Securing your network: An introduction to TCP wrappers
TCP wrappers are intended to provide wrapper daemons that can be installed without any changes to existing software. Most TCP/IP applications depend on the client/server model -- i.e., when a client requests a connection, a server process is started on the host. TCP wrappers work by interposing an additional layer, or wrapper, between client and server.
In the basic service, the wrapper simply logs the name of the client host and requested service, then hands this information over to the real daemon; it neither exchanges information with the client or server nor imposes overhead on the actual conversation between the two. Optional features may be enabled, including access control, client-user name lookups, and additional protection against hostname spoofing.
(The current version of the software, 7.6, can be obtained via FTP. See the Resources section below for the URL.)
Compilation
Many Unix flavors are supported by TCP wrappers, so you shouldn't have any trouble building from source. There are, however, a few decisions to make at compile time. Features, for example, can be turned on or off through definitions. Here is a list, with default values shown where appropriate:
STYLE = -DPROCESS_OPTIONS:
    Enable language extensions. This is disabled by default.

FACILITY = LOG_MAIL:
    Where do log records go? I prefer to set this to LOG_DAEMON so that everything goes to /var/log/daemon.

SEVERITY = LOG_INFO:
    Indicates what level to give to the log message. The default, LOG_INFO, is fine.

HOSTS_ACCESS:
    When compiled with this option, wrapper programs support a simple form of access control. Because this is the raison d'être of the suite, it's defined by default.

PARANOID:
    When compiled with -DPARANOID, wrappers will always try to look up and double-check the client hostname, and will always refuse service in the case of a discrepancy between hostname and IP address. This is a reasonable policy for most systems. When compiled without -DPARANOID, wrappers still perform hostname lookup; however, where such lookups give conflicting results for hostname and IP address, hosts are not automatically rejected. They can be matched with the PARANOID wildcard in the access files, and a decision is made on whether or not to grant access.

DOT = -DAPPEND_DOT:
    This appends a dot to every domain name -- transforming example.com into example.com. for instance. This is done because on many Unix systems
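The PARANOID option above rests on one check: the client address is mapped to a hostname, and that hostname is then mapped back to its addresses; if the original address is not among them, the wrapper treats hostname and address as conflicting. The following script is an added example (not code from the tcp_wrappers package) that implements that double-reverse lookup and the two build-time behaviours the article describes. The DNS data is a constructed in-memory table so it runs offline, the log-line format is made up for illustration, and the single boolean standing in for "what the access files decide about the PARANOID wildcard" is an assumption.

```python
"""Double-reverse hostname verification, as TCP wrappers' PARANOID mode does it.

Added example, not code from the tcp_wrappers package.  The resolver is a
constructed in-memory table so the script runs offline; a real wrapper would
call socket.gethostbyaddr() and socket.gethostbyname_ex() instead.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample DNS data (documentation addresses, not real hosts).
REVERSE: Dict[str, str] = {
    "192.0.2.10": "trusted.example.com",   # forward and reverse agree
    "192.0.2.11": "Trusted.Example.COM.",  # agrees once case and trailing dot are normalised
    "192.0.2.20": "trusted.example.com",   # reverse claims a name whose A records omit this address
    "192.0.2.30": "ghost.example.com",     # reverse name has no forward records at all
}
FORWARD: Dict[str, List[str]] = {
    "trusted.example.com": ["192.0.2.10", "192.0.2.11"],
}


def canonical(name: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully qualified form."""
    return name.rstrip(".").lower()


def double_reverse_lookup(
    ip: str,
    reverse: Dict[str, str] = REVERSE,
    forward: Dict[str, List[str]] = FORWARD,
) -> Tuple[Optional[str], str]:
    """Map an address to a hostname and check that the name maps back to it.

    Returns (hostname, status) where status is:
      "OK"       - the reverse name's forward records include the address
      "PARANOID" - hostname and address disagree (the wrappers' own label)
      "UNKNOWN"  - no reverse record exists at all
    A name with no forward records counts as a mismatch: the claim made by
    the reverse record cannot be verified, so it is not trusted.
    """
    name = reverse.get(ip)
    if name is None:
        return None, "UNKNOWN"
    if ip in forward.get(canonical(name), []):
        return canonical(name), "OK"
    return canonical(name), "PARANOID"


def decide(ip: str, service: str, compiled_paranoid: bool,
           paranoid_rule_allows: bool = False) -> Tuple[str, str]:
    """Return (verdict, log_line) for one connection under either build mode.

    compiled_paranoid=True  models a -DPARANOID build: a mismatch is refused outright.
    compiled_paranoid=False models the other build: the host is presented to the
    access rules under the PARANOID wildcard, and paranoid_rule_allows stands in
    for whatever the access files decide (assumption: a single boolean rule).
    The log-line format here is constructed for illustration, not tcpd's own.
    """
    name, status = double_reverse_lookup(ip)
    if status == "PARANOID":
        if compiled_paranoid:
            return "refuse", f"{service}: refused connect from {ip} (hostname/address mismatch)"
        verdict = "grant" if paranoid_rule_allows else "refuse"
        return verdict, f"{service}: {verdict} PARANOID[{ip}] by access-file rule"
    # Consistent or nameless clients go to the normal rules; with no rule in
    # this toy model they are granted and logged as the basic service would.
    label = name if name else "unknown"
    return "grant", f"{service}: connect from {label}[{ip}]"


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        for mode in (True, False):
            verdict, line = decide(addr, "ftpd", compiled_paranoid=mode)
            print(f"-DPARANOID={'yes' if mode else 'no '}  {verdict:6}  {line}")
```

The point to take from running it: 192.0.2.20 and 192.0.2.30 both present a plausible-looking hostname, but neither name maps back to the connecting address, so a -DPARANOID build refuses them without consulting any rule, while the other build leaves the decision to whatever the access files say for the PARANOID wildcard.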