l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
November 4: Social gathering
Next Installfest:
TBD
Latest News:
Oct. 24: LUGOD election season has begun!
Page last updated:
2006 Jan 15 11:57

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] TCP wrappers
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] TCP wrappers



Cylar Z wrote:
Hey all,

I'm thinking of bolstering system security via TCP
wrappers - that is, configuring the hosts.allow and
hosts.deny file to control who can access my system.
(It has a static, public IP.)
TCP wrappers is a useful tool, but isn't a cure-all.
There have been exploits in the past that allowed
attackers to craft special packets that triggered
bugs deep in the OS handling of networking.  Since
TCP wrappers works in userland, a lot of code
can be triggered before it steps in.

Also, it requires careful attention by the sysadmin
to make sure all apps are using it... either by
using the /usr/sbin/tcpd front-end or by insuring
that your applications are compiled with support.

Alternatives are firewall code or application-specific
access control, each of which has advantages and
disadvantages. More below...

Here's my question. If I set hosts.deny to "ALL"
(meaning deny all services to all users) then set
hosts.allow to (ALLOW FROM 198.34.xxx.xxx) meaning
allow users from 198.34.xxx.xxx to connect, how will
that affect those who try to access the server's
website?
Those attaching from 198.34.xxx.xxx should be able to
connect to that service, and others (including 127.0.0.1)
should not.

It's my understanding from books I've read that the
server looks at hosts.allow, THEN hosts.deny, meaning
that allow takes precedence over deny. However, the
texts don't say how httpd.conf factors in. There is a
setting in httpd.conf that controls "who can get stuff
from this server" as the comments say.
hosts.allow and hosts.deny are both part of TCP wrappers,
which lets hosts.allow take precedence over hosts.deny.

httpd.conf tells apache how to behave... if TCP wrappers
lets the connection through, then apache will have
a chance to consider the contents of httpd.conf.

So my question is this. Do the settings in
hosts.allow/deny override the settings in httpd.conf?
If TCP wrappers says no connection allowed, it wins because
apache never sees the connection.  If TCP wrappers says
connection allowed, then the httpd.conf settings get
invoked.  Both have to agree in order for the connection
to succeed.

----

A firewall ruleset can guard against specific types of
TCP or UDP connections, and minimize the chance of crafted
packets triggering buggy OS code.  TCP wrappers can enable
specific daemons to communicate via TCP with specific
ranges if client IP addresses.  Apache can control which
directories/cgi code different clients can access, as
well as limiting clients by IP address.

The most important element of security is that you
understand your configuration... failure will leave you
exposed. Apache can probably do most of what you are after,
but there is probably a greater risk of screwing it up than
with TCP wrappers or a firewall.

--
---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...1k
---------------------------------------------------------------------------
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.