Lines Matching +full:one +full:- +full:to +full:- +full:many
9 file gives a complete account of differences with respect to previous
12 Announcements of new releases of this software are posted to Usenet
13 (comp.security.unix, comp.unix.admin), to the cert-tools mailing list,
14 and to a dedicated mailing list. You can subscribe to the dedicated
15 mailing list by sending an email message to majordomo@wzv.win.tue.nl
16 with, in the body (not the subject): subscribe tcp-wrappers-announce.
19 -----------------
21 1 - Introduction
22 2 - Disclaimer
23 3 - Tutorials
24 3.1 - How it works
25 3.2 - Where the logging information goes
26 4 - Features
27 4.1 - Access control
28 4.2 - Host name spoofing
29 4.3 - Host address spoofing
30 4.4 - Client username lookups
31 4.5 - Language extensions
32 4.6 - Multiple ftp/gopher/www archives on one host
33 4.7 - Banner messages
34 4.8 - Sequence number guessing
35 5 - Other works
36 5.1 - Related documents
37 5.2 - Related software
38 6 - Limitations
39 6.1 - Known wrapper limitations
40 6.2 - Known system software bugs
41 7 - Configuration and installation
42 7.1 - Easy configuration and installation
43 7.2 - Advanced configuration and installation
44 7.3 - Daemons with arbitrary path names
45 7.4 - Building and testing the access control rules
46 7.5 - Other applications
47 8 - Acknowledgements
49 1 - Introduction
50 ----------------
56 It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise
60 without any changes to existing software or to existing configuration
66 Optional features are: access control to restrict what systems can
67 connect to what network daemons; client user name lookups with the RFC
68 931 etc. protocol; additional protection against hosts that pretend to
70 pretend to have someone else's host address.
72 The programs are very portable. Build procedures are provided for many
77 such as the inetd; a 4.3BSD-style socket programming interface and/or
78 System V.4-style TLI programming interface; and the availability of a
84 What to do if this is your first encounter with the wrapper programs:
85 1) read the tutorial sections for an introduction to the relevant
89 settings. Run the wrappers for a few days to become familiar with
93 2 - Disclaimer
94 --------------
98 not 100 percent reliable, although the wrappers do their best to expose
105 THIS RESTRICTION IS BY NO MEANS SPECIFIC TO THE TCP/IP PROTOCOLS.
107 3 - Tutorials
108 -------------
110 The tutorial sections give a gentle introduction to the operation of
115 3.1 - How it works
116 ------------------
118 Almost every application of the TCP/IP protocols is based on a client-
119 server model. For example, when a user invokes the telnet command to
120 connect to one of your systems, a telnet server process is executed on
121 the target host. The telnet server process connects the user to a login
126 --------------------------------
131 The usual approach is to run one single daemon process that waits for
134 server program and goes back to sleep, waiting for other connections.
145 application-independent, so that the same program can protect many
151 a wrapper has done its work there is no overhead on the client-server
154 The simple mechanism has one major drawback: the wrappers go away after
157 one client. The wrappers would only see the first client attempt to
160 related software for ways to deal with such server programs.
162 There are two ways to use the wrapper programs:
164 1) The easy way: move network daemons to some other directory and fill
166 approach involves no changes to system configuration files, so there
172 tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
178 server program that the wrapper will attempt to run when all is
179 well. Any arguments (`-s /tftpboot' in this particular example) are
180 transparently passed on to the server program.
182 For an account of the history of the wrapper programs, with real-life
185 3.2 - Where the logging information goes
186 ----------------------------------------
188 The wrapper programs send their logging information to the syslog
191 written to files, to the console, or are forwarded to a @loghost. Some
195 support priority levels ranging from 9 (debug-level messages) to 0
197 more urgent is written to the same destination. In the syslog.conf
203 anything that is more urgent, to be appended to the file
206 Newer syslog implementations support message classes in addition to
214 to be appended to the /var/log/syslog file.
216 By default, the wrapper logs go to the same place as the transaction
218 the Makefile and/or the syslog.conf file. Send a `kill -HUP' to the
220 just like sendmail, insists on one or more TABs between the left-hand
221 side and the right-hand side expressions in its configuration file.
227 run the program by hand (`syslogd -d') and see what really happens.
229 4 - Features
230 ------------
232 4.1 - Access control
233 --------------------
235 When compiled with -DHOSTS_ACCESS, the wrapper programs support a
239 feature may be used to install "booby traps". For details, see the
240 hosts_access.5 manual page, which is in `nroff -man' format. A later
243 Access control can also be used to connect clients to the "right"
245 of the request, and what host address the client connects to. Examples:
251 with different internet hostnames from one host (section 4.6).
