Barrett D. J., Byrnes R. G., Silverman R. Linux Security Cookbook / Recipe 3.9 Restricting Access by Remote Hosts (xinetd with libwrap)

Computers & Technology
Education & Reference
Business & Investing
Science & Math

Linux Security Cookbook
Authors: Barrett D. J., Byrnes R. G., Silverman R.
Published year: 2006
Pages: 66-68/247

<< Previous page
Table of contents
Next page >>

Recipe 3.9 Restricting Access by Remote Hosts (xinetd with libwrap)

3.9.1 Problem

You want only particular remote hosts to access a TCP service via xinetd , when xinetd was compiled with libwrap support.

3.9.2 Solution

Control access via /etc/hosts.allow and /etc/hosts.deny . For example, to permit Telnet connections only from 192.168.1.100 and hosts in the example.com domain, add this to /etc/hosts.allow :

in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY

Then reset xinetd so your changes take effect. [Recipe 3.3]

3.9.3 Discussion

If you want to consolidate your access control in /etc/hosts.allow and /etc/hosts.deny , rather than use xinetd -specific methods [Recipe 3.8], or if you prefer the hosts.allow syntax and capabilities, this technique might be for you. These files support a rich syntax for specifying hosts and networks that may, or may not, connect to your system via specific services.

This works only if xinetd was compiled with libwrap support enabled. To detect this, look at the output of:

$ strings /usr/sbin/xinetd  grep libwrap
libwrap refused connection to %s from %s
%s started with libwrap options compiled in.

If you see printf -style format strings like the above, your xinetd has libwrap support.

3.9.4 See Also

xinetd(8), hosts.allow(5).

Recipe 3.10 Restricting Access by Remote Hosts (xinetd with tcpd)

3.10.1 Problem

You want only particular remote hosts to access a TCP service via xinetd , when xinetd was not compiled with libwrap support.

3.10.2 Solution

Set up access control rules in /etc/hosts.allow and/or /etc/hosts.deny . For example, to permit telnet connections only from 192.168.1.100 and hosts in the example.com domain, add to /etc/hosts.allow :

in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY

Then modify /etc/xinetd.conf or /etc/xinetd.d/servicename to invoke tcpd in place of your service:


Old /etc/xinetd.conf or /etc/xinetd.d/telnet:

service telnet
{
        ...
        flags = ...
        server = /usr/sbin/in.telnetd
        ...
}

New /etc/xinetd.conf or /etc/xinetd.d/telnet:

service telnet
{
        ...
        flags = ...

NAMEINARGS

server =

/usr/sbin/tcpd


server_args = /usr/sbin/in.telnetd

...
}

Then reset xinetd so your changes take effect. [Recipe 3.3]

3.10.3 Discussion

This technique is only for the rare case when, for some reason, you don't want to use xinetd 's built-in access control [Recipe 3.8] and your xinetd does not have libwrap support compiled in. It mirrors the original inetd method of access control using TCP-wrappers. [Recipe 3.11]

You must include the flag NAMEINARGS , which tells xinetd to look in the server_args line to find the service executable name (in this case, /usr/sbin/in.telnetd ).

3.10.4 See Also

xinetd(8), hosts.allow(5), tcpd(8).

Recipe 3.11 Restricting Access by Remote Hosts (inetd)

3.11.1 Problem

You want only particular remote hosts to access a TCP service via inetd .

3.11.2 Solution

Use tcpd , specifying rules in /etc/hosts.allow and/or /etc/hosts.deny . Here's an example of wrapping the Telnet daemon, in.telnetd , to permit connections only from IP address 192.168.1.100 or the example.com domain. Add to /etc/hosts.allow :

in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY

Then modify the appropriate configuration files to substitute tcpd for your service, and restart inetd .

3.11.3 Discussion

The control files /etc/hosts.allow and /etc/hosts.deny define rules by which remote hosts may access local TCP services. The access control daemon tcpd processes the rules and determines whether or not to launch a given service.

First set up your access control rules in /etc/hosts.allow and/or /etc/hosts.deny . Then modify /etc/inetd.conf to invoke the service through tcpd :


Old /etc/inetd.conf:

telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd

New /etc/inetd.conf:

telnet  stream  tcp  nowait  root

/usr/sbin/tcpd  /usr/sbin/in.telnetd

Finally restart inetd so your changes take effect. [Recipe 3.4]