mirror of
https://github.com/freebsd/freebsd-src.git
synced 2024-12-04 18:59:37 +00:00
2aef693010
Rest of build to follow.
1039 lines
47 KiB
Plaintext
1039 lines
47 KiB
Plaintext
@(#) README 1.30 97/03/21 19:27:21
|
|
|
|
This is the 7.6 version of the TCP/IP daemon wrapper package.
|
|
|
|
Thank you for using this program. If you like it, send me a postcard.
|
|
My postal address is at the bottom of this file.
|
|
|
|
Read the BLURB file for a brief summary of what is new. The CHANGES
|
|
file gives a complete account of differences with respect to previous
|
|
releases.
|
|
|
|
Announcements of new releases of this software are posted to Usenet
|
|
(comp.security.unix, comp.unix.admin), to the cert-tools mailing list,
|
|
and to a dedicated mailing list. You can subscribe to the dedicated
|
|
mailing list by sending an email message to majordomo@wzv.win.tue.nl
|
|
with in the body (not subject): subscribe tcp-wrappers-announce.
|
|
|
|
Table of contents
|
|
-----------------
|
|
|
|
1 - Introduction
|
|
2 - Disclaimer
|
|
3 - Tutorials
|
|
3.1 - How it works
|
|
3.2 - Where the logging information goes
|
|
4 - Features
|
|
4.1 - Access control
|
|
4.2 - Host name spoofing
|
|
4.3 - Host address spoofing
|
|
4.4 - Client username lookups
|
|
4.5 - Language extensions
|
|
4.6 - Multiple ftp/gopher/www archives on one host
|
|
4.7 - Banner messages
|
|
4.8 - Sequence number guessing
|
|
5 - Other works
|
|
5.1 - Related documents
|
|
5.2 - Related software
|
|
6 - Limitations
|
|
6.1 - Known wrapper limitations
|
|
6.2 - Known system software bugs
|
|
7 - Configuration and installation
|
|
7.1 - Easy configuration and installation
|
|
7.2 - Advanced configuration and installation
|
|
7.3 - Daemons with arbitrary path names
|
|
7.4 - Building and testing the access control rules
|
|
7.5 - Other applications
|
|
8 - Acknowledgements
|
|
|
|
1 - Introduction
|
|
----------------
|
|
|
|
With this package you can monitor and filter incoming requests for the
|
|
SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
|
|
network services.
|
|
|
|
It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise
|
|
yourself lucky if you don't know what that means.
|
|
|
|
The package provides tiny daemon wrapper programs that can be installed
|
|
without any changes to existing software or to existing configuration
|
|
files. The wrappers report the name of the client host and of the
|
|
requested service; the wrappers do not exchange information with the
|
|
client or server applications, and impose no overhead on the actual
|
|
conversation between the client and server applications.
|
|
|
|
Optional features are: access control to restrict what systems can
|
|
connect to what network daemons; client user name lookups with the RFC
|
|
931 etc. protocol; additional protection against hosts that pretend to
|
|
have someone elses host name; additional protection against hosts that
|
|
pretend to have someone elses host address.
|
|
|
|
The programs are very portable. Build procedures are provided for many
|
|
common (and not so common) environments, and guidelines are provided in
|
|
case your environment is not among them.
|
|
|
|
Requirements are that network daemons are spawned by a super server
|
|
such as the inetd; a 4.3BSD-style socket programming interface and/or
|
|
System V.4-style TLI programming interface; and the availability of a
|
|
syslog(3) library and of a syslogd(8) daemon. The wrappers should run
|
|
without modification on any system that satisfies these requirements.
|
|
Workarounds have been implemented for several common bugs in systems
|
|
software.
|
|
|
|
What to do if this is your first encounter with the wrapper programs:
|
|
1) read the tutorial sections for an introduction to the relevant
|
|
concepts and terminology; 2) glance over the security feature sections
|
|
in this document; 3) follow the installation instructions (easy or
|
|
advanced). I recommend that you first use the default security feature
|
|
settings. Run the wrappers for a few days to become familiar with
|
|
their logs, before doing anything drastic such as cutting off access or
|
|
installing booby traps.
|
|
|
|
2 - Disclaimer
|
|
--------------
|
|
|
|
The wrapper programs rely on source address information obtained from
|
|
network packets. This information is provided by the client host. It is
|
|
not 100 percent reliable, although the wrappers do their best to expose
|
|
forgeries.
|
|
|
|
In the absence of cryptographic protection of message contents, and of
|
|
cryptographic authentication of message originators, all data from the
|
|
network should be treated with sound scepticism.
|
|
|
|
THIS RESTRICTION IS BY NO MEANS SPECIFIC TO THE TCP/IP PROTOCOLS.
|
|
|
|
3 - Tutorials
|
|
-------------
|
|
|
|
The tutorial sections give a gentle introduction to the operation of
|
|
the wrapper programs, and introduce some of the terminology that is
|
|
used in the remainder of the document: client, server, the inetd and
|
|
syslogd daemons, and their configuration files.
|
|
|
|
3.1 - How it works
|
|
------------------
|
|
|
|
Almost every application of the TCP/IP protocols is based on a client-
|
|
server model. For example, when a user invokes the telnet command to
|
|
connect to one of your systems, a telnet server process is executed on
|
|
the target host. The telnet server process connects the user to a login
|
|
process. A few examples of client and server programs are shown in the
|
|
table below:
|
|
|
|
client server application
|
|
--------------------------------
|
|
telnet telnetd remote login
|
|
ftp ftpd file transfer
|
|
finger fingerd show users
|
|
|
|
The usual approach is to run one single daemon process that waits for
|
|
all kinds of incoming network connections. Whenever a connection is
|
|
established, this daemon (usually called inetd) runs the appropriate
|
|
server program and goes back to sleep, waiting for other connections.
|
|
|
|
The wrapper programs rely on a simple, but powerful mechanism. Instead
|
|
of directly running the desired server program, the inetd is tricked
|
|
into running a small wrapper program. The wrapper logs the client host
|
|
name or address and performs some additional checks. When all is well,
|
|
the wrapper executes the desired server program and goes away.
