4.12. Using tcpwrappers
TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they’re still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at hosts_access(5) manual page.
Many services installed in Debian will either be launched through the tcpwrapper service (tcpd) or have tcpwrapper support compiled in (through libwrapper).
On the one hand, for services configured in /etc/inetd.conf (this includes telnet, ftp, netbios, swat and finger) you will see that the configuration file executes /usr/sbin/tcpd first. On the other hand, even if a service is not launched by the inetd superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include ssh, portmap, in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME activator daemon), nessus and many others.
To see which packages use tcpwrappers [25] try:
    $ apt-cache rdepends libwrap0
Consider running tcpdchk (a very useful TCP wrappers configuration file rule and syntax checker). When you add stand-alone services (those linked against the wrapper library) to the hosts.deny and hosts.allow files, tcpdchk will warn that it cannot find those services, because it only looks for them in /etc/inetd.conf (the manual page is not entirely accurate on this).
Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a SPAWN [26] command in /etc/hosts.deny that sends mail to root whenever a denied service triggers wrappers:
    ALL: ALL: SPAWN ( \
      echo -e "\n\
      TCP Wrappers\: Connection refused\n\
      By\: $(uname -n)\n\
      Process\: %d (pid %p)\n\
      User\: %u\n\
      Host\: %c\n\
      Date\: $(date)\n\
    " | /usr/bin/mail -s "Connection to %d blocked" root) &
Beware: the example above is open to a DoS attack by making many connections in a short period of time. Many emails mean a lot of file I/O caused by sending only a few packets.
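As an added example (not code from the Securing Debian Manual), the access decision the tcp wrappers library makes from hosts.allow and hosts.deny, modelled in Python over constructed rule files that include a default-deny rule with the SPAWN option above. The pattern forms ALL, LOCAL, exact names, ".domain" suffixes, "1.2.3." prefixes and EXCEPT follow hosts_access(5); netmask and @netgroup forms are left out, and a client is matched by a single name or address rather than by both, as a simplification.

```python
# Added example, not code from the Securing Debian Manual: a simplified model of the
# hosts_access(5) decision tcp wrappers make, run on constructed rule files. Handles ALL,
# LOCAL, exact names, ".domain" suffixes, "1.2.3." prefixes and EXCEPT; no netmasks/netgroups.
HOSTS_ALLOW = """\
# constructed /etc/hosts.allow
sshd: 192.168.1. EXCEPT 192.168.1.200
ALL: .example.org
"""
HOSTS_DENY = """\
# constructed /etc/hosts.deny: default deny plus the manual's SPAWN notification
ALL: ALL: SPAWN (echo "%d from %c" | /usr/bin/mail -s "Connection to %d blocked" root) &
"""

def parse_rules(text):
    """Yield (daemon_tokens, client_tokens, option) per rule; skip comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = [f.strip() for f in line.split(":", 2)]
            option = fields[2] if len(fields) > 2 else ""
            yield fields[0].split(), fields[1].split(), option

def match_pattern(pattern, value):
    """Match one hosts_access pattern token against a daemon or client string."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":           # any host name without a dot
        return "." not in value
    if pattern.startswith("."):      # .example.org matches www.example.org
        return value.endswith(pattern)
    if pattern.endswith("."):        # 192.168.1. matches 192.168.1.x
        return value.startswith(pattern)
    return pattern == value

def match_list(tokens, value):
    if "EXCEPT" in tokens:           # list_1 EXCEPT list_2: list_1 unless list_2 also matches
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], value) and not match_list(tokens[i + 1:], value)
    return any(match_pattern(t, value) for t in tokens)

def decide(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """First hosts.allow match grants, else first hosts.deny match denies, else grant."""
    for daemons, clients, option in parse_rules(allow_text):
        if match_list(daemons, daemon) and match_list(clients, client):
            return "allow", option
    for daemons, clients, option in parse_rules(deny_text):
        if match_list(daemons, daemon) and match_list(clients, client):
            return "deny", option
    return "allow", ""
```

decide() returns the verdict together with the option field of the rule that matched, so for a denied connection the caller sees the SPAWN command that tcpd would run; on a real system the same questions can be asked of the installed rules with tcpdmatch(8).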
[25] On older Debian releases you might need to do this:
    $ apt-cache showpkg libwrap0 | egrep '^[[:space:]]' | sort -u | \
      sed 's/,libwrap0$//;s/^[[:space:]]\+//'
[26] Be sure to use uppercase here, since lowercase spawn will not work.