SlideShare a Scribd company logo

Lession2 Xinetd

Download as PPT, PDF
L
leminhvuong

TCP wrappers and xinetd provide additional security layers for network services by controlling access at the application level. TCP wrappers work by checking the hosts.allow and hosts.deny files to determine if a client is allowed to connect to a wrapped service like sshd or xinetd. Xinetd is a super server that controls access and starts services like Telnet. It uses configuration files in /etc/xinetd.d to define access rules and settings for each managed service.

Technology
1 of 20
Downloaded 42 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
TCP WRAPPERS and XINETD
TCP Wrappers and xinetd Controlling access to network services is one of the most important security tasks facing a server administrator: An iptables-based firewall filters out unwelcome network packets within the kernel's network stack. TCP wrappers add an additional layer of protection by defining which hosts are allowed or not allowed to connect to "wrapped" network services. One such wrapped network service is the xinetd super server.
TCP Wrappers When a connection attempt is made to a TCP wrapped service, the service first references the hosts access files (/ etc/hosts.allow and /etc/hosts.deny ) to determine whether or not the client host is allowed to connect. It then uses the syslog daemon ( syslogd ) to write the name of the requesting host and the requested service to / var/log/secure or / var/log/messages . If a client host is allowed to connect, TCP wrappers release control of the connection to the requested service and do not interfere further with communication between the client host and the server. Because TCP wrappers are a valuable addition to any server administrator's arsenal of security tools, most network services within Red Hat Linux are linked against the libwrap.a library. Some such applications include /usr/sbin/sshd , /usr/sbin/sendmail , and /usr/sbin/xinetd.
TCP Wrappers Configuration Files To determine if a client machine is allowed to connect to a service, TCP wrappers reference the following two files, which are commonly referred to as hosts access files : /etc/hosts.allow /etc/hosts.deny When a client request is received by a TCP wrapped service, it takes the following basic steps: The service references /etc/hosts.allow . The TCP wrapped service sequentially parses the / etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to step 2. The service references /etc/hosts.deny . The TCP wrapped service sequentially parses the / etc/hosts.deny file. If it finds a matching rule is denies the connection. If not, access to the service is granted.
TCP Wrappers Configuration Files Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny . Therefore, if access to a service is allowed in hosts.allow , a rule denying access to that same service in hosts.deny is ignored. Since the rules in each file are read from the top down and the first matching rule for a given service is the only one applied, the order of the rules is extremely important . If no rules for the service are found in either file, or if neither file exists, access to the service is granted . TCP wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immediately without restarting network services .
Formatting Access Rules The format for both /etc/hosts.allow and /etc/hosts.deny are identical. Any blank lines or lines that start with a hash mark (#) are ignored, and each rule must be on its own line. Each rule uses the following basic format to control access to network services: < daemonList > : < clientList > [: < option > : < option > : ... ] < daemon list > — A comma separated list of process names ( not service names) or the ALL wildcard . The daemon list also accepts operators to allow greater flexibility. < client list > — A comma separated list of hostnames, host IP addresses, special patterns , or special wildcards which identify the hosts effected by the rule. The client list also accepts operators to allow greater flexibility. < option > — An optional action or colon separated list of actions performed when the rule is triggered. Option fields support expansions , launch shell commands, allow or deny access, and alter logging behavior.
Formatting Access Rules - Examples The following is a basic sample hosts access rule: vsftpd : . example . com This rule instructs TCP wrappers to watch for connections to the FTP daemon ( vsftpd ) from any host in the example.com domain. If this rule appears in hosts.allow , the connection will be accepted. If this rule appears in hosts.deny , the connection will be rejected. The next sample hosts access rule is more complex and uses two option fields: sshd : .example.com \ : spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \ : deny
Wildcards and Patterns The following wildcards may be used: ALL — Matches everything. It can be used for both the daemon list and the client list. LOCAL — Matches any host that does not contain a period ( . ), such as localhost. The following is a list of the most common accepted patterns for a client list entry: Hostname beginning with a period (.) — Placing a period at the beginning of a hostname, matches all hosts sharing the listed components of the name. The following example would apply to any host within the example.com domain: ALL : .example.com IP address ending with a period (.) — Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. The following example would apply to any host within the 192.168.x.x network: ALL : 192.168.
Patterns and Operators IP address/netmask pair — Netmask expressions can also be used as a pattern to control access to a particular group of IP addresses. The following example would apply to any host with an address of 192.168.0.0 through 192.168.1.255 : ALL : 192.168.0.0/255.255.254.0 The asterisk (*) — Asterisks can be used to match entire groups of hostnames or IP addresses, as long as they are not mixed in a client list containing other types of patterns. The following example would apply to any host within the example.com domain: ALL : *.example.com The EXCEPT operator allows specific exceptions to broader matches within the same rule. ALL: .example.com EXCEPT cracker.example.com ALL EXCEPT vsftpd: 192.168.0.
