Using TCP wrappers with SafeTP

This page describes how to set up TCP wrappers (tcpd) to limit access to the raw ftpd server. Most Unix systems come with tcpd installed, but you can also get it from Wietse Venema's site.


Since the SafeTP server daemon (sftpd) is usually configured to listen to port 21, the default FTP port, it is expected to handle all incoming FTP connections. However, the ordinary FTP server (ftpd) is simply moved to port 351, and is still accessible there.

inetd configuration: /etc/inetd.conf

If you'd like to prevent users from connecting to port 351, and only allow sftpd to connect from the local machine, first arrange for ftpd to be run from tcpd. The line in /etc/inetd.conf which runs ftpd may look like this now (after a safetp install), depending on where your ftpd lives and what arguments you've given it:
  raw-ftp stream tcp nowait root   /usr/sbin/wu.ftpd wu.ftpd -l -i -a -t0
  
To interpose tcpd between inetd and ftpd, change the line to look like this (depending on where your tcpd lives):
  raw-ftp stream tcp nowait root   /usr/sbin/tcpd wu.ftpd -l -i -a -t0
  
This means that inetd will first run tcpd, and then tcpd can choose to either exec(2) ftpd (if the client passes the access controls) or simply close the connection (if the client fails the access controls).

Note: You need to send the HUP signal to the inetd process to cause it to re-read its configuration files. See kill(1).

tcpd configuration: /etc/hosts.deny and /etc/hosts.allow

Then, add the following entries to the tcpd configuration files:

In /etc/hosts.deny:
    # by default, nothing can connect to the raw ftpd server
    # (this assumes you're using wu-ftpd; change the daemon name to
    # the argv[0] name of whatever you're in fact using)
    wu.ftpd : ALL
    
and in /etc/hosts.allow:
    # allow local processes (in particular, sftpd) to connect to the
    # raw ftpd server; replace 1.2.3.4 with your IP address(es)
    wu.ftpd : 1.2.3.4, 127.0.0.1
    
It's not sufficient to allow only localhost (127.0.0.1) because sftpd contacts ftpd on the same interface it was itself contacted on.
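To see why the hosts.allow entry must list the machine's own address as well as 127.0.0.1, here is a small added simulation of tcpd's decision order (hosts.allow first, then hosts.deny, otherwise allow) run against the two files above. It is example code written for this page, not part of SafeTP or tcp_wrappers, and it implements only a subset of the client patterns described in hosts_access(5) (ALL, an exact address, a net/mask pair and a trailing-dot prefix); the function names and the sample addresses are mine.

```python
import ipaddress

# Constructed copies of the two files shown on this page (not read from disk).
HOSTS_DENY = """
# by default, nothing can connect to the raw ftpd server
wu.ftpd : ALL
"""
HOSTS_ALLOW = """
# allow local processes (in particular, sftpd) to reach the raw ftpd server
wu.ftpd : 1.2.3.4, 127.0.0.1
"""

def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, addr):
    """Subset of tcpd client patterns: ALL, exact address, net/mask, trailing-dot prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                            # e.g. 1.2.3.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                     # e.g. "1.2.3." matches 1.2.3.x
        return addr.startswith(pattern)
    return pattern == addr

def rules_match(rules, daemon, addr):
    """True if any rule names this daemon (or ALL) and matches the client address."""
    return any((daemon in ds or "ALL" in ds) and any(client_matches(c, addr) for c in cs)
               for ds, cs in rules)

def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd decision order: a hosts.allow match wins, then hosts.deny denies, else allow."""
    if rules_match(parse_rules(allow), daemon, addr):
        return True
    if rules_match(parse_rules(deny), daemon, addr):
        return False
    return True

if __name__ == "__main__":
    # sftpd reaching ftpd over the external interface (1.2.3.4) vs. an outside client
    print(hosts_access("wu.ftpd", "1.2.3.4"), hosts_access("wu.ftpd", "5.6.7.8"))
    # with only 127.0.0.1 allowed, sftpd's own connection via 1.2.3.4 would be refused
    print(hosts_access("wu.ftpd", "1.2.3.4", allow="wu.ftpd : 127.0.0.1"))
```

On a host with tcp_wrappers installed, tcpdmatch(8) performs the same check against the real /etc/hosts.allow and /etc/hosts.deny, e.g. `tcpdmatch wu.ftpd 1.2.3.4`.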

Note that when tcpd denies a connection, it does so by first accepting the connection, waiting about 3 seconds, then closing it. This might be confusing to users, since the connection initially appears to succeed.

Final thought

It's perhaps worth mentioning that sftpd itself can also have access controlled by tcpd. One advantage of doing so is that tcpd does some other checks and logging on each incoming connection, such as attempting to detect host name spoofing and doing identd (RFC 931) lookups. In particular, since sftpd contacts ftpd locally, the tcpd wrapper on ftpd will not provide these services once SafeTP is installed.