Whole document tree


www.fifi.org
    Documentation
        Manpages
        GNU Info
        Debian document tree
        Whole document tree
    Trigance web page
    Public services
    User info
    Mailing lists
    Secure server
    Multilingual usage
 

Copyright (C) 2000-2012
Philippe Troin
<webmaster@fifi.org>.

Validate HTML
Validate CSS

    

Whole document tree

tcp_wrapper
Linux IPv6 HOWTO
PrevChapter 17. Hints for IPv6-enabled daemonsNext

17.5. tcp_wrapper

tcp_wrapper is a library which can help you to protect service against misuse.

17.5.1. Filtering capabilities

You can use tcp_wrapper for

17.5.2. Which program uses tcp_wrapper

Following are known:

17.5.3. Usage

tcp_wrapper is controlled by two files name /etc/hosts.allow and /etc/hosts.deny. For more information see 

$ man hosts.all

17.5.3.1. Example for /etc/hosts.allow

In this file, each service which should be positive filtered (means connects are accepted) need a line. 

sshd:           1.2.3. [3ffe:ffff:100:200::]/64
daytime-stream: 1.2.3. [3ffe:ffff:100:200::]/64

17.5.3.2. Example for /etc/hosts.deny

This file contains all negative filter entries and should normally deny the rest using 

ALL: ALL

If this node is a more sensible one you can replace the standard line above with this one, but this can cause a DoS attack (load of mailer and spool directory), if too many connects were made in short time. Perhaps a logwatch is better for such issues. 

ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`" 
 | tee -a /var/log/tcp.deny.log | mail root@localhost)

17.5.4. Logging

Depending on the entry in the syslog daemon configuration file /etc/syslog.conf the tcp_wrapper logs normally into /var/log/secure.

17.5.4.1. Refused connection

A refused connection via IPv4 to an xinetd covered daytime service produces a line like following example 

Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap
¬ from=::ffff:1.2.3.4
Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap 
 from=3ffe:ffff:100:200::212:34ff:fe12:3456

A refused connection via IPv4 to an dual-listen sshd produces a line like following example 

Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4
¬ (::ffff:1.2.3.4)
Jan 2 20:39:33 gate sshd[12345]: refused connect 
 from 3ffe:ffff:100:200::212:34ff:fe12:3456
¬ (3ffe:ffff:100:200::212:34ff:fe12:3456)

17.5.4.2. Permitted connection

A permitted connection via IPv4 to an xinetd covered daytime service produces a line like following example 

Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0
¬ from=::ffff:1.2.3.4 
Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 
 from=3ffe:ffff:100:200::212:34ff:fe12:3456

A permitted connection via IPv4 to an dual-listen sshd produces a line like following example 

Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4
¬ port 33381 ssh2
Jan 2 20:42:19 gate sshd[12345]: Accepted password for user 
 from 3ffe:ffff:100:200::212:34ff:fe12:3456 port 33380 ssh2
PrevHomeNext
Router Advertisement Daemon (radvd)UpProgramming (using API)