Access Control Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the allow or deny directive as the final option. For instance, the following two rules allow SSH connections from client-1.example.com , but deny connections from client-2.example.com : sshd : client-1.example.com : allow sshd : client-2.example.com : deny By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either hosts.allow or hosts.deny . Some consider this an easier way of organizing access rules.
Shell Commands Option fields allow access rules to launch shell commands through the following two directives: spawn — This option directive can perform tasks to get more information about the requesting client or create special log files using the echo command. In the following example, clients attempting to access Telnet services from the example.com domain are quietly logged to a special file: in.telnetd : .example.com \ : spawn /bin/echo `/bin/date` from %h >> /var/log/telnet.log : allow twist — This directive is often used to set up traps for intruders (also called &quot;honey pots&quot;). It can also be used to send messages to connecting clients. The twist command must occur at the end of the rule line. In the following example, clients attempting to access FTP services from the example.com domain are sent a message via the echo command: vsftpd : .example.com \ : twist /bin/echo &quot;421 Bad hacker, go away!&quot;
Expansions Expansions, when used in conjunction with the spawn and twist directives provide information about the client, server, and processes involved. Below is a list of supported expansions: %a — The client's IP address. %A — The server's IP address. %d — The daemon process name. %h — The client's hostname (or IP address, if the hostname is unavailable). %H — The server's hostname (or IP address, if the hostname is unavailable). %u — The client's username. If unavailable, unknown is printed.
XINETD Xinetd is a program used to start and stop a variety of Linux data communication applications. Some of these applications, such as Telnet , are installed by default in RedHat and Fedora Core Linux, others such as TFTP , need to be installed afterwards. xinetd Configuration Files /etc/xinetd.conf — The global xinetd configuration file. /etc/xinetd.d/ directory — The directory containing all service-specific files.
The /etc/xinetd.d/ Directory The files in the /etc/xinetd.d/ directory contains the configuration files for each service managed by xinetd and the names of the files correlate to the service. As with xinetd.conf , this file is read only when the xinetd service is started. In order for any changes to take effect, the administrator must restart the xinetd service . To get an idea of how these files are structured, consider the / etc/xinetd.d/telnet file: service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = yes }
Service Configuration File service — Defines the service name, usually to match a service listed in the /etc/services file. flags — Sets any of a number of attributes for the connection. REUSE instructs xinetd to reuse the socket for a Telnet connection. socket_type — Sets the network socket type to stream. wait — Defines whether the service is single-threaded (yes) or multi-threaded (no). user — Defines what user ID the process process will run under. server — Defines the binary executable to be launched. log_on_failure — Defines logging parameters for log_on_failure in addition to those already defined in xinetd.conf. disable — Defines whether or not the service is active. only_from — Allows only the specified hosts to use the service. no_access — Blocks listed hosts from using the service. no_access = 10.0.1.0/24 access_times — Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM .
The TELNET server Setting Up A Telnet Server To set up a Telnet server use the chkconfig command to activate Telnet. root@bigboy tmp# chkconfig telnet on Verifying the telnet service by netstat comand root@bigboy tmp# netstat -a | grep telnet tcp 0 0 *:telnet *:* LISTEN Verifying the telnet service by chkconfig --list command [root@bigboy tmp]# chkconfig --list | grep telnet telnet: on Stopping A Telnet Server Use the chkconfig command to deactivate telnet, even after the next reboot. [root@bigboy tmp]# chkconfig telnet off
Basic Telnet Security Let Telnet Listen On Another TCP Port 1) Edit a /etc/services file and add an entry for a new service. Call it stelnet . # Local services stelnet 7777/tcp # &quot;secure&quot; telnet 2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet : [root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet 3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 7777. service stelnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = no port = 7777 }
Basic Telnet Security 4) Use chkconfig to activate stelnet. [root@bigboy tmp]# chkconfig stelnet on 5) Check to make sure your server is now listening on port 7777 with the netstat command. [root@bigboy tmp]# netstat -an | grep 777 tcp 0 0 0.0.0.0:7777 0.0.0.0:* LISTEN Let Telnet Allow Connections From Trusted Addresses service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = no only_from = 192.168.1.100 127.0.0.1 192.168.1.200 }
The TFTP Server Software Installing the TFTP Server Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard( the RPM's filename usually starts with the word &quot;tftp-server&quot; followed by a version number like this: tftp-server-0.33-3.i386.rpm ). Configuring The TFTP Server The first step is to the configuration file /etc/xinetd.d/tftp and set disable to &quot;no&quot;. service tftp { socket_type = dgram protocol = udp wait = yes user = root only_from = 192.168.1.1 server = /usr/sbin/in.tftpd server_args = -s /tftpboot disable = no }
The TFTP Server Software In this example, xinetd will only allow the TFTP server to accept connections from the router / switch / firewall with an address of 192.168.1.1. You can extend this list with commas in between or just comment it out al together for global access. Create a / tftpboot directory with global read write privileges [root@bigboy tmp]# chmod 777 /tftpboot Restart xinetd [root@bigboy tmp]# /etc/init.d/xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ]

