20.5. tcp_wrapper

tcp_wrapper is a library which can help you protect services against misuse.

20.5.1. Filtering capabilities

You can use tcp_wrapper for

  • Filtering against source addresses (IPv4 or IPv6)

  • Filtering against users (requires a running ident daemon on the client)

20.5.2. Which program uses tcp_wrapper

The following are known to use it:

  • Each service which is started by xinetd (if xinetd is compiled with the tcp_wrapper library)

  • sshd (if compiled using tcp_wrapper)

20.5.3. Usage

tcp_wrapper is controlled by two files named /etc/hosts.allow and /etc/hosts.deny. For more information see

$ man hosts.allow

20.5.3.1. Example for /etc/hosts.allow

In this file, each service which should be positively filtered (meaning connections are accepted) needs a line.

sshd:           1.2.3. [3ffe:ffff:100:200::]/64
daytime-stream: 1.2.3. [3ffe:ffff:100:200::]/64

Note: there are broken implementations around which use the following broken IPv6 network description: [3ffe:ffff:100:200::/64]. Hopefully such versions will be fixed soon.

20.5.3.2. Example for /etc/hosts.deny

This file contains the negative filter entries and should normally deny everything not explicitly allowed, using

ALL: ALL

If this node is a more sensitive one, you can replace the standard line above with the following one, which logs and mails every refused attempt. Be aware that this itself can cause a DoS (load on the mailer and the spool directory) if too many connects are made in a short time; a logwatch-style tool is perhaps better for such issues.

ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`" \
 | tee -a /var/log/tcp.deny.log | mail root@localhost)
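The access-control semantics described in 20.5.3.1 and 20.5.3.2, as an added Python example (not part of this HOWTO and not libwrap's own code). It implements only the subset of the hosts_access(5) syntax used in this section: ALL, trailing-dot IPv4 prefixes such as 1.2.3., and bracketed IPv6 networks such as [3ffe:ffff:100:200::]/64. It applies the documented order (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted), maps IPv4-mapped addresses like ::ffff:1.2.3.4 back to IPv4 as a dual-listen daemon would see them, and rejects the broken [net::/64] notation that the note above warns about. The file contents and client addresses are constructed; option fields such as spawn are parsed but ignored.

```python
import ipaddress

# Constructed sample files; the entries mirror the examples in this section.
HOSTS_ALLOW = """\
sshd:           1.2.3. [3ffe:ffff:100:200::]/64
daytime-stream: 1.2.3. [3ffe:ffff:100:200::]/64
"""
HOSTS_DENY = "ALL: ALL\n"


def split_fields(line):
    """Split a rule on ':' characters that are outside [...], so bracketed
    IPv6 literals stay intact. Returns the stripped fields."""
    fields, current, depth = [], [], 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return [f.strip() for f in fields]


def parse_rules(text):
    """Return [(daemon_list, client_list), ...]. Comments and blank lines are
    skipped; an option field (e.g. spawn ...) after the client list is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = split_fields(line)
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def normalize_client(client):
    """Map an IPv4-mapped IPv6 address (::ffff:1.2.3.4, as seen by a dual-listen
    daemon) back to plain IPv4 so that IPv4 patterns can match it. Strings that
    are not addresses are returned unchanged."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return client
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def client_matches(pattern, client):
    """Match one client pattern from a rule against a normalized client address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("["):
        if "]/" in pattern:
            # Documented form: [ipv6-network]/prefixlen
            addr, plen = pattern[1:].split("]/", 1)
            net = ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)
            try:
                ip = ipaddress.ip_address(client)
            except ValueError:
                return False
            return ip.version == 6 and ip in net
        if pattern.endswith("]") and "/" not in pattern:
            # A single bracketed IPv6 host
            return client == normalize_client(pattern[1:-1])
        # The prefix length ended up inside the brackets ([net::/64]): this is
        # the broken notation the section warns about, so refuse it loudly.
        raise ValueError(f"unsupported client pattern: {pattern}")
    if pattern.endswith("."):
        # Trailing dot: matches every address beginning with these octets
        return client.startswith(pattern)
    return client == pattern


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return any(client_matches(p, client) for p in clients)


def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow grants, then hosts.deny refuses,
    otherwise access is granted."""
    client = normalize_client(client)
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for daemon, client in [("sshd", "1.2.3.4"), ("sshd", "::ffff:1.2.3.4"),
                           ("sshd", "3ffe:ffff:100:200:212:34ff:fe12:3456"),
                           ("sshd", "3ffe:ffff:100:201::1"), ("telnet", "1.2.3.4")]:
        print(daemon, client, "allowed" if access_allowed(daemon, client) else "refused")
```

Two details worth noticing when running it: a client from 1.2.30.7 is refused even though the string begins with "1.2.3", because the trailing dot in the pattern demands a full octet boundary; and an IPv6 neighbour in 3ffe:ffff:100:201::/64 is refused by the ALL: ALL line in hosts.deny, since only the :200 /64 is listed in hosts.allow.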

20.5.4. Logging

Depending on the entry in the syslog daemon configuration file /etc/syslog.conf, tcp_wrapper normally logs to /var/log/secure.

20.5.4.1. Refused connection

A refused connection to an xinetd-covered daytime service produces a line like the following examples (first via IPv4, which a dual-listen daemon sees as an IPv4-mapped IPv6 address, then via IPv6):

Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap from=::ffff:1.2.3.4
Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap from=3ffe:ffff:100:200::212:34ff:fe12:3456

A refused connection to a dual-listen sshd produces a line like the following examples (first via IPv4, then via IPv6):

Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4 (::ffff:1.2.3.4)
Jan 2 20:39:33 gate sshd[12345]: refused connect from 3ffe:ffff:100:200::212:34ff:fe12:3456 (3ffe:ffff:100:200::212:34ff:fe12:3456)

20.5.4.2. Permitted connection

A permitted connection to an xinetd-covered daytime service produces a line like the following examples (first via IPv4, then via IPv6):

Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 from=::ffff:1.2.3.4
Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 from=3ffe:ffff:100:200::212:34ff:fe12:3456

A permitted connection to a dual-listen sshd produces a line like the following examples (first via IPv4, then via IPv6):

Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4 port 33381 ssh2
Jan 2 20:42:19 gate sshd[12345]: Accepted password for user from 3ffe:ffff:100:200::212:34ff:fe12:3456 port 33380 ssh2
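The four log formats shown in 20.5.4 (xinetd FAIL/START lines with a libwrap from= field, and sshd refused/Accepted lines), as an added Python example that is not part of this HOWTO: it parses such syslog lines, normalizes the IPv4-mapped addresses so a client reaching the dual-listen socket as ::ffff:1.2.3.4 is counted together with plain 1.2.3.4, and tallies refused connections per source and service, which is the kind of check a logwatch-style tool would run over /var/log/secure. The sample log is constructed from the lines in this section; the IPv6 host address is written in its full eight-group form so that the ipaddress module accepts it.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, modelled on the examples in this section.
SAMPLE_LOG = """\
Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap from=::ffff:1.2.3.4
Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap from=3ffe:ffff:100:200:212:34ff:fe12:3456
Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4 (::ffff:1.2.3.4)
Jan 2 20:39:33 gate sshd[12345]: refused connect from 3ffe:ffff:100:200:212:34ff:fe12:3456 (3ffe:ffff:100:200:212:34ff:fe12:3456)
Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 from=::ffff:1.2.3.4
Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4 port 33381 ssh2
Jan 2 20:42:19 gate sshd[12345]: Accepted password for user from 3ffe:ffff:100:200:212:34ff:fe12:3456 port 33380 ssh2
"""

# Classic syslog prefix: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
XINETD_RE = re.compile(r"^(?P<status>FAIL|START): (?P<service>\S+) .*?\bfrom=(?P<addr>\S+)")
SSHD_REFUSED_RE = re.compile(r"^refused connect from (?P<addr>\S+)")
SSHD_ACCEPTED_RE = re.compile(
    r"^Accepted \S+ for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)")


def normalize_addr(addr):
    """Turn ::ffff:1.2.3.4 into 1.2.3.4 so one client is counted once whether it
    arrived over the IPv4 or the IPv6 socket; unparsable strings are kept verbatim."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_line(line):
    """Return a dict describing a tcp_wrapper-related event, or None for other lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg, ts = m.group("prog"), m.group("msg"), m.group("ts")
    if prog.startswith("xinetd"):
        x = XINETD_RE.match(msg)
        if x:
            outcome = "refused" if x.group("status") == "FAIL" else "permitted"
            return {"service": x.group("service"), "outcome": outcome,
                    "addr": normalize_addr(x.group("addr")), "ts": ts}
    elif prog == "sshd":
        r = SSHD_REFUSED_RE.match(msg)
        if r:
            return {"service": "sshd", "outcome": "refused",
                    "addr": normalize_addr(r.group("addr")), "ts": ts}
        a = SSHD_ACCEPTED_RE.match(msg)
        if a:
            return {"service": "sshd", "outcome": "permitted",
                    "addr": normalize_addr(a.group("addr")), "ts": ts,
                    "user": a.group("user")}
    return None


def parse_log(text):
    """All recognised events in the log, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def refused_by_source(text):
    """Counter of refused connections keyed by (client address, service)."""
    return Counter((e["addr"], e["service"])
                   for e in parse_log(text) if e["outcome"] == "refused")


if __name__ == "__main__":
    for (addr, service), n in refused_by_source(SAMPLE_LOG).most_common():
        print(f"{n:3d} refused  {service:15s} from {addr}")
```

Because normalization happens before counting, the xinetd refusal logged with from=::ffff:1.2.3.4 and an sshd refusal from plain 1.2.3.4 both land under the key 1.2.3.4; without that step, the same client would show up as two different sources depending on which socket it hit.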
