How to deny client access using domain in TCP Wrapper?

Latest response

I appreciate if someone can help me out with TCP Wrapper.

I want to deny all client access from .ywlocal.net domain to vsftpd server.

My environment is below. I use RHEL 7.3.

role hostname ip address
vsftpd server server1 192.168.11.16
ftp client tester1 192.168.11.17

As the document describes, I have defined the /etc/hosts.deny file on the ftp server (vsftpd) side as below.

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
#vsftpd : ALL EXCEPT 192.168.11.
vsftpd : .ywlocal.net

I also have my /etc/hosts as below

[root@server1 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.11.17 tester1 tester1.ywlocal.net

I have opened firewall port as well.

[root@server1 ~]# firewall-cmd --list-rich-rule
rule family="ipv4" port port="21" protocol="tcp" accept
rule family="ipv4" port port="10000-10001" protocol="tcp" accept

However, I still can access vsftpd server from client side .

[ywatanabe@tester1 ~]$ lftp 192.168.11.16
lftp 192.168.11.16:~> ls              
drwxr-xr-x    2 0        0               6 Jun 23  2016 pub
lftp 192.168.11.16:/> 

How can I deny client access using domain?

Responses

Is there deny rule defined in your firewall? If you wish to restrict access to a service using tcpwrappers then best way is to deny everyone and allow access to only domain to whichever is required. If I wish to block vsftpd service access to domain1.example.com and allow allow rest then I would add "vsftpd: ALL" into /etc/hosts.deny and "vsftpd: ALL EXCEPT 192.168.11." (as in your case) into /etc/hosts.allow files. This should work. However, this could be best achieved using firewall which is the recommended way.

You should note that domain-based access control only works if the server can successfully resolve the client hostname from the IP address. A reverse DNS lookup returns the fully-qualified domain name, but if the hostname gets resolved from /etc/hosts, the lookup result will be the first name on the line with the client's IP address.

I see you've added this line to your /etc/hosts:

192.168.11.17 tester1 tester1.ywlocal.net

The problem here is that it says the system's canonical, primary name is "tester1", and "tester1.ywlocal.net" is just an alias for it. The ordering of names on the /etc/hosts line is important.

Make the fully-qualified name be the first on the line, and then tcpwrappers should work as you expect:

192.168.11.17 tester1.ywlocal.net tester1
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.