More Related Content

PPT
Lession1 Linux Preview
leminhvuong
 
PPTX
Proxy
leminhvuong
 
PPT
Linux Networking Commands
tmavroidis
 
PPT
IPTABLES
Tan Huynh Cong
 
PPT
Http
leminhvuong
 
PPT
TCP WRAPPERS and XINETD
Tan Huynh Cong
 
DOC
Arp Dan Ipconfig Syntax
guestcc37e8c
 
PDF
Meeting 13. web server i
Syaiful Ahdan
 
Lession1 Linux Preview
leminhvuong
 
Proxy
leminhvuong
 
Linux Networking Commands
tmavroidis
 
IPTABLES
Tan Huynh Cong
 
Http
leminhvuong
 
TCP WRAPPERS and XINETD
Tan Huynh Cong
 
Arp Dan Ipconfig Syntax
guestcc37e8c
 
Meeting 13. web server i
Syaiful Ahdan
 

What's hot (19)

DOCX
DNS, DHCP Configuration
Anik Saha
 
PPTX
Introduction to tcp ip linux networking
Sreenatha Reddy K R
 
PPT
Iptables
leminhvuong
 
PDF
Linux Network commands
Hanan Nmr
 
PDF
Curl
manasystest
 
PDF
Tcpdump
Mohamed Gamel
 
PPT
Linux apache installation
Dima Gomaa
 
PPTX
Linux networking commands
Sayed Ahmed
 
PDF
Packet Filtering Using Iptables
Ahmed Mekkawy
 
PPTX
Network configuration
engshemachi
 
PPT
Iptables in linux
Mandeep Singh
 
PPTX
SquirrelMail for webmail
Aryman Gautam
 
DOCX
Puertos tcp & udp
Claudia Ortiz Ruiz
 
PPT
Apache1.ppt
webhostingguy
 
PPT
Linux
Kavi Bharathi R
 
DOCX
Backtrack Manual Part3
Nutan Kumar Panda
 
PDF
Computer network (4)
NYversity
 
PDF
Meeting 6 : ftp
Syaiful Ahdan
 
PDF
introduction to linux kernel tcp/ip ptocotol stack
monad bobo
 
DNS, DHCP Configuration
Anik Saha
 
Introduction to tcp ip linux networking
Sreenatha Reddy K R
 
Iptables
leminhvuong
 
Linux Network commands
Hanan Nmr
 
Curl
manasystest
 
Tcpdump
Mohamed Gamel
 
Linux apache installation
Dima Gomaa
 
Linux networking commands
Sayed Ahmed
 
Packet Filtering Using Iptables
Ahmed Mekkawy
 
Network configuration
engshemachi
 
Iptables in linux
Mandeep Singh
 
SquirrelMail for webmail
Aryman Gautam
 
Puertos tcp & udp
Claudia Ortiz Ruiz
 
Apache1.ppt
webhostingguy
 
Linux
Kavi Bharathi R
 
Backtrack Manual Part3
Nutan Kumar Panda
 
Computer network (4)
NYversity
 
Meeting 6 : ftp
Syaiful Ahdan
 
introduction to linux kernel tcp/ip ptocotol stack
monad bobo
 
Ad

Viewers also liked (6)

PPT
Net Admin Intro
leminhvuong
 
PPT
Module 7 Sql Injection
leminhvuong
 
PDF
NETWORK SERVICEOPENSSH + NTP + SQUID
Ploynatcha Akkaraputtipat
 
PPT
Ch18
leminhvuong
 
PPT
Rhce ppt
