source: basicnet/netprogs/tcpwrappers.xml@ c53fc5f6

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY tcpwrappers-download-http "http://files.ichilton.co.uk/nfs/tcp_wrappers_&tcpwrappers-version;.tar.gz">
  <!ENTITY tcpwrappers-download-ftp  "ftp://ftp.porcupine.org/pub/security/tcp_wrappers_&tcpwrappers-version;.tar.gz">
  <!ENTITY tcpwrappers-md5           "e6fa25f71226d090f34de3f6b122fb5a">
  <!ENTITY tcpwrappers-size          "97 KB">
  <!ENTITY tcpwrappers-buildsize     "1.09 MB">
  <!ENTITY tcpwrappers-time          "0.03 SBU">
]>

<sect1 id="tcpwrappers" xreflabel="tcpwrappers-&tcpwrappers-version;">
<sect1info>
<othername>$LastChangedBy$</othername>
<date>$Date$</date>
</sect1info>
<?dbhtml filename="tcpwrappers.html"?>
<title>tcpwrappers-&tcpwrappers-version;</title>
<indexterm zone="tcpwrappers">
<primary sortas="a-Tcpwrappers">Tcpwrappers</primary></indexterm>

<sect2>
<title>Introduction to <application>tcpwrappers</application></title>

<para>The <application>tcpwrappers</application> package provides daemon 
wrapper programs that report the name of the client requesting network 
services and the requested service.</para> 

<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&tcpwrappers-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&tcpwrappers-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 Sum: &tcpwrappers-md5;</para></listitem>
<listitem><para>Download size: &tcpwrappers-size;</para></listitem>
<listitem><para>Estimated disk space required:
&tcpwrappers-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&tcpwrappers-time;</para></listitem></itemizedlist>
</sect3>

<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required Patch (Fixes some build issues and adds building of a 
shared library): <ulink 
url="&patch-root;/tcp_wrappers-&tcpwrappers-version;-shared_lib_plus_plus-1.patch"/>
</para></listitem>
</itemizedlist>
</sect3>

</sect2>

<sect2>
<title>Installation of <application>tcpwrappers</application></title>

<para>Install <application>tcpwrappers</application> with the following 
commands:</para>

<screen><userinput><command>patch -Np1 -i ../tcp_wrappers-&tcpwrappers-version;-shared_lib_plus_plus-1.patch &amp;&amp;
sed -i -e "s,^extern char \*malloc();,/* &amp; */," scaffold.c &amp;&amp;
make REAL_DAEMON_DIR=/usr/sbin STYLE=-DPROCESS_OPTIONS linux</command></userinput></screen>

<para>Now, as the root user:</para>

<screen><userinput role='root'><command>make install</command></userinput></screen>

</sect2>

<sect2>
<title>Command explanations</title>

<para><command>sed -i -e ... scaffold.c</command>: This command removes an 
obsolete C declaration which causes the build to fail if using 
<application><acronym>GCC</acronym>-3.4.x</application>.</para>

</sect2>

<sect2>
<title>Configuring <application>tcpwrappers</application></title>

<sect3 id="tcpwrappers-config"><title>Config files</title>
<para><filename>/etc/hosts.allow</filename> and 
<filename>/etc/hosts.deny</filename></para>
<indexterm zone="tcpwrappers tcpwrappers-config">
<primary sortas="e-etc-hosts.allow">/etc/hosts.allow</primary></indexterm>
<indexterm zone="tcpwrappers tcpwrappers-config">
<primary sortas="e-etc-hosts.deny">/etc/hosts.deny</primary></indexterm>

<para>File protections: the wrapper, all files used by the wrapper,
and all directories in the path leading to those files, should be
accessible but not writable for unprivileged users (mode 755 or mode
555). Do not install the wrapper set-uid.</para>

<para>As the root user, perform the following edits on the
<filename>/etc/inetd.conf</filename> configuration file:</para>
<indexterm zone="tcpwrappers tcpwrappers-config">
<primary sortas="e-etc-inetd.conf">/etc/inetd.conf</primary></indexterm>

<screen><userinput role='root'>finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd</userinput></screen>
<para>becomes:</para>
<screen><userinput role='root'>finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd</userinput></screen>

<note><para>The finger server is used as an example here.</para></note>

<para>Similar changes must be made if <application>xinetd</application> is 
used, with the emphasis being on calling <command>/usr/sbin/tcpd</command> 
instead of calling the service daemon directly, and passing the name of the 
service daemon to <command>tcpd</command>.</para>
<indexterm zone="tcpwrappers tcpwrappers-config">
<primary sortas="e-etc-xinetd.conf">/etc/xinetd.conf</primary></indexterm>
</sect3>

</sect2>

<sect2>
<title>Contents</title>

<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Library</segtitle>
<segtitle>Installed Directories</segtitle>

<seglistitem>
<seg>tcpd, tcpdchk, tcpdmatch, try-from and safe_finger</seg>
<seg>libwrap.[so,a]</seg>
<seg>None</seg>
</seglistitem>
</segmentedlist>

<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>

<varlistentry id="tcpd">
<term><command>tcpd</command></term>
<listitem><para>is the main access control daemon for all Internet services, 
which <command>inetd</command> or <command>xinetd</command> will run instead 
of running the requested service daemon.</para>
<indexterm zone="tcpwrappers tcpd">
<primary sortas="b-tcpd">tcpd</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="tcpdchk">
<term><command>tcpdchk</command></term>
<listitem><para>is a tool to examine a <command>tcpd</command> wrapper 
configuration and report problems with it.</para>
<indexterm zone="tcpwrappers tcpdchk">
<primary sortas="b-tcpdchk">tcpdchk</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="tcpdmatch">
<term><command>tcpdmatch</command></term>
<listitem><para>is used to predict how the <acronym>TCP</acronym> wrapper 
would handle a specific request for a service.</para>
<indexterm zone="tcpwrappers tcpdmatch">
<primary sortas="b-tcpdmatch">tcpdmatch</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="try-from">
<term><command>try-from</command></term>
<listitem><para>can be called via a remote shell command to find out if the 
host name and address are properly recognized.</para>
<indexterm zone="tcpwrappers try-from">
<primary sortas="b-try-from">try-from</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="safe_finger">
<term><command>safe_finger</command></term>
<listitem><para>is a wrapper for the <command>finger</command> utility, to 
provide automatic reverse name lookups.</para>
<indexterm zone="tcpwrappers safe_finger">
<primary sortas="b-safe_finger">safe_finger</primary>
</indexterm></listitem>
</varlistentry>

<varlistentry id="libwrap">
<term><filename class='libraryfile'>libwrap.[so,a]</filename></term>
<listitem><para>contains the <acronym>API</acronym> functions required by 
the <application>tcpwrappers</application> programs as well as other programs 
to become <quote><application>tcpwrappers</application>-aware</quote>.</para>
<indexterm zone="tcpwrappers libwrap">
<primary sortas="c-libwrap">libwrap.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
</variablelist>

</sect2>

</sect1>