Using TCP wrappers

Completely disabling an unused service is fine, but what about the services that you really need? How can you selectively grant and deny access to these services? In previous versions of Red Hat Linux, the TCP wrapper daemon (tcpd) was used to facilitate this sort of selective access. In the current version of Red Hat Linux, TCP wrapper support has been integrated into xinetd. Xinetd will look at the files /etc/hosts.allow and /etc/hosts.deny to determine when a particular connection should be granted or refused. It scans through the hosts.allow and hosts.deny files and stops as soon as it finds an entry that matches the IP address of the connecting machine. The following checks are made each time a connection attempt occurs:

If the address is listed in the hosts.allow file, the connection is allowed and hosts.deny is not checked. Otherwise, if the address is in hosts.deny, the connection is denied.

Finally, if the address is in neither file, the connection is allowed.

It is not necessary (or even possible) to list every single address that may connect to your computer. The hosts.allow and hosts.deny files enable you to specify entire subnets and groups of addresses. You can even use the keyword ALL to specify all possible addresses. You can also restrict specific entries in these files so they only apply to specific network services. Let's look at an example of a typical pair of hosts.allow and hosts.deny files.

# hosts.allow This file describes the names of the hosts are

# allowed to use the local INET services, as decided

imapd, ipop3d: 199.170.177. in.telnetd: 199.170.177., .glaci.com ftpd: ALL

# hosts.deny This file describes the names of the hosts which are

# *not* allowed to use the local INET services, as

# decided by the '/usr/sbin/tcpd' server.

ALL: ALL

The above example is a rather restrictive configuration. It allows connections to the imap, ipop3d, and telnet services from certain hosts but then denies all other connections. Let's examine the files in detail.

As usual, lines beginning with a # character are comments and are ignored by tcpd when parsing the file. Each noncomment line consists of a comma-separated list of daemons followed by a colon (:) character and then a comma-separated list of client addresses to check. In this context, a client is any computer that attempts to access a network service on your system.

A client entry can be a numeric IP address (such as 199.170.177.25) or a hostname (such as dexter.glaci.com) but is more often a wildcard variation that specifies an entire range of addresses. A client entry can take four different forms. The online manual page for the hosts.allow file describes them as follows:

A string that begins with a dot (.) character. A hostname is matched if the last components of its name match the specified pattern. For example, the pattern .tue.nl matches the host name wzv.win.tue.nl.

A string that ends with a dot (.) character. A host address is matched if its first numeric fields match the given string. For example, the pattern 131.155. matches the address of (almost) every host on the Eindhoven University network (131.155.x.x).

A string that begins with an at (@) sign is treated as an NIS (formerly YP) netgroup name. A hostname is matched if it is a host member of the specified netgroup. Netgroup matches are not supported for daemon process names or for client user names.

An expression of the form n.n.n.n/m.m.m.m is interpreted as a net/mask pair. A host address is matched if net is equal to the bitwise AND of the address and the mask. For example, the net/mask pattern 131.155.72.0/255.255.254.0 matches every address in the range 131.155.72.0 through 131.155.73.255.

The example host.allow contains the first two types of client specification. The entry 199.170.177. will match any IP address that begins with that string, such as 199.170.177.25. The client entry .glaci.com will match host names such as dexter.glaci.com or scooby.glaci.com.

Let's examine what happens when a host named daffy.glaci.com (with IP address 199.170.179.18) connects to your Red Hat Linux box using the telnet protocol:

Xinetd receives the connection request.

Xinetd begins comparing the address and name of daffy.glaci.com to the rules listed in /etc/hosts.allow. It starts at the top of the file and works its way down the file until finding a match. Both the daemon (the program handling the network service on your Red Hat Linux box) and the connecting client's IP address or name must match the information in the hosts.allow file. In this case, the second rule that is encountered matches the request:

in.telnetd: 199.170.177., .glaci.com

Daffy is not in the 199.170.177 subnet, but it is in the glaci.com domain. Xinetd stops searching the file as soon as it finds this match.

How about if daffy connects to your box using the imap protocol? In this case, it matches none of the rules in hosts.allow; the only line that refers to the imapd daemon does not refer to the 199.170.179 subnet or to the glaci.com domain. Xinetd continues on to the hosts.deny file. The entry ALL: ALL matches with anything, so tcpd promptly denies the connection.

The ALL wildcard was also used in the hosts.allow file. In this case, we are telling xinetd to permit absolutely any host to connect to the FTP service on the Linux box. This is appropriate for running an anonymous FTP

server that anyone on the Internet can access. If you are not running an anonymous FTP site, you probably should not use the ALL flag.

A good rule of thumb is to make your hosts.allow and hosts.deny files as restrictive as possible and then explicitly enable only those services that you really need. Also, grant access only to those systems that really need access. Using the ALL flag to grant universal access to a particular service may be easier than typing in a long list of subnets or domains, but better a few minutes spent on proper security measures than many hours recovering from a break-in.

Tip You can further restrict access to services by using various options within the /etc/xinetd.conf file itself, even to the point of limiting access to certain services to specific times of the day. Read the online manual page for xinetd (by typing man xinetd at a command prompt) to learn more about these options.

Was this article helpful?

0 0

Post a comment