Wrap a Security Blanket Around Your Computer

TCP_wrappers provide a simple, elegant and effective means to safeguard your network services.

With the Internet growing by leaps and bounds, the security of computer systems has become a major focus of large corporations, small businesses and individuals alike. Hardly a week goes by without a security flaw being discovered in some network. Many companies are reducing the threat by installing firewalls between their internal networks and the Internet, but this option is generally too expensive and cumbersome for single users running Linux from home or office. TCP_wrappers was written by Wietse Venema, Eindhoven University of Technology, The Netherlands. It provides a simple, elegant and effective means to safeguard your network services from being accessed and possibly abused by intruders.

In this article we will discuss what TCP_wrappers are and how they work, and how to configure TCP_wrappers to protect your machine from unauthorized access. We'll also discuss some of the more advanced features of TCP_wrappers which provide detailed logging and can even help track attempts to break into your machine.

What are TCP_wrappers and How Do They Work?

First, we need to know how a transmission control protocol (TCP) connection, such as telnet, is accomplished. TCP network connections are based on the “client/server” model. The telnet program is a client that communicates with a server program, or daemon, called telnetd or in.telnetd, depending on how your machine is set up. Since most Linux distributions use the name in.serviced in the directory /usr/sbin for network daemons, I will use that naming convention for the remainder of this article.

All requests for network services first go through the “Internet daemon”, inetd. (As with all things in life, there are exceptions to this rule, see “What TCP_wrappers Cannot Do” below.) This daemon uses two configuration files to determine how to respond to requests for network connections. The file /etc/services lists the names of particular services and the port numbers for those services. The file /etc/inetd.conf lists the names of the services and the names of the programs or daemons providing the services. Listing 1 and Listing 2 contain some sample lines from the /etc/services and /etc/inetd.conf files.

If I sit down at my.linux-box.com and type the command:

telnet your.machine.com

My telnet client sends a packet of information containing (among other things) the Internet address of the source my.linux-box.com, the Internet address of the destination your.machine.com and the port number for the connection. The port number for telnet is 23. inetd looks up port 23 in /etc/services and finds the service name telnet. It then looks up telnet in /etc/inetd.conf and finds that it needs to run the daemon called in.telnetd, listed in the rightmost column of Listing 2. inetd runs in.telnetd connecting it to port 23 and then goes about the business of listening for more connections. in.telnetd responds to my client, asking for a user name and password and starting up the telnet session.

What if you don't want anyone else to telnet into your computer? You can modify the code for in.telnetd to look at the source address of the connection request and to reject any addresses from outside your local machine or domain. If telnet were the only network service this would be easy, but there are dozens of network services, and it would be a nightmare to modify every daemon to limit access to your machine.

At this point TCP_wrappers comes to the rescue. The wrapper program is a tiny daemon that stands between inetd and network daemons such as in.telnetd and in.ftpd. Since all TCP connections are started up in basically the same fashion, a single wrapper program can be used to control access to almost all TCP network services.

When wrappers are installed, the Internet daemon is reconfigured to run the wrapper instead of the ordinary network daemon. The wrapper checks the source address of the connection and the service it wishes to connect to and decides whether to allow the connection. If your.machine.com denies my request for a telnet session, all I see is a dropped connection. If the request is allowed, everything proceeds normally, and the wrapper never actually interacts with my telnet client. In either case, the wrappers write a note in the system logs to let you know whether I was successful in connecting to your machine.