257 The hosts_options.5 manual page (`nroff -man' format) documents an
263 to the Berkeley socket programming interface. Like Berkeley sockets,
264 TLI was designed to cover multiple protocols, not just Internet.
267 TCP/IP or UDP/IP conversation it uses this knowledge to provide the
268 same functions as with traditional socket-based applications. When
273 4.2 - Host name spoofing
274 ------------------------
283 depend on some far-away DNS (domain name server) outside your own
287 the address->name DNS server, by asking for a second opinion. To this
289 the name->address DNS server, which may be an entirely different host.
292 opinion is not available, the wrappers assume that one of the two name
293 servers is lying, and assume that the client host pretends to have
296 When compiled with -DPARANOID, the wrappers will always attempt to look
301 When compiled without -DPARANOID, the wrappers by default still perform
303 with the PARANOID wildcard and decide whether or not to grant service.
310 4.3 - Host address spoofing
311 ---------------------------
314 it is much harder to find out that a host claims to have someone else's
319 claim to have an address that lies outside their own network. For
320 example, some far-away host that claims to be a trusted host within
327 very few, if any, UNIX vendors have adopted it. Our site, and many
331 When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
332 programs refuse to service TCP connections with IP source routing
333 options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
334 that can stop source-routed traffic in the kernel. Examples are
338 If you are going to use this feature on SunOS 4.1.x you should apply
339 patch 100804-03+ or 101790-something depending on your SunOS version.
351 4.4 - Client username lookups
352 -----------------------------
354 The protocol proposed in RFC 931 provides a means to obtain the client
356 host runs an RFC 931-compliant daemon. The information provided by such
357 a daemon is not intended to be used for authentication purposes, but it
361 TAP, RFC 1413). To add to the confusion, they all use the same network
367 name lookups can cause noticeable delays with connections from non-UNIX
368 PCs. Recent PC software seems to have fixed this (for example NCSA
369 telnet). The wrappers use a 10-second timeout for RFC931 lookups, to
373 control rules require them to do so (via user@host client patterns, see
377 You can configure the wrappers to always perform client username
382 On System V with TLI-based network services, client username lookups
385 4.5 - Language extensions
386 -------------------------
389 good reason: programs that run at high privilege levels must be easy to
390 verify. And the smaller a program, the easier to verify. There is,
391 however, a provision to add features.
395 documented in the hosts_options.5 document, which is in `nroff -man'
398 server instead of the standard one; many others.
401 introduce an incompatible change to the access control language
402 syntax. Instructions to enable the extensions are given in the
405 4.6 - Multiple ftp/gopher/www archives on one host
406 --------------------------------------------------
408 Imagine one host with multiple internet addresses. These addresses do
409 not need to have the same internet hostname. Thus, it is possible to
410 offer services with different internet hostnames from just one host.
412 Service providers can use this to offer organizations a presence on the
414 aren't connected to the Internet at all. To the end user it makes no
417 There are several ways to assign multiple addresses to one machine.
418 The nice way is to take an existing network interface and to assign
424 On other systems one has to increase the number of network interfaces:
426 PPP. The interfaces do not need to be attached to anything. They just
427 need to be up and to be assigned a suitable internet address and mask.
430 used to distinguish requests by the network address that they are aimed
432 `nroff -man' format) can guide the requests to the right server. These
434 to take additional context from the command line, or a combination.
436 Another way is to modify gopher or www listeners so that they bind to
437 only one specific network address. Multiple gopher or www servers can
438 then be run side by side, each taking requests sent to its respective
441 4.7 - Banner messages
442 ---------------------
444 Some sites are required to present an informational message to users
445 before they attempt to login. Banner messages can also be useful when
447 explanation is given first. Finally, banners can be used to give your
450 The wrapper software provides easy-to-use tools to generate pre-login
452 textfile. Details on banners and on-the-fly %<letter> expansions are
453 given in the hosts_options.5 manual page (`nroff -man' format). An
456 In order to support banner messages the wrappers have to be built with
459 4.8 - Sequence number guessing
460 ------------------------------
463 well-known weakness in TCP/IP sequence number generators. This
464 weakness allows intruders to impersonate trusted hosts. Break-ins have
468 A long-term solution is to stop using network services that trust the
469 client host name or address, and to use data encryption instead.
471 A short-term solution, as outlined in CERT advisory CA-95:01, is to
476 The IDENT (RFC931 etc.) client username lookup protocol can help to
486 less trustworthy. It is possible for an attacker to spoof both the
492 section. Pointers to IDENT daemon software are described in the section
495 5 - Other works
496 ---------------
498 5.1 - Related documents
499 -----------------------
521 Addison-Wesley, 1994.
524 Subscribe to the mailing list by sending a message to
530 5.2 - Related software
531 ----------------------
535 hundred kbytes each day. egrep-based filters can help to suppress some
539 applications are by no means restricted to security. Swatch is
540 available from ftp.stanford.edu, directory /general/security-tools/swatch.
