
Configure TCP Wrappers

TCP Wrappers controls access to the network daemons that support it through
administrator-defined ACLs keyed on the remote IP address. It therefore adds another
layer of access control alongside network and host-based firewalls: if one layer is
compromised, the other ACL points still stand. It means slightly more administration,
but the pay-off in security is worthwhile. It also logs successful and unsuccessful
connection attempts to syslog, information that is vital when you need to establish the
source address of an attempt.
By default, tcp_wrappers is disabled:

# inetadm -p | grep tcp_wrappers

tcp_wrappers=FALSE

The default can be overridden per service for any service managed by inetd. The
following command reports the tcp_wrappers property of each such service; all are
FALSE by default:

# inetadm | awk '/svc/ {print $NF}' | while read svc; do
> echo "svc: ${svc}"
> inetadm -l ${svc} | grep tcp_wrappers;
> done | paste - -
svc: svc:/application/cups/in-lpd:default default tcp_wrappers=FALSE
svc: svc:/network/finger:default default tcp_wrappers=FALSE
svc: svc:/network/time:dgram default tcp_wrappers=FALSE
svc: svc:/network/time:stream default tcp_wrappers=FALSE
svc: svc:/network/rexec:default default tcp_wrappers=FALSE
...
TCP Wrappers for the RPC portmapping service are also disabled by default:

# svcprop -p config/enable_tcpwrappers rpc/bind

false

To implement TCP Wrappers, you'll need to create two files: /etc/hosts.allow and
/etc/hosts.deny. Configure ACLs in /etc/hosts.allow as appropriate for your
needs. The version of SSH that ships with Solaris 11 also honours TCP Wrappers when
these files exist, so make sure /etc/hosts.allow contains a rule of the form
sshd: <network>/<mask> covering the networks you administer from before you add a
default-deny rule; otherwise enabling the wrappers will lock you out of remote
administration.

# vi /etc/hosts.allow

service: 192.168.122.0/255.255.255.0

...

And implement a default deny-any policy:

# echo "ALL: ALL" > /etc/hosts.deny


To enable TCP Wrappers for all services started by inetd, issue the following command
and verify the results:

# inetadm -M tcp_wrappers=TRUE

# inetadm -p | grep tcp_wrappers

tcp_wrappers=TRUE

Finally, enable TCP wrappers for the RPC portmapping service, remembering to refresh
the rpc/bind service:

# svccfg -s svc:/network/rpc/bind setprop config/enable_tcpwrappers=true

# svcadm refresh svc:/network/rpc/bind
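The steps above are easy to get wrong in one specific way: with tcp_wrappers enabled, a deny-all in /etc/hosts.deny and no matching sshd rule in /etc/hosts.allow cuts off remote administration. The following POSIX shell script is an added example, not code from the original guide: it stages the two files, refuses to install the deny-all rule unless hosts.allow would still admit sshd from the address you are working from, and previews the hosts_access(5) decision (hosts.allow first, then hosts.deny, then allow by default) for a given daemon and client. ETC_DIR, the function names and the sample addresses are this example's own assumptions, and it handles only the rule forms used on this page (ALL, a single address, net/mask), not hostnames, wildcards or EXCEPT clauses.

```shell
#!/bin/sh
# Added example, not code from the page: stage the TCP Wrappers files, guard
# against locking yourself out, and preview the hosts_access(5) decision.
# Assumptions: ETC_DIR (defaults to /etc; override it to rehearse in a scratch
# directory), the function names and the sample addresses are this example's.
ETC_DIR="${ETC_DIR:-/etc}"

# Dotted quad -> integer, using only POSIX sh arithmetic.
ip2int() {
    ( IFS=.; set -- $1; echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 )) )
}

# Match one client pattern against a client address. Handles the forms used
# on this page: ALL, a single address, and net/mask. Hostnames, wildcards and
# EXCEPT clauses are deliberately out of scope.
client_matches() {   # $1 = pattern, $2 = client address
    case $1 in
        ALL) return 0 ;;
        */*) _n=$(ip2int "${1%/*}"); _m=$(ip2int "${1#*/}"); _c=$(ip2int "$2")
             [ $(( _c & _m )) -eq $(( _n & _m )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# First "daemon: client" line in file $1 that matches daemon $2 and client $3 wins.
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # drop comments
        case $line in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}; clients=${line#*:}
        for dmn in $daemons; do
            dmn=${dmn%,}
            [ "$dmn" = ALL ] || [ "$dmn" = "$2" ] || continue
            for cl in $clients; do
                client_matches "${cl%,}" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

# hosts_access order: hosts.allow, then hosts.deny, then allow by default.
# Without the "ALL: ALL" line in hosts.deny, an unlisted client is admitted.
would_allow() {   # $1 = daemon, $2 = client address; prints allow|deny
    if file_matches "$ETC_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$ETC_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Write hosts.allow from "daemon: client" arguments, one rule per line.
write_hosts_allow() {
    : > "$ETC_DIR/hosts.allow"
    for rule in "$@"; do printf '%s\n' "$rule" >> "$ETC_DIR/hosts.allow"; done
}

# Install the default deny, but refuse if hosts.allow would not admit sshd
# from $1, the address you are administering from: once tcp_wrappers is on,
# that combination is a remote lockout.
write_hosts_deny() {
    if ! file_matches "$ETC_DIR/hosts.allow" sshd "$1"; then
        echo "refusing: $ETC_DIR/hosts.allow would not admit sshd from $1" >&2
        return 1
    fi
    printf 'ALL: ALL\n' > "$ETC_DIR/hosts.deny"
}

# The SMF steps from this page, run only where the Solaris commands exist.
enable_wrappers() {
    command -v inetadm >/dev/null 2>&1 || { echo "inetadm not found; skipping" >&2; return 2; }
    inetadm -M tcp_wrappers=TRUE &&
    svccfg -s svc:/network/rpc/bind setprop config/enable_tcpwrappers=true &&
    svcadm refresh svc:/network/rpc/bind &&
    inetadm -p | grep -q 'tcp_wrappers=TRUE'
}

# Usage on the target (as root); set ETC_DIR=/tmp/stage to rehearse elsewhere:
#   write_hosts_allow 'sshd: 192.168.122.0/255.255.255.0'
#   write_hosts_deny 192.168.122.10 && enable_wrappers
#   would_allow sshd 10.0.0.5   # -> deny
```

Rehearse with ETC_DIR pointing at a scratch directory first: would_allow shows that before hosts.deny exists every client falls through to the default allow, which is why the guide insists on the ALL: ALL line, and write_hosts_deny will not install that line until the sshd rule for your own address is in place.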
A final check that telnet is disabled, and we're done configuring services.

# svcs -Ho state svc:/network/telnet

disabled

Restart the SSH service and confirm the contents of both files:

# svcadm restart svc:/network/ssh:default

# more /etc/hosts.deny
ALL: ALL

# more /etc/hosts.allow
sshd: 10.112.73.106
sshd: 10.112.73.149
