TCP-Wrappers

By: James Reynolds - Revised: 2006-05-23 devin

Introduction

Discusses TCP Wrappers and how to configure it.


What is TCP Wrappers?

TCP Wrappers is host-based access control software, plus its configuration files, for network services such as sshd, ftp, telnet, finger, and more (see /etc/inetd.conf and /etc/xinetd.d/* for the services started through the superserver; programs such as sshd can also be linked against the same library, libwrap, and consult the files themselves). On Mac OS X, all of these services are disabled by default, so TCP Wrappers is not strictly necessary. However, if you enable something, or in the event that a service is activated by accident or by an attacker, TCP Wrappers functions as a safety net that can still prevent unauthorized use.

TCP Wrappers works by consulting a list of client hosts. Only connections from hosts that the list permits are allowed past TCP Wrappers; the decision is based on the client's address (or host name) and the requested service, not on user accounts.

The TCP Wrappers daemon is /usr/libexec/tcpd. The allowed-host list is /etc/hosts.allow and the denied-host list is /etc/hosts.deny.

Configuring TCP Wrappers

TCP Wrappers is pre-installed with Mac OS X. Enabling TCP Wrappers is very easy: you just need to create the host lists. The safest configuration is to deny everyone and then make a small allowed list.

The files do not exist by default, so you will need to create them. A missing file is treated as an empty file (see hosts_access(5)), so the deny-all policy below takes effect as soon as /etc/hosts.deny exists; create /etc/hosts.allow as well so that the allowed list is explicit rather than implied. You can edit the files using BBEdit or the terminal. The deny list is /etc/hosts.deny and the allow list is /etc/hosts.allow. The suggested deny list is shown below.

To edit the deny file with pico in the terminal, type:

sudo pico /etc/hosts.deny

Copy and paste this text into the file /etc/hosts.deny

#
# hosts.deny This file describes the names of the hosts which are
# denied the use of local INET services, as decided
# by the '/usr/libexec/tcpd' server.
#
# Deny every service to every client that /etc/hosts.allow does not
# explicitly permit. The file name alone decides the verdict, so no
# trailing ':deny' option is needed here (an option field is only
# honored by builds with hosts_options(5) support).
ALL: ALL

To edit the allow file using pico in the terminal, type:

sudo pico /etc/hosts.allow

Completely closed (no client is admitted to any service): copy and paste this text into the file /etc/hosts.allow

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/libexec/tcpd' server.
#

If you want to allow access to the computer (for example over sshd) from your own subnet or IP address, add entries like this:

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/libexec/tcpd' server.
#
# A client pattern that ends with a period is a network number prefix.
ALL:10.0.        # any service from 10.0.0.0 - 10.0.255.255
ALL:10.1.2.      # any service from 10.1.2.0 - 10.1.2.255
ALL:10.2.3.4     # any service from this single host

Note: in Mac OS X 10.2 you could have "ALL:10.1.2", but in Mac OS X 10.3 (Server) it has to end with a period, like "ALL:10.1.2.". I don't know why.
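The trailing period matters because of how hosts_access(5) defines client patterns: a string that ends with "." is a network number prefix and matches any client address whose leading fields equal it, while any other string is compared whole, so "10.1.2" can only match a client whose address is literally "10.1.2". To make the decision procedure concrete, here is an added example, written for this page and not taken from tcpd or Mac OS X: a small Python evaluator that applies the deny-all/allow-list files above to a (daemon, client address) pair in the order tcpd uses, first /etc/hosts.allow, then /etc/hosts.deny, then a default of "allow". It implements only the pattern forms this page uses (ALL, an exact IPv4 address, a trailing-period prefix, and the allow/deny option of hosts_options(5) at the end of a rule); host name, domain, netmask, EXCEPT and user@host patterns are left out. The file contents are constructed inline from the examples above rather than read from /etc.

```python
"""Evaluate TCP Wrappers style access rules for a daemon/client pair.

Added example, not tcpd's own code. It implements the subset of
hosts_access(5) this page relies on: the ALL wildcard, an exact IPv4
address, a network prefix written with a trailing period, and the
allow/deny option of hosts_options(5) at the end of a rule. Host name,
domain, netmask, EXCEPT and user@host patterns are not implemented.
"""

# Constructed file contents, copied from the page's suggested configuration.
HOSTS_DENY = """
# deny everything that hosts.allow does not explicitly permit
ALL: ALL
"""

HOSTS_ALLOW = """
ALL: 10.0.
ALL: 10.1.2.
ALL: 10.2.3.4
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns, option) tuples.

    Comments and blank lines are skipped. `option` is "allow", "deny" or
    None: it is taken from the last field when that field is one of those
    two words, and it overrides the verdict implied by the file name."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("expected 'daemon_list : client_list': %r" % raw)
        option = None
        if len(fields) > 2 and fields[-1].lower() in ("allow", "deny"):
            option = fields[-1].lower()
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # hosts_access(5): a string ending in '.' is a network number
        # prefix; "10.1.2." covers 10.1.2.0-10.1.2.255 but not 10.1.20.x.
        return client_ip.startswith(pattern)
    # Anything else is compared whole, so "10.1.2" only matches a client
    # whose address string is exactly "10.1.2", which no real client has.
    return client_ip == pattern


def daemon_matches(pattern, daemon):
    """Match one daemon pattern (ALL or an exact program name)."""
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, client_ip):
    """A rule applies when any daemon pattern and any client pattern match."""
    daemons, clients, _ = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide a connection the way hosts_access(5) describes: the first
    matching rule in hosts.allow grants access, otherwise the first
    matching rule in hosts.deny refuses it, otherwise access is granted.
    An empty string stands in for a missing file, which tcpd treats the
    same way."""
    for default, text in (("allow", allow_text), ("deny", deny_text)):
        for rule in parse_rules(text):
            if rule_matches(rule, daemon, client_ip):
                verdict = rule[2] or default
                return verdict == "allow"
    return True  # no rule matched at all: the connection is permitted


def trailing_period_demo():
    """Return (without_period, with_period) verdicts for sshd from 10.1.2.3,
    showing why "ALL: 10.1.2" admits nobody while "ALL: 10.1.2." works."""
    return (hosts_access("sshd", "10.1.2.3", "ALL: 10.1.2\n", HOSTS_DENY),
            hosts_access("sshd", "10.1.2.3", "ALL: 10.1.2.\n", HOSTS_DENY))


if __name__ == "__main__":
    for daemon, ip in (("sshd", "10.0.5.6"), ("sshd", "10.1.20.7"),
                       ("ftpd", "10.2.3.4"), ("sshd", "192.168.1.1")):
        print("%-5s from %-13s -> %s" % (daemon, ip,
              "allow" if hosts_access(daemon, ip) else "deny"))
    print("'ALL: 10.1.2' vs 'ALL: 10.1.2.' for 10.1.2.3:", trailing_period_demo())
```

Run it with `python3` to see the verdicts for a few constructed clients; change HOSTS_ALLOW to your own prefixes before relying on the result, and remember that tcpd itself also performs host name lookups and supports more pattern forms than this evaluator. If your system ships tcpdmatch from the tcp_wrappers package, `tcpdmatch sshd 10.1.2.3` gives the authoritative answer against the real /etc files.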

Links

If you want to do more, such as allowing particular hosts, IPs, users, or services, read the documentation for the rule syntax (the hosts_access(5) and hosts_options(5) manual pages, reachable with `man hosts_access` in the terminal):