TCP Wrapper Configuration

Introduction

TCP Wrapper is a host-based networking ACL system. It allows the system administrator to define lists of IP addresses and/or subnets that are specifically allowed or denied access to programs (such as ssh, vsftpd (Very Secure FTP Daemon), etc.).

Using the TCP Wrapper approach to allow/deny access to ssh can reduce the number of hits on the ssh port very significantly. In general, rogue programs trying to access my ssh server made only two attempts before giving up, whereas previously, when they got through to the ssh server, they would tend to try brute-force password cracking and make many hundreds (or even more) of attempts to find a password for numerous common user account names (such as root, system, admin, oracle, fred, etc.).

The following guidance might be useful when configuring TCP Wrapper on a Linux server.


My TCP Wrapper Configuration

Configuration is done through the /etc/hosts.allow rules file. A fragment of my /etc/hosts.allow rules file follows:

# more /etc/hosts.allow

# Local host and the local subnet may reach every wrapped service.
ALL: localhost 127.0.0.1 : allow
ALL: 192.168.0.0/255.255.255.0 : allow

# sshd: clients matching a pattern in the external list file are allowed;
# the spawn command logs the event and mails it to the admin.
# The "\:" inside the mail subject keeps the colon from ending the spawn option.
sshd: /usr/local/etc/hosts-allow-lists.txt \
    : spawn ( /bin/echo "`/bin/date` access GRANTED [process %d, server %H, address %a, client %h, info %c, username %u]" | \
    tee -a /tmp/log/my-hosts-allow-allow-rule.log | \
    /bin/mail -s "hosts.allow (sshd\:SELECTIVE) GRANTED rule triggered" admin@aaa.bbb.com ) & \
    : allow

# sshd: everyone else is denied, and the attempt is logged and mailed.
sshd: ALL \
    : spawn ( /bin/echo "`/bin/date` access DENIED [process %d, server %H, address %a, client %h, info %c, username %u]" | \
    tee -a /tmp/log/my-hosts-allow-deny-rule.log | \
    /bin/mail -s "hosts.allow (sshd\:ALL-remainder) DENIED rule triggered" admin@aaa.bbb.com ) & \
    : deny

# vsftpd: same list file, without the logging/mail action.
vsftpd: /usr/local/etc/hosts-allow-lists.txt \
    : allow

vsftpd: ALL \
    : deny
...
...

The /usr/local/etc/hosts-allow-lists.txt file contains the list of permitted IPs, subnets, domain patterns, etc., along the following lines:

# more /usr/local/etc/hosts-allow-lists.txt

*.domainname.org \
*.domainname.dyndns.org \
*.domainname.no-ip.org \
aaa.bbb.cc. \
*.bigpond.net.au \
*btconnect.com \
213.123.
...
...

I have configured the TCP Wrapper rules to send an email when a rule is triggered so that I get an idea of the level of attack. The nightly system summary log also summarises the number of attempts made to access protected server daemons (e.g. ssh, vsftpd, etc.).
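
As an added example (not part of the original configuration), the following POSIX shell functions summarise the log files written by the spawn rules above, giving per-address counts of GRANTED and DENIED events in the same spirit as the nightly summary. The sample log lines are constructed to match the echo format of the spawn rules; the addresses are documentation ranges, not real clients.

```shell
#!/bin/sh
# Constructed sample log in the format produced by the spawn rules:
#   <date> access DENIED [process sshd, server ..., address <ip>, client ..., info ..., username ...]
sample_log() {
cat <<'EOF'
Mon Jan  1 10:00:01 UTC 2024 access DENIED [process sshd, server myhost, address 203.0.113.5, client 203.0.113.5, info 203.0.113.5, username unknown]
Mon Jan  1 10:00:03 UTC 2024 access DENIED [process sshd, server myhost, address 203.0.113.5, client 203.0.113.5, info 203.0.113.5, username unknown]
Mon Jan  1 10:05:10 UTC 2024 access DENIED [process sshd, server myhost, address 198.51.100.7, client 198.51.100.7, info 198.51.100.7, username unknown]
Mon Jan  1 11:00:00 UTC 2024 access GRANTED [process sshd, server myhost, address 192.0.2.10, client host.example.net, info host.example.net, username unknown]
EOF
}

# count_by_address VERDICT < log
# Prints "count address" for each client address with the given verdict
# (GRANTED or DENIED), most frequent first.
count_by_address() {
    grep "access $1 \[" |
    sed -n 's/.*address \([^,]*\),.*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# top_denied_address < log
# The single address responsible for the most DENIED events.
top_denied_address() {
    count_by_address DENIED | head -n 1 | awk '{print $2}'
}

# total VERDICT < log
# Total number of events with the given verdict.
total() {
    count_by_address "$1" | awk '{s+=$1} END {print s+0}'
}

# Typical use against the real files written by the rules:
#   total DENIED < /tmp/log/my-hosts-allow-deny-rule.log
#   count_by_address GRANTED < /tmp/log/my-hosts-allow-allow-rule.log
```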

I believe that this layered approach increases security and I am comfortable with the degree of protection it provides. I know that even if a rogue program gets through the TCP Wrapper stage (i.e. it happens to be in a subnet my wrapper rules permit), my ssh configuration requires the use of public/private keys in order to access the server; and I physically protect my keys by keeping them on removable media.


General Links

The following general links are useful references when setting up ssh:

URL
    Summary/Description

http://www.tldp.org/HOWTO/XDMCP-HOWTO/ssh.html
    Comprehensive SSH site

http://www.experts-exchange.com/Security/Linux_Security/Q_21405710.html
    Linux Security

http://martybugs.net/smoothwall/puttyvnc.cgi
    Smoothwall: Tunnelling VNC over SSH with PuTTY (but useful generally)