Details
TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections.
TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts.
Solution
To enable TCP Wrappers, run the following commands:
1. Create and customize your policy in /etc/hosts.allow:
# echo “ALL:
where each
2. Create a default deny policy in /etc/hosts.deny:
# echo “ALL: ALL” >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE
To protect only specific inetd services, use the command:
# inetadm -m [FMRI] tcp_wrappers=TRUE
To enable TCP Wrappers for the RPC port mapping service, use the commands:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.