- Get the source
Please check the signatures for the file to make sure that it is a legit copy of the tcp wrappers tar file.
Edit the Makefile:
Change
FACILITY= LOG_MAIL
to
FACILITY= LOG_LOCAL2
so that the tcp_wrapper logs are kept separate from our maillog.
compile:
make REAL_DAEMON_DIR=/usr/sbin sunos5
make REAL_DAEMON_DIR=/usr/sbin osf
make REAL_DAEMON_DIR=/usr/sbin linux
make REAL_DAEMON_DIR=/usr/etc next
make REAL_DAEMON_DIR=/usr/etc irix6
cp the tcpd, tcpdchk, safe_finger, tcpdmatch and try-from binaries to
/usr/sbin (or on the NeXT and SGI to /usr/etc)
cp the man files to /usr/local/man3, man5, and man8
cp the library libwrap.a to /usr/local/lib
cp the header file tcpd.h to /usr/local/include
Edit /etc/syslog.conf and add the line:
local2.debug	/var/adm/syslog.dated/wrapper.log
or
local2.debug	/var/log/wrapper.log
on the loghost machine. On the machines that are sending syslog messages
to the loghost the line looks like:
local2.debug	ifdef(`LOGHOST', /var/log/wrapper.log, @loghost)
Remember that there are no spaces allowed in the syslog file; tabs are the only separators between fields!
send a HUP to syslogd
On machines without syslog.dated make sure that the logs get rotated. On Solaris 2.6 you will probably want to look at /usr/lib/newsyslog, copy that script to /usr/local/adm and modify it. While you are doing this, change the chmod 644 entries to chmod 600 so that the wrapper log is readable by root only. Then add an entry to the root crontab. On RedHat Linux, add an entry in /etc/logrotate.d/ instead.
Here is an example /usr/local/adm/newsyslog:
#! /bin/sh
#
# Copyright(c) 1997, by Sun Microsystems, Inc.
# All rights reserved.
#
#ident @Z%newsyslog 1.3 97/03/31 SMI
#
# Modified on 11/29 1998 by Dan Roscigno (ddr@phys.ufl.edu) to
# rotate the wrapper.log file from tcp wrappers and syslog
# notice the "chmod 600" relating to the wrapper.log file,
# also the "kill -HUP" at the end of the script. Here are the related
# entries from root's crontab on the loghost machine:
# #
# # use a locally modified version of newsyslog,
# # /usr/local/adm/newsyslog
# #10 3 * * 0 /usr/lib/newsyslog
# 10 3 * * 0 /usr/local/adm/newsyslog
#
LOG=wrapper.log
cd /var/log
test -f $LOG.2 && mv $LOG.2 $LOG.3
test -f $LOG.1 && mv $LOG.1 $LOG.2
test -f $LOG.0 && mv $LOG.0 $LOG.1
mv $LOG $LOG.0
cp /dev/null $LOG
chmod 600 $LOG
#
LOG=messages
cd /var/adm
test -f $LOG.2 && mv $LOG.2 $LOG.3
test -f $LOG.1 && mv $LOG.1 $LOG.2
test -f $LOG.0 && mv $LOG.0 $LOG.1
mv $LOG $LOG.0
cp /dev/null $LOG
chmod 644 $LOG
#
LOGDIR=/var/log
LOG=syslog
if test -d $LOGDIR
then
    cd $LOGDIR
    if test -s $LOG
    then
        test -f $LOG.6 && mv $LOG.6 $LOG.7
        test -f $LOG.5 && mv $LOG.5 $LOG.6
        test -f $LOG.4 && mv $LOG.4 $LOG.5
        test -f $LOG.3 && mv $LOG.3 $LOG.4
        test -f $LOG.2 && mv $LOG.2 $LOG.3
        test -f $LOG.1 && mv $LOG.1 $LOG.2
        test -f $LOG.0 && mv $LOG.0 $LOG.1
        mv $LOG $LOG.0
        cp /dev/null $LOG
        chmod 644 $LOG
        sleep 40
    fi
fi
#
kill -HUP `cat /etc/syslog.pid`
Edit the /etc/inetd.conf file. First change the entry for finger from
finger stream tcp nowait root /usr/sbin/fingerd fingerd
to
finger stream tcp nowait root /usr/sbin/tcpd fingerd
send a HUP to inetd.
finger the machine from another host and check the log file.
If the logs from above look good then you can start replacing other
services in inetd.conf with tcpd. Make sure that services which are not being used get commented out. Here is an example inetd.conf file:
# 18 Nov 1998 edited to wrap some processes with tcp wrappers, and to
# remove other processes by commenting them out.
#
# Make sure to have restrictive /etc/hosts.deny and /etc/hosts.allow
# to protect from machines that try to telnet in and have no business here.
# here is an example:
# # /etc/hosts.deny
# # By default no one gets access to any of the tcp-wrapper
# # wrapped services in /etc/inetd.conf. Services
# # which are given access to are specified in /etc/hosts.allow
# ALL: ALL
#
#
# # /etc/hosts.allow
# # By default no one gets access to any of the tcp-wrapper
# # wrapped services in /etc/inetd.conf. Services
# # which are given access to are specified in /etc/hosts.allow
# #
# # This line specifies that anyone on a machine that
# # does not provide a domainname (i.e. the local machine would
# # be localhost with no domainname after) and machines which
# # are part of the DNS domain phys.ufl.edu (note the leading dot)
# # are allowed services. If the /etc/hosts.deny file specifies
# # ALL: ALL then all services are denied to all users at all machines
# # by default, and users and machines must be specified in this file.
# ALL: LOCAL, .phys.ufl.edu
#
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -t20
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
shell stream tcp nowait root /usr/sbin/tcpd in.rshd
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
talk dgram udp wait root /usr/sbin/tcpd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
#uucp stream tcp nowait root /usr/sbin/tcpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
#
#tftp dgram udp wait root /usr/sbin/tcpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
#systat stream tcp nowait root /usr/bin/ps ps -ef
#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
time stream tcp nowait root internal
time dgram udp wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
#
#
# Solstice system and network administration class agent server
# Commented out, also added the " -S 2 " in case we ever use it in the
# future. See the manpage for descriptions of the security levels
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
#
# Rquotad supports UFS disk quotas for NFS clients
#
#rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
#
# The rusers service gives out user information. Sites concerned
# with security may choose to disable it.
#
#rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
#
# The spray server is used primarily for testing.
#
#sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
#
# The rwall server allows others to post messages to users on this machine.
#
#walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
#
# Rstatd is used by programs such as perfmeter.
# We don't allow perfmeter to be run.
#rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
#
# The rexd server provides only minimal authentication and is often not run
#
#rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
#
# rpc.cmsd is a data base daemon which manages calendar data backed
# by files in /var/spool/calendar
#
#
# Sun ToolTalk Database Server
#
#
# UFS-aware service daemon
#
#ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd -p
#
# Sun KCMS Profile Server
#
100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
#
# Sun Font Server
#
#fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
#
# CacheFS Daemon
#
100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
#
# Kerbd Daemon
#
#kerbd/4 tli rpc/ticlts wait root /usr/sbin/kerbd kerbd
#
# Print Protocol Adaptor - BSD listener
#
printer stream tcp nowait root /usr/lib/print/tcpd in.lpd
# dtspcd is the desktop sub process control daemon, controls interprocess
# communication between CDE apps.
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
#xaudio stream tcp wait root /usr/openwin/bin/Xaserver Xaserver -noauth -inetd
#
# tooltalk daemons, keep up to date on patches!
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd /usr/dt/bin/rpc.ttdbserverd
send a HUP to inetd.
After the logs are getting written you can start restricting the hosts which can use your services. This is done through two files, /etc/hosts.allow and /etc/hosts.deny. There are examples of both of these in the example inetd.conf above. Note the order tcpd uses: hosts.allow is consulted first and a match grants access, hosts.deny is consulted second and a match refuses it, and a request matching neither file is granted; that is why the "ALL: ALL" line in hosts.deny matters.
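To see how the two example files above interact, here is an added model of the hosts_access(5) decision order (written for these notes, not taken from the tcp_wrappers sources); the ALL, LOCAL, leading-dot and trailing-dot patterns are implemented, EXCEPT and the shell-command field are not, and the two file contents are constructed copies of the examples in the inetd.conf comments.

```python
# Added example: model of the order in which tcpd consults hosts.allow and
# hosts.deny. Not the tcp_wrappers implementation; EXCEPT and the optional
# shell-command field are deliberately not modelled.
import re

# Constructed copies of the two example files shown in the inetd.conf comments.
HOSTS_ALLOW = "# /etc/hosts.allow\nALL: LOCAL, .phys.ufl.edu\n"
HOSTS_DENY = "# /etc/hosts.deny\nALL: ALL\n"

def _token_matches(pattern, value):
    """Match one hosts_access pattern against a daemon name or client host/address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # any name without a dot, e.g. localhost
        return "." not in value
    if pattern.startswith("."):       # domain suffix, e.g. .phys.ufl.edu
        return value.endswith(pattern)
    if pattern.endswith("."):         # network prefix, e.g. 128.227.
        return value.startswith(pattern)
    return pattern == value

def _list_matches(field, value):
    """A daemon_list or client_list is comma and/or blank separated."""
    return any(_token_matches(p, value) for p in re.split(r"[,\s]+", field.strip()) if p)

def _rules(text):
    """Yield (daemon_list, client_list) for every non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            yield fields[0], fields[1]

def hosts_access(allow, deny, daemon, client):
    """True when tcpd would grant the request: hosts.allow first (match grants),
    then hosts.deny (match refuses), and a request matching neither is granted.
    An empty hosts.deny is therefore default-allow."""
    if any(_list_matches(d, daemon) and _list_matches(c, client) for d, c in _rules(allow)):
        return True
    if any(_list_matches(d, daemon) and _list_matches(c, client) for d, c in _rules(deny)):
        return False
    return True

if __name__ == "__main__":
    for host in ("localhost", "gauss.phys.ufl.edu", "outside.example.net"):
        verdict = "granted" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, "in.telnetd", host) else "refused"
        print("in.telnetd from %s: %s" % (host, verdict))
    # The same outside host with an empty hosts.deny shows the default-allow behaviour.
    print("empty hosts.deny:", hosts_access(HOSTS_ALLOW, "", "in.telnetd", "outside.example.net"))
```

On the real machine, use the tcpdmatch binary copied to /usr/sbin above to check what tcpd would do with the installed files, and tcpdchk to report syntax problems in them.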