The TCP Wrapper package provides daemon wrapper programs that report the name of the client requesting network services and the requested service.
Download (HTTP): http://files.ichilton.co.uk/nfs/tcp_wrappers_7.6.tar.gz
Download (FTP): ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
Download MD5 sum: e6fa25f71226d090f34de3f6b122fb5a
Download size: 97 KB
Estimated disk space required: 1.09 MB
Estimated build time: less than 0.1 SBU
Required Patch (Fixes some build issues and adds building a shared library): http://www.linuxfromscratch.org/patches/blfs/6.2.0/tcp_wrappers-7.6-shared_lib_plus_plus-1.patch
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/tcpwrappers
Install TCP Wrapper with the following commands:
patch -Np1 -i ../tcp_wrappers-7.6-shared_lib_plus_plus-1.patch && sed -i -e "s,^extern char \*malloc();,/* & */," scaffold.c && make REAL_DAEMON_DIR=/usr/sbin STYLE=-DPROCESS_OPTIONS linux
This package does not come with a test suite.
Now, as the root user:
make install
sed -i -e ... scaffold.c: This command removes an obsolete C declaration which causes the build to fail if using GCC >= 3.4.x.
/etc/hosts.allow and /etc/hosts.deny
File protections: the wrapper, all files used by the wrapper, and all directories in the path leading to those files, should be accessible but not writable for unprivileged users (mode 755 or mode 555). Do not install the wrapper set-uid.
As the root user, perform the following edits on the /etc/inetd.conf configuration file:
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
becomes:
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
The finger server is used as an example here.
Similar changes must be made if xinetd is used, with the emphasis being on calling /usr/sbin/tcpd instead of calling the service daemon directly, and passing the name of the service daemon to tcpd.
Last updated on 2006-06-21 11:26:07 -0500