<HTML>
<HEAD>
<TITLE>The tcpd Access Control Facility</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.57">
<LINK REL="HOME" TITLE="Linux Network Administrators Guide" HREF="index.html">
<LINK REL="UP" TITLE="Important Network Features" HREF="x-087-2-appl.html">
<LINK REL="PREVIOUS" TITLE="The inetd Super Server" HREF="x-087-2-appl.inetd.html">
<LINK REL="NEXT" TITLE="The Services and Protocols Files" HREF="x-087-2-appl.services.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Linux Network Administrators Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="x-087-2-appl.inetd.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 12. Important Network Features</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="x-087-2-appl.services.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="X-087-2-APPL.TCPD">12.2. The tcpd Access Control Facility</A></H1>
<P>Since opening a computer to network access involves many security risks,
applications are designed to guard against several types of attacks. Some
security features, however, may be flawed (most drastically demonstrated by the
RTM Internet worm, which exploited a hole in a number of programs, including old
versions of the sendmail mail daemon), or do not distinguish between secure
hosts from which requests for a particular service will be accepted and
insecure hosts whose requests should be rejected. We've already briefly
discussed the <B CLASS="COMMAND">finger</B> and <B CLASS="COMMAND">tftp</B> services.
A network administrator would want to limit access to these services to
“trusted hosts” only, which is impossible with the usual setup,
in which <B CLASS="COMMAND">inetd</B> provides a service either to all clients
or not at all.</P>

<P>A useful tool for managing host-specific access is <B CLASS="COMMAND">tcpd</B>,
often called the daemon “wrapper.”<A NAME="X-087-2-FNFE01" HREF="#FTN.X-087-2-FNFE01">[1]</A>
For TCP services you want to monitor or protect, it is invoked instead of the
server program. <B CLASS="COMMAND">tcpd</B> checks whether the remote host is allowed
to use that service, and only if this check succeeds will it execute the real server
program. <B CLASS="COMMAND">tcpd</B> also logs the request to the
<B CLASS="COMMAND">syslog</B> daemon. Note that this does not work with
UDP-based services.</P>

<P>For example, to wrap the <B CLASS="COMMAND">finger</B> daemon, you have to change
the corresponding line in <TT CLASS="FILENAME">inetd.conf</TT> from this:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="SCREEN"># unwrapped finger daemon
finger stream tcp nowait bin /usr/sbin/fingerd in.fingerd</PRE></TD></TR></TABLE>
to this:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="SCREEN"># wrap finger daemon
finger stream tcp nowait root /usr/sbin/tcpd in.fingerd</PRE></TD></TR></TABLE></P>

<P>Without adding any access control, this will appear to the client as
the usual <B CLASS="COMMAND">finger</B> setup, except that any requests are logged
to <B CLASS="COMMAND">syslog</B>'s <I CLASS="EMPHASIS">auth</I> facility.</P>

<P>Two files called <TT CLASS="FILENAME">/etc/hosts.allow</TT> and
<TT CLASS="FILENAME">/etc/hosts.deny</TT> implement access control.
They contain entries that allow and deny access to certain services and hosts.
When <B CLASS="COMMAND">tcpd</B> handles a request for a service such as
<B CLASS="COMMAND">finger</B> from a client host named
<SPAN CLASS="SYSTEMITEM">biff.foobar.com</SPAN>, it scans
<TT CLASS="FILENAME">hosts.allow</TT> and <TT CLASS="FILENAME">hosts.deny</TT>
(in this order) for an entry matching both the service and the client host.
If a matching entry is found in <TT CLASS="FILENAME">hosts.allow</TT>, access
is granted and <B CLASS="COMMAND">tcpd</B> doesn't consult the
<TT CLASS="FILENAME">hosts.deny</TT> file. If no match is found in the
<TT CLASS="FILENAME">hosts.allow</TT> file, but a match is found in
<TT CLASS="FILENAME">hosts.deny</TT>, the request is rejected by closing down the
connection. The request is accepted if no match is found at all.</P>

<P>Entries in the access files look like this:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="SCREEN"><TT CLASS="REPLACEABLE"><I>servicelist</I></TT>: <TT CLASS="REPLACEABLE"><I>hostlist</I></TT> [:<TT CLASS="REPLACEABLE"><I>shellcmd</I></TT>]</PRE></TD></TR></TABLE></P>

<P><TT CLASS="REPLACEABLE"><I>servicelist</I></TT> is a list of service names from
<TT CLASS="FILENAME">/etc/services</TT>, or the keyword
<SPAN CLASS="SYSTEMITEM">ALL</SPAN>; the examples in this section use the daemon
names given in <TT CLASS="FILENAME">inetd.conf</TT>, such as
<B CLASS="COMMAND">in.fingerd</B>. To match all services except
<B CLASS="COMMAND">finger</B> and <B CLASS="COMMAND">tftp</B>, use
<SPAN CLASS="SYSTEMITEM">ALL</SPAN> <SPAN CLASS="SYSTEMITEM">EXCEPT</SPAN>
<TT CLASS="LITERAL">finger, tftp</TT>.</P>

<P><TT CLASS="REPLACEABLE"><I>hostlist</I></TT> is a list of hostnames, IP addresses,
or the keywords <SPAN CLASS="SYSTEMITEM">ALL</SPAN>,
<SPAN CLASS="SYSTEMITEM">LOCAL</SPAN>,
<SPAN CLASS="SYSTEMITEM">UNKNOWN</SPAN> or
<SPAN CLASS="SYSTEMITEM">PARANOID</SPAN>.
<SPAN CLASS="SYSTEMITEM">ALL</SPAN> matches any host, while
<SPAN CLASS="SYSTEMITEM">LOCAL</SPAN> matches hostnames that don't
contain a dot.<A NAME="X-087-2-FNFE02" HREF="#FTN.X-087-2-FNFE02">[2]</A>
<SPAN CLASS="SYSTEMITEM">UNKNOWN</SPAN> matches any host whose name
or address lookup failed. <SPAN CLASS="SYSTEMITEM">PARANOID</SPAN>
matches any host whose hostname does not resolve back to its IP
address.<A NAME="X-087-2-FNFE03" HREF="#FTN.X-087-2-FNFE03">[3]</A>
A name starting with a dot matches all hosts whose domain is equal to this
name. For example, <SPAN CLASS="SYSTEMITEM">.foobar.com</SPAN> matches
<SPAN CLASS="SYSTEMITEM">biff.foobar.com</SPAN>, but not
<SPAN CLASS="SYSTEMITEM">nurks.fredsville.com</SPAN>. A pattern that
ends with a dot matches any host whose IP address begins with the supplied
pattern, so <SPAN CLASS="SYSTEMITEM">172.16.</SPAN> matches
<SPAN CLASS="SYSTEMITEM">172.16.32.0</SPAN>, but not
<SPAN CLASS="SYSTEMITEM">172.15.9.1</SPAN>. A pattern of the form
<TT CLASS="LITERAL"><TT CLASS="REPLACEABLE"><I>n.n.n.n</I></TT>/<TT CLASS="REPLACEABLE"><I>m.m.m.m</I></TT></TT>
is treated as an IP address and network mask, so we could specify
our previous example as
<SPAN CLASS="SYSTEMITEM">172.16.0.0/255.255.0.0</SPAN> instead.
Lastly, any pattern beginning with a “/” character allows you to
specify a file that is presumed to contain a list of hostname or IP address
patterns; a match against any one of them counts as a match. So a pattern that looked like
<I CLASS="EMPHASIS">/var/access/trustedhosts</I> would cause
the <B CLASS="COMMAND">tcpd</B> daemon to read that file, testing whether any of the
lines in it matched the connecting host.</P>

<P>To deny access to the <B CLASS="COMMAND">finger</B> and <B CLASS="COMMAND">tftp</B>
services to all but the local hosts, put the following in
<TT CLASS="FILENAME">/etc/hosts.deny</TT> and leave
<TT CLASS="FILENAME">/etc/hosts.allow</TT> empty:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="SCREEN">in.tftpd, in.fingerd: ALL EXCEPT LOCAL, <TT CLASS="REPLACEABLE"><I>.your.domain</I></TT></PRE></TD></TR></TABLE></P>
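<P>The allow-then-deny evaluation order and the host patterns described above can be modelled directly. The following is an added example, not code from the Network Administrators Guide or from tcpd itself; the function names (hosts_access, match_host, match_list, entry_matches) and the hosts.allow/hosts.deny contents are constructed for illustration, and PARANOID and “/file” patterns are left out.</P>

```python
import ipaddress
import re
# Added example (not from the Network Administrators Guide or from tcpd): a model
# of the hosts_access rules described above. A client is (hostname, ip); hostname
# is None when the reverse lookup failed (UNKNOWN). PARANOID and "/file" patterns
# are left out. HOSTS_ALLOW and HOSTS_DENY at the end are constructed samples.

def match_host(p, host, ip):
    if p == "ALL":
        return True
    if p == "LOCAL":                             # hostname without a dot
        return host is not None and "." not in host
    if p == "UNKNOWN":                           # name lookup failed
        return host is None
    if p.startswith("."):                        # domain suffix, e.g. .vbrew.com
        return host is not None and host.endswith(p)
    if p.endswith("."):                          # address prefix, e.g. 172.16.
        return ip.startswith(p)
    if "/" in p:                                 # n.n.n.n/m.m.m.m: net and mask
        net, mask = p.split("/", 1)
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return ipaddress.IPv4Address(ip) in network
    return p in (host, ip)                       # exact hostname or address

def match_list(spec, matches):
    """Evaluate 'a, b EXCEPT c, d': any of a,b matches and none of c,d does."""
    parts = re.split(r"\s+EXCEPT\s+", spec.strip(), maxsplit=1, flags=re.I)
    tokens = [[t for t in re.split(r"[\s,]+", part) if t] for part in parts]
    if not any(matches(t) for t in tokens[0]):
        return False
    return len(tokens) == 1 or not any(matches(t) for t in tokens[1])

def entry_matches(line, service, host, ip):
    fields = line.split(":", 2)                  # a 3rd field (shellcmd) may hold ':'
    if line.lstrip().startswith("#") or len(fields) < 2:
        return False
    return (match_list(fields[0], lambda t: t in ("ALL", service))
            and match_list(fields[1], lambda t: match_host(t, host, ip)))

def hosts_access(allow_text, deny_text, service, host, ip):
    """Decide like tcpd: hosts.allow first, then hosts.deny, otherwise allow."""
    for line in allow_text.splitlines():
        if entry_matches(line, service, host, ip):
            return "allow"
    for line in deny_text.splitlines():
        if entry_matches(line, service, host, ip):
            return "deny"
    return "allow"                               # no match in either file

HOSTS_ALLOW = "ALL: LOCAL, .vbrew.com\nin.fingerd: 172.16.0.0/255.255.0.0\n"
HOSTS_DENY = "in.tftpd, in.fingerd: ALL EXCEPT LOCAL, .your.domain\n"
```

Calling hosts_access(HOSTS_ALLOW, HOSTS_DENY, "in.telnetd", "biff.foobar.com", "10.0.0.5") returns "allow" even though the host is untrusted, because neither file mentions that service: the default with no match is to accept, which is why a catch-all entry in hosts.deny matters.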
<P>The optional <TT CLASS="REPLACEABLE"><I>shellcmd</I></TT> field may contain a shell
command to be invoked when the entry is matched. This is useful to set up
traps that may expose potential attackers. The following example creates
a log file listing the service and host connecting, and if the host is not
<I CLASS="EMPHASIS">vlager.vbrew.com</I> it will append the
output of a <B CLASS="COMMAND">finger</B> to that host:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="SCREEN">in.ftpd: ALL EXCEPT LOCAL, .vbrew.com : \
          echo "request from %d@%h" >> /var/log/finger.log; \
          if [ %h != "vlager.vbrew.com" ]; then \
            finger -l @%h >> /var/log/finger.log; \
          fi</PRE></TD></TR></TABLE></P>

<P>The <SPAN CLASS="SYSTEMITEM">%h</SPAN> and
<SPAN CLASS="SYSTEMITEM">%d</SPAN> arguments are expanded by
<B CLASS="COMMAND">tcpd</B> to the client hostname and service name,
respectively. Please refer to the <TT CLASS="FILENAME">hosts_access(5)</TT>
manual page for details.</P>
</DIV>
<H3 CLASS="FOOTNOTES">Notes</H3>
<TABLE BORDER="0" CLASS="FOOTNOTES" WIDTH="100%">
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="5%"><A NAME="FTN.X-087-2-FNFE01" HREF="x-087-2-appl.tcpd.html#X-087-2-FNFE01">[1]</A></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="95%"><P>Written by Wietse Venema,
<SPAN CLASS="SYSTEMITEM">wietse@wzv.win.tue.nl</SPAN>.</P></TD>
</TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="5%"><A NAME="FTN.X-087-2-FNFE02" HREF="x-087-2-appl.tcpd.html#X-087-2-FNFE02">[2]</A></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="95%"><P>Usually only local hostnames obtained from lookups in
<TT CLASS="FILENAME">/etc/hosts</TT> contain no dots.</P></TD>
</TR>
<TR>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="5%"><A NAME="FTN.X-087-2-FNFE03" HREF="x-087-2-appl.tcpd.html#X-087-2-FNFE03">[3]</A></TD>
<TD ALIGN="LEFT" VALIGN="TOP" WIDTH="95%"><P>While its name suggests it is an extreme measure, the <SPAN CLASS="SYSTEMITEM">PARANOID</SPAN> keyword is
a good default, as it protects you against malicious hosts pretending to
be someone they are not. Not all <B CLASS="COMMAND">tcpd</B> binaries are supplied with
<SPAN CLASS="SYSTEMITEM">PARANOID</SPAN> compiled in; if yours is not, you need to recompile
<B CLASS="COMMAND">tcpd</B> to use it.</P></TD>
</TR>
</TABLE>
<DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="x-087-2-appl.inetd.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="x-087-2-appl.services.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">The inetd Super Server</TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="x-087-2-appl.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">The Services and Protocols Files</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>