Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Protect your machine with TCP wrapper Network
TCP Wrapper allows you to protect your machine's daemon, such as FTP, telnet, etc. It's a filter that use IP numbers and hostnames to restrict access. TCP Wrapper is already in MacOS X, but the configuration file is not provided, so there is no protection at all, and there won't be until you create one and edit it to suit your needs.

You can see a sample hosts.allow file at this URL:

http://www.patpro.net/images/hosts.allow

Copy this file into /etc/ and edit it. How to configure the file is pretty obvious as soon as you take a look into it so I don't detail this part (the file is commented with basic instructions).

WARNING: Be really careful when working on a remote machine, messing up the hosts.allow can prevent you from connecting again to that computer.
    •    
  • Currently 1.63 / 5
  You rated: 3 / 5 (8 votes cast)
 
[12,555 views]  

Protect your machine with TCP wrapper | 6 comments | Create New Account
Click here to return to the 'Protect your machine with TCP wrapper' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Doesn't work in 10.0.1 release?
Authored by: gabester on Apr 26, '01 12:36:55PM

I've been trying to do this on the latest release.
I'll grant that the only service I'm currently
using is SSH, but I cannot seem to deny access
from anywhere.

I'm using the following format; what am I
doing wrong?

sshd : localhost 127.0.0.1 : allow
sshd : 192.168.1.10 : allow
sshd : 192.168.1.0/255.255.255.0
sshd : ALL : deny

My limited understanding says this should block
access from all machines using ssh to connect
except localhost and one other on my lan.
However, I can access from any machine on my
lan without difficulty.

Is there something that needs to be done to
activate this in 10.0.1?



[ Reply to This | # ]
Doesn't work in 10.0.1 release?
Authored by: moby1 on Apr 26, '01 08:05:07PM

Try moving the "Deny" statement BEFORE the "Allow" statement.

Also shouldn't it be "deny: all".

Remember to restart the server after that.

WARNING: I'm just a Linux newbie and by following my advise you may experience diziness, fatigue and sweating. Continued use of my advise may cause wheezing and a general feeling of confusion and disorientation. Use with caution.



[ Reply to This | # ]
Doesn't work in 10.0.1 release?
Authored by: patpro on Apr 27, '01 07:51:38AM

syntax looks ok except for the 3rd line :

sshd : 192.168.1.0/255.255.255.0

that should be either

sshd : 192.168.1.0/255.255.255.0 : deny

or

sshd : 192.168.1.0/255.255.255.0 : allow

If it does not solve your problem, it may be due to SSH compilation. I guess you are using SSH provided by Apple. Unfortunately SSH must be specificaly compiled to use TCP Wrapper. I don't know if --with-tcp-wrapper was used on Apple's SSH.

h.t.h.



[ Reply to This | # ]
Doesn't work in 10.0.1 release?
Authored by: Anon on Aug 01, '01 06:23:44PM

You need to create a file called /etc/hosts.deny with the following line:

ALL: ALL

That will deny everything that you haven't allowed



[ Reply to This | # ]
Doesn't work in 10.0.1 release?
Authored by: therav! on Jun 22, '02 04:32:44AM

sshd : localhost 127.0.0.1 : allow
sshd : 192.168.1.10 : allow
sshd : 192.168.1.0/255.255.255.0
sshd : ALL : deny

actually the above syntax is not correct. or at least not if you enter it exactly like that. what you would do is create both a hosts.allow and hosts.deny file in the hosts.deny file you would enter ALL:ALL
in the hosts.allow file you would enter sshd:127.0.0.1,192.168.1.

if in the deny list you don't want to deny all services but just the sshd daemon then alternatively you could enter sshd: ALL in the deny file. But generally, from a security perspective, you should deny everything to everyone and then explicitly allow only what you need to allow in the hosts.allow file.



[ Reply to This | # ]
TCP Wrappers explained
Authored by: rudeboy on Sep 10, '01 03:01:56PM

The best way I have seen to learn about how TCP wrappers can be implemented in OSX is Stepwise.com @ the following link:

http://www.stepwise.com/Articles/Workbench/2000-04-08.01.html

It was written by Jay Swan.



[ Reply to This | # ]