<HTML><HEAD>  <TITLE>BBS水木清華站∶精華區</TITLE></HEAD><BODY><CENTER><H1>BBS水木清華站∶精華區</H1></CENTER>發信人:&nbsp;CuteGuy&nbsp;(被大頭針扎傷※休養中),&nbsp;信區:&nbsp;Linux&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR>標&nbsp;&nbsp;題:&nbsp;Enhancing&nbsp;System&nbsp;Security&nbsp;With&nbsp;TCP&nbsp;Wrappers（轉）&nbsp;<BR>發信站:&nbsp;BBS&nbsp;水木清華站&nbsp;(Sun&nbsp;May&nbsp;&nbsp;2&nbsp;12:33:43&nbsp;1999)&nbsp;<BR>&nbsp;<BR>&nbsp;<BR>&nbsp;&nbsp;<BR><A HREF="http://www.performancecomputing.com/Linux-IT/features/9905of1.shtml">http://www.performancecomputing.com/Linux-IT/features/9905of1.shtml</A>&nbsp;<BR>&nbsp;<BR>LINUX-IT&nbsp;-&nbsp;MAY&nbsp;1999&nbsp;<BR>&nbsp;Enhancing&nbsp;System&nbsp;Security&nbsp;With&nbsp;TCP&nbsp;Wrappers&nbsp;<BR>Paul&nbsp;Dunne&nbsp;<BR>TCP&nbsp;Wrappers,&nbsp;written&nbsp;by&nbsp;Wietse&nbsp;Venema,&nbsp;is&nbsp;a&nbsp;tool&nbsp;that&nbsp;filters&nbsp;incoming&nbsp;&nbsp;<BR>connections&nbsp;to&nbsp;network&nbsp;services.&nbsp;This&nbsp;article&nbsp;looks&nbsp;at&nbsp;how&nbsp;TCP&nbsp;Wrappers&nbsp;can&nbsp;&nbsp;<BR>be&nbsp;used&nbsp;to&nbsp;enhance&nbsp;the&nbsp;security&nbsp;of&nbsp;a&nbsp;networked&nbsp;system.&nbsp;The&nbsp;example&nbsp;platform&nbsp;&nbsp;<BR>is&nbsp;Linux,&nbsp;but&nbsp;the&nbsp;information&nbsp;&nbsp;<BR>is&nbsp;applicable&nbsp;to&nbsp;most&nbsp;any&nbsp;UNIX&nbsp;system.&nbsp;<BR>The&nbsp;idea&nbsp;of&nbsp;the&nbsp;package&nbsp;is&nbsp;to&nbsp;provide&nbsp;&quot;wrapper&quot;&nbsp;daemons&nbsp;that&nbsp;can&nbsp;be&nbsp;installed&nbsp;&nbsp;<BR>without&nbsp;any&nbsp;changes&nbsp;to&nbsp;existing&nbsp;software.&nbsp;<BR>&nbsp;<BR>Most&nbsp;TCP/IP&nbsp;applications&nbsp;depend&nbsp;on&nbsp;the&nbsp;client-server&nbsp;model--that&nbsp;is,&nbsp;when&nbsp;a&nbsp;&nbsp;<BR>connection&nbsp;is&nbsp;requested&nbsp;by&nbsp;a&nbsp;client,&nbsp;a&nbsp;server&nbsp;process&nbsp;is&nbsp;started&nbsp;on&nbsp;the&nbsp;host&nbsp;&nbsp;<BR>to&nbsp;deal&nbsp;with&nbsp;it.&nbsp;TCP&nbsp;Wrappers&nbsp;works&nbsp;by&nbsp;interposing&nbsp;an&nbsp;additional&nbsp;layer,&nbsp;or&nbsp;&nbsp;<BR>wrapper,&nbsp;between&nbsp;client&nbsp;&nbsp;<BR>and&nbsp;server.