TCP wrappers and xinetd provide additional security layers for network services by controlling access to services based on client hostnames or IP addresses. TCP wrappers work by checking the hosts.allow and hosts.deny files and xinetd manages services like Telnet, FTP and TFTP by configuring service-specific files in /etc/xinetd.d that define access rules and other settings. Administrators can enhance security by running services on non-standard ports, restricting access to trusted addresses, and logging connection attempts.

1. TCP WRAPPERS and XINETD

2. TCP Wrappers and xinetd Controlling access to network services is one of the most important security tasks facing a server administrator: An iptables-based firewall filters out unwelcome network packets within the kernel's network stack. TCP wrappers add an additional layer of protection by defining which hosts are allowed or not allowed to connect to "wrapped" network services. One such wrapped network service is the xinetd super server.

3. TCP Wrappers When a connection attempt is made to a TCP wrapped service, the service first references the hosts access files (/ etc/hosts.allow and /etc/hosts.deny ) to determine whether or not the client host is allowed to connect. It then uses the syslog daemon ( syslogd ) to write the name of the requesting host and the requested service to / var/log/secure or / var/log/messages . If a client host is allowed to connect, TCP wrappers release control of the connection to the requested service and do not interfere further with communication between the client host and the server. Because TCP wrappers are a valuable addition to any server administrator's arsenal of security tools, most network services within Red Hat Linux are linked against the libwrap.a library. Some such applications include /usr/sbin/sshd , /usr/sbin/sendmail , and /usr/sbin/xinetd.

4. TCP Wrappers Configuration Files To determine if a client machine is allowed to connect to a service, TCP wrappers reference the following two files, which are commonly referred to as hosts access files : /etc/hosts.allow /etc/hosts.deny When a client request is received by a TCP wrapped service, it takes the following basic steps: The service references /etc/hosts.allow . The TCP wrapped service sequentially parses the / etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to step 2. The service references /etc/hosts.deny . The TCP wrapped service sequentially parses the / etc/hosts.deny file. If it finds a matching rule is denies the connection. If not, access to the service is granted.

5. TCP Wrappers Configuration Files Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny . Therefore, if access to a service is allowed in hosts.allow , a rule denying access to that same service in hosts.deny is ignored. Since the rules in each file are read from the top down and the first matching rule for a given service is the only one applied, the order of the rules is extremely important . If no rules for the service are found in either file, or if neither file exists, access to the service is granted . TCP wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immediately without restarting network services .

6. Formatting Access Rules The format for both /etc/hosts.allow and /etc/hosts.deny are identical. Any blank lines or lines that start with a hash mark (#) are ignored, and each rule must be on its own line. Each rule uses the following basic format to control access to network services: < daemonList > : < clientList > [: < option > : < option > : ... ] < daemon list > — A comma separated list of process names ( not service names) or the ALL wildcard . The daemon list also accepts operators to allow greater flexibility. < client list > — A comma separated list of hostnames, host IP addresses, special patterns , or special wildcards which identify the hosts effected by the rule. The client list also accepts operators to allow greater flexibility. < option > — An optional action or colon separated list of actions performed when the rule is triggered. Option fields support expansions , launch shell commands, allow or deny access, and alter logging behavior.

7. Formatting Access Rules - Examples The following is a basic sample hosts access rule: vsftpd : . example . com This rule instructs TCP wrappers to watch for connections to the FTP daemon ( vsftpd ) from any host in the example.com domain. If this rule appears in hosts.allow , the connection will be accepted. If this rule appears in hosts.deny , the connection will be rejected. The next sample hosts access rule is more complex and uses two option fields: sshd : .example.com \ : spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \ : deny

8. Wildcards and Patterns The following wildcards may be used: ALL — Matches everything. It can be used for both the daemon list and the client list. LOCAL — Matches any host that does not contain a period ( . ), such as localhost. The following is a list of the most common accepted patterns for a client list entry: Hostname beginning with a period (.) — Placing a period at the beginning of a hostname, matches all hosts sharing the listed components of the name. The following example would apply to any host within the example.com domain: ALL : .example.com IP address ending with a period (.) — Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. The following example would apply to any host within the 192.168.x.x network: ALL : 192.168.

9. Patterns and Operators IP address/netmask pair — Netmask expressions can also be used as a pattern to control access to a particular group of IP addresses. The following example would apply to any host with an address of 192.168.0.0 through 192.168.1.255 : ALL : 192.168.0.0/255.255.254.0 The asterisk (*) — Asterisks can be used to match entire groups of hostnames or IP addresses, as long as they are not mixed in a client list containing other types of patterns. The following example would apply to any host within the example.com domain: ALL : *.example.com The EXCEPT operator allows specific exceptions to broader matches within the same rule. ALL: .example.com EXCEPT cracker.example.com ALL EXCEPT vsftpd: 192.168.0.