|
|
|
|
The wrapper programs have no interaction with the client user (or with
|
|
the client process). Nor do the wrappers interact with the server
|
|
application. This has two major advantages: 1) the wrappers are
|
|
application-independent, so that the same program can protect many
|
|
kinds of network services; 2) no interaction also means that the
|
|
wrappers are invisible from outside (at least for authorized users).
|
|
|
|
Another important property is that the wrapper programs are active only
|
|
when the initial contact between client and server is established. Once
|
|
a wrapper has done its work there is no overhead on the client-server
|
|
conversation.
|
|
|
|
The simple mechanism has one major drawback: the wrappers go away after
|
|
the initial contact between client and server processes, so the
|
|
wrappers are of little use with network daemons that service more than
|
|
one client. The wrappers would only see the first client attempt to
|
|
contact such a server. The NFS mount daemon is a typical example of a
|
|
daemon that services requests from multiple clients. See the section on
|
|
related software for ways to deal with such server programs.
|
|
|
|
There are two ways to use the wrapper programs:
|
|
|
|
1) The easy way: move network daemons to some other directory and fill
|
|
the resulting holes with copies of the wrapper programs. This
|
|
approach involves no changes to system configuration files, so there
|
|
is very little risk of breaking things.
|
|
|
|
2) The advanced way: leave the network daemons alone and modify the
|
|
inetd configuration file. For example, an entry such as:
|
|
|
|
tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
|
|
|
|
When a tftp request arrives, inetd will run the wrapper program
|
|
(tcpd) with a process name `in.tftpd'. This is the name that the
|
|
wrapper will use when logging the request and when scanning the
|
|
optional access control tables. `in.tftpd' is also the name of the
|
|
server program that the wrapper will attempt to run when all is
|
|
well. Any arguments (`-s /tftpboot' in this particular example) are
|
|
transparently passed on to the server program.
|
|
|
|
For an account of the history of the wrapper programs, with real-life
|
|
examples, see the section below on related documents.
|
|
|
|
3.2 - Where the logging information goes
|
|
----------------------------------------
|
|
|
|
The wrapper programs send their logging information to the syslog
|
|
daemon (syslogd). The disposition of the wrapper logs is determined by
|
|
the syslog configuration file (usually /etc/syslog.conf). Messages are
|
|
written to files, to the console, or are forwarded to a @loghost. Some
|
|
syslogd versions can even forward messages down a |pipeline.
|
|
|
|
Older syslog implementations (still found on Ultrix systems) only
|
|
support priority levels ranging from 9 (debug-level messages) to 0
|
|
(alerts). All logging information of the specified priority level or
|
|
more urgent is written to the same destination. In the syslog.conf
|
|
file, priority levels are specified in numerical form. For example,
|
|
|
|
8/usr/spool/mqueue/syslog
|
|
|
|
causes all messages with priority 8 (informational messages), and
|
|
anything that is more urgent, to be appended to the file
|
|
/usr/spool/mqueue/syslog.
|
|
|
|
Newer syslog implementations support message classes in addition to
|
|
priority levels. Examples of message classes are: mail, daemon, auth
|
|
and news. In the syslog.conf file, priority levels are specified with
|
|
symbolic names: debug, info, notice, ..., emerg. For example,
|
|
|
|
mail.debug /var/log/syslog
|
|
|
|
causes all messages of class mail with priority debug (or more urgent)
|
|
to be appended to the /var/log/syslog file.
|
|
|
|
By default, the wrapper logs go to the same place as the transaction
|
|
logs of the sendmail daemon. The disposition can be changed by editing
|
|
the Makefile and/or the syslog.conf file. Send a `kill -HUP' to the
|
|
syslogd after changing its configuration file. Remember that syslogd,
|
|
just like sendmail, insists on one or more TABs between the left-hand
|
|
side and the right-hand side expressions in its configuration file.
|
|
|
|
Solaris 2.x note: the syslog daemon depends on the m4 macro processor.
|
|
The m4 program is installed as part of the software developer packages.
|
|
|
|
Trouble shooting note: when the syslogging does not work as expected,
|
|
run the program by hand (`syslogd -d') and see what really happens.
|
|
|
|
4 - Features
|
|
------------
|
|
|
|
4.1 - Access control
|
|
--------------------
|
|
|
|
When compiled with -DHOSTS_ACCESS, the wrapper programs support a
|
|
simple form of access control. Access can be controlled per host, per
|
|
service, or combinations thereof. The software provides hooks for the
|
|
execution of shell commands when an access control rule fires; this
|
|
feature may be used to install "booby traps". For details, see the
|
|
hosts_access.5 manual page, which is in `nroff -man' format. A later
|
|
section describes how you can test your access control rules.
|
|
|
|
Access control can also be used to connect clients to the "right"
|
|
service. What is right may depend on the requested service, the origin
|
|
of the request, and what host address the client connects to. Examples:
|
|
|
|
(1) A gopher or www database speaks native language when contacted from
|
|
within the country, otherwise it speaks English.
|
|
|
|
(2) A service provider offers different ftp, gopher or www services
|
|
with different internet hostnames from one host (section 4.6).
|
|
|
|
Access control is enabled by default. It can be turned off by editing
|
|
the Makefile, or by providing no access control tables. The install
|
|
instructions below describe the Makefile editing process.
|
|
|
|
The hosts_options.5 manual page (`nroff -man' format) documents an
|
|
extended version of the access control language. The extensions are
|
|
disabled by default. See the section below on language extensions.
|
|
|
|
Later System V implementations provide the Transport Level Interface
|
|
(TLI), a network programming interface that performs functions similar
|
|
to the Berkeley socket programming interface. Like Berkeley sockets,
|
|
TLI was designed to cover multiple protocols, not just Internet.
|
|
|
|
When the wrapper discovers that the TLI interface sits on top of a
|
|
TCP/IP or UDP/IP conversation it uses this knowledge to provide the
|
|
same functions as with traditional socket-based applications. When
|
|
some other protocol is used underneath TLI, the host address will be
|
|
some universal magic cookie that may not even be usable for access
|
|
control purposes.
|
|
|
|
4.2 - Host name spoofing
|
|
------------------------
|
|
|
|
With some network applications, such as RSH or RLOGIN, the client host
|
|
name plays an important role in the authentication process. Host name
|
|
information can be reliable when lookups are done from a _local_ hosts
|
|
table, provided that the client IP address can be trusted.
