TCP Wrappers
{{Short description|Access control list software}}
__NOTOC__
{{Infobox software
| name = TCP Wrapper
| logo =
| caption =
| screenshot =
| developer = [[Wietse Venema]]
| latest_release_version = 7.6 (April 08, 1997)
| operating_system = [[Unix-like]]
| genre = Security
| license = [[BSD licenses|BSD license]]
| website = [http://ftp.porcupine.org/pub/security/index.html porcupine.org]
}}
'''TCP Wrappers''' (also known as '''tcp_wrappers''') is a host-based networking [[Access control list|ACL]] system, used to [[Filter (software)|filter]] network access to [[Internet protocol suite|Internet Protocol]] servers on ([[Unix-like]]) [[operating system]]s such as [[Linux]] or [[Berkeley Software Distribution|BSD]]. It allows host or [[subnetwork]] [[IP address]]es, [[Hostname|names]] and/or [[ident protocol|ident]] query replies, to be used as tokens on which to filter for [[access control]] purposes.

The original code was written by [[Wietse Venema]] in 1990 to monitor a cracker's activities on the [[Unix]] workstations at the Department of Math and Computer Science at the [[Eindhoven University of Technology]].<ref>[http://ftp.porcupine.org/pub/security/tcp_wrapper.pdf ''TCP WRAPPER - Network monitoring, access control, and booby traps.'' by Wietse Venema (USENIX UNIX Security Symposium III, 1992)]</ref> He maintained it until 1995, and on June 1, 2001, released it under its own [[BSD License|BSD-style license]].

The [[tar (file format)|tar]]ball includes a [[Library (computer science)|library]] named '''libwrap''' that implements the actual functionality. Initially, only services that were spawned for each connection from a [[super-server]] (such as [[inetd]]) got ''wrapped'', utilizing the '''tcpd''' program. However, most common network service [[Daemon (computer software)|daemons]] today can be [[Linker (computing)|linked]] against libwrap directly.
This is used by daemons that operate without being spawned from a super-server, or when a single process handles multiple connections. Otherwise, only the first connection attempt would get checked against its ACLs.

When compared to host access control directives often found in daemons' configuration files, TCP Wrappers have the benefit of [[Run time (program lifecycle phase)|runtime]] ACL reconfiguration (i.e., services don't have to be reloaded or restarted) and a generic approach to network administration. This makes it easy to use for anti-[[Worm (computing)|worm]] scripts, such as [[DenyHosts]] or [[Fail2ban]], to add and expire client-blocking rules, when excessive connections and/or many failed login attempts are encountered.

While originally written to protect [[Transmission Control Protocol|TCP]] and [[User Datagram Protocol|UDP]] accepting services, examples of usage to filter on certain [[Internet Control Message Protocol|ICMP]] packets exist too, such as 'pingd' – the [[userspace]] [[Ping (networking utility)|ping]] request responder.<ref>[http://phrack.org/issues/52/7.html#article GNU/Linux Ping Daemon] by route|daemon9 - Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 07</ref>

==1999 Trojan==
In January 1999, the distribution package at [[Eindhoven University of Technology]] (the primary distribution site until that day) was replaced by a modified version. The replacement contained a trojaned version of the software that would allow the intruder access to any server that it was installed on.
The author spotted this within hours, upon which he relocated the primary distribution to his personal site.<ref>{{cite web |title=CERT Advisory CA-1999-01 Trojan horse version of TCP Wrappers |url=https://resources.sei.cmu.edu/asset_files/WhitePaper/1999_019_001_496184.pdf#page=5 |website=Carnegie Mellon University Software Engineering Institute |archive-url=https://web.archive.org/web/20001017170613/http://www.cert.org/advisories/CA-1999-01.html |archive-date=2000-10-17 |access-date=15 September 2019 |url-status=live}}</ref><ref>{{cite web |title=CERT Advisory CA-1999-02 Trojan Horses |url=https://resources.sei.cmu.edu/asset_files/WhitePaper/1999_019_001_496184.pdf#page=14 |website=Carnegie Mellon University Software Engineering Institute |archive-url=https://web.archive.org/web/20001017172300/http://www.cert.org/advisories/CA-1999-02.html |archive-date=2000-10-17 |access-date=15 September 2019 |url-status=live}}</ref><ref>[http://seclists.org/bugtraq/1999/Jan/0257.html ''backdoored tcp wrapper source code'', by Wietse Venema], on [[Bugtraq]], Jan 21, 1999</ref><ref>[http://seclists.org/bugtraq/1999/Jan/0314.html ''Announcement: Wietse's FTP site has moved'', by Wietse Venema], on [[Bugtraq]], Jan 21, 1999</ref>

==See also==
*[[DNSBL|DNS-based blackhole list]]
*[[Forward-confirmed reverse DNS]]
*[[Firewall (networking)|Firewall]]
*[[IP blocking]]
*[[Nullroute]]
{{Portal|Free and open-source software }}

==References==
{{reflist}}

==External links==
*[https://ftp.osuosl.org/pub/blfs/conglomeration/tcp_wrappers/ TCP Wrappers source code]
*[http://www.softpanorama.org/Net/Network_security/TCP_wrappers/index.shtml Softpanorama TCP Wrappers Information]

{{DEFAULTSORT:Tcp Wrapper}}
[[Category:Unix network-related software]]
[[Category:BSD software]]
[[Category:Free security software]]
[[Category:Transmission Control Protocol|Wrapper]]
[[Category:Internet Protocol based network software]]
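
The runtime ACL reconfiguration described in the article, where a script adds and later expires client-blocking rules without restarting the service, can be modelled in a few lines. This is an added example, not code from TCP Wrappers, DenyHosts or Fail2ban: it assumes the hosts.allow and hosts.deny files that libwrap consults, implements only a simplified subset of their pattern syntax, and the `# autoblock expires=` marker and all addresses are constructed for the illustration.

```python
import os
import pathlib
import tempfile

def _hit_any(field, value):
    """Simplified subset: ALL wildcard, exact match, 'a.b.c.' address prefix."""
    return any(p in ("ALL", value) or (p.endswith(".") and value.startswith(p))
               for p in field.replace(",", " ").split())

def _matches(path, daemon, addr):
    """True if any 'daemon_list : client_list' line in the file matches."""
    with open(path) as fh:
        rules = [ln.split(":")[:2] for ln in fh if ":" in ln and not ln.startswith("#")]
    return any(_hit_any(ds, daemon) and _hit_any(cs, addr) for ds, cs in rules)

def access_granted(daemon, addr, allow_path, deny_path):
    """Allow file first, then deny file, else grant; files are re-read per call."""
    return _matches(allow_path, daemon, addr) or not _matches(deny_path, daemon, addr)

def block(deny_path, daemon, addr, expires_at):
    """Append a deny rule under this example's own expiry marker comment."""
    with open(deny_path, "a") as fh:
        fh.write(f"# autoblock expires={expires_at}\n{daemon} : {addr}\n")

def expire(deny_path, now):
    """Remove auto-added rules whose expiry has passed; keep all other lines."""
    kept, drop_rule = [], False
    with open(deny_path) as fh:
        for line in fh:
            expired = (line.startswith("# autoblock expires=")
                       and int(line.split("=")[1]) <= now)
            if not (expired or drop_rule):
                kept.append(line)
            drop_rule = expired
    with open(f"{deny_path}.tmp", "w") as fh:
        fh.writelines(kept)
    os.replace(f"{deny_path}.tmp", deny_path)  # atomic swap, never a partial file

def demo(now=1000):
    """Constructed scenario: block 203.0.113.9 for sshd, then let it expire."""
    d = pathlib.Path(tempfile.mkdtemp())
    allow, deny = d / "hosts.allow", d / "hosts.deny"
    allow.write_text("sshd : 192.0.2.\n")
    deny.write_text("ALL : 198.51.100.7\n")
    before = access_granted("sshd", "203.0.113.9", allow, deny)
    block(deny, "sshd", "203.0.113.9", now + 600)
    during = access_granted("sshd", "203.0.113.9", allow, deny)
    expire(deny, now + 601)
    return [before, during, access_granted("sshd", "203.0.113.9", allow, deny)]
```

Because the rule files are read again for each check, the client is refused as soon as the rule is appended and admitted again once `expire` rewrites the file, with no reload of the service in between.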