TCP wrapper based access List Rules can be included in the two files
- if allow will not check 2
- if not found then go to 2
- if not found allow access.
Points to remember
- You can have only one rule per service in and file.
- Any changes to and file takes immediate effect.
- The last line in the files and must be a new line character. Or else the rule will fail.
The syntax for both and file takes the following form:
daemon : client [:option1:option2:…]
deny access to all the others.
sshd : .
… and in thefile I include the rule:
sshd : ALL
Denys FTP access to all indomain and hosts in the 192.168.1.0 network.
vsftpd : 192.168.1. , .
vsftpd : 192.168.1. , . : spawn /bin/echo `/bin/date` access denied >> /var/log/ : deny
In the above rule, spawn logs a message to the vsftpd log file each time the rule matches. deny is optional if you are including this rule in thefile.
For example, you can use spawn option to send mail to the admin when ever a deny rule is matched.
You can use wildcards in the client section of the rule to broadly classify a set of hosts. These are the valid wildcards that can be used.
- ALL – Matches everything
- LOCAL – Matches any host that does not contain a dot (.) like localhost.
- KNOWN – Matches any host where the hostname and host addresses are known or where the user is known.
- UNKNOWN – Matches any host where the hostname or host address are unknown or where the user is unknown.
- PARANOID – Matches any host where the hostname does not match the host address.
ALL : 123.12.
Matches all the hosts in the 18.104.22.168 network. Note the dot (.) in the end of the rule.
ALL : 192.168.0.1/255.255.255.0
IP address/Netmask can be used in the rule.
sshd : /etc/
If the client list begins with a slash (/), it is treated as a filename. In the above rule, TCP wrappers looks up the filefor all SSH connections.
sshd : ALL EXCEPT 192.168.0.15
will allow ssh connection for only the machine with the IP address 192.168.0.15 and block all other connections.
You can use the options allow or deny to allow or restrict on a per client basis in either of the filesand
in.telnetd : 192.168.5.5 : deny
in.telnetd : 192.168.5.6 : allow
As mentioned above, you can couple the rules to certain shell commands by using the following two options.
spawn – This option launches a shell command as a child process. For example, look at the following rule:
sshd : 192.168.5.5 : spawn /bin/echo `/bin/date` from %h >> /var/log/: deny
Each time the rule is satisfied, the current date and the clients hostname %h is appended to thefile.
twist – This is an option which replaces the request with the specified command. For example, if you want to send to the client trying to connect using ssh to your machine, that they are prohibited from accessing SSH, you can use this option.
sshd : client1.: twist /bin/echo “You are prohibited from accessing this service!!” : deny
When using spawn and twist, you can use a set of expressions. They are as follows :
%a — The client’s IP address.
%A — The server’s IP address.
%c — Supplies a variety of client information, such as the username and hostname, or the username and IP address.
%d — The daemon process name.
%h — The client’s hostname (or IP address, if the hostname is unavailable).
%H — The server’s hostname (or IP address, if the hostname is unavailable).
%n — The client’s hostname. If unavailable, unknown is printed. If the client’s hostname and host address do not match, paranoid is printed.
%N — The server’s hostname. If unavailable, unknown is printed. If the server’s hostname and host address do not match, paranoid is printed.
%p — The daemon process ID.
%s — Various types of server information, such as the daemon process and the host or IP address of the server.
%u — The client’s username. If unavailable, unknown is printed.