Unix Network Admin
TCP wrappers
Assignment 4
Carefully read each step and perform the required commands. Grading will be based on completion of the lab, including how well you
follow instructions. Remember to back up all configuration files before modifying them (use cp -p). You are expected to log all settings
using your journal.bash script. Only include relevant information in your journal. Include all changes to configuration files.
Motivation: There is always a trade-off between securing a server and providing access to valid users. TCP wrappers were created to
add host-based access control and logging to the original inetd server and other network server programs. Wrappers provide the same
control to the more advanced xinetd server and to standalone daemons (such as sshd) that are built with wrapper support.
TCP wrappers work from two files, /etc/hosts.allow and /etc/hosts.deny, which share one format: a daemon list, a colon, a client list,
and optionally a second colon followed by a shell command. A line in one of the files looks like: sshd: 10.0.1. (note the ending dot) or,
in.ftpd,in.telnetd: 172.16.1.X 192.168.2.X amazon.com : tcpwraplog.sh
The trailing dot makes 10.0.1. a network prefix (it matches 10.0.1.5 but not 10.0.10.5); without the dot the pattern names one exact host.
If the first example were in the /etc/hosts.deny file, all users on the 10.0.1. network would be denied ssh access. If the same line were in
/etc/hosts.allow, those users would be allowed ssh access. The files are consulted in a fixed order: hosts.allow is searched first and the
first matching line grants access; otherwise hosts.deny is searched and the first matching line refuses access; if neither file matches,
access is granted. The recommended secure setting is therefore to put the single line ALL:ALL into the /etc/hosts.deny file (this should be
the only line in this file; never put any other lines in it!). This denies access to every service that uses the TCP wrappers security
mechanism. You can then open up limited access to various services by putting specific lines in the /etc/hosts.allow file. Changes to these
files take effect immediately, without restarting any daemons, because the files are re-read for every connection. Other keywords
recognized inside these configuration files are LOCAL, KNOWN, UNKNOWN, PARANOID and EXCEPT.
A shell command on a line can use % expansions for logging the client and daemon, for example %a (client address), %h (client host name
or address), %d (daemon name), %p (daemon process id) and %u (client user name). Read the hosts_access man page for a detailed description.
1 Have your classmate verify that they can SSH into your server on both the 172.16.1.x and 192.168.2.x networks.
Verify that they are logged on, and find the log(s) where their connection acceptance or refusal is recorded. Record
the output of the who command (who | grep user | j 4.1.1 --cmd "desc") and the log entry (j 4.1.2 --log secure 5)
showing the connections in your journal. (Remember, "desc" means that you have to give a description explaining
what this journal entry shows.)
2 Create an ssh config file so you can access your account on your classmate's PC from your default user account.
1. Add entries to connect using both the 172.x and 192.x networks. This is a new file, so use the command (j 4.2.1
--list ~/.ssh/config) to list the entire file.
2. Generate and install an rsa key to connect to your classmate's PC (into your personal account on their machine)
without a password. Document the local key files using (j 4.2.21 --dir ~/.ssh/) and document the remote using
(ssh user@remote ls -l .ssh | j 4.2.22 --cmd "desc"). (Note: I highly recommend setting up this key for use
with the linux.starkstate.net server as well. This will save you from having to enter your password during the
upload phase of your journal.)
3. Test and record in your journal the output of your connections showing that no password was asked for. Use
the (j 4.2.30 --journal) command and then paste the lines showing the connection without a request for a
password into the journal area.
3 Copy the contents of your default user's .ssh directory into the root user's .ssh directory and set the ownership
to root (cp -p run as root preserves your user's ownership, so a chown is needed). Keep the directory at mode 700 and
the config file and private key at mode 600: ssh refuses a config file that is owned by someone else or writable by
others, and it ignores a private key that is readable by others. Include an ls -l of the root user's .ssh directory.
(j 4.3 --dir ~root/.ssh/) This will allow you to use the keys and configuration file as the root user as well as
your default user.
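The following is an added example, not part of the handout, showing the two pieces that steps 2 and 3 leave to you: an ~/.ssh/config with one Host alias per network path to the classmate's VM, and the ownership and permission fix-up that the copy into ~root/.ssh needs. The user name student, the addresses 172.16.1.X and 192.168.2.X, the aliases peer172 and peer192 and the temporary directory it works in are placeholders; the key files it writes are constructed stand-ins, not real keys (on the VM generate the real one with ssh-keygen -t rsa and install it with ssh-copy-id peer192).

```bash
#!/bin/bash
# Added example (not part of the handout). Placeholders: user "student",
# addresses 172.16.1.X / 192.168.2.X, aliases peer172 / peer192. The key files
# written below are constructed stand-ins; on the VM use ssh-keygen -t rsa and
# ssh-copy-id peer192 instead.

# mode_of PATH / owner_of PATH: octal mode and owner name (GNU stat, BSD fallback)
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# write_ssh_config DIR [USER] [ADDR172] [ADDR192]: step 2.1, one alias per network.
# IdentityFile is given relative to ~ so the same file works unchanged once it
# is copied into ~root/.ssh (step 3), where ~ resolves to /root.
write_ssh_config() {
  local dir=$1 user=${2:-student} a172=${3:-172.16.1.X} a192=${4:-192.168.2.X}
  mkdir -p "$dir"
  cat >"$dir/config" <<EOF
# one alias per path to the classmate's VM; "ssh peer192" picks the 192 network
Host peer172
    HostName $a172
    User $user
    IdentityFile ~/.ssh/id_rsa

Host peer192
    HostName $a192
    User $user
    IdentityFile ~/.ssh/id_rsa
EOF
}

# harden_ssh_dir DIR: 700 on the directory, 600 on everything private, 644 on *.pub
harden_ssh_dir() {
  local dir=$1
  chmod 700 "$dir"
  find "$dir" -type f ! -name '*.pub' -exec chmod 600 {} +
  find "$dir" -type f -name '*.pub' -exec chmod 644 {} +
}

# copy_ssh_dir SRC DST [OWNER]: step 3. cp -p run as root keeps the original
# user's ownership, so the copy must be re-owned (OWNER, e.g. root:root);
# leave OWNER out when you are not root.
copy_ssh_dir() {
  local src=$1 dst=$2 owner=$3
  mkdir -p "$dst"
  cp -p "$src"/* "$dst"/
  if [ -n "$owner" ]; then chown -R "$owner" "$dst"; fi
  harden_ssh_dir "$dst"
}

# check_ssh_dir DIR [OWNER]: 0 if the directory is in the state ssh accepts:
# owned by OWNER (default: the current user), mode 700, private files 600,
# public keys 644. ssh rejects a config owned by someone else or writable by
# others and ignores a private key readable by others; this check is stricter.
check_ssh_dir() {
  local dir=$1 owner=${2:-$(id -un)} f want
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  [ "$(owner_of "$dir")" = "$owner" ] || { echo "wrong owner on $dir"; return 1; }
  [ "$(mode_of "$dir")" = 700 ] || { echo "mode $(mode_of "$dir") on $dir, want 700"; return 1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case $f in *.pub) want=644 ;; *) want=600 ;; esac
    [ "$(owner_of "$f")" = "$owner" ] || { echo "wrong owner on $f"; return 1; }
    [ "$(mode_of "$f")" = "$want" ] || { echo "mode $(mode_of "$f") on $f, want $want"; return 1; }
  done
  echo "ok: $dir"
}

# ---- constructed demo in a temporary HOME (placeholder keys, not real ones) ----
demo_home=$(mktemp -d)
write_ssh_config "$demo_home/.ssh"
printf '%s\n' 'constructed placeholder, not a real private key' >"$demo_home/.ssh/id_rsa"
printf '%s\n' 'ssh-rsa PLACEHOLDER student@vm' >"$demo_home/.ssh/id_rsa.pub"
harden_ssh_dir "$demo_home/.ssh"
check_ssh_dir "$demo_home/.ssh"
copy_ssh_dir "$demo_home/.ssh" "$demo_home/root_ssh"   # on the VM, as root: copy_ssh_dir ~you/.ssh ~root/.ssh root:root
check_ssh_dir "$demo_home/root_ssh"
ls -l "$demo_home/root_ssh"
```

Run check_ssh_dir against ~root/.ssh after step 3 (as root, with root as the owner argument) before you rely on the key there; a wrong mode is reported with the mode it found and the mode wanted.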
4 Configure the TCP wrappers to deny all (almost all). NOTE: at this point, DO NOT LOG OUT OF THIS
TERMINAL UNTIL YOU HAVE allowed connections for the 10.0.1.X network. You will have to use a separate
terminal for testing. If you log out of this terminal, you may not be able to reconnect. Two points will be deducted
if you lock yourself out of the VM. (Back up the files before making changes, then add the changes to your journal
using the --diff option.)
1. Add the line sshd : 10.0.1.251 to /etc/hosts.allow to allow connections from the linux.starkstate.net server.
Warning: if this line is not correct (the daemon name must be sshd, exactly as the process is named, and the address
must be exact), you will lock yourself out of your VM in the following step. (j 4.4.1 --diff /etc/hosts.allow{,.0})
2. Modify your /etc/hosts.deny file to deny everything (ALL : ALL). (j 4.4.2 --diff /etc/hosts.deny
/etc/hosts.deny.0)
3. Have your classmate try to connect from their VM using both networks (172.x and 192.x). Include log entries in
your journal verifying the denials from both networks. (j 4.4.3 --log /var/log/secure 4)
4. From a different terminal, verify that you can connect from the linux.starkstate.net server (the 10.0.1.X
network) to your VM. If you can log in from linux.starkstate.net, it is safe to log out of the other terminal; if
not, you need to correct your files and test again.
5 Allow the trusted 192.x network:
1. Remember to back up the files before modifying them. Add the 192.168.2. network to the sshd line in the
/etc/hosts.allow file to allow users to connect to your machine using SSH only over the 192 IP network. (j 4.5.1
--diff /etc/hosts.allow{,.1})
2. Verify that your classmate can connect from the 192.x but not from the 172.x network. Include a log entry in
your journal showing that connection was allowed over the 192.x network but not the 172.x network.
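The following is an added example, not part of the handout, that models how libwrap decides on a connection (hosts.allow is searched first and its first match grants access; otherwise hosts.deny is searched and its first match refuses access; otherwise access is granted) and runs that decision against the files the lab leaves in place after step 5, plus the two mistakes that lock you out in step 4: a wrong daemon name and a missing trailing dot. The model handles ALL, trailing-dot network prefixes, leading-dot domain suffixes, exact hosts and EXCEPT; it does not do DNS lookups, the LOCAL, KNOWN, UNKNOWN and PARANOID keywords, netmask forms or spawn/twist commands, and it reads constructed files from a temporary directory rather than /etc. The client addresses in the demo are constructed.

```bash
#!/bin/bash
# Added example (not part of the handout): a model of the libwrap decision for
# one connection, used to check a hosts.allow/hosts.deny pair before it goes
# live. Search order per hosts_access(5): hosts.allow first match => allow,
# else hosts.deny first match => deny, else allow. Patterns modelled: ALL,
# "10.0.1." (trailing dot = network prefix), ".example.com" (leading dot =
# domain suffix), exact host, and "list EXCEPT list". No DNS, no LOCAL/KNOWN/
# UNKNOWN/PARANOID, no netmasks; a shell command after a third ':' is ignored.

# trim STRING: strip leading and trailing whitespace
trim() {
  local s=$1
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

# match_pattern PATTERN NAME: 0 if one pattern matches a client or daemon name
match_pattern() {
  local pat=$1 name=$2
  case $pat in
    ALL) return 0 ;;
    .*)  [ "${name%"$pat"}" != "$name" ] && return 0 ;;   # domain suffix
    *.)  [ "${name#"$pat"}" != "$name" ] && return 0 ;;   # network prefix
    *)   [ "$pat" = "$name" ] && return 0 ;;              # exact match
  esac
  return 1
}

# match_list LIST NAME: 0 if a comma/space separated list matches, honouring
# "members EXCEPT exceptions" (the exceptions list may itself contain EXCEPT)
match_list() {
  local list=$1 name=$2 inc exc p
  if [[ $list == *" EXCEPT "* ]]; then
    inc=${list%% EXCEPT *}; exc=${list#* EXCEPT }
  else
    inc=$list; exc=
  fi
  for p in ${inc//,/ }; do
    if match_pattern "$p" "$name"; then
      [ -n "$exc" ] && match_list "$exc" "$name" && return 1
      return 0
    fi
  done
  return 1
}

# file_matches FILE DAEMON CLIENT: 0 if any rule line in FILE matches both
file_matches() {
  local file=$1 daemon=$2 client=$3 line daemons clients rest
  [ -r "$file" ] || return 1            # a missing file holds no rules
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                    # strip comments
    [ -z "$(trim "$line")" ] && continue
    IFS=: read -r daemons clients rest <<<"$line"
    if match_list "$(trim "$daemons")" "$daemon" && match_list "$(trim "$clients")" "$client"; then
      return 0
    fi
  done <"$file"
  return 1
}

# hosts_access DAEMON CLIENT [ALLOW_FILE] [DENY_FILE]: prints allow|deny and
# returns 0 for allow, 1 for deny
hosts_access() {
  local daemon=$1 client=$2 allow=${3:-/etc/hosts.allow} deny=${4:-/etc/hosts.deny}
  if file_matches "$allow" "$daemon" "$client"; then echo allow; return 0; fi
  if file_matches "$deny" "$daemon" "$client"; then echo deny; return 1; fi
  echo allow                            # nothing matched: tcpd grants access
}

# ---- constructed demo files: the lab state after step 5, plus two mistakes ----
demo=$(mktemp -d)
printf 'ALL : ALL\n' >"$demo/hosts.deny"
printf '# step 4.1 plus step 5.1: course server, then the trusted 192 network\nsshd : 10.0.1.251 192.168.2.\n' >"$demo/hosts.allow"
printf 'ssh : 10.0.1.251\n' >"$demo/hosts.allow.typo"    # wrong daemon name: the process is sshd
printf 'sshd : 10.0.1\n' >"$demo/hosts.allow.nodot"      # no trailing dot: exact host, not a network

# lab_check ALLOW_FILE DENY_FILE: one decision line per (daemon, client) case
lab_check() {
  local allow=$1 deny=$2 spec
  for spec in sshd/10.0.1.251 sshd/192.168.2.77 sshd/172.16.1.77 sshd/10.0.10.5 in.ftpd/192.168.2.77; do
    printf '%-8s from %-14s -> %s\n' "${spec%/*}" "${spec#*/}" \
      "$(hosts_access "${spec%/*}" "${spec#*/}" "$allow" "$deny")"
  done
}

echo "== hosts.allow as written in the lab";          lab_check "$demo/hosts.allow" "$demo/hosts.deny"
echo "== hosts.allow with the daemon name mistyped";  lab_check "$demo/hosts.allow.typo" "$demo/hosts.deny"
echo "== hosts.allow without the trailing dot";       lab_check "$demo/hosts.allow.nodot" "$demo/hosts.deny"
```

On the VM itself the authoritative check is the tcpdmatch program from the tcp_wrappers package, for example tcpdmatch sshd 10.0.1.251, run against the real files after step 4.1 and before ALL : ALL goes into hosts.deny; tcpdchk -v reports syntax problems in both files. The model here is only for seeing the search order and the prefix rule without touching /etc.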
6 Now that this lab is finished, we will reset the configuration files. Make a copy of the hosts.allow and hosts.deny
files called hosts.{allow,deny}.lab04, then copy (cp -p) the original (.0) files back over the working files. Add the
output of the command ls -lt /etc/hosts* | j 4.6 --cmd "desc" to your journal showing the copies were made.
Verify you can connect to your server from the linux.starkstate.net server using a separate terminal, then log out.
7 Finish: To complete your journal, be sure to run the command j # --viewall, and carefully review the journal and
make any corrections using the --edit option. You must re-run with --viewall to see changes. When you are
comfortable with the journal, run the j # --upload command to copy the journal to the linux.starkstate.net server,
then log in to ANGEL and submit the Assignment for that journal.