LinuxQuestions.org
Old 09-25-2006, 02:39 AM   #1
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Rep: Reputation: 45
performance: tcpwrappers v iptables


My server is constantly getting hammered by brute force attempts, so I finally decided to set strict allowance policies (deny all and allow the privileged few). My question is, which method provides the best performance results: blocking in iptables, or with tcp wrappers? It seems to make sense to me that stuff gets parsed in iptables before it hits the tcpwrappers, but I'm not exactly an expert.

Thanks!
...drkstr

**edit**
Sorry, one other side thought. Does tcp wrappers protect the services running in a chroot environment as well?

Last edited by drkstr; 09-25-2006 at 02:41 AM.
 
Old 09-25-2006, 02:56 AM   #2
bulliver
Senior Member
 
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,764
Blog Entries: 4

Rep: Reputation: 78
This would just be a guess, but it stands to reason that iptables will be faster because it runs in kernel space, and thus will block the packets before they get to the application layer, where tcpwrappers is run from. Plus, for tcpwrappers, each application that is allowed must be started anew per request.
 
Old 09-25-2006, 02:59 AM   #3
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
The short answer is: run them both. IPtables is a packet filtering technology, where TCPwrappers is an application service security tool. If security is the #1 priority, then use both or all three (including chroot), and if performance suffers slightly, then at least you are less likely to get hacked or be the victim of a DoS.
 
Old 09-25-2006, 09:34 AM   #4
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Original Poster
Rep: Reputation: 45
Thanks for the replies! Security isn't all that important for me; I'm mainly just tossing in the strict allowance policies to cut down the workload of so many login attempts. I keep good password policies, so the chances of a brute force attempt being successful are not very high. However, I think I am going to add to both just in case. Most stuff will probably be caught at the iptables level, so I doubt it will impact performance having tcp wrappers enabled as well.

Thanks for the help!
...drkstr
 
Old 09-27-2006, 01:31 AM   #5
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Never trust TCP wrappers because it's harder to be sure that each and every server is using it...
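
One way to check the coverage concern raised in post #5, as an added example that is not part of the thread: standalone daemons only honour hosts.allow/hosts.deny if they link libwrap, and inetd services only if they are started through tcpd. The function names and the sample inetd.conf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which services actually pass through TCP wrappers.
# Run ldd only on trusted system binaries.

# Reads `ldd` output on stdin; succeeds if libwrap is among the libraries.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# audit_binaries PATH...: one line per standalone daemon binary.
audit_binaries() {
    for bin in "$@"; do
        if ldd "$bin" 2>/dev/null | links_libwrap; then
            echo "$bin wrapped"
        else
            echo "$bin UNWRAPPED"
        fi
    done
}

# Reads inetd.conf-format lines on stdin and prints the service names whose
# server program (field 6) is not tcpd, i.e. started without the wrapper.
inetd_unwrapped() {
    awk 'NF >= 6 && $1 !~ /^#/ && $6 !~ /(^|\/)tcpd$/ { print $1 }'
}

# Constructed sample input (not taken from any real host)
SAMPLE_INETD='# service type proto wait user server args
ftp     stream tcp nowait root   /usr/sbin/tcpd       in.ftpd -l
finger  stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
'

printf '%s' "$SAMPLE_INETD" | inetd_unwrapped
```

Any service reported as unwrapped is reachable regardless of hosts.deny, so it has to be covered by the packet filter.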
 
Old 09-27-2006, 03:04 AM   #6
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Original Poster
Rep: Reputation: 45
Thanks for the word of warning. I have never used tcp wrappers before as it seems kind of redundant to me. I suppose I was really inquiring about what they are used for more than anything. Iptables (in my opinion at least) seems like a much more secure way of controlling policies.

I am not too worried about the security issue; the only reason I am locking down the policies is to cut down on server work. I ended up just adding the policies to my existing iptables rules, but is it more work to check packets here or to just let it go through without traversing a bunch of chains, then stop it at the application level? If there is no performance benefit for the latter method, then what the heck are tcp wrappers for? ...half assed firewall maybe?

Thanks!
...drkstr
 
Old 09-27-2006, 03:18 AM   #7
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Quote:
Originally Posted by drkstr
Thanks for the word of warning. I have never used tcp wrappers before as it seems kind of redundant to me. I suppose I was really inquiring about what they are used for more than anything. Iptables (in my opinion at least) seems like a much more secure way of controlling policies.

I am not too worried about the security issue; the only reason I am locking down the policies is to cut down on server work. I ended up just adding the policies to my existing iptables rules, but is it more work to check packets here or to just let it go through without traversing a bunch of chains, then stop it at the application level? If there is no performance benefit for the latter method, then what the heck are tcp wrappers for? ...half assed firewall maybe?

Thanks!
...drkstr

This redundancy doesn't hurt anyone... Some call it a "multi-layered security approach". Consider the case where iptables is applied after connectivity, or a new interface is set up with no rules in the firewall, or that tiny space between the flushing of these rules and the reload in a firewall script. Never take TCP wrappers as being a wannabe firewall or IPTables lacking the functionality present in TCP wrappers. Some use the latter for logging purposes, reverse DNS (which may not be present in a server). Anyway, xinetd is better at this than TCP wrappers.
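
The deny-all, allow-a-few policy from the first post, written so that the flush-then-reload gap mentioned in post #7 does not occur, as an added example that is not part of the thread: the ruleset is emitted in iptables-restore format, which replaces the table and its default policy in a single commit, alongside the matching hosts.allow line. Port 22, the daemon name sshd and the RFC 5737 addresses are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: default-deny allowlist for iptables and TCP wrappers.

# gen_ruleset PORT ADDR...: print an iptables-restore ruleset on stdout.
# Refuses an empty allowlist, which would lock every client out.
gen_ruleset() {
    if [ $# -lt 2 ]; then
        echo "usage: gen_ruleset PORT ADDR..." >&2
        return 1
    fi
    port=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default policy set in the same commit
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for addr in "$@"; do
        echo "-A INPUT -p tcp -s $addr --dport $port -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# gen_hosts_allow DAEMON ADDR...: the matching /etc/hosts.allow line.
# Pair it with "ALL: ALL" in /etc/hosts.deny for the second layer.
gen_hosts_allow() {
    daemon=$1; shift
    echo "$daemon: $*"
}

# apply_ruleset FILE: parse-check first, then load in one commit.
# Needs root, so it is defined here but not called.
apply_ruleset() {
    iptables-restore --test < "$1" && iptables-restore < "$1"
}

# Constructed sample values
gen_ruleset 22 192.0.2.10 198.51.100.7
gen_hosts_allow sshd 192.0.2.10 198.51.100.7
```

A script that runs `iptables -F` and then re-adds rules one by one leaves the chain empty in between; loading the generated file with `iptables-restore` avoids that interval.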
 
  

