Wrap a Security Blanket Around Your Computer

TCP_wrappers provide a simple, elegant and effective means to safeguard your network services.
What TCP_wrappers Cannot Do

As we have seen, TCP_wrappers provide a simple and effective means to control access to our machines. However, we must still remember “There is no secure in computer security, only more secure or less secure.” As with all security measures, TCP_wrappers have their limitations.

First and foremost, wrappers cannot control access for those services started at boot-time and run until system shutdown. Services like sendmail and httpd (the World Wide Web server) fit this category. These services are always listening to their own ports and require their own access controls. Discussions of the security of sendmail and the World Wide Web fill entire volumes and are certainly outside the scope of this article.

TCP_wrappers may also be vulnerable to “host name spoofing”. Services like rsh and rlogin depend on the host name being correct. If you use a DNS server on which you cannot look up host names, it is possible for an attacker to “spoof” the name lookup by hiding his computer's name behind one your machine “trusts”. You can thwart these attacks by putting an entry for the Internet address and host name in your local /etc/hosts file, so that you do not depend on outside DNS lookups (an added benefit is that host name lookups are a lot faster). Be aware that you are now responsible for keeping the /etc/hosts file up to date. If a computer in the /etc/hosts file changes its Internet address, access will be denied until you change its entry. Fortunately, this is a rare event, and I regularly put entries in my /etc/hosts file for computers I contact often and for every host allowed access to my machine.

TCP_wrappers also do some additional homework to avoid name spoofing attacks. When compiled with the default option PARANOID (see the discussion of wild cards above), the wrappers not only check an Internet address by looking up its name but also by looking up its address. If the two don't match, access is automatically denied.

Another vulnerability can come from “source routing”, a situation where a computer from some “outside” address claims to be a trusted computer on the “inside”. TCP_ wrappers can be compiled with KILL_IP_OPTIONS to disable source routing. Luckily, we Linux users generally do not have to worry about this sort of attack, since IP source routing is turned off by default in the kernel itself.

Finally, even though you can use wrappers to control access to certain services, the best way to avoid exploitation of a service is to completely shut it off from the beginning. If you have no use for rsh or rlogin, edit your /etc/inetd.conf file and put a hash mark, #, in front of the lines for the shell and login services. This advice goes for any other service you don't use. Security holes cannot be exploited on services that are never started. “When in doubt, comment it out” is my motto.

Conclusion

TCP_wrappers are cheap and effective tools for controlling access to your Linux computer. Even without employing the access control features of wrappers, the ability to trace each and every connection to your machine through your system logs can be extremely valuable. TCP_wrappers can control access with a broad brush or a single pen stroke. Either way, I hope this article has raised your awareness of the ease with which you can control the “network face” of your machine.

Where to Get TCP_Wrappers

Lee Brotzman is the Vice President of Advanced Data Solutions, a consulting firm in State College, Pennsylvania. He currently works as an instructor in Internet security, and has presented courses in Unix system security at many U.S. Government facilities. He also serves as a consultant in the design and development of networked information systems and electronic publishing. He resides in State College with his wife/business partner of fifteen years, their three children, one dog, two cats and a goldfish that thrives on dog biscuits (which makes the cats extremely nervous). He can be reached via e-mail at leb@vicon.net.

______________________

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState