Solaris Resources at Kempston
Installing and configuring TCP Wrappers on Solaris 7 and Solaris 8
Introduction
If you put a unix system on the Net, even if it is intermittently connected through a dial-up connection, sooner or later someone will try to break into your system and probe it for vulnerabilities. There are several precautions you can take and this page covers just one of these, the installation of access control with TCP Wrappers.
For an excellent introduction to TCP Wrappers, I recommend having a look at the Unix Review article "Trick Hackers with TCP Wrappers".
It's important to realise that TCP Wrappers do not provide full security against unwelcome visitors. A further level of security is provided by IP filtering which will be covered on these pages when I get around to it and there are other techniques which can be employed.
It's quite easy to understand how TCP Wrappers work. There's a TCP daemon running on Solaris all the time, called inetd, which responds to most (but not all) incoming TCP/IP connections and starts the appropriate program to service the request. Have a look at inetd's configuration file, /etc/inetd.conf. This contains a list of services, such as ftp, with the name of the program which should be started by inetd to provide the service. For example, /etc/inetd.conf contains the line:
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
and this tells inetd to start the program /usr/sbin/in.ftpd to service an incoming ftp request.
TCP Wrappers surround the service daemon with another program called tcpd which logs the incoming request and optionally provides access control, allowing or denying the connection depending on where the request originates. The /etc/inetd.conf configuration file is changed so that inetd starts, in this example, /usr/sbin/tcpd instead of /usr/sbin/in.ftpd to service an incoming ftp connection. If tcpd allows the incoming request, it starts the in.ftpd program; if it denies the incoming request, it logs but otherwise ignores the attempt.
The TCP Wrappers program is supplied in source form and you need to compile it. This isn't difficult! Before doing so, you need to have installed the g(un)zip program and a C compiler. All of these are freely downloadable from the Net and instructions for installing C, gzip and flex are here.
Installing TCP Wrappers
The source of TCP Wrappers is available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/tcp_wrappers/. At the time of writing, the latest version is V7.6 and the source code is provided as a compressed tar archive in the file tcp_wrappers_7.6.tar.gz.
This version is suitable for Solaris 7 and earlier but not for Solaris 8. Solaris 8 contains support for IPv6 and the standard TCP wrappers program is not yet compatible with the IPv6 implementation in Solaris 8. However, Casper Dik, a Network Security Engineer with Sun Microsystems, has modified the standard version 7.6 to make it compatible with Solaris 8 and has kindly made his modified version available at ftp://playground.sun.com/pub/casper in the file tcp_wrappers_7.6-ipv6.tar.gz.
Download the appropriate version to a temporary directory, such as /tmp.
In Solaris 7:
Make a directory at a convenient point in the file system to hold the source code and copy the source into this directory. For example:
# mkdir -p /opt/source/TCPwrappers
# cd /opt/source/TCPwrappers
# cp /tmp/tcp_wrappers_7.6.tar.gz .
Unzip and untar the source and then change to the directory created by tar:
# gunzip tcp*
# tar xvf tcp*
# cd tcp_wrappers_7.6
In Solaris 8:
Make a directory at a convenient point in the file system to hold the source code and copy the source into this directory. For example:
# mkdir -p /opt/source/TCPwrappers
# cd /opt/source/TCPwrappers
# cp /tmp/tcp_wrappers_7.6-ipv6.tar.gz .
Unzip and untar the source and then change to the directory created by tar:
# gunzip tcp*
# tar xvf tcp*
# cd tcp_wrappers_7.6-ipv6
At this point, you may like to have a look at the README file which contains a list of features, a tutorial and installation instructions.
First, you need to edit the Makefile in the tcp_wrappers_7.6 directory (Solaris 7) or in the tcp_wrappers_7.6-ipv6 directory (Solaris 8) to tell it where to find most of the daemons started by inetd. Unless you've purchased Sun's expensive C compiler, you also need to tell the compilation process to use the gcc compiler instead. Edit Makefile and look for the two lines:
# SysV.4 Solaris 2.x OSF AIX
#REAL_DAEMON_DIR=/usr/sbin
and remove the comment (#) sign from the second of these two lines, so that it reads:
REAL_DAEMON_DIR=/usr/sbin
Then look for the lines:
# SunOS 5.x is another SYSV4 variant.
sunos5:
	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
	BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all
and change the fourth of these lines to read:
LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv CC=gcc VSYSLOG= \
If you're installing Casper Dik's version on Solaris 8, also look for the lines:
###############################################################
# System dependencies: whether or not your system has IPV6
#
# If your system has IPv6 and supports getipnode* and inet_pton/inet_ntop
# comment out the following (Solaris 8)
#IPV6 = -DHAVE_IPV6
and remove the comment (#) sign from the last of these lines, so that it reads:
IPV6 = -DHAVE_IPV6
Finally, compile the source code:
# make sunos5
Installing TCP Wrappers is a manual process. There are several programs compiled by the "make" process and the main one is tcpd. The others are described in the README file but won't be covered further here.
Copy the tcpd program into the /usr/sbin directory:
# cp tcpd /usr/sbin
and edit inetd's configuration file, /etc/inetd.conf, to use the new tcpd program. First, save the original file:
# cd /etc
# cp inetd.conf inetd.conf.original
Then edit /etc/inetd.conf, making the following changes:
Each non-commented line in this file consists of a service name, several attributes of the service and, in the sixth field of the line, the name of the program which inetd should start to process an incoming request for the service. Where this program name is of the form "/usr/sbin/some program name", change it to read "/usr/sbin/tcpd". For example, the line which reads:
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
in Solaris 7 should be changed so that it reads:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
Note that the protocol field, "tcp", appears in some of these entries on Solaris 8 as "tcp6". This is part of the IPv6 support in Solaris 8.
Make this change in the lines which start ftp, telnet, name, shell, login, exec, comsat, talk, uucp, #tftp, finger, #systat, #netstat and kerbd.
That takes care of most of the inetd services but there are some where the program to be started by inetd lives somewhere other than in /usr/sbin. For these lines in the file, insert the absolute path-name as the parameter to /usr/sbin/tcpd. For example, the line which reads:
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
should be changed so that it reads:
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/sbin/tcpd /usr/lib/netsvc/rusers/rpc.rusersd
Make this change in the lines which start rusersd, sprayd, walld, rstatd and printer.
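The two editing rules above, applied by a script rather than by hand, as an added example that is not part of the original page or of the TCP Wrappers distribution. It assumes the Solaris inetd.conf field layout the text describes (socket type in field 2, program in field 6) and, because the page lists commented-out entries such as #tftp among the lines to change, it rewrites those too; the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): rewrite inetd.conf entries so
# that inetd starts /usr/sbin/tcpd, applying the two rules from the text:
#   - a daemon under /usr/sbin keeps its basename as tcpd's argument
#   - a daemon anywhere else is passed to tcpd by its absolute path
# Commented-out entries ("#tftp ...") are rewritten too, as the page's list
# requires, so they are correct if later uncommented. Plain comment text and
# entries already using tcpd are left alone. Modified lines are re-joined
# with single spaces. Output goes to stdout; the file is never edited in place.

wrap_inetd_conf() {
    awk '
    # An inetd entry has at least 7 fields and a socket type in field 2;
    # a leading "#" on the service name does not change that.
    NF >= 7 && $2 ~ /^(stream|dgram|tli)$/ && $6 ~ /^\// && $6 != "/usr/sbin/tcpd" {
        if ($6 ~ /^\/usr\/sbin\/[^\/]+$/) {
            $6 = "/usr/sbin/tcpd"          # e.g. in.ftpd stays as argv[0]
        } else {
            $7 = $6                         # full path becomes tcpd argument
            $6 = "/usr/sbin/tcpd"
        }
    }
    { print }
    '
}

# Constructed sample entries in the Solaris 7 format shown on the page,
# including one daemon outside /usr/sbin and one commented-out entry.
SAMPLE_INETD_CONF='# Constructed sample, not a real inetd.conf
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd'

# wrapped_sample prints the rewritten sample (used by the checks below)
wrapped_sample() {
    printf '%s\n' "$SAMPLE_INETD_CONF" | wrap_inetd_conf
}

# Real use, after saving inetd.conf.original as the page instructs:
#   wrap_inetd_conf < /etc/inetd.conf > /tmp/inetd.conf.wrapped
#   diff /etc/inetd.conf /tmp/inetd.conf.wrapped   # review before installing
```

Review the diff before copying the result over /etc/inetd.conf; any entry whose program lives outside /usr/sbin should now show the absolute path as tcpd's argument.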
Tell inetd that its configuration file has changed:
# pkill -HUP inetd
and that completes the installation of TCP Wrappers. The tcpd program will now log incoming service requests to /var/log/syslog but no access control rules are active so all incoming requests will be accepted.
If you're using Solaris 2.6 or an earlier version, please note that the pkill command was introduced in Solaris 7 and isn't available in earlier versions. The equivalent command to pkill -HUP inetd in Solaris 2.6 and earlier is:
# kill -HUP `ps -e | grep inetd | awk '{print $1}'`
If your Solaris machine is on a local network and connected to some other systems, it's instructive to test the action of TCP Wrappers before connecting your Solaris machine to the Net. Don't worry if your system isn't networked but read through the following to gain an idea of how it works. More detail on the format of the access control files is covered in the next section.
Monitor the /var/log/syslog file by doing:
# tail -f /var/log/syslog
and telnet into your Solaris box from another machine on your local network. In the window which is monitoring the syslog file, you should see a line logged such as:
Mar 21 16:18:02 gateway in.telnetd[894]: connect from laptop
This line is written by the TCP Wrappers program and records an incoming telnet connection from my Windows 95 laptop system which is called laptop, to my Solaris box, which is called gateway.
Note that this line may report an IP address in the "connect from..." report if the system is unable to convert the IP address to a host name.
If this line reads something like:
Mar 21 16:18:05 gateway in.telnetd[894]: connect from 0.0.0.0
and you're running Solaris 8, you've probably compiled the standard version of TCP wrappers. Install Casper Dik's version as described earlier to fix this problem.
There has been one report that messages logged by TCP wrappers don't appear in /var/log/syslog until syslogd is signalled with a HUP. So, if you experience this problem, simply do:
# pkill -HUP syslogd
and try the telnet again.
Then create a file called /etc/hosts.deny, containing:
ALL: ALL
and try connecting again. This time, the window monitoring the syslog file should record:
Mar 21 16:19:41 gateway in.telnetd[911]: refused connect from laptop
and the machine which is trying to connect to your Solaris box will fail to do so.
Finally, create a file called /etc/hosts.allow, containing:
ALL: LOCAL
and try the telnet again. This time, syslog records:
Mar 21 16:21:12 gateway in.telnetd[915]: connect from laptop
What we've done here is prohibit incoming TCP connections from the Net in general, while allowing connections from machines on the local network.
TCP Wrappers allow or deny incoming service requests depending on the contents of the files /etc/hosts.allow and /etc/hosts.deny.
hosts.allow contains a list of hosts that are allowed to access TCP services on the machine in question and hosts.deny contains a list of hosts that are denied access. If these files don't exist, all access is allowed.
Whenever an incoming service request arrives, inetd starts tcpd and this program first looks in the file /etc/hosts.allow to see whether the connection is explicitly allowed. If so, it allows the connection and starts the daemon which deals with the request. If /etc/hosts.allow doesn't explicitly allow the request, tcpd then looks in /etc/hosts.deny to see whether the connection is explicitly denied. If it is, tcpd denies the request, otherwise it starts the appropriate daemon and allows the request. tcpd stops looking at the files as soon as it finds a match for the host and service in question. Therefore, access granted by hosts.allow cannot be denied by hosts.deny. If no match is found, tcpd allows the request.
Each line in each of these access control files has the general format:
service-list: host-list
where service-list is a comma separated list of services as listed in the last field of entries in /etc/inetd.conf and host-list is a comma separated list of hostnames, domain names or IP addresses. A hostname or IP address matches an individual host, whereas a domain name (which must start with a dot) matches all hosts within that domain. The special keyword ALL matches all services or all hosts, and the special keyword LOCAL matches all hosts on the local network.
As an example, consider a hosts.allow file which contains:
in.ftpd,in.telnetd: .kempston.demon.co.uk,192.168.1.9
This explicitly allows incoming ftp and telnet requests from all hosts within the kempston.demon.co.uk domain and also from the machine with IP address 192.168.1.9. This line doesn't match incoming requests for other services or incoming ftp and telnet requests from other hosts; these will be allowed unless denied by lines in the hosts.deny file.
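The allow-then-deny lookup described above, as an added example that is not part of the original page or of the TCP Wrappers distribution: a small sh/awk simulator of tcpd's decision for one service and one client, using the ALL: ALL hosts.deny from the test earlier and a hosts.allow containing the line just discussed plus ALL: LOCAL, so a rule set can be checked before the machine goes on the Net. It assumes the definition of LOCAL given in the TCP Wrappers README (a host name containing no dot) and handles only the pattern forms this page introduces.

```shell
#!/bin/sh
# Added example, not from the original page: simulate tcpd's decision
# (hosts.allow first, then hosts.deny, default allow) for one request.
# Patterns handled: ALL, LOCAL (no dot in the name, per the README),
# .domain suffix, exact host name or IP address. Lists are comma separated.

# match_file SERVICE CLIENT FILE -> exit 0 if some line in FILE matches
match_file() {
    [ -r "$3" ] || return 1                       # missing file: no match
    awk -v svc="$1" -v client="$2" '
    function host_ok(p,  l) {
        if (p == "ALL")   return 1
        if (p == "LOCAL") return index(client, ".") == 0
        if (p ~ /^\./) {                          # domain suffix pattern
            l = length(p)
            return (length(client) > l) && (substr(client, length(client) - l + 1) == p)
        }
        return p == client                        # exact host name or IP
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments, blanks
    {
        c = index($0, ":"); if (c == 0) next
        ns = split(substr($0, 1, c - 1), s, ",")
        nh = split(substr($0, c + 1), h, ",")
        for (i = 1; i <= ns; i++) gsub(/[ \t]/, "", s[i])
        for (j = 1; j <= nh; j++) gsub(/[ \t]/, "", h[j])
        for (i = 1; i <= ns; i++)
            if (s[i] == "ALL" || s[i] == svc)
                for (j = 1; j <= nh; j++)
                    if (host_ok(h[j])) { found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }
    ' "$3"
}

# hosts_access SERVICE CLIENT ALLOWFILE DENYFILE -> prints "allow" or "deny"
hosts_access() {
    if   match_file "$1" "$2" "$3"; then echo allow   # hosts.allow wins
    elif match_file "$1" "$2" "$4"; then echo deny    # then hosts.deny
    else echo allow                                   # no match: allowed
    fi
}

# Constructed sample rule files in directory $1 (the page's own lines).
make_sample_rules() {
    printf 'in.ftpd,in.telnetd: .kempston.demon.co.uk, 192.168.1.9\nALL: LOCAL\n' > "$1/hosts.allow"
    printf 'ALL: ALL\n' > "$1/hosts.deny"
}
```

To try it against the real files, call hosts_access with /etc/hosts.allow and /etc/hosts.deny and the daemon name exactly as it appears in the last field of /etc/inetd.conf.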
That's a very short introduction to the use of access control files. Please see the TCP Wrappers README file for a more complete tutorial and there's also an excellent description in "TCP/IP Network Administration" by Craig Hunt, published by O'Reilly, ISBN 1-56592-322-7.
Has this guide been useful?
I hope these instructions prove useful. If you have any comments or suggestions for improvement, or have found any technical errors, please email me at mike@kempston.net
This page is copyright © mike@kempston.net 2000. Reproduction is forbidden without the author's permission. You are welcome to link to these pages if you wish but please point to the pages at www.kempston.net: Solaris Resources at Kempston
This page is maintained by the Kempston Webmaster.
Last updated 19 July 2000