Skip to main content

Host Security with TCP Wrappers and Systemd Sockets

Hands-On Lab

 

Photo of Kenny Armstrong

Kenny Armstrong

Linux Training Architect II in Content

Length

01:00:00

Difficulty

Beginner

A Linux system administrator is responsible for keeping their servers secure. There are a multitude of tools and software packages available to keep a networked Linux system safe from malicious intruders. In this hands-on lab, we will learn how to move away from always-on services to those that use systemd socket units. Socket units only provide access to a network service when an incoming connection requests it. To further enchance the security of the service, we will apply TCP wrappers to allow incoming connections to a specified service.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Host Security with TCP Wrappers and Systemd Sockets

Introduction

A Linux system administrator is responsible for keeping their servers secure. There are a multitude of tools and software packages available to keep a networked Linux system safe from malicious intruders. In this hands-on lab, we will learn how to move away from always-on services to those that use systemd socket units. Socket units only provide access to a network service when an incoming connection requests it. To further enchance the security of the service, we will apply TCP wrappers to allow incoming connections to a specified service.

Connecting to the Lab

  1. Open your terminal application, and run the following command. (Remember to replace <PUBLIC_IP> with the public IP you were provided on the lab instructions page.)
    ssh cloud_user@<PUBLIC_IP>
  2. Enter your password at the prompt.

Configure sshd to use Sockets

  1. Verify that the sshd.socket unit is not active.
    systemctl status sshd.socket
  2. Set up an at job that stops the sshd.service unit and starts sshd.socket.
    sudo at now + 3 minutes
  3. Enter your password at the prompt.
  4. Add the following:
    at> systemctl stop sshd.service
    at> systemctl start sshd.socket
  5. Press Ctrl + D to end the at job configuration.
  6. Verify that the sshd.socket unit is active and running.
    systemctl status sshd.socket
  7. Enable the socket for SSH and disable the service for SSH.
    sudo systemctl enable sshd.socket
    sudo systemctl disable sshd.service

Set Up TCP Wrappers to Only Allow SSH

  1. Verify that the sshd server has been compiled to use TCP wrappers.
    ldd /usr/sbin/sshd | grep libwrap
  2. Edit the /etc/hosts.allow file.
    sudo vim /etc/hosts.allow
  3. Add the following line to the file:
    sshd2 sshd : ALL
  4. Edit the /etc/hosts.deny file.
    sudo vim /etc/hosts.deny
  5. Add the following line to the file:
    ALL : ALL
  6. Exit the SSH session.
    exit
  7. Reconnect to the secure shell session.
    ssh cloud_user@<PUBLIC_IP>
  8. Enter your password at the prompt.

Conclusion

Congratulations, you've successfully completed this hands-on lab!