[vox-tech] TCP wrappers

Jeff Newmiller jdnewmil at dcn.davis.ca.us
Sat Jan 14 14:53:57 PST 2006 

Cylar Z wrote:
> Hey all,
> 
> I'm thinking of bolstering system security via TCP
> wrappers - that is, configuring the hosts.allow and
> hosts.deny file to control who can access my system.
> (It has a static, public IP.)

TCP wrappers is a useful tool, but isn't a cure-all.
There have been exploits in the past that allowed
attackers to craft special packets that triggered
bugs deep in the OS handling of networking.  Since
TCP wrappers works in userland, a lot of code
can be triggered before it steps in.

Also, it requires careful attention by the sysadmin
to make sure all apps are using it... either by
using the /usr/sbin/tcpd front-end or by insuring
that your applications are compiled with support.

Alternatives are firewall code or application-specific
access control, each of which has advantages and
disadvantages. More below...

> Here's my question. If I set hosts.deny to "ALL"
> (meaning deny all services to all users) then set
> hosts.allow to (ALLOW FROM 198.34.xxx.xxx) meaning
> allow users from 198.34.xxx.xxx to connect, how will
> that affect those who try to access the server's
> website?

Those attaching from 198.34.xxx.xxx should be able to
connect to that service, and others (including 127.0.0.1)
should not.

> It's my understanding from books I've read that the
> server looks at hosts.allow, THEN hosts.deny, meaning
> that allow takes precedence over deny. However, the
> texts don't say how httpd.conf factors in. There is a
> setting in httpd.conf that controls "who can get stuff
> from this server" as the comments say.

hosts.allow and hosts.deny are both part of TCP wrappers,
which lets hosts.allow take precedence over hosts.deny.

httpd.conf tells apache how to behave... if TCP wrappers
lets the connection through, then apache will have
a chance to consider the contents of httpd.conf.

> So my question is this. Do the settings in
> hosts.allow/deny override the settings in httpd.conf?

If TCP wrappers says no connection allowed, it wins because
apache never sees the connection.  If TCP wrappers says
connection allowed, then the httpd.conf settings get
invoked.  Both have to agree in order for the connection
to succeed.

----

A firewall ruleset can guard against specific types of
TCP or UDP connections, and minimize the chance of crafted
packets triggering buggy OS code.  TCP wrappers can enable
specific daemons to communicate via TCP with specific
ranges if client IP addresses.  Apache can control which
directories/cgi code different clients can access, as
well as limiting clients by IP address.

The most important element of security is that you
understand your configuration... failure will leave you
exposed. Apache can probably do most of what you are after,
but there is probably a greater risk of screwing it up than
with TCP wrappers or a firewall.

-- 
---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil at dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                       Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...1k
---------------------------------------------------------------------------

More information about the vox-tech mailing list