10. Access Control Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the allow or deny directive as the final option. For instance, the following two rules allow SSH connections from client-1.example.com , but deny connections from client-2.example.com : sshd : client-1.example.com : allow sshd : client-2.example.com : deny By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either hosts.allow or hosts.deny . Some consider this an easier way of organizing access rules.

11. Shell Commands Option fields allow access rules to launch shell commands through the following two directives: spawn — This option directive can perform tasks to get more information about the requesting client or create special log files using the echo command. In the following example, clients attempting to access Telnet services from the example.com domain are quietly logged to a special file: in.telnetd : .example.com \ : spawn /bin/echo `/bin/date` from %h >> /var/log/telnet.log : allow twist — This directive is often used to set up traps for intruders (also called &quot;honey pots&quot;). It can also be used to send messages to connecting clients. The twist command must occur at the end of the rule line. In the following example, clients attempting to access FTP services from the example.com domain are sent a message via the echo command: vsftpd : .example.com \ : twist /bin/echo &quot;421 Bad hacker, go away!&quot;

12. Expansions Expansions, when used in conjunction with the spawn and twist directives provide information about the client, server, and processes involved. Below is a list of supported expansions: %a — The client's IP address. %A — The server's IP address. %d — The daemon process name. %h — The client's hostname (or IP address, if the hostname is unavailable). %H — The server's hostname (or IP address, if the hostname is unavailable). %u — The client's username. If unavailable, unknown is printed.

13. XINETD Xinetd is a program used to start and stop a variety of Linux data communication applications. Some of these applications, such as Telnet , are installed by default in RedHat and Fedora Core Linux, others such as TFTP , need to be installed afterwards. xinetd Configuration Files /etc/xinetd.conf — The global xinetd configuration file. /etc/xinetd.d/ directory — The directory containing all service-specific files.

14. The /etc/xinetd.d/ Directory The files in the /etc/xinetd.d/ directory contains the configuration files for each service managed by xinetd and the names of the files correlate to the service. As with xinetd.conf , this file is read only when the xinetd service is started. In order for any changes to take effect, the administrator must restart the xinetd service . To get an idea of how these files are structured, consider the / etc/xinetd.d/telnet file: service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = yes }

15. Service Configuration File service — Defines the service name, usually to match a service listed in the /etc/services file. flags — Sets any of a number of attributes for the connection. REUSE instructs xinetd to reuse the socket for a Telnet connection. socket_type — Sets the network socket type to stream. wait — Defines whether the service is single-threaded (yes) or multi-threaded (no). user — Defines what user ID the process process will run under. server — Defines the binary executable to be launched. log_on_failure — Defines logging parameters for log_on_failure in addition to those already defined in xinetd.conf. disable — Defines whether or not the service is active. only_from — Allows only the specified hosts to use the service. no_access — Blocks listed hosts from using the service. no_access = 10.0.1.0/24 access_times — Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM .

16. The TELNET server Setting Up A Telnet Server To set up a Telnet server use the chkconfig command to activate Telnet. root@bigboy tmp# chkconfig telnet on Verifying the telnet service by netstat comand root@bigboy tmp# netstat -a | grep telnet tcp 0 0 *:telnet *:* LISTEN Verifying the telnet service by chkconfig --list command [root@bigboy tmp]# chkconfig --list | grep telnet telnet: on Stopping A Telnet Server Use the chkconfig command to deactivate telnet, even after the next reboot. [root@bigboy tmp]# chkconfig telnet off

17. Basic Telnet Security Let Telnet Listen On Another TCP Port 1) Edit a /etc/services file and add an entry for a new service. Call it stelnet . # Local services stelnet 7777/tcp # &quot;secure&quot; telnet 2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet : [root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet 3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 7777. service stelnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = no port = 7777 }

18. Basic Telnet Security 4) Use chkconfig to activate stelnet. [root@bigboy tmp]# chkconfig stelnet on 5) Check to make sure your server is now listening on port 7777 with the netstat command. [root@bigboy tmp]# netstat -an | grep 777 tcp 0 0 0.0.0.0:7777 0.0.0.0:* LISTEN Let Telnet Allow Connections From Trusted Addresses service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = no only_from = 192.168.1.100 127.0.0.1 192.168.1.200 }

19. The TFTP Server Software Installing the TFTP Server Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard( the RPM's filename usually starts with the word &quot;tftp-server&quot; followed by a version number like this: tftp-server-0.33-3.i386.rpm ). Configuring The TFTP Server The first step is to the configuration file /etc/xinetd.d/tftp and set disable to &quot;no&quot;. service tftp { socket_type = dgram protocol = udp wait = yes user = root only_from = 192.168.1.1 server = /usr/sbin/in.tftpd server_args = -s /tftpboot disable = no }

20. The TFTP Server Software In this example, xinetd will only allow the TFTP server to accept connections from the router / switch / firewall with an address of 192.168.1.1. You can extend this list with commas in between or just comment it out al together for global access. Create a / tftpboot directory with global read write privileges [root@bigboy tmp]# chmod 777 /tftpboot Restart xinetd [root@bigboy tmp]# /etc/init.d/xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ]