Wrap a Security Blanket Around Your Computer
With the Internet growing by leaps and bounds, the security of computer systems has become a major focus of large corporations, small businesses and individuals alike. Hardly a week goes by without a security flaw being discovered in some network. Many companies are reducing the threat by installing firewalls between their internal networks and the Internet, but this option is generally too expensive and cumbersome for single users running Linux from home or office. TCP_wrappers was written by Wietse Venema, Eindhoven University of Technology, The Netherlands. It provides a simple, elegant and effective means to safeguard your network services from being accessed and possibly abused by intruders.
In this article we will discuss what TCP_wrappers are and how they work, and how to configure TCP_wrappers to protect your machine from unauthorized access. We'll also discuss some of the more advanced features of TCP_wrappers which provide detailed logging and can even help track attempts to break into your machine.
First, we need to know how a transmission control protocol (TCP) connection, such as telnet, is accomplished. TCP network connections are based on the “client/server” model. The telnet program is a client that communicates with a server program, or daemon, called telnetd or in.telnetd, depending on how your machine is set up. Since most Linux distributions use the name in.serviced in the directory /usr/sbin for network daemons, I will use that naming convention for the remainder of this article.
All requests for network services first go through the “Internet daemon”, inetd. (As with all things in life, there are exceptions to this rule, see “What TCP_wrappers Cannot Do” below.) This daemon uses two configuration files to determine how to respond to requests for network connections. The file /etc/services lists the names of particular services and the port numbers for those services. The file /etc/inetd.conf lists the names of the services and the names of the programs or daemons providing the services. Listing 1 and Listing 2 contain some sample lines from the /etc/services and /etc/inetd.conf files.
If I sit down at my.linux-box.com and type the command:
My telnet client sends a packet of information containing (among other things) the Internet address of the source my.linux-box.com, the Internet address of the destination your.machine.com and the port number for the connection. The port number for telnet is 23. inetd looks up port 23 in /etc/services and finds the service name telnet. It then looks up telnet in /etc/inetd.conf and finds that it needs to run the daemon called in.telnetd, listed in the rightmost column of Listing 2. inetd runs in.telnetd connecting it to port 23 and then goes about the business of listening for more connections. in.telnetd responds to my client, asking for a user name and password and starting up the telnet session.
What if you don't want anyone else to telnet into your computer? You can modify the code for in.telnetd to look at the source address of the connection request and to reject any addresses from outside your local machine or domain. If telnet were the only network service this would be easy, but there are dozens of network services, and it would be a nightmare to modify every daemon to limit access to your machine.
At this point TCP_wrappers comes to the rescue. The wrapper program is a tiny daemon that stands between inetd and network daemons such as in.telnetd and in.ftpd. Since all TCP connections are started up in basically the same fashion, a single wrapper program can be used to control access to almost all TCP network services.
When wrappers are installed, the Internet daemon is reconfigured to run the wrapper instead of the ordinary network daemon. The wrapper checks the source address of the connection and the service it wishes to connect to and decides whether to allow the connection. If your.machine.com denies my request for a telnet session, all I see is a dropped connection. If the request is allowed, everything proceeds normally, and the wrapper never actually interacts with my telnet client. In either case, the wrappers write a note in the system logs to let you know whether I was successful in connecting to your machine.
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Validate an E-Mail Address with PHP, the Right Way
- A Topic for Discussion - Open Source Feature-Richness?
- New Products
- Download the Free Red Hat White Paper "Using an Open Source Framework to Catch the Bad Guy"
- The Secret Password Is...
3 hours 38 min ago
- Keeping track of IP address
5 hours 29 min ago
- Roll your own dynamic dns
10 hours 42 min ago
- Please correct the URL for Salt Stack's web site
13 hours 53 min ago
- Android is Linux -- why no better inter-operation
16 hours 9 min ago
- Connecting Android device to desktop Linux via USB
16 hours 37 min ago
- Find new cell phone and tablet pc
17 hours 35 min ago
19 hours 4 min ago
- Automatically updating Guest Additions
20 hours 13 min ago
- I like your topic on android
20 hours 59 min ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?