Tcp Wrappers

This is meant as a quick and dirty explanation of tcp_wrappers and how they can work for you. It is by no means a substitute for reading the README. Tcp wrappers help by giving a nice extensible way to control and monitor the assorted internet services on a computer. In order to understand what this means, one must know a little about the internet daemon, or inetd.

The inetd is, by comparison, that little Dutch boy who kept pushing his fingers into the overflowing dam. The main difference is that the inetd selectively pulls its finger out of assorted places in order to let out the stream of stuff. Every type of connection, telnet, http, ftp, finger, etc... has a particular 'port' on the computer, analogous to a specific place on the face of our mythic dam. These ports and the actions taken when they are touched are defined in two files: /etc/services and /etc/inetd.conf. The services file gives names to the assorted ports on your system, while inetd.conf tells inetd exactly what to do with each one.

Here is a quick example: Looking in /etc/services you will find something like:

telnet 23/tcp
This signifies that port 23 is called the telnet port and uses a tcp connection (as opposed to a udp connection -- if you care, tcp connections must go through a formal handshake process before any data is passed while udp does not; thus udp is used for stuff like nfs where you do not want to wait even the minuscule time a tcp connection takes.) Now, looking in the inetd.conf we find:
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd          in.telnetd
This tells us that the service named telnet is a stream service (as opposed to a service which works in separate atoms of information), again, it is tcp, it does not wait for input before responding, it is run by root, is controlled by /usr/sbin/tcpd, and uses /usr/sbin/in.telnetd as its interface to the world.

In most Unix systems, there is one more thing. It is possible to give a rudimentary level of control over where these connections are accepted from in the form of /etc/hosts.allow and /etc/hosts.deny.

So, back to tcp_wrappers. They improve this system in two main ways: giving much improved logging options for these assorted services, and giving huge improvements over the methods of access control. In the setup on my personal computer I did the following: compile tcp_wrappers three separate times. The first time I set its logging to syslog_local0 (man syslog.conf, syslogd and read /usr/include/sys/syslog.h to learn more about them -- it is super easy), the second time to syslog_local1, and the third to syslog_local2. In my syslog.conf I made lines which look like:

local0.notice                           /dev/null
local1.notice                           /var/log/wrapper_normal
local2.notice                           /var/log/wrapper_suspicious
Now remember, when you edit syslog.conf, you absolutely must not use spaces between the fields, only tabs! Now, when I restart syslogd, anything which logs to local0 will not be logged, local1 will go to wrapper_normal etc...
The three executables created when I compiled tcp_wrappers are named: wrapper_unmonitored, wrapper_normal, and wrapper_suspicious. I made sure to compile them with the extra language option and all the nice bells and whistles. I copied them into /usr/sbin and started editing my inetd.conf.
Let us look at three services and what my modifications have done.
Port 139 runs samba, the WindowsNT networking protocol. I do not use it, but the nt boxes on our network talk to everything they possibly can using this. If I wish, I could simply comment this line out of my inetd.conf and services file (which is actually what I did, but this is an example). But, using the wrapper I could also change the line in my inetd.conf to read
netbios-ssn stream tcp nowait root /usr/sbin/wrapper_unmonitored nmbd
This tells my computer that when a connection is made to the samba port (called netbios-ssn for no good reason) to run immediately as root the program /usr/sbin/wrapper_unmonitored. This will log to /dev/null and then forward the connection to the proper daemon, which is nmbd. Ok, so big deal, this did nothing for me. Now let us look at my /etc/hosts.allow.
nmbd:     129.133.,.wesleyan.edu:    ALLOW
nmbd:     ALL:      spawn (/usr/bin/safe_finger -l @%h | /usr/bin/mail -s %d-%h trey) : deny
The tcp_wrappers give these super cool rules for access. This entry tells me in the first line that if a nmbd connection comes from within wesleyan to allow it no questions asked. In the next line, it says that all other connections are denied, _and_ a mail is to be sent to me with some information about the host which attempted the connection. :)
Here is another service I changed.
telnet          stream  tcp     nowait  root    /usr/sbin/wrapper_normal  /usr/sbin/in.telnetd
This line tells me to pass all telnet connections through the normal wrapper to the telnetd. This will log to /var/log/wrapper_normal; thus giving me decent information about who is telnetting to the computer. In my /etc/hosts.allow I have the following:
in.telnetd:     .home.com:      banners /etc/banners : deny
in.telnetd:     ALL:    ALLOW
Now, anyone is allowed to telnet in except people from home.com. In my directory /etc/banners I have a file called in.telnetd which says something like: People from home.com are inherently evil and are not allowed to telnet to my computer, go away. :p
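To make the rule semantics concrete, here is an added example (my own illustration, not code from tcp_wrappers or from this page): a small Python evaluator for hosts.allow/hosts.deny that searches hosts.allow first, stops at the first matching rule, treats a hosts.allow match as a grant unless the rule carries the deny option, and understands ALL, leading-dot domain suffixes and trailing-dot network prefixes. The rule text inside it is constructed after the samba and telnet rules above; EXCEPT lists and the other options are not modelled.

```python
import re

# Added illustration of the hosts.allow / hosts.deny semantics the rules above
# rely on; it is not part of tcp_wrappers. Client patterns handled: ALL, a
# leading-dot domain suffix (.wesleyan.edu), a trailing-dot network prefix
# (129.133.) and an exact host name or address. EXCEPT lists are not handled.

def _matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern in (host, addr)

def parse_rules(text):
    """Yield (daemons, clients, options) for each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = re.split(r"[\s,]+", fields[0])
        clients = re.split(r"[\s,]+", fields[1])
        yield daemons, clients, [o.lower() for o in fields[2:]]

def check_access(allow_text, deny_text, daemon, host, addr):
    """Search hosts.allow, then hosts.deny; the first matching rule decides.
    A hosts.allow match grants unless it carries the deny option, a hosts.deny
    match refuses unless it carries allow; no match at all grants access."""
    for default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and any(
                    _matches(p, host, addr) for p in clients):
                verdict = default
                for opt in options:
                    if opt in ("allow", "deny"):
                        verdict = opt
                return verdict
    return "allow"

# Constructed hosts.allow in the spirit of the page. The .home.com rule has to
# come before the catch-all, because the search stops at the first match.
HOSTS_ALLOW = """\
nmbd:       129.133., .wesleyan.edu: ALLOW
nmbd:       ALL: spawn (/usr/bin/safe_finger -l @%h | /usr/bin/mail -s %d-%h trey) : deny
in.telnetd: .home.com: banners /etc/banners : deny
in.telnetd: ALL: ALLOW
"""
```

Swapping the two in.telnetd lines makes the catch-all shadow the .home.com rule, which is the ordering mistake this evaluator lets you see before it bites.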
Here is one last example:
imap          stream  tcp     nowait  root    /usr/sbin/wrapper_suspicious  /usr/sbin/in.go_awayd
I do not use imap, but many many hacker/cracker types have attempted to get into my computer using it, so I attempt to discourage such behavior. If a connection comes into this port, my computer logs it to /var/log/wrapper_suspicious and runs in.go_awayd which is a shell script that does the following:
#!/bin/sh
# in.go_awayd: print a warning to whoever connected, then exit.
echo "Who in the hell do you think you are?  Go away, your connection to this computer"
echo " has been logged and the administrator of the domain you connected from will soon"
echo " be receiving a mail from me containing the time you did this."
If I actually care, I can then add a line to /etc/hosts.allow telling it to mail me the output of a finger of their hostname with the time of the connection whenever in.go_awayd is run.

So, the end result is, I now have super easy to configure and amazingly flexible control over the assorted services on my computer. :)

Some other links:
The tcp_wrappers source version 7.6
Wietse Venema's homepage


Ashton T. Belew
Last modified: Thu Mar 11 11:21:15 EST 1999