Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
09-25-2006, 02:39 AM  #1
Senior Member
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191
performance: tcpwrappers v iptables
My server is constantly getting hammered by brute force attempts so I finally decided to set strict allowance policies (deny all and allow the privileged few). My question is, which method provides the best performance results, blocking in iptables, or with tcp wrappers? It seems to make sense to me that stuff gets parsed in iptables before it hits the tcpwrappers, but I'm not exactly an expert.
Thanks!
...drkstr
**edit**
Sorry, one other side thought. Does tcp wrappers protect the services running in a chroot environment as well?
Last edited by drkstr; 09-25-2006 at 02:41 AM.
09-25-2006, 02:56 AM  #2
Senior Member
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,764
This would just be a guess, but it stands to reason that iptables will be faster because it runs in kernel space, and thus will block the packets before they get to the application layer, where tcpwrappers is run from. Plus, for tcpwrappers, each application that is allowed must be started anew per request.
09-25-2006, 02:59 AM  #3
Senior Member
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555
The short answer is: run them both. iptables is a packet filtering technology, whereas TCP wrappers is an application service security tool. If security is the #1 priority, then use both or all three (including chroot), and if performance suffers slightly, then at least you are less likely to get hacked or become the victim of a DoS.
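Post #3 calls TCP wrappers an "application service security tool"; concretely, that is the hosts.allow / hosts.deny check that tcpd or a libwrap-linked daemon runs on every incoming connection. The Python model below is an added example, not code from this thread or from tcp_wrappers itself. The two sample files and the addresses in them are constructed, and hostname patterns, the LOCAL/KNOWN/UNKNOWN/PARANOID wildcards and the optional shell-command field are deliberately left out so that only the evaluation order and the address patterns are shown.

```python
"""Model of the tcpd / libwrap access decision (hosts.allow, then hosts.deny).
Added example; only IP-address client patterns are modelled, not hostnames."""
import ipaddress
import re


def _split_list(field):
    """A daemon or client list is separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[,\s]+", field.strip()) if tok]


def parse_access_file(text):
    """Parse hosts.allow / hosts.deny text into (daemon_tokens, client_tokens) rules.
    '#' comments and blank lines are skipped; a trailing backslash continues a rule.
    Any third ':' field (options, shell command) is ignored by this model."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: no client list, so it can never match
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def _match_list(tokens, matches):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return _match_list(tokens[:i], matches) and not _match_list(tokens[i + 1:], matches)
    return any(matches(t) for t in tokens)


def _client_matches(token, ip):
    """Client patterns: ALL, a trailing-dot prefix (192.168.1.), net/mask or
    net/prefixlen, or an exact address. Hostname-based forms are not modelled."""
    if token.upper() == "ALL":
        return True
    if token.upper() in ("LOCAL", "KNOWN", "UNKNOWN", "PARANOID"):
        return False  # needs hostname lookup; out of scope for this model
    if token.endswith("."):
        return str(ip).startswith(token)
    if "/" in token:
        return ip in ipaddress.ip_network(token, strict=False)
    try:
        return ipaddress.ip_address(token) == ip
    except ValueError:
        return False  # a hostname pattern; not matched here


def decide(daemon, client_ip, allow_text, deny_text):
    """tcpd order: first match in hosts.allow grants access; otherwise first match
    in hosts.deny refuses it; otherwise (no match anywhere) access is GRANTED."""
    ip = ipaddress.ip_address(client_ip)

    def hit(rules):
        return any(
            _match_list(d, lambda t: t.upper() == "ALL" or t == daemon)
            and _match_list(c, lambda t: _client_matches(t, ip))
            for d, c in rules
        )

    if hit(parse_access_file(allow_text)):
        return "allow"
    if hit(parse_access_file(deny_text)):
        return "deny"
    return "allow"


# Constructed sample policy: one admin host and the LAN may reach sshd,
# everything except sshd is open to 10/8, and hosts.deny closes the rest.
HOSTS_ALLOW = """\
sshd: 203.0.113.5, 192.168.1.
ALL EXCEPT sshd: 10.0.0.0/255.0.0.0
"""
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for svc, src in [("sshd", "203.0.113.5"), ("sshd", "10.1.2.3"), ("vsftpd", "10.1.2.3")]:
        print(f"{svc} from {src}: {decide(svc, src, HOSTS_ALLOW, HOSTS_DENY)}")
```

Two consequences of that order matter for the "deny all, allow the privileged few" policy asked about in post #1: when nothing in hosts.deny matches, access is granted, so the `ALL: ALL` line in hosts.deny is what actually closes the door (an empty or missing hosts.deny blocks nothing); and a daemon that is not started through tcpd and not linked against libwrap (`ldd /path/to/daemon | grep libwrap` shows whether it is) never reads either file, which is the root of the warning in post #5.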
09-25-2006, 09:34 AM  #4
Senior Member
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191
Original Poster
Thanks for the replies! Security isn't all that important for me, I'm mainly just tossing in the strict allowance policies to cut down the work load of so many login attempts. I keep good password policies so the chances of a brute force attempt being successful are not very likely. However, I think I am going to add to both just in case. Most stuff will probably be caught at the iptables level, so I doubt it will impact performance having tcp wrappers enabled as well.
Thanks for the help!
...drkstr
09-27-2006, 01:31 AM  #5
Member
Registered: Jun 2005
Posts: 542
Never trust TCP wrappers because it's harder to be sure that each and every server is using it...
09-27-2006, 03:04 AM  #6
Senior Member
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191
Original Poster
Thanks for the word of warning. I have never used tcp wrappers before as it seems kind of redundant to me. I suppose I was really inquiring about what they are used for more than anything. iptables (in my opinion at least) seems like a much more secure way of controlling policies.
I am not too worried about the security issue, the only reason I am locking down the policies is to cut down on server work. I ended up just adding the policies to my existing iptables rules, but is it more work to check packets here, or to just let it go through without traversing a bunch of chains and then stop it at the application level? If there is no performance benefit for the latter method, then what the heck are tcp wrappers for? ...half-assed firewall maybe?
Thanks!
...drkstr
09-27-2006, 03:18 AM  #7
Member
Registered: Jun 2005
Posts: 542
Quote:
Originally Posted by drkstr
Thanks for the word of warning. I have never used tcp wrappers before as it seems kind of redundant to me. I suppose I was really inquiring about what they are used for more than anything. iptables (in my opinion at least) seems like a much more secure way of controlling policies.
I am not too worried about the security issue, the only reason I am locking down the policies is to cut down on server work. I ended up just adding the policies to my existing iptables rules, but is it more work to check packets here, or to just let it go through without traversing a bunch of chains and then stop it at the application level? If there is no performance benefit for the latter method, then what the heck are tcp wrappers for? ...half-assed firewall maybe?
Thanks!
...drkstr
This redundancy doesn't hurt anyone... Some call it a "multi-layered security approach". Consider the case where iptables is applied after connectivity or a new interface is set up with no rules in the firewall or that tiny space between the flushing of these rules and reload in a firewall script. Never take TCP wrappers as being a wannabe firewall or IPTables lacking the functionality present in TCP wrappers. Some use the latter for logging purposes, reverse DNS (which may not be present in a server). Anyway xinetd is better at this than TCP wrappers.
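The "tiny space between the flushing of these rules and reload" that post #7 describes is a real gap in the classic rc.firewall pattern (`iptables -F`, then one `iptables -A` per rule, with the INPUT policy still ACCEPT while the chain is empty). iptables-restore avoids it by replacing the whole table in a single kernel operation. The script below is an added example, not from this thread: it builds the kernel-side half of the deny-all / allow-few policy from post #1 and loads it atomically. The addresses and ports are constructed sample values, and loading assumes iptables-restore is installed and the script runs as root.

```python
"""Deny-all / allow-few iptables ruleset, loaded atomically with iptables-restore.
Added example; SAMPLE_ALLOWED holds constructed addresses, not real hosts."""
import ipaddress
import subprocess


def normalize_source(src):
    """Validate one source as an IPv4 network; a bare address becomes /32.
    Rejecting anything unparsable means a typo cannot silently widen a rule."""
    return str(ipaddress.IPv4Network(src, strict=False))


def build_ruleset(allowed, table="filter"):
    """Return iptables-restore text for `allowed` = {tcp_port: [source networks]}.
    INPUT and FORWARD default to DROP; loopback and replies to established
    connections are accepted; then one ACCEPT per (source, port) pair."""
    lines = [
        f"*{table}",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port, sources in sorted(allowed.items()):
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port {port!r}")
        for src in sources:
            lines.append(f"-A INPUT -p tcp -s {normalize_source(src)} --dport {port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def load_ruleset(text):
    """Replace the table in one step. Unlike 'iptables -F' followed by re-adding
    rules one by one, there is no interval in which INPUT is empty under an
    ACCEPT policy, so a connection cannot slip in during the reload."""
    subprocess.run(["iptables-restore"], input=text.encode(), check=True)


# Constructed sample: one admin host and one LAN may reach ssh, nothing else is open.
SAMPLE_ALLOWED = {22: ["203.0.113.5", "198.51.100.0/24"]}

if __name__ == "__main__":
    import sys
    ruleset = build_ruleset(SAMPLE_ALLOWED)
    print(ruleset, end="")          # review the generated rules first
    if "--load" in sys.argv:        # only touch the kernel when asked to
        load_ruleset(ruleset)
```

Run it without arguments to review the generated text, and with `--load` (as root) to apply it. Because the policy lines (`:INPUT DROP`) are part of the same restore, the default-deny is in force from the moment the new table is committed; this is the kernel-side counterpart of the `ALL: ALL` line in hosts.deny, so the two layers express the same policy and the wrappers only ever see connections iptables has already accepted.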