
Re: /etc/host.deny and co



Linh Dang <Linh.Dang.linhd@nt.com> writes:

> Thank you very much!
> 
> Another question if you don't mind?
> 
> Someone mentioned ipfwadm. What do you think about it, how does it
> compare to tcpwrapper? Does one have to recompile the kernel to use
> ipfwadm?

Yes, your kernel has to be compiled to support ipfwadm; no, I don't
know whether or not the default Debian kernel is.

The basic difference is where they operate.  tcpwrappers operates at
the socket level; it gets invoked after a network connection has been
made but before that connection is passed off to the actual program
that does telnet logins, or accepts mail, or ...

ipfwadm puts its blocks in at the kernel level, so that packets trying 
to establish network connections you don't want never make it
through to the kernel logic that would establish a connection.
ipfwadm is most useful when your box is acting as a router, and you
wish to protect machines on one side of the network from machines on
the other side.  But it can also be useful in your case.

As for which is "more secure" - ipfwadm is certainly the one to use
for the ultra-paranoid.  It is possible that a SYN-flood type DOS
attack (an attack where some malicious person tries to initiate as
many connections as possible in rapid succession - the idea isn't to
break in, but just to bog down your machine and so make your life
miserable) could get through on a tcpwrapper-protected machine and be
blocked on an ipfwadm-secured machine.  However, since you are leaving
port 80 (http connections) open anyway, the attacker would just have
to target that port in their SYN flood.  Also, in my case my machine
is just connected through a phone line, and so packets of any kind can 
only reach my machine comparatively slowly.

tcpwrappers provides for more extensive logging of what's going on in
my experience; I have this silly idea that some day I'm going to get
to file a CERT report because some hacker who'd hacked their way
across many systems wound up in my logs.  Hasn't happened yet, but you
never know...

By the way, that hosts.deny line I use is now:

  # daemon list : client list : options (do an rfc931 user lookup, then spawn a report)
  ALL: ALL@ALL : rfc931 : spawn ((echo %c %a contacting %d; /bin/netstat --inet -n; traceroute -p 31434 %a) 2>&1 | mail root)

The "echo" and dumping to a file in /tmp were earlier debugging
features I meant to change but had never gotten around to.
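To make the hosts.allow / hosts.deny lookup order and the %-expansion inside a spawn command concrete, here is an added Python simulation of the libwrap (tcpwrappers) decision. It is example code written for this page, not the tcpwrappers source and not anything posted in the thread. It evaluates a constructed hosts.allow next to the hosts.deny entry from the message above; the hosts, addresses, user names, the second rule file and the set of characters treated as shell-safe during expansion are all assumptions.

```python
"""Simulate the libwrap (tcpwrappers) access decision for one incoming connection.
Added example, not the real library: it reimplements the hosts_access(5) lookup
order and a subset of its pattern language. Rule files, hosts, addresses and users
are constructed; daemon@host, KNOWN/UNKNOWN/PARANOID and twist are not modelled."""
import ipaddress
import re

# Constructed hosts.allow, consulted first: the first matching entry grants access.
HOSTS_ALLOW = """\
sshd: 192.168.1. LOCAL
in.ftpd: .example.org EXCEPT bad.example.org
"""

# Constructed hosts.deny holding the entry from the message, consulted only when
# nothing in hosts.allow matched: everything not allowed above is refused and reported.
HOSTS_DENY = """\
ALL: ALL@ALL : rfc931 : spawn ((echo %c %a contacting %d; /bin/netstat --inet -n; traceroute -p 31434 %a) 2>&1 | mail root)
"""


def parse(text):
    """Yield (daemon_patterns, client_patterns, options) per entry. '#' lines are
    comments, a trailing backslash continues a line, ':' separates fields unless escaped."""
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) < 2:
            raise ValueError("malformed entry: %r" % line)
        yield fields[0].split(), fields[1].split(), fields[2:]


def match_list(patterns, matches):
    """'a b EXCEPT c d' matches when (a or b) matches and (c or d) does not."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return match_list(patterns[:i], matches) and not match_list(patterns[i + 1:], matches)
    return any(matches(p) for p in patterns)


def match_host(pattern, info):
    """One host pattern against the client; info['host'] is None if the reverse lookup failed."""
    addr, host = info["addr"], info["host"]
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # name without a dot, i.e. in the local domain
        return bool(host) and "." not in host
    if pattern.startswith("."):               # ".example.org": any host in that domain
        return bool(host) and host.endswith(pattern)
    if pattern.endswith("."):                 # "192.168.1.": address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                        # "10.0.0.0/255.0.0.0": network/netmask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net + "/" + mask, strict=False)
    return pattern == host or pattern == addr


def match_client(pattern, info):
    """In the client list 'user@host' matches the rfc931 user name (None if unknown) and the host."""
    if "@" not in pattern:
        return match_host(pattern, info)
    user_pat, host_pat = pattern.split("@", 1)
    return (user_pat == "ALL" or user_pat == info["user"]) and match_host(host_pat, info)


def expand(template, daemon, info):
    """Expand hosts_access(5) %-sequences in a spawn command. Each value is sanitised so
    a hostile user or DNS name cannot inject shell syntax; libwrap does the same, but the
    exact safe-character set used here is an assumption."""
    host_or_addr = info["host"] or info["addr"]
    table = {"a": info["addr"], "h": host_or_addr, "n": info["host"] or "unknown",
             "u": info["user"] or "unknown", "d": daemon,
             "c": host_or_addr if info["user"] is None else info["user"] + "@" + host_or_addr}
    def repl(m):
        key = m.group(1)
        if key == "%":
            return "%"
        return re.sub(r"[^A-Za-z0-9@_.:/-]", "_", table[key]) if key in table else m.group(0)
    return re.sub(r"%(.)", repl, template)


def hosts_access(daemon, info, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (verdict, spawn_command) in libwrap order: first matching hosts.allow entry
    grants, else first matching hosts.deny entry denies, else access is granted."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse(text):
            if (match_list(daemons, lambda p: p == "ALL" or p == daemon)
                    and match_list(clients, lambda p: match_client(p, info))):
                spawn = None
                for opt in options:
                    if opt in ("allow", "deny"):  # hosts_options(5) keyword overrides the file
                        verdict = opt
                    elif opt.startswith("spawn "):
                        spawn = expand(opt[6:].strip(), daemon, info)  # expanded, never executed
                    # rfc931 only asks the client for a user name; other options are ignored
                return verdict, spawn
    return "allow", None
```

Calling hosts_access("in.telnetd", {"addr": "203.0.113.5", "host": None, "user": None}) returns "deny" together with the spawn command from the message with %c, %a and %d filled in, while an sshd connection from 192.168.1.7 is granted by hosts.allow before hosts.deny is ever read. The sanitising step in expand is the part worth noticing: the spawn command is handed to /bin/sh, so anything the remote side controls (its rfc931 reply, its reverse DNS name) must not be able to smuggle shell metacharacters into it.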

