The principle by which the wrappers operate is simple:
Otherwise, if the host is not explicitly denied access to the service in hosts.deny, it is implicitly allowed and in.tcpd invokes the service daemon.
By default, the TCP Wrapper daemon, in.tcpd logs events via syslog to /var/adm/syslog. This file will contain the log entries of refused connections.
Entries in the log look similar to the following:
date host server[pid]: refused connect from host
You can use the
program to test if a user will be allowed to connect
to a given service with the current rule set. For example, enter
the following command to see if the local host
(127.0.0.1) is allowed to telnet into itself:
tcpdmatch in.telnetd 127.0.0.1
The following output from this command shows that line 46 in /etc/inet/hosts.deny disallows the connection:
client: address 127.0.0.1 server: process in.telnetd matched: /etc/inet/hosts.deny line 46 access: denied
The following example entries in hosts.allow would allow access to all services by all hosts in the local domain (mynet.com):
ALL: .mynet.com : ALLOW ALL: ALL: DENYAlternatively, to prevent access only by hosts in the domain acme.com, the following entries would be needed in hosts.deny:
ALL: .acme.com: DENY ALL: ALL: ALLOWIt is also possible to configure ``booby traps''. These warn you if an attacker may be using a service such as TFTP to try and gain access to files on your system. An example of a booby trap is the following entry from the hosts.deny file:
in.tftpd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \ /usr/bin/mail -s tftp-%d-%h root) &Instead of the requested file, in.tcpd uses the safe_finger program to send a finger probe to the attacking host. It then mails the result to root. Obviously, if the attacker is blocking finger or does not run the finger daemon, the probe will fail but the event will still be logged.
Attempts to hack into a system are sometimes initiated via finger and telnet. The following booby traps will warn you of such events:
in.fingerd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \ /usr/bin/mail -s finger-%d-%h root) & in.telnetd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \ /usr/bin/mail -s telnet-%d-%h root) &
The following entries in hosts.allow would allow normal TFTP, finger and telnet access from hosts in the local domain (mynet.com) without invoking the booby traps:
in.tftpd: .mynet.com in.fingerd: .mynet.com in.telnetd: .mynet.comThe following entries in hosts.allow would allow access to the above services from the domain mynet.com and subdomains such as rivers.mynet.com but block access from seas.mynet.com:
in.tftpd: .mynet.com EXCEPT .seas.mynet.com in.fingerd: .mynet.com EXCEPT .seas.mynet.com in.telnetd: .mynet.com EXCEPT .seas.mynet.com
For more information about using TCP Wrappers to configure access control, please consult the following manual pages.