Sun and Oracle Community Voices How to Buy Log In United States [Change] English

BigAdmin System Administration Portal
Community-Submitted Tech Tip
Print-friendly VersionPrint-friendly Version
This content is submitted by a BigAdmin user. It has not been reviewed for technical accuracy by Sun Microsystems, though it may have been lightly edited to improve readability. If you find an error or would like to comment on the article, please contact the submitter or use the comment field at the bottom of the article. Community submissions may not follow Sun trademark guidelines. For information on Sun trademarks, please see http://www.sun.com/suntrademarks/.
 
 

Configuring TCP Wrappers for the Solaris Operating System

Sivakanth Mundru, August, 2004

Last Updated September 07, 2004


Introduction

TCP Wrappers are used by Open Systems Administrators for two important features:

  1. Provide access control to a host and service depending on the origin of the request.
  2. Log both successful and unsuccessful connections to that host.

These instructions apply for the Solaris OS, versions 7, 8, and 9. The Solaris 8 OS doesn't have TCP wrappers built into the OS, while the Solaris 9 OS does; however, the procedure is applicable to both these versions of the OS. You would need a compiler to configure TCP Wrappers on your host. I have used gcc.

The Solaris 7 OS doesn't have IPV6 support. IPV6 support was first introduced in the Solaris 8 OS. Steps for the different versions of the Solaris OS are given below.


Where to Download TCP Wrappers

You can find TCP Wrappers at the site hosting Wietse's tools and papers:

ftp://ftp.porcupine.org/pub/security/index.html

For Solaris 7: Click on the link TCP Wrapper (tcp_wrappers_7.6.tar.gz)

For Solaris 8/9: Click on the link IPV6 version by Casper Dik (tcp_wrappers_7.6-ipv6.4.tar.gz)

If you install the first version listed above on a system running the Solaris OS, versions 8 or 9, you won't be able to log the request's address.

For example, you might see something like: 

Jun 06 14:13:05 hydra in.telnetd[941]: connect from 0.0.0.0

Download the tar.gz file into some directory of your preference, like /var/tmp/tcpd: 

# mkdir /var/tmp/tcpd

Unzip, Untar, and Compile
# cd /var/tmp/tcpd; gunzip tcp_wrappers*.tar.gz; tar -xvf tcp_wrappers*.tar;

# cd tcp_wrappers*

We need to make some changes to the make file: 

vi Makefile

Look for the lines: 

# SysV.4 Solaris 2.x OSF AIX
#REAL_DAEMON_DIR=/usr/sbin

Uncomment the second line to look like: 

REAL_DAEMON_DIR=/usr/sbin

Then look for the lines: 

# SunOS 5.x is another SYSV4 variant.
sunos5:
       @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
       LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
       NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
       BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all

Change the fourth of these lines to read: 

       LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv CC=gcc VSYSLOG= \

Then look for lines to enable IPV6 support in the Solaris 8 OS and above. (Failure to do this will result in 0.0.0.0 as the log address.) 

# If your system has IPv6 and supports getipnode* and inet_pton/inet_ntop
# comment out the following (Solaris 8 or above)
    
#IPV6 = -DHAVE_IPV6

Remove the comment (#) sign from the last of these lines, so that it reads: 

IPV6 = -DHAVE_IPV6

You might also want to edit the LOG LEVEL and LOG FACILITY values. They are set to a default of LOG_MAIL and LOG_INFO. For possible values, look at /usr/include/sys/syslog.h file and change as per your requirements.

Finally, compile the source code after determining your OS version and revision using uname -sr: 

# make sunos5

Configuring the inetd.conf File

Look for these lines: 

# cp -p /var/tmp/tcpd/tcpd /usr/sbin;

# cp -p /etc/inetd.conf /etc/inetd.conf.orig

# cd /etc;

Edit the /etc/inetd.conf file, replacing the service daemon with /usr/sbin/tcpd. For example, the line: 

telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd

should now read: 

telnet  stream  tcp6    nowait  root    /usr/sbin/tcpd    in.telnetd

Similarly, make changes to all the services you want. Save your changes and exit out of vi.

Send a HUP to inetd to re-read the configuration file. 

# pkill -HUP inetd

If you are using the Solaris 7 OS, the protocol field in inetd.conf may be just tcp and not tcp6.


Testing What You Have Done

Send a HUP to syslog if you have changed the facility and level when compiling the TCP wrappers.

Add the corresponding lines to syslog.conf: 

# pkill -HUP syslogd

# tail -f /var/log/syslog

Telnet into the machine running the Solaris OS from another host, and you should see something like: 

Jul 14 10:12:02 hydra in.telnetd[294]: connect from gizmo

Creating Your Access Control Files

Create your access control files /etc/hosts.deny and /etc/hosts.allow to deny or allow access to the host.

Syntax for both the files is: 

service-list: host-list

service-list is a comma-separated list of services as listed in the last field of entries in /etc/inetd.conf, and host-list is a comma-separated list of host names, domain names, or IP addresses. A host name or IP address matches an individual host, and a domain name starting with a dot matches all hosts within that domain.

Example: 

in.ftpd,in.telnetd: 192.168.1.10, .test.sun.com

ALL is a keyword that would match any host on the net.

To get the best out of TCP Wrappers, create /etc/hosts.deny with ALL:ALL so that everyone else is denied. Add the services to be accessible and the corresponding hosts, domains, or networks that can access these services.


Configuring OpenSSH With TCP Wrapper Support

You will need libwrap.a and tcpd.h if you want to compile OpenSSH with TCP Wrapper support. Copy these files to a different location if you want to clean up /var/tmp/tcpd.

Addendum/Comments
Commentor: Casper Dik
Added: September 7, 2004
Comment:
It is rather pointless to install TCP wrappers for Solaris 9 and later as the version included in the OS is exactly the same as the one available on porcupine. That version has also been reved twice because of bugs we ran into. Solaris 9 SSH already has libwrap support compiled on. In S10 and later we also provide rpcbind linked with libwrap.
 
 

 

The information and links on this page have been provided by a BigAdmin user. The submitter is solely responsible for such information and links. Sun is not responsible for the availability of external sites or resources, and does not endorse and is not responsible or liable for any content, advertising, products, or other materials on or available from such sites or resources. Sun will not be responsible or liable, directly or indirectly, for any actual or alleged damage or loss caused by or in connection with use of or reliance on the information posted here, or goods or services available on or through any external site or resource.


 BigAdmin
  
»  Search the HCL
 
BigAdmin Subscriptions
»   BigAdmin Newsletter
»   BigAdmin Blog
»   BigAdmin Wiki
»   RSS Feeds
Training and Certification
BigAdmin Areas
»   All Topics/Sections
»   Articles and FAQs
»   Blogs and Wikis
»   Discussions
»   Documentation
»   Features
»   From The Forums
»   HCL
»   Multilingual
»   Patches
»   Products and Tech
»   Resources
»   Scripts
»   Software/Tools
»   Solaris 10 Apps
»   ShellCmds
»   Submit Content
»   Suggestions
»   SysAdmin Jobs
»   SysAdmin Topics
»   Tech Tips
»   Videos
»   XPerts
BigAdmin Sun Center
»   Register Your System
»   Solaris Developer Center
»   Sun BluePrints
»   Support Center
»  Sun Doc Highlights
»  Sun Tech Days
»   Sun Advisory Panel for System Admins
BigAdmin Topics
»   DST
»   DTrace
»   Interoperability
»   Networking
»   Predictive Self-Healing
»   ZFS
»  Zones