&nbsp;In&nbsp;the&nbsp;basic&nbsp;service,&nbsp;the&nbsp;wrapper&nbsp;logs&nbsp;the&nbsp;name&nbsp;of&nbsp;the&nbsp;client&nbsp;&nbsp;<BR>host&nbsp;and&nbsp;requested&nbsp;service,&nbsp;then&nbsp;hands&nbsp;the&nbsp;communication&nbsp;over&nbsp;to&nbsp;the&nbsp;real&nbsp;&nbsp;<BR>daemon,&nbsp;neither&nbsp;exchanging&nbsp;information&nbsp;with&nbsp;the&nbsp;client&nbsp;or&nbsp;server,&nbsp;nor&nbsp;&nbsp;<BR>imposing&nbsp;overhead&nbsp;on&nbsp;the&nbsp;actual&nbsp;&nbsp;<BR>conversation&nbsp;between&nbsp;the&nbsp;two.&nbsp;Optional&nbsp;features&nbsp;may&nbsp;be&nbsp;enabled,&nbsp;including&nbsp;&nbsp;<BR>access&nbsp;control,&nbsp;client&nbsp;username&nbsp;lookups,&nbsp;and&nbsp;additional&nbsp;protection&nbsp;against&nbsp;&nbsp;<BR>hostname&nbsp;spoofing.&nbsp;<BR>The&nbsp;current&nbsp;version&nbsp;of&nbsp;TCP&nbsp;Wrappers,&nbsp;7.6,&nbsp;can&nbsp;be&nbsp;obtained&nbsp;from&nbsp;&nbsp;<BR><A HREF="ftp://ftp.porcupine.org/pub/security/.">ftp://ftp.porcupine.org/pub/security/.</A>&nbsp;(Note&nbsp;that&nbsp;the&nbsp;old&nbsp;location,&nbsp;&nbsp;<BR><A HREF="ftp://ftp.win.tue.nl/pub/security/,">ftp://ftp.win.tue.nl/pub/security/,</A>&nbsp;was&nbsp;compromised&nbsp;earlier&nbsp;this&nbsp;year&nbsp;and&nbsp;is&nbsp;&nbsp;<BR>no&nbsp;longer&nbsp;maintained.)&nbsp;<BR>Compilation&nbsp;<BR>There&nbsp;are&nbsp;a&nbsp;few&nbsp;decisions&nbsp;to&nbsp;make&nbsp;at&nbsp;compile&nbsp;time.&nbsp;Features&nbsp;can&nbsp;be&nbsp;turned&nbsp;on&nbsp;&nbsp;<BR>or&nbsp;off&nbsp;through&nbsp;definitions.&nbsp;Here&nbsp;is&nbsp;a&nbsp;list,&nbsp;with&nbsp;default&nbsp;values&nbsp;shown&nbsp;where&nbsp;&nbsp;<BR>appropriate:&nbsp;<BR>STYLE&nbsp;=&nbsp;-DPROCESS_OPTIONS&nbsp;<BR>Enables&nbsp;language&nbsp;extensions.&nbsp;This&nbsp;is&nbsp;disabled&nbsp;by&nbsp;default.&nbsp;<BR>FACILITY=LOG_MAIL&nbsp;<BR>Sets&nbsp;the&nbsp;location&nbsp;of&nbsp;log&nbsp;records.&nbsp;I&nbsp;prefer&nbsp;to&nbsp;set&nbsp;this&nbsp;to&nbsp;LOG_DAEMON,&nbsp;and&nbsp;log&nbsp;&nbsp;<BR>stuff&nbsp;into&nbsp;/var/log/daemon.&nbsp;Your&nbsp;mileage&nbsp;may&nbsp;vary.&nbsp;<BR>SEVERITY=&nbsp;LOG_INFO&nbsp;<BR>Sets&nbsp;what&nbsp;level&nbsp;to&nbsp;give&nbsp;to&nbsp;the&nbsp;log&nbsp;message.&nbsp;The&nbsp;default,&nbsp;LOG_INFO,&nbsp;is&nbsp;fine&nbsp;in&nbsp;&nbsp;<BR>most&nbsp;cases.