Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

   1
   2
   3
   4
   5
   6
   7
   8
   9
  10
  11
  12
  13
  14
  15
  16
  17
  18
  19
  20
  21
  22
  23
  24
  25
  26
  27
  28
  29
  30
  31
  32
  33
  34
  35
  36
  37
  38
  39
  40
  41
  42
  43
  44
  45
  46
  47
  48
  49
  50
  51
  52
  53
  54
  55
  56
  57
  58
  59
  60
  61
  62
  63
  64
  65
  66
  67
  68
  69
  70
  71
  72
  73
  74
  75
  76
  77
  78
  79
  80
  81
  82
  83
  84
  85
  86
  87
  88
  89
  90
  91
  92
  93
  94
  95
  96
  97
  98
  99
 100
 101
 102
 103
 104
 105
 106
 107
 108
 109
 110
 111
 112
 113
 114
 115
 116
 117
 118
 119
 120
 121
 122
 123
 124
 125
 126
 127
 128
 129
 130
 131
 132
 133
 134
 135
 136
 137
 138
 139
 140
 141
 142
 143
 144
 145
 146
 147
 148
 149
 150
 151
 152
 153
 154
 155
 156
 157
 158
 159
 160
 161
 162
 163
 164
 165
 166
 167
 168
 169
 170
 171
 172
 173
 174
 175
 176
 177
 178
 179
 180
 181
 182
 183
 184
 185
 186
 187
 188
 189
 190
 191
 192
 193
 194
 195
 196
 197
 198
 199
 200
 201
 202
 203
 204
 205
 206
 207
 208
 209
 210
 211
 212
 213
 214
 215
 216
 217
 218
 219
 220
 221
 222
 223
 224
 225
 226
 227
 228
 229
 230
 231
 232
 233
 234
 235
 236
 237
 238
 239
 240
 241
 242
 243
 244
 245
 246
 247
 248
 249
 250
 251
 252
 253
 254
 255
 256
 257
 258
 259
 260
 261
 262
 263
 264
 265
 266
 267
 268
 269
 270
 271
 272
 273
 274
 275
 276
 277
 278
 279
 280
 281
 282
 283
 284
 285
 286
 287
 288
 289
 290
 291
 292
 293
 294
 295
 296
 297
 298
 299
 300
 301
 302
 303
 304
 305
 306
 307
 308
 309
 310
 311
 312
 313
 314
 315
 316
 317
 318
 319
 320
 321
 322
 323
 324
 325
 326
 327
 328
 329
 330
 331
 332
 333
 334
 335
 336
 337
 338
 339
 340
 341
 342
 343
 344
 345
 346
 347
 348
 349
 350
 351
 352
 353
 354
 355
 356
 357
 358
 359
 360
 361
 362
 363
 364
 365
 366
 367
 368
 369
 370
 371
 372
 373
 374
 375
 376
 377
 378
 379
 380
 381
 382
 383
 384
 385
 386
 387
 388
 389
 390
 391
 392
 393
 394
 395
 396
 397
 398
 399
 400
 401
 402
 403
 404
 405
 406
 407
 408
 409
 410
 411
 412
 413
 414
 415
 416
 417
 418
 419
 420
 421
 422
 423
 424
 425
 426
 427
 428
 429
 430
 431
 432
 433
 434
 435
 436
 437
 438
 439
 440
 441
 442
 443
 444
 445
 446
 447
 448
 449
 450
 451
 452
 453
 454
 455
 456
 457
 458
 459
 460
 461
 462
 463
 464
 465
 466
 467
 468
 469
 470
 471
 472
 473
 474
 475
 476
 477
 478
 479
 480
 481
 482
 483
 484
 485
 486
 487
 488
 489
 490
 491
 492
 493
 494
 495
 496
 497
 498
 499
 500
 501
 502
 503
 504
 505
 506
 507
 508
 509
 510
 511
 512
 513
 514
 515
 516
 517
 518
 519
 520
 521
 522
 523
 524
 525
 526
 527
 528
 529
 530
 531
 532
 533
 534
 535
 536
 537
 538
 539
 540
 541
 542
 543
 544
 545
 546
 547
 548
 549
 550
 551
 552
 553
 554
 555
 556
 557
 558
 559
 560
 561
 562
 563
 564
 565
 566
 567
 568
 569
 570
 571
 572
 573
 574
 575
 576
 577
 578
 579
 580
 581
 582
 583
 584
 585
 586
 587
 588
 589
 590
 591
 592
 593
 594
 595
 596
 597
 598
 599
 600
 601
 602
 603
 604
 605
 606
 607
 608
 609
 610
 611
 612
 613
 614
 615
 616
 617
 618
 619
 620
 621
 622
 623
 624
 625
 626
 627
 628
 629
 630
 631
 632
 633
 634
 635
 636
 637
 638
 639
 640
 641
 642
 643
 644
 645
 646
 647
 648
 649
 650
 651
 652
 653
 654
 655
 656
 657
 658
 659
 660
 661
 662
 663
 664
 665
 666
 667
 668
 669
 670
 671
 672
 673
 674
 675
 676
 677
 678
 679
 680
 681
 682
 683
 684
 685
 686
 687
 688
 689
 690
 691
 692
 693
 694
 695
 696
 697
 698
 699
 700
 701
 702
 703
 704
 705
 706
 707
 708
 709
 710
 711
 712
 713
 714
 715
 716
 717
 718
 719
 720
 721
 722
 723
 724
 725
 726
 727
 728
 729
 730
 731
 732
 733
 734
 735
 736
 737
 738
 739
 740
 741
 742
 743
 744
 745
 746
 747
 748
 749
 750
 751
 752
 753
 754
 755
 756
 757
 758
 759
 760
 761
 762
 763
 764
 765
 766
 767
 768
 769
 770
 771
 772
 773
 774
 775
 776
 777
 778
 779
 780
 781
 782
 783
 784
 785
 786
 787
 788
 789
 790
 791
 792
 793
 794
 795
 796
 797
 798
 799
 800
 801
 802
 803
 804
 805
 806
 807
 808
 809
 810
 811
 812
 813
 814
 815
 816
 817
 818
 819
 820
 821
 822
 823
 824
 825
 826
 827
 828
 829
 830
 831
 832
 833
 834
 835
 836
 837
 838
 839
 840
 841
 842
 843
 844
 845
 846
 847
 848
 849
 850
 851
 852
 853
 854
 855
 856
 857
 858
 859
 860
 861
 862
 863
 864
 865
 866
 867
 868
 869
 870
 871
 872
 873
 874
 875
 876
 877
 878
 879
 880
 881
 882
 883
 884
 885
 886
 887
 888
 889
 890
 891
 892
 893
 894
 895
 896
 897
 898
 899
 900
 901
 902
 903
 904
 905
 906
 907
 908
 909
 910
 911
 912
 913
 914
 915
 916
 917
 918
 919
 920
 921
 922
 923
 924
 925
 926
 927
 928
 929
 930
 931
 932
 933
 934
 935
 936
 937
 938
 939
 940
 941
 942
 943
 944
 945
 946
 947
 948
 949
 950
 951
 952
 953
 954
 955
 956
 957
 958
 959
 960
 961
 962
 963
 964
 965
 966
 967
 968
 969
 970
 971
 972
 973
 974
 975
 976
 977
 978
 979
 980
 981
 982
 983
 984
 985
 986
 987
 988
 989
 990
 991
 992
 993
 994
 995
 996
 997
 998
 999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
@(#) README 1.30 97/03/21 19:27:21

