcpwrapper to record logs, syslog.conf must be modified accordingly (see 3.2.3).

5) Display a welcome message. If you want your host to show a welcome message to the visitor, you need to write a file named prototype by hand, for example:

    *************************************
    Hello %c, welcome you here
    *************************************

Of course, if you are interested, you can add your favourite text. Banners.Makefile turns this prototype into one banner file per daemon (in.telnetd, in.ftpd and so on), which the install target copies into $(BANNERS). OK, this Makefile, which made me vomit blood countless times, is finally done. Next we compile and install.

3. Compile and install

    make STYLE=-DPROCESS_OPTIONS sunos5
    make install

Now look in the directory specified by WORKDIR: all the files are in place.
3 How to wrap a service with tcpwrapper

3.1 Configure the inetd.conf file

Tip: inetd.conf is not described much here. ^_^ The file plays a great role in the Unix environment; if you are interested, you can Google it. In inetd.conf you can see a configuration item like:

    telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd

If you want to wrap telnet with tcpwrapper, change it to the following:

    telnet  stream  tcp  nowait  root  /usr/security/bin/tcpd  in.telnetd

In this way, all telnet access to the host is controlled by tcpd, that is, by tcpwrapper. Isn't it easy? Then do not forget to make inetd re-read your modified configuration:

    ps -ef | grep inetd
    kill -HUP <inetd_pid>

3.2 Configure the hosts.allow and hosts.deny files

The two most important configuration files of tcpwrapper are hosts.allow and hosts.deny. If these two files do not exist, or are empty, the old gatekeeper gets lazy and lets everybody in. First, create the hosts.allow and hosts.deny files at the location specified by TABLES in the Makefile (TABLES = -DHOSTS_DENY=\"$(WORKDIR)/etc/hosts.deny\" -DHOSTS_ALLOW=\"$(WORKDIR)/etc/hosts.allow\"). You can put ALL: ALL: deny in hosts.allow, so that you do not need to configure hosts.deny at all.

3.2.1 Content format of the hosts.allow file

    ALL: ALL: banners /usr/security/banner/
    ALL: ALL: allow
    ALL: ALL: deny

The first line configures the banner that shows the welcome message; the second line is the list of addresses allowed in; the third line denies everything else, that is, any address not in the list is refused access.

3.2.2 Configuration example

If you want to apply the same address filtering rule to all TCP/IP applications managed by tcpwrapper, the first ALL of the first and second lines stays unchanged; the second ALL of the first and second lines must be replaced with the list of IP addresses that are allowed to access. IP addresses are separated by commas, and whole networks can be given as network/netmask pairs. For example:

    ALL: 192.168.0.0/255.255.0.0, 127.0.0.1: banners /usr/security/banner/
    ALL: 192.168.0.0/255.255.0.0, 127.0.0.1: allow
    ALL: ALL: deny

If you want different address filtering rules per TCP/IP application managed by tcpwrapper, replace the first ALL of the first and second lines with the name of the daemon process that inetd starts through tcpd (in.telnetd and in.ftpd here; tcpd matches on that process name, which is also the name of the banner file). For example:

    in.telnetd: 192.168.0.0/255.255.0.0, 127.0.0.1: banners /usr/security/banner/
    in.ftpd: 192.168.1.0/255.255.255.0, 127.0.0.1: banners /usr/security/banner/
    in.telnetd: 192.168.0.0/255.255.0.0, 127.0.0.1: allow
    in.ftpd: 192.168.1.0/255.255.255.0, 127.0.0.1: allow
    ALL: ALL: deny

In this way, you can control which IP addresses get access. Isn't it easy?

3.2.3 Configure the syslog.conf file

In general, we also want tcpwrapper to write a log file recording all attempts to connect to the host, and which of them successfully got in. For this, modify syslog.conf and add the following line:

    local2.info	/var/log/tcpd.log

Remember that local2.info and /var/log/tcpd.log must be separated by a tab, which is also the place where I nearly vomited blood. Finally, let syslogd re-read its configuration file:

    ps -ef | grep syslog
    kill -HUP <syslog_pid>
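The inetd.conf change in 3.1 has to be made for every service you want the gatekeeper to see, and a service left pointing at its real daemon bypasses tcpd entirely. The following is an added example (not code from the original post or from the tcp_wrappers package) that parses an inetd.conf, lists the services that are not started through tcpd, and rewrites such a line the way 3.1 does. The inetd.conf content is constructed; the tcpd path /usr/security/bin/tcpd is the one the post installs to.

```python
"""Audit an inetd.conf for services that are not started through tcpd.

Added example, not part of the original post. The sample inetd.conf
below is constructed; the tcpd path is the one the post installs to.
"""
import os

# Constructed sample in the inetd.conf format:
# service socket_type proto wait/nowait user server_program server_args
SAMPLE_INETD_CONF = """\
# constructed sample, not a real host's file
telnet  stream  tcp   nowait  root    /usr/security/bin/tcpd  in.telnetd
ftp     stream  tcp   nowait  root    /usr/sbin/in.ftpd       in.ftpd
finger  stream  tcp   nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp   nowait  root    internal
"""

TCPD_PATH = "/usr/security/bin/tcpd"  # $(SBINDIR)/tcpd from the post's Makefile


def parse_inetd_conf(text):
    """Yield one dict per active service line; comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would not start it either
        service, sock_type, proto, wait, user, server = fields[:6]
        yield {"service": service, "socket_type": sock_type, "proto": proto,
               "wait": wait, "user": user, "server": server, "args": fields[6:]}


def unwrapped_services(text, tcpd_path=TCPD_PATH):
    """Names of services whose server program is not tcpd.

    Services implemented inside inetd itself ('internal') cannot be wrapped
    and are ignored.
    """
    return [e["service"] for e in parse_inetd_conf(text)
            if e["server"] != "internal" and e["server"] != tcpd_path]


def wrap_line(entry, tcpd_path=TCPD_PATH):
    """Rewrite one parsed entry so that inetd starts tcpd instead of the daemon.

    The daemon name stays in server_args: inetd passes it as argv[0], and tcpd
    uses it both to pick the hosts.allow rule and to find the real program
    under REAL_DAEMON_DIR.
    """
    args = entry["args"] or [os.path.basename(entry["server"])]
    return " ".join([entry["service"], entry["socket_type"], entry["proto"],
                     entry["wait"], entry["user"], tcpd_path] + args)


if __name__ == "__main__":
    for entry in parse_inetd_conf(SAMPLE_INETD_CONF):
        if entry["service"] in unwrapped_services(SAMPLE_INETD_CONF):
            print("not wrapped:", entry["service"], "->", wrap_line(entry))
```

Run against a real file with `unwrapped_services(open("/etc/inetd.conf").read())`; anything it lists is reachable without passing the gatekeeper, however carefully hosts.allow is written.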
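The rules in 3.2.1 and 3.2.2 are evaluated in order, and the first matching rule in hosts.allow decides; a rule that matches and carries only a banners option grants access, which is why the second ALL of the template in 3.2.1 must really be replaced by the allowed address list before the ALL: ALL: deny line can do anything. The following added example (not code from the original post and not libwrap itself) is a small evaluator of that matching order for the forms the post uses: ALL, a single address, a network/netmask pair, and the banners, allow and deny options. It assumes IPv4 only, that daemon names are the process names inetd starts (in.telnetd, in.ftpd), and its rule texts are constructed from section 3.2.2.

```python
"""Evaluate tcpd-style hosts.allow / hosts.deny rules with extended options.

Added example, not part of the original post and not libwrap. It follows
the order hosts_access(5) describes: first matching rule in hosts.allow
decides, then the first in hosts.deny, otherwise access is granted.
"""
import ipaddress

# Constructed hosts.allow: the per-service example from section 3.2.2
HOSTS_ALLOW = """\
in.telnetd: 192.168.0.0/255.255.0.0, 127.0.0.1: banners /usr/security/banner/
in.ftpd: 192.168.1.0/255.255.255.0, 127.0.0.1: banners /usr/security/banner/
in.telnetd: 192.168.0.0/255.255.0.0, 127.0.0.1: allow
in.ftpd: 192.168.1.0/255.255.255.0, 127.0.0.1: allow
ALL: ALL: deny
"""

# Constructed: the 3.2.1 template with the client lists still left as ALL
TEMPLATE_ALLOW = """\
ALL: ALL: banners /usr/security/banner/
ALL: ALL: allow
ALL: ALL: deny
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list : option : option ...' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs daemon_list : client_list: %r" % raw)
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients, fields[2:]))
    return rules


def client_matches(pattern, client_ip):
    """ALL, an exact address, 'net/mask' (dotted mask accepted), or 'a.b.' prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return pattern == client_ip


def rule_matches(rule, daemon, client_ip):
    daemons, clients, _ = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def apply_options(options, default):
    """Walk the options; allow/deny end the rule, banners only records the dir."""
    banner = None
    for opt in options:
        words = opt.split()
        if not words:
            continue
        if words[0] == "banners":
            banner = words[1]
        elif words[0] in ("allow", "deny"):
            return words[0], banner
    return default, banner  # no allow/deny: the file the rule lives in decides


def hosts_access(daemon, client_ip, allow_rules, deny_rules=()):
    """Return (decision, banner_dir) for one (daemon, client) pair."""
    for rule in allow_rules:
        if rule_matches(rule, daemon, client_ip):
            return apply_options(rule[2], "allow")
    for rule in deny_rules:
        if rule_matches(rule, daemon, client_ip):
            return apply_options(rule[2], "deny")
    return "allow", None  # matched nowhere: tcpd lets the connection through


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    for daemon, ip in [("in.telnetd", "192.168.5.7"), ("in.ftpd", "192.168.5.7"),
                       ("in.ftpd", "192.168.1.9"), ("in.telnetd", "10.0.0.1")]:
        print(daemon, ip, hosts_access(daemon, ip, rules))
```

The evaluator shows why the per-service rules in 3.2.2 work as described (an ftp client from 192.168.5.7 falls through every ftp rule and hits ALL: ALL: deny), and that an empty rule set lets everything in, exactly the lazy-gatekeeper case from 3.2. For checking a real installation, the tcpdmatch tool that the install target copies to $(SBINDIR) answers the same question against the actual files.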

4

On Linux there is xinetd, which does the job of tcpwrapper + inetd, and does it well. But in the Linux world each generation has its own talents: now iptables has been born, and few people still use xinetd or tcpwrapper. This post only commemorates the days when I was depressed and nearly vomited blood. ^_^
