LinuxQuestions.org
#1  MJatIFAD  09-08-2003, 10:59 AM
msec configuration causes libwrap to refuse connections


I am configuring a webserver with Mandrake 9.1 at security level higher (msec level 4). I now have two services, sgi_fam and pop3, which are being refused connection by libwrap resulting in the error message "libwrap refused connection". Lowering the security level to 3 or setting the service flag NOLIBWRAP solves the problem. Although I am not an expert both solutions seem to me like shooting yourself in the leg i.e. installing a highly secure system only to disable security.

I'd like to fine-tune my security settings to allow local connections for these services. I tried a couple of things but none of them seemed to work. Among others I tried to add both services to hosts.allow and enabled them with the chkconfig --add 'service' command. Both services should be enabled according to chkconfig --list.

Does anyone have a couple of other ideas I could try? Is there something I could add to /etc/security/msec/level.local?

I am currently going through a painfully slow trial and error process, so any expert tip would be a blessing.
 
#2  Capt_Caveman  09-08-2003, 08:28 PM
Try adding the ip addresses of the local computers you want to allow to your /etc/hosts.allow file.

First test if xinetd is the problem. Add a line to hosts.allow that says:
ALL: ALL

This will open up xinetd (libwrap) to allow everything. Now test and see if it works. If it does work then delete that line and add lines for the specific services you want to allow like this:

sgi_fam: xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy

in the form of:
<servicename>: <ip.you.want.to.allow>

Make sure you don't leave the ALL: ALL line in the file.

HTH
 
#3  MJatIFAD (original poster)  09-09-2003, 11:16 AM
I already tried modifying hosts.allow with sgi_fam: xx.xx.xx.xx and pop3: xx.xx.xx.xx, but this does not open the connection for these two services. I did not try ALL: ALL before and this did remove the problem again. It is even more strange that it allows me to open the connection for ssh with sshd: xx.xx.xx.xx, but apparently not for the other two services.

What does this mean?
 
#4  Capt_Caveman  09-09-2003, 12:15 PM
Looks like this bug:

http://qa.mandrakesoft.com/show_bug.cgi?id=749

They have a work around listed:

Quote:
Downloaded fresh MDK9.1 and experienced same problems with msec levels 4 & 5.
Workaround:
1) add flag NOLIBWRAP to /etc/xinetd.d/fam
2) change local_only to true in /etc/fam.conf
This works and restricts access in similar way as /etc/hosts.deny setting for
msec level 4. The root cause (ie. libwrap not resolving IP address) still needs
to be addressed however. HTH.
You might try doing:
sgi_fam: ALL
in your hosts.allow file and then using iptables to restrict access, but it certainly sounds like that bug.
 
#5  MJatIFAD (original poster)  09-09-2003, 03:17 PM
I actually stumbled over this bug report at some point but failed to make the connection at this point. The workaround works for sgi_fam but I can't use it for pop3. I found one more workaround, which is good enough for me. Modify the line in hosts.deny to:

ALL: ALL EXCEPT 127.0.0.1 xx.xx.xx.xx: DENY

However, this opens for all services to the specified address. In my case it is OK. Cheers.
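As an added example, not code from the thread or from tcp_wrappers itself: the decision logic of hosts_access(5) modelled in Python and run over the configurations discussed above. hosts.allow is consulted first, then hosts.deny, and a (daemon, client) pair that matches neither file is granted. The addresses 10.0.0.5, 192.168.1.0/24 and 203.0.113.7 are constructed stand-ins for the xx.xx.xx.xx in the posts, and the daemon names (sgi_fam, pop3, sshd) are assumed to be what each server passes to libwrap (for an xinetd service that name is settable with the libwrap attribute in xinetd.conf(5)). The model implements the documented semantics only and does not reproduce the Mandrake bug the thread attributes the failure to, so what it shows is what the files should have done: a per-service line in hosts.allow admits one client to one service, while the hosts.deny line from the post above admits the listed clients to every wrapped service.

```python
"""tcp_wrappers (libwrap) access decisions, modelled after hosts_access(5).

Order: a matching line in hosts.allow grants access; otherwise a matching
line in hosts.deny refuses it; otherwise access is granted.  Supports ALL,
LOCAL, KNOWN, UNKNOWN, EXCEPT, ".domain" suffixes, "10.0.0." address
prefixes, net/mask patterns and the ": allow" / ": deny" options of the
extended syntax.  IPv4 only; no backslash continuation lines.
"""
import ipaddress


def _tokens(field):
    """Split a daemon or client list on blanks and commas."""
    return field.replace(",", " ").split()


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients, options)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                                  # malformed line: ignored
        options = [o.lower() for o in fields[2:]]     # e.g. "deny" from ": DENY"
        rules.append((_tokens(fields[0]), _tokens(fields[1]), options))
    return rules


def _match_client(token, addr, host):
    """Match one client pattern against the peer address / resolved name."""
    up = token.upper()
    if up == "ALL":
        return True
    if up == "LOCAL":                                 # hostname without a dot
        return host is not None and "." not in host
    if up == "KNOWN":
        return host is not None
    if up == "UNKNOWN":
        return host is None
    if "/" in token:                                  # n.n.n.n/m.m.m.m or /prefix
        try:
            return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(token, strict=False)
        except ValueError:
            return False
    if token.startswith("."):                         # domain suffix
        return host is not None and host.lower().endswith(token.lower())
    if token.endswith("."):                           # address prefix
        return addr.startswith(token)
    return token == addr or (host is not None and token.lower() == host.lower())


def _match_list(tokens, match_one):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return _match_list(tokens[:i], match_one) and not _match_list(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)


def hosts_access(allow_text, deny_text, daemon, addr, host=None):
    """Return True if libwrap would let client `addr` reach `daemon`."""
    for verdict, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients, options in parse_rules(text):
            if (_match_list(daemons, lambda t: t.upper() == "ALL" or t == daemon)
                    and _match_list(clients, lambda t: _match_client(t, addr, host))):
                if "deny" in options:                 # extended-syntax override
                    return False
                if "allow" in options:
                    return True
                return verdict
    return True                                       # no rule matched: granted


# Constructed sample policies; 10.0.0.5 stands in for the trusted LAN client.
DENY_ALL = "ALL: ALL\n"                               # deny-everything hosts.deny
ALLOW_LAN_CLIENT = "sgi_fam: 10.0.0.5\npop3: 10.0.0.5\nsshd: 10.0.0.5\n"
DENY_EXCEPT = "ALL: ALL EXCEPT 127.0.0.1 10.0.0.5: DENY\n"   # hosts.deny from post #5
ALLOW_SUBNET = "pop3: 192.168.1.0/255.255.255.0\nsgi_fam: 192.168.1.\n"

if __name__ == "__main__":
    print("per-service allow, LAN client, sgi_fam:",
          hosts_access(ALLOW_LAN_CLIENT, DENY_ALL, "sgi_fam", "10.0.0.5"))
    print("per-service allow, other client, sgi_fam:",
          hosts_access(ALLOW_LAN_CLIENT, DENY_ALL, "sgi_fam", "10.0.0.9"))
    print("ALL: ALL test from post #2, outside client, pop3:",
          hosts_access("ALL: ALL\n", DENY_ALL, "pop3", "203.0.113.7"))
    print("hosts.deny EXCEPT, LAN client, any service:",
          hosts_access("", DENY_EXCEPT, "telnet", "10.0.0.5"))
    print("hosts.deny EXCEPT, outside client, pop3:",
          hosts_access("", DENY_EXCEPT, "pop3", "203.0.113.7"))
```

Run it with python3 to print the decisions for each policy. The hosts.deny variant is the one to watch: because the exception is written in the client list of an ALL daemon rule, every wrapped service on the box becomes reachable from 127.0.0.1 and 10.0.0.5, which is exactly the side effect noted above; a per-service line in hosts.allow keeps the grant scoped to one daemon.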
 
#6  Capt_Caveman  09-09-2003, 06:23 PM
If you want to tighten access further, just use iptables to deny access to services you don't want open to the local clients.

You can use iptables to restrict access, just like libwrap does. It's just that the hosts.allow/deny is just easier to use. Of course libwrap allows you to do some cool stuff like spawn other processes, but for basic access restriction iptables will work just as well.
 
#7  MJatIFAD (original poster)  09-13-2003, 03:24 PM
I discovered that the fix for the libwrap problem with fam produces the following warning in my syslog.

"Warning! Started by inetd, so -L (local_only) option is being ignored!"

The documentation in /etc/fam.conf states that the local_only flag is ignored when fam is started from inetd.

Is there a fix for this? If not, do I have a security problem to worry about with respect to the external net? If it is not an external security problem I would just leave it as it is. I have a firewall in place with only ports 80, 443 and 25 open to the external net.

Cheers.
 
#8  Capt_Caveman  09-13-2003, 04:40 PM
Quote:
Originally posted by MJatIFAD
If not, do I have a security problem to worry about with respect to the external net?
Access control by hosts.allow/deny certainly goes out the window, but as long as you are protecting those ports with the firewall you will be fine. In fact, libwrap will never even see a packet destined for those ports, because iptables should drop or reject the packet before it even gets there. Just make sure that you have a sensible firewall (preferably with a default INPUT policy of DROP) and that when you scan your machine from the outside you don't have any exposed ports that shouldn't be open. Using both iptables and hosts.allow/deny gives you redundant layers of security, so losing one really doesn't compromise the security of your system. However, I would think about upgrading your distro at some point, hopefully Mandrake will fix that bug in a new release.