This is the 7.6 version of the TCP/IP daemon wrapper package.

Thank you for using this program. If you like it, send me a postcard.
My postal address is at the bottom of this file.

Read the BLURB file for a brief summary of what is new. The CHANGES
file gives a complete account of differences with respect to previous
releases.

Announcements of new releases of this software are posted to Usenet
(comp.security.unix, comp.unix.admin), to the cert-tools mailing list,
and to a dedicated mailing list.  You can subscribe to the dedicated
mailing list by sending an email message to majordomo@wzv.win.tue.nl
with in the body (not subject):  subscribe tcp-wrappers-announce.

Table of contents
-----------------

    1 - Introduction
    2 - Disclaimer
    3 - Tutorials
                3.1 - How it works
                3.2 - Where the logging information goes
    4 - Features
                4.1 - Access control
                4.2 - Host name spoofing
                4.3 - Host address spoofing
                4.4 - Client username lookups
                4.5 - Language extensions
		4.6 - Multiple ftp/gopher/www archives on one host
		4.7 - Banner messages
		4.8 - Sequence number guessing
    5 - Other works
                5.1 - Related documents
                5.2 - Related software
    6 - Limitations
                6.1 - Known wrapper limitations
                6.2 - Known system software bugs
    7 - Configuration and installation
                7.1 - Easy configuration and installation
                7.2 - Advanced configuration and installation
                7.3 - Daemons with arbitrary path names
                7.4 - Building and testing the access control rules
                7.5 - Other applications
    8 - Acknowledgements

1 - Introduction
----------------

With this package you can monitor and filter incoming requests for the
SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
network services.

It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise
yourself lucky if you don't know what that means.

The package provides tiny daemon wrapper programs that can be installed
without any changes to existing software or to existing configuration
files.  The wrappers report the name of the client host and of the
requested service; the wrappers do not exchange information with the
client or server applications, and impose no overhead on the actual
conversation between the client and server applications.

Optional features are: access control to restrict what systems can
connect to what network daemons; client user name lookups with the RFC
931 etc. protocol; additional protection against hosts that pretend to
have someone elses host name; additional protection against hosts that
pretend to have someone elses host address.

The programs are very portable. Build procedures are provided for many
common (and not so common) environments, and guidelines are provided in
case your environment is not among them.

Requirements are that network daemons are spawned by a super server
such as the inetd; a 4.3BSD-style socket programming interface and/or
System V.4-style TLI programming interface; and the availability of a
syslog(3) library and of a syslogd(8) daemon.  The wrappers should run
without modification on any system that satisfies these requirements.
Workarounds have been implemented for several common bugs in systems
software.

What to do if this is your first encounter with the wrapper programs:
1) read the tutorial sections for an introduction to the relevant
concepts and terminology; 2) glance over the security feature sections
in this document; 3) follow the installation instructions (easy or
advanced). I recommend that you first use the default security feature
settings.  Run the wrappers for a few days to become familiar with
their logs, before doing anything drastic such as cutting off access or
installing booby traps.

2 - Disclaimer
--------------

The wrapper programs rely on source address information obtained from
network packets. This information is provided by the client host. It is
not 100 percent reliable, although the wrappers do their best to expose
forgeries.

In the absence of cryptographic protection of message contents, and of
cryptographic authentication of message originators, all data from the
network should be treated with sound scepticism.

THIS RESTRICTION IS BY NO MEANS SPECIFIC TO THE TCP/IP PROTOCOLS.

3 - Tutorials
-------------

The tutorial sections give a gentle introduction to the operation of
the wrapper programs, and introduce some of the terminology that is
used in the remainder of the document: client, server, the inetd and
syslogd daemons, and their configuration files.

3.1 - How it works
------------------

Almost every application of the TCP/IP protocols is based on a client-
server model. For example, when a user invokes the telnet command to
connect to one of your systems, a telnet server process is executed on
the target host. The telnet server process connects the user to a login
process. A few examples of client and server programs are shown in the
table below:

              client   server    application
              --------------------------------
              telnet   telnetd   remote login
              ftp      ftpd      file transfer
              finger   fingerd   show users

The usual approach is to run one single daemon process that waits for
all kinds of incoming network connections. Whenever a connection is
established, this daemon (usually called inetd) runs the appropriate
server program and goes back to sleep, waiting for other connections.

