Date: Thu, 17 Apr 2014 17:05:53 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44593 - head/en_US.ISO8859-1/books/handbook/security
Message-ID: <201404171705.s3HH5rhs047488@svn.freebsd.org>
Author: dru Date: Thu Apr 17 17:05:53 2014 New Revision: 44593 URL: http://svnweb.freebsd.org/changeset/doc/44593 Log: Editorial review of TCP Wrapper chapter. Change application name to singular. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 16 21:07:48 2014 (r44592) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 17 17:05:53 2014 (r44593) @@ -51,7 +51,7 @@ </listitem> <listitem> - <para>How to configure <acronym>TCP</acronym> Wrappers for use + <para>How to configure <application>TCP Wrapper</application> for use with &man.inetd.8;.</para> </listitem> @@ -866,7 +866,7 @@ Enter secret pass phrase: <userinput>< <sect1 xml:id="tcpwrappers"> <info> - <title>TCP Wrappers</title> + <title>TCP Wrapper</title> <authorgroup> <author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written 
@@ -874,55 +874,61 @@ Enter secret pass phrase: <userinput>< </authorgroup> </info> - <indexterm><primary>TCP Wrappers</primary></indexterm> + <indexterm><primary>TCP Wrapper</primary></indexterm> - <para><acronym>TCP</acronym> Wrappers extends the abilities of - <xref linkend="network-inetd"/> to provide support for every - server daemon under its control. It can be configured - to provide logging support, return messages to connections, and - permit a daemon to only accept internal connections. While some - of these features can be provided by implementing a firewall, - <acronym>TCP</acronym> Wrappers adds an extra layer of - protection and goes beyond the amount of control a firewall can - provide.</para> + <para><application>TCP Wrapper</application> is a host-based + access control system which extends the abilities of + <xref linkend="network-inetd"/>. It can be configured + to provide logging support, return messages, and + connection restrictions for the + server daemons under the control of + <application>inetd</application>. Refer to &man.tcpd.8; for + more information about + <application>TCP Wrapper</application> and its features.</para> - <para><acronym>TCP</acronym> Wrappers should not be considered a + <para><application>TCP Wrapper</application> should not be considered a replacement for a properly configured firewall. - <acronym>TCP</acronym> Wrappers should be used in conjunction - with a firewall and other security enhancements.</para> + Instead, <application>TCP Wrapper</application> should be used in conjunction + with a firewall and other security enhancements in order to + provide another layer of protection in the implementation of a + security policy.</para> <sect2> <title>Initial Configuration</title> - <para>To enable <acronym>TCP</acronym> Wrappers in &os;, ensure - the &man.inetd.8; server is started from - <filename>/etc/rc.conf</filename> with - <option>-Ww</option>. 
Then, properly configure + <para>To enable <application>TCP Wrapper</application> in &os;, + add the following lines to + <filename>/etc/rc.conf</filename>:</para> + + <programlisting>inetd_enable="YES" +inetd_flags="-Ww"</programlisting> + + <para>Then, properly configure <filename>/etc/hosts.allow</filename>.</para> <note> - <para>Unlike other implementations of <acronym>TCP</acronym> - Wrappers, the use of <filename>hosts.deny</filename> has - been deprecated. All configuration options should be placed + <para>Unlike other implementations of + <application>TCP Wrapper</application>, the use of <filename>hosts.deny</filename> is + deprecated in &os;. All configuration options should be placed in <filename>/etc/hosts.allow</filename>.</para> </note> <para>In the simplest configuration, daemon connection policies - are set to either be permitted or blocked depending on the + are set to either permit or block, depending on the options in <filename>/etc/hosts.allow</filename>. The default - configuration in &os; is to allow a connection to every daemon - started with &man.inetd.8;.</para> + configuration in &os; is to allow all connections to the daemons + started with <application>inetd</application>.</para> <para>Basic configuration usually takes the form of <literal>daemon : address : action</literal>, where - <literal>daemon</literal> is the daemon which &man.inetd.8; + <literal>daemon</literal> is the daemon which <application>inetd</application> started, <literal>address</literal> is a valid hostname, <acronym>IP</acronym> address, or an IPv6 address enclosed in brackets ([ ]), and <literal>action</literal> is either <literal>allow</literal> or <literal>deny</literal>. - <acronym>TCP</acronym> Wrappers uses a first rule match - semantic, meaning that the configuration file is scanned in - ascending order for a matching rule. 