|
|
|
|
With _distributed_ name services, authentication schemes that rely on
|
|
host names become more problematic. The security of your system now may
|
|
depend on some far-away DNS (domain name server) outside your own
|
|
control.
|
|
|
|
The wrapper programs verify the client host name that is returned by
|
|
the address->name DNS server, by asking for a second opinion. To this
|
|
end, the programs look at the name and addresses that are returned by
|
|
the name->address DNS server, which may be an entirely different host.
|
|
|
|
If any name or address discrepancies are found, or if the second DNS
|
|
opinion is not available, the wrappers assume that one of the two name
|
|
servers is lying, and assume that the client host pretends to have
|
|
someone elses host name.
|
|
|
|
When compiled with -DPARANOID, the wrappers will always attempt to look
|
|
up and double check the client host name, and will always refuse
|
|
service in case of a host name/address discrepancy. This is a
|
|
reasonable policy for most systems.
|
|
|
|
When compiled without -DPARANOID, the wrappers by default still perform
|
|
hostname lookup. You can match hosts with a name/address discrepancy
|
|
with the PARANOID wildcard and decide whether or not to grant service.
|
|
|
|
Automatic hostname verification is enabled by default. Automatic
|
|
hostname lookups and verification can be turned off by editing the
|
|
Makefile. The configuration and installation section below describes
|
|
the Makefile editing process.
|
|
|
|
4.3 - Host address spoofing
|
|
---------------------------
|
|
|
|
While host name spoofing can be found out by asking a second opinion,
|
|
it is much harder to find out that a host claims to have someone elses
|
|
network address. And since host names are deduced from network
|
|
addresses, address spoofing is at least as effective as name spoofing.
|
|
|
|
The wrapper programs can give additional protection against hosts that
|
|
claim to have an address that lies outside their own network. For
|
|
example, some far-away host that claims to be a trusted host within
|
|
your own network. Such things are possible even while the impersonated
|
|
system is up and running.
|
|
|
|
This additional protection is not an invention of my own; it has been
|
|
present for at least five years in the BSD rsh and rlogin daemons.
|
|
Unfortunately, that feature was added *after* 4.3 BSD came out, so that
|
|
very few, if any, UNIX vendors have adopted it. Our site, and many
|
|
other ones, has been running these enhanced daemons for several years,
|
|
and without any ill effects.
|
|
|
|
When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
|
|
programs refuse to service TCP connections with IP source routing
|
|
options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
|
|
that can stop source-routed traffic in the kernel. Examples are
|
|
4.4BSD derivatives, Solaris 2.x, and Linux. See your system manuals
|
|
for details.
|
|
|
|
If you are going to use this feature on SunOS 4.1.x you should apply
|
|
patch 100804-03+ or 101790-something depending on your SunOS version.
|
|
Otherwise you may experience "BAD TRAP" and "Data fault" panics when
|
|
the getsockopt() system call is executed after a TCP RESET has been
|
|
received. This is a kernel bug, it is not the fault of the wrappers.
|
|
|
|
The feature is disabled by default. It can be turned on by editing the
|
|
Makefile. The configuration and installation section below describes
|
|
the Makefile editing process.
|
|
|
|
UDP services do not benefit from this additional protection. With UDP,
|
|
all you can be certain of is the network packet's destination address.
|
|
|
|
4.4 - Client username lookups
|
|
-----------------------------
|
|
|
|
The protocol proposed in RFC 931 provides a means to obtain the client
|
|
user name from the client host. The requirement is that the client
|
|
host runs an RFC 931-compliant daemon. The information provided by such
|
|
a daemon is not intended to be used for authentication purposes, but it
|
|
can provide additional information about the owner of a TCP connection.
|
|
|
|
The RFC 931 protocol has diverged into different directions (IDENT,
|
|
TAP, RFC 1413). To add to the confusion, they all use the same network
|
|
port. The daemon wrappers implement a common subset of the protocols.
|
|
|
|
There are some limitations: the number of hosts that run an RFC 931 (or
|
|
compatible) daemon is limited (but growing); client user name lookups
|
|
do not work for datagram (UDP) services. More seriously, client user
|
|
name lookups can cause noticeable delays with connections from non-UNIX
|
|
PCs. Recent PC software seem to have fixed this (for example NCSA
|
|
telnet). The wrappers use a 10-second timeout for RFC931 lookups, to
|
|
accommodate slow networks and slow hosts.
|
|
|
|
By default, the wrappers will do username lookup only when the access
|
|
control rules require them to do so (via user@host client patterns, see
|
|
the hosts_access.5 manual page) or when the username is needed for
|
|
%<letter> expansions.
|
|
|
|
You can configure the wrappers to always perform client username
|
|
lookups, by editing the Makefile. The client username lookup timeout
|
|
period (10 seconds default) can be changed by editing the Makefile. The
|
|
installation sections below describe the Makefile editing process.
|
|
|
|
On System V with TLI-based network services, client username lookups
|
|
will be possible only when the underlying network protocol is TCP/IP.
|
|
|
|
4.5 - Language extensions
|
|
-------------------------
|
|
|
|
The wrappers sport only a limited number of features. This is for a
|
|
good reason: programs that run at high privilege levels must be easy to
|
|
verify. And the smaller a program, the easier to verify. There is,
|
|
however, a provision to add features.
|
|
|
|
The options.c module provides a framework for language extensions.
|
|
Quite a few extensions have already been implemented; they are
|
|
documented in the hosts_options.5 document, which is in `nroff -man'
|
|
format. Examples: changing the severity level at which a request for
|
|
service is logged; "allow" and "deny" keywords; running a customized
|
|
server instead of the standard one; many others.
|
|
|
|
The language extensions are not enabled by default because they
|
|
introduce an incompatible change to the access control language
|
|
syntax. Instructions to enable the extensions are given in the
|
|
Makefile.
|
|
|
|
4.6 - Multiple ftp/gopher/www archives on one host
|
|
--------------------------------------------------
|
|
|
|
Imagine one host with multiple internet addresses. These addresses do
|
|
not need to have the same internet hostname. Thus, it is possible to
|
|
offer services with different internet hostnames from just one host.