The wrapper programs rely on a simple, but powerful mechanism.  Instead
of directly running the desired server program, the inetd is tricked
into running a small wrapper program. The wrapper logs the client host
name or address and performs some additional checks.  When all is well,
the wrapper executes the desired server program and goes away.

The wrapper programs have no interaction with the client user (or with
the client process).  Nor do the wrappers interact with the server
application. This has two major advantages: 1) the wrappers are
application-independent, so that the same program can protect many
kinds of network services; 2) no interaction also means that the
wrappers are invisible from outside (at least for authorized users).

Another important property is that the wrapper programs are active only
when the initial contact between client and server is established. Once
a wrapper has done its work there is no overhead on the client-server
conversation.

The simple mechanism has one major drawback: the wrappers go away after
the initial contact between client and server processes, so the
wrappers are of little use with network daemons that service more than
one client.  The wrappers would only see the first client attempt to
contact such a server. The NFS mount daemon is a typical example of a
daemon that services requests from multiple clients. See the section on
related software for ways to deal with such server programs.

There are two ways to use the wrapper programs:

1) The easy way: move network daemons to some other directory and fill
   the resulting holes with copies of the wrapper programs.  This
   approach involves no changes to system configuration files, so there
   is very little risk of breaking things.

2) The advanced way: leave the network daemons alone and modify the
   inetd configuration file.  For example, an entry such as:

     tftp  dgram  udp  wait  root  /usr/etc/tcpd  in.tftpd -s /tftpboot

   When a tftp request arrives, inetd will run the wrapper program
   (tcpd) with a process name `in.tftpd'.  This is the name that the
   wrapper will use when logging the request and when scanning the
   optional access control tables.  `in.tftpd' is also the name of the
   server program that the wrapper will attempt to run when all is
   well.  Any arguments (`-s /tftpboot' in this particular example) are
   transparently passed on to the server program.

For an account of the history of the wrapper programs, with real-life
examples, see the section below on related documents.

3.2 - Where the logging information goes
----------------------------------------

The wrapper programs send their logging information to the syslog
daemon (syslogd). The disposition of the wrapper logs is determined by
the syslog configuration file (usually /etc/syslog.conf). Messages are
written to files, to the console, or are forwarded to a @loghost. Some
syslogd versions can even forward messages down a |pipeline.

Older syslog implementations (still found on Ultrix systems) only
support priority levels ranging from 9 (debug-level messages) to 0
(alerts). All logging information of the specified priority level or
more urgent is written to the same destination.  In the syslog.conf
file, priority levels are specified in numerical form.  For example,

    8/usr/spool/mqueue/syslog

causes all messages with priority 8 (informational messages), and
anything that is more urgent, to be appended to the file
/usr/spool/mqueue/syslog.

Newer syslog implementations support message classes in addition to
priority levels.  Examples of message classes are: mail, daemon, auth
and news. In the syslog.conf file, priority levels are specified with
symbolic names: debug, info, notice, ..., emerg. For example,

    mail.debug                  /var/log/syslog

causes all messages of class mail with priority debug (or more urgent)
to be appended to the /var/log/syslog file.

By default, the wrapper logs go to the same place as the transaction
logs of the sendmail daemon. The disposition can be changed by editing
the Makefile and/or the syslog.conf file. Send a `kill -HUP' to the
syslogd after changing its configuration file. Remember that syslogd,
just like sendmail, insists on one or more TABs between the left-hand
side and the right-hand side expressions in its configuration file.

Solaris 2.x note: the syslog daemon depends on the m4 macro processor.
The m4 program is installed as part of the software developer packages.

Trouble shooting note: when the syslogging does not work as expected,
run the program by hand (`syslogd -d') and see what really happens.

4 - Features
------------

4.1 - Access control
--------------------

When compiled with -DHOSTS_ACCESS, the wrapper programs support a
simple form of access control.  Access can be controlled per host, per
service, or combinations thereof. The software provides hooks for the
execution of shell commands when an access control rule fires; this
feature may be used to install "booby traps".  For details, see the
hosts_access.5 manual page, which is in `nroff -man' format. A later
section describes how you can test your access control rules.

Access control can also be used to connect clients to the "right"
service. What is right may depend on the requested service, the origin
of the request, and what host address the client connects to. Examples:

(1) A gopher or www database speaks native language when contacted from
    within the country, otherwise it speaks English.

(2) A service provider offers different ftp, gopher or www services
    with different internet hostnames from one host (section 4.6).

Access control is enabled by default. It can be turned off by editing
the Makefile, or by providing no access control tables. The install
instructions below describe the Makefile editing process.

The hosts_options.5 manual page (`nroff -man' format) documents an
extended version of the access control language. The extensions are
disabled by default. See the section below on language extensions.

Later System V implementations provide the Transport Level Interface
(TLI), a network programming interface that performs functions similar
to the Berkeley socket programming interface.  Like Berkeley sockets,
TLI was designed to cover multiple protocols, not just Internet.

When the wrapper discovers that the TLI interface sits on top of a
TCP/IP or UDP/IP conversation it uses this knowledge to provide the
same functions as with traditional socket-based applications.  When
some other protocol is used underneath TLI, the host address will be
some universal magic cookie that may not even be usable for access
control purposes.

4.2 - Host name spoofing
------------------------

With some network applications, such as RSH or RLOGIN, the client host
name plays an important role in the authentication process. Host name
information can be reliable when lookups are done from a _local_ hosts
table, provided that the client IP address can be trusted.

With _distributed_ name services, authentication schemes that rely on
host names become more problematic. The security of your system now may
depend on some far-away DNS (domain name server) outside your own
control. 

The wrapper programs verify the client host name that is returned by
the address->name DNS server, by asking for a second opinion.  To this
end, the programs look at the name and addresses that are returned by
the name->address DNS server, which may be an entirely different host. 

If any name or address discrepancies are found, or if the second DNS
opinion is not available, the wrappers assume that one of the two name
servers is lying, and assume that the client host pretends to have
someone elses host name.

