Lines Matching +full:system +full:- +full:control
13 (comp.security.unix, comp.unix.admin), to the cert-tools mailing list,
16 with in the body (not subject): subscribe tcp-wrappers-announce.
19 -----------------
21 1 - Introduction
22 2 - Disclaimer
23 3 - Tutorials
24 3.1 - How it works
25 3.2 - Where the logging information goes
26 4 - Features
27 4.1 - Access control
28 4.2 - Host name spoofing
29 4.3 - Host address spoofing
30 4.4 - Client username lookups
31 4.5 - Language extensions
32 4.6 - Multiple ftp/gopher/www archives on one host
33 4.7 - Banner messages
34 4.8 - Sequence number guessing
35 5 - Other works
36 5.1 - Related documents
37 5.2 - Related software
38 6 - Limitations
39 6.1 - Known wrapper limitations
40 6.2 - Known system software bugs
41 7 - Configuration and installation
42 7.1 - Easy configuration and installation
43 7.2 - Advanced configuration and installation
44 7.3 - Daemons with arbitrary path names
45 7.4 - Building and testing the access control rules
46 7.5 - Other applications
47 8 - Acknowledgements
49 1 - Introduction
50 ----------------
56 It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise
66 Optional features are: access control to restrict what systems can
77 such as the inetd; a 4.3BSD-style socket programming interface and/or
78 System V.4-style TLI programming interface; and the availability of a
80 without modification on any system that satisfies these requirements.
93 2 - Disclaimer
94 --------------
107 3 - Tutorials
108 -------------
115 3.1 - How it works
116 ------------------
118 Almost every application of the TCP/IP protocols is based on a client-
126 --------------------------------
145 application-independent, so that the same program can protect many
151 a wrapper has done its work there is no overhead on the client-server
166 approach involves no changes to system configuration files, so there
172 tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
177 optional access control tables. `in.tftpd' is also the name of the
179 well. Any arguments (`-s /tftpboot' in this particular example) are
182 For an account of the history of the wrapper programs, with real-life
185 3.2 - Where the logging information goes
186 ----------------------------------------
195 support priority levels ranging from 9 (debug-level messages) to 0
218 the Makefile and/or the syslog.conf file. Send a `kill -HUP' to the
220 just like sendmail, insists on one or more TABs between the left-hand
221 side and the right-hand side expressions in its configuration file.
227 run the program by hand (`syslogd -d') and see what really happens.
229 4 - Features
230 ------------
232 4.1 - Access control
233 --------------------
235 When compiled with -DHOSTS_ACCESS, the wrapper programs support a
236 simple form of access control. Access can be controlled per host, per
238 execution of shell commands when an access control rule fires; this
240 hosts_access.5 manual page, which is in `nroff -man' format. A later
241 section describes how you can test your access control rules.
243 Access control can also be used to connect clients to the "right"
253 Access control is enabled by default. It can be turned off by editing
254 the Makefile, or by providing no access control tables. The install
257 The hosts_options.5 manual page (`nroff -man' format) documents an
258 extended version of the access control language. The extensions are
261 Later System V implementations provide the Transport Level Interface
268 same functions as with traditional socket-based applications. When
271 control purposes.
273 4.2 - Host name spoofing
274 ------------------------
282 host names become more problematic. The security of your system now may
283 depend on some far-away DNS (domain name server) outside your own
284 control.
287 the address->name DNS server, by asking for a second opinion. To this
289 the name->address DNS server, which may be an entirely different host.
296 When compiled with -DPARANOID, the wrappers will always attempt to look
301 When compiled without -DPARANOID, the wrappers by default still perform
310 4.3 - Host address spoofing
311 ---------------------------
320 example, some far-away host that claims to be a trusted host within
322 system is up and running.
331 When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
333 options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
334 that can stop source-routed traffic in the kernel. Examples are
335 4.4BSD derivatives, Solaris 2.x, and Linux. See your system manuals
339 patch 100804-03+ or 101790-something depending on your SunOS version.
