Discussion:
IPTABLES & TCP WRAPPERS
justin
20 years ago
Question:

Would it make sense to use both IPTABLES and TCP wrappers on a linux
system?

Is this too much redundancy?

Why would you choose one over the other?
Jose Maria Lopez Hernandez
20 years ago
Post by justin
Would it make sense to use both IPTABLES and TCP wrappers on a linux
system?
Yes, they are different things and they have their use in
security.
Post by justin
Is this too much redundancy?
No, you should have as much redundancy as you can.
Post by justin
Why would you choose one over the other?
If I had to choose just one I would choose iptables, but
it's much better if you choose both.

An example: the ssh dictionary attacks. You can slow them
or even stop some of them with iptables, but you'll be better off
telling ssh not to accept remote root logins.

Regards.
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
***@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
justin
20 years ago
On Tue, 10 May 2005 10:15:34 +0200, Jose Maria Lopez Hernandez
...
Ok so what I don't understand is then if you have a DROP statement in
IPTables denying traffic from let's say 1 IP for TCP. What purpose
would it serve also to have an entry in /etc/hosts.deny for TCP
Wrappers? The only thing I can think of is if for some reason your
system rebooted and IPTABLES didn't start back up for some reason, or
vice versa.

How would a dictionary attack with a system set up with tcp wrappers
respond? Is there more CPU processing involved with TCP Wrappers with
IPTABLES?

Just looking for some clarification before I start tinkering.
Jose Maria Lopez Hernandez
20 years ago
Post by justin
Ok so what I don't understand is then if you have a DROP statement in
IPTables denying traffic from let's say 1 IP for TCP. What purpose
would it serve also to have an entry in /etc/hosts.deny for TCP
Wrappers? The only thing I can think of is if for some reason your
system rebooted and IPTABLES didn't start back up for some reason, or
vice versa.
The reason would be that someone could find a way to bypass your
firewall rules, and then you have the tcp wrappers for that. Or
to prevent some kind of spoofing. Obviously if you are *totally*
sure that the firewall will stop it then there's no use for
tcp wrappers.

But I find it quite useful to have wrappers that allow the connections
to some services from just a group of machines, let's say for example
the ssh service and the machines you use to administer a server, or
the monitoring services, such as nagios and the console you use to view the
data.

But I don't find it very useful to stop attacks from IPs. So I use
the tcp wrappers with a "drop" policy, using iptables syntax, and
then allow the machines I want.
Post by justin
How would a dictionary attack with a system set up with tcp wrappers
respond? Is there more CPU processing involved with TCP Wrappers with
IPTABLES?
Yes, there's more CPU processing involved with TCP wrappers. You should
use iptables if you can and then tcp wrappers.

The dictionary attacks I was talking about were the ones that try
to find the password for root on Linux machines through ssh. This is
not easy to stop using iptables, but if you disallow the root logins
from outside the machine (not really tcp wrappers but similar) then
even if you can't stop the attacks you are sure they won't succeed.

Regards.
justin
20 years ago
On Tue, 10 May 2005 19:32:16 +0200, Jose Maria Lopez Hernandez
...
Ok with your response you have raised another question for me: How do
you bypass an IPTABLES firewall rule? Even if I have a statement like:

# iptables -A INPUT -i external_interface -s My_IP_address -j REJECT

Also I have another question in this area: for example let us say you
have 3 systems:
2 Linux web servers and 1 Linux dedicated IPTABLES firewall/router
system.

Would you enable IPTABLES on the two web servers behind the Linux
firewall/router? Or just TCP Wrappers? Is that making it too
complicated to manage?

Just using this simple example what would be a recommended
configuration? Is there documentation somewhere I could read about
recommended topology config based on the number of systems and their
function you could point me to?

Or
justin
20 years ago
...
I found this really awesome link regarding IPTABLES:
http://www.spotswood-computer.net/present/iptables2.html

This is some really good stuff. If you happen to have anything
similar to this in your bookmarks, please share!

Thanks,

Justin
Jose Maria Lopez Hernandez
20 years ago
Post by justin
http://www.spotswood-computer.net/present/iptables2.html
This is some really good stuff. If you happen to have anything
similar to this in your bookmarks, please share!
I suppose you already know the Iptables Tutorial. It's the
best source of information for iptables I've found.
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Post by justin
Thanks,
Justin
Regards.
Llanzlan Klazmon
20 years ago
Post by justin
On Tue, 10 May 2005 19:32:16 +0200, Jose Maria Lopez Hernandez
<SNIP>
Post by justin
Ok with your response you have raised another question for me: How do
# iptables -A INPUT -i external_interface -s My_IP_address -j REJECT
I personally think that you should DROP not REJECT. If you get hit by a
DDOS attack, doing a reject will double the load on your system caused by
the ip stack processing. It will also dump useless reject packets back
onto the net, generally wasting bandwidth.
...
I believe there are some pretty good HOWTOs out there. Also note that
there are iptables front ends such as Guarddog and Shorewall that are
supposed to make it easier to set up iptables (I haven't used them
myself). A really useful tool is webmin, which allows you to configure
iptables (and a lot of other stuff like apache, samba etc) via a web
browser.

Klazmon.
Post by justin
Or
Moe Trin
20 years ago
Post by Llanzlan Klazmon
I personally think that you should DROP not REJECT. If you get hit by a
DDOS attack, doing a reject will double the load on your system caused by
the ip stack processing. It will also dump useless reject packets back
onto the net, generally wasting bandwidth.
It depends on the attacker's program. A reject may actually result in less
traffic. Use tcpdump to see why one in and one out might be less trouble
than three in and none out.
Post by Llanzlan Klazmon
I believe there are some pretty good HOWTOs out there. Also note that
there are iptables front ends such as Guarddog and Shorewall that are
supposed to make it easier to set up iptables (I haven't used them
myself). A really useful tool is webmin, which allows you to configure
iptables (and a lot of other stuff like apache, samba etc) via a web
browser.
Why would you be running servers on a firewall? Nearly all of the firewalls
I work with are running headless, and won't accept connections to their
addresses (except for three specific hosts on the inside). Normal
administration is a simple SSH login, with a remote serial console as a
backup for network failure. Likewise, no host on the DMZ or internal net
will accept a connection originating from the firewall.

Old guy
Llanzlan Klazmon
20 years ago
Post by Moe Trin
Post by Llanzlan Klazmon
I personally think that you should DROP not REJECT. If you get hit by
a DDOS attack, doing a reject will double the load on your system
caused by the ip stack processing. It will also dump useless reject
packets back onto the net, generally wasting bandwidth.
It depends on the attacker's program. A reject may actually result in
less traffic. Use tcpdump to see why one in and one out might be less
trouble than three in and none out.
YMMV.
Post by Moe Trin
Post by Llanzlan Klazmon
I believe there are some pretty good HOWTOs out there. Also note that
there are iptables front ends such as Guarddog and Shorewall that are
supposed to make it easier to set up iptables (I haven't used them
myself). A really useful tool is webmin, which allows you to configure
iptables (and a lot of other stuff like apache, samba etc) via a web
browser.
Why would you be running servers on a firewall?
I was just pointing out what the webmin tool can do. Not suggesting that
the OP should be running apache and samba on his firewall.
Post by Moe Trin
Nearly all of the
firewalls I work with are running headless, and won't accept
connections to their addresses (except for three specific hosts on the
inside). Normal administration is a simple SSH login, with a remote
serial console as a backup for network failure. Likewise, no host on
the DMZ or internal net will accept a connection originating from the
firewall.
Standard stuff.


Klazmon.
Post by Moe Trin
Old guy
Jose Maria Lopez Hernandez
20 years ago
Post by justin
Ok with your response you have raised another question for me: How do
# iptables -A INPUT -i external_interface -s My_IP_address -j REJECT
For this rule... just using another source IP address. But I get your
point. You can be quite sure that your rules are good and they can't
be bypassed, but if you add a second level of security, that doesn't
add complexity or slow down the system, then it's even better.

There could be a problem with your rules, or a problem with iptables.
I really don't know... accidents will happen, you know.
Post by justin
Also I have another question in this area: for example let us say you
2 Linux web servers and 1 Linux dedicated IPTABLES firewall/router
system.
Would you enable IPTABLES on the two web servers behind the Linux
firewall/router? Or just TCP Wrappers? Is that making it too
complicated to manage?
I prefer to have a totally controlled and well administered perimeter
firewall and then use tcp wrappers in the inner servers. If you add
too much complexity to the system then you can get to a point where
you make an error because of that. But other people can have different
opinions about this, it's something quite personal.
Post by justin
Just using this simple example what would be a recommended
configuration? Is there documentation somewhere I could read about
recommended topology config based on the number of systems and their
function you could point me to?
There's no real recommended configuration. It's all about how good
a configuration is for your system, the time you can spend configuring
and maintaining it and the security you need.

My preference is having a well configured and maintained perimeter
firewall and no inner firewall. But other people would prefer a
DMZ or inner firewalls.

Regards.
Menno Duursma
20 years ago
Post by justin
Post by justin
How would a dictionary attack with a system set up with tcp wrappers
respond?
That very much depends on its configuration.
Post by justin
Is there more CPU processing involved with TCP Wrappers with IPTABLES?
Yes, there's more CPU processing involved with TCP wrappers. You should
use iptables if you can and then tcp wrappers.
Again that depends. Services that link against libwrap only check upon
connecting, whereas netfilter inspects every packet (as it largely
doesn't know about the upper-layer protocol).

So _connecting_ will probably take more processing with libwrap (although
the hosts.{allow,deny} files are probably cached, and one might add often
connecting machines' name/address mappings to /etc/hosts). How much will
yet again be dependent on its configuration. After that point, it
shouldn't take any processing at all though.
Post by justin
The dictionary attacks I was talking about were the ones that try
to find the password for root on Linux machines through ssh. This is
not easy to stop using iptables, but if you disallow the root logins
from outside the machine (not really tcp wrappers but similar) then
even if you can't stop the attacks you are sure they won't succeed.
One can configure hosts.{allow,deny} to query an identd on the connecting
host. In which case an attacker would need to spoof that reply as well, or
be connecting from an actually (compromised) "allowed" account.
--
-Menno.
Moe Trin
20 years ago
Post by justin
Post by Jose Maria Lopez Hernandez
Post by justin
Is this too much redundancy?
No, you should have as much redundancy as you can.
Agreed - cue the old joke about firemen wearing belts and suspenders.
Post by justin
Ok so what I don't understand is then if you have a DROP statement in
IPTables denying traffic from let's say 1 IP for TCP. What purpose
would it serve also to have an entry in /etc/hosts.deny for TCP
Wrappers?
'iptables' doesn't know the purpose of a port number. All it can do is
to allow, drop (another ball of tar) or reject a connection.

You also need to review the philosophy of how tcp_wrappers are meant to
work - as detailed in the hosts_access(5) man page. BRIEFLY, tcp_wrappers
looks in /etc/hosts.allow to see if a connection is permitted. If so, end
of tests. If the connection (address or service) is not permitted in
/etc/hosts.allow, then tcp_wrappers looks in /etc/hosts.deny to see if the
connection should be rejected. If the connection is to be rejected, it is,
BUT OTHERWISE IT'S PERMITTED. Thus, the only thing that should be in
/etc/hosts.deny is a simple "ALL: ALL" so that connections not permitted
by /etc/hosts.allow are rejected.

One other problem with tcp_wrappers is that not all Internet services
use them. Only if the service is run by the super servers (inetd and
xinetd, and configured in the appropriate file) and those services that
are compiled with 'libwrap' are even aware of the /etc/hosts.(allow|deny).
Post by justin
The only thing I can think of is if for some reason your system rebooted
and IPTABLES didn't start back up for some reason, or vice versa.
These are computers, and they _should_ start/run the same way every time.
If they don't, then something is wrong. This could be a poorly written
boot script, but most of the distributions I've worked with are fairly
good in this manner.
Post by justin
How would a dictionary attack with a system set up with tcp wrappers
respond?
Depends on the setup.
Post by justin
Is there more CPU processing involved with TCP Wrappers with IPTABLES?
Less. tcp_wrappers are consulted at connection start only. iptables are
running all the time.
Post by justin
Just looking for some clarification before I start tinkering.
That's fine - that's how you learn. Do consult the HOWTOs, as there are some
good hints and background information there.

Old guy
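The hosts.allow / hosts.deny evaluation order described above, as a small model written for this thread (added example, not tcp_wrappers' own code). The two files below are constructed, using the admin-network and nagios cases from earlier in the thread, and the last test shows the default-permit behaviour that makes a trailing ALL: ALL in hosts.deny necessary.

```python
import ipaddress
import re

# Constructed hosts.allow / hosts.deny for the demo; not a real system's files.
HOSTS_ALLOW = """\
sshd : 10.0.5.0/255.255.255.0 EXCEPT 10.0.5.99
sshd, nrpe : nagios.example.internal
ALL : LOCAL
"""
HOSTS_DENY = "ALL : ALL : spawn ( /usr/bin/logger libwrap deny %h ) &\n"


def parse_rules(text):
    """[(daemon_tokens, client_tokens)]; comments and backslash-newline
    continuations are honoured, the optional shell_command field is ignored."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split(":", 2)
        if len(fields) >= 2:
            rules.append(tuple(re.split(r"[,\s]+", f.strip()) for f in fields[:2]))
    return rules


def client_matches(pattern, client):
    """One hosts_access(5) client pattern against (hostname, address)."""
    host, addr = client
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern == "local":            # hostname without a dot
        return "." not in host
    if pattern.startswith("."):       # .domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):         # address prefix such as 10.0.5.
        return addr.startswith(pattern)
    if "/" in pattern:                # net/mask, dotted mask or CIDR length
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (host, addr)    # exact hostname or address


def list_matches(tokens, value, match_one):
    """'a b EXCEPT c' matches when a or b matches and c does not; EXCEPT nests
    to the right, as hosts_access(5) specifies."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], value, match_one)
                and not list_matches(tokens[i + 1:], value, match_one))
    return any(match_one(t, value) for t in tokens)


def hosts_access(allow_text, deny_text, daemon, host, addr):
    """Decide one connection in hosts_access(5) order: first hosts.allow match
    grants, else first hosts.deny match denies, else GRANTED by default."""
    client = (host.lower(), addr)
    for fname, text, verdict in (("hosts.allow", allow_text, "grant"),
                                 ("hosts.deny", deny_text, "deny")):
        for n, (daemons, clients) in enumerate(parse_rules(text), 1):
            if (list_matches(daemons, daemon, lambda p, d: p in ("ALL", d))
                    and list_matches(clients, client, client_matches)):
                return verdict, f"{fname} rule {n}"
    return "grant", "no match in either file: permitted by default"
```

Running hosts_access with an empty hosts.deny shows why a connection from an arbitrary host is let through when nothing in hosts.allow matches it.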
Menno Duursma
20 years ago
On Tue, 10 May 2005 14:48:08 -0500, Moe Trin wrote:
[ ... ]
Post by Moe Trin
connection should be rejected. If the connection is to be rejected, it is,
BUT OTHERWISE IT'S PERMITTED. Thus, the only thing that should be in
/etc/hosts.deny is a simple "ALL: ALL" so that connections not permitted
by /etc/hosts.allow are rejected.
Well you might want to have it log to some separate file, send you mail
about this, do some lookup, or whatever.

ALL : ALL : spawn ( /usr/bin/logger libwrap deny %h ) &
Post by Moe Trin
One other problem with tcp_wrappers is that not all Internet services
use them.
Yes. Although most do support it, patching/recompiling for it sucks.

Another is that the makefile, by Mr. Venema, compiles libwrap as a
(static) archive rather than a shared object. (Most distros fix this, but it
would be nicer for ./configure scripts to "just work" (with -lwrap)).

However, I think it much simpler than (and therefore preferable to)
kernel-level filtering for network service protection.
--
-Menno.
Mogens V.
20 years ago
Post by Menno Duursma
[ ... ]
Post by Moe Trin
connection should be rejected. If the connection is to be rejected, it is,
BUT OTHERWISE IT'S PERMITTED. Thus, the only thing that should be in
/etc/hosts.deny is a simple "ALL: ALL" so that connections not permitted
by /etc/hosts.allow are rejected.
Well you might want to have it log to some separate file, send you mail
about this, do some lookup, or whatever.
ALL : ALL : spawn ( /usr/bin/logger libwrap deny %h ) &
Exactly. The hosts.deny file can be used like this:

ALL : ALL : \
spawn ( \
/bin/echo -e "\n \
TCP wrappers refused connection\:\n \
Server \: $(uname -n)\n \
Process \: %d (pid %p)\n \
Date \: $(date)\n \
\n \
Offender\: %c\n \
User \: %u\n \
\n \
Dig\'d offender information\:\n \
$(dig +nocmd +nocomments +noquestion +nostats +multiline -x %c ns)\n" \
|/bin/mail -s "$(uname -n) wrappers\: %d refused for %c" ***@my-ISP \
) &


Can also be used to create other trappings...
See the relevant man pages for ideas.
Mind you, not everything is about TCP. There are some many options for
crackers wanting to exploit ICMP as well.
It's really worth investigating the Linux /proc filesystem for stuff to
limit DDoS attacks, number of open connections etc...
Take a look in /usr/src/linux/Documentation, and do some googling.
--
Kind regards,
Mogens Valentin
Menno Duursma
20 years ago
Post by Mogens V.
Post by Menno Duursma
Well you might want to have it log to some separate file, send you mail
about this, do some lookup, or whatever.
ALL : ALL : spawn ( /usr/bin/logger libwrap deny %h ) &
groupadd libwrap
useradd -g libwrap -s /bin/bash -d /var/empty libwrap
passwd -l libwrap
Post by Mogens V.
ALL : ALL : \
user libwrap.libwrap : \
Post by Mogens V.
spawn ( \
/bin/echo -e "\n \
TCP wrappers refused connection\:\n \
Server \: $(uname -n)\n \
Process \: %d (pid %p)\n \
Date \: $(date)\n \
\n \
Offender\: %c\n \
User \: %u\n \
\n \
Dig\'d offender information\:\n \
$(dig +nocmd +nocomments +noquestion +nostats +multiline -x %c ns)\n" \
|/bin/mail -s "$(uname -n) wrappers\: %d refused for %c"
) &
Nice.
Post by Mogens V.
Can also be used to create other trappings...
See the relevant man pages for ideas.
Yep.

man 5 hosts_access
man 5 hosts_options
Post by Mogens V.
Mind you, not everything is about TCP. There's some meany options for
crackers wanting to exploit ICMP as well.
Well, there normally is/are some dedicated firewall(s) filtering most junk
coming in from outside the LAN realm already.

To me it makes more sense to run something user-space like
tcplogd/iplogger on closed ports there than a Unix-flavour-specific
packet filter on all machines. (I.e.: the former can be managed with
"cfengine" more easily and doesn't waste resources on established (allowed)
connections, etc.)
Post by Mogens V.
It's really worth investigating the Linux /proc filesystem for stuff to
limit DDoS attacks, nof open connections etc...
Take a look in /usr/src/linux/Documentation, and do some googling.
I know, and did...
--
-Menno.