When compiled with -DPARANOID, the wrappers will always attempt to look
up and double check the client host name, and will always refuse
service in case of a host name/address discrepancy.  This is a
reasonable policy for most systems.

When compiled without -DPARANOID, the wrappers by default still perform
hostname lookup. You can match hosts with a name/address discrepancy
with the PARANOID wildcard and decide whether or not to grant service.

Automatic hostname verification is enabled by default. Automatic
hostname lookups and verification can be turned off by editing the
Makefile. The configuration and installation section below describes
the Makefile editing process.

4.3 - Host address spoofing
---------------------------

While host name spoofing can be found out by asking a second opinion,
it is much harder to find out that a host claims to have someone elses
network address. And since host names are deduced from network
addresses, address spoofing is at least as effective as name spoofing.

The wrapper programs can give additional protection against hosts that
claim to have an address that lies outside their own network.  For
example, some far-away host that claims to be a trusted host within
your own network. Such things are possible even while the impersonated
system is up and running.

This additional protection is not an invention of my own; it has been
present for at least five years in the BSD rsh and rlogin daemons.
Unfortunately, that feature was added *after* 4.3 BSD came out, so that
very few, if any, UNIX vendors have adopted it.  Our site, and many
other ones, has been running these enhanced daemons for several years,
and without any ill effects.

When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
programs refuse to service TCP connections with IP source routing
options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
that can stop source-routed traffic in the kernel. Examples are
4.4BSD derivatives, Solaris 2.x, and Linux. See your system manuals
for details.

If you are going to use this feature on SunOS 4.1.x you should apply
patch 100804-03+ or 101790-something depending on your SunOS version.
Otherwise you may experience "BAD TRAP" and "Data fault" panics when
the getsockopt() system call is executed after a TCP RESET has been
received. This is a kernel bug, it is not the fault of the wrappers.

The feature is disabled by default. It can be turned on by editing the
Makefile.  The configuration and installation section below describes
the Makefile editing process.

UDP services do not benefit from this additional protection. With UDP,
all you can be certain of is the network packet's destination address.

4.4 - Client username lookups
-----------------------------

The protocol proposed in RFC 931 provides a means to obtain the client
user name from the client host.  The requirement is that the client
host runs an RFC 931-compliant daemon. The information provided by such
a daemon is not intended to be used for authentication purposes, but it
can provide additional information about the owner of a TCP connection.

The RFC 931 protocol has diverged into different directions (IDENT,
TAP, RFC 1413). To add to the confusion, they all use the same network
port.  The daemon wrappers implement a common subset of the protocols.

There are some limitations: the number of hosts that run an RFC 931 (or
compatible) daemon is limited (but growing); client user name lookups
do not work for datagram (UDP) services. More seriously, client user
name lookups can cause noticeable delays with connections from non-UNIX
PCs. Recent PC software seem to have fixed this (for example NCSA
telnet). The wrappers use a 10-second timeout for RFC931 lookups, to
accommodate slow networks and slow hosts.

By default, the wrappers will do username lookup only when the access
control rules require them to do so (via user@host client patterns, see
the hosts_access.5 manual page) or when the username is needed for
%<letter> expansions.

You can configure the wrappers to always perform client username
lookups, by editing the Makefile.  The client username lookup timeout
period (10 seconds default) can be changed by editing the Makefile. The
installation sections below describe the Makefile editing process.

On System V with TLI-based network services, client username lookups
will be possible only when the underlying network protocol is TCP/IP.

4.5 - Language extensions
-------------------------

The wrappers sport only a limited number of features. This is for a
good reason: programs that run at high privilege levels must be easy to
verify. And the smaller a program, the easier to verify. There is,
however, a provision to add features.

The options.c module provides a framework for language extensions.
Quite a few extensions have already been implemented; they are
documented in the hosts_options.5 document, which is in `nroff -man'
format. Examples: changing the severity level at which a request for
service is logged; "allow" and "deny" keywords; running a customized
server instead of the standard one; many others.

The language extensions are not enabled by default because they
introduce an incompatible change to the access control language
syntax.  Instructions to enable the extensions are given in the
Makefile.

4.6 - Multiple ftp/gopher/www archives on one host
--------------------------------------------------

Imagine one host with multiple internet addresses. These addresses do
not need to have the same internet hostname. Thus, it is possible to
offer services with different internet hostnames from just one host.

Service providers can use this to offer organizations a presence on the
"net" with their own internet hostname, even when those organizations
aren't connected to the Internet at all.  To the end user it makes no
difference, because applications use internet hostnames.

There are several ways to assign multiple addresses to one machine.
The nice way is to take an existing network interface and to assign
additional internet addresses with the `ifconfig' command. Examples:

    Solaris 2:	ifconfig le0:1 <address> netmask <mask> up
    4.4 BSD:	ifconfig en0 alias <address> netmask <mask>

On other systems one has to increase the number of network interfaces:
either with hardware interfaces, or with pseudo interfaces like SLIP or
PPP.  The interfaces do not need to be attached to anything. They just
need to be up and to be assigned a suitable internet address and mask.

With the wrapper software, `daemon@host' access control patterns can be
used to distinguish requests by the network address that they are aimed
at.  Judicious use of the `twist' option (see the hosts_options.5 file,
`nroff -man' format) can guide the requests to the right server.  These
can be servers that live in separate chroot areas, or servers modified
to take additional context from the command line, or a combination.

Another way is to modify gopher or www listeners so that they bind to
only one specific network address. Multiple gopher or www servers can
then be run side by side, each taking requests sent to its respective
network address.

4.7 - Banner messages
---------------------

Some sites are required to present an informational message to users
before they attempt to login.  Banner messages can also be useful when
denying service:  instead of simply dropping the connection a polite
explanation is given first. Finally, banners can be used to give your
system a more personal touch.

The wrapper software provides easy-to-use tools to generate pre-login
banners for ftp, telnet, rlogin etc. from a single prototype banner
textfile.  Details on banners and on-the-fly %<letter> expansions are
given in the hosts_options.5 manual page (`nroff -man' format). An
example is given in the file Banners.Makefile.

In order to support banner messages the wrappers have to be built with
language extensions enabled. See the section on language extensions.

4.8 - Sequence number guessing
------------------------------

Recently, systems came under attack from intruders that exploited a
well-known weakness in TCP/IP sequence number generators.  This
weakness allows intruders to impersonate trusted hosts. Break-ins have
been reported via the rsh service. In fact, any network service can be
exploited that trusts the client host name or address.

A long-term solution is to stop using network services that trust the
client host name or address, and to use data encryption instead.

A short-term solution, as outlined in in CERT advisory CA-95:01, is to
configure network routers so that they discard datagrams from "outside"
with an "inside" source address. This approach is most fruitful when
you do not trust any hosts outside your local network.

The IDENT (RFC931 etc.) client username lookup protocol can help to
detect host impersonation attacks.  Before accepting a client request,
the wrappers can query the client's IDENT server and find out that the
client never sent that request.

When the client host provides IDENT service, a negative IDENT lookup
result (the client matches `UNKNOWN@host') is strong evidence of a host
impersonation attack.

A positive IDENT lookup result (the client matches `KNOWN@host') is
less trustworthy.  It is possible for an attacker to spoof both the
client request and the IDENT lookup connection, although doing so
should be much harder than spoofing just a client request. Another
possibility is that the client's IDENT server is lying.

Client username lookups are described in more detail in a previous
section. Pointers to IDENT daemon software are described in the section
on related software.

5 - Other works
---------------

5.1 - Related documents
-----------------------

The war story behind the tcp wrapper tools is described in:

    W.Z. Venema, "TCP WRAPPER, network monitoring, access control and
    booby traps", UNIX Security Symposium III Proceedings (Baltimore),
    September 1992. 

    ftp.win.tue.nl:/pub/security/tcp_wrapper.ps.Z (postscript)
    ftp.win.tue.nl:/pub/security/tcp_wrapper.txt.Z (flat text)

The same cracker is also described in:

    W.R. Cheswick, "An Evening with Berferd, In Which a Cracker is
    Lured, Endured, and Studied", Proceedings of the Winter USENIX
    Conference (San Francisco), January 1992.

    research.att.com:/dist/internet_security/berferd.ps

An updated version of the latter paper appeared in:

    W.R. Cheswick, S.M. Bellovin, "Firewalls and Internet Security",
    Addison-Wesley, 1994.

Discussions on internet firewalls are archived on ftp.greatcircle.com.
Subscribe to the mailing list by sending a message to 

    majordomo@greatcircle.com

With in the body (not subject): subscribe firewalls.

5.2 - Related software
----------------------

Network daemons etc. with enhanced logging capabilities can generate
massive amounts of information: our 150+ workstations generate several
hundred kbytes each day. egrep-based filters can help to suppress some
of the noise.  A more powerful tool is the Swatch monitoring system by
Stephen E. Hansen and E. Todd Atkins. Swatch can process log files in
real time and can associate arbitrary actions with patterns; its
applications are by no means restricted to security.  Swatch is
available ftp.stanford.edu, directory /general/security-tools/swatch.

Socks, described in the UNIX Security III proceedings, can be used to
control network traffic from hosts on an internal network, through a
firewall host, to the outer world. Socks consists of a daemon that is
run on the firewall host, and of a library with routines that redirect
application socket calls through the firewall daemon.  Socks is
available from s1.gov in /pub/firewalls/socks.tar.Z.

For a modified Socks version by Ying-Da Lee (ylee@syl.dl.nec.com) try
ftp.nec.com, directory /pub/security/socks.cstc.

Tcpr is a set of perl scripts by Paul Ziemba that enable you to run ftp
and telnet commands across a firewall. Unlike socks it can be used with
unmodified client software. Available from ftp.alantec.com, /pub/tcpr.

The TIS firewall toolkit provides a multitude of tools to build your
own internet firewall system. ftp.tis.com, directory /pub/firewalls.

Versions of rshd and rlogind, modified to report the client user name
in addition to the client host name, are available for anonymous ftp
(ftp.win.tue.nl:/pub/security/logdaemon-XX.tar.Z).  These programs are
drop-in replacements for SunOS 4.x, Ultrix 4.x, SunOS 5.x and HP-UX
9.x. This archive also contains ftpd/rexecd/login versions that support
S/Key or SecureNet one-time passwords in addition to traditional UNIX
reusable passwords.

The securelib shared library by William LeFebvre can be used to control
access to network daemons that are not run under control of the inetd
or that serve more than one client, such as the NFS mount daemon that
runs until the machine goes down.  Available from eecs.nwu.edu, file
/pub/securelib.tar.

xinetd (posted to comp.sources.unix) is an inetd replacement that
provides, among others, logging, username lookup and access control.
However, it does not support the System V TLI services, and involves
much more source code than the daemon wrapper programs. Available
from ftp.uu.net, directory /usenet/comp.sources.unix.

netlog from Texas A&M relies on the SunOS 4.x /dev/nit interface to
passively watch all TCP and UDP network traffic on a network.  The
current version is on net.tamu.edu in /pub/security/TAMU.

Where shared libraries or router-based packet filtering are not an
option, an alternative portmap daemon can help to prevent hackers
from mounting your NFS file systems using the proxy RPC facility.
ftp.win.tue.nl:/pub/security/portmap-X.shar.Z was tested with SunOS
4.1.X Ultrix 3.0 and Ultrix 4.x, HP-UX 8.x and some version of AIX. The
protection is less effective than that of the securelib library because
portmap is mostly a dictionary service.

An rpcbind replacement (the Solaris 2.x moral equivalent of portmap)
can be found on ftp.win.tue.nl in /pub/security. It prevents hackers
from mounting your NFS file systems by using the proxy RPC facility.

Source for a portable RFC 931 (TAP, IDENT, RFC 1413) daemon by Peter
Eriksson is available from ftp.lysator.liu.se:/pub/ident/servers.

