tcpd.html

伯克利做的SFTP安全文件传输协议

<html>
<head>
<title>Using TCP wrappers with SafeTP</title>
</head>

<body>
<h1>Using TCP wrappers with SafeTP</h1>
<p>

This page describes how to setup TCP wrappers (tcpd) to limit access
to the raw ftpd server.  Most unixes come with tcpd installed, but you
can also get it from
<a href="ftp://ftp.porcupine.org/pub/security/index.html">Wietse Venema's
site</a>.<p>

<hr>

Since the SafeTP server daemon (sftpd) is usually configured to listen
to port 21, the default FTP port, it is expected to handle all incoming
FTP connections.  However, the ordinary FTP server (ftpd) is simply
moved to port 351, and is still accessible there.<p>


<h2>inetd configuration: <tt>/etc/inetd.conf</tt></h2>

If you'd like to prevent users from connecting to port 351, and only
allow sftpd to connect from the local machine, first arrange for ftpd
to be run from tcpd.  The line in <tt>/etc/inetd.conf</tt> which runs
ftpd may look like this now (after a safetp install), depending on where
your ftpd lives and what arguments you've given it:

  <pre>
  raw-ftp stream tcp nowait root   /usr/sbin/wu.ftpd wu.ftpd -l -i -a -t0
  </pre>

To interpose tcpd between inetd and ftpd, change the line to look like this
(depending on where your tcpd lives):

  <pre>
  raw-ftp stream tcp nowait root   /usr/sbin/tcpd wu.ftpd -l -i -a -t0
  </pre>

This means that inetd will first run tcpd, and then tcpd can choose to either
exec(2) ftpd (if the client passes the access controls) or simply close the
connection (if the client fails the access controls).<p>

Note:  You need to send the HUP signal to the inetd process to cause
it to re-read its configuration files.  See kill(1).<p>


<h2>tcpd configuration: <tt>/etc/hosts.deny</tt> and <tt>/etc/hosts.allow</tt></h2>

Then, add the following entries to the tcpd configuration files:<p>

<blockquote>

  In <tt>/etc/hosts.deny</tt>:

    <pre>
    # by default, nothing can connect to the raw ftpd server
    # (this assumes you're using wu-ftpd; change the daemon name to
    # the argv[0] name of whatever you're in fact using)
    wu.ftpd : ALL
    </pre>

  and in <tt>/etc/hosts.allow</tt>:

    <pre>
    # allow local processes (in particular, sftpd) to connect to the
    # raw ftpd server; replace 1.2.3.4 with your IP address(es)
    wu.ftpd : 1.2.3.4, 127.0.0.1
    </pre>

</blockquote>

It's not sufficient to allow only localhost (127.0.0.1) because sftpd contacts
ftpd on the same interface it was itself contacted on.<p>

Note that when tcpd denies a connection, it does so by first accepting
the connection, waiting about 3 seconds, then closing it.  This might
be confusing to users, since the connection initially appears to succeed.<p>


<h2>Final thought</h2>

It's perhaps worth mentioning that sftpd itself can also have access
controlled by tcpd.  One advantage of doing so is that tcpd does some
other checks and logging on each incoming connection, such as
attempting to detect host name spoofing and doing identd (RFC 931)
lookups.  In particular, since sftpd contacts ftpd locally, the tcpd
wrapper on ftpd will not provide these services once SafeTP is
installed.<p>


</body>
</html>