I thought today I would outline a few tips on network security with tcpwrappers or, as you're probably more familiar with them, the hosts.allow and hosts.deny files: how you can use them, which applications are compatible, and so on. I know network security is a really broad topic, but this will hopefully be enough to get you going and understand some more basics of securing your machine.
The first thing to remember is that not every network-based application on your machine is compatible with tcpwrappers. The restrictions in hosts.allow or hosts.deny only take effect for programs that link against the tcpwrappers library (libwrap). How can you find out whether your application is compatible? Use this command:
ldd /path/to/binary | grep libwrap (general example)
ldd /usr/sbin/sshd | grep libwrap (shows that the sshd refers to libwrap)
ldd /usr/sbin/apache2 | grep libwrap (shows that apache2 does not refer to libwrap)
In the basic example above we see that sshd (the ssh server) links against libwrap.so, so any restrictions in hosts.allow and hosts.deny apply to that service. We also see that apache2 does not link against libwrap.so, so restrictions written there do not apply to apache2 connections (i.e. you could lock down ssh while apache2 stays wide open).
hosts.allow and hosts.deny
These two files, located in your /etc/ directory, let you limit or permit connections from specific hosts or IPs. Using them you can set up a whitelist or a blacklist. Remember, as mentioned in the compatibility section, this only applies to services that link against libwrap. If you are running services outside the scope of libwrap.so, this may not be the best firewalling solution for you.
/etc/hosts.allow:
ALL: 127.0. [::1] (the 127.0. range is allowed, as well as the localhost ipv6 address)
sshd : 192.168.0.5 (specific IP) 192.168.0. (specific range) EXCEPT 192.168.0.10 (range exceptions)
/etc/hosts.deny:
ALL : ALL (denying all services to all hosts)
This example would allow connections from localhost on IPv4 and IPv6 for all services, and also explicitly allow ssh connections from the 192.168.0.5 address and the entire 192.168.0. range, excluding the 192.168.0.10 host. The hosts.deny then outright denies all services for all hosts. This works because tcpwrappers consults hosts.allow first and stops at the first matching rule; only if nothing in hosts.allow matches does it consult hosts.deny, and a connection that matches neither file is allowed. This is a very basic example, but hopefully it gets the idea across. You could also reverse the contents of the two files in the example above and do blacklisting: ALL : ALL is allowed, with the exception of the services and IPs listed in hosts.deny.
The syntax of the hosts.allow and hosts.deny files is:
service(s) : IPs or hosts
You can comma-separate the list of services you want to allow or deny, and make a similar list of hosts/IPs to allow or deny. Very simple syntax.
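To make the matching rules and the allow-then-deny evaluation order concrete, here is a small Python model of the decision tcpwrappers makes for the example files above and the service : client syntax just described. This is an added illustration, not code from the original post or from the tcp_wrappers source; it assumes the two files as written above and models only the pattern forms they use (ALL, exact addresses, trailing-dot network prefixes, bracketed IPv6 literals and EXCEPT), leaving out hostname patterns, wildcards such as KNOWN, and shell commands.

```python
# Constructed copies of the two files from the example above.
HOSTS_ALLOW = """
ALL: 127.0. [::1]
sshd: 192.168.0.5 192.168.0. EXCEPT 192.168.0.10
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Turn 'daemons : clients' lines into (daemon_tokens, client_tokens) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank lines and comments are ignored
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def match_token(pattern, value):
    """One pattern against one daemon name or one client address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("[") and pattern.endswith("]"):  # bracketed IPv6 literal
        return pattern[1:-1] == value
    if pattern.endswith("."):                               # trailing dot: network prefix
        return value.startswith(pattern)
    return pattern == value


def match_list(tokens, value):
    """'a b EXCEPT c d': match a or b, unless c or d also matches."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], value) and not match_list(tokens[i + 1:], value)
    return any(match_token(t, value) for t in tokens)


def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is searched first, then hosts.deny; the first matching rule
    decides, and a connection that matches neither file is allowed."""
    for daemons, clients in parse_rules(allow):
        if match_list(daemons, daemon) and match_list(clients, client):
            return True
    for daemons, clients in parse_rules(deny):
        if match_list(daemons, daemon) and match_list(clients, client):
            return False
    return True
```

On a real host, the tcpdmatch tool that ships with tcp_wrappers performs the same check against the actual files, for example tcpdmatch sshd 192.168.0.10.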
The hosts.allow and hosts.deny files are very flexible and let you lock down your network in very granular ways. The biggest thing to remember is that some applications do not honour hosts.allow and hosts.deny at all. Make sure the service you are trying to block links against libwrap.so before you start writing rules, or you may sit and wonder why your rules don't work when it's really the application itself not being compatible.