TCP Wrapper. Provides host-based access control to network services

Slide 1: TCP Wrapper

Provides host-based access control to network services. It has the following features:
- Logging
- Access Control
- Host Name Verification
- User Name Verification
- Spoofing Protection

Notes: The TCP wrappers package (tcp_wrappers) was installed by default on the distributions current when this deck was written (newer ones, Red Hat Enterprise Linux 8 onward for example, no longer ship it) and provides host-based access control to network services. It has the following features:
- Logging - connections that are monitored by the TCP wrappers daemon (tcpd) are reported through the syslog facility.
- Access Control - tcpd supports a simple form of access control that is based on pattern matching. You can also hook the execution of shell commands and scripts when a pattern matches an IP address/mask.
- Host Name Verification - tcpd verifies the client

Slide 2: TCP Wrapper

Has the following advantages over other network service control techniques:
- Transparency to both the client host and the wrapped network service - both the connecting client and the wrapped network service are unaware that TCP wrappers are in use. Allowed clients are connected to the requested service while connections from disallowed clients fail.
- Centralized management of multiple protocols - TCP wrappers operate separately from the network services they protect, allowing many server applications to share a common set of configuration files for simpler management.

Slide 3: TCP Wrapper Advantages

TCP wrappers provide the following advantages over other network service control techniques:
- Transparency - both the connecting client and the wrapped network service are unaware that TCP wrappers are in use.
- Centralized management - TCP wrappers operate separately from the network services they protect, allowing many server applications to share a common set of configuration files for simpler management.

Notes: TCP wrappers provide the following advantages over other network service control techniques:
- Transparency to both the client host and the wrapped network service: both the connecting client and the wrapped network service are unaware that TCP wrappers are in use. Legitimate users are logged and connected to the requested service while connections from banned clients fail.
- Centralized management of multiple protocols: TCP wrappers operate separately from the network services they protect, allowing many server applications to share a common set of configuration files for simpler management.

Slide 4: TCP Wrapper Disadvantages
- Services must be compiled with the libwrap library, or be started through tcpd by a super-server such as inetd or xinetd
- Ident service not reliable
- Doesn't wrap RPC services
- TCP wrappers are not a firewall replacement

Notes: Disadvantages:
- Services must be compiled with the libwrap library. The tcpd program itself only works in conjunction with a super-server such as inetd or xinetd; a daemon that listens on its own (sshd, for example) is only wrapped if it is linked against libwrap.
- Ident service not reliable - it is nearly impossible for the administrators of the remote service to know whether specific users are connecting via a trustable server or from a computer they themselves control. In the latter case the ident service provides no reliable information.
- Doesn't wrap RPC services.

Slide 5: TCP Wrapper Files
- tcpd - the TCP wrappers daemon
- tcpdchk and tcpdmatch - test programs for tcpd
- /etc/hosts.allow - names of the hosts allowed
- /etc/hosts.deny - names of the hosts NOT allowed

Note: hosts.allow is consulted first and the search stops at the first matching rule, so if the same client/user/IP is listed in both hosts.allow and hosts.deny, hosts.allow takes precedence and access is permitted. If the client is listed in hosts.allow, access is permitted. If the client is listed in hosts.deny, access is denied. If no rules for the service are found in either file, or if neither file exists, access to the service is granted; this default-allow is why a catch-all deny rule in hosts.deny matters.

Notes: Advantages:
- Logs and applies access controls to remote connections
- Lets you define which daemons are wrapped
- Performs reverse lookup on host IPs
Disadvantages:
- Ident service not reliable
- Only looks at network daemons spawned by inetd (xinetd has its own way of performing this function)
- Doesn't wrap ALL services (RPC)
- Could give a false sense of security
tcpdchk and tcpdmatch are the test programs for tcpd: tcpdchk examines the access files and reports syntax and consistency problems, and tcpdmatch predicts how tcpd would handle a given daemon/client request, which is the right way to check a rule before relying on it.

Slide 6: TCP Wrapper Services

In order to gain the benefit of TCP wrappers, the service must be compiled with TCP wrappers support. For example, to determine if sshd is compiled with TCP wrappers support, type the command:

    ldd /usr/sbin/sshd | grep libwrap
    libwrap.so.0 => /lib64/libwrap.so.0 (0x0..

If not supported, rebuild the program with the option to support it (for OpenSSH this was the --with-tcp-wrappers configure flag). OpenSSH removed libwrap support in version 6.7, so on a current build an empty grep result is expected and host restrictions for sshd have to be enforced elsewhere, for example in the firewall.

Notes: In order to gain the benefit of TCP wrappers, the service must be compiled to support them. To determine if the service you wish to protect with TCP wrappers is built with TCP wrappers support, use the command ldd, which prints shared library dependencies. For example, to determine if sshd is compiled with TCP wrappers support, type the command:

    ldd /usr/sbin/sshd
    linux-vdso.so.1 => (0x00007fff54dfe000)
    libfipscheck.so.1 =>

Slide 7: TCP Wrapper Operation
- tcpd intercepts the connection request
- tcpd evaluates the connection attributes against /etc/hosts.allow and /etc/hosts.deny
- If allowed, tcpd releases control of the connection to the requested service
- If denied, tcpd does not release control of the connection; the attempt is logged and the connection closed

Notes: When a connection attempt is made to a TCP wrapped service, tcpd first references the hosts access files (/etc/hosts.allow and /etc/hosts.deny) to determine if the client host is allowed to connect. If configured, and it should be, the name of the requesting host and the requested service is written using syslog. If a client host is allowed to connect, TCP wrappers release control of the connection to the requested service and do not interfere further with communication between the client host

Slide 8: TCP Wrapper Configuration

/etc/hosts.allow and /etc/hosts.deny use the format:

    daemon_list : client_list [ : option : option : ... ]

Where:
- daemon_list - a list of one or more daemons
- client_list - a list of one or more hosts
- option - optional action list

A rule that ends in a backslash continues on the next line; list items are separated by blanks or commas, and "list_1 EXCEPT list_2" matches anything in list_1 that is not in list_2.

Notes: Both /etc/hosts.allow and /etc/hosts.deny use the following format:

    daemon_list : client_list [ : option : option : ... ]

Where:
- daemon_list - a list of one or more daemon process names.
- client_list - a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.
- option - optional action or

Slide 9: TCP Wrapper Wildcards

The access control language supports explicit wildcards:
- ALL - The universal wildcard, always matches
- LOCAL - Matches any host whose name does not contain a dot
- UNKNOWN - Matches any unknown name/address
- KNOWN - Matches any known name/address
- PARANOID - Matches any host whose name does not match its address

Notes: Wildcards - the access control language supports explicit wildcards:
- ALL - The universal wildcard, always matches.
- LOCAL - Matches any host whose name does not contain a dot character.
- UNKNOWN - Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure

Slide 10: TCP Wrapper Examples

Set the default policy to deny all access (/etc/hosts.deny):

    ALL : ALL

Explicitly permit authorized hosts (/etc/hosts.allow):

    popd : 192.168.1.200 192.168.1.104
    imapd : 192.168.1.0/255.255.255.0
    sendmail : 192.168.1.0/255.255.255.0
    sshd : .xyz.com

A pattern with a leading dot (.xyz.com) matches any host name ending in that suffix; a pattern with a trailing dot (192.168.1.) matches any address starting with that prefix. The daemon name in a rule must be the name the wrapped process runs under (its argv[0], such as in.ftpd or sshd), so verify each rule with tcpdmatch, giving it the daemon name and a client host, before relying on it.

Notes: TCPD configuration examples. Set the default policy to deny all access. Edit the file /etc/hosts.deny as follows:

    ALL : ALL

Once the default deny policy is applied, you have to explicitly permit authorized hosts by adding them to /etc/hosts.allow:

    popd : 192.168.1.200 192.168.1.104
    imapd : 192.168.1.0/255.255.255.0
    sendmail : 192.168.1.0/255.255.255.0

Slide 11: TCP Wrapper twist Option

Send a message back to the source of the attempted connection instead of the service. Append the following to /etc/hosts.allow:

    ALL : .notallowed.com \
        : severity auth.info \
        : twist /bin/echo "Not allowed to use %d from %h."

The message "Not allowed to use daemon from hostname." will be returned for any daemon not previously configured in the access file: rules are matched in order and the first match wins, so a rule appended to hosts.allow only sees requests that no earlier hosts.allow line accepted. twist replaces the requested service with the given command; its output goes to the client and the connection is closed when the command exits, so the client never reaches the real daemon even though the rule lives in hosts.allow. The severity option sets the syslog facility and level used to log the match.

Notes: Suppose that a situation occurs where a connection should be denied and a reason should be sent to the source of the attempted connection. That action is possible with twist. When a connection attempt is made, twist executes a shell command or script and sends its output to the source of the attempted connection. For example, append the following to /etc/hosts.allow:

    ALL : .notallowed.com \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."

In this example, the message You are

Slide 12: TCP Wrapper spawn Option

Another possibility is to use spawn, which runs a command on the local system and sends no message to the source of the attempted connection. For example:

    ALL : .malware.com \
        : spawn (/bin/echo %a from %h attempted to access %d >> \
          /var/log/connections.log) \
        : deny

This will deny all connection attempts from *.malware.com and log the IP address (%a), the host name (%h) and the accessed daemon (%d) to /var/log/connections.log. The deny option is what refuses the connection; without it a match in hosts.allow would run the command and then admit the client. tcpd replaces shell metacharacters in % expansions with underscores, so a hostile reverse-DNS name cannot inject commands into the spawned shell.

Notes: Another possibility is to use spawn, which runs commands on the local system and sends no message to the source of the attempted connection. For example, the following:

    ALL : .malware.com \
        : spawn (/bin/echo %a from %h attempted to access %d >> \
          /var/log/connections.log) \
        : deny

This will deny all connection attempts from *.malware.com and log the hostname, IP address, and the daemon to which access was attempted to
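The decision procedure spread over slides 5, 8, 9, 10, 11 and 12 (hosts.allow first, then hosts.deny, first match wins, default allow; the wildcards; EXCEPT; the twist and spawn options with their % expansions) is small enough to re-implement, and doing so is the quickest way to see why a given client ends up where it does. The Python below is an added example and is not code from the slides or from the tcp_wrappers package; it is a miniature tcpdmatch. The two access files and the client records are constructed for the example; the set of characters it treats as shell-safe when expanding %h and friends approximates what tcpd does (everything else becomes an underscore) and is an assumption; netgroups, daemon@host, user@host and the shell-style * and ? patterns are left out. Use the real tcpdmatch on a production host; this is for understanding the rules.

```python
# Miniature tcpdmatch: evaluates hosts.allow / hosts.deny the way tcpd does. Added example, not
# from the slides; rules and clients are constructed, the shell-safe set for % is an assumption.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, NamedTuple, Optional


@dataclass
class Client:
    address: str                       # client IP address as tcpd sees it
    hostname: Optional[str] = None     # None: reverse lookup failed -> UNKNOWN
    name_matches_address: bool = True  # False: forward lookup disagrees -> PARANOID


class Decision(NamedTuple):
    verdict: str                # "allow" or "deny"
    matched: Optional[str]      # rule line that decided, None when nothing matched
    commands: List[str]         # expanded spawn/twist command lines


# Anything outside this set becomes '_' in % expansions (approximates tcpd's percent_x.c), so a
# hostile PTR record such as "bad;id.malware.com" cannot inject commands into a spawned shell.
_UNSAFE = re.compile(r"[^A-Za-z0-9_\-+.:/@]")


def expand(template: str, daemon: str, c: Client) -> str:
    """%-expansion from hosts_access(5): %a address, %d daemon, %h host, %n name, %% literal."""
    subst = {"a": c.address, "d": daemon, "h": c.hostname or c.address, "n": c.hostname or "unknown"}
    return re.sub(r"%(.)", lambda m: "%" if m.group(1) == "%"
                  else _UNSAFE.sub("_", subst.get(m.group(1), "")), template)


def _match_list(tokens: List[str], match_one) -> bool:
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return _match_list(tokens[:i], match_one) and not _match_list(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)


def _match_client(pattern: str, c: Client) -> bool:
    known = c.hostname is not None and c.name_matches_address   # name patterns need a verified name
    wild = {"ALL": True, "KNOWN": known, "UNKNOWN": c.hostname is None,
            "PARANOID": c.hostname is not None and not c.name_matches_address,
            "LOCAL": known and "." not in (c.hostname or "")}
    if pattern.upper() in wild:
        return wild[pattern.upper()]
    if pattern.startswith("."):    # domain suffix, e.g. .xyz.com
        return known and c.hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):      # address prefix, e.g. 192.168.1.
        return c.address.startswith(pattern)
    if "/" in pattern:             # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(c.address) in ipaddress.ip_network(pattern, strict=False)
    return pattern == c.address or (known and pattern.lower() == c.hostname.lower())


def parse_rules(text: str):
    """Yield (daemon_list, client_list, options, line) per rule; a trailing '\\' continues a line."""
    tokens = lambda s: [t for t in re.split(r"[\s,]+", s.strip()) if t]
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in re.split(r"(?<!\\):", line)]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        yield tokens(fields[0]), tokens(fields[1]), fields[2:], line


def check_access(daemon: str, client: Client, allow_text: str, deny_text: str) -> Decision:
    """hosts.allow first, then hosts.deny, first match wins; no match anywhere means allow."""
    for default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options, line in parse_rules(text):
            if not (_match_list(daemons, lambda d: d.upper() == "ALL" or d == daemon)
                    and _match_list(clients, lambda p: _match_client(p, client))):
                continue
            verdict, commands = default, []
            for opt in options:                     # severity and friends are accepted and ignored
                word, _, arg = opt.partition(" ")
                word = word.lower()
                if word in ("spawn", "twist"):      # twist replaces the service: client never reaches it
                    commands.append(expand(arg.strip(), daemon, client))
                if word in ("allow", "deny", "twist"):   # allow/deny override the file's default
                    verdict = "deny" if word == "twist" else word
            return Decision(verdict, line, commands)
    return Decision("allow", None, [])


# Constructed access files mirroring the deck's examples (not copied from a real host).
HOSTS_ALLOW = """\
sshd : .xyz.com EXCEPT lab.xyz.com
imapd : 192.168.1.0/255.255.255.0
ALL : .notallowed.com : severity auth.info \\
    : twist /bin/echo "You are not welcome to use %d from %h."
ALL : .malware.com : spawn (/bin/echo %a from %h attempted to access %d >> /var/log/connections.log) : deny
"""
HOSTS_DENY = "ALL : ALL\n"


def demo() -> dict:
    """Decisions for constructed requests; the key names the case each one illustrates."""
    return {
        "mail": check_access("sshd", Client("10.0.0.5", "mail.xyz.com"), HOSTS_ALLOW, HOSTS_DENY),
        "lab": check_access("sshd", Client("10.0.0.6", "lab.xyz.com"), HOSTS_ALLOW, HOSTS_DENY),  # EXCEPT
        "imap": check_access("imapd", Client("192.168.1.77"), HOSTS_ALLOW, HOSTS_DENY),  # name unknown
        "paranoid": check_access("sshd", Client("10.0.0.7", "mail.xyz.com", False), HOSTS_ALLOW, HOSTS_DENY),
        "twist": check_access("sshd", Client("198.51.100.4", "x.notallowed.com"), HOSTS_ALLOW, HOSTS_DENY),
        "spawn": check_access("telnetd", Client("203.0.113.9", "bad;id.malware.com"), HOSTS_ALLOW, HOSTS_DENY),
        "nofiles": check_access("sshd", Client("10.0.0.5", "mail.xyz.com"), "", ""),  # both files empty
    }
```

The "paranoid" case is the one worth staring at: the host name looks like it belongs to .xyz.com, but because the name does not resolve back to the connecting address no name-based pattern matches it, and it falls through to the ALL : ALL line in hosts.deny. The "spawn" case shows the underscore substitution turning a PTR record carrying a semicolon into something harmless before it reaches the shell.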

Slide 13: Network Super Server
- Listens for network connections on behalf of another program
- Hands off control of that connection to the intended server
- Helps reduce memory load and improve security
- There are two different super servers:
  - inetd - uses TCP wrappers (tcpd) to handle security
  - xinetd - has built-in security features
- Servers that normally use a super server: telnet, FTP, TFTP, rlogin, finger, POP, IMAP

Slide 14: inetd Configuration

    service socket protocol {wait|nowait} user server parms

- service - name of the service from /etc/services
- socket - can be stream, dgram or raw
- protocol - can be tcp or udp
- wait/nowait - wait for dgram and nowait for other types
- user - username used to run the server
- server - server binary file, usually /usr/sbin/tcpd
- parms - parameters that are passed to the server; the first one is the program name (argv[0]), which tcpd uses to find the real daemon

    ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd

Notes: inetd has largely been replaced by xinetd on Linux distributions, so it is recommended to replace it with xinetd. You may run into existing systems using inetd, so it is good to know how to read the configuration so you can convert from inetd format to xinetd.
- Main configuration file: /etc/inetd.conf
- Other configuration files typically in /etc/inetd.d/
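As an added example (not code from the slides, nor from inetd or xinetd), the following Python reads inetd.conf entries and emits the equivalent xinetd stanzas, which is the conversion the notes recommend. The inetd.conf lines are constructed, the deck's ftp entry among them. Two details matter when converting: inetd passes the server's argv[0] explicitly while xinetd supplies it, so the first parameter must be dropped; and an entry whose server is /usr/sbin/tcpd names the real daemon in that first parameter, which tcpd looks up in its compiled-in daemon directory (assumed here to be /usr/sbin) when the name is not an absolute path.

```python
# Convert /etc/inetd.conf entries to xinetd service stanzas. Added example, not from the slides;
# the sample entries are constructed and /usr/sbin as tcpd's daemon directory is an assumption.
import shlex
from typing import Dict, List

TCPD_DAEMON_DIR = "/usr/sbin"   # where tcpd looks for a daemon given by bare name (assumption)


def parse_inetd_line(line: str) -> Dict[str, str]:
    """Split one inetd.conf entry: service socket protocol wait user server [argv0 args...]."""
    fields = shlex.split(line.split("#", 1)[0])
    if len(fields) < 6:
        raise ValueError(f"not an inetd entry: {line!r}")
    service, socket_type, protocol, wait, user, server = fields[:6]
    argv = fields[6:]                    # inetd passes argv[0] explicitly; xinetd supplies it
    wrapped = server.endswith("/tcpd")   # tcpd finds the real daemon through its argv[0]
    if wrapped:
        if not argv:
            raise ValueError(f"tcpd entry names no daemon: {line!r}")
        server = argv[0] if argv[0].startswith("/") else f"{TCPD_DAEMON_DIR}/{argv[0]}"
    user, *group = user.replace(":", ".").split(".", 1)   # inetd allows user.group or user:group
    entry = {
        "service": service,
        "socket_type": socket_type,
        "protocol": protocol,
        "wait": "yes" if wait.split(".")[0] == "wait" else "no",   # nowait.<max> rate-limit form
        "user": user,
        "server": server,
        "server_args": " ".join(argv[1:]),
        "tcp_wrapped": "yes" if wrapped else "no",
    }
    if group:
        entry["group"] = group[0]
    return entry


def to_xinetd(entry: Dict[str, str], only_from: List[str] = ()) -> str:
    """Render an xinetd stanza; only_from adds the slide-16 host restriction."""
    lines = [f"service {entry['service']}", "{", "\tdisable\t\t= no"]
    for key in ("socket_type", "protocol", "wait", "user", "group", "server", "server_args"):
        if entry.get(key):
            lines.append(f"\t{key:<11}\t= {entry[key]}")
    if only_from:
        lines.append(f"\tonly_from\t= {' '.join(only_from)}")
    lines.append("}")
    if entry["tcp_wrapped"] == "yes":
        lines.insert(0, "# was started through tcpd in inetd.conf: keep the hosts.allow/hosts.deny rules;\n"
                        "# xinetd applies them itself only when built with libwrap (check with ldd)")
    return "\n".join(lines)


# Constructed inetd.conf lines, the deck's ftp entry among them.
INETD_CONF = """\
# service socket protocol wait      user        server               args
ftp      stream tcp      nowait    root        /usr/sbin/tcpd       /usr/sbin/in.ftpd
telnet   stream tcp      nowait    root        /usr/sbin/tcpd       in.telnetd
tftp     dgram  udp      wait      nobody.tty  /usr/sbin/in.tftpd   in.tftpd -s /tftpboot
finger   stream tcp      nowait.40 nobody      /usr/sbin/in.fingerd in.fingerd -u
"""


def convert(conf: str = INETD_CONF) -> Dict[str, Dict[str, str]]:
    """Parse every active entry of an inetd.conf text, keyed by service name."""
    active = (ln for ln in conf.splitlines() if ln.split("#", 1)[0].strip())
    return {e["service"]: e for e in map(parse_inetd_line, active)}


if __name__ == "__main__":
    for e in convert().values():
        print(to_xinetd(e, ["192.168.1.0/24"]), end="\n\n")
```

Run it and diff the output against what is already in /etc/xinetd.d before installing anything; the tcp_wrapped flag tells you which services were relying on hosts.allow/hosts.deny and therefore need either a libwrap-enabled xinetd or an equivalent only_from line.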

Slide 15: xinetd Configuration

    service ftp
    {
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = ftp
        server      = /usr/sbin/in.ftpd
        server_args = -i
        disable     = no
    }

Disable a service: change disable to yes.
To restart the xinetd service: /etc/init.d/xinetd {restart|reload}

Notes:
- Configuration file: /etc/xinetd.conf
- Files in /etc/xinetd.d/ are included
- Each server run via xinetd installs a file in /etc/xinetd.d
- Syntax of /etc/xinetd.conf - Example: service ftp

Slide 16: xinetd Security Enhancements
- Listen on only one network interface for the service: bind = <IP address>
- Accept connections only from IP addresses: only_from = <IP addresses/network>
- Deny connections from IP addresses: no_access = <IP addresses/network>
- Set times during which users may access the server: access_times = hour:min-hour:min
- If access is prohibited, send a banner to the client: banner_fail = /usr/local/etc/deny_banner (banner_success is the counterpart shown when access is granted; the plain banner keyword is not conditional on the decision)

Notes: Using the following options in /etc/xinetd.conf:
- Listen on only one network interface for the service: bind = <IP address>
- Accept connections only from IP addresses (similar to TCP wrappers' hosts.allow): only_from = <IP addresses/network>
- Deny connections from IP addresses (similar to TCP wrappers' hosts.deny):

Slide 17: To Run or Not to Run xinetd

To run:
- Conserves resources
- Runs daemons only when needed
- Provides an additional layer of security
- Can turn virtually any script or program into a service

Not to run:
- Another vulnerable service
- Services can be secured using other methods
- Can be used to create a backdoor listener

Notes: Reasons to run xinetd: xinetd conserves resources, runs daemons only when needed, provides an additional layer of security and can "box" a service into a directory with "change root", and it can turn virtually any script or program into a service (this can be bad, see the next slide). Reasons not to run xinetd: like any additional service, it has suffered from vulnerabilities. Although, there are currently no known

Slide 18: xinetd Backdoor Listener

    service kazaa
    {
        disable     = no
        protocol    = tcp
        socket_type = stream
        wait        = no
        user        = root
        server      = /bin/bash
        server_args = -i
    }

xinetd reads this file and determines the port from /etc/services (kazaa appears in the IANA-derived /etc/services as 1214/tcp; an attacker who wants an arbitrary port can instead set type = UNLISTED and port = <number>). The result is an unauthenticated interactive root shell for anyone who can reach the port. When auditing a host, look through every file in /etc/xinetd.d for server values that are shells, interpreters or netcat-like tools, for user = root on such entries, and for enabled services with no only_from or no_access restriction.

Notes: Here is an example of an xinetd backdoor listener. Create the file /etc/xinetd.d/kazaa with the contents shown above.
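To find a stanza like the one above among everything in /etc/xinetd.d, parse the files rather than eyeballing them. The Python below is an added example (not from the slides or from xinetd): it parses xinetd service stanzas, including the += and -= list operators, and flags enabled services whose server is a shell, interpreter or netcat-like tool, that bind an interactive shell (-i), that carry no only_from/no_access restriction from slide 16, or that set an explicit port. The three stanzas are constructed: the deck's kazaa backdoor, the deck's ftp entry, and a hardened ftp entry; the list of shell-like programs is a starting point, not a complete one.

```python
# Audit xinetd service stanzas for backdoor-style entries and missing host restrictions.
# Added example, not from the slides; the stanzas are constructed (one is the deck's kazaa
# backdoor) and SHELL_LIKE is a starting list, not a complete one.
import os
import re
from typing import Dict, List

SHELL_LIKE = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh", "nc", "ncat", "netcat", "socat",
              "perl", "python", "python2", "python3", "ruby"}
_STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
_ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")


def parse_xinetd(text: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {attribute: value}} for every stanza; += and -= edit list values."""
    services: Dict[str, Dict[str, str]] = {}
    for m in _STANZA.finditer(text):
        attrs: Dict[str, str] = {}
        for raw in m.group(2).splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            am = _ATTR.match(line)
            if not am:
                raise ValueError(f"unparsable attribute in {m.group(1)}: {raw!r}")
            key, op, value = am.groups()
            if op == "+=":
                attrs[key] = (attrs.get(key, "") + " " + value).strip()
            elif op == "-=":
                drop = set(value.split())
                attrs[key] = " ".join(v for v in attrs.get(key, "").split() if v not in drop)
            else:
                attrs[key] = value.strip()
        services[m.group(1)] = attrs
    return services


def audit(services: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Findings per enabled service; an empty list means nothing suspicious was seen."""
    findings: Dict[str, List[str]] = {}
    for name, a in services.items():
        if a.get("disable", "no").lower() == "yes":
            continue                                   # a disabled stanza cannot listen
        problems: List[str] = []
        server = a.get("server", "")
        if os.path.basename(server) in SHELL_LIKE:
            problems.append(f"server {server} hands the socket to a shell/interpreter as user {a.get('user', '?')}")
            if "-i" in a.get("server_args", "").split():
                problems.append("server_args -i: interactive shell on the port")
        if not (a.get("only_from") or a.get("no_access")):
            problems.append("no only_from/no_access restriction (slide 16)")
        if a.get("type", "").upper() == "UNLISTED" or "port" in a:
            problems.append(f"explicit port {a.get('port', '?')}: not tied to a name in /etc/services")
        findings[name] = problems
    return findings


# Constructed /etc/xinetd.d contents: the deck's backdoor, the deck's ftp stanza, and a hardened
# ftp stanza that uses the slide-16 options.
XINETD_D = """\
service kazaa
{
    disable     = no
    protocol    = tcp
    socket_type = stream
    wait        = no
    user        = root
    server      = /bin/bash
    server_args = -i
}

service ftp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = ftp
    server      = /usr/sbin/in.ftpd
    server_args = -i
    disable     = no
}

service ftp-hardened
{
    socket_type  = stream
    protocol     = tcp
    wait         = no
    user         = ftp
    server       = /usr/sbin/in.ftpd
    bind         = 192.168.1.10
    only_from    = 192.168.1.0/24 10.0.0.0/8
    only_from   -= 10.0.0.0/8
    only_from   += 10.0.0.5
    access_times = 08:00-18:00
    banner_fail  = /usr/local/etc/deny_banner
    disable      = no
}
"""


def audit_text(text: str = XINETD_D) -> Dict[str, List[str]]:
    """Parse and audit a block of xinetd configuration text."""
    return audit(parse_xinetd(text))
```

On a real host, concatenate /etc/xinetd.conf and every file under /etc/xinetd.d and pass the result to audit_text; the defaults block is ignored by the parser, so a site-wide only_from set there will still show up as a finding on each service and has to be reconciled by hand.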

Slide 19: Evaluation Order

A connection must be allowed by each layer in turn; a rejection at any layer ends the attempt:

    Firewall
        rejected -> packet dropped or refused, the service never sees it
        allowed  -> TCP Wrappers (/etc/hosts.allow, /etc/hosts.deny)
                        rejected -> connection closed, attempt logged via syslog
                        allowed  -> TCP-wrapped network service (standalone daemon linked with libwrap)
                                    or xinetd (only_from, no_access, access_times)
                                        rejected -> connection closed, logged by xinetd
                                        allowed  -> xinetd-controlled network service

Notes: The firewall, TCP wrappers, and xinetd function independently of each other and each provides a layer of protection. When troubleshooting connectivity problems while using these services together, follow the chart and watch the logs to find the layer responsible. An xinetd built with libwrap also consults hosts.allow and hosts.deny for the services it starts, so an xinetd-controlled service can be refused at the TCP wrappers step before xinetd's own checks are reached.

Slide 20: Disable Services/Interfaces
- Disable DHCP, configure a static IP
- Disable or remove unused protocols such as IPv6
- Disable wireless networking (to include Bluetooth)
- Disable/remove clear-text protocols and use their secure replacements

Notes: Network interfaces and protocols: Most distributions use DHCP by default. For enhanced security, configure a static IP address. This ensures the system keeps the same address at all times, so that any external system such as a firewall or IDS that protects this system by address keeps doing so. Another solution would be to use a reservation in DHCP. Disable unused protocols such as IPv6; this prevents attackers from using protocols that you may not be monitoring (only do this where IPv6 is genuinely unused on the network, otherwise filter and monitor it like IPv4). Wireless networking presents a risk of information leakage. The best solution is to remove the wireless hardware, but if that is not feasible, then the drivers can be removed. Although Bluetooth supposedly has a limited range, there are proof-of-concept interceptions of Bluetooth signals from a fairly large distance. It may also be possible to disable wireless in the BIOS. Disable/remove all clear-text protocols. Use other options such as SSH.