Securing BSD Daemons
Pages: 1, 2
Now, I'll try the telnet command again:
telnet 126.96.36.199 Trying 188.8.131.52... Connected to genisis. Escape character is '^]'. You are not welcome to use telnetd from biko. Connection closed by foreign host.
Looks like I've effectively blocked all telnet connections to my system. Let's take a look at the rest of the
/etc/hosts.allow to see where to go from here to allow limited access via telnet.
Continuing with more of
# Wrapping sshd(8) is not normally a good idea, but if you # need to do it, here's how #sshd : .evil.cracker.example.com : deny # Prevent those with no reverse DNS from connecting. ALL : PARANOID : RFC931 20 : deny # Allow anything from localhost. Note that an IP address (not a host # name) *MUST* be specified for portmap(8). ALL : localhost 127.0.0.1 : allow ALL : my.machine.example.com 192.0.2.35 : allow # To use IPv6 addresses you must enclose them in 's ALL : [fe80::%fxp0]/10 : allow ALL : [fe80::]/10 : deny ALL : [3ffe:fffe:2:1:2:3:4:3fe1] : deny ALL : [3ffe:fffe:2:1::]/64 : allow # Sendmail can help protect you against spammers and relay-rapers sendmail : localhost : allow sendmail : .nice.guy.example.com : allow sendmail : .evil.cracker.example.com : deny sendmail : ALL : allow # Exim is an alternative to sendmail, available in the ports tree exim : localhost : allow exim : .nice.guy.example.com : allow exim : .evil.cracker.example.com : deny exim : ALL : allow # Portmapper is used for all RPC services; protect your NFS! # (IP addresses rather than hostnames *MUST* be used here) portmap : 192.0.2.32/255.255.255.224 : allow portmap : 192.0.2.96/255.255.255.224 : allow portmap : ALL : deny # Provide a small amount of protection for ftpd ftpd : localhost : allow ftpd : .nice.guy.example.com : allow ftpd : .evil.cracker.example.com : deny ftpd : ALL : allow # You need to be clever with finger; do _not_ backfinger!! You can easily # start a "finger war". fingerd : ALL \ : spawn (echo Finger. | \ /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ : deny # The rest of the daemons are protected. ALL : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h."
Notice that there aren't any rules that specifically mention
telnetd. The last rule in the file is intended to cover all the left over daemons that didn't match earlier rules. Notice that the last rule allowed the connection, but closed it after echoing a message, which is what we saw when I attempted the telnet connection. The
%d was replaced by the name of the daemon (
telnetd), and the
%h was replaced by the hostname of the client trying to connect (
Also in FreeBSD Basics:
We could have predicted this outcome if we had used the
tcpdmatch utility. The syntax to use this utility is very simple:
tcpdmatch daemon_name host_name_of_client
You do not have to be the superuser to run this utility. Let's see what it says will happen if the host "biko" tries to connect to the
telnetd on my FreeBSD system:
tcpdmatch telnetd biko client: hostname biko client: address 184.108.40.206 server: process telnetd matched: /etc/hosts.allow line 77 option: severity auth.info option: twist /bin/echo "You are not welcome to use telnetd from biko." access: delegated
This is very useful output as it tells us which line number in
/etc/hosts.allow contains the matching rule and what the result of that rule will be for that client.
/etc/hosts.allow to allow
telnetd to accept connections form the hosts "genisis" and "biko", but to disallow connections from any other clients. I'll become the superuser and add the following lines; it doesn't matter where in the file I add the lines as long as they appear before that last rule.
telnetd: biko,genisis :ALLOW telnetd: ALL :DENY
I'll then check that my rules work by running
tcpdmatch on biko, genisis, and a third host called creed:
tcpdmatch telnetd biko client: hostname biko client: address 220.127.116.11 server: process telnetd matched: /etc/hosts.allow line 74 option: ALLOW access: granted tcpdmatch telnetd genisis client: hostname genisis client: address 18.104.22.168 server: process telnetd matched: /etc/hosts.allow line 74 option: ALLOW access: granted tcpdmatch telnetd creed client: hostname creed client: address 22.214.171.124 server: process telnetd matched: /etc/hosts.allow line 75 option: DENY access: denied
Let's see what happens when the host creed tries to telnet into my FreeBSD system:
telnet 126.96.36.199 Trying 188.8.131.52... Connected to genisis. Escape character is '^]'. Connection closed by foreign host.
Notice that I didn't receive any message, as the rule on line 75 was the first match, not the rule on line 77.
We've just scratched the surface of the functionality provided by
tcp wrappers, but it should be enough to get you started. Depending on your needs, your rules can range from being very simple to quite elegant. You'll definitely want to check out
man 5 hosts.access and
man 5 hosts.options to see all the configurable options available.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
Read more FreeBSD Basics columns.
Discuss this article in the Operating Systems Forum.
Return to the BSD DevCenter.