|
|
|
|
Service providers can use this to offer organizations a presence on the
|
|
"net" with their own internet hostname, even when those organizations
|
|
aren't connected to the Internet at all. To the end user it makes no
|
|
difference, because applications use internet hostnames.
|
|
|
|
There are several ways to assign multiple addresses to one machine.
|
|
The nice way is to take an existing network interface and to assign
|
|
additional internet addresses with the `ifconfig' command. Examples:
|
|
|
|
Solaris 2: ifconfig le0:1 <address> netmask <mask> up
|
|
4.4 BSD: ifconfig en0 alias <address> netmask <mask>
|
|
|
|
On other systems one has to increase the number of network interfaces:
|
|
either with hardware interfaces, or with pseudo interfaces like SLIP or
|
|
PPP. The interfaces do not need to be attached to anything. They just
|
|
need to be up and to be assigned a suitable internet address and mask.
|
|
|
|
With the wrapper software, `daemon@host' access control patterns can be
|
|
used to distinguish requests by the network address that they are aimed
|
|
at. Judicious use of the `twist' option (see the hosts_options.5 file,
|
|
`nroff -man' format) can guide the requests to the right server. These
|
|
can be servers that live in separate chroot areas, or servers modified
|
|
to take additional context from the command line, or a combination.
|
|
|
|
Another way is to modify gopher or www listeners so that they bind to
|
|
only one specific network address. Multiple gopher or www servers can
|
|
then be run side by side, each taking requests sent to its respective
|
|
network address.
|
|
|
|
4.7 - Banner messages
|
|
---------------------
|
|
|
|
Some sites are required to present an informational message to users
|
|
before they attempt to login. Banner messages can also be useful when
|
|
denying service: instead of simply dropping the connection a polite
|
|
explanation is given first. Finally, banners can be used to give your
|
|
system a more personal touch.
|
|
|
|
The wrapper software provides easy-to-use tools to generate pre-login
|
|
banners for ftp, telnet, rlogin etc. from a single prototype banner
|
|
textfile. Details on banners and on-the-fly %<letter> expansions are
|
|
given in the hosts_options.5 manual page (`nroff -man' format). An
|
|
example is given in the file Banners.Makefile.
|
|
|
|
In order to support banner messages the wrappers have to be built with
|
|
language extensions enabled. See the section on language extensions.
|
|
|
|
4.8 - Sequence number guessing
|
|
------------------------------
|
|
|
|
Recently, systems came under attack from intruders that exploited a
|
|
well-known weakness in TCP/IP sequence number generators. This
|
|
weakness allows intruders to impersonate trusted hosts. Break-ins have
|
|
been reported via the rsh service. In fact, any network service can be
|
|
exploited that trusts the client host name or address.
|
|
|
|
A long-term solution is to stop using network services that trust the
|
|
client host name or address, and to use data encryption instead.
|
|
|
|
A short-term solution, as outlined in in CERT advisory CA-95:01, is to
|
|
configure network routers so that they discard datagrams from "outside"
|
|
with an "inside" source address. This approach is most fruitful when
|
|
you do not trust any hosts outside your local network.
|
|
|
|
The IDENT (RFC931 etc.) client username lookup protocol can help to
|
|
detect host impersonation attacks. Before accepting a client request,
|
|
the wrappers can query the client's IDENT server and find out that the
|
|
client never sent that request.
|
|
|
|
When the client host provides IDENT service, a negative IDENT lookup
|
|
result (the client matches `UNKNOWN@host') is strong evidence of a host
|
|
impersonation attack.
|
|
|
|
A positive IDENT lookup result (the client matches `KNOWN@host') is
|
|
less trustworthy. It is possible for an attacker to spoof both the
|
|
client request and the IDENT lookup connection, although doing so
|
|
should be much harder than spoofing just a client request. Another
|
|
possibility is that the client's IDENT server is lying.
|
|
|
|
Client username lookups are described in more detail in a previous
|
|
section. Pointers to IDENT daemon software are described in the section
|
|
on related software.
|
|
|
|
5 - Other works
|
|
---------------
|
|
|
|
5.1 - Related documents
|
|
-----------------------
|
|
|
|
The war story behind the tcp wrapper tools is described in:
|
|
|
|
W.Z. Venema, "TCP WRAPPER, network monitoring, access control and
|
|
booby traps", UNIX Security Symposium III Proceedings (Baltimore),
|
|
September 1992.
|
|
|
|
ftp.win.tue.nl:/pub/security/tcp_wrapper.ps.Z (postscript)
|
|
ftp.win.tue.nl:/pub/security/tcp_wrapper.txt.Z (flat text)
|
|
|
|
The same cracker is also described in:
|
|
|
|
W.R. Cheswick, "An Evening with Berferd, In Which a Cracker is
|
|
Lured, Endured, and Studied", Proceedings of the Winter USENIX
|
|
Conference (San Francisco), January 1992.
|
|
|
|
research.att.com:/dist/internet_security/berferd.ps
|
|
|
|
An updated version of the latter paper appeared in:
|
|
|
|
W.R. Cheswick, S.M. Bellovin, "Firewalls and Internet Security",
|
|
Addison-Wesley, 1994.
|
|
|
|
Discussions on internet firewalls are archived on ftp.greatcircle.com.
|
|
Subscribe to the mailing list by sending a message to
|
|
|
|
majordomo@greatcircle.com
|
|
|
|
With in the body (not subject): subscribe firewalls.
|
|
|
|
5.2 - Related software
|
|
----------------------
|
|
|
|
Network daemons etc. with enhanced logging capabilities can generate
|
|
massive amounts of information: our 150+ workstations generate several
|
|
hundred kbytes each day. egrep-based filters can help to suppress some
|
|
of the noise. A more powerful tool is the Swatch monitoring system by
|
|
Stephen E. Hansen and E. Todd Atkins. Swatch can process log files in
|
|
real time and can associate arbitrary actions with patterns; its
|
|
applications are by no means restricted to security. Swatch is
|
|
available ftp.stanford.edu, directory /general/security-tools/swatch.
|
|
|
|
Socks, described in the UNIX Security III proceedings, can be used to
|
|
control network traffic from hosts on an internal network, through a
|
|
firewall host, to the outer world. Socks consists of a daemon that is
|
|
run on the firewall host, and of a library with routines that redirect
|
|
application socket calls through the firewall daemon. Socks is
|
|
available from s1.gov in /pub/firewalls/socks.tar.Z.
