4/19/2010

TCP Wrapper that ALWAYS logs denials

While teaching a class this week, one of my students noticed that the vsftpd service was being denied by his TCP Wrapper rules in /etc/hosts.allow and /etc/hosts.deny, but that nothing was being logged to /var/log/messages. He then asked me if there was still a way for the TCP Wrapper to start a process as an option. I told him about both the spawn and twist options, and referred him to the hosts_access and hosts_options man pages. After a little experimenting, we came up with the solution that all allow rules should be in /etc/hosts.allow and that /etc/hosts.deny should look something like this:

ALL:ALL:spawn (logger TCP wrapper in /etc/hosts.deny denied %c access to %d)

With this rule, anything that gets denied is logged: spawn starts the logger process in a subshell (hence the parentheses), and the message reports the client (%c) that attempted to connect and the daemon (%d) it tried to reach. Now, whenever a denial is suspected, /var/log/messages can be checked for a 'TCP wrapper' message.
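As an added example, not part of the original post, here is a small shell script that reads the messages produced by a rule like the one above and summarises the denials per client and daemon, so a quick check of who is being refused, and for which service, does not require reading the whole log. The log lines inside it are constructed to match the format logger(1) writes for that rule; the hostnames, addresses, daemon names and timestamps are made up, and the parser assumes %c expanded to a bare address or hostname (tcpd may also expand it to user@host, which simply becomes a longer client field).

```shell
#!/bin/sh
# Added example: summarise TCP Wrapper denials written by a hosts.deny spawn rule.
# Constructed sample log lines (not real hosts); the unrelated sshd line shows
# that only the denial messages are picked up.
SAMPLE_LOG='Apr 19 10:01:12 server1 root: TCP wrapper in /etc/hosts.deny denied 192.0.2.10 access to vsftpd
Apr 19 10:01:15 server1 root: TCP wrapper in /etc/hosts.deny denied 192.0.2.10 access to vsftpd
Apr 19 10:02:40 server1 root: TCP wrapper in /etc/hosts.deny denied 198.51.100.7 access to sshd
Apr 19 10:03:01 server1 sshd[2211]: Accepted publickey for admin from 203.0.113.5 port 51022 ssh2
Apr 19 10:03:09 server1 root: TCP wrapper in /etc/hosts.deny denied 198.51.100.7 access to vsftpd'

# Read a log on stdin and print one line per (client, daemon) pair:
#   "<client> <daemon> <count>", highest count first.
# Fields are located relative to the word "denied", so the syslog prefix
# (timestamp, host, logger tag) can vary without breaking the parse.
summarize_denials() {
    grep 'TCP wrapper in /etc/hosts.deny denied' |
    awk '{
            for (i = 1; i <= NF; i++)
                if ($i == "denied") { key = $(i + 1) " " $(i + 4); n[key]++ }
         }
         END { for (k in n) print k, n[k] }' |
    sort -k3,3nr -k1,1 -k2,2
}

# Read a log on stdin and print how many distinct clients were denied
# access to the daemon named in $1 (0 when none).
clients_denied_for() {
    daemon="$1"
    summarize_denials | awk -v d="$daemon" '$2 == d { c++ } END { print c + 0 }'
}

# Usage: run with --live to read the real log, otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
    summarize_denials < /var/log/messages
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_denials
fi
```

Run as `./wrapper_denials.sh --live` (an assumed file name) on a host using the rule above to see the current totals; on the sample it reports that 192.0.2.10 was refused vsftpd twice and 198.51.100.7 was refused both sshd and vsftpd once each.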

1 comment:

Keith Wright said...

To avoid problems with SELinux stopping spawn from starting a new shell, remove the parentheses around the logger command.

About Me - WrightRocket


I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.