341 the getsockopt() system call is executed after a TCP RESET has been
351 4.4 - Client username lookups
352 -----------------------------
356 host runs an RFC 931-compliant daemon. The information provided by such
367 name lookups can cause noticeable delays with connections from non-UNIX
369 telnet). The wrappers use a 10-second timeout for RFC931 lookups, to
373 control rules require them to do so (via user@host client patterns, see
382 On System V with TLI-based network services, client username lookups
385 4.5 - Language extensions
386 -------------------------
395 documented in the hosts_options.5 document, which is in `nroff -man'
401 introduce an incompatible change to the access control language
405 4.6 - Multiple ftp/gopher/www archives on one host
406 --------------------------------------------------
429 With the wrapper software, `daemon@host' access control patterns can be
432 `nroff -man' format) can guide the requests to the right server. These
441 4.7 - Banner messages
442 ---------------------
448 system a more personal touch.
450 The wrapper software provides easy-to-use tools to generate pre-login
452 textfile. Details on banners and on-the-fly %<letter> expansions are
453 given in the hosts_options.5 manual page (`nroff -man' format). An
459 4.8 - Sequence number guessing
460 ------------------------------
463 well-known weakness in TCP/IP sequence number generators. This
464 weakness allows intruders to impersonate trusted hosts. Break-ins have
468 A long-term solution is to stop using network services that trust the
471 A short-term solution, as outlined in CERT advisory CA-95:01, is to
495 5 - Other works
496 ---------------
498 5.1 - Related documents
499 -----------------------
503 W.Z. Venema, "TCP WRAPPER, network monitoring, access control and
521 Addison-Wesley, 1994.
530 5.2 - Related software
531 ----------------------
535 hundred kbytes each day. egrep-based filters can help to suppress some
536 of the noise. A more powerful tool is the Swatch monitoring system by
540 available from ftp.stanford.edu, directory /general/security-tools/swatch.
543 control network traffic from hosts on an internal network, through a
549 For a modified Socks version by Ying-Da Lee (ylee@syl.dl.nec.com) try
557 own internet firewall system. ftp.tis.com, directory /pub/firewalls.
561 (ftp.win.tue.nl:/pub/security/logdaemon-XX.tar.Z). These programs are
562 drop-in replacements for SunOS 4.x, Ultrix 4.x, SunOS 5.x and HP-UX
564 S/Key or SecureNet one-time passwords in addition to traditional UNIX
567 The securelib shared library by William LeFebvre can be used to control
568 access to network daemons that are not run under control of the inetd
574 provides, among others, logging, username lookup and access control.
575 However, it does not support the System V TLI services, and involves
583 Where shared libraries or router-based packet filtering are not an
586 ftp.win.tue.nl:/pub/security/portmap-X.shar.Z was tested with SunOS
587 4.1.X, Ultrix 3.0 and Ultrix 4.x, HP-UX 8.x and some version of AIX. The
600 ftp.win.tue.nl:/pub/security/surrogate-syslog.tar.Z. The fakesyslog
603 6 - Limitations
604 ---------------
606 6.1 - Known wrapper limitations
607 -------------------------------
617 registered as rpc/tcp in the inetd configuration file. The only non-
625 request to a daemon on its own system. As far as the rwall etc. daemons
631 6.2 - Known system software bugs
632 --------------------------------
634 Workarounds have been implemented for several bugs in system software.
635 They are described in the Makefile. Unfortunately, some system software
646 behind zombie processes when writing to logged-in users. Workaround:
651 trigger a kernel bug. When a client host connects to your system, and
652 the RFC 931 connection from your system to that client is rejected by a
660 Sony News/OS 4.51, HP-UX 8-something and Ultrix 4.3 still have the bug.
661 Reportedly, a fix for Ultrix is available (CXO-8919).
664 find out if your kernel has the bug. From the system under test, do:
670 the following command from the same system under test, while keeping
682 enough with incoming ICMP UNREACHABLE control messages (it ignored the
684 with the remote system). The bug is still present in the BSD NET/1
687 7 - Configuration and installation
688 ----------------------------------
690 7.1 - Easy configuration and installation
691 -----------------------------------------
703 ready-to-use templates for many common UNIX implementations (sun,
704 ultrix, hp-ux, aix, irix,...).
