Wrapper

What is Wrapper

A wrapper is a control program that mediates access to other (network) programs. By logging connections and filtering them by their source, a wrapper raises the security level of the system.

Why Wrapper

- One program provides network access control for the whole system, which simplifies the control mechanism.
- Security upgrades do not require touching every application program on the system.

Common wrappers

- Sendmail wrapper – smap/smapd
- General-purpose wrapper – tcpwrapper (tcpd)
- Firewall proxy (circuit-level gateway) – SOCKS

Tcpwrapper (tcpd)

What can tcpwrapper DO? (From: Practical UNIX & Internet Security, Chap. 22)
- Optionally sends a "banner" to the connecting client. Banners are useful for displaying legal messages or advisories.
- Performs a double-reverse lookup of the IP address, making sure that the DNS entries for the IP address and hostname match. If they do not, this fact is logged. (By default, tcpwrapper is compiled with the -DPARANOID option, so the program automatically drops the incoming connection if the two do not match, on the assumption that something somewhere is being attacked.)
- Compares the incoming hostname and requested service with an access control list, to see whether this host, or this combination of host and service, has been explicitly denied. If either is denied, tcpwrapper drops the connection.
- Uses the ident protocol (RFC 1413) to determine the username associated with the incoming connection.
- Logs the results with syslog.
- Optionally runs a command.
- Passes control of the connection to the "real" network daemon, or to some other program that can take further action.
- Transfers the connection to a "jail" or "faux" environment where you can study the user's actions.
- tcpwrapper is started by inetd in place of the real daemon.


Access Control in tcpwrapper

Access Control File Format - /etc/hosts.allow & /etc/hosts.deny

- /etc/hosts.allow is consulted first: a request that matches a rule there is granted. /etc/hosts.deny is consulted next: a request that matches a rule there is refused. A request that matches neither file is granted. Within a file, the first matching rule wins.
- A missing access control file is treated as an empty file. So if /etc/hosts.allow is absent or empty, nothing is granted by it and every decision falls through to /etc/hosts.deny; if /etc/hosts.deny is absent or empty, nothing is refused, and everything hosts.allow did not already decide is allowed. With both files absent, every connection is allowed, so a deny-by-default policy needs an explicit "ALL : ALL" rule in /etc/hosts.deny.

File Format:
daemon_list : client_host_list [: option : option ...]

daemon_list

Specifies the command names (argv[0]) of a list of TCP daemons (e.g., in.telnetd), separated by blanks or commas. The reserved keyword "ALL" matches all daemons; you can also use the "EXCEPT" operator (e.g., "ALL EXCEPT in.ftpd").

client_host_list

Specifies the hostname or IP address of the incoming connection. You can also use the form username@hostname to specify a particular user on a remote computer, although the remote computer must implement the ident protocol. The keyword ALL matches all clients.

option

The options give you considerable flexibility in handling a variety of conditions. They are only valid when tcpwrapper is compiled with -DPROCESS_OPTIONS; in Red Hat Linux, tcpwrapper is compiled with this option by default.

client_host_list keyword patterns in /etc/hosts.allow & /etc/hosts.deny

ALL - Matches all hosts.
KNOWN - Matches any IP address that has a corresponding hostname; also matches usernames when the ident service is available.
LOCAL - Matches any host that does not have a period (.) in its name.
PARANOID - Matches any host for which the double-reverse hostname/IP address translation does not match.
UNKNOWN - Matches any IP address that does not have a corresponding hostname; also matches usernames when the ident service is not available.
.subdomain.domain - If the pattern begins with a period (.), it matches any host whose hostname ends with the pattern (in this case, ".subdomain.domain").
iii.iii.jjj. - If the pattern ends with a period (.), it is interpreted as the leading octets of an IP address. The string "18." matches any host with an IP address from 18.0.0.0 through 18.255.255.255 (the 18.0.0.0/8 network). The string "204.17.195." matches any host with an IP address from 204.17.195.0 through 204.17.195.255.
net/mask - A pattern of the form "n.n.n.n/m.m.m.m" matches any address for which "address AND mask" equals "net" (e.g., "131.155.72.0/255.255.254.0").
pattern EXCEPT pattern - Matches any host that is matched by the first pattern except those that also match the second pattern.
(The EXCEPT operator may also be used in the daemon_list.)

Note that a bare hostname such as "pirate.net" matches only the host with exactly that name; to match every host in the domain, use the leading-dot form ".pirate.net".


Options for tcpwrapper

Option - Effect

allow - Allows the connection. Must be the last option in the rule.
deny - Denies the connection. Must be the last option in the rule.

Options for dealing with sub-shells:

nice [nn] - Changes the priority of the process to nn (default 10). Use numbers such as +4 or +8 to reduce the amount of CPU time allocated to network services.
setenv name value - Sets the environment variable name to value for the daemon.
spawn shell_command - Runs shell_command in a child process after expanding its %<letter> tokens (see the token table below). Its stdin, stdout, and stderr are connected to /dev/null so that it cannot interfere with communication with the client.
twist shell_command - Replaces the current process by shell_command after expanding its %<letter> tokens. Its stdin, stdout, and stderr are connected to the remote client. This lets you run a server other than the one named in /etc/inetd.conf. It must be the last option in the rule. (Note: for UDP services, do not twist to a command that uses standard I/O or read(2)/write(2) to talk to the client; UDP needs other I/O primitives.)
umask nnn - Specifies the umask to be used for sub-shells. Specify it in octal.
user username - Assumes the privileges of username. (Note: tcpwrapper must be running as root for this option to work.)
user username.groupname - Assumes the privileges of username and sets the current group to groupname.

Options for dealing with the network connection:

banners /some/directory/ - Specifies a directory that contains banner files. If a file is found in the banner directory with the same name as the network server (such as in.telnetd), the contents of that file, with %<letter> tokens expanded, are sent to the client before the TCP connection is turned over to the server. This lets you send clients messages, for example informing them that unauthorized use of your computer is prohibited.
keepalive - Causes the UNIX kernel to periodically send a message to the client; if the message cannot be sent, the connection is automatically broken.
linger seconds - Specifies how long the UNIX kernel should keep trying to deliver unsent data to the remote client after the server closes the connection.
rfc931 [timeout in seconds] - Specifies that the ident protocol should be used to attempt to determine the username of the person running the client program on the remote computer. The timeout, if specified, is the number of seconds tcpwrapper should wait for this information.


Token Expansion Available for the tcpwrapper Shell Command

%a - The IP address of the client.
%A - The IP address of the server.
%c - username@hostname (if the username is available); otherwise only the hostname or IP address.
%d - The name of the daemon (argv[0]).
%h - The hostname of the client (IP address if the hostname is unavailable).
%H - The hostname of the server (IP address if the hostname is unavailable).
%p - The process ID of the daemon process.
%s - daemon@host (daemon name and server hostname or address).
%u - The client username (or "unknown").
%% - Expands to the "%" character.

Characters in an expansion that could confuse the shell are replaced by underscores, so a hostile reverse-DNS name or ident reply cannot inject commands into a spawn or twist command line.

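As an added example (not code from the page or from the tcp_wrappers distribution), the Python below performs the %<letter> expansion of a spawn or twist command line from a constructed Request and replaces shell-unsafe characters in each expanded value, as the man page describes. The Request class and the exact character set kept by sanitize() are assumptions of this example; tcpd's own list of metacharacters is not reproduced here.

```python
"""Emulate tcpd's %<letter> expansion for spawn/twist commands (added example)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """What tcpd knows about one connection (constructed, not tcpd's own struct)."""
    daemon: str                          # argv[0], e.g. "in.telnetd"
    pid: int
    client_addr: str
    client_name: Optional[str] = None    # None when reverse DNS failed
    client_user: Optional[str] = None    # None when ident is unavailable
    server_addr: str = "192.0.2.1"
    server_name: Optional[str] = "gw.example.org"


# Assumption: tcpd replaces shell metacharacters with '_'. Its exact list is not
# reproduced; this stricter allow-list keeps only alphanumerics and ".-_@/:".
SHELL_UNSAFE = re.compile(r"[^A-Za-z0-9.\-_@/:]")


def sanitize(value: str) -> str:
    """Neutralise anything the shell could interpret inside an expanded token."""
    return SHELL_UNSAFE.sub("_", value)


def tokens(req: Request) -> dict:
    """Values for the %<letter> tokens listed in the table above."""
    host = req.client_name or req.client_addr
    server_host = req.server_name or req.server_addr
    return {
        "a": req.client_addr,
        "A": req.server_addr,
        "c": f"{req.client_user}@{host}" if req.client_user else host,
        "d": req.daemon,
        "h": host,
        "H": server_host,
        "p": str(req.pid),
        "s": f"{req.daemon}@{server_host}",
        "u": req.client_user or "unknown",
    }


def expand(template: str, req: Request) -> str:
    """Expand %<letter> tokens in a spawn/twist command, sanitising each value."""
    values = tokens(req)

    def repl(match):
        letter = match.group(1)
        if letter == "%":
            return "%"
        if letter in values:
            return sanitize(values[letter])
        return match.group(0)   # simplification: real tcpd warns about unknown letters

    return re.sub(r"%(.)", repl, template)


if __name__ == "__main__":
    # Constructed requests: a well-behaved client and one whose PTR record carries shell syntax.
    normal = Request("in.telnetd", 4242, "198.51.100.9", "evil.pirate.net", "mallory")
    hostile = Request("in.fingerd", 7, "198.51.100.9", "x;rm -rf /;.pirate.net")
    print(expand("/security/logit %d deny %c %p %a %h %u", normal))
    print(expand("safe_finger @%h", hostile))
```

The second print shows the point of the underscore substitution: the hostile name reaches the spawned command as `x_rm_-rf_/_.pirate.net`, so the `;` sequences never reach `/bin/sh` as separators.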

Installing tcpwrapper

- tcpwrapper is installed and enabled by default when you install Red Hat Linux.
- Check your tcpwrapper version:

[woody@nmc woody]# rpm -q -a | grep tcp
tcp_wrappers-7.6-10

- You may also get the source and build it with the options you like.

Making tcpwrapper work

To make tcpwrapper work, make sure /etc/inetd.conf names /usr/sbin/tcpd as the server program and the real daemon as its first argument, like the following (Red Hat does this for you automatically):

:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
:

When the daemon is given without a leading slash, tcpd looks for it in the directory compiled in as REAL_DAEMON_DIR (typically /usr/sbin). The daemon name given here (for example in.telnetd) is the argv[0] that the daemon_list in /etc/hosts.allow and /etc/hosts.deny must match, and a service whose inetd.conf line does not go through tcpd is not protected by those files at all. After editing inetd.conf, send inetd a SIGHUP so that it rereads the file.
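The following Python script is an added example, not part of the original page or of the tcp_wrappers distribution. It parses inetd.conf lines like the ones above and reports, for each service, whether inetd starts tcpd or the daemon directly, the argv[0] that the daemon_list in hosts.allow and hosts.deny must match, and the path tcpd will execute. The sample inetd.conf text is constructed for the example, and the assumption that REAL_DAEMON_DIR is /usr/sbin is marked in the code.

```python
"""Audit which /etc/inetd.conf services go through tcpd (added example)."""
import os
from dataclasses import dataclass, field
from typing import List

# Constructed sample, modelled on the Red Hat inetd.conf snippet on this page.
SAMPLE_INETD_CONF = """\
# <service> <socket type> <proto> <flags> <user> <server path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd        in.rshd
talk    dgram   udp  wait    nobody  /usr/sbin/tcpd        in.talkd
echo    stream  tcp  nowait  root    internal
"""

# Assumption: tcpd was built with REAL_DAEMON_DIR=/usr/sbin (the usual Red Hat setting).
REAL_DAEMON_DIR = "/usr/sbin"


@dataclass
class InetdEntry:
    service: str
    proto: str
    server: str                                  # sixth field: program inetd executes
    args: List[str] = field(default_factory=list)

    @property
    def internal(self) -> bool:
        return self.server == "internal"

    @property
    def wrapped(self) -> bool:
        """True when inetd starts tcpd rather than the daemon itself."""
        return os.path.basename(self.server) == "tcpd"

    @property
    def argv0(self) -> str:
        """Name the daemon_list in hosts.allow/hosts.deny must match (argv[0])."""
        if self.internal:
            return ""
        if self.wrapped and self.args:
            return self.args[0]
        return os.path.basename(self.server)

    @property
    def real_daemon(self) -> str:
        """Path tcpd will exec: relative names are looked up under REAL_DAEMON_DIR."""
        if not self.wrapped or not self.args:
            return self.server
        name = self.args[0]
        return name if name.startswith("/") else os.path.join(REAL_DAEMON_DIR, name)


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse the classic seven-column inetd.conf format, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would reject it as well
        service, _socktype, proto, _flags, _user, server = fields[:6]
        entries.append(InetdEntry(service, proto, server, fields[6:]))
    return entries


def unwrapped_services(entries: List[InetdEntry]) -> List[str]:
    """External services that bypass tcpd, and therefore hosts.allow/hosts.deny."""
    return [e.service for e in entries if not e.internal and not e.wrapped]


if __name__ == "__main__":
    for e in parse_inetd_conf(SAMPLE_INETD_CONF):
        status = "internal" if e.internal else ("wrapped" if e.wrapped else "NOT WRAPPED")
        print(f"{e.service:8} {e.proto:4} {status:12} argv0={e.argv0!r} exec={e.real_daemon}")
```

In the constructed sample the finger line is the one to fix: inetd starts in.fingerd directly, so any in.fingerd rule in hosts.allow or hosts.deny never sees those connections.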

Some Examples for /etc/hosts.allow and /etc/hosts.deny

Example 1

Allow all hosts except *.spamer.com to use all services. Because /etc/hosts.allow is consulted first and the first matching rule wins, the deny rule must come before the catch-all allow rule.

#
# /etc/hosts.allow:
#
# Allow anybody to connect to our machine except people from spamer.com
#
ALL : .spamer.com : deny
ALL : ALL         : allow


Example 2

1. Allow internal hosts (names without a dot) to use in.fingerd.
2. When a host from outside tries to use in.fingerd, /usr/local/bin/external_fingerd_message is executed instead (the program given to the twist option takes precedence over the daemon named in /etc/inetd.conf).
3. All hosts except those in .pirate.net are allowed to use every other service on this server. Because rules are matched in order, hosts in .pirate.net still reach the fake finger service of rule 2.

#
# /etc/hosts.allow:
#
# Allow anybody to connect to our machine except people from pirate.net
#
in.fingerd : LOCAL : allow
in.fingerd : ALL : twist /usr/local/bin/external_fingerd_message
ALL : .pirate.net : deny
ALL : ALL : allow


Example 3

Allow telnet & rlogin from hosts in sleepy.com, but from nowhere else. The daemon names must be the argv[0] values used in /etc/inetd.conf (in.rlogind, not rlogind, on Red Hat).

#
# /etc/hosts.allow:
#
in.telnetd, in.rlogind : .sleepy.com : allow
in.telnetd, in.rlogind : ALL : deny


Example 4

1. Deny the in.telnetd and in.rlogind services to hosts in pirate.net.
2. Run the program /security/logit to record information about the client (/security/logit stands for some secure logging program on your system; shell metacharacters in the expanded tokens are replaced by underscores before they reach it).
3. Try to send the message in the file /security/banners/in.telnetd or /security/banners/in.rlogind to the remote client; linger 10 gives the kernel up to 10 seconds to deliver it before the connection is dropped.

#
# /etc/hosts.deny:
#
# Don't allow logins from pirate.net, and log attempts
#
in.telnetd, in.rlogind : .pirate.net : spawn (/security/logit %d deny %c %p %a %h %u) & \
        : linger 10 : banners /security/banners
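The following Python module is an added example, not part of the page or of tcp_wrappers, covering both the file format and keyword patterns described earlier and the four examples just given: it reads hosts.allow and hosts.deny text, applies the client patterns (ALL, LOCAL, KNOWN, UNKNOWN, PARANOID, leading-dot suffixes, trailing-dot address prefixes, net/mask, EXCEPT, user@host) and the evaluation order (hosts.allow, then hosts.deny, then the default allow, with the allow and deny options overriding the file a rule is in), and reports which rule decided. The sample files are constructed from Examples 2 to 4; backslash-escaped colons and the daemon@host server-endpoint form are not handled.

```python
"""Emulate the hosts_access(5) decision procedure used by tcpd (added example)."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Client:
    addr: str                       # constructed stand-in for what tcpd learns about the peer
    name: Optional[str] = None      # None: reverse lookup failed (UNKNOWN)
    user: Optional[str] = None      # None: no ident answer (UNKNOWN)
    paranoid: bool = False          # double-reverse name/address mismatch

Rule = namedtuple("Rule", "daemons clients options")   # the fields of one rule line

def rule_matches(rule: Rule, daemon: str, client: Client) -> bool:
    return (list_matches(rule.daemons, daemon, match_daemon)
            and list_matches(rule.clients, client, match_client))

def rule_keywords(rule: Rule) -> set:
    return {o.split()[0].lower() for o in rule.options if o.split()}

def parse_rules(text: str) -> List[Rule]:
    """Split an access control file into rules; a trailing backslash joins lines."""
    rules, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]   # escaped ':' not handled
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(fields[0], fields[1], fields[2:]))
    return rules

def list_matches(field: str, item, matcher: Callable) -> bool:
    """'a b EXCEPT c d': a or b matches and the list after EXCEPT does not."""
    tokens = field.replace(",", " ").split()
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            head, tail = tokens[:i], " ".join(tokens[i + 1:])
            return any(matcher(t, item) for t in head) and not list_matches(tail, item, matcher)
    return any(matcher(t, item) for t in tokens)

def match_daemon(pattern: str, daemon: str) -> bool:
    return pattern.upper() == "ALL" or pattern.lower() == daemon.lower()

def match_user(pattern: str, user: Optional[str]) -> bool:
    p = pattern.upper()
    if p in ("ALL", "KNOWN", "UNKNOWN"):
        return p == "ALL" or (user is not None) == (p == "KNOWN")
    return user == pattern

def match_client(pattern: str, client: Client) -> bool:
    if "@" in pattern:                        # user@host form, needs ident
        user_pat, host_pat = pattern.split("@", 1)
        return match_user(user_pat, client.user) and match_client(host_pat, client)
    p = pattern.upper()
    if p in ("ALL", "PARANOID", "KNOWN", "UNKNOWN", "LOCAL"):
        return {"ALL": True,
                "PARANOID": client.paranoid,
                "KNOWN": client.name is not None and not client.paranoid,
                "UNKNOWN": client.name is None,
                "LOCAL": client.name is not None and "." not in client.name}[p]
    if pattern.startswith("."):               # domain suffix
        return client.name is not None and client.name.lower().endswith(pattern.lower())
    if pattern.endswith("."):                 # leading octets of an address
        return client.addr.startswith(pattern)
    if "/" in pattern:                        # net/mask
        return ipaddress.ip_address(client.addr) in ipaddress.ip_network(pattern, strict=False)
    return client.addr == pattern or (client.name or "").lower() == pattern.lower()

def hosts_access(daemon: str, client: Client, allow_text: str,
                 deny_text: str) -> Tuple[str, Optional[Rule]]:
    """hosts.allow, then hosts.deny, then default allow; first match wins."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):
            return ("deny" if "deny" in rule_keywords(rule) else "allow"), rule
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return ("allow" if "allow" in rule_keywords(rule) else "deny"), rule
    return "allow", None

# Constructed files combining Examples 2 through 4; an absent file behaves as "".
SAMPLE_HOSTS_ALLOW = """\
in.fingerd : LOCAL : allow
in.fingerd : ALL : twist /usr/local/bin/external_fingerd_message
ALL : .pirate.net : deny
in.telnetd, in.rlogind : .sleepy.com : allow
"""
SAMPLE_HOSTS_DENY = """\
in.telnetd, in.rlogind : ALL : spawn (/security/logit %d deny %c) & \\
        : linger 10
"""
```

Calling hosts_access("in.telnetd", Client("198.51.100.9", "evil.pirate.net"), SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY) returns "deny" together with the ".pirate.net" rule, while the same client asking for in.fingerd is allowed through the twist rule, which is exactly the ordering effect described under Example 2. A telnet request from any other domain falls through hosts.allow and is refused by the continuation-line rule in hosts.deny, and with both files empty the result is ("allow", None), the wrappers' default when nothing matches.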