These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/TCPWrappers Advanced Usage


There may be additional fields after the second field already described. These may be zero or more fields of shell commands, plus the fields allow or deny. The allow field causes the service to be allowed, assuming that the service and host match. Similarly, the deny field causes the service to be denied. These enable the lines of /etc/hosts.allow and /etc/hosts.deny to be combined into a single file if desired.

The shell commands may be used in any way desired, such as logging or generating alarms. A clever use of this is to booby-trap denied services. This could mean alerting you when someone attempts to use a service and is denied, or implementing a honey pot or tarpit.

Typical usage would be to add the following to the /etc/hosts.deny file. Note that the alert is mailed to the System Administrator's work and home e-mail accounts in this example. Also note that the e-mail could be sent to the address of a System Administrator's pager.

 ALL: ALL: \
   spawn=(/usr/sbin/safe_finger -l @%h | \
   /bin/mail -s DENIEDdefault_%h/%d/%a/U=%u \
   hart@physics.arizona.edu criswell@geekcomix.com \
   ) &:deny

A "%" character introduces an expansion sequence. Expansions may be used as often as desired. The following expansions are recognized:

 %a   The client's numeric address
 %A   The server's numeric address
 %c   The user@client.system.com
 %d   The daemon program name
 %h   The client host name
 %H   The server host name
 %p   The server's PID
 %s   The daemon@server.system.com
 %u   The client user's name, if supplied by ident
 %%   The "%" character

The tcpd program is even smart enough to replace any characters in the "%" expansion that might be special to the shell with underscores. This means that it cannot be easily used as an entry point to your system. Also note that, unlike the regular finger program, safe_finger will resist attacks from the cracker system, such as buffer overflow attacks and non-ASCII characters.
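The POSIX shell script below is an added example; it is not part of these classnotes and not code from the tcp_wrappers distribution. It serves two passages at once: the hosts.deny spawn example above, and the description of the "%" expansions and the underscore replacement tcpd applies to them. It models that expansion and sanitization in plain sh so you can see exactly what reaches the spawned shell when a client's reverse-DNS name carries shell metacharacters, and it supplies a small logging helper that a spawn option could call instead of mailing a finger report. The variable names (CLIENT_ADDR, CLIENT_HOST, and so on), the script path /usr/local/sbin/log-denied, the exact safe-character set, and the simplified form of %c are all assumptions of this example.

```shell
#!/bin/sh
# Added example: a POSIX sh model of tcpd's "%" expansion and sanitization,
# plus a logging helper for a hosts.deny spawn option. Not tcp_wrappers code.

# Sanitize one expansion value the way tcpd does: anything outside a small
# safe set becomes "_". The safe set below is an assumption modelled on
# tcpd's behaviour, not copied from its source.
tcpd_sanitize() {
    printf '%s\n' "$1" | LC_ALL=C sed 's|[^A-Za-z0-9@./=+,:_-]|_|g'
}

# Expand %a %A %c %d %h %H %p %s %u %% in the template $1. The values come
# from the shell variables CLIENT_ADDR, SERVER_ADDR, DAEMON, CLIENT_HOST,
# SERVER_HOST, SERVER_PID and CLIENT_USER (assumed names; real tcpd takes
# them from the connection). Each value is sanitized before substitution,
# so the template itself is trusted and only the data is cleaned.
tcpd_expand() {
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character of $rest
        rest=${rest#?}                 # drop it
        if [ "$c" = "%" ] && [ -n "$rest" ]; then
            k=${rest%"${rest#?}"}
            rest=${rest#?}
            case $k in
                a) v=$CLIENT_ADDR ;;
                A) v=$SERVER_ADDR ;;
                c) v=${CLIENT_USER:-unknown}@$CLIENT_HOST ;;   # simplified %c
                d) v=$DAEMON ;;
                h) v=$CLIENT_HOST ;;
                H) v=$SERVER_HOST ;;
                p) v=$SERVER_PID ;;
                s) v=$DAEMON@$SERVER_HOST ;;
                u) v=${CLIENT_USER:-unknown} ;;
                %) out="$out%"; continue ;;
                *) out="$out%$k"; continue ;;    # unknown sequence kept as-is
            esac
            out="$out$(tcpd_sanitize "$v")"
        else
            out="$out$c"
        fi
    done
    printf '%s\n' "$out"
}

# Logging helper meant to be spawned from a combined hosts.allow, e.g.
#   sshd : 192.0.2. : allow
#   ALL : ALL : spawn (/usr/local/sbin/log-denied /var/log/tcpd-denied %d %a %h %u) & : deny
# (path and log file are assumptions). Appends one timestamped line to the
# log file named in $1. Both %a and %h are recorded because the reverse-DNS
# name (%h) is under the remote side's control while the address is what
# tcpd actually saw.
log_denied() {
    logfile=$1; daemon=$2; addr=$3; host=$4; user=$5
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    printf '%s DENIED daemon=%s client=%s host=%s user=%s\n' \
        "$stamp" "$daemon" "$addr" "$host" "$user" >> "$logfile"
}

# Demonstration with constructed values: a hostile client host name that
# carries shell metacharacters, which the sanitizer turns into underscores.
CLIENT_ADDR=192.0.2.10 SERVER_ADDR=192.0.2.1 DAEMON=in.telnetd
CLIENT_HOST='evil.example;rm -rf /' SERVER_HOST=gw.example
SERVER_PID=4242 CLIENT_USER=mallory

demo() {
    tcpd_expand 'DENIED_%d from %u@%h (%a) on %H pid %p 100%%'
}
demo
```

Run it as `sh script.sh`: the demonstration prints the expanded subject line with the injected `;rm -rf /` reduced to `_rm_-rf_/`, which is why the mail subject in the spawn example above can safely include %h. The helper writes a line that is easy to grep or feed to a log monitor, unlike a mailed finger report.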



Last edited June 21, 2003 2:26 pm
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.