msec configuration causes libwrap to refuse connections
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
msec configuration causes libwrap to refuse connections
I am configuring a webserver with Mandrake 9.1 at security level higher (msec level 4). I now have two services, sgi_fam and pop3, which are being refused connection by libwrap resulting in the error message "libwrap refused connection". Lowering the security level to 3 or setting the service flag NOLIBWRAP solves the problem. Although I am not an expert both solutions seem to me like shooting yourself in the leg i.e. installing a highly secure system only to disable security.
I like to fine tune my security settings to allow local connections for these services. I tried a couple of things but none of them seemed to work. Among others I tried to add both services to hosts.allow and enabled them with the chkconfig --add 'service' command. Both services should be enabled according to chkconfig --list.
Does anyone have a couple of other ideas I could try? Is there someting I could add to /etc/security/msec/level.local?
I am currently going through a painfully slow trial and error process, so any expert tip would be a blessing.
Try adding the ip addresses of the local computers you want to allow to your /etc/hosts.allow file.
First test if xinetd is the problem. Add a line to hosts.allow that says:
ALL: ALL
This will open up xinetd (libwrap) to allow everything. Now test and see if it works. If it does work than delete that line and add lines for the specific services you want to allow like this:
sgi_fam: xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
in the form of:
<servicename>: <ip.you.want.to.allow>
Make sure you don't leave the ALL: ALL line in the file.
I already tried modifying hosts.allow with sgi_fam: xx.xx.xx.xx and pop3: xx.xx.xx.xx, but this does not open the connection for these two services. I did not try ALL: ALL before and this did remove the problem again. It is even more strange that it allows me to open the connection for ssh with sshd: xx.xx.xx.xx, but apparantly not for the other two services.
Downloaded fresh MDK9.1 and experienced same problems with msec levels 4 & 5.
Workaround:
1) add flag NOLIBWRAP to /etc/xinetd.d/fam
2) change local_only to true in /etc/fam.conf
This works and restricts access in similar way as /etc/hosts.deny setting for
msec level 4. The root cause (ie. libwrap not resolving IP address) still needs
to be addressed however. HTH.
You might try doing:
sgi_fam: ALL
in your hosts.allow file and then using iptables to restrict access, but It certainly sounds like that bug.
I actually stumbled over this bug report at some point but failed to make the connection at this point. The workaround works for sgi_fam but I can't use it for pop3. I found one more workaround, which is good enough for me. Modify the line in host.deny to:
ALL: ALL EXCEPT 127.0.0.1 xx.xx.xx.xx: DENY
However, this opens for all services to the specified address. In my case it is OK. Cheers.
If you want to tighten access further, just use iptables to deny access to services you don't want open to the local clients.
You can use iptables to restrict access, just like libwrap does. It's just that the hosts.allow/deny is just easier to use. Of course libwrap allows you to do some cool stuff like spawn other processes, but for basic access restriction iptables will work just as well.
I discovered that the fix for the libwrap problem with fam produces the following warning in my syslog.
"Warning! Started by inetd, so -L (local_only) option is being ignored!"
The documentation in /etc/fam.conf states that the local_only flag is ingored when fam is started from inetd.
Is there a fix for this? If not, do I have an security problem to worry about with respect to the external net? If it is not an external security problem I would just leave it as it is. I have a firewall in place with only ports 80, 443 and 25 open to the external net.
Originally posted by MJatIFAD If not, do I have an security problem to worry about with respect to the external net?
Access control by hosts.allow/deny certainly goes out the window, but as long as you are protecting those ports with the firewall you will be fine. In fact, libwrap will never even see a packet destined for those ports, because iptables should drop or reject the packet before it even gets there. Just make sure that you have a sensible firewall (preferably with a default INPUT policy of DROP) and that when you scan your machine from the outside you don't have any exposed ports that shouldn't be open. Using both iptables and hosts.allow/deny gives you redundant layers of security, so losing one really doesn't compromise the security of your system. However, I would think about upgrading your distro at some point, hopefully Mandrake will fix that bug in a new release.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.