Some TCP/IP implementations come without syslog library. Some come with
the library but have no syslog daemon. A replacement can be found in
ftp.win.tue.nl:/pub/security/surrogate-syslog.tar.Z.  The fakesyslog
library that comes with the nntp sources reportedly works well, too.

6 - Limitations
---------------

6.1 - Known wrapper limitations
-------------------------------

Many UDP (and rpc/udp) daemons linger around for a while after they
have serviced a request, just in case another request comes in.  In the
inetd configuration file these daemons are registered with the `wait'
option. Only the request that started such a daemon will be seen by the
wrappers.  Such daemons are better protected with the securelib shared
library (see: Related software).

The wrappers do not work with RPC services over TCP. These services are
registered as rpc/tcp in the inetd configuration file. The only non-
trivial service that is affected by this limitation is rexd, which is
used by the on(1) command. This is no great loss.  On most systems,
rexd is less secure than a wildcard in /etc/hosts.equiv.

Some RPC requests (for example: rwall, rup, rusers) appear to come from
the server host. What happens is that the client broadcasts its request
to all portmap daemons on its network; each portmap daemon forwards the
request to a daemon on its own system. As far as the rwall etc.  daemons
know, the request comes from the local host.

Portmap and RPC (e.g. NIS and NFS) (in)security is a topic in itself.
See the section in this document on related software.

6.2 - Known system software bugs
--------------------------------

Workarounds have been implemented for several bugs in system software.
They are described in the Makefile. Unfortunately, some system software
bugs cannot be worked around. The result is loss of functionality.

IRIX has so many bugs that it has its own README.IRIX file.

Older ConvexOS versions come with a broken recvfrom(2) implementation.
This makes it impossible for the daemon wrappers to look up the
client host address (and hence, the name) in case of UDP requests.
A patch is available for ConvexOS 10.1; later releases should be OK.

With early Solaris (SunOS 5) versions, the syslog daemon will leave
behind zombie processes when writing to logged-in users.  Workaround:
increase the syslogd threshold for logging to users, or reduce the
wrapper's logging severity.

On some systems, the optional RFC 931 etc. client username lookups may
trigger a kernel bug.  When a client host connects to your system, and
the RFC 931 connection from your system to that client is rejected by a
router, your kernel may drop all connections with that client.  This is
not a bug in the wrapper programs: complain to your vendor, and don't
enable client user name lookups until the bug has been fixed.

Reportedly, SunOS 4.1.1, Next 2.0a, ISC 3.0 with TCP 1.3, and AIX 3.2.2
and later are OK.

Sony News/OS 4.51, HP-UX 8-something and Ultrix 4.3 still have the bug.
Reportedly, a fix for Ultrix is available (CXO-8919).

The following procedure can be used (from outside the tue.nl domain) to
find out if your kernel has the bug. From the system under test, do:

        % ftp 131.155.70.19

This command attempts to make an ftp connection to our anonymous ftp
server (ftp.win.tue.nl).  When the connection has been established, run
the following command from the same system under test, while keeping
the ftp connection open:

        % telnet 131.155.70.19 111

Do not forget the `111' at the end of the command. This telnet command
attempts to connect to our portmap process.  The telnet command should
fail with:  "host not reachable", or with a timeout error. If your ftp
connection gets messed up, you have the bug. If the telnet command does
not fail, please let me know a.s.a.p.!

For those who care, the bug is that the BSD kernel code was not careful
enough with incoming ICMP UNREACHABLE control messages (it ignored the
local and remote port numbers, and therefore zapped *all* connections
with the remote system). The bug is still present in the BSD NET/1
source release (1989) but apparently has been fixed in BSD NET/2 (1991). 

7 - Configuration and installation
----------------------------------

7.1 - Easy configuration and installation
-----------------------------------------

The "easy" recipe requires no changes to existing software or
configuration files.  Basically, you move the daemons that you want to
protect to a different directory and plug the resulting holes with
copies of the wrapper programs.

If you don't run Ultrix, you won't need the miscd wrapper program.  The
miscd daemon implements among others the SYSTAT service, which produces
the same output as the WHO command.

Type `make' and follow the instructions.  The Makefile comes with
ready-to-use templates for many common UNIX implementations (sun,
ultrix, hp-ux, aix, irix,...). 

IRIX has so many bugs that it has its own README.IRIX file.

When the `make' succeeds the result is five executables (six in case of
Ultrix).

You can use the `tcpdchk' program to identify the most common problems
in your wrapper and inetd configuration files.  

With the `tcpdmatch' program you can examine how the wrapper would
react to specific requests for service.  

The `safe_finger' command should be used when you implement booby
traps:  it gives better protection against nasty stuff that remote
hosts may do in response to your finger probes.

The `try-from' program tests the host and username lookup code.  Run it
from a remote shell command (`rsh host /some/where/try-from') and it
should be able to figure out from what system it is being called.

The tcpd program can be used to monitor the telnet, finger, ftp, exec,
rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
a one-to-one mapping onto executable files.

The tcpd program can also be used for services that are marked as
rpc/udp in the inetd configuration file, but not for rpc/tcp services
such as rexd.  You probably do not want to run rexd anyway. On most
systems it is even less secure than a wildcard in /etc/hosts.equiv.

With System V.4-style systems, the tcpd program can also handle TLI
services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
the same functions as with socket-based applications. When some other
protocol is used underneath TLI, functionality will be limited (no
client username lookups, weird network address formats).

Decide which services you want to monitor. Move the corresponding
vendor-provided daemon programs to the location specified by the
REAL_DAEMON_DIR constant in the Makefile, and fill the holes with
copies of the tcpd program. That is, one copy of (or link to) the tcpd
program for each service that you want to monitor. For example, to
monitor the use of your finger service:

    # mkdir REAL_DAEMON_DIR
    # mv /usr/etc/in.fingerd REAL_DAEMON_DIR
    # cp tcpd /usr/etc/in.fingerd

The example applies to SunOS 4. With other UNIX implementations the
network daemons live in /usr/libexec, /usr/sbin or in /etc, or have no
"in." prefix to their names, but you get the idea.