&nbsp;The&nbsp;complete&nbsp;list&nbsp;is,&nbsp;in&nbsp;ascending&nbsp;order&nbsp;of&nbsp;severity,&nbsp;debug,&nbsp;&nbsp;<BR>notice,&nbsp;warning,&nbsp;err,&nbsp;crit,&nbsp;alert,&nbsp;emerg.&nbsp;See&nbsp;the&nbsp;syslog.conf(5)&nbsp;man&nbsp;page&nbsp;for&nbsp;&nbsp;<BR>more&nbsp;details.&nbsp;<BR>HOSTS_ACCESS&nbsp;<BR>When&nbsp;compiled&nbsp;with&nbsp;this&nbsp;option,&nbsp;the&nbsp;wrapper&nbsp;programs&nbsp;support&nbsp;a&nbsp;simple&nbsp;form&nbsp;of&nbsp;&nbsp;<BR>access&nbsp;control.&nbsp;Since&nbsp;this&nbsp;is&nbsp;the&nbsp;reason&nbsp;most&nbsp;people&nbsp;install&nbsp;TCP&nbsp;Wrappers,&nbsp;it&nbsp;&nbsp;<BR>is&nbsp;defined&nbsp;by&nbsp;default.&nbsp;<BR>PARANOID&nbsp;<BR>When&nbsp;compiled&nbsp;with&nbsp;-DPARANOID,&nbsp;the&nbsp;wrappers&nbsp;try&nbsp;to&nbsp;look&nbsp;up&nbsp;and&nbsp;double-check&nbsp;&nbsp;<BR>the&nbsp;client&nbsp;hostname,&nbsp;and&nbsp;will&nbsp;always&nbsp;refuse&nbsp;service&nbsp;in&nbsp;case&nbsp;of&nbsp;a&nbsp;discrepancy&nbsp;&nbsp;<BR>between&nbsp;hostname&nbsp;and&nbsp;IP&nbsp;address.&nbsp;This&nbsp;is&nbsp;a&nbsp;reasonable&nbsp;policy&nbsp;for&nbsp;most&nbsp;&nbsp;<BR>systems.&nbsp;When&nbsp;compiled&nbsp;&nbsp;<BR>without&nbsp;-DPARANOID,&nbsp;the&nbsp;wrappers&nbsp;by&nbsp;default&nbsp;still&nbsp;perform&nbsp;hostname&nbsp;lookup,&nbsp;&nbsp;<BR>but&nbsp;hosts&nbsp;where&nbsp;such&nbsp;lookups&nbsp;give&nbsp;conflicting&nbsp;results&nbsp;for&nbsp;hostname&nbsp;and&nbsp;IP&nbsp;&nbsp;<BR>address&nbsp;are&nbsp;not&nbsp;automatically&nbsp;rejected.&nbsp;They&nbsp;can&nbsp;be&nbsp;matched&nbsp;with&nbsp;the&nbsp;PARANOID&nbsp;&nbsp;<BR>wildcard&nbsp;in&nbsp;the&nbsp;access&nbsp;&nbsp;<BR>files,&nbsp;and&nbsp;a&nbsp;decision&nbsp;can&nbsp;be&nbsp;made&nbsp;on&nbsp;whether&nbsp;to&nbsp;grant&nbsp;access.&nbsp;<BR>DOT=&nbsp;-DAPPEND_DOT&nbsp;<BR>This&nbsp;appends&nbsp;a&nbsp;dot&nbsp;to&nbsp;a&nbsp;domain&nbsp;name.&nbsp;For&nbsp;example,&nbsp;&quot;example.com&quot;&nbsp;becomes&nbsp;&nbsp;<BR>&quot;example.com.&quot;.&nbsp;This&nbsp;is&nbsp;done&nbsp;because&nbsp;typically,&nbsp;the&nbsp;resolver&nbsp;will&nbsp;first&nbsp;&nbsp;<BR>append&nbsp;substrings&nbsp;of&nbsp;the&nbsp;local&nbsp;domain&nbsp;before&nbsp;trying&nbsp;to&nbsp;resolve&nbsp;the&nbsp;name&nbsp;it&nbsp;&nbsp;<BR>has&nbsp;actually&nbsp;been&nbsp;given.