2.11 Configure TCP Wrappers - svcprop tcp_wrappers true

Information

TCP Wrappers is a host-based access control system that allows administrators to control
who has access to various network services based on the IP address of the remote end of
the connection. TCP Wrappers also provide logging information via syslog about both
successful and unsuccessful connections.

TCP Wrappers provides granular control over what services can be accessed over the
network. Its logs show attempted access to services from non-authorized systems, which
can help identify unauthorized access attempts.

Solution

To enable TCP Wrappers, run the following commands-1. Create and customize your policy in /etc/hosts.allow-# echo 'ALL- <net>/<mask>, <net/<mask>, ' > /etc/hosts.allow
where each <net>/<mask> combination (for example, the Class C address block
'192.168.1.0/255.255.255.0') can represent one network block in use by your
organization that requires access to this system.2. Create a default deny policy in /etc/hosts.deny-# echo 'ALL- ALL' >/etc/hosts.deny3. Enable TCP Wrappers for all services started by inetd-# inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command-# inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands-# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bindThe versions of SSH and sendmail that ship with Solaris 11 will automatically use
TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect
UDP and RPC-based services that are spawned from inetd, consider implementing a
host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information.

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: bc1103cd21715ef3e164934dd26f112047eec180bb9a4c0301b23d9b4ed872b4