HOWTO Setup tcpwrappers (tcpd) for controlling access

From Research
Revision as of 18:32, 26 October 2006 by Gordp (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Purpose

TCPWrappers can effectively control access to those services, which have tcpwrapper support compiled in. The controlling daemon is tcpd, which is automatically pulled in whenever the tcpd USE flag in enabled (Gentoo Linux).

Setup

First, verify that SSH has tcpwrapper support (tcpd flag indicates it does, in this example): 

hostname ~ # emerge -pv net-misc/openssh
[ebuild   R    ] net-misc/openssh-4.3_p2-r5  USE="ipv6 ldap pam tcpd -X -X509 -chroot -hpn -kerberos -libedit (-selinux) -sftplogging -skey -smartcard -static"

Configure

The goal with SSH and tcpwrappers is to allow anyone within the SFU IP-address range to have access to SSH, and deny everyone else. We'll do this by editing the /etc/hosts.deny file (which won't initially exist, but once created - it will be in effect). Here's an example: 

# /etc/hosts.deny    This file describes the names of the hosts which are
#                    *not* allowed to use the specified services, as decided
#                     by the '/usr/sbin/tcpd' server.

# Authour:  Gordon Pritchard <gordonp@sfu.ca>

# We want SSH only from on-campus machines; deny everyone else
sshd : 142.58. : ALLOW
sshd : ALL : DENY

# End of hosts.deny

Operation

In use, this will prevent people from off-campus from accessing SSH, and their home-directories. Typically, on a file-server for example, this is a Good Thing. For Admins, we will have to hit another on-campus box first, then perform a second hop over the the restricted server.

Retrieved from "https://research.wiki.iat.sfu.ca/research/index.php?title=HOWTO_Setup_tcpwrappers_(tcpd)_for_controlling_access&oldid=3518"