old-www/LDP/nag2/x-087-2-appl.tcpd.html

<HTML
><HEAD
><TITLE
>The tcpd Access Control Facility</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"><LINK
REL="HOME"
TITLE="Linux Network Administrators Guide"
HREF="index.html"><LINK
REL="UP"
TITLE="ImportantNetwork Features"
HREF="x-087-2-appl.html"><LINK
REL="PREVIOUS"
TITLE="The inetd Super Server"
HREF="x-087-2-appl.inetd.html"><LINK
REL="NEXT"
TITLE="The Services and Protocols Files"
HREF="x-087-2-appl.services.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux Network Administrators Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x-087-2-appl.inetd.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 12. ImportantNetwork Features</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x-087-2-appl.services.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="X-087-2-APPL.TCPD"
>12.2. The tcpd Access Control Facility</A
></H1
><P
>Since opening a computer to network access involves many security risks,
applications are designed to guard against several types of attacks. Some
security features, however, may be flawed (most drastically demonstrated by the
RTM Internet worm, which exploited a hole in a number of programs, including old
versions of the sendmail mail daemon), or do not distinguish between secure
hosts from which requests for a particular service will be accepted and
insecure hosts whose requests should be rejected. We've already briefly
discussed the <B
CLASS="COMMAND"
>finger</B
> and <B
CLASS="COMMAND"
>tftp</B
> services.
Network Administrator would want to limit access to these services to 
&#8220;trusted hosts&#8221; only, which is impossible with the usual setup, 
for which <B
CLASS="COMMAND"
>inetd</B
> provides this service either to all clients 
or not at all.</P
><P
>A useful tool for managing host-specific access is <B
CLASS="COMMAND"
>tcpd</B
>,
often called the daemon
&#8220;wrapper.&#8221;<A
NAME="X-087-2-FNFE01"
HREF="#FTN.X-087-2-FNFE01"
>[1]</A
>
For TCP services you want to monitor or protect, it is invoked instead of the
server program. <B
CLASS="COMMAND"
>tcpd</B
> checks if the remote host is allowed 
to use that service, and only if this succeeds will it execute the real server
program. <B
CLASS="COMMAND"
>tcpd</B
> also logs the request to the 
<B
CLASS="COMMAND"
>syslog</B
> daemon. Note that this does not work with 
UDP-based services.</P
><P
> 
For example, to wrap the <B
CLASS="COMMAND"
>finger</B
> daemon, you have to change
the corresponding line in <TT
CLASS="FILENAME"
>inetd.conf</TT
> from this:

<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
># unwrapped finger daemon
finger    stream tcp nowait bin    /usr/sbin/fingerd in.fingerd</PRE
></TD
></TR
></TABLE
>

to this:

<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
># wrap finger daemon
finger  stream  tcp     nowait  root    /usr/sbin/tcpd   in.fingerd</PRE
></TD
></TR
></TABLE
></P
><P
>&#13;Without adding any access control, this will appear to the client as
the usual <B
CLASS="COMMAND"
>finger</B
> setup, except that any requests are logged
to <B
CLASS="COMMAND"
>syslog</B
>'s <I
CLASS="EMPHASIS"
>auth</I
>
facility.</P
><P
> 
 
Two files called <TT
CLASS="FILENAME"
>/etc/hosts.allow</TT
> and 
<TT
CLASS="FILENAME"
>/etc/hosts.deny</TT
> implement access control.
They contain entries that allow and deny access to certain services and hosts.
When <B
CLASS="COMMAND"
>tcpd</B
> handles a request for a service such as
<B
CLASS="COMMAND"
>finger</B
> from a client host named
<SPAN
CLASS="SYSTEMITEM"
>biff.foobar.com</SPAN
>, it scans
<TT
CLASS="FILENAME"
>hosts.allow</TT
> and <TT
CLASS="FILENAME"
>hosts.deny</TT
>
(in this order) for an entry matching both the service and client host.
If a matching entry is found in <TT
CLASS="FILENAME"
>hosts.allow</TT
>, access
is granted and <B
CLASS="COMMAND"
>tcpd</B
> doesn't consult the
<TT
CLASS="FILENAME"
>hosts.deny</TT
> file. If no match is found in the
<TT
CLASS="FILENAME"
>hosts.allow</TT
> file, but a match is found in
<TT
CLASS="FILENAME"
>hosts.deny</TT
>, the request is rejected by closing down the
connection. The request is accepted if no match is found at all.</P
><P
>Entries in the access files look like this:

<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
><TT
CLASS="REPLACEABLE"
><I
>servicelist</I
></TT
>: <TT
CLASS="REPLACEABLE"
><I
>hostlist</I
></TT
> [:<TT
CLASS="REPLACEABLE"
><I
>shellcmd</I
></TT
>]</PRE
></TD
></TR
></TABLE
></P
><P
><TT
CLASS="REPLACEABLE"
><I
>servicelist</I
></TT
> is a list of service names from
<TT
CLASS="FILENAME"
>/etc/services</TT
>, or the keyword
<SPAN
CLASS="SYSTEMITEM"
>ALL</SPAN
>. To match all services except
<B
CLASS="COMMAND"
>finger</B
> and <B
CLASS="COMMAND"
>tftp</B
>, use
<SPAN
CLASS="SYSTEMITEM"
>ALL</SPAN
>
<SPAN
CLASS="SYSTEMITEM"
>EXCEPT</SPAN
>
<TT
CLASS="LITERAL"
>finger, tftp</TT
>.</P
><P
><TT
CLASS="REPLACEABLE"
><I
>hostlist</I
></TT
> is a list of hostnames, IP addresses,
or the keywords <SPAN
CLASS="SYSTEMITEM"
>ALL</SPAN
>,
<SPAN
CLASS="SYSTEMITEM"
>LOCAL</SPAN
>,
<SPAN
CLASS="SYSTEMITEM"
>UNKNOWN</SPAN
> or
<SPAN
CLASS="SYSTEMITEM"
>PARANOID</SPAN
>.
<SPAN
CLASS="SYSTEMITEM"
>ALL</SPAN
> matches any host, while
<SPAN
CLASS="SYSTEMITEM"
>LOCAL</SPAN
> matches hostnames that don't 
contain a dot.<A
NAME="X-087-2-FNFE02"
HREF="#FTN.X-087-2-FNFE02"
>[2]</A
>

<SPAN
CLASS="SYSTEMITEM"
>UNKNOWN</SPAN
> matches any hosts whose name
or address lookup failed. <SPAN
CLASS="SYSTEMITEM"
>PARANOID</SPAN
>
matches any host whose hostname does not resolve back to its IP
address.<A
NAME="X-087-2-FNFE03"
HREF="#FTN.X-087-2-FNFE03"
>[3]</A
>

A name starting with a dot matches all hosts whose domain is equal to this
name. For example, <SPAN
CLASS="SYSTEMITEM"
>.foobar.com</SPAN
> matches
<SPAN
CLASS="SYSTEMITEM"
>biff.foobar.com</SPAN
>, but not
<SPAN
CLASS="SYSTEMITEM"
>nurks.fredsville.com</SPAN
>. A pattern that
ends with a dot matches any host whose IP address begins with the supplied
pattern, so <SPAN
CLASS="SYSTEMITEM"
>172.16.</SPAN
> matches
<SPAN
CLASS="SYSTEMITEM"
>172.16.32.0</SPAN
>, but not
<SPAN
CLASS="SYSTEMITEM"
>172.15.9.1</SPAN
>. A pattern of the form
<TT
CLASS="LITERAL"
><TT
CLASS="REPLACEABLE"
><I
>n.n.n.n</I
></TT
>/<TT
CLASS="REPLACEABLE"
><I
>m.m.m.m</I
></TT
></TT
><I
CLASS="EMPHASIS"
></I
> is treated as an IP address and network mask, so we could specify
our previous example as
<SPAN
CLASS="SYSTEMITEM"
>172.16.0.0/255.255.0.0</SPAN
> instead.
Lastly, any pattern beginning with a &#8220;/&#8221; character allows you to
specify a file that is presumed to contain a list of hostname or IP address
patterns, any of which are allowed to match. So a pattern that looked like
<I
CLASS="EMPHASIS"
>/var/access/trustedhosts</I
> would cause
the <B
CLASS="COMMAND"
>tcpd</B
> daemon to read that file, testing if any of the
lines in it matched the connecting host.</P
><P
>To deny access to the <B
CLASS="COMMAND"
>finger</B
> and <B
CLASS="COMMAND"
>tftp</B
>
services to all but the local hosts, put the following in
<TT
CLASS="FILENAME"
>/etc/hosts.deny</TT
> and leave
<TT
CLASS="FILENAME"
>/etc/hosts.allow</TT
> empty:

<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>in.tftpd, in.fingerd: ALL EXCEPT LOCAL, <TT
CLASS="REPLACEABLE"
><I
>.your.domain</I
></TT
></PRE
></TD
></TR
></TABLE
></P
><P
>The optional <TT
CLASS="REPLACEABLE"
><I
>shellcmd</I
></TT
> field may contain a shell
command to be invoked when the entry is matched. This is useful to set up
traps that may expose potential attackers. The following example creates
a log file listing the user and host connecting, and if the host is not
<I
CLASS="EMPHASIS"
>vlager.vbrew.com</I
> it will append the
output of a <B
CLASS="COMMAND"
>finger</B
> to that host:

<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>in.ftpd: ALL EXCEPT LOCAL, .vbrew.com : \
      echo "request from %d@%h: &#62;&#62; /var/log/finger.log; \
      if [ %h != "vlager.vbrew.com:" ]; then \ 
          finger -l @%h &#62;&#62; /var/log/finger.log \
      fi</PRE
></TD
></TR
></TABLE
></P
><P
>The <SPAN
CLASS="SYSTEMITEM"
>%h</SPAN
> and
<SPAN
CLASS="SYSTEMITEM"
>%d</SPAN
> arguments are expanded by
<B
CLASS="COMMAND"
>tcpd</B
> to the client hostname and service name,
respectively. Please refer to the <TT
CLASS="FILENAME"
>hosts_access(5)</TT
>
manual page for details.

&#13;</P
></DIV
><H3
CLASS="FOOTNOTES"
>Notes</H3
><TABLE
BORDER="0"
CLASS="FOOTNOTES"
WIDTH="100%"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.X-087-2-FNFE01"
HREF="x-087-2-appl.tcpd.html#X-087-2-FNFE01"
>[1]</A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>Written by Wietse Venema,
<SPAN
CLASS="SYSTEMITEM"
>wietse@wzv.win.tue.nl</SPAN
>.</P
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.X-087-2-FNFE02"
HREF="x-087-2-appl.tcpd.html#X-087-2-FNFE02"
>[2]</A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>Usually only local hostnames obtained from lookups in
<TT
CLASS="FILENAME"
>/etc/hosts</TT
> contain no dots.</P
></TD
></TR
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.X-087-2-FNFE03"
HREF="x-087-2-appl.tcpd.html#X-087-2-FNFE03"
>[3]</A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>While its name suggests it is an extreme measure, the <SPAN
CLASS="SYSTEMITEM"
>PARANOID</SPAN
> keyword is
a good default, as it protects you against mailicious hosts pretending to
be someone they are not. Not all <B
CLASS="COMMAND"
>tcpd</B
> are supplied with
<SPAN
CLASS="SYSTEMITEM"
>PARANOID</SPAN
> compiled in; if yours is not, you need to recompile
<B
CLASS="COMMAND"
>tcpd</B
> to use it.</P
></TD
></TR
></TABLE
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x-087-2-appl.inetd.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x-087-2-appl.services.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>The inetd Super Server</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="x-087-2-appl.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>The Services and Protocols Files</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>