
							command line argument</PRE>





<BR>



<P>

















Now you have got a simplified view of the entry. This is the entry used
to start the ftp service in the example I showed above. This entry runs
/usr/sbin/wu.ftpd, so for the TCP wrapper proggie to become involved the
line above needs to be edited: simply add /usr/sbin/tcpd in that position;
the rest can stay as it was. You need to make this change in each line
found in inetd.conf that starts a service you want to use with the
TCP wrapper. If you want to close that service, simply add a # in front of
ftp, all the way to the left, and your ftp service port (21) should now be
closed.

<BR>Now, for the changes you have made to take effect, you must either reboot
your box or restart inetd by typing:



<P>root@mike:~# killall -HUP inetd



<P>If you don't really know what you're doing, a good idea is to chattr
inetd.conf. This command stops any changes being made by accident and
also stops renaming and linking.



<P>root@mike:~# chattr +i /etc/inetd.conf



<P>To edit inetd.conf again you just have to do the reverse:



<P>root@mike:~# chattr -i /etc/inetd.conf
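
<P>An added example, not part of the original tutorial: a small Python check that reads inetd.conf-style text and reports which services are started through /usr/sbin/tcpd, which are started directly, and which are commented out. The sample entries and the names audit_inetd and unwrapped_services are constructed for illustration.

```python
# Audit inetd.conf-style text for services not started through tcpd.
# Field order: service socket-type protocol wait-flag user server-path args...
SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

# Constructed sample, not taken from a real host.
SAMPLE = """\
# Internet services
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        wu.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd        in.fingerd
time    stream  tcp  nowait  root    internal
"""

def audit_inetd(text, wrapper="/usr/sbin/tcpd"):
    """Map each service name to wrapped / unwrapped / internal / disabled."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        disabled = line.startswith("#")
        fields = line.lstrip("#").split()
        # Skip blank lines and comments that are not commented-out entries.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        service, server = fields[0], fields[5]
        if disabled:
            report[service] = "disabled"
        elif server == "internal":
            report[service] = "internal"
        elif server == wrapper:
            report[service] = "wrapped"
        else:
            report[service] = "unwrapped"
    return report

def unwrapped_services(text):
    """Enabled services that inetd starts directly, without going through tcpd."""
    return sorted(s for s, st in audit_inetd(text).items() if st == "unwrapped")

if __name__ == "__main__":
    print(audit_inetd(SAMPLE))
    print(unwrapped_services(SAMPLE))
```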



<P>Now that we have configured tcpd to manage network services by
editing inetd.conf, we have to edit the two filz I mentioned above,
hosts.allow and hosts.deny, which control which hosts are
allowed or denied access to your box.



<P>-=-=-=-=-=-=-=-=-=-=-=-

<BR><A NAME="hosts.allow"></A>Configure hosts.allow

<BR>-=-=-=-=-=-=-=-=-=-=-=-

<BR>Now, after configuring the internet daemon, we have to configure the
hosts.allow file, which lists the hosts you are going to allow
access. The configuration of hosts.allow and hosts.deny is very similar.
The basic syntax for these filz is



<P>&nbsp;The daemon list : Client list : shell command



<P>Let's start with the daemon list: this field gives the name
of the service to which the rule applies. To list more than one
service, separate the services with commas. In the client list you
put the IP address, host name or DNS name that you are
going to allow, and to allow more than one simply put a comma after each.
If you can, it is very important to allow specific IPs instead of DNS names,
because host spoofing is easier than IP spoofing, so keep that in mind.
The shell command is optional yet very useful; keep reading to find
out why.



<P>One thing that many people forget about TCP wrappers is that
the first matching rule tcpd finds when it searches is the one
it is going to use; in other words, once a match is found it stops looking.
This is very bad, because if no match is found in either the allow or the deny file
then access will be granted by default. TCP wrappers check
hosts.allow first, so it is very important to shut out any IPs you don't want
in that file, instead of putting them in hosts.deny. One way to
solve this fault in TCP wrappers is to deny access to all, then grant
access only to those who need it (people/hosts you trust).



<P>Operator key words

<BR>==============

<BR>Here are some key words you can use for these parameters to
make configuring these two filz easier. Examples will follow.

<P>LOCAL = This key word will match any host whose name doesn't have a
dot character.



<P>UNKNOWN = This key word will match a host whose name or address is
not known.



<P>ALL = This key word will match all hosts and services used.

<BR>&nbsp;



<P>KNOWN = This key word matches any host/user whose address is known.



<P>EXCEPT = This key word acts as an if/or, i.e. group1 EXCEPT group2



<P>---------

<BR>Here is an example of a hosts.allow file (this is fake)



<P>ALL : All@127.0.0.1 : ALLOW

<BR>in.sshd : zopa.com

<BR>inet.ftpd : roster.zopa.com

<BR>ALL : .zopa.com EXCEPT cracker.zopa.com



<P>Here all the hosts in the zopa.com domain are allowed to
use sshd, but roster is the only subdomain which has access to
ftpd; the others can't access ftpd. In the last line all hosts
in the zopa.com domain are allowed to use all services, except
the subdomain cracker.zopa.com. Notice that it is more important to deny access
in hosts.allow: if I had placed cracker.zopa.com in the hosts.deny file,
the host would already have been given access before TCP wrapper ever
checked hosts.deny, because I had allowed access to zopa.com, which
is a match for that host. So it is
obvious that using the 'EXCEPT' keyword in hosts.allow is better
than putting the host in hosts.deny!



<P>Now we don't want to leave hosts.deny empty; we should place this command in it.

<P>Here is an example of&nbsp;<A NAME="hosts.deny"></A>hosts.deny



<P>ALL : ALL



<P>==========

<BR>This puts a safeguard in place: anyone who isn't explicitly
granted access will be denied any access.
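
<P>An added example, not part of the original tutorial: a simplified Python model of the lookup order described above (hosts.allow first, then hosts.deny, first match wins, no match grants access). It handles only host names, ALL, LOCAL, leading-dot domains and EXCEPT; the function names and rule sets are constructed for illustration.

```python
# Simplified model of tcpd's access check (host-name patterns only); not tcpd's code.

def host_matches(pattern, host):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # host name without a dot
        return "." not in host
    if pattern.startswith("."):            # .zopa.com matches the whole domain
        return host.endswith(pattern)
    return pattern == host

def daemon_matches(pattern, daemon):
    return pattern in ("ALL", daemon)

def list_matches(tokens, value, match):
    """Evaluate 'list_1 EXCEPT list_2' (nested EXCEPT groups to the right)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], value, match)
                and not list_matches(tokens[i + 1:], value, match))
    return any(match(t, value) for t in tokens)

def first_match(rules, daemon, host):
    """Return the first rule line matching daemon and host, else None."""
    for line in rules.splitlines():
        fields = [f.strip() for f in line.split(":")]
        if line.lstrip().startswith("#") or len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if (list_matches(daemons, daemon, daemon_matches)
                and list_matches(clients, host, host_matches)):
            return line.strip()
    return None

def check(allow, deny, daemon, host):
    """hosts.allow is searched first, then hosts.deny; no match grants access."""
    rule = first_match(allow, daemon, host)
    if rule:
        return ("granted", rule)
    rule = first_match(deny, daemon, host)
    return ("denied", rule) if rule else ("granted", None)

# Constructed rule sets based on the tutorial's zopa.com example.
ALLOW_PLAIN = "ALL : .zopa.com"
ALLOW_EXCEPT = "ALL : .zopa.com EXCEPT cracker.zopa.com"
if __name__ == "__main__":
    for a, d in [(ALLOW_PLAIN, "ALL : cracker.zopa.com"), (ALLOW_EXCEPT, "ALL : ALL")]:
        print(check(a, d, "in.ftpd", "cracker.zopa.com"))
```

With ALLOW_PLAIN the hosts.deny entry for cracker.zopa.com is never reached; with ALLOW_EXCEPT and an empty hosts.deny the same host falls through both files and is granted by default.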



<P>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

<BR><A NAME="variables"></A>Optional variables for shells commands

<BR>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



<P>You can also use the optional shell command variables. Many people
don't use this optional feature because it becomes too technical, but if
you understand it, it can help you foreshadow any incoming attack.



<P>I will tell you some variables to use with shell commands here.



<P>{-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=}

<BR>%u This variable will return the client username



<P>%d This variable will return the daemon process



<P>%p This variable will return the daemon process ID



<P>%a This variable will return the client host address.



<P>%c This variable will return information about the

<BR> client, like host name or user@host.



<P>%h This variable will return the server hostname, and

<BR> if it can't find it, it will return the address.

<BR>{-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=}



<P>Okay this is enough let me show you an example.



<P>This could be an example of a line you might want to put in your hosts.deny



<P>



ALL : ALL : spawn (echo Attempt from %h %a to %d %p at `date` | tee -a /var/log/tcp.deny.log | mail rammal81@hotmail.com )

<br>or something like the line below, but the above is preferred! <br>
in.ftpd : .zopa.com : (/usr/bin/finger -l @%h | /usr/ucb/mail -s "%d %c %h" root)



<P>So if access was denied to hosts from .zopa.com, root would receive an
email with info corresponding to the variable descriptions above.

<BR>

<p>-=-=-=-=-=-=

<br><A NAME="conclusion"></A>Conclusion

<br>-=-=-=-=-=-=

<BR>One thing you should always keep in mind is that if a hacker wants
to root your box, TCP wrappers will help but are not a 100% impenetrable
line of defence. If you are going to use TCP wrappers, with hosts.deny as your only means of blocking inbound traffic, you had better use ipchains as well, or block the traffic before it reaches your host with a hardware firewall or a router. Now let's get serious: we can't afford that, so we have to use ipchains as our real-world option, and if you can, I am coming over to your house, hehe. Ipchains is very good/flexible because it blocks traffic at the kernel level before the packet is read by inetd or tcpd. I won't bother going further into ipchains because way better tutorials have been written on the topic, so search for them at the security sites. Back to TCP wrappers: you should use the utilities called <a href="http://uw7doc.sco.com/cgi-bin/man/man?tcpdchk+1Mtcp">tcpdchk</a> and <a href="http://uw7doc.sco.com/cgi-bin/man/man?tcpmatch+1Mtcp">tcpdmatch</a>, which come
with the TCP wrapper package and are explained pretty well in the links given. Also, IPs can be spoofed, so always keep that in mind: with a lot
of time an attacker can learn which hosts you allow and spoof as them.
One other thing you should keep in mind is that TCP wrappers are only used
to start up the correct daemon that will be satisfying the correct request,
so don't use them for services like NFS which deal with multiple clients'
requests once started. Okay, I hope you learned something here. If you have
anything to add to this phile or have found some errors, plz email me and
I'll fix it up. thx<br>

<p>-=-=-=-=-

<br><A NAME="shoutz"></A>Greetz

<br>-=-=-=-=-

<br>Well there are just too many to give greetz to, but everyone from Box Network, the kewl members of Blacksun, the wonderful visitors who come everyday and the peeps who answer the daily post don't think i forgot ya! Ohh and everyone on irc.box.sk in all #channels. Ahh before i forget, a huge greetz also goes out to Cube and Kript0n for always being there. Thx!

<P>EOF

<BR>



</BODY>

</HTML>
