Tcp_wrapper: A simple host-based access control tool


I. Common host-based access control tools

Both standalone (stand-alone) daemons (httpd, vsftpd) and transient daemons (rsync, tftp, telnet) can be controlled with iptables: the host firewall decides which ports clients may access and which they may not.

Besides the host firewall, some transient daemons, and even some standalone daemons, can also be controlled in another way: tcp_wrapper.

Among the many host-based access control mechanisms, tcp_wrapper is simple and easy to configure.

Three tools commonly implement host-based access control on Linux: iptables, tcp_wrapper and xinetd (the super daemon).

II. Introduction to tcp_wrapper

Obviously, only software that speaks the TCP protocol can be controlled.

The name is generally translated as "TCP wrapper": it listens on behalf of a TCP service, checks access to a given socket at the host's application layer, and thereby implements so-called authorized access.

Simply put, tcp_wrapper works on the TCP protocol. iptables works inside the kernel's TCP/IP stack, whereas tcp_wrapper works at the TCP protocol level of the stack: it starts a process at the entrance of TCP, monitors the requests to each TCP service, and compares each request against the allow rules and deny rules in the tcp_wrapper configuration files. If a rule matches, access is either released or denied.

The working process: tcpd.

It works at the one position every TCP packet must pass through. Working at the TCP layer is higher than iptables, which works at the network layer, so the two can be used together. But once tcp_wrapper has completed its control, iptables does not need to control the same traffic, and likewise, once iptables has done the control, tcp_wrapper does not need to. Either one alone can complete the control.

If iptables can do the job, why is tcp_wrapper needed? Because the configuration of tcp_wrapper is very simple.

Configuration files: /etc/hosts.allow, /etc/hosts.deny

But not all services accept tcp_wrapper control. In fact, tcp_wrapper is more accurately described as a library than as a service; because all daemons work in user space, it is more appropriate to call tcp_wrapper a library than a daemon.

All services are subject to iptables control, but not all are subject to tcp_wrapper control. Only a program that was linked against the library, or depends on it, when it was developed is under tcp_wrapper control.

III. Using tcp_wrapper control

a). Control is achieved simply by writing the program name into the configuration files:

Allowed access: /etc/hosts.allow

Denied access: /etc/hosts.deny

b). Control principle

When a user accesses the service, the library linked into the program is automatically consulted; based on tcpd, it reads the two configuration files /etc/hosts.allow and /etc/hosts.deny and decides whether the host may access the service.

c). Matching mechanism

1. /etc/hosts.allow is checked first; if it permits the access, the connection is released directly;

2. If /etc/hosts.allow has no match, /etc/hosts.deny is checked, and access is denied if there is a match;

3. If neither file matches, the default is to release the connection.

d). Configuration file syntax

    daemon_list: client_list [: options]

daemon_list: must be the application (program) name, not the process name; multiple names are separated by commas; ALL matches every daemon.

client_list: an IP address, a host name, or a network address. A network can be written in long format (network address/subnet mask; a subnet mask can only be used in the long format) or in short format, for example 172.16.

[:options]:

deny: makes a rule written in hosts.allow behave as if it were in hosts.deny. This lets us write a single configuration file to get the whole configuration done:

    vim /etc/hosts.allow
        in.telnetd: ALL EXCEPT <allowed network> :deny

spawn: starts a command. For example, if someone accesses the server and we do not want to refuse them outright (this is usually malicious or abnormal access), spawn can echo some information into a log:

    vim /etc/hosts.allow
        in.telnetd: 172.16. EXCEPT <excluded host>
    vim /etc/hosts.deny
        in.telnetd: ALL: spawn echo `date` login attempt from %c to %s >> /var/log/tcp_wrapper.log

    %c: client information (user@host)
    %s: server information (daemon@host)
    %h: client host name
    %p: process PID on the server

Get complete help: man 5 hosts_access

Note: the text passed to echo must not be quoted; otherwise the command substitution (`date`) will not be performed.

e). tcp_wrapper has several built-in macros

For client_list: ALL, NONE, UNKNOWN (an address whose host name cannot be resolved), PARANOID (an address whose forward and reverse lookups do not match).

For daemon_list: ALL.

Usable in both: EXCEPT (exclude). Example:

    vim /etc/hosts.allow
        in.telnetd: 172.16. EXCEPT <excluded host>

f). Case

If we want only one network segment to be released, define the released segment in /etc/hosts.allow and deny all hosts in /etc/hosts.deny.

Demo control: telnet

    yum install telnet-server
    ldd `which in.telnetd`    # does not show libwrap
    ldd `which xinetd`        # shows libwrap

telnet itself does not listen; it is managed by xinetd, so everything under xinetd is subject to tcp_wrapper control.

    chkconfig telnet on
    service xinetd start
    ss -tnl | grep 23

Release only the 172.16 segment:

    vim /etc/hosts.allow
        in.telnetd: 172.16.
    vim /etc/hosts.deny
        in.telnetd: ALL

No restart is needed; the rules take effect immediately, just like iptables.
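The matching order from c), the file syntax and options from d) and e), and the telnet rules from the demo above, modelled in Python as an added example (this is not code from the original post or from tcp_wrapper itself; the two sample files are constructed, and only the subset of hosts_access syntax the post describes is supported):

```python
import ipaddress

# Constructed sample files mirroring the demo in the post: telnet only from 172.16.
HOSTS_ALLOW = "in.telnetd: 172.16.\n"
HOSTS_DENY = "in.telnetd: ALL\n"

def parse_rules(text):
    """Return (daemon_list, client_list, option_keywords) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) < 2 or not parts[0]:
            continue
        # keep each option's keyword only (deny, allow, spawn, ...)
        opts = [o.split()[0] for o in parts[2].split(":") if o.strip()] if len(parts) == 3 else []
        rules.append((parts[0], parts[1], opts))
    return rules

def match_token(token, value, is_client):
    """Match one pattern against a daemon name or a client address/host name."""
    if token == "ALL":
        return True
    if is_client and "/" in token:                     # long form: 172.16.0.0/255.255.0.0
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(token, strict=False)
        except ValueError:                             # value is a host name, not an address
            return False
    if is_client and token.endswith("."):              # short form prefix: 172.16.
        return value.startswith(token)
    return token == value

def match_list(pattern, value, is_client):
    """'a, b EXCEPT c' matches when a or b matches and c does not."""
    head, _, tail = pattern.partition("EXCEPT")
    def hit(part):
        return any(match_token(t, value, is_client) for t in part.replace(",", " ").split())
    return hit(head) and not (tail and hit(tail))

def access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if permitted: hosts.allow first, then hosts.deny, otherwise released."""
    for dl, cl, opts in parse_rules(allow):
        if match_list(dl, daemon, False) and match_list(cl, client, True):
            return "deny" not in opts                  # ':deny' turns an allow rule into a denial
    for dl, cl, opts in parse_rules(deny):
        if match_list(dl, daemon, False) and match_list(cl, client, True):
            return "allow" in opts                     # ':allow' turns a deny rule into a release
    return True                                        # matched in neither file
```

Passing a one-line hosts.allow such as `in.telnetd: ALL EXCEPT 172.16. : deny` with an empty deny file gives the same result as the two-file demo, which is the single-file form the deny option enables.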


tcp_wrapper is really simple and easy to configure. It is especially recommended for controlling FTP services, because iptables-based access control for FTP is far more complex than tcp_wrapper.

This article is from the "Fox hu" blog; please be sure to keep this source.
