每個熟 inetd(8) 的人幾乎都會聽過 TCP Wrappers 這個東西,但很少人能完全瞭解它在網路環境上的好用在哪。 大多數的人都會裝防火牆來保護網路,雖然,防火牆用途非常廣泛,但並非萬能。 例如:若打算回傳一段文字給連線來源者等之類的。而 TCP 軟體卻可以做到這點,還有其他更多事情。在以下段落內,我們將繼續介紹 TCP Wrappers 提供的功能,以及一些實際運用的例子。
TCP Wrappers 可以讓 inetd
所管理的每個 server daemon ,都會在 TCP Wrappers
的掌握之下。透過 TCP Wrappers 這種方式可以支援連線紀錄(logging)
、回傳一段文字給連線來源者、可以讓 daemon 只接受內部連線等等。
雖然其中部份功能用防火牆也可以做到,但 TCP Wrappers
不只是增加了一層保護,還提供了防火牆所辦不到的事情。
然而, 由 TCP Wrappers 所提供的這些額外安全功能, 不應該視為優秀防火牆的替代方案。應該結合 TCP Wrappers 及防火牆、其他加強安全措施來一併運用才對,這樣才可以為系統提供多層安全防護。
由於這些設定是主要針對
inetd
所提供的,所以我們建議您先參閱 inetd 設定 一節。
雖然 inetd(8) 所啟動的程式並非全部都是真正的 『daemons』,但一般來講,我們都還是會稱呼為『daemons』, 下面我們仍將使用這字眼來表達。
若要在 FreeBSD 中使用 TCP
Wrappers 的話,只要確定 inetd
在啟動時,有在 /etc/rc.conf
加上
-Ww
的參數即可,這個設定在系統預設就有了。
當然還需要適當修改 /etc/hosts.allow
設定檔,但
syslogd(8) 仍會在系統 log 檔內,紀錄相關資料下來。
FreeBSD 的 TCP Wrappers 實作方式與其他作業系統上的
TCP Wrappers 不太一樣,目前 FreeBSD 已經廢棄不用
/etc/hosts.deny
,而一律改用
/etc/hosts.allow
。
最簡單的設定方式是,每個對 daemon 的連線都由
/etc/hosts.allow
來決定是否允許或拒絕。 The default
configuration in FreeBSD is to allow a connection to every daemon
started with inetd
. Changing this will be
discussed only after the basic configuration is covered.
Basic configuration usually takes the form of
daemon : address : action
. Where
daemon
is the daemon name which
inetd
started. The
address
can be a valid hostname, an
IP address or an IPv6 address enclosed in
brackets ([ ]). The action field can be either allow
or deny to grant or deny access appropriately. Keep in mind
that configuration works off a first rule match semantic,
meaning that the configuration file is scanned in ascending
order for a matching rule. When a match is found the rule
is applied and the search process will halt.
Several other options exist but they will be explained
in a later section. A simple configuration line may easily be
constructed from that information alone. For example, to
allow POP3 connections via the
mail/qpopper daemon,
the following lines should be appended to
hosts.allow
:
# This line is required for POP3 connections: qpopper : ALL : allow
加上上面這行之後,必須重新啟動 inetd
。重新啟動的方式可以用
kill(1) 指令,或打『 /etc/rc.d/inetd
restart
』 來完成。
TCP Wrappers has advanced
options too; they will allow for more control over the
way connections are handled. In some cases it may be
a good idea to return a comment to certain hosts or
daemon connections. In other cases, perhaps a log file
should be recorded or an email sent to the administrator.
Other situations may require the use of a service for local
connections only. This is all possible through the use of
configuration options known as wildcards
,
expansion characters and external command execution. The
next two sections are written to cover these situations.
Suppose that a situation occurs where a connection
should be denied yet a reason should be sent to the
individual who attempted to establish that connection. How
could it be done? That action can be made possible by
using the twist
option. When a connection
attempt is made, twist
will be called to
execute a shell command or script. An example already exists
in the hosts.allow
file:
# The rest of the daemons are protected. ALL : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h."
This example shows that the message,
“You are not allowed to use daemon
from hostname
.” will be returned
for any daemon not previously configured in the access file.
This is extremely useful for sending a reply back to the
connection initiator right after the established connection
is dropped. Note that any message returned
must be wrapped in quote
"
characters; there are no exceptions to
this rule.
It may be possible to launch a denial of service attack on the server if an attacker, or group of attackers could flood these daemons with connection requests.
Another possibility is to use the spawn
option in these cases. Like twist
, the
spawn
implicitly denies the connection and
may be used to run external shell commands or scripts.
Unlike twist
, spawn
will
not send a reply back to the individual who established the
connection. For an example, consider the following
configuration line:
# We do not allow connections from example.com: ALL : .example.com \ : spawn (/bin/echo %a from %h attempted to access %d >> \ /var/log/connections.log) \ : deny
This will deny all connection attempts from the
*.example.com
domain;
simultaneously logging the hostname, IP
address and the daemon which they attempted to access in the
/var/log/connections.log
file.
Aside from the already explained substitution characters above, e.g. %a, a few others exist. See the hosts_access(5) manual page for the complete list.
Thus far the ALL
example has been used
continuously throughout the examples. Other options exist
which could extend the functionality a bit further. For
instance, ALL
may be used to match every
instance of either a daemon, domain or an
IP address. Another wildcard available is
PARANOID
which may be used to match any
host which provides an IP address that may
be forged. In other words, paranoid
may
be used to define an action to be taken whenever a connection
is made from an IP address that differs
from its hostname. The following example may shed some more
light on this discussion:
# Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny
In that example all connection requests to
sendmail
which have an
IP address that varies from its hostname
will be denied.
Using the PARANOID
may severely
cripple servers if the client or server has a broken
DNS setup. Administrator discretion
is advised.
To learn more about wildcards and their associated functionality, see the hosts_access(5) manual page.
Before any of the specific configuration lines above will
work, the first configuration line should be commented out
in hosts.allow
. This was noted at the
beginning of this section.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.