542 Socks, described in the UNIX Security III proceedings, can be used to
544 firewall host, to the outer world. Socks consists of a daemon that is
549 For a modified Socks version by Ying-Da Lee (ylee@syl.dl.nec.com) try
552 Tcpr is a set of perl scripts by Paul Ziemba that enable you to run ftp
556 The TIS firewall toolkit provides a multitude of tools to build your
559 Versions of rshd and rlogind, modified to report the client user name
560 in addition to the client host name, are available for anonymous ftp
561 (ftp.win.tue.nl:/pub/security/logdaemon-XX.tar.Z). These programs are
562 drop-in replacements for SunOS 4.x, Ultrix 4.x, SunOS 5.x and HP-UX
564 S/Key or SecureNet one-time passwords in addition to traditional UNIX
567 The securelib shared library by William LeFebvre can be used to control
568 access to network daemons that are not run under control of the inetd
569 or that serve more than one client, such as the NFS mount daemon that
573 xinetd (posted to comp.sources.unix) is an inetd replacement that
579 netlog from Texas A&M relies on the SunOS 4.x /dev/nit interface to
583 Where shared libraries or router-based packet filtering are not an
584 option, an alternative portmap daemon can help to prevent hackers
586 ftp.win.tue.nl:/pub/security/portmap-X.shar.Z was tested with SunOS
587 4.1.X Ultrix 3.0 and Ultrix 4.x, HP-UX 8.x and some version of AIX. The
600 ftp.win.tue.nl:/pub/security/surrogate-syslog.tar.Z. The fakesyslog
603 6 - Limitations
604 ---------------
606 6.1 - Known wrapper limitations
607 -------------------------------
609 Many UDP (and rpc/udp) daemons linger around for a while after they
617 registered as rpc/tcp in the inetd configuration file. The only non-
622 Some RPC requests (for example: rwall, rup, rusers) appear to come from
624 to all portmap daemons on its network; each portmap daemon forwards the
625 request to a daemon on its own system. As far as the rwall etc. daemons
631 6.2 - Known system software bugs
632 --------------------------------
638 IRIX has so many bugs that it has its own README.IRIX file.
641 This makes it impossible for the daemon wrappers to look up the
646 behind zombie processes when writing to logged-in users. Workaround:
647 increase the syslogd threshold for logging to users, or reduce the
651 trigger a kernel bug. When a client host connects to your system, and
652 the RFC 931 connection from your system to that client is rejected by a
654 not a bug in the wrapper programs: complain to your vendor, and don't
660 Sony News/OS 4.51, HP-UX 8-something and Ultrix 4.3 still have the bug.
661 Reportedly, a fix for Ultrix is available (CXO-8919).
663 The following procedure can be used (from outside the tue.nl domain) to
668 This command attempts to make an ftp connection to our anonymous ftp
676 attempts to connect to our portmap process. The telnet command should
687 7 - Configuration and installation
688 ----------------------------------
690 7.1 - Easy configuration and installation
691 -----------------------------------------
693 The "easy" recipe requires no changes to existing software or
694 configuration files. Basically, you move the daemons that you want to
695 protect to a different directory and plug the resulting holes with
703 ready-to-use templates for many common UNIX implementations (sun,
704 ultrix, hp-ux, aix, irix,...).
706 IRIX has so many bugs that it has its own README.IRIX file.
711 You can use the `tcpdchk' program to identify the most common problems
715 react to specific requests for service.
719 hosts may do in response to your finger probes.
721 The `try-from' program tests the host and username lookup code. Run it
722 from a remote shell command (`rsh host /some/where/try-from') and it
723 should be able to figure out from what system it is being called.
725 The tcpd program can be used to monitor the telnet, finger, ftp, exec,
727 a one-to-one mapping onto executable files.
731 such as rexd. You probably do not want to run rexd anyway. On most
734 With System V.4-style systems, the tcpd program can also handle TLI
736 the same functions as with socket-based applications. When some other
740 Decide which services you want to monitor. Move the corresponding
741 vendor-provided daemon programs to the location specified by the
743 copies of the tcpd program. That is, one copy of (or link to) the tcpd
744 program for each service that you want to monitor. For example, to
751 The example applies to SunOS 4. With other UNIX implementations the
753 "in." prefix to their names, but you get the idea.
756 directories in the path leading to those files, should be accessible
758 install the wrapper set-uid.
760 Ultrix only: If you want to monitor the SYSTAT service, move the
761 vendor-provided miscd daemon to the location specified by the
765 In the absence of any access-control tables, the daemon wrappers
766 will just maintain a record of network connections made to your system.
768 7.2 - Advanced configuration and installation
769 ---------------------------------------------
772 simple modifications to the inetd configuration file.
