1. Wrap Your Services: inetd and xinetd

Most services on a machine to which one can connect remotely may be "wrapped": when a connection is made, a security service examines it, and if it satisfies given criteria the connection is passed on to the OS service in question, such as telnet or FTP; if not, the connection is dropped. The criteria usually consist of access control lists --- does the connection come from a known, trusted host or domain? Such a security service can come in the form of a super-daemon (possibly with auxiliary software), e.g., inetd (with TCP Wrappers) or xinetd, or in the form of a proxy.

1.1. TCP Wrappers

On older Linuces and on Solaris, service wrapping is usually done with TCP Wrappers. The source can be freely downloaded from porcupine.org; binaries are available from sunfreeware.com for Solaris and with most older Linux distributions.

After compilation and linking, if necessary, there are two ways in which installation and configuration can be completed:

  1. Move network daemons to some other directory and fill the resulting holes with copies of the wrapper programs. This approach involves no changes to system configuration files. (See the supplied README for more details.)

  2. Install the wrapper daemon, tcpd, (e.g., in /usr/sbin); leave the network daemons alone and modify the inetd configuration file, /etc/inetd.conf. For example, with the unwrapped services commented out and the corresponding wrapped services added, the entries might look like this:
          ## ftp     stream  tcp6  nowait  root  /usr/sbin/in.ftpd     in.ftpd
          ## telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
          #
          ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
          telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
     Then restart inetd as described above.

Your binary package may lead you in one direction or the other.

Finally, the associated access-control lists, /etc/hosts.allow and /etc/hosts.deny, must be edited, for example:

    # -- /etc/hosts.deny --- a default-deny stance :
    in.telnetd: ALL
    in.ftpd: ALL
    in.rexecd: ALL
    in.rlogind: ALL
    in.rshd: ALL
and
    # -- /etc/hosts.allow --- let a few friends in :
    in.telnetd: myhost.umist.ac.uk, friend.umist.ac.uk
    in.ftpd: friend.umist.ac.uk
    in.rexecd: friend.umist.ac.uk, collegue.dept.umist.ac.uk
This should be simple, but be warned: some versions of TCP Wrappers can be fussy over details of whitespace and comments within the configuration files --- use the utility tcpdchk (which comes with TCP Wrappers) to check the files' syntax.
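To make the evaluation order of the two files concrete, here is an added Python model of the decision tcpd makes (this is not part of the original page or of TCP Wrappers): a match in hosts.allow admits, otherwise a match in hosts.deny refuses, otherwise the connection is admitted. The embedded file contents are constructed samples echoing the examples above; it is assumed that only ALL, exact hostnames and leading-dot domain suffixes need handling.

```python
"""tcpd decision order: hosts.allow match grants, else hosts.deny match
refuses, else access is granted. The file contents below are constructed
samples echoing the page; ALL, exact hostnames and ".domain" suffixes are
handled, but not EXCEPT clauses, netgroups or address/mask forms."""

HOSTS_DENY = """\
# -- /etc/hosts.deny --- a default-deny stance :
in.telnetd: ALL
in.ftpd: ALL
in.rexecd: ALL
"""
HOSTS_ALLOW = """\
# -- /etc/hosts.allow --- let a few friends in :
in.telnetd: myhost.umist.ac.uk, friend.umist.ac.uk
in.ftpd: friend.umist.ac.uk
in.rexecd: friend.umist.ac.uk, collegue.dept.umist.ac.uk
"""

def parse(text):
    """Return a list of (daemon_list, client_list) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if ":" not in line:                        # the kind of slip tcpdchk flags
            raise ValueError(f"malformed rule: {line!r}")
        daemons, clients = line.split(":")[:2]     # optional 3rd field: shell cmd
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def matches(pattern, name):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                    # leading dot = domain suffix
        return name.lower().endswith(pattern.lower())
    return pattern.lower() == name.lower()

def rule_hits(rules, daemon, client):
    return any(any(matches(d, daemon) for d in ds)
               and any(matches(c, client) for c in cs) for ds, cs in rules)

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if tcpd would pass the connection on to `daemon`."""
    if rule_hits(parse(allow), daemon, client):
        return True
    if rule_hits(parse(deny), daemon, client):
        return False
    return True                                    # daemon listed nowhere: admitted
```

Note the last branch: a daemon that appears in neither file is admitted from anywhere, which is why the deny file above lists every wrapped service rather than relying on omission.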

1.2. xinetd

On recent Linux distributions xinetd access control lists have replaced TCP Wrappers. (The required daemons and configuration files should already be installed.) The configuration files are to be found in /etc/xinetd.d.

Example Configuration Files

After changing configuration files, restart xinetd as described above.

A standard xinetd configuration file which can be trivially modified for FTP and other services --- note the use of Cosmos as a gateway machine so that this machine can be accessed globally:

    # default: on
    # description: The telnet server serves telnet sessions; it uses \
    #              unencrypted username/password pairs for authentication.
    service telnet
    {
        flags              = REUSE
        socket_type        = stream        
        wait               = no
        user               = root
        server             = /usr/sbin/in.telnetd
        log_on_failure    += USERID
        disable            = no
        only_from          = 192.168.1.3      # my PC
        only_from         += 192.168.1.123    # my trusted friend's machine
        only_from         += 192.168.1.67     # my co-researcher's machine
        only_from         += 130.88.99.10     # cosmos --- use as 
                                              #     globally-accessible gateway
    }

If you have a need to run an SMTP service, wrap it like this --- note the server arguments:

    service smtp
      {
        socket_type     = stream        
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/lib/sendmail
        server_args     = -bs
  #NO!# server_args     = -bd -q15m
        disable         = no
        instances       = 10
        nice            = 10
        log_on_failure += HOST
        only_from       = 127.0.0.1
        only_from      += 130.88.99.10   # cosmos --- for testing
        #
        only_from      += 130.88.119.65  # rainstorm  } 
        only_from      += 130.88.120.65  # downpour   } the ISD mail
        only_from      += 130.88.119.66  # cloudburst } routers
        only_from      += 130.88.120.66  # deluge     } 
        no_access       = 0.0.0.0
      }