File protections: the wrapper, all files used by the wrapper, and all
directories in the path leading to those files, should be accessible
but not writable for unprivileged users (mode 755 or mode 555). Do not
install the wrapper set-uid.

Ultrix only:  If you want to monitor the SYSTAT service, move the
vendor-provided miscd daemon to the location specified by the
REAL_DAEMON_DIR macro in the Makefile, and install the miscd wrapper
at the original miscd location.

In the absence of any access-control tables, the daemon wrappers
will just maintain a record of network connections made to your system.

7.2 - Advanced configuration and installation
---------------------------------------------

The advanced recipe leaves your daemon executables alone, but involves
simple modifications to the inetd configuration file.

Type `make' and follow the instructions.  The Makefile comes with
ready-to-use templates for many common UNIX implementations (sun,
ultrix, hp-ux, aix, irix, ...). 

IRIX users should read the warnings in the README.IRIX file first.

When the `make' succeeds the result is five executables (six in case of
Ultrix).

You can use the `tcpdchk' program to identify the most common problems
in your wrapper and inetd configuration files.  

With the `tcpdmatch' program you can examine how the wrapper would
react to specific requests for service.  

The `try-from' program tests the host and username lookup code.  Run it
from a remote shell command (`rsh host /some/where/try-from') and it
should be able to figure out from what system it is being called.

The `safe_finger' command should be used when you implement a booby
trap:  it gives better protection against nasty stuff that remote hosts
may do in response to your finger probes.

The tcpd program can be used to monitor the telnet, finger, ftp, exec,
rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
a one-to-one mapping onto executable files.

With System V.4-style systems, the tcpd program can also handle TLI
services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
the same functions as with socket-based applications. When some other
protocol is used underneath TLI, functionality will be limited (no
client username lookups, weird network address formats).

The tcpd program can also be used for services that are marked as
rpc/udp in the inetd configuration file, but not for rpc/tcp services
such as rexd.  You probably do not want to run rexd anyway. On most
systems it is even less secure than a wildcard in /etc/hosts.equiv.

Install the tcpd command in a suitable place. Apollo UNIX users will
want to install it under a different name because the name "tcpd" is
already taken; a suitable name would be "frontd".  

File protections: the wrapper, all files used by the wrapper, and all
directories in the path leading to those files, should be accessible
but not writable for unprivileged users (mode 755 or mode 555). Do not
install the wrapper set-uid.

Then perform the following edits on the inetd configuration file
(usually /etc/inetd.conf or /etc/inet/inetd.conf):

    finger  stream  tcp     nowait  nobody  /usr/etc/in.fingerd     in.fingerd
                                            ^^^^^^^^^^^^^^^^^^^
becomes:

    finger  stream  tcp     nowait  nobody  /usr/etc/tcpd           in.fingerd
                                            ^^^^^^^^^^^^^
Send a `kill -HUP' to the inetd process to make the change effective.
Some IRIX inetd implementations require that you first disable the
finger service (comment out the finger service and `kill -HUP' the
inetd) before you can turn on the modified version. Sending a HUP
twice seems to work just as well for IRIX 5.3, 6.0, 6.0.1 and 6.1.

AIX note: you may have to execute the `inetimp' command after changing
the inetd configuration file.

The example applies to SunOS 4. With other UNIX implementations the
network daemons live in /usr/libexec, /usr/sbin, or /etc, the network
daemons have no "in." prefix to their names, or the username field in
the inetd configuration file may be missing.

When the finger service works as expected you can perform similar
changes for other network services. Do not forget the `kill -HUP'.

The miscd daemon that comes with Ultrix implements several network
services. It decides what to do by looking at its process name. One of
the services is systat, which is a kind of limited finger service.  If
you want to monitor the systat service, install the miscd wrapper in a
suitable place and update the inetd configuration file:

    systat  stream  tcp     nowait  /suitable/place/miscd      systatd

Ultrix 4.3 allows you to specify a user id under which the daemon will
be executed. This feature is not documented in the manual pages.  Thus,
the example would become:

    systat  stream  tcp     nowait  nobody /suitable/place/miscd    systatd

Older Ultrix systems still run all their network daemons as root.

In the absence of any access-control tables, the daemon wrappers
will just maintain a record of network connections made to your system.

7.3 - Daemons with arbitrary path names
---------------------------------------

The above tcpd examples work fine with network daemons that live in a
common directory, but sometimes that is not practical. Having soft
links all over your file system is not a clean solution, either.

Instead you can specify, in the inetd configuration file, an absolute
path name for the daemon process name.  For example,

    ntalk   dgram   udp     wait    root    /usr/etc/tcpd /usr/local/lib/ntalkd

When the daemon process name is an absolute path name, tcpd ignores the
value of the REAL_DAEMON_DIR constant, and uses the last path component
of the daemon process name for logging and for access control.

7.4 - Building and testing the access control rules
---------------------------------------------------

In order to support access control the wrappers must be compiled with
the -DHOSTS_ACCESS option. The access control policy is given in the
form of two tables (default: /etc/hosts.allow and /etc/hosts.deny).
Access control is disabled when there are no access control tables, or
when the tables are empty.

If you haven't used the wrappers before I recommend that you first run
them a couple of days without any access control restrictions. The
logfile records should give you an idea of the process names and of the
host names that you will have to build into your access control rules.

The syntax of the access control rules is documented in the file
hosts_access.5, which is in `nroff -man' format. This is a lengthy
document, and no-one expects you to read it right away from beginning
to end.  Instead, after reading the introductory section, skip to the
examples at the end so that you get a general idea of the language.
Then you can appreciate the detailed reference sections near the
beginning of the document.

The examples in the hosts_access.5 document (`nroff -man' format) show
two specific types of access control policy:  1) mostly closed (only
permitting access from a limited number of systems) and 2) mostly open
(permitting access from everyone except a limited number of trouble
makers). You will have to choose what model suits your situation best.
Implementing a mixed policy should not be overly difficult either.

