Linux, Unix, /etc/
TCP Wrappers is designed to filter incoming connections to network services. This article looks at how this package can be used to enhance the security of a networking system.
STYLE = -DPROCESS_OPTIONSEnable language extensions. This is disabled by default.
FACILITY=LOG_MAILWhere do log records go? I prefer to set this to LOG_DAEMON, so that everything goes to /var/log/daemon. But you can do what you like!
SEVERITY= LOG_INFOWhat level to give to the log message. The default, LOG_INFO, is fine.
HOSTS_ACCESSWhen compiled with this option, the wrapper programs support a simple form of access control. Since this is the raison d'�re of the suite, this is defined by default!
PARANOIDWhen compiled with -DPARANOID, the wrappers will always try to look up and double check the client host name, and will always refuse service in case of a discrepancy between hostname and IP address. This is a reasonable policy for most systems.
When compiled without -DPARANOID, the wrappers by default still perform hostname lookup, but hosts where such lookups give conflicting results for hostname and IP address are *not* automatically rejected. They can be matched with the PARANOID wildcard in the access files, and a decision made on whether to grant access.
DOT= -DAPPEND_DOTThis appends a dot to every domain name. For example, example.com becomes example.com.. This is done because on many Unix systems the resolver will append substrings of the local domain, and try to look up those hostnames, before trying to resolve the name it has actually been given. Use of the APPEND_DOT feature stops this waste of time and resources. It is off by default.
AUTH = -DALWAYS_RFC931Always try to lookup the remote username. Note that for this to be of any use, the remote host must run a daemon that supports the finger protocol; and also, that such lookups are not possible for UDP-based connections. By default, this is turned off, and the wrappers look up the remote username only when the access control rules specify this behaviour.
RFC931_TIMEOUT = 10Username lookup timeout.
-DDAEMON_UMASK=022The is the default file permissions mask for processes run under control of the wrappers.
ACCESS = -DHOSTS_ACCESSHost access control. Note that this can also be turned off at runtime by providing no, or empty, access control tables. Enabled by default.
TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"The pathnames for the access control tables.
HOSTNAME= -DALWAYS_HOSTNAMEAlways attempt to look up the client hostname. If this is disabled, the client hostname lookup is postponed until the name is required by an access control rule or by a %letter expansion. If this is what you want, note that paranoid mode must be disabled as well. This is on by default.
-DKILL_IP_OPTIONSThis is for protection against hosts that pretend they have someone else's host address — host address spoofing. this option is not needed on modern Unix systems that can stop source-routed traffic in the kernel e.g. Linux, Solaris 2.x, 4.4BSD and derivatives.
-DNETGROUPDefine if your system has NIS support. This is used only in conjunction with host access control, so if you're not using that, don't bother about this in any case. Off by default.
Some definitions are given that work around system bugs (just the basics here; see Makefile for details). The standard define is:
BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOKHaving set the options to your requirements, type
make sys-typeWhere sys-type is one of
generic (most bsd-ish systems with sys5 compatibility) 386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543 dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211 ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4 sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2 uts215 uxpIf the unlikely event of none of these matching your system, then you will have to edit the system dependencies sections in the Makefile and do a 'make other'.
$ mkdir REAL_DAEMON_DIR $ mv /sbin/in.telnetd REAL_DAEMON_DIR $ cp tcpd /sbin/in.telnetdAnd that is all there is to it. Note that the wrapper, all files used by the wrapper, and all directories in the path leading to those files, should all have read only, or read and execute only, access; they must *not* be writable. So, use modes 755 or 555. There is no need for the wrapper to be set-uid.
Here is a standard inetd.conf record for telnet service:
telnet stream tcp nowait root /sbin/in.telnetd /sbin/in.telnetdAnd here is the same record after modification to support TCP Wrappers:
telnet stream tcp nowait root /sbin/tcpd /sbin/in.telnetdRemember after editing this file to tell inetd to re-read it with kill -1.
/etc/hosts.denyThese are the default pathnames, which can be changed in the Makefile.
Access can be controlled per host, per service, or combinations thereof. Access control can also be used to connect clients to particular services, depending on the requested service, the origin of the request, and what host address the client connects to. For example, a www daemon might serve documents in the native language when contacted from within the country, otherwise in English.
The format of these files is described in detail by hosts_access(5). Basically, each file consists of a set of rules. these rules are searched in the order hosts.allow, hosts.deny, and the search stops at the first match. So, if a host is granted access in host.allow, it doesn't matter if it is then blocked in hosts.deny. Remember, first rule matched determines what action to take.
There are two basic keywords, allow and deny. These are used in conjuction with specific hostnames, or a wildcard from the list below.
A string beginning with . matches all hostnames that conclude with that string. For examle, .example.com would match dunne.example.com.
A string ending with . matches all hosts if whose IP addresses begin with that sequence. For example, 192.168 would match all addresses in the range 192.168.xxx.xxx.
A string beginning with @ is treated as an NIS netgroup name.
A string of the form n.n.n.n/m.m.m.m is treated as a netowrk/mask pair.
There are also some special shorthand names:
LOCALMatches any host whose name does not contain a dot character.
UNKNOWNMatches a user whose name is unknown, and matches any hsot whose name or address are unknown.
KNOWNMatches a user whose name is known, and matches any host whose name and address is known.
PARANOIDMatches any host whose name does not match its address.
There is also a set of symbolic names which expand to various information about the client and server. The full list of such expansions is:
%a the client IP address %c client information: user@host, user@IP, etc %d argv from the daemon process %h client host name or IP address %n client host name %p process id of the daemon %s server information %u client user name %% literal %
To deny all access, leave hosts.allow blank, and put this in hosts.deny
ALL: ALLTo allow all acesss, simply leave both files blank.
To allow controlled access, add rules to hosts.allow and hosts.deny as appropriate. At it's simplest, this involves listing banned sites in hosts.deny.
evilcrackers.com: ALLOn the other hand, you can also deny access to all save selected sites. In /etc/hosts.allow:
ALL:ALLRemember, first match is the important one — the ALL in hosts.deny won't block example.com
in.tftpd: ALL: finger -l @%h 2>&1 | mail -s 'remote tftp attempt' sysadmNote that use of this feature relies on the PROCESS_OPTIONS option. This option also provides some other useful features.
spawn <shell_command>Run the specified shell command as a child process.
twist <shell_command>Replace the current process by the specified shell command.
banners <pathname>Copy the contents of the file in <pathname> to the client. Useful for sites which are required to display a site policy banner to all users.
See the host_options(5) man page for full details of these and other options.
severity mail.infoSpecifies logging with as facility mail at level info. An undotted argument is understood as a level.
A good account of the thinking which led to the creation of the TCP Wrappers is Venema's paper, TCP WRAPPER: Network monitoring, access control, and booby traps. It is available from his ftp site at ftp.porcupine.org/pub/security in a variety of formats— look for tcp_wrapper.<format>.Z.
Paul Dunne , Tuesday 26th July 2005