(S) RFI: What are TCP wrappers

From: David Bremer <DaveB_at_healthotago.co.nz>
Date: Mon, 4 Nov 1996 11:11:08 +1300

Thanks to:

Patrick farley_at_Manassas1.TDS-GN.LMCO.COM
Jim Neeland neeland_at_madmax.hrl.hac.com
Ken Teh teh_at_chinook.phy.anl.gov
Kirsten Clayton kfdc_at_gerulf.acsu.unsw.edu.au
Shari skinner_at_zko.dec.com

for replying to a rather garbled query about how TCP-Wrappers worked and
what they were. Now that I understand better I know the question that I
SHOULD have asked ;-)

I hope I didn't miss anyone

I found an excellent article at
http://www.alw.nih.gov/Security/FIRST/papers/firewall/tcpwrap.ps
via an excellent security page at
http://www.alw.nih.gov/Security/first-papers.html

The one recommended by Shari is also worth looking at (some overlap
between the two).

Now for the summary - really it's a digest - I've edited Kirsten's a bit
to remove quotes of the question. I've looked at the book by Nemeth she
recommended and intend buying it - it looks VERY good.

------------------------------------------------------------------------
The question asked was <briefly>:

I'm after any URLs for docs explaining the use of "TCP Wrapping" when
it comes to tracing the origin terminal of a process when the user is on
the other side of a term server.

For example:
$ ps

  PID TTY   S TIME    COMMAND
19645 ttytb I + 0:01.65 udt

- Now I KNOW that the "ttytb" has got almost NOTHING to do with the
terminal I'm working on.

My real query I guess is "what does TCP Wrapping actually *DO*?" and
also "Why do term-servers mask the origin terminal of the process?"

------------------------------------------------------------------------
FROM: Patrick farley_at_Manassas1.TDS-GN.LMCO.COM

I just installed TCP Wrapper three days ago. Pretty easy.
Any use of the specified applications, i.e. finger, telnet, FTP, etc.,
will result in the wrapper consulting an authorization list.

Whether the person is on the list or not will result in a log entry
being placed in the mail.log. This entry will have reverse finger
information.

------------------------------------------------------------------------
FROM: Jim Neeland neeland_at_madmax.hrl.hac.com

        Well, my feeling is that terminal servers mask IDs because the
input side is not running any network protocol (in many cases), and thus
there's no network tracing that can be done. Depending on the terminal
server, you may be able to get it to answer finger requests, so that you
can see who is at what port, and/or you may be able to get it to log
(either locally or via syslogd) the logins to the various ports. That
may help track who is doing what and when. However, other than seeing
who is connected, it is hard to determine what they are doing, aside
from which host they are connected to.

        If they are running PPP or SLIP from the terminal server, then
you can look at packets coming from the terminal server to see more of
what they are doing.

------------------------------------------------------------------------
FROM: Ken Teh teh_at_chinook.phy.anl.gov

Try ftp.info.cert.org. They are a repository of documents and tools
related to Unix security.

IP transactions are done via daemons and remote clients. The client
contacts the inetd super daemon on the host to request services. The
inetd daemon has a configuration file, /etc/inetd.conf, that tells it
which daemon to invoke to service a request from a remote client. For
example, if you ftp to a host machine, the inetd daemon will spawn an
ftp daemon, typically called ftpd, to handle further transactions once
the connection is made. TCP wrapping means that instead of directly
invoking ftpd, the inetd config file is modified so that it invokes a
wrapper function that eventually invokes ftpd. The wrapper function
consults an additional file, /etc/hosts.allow, in which you describe
which remote hosts are allowed what type of connections (ftp, telnet,
etc.) before actually invoking the daemon. This way you filter out
unwanted machines.

------------------------------------------------------------------------
FROM: Kirsten kfdc_at_gerulf.acsu.unsw.edu.au

Firstly, the TTY you see listed in the ps output in this case refers to
a 'network pseudoterminal'. These pseudoterminals refer to connections
to a host that are not associated with any physical connection to the
machine (unlike, say, a direct serial link). They are device special
files that live in /dev. TCP wrappers and their function are a different
matter.

The TTY refers to where a session is connected *to* on the host, not
where it's connected *from*. You could use the 'w' command to get the
info you're looking for. In the following output you can see that the
user 'admin' is connected to ttyp2, and that they're connected from
xterm060:

~# w
User   tty  from           login@  idle  JCPU  PCPU  what
admin  p2   xterm060.phys  23:06                     w


A 'wrapper' is simply a filtering mechanism which listens for
connections on certain ports and controls access to the real daemon
services associated with these ports. For example, if a connection is
made to port 23 (the telnet port) normally the telnetd daemon will be
invoked to handle the connection. If, however, a wrapper is installed to
handle the telnet connection, then the wrapper daemon itself will be run
in place of telnetd. The wrapper will then do checking and decide
whether or not to invoke the real telnetd daemon (based on authorisation
settings stored in a configuration file) and perform logging via syslog.


I guess the second question has been answered more or less in the first
part of my reply, so I'll leave it at that (i.e. they don't mask it, ps
just doesn't list it -- doesn't have much to do with the functionality
of the terminal server itself).

I hope my e-mail has cleared some things up for you. If you want more
info on wrappers, pseudoterminals, and lots of practical information on
Unix system administration in general, you could do worse than taking a
look at the book "UNIX System Administration, Second Edition" by Evi
Nemeth et al. (1995, Prentice Hall). It really is very good. Check out:
        http://www.admin.com

for more info on this.
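Ken's and Kirsten's replies above both describe the same mechanism: inetd hands the connection to a wrapper, the wrapper consults an access list (/etc/hosts.allow, and on most installations /etc/hosts.deny) to decide whether the real daemon gets run, and it logs the decision via syslog. The following is an added example, not code from this thread or from the real tcp_wrappers package: a small Python model of that check. It assumes the commonly documented rule syntax ("daemon_list : client_list" with ALL, LOCAL, trailing-dot network prefixes and leading-dot domain suffixes) and the usual evaluation order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise grant). The two rule files and the log-line format are constructed for the example.

```python
"""Toy model of the TCP wrapper access check (hosts.allow / hosts.deny).

Added example: not the real tcp_wrappers code. Models the documented
rule subset: "daemon_list : client_list", ALL, LOCAL, trailing-dot
network prefixes, leading-dot domain suffixes.
"""
from typing import List, Tuple

# Constructed sample files, as an administrator might write them.
HOSTS_ALLOW = """
# consulted first: the first matching rule grants access
in.ftpd, in.telnetd : 192.168.1. LOCAL
fingerd : ALL
"""

HOSTS_DENY = """
# consulted only if nothing in hosts.allow matched: first match refuses
ALL : ALL
"""

Rule = Tuple[List[str], List[str]]


def parse_rules(text: str) -> List[Rule]:
    """Return [(daemons, clients), ...] from a hosts.allow/hosts.deny-style file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemon_part, client_part = line.split(":", 1)
        daemons = [d.strip() for d in daemon_part.split(",") if d.strip()]
        clients = client_part.split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """Match one client pattern against the peer's host name and IP address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host          # unqualified name: host in the local domain
    if pattern.endswith("."):
        return addr.startswith(pattern)  # network prefix, e.g. 192.168.1.
    if pattern.startswith("."):
        return host.endswith(pattern)   # domain suffix, e.g. .phys.example
    return pattern in (host, addr)      # exact host name or address


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule: Rule, daemon: str, host: str, addr: str) -> bool:
    daemons, clients = rule
    return any(daemon_matches(d, daemon) for d in daemons) and any(
        client_matches(c, host, addr) for c in clients)


def check_access(daemon: str, host: str, addr: str,
                 allow_text: str = HOSTS_ALLOW,
                 deny_text: str = HOSTS_DENY) -> Tuple[bool, str]:
    """Decide whether the wrapper would run the real daemon.

    Order: a hosts.allow match grants, then a hosts.deny match refuses,
    otherwise access is granted. Returns (allowed, constructed log line);
    a real wrapper would send the line to syslog instead of returning it.
    """
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, host, addr):
            return True, f"{daemon}: connect from {host} [{addr}]"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, host, addr):
            return False, f"{daemon}: refused connect from {host} [{addr}]"
    return True, f"{daemon}: connect from {host} [{addr}]"


if __name__ == "__main__":
    for args in (("in.telnetd", "ws12.phys.example", "192.168.1.7"),
                 ("in.ftpd", "ws12", "10.0.0.5"),
                 ("in.telnetd", "far.example.net", "203.0.113.9"),
                 ("in.rshd", "ws12", "10.0.0.5")):
        allowed, logline = check_access(*args)
        print("ALLOW" if allowed else "DENY ", logline)
```

The point the model makes explicit is the one both replies describe: the decision is taken by the wrapper before the service process exists, so a refused connection never reaches telnetd or ftpd at all, and every decision, granted or refused, produces a log line naming the daemon and the peer.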

------------------------------------------------------------------------
FROM: Shari skinner_at_zko.dec.com

Try ftp://ftp.win.tue.nl/pub/security/index.html


------------------------------------------------------------------------

Again, many thanks for the replies and tips



Dave

--
Clinical Account Manager, Information Systems
Healthcare Otago (Dunedin NZ)
Ph internal: 8453 External: 64-3-4747699
email: daveb_at_healthotago.co.nz
Pretentious quote of the week:
>"The first step on the  road to wisdom is the admission of ignorance. The
>second step is realising that you don't have to blab it to the world"
Joseph C Giarratano
Received on Sun Nov 03 1996 - 23:26:28 NZDT
