
Re: hosts.{allow,deny} vs iptables.



On Mon, Mar 04, 2002 at 11:52:21AM -0500, Moses Moore wrote:
> Joao Luis Meloni Assirati wrote:
> > I want to know if my point of view is right, or if there is any
> > functionality that hosts.{allow,deny} scheme provides which iptables
> > can't.
> 
> - You have daemon-by-daemon settings instead of port-by-port or
> protocol-by-protocol.
> - the aforementioned 'extra layer of security incase your iptables get
> cleared'.
> - the 'PARANOID' host definition, which matches any host that
> doesn't have sane DNS-to-reverse-DNS settings.
> 
> Bastille does something nice (apt-get install bastille) with
> tcpwrappers that I didn't know about.  I found this in my /etc/hosts.allow
> after running Bastille's automated setup tool:
> 
> ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port
> Denial noted %d-%h" root) & : DENY

ALL:ALL with a fingering booby trap may not be such a good idea if you
have anything tcpwrappered that's listening on the finger port. From the
hosts_access(5) manpage (emphasis mine):

       The next example permits tftp requests from hosts  in  the
       local  domain (notice the leading dot).  Requests from any
       other hosts are denied.  Instead of the requested file,  a
       finger  probe is sent to the offending host. The result is
       mailed to the superuser.

       /etc/hosts.allow:
          in.tftpd: LOCAL, .my.domain

       /etc/hosts.deny:
          in.tftpd: ALL: (/some/where/safe_finger -l @%h | \
               /usr/ucb/mail -s %d-%h root) &

       The safe_finger command comes with the  tcpd  wrapper  and
       should  be installed in a suitable place. It limits possible
       damage from data sent by the remote finger server.  It
       gives  better protection than the standard finger command.

       The expansion of the %h  (client  host)  and  %d  (service
       name)  sequences is described in the section on shell
       commands.

       Warning: do not booby-trap your finger daemon, unless  you
       are prepared for infinite finger loops.
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

       On network firewall systems this trick can be carried even
       further.  The typical network  firewall  only  provides  a
       limited set of services to the outer world. All other
       services can be "bugged" just like the  above  tftp  example.
       The result is an excellent early-warning system.

If someone on another host with a finger daemon also installed and
similarly wrappered tries to connect to anything wrappered on your
host, your computers will happily finger each other forever. This
will also fill up your mailbox.

For similar reasons, it's bad to booby-trap tcp/113, the ident port,
with anything that fingers or does ident lookups.

(Of course, if nothing using tcpwrappers is listening on tcp/79, ALL:ALL
is okay, just as long as you remember to fix it should you ever install
a finger daemon.)

-- 
William Aoki     waoki@umnh.utah.edu       /"\  ASCII Ribbon Campaign
3B0A 6800 8A1A 78A7 9A26 BB92              \ /  No HTML in mail or news!
9A26 BB92 6329 2D3E 199D 8C7B               X
                                           / \
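As an added example, not part of William Aoki's message and not code from tcp_wrappers or Bastille: a small POSIX shell audit that flags hosts.allow/hosts.deny rules with the loop risk the manpage warns about, i.e. rules whose daemon list can cover a wrappered finger or ident daemon (ALL, in.fingerd, identd, auth) while the option field fingers the client or does an ident lookup (a safe_finger pipe, or the rfc931 option from hosts_options(5)). The sample access file is constructed here, modelled on the Bastille line and the manpage's tftp example; the function names (wrap_rules, find_finger_loops, make_sample) are this example's own. It only needs sh, awk and mktemp.

```shell
#!/bin/sh
# Added audit script (not from the thread): find tcp_wrappers rules that can
# start a finger/ident loop against a similarly booby-trapped remote host.

# Normalise an access file: join backslash-continued lines, drop comments and
# blank lines, and emit one complete rule per output line.
wrap_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { line = line $0 }
        /\\$/ { sub(/\\$/, "", line); next }   # continuation: keep accumulating
        { print line; line = "" }
    ' "$1"
}

# Print every rule whose daemon list may include a wrappered finger or ident
# daemon AND whose option field queries the client back (finger/ident/rfc931).
# ALL is flagged because the script cannot know whether a wrappered fingerd
# or identd is installed; that is the check the thread says you must do.
# Exit status 0 if at least one such rule was found, 1 otherwise.
find_finger_loops() {
    wrap_rules "$1" | awk '
        {
            i = index($0, ":")                       # daemon list ends at first colon
            daemons = tolower(substr($0, 1, i - 1))
            rest = substr($0, i + 1)
            j = index(rest, ":")                     # options follow the second colon
            opts = (j > 0) ? tolower(substr(rest, j + 1)) : ""
            exposed = daemons ~ /(^|[ \t,])all([ \t,]|$)/ ||
                      daemons ~ /fingerd|identd|(^|[ \t,])auth([ \t,]|$)/
            queries = opts ~ /finger|ident|rfc931/
            if (exposed && queries) { print; n++ }
        }
        END { exit (n > 0) ? 0 : 1 }
    '
}

# Write a constructed sample hosts.allow to the given path (sample input only).
make_sample() {
    cat > "$1" <<'EOF'
# Bastille-style catch-all trap: loops if a wrappered fingerd or identd exists
ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s "Port Denial noted %d-%h" root) & : DENY
# The hosts_access(5) example: fine, tftp is not finger
in.tftpd: ALL: (/some/where/safe_finger -l @%h | \
     /usr/ucb/mail -s %d-%h root) &
# Explicit finger and ident traps: exactly what the warning is about
in.fingerd: ALL: spawn (/usr/sbin/safe_finger -l @%h) &
identd: ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail root) &
# Harmless traps: nothing is sent back at the client
sshd: ALL: spawn (/bin/logger -t tcpd "%d-%h")
ALL: ALL: spawn (/bin/echo "%d from %h" | /bin/mail root) &
EOF
}

# Stand-alone run: audit the sample, then the real files where readable.
main() {
    tmp=$(mktemp)
    make_sample "$tmp"
    for f in "$tmp" /etc/hosts.allow /etc/hosts.deny; do
        [ -r "$f" ] || continue
        if out=$(find_finger_loops "$f"); then
            printf 'WARNING: %s has rules that can loop against a booby-trapped peer:\n%s\n' "$f" "$out"
        else
            printf 'OK: %s has no finger/ident loop risk\n' "$f"
        fi
    done
    rm -f "$tmp"
}

main
```

Run against the sample, the three flagged rules are the ALL catch-all with safe_finger, the in.fingerd trap and the identd trap; the tftp example and the logger/echo traps pass, matching the thread's advice that a finger booby trap is only a problem on services that finger or ident-lookup back.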