Wrap a Security Blanket Around Your Computer
As we have seen, TCP_wrappers provide a simple and effective means to control access to our machines. However, we must still remember “There is no secure in computer security, only more secure or less secure.” As with all security measures, TCP_wrappers have their limitations.
First and foremost, wrappers cannot control access for those services started at boot-time and run until system shutdown. Services like sendmail and httpd (the World Wide Web server) fit this category. These services are always listening to their own ports and require their own access controls. Discussions of the security of sendmail and the World Wide Web fill entire volumes and are certainly outside the scope of this article.
TCP_wrappers may also be vulnerable to “host name spoofing”. Services like rsh and rlogin depend on the host name being correct. If you use a DNS server on which you cannot look up host names, it is possible for an attacker to “spoof” the name lookup by hiding his computer's name behind one your machine “trusts”. You can thwart these attacks by putting an entry for the Internet address and host name in your local /etc/hosts file, so that you do not depend on outside DNS lookups (an added benefit is that host name lookups are a lot faster). Be aware that you are now responsible for keeping the /etc/hosts file up to date. If a computer in the /etc/hosts file changes its Internet address, access will be denied until you change its entry. Fortunately, this is a rare event, and I regularly put entries in my /etc/hosts file for computers I contact often and for every host allowed access to my machine.
TCP_wrappers also do some additional homework to avoid name spoofing attacks. When compiled with the default option PARANOID (see the discussion of wild cards above), the wrappers not only check an Internet address by looking up its name but also by looking up its address. If the two don't match, access is automatically denied.
Another vulnerability can come from “source routing”, a situation where a computer from some “outside” address claims to be a trusted computer on the “inside”. TCP_ wrappers can be compiled with KILL_IP_OPTIONS to disable source routing. Luckily, we Linux users generally do not have to worry about this sort of attack, since IP source routing is turned off by default in the kernel itself.
Finally, even though you can use wrappers to control access to certain services, the best way to avoid exploitation of a service is to completely shut it off from the beginning. If you have no use for rsh or rlogin, edit your /etc/inetd.conf file and put a hash mark, #, in front of the lines for the shell and login services. This advice goes for any other service you don't use. Security holes cannot be exploited on services that are never started. “When in doubt, comment it out” is my motto.
TCP_wrappers are cheap and effective tools for controlling access to your Linux computer. Even without employing the access control features of wrappers, the ability to trace each and every connection to your machine through your system logs can be extremely valuable. TCP_wrappers can control access with a broad brush or a single pen stroke. Either way, I hope this article has raised your awareness of the ease with which you can control the “network face” of your machine.
Lee Brotzman is the Vice President of Advanced Data Solutions, a consulting firm in State College, Pennsylvania. He currently works as an instructor in Internet security, and has presented courses in Unix system security at many U.S. Government facilities. He also serves as a consultant in the design and development of networked information systems and electronic publishing. He resides in State College with his wife/business partner of fifteen years, their three children, one dog, two cats and a goldfish that thrives on dog biscuits (which makes the cats extremely nervous). He can be reached via e-mail at email@example.com.
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- SUSE LLC's SUSE Manager
- My +1 Sword of Productivity
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- Non-Linux FOSS: Caffeine!
- Managing Linux Using Puppet
- SuperTuxKart 0.9.2 Released
- Doing for User Space What We Did for Kernel Space
- Google's SwiftShader Released
- Parsing an RSS News Feed with a Bash Script
- Rogue Wave Software's Zend Server