Mohammed Ben
 
PPT
Wire Less
leminhvuong
 
Net Admin Intro
leminhvuong
 
Module 7 Sql Injection
leminhvuong
 
NETWORK SERVICEOPENSSH + NTP + SQUID
Ploynatcha Akkaraputtipat
 
Ch18
leminhvuong
 
Rhce ppt
Mohammed Ben
 
Wire Less
leminhvuong
 
Ad

Similar to Lession2 Xinetd (20)

PPTX
Linux unit 2 part 3 notes.pptxl;lk;l; k
abhinandpk2405
 
PPT
Apache HTTP Server
Tan Huynh Cong
 
PPTX
application layer protocol for iot.pptx
aravind Guru
 
PDF
Components of computer systems often have dependencies--other co.pdf
alamodeindia1
 
PPT
Firewall - Network Defense in Depth Firewalls
phanleson
 
PDF
Ip Access Lists
CCNAResources
 
PPT
Firewall
Manikyala Rao
 
PPTX
Unit 6 : Application Layer
Chandan Gupta Bhagat
 
PPT
Ch16 system administration
Raja Waseem Akhtar
 
PPTX
Application Layer
Dr Shashikant Athawale
 
PDF
Application Layer protocols- OSI Model Layers
sandhyakiran10
 
PPT
Sf rmr - Servicing Forwarding Remote Multiplexing Relay
AlenMilincevic
 
PPTX
System and network administration network services
Uc Man
 
DOCX
IntroductionA powerful tool for network troubleshooting but also.docx
mariuse18nolet
 
PDF
Ch2 the application layer protocols_ftp_telnet_samba_dhcp_4
Syed Ariful Islam Emon
 
PDF
Linux internet server security and configuration tutorial
annik147
 
PPT
Cita310chap09
gofortution
 
PPTX
Lecture 1 Introduction to Web Development.pptx
Kevi20
 
DOCX
Internet
Jack Nicole
 
PPTX
HTTP/2 Introduction
Walter Liu
 
Linux unit 2 part 3 notes.pptxl;lk;l; k
abhinandpk2405
 
Apache HTTP Server
Tan Huynh Cong
 
application layer protocol for iot.pptx
aravind Guru
 
Components of computer systems often have dependencies--other co.pdf
alamodeindia1
 
Firewall - Network Defense in Depth Firewalls
phanleson
 
Ip Access Lists
CCNAResources
 
Firewall
Manikyala Rao
 
Unit 6 : Application Layer
Chandan Gupta Bhagat
 
Ch16 system administration
Raja Waseem Akhtar
 
Application Layer
Dr Shashikant Athawale
 
Application Layer protocols- OSI Model Layers
sandhyakiran10
 
Sf rmr - Servicing Forwarding Remote Multiplexing Relay
AlenMilincevic
 
System and network administration network services
Uc Man
 
IntroductionA powerful tool for network troubleshooting but also.docx
mariuse18nolet
 
Ch2 the application layer protocols_ftp_telnet_samba_dhcp_4
Syed Ariful Islam Emon
 