&nbsp;Use&nbsp;of&nbsp;&nbsp;<BR>the&nbsp;APPEND_DOT&nbsp;feature&nbsp;stops&nbsp;this&nbsp;waste&nbsp;of&nbsp;time&nbsp;and&nbsp;resources.&nbsp;It&nbsp;is&nbsp;off&nbsp;by&nbsp;&nbsp;<BR>default.&nbsp;<BR>AUTH&nbsp;=&nbsp;-DALWAYS_RFC931&nbsp;<BR>Always&nbsp;attempt&nbsp;remote&nbsp;username&nbsp;lookups.&nbsp;By&nbsp;default,&nbsp;this&nbsp;is&nbsp;off,&nbsp;and&nbsp;the&nbsp;&nbsp;<BR>wrappers&nbsp;look&nbsp;up&nbsp;the&nbsp;remote&nbsp;username&nbsp;only&nbsp;when&nbsp;the&nbsp;access-control&nbsp;rules&nbsp;&nbsp;<BR>require&nbsp;them&nbsp;to&nbsp;do&nbsp;so.&nbsp;Note&nbsp;that&nbsp;for&nbsp;this&nbsp;to&nbsp;be&nbsp;of&nbsp;any&nbsp;use,&nbsp;the&nbsp;remote&nbsp;host&nbsp;&nbsp;<BR>must&nbsp;run&nbsp;a&nbsp;daemon&nbsp;that&nbsp;supports&nbsp;&nbsp;<BR>the&nbsp;finger&nbsp;protocol.&nbsp;Also,&nbsp;such&nbsp;lookups&nbsp;are&nbsp;not&nbsp;possible&nbsp;for&nbsp;UDP-based&nbsp;&nbsp;<BR>connections.&nbsp;<BR>RFC931_TIMEOUT&nbsp;=&nbsp;10&nbsp;<BR>Username&nbsp;lookup&nbsp;timeout.&nbsp;This&nbsp;may&nbsp;not&nbsp;be&nbsp;long&nbsp;enough&nbsp;for&nbsp;slow&nbsp;hosts&nbsp;or&nbsp;&nbsp;<BR>networks,&nbsp;but&nbsp;is&nbsp;enough&nbsp;to&nbsp;irritate&nbsp;PC&nbsp;users.&nbsp;<BR>-DDAEMON_UMASK=022&nbsp;<BR>The&nbsp;is&nbsp;the&nbsp;default&nbsp;file-protection&nbsp;mask&nbsp;for&nbsp;processes&nbsp;run&nbsp;under&nbsp;control&nbsp;of&nbsp;&nbsp;<BR>the&nbsp;wrappers.&nbsp;<BR>ACCESS&nbsp;=&nbsp;-DHOSTS_ACCESS&nbsp;<BR>Sets&nbsp;host&nbsp;access&nbsp;control.&nbsp;This&nbsp;is&nbsp;enabled&nbsp;by&nbsp;default.&nbsp;Note&nbsp;that&nbsp;this&nbsp;can&nbsp;also&nbsp;&nbsp;<BR>be&nbsp;turned&nbsp;off&nbsp;at&nbsp;run&nbsp;time&nbsp;by&nbsp;providing&nbsp;no,&nbsp;or&nbsp;empty,&nbsp;access-control&nbsp;tables.&nbsp;<BR>TABLES&nbsp;=&nbsp;-DHOSTS_DENY=\&quot;/etc/&nbsp;<BR>&nbsp;&nbsp;hosts.deny\&quot;&nbsp;-DHOSTS_&nbsp;<BR>&nbsp;&nbsp;ALLOW=\&quot;/etc/hosts.allow\&quot;&nbsp;<BR>Sets&nbsp;the&nbsp;pathnames&nbsp;for&nbsp;the&nbsp;access-control&nbsp;tables.&nbsp;<BR>HOSTNAME=&nbsp;-DALWAYS_HOSTNAME&nbsp;<BR>Always&nbsp;attempt&nbsp;to&nbsp;look&nbsp;up&nbsp;the&nbsp;client&nbsp;hostname.&nbsp;This&nbsp;is&nbsp;on&nbsp;by&nbsp;default.