721 The `try-from' program tests the host and username lookup code. Run it
722 from a remote shell command (`rsh host /some/where/try-from') and it
723 should be able to figure out from what system it is being called.
727 a one-to-one mapping onto executable files.
734 With System V.4-style systems, the tcpd program can also handle TLI
736 the same functions as with socket-based applications. When some other
741 vendor-provided daemon programs to the location specified by the
758 install the wrapper set-uid.
761 vendor-provided miscd daemon to the location specified by the
765 In the absence of any access-control tables, the daemon wrappers
766 will just maintain a record of network connections made to your system.
768 7.2 - Advanced configuration and installation
769 ---------------------------------------------
775 ready-to-use templates for many common UNIX implementations (sun,
776 ultrix, hp-ux, aix, irix, ...).
789 The `try-from' program tests the host and username lookup code. Run it
790 from a remote shell command (`rsh host /some/where/try-from') and it
791 should be able to figure out from what system it is being called.
799 a one-to-one mapping onto executable files.
801 With System V.4-style systems, the tcpd program can also handle TLI
803 the same functions as with socket-based applications. When some other
819 install the wrapper set-uid.
830 Send a `kill -HUP' to the inetd process to make the change effective.
832 finger service (comment out the finger service and `kill -HUP' the
845 changes for other network services. Do not forget the `kill -HUP'.
863 In the absence of any access-control tables, the daemon wrappers
864 will just maintain a record of network connections made to your system.
866 7.3 - Daemons with arbitrary path names
867 ---------------------------------------
871 links all over your file system is not a clean solution, either.
880 of the daemon process name for logging and for access control.
882 7.4 - Building and testing the access control rules
883 ---------------------------------------------------
885 In order to support access control the wrappers must be compiled with
886 the -DHOSTS_ACCESS option. The access control policy is given in the
888 Access control is disabled when there are no access control tables, or
892 them a couple of days without any access control restrictions. The
894 host names that you will have to build into your access control rules.
896 The syntax of the access control rules is documented in the file
897 hosts_access.5, which is in `nroff -man' format. This is a lengthy
898 document, and no-one expects you to read it right away from beginning
904 The examples in the hosts_access.5 document (`nroff -man' format) show
905 two specific types of access control policy: 1) mostly closed (only
911 Optional extensions to the access control language are described in the
912 hosts_options.5 document (`nroff -man' format).
914 The `tcpdchk' program examines all rules in your access control files
915 and reports any problems it can find. `tcpdchk -v' writes to standard
916 output a pretty-printed list of all rules. `tcpdchk -d' examines the
918 program is described in the tcpdchk.8 document (`nroff -man' format).
921 control files. The command syntax is:
928 will be taken, when hosts connect to your own system. The program is
929 described in the tcpdmatch.8 document (`nroff -man' format).
931 Note 1: `tcpdmatch -d' will look for hosts.{allow,deny} tables in the
936 when the local system connects to other hosts.
943 tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
947 when scanning the access control tables. Therefore, `in.tftpd' is the
949 system the actual inetd.conf entry may differ (tftpd instead of
963 7.5 - Other applications
964 ------------------------
966 The access control routines can easily be integrated with other
967 programs. The hosts_access.3 manual page (`nroff -man' format)
970 The tcpd program can even be used to control access to the mail
975 In that case, sendmail should not be run as a stand-alone network
979 smtp stream tcp nowait root /usr/etc/tcpd /usr/lib/sendmail -bs
982 queued-up outgoing mail. A command like:
984 /usr/lib/sendmail -q15m
986 (no `-bd' flag) should take care of that. You cannot really prevent
990 8 - Acknowledgements
991 --------------------
1002 peculiar quirks: Willem-Jan Withagen (eb.ele.tue.nl), Pieter
1005 get the client IP address in case of datagram-oriented services, and
1007 (mentor.cc.purdue.edu) provided a first version of a much-needed manual