| 

							command line argument</PRE>





<BR>



<P>

















Now you have got a simplified view of the entery this is the entery used

to start the ftp service for the example i showed above. In this entery&nbsp;

/usr/sbin/wu.ftpd so for the TCP wrapper proggie to become involved this

line above needs to be edited, so simply add this. /usr/sbin/tcpd

the rest can stay as they were. You need to do this change in each line

found in inetd.conf that starts the service that you want to use with the

TCP wrapper. If you want to close that service simply add a # in from of

ftp all the way to the left and your ftp service port (21) should now be

closed.

<BR>Now for the changes you have done to take effect you must either reboot

your box or restart the inetd by typing:



<P>root@mike:~# killall -HUP inetd



<P>If you don't really know what your really doing, a good idea is to chattr

the inetd.conf, this command stops any changes being made by accident and

stops renaming and linking.



<P>root@mike:~# chattr +i /etc/inetd.conf



<P>to edit inetd.conf you just got to do the reverse



<P>root@mike:~# chattr -i /etc/inetd.conf



<P>&nbsp;Now that we configured the tcpd to mangage network services by

editing inetd.conf, we now have to edit the two filz i mentioned above,

host.allow and hosts.deny, which are for allowing/denying which hosts are

allowed/denied access to your box.



<P>-=-=-=-=-=-=-=-=-=-=-=-

<BR><A NAME="hosts.allow"></A>Configure hosts.allow

<BR>-=-=-=-=-=-=-=-=-=-=-=-

<BR>Now after configureing the internet deamon, we have to configure the

hosts.allow file which gives access to which hosts you are going to allow

access. The configuration of hosts.allow/hosts.deny is very similar.

The

<BR>basic syntax for these filz is



<P>&nbsp;The daemon list : Client list : shell command



<P>Lets start with the daemon list, this syntax is used to give the name

of the service to which the rule applies. To place more than one

service you seperate each sevice with a comma. The Client list you

are going to use an IP address, host name or a dns to which your

going to allow, and to allow more than one simply put a comma after each.

It is very important if you can to allow certain ip's instead of a DNS,

because host spoofing if easier than ip spoofing so keep that in mind.

The shell command is optional yet very vital/usefull, keep reading to find

out why.



<P>One thing that many people always forget about TCP wrappers is that

the first matching rule that tcpd finds when it seaches is the one that

it is going to use, so in other words once a match is found it stops looking.&nbsp;

This is very bad because if no match is found in either allow/deny files

then access by default will be granted. TCP wrappers first check

hosts.allow first so its is very important to halt any ip's you don't want

in that file first instead of putting them in hosts.deny, so one way to

solve this fault in TCP wrappers is to deny access to all then select/grant

access to those who need access(people/hosts your trust).



<P>Operator key words

<BR>==============

<BR>Here some some key words you can use for these parameters so you can

make configureing these two filz easier. Examples will follow.



<P>LOCAL = This key word will match any host whose name doens't have a

dot character.



<P>UNKNOWN =This key word will match the host whose name or address is

not known.



<P>ALL = This key word will match all hosts and services used.

<BR>&nbsp;



<P>KNOWN = This key word matches any host/user whose address is known.



<P>EXCEPT = This key word acts as an if/or ie, group1 EXCEPT group2



<P>---------

<BR>Here is an example of an hosts.allow file (this is fake)



<P>ALL : All@127.0.0.1 : ALLOW

<BR>in.sshd : zopa.com

<BR>inet.ftpd : roster.zopa.com

<BR>ALL : .zopa.com EXCEPT cracker.zopa.com



<P>Here all the hosts in the zopa.com domain are allowed to

use sshd, but roster is the only subdomain which will have access to use

ftpd, and the others can't access ftpd.  In the last line all hosts

of zopa.com's domain will be allowed access to use all services but except

the subdomain cracker.zopa.com . Notice it is more important to deny access

in hosts.allow cause till TCP wrapper checks hosts.deny the access will

be given access to the host because I had allowed access to zopa.com which

is a match for the host thus it will grant access before even checking

cracker.zopa.com if i had placed it in the hosts.deny folder. So its is

obvious that to use the 'EXCEPT' keyword in hosts.allow is better

than putting the host in host.deny!



