[ILUG] Ubuntu and inet.d

Badger badger at scattermail.com
Mon Aug 28 17:07:16 IST 2006


On Mon, Aug 28, 2006 at 01:36:12PM +0100, Kevin Philp wrote:
> So far I have installed Apache2, Mysql, SSH, Postfix, NIS, NFS and Squid and 
> the configuration is still empty. Am I missing something? This was originally 
> a default desktop installation. They were all installed with sudo aptitude 
> install XXXXX
> 
> Kevin.
> 

This area of access control is a bit complicated, so bear with me and
I'll try and impart my (relatively basic) understanding of it.

First off, the files hosts.allow and hosts.deny are a part of the
Tcp Wrappers package not the Inetd package. They come into play when
using inetd through the use of the tcpd program. So, if you wanted to 
apply access control to an rsync daemon, you would specify the program
to call as "/usr/sbin/tcpd /sbin/rsyncd --daemon" in your inetd.conf.

Now, the tcpd program is not the only way to get tcp-wrappers to carry
out access control checks on incoming connections. The tcp-wrappers
package also ships with a library called libwrap. A standalone server
(such as SSH, MySQL, or Apache2), which is a server that doesn't use
inetd can still avail of the Tcp Wrappers access control by using the
libwrap library. For instance, on my system (fedora), the sshd daemon
was built to use Tcp Wrappers via the libwrap library. This allows me to
write something like this in my hosts.deny file to deny access from a
particular host on my network:

    sshd: 172.16.55.5

Then when I try and connect from that machine I am denied access (mind
you, if truth be told, I never actually use this stuff in practice). 

If you want to find out what other servers are compiled with support for
Tcp Wrappers - and hence, that can have access controlled by hosts.allow
and hosts.deny - I recommend that you check their library dependencies
using the ldd tool. To test sshd for example do:

$ ldd /usr/sbin/sshd
        linux-gate.so.1 =>  (0xffffe000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7f20000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7f18000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7f14000)
        ....

You're looking for libwrap obviously. There may be some other way to
find out, but this is what I'd do.

Incidentally, Inetd (and even Xinetd) have been found buggy and
susceptible to various security exploits in the past. You will find that
most servers (Apache, sshd, etc) are standalone servers, but every now
and then you will come across servers that do use inetd (or xinetd)
which is probably why it was installed on your machine. Examples of
servers which use inetd on my machine are cupsd (print server), rsyncd,
and many of the kerberos servers (klogin, etc). Personally, I wouldn't
expose any such servers on an Internet facing machine without giving it
a whole lot of thought, but I'm fairly risk averse.

- badge
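The post above explains where hosts.allow and hosts.deny come from and shows one deny rule, but not how tcpd/libwrap actually evaluates the two files. The script below is an added example (not part of the original message, and not code from the tcp_wrappers project): a small model of the hosts_access(5) decision order, written from the documented semantics. Access is granted if any hosts.allow rule matches, denied if any hosts.deny rule matches, and granted otherwise, which is why an empty pair of files denies nothing. It handles ALL, exact addresses, trailing-dot prefixes, net/mask pairs (dotted masks only) and the EXCEPT operator; hostname lookups, KNOWN/UNKNOWN/PARANOID and the optional shell-command field are left out. The sample hosts.allow and hosts.deny contents are constructed for the example and are not from the poster's system.

```python
"""Model of how tcp_wrappers (tcpd / libwrap) evaluates hosts.allow and hosts.deny.

Added example, not from the original post.  Assumes IPv4 addresses only and
the rule forms named in the lead-in; other keywords are treated as no match.
"""
import ipaddress


def parse_rules(text):
    """Return (daemon_list, client_list) pairs from one access-control file.

    Comments and blank lines are skipped; a third (shell command) field is
    ignored.  Backslash line continuation is not handled in this model.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))
    return rules


def _match_client(token, ip):
    """One client pattern against a dotted-quad address, per hosts_access(5)."""
    if token == "ALL":
        return True
    if token.endswith("."):                 # "172.16." matches 172.16.x.y
        return ip.startswith(token)
    if "/" in token:                        # "172.16.0.0/255.255.0.0"
        net, mask = token.split("/", 1)
        net_i = int(ipaddress.IPv4Address(net))
        mask_i = int(ipaddress.IPv4Address(mask))
        return int(ipaddress.IPv4Address(ip)) & mask_i == net_i
    return token == ip                      # exact address


def _match_daemon(token, daemon):
    return token == "ALL" or token == daemon


def _match_list(pattern, value, match_token):
    """Items are separated by blanks or commas.  'a EXCEPT b EXCEPT c' is
    parsed as 'a EXCEPT (b EXCEPT c)', as the manual page describes."""
    head, sep, tail = pattern.partition(" EXCEPT ")
    hit = any(match_token(tok, value) for tok in head.replace(",", " ").split())
    if sep:
        return hit and not _match_list(tail, value, match_token)
    return hit


def _rule_matches(daemon, ip, daemon_list, client_list):
    return (_match_list(daemon_list, daemon, _match_daemon)
            and _match_list(client_list, ip, _match_client))


def decide(daemon, ip, allow_text, deny_text):
    """Return 'allow' or 'deny' for (daemon, client ip).

    Order matters: hosts.allow wins first, then hosts.deny, then default allow.
    """
    if any(_rule_matches(daemon, ip, d, c) for d, c in parse_rules(allow_text)):
        return "allow"
    if any(_rule_matches(daemon, ip, d, c) for d, c in parse_rules(deny_text)):
        return "deny"
    return "allow"


# Constructed sample policy (not from the poster's machine): default-deny in
# hosts.deny, with the local /16 let in to sshd except one host, and to rsyncd.
HOSTS_ALLOW = """
# constructed sample hosts.allow
sshd: 172.16. EXCEPT 172.16.55.5
rsyncd: 172.16.0.0/255.255.0.0
"""

HOSTS_DENY = """
# constructed sample hosts.deny
ALL: ALL
"""

if __name__ == "__main__":
    for daemon, ip in [("sshd", "172.16.1.10"), ("sshd", "172.16.55.5"),
                       ("sshd", "10.0.0.1"), ("rsyncd", "172.16.55.5"),
                       ("cupsd", "172.16.1.10")]:
        print(f"{daemon:7s} {ip:13s} -> {decide(daemon, ip, HOSTS_ALLOW, HOSTS_DENY)}")
```

The model also reproduces the post's single-rule case: with an empty hosts.allow and `sshd: 172.16.55.5` in hosts.deny, that one host is refused and every other address is still let in, because nothing matched in either file. A default-deny line (`ALL: ALL` in hosts.deny) is what turns the files into a real allow-list. None of this applies to a daemon that is neither started through tcpd nor linked against libwrap, which is the point of the ldd check above.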