tcpwrappers-7.6

Introduction to tcpwrappers

Download location (HTTP):       http://files.ichilton.co.uk/nfs/tcp_wrappers_7.6.tar.gz
Download location (FTP):       
Version used:                   7.6
Package size:                   100 KB
Estimated Disk space required:  720 KB
Estimated build time:           0.16 SBU

Required patch:
Download location (HTTP):        http://files.ichilton.co.uk/nfs/tcp_wrappers_7.6.diff.gz

The tcpwrappers package provides daemon wrapper programs that report the name of the client requesting network services and the requested service.

Installation of tcpwrappers

Install tcpwrappers with the following commands:

patch -Np1 -i ../tcp_wrappers_7.6.diff &&
make REAL_DAEMON_DIR=/usr/sbin linux &&
cp libwrap.a /usr/lib &&
cp tcpd.h /usr/include &&
cp safe_finger /usr/sbin &&
cp tcpd /usr/sbin &&
cp tcpdchk /usr/sbin &&
cp tcpdmatch /usr/sbin &&
cp try-from /usr/sbin &&
cp -av *.3 /usr/share/man/man3 &&
cp -av *.5 /usr/share/man/man5 &&
cp -av *.8 /usr/share/man/man8

Command explanations

patch -Np1 -i ../tcp_wrappers_7.6.diff : This patch changes the default path and logging facility of the original tcpwrappers program.

Configuring tcpwrappers

Config files

/etc/hosts.allow, /etc/hosts.deny

File protections: the wrapper, all files used by the wrapper, and all directories in the path leading to those files, should be accessible but not writable for unprivileged users (mode 755 or mode 555). Do not install the wrapper set-uid.

Then perform the following edits on the /etc/inetd.conf configuration file:
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
becomes:
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd

Note: The finger server is used as an example here.

Similar changes must be made if xinetd is used, with the emphasis being on calling /usr/sbin/tcpd instead of calling the service daemon directly, and passing the name of the service daemon to tcpd.
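
The file protections rule above (no write access for unprivileged users on the wrapper, its files, or any directory leading to them, and no set-uid wrapper) can be checked mechanically. The script below is an added example, not part of the original instructions or of the tcpwrappers package; its function names and the optional TOP argument are illustrative, and it inspects mode bits only, not ownership.

```shell
#!/bin/sh
# Added example: audit the file protections required for tcpd and its files.
# Function names and the TOP argument are illustrative, not part of tcpwrappers.

# Print the 10-character permission string (symlinks followed), e.g. -rwxr-xr-x
mode_of() { ls -ldL "$1" 2>/dev/null | cut -c1-10; }

# Succeed if PATH is missing, group- or world-writable, or a set-uid file.
unsafe_mode() {
    [ -e "$1" ] || return 0                   # fail closed on a missing path
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;    # group or other write bit
        -??[sS]??????)         return 0 ;;    # set-uid regular file
    esac
    return 1
}

# audit_path FILE [TOP]: check FILE (absolute path) and each directory above
# it, up to TOP (default /). Returns 1 if any component is unsafe.
audit_path() {
    p=$1 top=${2:-/} bad=0
    while :; do
        if unsafe_mode "$p"; then
            echo "UNSAFE: $(mode_of "$p") $p"
            bad=1
        fi
        case "$p" in "$top"|/|.) break ;; esac
        p=$(dirname "$p")
    done
    return "$bad"
}

# Audit the wrapper and the control files named on this page.
audit_tcpwrappers() {
    rc=0
    for f in /usr/sbin/tcpd /etc/hosts.allow /etc/hosts.deny; do
        [ -e "$f" ] || { echo "absent, skipped: $f"; continue; }
        audit_path "$f" || rc=1
    done
    return "$rc"
}

# Run the audit only when invoked as: sh script.sh --run
[ "${1:-}" != --run ] || audit_tcpwrappers
```

Any line starting with UNSAFE names a file or directory whose mode should be tightened to 755 or 555 (or have its set-uid bit removed) before tcpd is put into service.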

Contents

The tcpwrappers package contains tcpd, tcpdchk, tcpdmatch, try-from and safe_finger.

Description

tcpd

tcpd is the main access control daemon for all internet services, which inetd or xinetd will run instead of running the requested service daemon.

tcpdchk

tcpdchk is a tool to examine a tcpd wrapper configuration and report problems with it.

tcpdmatch

tcpdmatch is used to predict how the tcp wrapper would handle a specific request for a service.

try-from

try-from can be called via a remote shell command to find out if the host name and address are properly recognized.

safe_finger

safe_finger is a wrapper for the finger utility, to provide automatic reverse name lookups.