<P>Now we don't want to leave hosts.deny empty we should place this command.



<P>Here is an of&nbsp;<A NAME="hosts.deny"></A>hosts.deny



<P>ALL : ALL



<P>==========

<BR>This will put a security that will deny access to all that isn't explicitly

granted access will be denied any access.



<P>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

<BR><A NAME="variables"></A>Optional variables for shells commands

<BR>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



<P>You can also implement the optional shell command variables. Many people

don't use this optional feature cause its becomes too technical but if

you understand it can lead you to forshadow any incoming attack.



<P>I will tell you some variables to use with shell commands here.



<P>{-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=}

<BR>%u This variable will return the client username



<P>%d This variable will return the daemon process



<P>%p This variable will return the daemon process ID



<P>%a This variable will return the client host address.



<P>%c This variable will return information about the

<BR> client, like host name or user@host.



<P>%h This variable will return the server hostname, and

<BR> if it can't find it, it will return the address.

<BR>{-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=}



<P>Okay this is enough let me show you an example.



<P>Thic could be an example of a line you might want to put in your hosts.deny



<P>



ALL : ALL spawn (echo Attempt from %h %a to %d %p at 'date' | tee /var/log/tcp.deny.log | mail rammal81@hotmail.com )

<br>or something like the bottom but the above is preferred! <br>

in.fptd : .zopa.com : (/usr/bin/fingerd -l @%h | /usr/ucb/mail -s %d

%c %h root) 



<P>so if access was denied to hosts from .zopa.com root would recieve an

email with info that are parallel to the variable description.

<BR>

<p>-=-=-=-=-=-=

<br><A NAME="conclusion"></A>Conclusion

<br>-=-=-=-=-=-=

<BR>One thing you should always keep in mind is that if a hacker wants

to root your box TCP wrappers will help but are not the 100% inpenetrable

line of defence. If you are going to use tcp wrappers as the only means of protecting yourself via hosts.deny as your only means of blocking inbound traffic you better use ipchains or block the traffic before it reaches your host via a hardware firewall or a router. Now lets get serious we can't afford that so we have to use ipchains as our real world option, and if you can I am coming over to your house, hehe. Ipchains is very good/flexible because it blocks traffic at the kernel level before the packet is read by inetd or tcpd. I won't bother going further into ipchains because way better tutorials have been written on the topic so search of them at the security sites. Back to tcp wrappers, you should use the utilities called <a href="http://uw7doc.sco.com/cgi-bin/man/man?tcpdchk+1Mtcp">tcpdchk</a> and <a href="http://uw7doc.sco.com/cgi-bin/man/man?tcpmatch+1Mtcp">tcpmatch</a>,  which come

with the TCP wrapper package and are explained pretty well in the links given. Also IP's can be spoofed so always keep that in mind with a lot

of time an attacker can know which hosts you allow and can spoof as them.

One other thing you should keep in mind is that TCP wrappers are only used

to start up the correct daemon that will be satisfying the correct request

so don't use it for services like NFS which deal with multiple clients

requests when started. Okay i hope you learned something here, if you have

anything to add to this phile or have found some errors, plz email me and

i'll fix it up. thx<br>

<p>-=-=-=-=-

<br><A NAME="shoutz"></A>Greetz

<br>-=-=-=-=-

<br>Well there are just too many to give greetz to, but everyone from Box Network, the kewl members of Blacksun, the wonderful visitors who come everyday and the peeps who answer the daily post don't think i forgot ya! Ohh and everyone on irc.box.sk in all #channels. Ahh before i forget, a huge greetz also goes out to Cube and Kript0n for always being there. Thx!

<P>EOF

<BR>



</BODY>

</HTML>