1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!ENTITY tcpwrappers-download-http "http://files.ichilton.co.uk/nfs/tcp_wrappers_&tcpwrappers-version;.tar.gz">
|
---|
8 | <!ENTITY tcpwrappers-download-ftp "ftp://ftp.porcupine.org/pub/security/tcp_wrappers_&tcpwrappers-version;.tar.gz">
|
---|
9 | <!ENTITY tcpwrappers-size "100 KB">
|
---|
10 | <!ENTITY tcpwrappers-buildsize "720 KB">
|
---|
11 | <!ENTITY tcpwrappers-time "0.16 SBU">
|
---|
12 | ]>
|
---|
13 |
|
---|
14 | <sect1 id="tcpwrappers" xreflabel="tcpwrappers-&tcpwrappers-version;">
|
---|
15 | <?dbhtml filename="tcpwrappers.html"?>
|
---|
16 | <title>tcpwrappers-&tcpwrappers-version;</title>
|
---|
17 |
|
---|
18 | <sect2>
|
---|
19 | <title>Introduction to <application>tcpwrappers</application></title>
|
---|
20 |
|
---|
21 | <para>The <application>tcpwrappers</application> package provides daemon
|
---|
22 | wrapper programs that report the name of the client requesting network
|
---|
23 | services and the requested service.</para>
|
---|
24 |
|
---|
25 | <sect3><title>Package information</title>
|
---|
26 | <itemizedlist spacing='compact'>
|
---|
27 | <listitem><para>Download (HTTP): <ulink
|
---|
28 | url="&tcpwrappers-download-http;"/></para></listitem>
|
---|
29 | <listitem><para>Download (FTP): <ulink
|
---|
30 | url="&tcpwrappers-download-ftp;"/></para></listitem>
|
---|
31 | <listitem><para>Download size: &tcpwrappers-size;</para></listitem>
|
---|
32 | <listitem><para>Estimated Disk space required:
|
---|
33 | &tcpwrappers-buildsize;</para></listitem>
|
---|
34 | <listitem><para>Estimated build time:
|
---|
35 | &tcpwrappers-time;</para></listitem></itemizedlist>
|
---|
36 | </sect3>
|
---|
37 |
|
---|
38 | <sect3><title>Additional downloads</title>
|
---|
39 | <itemizedlist spacing='compact'>
|
---|
40 | <listitem><para>Required Patch (Fixes some build issues and adds building of a shared library):
|
---|
41 | <ulink url="&patch-root;/tcp_wrappers-&tcpwrappers-version;-shared_lib_plus_plus-1.patch"/></para>
|
---|
42 | </listitem>
|
---|
43 | </itemizedlist>
|
---|
44 | </sect3>
|
---|
45 |
|
---|
46 | </sect2>
|
---|
47 |
|
---|
48 | <sect2>
|
---|
49 | <title>Installation of <application>tcpwrappers</application></title>
|
---|
50 |
|
---|
51 | <para>Install <application>tcpwrappers</application> with the following
|
---|
52 | commands:</para>
|
---|
53 |
|
---|
54 | <screen><userinput><command>patch -Np1 -i ../tcp_wrappers-&tcpwrappers-version;-shared_lib_plus_plus-1.patch &&
|
---|
55 | make REAL_DAEMON_DIR=/usr/sbin STYLE=-DPROCESS_OPTIONS linux &&
|
---|
56 | make install</command></userinput></screen>
|
---|
57 |
|
---|
58 | </sect2>
|
---|
59 |
|
---|
60 | <sect2>
|
---|
61 | <title>Configuring <application>tcpwrappers</application></title>
|
---|
62 |
|
---|
63 | <sect3><title>Config files</title>
|
---|
64 | <para><filename>/etc/hosts.allow</filename>,
|
---|
65 | <filename>/etc/hosts.deny</filename></para>
|
---|
66 |
|
---|
67 | <para>File protections: the wrapper, all files used by the wrapper,
|
---|
68 | and all directories in the path leading to those files, should be
|
---|
69 | accessible but not writable for unprivileged users (mode 755 or mode
|
---|
70 | 555). Do not install the wrapper set-uid.</para>
|
---|
71 |
|
---|
72 | <para>Then perform the following edits on the
|
---|
73 | <filename>/etc/inetd.conf</filename> configuration file:</para>
|
---|
74 | <screen><userinput>finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd</userinput></screen>
|
---|
75 | <para>becomes:</para>
|
---|
76 | <screen><userinput>finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd</userinput></screen>
|
---|
77 |
|
---|
78 | <note><para>The finger server is used as an example here.</para></note>
|
---|
79 |
|
---|
80 | <para>Similar changes must be made if xinetd is used, with the emphasis being
|
---|
81 | on calling <command>/usr/sbin/tcpd</command> instead of calling the service
|
---|
82 | daemon directly, and passing the name of the service daemon to tcpd.</para>
|
---|
83 | </sect3>
|
---|
84 |
|
---|
85 | </sect2>
|
---|
86 |
|
---|
87 | <sect2>
|
---|
88 | <title>Contents</title>
|
---|
89 |
|
---|
90 | <para>The <application>tcpwrappers</application> package contains <command>
|
---|
91 | tcpd</command>, <command>tcpdchk</command>, <command>tcpdmatch</command>,
|
---|
92 | <command>try-from</command> and <command>safe_finger</command>.</para>
|
---|
93 | </sect2>
|
---|
94 |
|
---|
95 | <sect2><title>Description</title>
|
---|
96 |
|
---|
97 | <sect3><title>tcpd</title>
|
---|
98 | <para><command>tcpd</command> is the main access control daemon for all
|
---|
99 | Internet services, which <command>inetd</command> or
|
---|
100 | <command>xinetd</command> will run instead of running the
|
---|
101 | requested service daemon.</para></sect3>
|
---|
102 |
|
---|
103 | <sect3><title>tcpdchk</title>
|
---|
104 | <para><command>tcpdchk</command> is a tool to examine a tcpd wrapper
|
---|
105 | configuration and report problems with it.</para></sect3>
|
---|
106 |
|
---|
107 | <sect3><title>tcpdmatch</title>
|
---|
108 | <para><command>tcpdmatch</command> is used to predict how the tcp wrapper
|
---|
109 | would handle a specific request for a service.</para></sect3>
|
---|
110 |
|
---|
111 | <sect3><title>try-from</title>
|
---|
112 | <para><command>try-from</command> can be called via a remote shell command to
|
---|
113 | find out if the host name and address are properly recognized.</para></sect3>
|
---|
114 |
|
---|
115 | <sect3><title>safe_finger</title>
|
---|
116 | <para><command>safe_finger</command> is a wrapper for the <command>finger
|
---|
117 | </command> utility, to provide automatic reverse name lookups.</para></sect3>
|
---|
118 |
|
---|
119 | </sect2>
|
---|
120 |
|
---|
121 | </sect1>
|
---|
122 |
|
---|