BSD DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement


Securing BSD Daemons
Pages: 1, 2

Now, I'll try the telnet command again:



telnet 24.141.117.39
Trying 24.141.117.39...
Connected to genisis.
Escape character is '^]'.
You are not welcome to use telnetd from biko.
Connection closed by foreign host.

Looks like I've effectively blocked all telnet connections to my system. Let's take a look at the rest of the /etc/hosts.allow to see where to go from here to allow limited access via telnet.

Continuing with more of /etc/hosts.allow:

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny 

# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
ALL : localhost 127.0.0.1 : allow
ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
ALL : [fe80::%fxp0]/10 : allow
ALL : [fe80::]/10 : deny
ALL : [3ffe:fffe:2:1:2:3:4:3fe1] : deny
ALL : [3ffe:fffe:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
portmap : 192.0.2.32/255.255.255.224 : allow
portmap : 192.0.2.96/255.255.255.224 : allow
portmap : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected.
ALL : ALL \
	: severity auth.info \
	: twist /bin/echo "You are not welcome to use %d from %h."

Notice that there aren't any rules that specifically mention telnetd. The last rule in the file is intended to cover all the left over daemons that didn't match earlier rules. Notice that the last rule allowed the connection, but closed it after echoing a message, which is what we saw when I attempted the telnet connection. The %d was replaced by the name of the daemon (telnetd), and the %h was replaced by the hostname of the client trying to connect (biko).

Also in FreeBSD Basics:

Fun with Xorg

Sharing Internet Connections

Building a Desktop Firewall

Using DesktopBSD

Using PC-BSD

We could have predicted this outcome if we had used the tcpdmatch utility. The syntax to use this utility is very simple:

tcpdmatch daemon_name host_name_of_client

You do not have to be the superuser to run this utility. Let's see what it says will happen if the host "biko" tries to connect to the telnetd on my FreeBSD system:

tcpdmatch telnetd biko

client:   hostname biko
client:   address  24.141.117.40
server:   process  telnetd
matched:  /etc/hosts.allow line 77
option:   severity auth.info
option:   twist /bin/echo "You are not welcome to use telnetd from biko."
access:   delegated

This is very useful output as it tells us which line number in /etc/hosts.allow contains the matching rule and what the result of that rule will be for that client.

Let's modify /etc/hosts.allow to allow telnetd to accept connections form the hosts "genisis" and "biko", but to disallow connections from any other clients. I'll become the superuser and add the following lines; it doesn't matter where in the file I add the lines as long as they appear before that last rule.

telnetd: biko,genisis :ALLOW
telnetd: ALL :DENY 

I'll then check that my rules work by running tcpdmatch on biko, genisis, and a third host called creed:

tcpdmatch telnetd biko
client:   hostname biko
client:   address  24.141.117.40
server:   process  telnetd
matched:  /etc/hosts.allow line 74
option:   ALLOW 
access:   granted

tcpdmatch telnetd genisis
client:   hostname genisis
client:   address  24.141.117.39
server:   process  telnetd
matched:  /etc/hosts.allow line 74
option:   ALLOW 
access:   granted

tcpdmatch telnetd creed
client:   hostname creed
client:   address  24.141.117.41
server:   process  telnetd
matched:  /etc/hosts.allow line 75
option:   DENY 
access:   denied

Let's see what happens when the host creed tries to telnet into my FreeBSD system:

telnet 24.141.117.39
Trying 24.141.117.39...
Connected to genisis.
Escape character is '^]'.
Connection closed by foreign host.

Notice that I didn't receive any message, as the rule on line 75 was the first match, not the rule on line 77.

We've just scratched the surface of the functionality provided by tcp wrappers, but it should be enough to get you started. Depending on your needs, your rules can range from being very simple to quite elegant. You'll definitely want to check out man 5 hosts.access and man 5 hosts.options to see all the configurable options available.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.


Read more FreeBSD Basics columns.

Discuss this article in the Operating Systems Forum.

Return to the BSD DevCenter.





Sponsored by: