Pick a Free OS

TCP Wrappers: Part 2

By default, the wrapper logs go to the same place as the transaction logs of the sendmail daemon. The disposition can be changed by editing the Makefile and/or the syslog.conf file. Send a `kill -HUP` to syslogd after changing its configuration file. Remember that syslogd, just like sendmail, insists on one or more TABs between the left-hand and right-hand side expressions in its configuration file.

Configuring TCP Wrappers

The first step towards configuring Wrappers on your systems is to make sure your INETD daemon is properly configured to accept connections and forward them to the respective SERVER applications through which you plan to offer the various services. Let's have a look at a sample INETD configuration file.

/etc/inetd.conf

# The inetd will re-read this file whenever it gets that signal.
#
#
ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -a

This is the inetd daemon configuration file in which you specify the servers to be monitored. The above entry is for the FTP server; it causes the INETD server to accept the connection and pass it on to the wrapper program /usr/sbin/tcpd. TCP Wrappers then, depending on the ACLs set in the files /etc/hosts.allow and /etc/hosts.deny, ALLOWS or DENIES the connection to the respective server daemon.

Now, a look at some sample ACLs using our /etc/hosts.deny and /etc/hosts.allow files.

/etc/hosts.allow:

in.tftpd: LOCAL, .foo.bar
ypserv: 127.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0

You can always try out these entries on your own machine by editing the configuration files as mentioned above. The first entry in the hosts.allow file is as follows:

in.tftpd: LOCAL, .foo.bar

This very clearly states that all connections to the TFTP server daemon should be allowed if the connection originates from the local machine or the foo.bar domain.

ypserv: 127.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0

This very clearly states that all connections to the YPSERV server daemon should be allowed if the connection originates from the local machine (127.0.0.0/255.0.0.0) or from the 10.0.0.0/255.0.0.0 network, both written in net/mask form.

/etc/hosts.deny:

in.rshd: ALL: /usr/ucb/finger -l @%h 2>&1 | /usr/ucb/mail foobar
in.telnetd: 202.54.11.23 192.168.1.

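The ACL semantics described above, as an added example that is not part of the original article: a small Python model of how tcpd evaluates the pattern forms used on this page (ALL, LOCAL, a .domain suffix, net/mask, and a trailing-dot address prefix) in its allow-then-deny search order, run over the sample hosts.allow and hosts.deny entries. The client host names and addresses passed in are constructed, and the shell command of a matching rule is only returned, never executed.

```python
import ipaddress

# Constructed sample ACLs, copied from the entries discussed in the text.
HOSTS_ALLOW = """\
in.tftpd: LOCAL, .foo.bar
ypserv: 127.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0
"""
HOSTS_DENY = """\
in.rshd: ALL: /usr/ucb/finger -l @%h 2>&1 | /usr/ucb/mail foobar
in.telnetd: 202.54.11.23 192.168.1.
"""

def match_client(pattern, host, addr):
    """Match one client-list token against the client's host name and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # any host name that contains no dot
        return "." not in host
    if "/" in pattern:              # net/mask form: match if (addr & mask) == net
        net, mask = pattern.split("/", 1)
        a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
        return (a & m) == n
    if pattern.startswith("."):     # domain suffix, e.g. .foo.bar
        return host.endswith(pattern)
    if pattern.endswith("."):       # leading address fields, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern in (host, addr)  # plain host name or address

def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)  # colons inside the command field survive
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        command = fields[2].strip() if len(fields) > 2 else None
        rules.append((daemons, clients, command))
    return rules

def check_access(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: first hosts.allow match wins, then hosts.deny, else ALLOW.
    Returns (verdict, shell_command); the command is reported, never run."""
    for verdict, text in (("ALLOW", allow), ("DENY", deny)):
        for daemons, clients, command in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(match_client(c, host, addr) for c in clients):
                return verdict, command
    return "ALLOW", None
```

Note the default: a daemon that matches neither file is allowed, so with these sample files a TFTP request from a host outside foo.bar still gets through; a catch-all `ALL: ALL` line in hosts.deny is what turns the policy into deny-by-default.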