Two days ago, on Christmas Day to be precise, I was asked whether access to the Mosquitto broker can be limited by IP address, and after saying “no”, because Mosquitto ACLs don’t provide for that, I recalled TCP Wrappers and changed my answer to “yes”.

I’ve not used TCP Wrappers for donkeys’ ages, but the person for whom this is uses Debian, and Mosquitto packages on that platform (and CentOS’) come compiled with support for libwrap.

$ cat /etc/hosts.deny
mosquitto: *

$ cat /etc/hosts.allow
mosquitto: [::1] 127.0.0.1 192.168.33.1 

The syntax is documented in hosts_access(5) and hosts_options(5), and the example above ought to be self-explanatory.
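To see what those two files actually decide for a given client before relying on them, here is an added example (not from the post, and not libwrap's own code): a small Python re-implementation of the hosts_access(5) evaluation order, allow file first, then deny file, otherwise access granted. It covers only a subset of the pattern language (ALL, `*`/`?` wildcards, trailing-dot prefixes, net/mask or CIDR networks, exact and bracketed addresses) and assumes well-formed rule lines; the real tool for this job is tcpdmatch(8).

```python
# Added example, not from the post: simplified hosts_access(5) decision
# (allow file first, then deny file, else allow) for checking a config offline.
# Subset only: ALL, '*'/'?' wildcards, trailing-dot prefixes, net/mask or CIDR,
# exact and [bracketed] addresses. No EXCEPT, hostnames or hosts_options(5).
import fnmatch
import ipaddress

# Constructed copies of the two files shown in the post.
HOSTS_DENY = "mosquitto: *\n"
HOSTS_ALLOW = "mosquitto: [::1] 127.0.0.1 192.168.33.1\n"

def parse_rules(text):
    """Yield (daemon_list, client_list) per rule; comments and blanks skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)  # assumes 'daemons: clients'
            yield daemons.split(), clients.split()

def client_matches(pattern, addr):
    """Match one client pattern against an IP address (hosts_access subset)."""
    if pattern == "ALL":
        return True
    pattern = pattern.replace("[", "").replace("]", "")  # [::1] or [net]/len
    try:
        ip = ipaddress.ip_address(addr)
        if "/" in pattern:  # n.n.n.n/m.m.m.m or CIDR prefix length
            return ip in ipaddress.ip_network(pattern, strict=False)
        if pattern.endswith("."):  # numeric prefix such as 192.168.33.
            return addr.startswith(pattern)
        if "*" in pattern or "?" in pattern:
            return fnmatch.fnmatchcase(addr, pattern)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:  # malformed address or pattern never matches
        return False

def rule_matches(daemons, clients, daemon, addr):
    """A rule fires when both its daemon list and its client list match."""
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(c, addr) for c in clients)

def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if TCP Wrappers would admit addr to daemon under these files."""
    if any(rule_matches(d, c, daemon, addr) for d, c in parse_rules(allow)):
        return True
    if any(rule_matches(d, c, daemon, addr) for d, c in parse_rules(deny)):
        return False
    return True  # neither file matched: access granted
```

With the post's files, `hosts_access("mosquitto", "192.168.1.131")` returns False, which is the connection mosquitto.log reports as denied by tcpd, while the three listed addresses return True.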

TCP Wrappers have the benefit of runtime reconfiguration – services don’t have to be restarted for changes to hosts.allow or hosts.deny to take effect.

In the case of Mosquitto, the mosquitto.log keeps track of thwarted connection attempts:

Client connection from 192.168.1.131 denied access by tcpd.

From the entry on the author’s page:

Wietse Venema’s network logger, also known as TCPD or LOG_TCP. These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. Security options are: access control per host, domain and/or service; detection of host name spoofing or host address spoofing; booby traps to implement an early-warning system.

I thought I’d mention this utility/library, as it can be useful for sundry services, although there are likely few left which actually use the wrap library; it stems from the dark ages, before Linux and iptables & co were well known.

unix and mqtt :: 27 Dec 2019 :: e-mail