
Project Notes

TCP Wrappers

The basics of TCP wrappers.

Notes

TCP Wrappers is a host-based ACL system for network services that provides basic traffic filtering. It is implemented as a library, libwrap, which a service must link against in order to use it.

As such, it is mainly useful for real-time response to abuse or suspicious activity against well-known services. A more complete solution on a host is a software firewall like iptables or nftables.

These days, most hosts are hidden behind a hardware firewall or load balancer endpoints, so the amount of direct traffic they would receive from the unfiltered Internet may be minimal.

Basic Usage

Checking if a service is using TCP wrappers:

$ ldd $(which sshd) | grep libwrap
  libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f1fea580000)

Rules are defined in

  • /etc/hosts.allow
  • /etc/hosts.deny

e.g.

$ cat /etc/hosts.deny
sshd: 222.186.*

Who was that trying to brute force a root login?

$ whois 222.186.31.166
...
inetnum:        222.184.0.0 - 222.191.255.255
netname:        CHINANET-JS
descr:          CHINANET jiangsu province network
descr:          China Telecom
descr:          A12,Xin-Jie-Kou-Wai Street
descr:          Beijing 100088
country:        CN
admin-c:        CH93-AP
tech-c:         CJ186-AP
mnt-by:         APNIC-HM
mnt-lower:      MAINT-CHINANET-JS
mnt-routes:     MAINT-CHINANET-JS
mnt-irt:        IRT-CHINANET-CN
remarks:        --------------------------------------------------------
remarks:        To report network abuse, please contact mnt-irt
remarks:        For troubleshooting, please contact tech-c and admin-c
remarks:        Report invalid contact via www.apnic.net/invalidcontact
remarks:        --------------------------------------------------------
status:         ALLOCATED PORTABLE
last-modified:  2020-02-04T05:38:43Z
...
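
To make the rule evaluation concrete, here is an added example (not from the original notes or the tcp_wrappers source) that models a subset of hosts_access(5): hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed. Function names are hypothetical, the hosts.allow content is constructed, and hostname patterns, EXCEPT, IPv6 and option fields are not modelled.

```python
import ipaddress
from fnmatch import fnmatchcase

PAGE_DENY = "sshd: 222.186.*\n"   # the hosts.deny rule shown on this page

def client_matches(pattern, addr):
    """Match one client pattern against a numeric IPv4 address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                    # net/mask, e.g. 222.184.0.0/255.248.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):             # address prefix, e.g. "222.186."
        return addr.startswith(pattern)
    if "*" in pattern or "?" in pattern:  # wildcard form, as in the page's rule
        return fnmatchcase(addr, pattern)
    return addr == pattern

def parse_rules(text):
    """Yield (daemon_list, client_list) for each 'daemons : clients' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        yield daemons.replace(",", " ").split(), clients.replace(",", " ").split()

def rule_hit(rules_text, daemon, addr):
    """True if any rule names this daemon (or ALL) and matches the client."""
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in parse_rules(rules_text)
    )

def is_allowed(allow_text, deny_text, daemon, addr):
    """hosts.allow is checked first, then hosts.deny; no match means allow."""
    if rule_hit(allow_text, daemon, addr):
        return True
    return not rule_hit(deny_text, daemon, addr)

if __name__ == "__main__":
    # Constructed hosts.allow that carves one /24 out of the denied range.
    allow = "sshd: 222.186.31.0/255.255.255.0\n"
    print(is_allowed("", PAGE_DENY, "sshd", "222.186.31.166"))     # denied by the page's rule
    print(is_allowed("", PAGE_DENY, "vsftpd", "222.186.31.166"))   # rule only names sshd
    print(is_allowed(allow, PAGE_DENY, "sshd", "222.186.31.166"))  # allow overrides deny
```

The last case is the one to watch when auditing a host: a broad entry in hosts.allow silently overrides a matching hosts.deny rule.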

Peeking at the source

wget https://ftp.osuosl.org/pub/blfs/conglomeration/tcp_wrappers/tcp_wrappers_7.6.tar.gz
tar zxvf tcp_wrappers_7.6.tar.gz
rm tcp_wrappers_7.6.tar.gz

From a quick read:

  • tcpd is the main wrapper daemon
  • inetd is “tricked” into running tcpd instead of the intended service (like sshd)
  • tcpd accepts requests, filters and logs as appropriate, then passes the connection off to the intended service daemon

Credits and References

About LCK#153 linux

This page is a web-friendly rendering of my project notes shared in the LittleCodingKata GitHub repository.
