LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 04-06-2018, 04:29 AM   #1
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers)/Ubuntu (workstations)
Posts: 287

Rep: Reputation: 168Reputation: 168
TCP Wrappers support for OpenSSH


From Current (pre-release) ChangeLog for x86_64
Quote:
Thu Apr 5 21:21:24 UTC 2018
n/openssh-7.7p1-x86_64-2.txz: Rebuilt.
Restored tcp_wrappers support. Thanks to ecd102 for the patch.
If I want to check the TCP Wrappers support for SSHD with the command:
Code:
ldd /usr/sbin/sshd | grep libwrap
there is no result returned!
If I run
Code:
ldd /usr/sbin/sshd
result is
Quote:
linux-vdso.so.1 (0x00007ffe1636d000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fb039c23000)
libcrypto.so.1 => /lib64/libcrypto.so.1 (0x00007fb0397c4000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fb0395c0000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007fb0393bd000)
libz.so.1 => /lib64/libz.so.1 (0x00007fb0391a6000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fb038f6e000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fb038d54000)
libc.so.6 => /lib64/libc.so.6 (0x00007fb03896a000)
/lib64/ld-linux-x86-64.so.2 (0x00007fb03a0f8000)
They are already installed:
openssh-7.7p1-x86_64-2
tcp_wrappers-7.6-x86_64-1
but libwrap.so.0 is missing.

Last edited by teoberi; 04-06-2018 at 04:58 AM. Reason: Complete answer
 
Old 04-06-2018, 05:04 AM   #2
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 629

Rep: Reputation: 406Reputation: 406Reputation: 406Reputation: 406Reputation: 406
There was no shared libwrap before, either.

Last edited by Petri Kaukasoina; 04-06-2018 at 05:05 AM.
 
Old 04-06-2018, 06:04 AM   #3
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers)/Ubuntu (workstations)
Posts: 287

Original Poster
Rep: Reputation: 168Reputation: 168
I have build OpenSSH from sources (openssh.SlackBuild) and I found:
Quote:
checking for libwrap... yes
and
Quote:
OpenSSH has been configured with the following options:
...
TCP Wrappers support: yes
...
 
Old 04-06-2018, 06:35 AM   #4
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers)/Ubuntu (workstations)
Posts: 287

Original Poster
Rep: Reputation: 168Reputation: 168
Quote:
Originally Posted by Petri Kaukasoina View Post
There was no shared libwrap before, either.
Yes, I found it here:
https://www.linuxquestions.org/quest...kernel-554912/
but there's a patch for "shared libwrap"
https://www.linuxquestions.org/quest...ce-4175608633/
 
Old 04-06-2018, 06:50 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,529
Blog Entries: 3

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
<digression>
Can I ask what use-case(s) you have for TCPwrappers (tcpd) that is not already met by iptables?
</digression>
 
Old 04-06-2018, 11:52 AM   #6
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers)/Ubuntu (workstations)
Posts: 287

Original Poster
Rep: Reputation: 168Reputation: 168
TCP Wrappers provide an additional layer of security after firewall and before service daemon.
Is a good approach, because even if firewall is breached, the attacker still has to overcome the extra wrapper.
I'm using an iptables-based firewall (it will be replaced by nftables) but I've been using TCP Wrappers since I started using Linux for servers.
Example: I use TCP Wrappers to restrict SSH server access by workstations in the internal network.
 
Old 04-06-2018, 12:31 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,529
Blog Entries: 3

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
Quote:
Originally Posted by teoberi View Post
TCP Wrappers provide an additional layer of security after firewall and before service daemon.
Is a good approach, because even if firewall is breached, the attacker still has to overcome the extra wrapper.
I'm using an iptables-based firewall (it will be replaced by nftables) but I've been using TCP Wrappers since I started using Linux for servers.
Example: I use TCP Wrappers to restrict SSH server access by workstations in the internal network.
Thanks, can you explain in a little more detail about which tcpd-specific features you are using or plan to use? Restricting by IP number or subnet can be done with iptables (or nftables) alone so in that regard tcpd is redundant and provides no added help.
 
Old 04-06-2018, 02:27 PM   #8
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers)/Ubuntu (workstations)
Posts: 287

Original Poster
Rep: Reputation: 168Reputation: 168
I use TCP Wrappers mainly to restrict SSH access. External IP addresses that can access the SSH server are filtered by firewall (iptables) and TCP Wrappers but internal IP addresses only by TCP Wrappers.
It is your point of view that tcpd is redundant, for me it adds an extra level of protection.
 
Old 04-06-2018, 02:55 PM   #9
Petri Kaukasoina
Member
 
Registered: Mar 2007
Posts: 629

Rep: Reputation: 406Reputation: 406Reputation: 406Reputation: 406Reputation: 406
You could also use DenyUsers, AllowUsers, and Match conditional blocks in sshd_config.
 
Old 04-07-2018, 12:35 AM   #10
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,529
Blog Entries: 3

Rep: Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787Reputation: 2787
Quote:
Originally Posted by teoberi View Post
It is your point of view that tcpd is redundant, for me it adds an extra level of protection.
No. It is not a point of view. It is a fact that tcpd, for that use-case, is redundant. There is no need to use it for filtering since iptables does that without adding extra code or requiring modifications to the OpenSSH package. If you do not believe me, then look at iptables and see that you can filter by IP address and subnet, including LAN addresses. iptables can even filter by date, day of the month, day of week, or hour of day. Also, the NFQUEUE target can trigger user-space activvity. See "man iptables" and "man iptables-extensions"

See also the manual page for sshd_config itself and check the configuration directives AllowUsers, AllowGroups, DenyUsers, DenyGroups, or Match's Address. Notice that they provide filtering by IP address and even by subnet using CIDR notation in addition to some basic wildcard substitutions.

By being redundant, an argument can be made that tcpd actually lowers the protection you have available by introducing undesired complexity and large amounts of legacy code. If it's not there, it can't break.

Keep it simple.

Again, I used to use tcpd and so have been honestly curious about other use-cases that are above and beyond filtering, ones that would really be something extra. So I was really hoping to read something interesting like using it to trigger shell scripts from hosts.allow or hosts.deny upon receiving requests for incoming connections. Back when a finger daemon was part of every server, it used to be reasonable sometimes to probe the incoming machine for that user's account. I suppose nowadays you could use tcpd for a quick nmap scan of the remote machine or something similar. That's the kind of use-case I was hoping to read about.

Anyway thanks for explaining, even if I disagree, and sorry for the digression.
 
Old 04-07-2018, 02:30 AM   #11
teoberi
Member
 
Registered: Jan 2018
Location: Romania
Distribution: Slackware64-current (servers)/Ubuntu (workstations)
Posts: 287

Original Poster
Rep: Reputation: 168Reputation: 168
Quote:
Originally Posted by Petri Kaukasoina View Post
You could also use DenyUsers, AllowUsers, and Match conditional blocks in sshd_config.
I'm already using the AllowUsers directive but I have not yet used Match's Address.
It was easier to configure the permissions in the hosts.allow file.
I read that TCP Wrappers is deprecated in many distributions but there are other solutions.
Thanks for your explanations, they helped me better understand this situation.
 
Old 04-07-2018, 04:57 AM   #12
GazL
LQ Veteran
 
Registered: May 2008
Posts: 5,802

Rep: Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722
Quote:
Originally Posted by Turbocapitalist View Post
By being redundant, an argument can be made that tcpd actually lowers the protection you have available by introducing undesired complexity and large amounts of legacy code. If it's not there, it can't break.

Keep it simple.
This reasoning is why I rebuilt the OpenSSH package after Pat decided to add tcp_wrapper back in. I'm not suggesting there's anything wrong with the patch he's using, but as the infamous debian openssl debacle taught us: when you start messing with other peoples code bad things can happen. OpenSSH is a high risk component, so I prefer it to be as true to upstream as possible. If they dropped support for tcp_wrappers then I'm not going to second guess them and add it back in.
 
2 members found this post helpful.
Old 04-07-2018, 08:54 AM   #13
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 5,592

Rep: Reputation: 2167Reputation: 2167Reputation: 2167Reputation: 2167Reputation: 2167Reputation: 2167Reputation: 2167Reputation: 2167Reputation: 2167Reputation: 2167Reputation: 2167
Yeah - I have been in two minds about that one as well. iptables maybe a single point of failure, but it is also a single point of maintenance. On balance, I prefer to go with iptables only.
 
1 members found this post helpful.
Old 04-07-2018, 12:22 PM   #14
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 1,968

Rep: Reputation: 6449Reputation: 6449Reputation: 6449Reputation: 6449Reputation: 6449Reputation: 6449Reputation: 6449Reputation: 6449Reputation: 6449Reputation: 6449Reputation: 6449
Quote:
Originally Posted by GazL View Post
This reasoning is why I rebuilt the OpenSSH package after Pat decided to add tcp_wrapper back in. I'm not suggesting there's anything wrong with the patch he's using, but as the infamous debian openssl debacle taught us: when you start messing with other peoples code bad things can happen. OpenSSH is a high risk component, so I prefer it to be as true to upstream as possible. If they dropped support for tcp_wrappers then I'm not going to second guess them and add it back in.
At this point, tcp_wrappers is so well audited that I'd be very surprised if a security problem exists there.

You almost changed my mind, though. Next time the patch breaks I'll be much harder to convince.
 
1 members found this post helpful.
Old 04-07-2018, 02:18 PM   #15
GazL
LQ Veteran
 
Registered: May 2008
Posts: 5,802

Rep: Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722Reputation: 3722
I have the luxury of only having to consider my own preferences, which makes the decision much easier.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Linux TCP Wrappers & Which Services can be secured via TCP Wrappers LXer Syndicated Linux News 0 12-16-2013 09:01 AM
Are TCP Wrappers still used dazdaz Linux - Software 3 06-14-2012 12:07 AM
How to install OpenSSH on CentOS with tcp wrappers support Brandon.Wamboldt Linux - Server 4 05-05-2009 10:20 PM
Tcp wrappers sysconfig Linux - Security 4 09-08-2006 08:20 AM
TCP Wrappers ltrain Linux - Security 6 05-31-2001 10:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 08:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration