TCP Wrappers and xinetd; TCP Wrappers - Red Hat Enterprise Linux 4.5.0 Reference Manual

Chapter 17.

TCP Wrappers and xinetd

Controlling access to network services is one of the most important security tasks facing a
server administrator. Red Hat Enterprise Linux provides several tools which do just that. For
instance, an iptables-based firewall filters out unwelcome network packets within the kernel's
network stack. For network services that utilize it, TCP wrappers add an additional layer of
protection by defining which hosts are or are not allowed to connect to "wrapped" network
services. One such wrapped network service is the xinetd super server. This service is called a
super server because it controls connections to a subset of network services and further refines
access control.

Figure 17.1, "Access Control to Network Services" is a basic illustration of how these tools work
together to protect network services.

Figure 17.1. Access Control to Network Services

This chapter focuses on the role of TCP wrappers and xinetd in controlling access to network
services and reviews how these tools can be used to enhance both logging and utilization
management. For a discussion of using firewalls with iptables, refer to Chapter 18, iptables.

1. TCP Wrappers

The TCP wrappers package (tcp_wrappers) is installed by default and provides host-based
access control to network services. The most important component within the package is the
/usr/lib/libwrap.a library. In general terms, a TCP wrapped service is one that has been
compiled against the libwrap.a library.

When a connection attempt is made to a TCP wrapped service, the service first references the
hosts access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the
client host is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to
write the name of the requesting host and the requested service to /var/log/messages or
/var/log/secure.

If a client host is allowed to connect, TCP wrappers release control of the connection to the
requested service and do not interfere further with communication between the client host and
the server.

In addition to access control and logging, TCP wrappers can activate commands to interact with
the client before denying or releasing control of the connection to the requested network
service.

Because TCP wrappers are a valuable addition to any server administrator's arsenal of security
tools, most network services within Red Hat Enterprise Linux are linked against the libwrap.a
library. Some such applications include /usr/sbin/sshd, /usr/sbin/sendmail, and
/usr/sbin/xinetd.
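The lookup the preceding paragraphs describe (consult /etc/hosts.allow, then /etc/hosts.deny, and let the connection through if neither file matches) is easy to get wrong when writing rules, so the following added example (not code from the manual or from the tcp_wrappers package) implements that decision in Python over two constructed sample files. The evaluation order and the daemon_list : client_list [: shell_command] line format follow hosts_access(5) and hosts_options(5); the spawn option on the first deny rule, with the %d (daemon) and %c (client) expansions, is the "activate commands" facility mentioned above. The matcher handles only IPv4 client patterns (ALL, an exact address, a trailing-dot prefix such as 192.168., and net/mask) plus the EXCEPT operator; hostname, LOCAL, KNOWN/UNKNOWN/PARANOID patterns and the allow/deny override options of hosts_options(5) are deliberately left out, and the sample rules, addresses and log path are made up for illustration.

```python
import ipaddress

# Constructed sample access files for this example (not from the manual).
# tcp_wrappers consults /etc/hosts.allow first, then /etc/hosts.deny; the first
# matching rule wins, and a request that matches neither file is allowed.
HOSTS_ALLOW = """\
# sshd from the admin network and one jump host; anything from localhost
sshd : 192.168.10.0/255.255.255.0, 10.0.0.5
ALL : 127.0.0.1
"""

HOSTS_DENY = """\
# deny all other services, logging the attempt via a spawned command
ALL EXCEPT sendmail : ALL : spawn /bin/echo "%d from %c" >> /var/log/wrapper-denied
# mail is accepted only from the 192.168. prefix
sendmail : ALL EXCEPT 192.168.
"""


def _split_list(field):
    """Split 'a, b EXCEPT c' into ([a, b], [c])."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Return a list of (daemon_list, client_list, option) tuples from a hosts.* file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # daemon_list : client_list [: shell_command]; only the first two colons
        # are separators, so a spawned command may itself contain colons.
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        option = fields[2] if len(fields) == 3 else None
        rules.append((_split_list(fields[0]), _split_list(fields[1]), option))
    return rules


def _client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns, IPv4 addresses only."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.168." matches any address with that prefix
        return ip.startswith(pattern)
    if "/" in pattern:                   # "net/mask" form, mask in dotted notation
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip                 # exact address


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _list_matches(lst, value, matcher):
    """A list matches when an included pattern matches and no excluded one does."""
    included, excluded = lst
    return (any(matcher(p, value) for p in included)
            and not any(matcher(p, value) for p in excluded))


def decide(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return ('allow' | 'deny', option) following the hosts_access(5) lookup order."""
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients, option in parse_rules(text):
            if (_list_matches(daemons, daemon, _daemon_matches)
                    and _list_matches(clients, client_ip, _client_matches)):
                return verdict, option
    return "allow", None             # no rule in either file matched


if __name__ == "__main__":
    for daemon, ip in (("sshd", "192.168.10.7"), ("sshd", "10.0.0.6"),
                       ("in.telnetd", "127.0.0.1"), ("sendmail", "192.168.5.5"),
                       ("sendmail", "172.16.0.1")):
        verdict, option = decide(daemon, ip)
        print(f"{daemon:<12} {ip:<15} {verdict}" + (f"  [{option}]" if option else ""))
```

The default of "allow" when nothing matches is the point worth checking on a real host: a hosts.deny that forgets a service, or a hosts.allow rule broader than intended, silently admits clients, which is why a catch-all ALL : ALL line in hosts.deny is the usual closing rule. On a system with the package installed, tcpdmatch(8) performs the same lookup against the live files.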
