From owner-svn-doc-head@FreeBSD.ORG Thu Apr 17 17:05:54 2014
Return-Path: 
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 677553E1; Thu, 17 Apr 2014 17:05:54 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4814117D4; Thu, 17 Apr 2014 17:05:54 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s3HH5rWh047489; Thu, 17 Apr 2014 17:05:53 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s3HH5rhs047488; Thu, 17 Apr 2014 17:05:53 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201404171705.s3HH5rhs047488@svn.freebsd.org>
From: Dru Lavigne Date: Thu, 17 Apr 2014 17:05:53 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44593 - head/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 17:05:54 -0000 Author: dru Date: Thu Apr 17 17:05:53 2014 New Revision: 44593 URL: http://svnweb.freebsd.org/changeset/doc/44593 Log: Editorial review of TCP Wrapper chapter. Change application name to singular. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Wed Apr 16 21:07:48 2014 (r44592) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 17 17:05:53 2014 (r44593) @@ -51,7 +51,7 @@ - How to configure TCP Wrappers for use + How to configure TCP Wrapper for use with &man.inetd.8;. @@ -866,7 +866,7 @@ Enter secret pass phrase: < - TCP Wrappers + TCP Wrapper TomRhodesWritten 
@@ -874,55 +874,61 @@ Enter secret pass phrase: < - TCP Wrappers + TCP Wrapper - TCP Wrappers extends the abilities of - to provide support for every - server daemon under its control. It can be configured - to provide logging support, return messages to connections, and - permit a daemon to only accept internal connections. While some - of these features can be provided by implementing a firewall, - TCP Wrappers adds an extra layer of - protection and goes beyond the amount of control a firewall can - provide. + TCP Wrapper is a host-based + access control system which extends the abilities of + . It can be configured + to provide logging support, return messages, and + connection restrictions for the + server daemons under the control of + inetd. Refer to &man.tcpd.8; for + more information about + TCP Wrapper and its features. - TCP Wrappers should not be considered a + TCP Wrapper should not be considered a replacement for a properly configured firewall. - TCP Wrappers should be used in conjunction - with a firewall and other security enhancements. + Instead, TCP Wrapper should be used in conjunction + with a firewall and other security enhancements in order to + provide another layer of protection in the implementation of a + security policy. Initial Configuration - To enable TCP Wrappers in &os;, ensure - the &man.inetd.8; server is started from - /etc/rc.conf with - . Then, properly configure + To enable TCP Wrapper in &os;, + add the following lines to + /etc/rc.conf: + + inetd_enable="YES" +inetd_flags="-Ww" + + Then, properly configure /etc/hosts.allow. - Unlike other implementations of TCP - Wrappers, the use of hosts.deny has - been deprecated. All configuration options should be placed + Unlike other implementations of + TCP Wrapper, the use of hosts.deny is + deprecated in &os;. All configuration options should be placed in /etc/hosts.allow. 
In the simplest configuration, daemon connection policies - are set to either be permitted or blocked depending on the + are set to either permit or block, depending on the options in /etc/hosts.allow. The default - configuration in &os; is to allow a connection to every daemon - started with &man.inetd.8;. + configuration in &os; is to allow all connections to the daemons + started with inetd. Basic configuration usually takes the form of daemon : address : action, where - daemon is the daemon which &man.inetd.8; + daemon is the daemon which inetd started, address is a valid hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and action is either allow or deny. - TCP Wrappers uses a first rule match - semantic, meaning that the configuration file is scanned in - ascending order for a matching rule. When a match is found, + TCP Wrapper uses a first rule match + semantic, meaning that the configuration file is scanned + from the beginning for a matching rule. When a match is found, the rule is applied and the search process stops. For example, to allow POP3 connections @@ -933,8 +939,8 @@ Enter secret pass phrase: < # This line is required for POP3 connections: qpopper : ALL : allow - After adding this line, &man.inetd.8; needs to be - restarted: + Whenever this file is edited, restart + inetd: &prompt.root; service inetd restart @@ -942,7 +948,7 @@ qpopper : ALL : allow Advanced Configuration - TCP Wrappers provides advanced options + TCP Wrapper provides advanced options to allow more control over the way connections are handled. In some cases, it may be appropriate to return a comment to certain hosts or daemon connections. In other cases, a log 
@@ -950,15 +956,12 @@ qpopper : ALL : allow administrator. Other situations may require the use of a service for local connections only. This is all possible through the use of configuration options known as - wildcards, expansion characters and + wildcards, expansion characters, and external command execution. - - External Commands - Suppose that a situation occurs where a connection should be denied yet a reason should be sent to the - individual who attempted to establish that connection. That + host who attempted to establish that connection. That action is possible with . When a connection attempt is made, executes a shell command or script. An example exists in @@ -970,9 +973,9 @@ ALL : ALL \ : twist /bin/echo "You are not welcome to use %d from %h." In this example, the message You are not allowed - to use daemon from - hostname. will be returned for - any daemon not previously configured in the access file. + to use daemon name from + hostname. will be returned for + any daemon not configured in hosts.allow. This is useful for sending a reply back to the connection initiator right after the established connection is dropped. Any message returned must be wrapped in @@ -980,8 +983,8 @@ ALL : ALL \ It may be possible to launch a denial of service - attack on the server if an attacker, or group of - attackers, could flood these daemons with connection + attack on the server if an attacker + floods these daemons with connection requests. @@ -990,9 +993,9 @@ ALL : ALL \ implicitly denies the connection and may be used to run external shell commands or scripts. Unlike , will not send - a reply back to the individual who established the + a reply back to the host who established the connection. For example, consider the following - configuration line: + configuration: # We do not allow connections from example.com: ALL : .example.com \ 
@@ -1004,46 +1007,38 @@ ALL : .example.com \ class="fqdomainname">*.example.com and log the hostname, IP address, and the daemon to which access was attempted to - /var/log/connections.log. - - This example uses the substitution characters + /var/log/connections.log. This example + uses the substitution characters %a and %h. Refer to &man.hosts.access.5; for the complete list. - - - Wildcard Options - - The ALL option may be used to match - every instance of a daemon, domain, or an - IP address. Another wildcard is + To match every instance of a daemon, domain, or + IP address, use ALL. Another wildcard is PARANOID which may be used to match any host which provides an IP address - that may be forged. For example, - PARANOID may be used to define an action - to be taken whenever a connection is made from an - IP address that differs from its + that may be forged because the + IP address differs from its resolved hostname. In this example, all connection requests to - &man.sendmail.8; which have an IP address + Sendmail which have an IP address that varies from its hostname will be denied: # Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny - Using the PARANOID wildcard may - severely cripple servers if the client or server has a - broken DNS setup. Administrator - discretion is advised. + Using the PARANOID wildcard will + result in denied connections if the client or server has a + broken DNS setup. To learn more about wildcards and their associated functionality, refer to &man.hosts.access.5;. - Before any of the specific configuration lines above - will work, the first configuration line should be commented + + When adding new configuration lines, make sure that any + unneeded entries for that daemon are commented out in hosts.allow. - +
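Review bot: in the Initial Configuration hunk (@@ -874,55 +874,61 @@), the new rc.conf listing `inetd_enable="YES"` / `inetd_flags="-Ww"` introduces the two flags without saying what they do, whereas the removed sentence at least pointed readers at &man.inetd.8;. Suggest one sentence after the listing, e.g. "The -w flag enables wrapping for external services and -W for the services built into inetd; refer to &man.inetd.8;." so that a reader understands both flags are needed for the rules in hosts.allow to cover every daemon that inetd starts. The same hunk also replaces the &man.inetd.8; entity with plain "inetd" in the intro paragraph; keeping the manpage link on first mention would be consistent with the &man.tcpd.8; reference added right after it.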
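Review bot: the rewritten sentence in @@ -933,8 +939,8 @@, "Whenever this file is edited, restart inetd", turns a one-off instruction into a general rule that is not correct: libwrap consults /etc/hosts.allow on each connection attempt, so edits to that file take effect on the next connection without any restart. What does require `service inetd restart` is the change to `inetd_flags` in /etc/rc.conf made earlier in the section (and inetd must be started at all for the access rules to be consulted). Suggest moving the restart step to follow the rc.conf listing and replacing this sentence with a note that changes to hosts.allow apply immediately.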
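Review bot: the prose in @@ -970,9 +973,9 @@ still disagrees with the listing it describes. The rule reads `twist /bin/echo "You are not welcome to use %d from %h."` while the text says the message "You are not allowed to use daemon name from hostname." will be returned; change "allowed" to "welcome" (or the listing to match). Since the sentence exists to explain the expansions, it would also help to state plainly that `%d` expands to the daemon name and `%h` to the client host name (or address when the name is unavailable) rather than leaving the reader to infer it from the rendered sentence.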
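Review bot: in @@ -990,9 +993,9 @@ the retained context "implicitly denies the connection" over-states what `spawn` does, and since the surrounding sentence is being reworded anyway this is the place to fix it. `spawn` only runs the given command in a child process; the access decision comes from the `allow` or `deny` option at the end of the rule, which is why the `ALL : .example.com \` example that follows needs to end with an explicit `deny`. Suggest: "spawn runs an external command or script without sending a reply to the client; the connection is denied because the rule ends with deny."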
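Review bot: the new closing paragraph in @@ -1004,46 +1007,38 @@, "make sure that any unneeded entries for that daemon are commented out", loses the specific point the removed text made. Given the first-match semantic described in the Initial Configuration hunk and the statement there that the default configuration allows all connections, the allow-everything rule must be commented out or placed after the sendmail and twist examples, or it is applied first and the examples are never reached; the paragraph should say exactly that. In the same hunk, "match any host which provides an IP address that may be forged because the IP address differs from its resolved hostname" reads oddly; suggest "match any host whose IP address does not match its resolved hostname, which can indicate a forged address", and "which have an IP address that varies from its hostname" should become "whose IP address does not match its hostname".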