Tuesday, October 6, 2009

Linux Security Notes 6: Xinetd & TCPWrappers

Securing the xinetd services

Securing xinetd, with Telnet as the example:

Checking which services are disabled inside xinetd
# cd /etc/xinetd.d/
# grep disable *

    This prints the "disable" directive of every service file in the xinetd.d directory; the entries showing "disable = yes" are the disabled services.

Enabling Telnet in xinetd (Telnet is outdated and has been fully replaced by SSH, but it gives a good picture of how xinetd services are secured).
    Change the "disable" directive to "no" or comment it out so that the service is enabled when xinetd starts.
The directives that apply to all daemons defined in xinetd are configured in /etc/xinetd.conf, which is called the global configuration (the "defaults" block).
Eg:- the maximum number of simultaneous instances of a service (instances = 50), the logging target (log_type = SYSLOG authpriv; check the syslog configuration to find where the authpriv facility is written), and the rate limit on incoming connections (cps = 25 30: at most 25 connections per second, after which the service is disabled for 30 seconds). Any of these can be overridden in the individual service file under /etc/xinetd.d/.

Securing Telnet (the same procedure applies to other xinetd services):

Step 1:
    Telnet displays /etc/issue.net as the "banner" when a user connects. Replace it with a security warning and remove superfluous information such as the OS version or patch level (running in.telnetd with -h additionally suppresses the host details it prints before login).
Step 2:
    Use /etc/securetty to restrict the terminals on which root may log in. Telnet sessions arrive on pseudo-terminals (pts/N); if those are not listed, root cannot log in directly over telnet and has to use an ordinary account and su.
Step 3:
    Add the following directive to the telnet daemon configuration file.
# vim /etc/xinetd.d/telnet
------
only_from = 192.168.10.1
# or, if more hosts need to be allowed
only_from = 192.168.10.1 192.168.10.2 host2 10.0.0.1

------
    This makes the telnet service accessible only from 192.168.10.1. Even access from localhost is granted only if 127.0.0.1 is listed in the directive; otherwise xinetd denies the request from localhost. (Network ranges such as 192.168.10.0/24 and host names are accepted as well.)
Step 4:
    Allow access to the service only at given times
-----
# access_times = hour:min-hour:min  (one or more intervals, separated by spaces)
 access_times  = 20:00-20:20

-----
    This makes the service available only between 20:00 and 20:20; any request arriving outside that window is rejected.
-------
# makes the service unavailable between 10:30 AM and 4:30 PM
 access_times  = 00:00-10:30 16:30-23:59
-------
    Note that xinetd has no time-based deny directive: no_access takes a list of hosts (the opposite of only_from), not a time range, so a blackout period is expressed by listing the allowed windows around it.
Note:-
    xinetd logs to the "authpriv" facility (the log_type directive in xinetd.conf), and on a Red Hat-style syslog configuration authpriv is written to /var/log/secure. What gets logged for accepted and refused connections is controlled by log_on_success and log_on_failure.

Step 5:
    Change the standard port to a non-standard port
------
port = 23354
------
    This moves the service to the new port. Because telnet is listed in /etc/services on port 23, xinetd rejects a conflicting "port" value unless the service is also declared type = UNLISTED with its protocol given explicitly (protocol = tcp). This only makes the service slightly harder for an attacker to find; a port scan still reveals it, so treat it as obscurity on top of real controls, never as a control on its own (always keep in mind that security should be implemented in layers).
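Putting the five steps together, here is what a hardened /etc/xinetd.d/telnet could look like. This is an added example for this post, not a file shipped by any distribution: the addresses, time windows, port number and limits are assumptions, and the service-level limits override the global values from /etc/xinetd.conf for this service only.

```conf
service telnet
{
        # enabled on purpose; keep "yes" unless telnet is really needed
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        # -h suppresses the host details in.telnetd prints before login (Step 1)
        server_args     = -h
        log_on_failure  += USERID
        # Step 3: source restriction; 127.0.0.1 must be listed or localhost is refused
        only_from       = 127.0.0.1 192.168.10.1 192.168.10.2
        # Step 4: allowed windows; requests outside them are rejected
        access_times    = 08:00-10:30 16:30-20:00
        # Step 5: non-standard port; UNLISTED is required because /etc/services binds telnet to 23
        type            = UNLISTED
        protocol        = tcp
        port            = 23354
        # per-service overrides of the global defaults
        instances       = 10
        cps             = 5 60
}
```

After editing, reload xinetd (it re-reads its configuration on SIGHUP) and check /var/log/secure: a parse error in the service file is reported there, and a rejected connection from an address outside only_from or a time outside access_times shows up as a FAIL line for the service.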

TCPWrappers: (another layer of security)

Security layers that are applied to a xinetd service:

TCPWrappers(source address) -> XINETD(timing / connecting address) -> TELNET(credentials) (/usr/sbin/in.telnetd)
Or
XINETD(timing / connecting address) -> TCPWrappers(source address) -> TELNET(credentials) (/usr/sbin/in.telnetd)

    These are three layers of security, and a fourth layer can be added in front of them with iptables. On Linux xinetd is built against libwrap, so the wrapper check runs inside xinetd itself (no separate tcpd process is spawned); the name matched against hosts.allow/hosts.deny is, by default, the basename of the service's "server" attribute, here in.telnetd.

TCPWrappers relies upon two files:
/etc/hosts.allow
/etc/hosts.deny

    TCPWrappers reads /etc/hosts.allow first; if a rule matches, access is granted and hosts.deny is not consulted. If no rule matches, it reads /etc/hosts.deny, and a match there denies access. If there is no match in either file, access to the daemon is permitted, so a system with an empty hosts.deny wraps nothing.
Note:-
    Usually the specific rules are defined in hosts.allow and a catch-all rule ("ALL: ALL") is defined in hosts.deny. The files are read on every connection attempt, so a change takes effect immediately without restarting any daemon.

Editing /etc/hosts.allow
---------
#syntax
#daemon_list : client_list [: shell_command]
in.telnetd :    192.168.1.10

---------
    This permits access from the host 192.168.1.10 to telnet.
Editing /etc/hosts.deny
-----
#daemon_list : client_list
in.telnetd :    ALL

-----
    This makes the telnet service deny everyone else.
Now in the above scenario, when a new connection arrives at the telnet service, TCPWrappers checks the hosts.allow file first. The rule for IP 192.168.1.10 allows the connection, so TCPWrappers accepts the request from that source. A request from any other source address is denied, because hosts.deny holds a catch-all rule for in.telnetd. Overall only 192.168.1.10 is allowed: TCPWrappers processes hosts.allow first, then hosts.deny.
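To make the allow-then-deny-then-default-permit order concrete, the following script reproduces that decision for a small subset of the rule syntax and runs it against constructed copies of the two files. It is an added example written for this post, not libwrap's own code: the sample rules (including an extra sshd line), the temp-file layout and the function names are assumptions, and the script shows why a deny file that only names in.telnetd still lets every other daemon through.

```shell
#!/bin/sh
# Added example: reproduces the decision order of TCP Wrappers (libwrap's
# hosts_access) for a subset of the rule syntax. Not libwrap's own code.
#   1. hosts.allow is read; the first matching rule grants access.
#   2. otherwise hosts.deny is read; the first matching rule denies access.
#   3. no match in either file: access is granted (default permit).
# Supported subset: daemon_list and client_list are comma/space separated;
# a daemon entry is ALL or an exact name (in.telnetd); a client entry is ALL,
# an exact IPv4 address, or a prefix ending in "." (10.0.0. = 10.0.0.0/24).
# EXCEPT, host names and the optional shell_command field are not handled.

# match_list LIST TOKEN -> status 0 if TOKEN matches an entry in LIST
match_list() {
    _list=$1; _tok=$2
    for _pat in $(printf '%s' "$_list" | tr ',' ' '); do
        case $_pat in
            ALL) return 0 ;;
            *.)  case $_tok in "$_pat"*) return 0 ;; esac ;;
            *)   if [ "$_pat" = "$_tok" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> status 0 if some rule in FILE matches
file_matches() {
    _file=$1; _daemon=$2; _client=$3
    [ -r "$_file" ] || return 1
    while IFS=: read -r _dlist _clist _rest; do
        # skip blank lines and comments (leading whitespace tolerated)
        case $(printf '%s' "$_dlist" | tr -d ' \t') in ''|\#*) continue ;; esac
        if match_list "$_dlist" "$_daemon" && match_list "$_clist" "$_client"; then
            return 0
        fi
    done < "$_file"
    return 1
}

# hosts_access DAEMON CLIENT ALLOWFILE DENYFILE -> prints allow / deny / default-allow
hosts_access() {
    if file_matches "$3" "$1" "$2"; then
        echo allow
    elif file_matches "$4" "$1" "$2"; then
        echo deny
    else
        echo default-allow
    fi
}

# Constructed sample files (written to a temp dir, not the real /etc files),
# mirroring the rules from the post plus an sshd rule to show the default.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
ALLOW=$TMP/hosts.allow
DENY=$TMP/hosts.deny
cat > "$ALLOW" <<'EOF'
# daemon_list : client_list [: shell_command]
in.telnetd : 192.168.1.10
sshd       : 10.0.0.
EOF
cat > "$DENY" <<'EOF'
in.telnetd : ALL
EOF

for pair in in.telnetd/192.168.1.10 in.telnetd/192.168.1.11 sshd/10.0.0.7 sshd/172.16.0.1; do
    d=${pair%/*}; c=${pair#*/}
    printf '%-11s from %-13s -> %s\n' "$d" "$c" "$(hosts_access "$d" "$c" "$ALLOW" "$DENY")"
done
```

The last line of output is the one to notice: sshd from 172.16.0.1 is allowed although it appears nowhere in hosts.allow, because hosts.deny only covers in.telnetd. That is why the catch-all in hosts.deny should be ALL: ALL rather than one line per daemon.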
