BBS SMTH Station: Digest Section
From: CuteGuy (Pricked by a thumbtack ※ recuperating), Board: Linux
Subject: Enhancing System Security With TCP Wrappers (repost)
Posted: BBS SMTH Station (Sun May 2 12:33:43 1999)
http://www.performancecomputing.com/Linux-IT/features/9905of1.shtml
LINUX-IT - MAY 1999
Enhancing System Security With TCP Wrappers
Paul Dunne
TCP Wrappers, written by Wietse Venema, is a tool that filters incoming connections to network services. This article looks at how TCP Wrappers can be used to enhance the security of a networked system. The example platform is Linux, but the information is applicable to almost any UNIX system.
The idea of the package is to provide "wrapper" daemons that can be installed
without any changes to existing software.
Most TCP/IP applications depend on the client-server model--that is, when a connection is requested by a client, a server process is started on the host to deal with it. TCP Wrappers works by interposing an additional layer, or wrapper, between client and server. In the basic service, the wrapper logs the name of the client host and requested service, then hands the communication over to the real daemon, neither exchanging information with the client or server, nor imposing overhead on the actual conversation between the two. Optional features may be enabled, including access control, client username lookups, and additional protection against hostname spoofing.
The current version of TCP Wrappers, 7.6, can be obtained from
ftp://ftp.porcupine.org/pub/security/. (Note that the old location,
ftp://ftp.win.tue.nl/pub/security/, was compromised earlier this year and is
no longer maintained.)
Compilation
There are a few decisions to make at compile time. Features can be turned on
or off through definitions. Here is a list, with default values shown where
appropriate:
STYLE = -DPROCESS_OPTIONS
Enables language extensions. This is disabled by default.
FACILITY=LOG_MAIL
Sets the location of log records. I prefer to set this to LOG_DAEMON, and log
stuff into /var/log/daemon. Your mileage may vary.
SEVERITY= LOG_INFO
Sets what level to give to the log message. The default, LOG_INFO, is fine in
most cases. The complete list is, in ascending order of severity, debug,
notice, warning, err, crit, alert, emerg. See the syslog.conf(5) man page for
more details.
HOSTS_ACCESS
When compiled with this option, the wrapper programs support a simple form of
access control. Since this is the reason most people install TCP Wrappers, it
is defined by default.
PARANOID
When compiled with -DPARANOID, the wrappers try to look up and double-check the client hostname, and will always refuse service in case of a discrepancy between hostname and IP address. This is a reasonable policy for most systems. When compiled without -DPARANOID, the wrappers by default still perform hostname lookup, but hosts where such lookups give conflicting results for hostname and IP address are not automatically rejected. They can be matched with the PARANOID wildcard in the access files, and a decision can be made on whether to grant access.
DOT= -DAPPEND_DOT
This appends a dot to a domain name. For example, "example.com" becomes "example.com.". This is done because typically, the resolver will first append substrings of the local domain before trying to resolve the name it has actually been given. Use of the APPEND_DOT feature stops this waste of time and resources. It is off by default.
AUTH = -DALWAYS_RFC931
Always attempt remote username lookups. By default, this is off, and the wrappers look up the remote username only when the access-control rules require them to do so. Note that for this to be of any use, the remote host must run a daemon that supports the finger protocol. Also, such lookups are not possible for UDP-based connections.
RFC931_TIMEOUT = 10
Username lookup timeout. This may not be long enough for slow hosts or
networks, but is enough to irritate PC users.
-DDAEMON_UMASK=022
This is the default file-protection mask for processes run under control of the wrappers.
ACCESS = -DHOSTS_ACCESS
Sets host access control. This is enabled by default. Note that this can also
be turned off at run time by providing no, or empty, access-control tables.
TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"
Sets the pathnames for the access-control tables.
HOSTNAME= -DALWAYS_HOSTNAME
Always attempt to look up the client hostname. This is on by default. If this is disabled, the client hostname lookup is postponed until the name is required by an access-control rule or by a %letter expansion. If this is what you want, you must disable paranoid mode as well.
-DKILL_IP_OPTIONS
This is for protection against hosts that pretend they have someone else's host address (host address spoofing). This option is not needed on modern UNIX systems that can stop source-routed traffic in the kernel (for example, Linux, Solaris 2.x, 4.4BSD and derivatives).
-DNETGROUP
Defines if your system has NIS support. Off by default. This is used only in
conjunction with host access control, so if you're not using that, don't
bother about this in any case.
Some definitions are given that work around system bugs (just the basics
here; see Makefile for details). The standard define is:
BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
Having set the options to your requirements, type make sys-type, where
sys-type is one of the 48 systems listed in Figure 1. As you can see, enough
choices!
If none of these matches your environment, then you will have to edit the
system dependencies sections in the Makefile and do a make other.
Installation
There are two ways to install the software. The easy installation method requires no changes to existing software or configuration files. You move the daemons that you want to protect to the directory specified in REAL_DAEMON_DIR in the Makefile, replacing them with copies of the tcpd program. For example, for telnet:
mkdir REAL_DAEMON_DIR
mv /sbin/in.telnetd REAL_DAEMON_DIR
cp tcpd /sbin/in.telnetd
That's all there is to it. Note that the wrapper, all files used by the wrapper, and all directories in the path leading to those files should have read- or read-and-execute-only access (modes 755 or 555); they must not be writable. There is no need to set the wrapper set-uid.
The advanced installation method leaves your daemon executables alone, but involves simple modifications to the inetd configuration file /etc/inetd.conf. The changes to inetd.conf are straightforward. For each service to be protected by wrappers, tcpd should be executed in place of the original daemon, passing the original daemon pathname as an argument to tcpd.
Here is a standard inetd.conf record for telnet service:
telnet stream tcp nowait root /sbin/in.telnetd /sbin/in.telnetd
And here is the same record after modification to support TCP Wrappers:
telnet stream tcp nowait root /sbin/tcpd /sbin/in.telnetd
Remember after editing this file to tell inetd to re-read it with kill -1.
Configuration
Access Control
The core idea behind TCP Wrappers is that of an access-control policy. The
policy rules are held in two files: /etc/hosts.allow and /etc/hosts.deny.
These are the default pathnames, which can be changed in the Makefile.
Access can be controlled per host, per service, or in combinations thereof. Access control also can be used to connect clients to particular services, depending on the requested service, the origin of the request, and to what host address the client connects. For example, a www daemon might serve documents in the native language when contacted from within the same country, but default to English otherwise.
The format of these files is described in detail by hosts_access(5). Each file consists of a set of rules that are searched first in hosts.allow, then in hosts.deny. The search stops at the first match, so if a host is granted access in hosts.allow, it doesn't matter if it is blocked in hosts.deny.
There are two basic keywords, "allow" and "deny." These are used in
conjunction with specific hostnames, or a wildcard from the following list:
A string beginning with "." matches all hostnames that conclude with that
string. For example, .example.com would match dunne.example.com.
A string ending with "." matches all hosts whose IP addresses begin with that
sequence. For example, 192.168. would match all addresses in the range
192.168.xxx.xxx.
A string beginning with "@" is treated as an NIS netgroup name.
A string of the form n.n.n.n/m.m.m.m is treated as a network/mask pair.
There also are some special shorthand names:
ALL
Always matches.
LOCAL
Matches any host whose name does not contain a dot character.
UNKNOWN
Matches a user whose name is unknown, and matches any host whose name or
address are unknown.
KNOWN
Matches a user whose name is known, and matches any host whose name and
address is known.
PARANOID
Matches any host whose name does not match its address.
There also is a set of symbolic names that expand to various information
about the client and server. The full list of such expansions is:
%a
the client IP address
%c
client information: user@host, user@
%d
argv[0] from the daemon process
%h
client hostname or IP address
%n
client hostname
%p
process id of the daemon
%s
server information
%u
client username
%%
literal "%"
Examples
There are several typical forms of access control that provide examples of using the access control files. Note that explicitly-authorized hosts are listed in hosts.allow; most other rules are put in hosts.deny.
To deny all access, leave hosts.allow blank, and put this in hosts.deny:
ALL: ALL
To allow all access, simply leave both files blank.
To allow controlled access, add rules to hosts.allow and hosts.deny as appropriate. At its simplest, this involves listing banned sites in hosts.deny (each rule names the daemon list first, then the client list, as hosts_access(5) describes):
ALL: evilcrackers.com
On the other hand, you can also deny access to all save selected sites:
/etc/hosts.allow:
ALL: example.com
/etc/hosts.deny:
ALL: ALL
Remember, the first match is the one that counts -- the "ALL" in hosts.deny
won't block example.com.
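To make the first-match rule and the wildcard forms described above concrete, here is an added example (not code from the article or from the TCP Wrappers package): a small Python evaluator that answers "would this client be admitted to this daemon?" for a given pair of hosts.allow and hosts.deny tables. It models the wildcards the article lists (ALL, LOCAL, leading-dot domain suffix, trailing-dot address prefix, n.n.n.n/m.m.m.m net/mask); NIS netgroups and the KNOWN/UNKNOWN/PARANOID lookup states are deliberately not modelled, and the sample tables are constructed for illustration.

```python
import ipaddress

def client_matches(pattern, hostname, addr):
    """True if one client pattern from a client_list matches the client."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p == "LOCAL":                      # hostname contains no dot
        return hostname is not None and "." not in hostname
    if p.startswith("@"):                 # NIS netgroup: not modelled here
        return False
    if "/" in p:                          # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
    if p.startswith("."):                 # domain suffix, e.g. .example.com
        return hostname is not None and hostname.endswith(p)
    if p.endswith("."):                   # address prefix, e.g. 192.168.
        return addr.startswith(p)
    return p == hostname or p == addr     # exact host name or address

def rule_matches(rule, daemon, hostname, addr):
    """Rule form: 'daemon_list : client_list [: options]'; lists are comma/space separated."""
    rule = rule.split("#", 1)[0].strip()  # drop comments and blank lines
    fields = rule.split(":", 2)
    if len(fields) < 2:
        return False
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    if not any(d == "ALL" or d == daemon for d in daemons):
        return False
    return any(client_matches(c, hostname, addr) for c in clients)

def access_allowed(allow_rules, deny_rules, daemon, hostname, addr):
    """hosts.allow is searched first, then hosts.deny; the first match wins.
    If neither table matches, access is granted (empty tables allow everything)."""
    for rule in allow_rules:
        if rule_matches(rule, daemon, hostname, addr):
            return True
    for rule in deny_rules:
        if rule_matches(rule, daemon, hostname, addr):
            return False
    return True

# Constructed sample tables: the article's "deny all save selected sites" policy,
# widened to a whole domain and one internal subnet.
HOSTS_ALLOW = ["ALL: .example.com, 192.168.1.0/255.255.255.0"]
HOSTS_DENY = ["ALL: ALL"]

if __name__ == "__main__":
    print(access_allowed(HOSTS_ALLOW, HOSTS_DENY, "in.telnetd", "dunne.example.com", "10.0.0.5"))
    print(access_allowed(HOSTS_ALLOW, HOSTS_DENY, "in.telnetd", "attacker.net", "203.0.113.9"))
```

Because hosts.allow is consulted first, a host matched there is admitted even though hosts.deny ends with ALL: ALL, which is exactly the ordering point made above.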
Booby Traps
A useful feature is the ability to trigger actions on the host based on attempted connections. For example, if we detect a remote site attempting to use our tftp server, the following rule in /etc/hosts.deny not only rejects the attempt, but notifies the system administrator:
in.tftpd: ALL: spawn finger -l @%h 2>&1 | mail -s "remote tftp attempt" sysadm
The use of this feature relies on the PROCESS_OPTIONS option. This option
also provides some other useful features.
spawn <shell_command>
Runs the specified shell command as a child process.
twist <shell_command>
Replaces the current process by the specified shell command.
banners <pathname>
Copies the contents of the file in <pathname> to the client. Useful for sites
that are required to display a site policy banner to all users.
See the hosts_options(5) man page for full details of these and other options.
Logging
Log records are written to the syslog daemon, syslogd, with facility and level as specified in the Makefile at compile time. What happens to them there is determined by the syslogd config file /etc/syslog.conf. If PROCESS_OPTIONS has been defined, the facility and level can be changed at run time by using the keyword "severity," for example,
severity mail.info
specifies a facility "mail," level "info." An undotted argument is understood
as a level.
Resources
In addition to the thorough set of man pages that comes with the software, Venema's paper, "TCP WRAPPER: Network monitoring, access control, and booby traps," is a useful account of the thinking that led to the creation of the software. It is available at ftp://ftp.porcupine.org/pub/security/ in ASCII text and PostScript -- look for tcp_wrapper.<format>.Z.
Conclusion
TCP Wrappers protects against many common attempts to compromise a UNIX machine connected to the Internet. TCP Wrappers is easy to use: there is no need to modify existing software, only simple (and optional) changes to one existing configuration file are necessary, and there is no impact on genuine users. For your efforts, you get protection against a variety of cracking techniques and the ability to install trip wires to notify you of attempted break-ins. It's easy to see why millions of systems worldwide have installed this valuable tool.
Paul Dunne (http://dunne.home.dhs.org) is a writer and consultant specializing in Linux.
--
^\ ..... ( ^ ) ..... /^
^-^ ^^^^^^ { 0 0 } ^^^^^^ ^-^
^ ^^ ( @ ) ^^ ^
"
I am back from hell
Tears still leave in heaven
※ Edited: CuteGuy edited this post on May 2 12:34:46 [FROM: rock.cs.uestc.e]
※ Source: BBS SMTH Station bbs.net.tsinghua.edu.cn [FROM: rock.cs.uestc.e]