&nbsp;If&nbsp;this&nbsp;&nbsp;<BR>is&nbsp;disabled,&nbsp;the&nbsp;client&nbsp;hostname&nbsp;lookup&nbsp;is&nbsp;postponed&nbsp;until&nbsp;the&nbsp;name&nbsp;is&nbsp;&nbsp;<BR>required&nbsp;by&nbsp;an&nbsp;access-control&nbsp;rule&nbsp;or&nbsp;by&nbsp;a&nbsp;%letter&nbsp;expansion.&nbsp;If&nbsp;this&nbsp;is&nbsp;what&nbsp;&nbsp;<BR>you&nbsp;want,&nbsp;you&nbsp;must&nbsp;&nbsp;<BR>disable&nbsp;paranoid&nbsp;mode&nbsp;as&nbsp;well.&nbsp;<BR>-DKILL_IP_OPTIONS&nbsp;<BR>This&nbsp;is&nbsp;for&nbsp;protection&nbsp;against&nbsp;hosts&nbsp;that&nbsp;pretend&nbsp;they&nbsp;have&nbsp;someone&nbsp;else's&nbsp;&nbsp;<BR>host&nbsp;address&nbsp;(host&nbsp;address&nbsp;spoofing).&nbsp;This&nbsp;option&nbsp;is&nbsp;not&nbsp;needed&nbsp;on&nbsp;modern&nbsp;&nbsp;<BR>UNIX&nbsp;systems&nbsp;that&nbsp;can&nbsp;stop&nbsp;source-routed&nbsp;traffic&nbsp;in&nbsp;the&nbsp;kernel&nbsp;(for&nbsp;example,&nbsp;&nbsp;<BR>Linux,&nbsp;Solaris&nbsp;2.x,&nbsp;4.4BSD&nbsp;&nbsp;<BR>and&nbsp;derivatives).&nbsp;<BR>-DNETGROUP&nbsp;<BR>Defines&nbsp;if&nbsp;your&nbsp;system&nbsp;has&nbsp;NIS&nbsp;support.&nbsp;Off&nbsp;by&nbsp;default.&nbsp;This&nbsp;is&nbsp;used&nbsp;only&nbsp;in&nbsp;&nbsp;<BR>conjunction&nbsp;with&nbsp;host&nbsp;access&nbsp;control,&nbsp;so&nbsp;if&nbsp;you're&nbsp;not&nbsp;using&nbsp;that,&nbsp;don't&nbsp;&nbsp;<BR>bother&nbsp;about&nbsp;this&nbsp;in&nbsp;any&nbsp;case.&nbsp;<BR>Some&nbsp;definitions&nbsp;are&nbsp;given&nbsp;that&nbsp;work&nbsp;around&nbsp;system&nbsp;bugs&nbsp;(just&nbsp;the&nbsp;basics&nbsp;&nbsp;<BR>here;&nbsp;see&nbsp;Makefile&nbsp;for&nbsp;details).&nbsp;The&nbsp;standard&nbsp;define&nbsp;is:&nbsp;<BR>BUGS&nbsp;=&nbsp;-DGETPEERNAME_BUG&nbsp;-DBROKEN_FGETS&nbsp;-DLIBC_CALLS_STRTOK&nbsp;<BR>Having&nbsp;set&nbsp;the&nbsp;options&nbsp;to&nbsp;your&nbsp;requirements,&nbsp;type&nbsp;make&nbsp;sys-type,&nbsp;where&nbsp;&nbsp;<BR>sys-type&nbsp;is&nbsp;one&nbsp;of&nbsp;the&nbsp;48&nbsp;systems&nbsp;listed&nbsp;in&nbsp;Figure&nbsp;1.&nbsp;As&nbsp;you&nbsp;can&nbsp;see,&nbsp;enough&nbsp;&nbsp;<BR>choices!&nbsp;<BR>If&nbsp;none&nbsp;of&nbsp;these&nbsp;matches&nbsp;your&nbsp;environment,&nbsp;then&nbsp;you&nbsp;will&nbsp;have&nbsp;to&nbsp;edit&nbsp;the&nbsp;&nbsp;<BR>system&nbsp;dependencies&nbsp;sections&nbsp;in&nbsp;the&nbsp;Makefile&nbsp;and&nbsp;do&nbsp;a&nbsp;make&nbsp;other.