Do we want to let people in?
tcp_wrappers:
First, let's open /etc/inetd.conf.
Here's an example inetd.conf from my desktop box.
# /etc/inetd.conf
# See "man 8 inetd" for more information.
#
# If you make changes to this file, either reboot your machine or send the
# inetd a HUP signal:
# Do a "ps x" as root and look up the pid of inetd. Then do a
# "kill -HUP <pid>".
# The inetd will re-read this file whenever it gets that signal.
#
#
#
# The first 4 services are really only used for debugging purposes, so
# we comment them out since they can otherwise be used for some nasty
# denial-of-service attacks. If you need them, uncomment them.
# echo stream tcp nowait root internal
# echo dgram udp wait root internal
# discard stream tcp nowait root internal
# discard dgram udp wait root internal
# daytime stream tcp nowait root internal
# daytime dgram udp wait root internal
# chargen stream tcp nowait root internal
# chargen dgram udp wait root internal
#time stream tcp nowait root internal
#time dgram udp wait root internal
#
# These are standard services.
#
#ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -l -i -a
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#ssh stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sshd -i
#
# Use this one instead if you want to snoop on telnet users (try to use this
# for ethical purposes, ok folks?), and see 'man ttysnoop' and /etc/snooptab
# for further instructions:
# telnet stream tcp nowait root /usr/sbin/tcpd in.telnetsnoopd
#
# This is for BSD sendmail. NOTE: It's not a good idea to uncomment this
# one, since sendmail is already set up to run as a daemon in /etc/rc.d/rc.M.
# But, if you really want to run sendmail this way for some reason, you'll
# need to uncomment the smtp line below AND change the line in /etc/rc.d/rc.M
# to run sendmail like this: /usr/sbin/sendmail -q30m
# ...otherwise the queue will not be processed.
# smtp stream tcp nowait root /usr/sbin/tcpd sendmail -bs
#
# The comsat daemon notifies the user of new mail when biff is set to y:
#comsat dgram udp wait root /usr/sbin/tcpd in.comsat
#
# Shell, login, exec and talk are BSD protocols.
#
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
# exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
# talk dgram udp wait root /usr/sbin/tcpd in.talkd
#ntalk dgram udp wait root /usr/sbin/tcpd in.talkd
#
# Kerberos authenticated services
#
# klogin stream tcp nowait root /usr/sbin/tcpd rlogind -k
# eklogin stream tcp nowait root /usr/sbin/tcpd rlogind -k -x
# kshell stream tcp nowait root /usr/sbin/tcpd rshd -k
#
# Services run ONLY on the Kerberos server
#
# krbupdate stream tcp nowait root /usr/sbin/tcpd registerd
# kpasswd stream tcp nowait root /usr/sbin/tcpd kpasswdd
#
# Pop et al
#
# pop2 stream tcp nowait root /usr/sbin/tcpd in.pop2d
#pop3 stream tcp nowait root /usr/sbin/tcpd in.pop3d
# The ipop3d POP3 server is part of the Pine distribution. If you've
# installed the Pine package, you may wish to switch to ipop3d by
# commenting out the pop3 line above, and uncommenting the pop3 line below.
# pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap2 stream tcp nowait root /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
# uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers."
#
# tftp dgram udp wait nobody /usr/sbin/tcpd in.tftpd
# bootps dgram udp wait root /usr/sbin/in.bootpd in.bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
# Try "telnet localhost systat" and "telnet localhost netstat" to see that
# information yourself!
#
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd -u
# systat stream tcp nowait nobody /usr/sbin/tcpd /bin/ps -auwwx
# netstat stream tcp nowait root /usr/sbin/tcpd /bin/netstat -a
#
# Ident service is used for net authentication
auth stream tcp wait nobody /usr/sbin/in.identd in.identd -w -t120 -l
#
# These are to start Samba, an smb server that can export filesystems to
# Pathworks, Lanmanager for DOS, Windows for Workgroups, Windows95, Lanmanager
# for Windows, Lanmanager for OS/2, Windows NT, etc.
# If you're running smbd and nmbd from daemons in /etc/rc.d/rc.samba, then you
# shouldn't uncomment these lines.
# netbios-ssn stream tcp nowait root /usr/sbin/smbd smbd
# netbios-ns dgram udp wait root /usr/sbin/nmbd nmbd
#
# Sun-RPC based services.
#
#
# rstatd/1-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rstatd
# rusersd/2-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rusersd
# walld/1 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rwalld
#
# End of inetd.conf.
Notice how every line has a hash mark ('#', the comment character) in front of it except the auth line, which starts in.identd. This is my desktop; I don't need any daemon or service other than auth running on this box (see man inetd). Look at it this way: if they (crackers) can't get in, they can't do any harm. Until you learn what the services listed in this default inetd.conf actually do, and start adding your own lines, I suggest you comment out (put a # in front of) every line except auth. One thing to notice about that remaining line: it starts /usr/sbin/in.identd directly rather than through /usr/sbin/tcpd, so the hosts.allow and hosts.deny rules described below do not govern it unless identd itself was built against libwrap; if you want it covered, run it through tcpd like the other entries. After editing, send inetd a HUP as the comment at the top of the file says, then run `netstat -an` and confirm that only the ports you expect are listening.
A brief explanation of how inetd works. Take the ssh line in this inetd.conf:
#ssh stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sshd -i
The fields are: the service name (looked up in /etc/services to find the port), the socket type, the protocol, the wait/nowait flag (see the inetd manual page), the user the service runs as, and then the server program, which here is /usr/sbin/tcpd. tcpd, a.k.a. tcp_wrappers, is an "access control facility for internet services". What follows tcpd is the actual daemon (sometimes a symlink to it) plus its arguments, here /usr/sbin/sshd -i, where -i tells sshd it was started from inetd; inetd hands all of this to tcpd as its argument list. Here is what tcpd does. When a connection arrives on port 22 (the standard ssh port), inetd accepts it and starts tcpd, not sshd. tcpd looks up the client's address and its reverse-DNS name, logs the request via syslog, and consults /etc/hosts.allow and then /etc/hosts.deny, matching the daemon name (the basename of the program that follows tcpd, so sshd here and in.telnetd on the telnet line) against the rules. If a rule in hosts.allow matches, the connection is allowed; otherwise, if a rule in hosts.deny matches, the connection is refused; if neither file matches, it is allowed. When tcpd lets the client through it executes the real server program in its own place, so the daemon never knows tcpd was there. There is no separate handshake with the remote host: by the time tcpd runs the TCP connection is already established, and tcpd only decides whether to pass it on or close it. Also note that tcpd covers only services started from inetd; a daemon that runs on its own (for instance sshd started from the rc scripts) honours hosts.allow and hosts.deny only if it was built with libwrap. See the manual page for tcpd.
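The field layout above is easy to check mechanically. The following is an added example written for this page (it is not part of inetd or tcp_wrappers): it parses an inetd.conf, works out which enabled entries are wrapped by tcpd and under what daemon name tcpd will match them in hosts.allow/hosts.deny, and flags the ones tcpd cannot protect. The sample file embedded in it is constructed: it takes the auth line left enabled above and uncomments the ssh and chargen lines purely to exercise the checks. To run it against the real file, read /etc/inetd.conf instead of the sample string.

```python
import os

# Constructed sample: comments plus three enabled entries. Only the auth line
# is enabled in the real file above; ssh and chargen are uncommented here so
# the audit has something to report.
SAMPLE_INETD_CONF = """\
# echo stream tcp nowait root internal
#ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -l -i -a
ssh stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sshd -i
auth stream tcp wait nobody /usr/sbin/in.identd in.identd -w -t120 -l
chargen stream tcp nowait root internal
"""


def parse_inetd_conf(text):
    """Return one dict per enabled (non-comment) inetd.conf entry.

    Field order: service socket-type protocol wait/nowait user server-program
    [server-args...]. 'internal' means inetd serves it itself (no program).
    When the server program is tcpd, the real daemon is the first argument and
    tcpd matches hosts.allow/hosts.deny on that argument's basename."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields: {raw!r}")
        service, socktype, proto, waitflag, user, server = fields[:6]
        args = fields[6:]
        wrapped = os.path.basename(server) == 'tcpd'
        if server == 'internal':
            daemon = None
        elif wrapped:
            if not args:
                raise ValueError(f"line {lineno}: tcpd needs the daemon as its first argument")
            daemon = os.path.basename(args[0])
        else:
            # argv[0] of an unwrapped daemon is its first argument, if any
            daemon = os.path.basename(args[0]) if args else os.path.basename(server)
        entries.append(dict(line=lineno, service=service, socktype=socktype,
                            proto=proto, wait=waitflag, user=user, server=server,
                            args=args, wrapped=wrapped, daemon=daemon))
    return entries


def audit(entries):
    """Findings a reviewer would raise for each enabled entry."""
    findings = []
    for e in entries:
        tag = f"line {e['line']} ({e['service']})"
        if e['server'] == 'internal':
            findings.append(f"{tag}: inetd internal service, cannot be wrapped by tcpd; "
                            f"comment it out unless needed (denial-of-service abuse)")
            continue
        if not e['wrapped']:
            findings.append(f"{tag}: {e['daemon']} is started directly, not via tcpd; "
                            f"hosts.allow/hosts.deny do not apply unless it links libwrap")
        else:
            findings.append(f"{tag}: wrapped; hosts.allow/hosts.deny daemon name is {e['daemon']}")
        if e['user'] == 'root':
            findings.append(f"{tag}: runs as root; the daemon must drop privileges itself")
    return findings


if __name__ == '__main__':
    for finding in audit(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(finding)
```

The point of the daemon-name column is that hosts.allow rules are keyed on what tcpd sees as argv[0], so the ssh line is matched by a rule starting `sshd:`, not `ssh:`.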
Now we'll look at /etc/hosts.allow and /etc/hosts.deny. As the names suggest, /etc/hosts.allow lists the hosts that are allowed to connect to services that go through tcp_wrappers, and /etc/hosts.deny lists the hosts that are not. The order matters: tcpd consults hosts.allow first and stops at the first matching rule in either file.
Let's look at my /etc/hosts.deny
# /etc/hosts.deny
ALL:ALL EXCEPT localhost:DENY
#EOF
This is pretty simple to understand. A rule has three colon-separated fields: a daemon list, a client list and an optional option.
ALL:ALL means every daemon, every client: no one is allowed to connect.
EXCEPT localhost removes the local machine from that client list.
The trailing DENY is an option from hosts_options(5). In hosts.deny it is redundant, since a match here already refuses the connection, but spelling it out makes the intent explicit, and the same ALLOW/DENY options let you keep every rule in a single file if you prefer.
So no one is allowed to connect to any wrapped service on this box but localhost (127.0.0.1). One caveat: the word localhost is matched against the client's hostname as returned by a reverse lookup of 127.0.0.1, so it depends on /etc/hosts (and the resolver order in /etc/host.conf or /etc/nsswitch.conf) mapping that address back to localhost. Matching the address 127.0.0.1 directly, as the hosts.allow below does, avoids that dependency.
Now let's look at my /etc/hosts.allow
#/etc/hosts.allow
#Allow localhost
ALL : 127.0.0.1
# Allow my other box tr0n to connect to any service
ALL : 192.168.1.2
# Let everyone ssh here except 192.168.1.3, 192.168.1.4 and anything in .microsoft.com
sshd: ALL EXCEPT 192.168.1.3, 192.168.1.4 .microsoft.com : ALLOW
#EOF
The first line allows any connection to any service from localhost. The second line allows any connection to any service from 192.168.1.2. The third line may have confused you: it allows anyone from anywhere to connect to the ssh service EXCEPT 192.168.1.3, 192.168.1.4, and any host whose reverse-DNS name ends in .microsoft.com.
A few details worth knowing. The daemon name is sshd (the basename of /usr/sbin/sshd from the inetd.conf line), not the service name ssh. List elements are separated by blanks and/or commas, so mixing ", " and " " on that line is fine. A pattern that starts with a dot matches the end of the client's hostname; one that ends with a dot (such as 192.168.) matches the start of its address; and n.n.n.n/m.m.m.m is a network/netmask pair. Because hosts.allow is checked first, 192.168.1.2 reaches every wrapped service even though hosts.deny says ALL:ALL. Domain-based exceptions like .microsoft.com rely on reverse DNS, which the client's network controls; tcpd does a forward lookup to confirm the name maps back to the address and treats mismatches as PARANOID (refused outright on most builds), but a host with no reverse record at all will simply not match the exception. To test what a given daemon and client would get, use tcpdmatch, which ships with tcp_wrappers, for example `tcpdmatch sshd 192.168.1.3`.
See the manual pages for hosts.allow and hosts.deny: hosts_access(5) and hosts_options(5).
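To see exactly how the rules in the two files combine, here is an added Python model of tcpd's decision logic, written for this page rather than taken from tcp_wrappers, applied to the hosts.allow and hosts.deny shown above. The two files are embedded as constructed strings so nothing is read from /etc, and the hostnames and addresses used in the sample calls (tr0n, mail.example.net, proxy.microsoft.com, 10.0.0.5, 13.1.1.1) are made up. It follows the real list_match() semantics for EXCEPT and the allow-first, deny-second, default-allow order; it does not model daemon@host patterns, IPv6 literals, or options other than ALLOW and DENY. On a real system, compare its answers with tcpdmatch(8).

```python
import ipaddress

# Constructed copies of the two files shown above.  As in tcpd, only lines
# whose first character is '#' are comments.
HOSTS_ALLOW = """\
ALL : 127.0.0.1
ALL : 192.168.1.2
sshd: ALL EXCEPT 192.168.1.3, 192.168.1.4 .microsoft.com : ALLOW
"""
HOSTS_DENY = """\
ALL:ALL EXCEPT localhost:DENY
"""


def tokenize(field):
    """List elements are separated by blanks and/or commas."""
    return field.replace(',', ' ').split()


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens, option)] per rule line.

    A rule is 'daemon_list : client_list [: option]'.  Splitting on ':' is
    enough for the files above; it would break on IPv6 literals or on
    options such as spawn that contain colons themselves."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = [p.strip() for p in line.split(':')]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        option = parts[2].upper() if len(parts) > 2 else None
        rules.append((tokenize(parts[0]), tokenize(parts[1]), option))
    return rules


def list_match(tokens, request, match_fn):
    """Port of tcpd's list_match(): the list matches when some token before
    the first EXCEPT matches and the list after that EXCEPT does not,
    recursively, so 'A EXCEPT B EXCEPT C' reads as A EXCEPT (B EXCEPT C)."""
    for i, tok in enumerate(tokens):
        if tok == 'EXCEPT':
            return False
        if match_fn(tok, request):
            rest = tokens[i + 1:]
            if 'EXCEPT' not in rest:
                return True
            return not list_match(rest[rest.index('EXCEPT') + 1:], request, match_fn)
    return False


def daemon_match(pattern, daemon):
    # daemon@host patterns are not modelled.
    return pattern == 'ALL' or pattern == daemon


def client_match(pattern, client):
    """client is (hostname or None, address); None means no reverse DNS."""
    host, addr = client
    hostname = (host or '').lower()          # hostname matching is case-insensitive
    if pattern == 'ALL':
        return True
    if pattern == 'LOCAL':                   # a hostname without a dot
        return bool(hostname) and '.' not in hostname
    if pattern == 'KNOWN':
        return host is not None
    if pattern == 'UNKNOWN':
        return host is None
    if pattern.startswith('.'):              # .example.com: hostname suffix
        return hostname.endswith(pattern.lower())
    if pattern.endswith('.'):                # 192.168.: address prefix
        return addr.startswith(pattern)
    if '/' in pattern:                       # net/mask, e.g. 192.168.0.0/255.255.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return addr == pattern or hostname == pattern.lower()


def hosts_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's order: first matching rule in hosts.allow grants, else first
    matching rule in hosts.deny refuses, else access is granted.  An explicit
    ALLOW/DENY option on the matching rule overrides the file it sits in.
    Returns (verdict, which rule decided)."""
    for fname, text, default in (('hosts.allow', allow_text, 'ALLOW'),
                                 ('hosts.deny', deny_text, 'DENY')):
        for n, (daemons, clients, option) in enumerate(parse_rules(text), 1):
            if (list_match(daemons, daemon, daemon_match)
                    and list_match(clients, client, client_match)):
                verdict = option if option in ('ALLOW', 'DENY') else default
                return verdict, f"{fname} rule {n}"
    return 'ALLOW', 'no rule matched'


if __name__ == '__main__':
    for daemon, client in [('sshd', ('localhost', '127.0.0.1')),
                           ('in.fingerd', ('tr0n', '192.168.1.2')),
                           ('sshd', ('mail.example.net', '10.0.0.5')),
                           ('sshd', (None, '192.168.1.3')),
                           ('sshd', ('proxy.microsoft.com', '13.1.1.1')),
                           ('in.fingerd', ('mail.example.net', '10.0.0.5'))]:
        print(daemon, client, '->', hosts_access(daemon, client))
```

Two results are worth dwelling on: a finger request from 10.0.0.5 is refused by hosts.deny even though hosts.allow never mentions finger, because the allow file only lists sshd for outsiders, while 192.168.1.2 can reach every wrapped daemon regardless of anything you later add to hosts.deny, since its hosts.allow match is found first.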
Wednesday, August 20, 2008
Securing inetd, hosts.allow, and hosts.deny
Posted by Tutorialsland Staff at 11:25 AM
Labels: Linux Security