Controlling access to network services can be a challenge. Firewalls are
useful for controlling access in and out of a particular network, but they
can be difficult to configure. TCP wrappers and xinetd
control access to services by hostname and IP addresses. In addition,
these tools also include logging and utilization management capabilities
that are easy to configure.
Many modern network services, such as SSH, Telnet, and FTP, make use of
TCP wrappers, a program that is designed to stand
between an incoming request and the requested service. TCP wrappers is
installed by default with a server-class installation of Red Hat Linux,
providing many advantages over running a variety of different services,
each with their own access control methods.
The idea behind TCP wrappers is that client requests to server
applications are "wrapped" by an authenticating service, allowing a
greater degree of access control and logging of who is attempting to use
the service, rather than the usual method of direct client connections
to a service.
The functionality behind TCP wrappers is provided by
libwrap.a, a library that network services, such as
xinetd, sshd, and
portmap, are compiled against. Additional network
services, even networking programs you may write, can be compiled
against libwrap.a to provide this
functionality. Red Hat Linux bundles the necessary TCP wrapper programs and
library in the
tcp_wrappers-<version>
RPM file.
When a user attempts to gain client access to a network service that
is using TCP wrappers, a small wrapper program reports the name of the
service requested and the client's host information. The wrapper
program does not directly send any information back to the client, and
after the access control directives are satisfied, the wrapper is
unloaded and frees any resources associated with it. The client and
the server can then resume actions without further wrapper
intervention.
TCP wrappers provide two basic advantages over other network service
control techniques:
The connecting client is unaware that TCP wrappers are
in use. Legitimate users will not notice anything
different, and attackers never receive any additional information
about why their attempted connections have failed.
TCP wrappers operate in a manner that is separate from
the applications the wrapper program protects. This
allows many applications to share a common set of configuration
files for simpler management.
