Tcp wrapper

I installed tcp wrappers version 7.6

and

modified my inetd.conf file from

ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd

to

ftp stream tcp6 nowait root /usr/local/bin/tcpd /usr/sbin/in.ftpd -l

created /etc/hosts.allow file
and
modified it to only allow ftp from mydomain only

but this is denying ftp traffic from everywhere
including mydomain

every time I attempt to ftp, it sends a warning message to syslog

warning: can't verify hostname: gethostbyname failed

I issued tcpdmatch in.ftpd 127.0.0.1 and it reports permit

can you help?

Thanks in Advance

What did you put in hosts.allow? What is your host IP? Are you using DNS? Are you ftping from one system to another or from the same system to itself?

Give an exact example if you don't want to post real IPs and subnets.

Example: if your subnet is 10.140.16.x and server IP is 10.140.16.10 but you don't want to post it

put 1.14.1.x for subnet and 1.14.1.10 as the IP

Post your hosts.allow (or the portion you changed)
Example

in.ftpd: 10.
in.ftpd: 172.16.

in my hosts.allow file

I have

in.ftpd: 191.95.x.x/255.255. 0.0

my host ip is 191.95.x.x

and I am ftping from a pc in my local area network, ip address
191.95.x.x

Change your hosts.allow entry - I set up mine for my local subnet to look like yours (using my numbers) and it failed with service not available right after it worked before the change.

I believe it's the x.x you have in there:
in.ftpd: 191.95.x.x/255.255. 0.0

I changed it (a couple of times) and found this to work:

in.ftpd: 191.95. /255.255. 0.0

in.ftpd: 191.95./255.255. 0.0 will not work - needs that space - I still am looking to see if the /255.255.0.0 is valid (will post back)

Thanks RTM, I tried your suggestions

in.ftpd: 191.95. /255.255. 0.0

but this still does not work.

still getting the same warning in syslog: "warning: can't verify hostname: gethostbyname failed".

nslookup can resolve the IP address.

Do the following to verify DNS - if you don't get anything back on the PTR then DNS is messing you up:

% nslookup
Default Server: which1.mycom.com
Address: 1.14.1.2

> medusa
Server: which1.mycom.com
Address: 1.14.1.2

Name: medusa.mycom.com
Address: 1.14.64.76

> set type=ptr
> 1.14.64.76
Server: which1.mycom.com
Address: 1.14.1.2

76.64.14.1.in-addr.arpa name = medusa.mycom.com
64.14.1.in-addr.arpa nameserver = which1.mycom.com
64.14.1.in-addr.arpa nameserver = which2.mycom.com
which1.mycom.com internet address = 1.14.1.2
which2.mycom.com internet address = 1.14.2.2

My DNS is resolving IP addresses. I carried out your suggestion to test the DNS, and the DNS works fine.

When I disabled tcp wrappers in /etc/inetd.conf
I was able to ftp from anywhere and there was no warning message in syslog,

but with tcp wrappers enabled in /etc/inetd.conf,
that is

ftp stream tcp6 nowait root /usr/local/bin/tcpd /usr/sbin/in.ftpd -l

then ftp from my LAN does not work, hence the error message in syslog.

The only other thing I would suggest is changing the entry in /etc/inetd.conf.

Your original:
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd

Your tcp entry:
ftp stream tcp6 nowait root /usr/local/bin/tcpd /usr/sbin/in.ftpd -l

Put
ftp stream tcp6 nowait root /usr/local/bin/tcpd in.ftpd -l

Then kill -HUP on inetd

Thanks again. I tried your suggestion, but it still does not work.

Hassan2 - what is the OS and version?

My OS is Solaris 8.

Where did you download the tcp wrappers from? Found the following at kempston.net

  1. Download the source code:
    The source of TCP Wrappers is available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/tcp_wrappers/. At the time of writing, the latest version is V7.6 and the source code is provided as a compressed tar archive in the file tcp_wrappers_7.6.tar.gz.

This version is suitable for Solaris 7 and earlier but not for Solaris 8. Solaris 8 contains support for IPv6 and the standard TCP wrappers program is not yet compatible with the IPv6 implementation in Solaris 8. However, Casper Dik, a Network Security Engineer with Sun Microsystems, has modified the standard version 7.6 to make it compatible with Solaris 8 and has kindly made his modified version available at ftp://playground.sun.com/pub/casper in the file tcp_wrappers_7.6-ipv6.tar.gz.

Solaris 8 would require you to use the one with IPv6.

Thanks, I will try this and let you know the outcome.

Another easy workaround is to change the tcp6 & udp6 entries in /etc/inetd.conf to use tcp & udp.

Chances are that you do not have ip6 enabled on your network anyhow, so enabling tcp6 & udp6 on your box is quite unnecessary...

Try this

/etc/hosts.deny
-------------------------
ALL:ALL

/etc/hosts.allow
---------------------------
ALL: 192.168.0.0/255.255.0.0

If that works, then that means it may be the designation for in.ftpd that is setup incorrectly.
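The hosts.allow/hosts.deny rules traded back and forth in this thread (prefix patterns like "191.95.", net/mask patterns like "192.168.0.0/255.255.0.0", and a catch-all ALL: ALL in hosts.deny) can be checked offline with a small model of the matching logic. The following is an added illustration written for this page; it is not code from tcp_wrappers or from anyone in the thread, and the rule texts and client addresses in it are constructed. It models the documented hosts_access(5) behaviour (first match in hosts.allow grants, first match in hosts.deny denies, otherwise grant) for ALL, exact names and addresses, leading-dot hostname suffixes, trailing-dot address prefixes and dotted-quad net/mask pairs; EXCEPT, KNOWN/UNKNOWN/PARANOID, LOCAL and shell commands are left out. A client whose reverse lookup failed (the "can't verify hostname" warning) is passed as hostname None, so name-based patterns cannot match it while address patterns still can.

```python
"""Simplified model of tcp_wrappers hosts_access(5) rule matching.

Added illustration, not tcp_wrappers source and not any poster's file.
Rule texts and addresses below are constructed for the demonstration.
"""
import ipaddress
from typing import List, Optional, Tuple


def parse_rules(text: str) -> List[Tuple[List[str], List[str]]]:
    """Parse 'daemon_list : client_list [: options]' lines; options are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        # tcpd splits list members on whitespace and/or commas
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _dotted_quad(s: str) -> Optional[int]:
    """Integer value of a dotted-quad IPv4 string, or None if it is not one."""
    try:
        return int(ipaddress.IPv4Address(s))
    except ipaddress.AddressValueError:
        return None


def client_matches(pattern: str, addr: str, hostname: Optional[str], diag: List[str]) -> bool:
    """Match one client pattern, in the order tcpd's string_match() tries them.

    hostname is None when the reverse lookup failed: address patterns still
    work, name patterns cannot match.
    """
    if pattern.startswith("."):                     # hostname suffix
        return hostname is not None and hostname.endswith(pattern)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # dotted address prefix
        return addr.startswith(pattern)
    if pattern == addr or (hostname is not None and pattern == hostname):
        return True
    if "/" in pattern:                              # net/mask form
        net_s, _, mask_s = pattern.partition("/")
        net, mask = _dotted_quad(net_s), _dotted_quad(mask_s)
        if net is None or mask is None:
            diag.append(f"bad net/mask expression: {pattern}")
            return False
        a = _dotted_quad(addr)
        return a is not None and (a & mask) == net
    return False


def hosts_access(daemon: str, addr: str, hostname: Optional[str],
                 allow_text: str, deny_text: str,
                 diag: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Return (granted, reason): hosts.allow first, then hosts.deny, else grant."""
    diag = diag if diag is not None else []
    for table, text, verdict in (("hosts.allow", allow_text, True),
                                 ("hosts.deny", deny_text, False)):
        for daemons, clients in parse_rules(text):
            if not any(d in ("ALL", daemon) for d in daemons):
                continue
            if any(client_matches(c, addr, hostname, diag) for c in clients):
                return verdict, f"{table}: {' '.join(daemons)}: {' '.join(clients)}"
    return True, "no rule matched (default grant)"


# Constructed rule texts echoing the thread; 191.95.x.x is the poster's redaction
DENY_ALL = "ALL: ALL\n"
ALLOW_THREAD = "in.ftpd: 191.95.x.x/255.255. 0.0\n"   # as posted: splits into 2 tokens
ALLOW_BAD = "in.ftpd: 191.95.x.x/255.255.0.0\n"       # one token, 'x' is not a quad
ALLOW_PREFIX = "in.ftpd: 191.95. /255.255. 0.0\n"     # first token is a valid prefix
ALLOW_NETMASK = "ALL: 192.168.0.0/255.255.0.0\n"
ALLOW_DOMAIN = "in.ftpd: .mycom.com\n"

if __name__ == "__main__":
    cases = [(ALLOW_THREAD, "191.95.10.20", None), (ALLOW_BAD, "191.95.10.20", None),
             (ALLOW_PREFIX, "191.95.10.20", None), (ALLOW_NETMASK, "192.168.5.7", None),
             (ALLOW_NETMASK, "10.0.0.1", None), (ALLOW_DOMAIN, "1.14.64.76", None),
             (ALLOW_DOMAIN, "1.14.64.76", "medusa.mycom.com")]
    for allow, addr, host in cases:
        d: List[str] = []
        ok, why = hosts_access("in.ftpd", addr, host, allow, DENY_ALL, d)
        print(f"{addr:13} {host or 'unknown':17} -> {'grant' if ok else 'deny':5} ({why}) {d}")
```

In this model the posted line never matches: tcpd splits the client list on whitespace, so "191.95.x.x/255.255." is tried as an address prefix and fails, and "0.0" matches nothing. The variant RTM found to work behaves the same way for a different reason: its first token "191.95." is a valid address prefix, and the leftover tokens are simply never matched. The ".mycom.com" case shows why a failed reverse lookup matters: with hostname None the rule cannot grant, while an address pattern still would. The model does not cover the IPv6-socket incompatibility that turned out to be the actual cause in this thread.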

The solution requires proper configuration in hosts.allow & hosts.deny, but that alone will NOT overcome this problem. I know of only 2 ways to overcome this...

1) Install TCP Wrappers IPv6 (tcp_wrappers_7.6-ipv6.tar.gz)

2) Or change /etc/inetd.conf - by changing all occurrences of the following...

============================================

tcp6 --> tcp (see example below)
------------------------------------------
FROM:
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
TO:
ftp stream tcp nowait root /usr/local/bin/tcpd /usr/sbin/in.ftpd -l

udp6 --> udp (see example below)
------------------------------------------
FROM:
tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
TO:
tftp dgram udp wait root /usr/local/tcpd in.tftpd -s /tftpboot

============================================

Since there is (in most cases) no need for IPv6, I prefer option #2.

Benefiting from IPv6 means that you replace all the company's network equipment with IPv6 compatibles (i.e. since everything that is not IPv6 will not handle it) ... and this can be rather expensive.

The Solaris OE comes with IPv6 capability, but the benefits of having this in Solaris will probably not be seen for a few years to come, as networking equipment gets replaced by either attrition, necessity, or an extra income that the company doesn't know what to do with... :wink:

To keep in line with your inetd.conf format, I should probably change the one example to...

udp6 --> udp (see example below)
------------------------------------------
FROM:
tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
TO:
tftp dgram udp wait root /usr/local/tcpd /usr/sbin/in.tftpd -s /tftpboot
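The tcp6/udp6 to tcp/udp rewrite above, combined with routing each service through tcpd with the server's full path as tcpd's first argument, is a mechanical edit that is easy to get subtly wrong across a whole inetd.conf. The script below is an added illustration for this page, not code from the thread or from the tcp_wrappers package: it parses a constructed inetd.conf excerpt in the Solaris format shown in the thread, flags entries that use an IPv6 socket type (which the stock tcp_wrappers 7.6 build cannot wrap on Solaris 8, per the kempston.net note quoted earlier) or that are not run through tcpd, and prints the suggested replacement line. The wrapper path /usr/local/bin/tcpd is assumed from the thread's own entries.

```python
"""Audit an inetd.conf for unwrapped services and show the IPv6 -> IPv4 rewrite.

Added illustration, not code from the thread or from tcp_wrappers.
The inetd.conf text below is constructed; TCPD is an assumed install path.
"""
from typing import Dict, List, Optional

TCPD = "/usr/local/bin/tcpd"        # assumed wrapper path, as used in the thread
FIELDS = ("service", "socket", "proto", "wait", "user", "server", "args")


def parse_inetd_line(line: str) -> Optional[Dict[str, str]]:
    """Split one inetd.conf entry into its fields; None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split(None, 6)      # server args stay together as one field
    if len(parts) < 6:
        raise ValueError(f"malformed inetd.conf entry: {line!r}")
    parts += [""] * (7 - len(parts))
    return dict(zip(FIELDS, parts))


def is_wrapped(entry: Dict[str, str]) -> bool:
    """True when inetd execs tcpd instead of the real server."""
    return entry["server"].rsplit("/", 1)[-1] == "tcpd"


def rewrite(entry: Dict[str, str], v6_to_v4: bool = True) -> str:
    """Return the entry as a wrapped line: tcpd <full server path> <options>."""
    e = dict(entry)
    if v6_to_v4 and e["proto"] in ("tcp6", "udp6"):
        e["proto"] = e["proto"][:-1]
    if not is_wrapped(e):
        # argv[0] in server_args is the bare program name; replace it with the
        # full path so tcpd execs the right binary, and keep any options
        options = e["args"].split(None, 1)[1:]
        e["args"] = " ".join([e["server"]] + options)
        e["server"] = TCPD
    return " ".join(e[f] for f in FIELDS if e[f])


def audit(conf: str) -> List[Dict[str, object]]:
    """One finding per active entry: detected problems and the suggested line."""
    findings: List[Dict[str, object]] = []
    for line in conf.splitlines():
        entry = parse_inetd_line(line)
        if entry is None:
            continue
        problems = []
        if entry["proto"].endswith("6"):
            problems.append("IPv6 socket: stock tcp_wrappers 7.6 cannot wrap it on "
                            "Solaris 8; use the -ipv6 build or an IPv4 socket")
        if not is_wrapped(entry):
            problems.append("not run through tcpd")
        findings.append({"service": entry["service"], "problems": problems,
                         "suggested": rewrite(entry)})
    return findings


# Constructed excerpt in the Solaris 8 inetd.conf format seen in the thread
SAMPLE_INETD_CONF = """\
# constructed sample, not a real host's file
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/local/bin/tcpd     /usr/sbin/in.telnetd
tftp    dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_INETD_CONF):
        status = "; ".join(f["problems"]) or "ok"
        print(f"{f['service']:8} {status}\n         -> {f['suggested']}")
```

The ftp line comes out as "ftp stream tcp nowait root /usr/local/bin/tcpd /usr/sbin/in.ftpd", matching the shape of the thread's working entry (the -l option the poster added to in.ftpd is not inserted by the script); the already-wrapped telnet line is reported clean and returned unchanged. Passing v6_to_v4=False keeps the tcp6/udp6 socket types for hosts running the IPv6-capable build.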

mslightn:

Don't do that. TCP wrappers, when used through inetd.conf, only work for services using the TCP protocol. By doing the above, you have probably broken his tftp server, which uses the udp protocol.

Please note, udp services can use the tcp libraries and hosts.allow/hosts.deny, however, it cannot be done through inetd.conf like you stated in your example above. It must be coded directly into the service (like UCD-SNMP for example).

There's no need to make an issue of this...

But for hassan2's sake, the following are excerpts from the TCP Wrapper README file:

===========================================

1 - Introduction
----------------

With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.

It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise yourself lucky if you don't know what that means.

...

===========================================

This is also stated in the man pages (`man tcpd`)...

** Most importantly, I have tested this.

hassan2 - this works very well, so don't let anyone daunt your efforts on this. You're on the right track.

Thanks everyone I finally got tcp wrappers working by installing

tcp_wrappers_7.6-ipv6.tar.gz for ipv6

and modifying inetd.conf

Thanks again