
Network monitoring, access control & booby traps using TCP Wrappers: Part 1


            -----------------         -----------------       ---------
     user---| telnet client |---------| telnet server |-------| login |
            -----------------         -----------------       ---------
                (foo1.bar)                       (foo2.bar)

Figure 4. The tcp wrapper program has started the real telnet server and no longer participates. The user cannot notice any difference.

Let's look at the log records that the TCP Wrapper program generates.

May 22 14:43:29 tuegate: systatd: connect from monk.rutgers.edu
May 22 15:08:30 tuegate: systatd: connect from monk.rutgers.edu
May 22 15:09:19 tuewse: fingerd: connect from monk.rutgers.edu
May 22 15:14:27 tuegate: telnetd: connect from cumbic.bmb.columbia.edu
May 22 15:23:06 tuegate: systatd: connect from cumbic.bmb.columbia.edu
May 22 15:23:56 tuewse: fingerd: connect from cumbic.bmb.columbia.edu

Some of the first cracker connections observed with the tcp wrapper program by the author. Each connection is recorded with: time stamp, the name of the local host, the name of the requested service (actually, the network server process name), and the name of the remote host.
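The record format above is regular enough to be processed mechanically. As an added example (not part of the original paper), the following Python script parses records in that format and reports remote hosts that touched several different services in the log, which is the reconnaissance pattern the quoted lines show. The sample input is the six lines quoted above, embedded here as constructed test data; the service threshold is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpd log lines quoted above (syslog style, no year).
SAMPLE_LOG = """\
May 22 14:43:29 tuegate: systatd: connect from monk.rutgers.edu
May 22 15:08:30 tuegate: systatd: connect from monk.rutgers.edu
May 22 15:09:19 tuewse: fingerd: connect from monk.rutgers.edu
May 22 15:14:27 tuegate: telnetd: connect from cumbic.bmb.columbia.edu
May 22 15:23:06 tuegate: systatd: connect from cumbic.bmb.columbia.edu
May 22 15:23:56 tuewse: fingerd: connect from cumbic.bmb.columbia.edu
"""

# time stamp, local host, service (server process name), remote host
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<local>[^:\s]+): "
    r"(?P<service>[^:\s]+): "
    r"connect from (?P<remote>\S+)$"
)


def parse_line(line):
    """Return the four fields as a dict, or None if this is not a connect record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def connections_by_remote(log_text):
    """Map each remote host to the ordered list of (local host, service) it contacted."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[rec["remote"]].append((rec["local"], rec["service"]))
    return dict(seen)


def suspicious_hosts(log_text, min_services=2):
    """Remote hosts that contacted at least `min_services` distinct services.

    One host working through systat, finger and telnet in a single afternoon
    is exactly the probing the wrapper logs were introduced to expose.
    The threshold of 2 is an assumption for this example, not a tcpd setting."""
    result = {}
    for remote, hits in connections_by_remote(log_text).items():
        services = sorted({svc for _, svc in hits})
        if len(services) >= min_services:
            result[remote] = services
    return result


if __name__ == "__main__":
    for host, svcs in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(svcs)}")
```

The script keys on the remote host name exactly as the wrapper logged it; in practice that name comes from a reverse DNS lookup, so it is only as trustworthy as the remote site's name servers.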

Automatic reverse fingers had proven useful in the author's fight against the cracker, so he decided to integrate the "ad hoc" reverse finger tool with TCP Wrappers. To this end, the access control language was extended so that arbitrary shell commands could be specified.

/etc/hosts.allow:

    in.tftpd: LOCAL, .foo.bar

/etc/hosts.deny:

    in.tftpd: ALL: /usr/ucb/finger -l @%h 2>&1 | /usr/ucb/mail wswietse

This is an example of a booby trap on the tftp service. The entry in the first access control file, which is consulted first, says that tftp connections from hosts within the local domain are allowed. The entry in the second file causes the TCP Wrapper to refuse the connection and perform a reverse finger in all other cases. The "%h" sequence is replaced by the actual remote host name. The result is sent to the administrator by email.
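To make the decision procedure concrete, here is an added Python model of the hosts.allow / hosts.deny evaluation for the two entries above. It is illustrative code written for this page, not the tcpd implementation. It follows the rules stated in the text together with the standard hosts_access(5) conventions: hosts.allow is consulted before hosts.deny, the first matching rule wins, a connection that matches neither file is granted, LOCAL matches host names without a dot, a leading dot matches a domain suffix, and ALL matches everything. The metacharacter scrubbing in expand() mirrors what later tcpd releases do with % expansions; the hostile host name used in the usage note is constructed.

```python
# Added example: a model of how tcpd decides on a connection and builds the
# booby-trap command.  Not the original implementation.

def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines.

    Lists are comma/whitespace separated.  Everything after the second colon is
    the optional command, kept verbatim so redirections and pipes survive."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        command = parts[2].strip() if len(parts) == 3 else None
        rules.append((daemons, clients, command))
    return rules


def token_matches(token, name):
    """Match one daemon/client token against a name using the hosts_access(5) rules."""
    if token == "ALL":
        return True
    if token == "LOCAL":              # a host name with no dot in it
        return "." not in name
    if token.startswith("."):         # domain suffix, e.g. .foo.bar
        return name.endswith(token)
    return token == name              # exact name


# Characters that would let a hostile DNS name change the meaning of the command.
_UNSAFE = set("`$;&|<>()\"'\\!*? \t\n")


def expand(command, remote, daemon):
    """Substitute %h (client host) and %d (daemon name).

    Shell metacharacters in the substituted values are replaced by '_', as
    later tcpd releases do, so the reverse finger cannot be turned against
    the host running the booby trap."""
    def clean(value):
        return "".join("_" if ch in _UNSAFE else ch for ch in value)
    return command.replace("%h", clean(remote)).replace("%d", clean(daemon))


def decide(allow_text, deny_text, daemon, remote):
    """Return (granted, command_to_run_or_None) for one connection."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients, command in parse_rules(text):
            if any(token_matches(d, daemon) for d in daemons) and \
               any(token_matches(c, remote) for c in clients):
                return verdict, (expand(command, remote, daemon) if command else None)
    return True, None                 # no rule matched: the connection goes through


# The two entries quoted above.
HOSTS_ALLOW = "in.tftpd: LOCAL, .foo.bar\n"
HOSTS_DENY = "in.tftpd: ALL: /usr/ucb/finger -l @%h 2>&1 | /usr/ucb/mail wswietse\n"

if __name__ == "__main__":
    # "evil.example;rm -rf /" is a constructed hostile name, not a real host.
    for host in ("foo1.foo.bar", "gateway", "monk.rutgers.edu", "evil.example;rm -rf /"):
        ok, cmd = decide(HOSTS_ALLOW, HOSTS_DENY, "in.tftpd", host)
        print(f"{host!r}: {'granted' if ok else 'refused'}  {cmd or ''}")
```

The last case is the caveat a practitioner should keep in mind when writing booby traps: "%h" is filled in from a reverse DNS lookup that the remote side can influence, so any shell command built from it must treat the name as untrusted input.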

Our discussion so far gives only a limited illustration of the use of booby traps. They become much more useful when installed on firewall systems, whose primary purpose is to separate an organizational network from the rest of the world. A typical firewall system offers only a small collection of network services to the outside world, for example telnet and smtp. By placing booby traps on the remaining network ports one can implement an effective early-warning system: any connection to a port that is not supposed to be in use is, by definition, worth a closer look.

Conclusions