@(#) README 1.30 97/03/21 19:27:21

This is the 7.6 version of the TCP/IP daemon wrapper package.

Thank you for using this program. If you like it, send me a postcard.
My postal address is at the bottom of this file.

Read the BLURB file for a brief summary of what is new. The CHANGES
file gives a complete account of differences with respect to previous
releases.

Announcements of new releases of this software are posted to Usenet
(comp.security.unix, comp.unix.admin), to the cert-tools mailing list,
and to a dedicated mailing list. You can subscribe to the dedicated
mailing list by sending an email message to majordomo@wzv.win.tue.nl
with, in the body (not the subject): subscribe tcp-wrappers-announce.

Table of contents
-----------------

    1 - Introduction
    2 - Disclaimer
    3 - Tutorials
        3.1 - How it works
        3.2 - Where the logging information goes
    4 - Features
        4.1 - Access control
        4.2 - Host name spoofing
        4.3 - Host address spoofing
        4.4 - Client username lookups
        4.5 - Language extensions
        4.6 - Multiple ftp/gopher/www archives on one host
        4.7 - Banner messages
        4.8 - Sequence number guessing
    5 - Other works
        5.1 - Related documents
        5.2 - Related software
    6 - Limitations
        6.1 - Known wrapper limitations
        6.2 - Known system software bugs
    7 - Configuration and installation
        7.1 - Easy configuration and installation
        7.2 - Advanced configuration and installation
        7.3 - Daemons with arbitrary path names
        7.4 - Building and testing the access control rules
        7.5 - Other applications
    8 - Acknowledgements

1 - Introduction
----------------

With this package you can monitor and filter incoming requests for the
SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
network services.

It supports both 4.3BSD-style sockets and System V.4-style TLI.
Count yourself lucky if you don't know what that means.

The package provides tiny daemon wrapper programs that can be installed
without any changes to existing software or to existing configuration
files. The wrappers report the name of the client host and of the
requested service; the wrappers do not exchange information with the
client or server applications, and impose no overhead on the actual
conversation between the client and server applications.

Optional features are: access control to restrict what systems can
connect to what network daemons; client user name lookups with the RFC
931 etc. protocol; additional protection against hosts that pretend to
have someone else's host name; additional protection against hosts that
pretend to have someone else's host address.

The programs are very portable. Build procedures are provided for many
common (and not so common) environments, and guidelines are provided in
case your environment is not among them.

Requirements are that network daemons are spawned by a super server
such as the inetd; a 4.3BSD-style socket programming interface and/or
System V.4-style TLI programming interface; and the availability of a
syslog(3) library and of a syslogd(8) daemon. The wrappers should run
without modification on any system that satisfies these requirements.
Workarounds have been implemented for several common bugs in systems
software.

What to do if this is your first encounter with the wrapper programs:
1) read the tutorial sections for an introduction to the relevant
concepts and terminology; 2) glance over the security feature sections
in this document; 3) follow the installation instructions (easy or
advanced). I recommend that you first use the default security feature
settings. Run the wrappers for a few days to become familiar with
their logs, before doing anything drastic such as cutting off access or
installing booby traps.

2 - Disclaimer
--------------

The wrapper programs rely on source address information obtained from
network packets. This information is provided by the client host. It is
not 100 percent reliable, although the wrappers do their best to expose
forgeries.

In the absence of cryptographic protection of message contents, and of
cryptographic authentication of message originators, all data from the
network should be treated with sound scepticism.

THIS RESTRICTION IS BY NO MEANS SPECIFIC TO THE TCP/IP PROTOCOLS.

3 - Tutorials
-------------

The tutorial sections give a gentle introduction to the operation of
the wrapper programs, and introduce some of the terminology that is
used in the remainder of the document: client, server, the inetd and
syslogd daemons, and their configuration files.

3.1 - How it works
------------------

Almost every application of the TCP/IP protocols is based on a client-
server model. For example, when a user invokes the telnet command to
connect to one of your systems, a telnet server process is executed on
the target host. The telnet server process connects the user to a login
process. A few examples of client and server programs are shown in the
table below:

    client    server    application
    --------------------------------
    telnet    telnetd   remote login
    ftp       ftpd      file transfer
    finger    fingerd   show users

The usual approach is to run one single daemon process that waits for
all kinds of incoming network connections. Whenever a connection is
established, this daemon (usually called inetd) runs the appropriate
server program and goes back to sleep, waiting for other connections.

The wrapper programs rely on a simple, but powerful mechanism.
Instead of directly running the desired server program, the inetd is
tricked into running a small wrapper program. The wrapper logs the
client host name or address and performs some additional checks. When
all is well, the wrapper executes the desired server program and goes
away.

The wrapper programs have no interaction with the client user (or with
the client process). Nor do the wrappers interact with the server
application. This has two major advantages: 1) the wrappers are
application-independent, so that the same program can protect many
kinds of network services; 2) no interaction also means that the
wrappers are invisible from outside (at least for authorized users).

Another important property is that the wrapper programs are active only
when the initial contact between client and server is established. Once
a wrapper has done its work there is no overhead on the client-server
conversation.

The simple mechanism has one major drawback: the wrappers go away after
the initial contact between client and server processes, so the
wrappers are of little use with network daemons that service more than
one client. The wrappers would only see the first client attempt to
contact such a server. The NFS mount daemon is a typical example of a
daemon that services requests from multiple clients. See the section on
related software for ways to deal with such server programs.
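The mechanism just described, as an added example that is not code from the
tcp_wrappers package: a toy wrapper in the spirit of tcpd for a stream (TCP)
service. It shows the one thing the wrapper needs from the kernel, the peer
address of the socket that inetd hands over on file descriptor 0, and the
exec that removes the wrapper from the picture. The real-daemon directory,
the log facility and the log text are assumptions made for the example.

```python
# Added example, not code from the tcp_wrappers package: a toy wrapper that
# shows where tcpd gets its information for a stream (TCP) service.  inetd
# accepts the connection and starts the child with the connected socket on
# file descriptors 0, 1 and 2; the wrapper calls getpeername() on that
# descriptor, logs the result and replaces itself with the real server, so
# it never exchanges a byte with either end.  (For datagram services tcpd
# peeks at the first datagram instead; that case is not shown.)  The daemon
# directory, log facility and log text below are assumptions.
import os
import socket
import sys
import syslog

REAL_DAEMON_DIR = "/usr/libexec"    # assumed: where the real servers were moved to


def peer_of(fd):
    """(address, port) of the client on the inherited, connected socket.

    The descriptor is duplicated so that closing the temporary socket object
    leaves fd 0 open for the server that is exec'd afterwards.
    """
    sock = socket.socket(fileno=os.dup(fd))
    try:
        return sock.getpeername()[:2]
    finally:
        sock.close()


def server_path(argv, daemon_dir=REAL_DAEMON_DIR):
    """Map the wrapper's argv to (path of the real server, service name).

    For an inetd.conf line such as
        telnet  stream  tcp  nowait  root  /usr/etc/tcpd  in.telnetd
    inetd starts the wrapper with argv[0] == "in.telnetd".  That name picks
    the server to run and is the name used in log lines and access control
    rules; a name containing "/" is taken as an explicit path.  Everything
    after argv[0] is handed to the server untouched.
    """
    name = argv[0]
    if os.sep in name:
        return name, os.path.basename(name)
    return os.path.join(daemon_dir, name), name


def loopback_client_address():
    """Self-check without inetd: accept one loopback connection and report
    what peer_of() sees on the accepted descriptor."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    conn, _ = listener.accept()
    try:
        return peer_of(conn.fileno())[0]
    finally:
        conn.close()
        client.close()
        listener.close()


def main(argv):
    path, service = server_path(argv)
    addr, _port = peer_of(0)                 # fd 0 is the socket inetd handed over
    # The package logs to the facility sendmail uses by default (section 3.2).
    syslog.openlog(service, syslog.LOG_PID, syslog.LOG_MAIL)
    syslog.syslog(syslog.LOG_INFO, "connect from %s" % addr)
    os.execv(path, argv)                     # the wrapper process is gone from here on


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g.: wrapper.py in.telnetd
        main(sys.argv[1:])
    else:
        print("peer seen on a loopback connection:", loopback_client_address())
```

Run without arguments it only exercises peer_of() on a loopback connection it
sets up itself; started from an inetd entry it logs and execs. Note that the
address comes from getpeername(), i.e. from the packet headers the kernel
saw, which is exactly the information the Disclaimer above warns is supplied
by the client.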

There are two ways to use the wrapper programs:

1) The easy way: move network daemons to some other directory and fill
   the resulting holes with copies of the wrapper programs. This
   approach involves no changes to system configuration files, so there
   is very little risk of breaking things.

2) The advanced way: leave the network daemons alone and modify the
   inetd configuration file. For example, an entry such as:

       tftp  dgram  udp  wait  root  /usr/etc/tcpd  in.tftpd -s /tftpboot

   When a tftp request arrives, inetd will run the wrapper program
   (tcpd) with a process name `in.tftpd'. This is the name that the
   wrapper will use when logging the request and when scanning the
   optional access control tables. `in.tftpd' is also the name of the
   server program that the wrapper will attempt to run when all is
   well. Any arguments (`-s /tftpboot' in this particular example) are
   transparently passed on to the server program.

For an account of the history of the wrapper programs, with real-life
examples, see the section below on related documents.

3.2 - Where the logging information goes
----------------------------------------

The wrapper programs send their logging information to the syslog
daemon (syslogd).
The disposition of the wrapper logs is determined by the syslog
configuration file (usually /etc/syslog.conf). Messages are written to
files, to the console, or are forwarded to a @loghost. Some syslogd
versions can even forward messages down a |pipeline.

Older syslog implementations (still found on Ultrix systems) only
support priority levels ranging from 9 (debug-level messages) to 0
(alerts). All logging information of the specified priority level or
more urgent is written to the same destination. In the syslog.conf
file, priority levels are specified in numerical form. For example,

    8/usr/spool/mqueue/syslog

causes all messages with priority 8 (informational messages), and
anything that is more urgent, to be appended to the file
/usr/spool/mqueue/syslog.

Newer syslog implementations support message classes in addition to
priority levels. Examples of message classes are: mail, daemon, auth
and news. In the syslog.conf file, priority levels are specified with
symbolic names: debug, info, notice, ..., emerg. For example,

    mail.debug	/var/log/syslog

causes all messages of class mail with priority debug (or more urgent)
to be appended to the /var/log/syslog file.

By default, the wrapper logs go to the same place as the transaction
logs of the sendmail daemon.
The disposition can be changed by editing the Makefile and/or the
syslog.conf file. Send a `kill -HUP' to the syslogd after changing its
configuration file. Remember that syslogd, just like sendmail, insists
on one or more TABs between the left-hand side and the right-hand side
expressions in its configuration file.

Solaris 2.x note: the syslog daemon depends on the m4 macro processor.
The m4 program is installed as part of the software developer packages.

Troubleshooting note: when the syslogging does not work as expected,
run the program by hand (`syslogd -d') and see what really happens.

4 - Features
------------

4.1 - Access control
--------------------

When compiled with -DHOSTS_ACCESS, the wrapper programs support a
simple form of access control. Access can be controlled per host, per
service, or combinations thereof. The software provides hooks for the
execution of shell commands when an access control rule fires; this
feature may be used to install "booby traps". For details, see the
hosts_access.5 manual page, which is in `nroff -man' format. A later
section describes how you can test your access control rules.

Access control can also be used to connect clients to the "right"
service. What is right may depend on the requested service, the origin
of the request, and what host address the client connects to.
Examples:

(1) A gopher or www database speaks native language when contacted from
    within the country, otherwise it speaks English.

(2) A service provider offers different ftp, gopher or www services
    with different internet hostnames from one host (section 4.6).

Access control is enabled by default. It can be turned off by editing
the Makefile, or by providing no access control tables. The install
instructions below describe the Makefile editing process.

The hosts_options.5 manual page (`nroff -man' format) documents an
extended version of the access control language. The extensions are
disabled by default. See the section below on language extensions.

Later System V implementations provide the Transport Level Interface
(TLI), a network programming interface that performs functions similar
to the Berkeley socket programming interface. Like Berkeley sockets,
TLI was designed to cover multiple protocols, not just Internet.

When the wrapper discovers that the TLI interface sits on top of a
TCP/IP or UDP/IP conversation it uses this knowledge to provide the
same functions as with traditional socket-based applications. When
some other protocol is used underneath TLI, the host address will be
some universal magic cookie that may not even be usable for access
control purposes.
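The access control language of this section, as an added example that is
not part of the tcp_wrappers sources: an evaluator for the hosts_access(5)
table format that can be run against constructed hosts.allow/hosts.deny
text, covering the search order (allow first, then deny, otherwise grant),
the ALL/LOCAL/KNOWN/UNKNOWN/PARANOID wildcards, domain suffix and address
prefix patterns, net/mask, EXCEPT, and the user@host and daemon@host forms
referred to in sections 4.4 and 4.6. The two tables at the bottom are
constructed for the demonstration and are not a recommendation for any site.

```python
# Added example, not code from the tcp_wrappers sources: an evaluator for the
# hosts_access(5) table language, to try allow/deny rules against constructed
# tables before they are installed.  Covered: daemon lists, ALL, LOCAL, KNOWN,
# UNKNOWN, PARANOID, .domain suffixes, net. prefixes, net/mask, EXCEPT,
# user@host and daemon@host.  The optional shell command is returned, never
# run; its % expansions and the hosts_options extensions are not implemented.
import ipaddress
from dataclasses import dataclass

UNKNOWN, PARANOID = "unknown", "paranoid"

@dataclass
class Request:
    daemon: str              # process name the wrapper runs under, e.g. "in.ftpd"
    addr: str                # client address
    name: str = UNKNOWN      # client host name, "unknown" or "paranoid" (section 4.2)
    user: str = UNKNOWN      # client user name from an IDENT lookup, or "unknown"
    server: str = ""         # address the client connected to, for daemon@host

def _host_matches(pat, req):
    p, name = pat.lower(), req.name.lower()
    known = name not in (UNKNOWN, PARANOID)
    if p == "all":
        return True
    if p == "local":                      # a host name without a dot
        return known and "." not in name
    if p == "known":
        return known
    if p in (UNKNOWN, PARANOID):
        return name == p
    if p.startswith("."):                 # domain suffix
        return known and name.endswith(p)
    if p.endswith("."):                   # numeric address prefix
        return req.addr.startswith(p)
    if "/" in p:                          # net/mask, e.g. 131.155.72.0/255.255.254.0
        try:
            return ipaddress.ip_address(req.addr) in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    return p == name or p == req.addr

def _user_matches(pat, user):
    p = pat.lower()
    if p in ("known", "unknown"):
        return (user != UNKNOWN) == (p == "known")
    return p == "all" or p == user.lower()

def _client_matches(tok, req):            # user@host: both halves must match
    upat, _, hpat = tok.rpartition("@")
    return (not upat or _user_matches(upat, req.user)) and _host_matches(hpat, req)

def _daemon_matches(tok, req):            # daemon@host: host is the address aimed at
    dpat, _, hpat = tok.partition("@")
    if hpat and hpat.lower() != "all" and hpat != req.server:
        return False
    return dpat.lower() == "all" or dpat == req.daemon

def _list_matches(text, req, item_matches):
    """`a b EXCEPT c d' matches when the left part matches and the right does not."""
    head, sep, tail = text.partition(" EXCEPT ")
    hit = any(item_matches(tok, req) for tok in head.replace(",", " ").split())
    return not _list_matches(tail, req, item_matches) if sep and hit else hit

def _first_match(table, req):
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        if (_list_matches(fields[0], req, _daemon_matches)
                and _list_matches(fields[1], req, _client_matches)):
            return True, (fields[2] if len(fields) > 2 else None)
    return False, None

def hosts_access(req, allow_table, deny_table):
    """(granted, command of the rule that fired or None).  hosts.allow is searched
    first and a match grants; then hosts.deny, where a match denies; else grant."""
    hit, command = _first_match(allow_table, req)
    if hit:
        return True, command
    hit, command = _first_match(deny_table, req)
    if hit:
        return False, command
    return True, None

HOSTS_ALLOW = """\
# constructed tables for this demonstration, not a recommendation for any site
ALL: LOCAL, .win.tue.nl
in.ftpd in.telnetd: 131.155.72.0/255.255.254.0 EXCEPT 131.155.72.13
in.fingerd: KNOWN@.trusted.example
in.ftpd@192.0.2.10: ALL
"""

HOSTS_DENY = """\
ALL: PARANOID
in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | /usr/bin/mail -s %d-%h root) &
ALL: ALL
"""
```

Two things worth checking with it: because hosts.allow is consulted first, a
`ALL: PARANOID' line in hosts.deny never sees a request that an address-based
allow rule already granted (in the tables above, a telnet client from
131.155.72.10 whose name does not match its address is let in); to refuse
such hosts unconditionally, compile with -DPARANOID (section 4.2) or write
the allow rules themselves as `... EXCEPT PARANOID'. And a request that
matches neither table is granted, so a deny table without a final `ALL: ALL'
is an open door rather than a closed one.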

4.2 - Host name spoofing
------------------------

With some network applications, such as RSH or RLOGIN, the client host
name plays an important role in the authentication process. Host name
information can be reliable when lookups are done from a _local_ hosts
table, provided that the client IP address can be trusted.

With _distributed_ name services, authentication schemes that rely on
host names become more problematic. The security of your system now may
depend on some far-away DNS (domain name server) outside your own
control.

The wrapper programs verify the client host name that is returned by
the address->name DNS server, by asking for a second opinion. To this
end, the programs look at the name and addresses that are returned by
the name->address DNS server, which may be an entirely different host.

If any name or address discrepancies are found, or if the second DNS
opinion is not available, the wrappers assume that one of the two name
servers is lying, and assume that the client host pretends to have
someone else's host name.

When compiled with -DPARANOID, the wrappers will always attempt to look
up and double check the client host name, and will always refuse
service in case of a host name/address discrepancy. This is a
reasonable policy for most systems.
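The second-opinion check, as an added example that is not code from the
tcp_wrappers package: the two lookups are passed in as callables so the
logic can be exercised against constructed DNS answers, with a live variant
on top of the standard resolver. The outcomes are the ones the access
control language can match: the verified name, `unknown' when there is no
reverse mapping, and `paranoid' when the forward lookup fails, returns a
different canonical name, or does not list the client address.

```python
# Added example, not code from the tcp_wrappers package: the "second opinion"
# host name check of section 4.2 written against pluggable lookups, so it can
# be exercised offline.  reverse(addr) returns the name from the address->name
# server or None; forward(name) returns (canonical name, [addresses]) from
# the name->address server, or (None, []).  The tables below are constructed.
import socket

UNKNOWN, PARANOID = "unknown", "paranoid"


def verified_hostname(addr, reverse, forward):
    """Return (host name to use in access control, reason).

    "unknown" when there is no reverse mapping; "paranoid" when the forward
    lookup of that name fails, yields a different canonical name, or does
    not list the client address; otherwise the verified name itself.
    """
    name = reverse(addr)
    if not name:
        return UNKNOWN, "no address->name mapping for %s" % addr
    canon, addrs = forward(name)
    if canon is None:
        return PARANOID, "can't verify hostname: name->address lookup of %s failed" % name
    if canon.lower() != name.lower():
        return PARANOID, "host name/name mismatch: %s != %s" % (name, canon)
    if addr not in addrs:
        return PARANOID, "host name/address mismatch: %s != %s" % (addr, name)
    return name, "ok"


def table_resolver(ptr, fwd):
    """Lookups backed by dicts, standing in for two (possibly different) DNS servers."""
    return ptr.get, (lambda name: fwd.get(name, (None, [])))


def system_resolver():
    """The same two lookups against the live resolver (not used by the self-test)."""
    def reverse(addr):
        try:
            return socket.gethostbyaddr(addr)[0]
        except OSError:
            return None

    def forward(name):
        try:
            canon, _aliases, addrs = socket.gethostbyname_ex(name)
            return canon, addrs
        except OSError:
            return None, []
    return reverse, forward


# Constructed answers: one consistent host and three ways a client can fail.
PTR = {
    "131.155.72.12": "hermes.win.tue.nl",   # reverse and forward agree
    "10.9.8.7": "hermes.win.tue.nl",        # attacker's PTR claims the trusted name
    "192.0.2.9": "alias.example.org",       # PTR gives an alias, not the canonical name
    "198.51.100.3": "ghost.example.org",    # name has no forward record at all
}
FORWARD = {
    "hermes.win.tue.nl": ("hermes.win.tue.nl", ["131.155.72.12"]),
    "alias.example.org": ("real.example.org", ["192.0.2.9"]),
}


def check(addr):
    """Run the check against the constructed tables."""
    return verified_hostname(addr, *table_resolver(PTR, FORWARD))
```

The point of the address comparison is that the attacker controls the
reverse zone for 10.9.8.7 but not the forward zone of win.tue.nl, so the
claimed name cannot be made to resolve back to the attacker's address. What
the check cannot detect is a client that really does own a consistent pair
of records, which is why section 4.3 treats address spoofing separately.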

When compiled without -DPARANOID, the wrappers by default still perform
hostname lookup. You can match hosts with a name/address discrepancy
with the PARANOID wildcard and decide whether or not to grant service.

Automatic hostname verification is enabled by default. Automatic
hostname lookups and verification can be turned off by editing the
Makefile. The configuration and installation section below describes
the Makefile editing process.

4.3 - Host address spoofing
---------------------------

While host name spoofing can be found out by asking a second opinion,
it is much harder to find out that a host claims to have someone else's
network address. And since host names are deduced from network
addresses, address spoofing is at least as effective as name spoofing.

The wrapper programs can give additional protection against hosts that
claim to have an address that lies outside their own network. For
example, some far-away host that claims to be a trusted host within
your own network. Such things are possible even while the impersonated
system is up and running.

This additional protection is not an invention of my own; it has been
present for at least five years in the BSD rsh and rlogin daemons.
Unfortunately, that feature was added *after* 4.3 BSD came out, so that
very few, if any, UNIX vendors have adopted it.
Our site, and many other ones, have been running these enhanced daemons
for several years, and without any ill effects.

When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
programs refuse to service TCP connections with IP source routing
options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
that can stop source-routed traffic in the kernel. Examples are
4.4BSD derivatives, Solaris 2.x, and Linux. See your system manuals
for details.

If you are going to use this feature on SunOS 4.1.x you should apply
patch 100804-03+ or 101790-something depending on your SunOS version.
Otherwise you may experience "BAD TRAP" and "Data fault" panics when
the getsockopt() system call is executed after a TCP RESET has been
received. This is a kernel bug, it is not the fault of the wrappers.

The feature is disabled by default. It can be turned on by editing the
Makefile. The configuration and installation section below describes
the Makefile editing process.

UDP services do not benefit from this additional protection. With UDP,
all you can be certain of is the network packet's destination address.

4.4 - Client username lookups
-----------------------------

The protocol proposed in RFC 931 provides a means to obtain the client
user name from the client host.
The requirement is that the client host runs an RFC 931-compliant
daemon. The information provided by such a daemon is not intended to be
used for authentication purposes, but it can provide additional
information about the owner of a TCP connection.

The RFC 931 protocol has diverged into different directions (IDENT,
TAP, RFC 1413). To add to the confusion, they all use the same network
port. The daemon wrappers implement a common subset of the protocols.

There are some limitations: the number of hosts that run an RFC 931 (or
compatible) daemon is limited (but growing); client user name lookups
do not work for datagram (UDP) services. More seriously, client user
name lookups can cause noticeable delays with connections from non-UNIX
PCs. Recent PC software seems to have fixed this (for example NCSA
telnet). The wrappers use a 10-second timeout for RFC931 lookups, to
accommodate slow networks and slow hosts.

By default, the wrappers will do username lookup only when the access
control rules require them to do so (via user@host client patterns, see
the hosts_access.5 manual page) or when the username is needed for
%<letter> expansions.

You can configure the wrappers to always perform client username
lookups, by editing the Makefile. The client username lookup timeout
period (10 seconds default) can be changed by editing the Makefile.
The installation sections below describe the Makefile editing process.

On System V with TLI-based network services, client username lookups
will be possible only when the underlying network protocol is TCP/IP.

4.5 - Language extensions
-------------------------

The wrappers sport only a limited number of features. This is for a
good reason: programs that run at high privilege levels must be easy to
verify. And the smaller a program, the easier to verify. There is,
however, a provision to add features.

The options.c module provides a framework for language extensions.
Quite a few extensions have already been implemented; they are
documented in the hosts_options.5 document, which is in `nroff -man'
format. Examples: changing the severity level at which a request for
service is logged; "allow" and "deny" keywords; running a customized
server instead of the standard one; many others.

The language extensions are not enabled by default because they
introduce an incompatible change to the access control language
syntax. Instructions to enable the extensions are given in the
Makefile.

4.6 - Multiple ftp/gopher/www archives on one host
--------------------------------------------------

Imagine one host with multiple internet addresses.
These addresses do not need to have the same internet hostname. Thus,
it is possible to offer services with different internet hostnames
from just one host.

Service providers can use this to offer organizations a presence on the
"net" with their own internet hostname, even when those organizations
aren't connected to the Internet at all. To the end user it makes no
difference, because applications use internet hostnames.

There are several ways to assign multiple addresses to one machine.
The nice way is to take an existing network interface and to assign
additional internet addresses with the `ifconfig' command. Examples:

    Solaris 2:  ifconfig le0:1 <address> netmask <mask> up
    4.4 BSD:    ifconfig en0 alias <address> netmask <mask>

On other systems one has to increase the number of network interfaces:
either with hardware interfaces, or with pseudo interfaces like SLIP or
PPP. The interfaces do not need to be attached to anything. They just
need to be up and to be assigned a suitable internet address and mask.

With the wrapper software, `daemon@host' access control patterns can be
used to distinguish requests by the network address that they are aimed
at. Judicious use of the `twist' option (see the hosts_options.5 file,
`nroff -man' format) can guide the requests to the right server.
These can be servers that live in separate chroot areas, or servers
modified to take additional context from the command line, or a
combination.

Another way is to modify gopher or www listeners so that they bind to
only one specific network address. Multiple gopher or www servers can
then be run side by side, each taking requests sent to its respective
network address.

4.7 - Banner messages
---------------------

Some sites are required to present an informational message to users
before they attempt to login. Banner messages can also be useful when
denying service: instead of simply dropping the connection a polite
explanation is given first. Finally, banners can be used to give your
system a more personal touch.

The wrapper software provides easy-to-use tools to generate pre-login
banners for ftp, telnet, rlogin etc. from a single prototype banner
text file. Details on banners and on-the-fly %<letter> expansions are
given in the hosts_options.5 manual page (`nroff -man' format). An
example is given in the file Banners.Makefile.

In order to support banner messages the wrappers have to be built with
language extensions enabled. See the section on language extensions.
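The %<letter> expansion that banners share with the spawn and twist commands
of section 4.1, as an added example that is not code from the tcp_wrappers
package: the letters follow the hosts_access(5) list (%a/%A, %c, %d, %h/%H,
%n/%N, %p, %s, %u, %%), and every expanded value is passed through a filter
that replaces characters which may confuse the shell with underscores, since
the host name being expanded is data supplied by the client's DNS. The set of
characters this example keeps (letters, digits and .-_@) is its own
conservative choice, not the package's exact list, and the request it
expands is constructed.

```python
# Added example, not code from the tcp_wrappers package: the %<letter>
# expansion used by banners and by spawn/twist commands, applied to a
# constructed request.  The letters follow hosts_access(5); the set of
# characters kept unchanged (letters, digits, ".-_@") is this example's own
# conservative reading of "characters that may confuse the shell", which the
# package replaces with underscores.
import os
from dataclasses import dataclass

UNKNOWN, PARANOID = "unknown", "paranoid"


@dataclass
class Request:
    daemon: str                 # %d
    addr: str                   # %a
    name: str = UNKNOWN         # %n: "unknown" or "paranoid" when not verified
    user: str = UNKNOWN         # %u: from the IDENT lookup, or "unknown"
    server_addr: str = ""       # %A
    server_name: str = UNKNOWN  # %N
    pid: int = 0                # %p (0: use this process's pid)


def _hostinfo(name, addr):
    """Host name if it is known, else the address (%h and %H)."""
    return name if name not in (UNKNOWN, PARANOID) else addr


def sanitize(value):
    """Replace anything that is not a letter, digit or one of .-_@ with "_"."""
    return "".join(c if c.isalnum() or c in ".-_@" else "_" for c in value)


def fields(req):
    host = _hostinfo(req.name, req.addr)
    server = _hostinfo(req.server_name, req.server_addr)
    return {
        "a": req.addr, "A": req.server_addr,
        "c": "%s@%s" % (req.user, host) if req.user != UNKNOWN else host,
        "d": req.daemon,
        "h": host, "H": server,
        "n": req.name, "N": req.server_name,
        "p": str(req.pid or os.getpid()),
        "s": "%s@%s" % (req.daemon, server) if req.server_addr else req.daemon,
        "u": req.user,
    }


def expand(template, req):
    """Expand %<letter> sequences; %% is a literal percent; other letters are errors."""
    out, values, i = [], fields(req), 0
    while i < len(template):
        ch = template[i]
        if ch == "%":
            key = template[i + 1] if i + 1 < len(template) else ""
            if key == "%":
                out.append("%")
            elif key in values:
                out.append(sanitize(values[key]))
            else:
                raise ValueError("unrecognized %% sequence: %%%s" % key)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# Constructed request: the client's reverse name carries shell metacharacters.
HOSTILE = Request(daemon="in.telnetd", addr="10.9.8.7",
                  name="trap.example.org; rm -rf /", user=UNKNOWN,
                  server_addr="131.155.72.12", server_name="hermes.win.tue.nl",
                  pid=4242)

BANNER = "Welcome to %H (%d). Your address is %a, user %u.\n"
BOOBY_TRAP = "(/usr/sbin/safe_finger -l @%h | /usr/bin/mail -s %d-%h root) &"
```

For the hostile request, expand(BOOBY_TRAP, HOSTILE) yields a command in
which the host name has become `trap.example.org__rm_-rf__', so the `;' and
the spaces never reach the shell that runs the booby trap; without the
filter, a PTR record is all an attacker needs to turn a spawn rule into
remote command execution on the wrapper host.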

4.8 - Sequence number guessing
------------------------------

Recently, systems came under attack from intruders that exploited a
well-known weakness in TCP/IP sequence number generators. This
weakness allows intruders to impersonate trusted hosts. Break-ins have
been reported via the rsh service. In fact, any network service can be
exploited that trusts the client host name or address.

A long-term solution is to stop using network services that trust the
client host name or address, and to use data encryption instead.

A short-term solution, as outlined in CERT advisory CA-95:01, is to
configure network routers so that they discard datagrams from "outside"
with an "inside" source address. This approach is most fruitful when
you do not trust any hosts outside your local network.

The IDENT (RFC931 etc.) client username lookup protocol can help to
detect host impersonation attacks. Before accepting a client request,
the wrappers can query the client's IDENT server and find out that the
client never sent that request.

When the client host provides IDENT service, a negative IDENT lookup
result (the client matches `UNKNOWN@host') is strong evidence of a host
impersonation attack.

A positive IDENT lookup result (the client matches `KNOWN@host') is
less trustworthy.
It is possible for an attacker to spoof both the
client request and the IDENT lookup connection, although doing so
should be much harder than spoofing just a client request. Another
possibility is that the client's IDENT server is lying.

Client username lookups are described in more detail in a previous
section. Pointers to IDENT daemon software are described in the section
on related software.

5 - Other works
---------------

5.1 - Related documents
-----------------------

The war story behind the tcp wrapper tools is described in:

    W.Z. Venema, "TCP WRAPPER, network monitoring, access control and
    booby traps", UNIX Security Symposium III Proceedings (Baltimore),
    September 1992.

    ftp.win.tue.nl:/pub/security/tcp_wrapper.ps.Z (postscript)
    ftp.win.tue.nl:/pub/security/tcp_wrapper.txt.Z (flat text)

The same cracker is also described in:

    W.R. Cheswick, "An Evening with Berferd, In Which a Cracker is
    Lured, Endured, and Studied", Proceedings of the Winter USENIX
    Conference (San Francisco), January 1992.

    research.att.com:/dist/internet_security/berferd.ps

An updated version of the latter paper appeared in:

    W.R. Cheswick, S.M.
    Bellovin, "Firewalls and Internet Security",
    Addison-Wesley, 1994.

Discussions on internet firewalls are archived on ftp.greatcircle.com.
Subscribe to the mailing list by sending a message to

    majordomo@greatcircle.com

with in the body (not subject): subscribe firewalls.

5.2 - Related software
----------------------

Network daemons etc. with enhanced logging capabilities can generate
massive amounts of information: our 150+ workstations generate several
hundred kbytes each day. egrep-based filters can help to suppress some
of the noise. A more powerful tool is the Swatch monitoring system by
Stephen E. Hansen and E. Todd Atkins. Swatch can process log files in
real time and can associate arbitrary actions with patterns; its
applications are by no means restricted to security. Swatch is
available from ftp.stanford.edu, directory
/general/security-tools/swatch.

Socks, described in the UNIX Security III proceedings, can be used to
control network traffic from hosts on an internal network, through a
firewall host, to the outer world. Socks consists of a daemon that is
run on the firewall host, and of a library with routines that redirect
application socket calls through the firewall daemon. Socks is
available from s1.gov in /pub/firewalls/socks.tar.Z.

For a modified Socks version by Ying-Da Lee (ylee@syl.dl.nec.com) try
ftp.nec.com, directory /pub/security/socks.cstc.

Tcpr is a set of perl scripts by Paul Ziemba that enable you to run ftp
and telnet commands across a firewall. Unlike socks it can be used with
unmodified client software. Available from ftp.alantec.com, /pub/tcpr.

The TIS firewall toolkit provides a multitude of tools to build your
own internet firewall system. ftp.tis.com, directory /pub/firewalls.

Versions of rshd and rlogind, modified to report the client user name
in addition to the client host name, are available for anonymous ftp
(ftp.win.tue.nl:/pub/security/logdaemon-XX.tar.Z). These programs are
drop-in replacements for SunOS 4.x, Ultrix 4.x, SunOS 5.x and HP-UX
9.x. This archive also contains ftpd/rexecd/login versions that support
S/Key or SecureNet one-time passwords in addition to traditional UNIX
reusable passwords.

The securelib shared library by William LeFebvre can be used to control
access to network daemons that are not run under control of the inetd
or that serve more than one client, such as the NFS mount daemon that
runs until the machine goes down. Available from eecs.nwu.edu, file
/pub/securelib.tar.

xinetd (posted to comp.sources.unix) is an inetd replacement that
provides, among other things, logging, username lookup and access
control.
However, it does not support the System V TLI services, and involves
much more source code than the daemon wrapper programs. Available
from ftp.uu.net, directory /usenet/comp.sources.unix.

netlog from Texas A&M relies on the SunOS 4.x /dev/nit interface to
passively watch all TCP and UDP network traffic on a network. The
current version is on net.tamu.edu in /pub/security/TAMU.

Where shared libraries or router-based packet filtering are not an
option, an alternative portmap daemon can help to prevent hackers
from mounting your NFS file systems using the proxy RPC facility.
ftp.win.tue.nl:/pub/security/portmap-X.shar.Z was tested with SunOS
4.1.X, Ultrix 3.0 and Ultrix 4.x, HP-UX 8.x and some version of AIX.
The protection is less effective than that of the securelib library
because portmap is mostly a dictionary service.

An rpcbind replacement (the Solaris 2.x moral equivalent of portmap)
can be found on ftp.win.tue.nl in /pub/security. It prevents hackers
from mounting your NFS file systems by using the proxy RPC facility.

Source for a portable RFC 931 (TAP, IDENT, RFC 1413) daemon by Peter
Eriksson is available from ftp.lysator.liu.se:/pub/ident/servers.

Some TCP/IP implementations come without a syslog library. Some come
with the library but have no syslog daemon. A replacement can be found
in ftp.win.tue.nl:/pub/security/surrogate-syslog.tar.Z.
The fakesyslog
library that comes with the nntp sources reportedly works well, too.

6 - Limitations
---------------

6.1 - Known wrapper limitations
-------------------------------

Many UDP (and rpc/udp) daemons linger around for a while after they
have serviced a request, just in case another request comes in. In the
inetd configuration file these daemons are registered with the `wait'
option. Only the request that started such a daemon will be seen by the
wrappers. Such daemons are better protected with the securelib shared
library (see: Related software).

The wrappers do not work with RPC services over TCP. These services are
registered as rpc/tcp in the inetd configuration file. The only
non-trivial service that is affected by this limitation is rexd, which
is used by the on(1) command. This is no great loss. On most systems,
rexd is less secure than a wildcard in /etc/hosts.equiv.

Some RPC requests (for example: rwall, rup, rusers) appear to come from
the server host. What happens is that the client broadcasts its request
to all portmap daemons on its network; each portmap daemon forwards the
request to a daemon on its own system. As far as the rwall etc. daemons
know, the request comes from the local host.

Portmap and RPC (e.g. NIS and NFS) (in)security is a topic in itself.
See the section in this document on related software.

6.2 - Known system software bugs
--------------------------------

Workarounds have been implemented for several bugs in system software.
They are described in the Makefile. Unfortunately, some system software
bugs cannot be worked around. The result is loss of functionality.

IRIX has so many bugs that it has its own README.IRIX file.

Older ConvexOS versions come with a broken recvfrom(2) implementation.
This makes it impossible for the daemon wrappers to look up the
client host address (and hence, the name) in case of UDP requests.
A patch is available for ConvexOS 10.1; later releases should be OK.

With early Solaris (SunOS 5) versions, the syslog daemon will leave
behind zombie processes when writing to logged-in users. Workaround:
increase the syslogd threshold for logging to users, or reduce the
wrapper's logging severity.

On some systems, the optional RFC 931 etc. client username lookups may
trigger a kernel bug. When a client host connects to your system, and
the RFC 931 connection from your system to that client is rejected by a
router, your kernel may drop all connections with that client. This is
not a bug in the wrapper programs: complain to your vendor, and don't
enable client user name lookups until the bug has been fixed.

Reportedly, SunOS 4.1.1, Next 2.0a, ISC 3.0 with TCP 1.3, and AIX 3.2.2
and later are OK.

Sony News/OS 4.51, HP-UX 8-something and Ultrix 4.3 still have the bug.
Reportedly, a fix for Ultrix is available (CXO-8919).

The following procedure can be used (from outside the tue.nl domain) to
find out if your kernel has the bug. From the system under test, do:

    % ftp 131.155.70.19

This command attempts to make an ftp connection to our anonymous ftp
server (ftp.win.tue.nl). When the connection has been established, run
the following command from the same system under test, while keeping
the ftp connection open:

    % telnet 131.155.70.19 111

Do not forget the `111' at the end of the command. This telnet command
attempts to connect to our portmap process. The telnet command should
fail with: "host not reachable", or with a timeout error. If your ftp
connection gets messed up, you have the bug. If the telnet command does
not fail, please let me know a.s.a.p.!

For those who care, the bug is that the BSD kernel code was not careful
enough with incoming ICMP UNREACHABLE control messages (it ignored the
local and remote port numbers, and therefore zapped *all* connections
with the remote system).
The bug is still present in the BSD NET/1
source release (1989) but apparently has been fixed in BSD NET/2 (1991).

7 - Configuration and installation
----------------------------------

7.1 - Easy configuration and installation
-----------------------------------------

The "easy" recipe requires no changes to existing software or
configuration files. Basically, you move the daemons that you want to
protect to a different directory and plug the resulting holes with
copies of the wrapper programs.

If you don't run Ultrix, you won't need the miscd wrapper program. The
miscd daemon implements, among other things, the SYSTAT service, which
produces the same output as the WHO command.

Type `make' and follow the instructions. The Makefile comes with
ready-to-use templates for many common UNIX implementations (sun,
ultrix, hp-ux, aix, irix, ...).

IRIX has so many bugs that it has its own README.IRIX file.

When the `make' succeeds the result is five executables (six in case of
Ultrix).

You can use the `tcpdchk' program to identify the most common problems
in your wrapper and inetd configuration files.

With the `tcpdmatch' program you can examine how the wrapper would
react to specific requests for service.

The `safe_finger' command should be used when you implement booby
traps: it gives better protection against nasty stuff that remote
hosts may do in response to your finger probes.

The `try-from' program tests the host and username lookup code. Run it
from a remote shell command (`rsh host /some/where/try-from') and it
should be able to figure out from what system it is being called.

The tcpd program can be used to monitor the telnet, finger, ftp, exec,
rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
a one-to-one mapping onto executable files.

The tcpd program can also be used for services that are marked as
rpc/udp in the inetd configuration file, but not for rpc/tcp services
such as rexd. You probably do not want to run rexd anyway. On most
systems it is even less secure than a wildcard in /etc/hosts.equiv.

With System V.4-style systems, the tcpd program can also handle TLI
services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
the same functions as with socket-based applications. When some other
protocol is used underneath TLI, functionality will be limited (no
client username lookups, weird network address formats).

Decide which services you want to monitor.
Move the corresponding
vendor-provided daemon programs to the location specified by the
REAL_DAEMON_DIR constant in the Makefile, and fill the holes with
copies of the tcpd program. That is, one copy of (or link to) the tcpd
program for each service that you want to monitor. For example, to
monitor the use of your finger service:

    # mkdir REAL_DAEMON_DIR
    # mv /usr/etc/in.fingerd REAL_DAEMON_DIR
    # cp tcpd /usr/etc/in.fingerd

The example applies to SunOS 4. With other UNIX implementations the
network daemons live in /usr/libexec, /usr/sbin or in /etc, or have no
"in." prefix to their names, but you get the idea.

File protections: the wrapper, all files used by the wrapper, and all
directories in the path leading to those files, should be accessible
but not writable for unprivileged users (mode 755 or mode 555). Do not
install the wrapper set-uid.

Ultrix only: If you want to monitor the SYSTAT service, move the
vendor-provided miscd daemon to the location specified by the
REAL_DAEMON_DIR macro in the Makefile, and install the miscd wrapper
at the original miscd location.

In the absence of any access-control tables, the daemon wrappers
will just maintain a record of network connections made to your system.
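
The easy recipe above, done for several services at once and followed
by the file-protection check the section asks for, as an added shell
example; this is not code from the tcp_wrappers distribution. The tcpd
path, the vendor daemon directory and REAL_DAEMON_DIR are parameters,
and the demo runs against a constructed scratch tree rather than a live
/usr/etc.

```shell
#!/bin/sh
# Added example, not part of the tcp_wrappers distribution: the "easy"
# recipe of section 7.1 as a script, plus the file-protection check the
# same section asks for.  Directory names are parameters; the demo uses
# a constructed scratch tree, the SunOS 4 paths in the text are only an
# illustration.

# wrap_easy TCPD DAEMON_DIR REAL_DAEMON_DIR NAME...
#   Move DAEMON_DIR/NAME to REAL_DAEMON_DIR/NAME and put a copy of TCPD
#   in its place, for each NAME.  A service whose real daemon is already
#   stashed in REAL_DAEMON_DIR is skipped: moving the file a second time
#   would bury the tcpd copy there and lose the daemon.
wrap_easy() {
    tcpd=$1 daemon_dir=$2 real_dir=$3
    shift 3
    mkdir -p "$real_dir" && chmod 755 "$real_dir" || return 1
    for name in "$@"; do
        if [ -e "$real_dir/$name" ]; then
            echo "wrap_easy: $real_dir/$name exists, not wrapping $name again" >&2
            continue
        fi
        mv "$daemon_dir/$name" "$real_dir/$name" || return 1
        cp "$tcpd" "$daemon_dir/$name" || return 1
        chmod 755 "$daemon_dir/$name" || return 1
    done
}

# check_protections ROOT PATH...
#   Section 7.1 requires that the wrapper, the files it uses and every
#   directory on the way to them are readable but not writable by
#   unprivileged users, and that the wrapper is not set-uid.  Walk from
#   each PATH up to (not including) ROOT and report anything that breaks
#   this; return 1 if something did.  ROOT is "/" on a real system; the
#   demo passes the scratch tree because its parent (/tmp) is 1777.
check_protections() {
    root=$1
    shift
    status=0
    for path in "$@"; do
        p=$path
        while [ "$p" != "$root" ] && [ "$p" != / ]; do
            if [ ! -e "$p" ]; then
                echo "missing: $p"; status=1; break
            fi
            # ls -ld prints e.g. -rwsr-xr-x: position 4 shows set-uid,
            # 6 group-write, 8 other-read and 9 other-write.
            mode=$(ls -ld "$p" | cut -c1-10)
            case $mode in
                ???[sS]*)           echo "set-uid: $p ($mode)"; status=1 ;;
            esac
            case $mode in
                ?????w*|????????w?) echo "group/other writable: $p ($mode)"; status=1 ;;
            esac
            case $mode in
                ???????r??)         ;;
                *)                  echo "not world readable: $p ($mode)"; status=1 ;;
            esac
            p=$(dirname "$p")
        done
    done
    return $status
}

# make_sandbox: build a constructed scratch tree standing in for /usr/etc
# and a freshly built tcpd, and print its path.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/usr/etc" "$sb/src" || return 1
    chmod 755 "$sb/usr" "$sb/usr/etc" "$sb/src"
    printf '#!/bin/sh\necho vendor fingerd\n' > "$sb/usr/etc/in.fingerd"
    printf '#!/bin/sh\necho vendor telnetd\n' > "$sb/usr/etc/in.telnetd"
    printf '#!/bin/sh\necho tcpd\n' > "$sb/src/tcpd"
    chmod 755 "$sb/usr/etc/in.fingerd" "$sb/usr/etc/in.telnetd" "$sb/src/tcpd"
    echo "$sb"
}

if [ "${1:-}" = demo ]; then
    sb=$(make_sandbox) || exit 1
    wrap_easy "$sb/src/tcpd" "$sb/usr/etc" "$sb/usr/etc/real" in.fingerd in.telnetd
    check_protections "$sb" "$sb/usr/etc/in.fingerd" "$sb/usr/etc/real/in.fingerd" \
        && echo "protections OK"
    rm -rf "$sb"
fi
```

Run as `sh wrap-easy.sh demo' to exercise both functions on the scratch
tree. Against a real system the first argument of check_protections is
`/'; the check deliberately stops short of the root you name, which is
why the demo names the scratch directory rather than /tmp.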

7.2 - Advanced configuration and installation
---------------------------------------------

The advanced recipe leaves your daemon executables alone, but involves
simple modifications to the inetd configuration file.

Type `make' and follow the instructions. The Makefile comes with
ready-to-use templates for many common UNIX implementations (sun,
ultrix, hp-ux, aix, irix, ...).

IRIX users should read the warnings in the README.IRIX file first.

When the `make' succeeds the result is five executables (six in case of
Ultrix).

You can use the `tcpdchk' program to identify the most common problems
in your wrapper and inetd configuration files.

With the `tcpdmatch' program you can examine how the wrapper would
react to specific requests for service.

The `try-from' program tests the host and username lookup code. Run it
from a remote shell command (`rsh host /some/where/try-from') and it
should be able to figure out from what system it is being called.

The `safe_finger' command should be used when you implement a booby
trap: it gives better protection against nasty stuff that remote hosts
may do in response to your finger probes.

The tcpd program can be used to monitor the telnet, finger, ftp, exec,
rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
a one-to-one mapping onto executable files.

With System V.4-style systems, the tcpd program can also handle TLI
services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
the same functions as with socket-based applications. When some other
protocol is used underneath TLI, functionality will be limited (no
client username lookups, weird network address formats).

The tcpd program can also be used for services that are marked as
rpc/udp in the inetd configuration file, but not for rpc/tcp services
such as rexd. You probably do not want to run rexd anyway. On most
systems it is even less secure than a wildcard in /etc/hosts.equiv.

Install the tcpd command in a suitable place. Apollo UNIX users will
want to install it under a different name because the name "tcpd" is
already taken; a suitable name would be "frontd".

File protections: the wrapper, all files used by the wrapper, and all
directories in the path leading to those files, should be accessible
but not writable for unprivileged users (mode 755 or mode 555). Do not
install the wrapper set-uid.
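
The inetd.conf edit that the rest of this section describes by hand for
the finger service, done with awk so that it can be applied to a whole
list of services; this is an added example, not code from the
tcp_wrappers distribution. It also produces the absolute-path form that
section 7.3 introduces for a daemon living outside REAL_DAEMON_DIR,
copes with the missing user field mentioned below, and lists the
process names that tcpd will use for logging and access control, which
section 7.4 needs for tcpdmatch. The tcpd path and REAL_DAEMON_DIR are
parameters; the sample inetd.conf is constructed.

```shell
#!/bin/sh
# Added example, not part of the tcp_wrappers distribution: rewrite
# inetd.conf entries so that they run through tcpd.  TCPD and
# REAL_DAEMON_DIR are parameters; the sample configuration below is
# constructed.

# wrap_inetd_conf TCPD REAL_DAEMON_DIR SERVICE... < inetd.conf
#   Print inetd.conf with the named services routed through TCPD.
#   Comments, unlisted services, "internal" services and entries that
#   already name TCPD pass through unchanged.  The server path is the
#   first field after the service name that starts with "/", so it does
#   not matter whether the optional user field is present.
wrap_inetd_conf() {
    tcpd=$1 real_dir=$2
    shift 2
    awk -v tcpd="$tcpd" -v real_dir="$real_dir" -v wanted="$*" '
    BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    /^[ \t]*#/ || NF == 0 || !($1 in want) { print; next }
    {
        srv = 0
        for (i = 2; i <= NF; i++) if ($i ~ /^\//) { srv = i; break }
        if (srv == 0 || $srv == tcpd) { print; next }
        path = $srv
        dir = path;  sub(/\/[^\/]*$/, "", dir)
        base = path; sub(/^.*\//, "", base)
        # Section 7.3: a daemon outside REAL_DAEMON_DIR must be named by its
        # absolute path; inside it, the bare file name is enough.
        name = (dir == real_dir) ? base : path
        # The field after the server path is the daemon process name
        # (argv[0]); tcpd uses it to find the real daemon, to log, and to
        # match the access control tables.
        $srv = tcpd
        $(srv + 1) = name
        print
    }'
}

# wrapped_names TCPD < inetd.conf
#   For every entry that runs TCPD, print "service process_name", where
#   process_name is the last path component of the daemon name: the
#   string tcpd logs and looks up in the access control tables, and so
#   the first argument to give tcpdmatch.
wrapped_names() {
    awk -v tcpd="$1" '
    /^[ \t]*#/ || NF == 0 { next }
    {
        for (i = 2; i <= NF; i++)
            if ($i == tcpd) { name = $(i + 1); sub(/^.*\//, "", name); print $1, name; break }
    }'
}

# Constructed sample in the SunOS 4 layout of the text, plus one entry
# without a user field and one internal service.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
finger  stream  tcp  nowait  nobody  /usr/etc/in.fingerd    in.fingerd
tftp    dgram   udp  wait    root    /usr/etc/in.tftpd      in.tftpd -s /tftpboot
ntalk   dgram   udp  wait    root    /usr/local/lib/ntalkd  ntalkd
echo    stream  tcp  nowait  root    internal
telnet  stream  tcp  nowait  /usr/etc/in.telnetd  in.telnetd
EOF
}

if [ "${1:-}" = demo ]; then
    sample_inetd_conf | wrap_inetd_conf /usr/etc/tcpd /usr/etc finger tftp ntalk telnet
    echo "--- process names for tcpdmatch:"
    sample_inetd_conf | wrap_inetd_conf /usr/etc/tcpd /usr/etc finger tftp ntalk telnet \
        | wrapped_names /usr/etc/tcpd
fi
```

Feed the real file in and write the result to a new file, compare the
two, and only then install it and `kill -HUP' the inetd. awk rebuilds
the edited lines with single spaces, so those lose their column
alignment; untouched lines keep theirs. Running the script twice
changes nothing, because entries that already name tcpd are skipped.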

Then perform the following edits on the inetd configuration file
(usually /etc/inetd.conf or /etc/inet/inetd.conf):

    finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
                                    ^^^^^^^^^^^^^^^^^^^
becomes:

    finger stream tcp nowait nobody /usr/etc/tcpd in.fingerd
                                    ^^^^^^^^^^^^^
Send a `kill -HUP' to the inetd process to make the change effective.
Some IRIX inetd implementations require that you first disable the
finger service (comment out the finger service and `kill -HUP' the
inetd) before you can turn on the modified version. Sending a HUP
twice seems to work just as well for IRIX 5.3, 6.0, 6.0.1 and 6.1.

AIX note: you may have to execute the `inetimp' command after changing
the inetd configuration file.

The example applies to SunOS 4. With other UNIX implementations the
network daemons live in /usr/libexec, /usr/sbin, or /etc, the network
daemons have no "in." prefix to their names, or the username field in
the inetd configuration file may be missing.

When the finger service works as expected you can perform similar
changes for other network services. Do not forget the `kill -HUP'.

The miscd daemon that comes with Ultrix implements several network
services. It decides what to do by looking at its process name.
One of the services is systat, which is a kind of limited finger
service. If you want to monitor the systat service, install the miscd
wrapper in a suitable place and update the inetd configuration file:

    systat stream tcp nowait /suitable/place/miscd systatd

Ultrix 4.3 allows you to specify a user id under which the daemon will
be executed. This feature is not documented in the manual pages. Thus,
the example would become:

    systat stream tcp nowait nobody /suitable/place/miscd systatd

Older Ultrix systems still run all their network daemons as root.

In the absence of any access-control tables, the daemon wrappers
will just maintain a record of network connections made to your system.

7.3 - Daemons with arbitrary path names
---------------------------------------

The above tcpd examples work fine with network daemons that live in a
common directory, but sometimes that is not practical. Having soft
links all over your file system is not a clean solution, either.

Instead you can specify, in the inetd configuration file, an absolute
path name for the daemon process name.
For example,

    ntalk dgram udp wait root /usr/etc/tcpd /usr/local/lib/ntalkd

When the daemon process name is an absolute path name, tcpd ignores the
value of the REAL_DAEMON_DIR constant, and uses the last path component
of the daemon process name for logging and for access control.

7.4 - Building and testing the access control rules
---------------------------------------------------

In order to support access control the wrappers must be compiled with
the -DHOSTS_ACCESS option. The access control policy is given in the
form of two tables (default: /etc/hosts.allow and /etc/hosts.deny).
Access control is disabled when there are no access control tables, or
when the tables are empty.

If you haven't used the wrappers before I recommend that you first run
them a couple of days without any access control restrictions. The
logfile records should give you an idea of the process names and of the
host names that you will have to build into your access control rules.

The syntax of the access control rules is documented in the file
hosts_access.5, which is in `nroff -man' format. This is a lengthy
document, and no-one expects you to read it right away from beginning
to end. Instead, after reading the introductory section, skip to the
examples at the end so that you get a general idea of the language.
Then you can appreciate the detailed reference sections near the
beginning of the document.

The examples in the hosts_access.5 document (`nroff -man' format) show
two specific types of access control policy: 1) mostly closed (only
permitting access from a limited number of systems) and 2) mostly open
(permitting access from everyone except a limited number of trouble
makers). You will have to choose what model suits your situation best.
Implementing a mixed policy should not be overly difficult either.

Optional extensions to the access control language are described in the
hosts_options.5 document (`nroff -man' format).

The `tcpdchk' program examines all rules in your access control files
and reports any problems it can find. `tcpdchk -v' writes to standard
output a pretty-printed list of all rules. `tcpdchk -d' examines the
hosts.allow and hosts.deny files in the current directory. This
program is described in the tcpdchk.8 document (`nroff -man' format).

The `tcpdmatch' command can be used to try out your local access
control files. The command syntax is:

    tcpdmatch process_name hostname (e.g.: tcpdmatch in.tftpd localhost)

    tcpdmatch process_name address (e.g.: tcpdmatch in.tftpd 127.0.0.1)

This way you can simulate what decisions will be made, and what actions
will be taken, when hosts connect to your own system.
The program is
described in the tcpdmatch.8 document (`nroff -man' format).

Note 1: `tcpdmatch -d' will look for hosts.{allow,deny} tables in the
current working directory. This is useful for testing new rules without
bothering your users.

Note 2: you cannot use the `tcpdmatch' command to simulate what happens
when the local system connects to other hosts.

In order to find out what process name to use, just use the service and
watch the process name that shows up in the logfile. Alternatively,
you can look up the name from the inetd configuration file. Coming back
to the tftp example in the tutorial section above:

    tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot

This entry causes the inetd to run the wrapper program (tcpd) with a
process name `in.tftpd'. This is the name that the wrapper will use
when scanning the access control tables. Therefore, `in.tftpd' is the
process name that should be given to the `tcpdmatch' command. On your
system the actual inetd.conf entry may differ (tftpd instead of
in.tftpd, and no `root' field), but you get the idea.

When you specify a host name, the `tcpdmatch' program will use both the
host name and address. This way you can simulate the most common case
where the wrappers know both the host address and the host name.
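
The two tables and the `-d' test loop described in this section, as an
added shell example that is not part of the tcp_wrappers distribution:
it writes a mostly-closed policy into a scratch directory and runs
`tcpdchk -d' and `tcpdmatch -d' there, so nothing under /etc changes
while rules are being tried out. The domain name is a parameter and
`.example.com' is a placeholder; the rule syntax follows hosts_access.5.

```shell
#!/bin/sh
# Added example, not part of the tcp_wrappers distribution: a "mostly
# closed" pair of access control tables in a scratch directory, and the
# tcpdchk -d / tcpdmatch -d workflow for trying rules out there before
# touching /etc.  The domain is a parameter; ".example.com" is a
# placeholder.

# write_policy DIR DOMAIN
#   Everything is open to hosts on the local network (LOCAL matches host
#   names without a dot) and to DOMAIN, except tftp, which stays local
#   only; hosts.deny then closes the door for everyone else.  hosts.allow
#   is searched first and the first matching rule wins, so the tftp
#   restriction has to be carved out of the ALL rule with EXCEPT rather
#   than added as a later line, which would never be reached for hosts
#   in DOMAIN.
write_policy() {
    dir=$1 domain=$2
    cat > "$dir/hosts.allow" <<EOF
# constructed example: mostly closed policy
ALL EXCEPT in.tftpd: LOCAL, $domain
in.tftpd: LOCAL
EOF
    cat > "$dir/hosts.deny" <<'EOF'
ALL: ALL
EOF
}

# try_policy DIR PROCESS HOST...
#   Check the tables in DIR with tcpdchk -d, then ask tcpdmatch -d what
#   it would do for PROCESS from each HOST and print "PROCESS HOST:
#   granted" or "... denied".  Returns 2 when the tools are not installed
#   so a caller can tell "skipped" from a failure.
try_policy() {
    dir=$1 proc=$2
    shift 2
    command -v tcpdmatch >/dev/null 2>&1 || return 2
    command -v tcpdchk >/dev/null 2>&1 || return 2
    ( cd "$dir" && tcpdchk -d )
    for host in "$@"; do
        # tcpdmatch reports its decision on a line starting with "access:"
        verdict=$( cd "$dir" && tcpdmatch -d "$proc" "$host" | awk '/^access:/ { print $2 }' )
        echo "$proc $host: ${verdict:-no verdict}"
    done
}

# rule_count DIR: number of rules (non-comment, non-empty lines) across
# both tables, a quick check that the files were written as intended.
rule_count() {
    cat "$1/hosts.allow" "$1/hosts.deny" | grep -v '^#' | grep -c .
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) || exit 1
    write_policy "$d" .example.com
    cat "$d/hosts.allow" "$d/hosts.deny"
    try_policy "$d" in.tftpd localhost 127.0.0.1 \
        || echo "tcpdmatch/tcpdchk not installed; nothing simulated"
    rm -rf "$d"
fi
```

With the wrappers installed, `sh try-policy.sh demo' prints the tables,
any complaints from tcpdchk, and one verdict line per request. Passing
an address instead of a name to try_policy reproduces the unknown-name
case described next, in which LOCAL cannot match.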
The
`tcpdmatch' program will iterate over all addresses that it can find
for the given host name.

When you specify a host address instead of a host name, the `tcpdmatch'
program will pretend that the host name is unknown, so that you can
simulate what happens when the wrapper is unable to look up the client
host name.

7.5 - Other applications
------------------------

The access control routines can easily be integrated with other
programs. The hosts_access.3 manual page (`nroff -man' format)
describes the external interface of the libwrap.a library.

The tcpd program can even be used to control access to the mail
service. This can be useful when you suspect that someone is trying
out some obscure sendmail bug, or when a remote site is misconfigured
and keeps hammering your mail daemon.

In that case, sendmail should not be run as a stand-alone network
listener, but it should be registered in the inetd configuration file.
For example:

    smtp stream tcp nowait root /usr/etc/tcpd /usr/lib/sendmail -bs

You will still need to run one sendmail background process to handle
queued-up outgoing mail. A command like:

    /usr/lib/sendmail -q15m

(no `-bd' flag) should take care of that.
You cannot really prevent
people from posting forged mail this way, because there are many
unprotected smtp daemons on the network.

8 - Acknowledgements
--------------------

Many people contributed to the evolution of the programs, by asking
inspiring questions, by suggesting features or bugfixes, or by
submitting source code. Nevertheless, all mistakes and bugs in the
wrappers are my own.

Thanks to Brendan Kehoe (cs.widener.edu), Heimir Sverrisson (hafro.is)
and Dan Bernstein (kramden.acf.nyu.edu) for feedback on an early
release of this product. The host name/address check was suggested by
John Kimball (src.honeywell.com). Apollo's UNIX environment has some
peculiar quirks: Willem-Jan Withagen (eb.ele.tue.nl), Pieter
Schoenmakers (es.ele.tue.nl) and Charles S. Fuller (wccs.psc.edu)
provided assistance. Hal R. Brand (addvax.llnl.gov) told me how to
get the client IP address in case of datagram-oriented services, and
suggested the optional shell command feature. Shabbir Safdar
(mentor.cc.purdue.edu) provided a first version of a much-needed manual
page. Granville Boman Goza, IV (sei.cmu.edu) suggested to use the
client IP address even when the host name is available. Casper H.S.
Dik (fwi.uva.nl) provided additional insight into DNS spoofing
techniques. The bogus daemon feature was inspired by code from Andrew
Macpherson (BNR Europe Ltd).
Steve Bellovin (research.att.com)
confirmed some of my suspicions about the darker sides of TCP/IP
insecurity. Risks of automated fingers were pointed out by Borja Marcos
(we.lc.ehu.es). Brad Plecs (jhuspo.ca.jhu.edu) was kind enough to try
my early TLI code and to work out how DG/UX differs from Solaris.

John P. Rouillard (cs.umb.edu) deserves special mention for his
persistent, but constructive, nagging about wrong or missing things,
and for trying out and discussing embryonic code or ideas.

Last but not least, Howard Chu (hanauma.jpl.nasa.gov), Darren Reed
(coombs.anu.edu.au), Icarus Sparry (gdr.bath.ac.uk), Scott Schwartz
(cs.psu.edu), John A. Kunze (violet.berkeley.edu), Daniel Len Schales
(engr.latech.edu), Chris Turbeville (cse.uta.edu), Paul Kranenburg
(cs.few.eur.nl), Marc Boucher (cam.org), Dave Mitchell
(dcs.shef.ac.uk), Andrew Maffei, Adrian van Bloois, Rop Gonggrijp, John
C. Wingenbach, Everett F. Batey and many, many others provided fixes,
code fragments, or ideas for improvements.

    Wietse Venema (wietse@wzv.win.tue.nl)
    Department of Mathematics and Computing Science
    Eindhoven University of Technology
    P.O. Box 513
    5600 MB Eindhoven
    The Netherlands

    Currently visiting IBM T.J. Watson Research, Hawthorne NY, USA.