Simple setup instructions for TCP Wrappers for FreeBSD.
1. Add the TCP Wrappers port from /usr/ports/security/tcp_wrappers, or add it as a package from /stand/sysinstall.
2. Set up banners.
Banners contain the message displayed, if any, when tcpd is called for a particular service. Create the banners directory if necessary, and create the banner files as shown below.
% cd /usr/local/etc/banners
% ls
fingerd  ftpd  telnetd
% cat fingerd
This finger request has been logged.
%
Set up your banners appropriately. If you don’t want a banner message, you can simply omit the corresponding file.
3. Edit /usr/local/etc/hosts.allow for your specific needs. Here is an example hosts.allow file:
ALL: .umn.edu: spawn (echo "Access from %h using %d." | sendmail root): DENY
telnetd: ALL : banners /usr/local/etc/banners/
fingerd: ALL : banners /usr/local/etc/banners/
ftpd: ALL : banners /usr/local/etc/banners/
Rules are matched in order and the first match wins. This setup denies (and mails root about) any connection from a host under .umn.edu, allows and logs telnet, finger and ftp connections from everyone else, and leaves every other service started from inetd.conf to hosts.deny. Note that tcpd's default, when neither file matches, is to allow the connection, so this only denies the other services if hosts.deny contains an ALL: ALL line. For more information type: man 5 hosts_access.
Note that on my own system I reverse this layout: I keep my daemon/banner entries in hosts.deny (each ending in the ALLOW option), and I reserve hosts.allow, which tcpd checks before hosts.deny, for specifically denied hosts (each ending in the DENY option, as in the .umn.edu line above). By doing this, you can have additional security programs drop newly denied host entries into hosts.allow without having to keep them ahead of the permit rules. It seems backward to have hosts.allow deny connections while hosts.deny allows connections, but it works well. The ALLOW and DENY options are described in hosts_options(5). For more info, use:
man 5 hosts_access
4. Edit your /etc/syslog.conf file so tcpd can log properly.
Here are the first few lines of a typical distribution /etc/syslog.conf:
# more /etc/syslog.conf
*.err;kern.debug;auth.notice;mail.crit              /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err     /var/log/messages
mail.info                                           /var/log/maillog
Here are the first few lines of my edited /etc/syslog.conf:
# more /etc/syslog.conf
*.err;kern.debug;auth.notice;mail.crit                        /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err;auth.info     /var/log/messages
mail.info                                                     /var/log/maillog
Notice the only change is that auth.info has been added to the selector list on the /var/log/messages line. tcpd logs refused connections at warning severity and allowed ones at info, so without auth.info the stock *.notice selector would record the refusals but silently drop the record of every connection that was allowed.
5. Edit /etc/inetd.conf to point your services to tcpd.
Here is an example with the distribution lines commented out and the modified tcpd lines inserted.
#ftp     stream  tcp  nowait  root    /usr/libexec/ftpd         ftpd -l -a
ftp      stream  tcp  nowait  root    /usr/local/libexec/tcpd   ftpd -l -a
#telnet  stream  tcp  nowait  root    /usr/libexec/telnetd      telnetd
telnet   stream  tcp  nowait  root    /usr/local/libexec/tcpd   telnetd
#finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd      fingerd -s
finger   stream  tcp  nowait  nobody  /usr/local/libexec/tcpd   fingerd -s
Make the appropriate changes. Be sure to verify where your tcpd was actually installed before editing: the example above assumes /usr/local/libexec/tcpd, but some versions put it into /usr/libexec. If the path is wrong, inetd will fail to start the service at all, which you will only notice when the next connection attempt is refused. The last field keeps the real daemon's name and arguments, since tcpd uses the daemon name to match the daemon_list in hosts.allow and hosts.deny.
Consider disabling rsh, rlogin and the other r-services by commenting them out of inetd.conf entirely. Use _only_ those services which you absolutely need; a service that is not started cannot be reached whatever the wrapper rules say.
6. Restart your syslogd and inetd daemons with a kill -1 (SIGHUP), which makes each of them re-read its configuration file. Then make a test connection to one of the wrapped services and confirm that a tcpd line for it appears in /var/log/messages; if nothing is logged, recheck the tcpd path in inetd.conf and the auth.info selector in syslog.conf.