Security Handbook/TCP wrappers

From Gentoo Wiki

TCP wrappers (the tcpd program and the libwrap library) control access to network services on a per-daemon basis. Traditionally they wrap services started by inetd (which Gentoo does not ship), but xinetd and any daemon linked against libwrap can use them as well.

Note
In xinetd the service must run tcpd as its server (with the real daemon given in server_args), unless xinetd itself was built with libwrap support, in which case it consults these files directly. See the chapter on xinetd for more information.
FILE /etc/hosts.deny
ALL:PARANOID
FILE /etc/hosts.allow
ALL: LOCAL @wheel
time: LOCAL, .gentoo.org

The format resembles that of /etc/security/access.conf, but the two mechanisms are independent: tcpd matches the daemon name and the connecting client against each rule, consulting /etc/hosts.allow first and then /etc/hosts.deny, and the first match wins; a connection that matches neither file is granted. Keep that default in mind when reading the example above: PARANOID only matches clients whose reverse DNS name does not resolve back to the connecting address, so with that hosts.deny every other client still gets in. Use ALL: ALL in hosts.deny for a real default deny and list the permitted clients in hosts.allow. Note also that @wheel denotes an NIS netgroup, not the local wheel group. These settings only apply to services using TCP wrappers; /etc/security/access.conf is enforced separately by pam_access at login time.
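As an added example (not part of the Gentoo handbook and not tcpd's own code), the following Python script implements tcpd's rule evaluation for the file format shown above, so the decision for a given daemon and client can be checked offline; on a real host, tcpdmatch(8) from the tcp_wrappers package does the same against the installed files. The Client class, the constructed client hosts, and the simplifications listed in the docstring are assumptions of this example.

```python
"""Minimal evaluator for /etc/hosts.allow and /etc/hosts.deny (added example,
not tcpd's code).  Implements tcpd's evaluation order (hosts.allow first,
then hosts.deny, otherwise grant) and the common client patterns from
hosts_access(5).  Simplifications, all assumptions of this example: no NIS,
so @netgroup patterns never match; the option field (spawn, twist, allow/deny
overrides) is ignored; no file includes or backslash line continuations."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Client:
    addr: str                      # connecting IP address
    name: Optional[str] = None     # reverse-DNS name; None means the lookup failed
    paranoid: bool = False         # True if the name does not resolve back to addr


def _split_list(field):
    """'a b, c EXCEPT d' -> (['a', 'b', 'c'], ['d']); one EXCEPT level only."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def _parse(text):
    """Return (daemon_field, client_field) for each non-comment rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))   # fields[2:] would be options; ignored
    return rules


def _daemon_matches(pattern, daemon):
    # 'ALL' or the daemon's process name; 'daemon@host' is reduced to 'daemon'
    return pattern == "ALL" or pattern.split("@", 1)[0] == daemon


def _client_matches(pattern, c):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":         # host name without a dot
        return c.name is not None and "." not in c.name
    if pattern == "UNKNOWN":       # reverse lookup failed
        return c.name is None
    if pattern == "KNOWN":
        return c.name is not None
    if pattern == "PARANOID":      # name and address disagree
        return c.paranoid
    if pattern.startswith("@"):    # NIS netgroup: no NIS here (assumption), never matches
        return False
    if pattern.startswith("/"):    # pattern file: not supported in this example
        raise ValueError(f"file patterns not supported: {pattern}")
    if pattern.startswith("."):    # domain suffix, e.g. .gentoo.org
        return c.name is not None and c.name.lower().endswith(pattern.lower())
    if pattern.endswith("."):      # address prefix, e.g. 192.168.
        return c.addr.startswith(pattern)
    if "/" in pattern:             # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(c.addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == c.addr or (c.name is not None and pattern.lower() == c.name.lower())


def _list_matches(field, value, match):
    include, exclude = _split_list(field)
    return any(match(p, value) for p in include) and not any(match(p, value) for p in exclude)


def _any_rule_matches(rules, daemon, client):
    return any(_list_matches(d, daemon, _daemon_matches) and _list_matches(c, client, _client_matches)
               for d, c in rules)


def hosts_access(daemon, client, allow_text, deny_text):
    """Return 'granted' or 'denied' the way tcpd would decide for this connection."""
    if _any_rule_matches(_parse(allow_text), daemon, client):
        return "granted"
    if _any_rule_matches(_parse(deny_text), daemon, client):
        return "denied"
    return "granted"               # matched neither file: tcpd grants access


# The two files from the page, plus a default-deny variant of hosts.deny.
PAGE_ALLOW = "ALL: LOCAL @wheel\ntime: LOCAL, .gentoo.org\n"
PAGE_DENY = "ALL:PARANOID\n"
STRICT_DENY = "ALL: ALL\n"

# Constructed clients for the demonstration (not real hosts).
STRANGER = Client("203.0.113.7", "host.example.net")
SPOOFED = Client("203.0.113.7", "host.example.net", paranoid=True)
WORKSTATION = Client("10.0.0.5", "workstation")
MIRROR = Client("198.51.100.2", "mirror.gentoo.org")


def demo():
    """Show why 'ALL: PARANOID' alone in hosts.deny is not a default deny."""
    return {
        "stranger, page deny": hosts_access("sshd", STRANGER, PAGE_ALLOW, PAGE_DENY),
        "spoofed, page deny": hosts_access("sshd", SPOOFED, PAGE_ALLOW, PAGE_DENY),
        "stranger, ALL: ALL": hosts_access("sshd", STRANGER, PAGE_ALLOW, STRICT_DENY),
        "workstation, ALL: ALL": hosts_access("sshd", WORKSTATION, PAGE_ALLOW, STRICT_DENY),
        "mirror time, ALL: ALL": hosts_access("time", MIRROR, PAGE_ALLOW, STRICT_DENY),
        "mirror sshd, ALL: ALL": hosts_access("sshd", MIRROR, PAGE_ALLOW, STRICT_DENY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} -> {verdict}")
```

Running the script shows the unknown stranger being granted access under the page's hosts.deny and denied only once hosts.deny contains ALL: ALL, while the LOCAL workstation and the .gentoo.org time client are still admitted through hosts.allow.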

It is also possible to execute commands when a rule matches (the spawn and twist options; historically used to enable relaying for dial-in users), but this is not recommended, since such hooks tend to create more problems than they solve. For example, a script that sends an e-mail every time someone hits the deny rule lets an attacker mount a DoS attack simply by hitting the deny rule repeatedly, generating a flood of I/O and mail. tcpd already logs refused connections through syslog, which is enough. Read man 5 hosts_access and man 5 hosts_options for more information.