From: Ramon Pasetes [rayp@frosty.fnal.gov]
Sent: Friday, July 16, 1999 10:29 AM
To: oss-dept@fnal.gov
Cc: kaletka@fnal.gov
Subject: tcp_wrappers with banners
This message is to sum up all the information we have on tcp_wrappers with banners.
1) A new version of the tcp_wrapper product, tcp_wrapper v7_6_banners, has been placed in KITS and is available via upd.
2) If you install this product in a cluster, you will need to do a ups current tcp_wrapper on all other systems in the cluster since executables are copied into local system areas.
3) There is an INSTALL_NOTE under the ups directory of the product which gives information on configuring tcp_wrapper on your system as well as setting them up to use the DOE banners for Fermilab. There are example access files also in case you just want to slap something in without thinking about it too much.
4) The banners will be installed in /etc/banners. There is a known problem with placing a banner on rsh. Therefore, we have removed the rshd banner from the distributed product.
5) Other notes: For IRIX 6.2 systems, once you send a HUP signal to inetd, it could take a while for the changes in /etc/inetd.conf to take effect (as long as 60 seconds). In some cases, during this time, connections may be refused from the wrapped service. This isn't the fault of the wrappers, it's SGI's code for inetd.
If you have customized /etc/hosts.allow and /etc/hosts.deny files already, DO NOT replace them with the sample files in the product. You will have to merge the changes.
You need to use an /etc/hosts.allow and /etc/hosts.deny file in order to get the banners.
Since some services such as ssh and rsh can not have banners, you should also place the DOE message in the /etc/motd and/or /etc/issue file. This will also handle the case for people logging in via the console.
Below is the text from the tcp_wrapper v7_6_banners INSTALL_NOTE:
TCP_WRAPPERS v7_6_banners Installation Notes
This is tcp_wrapper version 7_6 with prebuilt banners for Fermilab.
To install:
1) Declare product as current. You should have seen the safe_finger, tcpd, tcpdchk, tcpdmatch, and try-from copied to your system area. The system areas for each OS are listed below:
Default System Areas
IRIX+6 : /usr/etc
SunOS+5: /usr/sbin
AIX+4 : /usr/sbin
OSF1+V4: /usr/sbin
2) Banner files should have been created under /etc/banners.
3) To wrap a service, edit your inetd.conf file so that tcpd is executed first instead of the actual service you are wrapping. The last field of the entry in inetd.conf should be the actual service you wish to start along with any arguments.
Example: wrapping telnetd
Original inetd.conf line for telnetd:
telnet stream tcp nowait root /usr/etc/telnetd telnetd
Wrapped inetd.conf line for telnetd:
telnet stream tcp nowait root /usr/etc/tcpd telnetd
Notice that in the 6th field, tcpd is now being executed. The 7th field is telnetd, the actual service we want.
4) By default, tcpd looks for the service to run in the system area. Should your service not be in the normal system area, then you must specify full path in the last field.
Example: wrapping a service not in normal system area
ftp stream tcp nowait root /usr/etc/tcpd /usr/local/etc/wu-ftpd
Note that in the last field, the full path to the service had to be included.
5) We suggest that the following services be wrapped: telnet, rsh, rlogin, finger, ftp and rexec. If you can turn any of these services off, that would be even better.
6) Send a HUP signal to the inetd.
-------------------------------------------------------------------------
Setting up the Banners
Banners are provided for the following services: telnet, rlogin, fingerd and ftp. Rexec does not have a banner since it is not an interactive program. Rsh does not have a banner by default since we have found this to break certain utilities like fmb. If you place banners on rsh you may run into problems. As the Banners.Makefile suggests, place a banner on rsh if you plan on restricting access to it. To set up banners, you need to place entries in the /etc/hosts.allow and/or /etc/hosts.deny file(s).
/etc/hosts.allow : Explicit list of hosts allowed to access the wrapped service
/etc/hosts.deny: Explicit list of hosts NOT allowed to access the wrapped service
****** The default behavior for tcp_wrappers is to allow hosts access to a service unless specifically denied in the /etc/hosts.deny file.
****** A sample hosts.allow file and hosts.deny file have been provided in the /etc/banners area. By default, these files allow all sites access to the system, except finger.
****** Finger is restricted to allow fnal.gov sites only.
The syntax in the files would be: <service>: <HOST_MATCH> : banners /etc/banners
Example: Placing a banner on telnetd (for an IRIX machine)
telnetd: ALL : banners /etc/banners
If the above line were placed in the /etc/hosts.allow file, then ALL systems trying to connect to your system will see the banner and then receive a login prompt.
If the above line were placed in the /etc/hosts.deny file, then ALL systems trying to connect to your system will see the banner and then get a "connection closed". They would not be permitted to log in.
Example: Placing a banner on telnetd with .fnal.gov access to service only
In /etc/hosts.allow
telnetd: .fnal.gov : banners /etc/banners
In /etc/hosts.deny
telnetd: ALL except .fnal.gov : banners /etc/banners
In the above example, all hosts coming in from fnal.gov will be allowed access into the system via telnetd. They will also see the banner.
The /etc/hosts.deny file is used to 1) show banners to non-fnal.gov sites and 2) deny these sites access to the telnet service.
For a complete list of all the options available to you with tcp_wrappers, please consult the man pages: hosts_access(3), hosts_access(5), hosts_options(5), tcpd(8), tcpdchk(8), tcpdmatch(8).
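The hosts.allow / hosts.deny evaluation order and the patterns used in the examples above (ALL, a leading-dot domain, ALL except ..., and the banners option), as an added Python model that is not part of the original message or of the tcp_wrappers product. It assumes the per-daemon banner file is named after the daemon inside the banners directory, as hosts_options(5) specifies, and uses constructed rule text rather than reading the real files.

```python
import re

# The "banners /some/dir" option from hosts_options(5).
BANNER_OPT = re.compile(r"^banners\s+(\S+)$", re.IGNORECASE)

def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients, options) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                              # malformed entry: tcpd logs and ignores it
        rules.append((fields[0], fields[1], fields[2:]))
    return rules

def match_item(pattern, name):
    """One pattern: ALL, a '.domain' suffix, or an exact name (case-insensitive)."""
    pattern, name = pattern.strip().lower(), name.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):                   # ".fnal.gov" matches frosty.fnal.gov
        return name.endswith(pattern)
    return name == pattern

def match_list(field, name):
    """'ALL except .fnal.gov': some item must match and no EXCEPT item may match."""
    head, *rest = re.split(r"\s+except\s+", field, maxsplit=1, flags=re.IGNORECASE)
    items = [p for p in re.split(r"[\s,]+", head.strip()) if p]
    if not any(match_item(p, name) for p in items):
        return False
    return not (rest and match_list(rest[0], name))

def check_access(daemon, client, allow_text, deny_text):
    """Return (allowed, banner_file). hosts.allow is searched first, then hosts.deny;
    the first matching rule wins, and a client matching neither file is allowed."""
    for rules, verdict in ((parse_rules(allow_text), True), (parse_rules(deny_text), False)):
        for daemons, clients, options in rules:
            if match_list(daemons, daemon) and match_list(clients, client):
                banner = None
                for opt in options:
                    m = BANNER_OPT.match(opt)
                    if m:                         # tcpd would print <dir>/<daemon> first
                        banner = f"{m.group(1).rstrip('/')}/{daemon}"
                return verdict, banner
    return True, None

# Constructed rule text: the ".fnal.gov only" telnetd example from the note above.
HOSTS_ALLOW = "telnetd: .fnal.gov : banners /etc/banners\n"
HOSTS_DENY = "telnetd: ALL except .fnal.gov : banners /etc/banners\n"
```

check_access("telnetd", "frosty.fnal.gov", HOSTS_ALLOW, HOSTS_DENY) returns the allowed verdict with the banner, while an off-site client is shown the same banner and then refused; a daemon with no rule at all falls through to the default allow with no banner.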