7/01/2011

TCP Wrapper

inetd : a daemon that listens on specific ports (for example telnet on 23 and ftp on 21); when a connection arrives, it launches the appropriate program to handle it.

Xinetd : does the same job, but with extra security features such as TCP Wrapper support.

TCP Wrapper : adds access control to TCP/IP services by using an Access Control List; it works with Xinetd to protect connections to services such as telnet or ftp, and even SSH.

When you connect to telnet (in.telnetd), Xinetd consults TCP Wrapper to decide whether the connection is allowed or not.

TCP Wrappers consist of :

1- the hosts.allow and hosts.deny files.
2- tcpdmatch : a program that explains how TCP Wrapper would handle a specific request.
3- tcpdchk : the TCP Wrapper configuration checker program.

How it works :

When I want to connect to the telnet server (in.telnetd) :
1- hosts.allow is parsed for rules on the telnet service; if a matching rule is found the connection is allowed, otherwise move to step 2.
2- hosts.deny is parsed for rules on the telnet service; if a matching rule is found the connection is denied.
3- if nothing matches in hosts.allow or hosts.deny, access is granted.

Securing TCP:

  • To allow hosts access, add a rule in hosts.allow. For example, to allow 192.168.0.150 to access my telnet server,
edit my hosts.allow :

nano /etc/hosts.allow

and add a rule allowing 192.168.0.150 to access my telnet server :

in.telnetd : 192.168.0.150

  • To deny hosts access to my telnet server, add a rule in hosts.deny. For example, if I want to deny 192.168.0.160 access to my telnet server,

edit my hosts.deny :

nano /etc/hosts.deny

and add a rule denying 192.168.0.160 access to my telnet server :

in.telnetd : 192.168.0.160

hint 1: to add more than one address, just separate the addresses with spaces.

in.telnetd : 192.168.0.160 192.168.0.161 192.168.0.162

hint 2: there is no need to restart or reload any daemon after editing hosts.allow or hosts.deny; the files are read again for every new connection.

hint 3: to allow the whole network access :

in.telnetd : 192.168.0.

or

in.telnetd : 192.168.0.0/255.255.255.0
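The three-step decision and the client patterns above, modelled as an added Python example (this is not the post's own material or the tcpd source). It assumes a simplified rule syntax of "daemon_list : client_list" per line and adds tcpd's ALL wildcard, which the post does not cover.

```python
"""Simplified model of the TCP Wrappers access decision (hosts.allow, then
hosts.deny, then default allow). Added example; not the real tcpd source."""
import ipaddress

def parse_rules(text):
    """Return (daemons, clients) pairs from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules

def client_matches(pattern, addr):
    """Match one client pattern using the forms shown in the post (plus ALL)."""
    if pattern == "ALL":  # tcpd wildcard, assumed here; not in the post
        return True
    if pattern.endswith("."):  # network prefix, e.g. "192.168.0."
        return addr.startswith(pattern)
    if "/" in pattern:  # net/mask, e.g. "192.168.0.0/255.255.255.0"
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == addr  # single host

def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    daemon_ok = daemon in daemons or "ALL" in daemons
    return daemon_ok and any(client_matches(p, addr) for p in clients)

def decide(daemon, addr, hosts_allow, hosts_deny):
    """Return 'granted' or 'denied' following the three-step order."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(hosts_allow)):
        return "granted"  # step 1: hosts.allow matched
    if any(rule_matches(r, daemon, addr) for r in parse_rules(hosts_deny)):
        return "denied"  # step 2: hosts.deny matched
    return "granted"  # step 3: no match anywhere, access is granted

# Constructed sample files mirroring the post's rules
HOSTS_ALLOW = "in.telnetd : 192.168.0.150\n"
HOSTS_DENY = "in.telnetd : 192.168.0.160 192.168.0.161 192.168.0.162\n"

if __name__ == "__main__":
    for ip in ("192.168.0.150", "192.168.0.161", "10.0.0.5"):
        print(ip, decide("in.telnetd", ip, HOSTS_ALLOW, HOSTS_DENY))
```

Running it with the constructed files shows the fail-open default of step 3: 10.0.0.5 is granted access even though it appears in neither file, which is why a hosts.deny with no catch-all rule does not restrict unlisted hosts.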
