tcpd.html

<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="description" CONTENT="TCP Wrappers">
<META NAME="GENERATOR" CONTENT="Mozilla/4.05 [en] (X11; I; OpenBSD 2.3 i386) [Netscape]">
<TITLE>TCP Wrappers-Access control for your computer!</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<CENTER><H2>TCP Wrappers</H2></CENTER>
<CENTER><H3>Locked doors and a security camera for your computer!</H3></CENTER>
<HR>
<FONT SIZE="-1"><B>Last updated: June 19, 1998</B></FONT><BR>
<FONT SIZE="-1"><B>Development stage: Beta</B></FONT>
<P>How to install TCP Wrappers to keep the bad guys out and monitor connection attempts to your computer.
<P><B>How does tcp_wrappers work?</B>
<P>When a user tries to connect to your computer on a port, inetd looks up the port number in /etc/services; when it finds the port number it looks in /etc/inetd.conf for the corresponding service and runs it. With tcp_wrappers, inetd is tricked into running tcpd instead of the service that would normally be called. Tcpd then checks its rules in the /etc/hosts.allow and /etc/hosts.deny files, and either accepts the connection and runs the service or denies the connection, based on those rules.
<P><B>Installing TCP Wrappers:</B><BR>
It's very possible the TCP Wrapper package is already installed on your computer. Look in the directory "/usr/sbin" for a file named "tcpd"; if it's there you most likely have it installed already and you can proceed to part 4.
<P>The following instructions take you step by step through the installation process of tcp-wrappers from the source code...YES that's right...the source, no sissy-girl rpm's or deb's ;)
<P><B>1: Download the tcp wrappers source code.</B><BR>
&nbsp;&nbsp;&nbsp; <I>ftp://ftp.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.6.tar.gz</I>
<P><B>2: Untar-gz tcp_wrappers_7.6.tar.gz</B><BR>
&nbsp;&nbsp;&nbsp; <I>tar zxvf tcp_wrappers_7.6.tar.gz</I>
<P><B>3: Compile and install the wrappers program.</B><BR>
&nbsp;&nbsp;&nbsp; Now we will build and install the program.
<P>&nbsp;&nbsp;&nbsp; <I>cd tcp_wrappers_7.6</I><BR>
&nbsp;&nbsp;&nbsp; <I>make REAL_DAEMON_DIR=/usr/sbin linux</I><BR>
&nbsp;&nbsp;&nbsp; <I>make install</I> &lt;---- you'll need to be logged on as root to run this command!<BR>
&nbsp;<BR>
&nbsp;&nbsp;&nbsp; At this point the tcp-wrapper program is installed; next we will configure our wrappers.
<P><B>4: Set up our banners</B> (optional)<BR>
&nbsp;&nbsp;&nbsp; Banners contain the message displayed when tcpd is called for a particular service. Create the banners directory if necessary.<BR>
&nbsp;<BR>
&nbsp;&nbsp;&nbsp; <I>mkdir /usr/local/etc/banners</I>
<P>&nbsp;&nbsp;&nbsp; For every service you want a message for, you'll have to edit a file in the banners directory.<BR>
&nbsp;&nbsp;&nbsp; /usr/local/etc/banners/in.telnetd &lt;---- for the telnet banner<BR>
&nbsp;&nbsp;&nbsp; /usr/local/etc/banners/in.ftpd &lt;---- for the ftp banner<BR>
&nbsp;<BR>
<B>5: Edit your /etc/hosts.allow and /etc/hosts.deny to limit access to your computer's network services.</B><BR>
&nbsp;&nbsp;&nbsp; One of the nice features of tcp-wrappers is the ability to control access to your computer's network services and log failed or successful attempts. You can also perform certain actions based on the user's hostname.<BR>
&nbsp;&nbsp;&nbsp; When someone tries to connect to a network service on your computer, the tcp-wrapper (tcpd) reads the file /etc/hosts.allow for a rule that matches the hostname of the person trying to connect; if /etc/hosts.allow doesn't contain a rule allowing access, tcpd reads /etc/hosts.deny for a rule that would deny access to the hostname. If neither file contains an accept or deny rule, access is granted by default.
<P>In the following examples we are going to deny all finger requests, deny telnet access to all users from lamers.edu (access can be denied in the hosts.allow file) and email a user called "auth" with details of every connection attempt...the format of the hosts.allow/hosts.deny files is as follows:<BR>
<B>service: hostname: banners if needed : options</B>
<P>Our example /etc/hosts.allow looks like the following ---->
<PRE>---------------------------------------------------------
in.fingerd: ALL : banners /usr/local/etc/banners/ : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
in.telnetd: .lamers.edu : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
ALL: ALL : spawn (echo "Access from %u@%h using %d." | sendmail auth)
---------------------------------------------------------</PRE>
In the first line "in.fingerd" is the service; the hostname is "ALL", which means the rule applies to all hosts; then we tell tcpd to display the banner to the user; and finally we tell tcpd to start (spawn) another program that emails the message "Access from some-user@some.host.com using in.fingerd" to the user "auth"...finally it tells tcpd to "DENY" access. For this to work you will need a user on your system called "auth"; many people send it to "root", but then you have to be logged in as root to read it, and it clutters root's mailbox and makes it difficult to sort your tcpd mail from other "root" mail.
<P>The second rule follows the same format as the first: it denies telnet access to all users from "lamers.edu", and sends email to auth.
<P>The third rule allows access to all users from everywhere but emails "auth" with details of the connection.
<P>Each rule goes on its own unbroken line.
<P><I>"man 5 hosts_access"</I> for more information.
<P><B>6. Edit your /etc/syslog.conf to use the syslog with tcpd.</B>
<P><U>Here are a few lines of a typical /etc/syslog.conf:</U>
<PRE>*.err;kern.debug;auth.notice;mail.crit                  /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err         /var/log/messages
mail.info                                               /var/log/maillog</PRE>
<P><U>Here are a few lines of our edited /etc/syslog.conf:</U>
<PRE>*.err;kern.debug;auth.notice;mail.crit                  /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err;auth.info /var/log/messages
mail.info                                               /var/log/maillog</PRE>
<P>The difference is that "auth.info" has been added to the /var/log/messages line, so tcpd's messages (which it logs via the auth facility) end up in /var/log/messages.<BR>
&nbsp;<BR>
<B>7. Edit /etc/inetd.conf to point your services to tcpd.</B>
<P>The following example has the original lines commented (#) out and our modified tcpd lines inserted.
<PRE>#ftp    stream  tcp     nowait  root    /usr/sbin/ftpd      ftpd -l -a
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd      ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/telnetd   telnetd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd      telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/fingerd   fingerd -s
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd      fingerd -s</PRE>
Linux differs from some *unix's in that the file locations aren't quite "standard", so when you install tcp_wrappers the "tcpd" file may be in the "/usr/libexec" directory, in which case you'll have to change "/usr/sbin/tcpd" to "/usr/libexec/tcpd" in the above example.
<P><B>8. If everything above is correct you can reboot or restart inetd and syslogd.</B><BR>
&nbsp;<BR>
&nbsp;&nbsp;&nbsp; To restart rather than reboot you need the pid# of both inetd and syslogd...to get this info:
<P>&nbsp;&nbsp;&nbsp; <I>ps -xa | grep inetd</I><BR>
&nbsp;&nbsp;&nbsp; the output ---> "19086 ??  IWs    0:00.05 inetd "<BR>
&nbsp;<BR>
&nbsp;&nbsp;&nbsp; 19086 is the pid of inetd...to restart inetd:<BR>
&nbsp;&nbsp;&nbsp; <I>kill -1 19086</I><BR>
&nbsp;&nbsp;&nbsp; The process is the same for the syslog daemon and you're done...<B>congratulations!</B>
<P>Comments, questions, suggestions, corrections? Drop me a line at <A HREF="mailto:fireman@shaw.wave.ca">fireman@shaw.wave.ca</A><BR>
&nbsp;
<P><B><FONT SIZE="-1">Copyright &copy; 1998 <A HREF="mailto:fireman@shaw.wave.ca">Rob Sellars (fireman@shaw.wave.ca)</A>. All rights reserved. Permission to use, distribute, modify and copy this document is hereby granted provided credit to this document is included in the modified document.</FONT></B></P>
</BODY></HTML>
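As an added example (not part of this page or of the tcp_wrappers package), the following Python models the hosts.allow / hosts.deny lookup described in step 5: hosts.allow first, then hosts.deny, first matching rule wins, access granted when nothing matches. It uses the tutorial's three hosts.allow rules plus a constructed catch-all hosts.deny; the `decide`, `parse_rules` and `match_*` functions and the "0.0.0.0" default address are this example's own assumptions, and only the ALL, exact, ".domain" and "net." patterns from hosts_access(5) are handled.

```python
# Added example (not from the page or the tcp_wrappers package): a model of the
# per-connection decision tcpd makes, in the lookup order step 5 describes.
# Constructed sample tables: the tutorial's hosts.allow plus a catch-all deny.
HOSTS_ALLOW = """
in.fingerd: ALL : banners /usr/local/etc/banners/ : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
in.telnetd: .lamers.edu : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
ALL: ALL : spawn (echo "Access from %u@%h using %d." | sendmail auth)
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Yield (daemon_list, client_list, options) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = [f.strip() for f in line.split(":")]
            yield fields[0], fields[1], fields[2:]

def match_pattern(pattern, host, addr):
    """One hosts_access(5) wildcard: ALL, .domain suffix, net. prefix, exact."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):   # domain suffix, e.g. .lamers.edu
        return host.lower().endswith(pattern)
    if pattern.endswith("."):     # network prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern in (host.lower(), addr)

def match_list(pattern_list, host, addr):
    """A rule's daemon or client field is a blank- or comma-separated list."""
    tokens = pattern_list.replace(",", " ").split()
    return any(match_pattern(t, host, addr) for t in tokens)

def decide(daemon, host, addr="0.0.0.0", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return (verdict, reason). hosts.allow is scanned first, then hosts.deny;
    the first matching rule wins, a DENY/ALLOW option overrides the file's own
    meaning, and no match at all grants access (so end hosts.deny with ALL: ALL)."""
    for name, table, default in (("hosts.allow", allow, "ALLOW"),
                                 ("hosts.deny", deny, "DENY")):
        for n, (daemons, clients, opts) in enumerate(parse_rules(table), 1):
            if match_list(daemons, daemon, daemon) and match_list(clients, host, addr):
                opts = [o.lower() for o in opts]
                verdict = "DENY" if "deny" in opts else "ALLOW" if "allow" in opts else default
                return verdict, "%s rule %d" % (name, n)
    return "ALLOW", "no rule matched (tcpd default)"
```

Running `decide("in.telnetd", "box.lamers.edu")` returns a DENY from hosts.allow rule 2, while `decide("in.ftpd", "x.example.net", allow="", deny="")` shows the open-by-default behaviour the tutorial warns about.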
