Simple setup instructions for TCP Wrappers for FreeBSD.

1. Add the TCP Wrappers port from /usr/ports/security/tcp_wrappers, or add it as a package from /stand/sysinstall.

2. Set up banners.

Banners contain the message displayed, if any, when tcpd is called for a particular service. Create the banners directory if necessary, and create the banner files as shown below.

% cd /usr/local/etc/banners
% ls
fingerd ftpd    telnetd
% cat fingerd
This finger request has been logged.

Set up your banners appropriately. If you don’t want a banner message, you can simply omit the corresponding file.

3. Edit /usr/local/etc/hosts.allow for your specific needs. Here is an example hosts.allow file:

telnetd: ALL : banners /usr/local/etc/banners/
fingerd: ALL : banners /usr/local/etc/banners/
ftpd: ALL : banners /usr/local/etc/banners/
# catch-all goes last: tcpd stops at the first rule that matches
ALL: ALL : spawn (echo "Access from %h using %d." | sendmail root) : DENY

This setup allows and logs telnet, finger and ftp connections from any host, and denies every other service started from inetd.conf, mailing root a note about each refused attempt. For more information type: man 5 hosts_access.

Note that I use hosts.deny for my daemon/banner entries, and I reserve my hosts.allow file, which is checked by TCPD before hosts.deny, for any specifically denied hosts. By doing this, you can have additional security programs drop newly denied host entries into hosts.allow. It seems backward to have hosts.allow deny connections while hosts.deny allows connections, but it works well. For more info, use:

man 5 hosts_access
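As an added illustration (not part of the original guide and not tcpd's own code), the following toy Python model applies the hosts_access(5) first-match rule to the entries above, so you can see why the catch-all DENY line has to come last. The host names, the reversed "bad" file and the rshd daemon used in the checks are constructed for the demonstration.

```python
"""Toy model of the hosts_access(5) first-match rule (added example, not tcpd)."""

# Constructed sample: the guide's rules with the catch-all placed LAST.
HOSTS_ALLOW_OK = """\
telnetd: ALL : banners /usr/local/etc/banners/
fingerd: ALL : banners /usr/local/etc/banners/
ftpd: ALL : banners /usr/local/etc/banners/
ALL: ALL : spawn (echo "Access from %h using %d." | sendmail root) : DENY
"""

# Same rules with the catch-all FIRST: tcpd stops at the first match, so nothing gets in.
HOSTS_ALLOW_BAD = "\n".join(reversed(HOSTS_ALLOW_OK.splitlines())) + "\n"

def parse_rules(text):
    """Return [(daemons, clients, options)] from hosts.allow-style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients, fields[2:]))
    return rules

def client_matches(pattern, host):
    """Subset of hosts_access patterns: ALL, exact host, .domain suffix, net. prefix."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    if pattern.endswith("."):
        return host.startswith(pattern)
    return pattern == host

def decide(text, daemon, host, deny_file=False):
    """First matching rule decides; returns (verdict, options) or (None, []) if none matches."""
    for daemons, clients, options in parse_rules(text):
        if ("ALL" in daemons or daemon in daemons) and any(client_matches(p, host) for p in clients):
            if "DENY" in options:
                return "DENY", options
            if "ALLOW" in options or not deny_file:
                return "ALLOW", options            # a plain match in hosts.allow grants
            return "DENY", options                 # a plain match in hosts.deny refuses
    return None, []      # file is silent; real tcpd then consults hosts.deny, else allows
```

On a real system, the tcpdchk and tcpdmatch programs that ship with tcp_wrappers perform this check against your actual hosts.allow, hosts.deny and inetd.conf.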

4. Edit your /etc/syslog.conf file so tcpd can log properly.

Here are the first few lines of a typical distribution /etc/syslog.conf:

# more /etc/syslog.conf
*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;kern.debug;;mail.crit;news.err /var/log/messages                                       /var/log/maillog

Here are the first few lines of my edited /etc/syslog.conf:

# more /etc/syslog.conf
*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;kern.debug;;mail.crit;news.err; /var/log/messages                                       /var/log/maillog

Notice the only change is the added line for logging to /var/log/messages.

5. Edit /etc/inetd.conf to point your services to tcpd.

Here is an example with the distribution lines commented out and the modified tcpd lines inserted.

#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l -a
ftp     stream  tcp     nowait  root    /usr/local/libexec/tcpd       ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp     nowait  root    /usr/local/libexec/tcpd       telnetd
#finger stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
finger  stream  tcp     nowait  nobody  /usr/local/libexec/tcpd       fingerd -s

Make the appropriate changes. Be sure to verify where your tcpd actually lives: the example above uses /usr/local/libexec, but some versions put it into /usr/libexec. Adjust the paths in inetd.conf to match.

Consider disabling rsh, rlogin and so on. Use _only_ those services which you absolutely need.

6. Restart your syslogd and inetd daemons with a kill -1 (SIGHUP) so they re-read their configuration files.
