HOWTO Setup tcpwrappers (tcpd) for controlling access: Difference between revisions
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Purpose == | == Purpose == | ||
TCPWrappers can effectively control access to | TCPWrappers can effectively control access to services which have tcpwrapper support compiled in. The controlling daemon is '''tcpd''', which is automatically pulled in whenever the '''tcpd''' USE flag in enabled (Gentoo Linux). | ||
== Setup == | == Setup == | ||
In this example, we'll use the SSH (Secure Shell) daemon, because it's one of the first services we want to have secured.<br> | |||
First, verify that SSH has tcpwrapper support (tcpd flag indicates it does, in this example): | First, verify that SSH has tcpwrapper support (tcpd flag indicates it does, in this example): | ||
<font color=red>hostname</font> <font color=blue>~ #</font> '''emerge -pv net-misc/openssh''' | <font color=red>hostname</font> <font color=blue>~ #</font> '''emerge -pv net-misc/openssh''' | ||
[ebuild <font color=yellow>R</font> ] <font color=green>net-misc/openssh-4.3_p2-r5</font> USE="<font color=red>ipv6 ldap pam tcpd</font><font color=blue> -X -X509 -chroot -hpn -kerberos -libedit (-selinux) -sftplogging -skey -smartcard -static</font>" | [ebuild <font color=yellow>R</font> ] <font color=green>net-misc/openssh-4.3_p2-r5</font> USE="<font color=red>ipv6 ldap pam '''tcpd'''</font><font color=blue> -X -X509 -chroot -hpn -kerberos -libedit (-selinux) -sftplogging -skey -smartcard -static</font>" | ||
== Configure == | == Configure == | ||
Line 21: | Line 22: | ||
# We want SSH only from on-campus machines; deny everyone else | # We want SSH only from on-campus machines; deny everyone else | ||
sshd : 142.58. : ALLOW | sshd : 142.58. : ALLOW | ||
sshd : 209.87.56. : ALLOW | |||
sshd : ALL : DENY | sshd : ALL : DENY | ||
Line 27: | Line 29: | ||
== Operation == | == Operation == | ||
In use, this will prevent | In use, this will prevent off-campus folks from using SSH, and accessing their home-directories. Typically, on a file-server for example, this is a Good Thing(tm). For Admins, we will have to hit another on-campus box first, then perform a second hop over the the restricted server. |
Latest revision as of 22:30, 26 October 2006
Purpose
TCPWrappers can effectively control access to services which have tcpwrapper support compiled in. The controlling daemon is tcpd, which is automatically pulled in whenever the tcpd USE flag in enabled (Gentoo Linux).
Setup
In this example, we'll use the SSH (Secure Shell) daemon, because it's one of the first services we want to have secured.
First, verify that SSH has tcpwrapper support (tcpd flag indicates it does, in this example):
hostname ~ # emerge -pv net-misc/openssh [ebuild R ] net-misc/openssh-4.3_p2-r5 USE="ipv6 ldap pam tcpd -X -X509 -chroot -hpn -kerberos -libedit (-selinux) -sftplogging -skey -smartcard -static"
Configure
The goal with SSH and tcpwrappers is to allow anyone within the SFU IP-address range to have access to SSH, and deny everyone else. We'll do this by editing the /etc/hosts.deny file (which won't initially exist, but once created - it will be in effect. There is no need to re-start the sshd daemon, because hosts.deny is consulted on each connect-attempt, and is therefore immediately in-effect after saving). Here's an example:
# /etc/hosts.deny This file describes the names of the hosts which are # *not* allowed to use the specified services, as decided # by the '/usr/sbin/tcpd' server. # Authour: Gordon Pritchard <gordonp@sfu.ca> # We want SSH only from on-campus machines; deny everyone else sshd : 142.58. : ALLOW sshd : 209.87.56. : ALLOW sshd : ALL : DENY # End of hosts.deny
Operation
In use, this will prevent off-campus folks from using SSH, and accessing their home-directories. Typically, on a file-server for example, this is a Good Thing(tm). For Admins, we will have to hit another on-campus box first, then perform a second hop over the the restricted server.