TCP Wrappers controls access to the network daemons that support it through
administrator-maintained ACLs based on the remote IP address. It can therefore serve as
another layer of security alongside network and host-based firewalls: if one layer is
compromised, the other ACL points still apply. It may mean slightly more administration,
but it's a good payoff in terms of security. TCP Wrappers also logs successful and
unsuccessful connection attempts to syslog, information that would be vital in
determining the source IP address of a connection.
By default, tcp_wrappers is disabled:
tcp_wrappers=FALSE
The default can be overridden per service for individual inetadm-enabled services. The
following command displays the tcp_wrappers property of each service; these are all set
to FALSE by default:
false
To implement TCP Wrappers, you'll need to create two files: /etc/hosts.allow and
/etc/hosts.deny. Configure ACLs in /etc/hosts.allow as appropriate for your
needs. The version of SSH that ships with Solaris 11 also honours TCP Wrappers when these
files exist, so ensure you have a rule of the form sshd: <network>/<mask> in
/etc/hosts.allow.
# vi /etc/hosts.allow
service: 192.168.122.0/255.255.255.0
...
# inetadm -M tcp_wrappers=TRUE
tcp_wrappers=TRUE
Finally, enable TCP Wrappers for the RPC portmapping service, remembering to refresh
the rpc/bind service afterwards:
disabled
sshd: 10.112.73.106
sshd: 10.112.73.149
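An added example, not from the guide or from Solaris itself, showing how the hosts_access decision is made against rules of the forms used above: the first matching rule in /etc/hosts.allow permits, otherwise the first matching rule in /etc/hosts.deny rejects, and a client matched by neither file is permitted. The function names are hypothetical and the rule contents are constructed; it runs in POSIX sh without touching the real files.

```shell
# Added example, not the guide's code: emulate the hosts_access(5) decision for one
# daemon/client pair using the rule forms shown above (bare IPv4 address or
# network/netmask). Hypothetical function names; constructed rule data.
# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# Return 0 if client address $2 matches rule pattern $1 (IP or net/mask).
client_matches() {
    case "$1" in
        */*) net=${1%/*}; mask=${1#*/}
             [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}
# First rule in file contents $1 covering daemon $2 and client $3:
# sets MATCHED to that line and returns 0, else returns 1.
first_match() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        daemon=${line%%:*}; clients=${line#*:}
        [ "$daemon" = "$2" ] || [ "$daemon" = ALL ] || continue
        for c in $clients; do
            c=${c%,}                                # tolerate "a, b" lists
            if [ "$c" = ALL ] || client_matches "$c" "$3"; then
                MATCHED=$line; return 0
            fi
        done
    done <<EOF
$1
EOF
    return 1
}
# hosts_access order: first match in hosts.allow wins, then hosts.deny; a client
# matched by neither file is ALLOWED, so hosts.deny needs a catch-all "ALL: ALL".
hosts_access() {   # $1 allow contents, $2 deny contents, $3 daemon, $4 client
    if   first_match "$1" "$3" "$4"; then echo "ALLOW ($MATCHED)"
    elif first_match "$2" "$3" "$4"; then echo "DENY ($MATCHED)"
    else echo "ALLOW (no matching rule)"; fi
}
# Constructed rule sets mirroring the guide's examples.
ALLOW='sshd: 192.168.122.0/255.255.255.0
sshd: 10.112.73.106, 10.112.73.149'
DENY='ALL: ALL'
hosts_access "$ALLOW" "$DENY" sshd 192.168.122.42   # network rule -> ALLOW
hosts_access "$ALLOW" "$DENY" sshd 10.112.73.150    # catch-all -> DENY
hosts_access "$ALLOW" ""      sshd 10.112.73.150    # empty hosts.deny -> ALLOW
```

The last call is the failure mode to watch for: creating /etc/hosts.allow without a catch-all in /etc/hosts.deny leaves every unlisted client permitted.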