%%%%%%%%%%%%%%%%%%%%%%%% \ Tcp Wrappers \- %%%%%%%%%%%%%%%%%%%%%%%%

An Introduction to TCP Wrappers

lothos
lothos@thepentagon.com

The TCP Wrappers program, from Wietse Venema, is an easy-to-use utility for host- and network-based access control, with logging, for services started by inetd(8). TCP Wrappers will let you finger people who connect to you, display a banner for incoming telnet connections, or run an arbitrary command, and it will also defeat some spoofing attacks by checking that the client's IP address and hostname agree: the name returned by a reverse lookup of the address must itself resolve back to that address, otherwise the client is treated as having an unknown hostname.

_Getting TCP Wrappers_

TCP Wrappers is shipped with many flavors of unix, including BSD/OS, OpenBSD, and possibly other *BSD flavors. It comes standard with Linux, but is rarely configured correctly. You can get tcp_wrappers from ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz, or from ftp://coast.cs.purdue.edu/pub/tools/tcp_wrappers. Version 7.6 is the latest as of this writing.

_Installing TCP Wrappers_

The "advanced" way to install tcp_wrappers, as described in the README, is actually the easier one, so that is the method I will describe.

1. Copy the current /etc/inetd.conf to another location as a backup, such as /etc/inetd.conf.dist.

2. Edit the tcp_wrappers Makefile to say where the real daemons are located. Under OpenBSD I would uncomment REAL_DAEMON_DIR=/usr/libexec.

3. If you want the language extensions enabled, uncomment the following line:

    #STYLE = -DPROCESS_OPTIONS # Enable language extensions.

   I recommend uncommenting this line. It makes access control easier by letting you put all of your rules in one file instead of two (each rule then ends in an explicit allow or deny option), and it also enables the extra features, including banners and commands.

4. Next, compile tcp_wrappers. If you simply type 'make' it will print an error message: you must name your system type as the make target, as listed in that error message (for example 'make linux' or 'make freebsd').

_Configuring /etc/inetd.conf_

You must edit your inetd.conf file in order to use tcp_wrappers. Change each wrapped service so that the server program is tcpd rather than the real daemon.
The line

    telnet stream tcp nowait root /usr/libexec/telnetd telnetd

should be changed to:

    telnet stream tcp nowait root /usr/libexec/tcpd telnetd

or wherever your tcpd lives. The server-program field now names tcpd; the argument field still names the real daemon, and tcpd looks for it under REAL_DAEMON_DIR. Sending inetd a HUP signal ('kill -HUP' with inetd's process id) makes it re-read the file.

_Access Control_

Access is controlled by two files, /etc/hosts.allow and /etc/hosts.deny. tcpd consults hosts.allow first and then hosts.deny; the first matching rule wins, and a client that matches neither file is allowed. If you built with the language extensions as described above, you will only need the /etc/hosts.allow file, because every rule can carry its own allow or deny option. The format of a rule is:

    daemon_list : client_list : option : option ...

A simple example to demonstrate this:

    fingerd : local.machine.com : ALLOW

NOTE: You should use IP addresses rather than hostnames for increased security; a hostname rule is only as trustworthy as the DNS that resolves it.

TCP Wrappers logs to the syslog facility mail at level info (MAIL.INFO) by default, but this can be changed in the Makefile (the FACILITY and SEVERITY settings). I have also set up my /etc/syslog.conf file so that the logs go to both a file and to /dev/ttyC7 so I can read them in real time.

_Advanced Options_

Banners

Banners display a message to someone connecting to your machine. The banners option names a directory, and tcpd looks in it for a file named after the daemon (for telnetd that is /etc/Banners/telnetd if the directory is /etc/Banners); I have mine set up in /etc/Banners. Using banners, you can have separate banners for allowed hosts and denied hosts by using two directories (/etc/Banners/allowed/, for example) and naming a different one in the allow rule and in the deny rule. An example of a banner, as the connecting user sees it:

    Trying 192.168.0.0...
    Connected to 192.168.0.0.
    Escape character is '^]'.

    WARNING: This computer system is for authorized users only.
    Any unauthorized access will be logged and prosecuted.
    You have been logged as: root@phear.com

    OpenBSD/i386 (phear) (ttyp5)

    login:

You can make your banners as simple or complex as you'd like. %c expands to username@hostname, assuming the other computer has identd running; without an identd answer you only get the hostname or address. Some expansions that can be used are:

    Token   Mnemonic       Expands to:
    %a      address        IP address of the client
    %c      client info    username@hostname
    %s      server info    daemon@host

There are many more; these are the ones I use most frequently. A denied host sees:

    Trying 192.168.0.0...
    Connected to 192.168.0.0.
    Escape character is '^]'.
    Connection closed by foreign host.
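The %<letter> tokens above are substituted by tcpd before a banner is sent, and the same substitution is applied to the shell commands in spawn and twist options. The following is an added example modelling that expansion; it is not code from the tcp_wrappers package. The Request field names are assumptions, and the set of shell metacharacters replaced by underscores is this example's own choice (hosts_access(5) only promises that characters which could confuse the shell are replaced). The point it makes: the hostname comes from DNS and the user name from the client's identd, both controlled by the remote side, so every expansion is sanitised before it can reach a command line.

```python
"""Model of tcpd's %<letter> expansion as used in banner files and in
spawn/twist commands.  Added illustration, not tcp_wrappers code; the
Request fields and the SHELL_META set are assumptions of this example."""
from dataclasses import dataclass
from typing import List, Optional

# Characters in an expansion that are neutralised before the text can reach a
# shell.  The exact set is this example's own choice.
SHELL_META = set("`'\"\\;&|<>$^*()\n")
UNKNOWN = "unknown"


@dataclass
class Request:
    """What tcpd knows about one connection (assumed field names)."""
    daemon: str                        # e.g. "telnetd"
    pid: int
    client_addr: str
    client_name: Optional[str] = None  # None if the reverse lookup failed
    client_user: Optional[str] = None  # None if there was no identd answer
    server_addr: str = "192.168.0.1"
    server_name: Optional[str] = "phear"


def _hostinfo(name: Optional[str], addr: str) -> str:
    """Host name if known, otherwise the address (tcpd's %h / %H)."""
    return name if name else addr


def _client(req: Request) -> str:
    """%c: user@host when identd answered, otherwise just the host info."""
    host = _hostinfo(req.client_name, req.client_addr)
    return f"{req.client_user}@{host}" if req.client_user else host


def _sanitize(text: str) -> str:
    return "".join("_" if ch in SHELL_META else ch for ch in text)


def expand(template: str, req: Request,
           warnings: Optional[List[str]] = None) -> str:
    """Expand %<letter> tokens the way tcpd does for banners, spawn and twist.

    %% yields a literal percent sign; an unrecognised token expands to
    nothing and is reported through `warnings` (tcpd logs a warning).
    Every expansion is sanitised because its content is remote-controlled."""
    table = {
        "a": lambda: req.client_addr,
        "A": lambda: req.server_addr,
        "c": lambda: _client(req),
        "d": lambda: req.daemon,
        "h": lambda: _hostinfo(req.client_name, req.client_addr),
        "H": lambda: _hostinfo(req.server_name, req.server_addr),
        "n": lambda: req.client_name or UNKNOWN,
        "N": lambda: req.server_name or UNKNOWN,
        "p": lambda: str(req.pid),
        "s": lambda: f"{req.daemon}@{_hostinfo(req.server_name, req.server_addr)}",
        "u": lambda: req.client_user or UNKNOWN,
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%" or i + 1 >= len(template):
            out.append(ch)          # ordinary text, or a trailing lone '%'
            i += 1
            continue
        tok = template[i + 1]
        i += 2
        if tok == "%":
            out.append("%")
        elif tok in table:
            out.append(_sanitize(table[tok]()))
        elif warnings is not None:
            warnings.append(f"unrecognized %{tok}")
    return "".join(out)


# Constructed sample banner in the style of /etc/Banners/allowed/telnetd.
BANNER = (
    "WARNING: This computer system is for authorized users only.\n"
    "Any unauthorized access will be logged and prosecuted.\n"
    "You have been logged as: %c (connection to %s)\n"
)


def demo() -> str:
    """Render the sample banner for a constructed connection."""
    req = Request(daemon="telnetd", pid=4242, client_addr="10.0.0.7",
                  client_name="host.example.com", client_user="root")
    return expand(BANNER, req)


if __name__ == "__main__":
    print(demo(), end="")
    # A hostname carrying shell metacharacters, as a hostile DNS could return
    # it, is neutralised before it reaches "mailx -s %d-%h".
    bad = Request(daemon="fingerd", pid=1, client_addr="10.0.0.9",
                  client_name="x;reboot;.bad.com")
    print(expand("mailx -s %d-%h security@phear.com", bad))
```

Run it directly to see the rendered banner followed by the sanitised mailx command line; the second output shows why a hostname such as x;reboot;.bad.com cannot smuggle a second command into a spawn option.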
You can also specify a banner for denied connections by naming a banner directory in the deny rule, to tell the user why access is refused. If you want to allow fingerd from local hosts and have external hosts refused with a message, you would configure /etc/hosts.allow like so:

    fingerd : LOCAL : allow
    fingerd : ALL : twist /bin/cat /path/to/message

The twist option runs a shell command and hands the connection to it, so the client sees the command's output and the connection ends when the command does; use cat (or echo) to send a message file, because a bare path in a twist option would be executed as a program. The real fingerd is never started for a twisted connection.

You can also tell tcpd to finger anyone attempting to connect to your machine, with the spawn option. We do not finger finger connections, to prevent a continuous loop where the remote machine also fingers connections back:

    ALL EXCEPT fingerd : bad.com : spawn (/usr/local/bin/safe_finger -l @%h | \
        /bin/mailx -s %d-%h security@phear.com) &

The spawn keyword is required: with the language extensions, every field after the client list has to begin with an option name, and tcpd rejects the rule otherwise. You can split a rule over two or more lines by ending a line with a backslash. safe_finger is used because it filters out any nasty control characters the remote finger server could send back. This rule mails the result of finger @bad.com to the user of your choice. Note that, sitting in hosts.allow without a trailing deny option, it still lets the connection through after the finger has been spawned; append ': deny' if you want bad.com refused as well as reported.

_Checking Access Control Settings_

Besides safe_finger, tcp_wrappers comes with two utilities that check your access control. From tcpdchk(8): tcpdchk examines your tcp wrapper configuration and reports all potential and real problems it can find. tcpdmatch takes a daemon name and a client (for example 'tcpdmatch fingerd bad.com'), finds the matching rule in the access tables and tells you whether the request is allowed or denied, listing any banner or command options the rule would apply. Run it for the hosts you care about after every edit; this is a great way to see whether your access files are thorough enough.

_Limitations of tcpwrappers_

TCP Wrappers is exposed to IP spoofing because it uses the client's IP address (or the name that address resolves to) as the basis for its decisions; it authenticates addresses, not users. tcpd itself only protects daemons started by inetd(8); a standalone daemon has to be linked against the libwrap library shipped with the package to get the same checks. It also provides only limited support for UDP services. There is a patch that allows tcp_wrappers to be used with sendmail 8.8.8, but IMHO the wrapper that comes with the TIS Firewall Toolkit is much better. See www.tis.com for more info.
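The allow/twist/spawn rules above and the tcpdmatch check are easiest to reason about with the matching algorithm in front of you. The following is an added example, not code from the tcp_wrappers package: a small model of the hosts.allow evaluation that tcpd and tcpdmatch perform for the extended (PROCESS_OPTIONS) syntax, with a constructed hosts.allow built from this article's rules. It handles ALL, LOCAL, KNOWN, UNKNOWN, EXCEPT, .domain suffixes, address prefixes, net/mask pairs and the allow, deny, spawn and twist options; server-endpoint patterns, PARANOID and option arguments containing ':' are left out, and the function names are this example's own.

```python
"""Model of the hosts.allow matching done by tcpd and tcpdmatch, for the
extended (PROCESS_OPTIONS) rule syntax.  Added example, not tcp_wrappers
code; function and class names are this example's own."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Rule:
    daemons: str          # daemon_list field, e.g. "ALL EXCEPT fingerd"
    clients: str          # client_list field, e.g. ".bad.com"
    options: List[str]    # remaining fields, e.g. ["spawn (...) &", "deny"]
    line: int             # line the rule starts on, for reporting


@dataclass
class Verdict:
    access: str           # "granted", "denied", or "delegated" (twist)
    rule: Optional[Rule]  # first matching rule; None if nothing matched
    commands: List[str]   # spawn/twist commands the rule would run


def parse_rules(text: str) -> List[Rule]:
    """'#' comments and blank lines are skipped, a trailing backslash joins
    the next line, and ':' separates the fields of a rule."""
    rules, logical, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = n
        if raw.rstrip().endswith("\\"):
            logical += raw.rstrip()[:-1]
            continue
        line, logical = (logical + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"line {start}: need daemon_list : client_list")
        rules.append(Rule(fields[0], fields[1], fields[2:], start))
    return rules


def _list_match(spec: str, match: Callable[[str], bool]) -> bool:
    """tcpd list semantics: 'a b EXCEPT c d' matches when a or b matches and
    the list after EXCEPT does not; EXCEPT groups to the right."""
    tokens = spec.split()
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return (_list_match(" ".join(tokens[:i]), match)
                    and not _list_match(" ".join(tokens[i + 1:]), match))
    return any(match(t) for t in tokens)


def _client_match(tok: str, addr: str, name: Optional[str]) -> bool:
    """One client_list pattern against the client's address and, when the
    reverse lookup succeeded and verified, its host name."""
    key = tok.upper()
    if key == "ALL":
        return True
    if key == "LOCAL":                       # a host name without a dot
        return name is not None and "." not in name
    if key == "KNOWN":
        return name is not None
    if key == "UNKNOWN":
        return name is None
    if tok.startswith("."):                  # domain suffix
        return name is not None and name.lower().endswith(tok.lower())
    if tok.endswith("."):                    # address prefix, e.g. 192.168.
        return addr.startswith(tok)
    if "/" in tok:                           # net/mask with a dotted mask
        net, mask = tok.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return tok == addr or (name is not None and tok.lower() == name.lower())


def hosts_access(rules: List[Rule], daemon: str, addr: str,
                 name: Optional[str] = None) -> Verdict:
    """First matching rule decides.  These rules live in hosts.allow, so a
    match carrying neither allow nor deny still grants access, as does a
    client that matches no rule; a final 'ALL : ALL : deny' is what turns
    the file into a default-deny policy."""
    for rule in rules:
        if not _list_match(rule.daemons,
                           lambda t: t.upper() == "ALL" or t == daemon):
            continue
        if not _list_match(rule.clients,
                           lambda t: _client_match(t, addr, name)):
            continue
        access, commands = "granted", []
        for opt in rule.options:
            word, _, arg = opt.partition(" ")
            word = word.lower()
            if word == "spawn":              # runs a child, does not decide
                commands.append(arg.strip())
            elif word == "twist":            # connection goes to the command
                commands.append(arg.strip())
                access = "delegated"
                break
            elif word in ("allow", "deny"):  # terminal, must come last
                access = "granted" if word == "allow" else "denied"
                break
            # banners, severity and the like leave the verdict alone
        return Verdict(access, rule, commands)
    return Verdict("granted", None, [])


# Constructed hosts.allow in the style of this article (not a real host's file).
HOSTS_ALLOW = """\
fingerd : LOCAL : allow
fingerd : ALL : twist /bin/cat /etc/Banners/denied/fingerd
ALL EXCEPT fingerd : .bad.com : spawn (/usr/local/bin/safe_finger -l @%h | \\
    /bin/mailx -s %d-%h security@phear.com) & : deny
telnetd : 192.168.0.0/255.255.255.0 : banners /etc/Banners/allowed : allow
ALL : ALL : deny
"""


def report(daemon: str, addr: str, name: Optional[str] = None) -> str:
    """tcpdmatch-style one-line summary for one client."""
    v = hosts_access(parse_rules(HOSTS_ALLOW), daemon, addr, name)
    where = f"line {v.rule.line}" if v.rule else "no rule"
    return f"{daemon} from {name or addr}: access {v.access} ({where})"


if __name__ == "__main__":
    for args in (("fingerd", "192.168.0.5", "bob"),
                 ("fingerd", "10.1.1.1", "www.bad.com"),
                 ("telnetd", "10.1.1.1", "www.bad.com"),
                 ("telnetd", "192.168.0.5"),
                 ("telnetd", "10.9.9.9")):
        print(report(*args))
```

Two things worth noticing when you run it: a finger request from www.bad.com hits the twist rule before the spawn rule ever gets a look, which is exactly why the spawn rule says ALL EXCEPT fingerd; and dropping the trailing ': deny' from the spawn rule changes that client's telnet verdict from denied to granted, because a rule in hosts.allow without an explicit deny is an allow.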
_Sources and More Info_

Read the man pages for more info: tcpd(8), tcpdchk(8), tcpdmatch(8), hosts_access(5), and hosts_options(5). There is also information about tcp_wrappers in Practical Unix and Internet Security by Simson Garfinkel and Gene Spafford.

Shoutouts: Legions of the Underground, Tara, Stratus, MostHateD, [gH], noderatz.