The hosts.allow and hosts.deny files located under the /etc directory are collectively known as tcpwrappers. tcpwrappers along with iptables is an effective solution to protecting your network and individual servers.
The hosts.allow and hosts.deny files have some fairly simple syntax rules to follow. They both accept the keywords or wildcards of ALL and EXCEPT. Each of these files contains two or more colon separated fields. The first field contains a comma delimited list of executable names. Note that these must be the executable name not the service name and can contain the wildcards previously mentioned.
The second field contains comma separated lists of client specifications using IP addresses, hostnames, trailing dot networks, leading dot domains and network/netmask pairs. This field can also use the wildcards ALL and EXCEPT.
Executables that can be used in tcpwrappers use the shared object library libwrap.so. Determining if the application is “eligible” to work with tcpwrappers means that we must find out if it contains the libwrap.so library. To do so issue a command like the following:
[root@centos5-dev ~]# strings `which sshd` |grep libwrap.so
Here we can see that sshd contains the libwrap.so library. This means that we can use tcpwrappers to control access to the secure shell daemon.
Now we need to make sure that we have the proper executable name. Generally speaking this will be the name of the executable unless it is a daemon run out of xinetd. In that case you must look in the service file under the /etc/xinetd,d directory. For instance I have telnet setup to run under xinetd.d and the binary name located in /etc/xinetd.d/telnet is in.telnetd. This would be the service name that you would use in tcpwrappers.
tcpwrappers first checks the hosts.allow and then the hosts.deny files. tcpwrappers implements a stop on first match policy. Therefore if you have in.telnetd in the hosts.allow then the machine will allow a telnet connection. If it doesn’t find a reference in either of the tcpwrappers files then it will allow the connection. This is known as “by fault of omission” meaning that the connection request meets no rule restrictions. Note that changes made in either of the tcpwrappers files are effective immediately on any new connections.
Once you have all of the allowed connections that you want in your hosts.allow file you should then make the following entry into your hosts.deny:
ALL : ALL
By making this entry you insure that you haven’t missed anything and that only the services mentioned in the hosts.allow file are going to be allowed.
Now that we have the basics down lets take a look at making some entries in the hosts.allow file. Our first entry should be for our local machine. After all we don’t want to lock ourselves out of our own machine. This entry looks like this:
ALL : 127.0.0.1 [::1}
The entry [::1] is for IPv6 addresses.
For our next entry let’s use sshd. We’ve already checked above that sshd will use tcpwrappers so now we must decide from which machines or networks we will allow the ssh connection. If I am on the 192.168.0.0/24 network I may want all of the machines on the network to be able connect to my machine over ssh. In that case I would make an entry like the following:
sshd : 192.168.0.
Notice the dot at the end of the ip. This must be in place to insure that all of the machines can connect.
Using the same scenario I want all of the machines on the network to connect except for 192.168.0.10 and 192.168.0.44. I would then make an entry like the following:
sshd : 192.168.0. EXCEPT 192.168.0.10,192.168.0.44
I am now letting everyone on the network login via ssh except for those two machines.
This should help you get started in locking down your machines so that only the services you want are allowed. Don’t forget that you can use hostnames and leading dot domains such as .example.com.