&nbsp;<BR>Installation&nbsp;<BR>There&nbsp;are&nbsp;two&nbsp;ways&nbsp;to&nbsp;install&nbsp;the&nbsp;software.&nbsp;The&nbsp;easy&nbsp;installation&nbsp;method&nbsp;&nbsp;<BR>requires&nbsp;no&nbsp;changes&nbsp;to&nbsp;existing&nbsp;software&nbsp;or&nbsp;configuration&nbsp;files.&nbsp;You&nbsp;move&nbsp;the&nbsp;&nbsp;<BR>daemons&nbsp;that&nbsp;you&nbsp;want&nbsp;to&nbsp;protect&nbsp;to&nbsp;the&nbsp;directory&nbsp;specified&nbsp;in&nbsp;&nbsp;<BR>REAL_DAEMON_DIR&nbsp;in&nbsp;the&nbsp;Makefile,&nbsp;&nbsp;<BR>replacing&nbsp;them&nbsp;with&nbsp;copies&nbsp;of&nbsp;the&nbsp;tcpd&nbsp;program.&nbsp;For&nbsp;example,&nbsp;for&nbsp;telnet:&nbsp;<BR>mkdir&nbsp;REAL_DAEMON_DIR&nbsp;<BR>mv&nbsp;/sbin/in.telnetd&nbsp;REAL_DAEMON_DIR&nbsp;<BR>cp&nbsp;tcpd&nbsp;/sbin/in.telnetd&nbsp;<BR>That's&nbsp;all&nbsp;there&nbsp;is&nbsp;to&nbsp;it.&nbsp;Note&nbsp;that&nbsp;the&nbsp;wrapper,&nbsp;all&nbsp;files&nbsp;used&nbsp;by&nbsp;the&nbsp;&nbsp;<BR>wrapper,&nbsp;and&nbsp;all&nbsp;directories&nbsp;in&nbsp;the&nbsp;path&nbsp;leading&nbsp;to&nbsp;those&nbsp;files&nbsp;should&nbsp;have&nbsp;&nbsp;<BR>read-&nbsp;or&nbsp;read-and-execute-only&nbsp;access&nbsp;(modes&nbsp;755&nbsp;or&nbsp;555);&nbsp;they&nbsp;must&nbsp;not&nbsp;be&nbsp;&nbsp;<BR>writable.&nbsp;There&nbsp;is&nbsp;no&nbsp;need&nbsp;to&nbsp;&nbsp;<BR>set&nbsp;the&nbsp;wrapper&nbsp;set-uid.&nbsp;<BR>The&nbsp;advanced&nbsp;installation&nbsp;method&nbsp;leaves&nbsp;your&nbsp;daemon&nbsp;executables&nbsp;alone,&nbsp;but&nbsp;&nbsp;<BR>involves&nbsp;simple&nbsp;modifications&nbsp;to&nbsp;the&nbsp;inetd&nbsp;configuration&nbsp;file&nbsp;/etc/inetd.conf.&nbsp;<BR>&nbsp;The&nbsp;changes&nbsp;to&nbsp;inetd.conf&nbsp;are&nbsp;straightforward.&nbsp;For&nbsp;each&nbsp;service&nbsp;to&nbsp;be&nbsp;&nbsp;<BR>protected&nbsp;by&nbsp;wrappers,&nbsp;tcpd&nbsp;&nbsp;<BR>should&nbsp;be&nbsp;executed&nbsp;in&nbsp;place&nbsp;of&nbsp;the&nbsp;original&nbsp;daemon,&nbsp;passing&nbsp;the&nbsp;original&nbsp;&nbsp;<BR>daemon&nbsp;pathname&nbsp;as&nbsp;an&nbsp;argument&nbsp;to&nbsp;tcpd.&nbsp;<BR>Here&nbsp;is&nbsp;a&nbsp;standard&nbsp;inetd.conf&nbsp;record&nbsp;for&nbsp;telnet&nbsp;service:&nbsp;<BR>telnet&nbsp;stream&nbsp;tcp&nbsp;nowait&nbsp;root&nbsp;/sbin/in.telnetd&nbsp;/sbin/in.telnetd&nbsp;<BR>