Re: hosts.{allow,deny} vs iptables.
On Mon, Mar 04, 2002 at 11:52:21AM -0500, Moses Moore wrote:
> Joao Luis Meloni Assirati wrote:
> > I want to know if my point of view is right, or if there is any
> > functionality that hosts.{allow,deny} scheme provides which iptables
> > can't.
>
> - You have daemon-by-daemon settings instead of port-by-port or
> protocol-by-protocol.
> - the aforementioned 'extra layer of security in case your iptables get
> cleared'.
> - the 'PARANOID' host definition, which matches any host that
> doesn't have sane DNS-to-reverse-DNS settings.
>
> Bastille does something nice (apt-get install bastille) I didn't know
> about with tcpwrappers. I found this in my /etc/hosts.allow after running
> Bastille's automated setup tool:
>
> ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port
> Denial noted %d-%h" root) & : DENY
ALL:ALL with a fingering booby trap may not be such a good idea if you
have anything tcpwrappered that's listening on the finger port. From the
hosts_access(5) manpage (emphasis mine):
The next example permits tftp requests from hosts in the
local domain (notice the leading dot). Requests from any
other hosts are denied. Instead of the requested file, a
finger probe is sent to the offending host. The result is
mailed to the superuser.
/etc/hosts.allow:
in.tftpd: LOCAL, .my.domain
/etc/hosts.deny:
in.tftpd: ALL: (/some/where/safe_finger -l @%h | \
/usr/ucb/mail -s %d-%h root) &
The safe_finger command comes with the tcpd wrapper and
should be installed in a suitable place. It limits possible
damage from data sent by the remote finger server. It
gives better protection than the standard finger command.
The expansion of the %h (client host) and %d (service
name) sequences is described in the section on shell
commands.
Warning: do not booby-trap your finger daemon, unless you
are prepared for infinite finger loops.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
On network firewall systems this trick can be carried even
further. The typical network firewall only provides a
limited set of services to the outer world. All other ser
vices can be "bugged" just like the above tftp example.
The result is an excellent early-warning system.
If someone on another host with a finger daemon also installed and
similarly wrappered tries to connect to anything wrappered on your
host, your computers will happily finger each other forever. This
will also fill up your mailbox.
For similar reasons, it's bad to booby-trap tcp/113, the ident port,
with anything that fingers or does ident lookups.
(Of course, if nothing using tcpwrappers is listening on tcp/79, ALL:ALL
is okay, just as long as you remember to fix it should you ever install
a finger daemon.)
--
William Aoki waoki@umnh.utah.edu /"\ ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92 \ / No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B X
/ \
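As an added example (not part of the original post, nor a tool shipped with tcpd), the following shell script audits hosts.allow/hosts.deny-style rules for the finger-loop hazard the post describes: it reports a rule when its shell command fingers or ident-probes the client and the rule either names a finger/ident daemon or is ALL while such a daemon is actually wrapped on the host. The rule file, the list of wrapped daemons and the daemon names (in.fingerd, in.identd) are constructed assumptions for the demo; on a real system the second argument would come from your inetd.conf or whatever tcpd-linked services you run.

```shell
#!/bin/sh
# Added example, not from the original post or from the tcpd package:
# audit hosts.allow / hosts.deny rules for the "infinite finger loop" case.
# A rule is reported when
#   (a) its shell command does a finger or ident probe back at the client, and
#   (b) the daemon list names fingerd/identd, or is ALL while a finger or
#       ident daemon is really wrapped on this host (see second argument).

# write_sample_rules FILE: constructed rules modelled on the Bastille and
# hosts_access(5) examples quoted in the post (hypothetical, not a real config).
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample hosts.allow / hosts.deny content
ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial noted %d-%h" root) & : DENY
in.tftpd: ALL: (/some/where/safe_finger -l @%h | /usr/ucb/mail -s %d-%h root) &
in.fingerd: ALL: spawn (/usr/bin/finger @%h | /bin/mail root) &
ALL EXCEPT in.fingerd : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail root) &
sshd: ALL: spawn (/usr/bin/logger -t tcpd "denied %d from %h") &
in.telnetd: LOCAL, .my.domain
EOF
}

# find_finger_loops RULES_FILE "daemon1 daemon2 ...": print risky rules with
# their line numbers. The second argument is the list of daemons actually
# wrapped by tcpd on this host (an assumption supplied by the caller).
find_finger_loops() {
    awk -F: -v installed="$2" '
        BEGIN {
            # Is a finger or ident daemon reachable through tcpd at all?
            exposed = (tolower(installed) ~ /fingerd|identd/)
        }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        NF >= 3 {                                # daemon : client : command
            dlist = tolower($1); excl = ""
            if (match(dlist, /except/)) {        # "ALL EXCEPT x, y" form
                excl  = substr(dlist, RSTART + 6)
                dlist = substr(dlist, 1, RSTART - 1)
            }
            gsub(/[ \t]/, "", dlist)
            # Everything from the third field on is the shell command; it may
            # itself contain colons (e.g. the trailing ": DENY" option).
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd ":" $i
            cmd = tolower(cmd)
            # Coarse textual test for a probe aimed back at the client.
            probes_back        = (cmd ~ /finger|ident/)
            names_probe_daemon = (dlist ~ /fingerd|identd/)
            all_and_exposed    = (dlist ~ /(^|,)all(,|$)/ && exposed && \
                                  excl !~ /fingerd|identd/)
            if (probes_back && (names_probe_daemon || all_and_exposed))
                printf "line %d: %s\n", NR, $0
        }' "$1"
}

# Demo: the same rules judged under two different sets of wrapped daemons.
tmp=$(mktemp) || exit 1
write_sample_rules "$tmp"
echo "== with in.fingerd wrapped (the ALL:ALL trap can loop too):"
find_finger_loops "$tmp" "in.fingerd sshd in.tftpd"
echo "== with only sshd and in.tftpd wrapped (ALL:ALL is acceptable):"
find_finger_loops "$tmp" "sshd in.tftpd"
rm -f "$tmp"
```

The rule that explicitly booby-traps in.fingerd is reported in both runs, because it will loop the moment a finger daemon appears; the ALL:ALL rule is reported only when a finger or ident daemon is in the wrapped list, which matches the post's caveat that ALL:ALL is fine as long as nothing wrappered listens on tcp/79, and the ALL EXCEPT in.fingerd variant is left alone. The `finger|ident` match is deliberately coarse, so treat a hit as something to read, not as proof of a loop.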