When a match is found, + <application>TCP Wrapper</application> uses a first rule match + semantic, meaning that the configuration file is scanned + from the beginning for a matching rule. When a match is found, the rule is applied and the search process stops.</para> <para>For example, to allow <acronym>POP</acronym>3 connections @@ -933,8 +939,8 @@ Enter secret pass phrase: <userinput>< <programlisting># This line is required for POP3 connections: qpopper : ALL : allow</programlisting> - <para>After adding this line, &man.inetd.8; needs to be - restarted:</para> + <para>Whenever this file is edited, restart + <application>inetd</application>:</para> <screen>&prompt.root; <userinput>service inetd restart</userinput></screen> </sect2> @@ -942,7 +948,7 @@ qpopper : ALL : allow</programlisting> <sect2> <title>Advanced Configuration</title> - <para><acronym>TCP</acronym> Wrappers provides advanced options + <para><application>TCP Wrapper</application> provides advanced options to allow more control over the way connections are handled. In some cases, it may be appropriate to return a comment to certain hosts or daemon connections. In other cases, a log @@ -950,15 +956,12 @@ qpopper : ALL : allow</programlisting> administrator. Other situations may require the use of a service for local connections only. This is all possible through the use of configuration options known as - <literal>wildcards</literal>, expansion characters and + wildcards, expansion characters, and external command execution.</para> - <sect3> - <title>External Commands</title> - <para>Suppose that a situation occurs where a connection should be denied yet a reason should be sent to the - individual who attempted to establish that connection. That + host who attempted to establish that connection. That action is possible with <option>twist</option>. When a connection attempt is made, <option>twist</option> executes a shell command or script. An example exists in 
@@ -970,9 +973,9 @@ ALL : ALL \ : twist /bin/echo "You are not welcome to use %d from %h."</programlisting> <para>In this example, the message <quote>You are not allowed - to use <literal>daemon</literal> from - <literal>hostname</literal>.</quote> will be returned for - any daemon not previously configured in the access file. + to use <replaceable>daemon name</replaceable> from + <replaceable>hostname</replaceable>.</quote> will be returned for + any daemon not configured in <filename>hosts.allow</filename>. This is useful for sending a reply back to the connection initiator right after the established connection is dropped. Any message returned <emphasis>must</emphasis> be wrapped in @@ -980,8 +983,8 @@ ALL : ALL \ <warning> <para>It may be possible to launch a denial of service - attack on the server if an attacker, or group of - attackers, could flood these daemons with connection + attack on the server if an attacker + floods these daemons with connection requests.</para> </warning> @@ -990,9 +993,9 @@ ALL : ALL \ implicitly denies the connection and may be used to run external shell commands or scripts. Unlike <option>twist</option>, <option>spawn</option> will not send - a reply back to the individual who established the + a reply back to the host who established the connection. For example, consider the following - configuration line:</para> + configuration:</para> <programlisting># We do not allow connections from example.com: ALL : .example.com \ 
@@ -1004,46 +1007,38 @@ ALL : .example.com \ class="fqdomainname">*.example.com</systemitem> and log the hostname, <acronym>IP</acronym> address, and the daemon to which access was attempted to - <filename>/var/log/connections.log</filename>.</para> - - <para>This example uses the substitution characters + <filename>/var/log/connections.log</filename>. This example + uses the substitution characters <literal>%a</literal> and <literal>%h</literal>. Refer to &man.hosts.access.5; for the complete list.</para> - </sect3> - <sect3> - <title>Wildcard Options</title> - - <para>The <literal>ALL</literal> option may be used to match - every instance of a daemon, domain, or an - <acronym>IP</acronym> address. Another wildcard is + <para>To match every instance of a daemon, domain, or + <acronym>IP</acronym> address, use <literal>ALL</literal>. Another wildcard is <literal>PARANOID</literal> which may be used to match any host which provides an <acronym>IP</acronym> address - that may be forged. For example, - <literal>PARANOID</literal> may be used to define an action - to be taken whenever a connection is made from an - <acronym>IP</acronym> address that differs from its + that may be forged because the + <acronym>IP</acronym> address differs from its resolved hostname. In this example, all connection requests to - &man.sendmail.8; which have an <acronym>IP</acronym> address + <application>Sendmail</application> which have an <acronym>IP</acronym> address that varies from its hostname will be denied:</para> <programlisting># Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny</programlisting> <caution> - <para>Using the <literal>PARANOID</literal> wildcard may - severely cripple servers if the client or server has a - broken <acronym>DNS</acronym> setup. 
Administrator - discretion is advised.</para> + <para>Using the <literal>PARANOID</literal> wildcard will + result in denied connections if the client or server has a + broken <acronym>DNS</acronym> setup.</para> </caution> <para>To learn more about wildcards and their associated functionality, refer to &man.hosts.access.5;.</para> - <para>Before any of the specific configuration lines above - will work, the first configuration line should be commented + <note> + <para>When adding new configuration lines, make sure that any + unneeded entries for that daemon are commented out in <filename>hosts.allow</filename>.</para> - </sect3> + </note> </sect2> </sect1>