TCP wrappers are capable of more than allowing and denying access to services. With the optional command argument, they can send connection banners, warn of attacks from particular hosts, and enhance logging.
TCP wrapper banner for a service
To implement a TCP wrapper banner for a service, use the banners option. This example implements a banner for vsftpd. You need to create a banner file anywhere on the system, giving it the same name as the daemon. In this example, the file is called /etc/banners/vsftpd and contains the following lines:
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use results in access privileges being removed.
The %c token supplies a variety of client information. The %d token (not shown) expands to the name of the daemon that the client attempted to connect to. For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:
# vi /etc/hosts.allow
vsftpd : ALL : banners /etc/banners/
TCP wrappers to warn of potential attacks
TCP wrappers can warn you of potential attacks from a host or network by using the spawn directive. The spawn directive executes any shell command (the %-tokens in that command are expanded before it runs). In this example, access is being attempted from the 220.127.116.11/24 network. Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file:
# vi /etc/hosts.deny
ALL : 18.104.22.168 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
To allow the connection and log it, place the spawn directive in the /etc/hosts.allow file.
Deny access and log connection attempt
The following entry in /etc/hosts.deny denies all client access to all services (unless specifically permitted in /etc/hosts.allow) and logs the connection attempt:
# vi /etc/hosts.deny
ALL : ALL : spawn /bin/echo "%c tried to connect to %d and was blocked" >> /var/log/tcpwrappers.log
The log level can be elevated by using the severity option. Assume that anyone attempting to ssh to an FTP server is an intruder. To denote this, log the attempt at the emerg priority instead of the default priority, info, and deny the connection. To do this, place the following line in /etc/hosts.deny:
# vi /etc/hosts.deny
sshd : ALL : severity emerg
This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.
Deny access from a specific domain
The following example states that if a connection to the SSH daemon (sshd) is attempted from a host in the example.com domain, the echo command is executed to append the attempt to a special log file, and the connection is denied. Because the optional deny directive is used, this rule denies access even though it appears in the /etc/hosts.allow file:
# vi /etc/hosts.allow
sshd : .example.com \
    : spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \
    : deny
Each option field (spawn and deny) is placed on its own line, and the backslash (\) at the end of the preceding line continues the rule onto the next line; without it, the line break would end the rule and a rule this long would fail.
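The rule syntax used throughout this page (daemon list, client list, option fields, backslash continuation) and the %c/%d expansion that the banner and spawn examples depend on can be checked offline. The following added example is a dry-run evaluator written for this page; it is not tcpd or libwrap code. It joins continued lines, splits the fields, expands the tokens, and reports the decision plus the commands tcpd would spawn, without executing them. The rule text, banner file and client hosts are constructed inline (addresses from the 192.0.2.0/24 documentation range), the %c value is taken from the client hostname, and the list of shell-safe characters is this example's own conservative choice.

```python
"""Added example for this page (not tcpd/libwrap code): a dry-run evaluator for
hosts.allow / hosts.deny rules. It joins backslash-continued lines, splits the
daemon / client / option fields, expands the %c and %d tokens used by the banner
and spawn examples, and reports what tcpd would do without executing anything."""
import re

# Characters that could confuse /bin/sh are replaced by '_' before client data
# reaches a spawn command. tcpd documents the same safeguard; the exact allowlist
# below is this example's own conservative choice.
_SAFE = re.compile(r"[^A-Za-z0-9._@/-]")


def expand(text, client, daemon):
    """Expand the %-tokens from hosts_access(5) that this example supports."""
    tokens = {
        "a": client["addr"],                       # %a  client address
        "h": client["host"],                       # %h  client hostname
        "c": client.get("info", client["host"]),   # %c  client information
        "d": daemon,                               # %d  daemon name
    }

    def sub(m):
        key = m.group(1)
        if key == "%":
            return "%"
        return _SAFE.sub("_", tokens[key]) if key in tokens else m.group(0)

    return re.sub(r"%(.)", sub, text)


def parse_rules(text):
    """Return [(daemons, clients, options)]; a trailing '\\' continues a line."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]  # assumes no ':' inside an option
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def client_matches(pattern, client):
    """ALL, a .domain suffix, a net. prefix, or an exact host/address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return client["host"].endswith(pattern)
    if pattern.endswith("."):
        return client["addr"].startswith(pattern)
    return pattern in (client["host"], client["addr"])


def evaluate(daemon, client, allow_text, deny_text, banner_files):
    """First matching rule wins: hosts.allow, then hosts.deny, else allow."""
    for default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if not ("ALL" in daemons or daemon in daemons):
                continue
            if not any(client_matches(p, client) for p in clients):
                continue
            result = {"decision": default, "spawn": [], "banner": None, "severity": None}
            for opt in options:
                name, _, arg = opt.partition(" ")
                if name == "spawn":              # recorded, never executed here
                    result["spawn"].append(expand(arg.strip(), client, daemon))
                elif name == "banners":          # banner file is named after the daemon
                    path = arg.strip().rstrip("/") + "/" + daemon
                    result["banner"] = expand(banner_files.get(path, ""), client, daemon)
                elif name == "severity":
                    result["severity"] = arg.strip()
                elif name in ("allow", "deny"):  # explicit verdict overrides the file default
                    result["decision"] = name
            return result
    return {"decision": "allow", "spawn": [], "banner": None, "severity": None}


# Constructed sample configuration mirroring the rules shown in the text.
HOSTS_ALLOW = """\
vsftpd : ALL : banners /etc/banners/
sshd : .example.com \\
    : spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \\
    : deny
"""
HOSTS_DENY = """\
sshd : ALL : severity emerg
ALL : ALL : spawn /bin/echo "%c tried to connect to %d and was blocked" >> /var/log/tcpwrappers.log
"""
BANNER_FILES = {"/etc/banners/vsftpd": "220-Hello, %c\n220-All activity on ftp.example.com is logged.\n"}


def check(daemon, host, addr):
    """Evaluate one constructed connection against the sample files above."""
    return evaluate(daemon, {"host": host, "addr": addr}, HOSTS_ALLOW, HOSTS_DENY, BANNER_FILES)


if __name__ == "__main__":
    for args in (("vsftpd", "ftp-client.example.net", "192.0.2.10"),
                 ("sshd", "box.example.com", "192.0.2.11"),
                 ("telnetd", "odd;name.example.net", "192.0.2.13")):
        print(args, check(*args))
```

The last sample client carries a semicolon in its hostname: the evaluator shows that the value substituted for %c in the spawn command has that character replaced by an underscore, which is why spawn commands that embed client data can be run through /bin/sh at all. Note that the evaluator stops at the first matching rule in each file, so an sshd connection from outside example.com hits the severity rule in hosts.deny and never reaches the catch-all logging rule below it.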