Most services on a machine to which one can connect remotely may be "wrapped": when a connection is made, a security service examines it, and if the connection satisfies given criteria it is passed on to the OS service in question, such as telnet or FTP; if not, the connection is dropped. The criteria usually consist of access control lists --- does the connection come from a known, trusted host or domain? Such a security service can come in the form of a super-daemon (possibly with auxiliary software), e.g., inetd (with TCP Wrappers) or xinetd, or in the form of a proxy.
On older Linuces and on Solaris, service wrapping is usually done with TCP Wrappers. The source can be freely downloaded from porcupine.org; binaries are available from sunfreeware.com for Solaris and ship with most older Linux distributions.
After compilation and linking, if necessary, there are two ways in which installation and configuration can be completed:
    ## ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd     in.ftpd
    ## telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd  in.telnetd
    #
    ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
    telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

Then restart inetd as described above.
Finally, the associated access-control lists, /etc/hosts.allow and /etc/hosts.deny, must be edited, for example:
    # -- /etc/hosts.deny --- a default-deny stance :
    in.telnetd: ALL
    in.ftpd:    ALL
    in.rexecd:  ALL
    in.rlogind: ALL
    in.rshd:    ALL

and
    # -- /etc/hosts.allow --- let a few friends in :
    in.telnetd: myhost.umist.ac.uk, friend.umist.ac.uk
    in.ftpd:    friend.umist.ac.uk
    in.rexecd:  friend.umist.ac.uk, collegue.dept.umist.ac.uk

This should be simple, but be warned: some versions of TCP Wrappers can be fussy over details of whitespace and comments within the configuration files --- use the utility tcpdchk (which comes with TCP Wrappers) to check the files' syntax.
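To make the allow/deny order concrete, here is an added Python model of the hosts_access(5) decision (my own example, not TCP Wrappers code): hosts.allow is consulted first, then hosts.deny, and a pair matching neither file is admitted. The two file texts are constructed copies of the examples above, and bad_lines() mimics the part of a tcpdchk check that catches the whitespace fussiness just mentioned, since tcpd only treats a '#' in column one as a comment.

```python
# Model of the TCP Wrappers decision (hosts_access(5)): a (daemon, client) pair
# matching hosts.allow is admitted, else a match in hosts.deny rejects it, else
# it is admitted. Constructed example with the files above, not tcpd's code.

HOSTS_ALLOW = """\
in.telnetd: myhost.umist.ac.uk, friend.umist.ac.uk
in.ftpd:    friend.umist.ac.uk
"""
HOSTS_DENY = """\
# -- /etc/hosts.deny --- a default-deny stance :
in.telnetd: ALL
in.ftpd:    ALL
"""

def _match_one(pattern, name):
    """ALL, LOCAL (no dot), '.domain' suffix, '130.88.' prefix, exact name."""
    if pattern in ("ALL", "LOCAL"):
        return pattern == "ALL" or "." not in name
    if pattern.startswith("."):
        return name.endswith(pattern)
    if pattern.endswith("."):
        return name.startswith(pattern)
    return pattern == name

def _match_list(field, name):
    """'a b EXCEPT c' matches when a or b matches and c does not."""
    left, _, right = field.partition(" EXCEPT ")
    hit = lambda part: any(_match_one(p, name) for p in part.replace(",", " ").split())
    return hit(left) and not hit(right)

def bad_lines(text):
    """Line numbers tcpd skips with a warning: no ':' separator (an indented
    '# ...' counts, because only a '#' in column one starts a comment)."""
    return [n for n, raw in enumerate(text.splitlines(), 1)
            if raw.strip() and not raw.startswith("#") and ":" not in raw]

def _first_match(text, daemon, client):
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("#") and ":" in raw:
            daemons, clients = (f.strip() for f in raw.split(":")[:2])
            if _match_list(daemons, daemon) and _match_list(clients, client):
                return raw.strip()         # first matching entry wins
    return None

def access_decision(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return ('allow' | 'deny', matching entry or None)."""
    hit = _first_match(allow, daemon, client)
    if hit:
        return "allow", hit
    hit = _first_match(deny, daemon, client)
    return ("deny", hit) if hit else ("allow", None)   # no entry: let in
```

Note that a daemon with no entry in either file (in.fingerd here) is admitted from anywhere, which is why the deny file above lists every wrapped daemon explicitly.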
On recent Linux distributions, xinetd's own access control lists have replaced TCP Wrappers. (The required daemons and configuration files should already be installed.) The configuration files are found in /etc/xinetd.d.
After changing configuration files restart xinetd as described above.
Below is a standard xinetd configuration file, which can be trivially modified for FTP and other services --- note the use of Cosmos as a gateway machine so that this machine can be accessed globally:
    # default: on
    # description: The telnet server serves telnet sessions; it uses \
    #       unencrypted username/password pairs for authentication.
    service telnet
    {
            flags           = REUSE
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/sbin/in.telnetd
            log_on_failure  += USERID
            disable         = no

            only_from       = 192.168.1.3       # my PC
            only_from       += 192.168.1.123    # my trusted friend's machine
            only_from       += 192.168.1.67     # my co-researcher's machine
            only_from       += 130.88.99.10     # cosmos --- use as
                                                # globally-accessible gateway
    }
If you need to run an SMTP service, wrap it like this --- note the server arguments:
    service smtp
    {
            socket_type     = stream
            protocol        = tcp
            wait            = no
            user            = root
            server          = /usr/lib/sendmail
            server_args     = -bs
    #NO!#   server_args     = -bd -q15m
            disable         = no
            instances       = 10
            nice            = 10
            log_on_failure  += HOST
            only_from       = 127.0.0.1
            only_from       += 130.88.99.10     # cosmos --- for testing
    #       only_from       += 130.88.119.65    # rainstorm  }
            only_from       += 130.88.120.65    # downpour   } the ISD mail
            only_from       += 130.88.119.66    # cloudburst } routers
            only_from       += 130.88.120.66    # deluge     }
            no_access       = 0.0.0.0
    }