4.12. Using tcpwrappers
TCP wrappers were developed at a time when no real packet filters were available and some form of access control was needed. They are nevertheless still very useful. TCP wrappers let you allow or deny a service to a host or a domain, and define a default allow or deny rule; all of this happens at the application level, after the kernel has already accepted the connection. For more information, see the hosts_access(5) manual page.
Many of the services installed on Debian use them in one of two ways:
On the one hand, for services configured in /etc/inetd.conf (this includes telnet, ftp, netbios, swat and finger) you will see that the configuration file executes /usr/sbin/tcpd first. On the other hand, even if a service is not launched by the inetd superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include ssh, portmap, in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME activator daemon), nessus and many others.
To see which packages use tcpwrappers, try:
$ apt-cache rdepends libwrap0
Take this into account when running tcpdchk (a very useful syntax and rule checker for the TCP wrappers configuration files). When you add stand-alone services (those linked directly against the wrapper library) to the hosts.deny and hosts.allow files, tcpdchk will warn that it cannot find the services mentioned, because it only looks for them in /etc/inetd.conf (the manpage is not entirely accurate here).
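The rules in hosts.allow and hosts.deny are evaluated in a fixed order that is easy to get wrong: the first matching entry in hosts.allow grants access, otherwise the first matching entry in hosts.deny refuses it, otherwise access is granted, which is why a missing hosts.deny allows everything. The following evaluator is an added example written for this page, not Debian's tcpd source; it implements the commonly used subset of hosts_access(5) (ALL, LOCAL, KNOWN, UNKNOWN, domain suffixes, address prefixes, net/mask and the EXCEPT operator) against two constructed files that express a default-deny policy. The daemon and client names in the sample files are assumptions for the illustration.

```python
"""Simplified evaluator of hosts_access(5) rule semantics (an added
illustration, not Debian's tcpd source). Supported subset: ALL, LOCAL,
KNOWN, UNKNOWN, leading-dot domain suffixes, trailing-dot address
prefixes, address/netmask or address/prefixlen, and EXCEPT. The optional
third field (hosts_options(5) commands such as spawn) is parsed and ignored."""
import ipaddress

# Constructed sample files expressing a default-deny policy.
HOSTS_ALLOW = """
# sshd: hosts with a dotless (local) name plus the management subnet minus
# one host; NFS daemons: one /24 only; ftp: one domain.
sshd: LOCAL, 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.200
portmap, rpc.mountd, rpc.statd: 10.0.0.
in.ftpd: .example.org
"""

HOSTS_DENY = """
# Everything not granted in hosts.allow is refused.
ALL: ALL
"""


def parse(text):
    """Return (daemon_list, client_list) pairs; a trailing backslash
    continues a rule onto the next line and '#' starts a comment."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, rest = line.split(":", 1)
        clients = rest.split(":", 1)[0]      # drop the shell_command field, if any
        rules.append((daemons.strip(), clients.strip()))
    return rules


def _tokens(spec):
    return spec.replace(",", " ").split()


def match_daemon(spec, daemon):
    """Daemon list: ALL or the daemon's process name; EXCEPT binds to the right."""
    if "EXCEPT" in spec:
        head, tail = spec.split("EXCEPT", 1)
        return match_daemon(head, daemon) and not match_daemon(tail, daemon)
    return any(tok == "ALL" or tok == daemon for tok in _tokens(spec))


def _match_client_token(tok, name, addr):
    """One client pattern against the reverse-lookup name (None if the
    lookup failed) and the address string."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":                        # known name without a dot
        return name is not None and "." not in name
    if tok == "KNOWN":
        return name is not None
    if tok == "UNKNOWN":
        return name is None
    if tok.startswith("."):                   # domain suffix, e.g. .example.org
        return name is not None and name.endswith(tok)
    if tok.endswith("."):                     # address prefix, e.g. 10.0.0.
        return addr is not None and addr.startswith(tok)
    if "/" in tok:                            # net/mask or net/prefixlen
        network = ipaddress.ip_network(tok, strict=False)
        return addr is not None and ipaddress.ip_address(addr) in network
    return tok == name or tok == addr         # exact hostname or address


def match_client(spec, name, addr):
    if "EXCEPT" in spec:
        head, tail = spec.split("EXCEPT", 1)
        return match_client(head, name, addr) and not match_client(tail, name, addr)
    return any(_match_client_token(tok, name, addr) for tok in _tokens(spec))


def access_allowed(daemon, name, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access(5) order: first matching hosts.allow rule grants, else
    first matching hosts.deny rule refuses, else access is granted."""
    for daemons, clients in parse(allow_text):
        if match_daemon(daemons, daemon) and match_client(clients, name, addr):
            return True
    for daemons, clients in parse(deny_text):
        if match_daemon(daemons, daemon) and match_client(clients, name, addr):
            return False
    return True


if __name__ == "__main__":
    # Constructed connection attempts: (daemon, reverse-lookup name, address)
    for case in [("sshd", "ws1.example.org", "192.168.1.10"),
                 ("sshd", "ws200.example.org", "192.168.1.200"),
                 ("sshd", "laptop", "192.168.2.7"),
                 ("rpc.mountd", None, "10.0.0.5"),
                 ("rpc.mountd", None, "10.0.1.5"),
                 ("in.ftpd", None, "203.0.113.4"),
                 ("in.telnetd", "ws1.example.org", "192.168.1.10")]:
        print(case, "->", "allow" if access_allowed(*case) else "deny")
```

Two of the cases are worth noticing: the host with the dotless name "laptop" is granted sshd by LOCAL even though its address is outside the management subnet (LOCAL is a property of the reverse-lookup name, not of the address), and in.telnetd is refused for everybody because no hosts.allow line mentions it. On a real system, check the installed files with tcpdmatch, e.g. `tcpdmatch sshd 192.168.1.200`, rather than reasoning about them by hand.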
Now, here comes a small trick, probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as the first line of defense and tcp wrappers as the second. The trick is to set up a SPAWN command in /etc/hosts.deny that sends mail to root whenever a refused connection triggers the wrappers:
ALL: ALL: SPAWN ( \
echo -e "\n\
TCP Wrappers\: Connection refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /usr/bin/mail -s "Connection to %d blocked" root) &
Beware: the example above is open to a denial of service. An attacker who opens many connections in a short period generates one mail per refused connection, so a few packets translate into a lot of file I/O and mail processing on your side.
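One way to keep the notification while closing that hole is to spawn a small script instead of the inline mail command, and have the script rate-limit itself. The script below is an added example written for this page, not part of the Debian manual; the install path /usr/local/sbin/wrap-notify, the log and state file locations, and the hosts.deny line that would call it are all assumptions:

    ALL: ALL: SPAWN /usr/local/sbin/wrap-notify %d %p %u %c &

Every refusal is still recorded, but mail to root goes out only while fewer than MAX_MAILS messages have been sent in the last WINDOW seconds, so a flood costs one appended log line per connection rather than one mail delivery per connection.

```python
"""Rate-limited notifier for connections refused by TCP wrappers (added
illustration, not from the Debian manual). Assumed to be installed as
/usr/local/sbin/wrap-notify and called from /etc/hosts.deny with the
tcpd expansions %d %p %u %c as its four arguments."""
import fcntl
import subprocess
import sys
import time

LOG_FILE = "/var/log/tcpwrappers-refused.log"      # assumed locations
STATE_FILE = "/var/lib/tcpwrappers-notify.state"
MAX_MAILS = 5        # mails permitted per window
WINDOW = 600         # window length in seconds


def should_notify(state_path, now, limit=MAX_MAILS, window=WINDOW):
    """Sliding-window limiter. The state file holds one send timestamp per
    line; returns True (and records the send) while under the limit.
    The lock matters because tcpd spawns one copy per refused connection."""
    with open(state_path, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        fh.seek(0)
        stamps = [float(s) for s in fh.read().split()]
        stamps = [s for s in stamps if now - s < window]   # expire old entries
        permitted = len(stamps) < limit
        if permitted:
            stamps.append(now)
        fh.seek(0)
        fh.truncate(0)
        fh.write("".join(f"{s}\n" for s in stamps))
        return permitted


def refusal_line(daemon, pid, user, client, now):
    """One log line per refused connection, built from tcpd's %d %p %u %c."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.localtime(now))
    return f"{stamp} refused {daemon}[{pid}] user={user} client={client}"


def main(argv):
    if len(argv) != 5:
        sys.stderr.write("usage: wrap-notify daemon pid user client\n")
        return 2
    now = time.time()
    line = refusal_line(*argv[1:5], now)
    with open(LOG_FILE, "a") as log:
        log.write(line + "\n")
    if should_notify(STATE_FILE, now):
        subprocess.run(["/usr/bin/mail", "-s", f"Connection to {argv[1]} blocked", "root"],
                       input=line + "\n", text=True, check=False)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that tcpd already reports refused connections through syslog, so the private log file is a convenience for correlating with the mails rather than the only record; the limiter only bounds what gets mailed, while the cost of accepting and refusing each connection remains, which is why the packet filter stays the first line of defense.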