775 ready-to-use templates for many common UNIX implementations (sun,
776 ultrix, hp-ux, aix, irix, ...).
783 You can use the `tcpdchk' program to identify the most common problems
787 react to specific requests for service.
789 The `try-from' program tests the host and username lookup code. Run it
790 from a remote shell command (`rsh host /some/where/try-from') and it
791 should be able to figure out from what system it is being called.
795 may do in response to your finger probes.
797 The tcpd program can be used to monitor the telnet, finger, ftp, exec,
799 a one-to-one mapping onto executable files.
801 With System V.4-style systems, the tcpd program can also handle TLI
803 the same functions as with socket-based applications. When some other
809 such as rexd. You probably do not want to run rexd anyway. On most
813 want to install it under a different name because the name "tcpd" is
817 directories in the path leading to those files, should be accessible
819 install the wrapper set-uid.
830 Send a `kill -HUP' to the inetd process to make the change effective.
832 finger service (comment out the finger service and `kill -HUP' the
834 twice seems to work just as well for IRIX 5.3, 6.0, 6.0.1 and 6.1.
836 AIX note: you may have to execute the `inetimp' command after changing
839 The example applies to SunOS 4. With other UNIX implementations the
841 daemons have no "in." prefix to their names, or the username field in
845 changes for other network services. Do not forget the `kill -HUP'.
848 services. It decides what to do by looking at its process name. One of
850 you want to monitor the systat service, install the miscd wrapper in a
855 Ultrix 4.3 allows you to specify a user id under which the daemon will
863 In the absence of any access-control tables, the daemon wrappers
864 will just maintain a record of network connections made to your system.
866 7.3 - Daemons with arbitrary path names
867 ---------------------------------------
882 7.4 - Building and testing the access control rules
883 ---------------------------------------------------
885 In order to support access control the wrappers must be compiled with
886 the -DHOSTS_ACCESS option. The access control policy is given in the
894 host names that you will have to build into your access control rules.
897 hosts_access.5, which is in `nroff -man' format. This is a lengthy
898 document, and no-one expects you to read it right away from beginning
899 to end. Instead, after reading the introductory section, skip to the
904 The examples in the hosts_access.5 document (`nroff -man' format) show
908 makers). You will have to choose what model suits your situation best.
911 Optional extensions to the access control language are described in the
912 hosts_options.5 document (`nroff -man' format).
915 and reports any problems it can find. `tcpdchk -v' writes to standard
916 output a pretty-printed list of all rules. `tcpdchk -d' examines the
918 program is described in the tcpdchk.8 document (`nroff -man' format).
920 The `tcpdmatch' command can be used to try out your local access
928 will be taken, when hosts connect to your own system. The program is
929 described in the tcpdmatch.8 document (`nroff -man' format).
931 Note 1: `tcpdmatch -d' will look for hosts.{allow,deny} tables in the
935 Note 2: you cannot use the `tcpdmatch' command to simulate what happens
936 when the local system connects to other hosts.
938 In order to find out what process name to use, just use the service and
941 to the tftp example in the tutorial section above:
943 tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
945 This entry causes the inetd to run the wrapper program (tcpd) with a
948 process name that should be given to the `tcpdmatch' command. On your
960 simulate what happens when the wrapper is unable to look up the client
963 7.5 - Other applications
964 ------------------------
967 programs. The hosts_access.3 manual page (`nroff -man' format)
970 The tcpd program can even be used to control access to the mail
975 In that case, sendmail should not be run as a stand-alone network
979 smtp stream tcp nowait root /usr/etc/tcpd /usr/lib/sendmail -bs
981 You will still need to run one sendmail background process to handle
982 queued-up outgoing mail. A command like:
984 /usr/lib/sendmail -q15m
986 (no `-bd' flag) should take care of that. You cannot really prevent
987 people from posting forged mail this way, because there are many
990 8 - Acknowledgements
991 --------------------
993 Many people contributed to the evolution of the programs, by asking
998 Thanks to Brendan Kehoe (cs.widener.edu), Heimir Sverrisson (hafro.is)
1002 peculiar quirks: Willem-Jan Withagen (eb.ele.tue.nl), Pieter
1004 provided assistance. Hal R. Brand (addvax.llnl.gov) told me how to
1005 get the client IP address in case of datagram-oriented services, and
1007 (mentor.cc.purdue.edu) provided a first version of a much-needed manual
1008 page. Granville Boman Goza, IV (sei.cmu.edu) suggested to use the
1015 (we.lc.ehu.es). Brad Plecs (jhuspo.ca.jhu.edu) was kind enough to try
1016 my early TLI code and to work out how DG/UX differs from Solaris.
1028 C. Wingenbach, Everett F. Batey and many, many others provided fixes,