Linux internet server security and configuration tutorial
annik147
 
Cita310chap09
gofortution
 
Lecture 1 Introduction to Web Development.pptx
Kevi20
 
Internet
Jack Nicole
 
HTTP/2 Introduction
Walter Liu
 

More from leminhvuong (20)

PPT
Dns
leminhvuong
 
PPT
Lession4 Dhcp
leminhvuong
 
PPT
Lession3 Routing
leminhvuong
 
PPT
Module 1 Introduction
leminhvuong
 
PPT
Net Security Intro
leminhvuong
 
PPT
Module 10 Physical Security
leminhvuong
 
PPT
Module 9 Dos
leminhvuong
 
PPT
Module 8 System Hacking
leminhvuong
 
PPT
Module 6 Session Hijacking
leminhvuong
 
PPT
Module 5 Sniffers
leminhvuong
 
PPT
Module 4 Enumeration
leminhvuong
 
PPT
Module 3 Scanning
leminhvuong
 
PPT
Module 2 Foot Printing
leminhvuong
 
PPT
Call Back
leminhvuong
 
PPT
Module 1 Introduction
leminhvuong
 
PPT
Call Back
leminhvuong
 
PPT
Call Back
leminhvuong
 
PPT
Url Connection
leminhvuong
 
PPT
Udp Programming
leminhvuong
 
PPT
Socket Programming
leminhvuong
 
Dns
leminhvuong
 
Lession4 Dhcp
leminhvuong
 
Lession3 Routing
leminhvuong
 
Module 1 Introduction
leminhvuong
 
Net Security Intro
leminhvuong
 
Module 10 Physical Security
leminhvuong
 
Module 9 Dos
leminhvuong
 
Module 8 System Hacking
leminhvuong
 
Module 6 Session Hijacking
leminhvuong
 
Module 5 Sniffers
leminhvuong
 
Module 4 Enumeration
leminhvuong
 
Module 3 Scanning
leminhvuong
 
Module 2 Foot Printing
leminhvuong
 
Call Back
leminhvuong
 
Module 1 Introduction
leminhvuong
 
Call Back
leminhvuong
 
Call Back
leminhvuong
 
Url Connection
leminhvuong
 
Udp Programming
leminhvuong
 
Socket Programming
leminhvuong
 

Recently uploaded (20)

PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
What is a Computer? Input Devices /output devices
GulJan8
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 