|
|
|
|
For a modified Socks version by Ying-Da Lee (ylee@syl.dl.nec.com) try
|
|
ftp.nec.com, directory /pub/security/socks.cstc.
|
|
|
|
Tcpr is a set of perl scripts by Paul Ziemba that enable you to run ftp
|
|
and telnet commands across a firewall. Unlike socks it can be used with
|
|
unmodified client software. Available from ftp.alantec.com, /pub/tcpr.
|
|
|
|
The TIS firewall toolkit provides a multitude of tools to build your
|
|
own internet firewall system. ftp.tis.com, directory /pub/firewalls.
|
|
|
|
Versions of rshd and rlogind, modified to report the client user name
|
|
in addition to the client host name, are available for anonymous ftp
|
|
(ftp.win.tue.nl:/pub/security/logdaemon-XX.tar.Z). These programs are
|
|
drop-in replacements for SunOS 4.x, Ultrix 4.x, SunOS 5.x and HP-UX
|
|
9.x. This archive also contains ftpd/rexecd/login versions that support
|
|
S/Key or SecureNet one-time passwords in addition to traditional UNIX
|
|
reusable passwords.
|
|
|
|
The securelib shared library by William LeFebvre can be used to control
|
|
access to network daemons that are not run under control of the inetd
|
|
or that serve more than one client, such as the NFS mount daemon that
|
|
runs until the machine goes down. Available from eecs.nwu.edu, file
|
|
/pub/securelib.tar.
|
|
|
|
xinetd (posted to comp.sources.unix) is an inetd replacement that
|
|
provides, among others, logging, username lookup and access control.
|
|
However, it does not support the System V TLI services, and involves
|
|
much more source code than the daemon wrapper programs. Available
|
|
from ftp.uu.net, directory /usenet/comp.sources.unix.
|
|
|
|
netlog from Texas A&M relies on the SunOS 4.x /dev/nit interface to
|
|
passively watch all TCP and UDP network traffic on a network. The
|
|
current version is on net.tamu.edu in /pub/security/TAMU.
|
|
|
|
Where shared libraries or router-based packet filtering are not an
|
|
option, an alternative portmap daemon can help to prevent hackers
|
|
from mounting your NFS file systems using the proxy RPC facility.
|
|
ftp.win.tue.nl:/pub/security/portmap-X.shar.Z was tested with SunOS
|
|
4.1.X Ultrix 3.0 and Ultrix 4.x, HP-UX 8.x and some version of AIX. The
|
|
protection is less effective than that of the securelib library because
|
|
portmap is mostly a dictionary service.
|
|
|
|
An rpcbind replacement (the Solaris 2.x moral equivalent of portmap)
|
|
can be found on ftp.win.tue.nl in /pub/security. It prevents hackers
|
|
from mounting your NFS file systems by using the proxy RPC facility.
|
|
|
|
Source for a portable RFC 931 (TAP, IDENT, RFC 1413) daemon by Peter
|
|
Eriksson is available from ftp.lysator.liu.se:/pub/ident/servers.
|
|
|
|
Some TCP/IP implementations come without syslog library. Some come with
|
|
the library but have no syslog daemon. A replacement can be found in
|
|
ftp.win.tue.nl:/pub/security/surrogate-syslog.tar.Z. The fakesyslog
|
|
library that comes with the nntp sources reportedly works well, too.
|
|
|
|
6 - Limitations
|
|
---------------
|
|
|
|
6.1 - Known wrapper limitations
|
|
-------------------------------
|
|
|
|
Many UDP (and rpc/udp) daemons linger around for a while after they
|
|
have serviced a request, just in case another request comes in. In the
|
|
inetd configuration file these daemons are registered with the `wait'
|
|
option. Only the request that started such a daemon will be seen by the
|
|
wrappers. Such daemons are better protected with the securelib shared
|
|
library (see: Related software).
|
|
|
|
The wrappers do not work with RPC services over TCP. These services are
|
|
registered as rpc/tcp in the inetd configuration file. The only non-
|
|
trivial service that is affected by this limitation is rexd, which is
|
|
used by the on(1) command. This is no great loss. On most systems,
|
|
rexd is less secure than a wildcard in /etc/hosts.equiv.
|
|
|
|
Some RPC requests (for example: rwall, rup, rusers) appear to come from
|
|
the server host. What happens is that the client broadcasts its request
|
|
to all portmap daemons on its network; each portmap daemon forwards the
|
|
request to a daemon on its own system. As far as the rwall etc. daemons
|
|
know, the request comes from the local host.
|
|
|
|
Portmap and RPC (e.g. NIS and NFS) (in)security is a topic in itself.
|
|
See the section in this document on related software.
|
|
|
|
6.2 - Known system software bugs
|
|
--------------------------------
|
|
|
|
Workarounds have been implemented for several bugs in system software.
|
|
They are described in the Makefile. Unfortunately, some system software
|
|
bugs cannot be worked around. The result is loss of functionality.
|
|
|
|
IRIX has so many bugs that it has its own README.IRIX file.
|
|
|
|
Older ConvexOS versions come with a broken recvfrom(2) implementation.
|
|
This makes it impossible for the daemon wrappers to look up the
|
|
client host address (and hence, the name) in case of UDP requests.
|
|
A patch is available for ConvexOS 10.1; later releases should be OK.
|
|
|
|
With early Solaris (SunOS 5) versions, the syslog daemon will leave
|
|
behind zombie processes when writing to logged-in users. Workaround:
|
|
increase the syslogd threshold for logging to users, or reduce the
|
|
wrapper's logging severity.
|
|
|
|
On some systems, the optional RFC 931 etc. client username lookups may
|
|
trigger a kernel bug. When a client host connects to your system, and
|
|
the RFC 931 connection from your system to that client is rejected by a
|
|
router, your kernel may drop all connections with that client. This is
|
|
not a bug in the wrapper programs: complain to your vendor, and don't
|
|
enable client user name lookups until the bug has been fixed.
|
|
|
|
Reportedly, SunOS 4.1.1, Next 2.0a, ISC 3.0 with TCP 1.3, and AIX 3.2.2
|
|
and later are OK.
|
|
|
|
Sony News/OS 4.51, HP-UX 8-something and Ultrix 4.3 still have the bug.
|
|
Reportedly, a fix for Ultrix is available (CXO-8919).
|
|
|
|
The following procedure can be used (from outside the tue.nl domain) to
|
|
find out if your kernel has the bug. From the system under test, do:
|
|
|
|
% ftp 131.155.70.19
|
|
|
|
This command attempts to make an ftp connection to our anonymous ftp
|
|
server (ftp.win.tue.nl). When the connection has been established, run
|
|
the following command from the same system under test, while keeping
|
|
the ftp connection open:
|
|
|
|
% telnet 131.155.70.19 111
|
|
|
|
Do not forget the `111' at the end of the command. This telnet command
|
|
attempts to connect to our portmap process. The telnet command should
|
|
fail with: "host not reachable", or with a timeout error. If your ftp
|
|
connection gets messed up, you have the bug. If the telnet command does
|
|
not fail, please let me know a.s.a.p.!
|
|
|
|
For those who care, the bug is that the BSD kernel code was not careful
|
|
enough with incoming ICMP UNREACHABLE control messages (it ignored the
|
|
local and remote port numbers, and therefore zapped *all* connections
|
|
with the remote system). The bug is still present in the BSD NET/1
|
|
source release (1989) but apparently has been fixed in BSD NET/2 (1991).
|
|
|
|
7 - Configuration and installation
|
|
----------------------------------
|
|
|
|
7.1 - Easy configuration and installation
|
|
-----------------------------------------
|
|
|
|
The "easy" recipe requires no changes to existing software or
|
|
configuration files. Basically, you move the daemons that you want to
|
|
protect to a different directory and plug the resulting holes with
|
|
copies of the wrapper programs.
|
|
|
|
If you don't run Ultrix, you won't need the miscd wrapper program. The
|
|
miscd daemon implements among others the SYSTAT service, which produces
|
|
the same output as the WHO command.
|
|
|
|
Type `make' and follow the instructions. The Makefile comes with
|
|
ready-to-use templates for many common UNIX implementations (sun,
|
|
ultrix, hp-ux, aix, irix,...).
|
|
|
|
IRIX has so many bugs that it has its own README.IRIX file.
|
|
|
|
When the `make' succeeds the result is five executables (six in case of
|
|
Ultrix).
|
|
|
|
You can use the `tcpdchk' program to identify the most common problems
|
|
in your wrapper and inetd configuration files.
|
|
|
|
With the `tcpdmatch' program you can examine how the wrapper would
|
|
react to specific requests for service.
|
|
|
|
The `safe_finger' command should be used when you implement booby
|
|
traps: it gives better protection against nasty stuff that remote
|
|
hosts may do in response to your finger probes.
|
|
|
|
The `try-from' program tests the host and username lookup code. Run it
|
|
from a remote shell command (`rsh host /some/where/try-from') and it
|
|
should be able to figure out from what system it is being called.
|
|
|
|
The tcpd program can be used to monitor the telnet, finger, ftp, exec,
|
|
rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
|
|
a one-to-one mapping onto executable files.
|
|
|
|
The tcpd program can also be used for services that are marked as
|
|
rpc/udp in the inetd configuration file, but not for rpc/tcp services
|
|
such as rexd. You probably do not want to run rexd anyway. On most
|
|
systems it is even less secure than a wildcard in /etc/hosts.equiv.
|
|
|
|
With System V.4-style systems, the tcpd program can also handle TLI
|
|
services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
|
|
the same functions as with socket-based applications. When some other
|
|
protocol is used underneath TLI, functionality will be limited (no
|
|
client username lookups, weird network address formats).
|
|
|
|
Decide which services you want to monitor. Move the corresponding
|
|
vendor-provided daemon programs to the location specified by the
|
|
REAL_DAEMON_DIR constant in the Makefile, and fill the holes with
|
|
copies of the tcpd program. That is, one copy of (or link to) the tcpd
|
|
program for each service that you want to monitor. For example, to
|
|
monitor the use of your finger service:
|
|
|
|
# mkdir REAL_DAEMON_DIR
|
|
# mv /usr/etc/in.fingerd REAL_DAEMON_DIR
|
|
# cp tcpd /usr/etc/in.fingerd
|
|
|
|
The example applies to SunOS 4. With other UNIX implementations the
|
|
network daemons live in /usr/libexec, /usr/sbin or in /etc, or have no
|
|
"in." prefix to their names, but you get the idea.
|
|
|
|
File protections: the wrapper, all files used by the wrapper, and all
|
|
directories in the path leading to those files, should be accessible
|
|
but not writable for unprivileged users (mode 755 or mode 555). Do not
|
|
install the wrapper set-uid.
|
|
|
|
Ultrix only: If you want to monitor the SYSTAT service, move the
|
|
vendor-provided miscd daemon to the location specified by the
|
|
REAL_DAEMON_DIR macro in the Makefile, and install the miscd wrapper
|
|
at the original miscd location.
|
|
|
|
In the absence of any access-control tables, the daemon wrappers
|
|
will just maintain a record of network connections made to your system.
|
|
|
|
7.2 - Advanced configuration and installation
|
|
---------------------------------------------
|
|
|
|
The advanced recipe leaves your daemon executables alone, but involves
|
|
simple modifications to the inetd configuration file.
|
|
|
|
Type `make' and follow the instructions. The Makefile comes with
|
|
ready-to-use templates for many common UNIX implementations (sun,
|
|
ultrix, hp-ux, aix, irix, ...).
|
|
|
|
IRIX users should read the warnings in the README.IRIX file first.
|
|
|
|
When the `make' succeeds the result is five executables (six in case of
|
|
Ultrix).
|
|
|
|
You can use the `tcpdchk' program to identify the most common problems
|
|
in your wrapper and inetd configuration files.
|
|
|
|
With the `tcpdmatch' program you can examine how the wrapper would
|
|
react to specific requests for service.
|
|
|
|
The `try-from' program tests the host and username lookup code. Run it
|
|
from a remote shell command (`rsh host /some/where/try-from') and it
|
|
should be able to figure out from what system it is being called.
|
|
|
|
The `safe_finger' command should be used when you implement a booby
|
|
trap: it gives better protection against nasty stuff that remote hosts
|
|
may do in response to your finger probes.
|
|
|
|
The tcpd program can be used to monitor the telnet, finger, ftp, exec,
|
|
rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
|
|
a one-to-one mapping onto executable files.
|
|
|
|
With System V.4-style systems, the tcpd program can also handle TLI
|
|
services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
|
|
the same functions as with socket-based applications. When some other
|
|
protocol is used underneath TLI, functionality will be limited (no
|
|
client username lookups, weird network address formats).
|
|
|
|
The tcpd program can also be used for services that are marked as
|
|
rpc/udp in the inetd configuration file, but not for rpc/tcp services
|
|
such as rexd. You probably do not want to run rexd anyway. On most
|
|
systems it is even less secure than a wildcard in /etc/hosts.equiv.
|
|
|
|
Install the tcpd command in a suitable place. Apollo UNIX users will
|
|
want to install it under a different name because the name "tcpd" is
|
|
already taken; a suitable name would be "frontd".
|
|
|
|
File protections: the wrapper, all files used by the wrapper, and all
|
|
directories in the path leading to those files, should be accessible
|
|
but not writable for unprivileged users (mode 755 or mode 555). Do not
|
|
install the wrapper set-uid.
|
|
|
|
Then perform the following edits on the inetd configuration file
|
|
(usually /etc/inetd.conf or /etc/inet/inetd.conf):
|
|
|
|
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
|
|
^^^^^^^^^^^^^^^^^^^
|
|
becomes:
|
|
|
|
finger stream tcp nowait nobody /usr/etc/tcpd in.fingerd
|
|
^^^^^^^^^^^^^
|
|
Send a `kill -HUP' to the inetd process to make the change effective.
|
|
Some IRIX inetd implementations require that you first disable the
|
|
finger service (comment out the finger service and `kill -HUP' the
|
|
inetd) before you can turn on the modified version. Sending a HUP
|
|
twice seems to work just as well for IRIX 5.3, 6.0, 6.0.1 and 6.1.
|
|
|
|
AIX note: you may have to execute the `inetimp' command after changing
|
|
the inetd configuration file.
|
|
|
|
The example applies to SunOS 4. With other UNIX implementations the
|
|
network daemons live in /usr/libexec, /usr/sbin, or /etc, the network
|
|
daemons have no "in." prefix to their names, or the username field in
|
|
the inetd configuration file may be missing.
|
|
|
|
When the finger service works as expected you can perform similar
|
|
changes for other network services. Do not forget the `kill -HUP'.
|
|
|
|
The miscd daemon that comes with Ultrix implements several network
|
|
services. It decides what to do by looking at its process name. One of
|
|
the services is systat, which is a kind of limited finger service. If
|
|
you want to monitor the systat service, install the miscd wrapper in a
|
|
suitable place and update the inetd configuration file:
|
|
|
|
systat stream tcp nowait /suitable/place/miscd systatd
|
|
|
|
Ultrix 4.3 allows you to specify a user id under which the daemon will
|
|
be executed. This feature is not documented in the manual pages. Thus,
|
|
the example would become:
|
|
|
|
systat stream tcp nowait nobody /suitable/place/miscd systatd
|
|
|
|
Older Ultrix systems still run all their network daemons as root.
|
|
|
|
In the absence of any access-control tables, the daemon wrappers
|
|
will just maintain a record of network connections made to your system.
|
|
|
|
7.3 - Daemons with arbitrary path names
|
|
---------------------------------------
|
|
|
|
The above tcpd examples work fine with network daemons that live in a
|
|
common directory, but sometimes that is not practical. Having soft
|
|
links all over your file system is not a clean solution, either.
|
|
|
|
Instead you can specify, in the inetd configuration file, an absolute
|
|
path name for the daemon process name. For example,
|
|
|
|
ntalk dgram udp wait root /usr/etc/tcpd /usr/local/lib/ntalkd
|
|
|
|
When the daemon process name is an absolute path name, tcpd ignores the
|
|
value of the REAL_DAEMON_DIR constant, and uses the last path component
|
|
of the daemon process name for logging and for access control.
|
|
|
|
7.4 - Building and testing the access control rules
|
|
---------------------------------------------------
|
|
|
|
In order to support access control the wrappers must be compiled with
|
|
the -DHOSTS_ACCESS option. The access control policy is given in the
|
|
form of two tables (default: /etc/hosts.allow and /etc/hosts.deny).
|
|
Access control is disabled when there are no access control tables, or
|
|
when the tables are empty.
|
|
|
|
If you haven't used the wrappers before I recommend that you first run
|
|
them a couple of days without any access control restrictions. The
|
|
logfile records should give you an idea of the process names and of the
|
|
host names that you will have to build into your access control rules.
|
|
|
|
The syntax of the access control rules is documented in the file
|
|
hosts_access.5, which is in `nroff -man' format. This is a lengthy
|
|
document, and no-one expects you to read it right away from beginning
|
|
to end. Instead, after reading the introductory section, skip to the
|
|
examples at the end so that you get a general idea of the language.
|
|
Then you can appreciate the detailed reference sections near the
|
|
beginning of the document.
|
|
|
|
The examples in the hosts_access.5 document (`nroff -man' format) show
|
|
two specific types of access control policy: 1) mostly closed (only
|
|
permitting access from a limited number of systems) and 2) mostly open
|
|
(permitting access from everyone except a limited number of trouble
|
|
makers). You will have to choose what model suits your situation best.
|
|
Implementing a mixed policy should not be overly difficult either.
|
|
|
|
Optional extensions to the access control language are described in the
|
|
hosts_options.5 document (`nroff -man' format).
|
|
|
|
The `tcpdchk' program examines all rules in your access control files
|
|
and reports any problems it can find. `tcpdchk -v' writes to standard
|
|
output a pretty-printed list of all rules. `tcpdchk -d' examines the
|
|
hosts.access and hosts.allow files in the current directory. This
|
|
program is described in the tcpdchk.8 document (`nroff -man' format).
|
|
|
|
The `tcpdmatch' command can be used to try out your local access
|
|
control files. The command syntax is:
|
|
|
|
tcpdmatch process_name hostname (e.g.: tcpdmatch in.tftpd localhost)
|
|
|
|
tcpdmatch process_name address (e.g.: tcpdmatch in.tftpd 127.0.0.1)
|
|
|
|
This way you can simulate what decisions will be made, and what actions
|
|
will be taken, when hosts connect to your own system. The program is
|
|
described in the tcpdmatch.8 document (`nroff -man' format).
|
|
|
|
Note 1: `tcpdmatch -d' will look for hosts.{allow,deny} tables in the
|
|
current working directory. This is useful for testing new rules without
|
|
bothering your users.
|
|
|
|
Note 2: you cannot use the `tcpdmatch' command to simulate what happens
|
|
when the local system connects to other hosts.
|
|
|
|
In order to find out what process name to use, just use the service and
|
|
watch the process name that shows up in the logfile. Alternatively,
|
|
you can look up the name from the inetd configuration file. Coming back
|
|
to the tftp example in the tutorial section above:
|
|
|
|
tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
|
|
|
|
This entry causes the inetd to run the wrapper program (tcpd) with a
|
|
process name `in.tftpd'. This is the name that the wrapper will use
|
|
when scanning the access control tables. Therefore, `in.tftpd' is the
|
|
process name that should be given to the `tcpdmatch' command. On your
|
|
system the actual inetd.conf entry may differ (tftpd instead of
|
|
in.tftpd, and no `root' field), but you get the idea.
|
|
|
|
When you specify a host name, the `tcpdmatch' program will use both the
|
|
host name and address. This way you can simulate the most common case
|
|
where the wrappers know both the host address and the host name. The
|
|
`tcpdmatch' program will iterate over all addresses that it can find
|
|
for the given host name.
|
|
|
|
When you specify a host address instead of a host name, the `tcpdmatch'
|
|
program will pretend that the host name is unknown, so that you can
|
|
simulate what happens when the wrapper is unable to look up the client
|
|
host name.
|
|
|
|
7.5 - Other applications
|
|
------------------------
|
|
|
|
The access control routines can easily be integrated with other
|
|
programs. The hosts_access.3 manual page (`nroff -man' format)
|
|
describes the external interface of the libwrap.a library.
|
|
|
|
The tcpd program can even be used to control access to the mail
|
|
service. This can be useful when you suspect that someone is trying
|
|
out some obscure sendmail bug, or when a remote site is misconfigured
|
|
and keeps hammering your mail daemon.
|
|
|
|
In that case, sendmail should not be run as a stand-alone network
|
|
listener, but it should be registered in the inetd configuration file.
|
|
For example:
|
|
|
|
smtp stream tcp nowait root /usr/etc/tcpd /usr/lib/sendmail -bs
|
|
|
|
You will still need to run one sendmail background process to handle
|
|
queued-up outgoing mail. A command like:
|
|
|
|
/usr/lib/sendmail -q15m
|
|
|
|
(no `-bd' flag) should take care of that. You cannot really prevent
|
|
people from posting forged mail this way, because there are many
|
|
unprotected smtp daemons on the network.
|
|
|
|
8 - Acknowledgements
|
|
--------------------
|
|
|
|
Many people contributed to the evolution of the programs, by asking
|
|
inspiring questions, by suggesting features or bugfixes, or by
|
|
submitting source code. Nevertheless, all mistakes and bugs in the
|
|
wrappers are my own.
|
|
|
|
Thanks to Brendan Kehoe (cs.widener.edu), Heimir Sverrisson (hafro.is)
|
|
and Dan Bernstein (kramden.acf.nyu.edu) for feedback on an early
|
|
release of this product. The host name/address check was suggested by
|
|
John Kimball (src.honeywell.com). Apollo's UNIX environment has some
|
|
peculiar quirks: Willem-Jan Withagen (eb.ele.tue.nl), Pieter
|
|
Schoenmakers (es.ele.tue.nl) and Charles S. Fuller (wccs.psc.edu)
|
|
provided assistance. Hal R. Brand (addvax.llnl.gov) told me how to
|
|
get the client IP address in case of datagram-oriented services, and
|
|
suggested the optional shell command feature. Shabbir Safdar
|
|
(mentor.cc.purdue.edu) provided a first version of a much-needed manual
|
|
page. Granville Boman Goza, IV (sei.cmu.edu) suggested to use the
|
|
client IP address even when the host name is available. Casper H.S.
|
|
Dik (fwi.uva.nl) provided additional insight into DNS spoofing
|
|
techniques. The bogus daemon feature was inspired by code from Andrew
|
|
Macpherson (BNR Europe Ltd). Steve Bellovin (research.att.com)
|
|
confirmed some of my suspicions about the darker sides of TCP/IP
|
|
insecurity. Risks of automated fingers were pointed out by Borja Marcos
|
|
(we.lc.ehu.es). Brad Plecs (jhuspo.ca.jhu.edu) was kind enough to try
|
|
my early TLI code and to work out how DG/UX differs from Solaris.
|
|
|
|
John P. Rouillard (cs.umb.edu) deserves special mention for his
|
|
persistent, but constructive, nagging about wrong or missing things,
|
|
and for trying out and discussing embryonic code or ideas.
|
|
|
|
Last but not least, Howard Chu (hanauma.jpl.nasa.gov), Darren Reed
|
|
(coombs.anu.edu.au), Icarus Sparry (gdr.bath.ac.uk), Scott Schwartz
|
|
(cs.psu.edu), John A. Kunze (violet.berkeley.edu), Daniel Len Schales
|
|
(engr.latech.edu), Chris Turbeville (cse.uta.edu), Paul Kranenburg
|
|
(cs.few.eur.nl), Marc Boucher (cam.org), Dave Mitchell
|
|
(dcs.shef.ac.uk), Andrew Maffei, Adrian van Bloois, Rop Gonggrijp, John
|
|
C. Wingenbach, Everett F. Batey and many, many others provided fixes,
|
|
code fragments, or ideas for improvements.
|
|
|
|
Wietse Venema (wietse@wzv.win.tue.nl)
|
|
Department of Mathematics and Computing Science
|
|
Eindhoven University of Technology
|
|
P.O. Box 513
|
|
5600 MB Eindhoven
|
|
The Netherlands
|
|
|
|
Currently visiting IBM T.J. Watson Research, Hawthorne NY, USA.
|