Optional extensions to the access control language are described in the
hosts_options.5 document (`nroff -man' format).

The `tcpdchk' program examines all rules in your access control files
and reports any problems it can find. `tcpdchk -v' writes to standard
output a pretty-printed list of all rules. `tcpdchk -d' examines the
hosts.access and hosts.allow files in the current directory. This
program is described in the tcpdchk.8 document (`nroff -man' format).

The `tcpdmatch' command can be used to try out your local access
control files.  The command syntax is:

    tcpdmatch process_name hostname (e.g.: tcpdmatch in.tftpd localhost)

    tcpdmatch process_name address  (e.g.: tcpdmatch in.tftpd 127.0.0.1)

This way you can simulate what decisions will be made, and what actions
will be taken, when hosts connect to your own system. The program is
described in the tcpdmatch.8 document (`nroff -man' format).

Note 1: `tcpdmatch -d' will look for hosts.{allow,deny} tables in the
current working directory. This is useful for testing new rules without
bothering your users.

Note 2: you cannot use the `tcpdmatch' command to simulate what happens
when the local system connects to other hosts.

In order to find out what process name to use, just use the service and
watch the process name that shows up in the logfile.  Alternatively,
you can look up the name from the inetd configuration file. Coming back
to the tftp example in the tutorial section above:

    tftp  dgram  udp  wait  root  /usr/etc/tcpd  in.tftpd -s /tftpboot

This entry causes the inetd to run the wrapper program (tcpd) with a
process name `in.tftpd'.  This is the name that the wrapper will use
when scanning the access control tables. Therefore, `in.tftpd' is the
process name that should be given to the `tcpdmatch' command. On your
system the actual inetd.conf entry may differ (tftpd instead of
in.tftpd, and no `root' field), but you get the idea.

When you specify a host name, the `tcpdmatch' program will use both the
host name and address. This way you can simulate the most common case
where the wrappers know both the host address and the host name.  The
`tcpdmatch' program will iterate over all addresses that it can find
for the given host name.

When you specify a host address instead of a host name, the `tcpdmatch'
program will pretend that the host name is unknown, so that you can
simulate what happens when the wrapper is unable to look up the client
host name.

7.5 - Other applications
------------------------

The access control routines can easily be integrated with other
programs.  The hosts_access.3 manual page (`nroff -man' format)
describes the external interface of the libwrap.a library.

The tcpd program can even be used to control access to the mail
service.  This can be useful when you suspect that someone is trying
out some obscure sendmail bug, or when a remote site is misconfigured
and keeps hammering your mail daemon.

In that case, sendmail should not be run as a stand-alone network
listener, but it should be registered in the inetd configuration file.
For example:

    smtp    stream  tcp     nowait  root    /usr/etc/tcpd /usr/lib/sendmail -bs

You will still need to run one sendmail background process to handle
queued-up outgoing mail. A command like:

    /usr/lib/sendmail -q15m

(no `-bd' flag) should take care of that. You cannot really prevent
people from posting forged mail this way, because there are many
unprotected smtp daemons on the network.

8 - Acknowledgements
--------------------

Many people contributed to the evolution of the programs, by asking
inspiring questions, by suggesting features or bugfixes, or by
submitting source code.  Nevertheless, all mistakes and bugs in the
wrappers are my own.

Thanks to Brendan Kehoe (cs.widener.edu), Heimir Sverrisson (hafro.is)
and Dan Bernstein (kramden.acf.nyu.edu) for feedback on an early
release of this product.  The host name/address check was suggested by
John Kimball (src.honeywell.com).  Apollo's UNIX environment has some
peculiar quirks: Willem-Jan Withagen (eb.ele.tue.nl), Pieter
Schoenmakers (es.ele.tue.nl) and Charles S. Fuller (wccs.psc.edu)
provided assistance.  Hal R.  Brand (addvax.llnl.gov) told me how to
get the client IP address in case of datagram-oriented services, and
suggested the optional shell command feature.  Shabbir Safdar
(mentor.cc.purdue.edu) provided a first version of a much-needed manual
page.  Granville Boman Goza, IV (sei.cmu.edu) suggested to use the
client IP address even when the host name is available.  Casper H.S.
Dik (fwi.uva.nl) provided additional insight into DNS spoofing
techniques.  The bogus daemon feature was inspired by code from Andrew
Macpherson (BNR Europe Ltd).  Steve Bellovin (research.att.com)
confirmed some of my suspicions about the darker sides of TCP/IP
insecurity. Risks of automated fingers were pointed out by Borja Marcos
(we.lc.ehu.es). Brad Plecs (jhuspo.ca.jhu.edu) was kind enough to try
my early TLI code and to work out how DG/UX differs from Solaris.

John P.  Rouillard (cs.umb.edu) deserves special mention for his
persistent, but constructive, nagging about wrong or missing things,
and for trying out and discussing embryonic code or ideas.

Last but not least, Howard Chu (hanauma.jpl.nasa.gov), Darren Reed
(coombs.anu.edu.au), Icarus Sparry (gdr.bath.ac.uk), Scott Schwartz
(cs.psu.edu), John A. Kunze (violet.berkeley.edu), Daniel Len Schales
(engr.latech.edu), Chris Turbeville (cse.uta.edu), Paul Kranenburg
(cs.few.eur.nl), Marc Boucher (cam.org), Dave Mitchell
(dcs.shef.ac.uk), Andrew Maffei, Adrian van Bloois, Rop Gonggrijp, John
C. Wingenbach, Everett F. Batey  and many, many others provided fixes,
code fragments, or ideas for improvements.

        Wietse Venema (wietse@wzv.win.tue.nl)
        Department of Mathematics and Computing Science
        Eindhoven University of Technology
        P.O. Box 513
        5600 MB Eindhoven
        The Netherlands

	Currently visiting IBM T.J. Watson Research, Hawthorne NY, USA.