Lession2 Xinetd

  • 2. TCP Wrappers and xinetd Controlling access to network services is one of the most important security tasks facing a server administrator: An iptables-based firewall filters out unwelcome network packets within the kernel's network stack. TCP wrappers add an additional layer of protection by defining which hosts are allowed or not allowed to connect to &quot;wrapped&quot; network services. One such wrapped network service is the xinetd super server.
  • 3. TCP Wrappers When a connection attempt is made to a TCP wrapped service, the service first references the hosts access files (/ etc/hosts.allow and /etc/hosts.deny ) to determine whether or not the client host is allowed to connect. It then uses the syslog daemon ( syslogd ) to write the name of the requesting host and the requested service to / var/log/secure or / var/log/messages . If a client host is allowed to connect, TCP wrappers release control of the connection to the requested service and do not interfere further with communication between the client host and the server. Because TCP wrappers are a valuable addition to any server administrator's arsenal of security tools, most network services within Red Hat Linux are linked against the libwrap.a library. Some such applications include /usr/sbin/sshd , /usr/sbin/sendmail , and /usr/sbin/xinetd.
  • 4. TCP Wrappers Configuration Files To determine if a client machine is allowed to connect to a service, TCP wrappers reference the following two files, which are commonly referred to as hosts access files : /etc/hosts.allow /etc/hosts.deny When a client request is received by a TCP wrapped service, it takes the following basic steps: The service references /etc/hosts.allow . The TCP wrapped service sequentially parses the / etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to step 2. The service references /etc/hosts.deny . The TCP wrapped service sequentially parses the / etc/hosts.deny file. If it finds a matching rule is denies the connection. If not, access to the service is granted.
  • 5. TCP Wrappers Configuration Files Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny . Therefore, if access to a service is allowed in hosts.allow , a rule denying access to that same service in hosts.deny is ignored. Since the rules in each file are read from the top down and the first matching rule for a given service is the only one applied, the order of the rules is extremely important . If no rules for the service are found in either file, or if neither file exists, access to the service is granted . TCP wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immediately without restarting network services .
  • 6. Formatting Access Rules The format for both /etc/hosts.allow and /etc/hosts.deny are identical. Any blank lines or lines that start with a hash mark (#) are ignored, and each rule must be on its own line. Each rule uses the following basic format to control access to network services: < daemonList > : < clientList > [: < option > : < option > : ... ] < daemon list > — A comma separated list of process names ( not service names) or the ALL wildcard . The daemon list also accepts operators to allow greater flexibility. < client list > — A comma separated list of hostnames, host IP addresses, special patterns , or special wildcards which identify the hosts effected by the rule. The client list also accepts operators to allow greater flexibility. < option > — An optional action or colon separated list of actions performed when the rule is triggered. Option fields support expansions , launch shell commands, allow or deny access, and alter logging behavior.
  • 7. Formatting Access Rules - Examples The following is a basic sample hosts access rule: vsftpd : . example . com This rule instructs TCP wrappers to watch for connections to the FTP daemon ( vsftpd ) from any host in the example.com domain. If this rule appears in hosts.allow , the connection will be accepted. If this rule appears in hosts.deny , the connection will be rejected. The next sample hosts access rule is more complex and uses two option fields: sshd : .example.com \ : spawn /bin/echo `/bin/date` access denied >> /var/log/sshd.log \ : deny
  • 8. Wildcards and Patterns The following wildcards may be used: ALL — Matches everything. It can be used for both the daemon list and the client list. LOCAL — Matches any host that does not contain a period ( . ), such as localhost. The following is a list of the most common accepted patterns for a client list entry: Hostname beginning with a period (.) — Placing a period at the beginning of a hostname, matches all hosts sharing the listed components of the name. The following example would apply to any host within the example.com domain: ALL : .example.com IP address ending with a period (.) — Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. The following example would apply to any host within the 192.168.x.x network: ALL : 192.168.
  • 9. Patterns and Operators IP address/netmask pair — Netmask expressions can also be used as a pattern to control access to a particular group of IP addresses. The following example would apply to any host with an address of 192.168.0.0 through 192.168.1.255 : ALL : 192.168.0.0/255.255.254.0 The asterisk (*) — Asterisks can be used to match entire groups of hostnames or IP addresses, as long as they are not mixed in a client list containing other types of patterns. The following example would apply to any host within the example.com domain: ALL : *.example.com The EXCEPT operator allows specific exceptions to broader matches within the same rule. ALL: .example.com EXCEPT cracker.example.com ALL EXCEPT vsftpd: 192.168.0.
  • 10. Access Control Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the allow or deny directive as the final option. For instance, the following two rules allow SSH connections from client-1.example.com , but deny connections from client-2.example.com : sshd : client-1.example.com : allow sshd : client-2.example.com : deny By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either hosts.allow or hosts.deny . Some consider this an easier way of organizing access rules.
