6 My postal address is at the bottom of this file.
13 (comp.security.unix, comp.unix.admin), to the cert-tools mailing list,
16 with in the body (not subject): subscribe tcp-wrappers-announce.
19 -----------------
21 1 - Introduction
22 2 - Disclaimer
23 3 - Tutorials
24 3.1 - How it works
25 3.2 - Where the logging information goes
26 4 - Features
27 4.1 - Access control
28 4.2 - Host name spoofing
29 4.3 - Host address spoofing
30 4.4 - Client username lookups
31 4.5 - Language extensions
32 4.6 - Multiple ftp/gopher/www archives on one host
33 4.7 - Banner messages
34 4.8 - Sequence number guessing
35 5 - Other works
36 5.1 - Related documents
37 5.2 - Related software
38 6 - Limitations
39 6.1 - Known wrapper limitations
40 6.2 - Known system software bugs
41 7 - Configuration and installation
42 7.1 - Easy configuration and installation
43 7.2 - Advanced configuration and installation
44 7.3 - Daemons with arbitrary path names
45 7.4 - Building and testing the access control rules
46 7.5 - Other applications
47 8 - Acknowledgements
49 1 - Introduction
50 ----------------
56 It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise
70 pretend to have someone else's host address.
77 such as the inetd; a 4.3BSD-style socket programming interface and/or
78 System V.4-style TLI programming interface; and the availability of a
93 2 - Disclaimer
94 --------------
96 The wrapper programs rely on source address information obtained from
107 3 - Tutorials
108 -------------
115 3.1 - How it works
116 ------------------
118 Almost every application of the TCP/IP protocols is based on a client-
126 --------------------------------
139 name or address and performs some additional checks. When all is well,
145 application-independent, so that the same program can protect many
151 a wrapper has done its work there is no overhead on the client-server
172 tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
179 well. Any arguments (`-s /tftpboot' in this particular example) are
182 For an account of the history of the wrapper programs, with real-life
185 3.2 - Where the logging information goes
186 ----------------------------------------
195 support priority levels ranging from 9 (debug-level messages) to 0
218 the Makefile and/or the syslog.conf file. Send a `kill -HUP' to the
220 just like sendmail, insists on one or more TABs between the left-hand
221 side and the right-hand side expressions in its configuration file.
227 run the program by hand (`syslogd -d') and see what really happens.
229 4 - Features
230 ------------
232 4.1 - Access control
233 --------------------
235 When compiled with -DHOSTS_ACCESS, the wrapper programs support a
240 hosts_access.5 manual page, which is in `nroff -man' format. A later
245 of the request, and what host address the client connects to. Examples:
257 The hosts_options.5 manual page (`nroff -man' format) documents an
268 same functions as with traditional socket-based applications. When
269 some other protocol is used underneath TLI, the host address will be
273 4.2 - Host name spoofing
274 ------------------------
279 table, provided that the client IP address can be trusted.
283 depend on some far-away DNS (domain name server) outside your own
287 the address->name DNS server, by asking for a second opinion. To this
289 the name->address DNS server, which may be an entirely different host.
291 If any name or address discrepancies are found, or if the second DNS
296 When compiled with -DPARANOID, the wrappers will always attempt to look
298 service in case of a host name/address discrepancy. This is a
301 When compiled without -DPARANOID, the wrappers by default still perform
302 hostname lookup. You can match hosts with a name/address discrepancy
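As an added illustration of the double lookup described above (this is not wrapper code): the check below takes the client address, asks the address->name server for a name, then asks the name->address server for that name's canonical name and address list, and treats any disagreement as a name/address discrepancy. The resolver functions are injected so the check runs offline against a constructed DNS view; the system_* helpers show how the same check would sit on socket.gethostbyaddr() and socket.gethostbyname_ex(). The sentinel strings `unknown' and `paranoid' and the refuse-on-mismatch behaviour of a -DPARANOID build follow this README's description, not the wrapper's actual source.

```python
"""Double-reverse host name check, as described in section 4.2.

Added example, not tcp_wrappers code.  The DNS data below is constructed
for the example; nothing here is a real zone.
"""
import socket

# Sentinel names used in place of a real host name (assumption of this model).
UNKNOWN = "unknown"     # no name could be found for the address
PARANOID = "paranoid"   # the name->address lookup disagreed with address->name

# Constructed address->name view (what the reverse, in-addr.arpa server says).
PTR = {
    "192.0.2.10": "good.example.com",
    "192.0.2.11": "spoofed.example.com",    # reverse zone claims a trusted name
    "192.0.2.12": "cname.example.com",      # forward lookup returns another canonical name
    "192.0.2.13": "noforward.example.com",  # no forward record exists at all
}
# Constructed name->addresses view (what the forward server says):
# name -> (canonical name, list of addresses).
A = {
    "good.example.com": ("good.example.com", ["192.0.2.10", "192.0.2.20"]),
    "spoofed.example.com": ("spoofed.example.com", ["198.51.100.7"]),
    "cname.example.com": ("real.example.com", ["192.0.2.12"]),
}


def fake_reverse(address):
    """address -> name, or None when the reverse server has no answer."""
    return PTR.get(address)


def fake_forward(name):
    """name -> (canonical name, [addresses]), or None when the forward server has none."""
    return A.get(name)


def system_reverse(address):
    """Same contract as fake_reverse, backed by the system resolver."""
    try:
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name):
    """Same contract as fake_forward, backed by the system resolver."""
    try:
        canonical, _aliases, addresses = socket.gethostbyname_ex(name)
        return canonical, addresses
    except (socket.herror, socket.gaierror):
        return None


def verify_client_name(address, reverse, forward, paranoid_build=True):
    """Return the name to use for access control.

    UNKNOWN when the address has no name; None (refuse the connection) when
    the second opinion disagrees and we model a -DPARANOID build; PARANOID
    when the build is not paranoid and the rules are left to match it.
    """
    name = reverse(address)
    if name is None:
        return UNKNOWN
    answer = forward(name)
    mismatch = (answer is None                       # no name->address record
                or answer[0].lower() != name.lower()  # canonical name differs
                or address not in answer[1])          # address absent from the list
    if mismatch:
        return None if paranoid_build else PARANOID
    return name


if __name__ == "__main__":
    for addr in sorted(PTR) + ["203.0.113.1"]:
        print(addr, "->", verify_client_name(addr, fake_reverse, fake_forward,
                                             paranoid_build=False))
```

The address-in-list test is what defeats the attack in the text: an attacker who controls the reverse zone for their own address block can return any name they like, but cannot make the trusted domain's forward server hand back their address for that name.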
310 4.3 - Host address spoofing
311 ---------------------------
315 network address. And since host names are deduced from network
316 addresses, address spoofing is at least as effective as name spoofing.
319 claim to have an address that lies outside their own network. For
320 example, some far-away host that claims to be a trusted host within
331 When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
333 options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
334 that can stop source-routed traffic in the kernel. Examples are
339 patch 100804-03+ or 101790-something depending on your SunOS version.
349 all you can be certain of is the network packet's destination address.
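Added example (not the wrapper's own fix_options code): a parser for the option block of an IPv4 header that recognises the two source-routing options, LSRR (type 131) and SSRR (type 137), together with a policy that refuses source-routed connections and anything with a malformed option block, which is the kind of check -DKILL_IP_OPTIONS provides. The header builder, the addresses and the policy are constructed for this example, the checksum is left at zero, and the code works on a raw header rather than on the socket's IP_OPTIONS buffer. It only catches source routing: a packet that merely forges its source address carries no option at all, which is the point of the paragraph above.

```python
"""Detecting IP source-routing options in an IPv4 header.

Added example, not tcp_wrappers code.  Header builder, addresses and the
refusal policy are constructed for illustration (zero checksum, no payload).
"""
import socket
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 7, 131, 137
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def build_header(src, dst, options=b""):
    """Return an IPv4 header (proto TCP, TTL 64, zero checksum) carrying `options`."""
    options += b"\x00" * ((-len(options)) % 4)     # pad to a 4-byte boundary with EOL
    ihl = 5 + len(options) // 4
    if ihl > 15:
        raise ValueError("options exceed 40 bytes")
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


def lsrr_option(hops):
    """Loose source route option: type, length, pointer (=4), then hop addresses."""
    body = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


def parse_ip_options(header):
    """Return [(type, data)] from the option block; raise ValueError if malformed."""
    if len(header) < 20:
        raise ValueError("short header")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not an IPv4 header")
    if len(header) < ihl * 4:
        raise ValueError("header truncated: IHL claims %d bytes" % (ihl * 4))
    opts, i, found = header[20:ihl * 4], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:            # end of option list; rest is padding
            break
        if kind == IPOPT_NOP:            # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d without length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def source_route(header):
    """Return (option name, [hop addresses]) for a source-routed header, else None."""
    for kind, data in parse_ip_options(header):
        if kind in SOURCE_ROUTE_OPTIONS:
            # data[0] is the route pointer; the remainder is a list of 4-byte hops
            hops = [socket.inet_ntoa(data[k:k + 4]) for k in range(1, len(data) - 3, 4)]
            return SOURCE_ROUTE_OPTIONS[kind], hops
    return None


def allow_by_ip_options(header):
    """Policy of this example: refuse source-routed or malformed option blocks."""
    try:
        return source_route(header) is None
    except ValueError:
        return False


if __name__ == "__main__":
    samples = {
        "plain": build_header("192.0.2.10", "192.0.2.1"),
        "lsrr": build_header("192.0.2.10", "192.0.2.1",
                             lsrr_option(["198.51.100.1", "192.0.2.99"])),
        "rr": build_header("192.0.2.10", "192.0.2.1",
                           bytes([IPOPT_NOP, IPOPT_RR, 7, 4, 0, 0, 0, 0])),
    }
    for label, hdr in samples.items():
        print("%-6s options=%s source_route=%s allow=%s" % (
            label, parse_ip_options(hdr), source_route(hdr), allow_by_ip_options(hdr)))
```

A record-route option (type 7) is reported but not refused, since it cannot redirect the reply path; only LSRR and SSRR let the sender dictate where return traffic for a forged source address ends up.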
351 4.4 - Client username lookups
352 -----------------------------
356 host runs an RFC 931-compliant daemon. The information provided by such
367 name lookups can cause noticeable delays with connections from non-UNIX
369 telnet). The wrappers use a 10-second timeout for RFC931 lookups, to
382 On System V with TLI-based network services, client username lookups
385 4.5 - Language extensions
386 -------------------------
395 documented in the hosts_options.5 document, which is in `nroff -man'
405 4.6 - Multiple ftp/gopher/www archives on one host
406 --------------------------------------------------
421 Solaris 2: ifconfig le0:1 <address> netmask <mask> up
422 4.4 BSD: ifconfig en0 alias <address> netmask <mask>
427 need to be up and to be assigned a suitable internet address and mask.
430 used to distinguish requests by the network address that they are aimed
432 `nroff -man' format) can guide the requests to the right server. These
437 only one specific network address. Multiple gopher or www servers can
439 network address.
441 4.7 - Banner messages
442 ---------------------
450 The wrapper software provides easy-to-use tools to generate pre-login
452 textfile. Details on banners and on-the-fly %<letter> expansions are
453 given in the hosts_options.5 manual page (`nroff -man' format). An
459 4.8 - Sequence number guessing
460 ------------------------------
463 well-known weakness in TCP/IP sequence number generators. This
464 weakness allows intruders to impersonate trusted hosts. Break-ins have
466 exploited that trusts the client host name or address.
468 A long-term solution is to stop using network services that trust the
469 client host name or address, and to use data encryption instead.
471 A short-term solution, as outlined in CERT advisory CA-95:01, is to
473 with an "inside" source address. This approach is most fruitful when
474 you do not trust any hosts outside your local network.
495 5 - Other works
496 ---------------
498 5.1 - Related documents
499 -----------------------
521 Addison-Wesley, 1994.
530 5.2 - Related software
531 ----------------------
535 hundred kbytes each day. egrep-based filters can help to suppress some
540 available from ftp.stanford.edu, directory /general/security-tools/swatch.
549 For a modified Socks version by Ying-Da Lee (ylee@syl.dl.nec.com) try
561 (ftp.win.tue.nl:/pub/security/logdaemon-XX.tar.Z). These programs are
562 drop-in replacements for SunOS 4.x, Ultrix 4.x, SunOS 5.x and HP-UX
564 S/Key or SecureNet one-time passwords in addition to traditional UNIX
583 Where shared libraries or router-based packet filtering are not an
586 ftp.win.tue.nl:/pub/security/portmap-X.shar.Z was tested with SunOS
587 4.1.X Ultrix 3.0 and Ultrix 4.x, HP-UX 8.x and some version of AIX. The
600 ftp.win.tue.nl:/pub/security/surrogate-syslog.tar.Z. The fakesyslog
603 6 - Limitations
604 ---------------
606 6.1 - Known wrapper limitations
607 -------------------------------
617 registered as rpc/tcp in the inetd configuration file. The only non-
626 know, the request comes from the local host.
631 6.2 - Known system software bugs
632 --------------------------------
640 Older ConvexOS versions come with a broken recvfrom(2) implementation.
642 client host address (and hence, the name) in case of UDP requests.
646 behind zombie processes when writing to logged-in users. Workaround:
660 Sony News/OS 4.51, HP-UX 8-something and Ultrix 4.3 still have the bug.
661 Reportedly, a fix for Ultrix is available (CXO-8919).
683 local and remote port numbers, and therefore zapped *all* connections
687 7 - Configuration and installation
688 ----------------------------------
690 7.1 - Easy configuration and installation
691 -----------------------------------------
703 ready-to-use templates for many common UNIX implementations (sun,
704 ultrix, hp-ux, aix, irix,...).
721 The `try-from' program tests the host and username lookup code. Run it
722 from a remote shell command (`rsh host /some/where/try-from') and it
727 a one-to-one mapping onto executable files.
734 With System V.4-style systems, the tcpd program can also handle TLI
736 the same functions as with socket-based applications. When some other
738 client username lookups, weird network address formats).
741 vendor-provided daemon programs to the location specified by the
758 install the wrapper set-uid.
761 vendor-provided miscd daemon to the location specified by the
765 In the absence of any access-control tables, the daemon wrappers
768 7.2 - Advanced configuration and installation
769 ---------------------------------------------
775 ready-to-use templates for many common UNIX implementations (sun,
776 ultrix, hp-ux, aix, irix, ...).
789 The `try-from' program tests the host and username lookup code. Run it
790 from a remote shell command (`rsh host /some/where/try-from') and it
799 a one-to-one mapping onto executable files.
801 With System V.4-style systems, the tcpd program can also handle TLI
803 the same functions as with socket-based applications. When some other
805 client username lookups, weird network address formats).
819 install the wrapper set-uid.
830 Send a `kill -HUP' to the inetd process to make the change effective.
832 finger service (comment out the finger service and `kill -HUP' the
845 changes for other network services. Do not forget the `kill -HUP'.
863 In the absence of any access-control tables, the daemon wrappers
866 7.3 - Daemons with arbitrary path names
867 ---------------------------------------
876 ntalk dgram udp wait root /usr/etc/tcpd /usr/local/lib/ntalkd
882 7.4 - Building and testing the access control rules
883 ---------------------------------------------------
886 the -DHOSTS_ACCESS option. The access control policy is given in the
897 hosts_access.5, which is in `nroff -man' format. This is a lengthy
898 document, and no-one expects you to read it right away from beginning
904 The examples in the hosts_access.5 document (`nroff -man' format) show
912 hosts_options.5 document (`nroff -man' format).
915 and reports any problems it can find. `tcpdchk -v' writes to standard
916 output a pretty-printed list of all rules. `tcpdchk -d' examines the
918 program is described in the tcpdchk.8 document (`nroff -man' format).
920 The `tcpdmatch' command can be used to try out your local access
925 tcpdmatch process_name address (e.g.: tcpdmatch in.tftpd 127.0.0.1)
929 described in the tcpdmatch.8 document (`nroff -man' format).
931 Note 1: `tcpdmatch -d' will look for hosts.{allow,deny} tables in the
936 when the local system connects to other hosts.
943 tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot
953 host name and address. This way you can simulate the most common case
954 where the wrappers know both the host address and the host name. The
958 When you specify a host address instead of a host name, the `tcpdmatch'
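The following is an added example, not part of the tcp_wrappers distribution: a small Python model of the hosts_access(5) evaluation order (hosts.allow first, then hosts.deny, then permit), so that rules of the kind described in sections 4.1 and 7.4 can be tried out offline the way `tcpdmatch' tries them against the real tables. The two tables and every host name and address in them are constructed for this example. The model covers only the daemon_list : client_list form with ALL, LOCAL, KNOWN, UNKNOWN, PARANOID, leading-dot name suffixes, trailing-dot address prefixes, net/mask patterns and the EXCEPT operator; it does not handle netgroups (@), daemon@host endpoint patterns, shell commands, or the hosts_options extensions, and the `unknown'/`paranoid' sentinel names are an assumption of the model.

```python
"""Simplified model of hosts_access(5) rule evaluation.

Added example, not tcp_wrappers code.  Tables, names and addresses are
constructed; the sentinel strings are an assumption of this model.
"""
import ipaddress
from dataclasses import dataclass

UNKNOWN = "unknown"     # client name could not be determined
PARANOID = "paranoid"   # client name and address did not agree

# Constructed tables standing in for /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = """\
# first match wins; a match here grants access
ALL:       LOCAL, .example.com EXCEPT untrusted.example.com
in.ftpd:   192.168.1.0/255.255.255.0
in.tftpd:  127.0.0.1
"""
HOSTS_DENY = """\
# consulted only when nothing in hosts.allow matched
ALL: PARANOID
ALL: ALL
"""


@dataclass(frozen=True)
class Client:
    name: str      # reverse-resolved name, or the UNKNOWN / PARANOID sentinel
    address: str   # dotted-quad IPv4 address as seen on the socket


def parse_table(text):
    """Return [(daemon_tokens, client_tokens)] in file order, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules


def list_match(tokens, item, match):
    """Evaluate 'list_1 EXCEPT list_2'; EXCEPT associates to the right."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_match(tokens[:i], item, match)
                and not list_match(tokens[i + 1:], item, match))
    return any(match(tok, item) for tok in tokens)


def daemon_match(tok, daemon):
    return tok == "ALL" or tok == daemon


def client_match(tok, client):
    name, addr = client.name.lower(), client.address
    if tok == "ALL":
        return True
    if tok == "KNOWN":
        return name not in (UNKNOWN, PARANOID)
    if tok == "UNKNOWN":
        return name == UNKNOWN
    if tok == "PARANOID":
        return name == PARANOID
    if tok == "LOCAL":
        # a real host name without a dot; the sentinels are not host names
        return "." not in name and name not in (UNKNOWN, PARANOID)
    if tok.startswith("."):                       # .domain matches a name suffix
        return name.endswith(tok.lower())
    if tok.endswith("."):                         # net. matches an address prefix
        return addr.startswith(tok)
    if "/" in tok:                                # net/mask
        net, mask = tok.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)
    return tok.lower() == name or tok == addr     # exact name or address


def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Documented order: a hosts.allow match grants, a hosts.deny match denies, else grant."""
    for table, verdict in ((allow, "granted"), (deny, "denied")):
        for daemons, clients in parse_table(table):
            if (list_match(daemons, daemon, daemon_match)
                    and list_match(clients, client, client_match)):
                return verdict
    return "granted"


if __name__ == "__main__":
    for daemon, client in [
        ("in.tftpd", Client("localhost", "127.0.0.1")),
        ("in.ftpd", Client("www.example.com", "10.0.0.5")),
        ("in.ftpd", Client("untrusted.example.com", "10.0.0.6")),
        ("in.ftpd", Client("host.other.net", "192.168.1.77")),
        ("in.fingerd", Client(PARANOID, "203.0.113.9")),
    ]:
        print("%-12s %-16s %s" % (daemon, client.address, hosts_access(daemon, client)))
```

The last assertion in the accompanying check shows why a hosts.deny ending in `ALL: ALL' matters: with no deny rule at all, a request that matched nothing is granted, so a typo in hosts.allow fails open rather than closed.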
963 7.5 - Other applications
964 ------------------------
967 programs. The hosts_access.3 manual page (`nroff -man' format)
975 In that case, sendmail should not be run as a stand-alone network
979 smtp stream tcp nowait root /usr/etc/tcpd /usr/lib/sendmail -bs
982 queued-up outgoing mail. A command like:
984 /usr/lib/sendmail -q15m
986 (no `-bd' flag) should take care of that. You cannot really prevent
990 8 - Acknowledgements
991 --------------------
1000 release of this product. The host name/address check was suggested by
1002 peculiar quirks: Willem-Jan Withagen (eb.ele.tue.nl), Pieter
1005 get the client IP address in case of datagram-oriented services, and
1007 (mentor.cc.purdue.edu) provided a first version of a much-needed manual
1009 client IP address even when the host name is available. Casper H.S.