TCP Wrappers Installation Checklist
TCP_WRAPPERS FTP Site: ftp://ftp.win.tue.nl/pub/security
Install Notes:
If you need to get the source and build:
beast:/beast/info/src/security/tcp_wrappers_(version).tar.gz
Or get from: ftp://ftp.win.tue.nl/pub/security
uncompress and untar archives
cd into tcp_wrapper directory:
edit the Makefile
uncomment the following:
REAL_DAEMON_DIR=/usr/libexec (path for inetd daemons)
STYLE = -DPROCESS_OPTIONS # Enable language extensions.
Note the default syslog facility is LOG_MAIL; if you want to change this, change:
FACILITY = LOG_MAIL -> FACILITY = LOG_LOCAL1 (or whatever)
add the following to /etc/syslog.conf
---------
# wrapper logs
local1.info /var/log/wrap.log
---------
touch /var/log/wrap.log
make bsdos
use the sys-type for the system you're compiling on
sudo cp safe_finger tcpd tcpdchk tcpdmatch try-from /usr/libexec
sudo cp hosts_access.3 /usr/local/man/man3
sudo cp hosts_access.5 /usr/local/man/man5
sudo cp tcpd.8 tcpdchk.8 tcpdmatch.8 /usr/local/man/man8
edit /etc/inetd.conf
---------
Here is an example /etc/inetd.conf file. Note identd is not using tcpd.
---------
ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l -a
telnet stream tcp nowait root /usr/libexec/tcpd telnetd -h
shell stream tcp nowait root /usr/libexec/tcpd rshd
login stream tcp nowait root /usr/libexec/tcpd rlogind -a
finger stream tcp nowait nobody /usr/libexec/tcpd fingerd
pop stream tcp nowait root /usr/libexec/tcpd popper
imap stream tcp nowait root /usr/libexec/tcpd imapd
amanda dgram udp wait operator /usr/libexec/tcpd amandad
ident stream tcp nowait sys /usr/libexec/identd identd -l
---------
set up /etc/hosts.allow
---------
Here is an example hosts.allow file:
---------
amandad: 192.108.21.0/255.255.255.0
fingerd: .xor.com
ftpd: 192.108.21.1,\
192.225.32.2
imapd: 192.108.21.0/255.255.255.0,\
192.225.32.0/255.255.255.0
popper: beast.xor.com,\
chimchim.xor.com
rlogind: 192.108.21.0/255.255.255.0,\
192.225.32.0/255.255.255.0
rshd: 192.108.21.0/255.255.255.0,\
192.225.32.0/255.255.255.0
telnetd: 192.108.33.0/255.255.255.0,\
192.108.21.0/255.255.255.0,\
192.225.32.0/255.255.255.0,\
205.169.69.2
ALL: LOCAL
ALL: ALL: DENY
---------
run tcpdchk to check for config errors
tcpdmatch is useful to verify that /etc/hosts.allow is
set up correctly:
/usr/libexec/tcpdmatch ftpd foo.com
Verify that the logging is working (cat /var/log/wrap.log)
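As an added illustration (not part of the checklist or of the tcp_wrappers distribution), the script below emulates what tcpdmatch does when you query it against the example hosts.allow above: it joins backslash-continued lines, reads the optional third field (DENY) enabled by -DPROCESS_OPTIONS, and applies first-match semantics. It only handles the client patterns this page uses (ALL, LOCAL, .domain, net/mask, literal host or address) and does not model /etc/hosts.deny.

```python
import ipaddress

# Constructed sample: the hosts.allow from the checklist above, trimmed to a few daemons.
HOSTS_ALLOW = """\
amandad: 192.108.21.0/255.255.255.0
fingerd: .xor.com
ftpd: 192.108.21.1,\\
 192.225.32.2
popper: beast.xor.com,\\
 chimchim.xor.com
ALL: LOCAL
ALL: ALL: DENY
"""

def parse_rules(text):
    """Join backslash-continued lines, then split each rule into
    (daemon list, client list, option field or None)."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        option = fields[2].upper() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules

def client_matches(pattern, host, addr):
    """Client patterns used on this page: ALL, LOCAL, .domain, net/mask, literal."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # any hostname without a dot
        return "." not in host
    if pattern.startswith("."):                 # domain suffix
        return host.endswith(pattern)
    if "/" in pattern:                          # network/netmask pair
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)              # exact host name or address

def access(rules, daemon, host, addr):
    """First matching rule wins, as tcpd does; a DENY option denies."""
    for daemons, clients, option in rules:
        if (daemon in daemons or "ALL" in daemons) and \
                any(client_matches(p, host, addr) for p in clients):
            return "DENY" if option == "DENY" else "ALLOW"
    return "ALLOW"   # no match here: real tcpd would consult /etc/hosts.deny next
```

For example, access(parse_rules(HOSTS_ALLOW), "ftpd", "foo.com", "203.0.113.9") returns "DENY", mirroring the tcpdmatch ftpd foo.com check above.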
SEE README for more details.