Objective 5: TCP Wrappers

TCP wrappers allow you to check the origin of a connection when another machine connects to your own, since you may not want to accept connections from that machine. Using the /etc/hosts.allow and /etc/hosts.deny configuration files, you can specify which hosts can and cannot use specific services. TCP wrappers are most commonly used to protect services that are controlled by inetd, but other services such as SSH and the portmapper, as well as most of the NFS service suite, also respect the settings. If you use xinetd instead of inetd, there is another way to restrict access, described later in this Objective.

To activate checks by TCP wrappers of access to services, make sure that your /etc/inetd.conf has tcpd in the command line, as shown here:

ftp  stream  tcp  nowait  root  /usr/sbin/tcpd /usr/sbin/vsftpd

When a connection request arrives at a service guarded by TCP wrappers, the request origin and the service name will be checked against the contents of /etc/hosts.allow and /etc/hosts.deny. The checking works as follows:

  1. Do the service and origin have a match in /etc/hosts.allow? If so, allow the connection to continue at once.

  2. Do they have a match in /etc/hosts.deny? If so, the connection is closed without reading any input.

  3. Otherwise, the connection is allowed to continue.
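
The three-step decision above is easy to get wrong in practice (a rule in hosts.allow always wins, and an empty pair of files allows everything). The following Python script is an added example, not part of the book and not the code of tcpd itself: it parses a simplified hosts.allow/hosts.deny syntax (daemon_list : client_list, with ALL, exact names, leading-dot domain suffixes and trailing-dot address prefixes) and applies the same allow-then-deny-then-default ordering. The two sample files are constructed for this example, and the matching is deliberately reduced to the forms named here; real tcpd also resolves hostnames, supports EXCEPT lists, wildcards such as LOCAL and PARANOID, and shell commands, none of which this toy covers.

```python
"""Simulate the TCP Wrappers access decision for a (service, client) pair.

Constructed example; it reproduces the ordering hosts.allow -> hosts.deny ->
default allow, not the full hosts_access(5) grammar.
"""
from typing import List, Tuple

# Constructed sample /etc/hosts.allow: the local 192.168.1.0/24 may use the
# FTP daemon, and every host may use sshd.
HOSTS_ALLOW = """
# comments and blank lines are ignored
vsftpd: 192.168.1.
sshd:   ALL
"""

# Constructed sample /etc/hosts.deny: everything not allowed above is refused.
HOSTS_DENY = """
ALL: ALL
"""

Rule = Tuple[List[str], List[str]]


def parse_rules(text: str) -> List[Rule]:
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def pattern_matches(pattern: str, value: str) -> bool:
    """Simplified tcpd pattern matching: ALL, '.domain', 'net.prefix.', exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .example.com
        return value.lower().endswith(pattern.lower())
    if pattern.endswith("."):            # address prefix, e.g. 192.168.1.
        return value.startswith(pattern)
    return pattern.lower() == value.lower()


def rules_match(rules: List[Rule], service: str, client: str) -> bool:
    """True if any rule matches both the daemon name and the client origin."""
    return any(
        any(pattern_matches(d, service) for d in daemons)
        and any(pattern_matches(c, client) for c in clients)
        for daemons, clients in rules
    )


def access_decision(service: str, client: str,
                    allow_text: str = HOSTS_ALLOW,
                    deny_text: str = HOSTS_DENY) -> str:
    """Apply the three checks in order and return 'allow' or 'deny'."""
    # 1. a match in hosts.allow grants access immediately
    if rules_match(parse_rules(allow_text), service, client):
        return "allow"
    # 2. a match in hosts.deny refuses the connection
    if rules_match(parse_rules(deny_text), service, client):
        return "deny"
    # 3. no match anywhere: the connection is allowed
    return "allow"


if __name__ == "__main__":
    for svc, host in [("vsftpd", "192.168.1.20"), ("vsftpd", "10.0.0.5"),
                      ("sshd", "10.0.0.5"), ("telnetd", "10.0.0.5")]:
        print(f"{svc:8} from {host:14} -> {access_decision(svc, host)}")
```

Note the last case in the usage block: with the sample ALL: ALL line in hosts.deny, telnetd from 10.0.0.5 is refused, but if both files were empty the same request would pass through step 3 and be accepted. That default is why a deny-everything rule in /etc/hosts.deny is the usual starting point when hardening a host.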

/etc/hosts.allow and /etc/hosts.deny

The entries in the /etc/hosts.allow and /etc/hosts.deny files have the general syntax of service: granted_to, where service specifies the name of the service and granted_to ...
