Transmission Control Protocol (TCP) Wrappers provide enhanced security for services spawned by inetd. TCP Wrappers are an alternative to using /etc/inetd.sec. TCP Wrappers provide protection against host name and host address spoofing. Spoofing is a method of pretending to be a valid user or host to gain unauthorized access to a system.
To prevent spoofing, TCP Wrappers use Access Control Lists (ACLs). The ACLs are lists of systems in the /etc/hosts.allow and /etc/hosts.deny files. TCP Wrappers provide some protection against IP spoofing when configured to verify the host name to IP address mapping and to reject packets with IP source routing. However, TCP Wrappers do not provide cryptographic authentication or data encryption. As with inetd, information is passed in clear text.
TCP Wrappers are part of the HP-UX Internet Services software. For more information, see the HP-UX Internet Services Administrator's Guide at http://www.docs.hp.com/en/netcom.html#Internet%20Services and the following manpages: tcpd(1M), tcpdmatch(1), tcpdchk(1), tcpd.conf(4), hosts_access(3), hosts_access(5), and hosts_options(5).
When you enable TCP Wrappers, inetd runs the TCP Wrapper daemon, tcpd, instead of running the requested service directly. TCP Wrappers work as follows:

1. Clients send connection requests to inetd as they normally do, for example, a telnet request.
2. Instead of invoking the server process, inetd calls the TCP Wrapper daemon (tcpd).
3. The TCP Wrapper daemon determines the validity of the client's connection request. The tcpd daemon logs the request and checks the access control files (/etc/hosts.allow and /etc/hosts.deny).
4. If the client is valid, tcpd calls the appropriate server process.
5. The server process handles the client's request; for example, the telnet connection completes.
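As an added illustration of the evaluation order described above (this is example code written for this page, not HP-UX's tcpd or any part of the Internet Services software), the following Python models how tcpd consults /etc/hosts.allow and then /etc/hosts.deny for a (daemon, client) pair. The two ACL files and the client names and addresses are constructed sample data. The matcher supports the ALL, LOCAL, KNOWN and UNKNOWN wildcards, domain-suffix, address-prefix and net/mask patterns and the EXCEPT operator from hosts_access(5), and treats any further fields as hosts_options(5) options, which it reports but does not execute; the shell_command form of the third field, daemon@host patterns and IPv6 addresses are not modeled. On a real system, tcpdmatch(1) and tcpdchk(1) are the tools for checking the installed files.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample ACLs (not from the page), in hosts_access(5)/hosts_options(5) syntax.
# tcpd order: first match in hosts.allow grants access (or refuses it when the rule
# ends with the "deny" option); otherwise first match in hosts.deny refuses; otherwise
# access is granted.
HOSTS_ALLOW = """\
# daemon_list : client_list [ : option ... ]
telnetd : LOCAL, .corp.example.com EXCEPT untrusted.corp.example.com
ftpd    : 192.0.2.0/255.255.255.0 : banners /etc/banners
ALL     : 198.51.100. : deny
"""

HOSTS_DENY = """\
ALL : ALL
"""


@dataclass
class Rule:
    daemons: str                       # raw daemon_list, e.g. "ALL EXCEPT ftpd"
    clients: str                       # raw client_list, e.g. "LOCAL, .corp.example.com"
    options: list = field(default_factory=list)


def parse_rules(text):
    """Parse an access-control file: one 'daemons : clients [: option ...]' rule per line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        rules.append(Rule(fields[0], fields[1], fields[2:]))
    return rules


def match_token(pattern, hostname, ip):
    """Match one client pattern against a client's (possibly unknown) hostname and IPv4 address."""
    pattern = pattern.strip()
    host = (hostname or "").lower()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # a hostname without a dot
        return bool(host) and "." not in host
    if pattern == "KNOWN":                      # reverse lookup succeeded
        return bool(host)
    if pattern == "UNKNOWN":                    # reverse lookup failed
        return not host
    if pattern.startswith("."):                 # domain suffix, e.g. ".corp.example.com"
        return host.endswith(pattern.lower())
    if pattern.endswith("."):                   # address prefix, e.g. "198.51.100."
        return ip.startswith(pattern)
    if "/" in pattern:                          # net/mask, e.g. "192.0.2.0/255.255.255.0"
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network("%s/%s" % (net, mask), strict=False)
        return ipaddress.IPv4Address(ip) in network
    return pattern.lower() == host or pattern == ip   # exact host name or address


def match_list(client_list, hostname, ip):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not (EXCEPT nests to the right)."""
    if " EXCEPT " in client_list:
        included, excluded = client_list.split(" EXCEPT ", 1)
        return match_list(included, hostname, ip) and not match_list(excluded, hostname, ip)
    return any(match_token(tok, hostname, ip) for tok in client_list.replace(",", " ").split())


def match_daemons(daemon_list, daemon):
    """Daemon lists use the same ALL wildcard and EXCEPT operator, with plain daemon names as tokens."""
    if " EXCEPT " in daemon_list:
        included, excluded = daemon_list.split(" EXCEPT ", 1)
        return match_daemons(included, daemon) and not match_daemons(excluded, daemon)
    return any(tok in ("ALL", daemon) for tok in daemon_list.replace(",", " ").split())


def hosts_access(daemon, hostname, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (decision, options) following tcpd's order: hosts.allow, then hosts.deny, then default allow."""
    for rule in parse_rules(allow_text):
        if match_daemons(rule.daemons, daemon) and match_list(rule.clients, hostname, ip):
            # A trailing "deny" option turns an allow-file match into a refusal (hosts_options(5)).
            verdict = "deny" if rule.options and rule.options[-1] == "deny" else "allow"
            return verdict, rule.options
    for rule in parse_rules(deny_text):
        if match_daemons(rule.daemons, daemon) and match_list(rule.clients, hostname, ip):
            verdict = "allow" if rule.options and rule.options[-1] == "allow" else "deny"
            return verdict, rule.options
    return "allow", []   # no rule matched in either file: tcpd grants access


if __name__ == "__main__":
    # Constructed clients: (daemon, hostname or None when the reverse lookup failed, address)
    for client in [("telnetd", "hrworkstation", "10.0.0.5"),
                   ("telnetd", "untrusted.corp.example.com", "10.0.0.6"),
                   ("ftpd", None, "192.0.2.77"),
                   ("ftpd", "host9.example.net", "198.51.100.9")]:
        print(client, "->", hosts_access(*client))
```

The last return line is the point worth remembering: with an empty or absent /etc/hosts.deny, tcpd's default is to grant access, so a catch-all "ALL : ALL" entry in /etc/hosts.deny is what turns the configuration into default-deny, with /etc/hosts.allow then listing only the exceptions.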
Additional Features of TCP Wrappers
You can also define configuration parameters in the /etc/tcpd.conf configuration file, such as logging behavior, user name lookups, and reverse lookup failure behavior. The tcpd daemon reads this configuration file for its parameters at run time.

You can configure the /etc/hosts.allow and /etc/hosts.deny files for other security features, such as trap setting and banner messages. The trap setting feature of TCP Wrappers enables you to trigger an appropriate action on the host depending on the number of denied connection attempts from a remote host. The banner message feature causes a message to be sent to the client when the ACL rule for it is included in an access control file.
TCP Wrappers Do Not Work with RPC Services
TCP Wrappers do not work with remote procedure call (RPC) services over TCP. These services are registered as rpc/tcp in the /etc/inetd.conf file. The only important service affected by this limitation is rexd, used by the on command.