TCP Wrappers - Part II

The course is part of this learning path

Linux Security and Hardening
7
4
Start course
Overview
Difficulty
Intermediate
Duration
1h 7m
Students
100
Ratings
5/5
starstarstarstarstar
Description

In this course, you'll learn some techniques and strategies to secure network services. You'll also learn how the local firewall works in Linux and how to configure it. We'll talk about information leakage and ways to prevent it. Next, you'll learn how to test for open ports and perform port scans. You'll also learn about xinetd, what it does, and how to secure it. We'll also cover how to secure SSH. This course includes some guided demonstrations so that you can see the concepts being used in real-world environments.

Learning Objectives

  • Learn how to secure SSH
  • Understand the fundamentals of Linux firewall security, including configuring a firewall from the command line and setting up firewall rules
  • Learn how to use TCP wrappers to secure your Linux system

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.

Prerequisites

To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.

Transcript

If you wanna match hosts that share the same initial numeric groups, place a period at the end of that group. For example, to match any hosts that start with the IP address of 10.11.12, use 10.11.12. If you wanted to match any hosts whose IP address starts with 10, use 10. You can also use an IP address and net mask pair. For example, to match any hosts on the 10.11.0.0 network with a subnet mask of 255.255.0.0, you would use 10.11.0.0/255.255.0.0 as the client specification. If you wanna create a separate file that contains a list of hosts, you can provide a path to that file in the client section. For example, the rule sshd : /etc/hosts.sshd will match any clients listed in the etc/hosts.sshd file. And that file you would list client specifications one per line. You can use the all wildcard keyword in the client field as well. Here's a rule that matches any clients connecting to the imapd process. You can also use the except operator in your rules. This applies to services as well as hosts. For example, to allow SSH connections from every host except for hosts in the .hackers.net domain, use sshd : ALL EXCEPT .hackers.net. If you want to know control the facility and severity of the long messages generated by a match, use the severity directive in the action or options field of the rule followed by the desired severity or a facility and severity pair. Here's an example that you could use in the hosts.deny file. It will generate an emergency message when an SSH connection is attempted from 10.11.12.13. If you wanted to use the local zero facility and the alert severity, for example, you would create a rule with severity local0.alert in the options field. Now you can configure your system logger to do whatever you want with that message. Be it, write it to a local log file, send it to a centralized syslog server, both or something else entirely. You can even spawn a new process when a rule is matched. To do that, use the spawn directive in the action section, followed by the command you want to execute. Here's an example that executes the wall command when someone from hackers.net attempts to connect via SSHD. The backslash is the line continuation character. If I had enough room on the screen, I would have admitted it and placed everything on one line. Either way works in the hosts.allow or hosts.deny files. TCP Wrappers allows you to use expansions in your shell commands. For example, %a expands to the client's address. So the wall message in this example might be attack from 10.11.12.13. Here is a list of the available expansions. We've just talked about %a expanding to the client address, %d expanse to the service or daemon, and %p expands to the pit of that daemon, et cetera. There are several options here that you can use if you so want to. Here is a really simple, but effective TCP Wrapper configuration. First, start off by denying absolutely positively everything in the hosts.deny file. Next, explicitly list, any connections to wrap services that you want to allow in the hosts.allow file. For example, you could add a list of allowed IP addresses for the SSHD service. Now, any connections to TCP Wrap services other than those clearly defined in the hosts.allow file will be denied.

About the Author
Avatar
Jason Cannon
Founder, Linux Training Academy
Students
3315
Courses
60
Learning Paths
7

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.