tcp-wrapper-multiplexer

A multiplexer to allow for multiple TCP wrapper filters to be executed in sequence.


Overview

This is a TCP wrapper which acts as a multiplexer allowing multiple TCP Wrapper filters to be executed in sequence.

Unlike our specific filters, this wrapper does not provide any logic for allowing or denying connections itself; it simply bubbles up the allow/deny decision from the filters it calls.

It calls each filter in turn and only progresses to the next if the current filter does not deny the connection. The first deny stops the chain and is returned immediately. If all filters have run and none has denied, it returns an implicit allow. This follows the same logic as the individual filters.

Security

The use of TCP wrappers does not eliminate the need for a properly configured firewall. This script should be seen as part of your security solution, not the whole of it.

Prerequisites

Although there are no specific prerequisites, the wrapper will do nothing unless you install one of our TCP Wrapper filters.

Install the multiplexer

Copy the script to /usr/local/sbin/multiplexer (and ensure that it is executable [chmod +x]).

Out of the box the FILTERS list is empty, so at this point the script runs no filters and always returns 0 (allow the connection), since no filter is present to deny it. Do not deploy it in this state on a host you want protected; add at least one filter first.

Adding filters

To add filters to the list, add them to the FILTERS variable. This is a space (or comma) separated list of filter names. The filter name is the name of the executable as defined in the filter documentation, e.g. asn-filter or country-filter. Each name is prefixed with FILTER_PATH so the filter is located correctly; make sure FILTER_PATH matches the directory the filters were installed into.

You can add as many filters as you wish and they are run IN ORDER, so put the cheapest or most decisive filter first.
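The following is an added illustration of the loop described in the Overview and of the FILTER_PATH/FILTERS convention above; it is example code written for this page, not the project's own multiplexer script. It assumes the contract the filters share with aclexec: each filter is an executable under FILTER_PATH, receives the client address as its first argument, and exits 0 to allow or non-zero to deny. The make_demo_filters helper and the behaviour for a missing filter (treated as a deny so a typo in FILTERS cannot silently open the port) are assumptions made for this example.

```shell
#!/bin/sh
# Example multiplexer logic (added illustration, not the project's script).
# Contract assumed for every filter: invoked as "<filter> <client-ip>",
# exit 0 = allow, non-zero = deny (same as aclexec expects from us).

FILTER_PATH="${FILTER_PATH:-/usr/local/sbin}"
FILTERS="${FILTERS:-}"      # space- or comma-separated, e.g. "country-filter asn-filter"

# run_filters IP
# Runs every filter named in FILTERS, in order, stopping at the first deny.
# Returns 0 (allow) only if no filter denied; returns 1 (deny) otherwise.
run_filters() {
    ip="$1"
    # Accept commas as well as spaces as separators.
    for name in $(printf '%s' "$FILTERS" | tr ',' ' '); do
        filter="$FILTER_PATH/$name"
        if [ ! -x "$filter" ]; then
            # Assumption for this example: fail closed on a misconfigured filter name.
            echo "multiplexer: filter '$filter' missing or not executable, denying" >&2
            return 1
        fi
        if ! "$filter" "$ip"; then
            # First deny wins; later filters are never consulted.
            return 1
        fi
    done
    # Every filter allowed (or the list was empty): implicit allow.
    return 0
}

# make_demo_filters
# Constructed offline fixtures, not real filters: creates a temporary directory
# holding allow-filter (always exit 0) and deny-filter (always exit 1). Each stub
# drops a marker file so a caller can see which filters actually ran.
# Prints the directory path.
make_demo_filters() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\ntouch "%s/allow-ran"\nexit 0\n' "$dir" > "$dir/allow-filter"
    printf '#!/bin/sh\ntouch "%s/deny-ran"\nexit 1\n' "$dir" > "$dir/deny-filter"
    chmod +x "$dir/allow-filter" "$dir/deny-filter"
    printf '%s\n' "$dir"
}

# When invoked from hosts.allow as "aclexec /path/to/script %a", $1 is the
# client address; the script's exit status becomes the allow/deny decision.
if [ $# -gt 0 ]; then
    run_filters "$1"
    exit $?
fi
```

To try it without touching hosts.allow: `FILTER_PATH=$(sh -c '. ./multiplexer.sh; make_demo_filters') FILTERS="deny-filter allow-filter" sh ./multiplexer.sh 203.0.113.7; echo $?` prints 1, and the allow-ran marker is never created because the chain stopped at the first deny.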

Process Ordering

In Linux/Unix based systems the processing order for TCP wrappers is as follows:

  1. hosts.allow
  2. hosts.deny

This means that anything not matched (allowed or denied) by hosts.allow falls through to hosts.deny. A connection that matches neither file is allowed, which is why hosts.deny should carry an explicit catch-all deny.

/etc/hosts.allow

The following configuration tells the system to pass the address of every incoming ssh connection to the multiplexer, which in turn runs the configured filters (for example country-filter). The exit status of the multiplexer specifies the action to be taken:

  1. 0 = Success - allow the connection.
  2. Non-zero (the filters use 1) = Failure - deny the connection.
sshd: ALL: aclexec /usr/local/sbin/multiplexer %a

aclexec tells the system to execute the given command in a child process and to allow or deny the connection according to its exit status; %a is replaced by the client's IP address before the command runs.

/etc/hosts.deny

The following configuration will tell the system to deny all ssh connections.

sshd: ALL

This rule should never be reached, because every ssh connection is already allowed or denied by the multiplexer in hosts.allow, but as with all security configurations defence in depth is key and a safe fallback position is preferable. It also ensures that connections are denied rather than allowed if the multiplexer line is ever removed or mistyped.

TCP Filters

We provide a number of different TCP Wrapper filters, all of which will work with this multiplexer.