  • 11. Shell Commands Option fields allow access rules to launch shell commands through the following two directives: spawn — This option directive can perform tasks to get more information about the requesting client or create special log files using the echo command. In the following example, clients attempting to access Telnet services from the example.com domain are quietly logged to a special file: in.telnetd : .example.com \ : spawn /bin/echo `/bin/date` from %h >> /var/log/telnet.log : allow twist — This directive is often used to set up traps for intruders (also called &quot;honey pots&quot;). It can also be used to send messages to connecting clients. The twist command must occur at the end of the rule line. In the following example, clients attempting to access FTP services from the example.com domain are sent a message via the echo command: vsftpd : .example.com \ : twist /bin/echo &quot;421 Bad hacker, go away!&quot;
  • 12. Expansions Expansions, when used in conjunction with the spawn and twist directives provide information about the client, server, and processes involved. Below is a list of supported expansions: %a — The client's IP address. %A — The server's IP address. %d — The daemon process name. %h — The client's hostname (or IP address, if the hostname is unavailable). %H — The server's hostname (or IP address, if the hostname is unavailable). %u — The client's username. If unavailable, unknown is printed.
  • 13. XINETD Xinetd is a program used to start and stop a variety of Linux data communication applications. Some of these applications, such as Telnet , are installed by default in RedHat and Fedora Core Linux, others such as TFTP , need to be installed afterwards. xinetd Configuration Files /etc/xinetd.conf — The global xinetd configuration file. /etc/xinetd.d/ directory — The directory containing all service-specific files.
  • 14. The /etc/xinetd.d/ Directory The files in the /etc/xinetd.d/ directory contains the configuration files for each service managed by xinetd and the names of the files correlate to the service. As with xinetd.conf , this file is read only when the xinetd service is started. In order for any changes to take effect, the administrator must restart the xinetd service . To get an idea of how these files are structured, consider the / etc/xinetd.d/telnet file: service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = yes }
  • 15. Service Configuration File service — Defines the service name, usually to match a service listed in the /etc/services file. flags — Sets any of a number of attributes for the connection. REUSE instructs xinetd to reuse the socket for a Telnet connection. socket_type — Sets the network socket type to stream. wait — Defines whether the service is single-threaded (yes) or multi-threaded (no). user — Defines what user ID the process process will run under. server — Defines the binary executable to be launched. log_on_failure — Defines logging parameters for log_on_failure in addition to those already defined in xinetd.conf. disable — Defines whether or not the service is active. only_from — Allows only the specified hosts to use the service. no_access — Blocks listed hosts from using the service. no_access = 10.0.1.0/24 access_times — Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM .
  • 16. The TELNET server Setting Up A Telnet Server To set up a Telnet server use the chkconfig command to activate Telnet. root@bigboy tmp# chkconfig telnet on Verifying the telnet service by netstat comand root@bigboy tmp# netstat -a | grep telnet tcp 0 0 *:telnet *:* LISTEN Verifying the telnet service by chkconfig --list command [root@bigboy tmp]# chkconfig --list | grep telnet telnet: on Stopping A Telnet Server Use the chkconfig command to deactivate telnet, even after the next reboot. [root@bigboy tmp]# chkconfig telnet off
  • 17. Basic Telnet Security Let Telnet Listen On Another TCP Port 1) Edit a /etc/services file and add an entry for a new service. Call it stelnet . # Local services stelnet 7777/tcp # &quot;secure&quot; telnet 2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet : [root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet 3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 7777. service stelnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = no port = 7777 }
  • 18. Basic Telnet Security 4) Use chkconfig to activate stelnet. [root@bigboy tmp]# chkconfig stelnet on 5) Check to make sure your server is now listening on port 7777 with the netstat command. [root@bigboy tmp]# netstat -an | grep 777 tcp 0 0 0.0.0.0:7777 0.0.0.0:* LISTEN Let Telnet Allow Connections From Trusted Addresses service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = no only_from = 192.168.1.100 127.0.0.1 192.168.1.200 }
  • 19. The TFTP Server Software Installing the TFTP Server Most RedHat and Fedora Linux software products are available in the RPM format. Downloading and installing RPMs isn't hard( the RPM's filename usually starts with the word &quot;tftp-server&quot; followed by a version number like this: tftp-server-0.33-3.i386.rpm ). Configuring The TFTP Server The first step is to the configuration file /etc/xinetd.d/tftp and set disable to &quot;no&quot;. service tftp { socket_type = dgram protocol = udp wait = yes user = root only_from = 192.168.1.1 server = /usr/sbin/in.tftpd server_args = -s /tftpboot disable = no }
  • 20. The TFTP Server Software In this example, xinetd will only allow the TFTP server to accept connections from the router / switch / firewall with an address of 192.168.1.1. You can extend this list with commas in between or just comment it out al together for global access. Create a / tftpboot directory with global read write privileges [root@bigboy tmp]# chmod 777 /tftpboot Restart xinetd [root@bigboy tmp]# /etc/init.d/xinetd restart Stopping xinetd: [ OK ] Starting xinetd: [ OK ]