User guide
TCP Wrappers Configuration Files
53
Because TCP Wrappers are a valuable addition to any server administrator's arsenal of security tools,
most network services within Red Hat Enterprise Linux are linked to the libwrap.a library. Some
such applications include /usr/sbin/sshd, /usr/sbin/sendmail, and /usr/sbin/xinetd.
Note
To determine if a network service binary is linked to libwrap.a, type the following command as
the root user:
ldd <binary-name> | grep libwrap
Replace <binary-name> with the name of the network service binary.
If the command returns straight to the prompt with no output, then the network service is not
linked to libwrap.a.
The following example indicates that /usr/sbin/sshd is linked to libwrap.a:
[root@myServer ~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib/libwrap.so.0 (0x00655000)
[root@myServer ~]#
2.3.1.1. Advantages of TCP Wrappers
TCP Wrappers provide the following advantages over other network service control techniques:
• Transparency to both the client and the wrapped network service — Both the connecting client and
the wrapped network service are unaware that TCP Wrappers are in use. Legitimate users are
logged and connected to the requested service while connections from banned clients fail.
• Centralized management of multiple protocols — TCP Wrappers operate separately from the
network services they protect, allowing many server applications to share a common set of access
control configuration files, making for simpler management.
2.3.2. TCP Wrappers Configuration Files
To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two
files, which are commonly referred to as hosts access files:
• /etc/hosts.allow
• /etc/hosts.deny
When a TCP-wrapped service receives a client request, it performs the following steps:
1. It references /etc/hosts.allow — The TCP-wrapped service sequentially parses the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to the next step.
2. It references /etc/hosts.deny — The TCP-wrapped service sequentially parses the /etc/hosts.deny file. If it finds a matching rule, it denies the connection. If not, it grants access to the service.
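The two-step lookup above can be simulated to check how a given pair of hosts access files will treat a client before the rules go live. The following is an added example, not code from the Red Hat guide or from the tcp_wrappers library: it implements the allow-then-deny evaluation order and a subset of the hosts_access(5) pattern syntax (ALL, LOCAL, EXCEPT, leading-dot domain suffixes, trailing-dot address prefixes, and network/netmask pairs). The sample hosts.allow and hosts.deny contents, daemon names, hostnames and addresses are constructed for the example; the third (options) field of a rule is ignored.

```python
"""Simulated TCP Wrappers decision: consult hosts.allow first, then hosts.deny.

Added example (not Red Hat's or tcp_wrappers' code). Rule files and clients below
are constructed test data.
"""
import ipaddress

# Constructed sample /etc/hosts.allow (first matching rule wins).
SAMPLE_HOSTS_ALLOW = """\
# hosts.allow
sshd   : 192.168.1.0/255.255.255.0, .example.com
vsftpd : LOCAL, .example.com EXCEPT guest.example.com
ALL    : 10.0.0.1
"""

# Constructed sample /etc/hosts.deny (consulted only if hosts.allow did not match).
SAMPLE_HOSTS_DENY = """\
# hosts.deny
sshd : ALL
ALL  : 203.0.113.
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...] from a hosts access file.

    Comments and blank lines are skipped. Lists are tokenised on commas and
    whitespace so that 'ALL EXCEPT host' yields ['ALL', 'EXCEPT', 'host'].
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                      # malformed line: no client list
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def match_client(pattern, host, ip):
    """Match one client pattern against the client's hostname and IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host            # a name without a dot is local
    if "/" in pattern:                    # net/mask form, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network((net, mask), strict=False)
        except ValueError:
            return False
    if pattern.startswith("."):           # .example.com matches any host in that domain
        return host.endswith(pattern)
    if pattern.endswith("."):             # 203.0.113. matches any address with that prefix
        return ip.startswith(pattern)
    return pattern in (host, ip)          # exact hostname or address


def match_list(tokens, matcher):
    """Evaluate a token list; 'A EXCEPT B' matches when A matches and B does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], matcher) and not match_list(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def rule_matches(rule, daemon, host, ip):
    """True if both the daemon list and the client list of the rule match."""
    daemons, clients = rule
    return (match_list(daemons, lambda t: t in ("ALL", daemon))
            and match_list(clients, lambda t: match_client(t, host, ip)))


def hosts_access(daemon, host, ip, allow_text, deny_text):
    """Apply the two-step lookup; returns ('allow'|'deny', reason)."""
    for rule in parse_rules(allow_text):          # step 1: /etc/hosts.allow
        if rule_matches(rule, daemon, host, ip):
            return "allow", "matched hosts.allow"
    for rule in parse_rules(deny_text):           # step 2: /etc/hosts.deny
        if rule_matches(rule, daemon, host, ip):
            return "deny", "matched hosts.deny"
    return "allow", "no rule matched"             # neither file matched: access granted


if __name__ == "__main__":
    for case in [("sshd", "ws1.example.com", "192.168.1.10"),
                 ("sshd", "scanner.example.org", "198.51.100.7"),
                 ("vsftpd", "fileserver", "192.168.1.20"),
                 ("telnetd", "h.example.net", "172.16.0.5")]:
        print(case, "->", hosts_access(*case, SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY))
```

The last case shows the point that matters operationally: a daemon named in neither file is granted access, so a deny-by-default policy needs an explicit catch-all rule in hosts.deny.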
The following are important points to consider when using TCP Wrappers to protect network services: