TCP Wrappers (TCPD) Under FreeBSD
Simple setup instructions for TCP Wrappers for FreeBSD.
1. Add the TCP Wrappers port from /usr/ports/security/tcp_wrappers, or add it as a package from /stand/sysinstall.
2. Set up banners.
Banners contain the message displayed, if any, when tcpd is called for a particular service. Create the banners directory if necessary, and create the banner files as
% cd /usr/local/etc/banners
fingerd ftpd telnetd
% cat fingerd
This finger request has been logged.
Set up your banners appropriately. If you don't want a banner message, you can simply omit the corresponding file.
3. Edit /usr/local/etc/hosts.allow for your specific needs. Here is an example hosts.allow file:
ALL: .umn.edu: spawn (echo "Access from %h using %d." | sendmail root): DENY
telnetd: ALL : banners /usr/local/etc/banners/
fingerd: ALL : banners /usr/local/etc/banners/
ftpd: ALL : banners /usr/local/etc/banners/
This setup will deny any connections from any host *.umn.edu, it will allow and log telnet, finger and ftp connections, and it will deny all other services called by
inetd.conf. For more information type: man 5 hosts_access.
Note that I use hosts.deny for my daemon/banner entries, and I reserve my hosts.allow file, which is checked by TCPD before hosts.deny, for any specifically
denied hosts. By doing this, you can have additional security programs drop newly denied host entries into hosts.allow. It seems backward to have hosts.allow deny
connections while host.deny allows connections, but it works well. For more info, use:
man 5 hosts_access
4. Edit your /etc/syslog.conf file so tcpd can log properly.
Here are the first few lines of a typical distribution /etc/syslog.conf:
# more /etc/syslog.conf
Here are the first few lines of my edited /etc/syslog.conf:
# more /etc/syslog.conf*.err;kern.debug;auth.notice;mail.crit /dev/console
Notice the only change is the added line for auth.info logging to /var/log/messages.
5. Edit /etc/inetd.conf to point your services to tcpd.
Here is an example with the distribution lines commented out and the modified tcpd lines inserted.
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -a
ftp stream tcp nowait root /usr/local/libexec/tcpd ftpd -ll -a
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
telnet stream tcp nowait root /usr/local/libexec/tcpd telnetd
#finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -s
finger stream tcp nowait nobody /usr/local/libexec/tcpd fingerd -s
Make the appropriate changes. Be sure to verify that your tcpd is actually in /usr/libexec, as some versions put it into /usr/local/libexec.
Consider disabling rsh, rlogin and so on. Use _only_ those services which you absolutely need.
6. Restart your syslogd and inetd daemons with a kill -1.
There. tcpd is running and you didnt have to learn a thing. Congratulations.