Mailing List Archive

hosts.{allow,deny} vs. iptables.
Hello.

Can anybody explain the differences and pros/cons between the two
approaches mentioned in the subject?

I thought that the fewer programs I have on my server, the more secure it is.
But the Gentoo security guide and some people on this list suggest the use of
the hosts.allow and hosts.deny files, which only work if I have tcpd installed,
thus another service which weakens the server's security. But normally each
server has iptables installed. So every sysadmin can obtain hosts.allow/
hosts.deny functionality with a simple iptables rule like the following:

iptables -A INPUT -s bad_host -j DROP

This is the base functionality of iptables. No PoM is necessary for this
kind of thing.

Moreover, I think a portable bash script that parses the hosts.* files and
creates iptables rules would be very simple to write!

So why do many people and security guides still suggest the use of tcpd
over simple iptables rules?

Thank you for your time,
Peter.
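
An added example of the script Peter describes, written for this archive and not taken from his post, from tcpd or from iptables. It goes a little beyond his one-liner: it translates the address-based subset of hosts_access(5) syntax (dotted addresses, a.b.c.d/n, net/mask, trailing-dot prefixes, ALL) from both files into iptables commands, and refuses to translate name-based patterns, which is the practical gap between the two tools. The daemon-to-port table, the tcpd_equiv chain name and the sample files at the bottom are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: a hosts.allow /
# hosts.deny to iptables translator for the address-based subset of the
# hosts_access(5) syntax. Assumed, not from the page: the daemon->port table
# in port_for, the chain name tcpd_equiv, and the sample files in demo().

# Daemon name -> TCP port (assumed table; /etc/services would do for real use).
port_for() {
    case "$1" in
        sshd)   echo 22 ;;
        ftpd)   echo 21 ;;
        smtpd)  echo 25 ;;
        *)      return 1 ;;
    esac
}

# Map one client pattern to an iptables -s argument. Handles ALL, dotted
# IPv4, a.b.c.d/n, n.n.n.n/m.m.m.m and trailing-dot prefixes ("10.1." is
# 10.1.0.0/16). Returns 1 for anything that needs a DNS name (hostnames,
# ".example.com", KNOWN, UNKNOWN, PARANOID): iptables sees packets, not
# names, so those entries cannot be translated and still need tcpd.
client_to_src() {
    c=$1
    case "$c" in
        ALL)          echo "0.0.0.0/0" ;;
        *[!0-9./]*)   return 1 ;;
        */*)          echo "$c" ;;
        *.)
            dots=$(printf '%s' "$c" | awk -F. '{ print NF - 1 }')
            case "$dots" in
                1) echo "${c}0.0.0/8" ;;
                2) echo "${c}0.0/16" ;;
                3) echo "${c}0/24" ;;
                *) return 1 ;;
            esac ;;
        *.*.*.*)      echo "$c" ;;
        *)            return 1 ;;
    esac
}

# Read hosts.allow-style lines ("daemon_list : client_list [: option]") on
# stdin and print one iptables command per (daemon, client) pair. $1 is the
# verdict: ACCEPT for hosts.allow, DROP for hosts.deny. Entries that cannot
# be expressed as a packet filter are reported on stderr, not silently lost.
emit_rules() {
    verdict=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=$(printf '%s' "$line" | cut -d: -f1 | tr ',' ' ')
        clients=$(printf '%s' "$line" | cut -d: -f2 | tr ',' ' ')
        for d in $daemons; do
            if [ "$d" = ALL ]; then
                match="-p tcp"
            elif port=$(port_for "$d"); then
                match="-p tcp --dport $port"
            else
                echo "skip: no port known for daemon $d" >&2
                continue
            fi
            for c in $clients; do
                if src=$(client_to_src "$c"); then
                    echo "iptables -A tcpd_equiv $match -s $src -j $verdict"
                else
                    echo "skip: '$c' ($verdict list) is not an address pattern, tcpd only" >&2
                fi
            done
        done
    done
}

# Full script: a stateful skeleton (drop by default, keep established flows)
# plus a dedicated chain holding the translated entries in tcpd's order:
# allow list first, deny list second, first match wins.
ruleset() {   # $1 = hosts.allow path, $2 = hosts.deny path
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N tcpd_equiv
iptables -A INPUT -m state --state NEW -j tcpd_equiv
EOF
    emit_rules ACCEPT < "$1"
    emit_rules DROP   < "$2"
}

# Constructed sample files (not from the page) to show the translator at work.
demo() {
    tmp=$(mktemp -d)
    printf 'sshd: 10.1., 192.168.5.7\nsmtpd: ALL\n' > "$tmp/hosts.allow"
    printf 'ALL: ALL\nsshd: .evil.example.com   # needs tcpd\n' > "$tmp/hosts.deny"
    ruleset "$tmp/hosts.allow" "$tmp/hosts.deny"
    rm -rf "$tmp"
}
demo
```

The commands are printed rather than executed so they can be reviewed first; pipe the output to sh to apply them. Two differences from tcpd remain even for the translatable entries: the iptables rules act on every listener on a port, not only on the wrapped daemon, and the skeleton drops unmatched new connections, so a hosts.deny without `ALL: ALL` is stricter here than under tcpd, where a client matched by neither file is allowed.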
Re: hosts.{allow,deny} vs. iptables.
* Peter Volkov | 2005-10-13 11:26:55 [+0400]:

>So why do many people and security guides still suggest the use of tcpd
>over simple iptables rules?

Not sure, maybe these pros:
- if you forget to start your iptables script, your ports are open
- you can check with 'PARANOID' whether the hostname and IP record match

:)

>
>Thank you for your time,
>Peter.
--
Regards
Sebastian Siewior
--
gentoo-security@gentoo.org mailing list
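
The PARANOID check Sebastian mentions, as an added example that is neither tcpd's source nor part of his post: tcpd does a reverse lookup on the client address, a forward lookup on the name it gets back, and treats the client as nameless unless the connecting address appears in that forward answer. The DNS table below is constructed for the example so the script runs offline; the two lookup helpers are assumptions and can be swapped for getent for a live check.

```shell
#!/bin/sh
# Added example for Sebastian's PARANOID point, not tcpd's own code: the
# forward-confirmed reverse DNS check behind hosts_access(5)'s PARANOID
# wildcard, written against a constructed DNS table so it runs offline.
# Assumed, not from the page: the table contents and the two lookup helpers.

# Constructed records, "<key> <type> <value>". Not real hosts.
# 6.6.6.6 carries a PTR that good.example.com does not confirm (spoofed PTR),
# 7.7.7.7's PTR points at a name with no A record at all, and lb.example.com
# has two A records, only one of which is the connecting address.
dns_table='
5.5.5.5          PTR good.example.com
good.example.com A   5.5.5.5
6.6.6.6          PTR good.example.com
7.7.7.7          PTR orphan.example.com
lb.example.com   A   8.8.8.8
lb.example.com   A   9.9.9.9
9.9.9.9          PTR lb.example.com
'

# Reverse lookup: IP -> name. For a live check replace the body with
#   getent hosts "$1" | awk '{ print $2 }'
reverse_lookup() {
    printf '%s\n' "$dns_table" | awk -v k="$1" '$1 == k && $2 == "PTR" { print $3 }'
}

# Forward lookup: name -> every IPv4 address. Live variant:
#   getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
forward_lookup() {
    printf '%s\n' "$dns_table" | awk -v k="$1" '$1 == k && $2 == "A" { print $3 }'
}

# PARANOID semantics: a client whose reverse name does not resolve back to
# the connecting address is treated as if it had no name at all, so an
# "ALL: PARANOID" line in hosts.deny refuses it. Prints a verdict and
# returns 0 (name confirmed), 1 (no PTR record) or 2 (PTR/A mismatch).
paranoid_check() {
    ip=$1
    name=$(reverse_lookup "$ip" | head -n 1)
    if [ -z "$name" ]; then
        echo "unknown: $ip has no reverse record"
        return 1
    fi
    for a in $(forward_lookup "$name"); do
        if [ "$a" = "$ip" ]; then
            echo "ok: $ip is $name"
            return 0
        fi
    done
    echo "paranoid: $ip claims $name but $name does not point back"
    return 2
}

# Show every verdict the table can produce.
for ip in 5.5.5.5 6.6.6.6 7.7.7.7 9.9.9.9 1.2.3.4; do
    paranoid_check "$ip" || true
done
```

Note that the check only proves consistency between the two DNS zones involved; an attacker who controls both the reverse zone for their address and the forward zone for a name they own passes PARANOID, so it is a filter against sloppy or spoofed PTR records, not an authentication of the client.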
Re: hosts.{allow,deny} vs. iptables.
quoth the Peter Volkov:
> Hello.
>
> Can anybody explain the differences and pros/cons between the two
> approaches mentioned in the subject?
>
> I thought that the fewer programs I have on my server, the more secure it is.
> But the Gentoo security guide and some people on this list suggest the use of
> the hosts.allow and hosts.deny files, which only work if I have tcpd installed,
> thus another service which weakens the server's security. But normally each
> server has iptables installed. So every sysadmin can obtain hosts.allow/
> hosts.deny functionality with a simple iptables rule like the following:
>
> iptables -A INPUT -s bad_host -j DROP
>
> This is the base functionality of iptables. No PoM is necessary for this
> kind of thing.
>
> Moreover, I think a portable bash script that parses the hosts.* files and
> creates iptables rules would be very simple to write!
>
> So why do many people and security guides still suggest the use of tcpd
> over simple iptables rules?
>
> Thank you for your time,
> Peter.

This is a good question, and one for which I am anticipating many responses
more informative and comprehensive than mine...all I can do is offer opinion.

As I see it, iptables is best used to guard the network gateway and live
internet servers, i.e. http, ftp, smtp, named etc., and tcpwrappers is best
suited for internal LAN security, where you may want to easily control access
to _many_ services host by host, i.e. NFS, samba, rsync, ssh, pop, imap etc.

I suppose the listing of services is arbitrary, depending on your
circumstances. For me it comes down to iptables for servers directly
accessible from the internet, and tcpwrappers for internal stuff.

-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
RE: hosts.{allow,deny} vs. iptables.
> >So why do many people and security guides still suggest the use of tcpd
> >over simple iptables rules?
>
> Not sure, maybe this pros
> - if you forget to start your iptables script your ports are open
> - you can check with 'PARANOID' whether hostname and ip record match
>

This could end up being a very interesting thread.

Iptables is nice because it is at the kernel level; if someone were to try
to hack it so that your iptables commands were ignored, they would
need to be able to reboot the box, something that you would probably
notice in a managed environment.

Tcpd runs in userspace, so given root access it is a lot easier to
compromise the executable.

Just my 2c




NOTICE: This e-mail message and all attachments
transmitted with it may contain legally privileged and
confidential information intended solely for the use of
the addressee. If the reader of this message is not the
intended recipient, you are hereby notified that any
reading, dissemination, distribution, copying, or other
use of this message or its attachments, hyperlinks, or
any other files of any kind is strictly prohibited. If you
have received this message in error, please notify the
sender immediately by telephone (+44-1865-265500) or by
a reply to this electronic mail message and delete this
message and all copies and backups thereof.


Re: hosts.{allow,deny} vs. iptables.
One reason I can think of is to keep it simple across platforms.
tcpd is, in general, OS-non-specific. When you need to make security
suggestions that span platforms (Linux, Solaris, BSD, etc.) this is what
you want. You can install tcpd on all platforms, and the configuration
is the same.

iptables is Linux-specific. To create the same functionality on other
platforms, you will be stuck with several different packages and config
files to provide the same functionality. This can become hard to manage
very quickly.



.------[ Peter Volkov wrote (2005/10/13 at 12:32:05 AM) ]------
|
> Hello.
>
> Can anybody explain the differences and pros/cons between the two
> approaches mentioned in the subject?
>
> I thought that the fewer programs I have on my server, the more secure it is.
> But the Gentoo security guide and some people on this list suggest the use of
> the hosts.allow and hosts.deny files, which only work if I have tcpd installed,
> thus another service which weakens the server's security. But normally each
> server has iptables installed. So every sysadmin can obtain hosts.allow/
> hosts.deny functionality with a simple iptables rule like the following:
>
> iptables -A INPUT -s bad_host -j DROP
>
> This is the base functionality of iptables. No PoM is necessary for this
> kind of thing.
>
> Moreover, I think a portable bash script that parses the hosts.* files and
> creates iptables rules would be very simple to write!
>
> So why do many people and security guides still suggest the use of tcpd
> over simple iptables rules?
>
> Thank you for your time,
> Peter.


|
`^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


Re: hosts.{allow,deny} vs. iptables.
On Thursday 13 October 2005 02:26 am, Peter Volkov wrote:
> Can anybody explain the differences and pros/cons between the two
> approaches mentioned in the subject?

First, I must say that this is a very interesting read on the original
intended purpose of tcpd:
ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z

IMO, security works best in layers. So, why not use both?

I see the following downsides:

- hosts.(allow|deny) seems to be implementation specific in the sense that not
everything supports it. You might need to check to see if it's supported, or
simply use tcpwrappers/inetd if it is not.

- IPTables is platform specific, in that not every (*nix) operating system
uses it.


On the other hand, these days it seems easier to set up a firewall in some form
of firewall builder app/script that can compile firewalls for multiple
platforms from a centralized workstation, then have it push the firewalls
out to each host and restart them appropriately. Perhaps someday these apps
may provide hosts.(allow|deny) support(?).

If forced to choose, I would go with firewalls (or rather, IPTables); you have
a lot more options, especially when the firewall is stateful.

My 0.02..

Robert
RE: hosts.{allow,deny} vs. iptables.
10/13/2005, "Giles Coochey" <giles.coochey@mirada-solutions.com>
wrote:

>Iptables is nice because it is at kernel level, if someone were to try
>to hack it so that your Iptables commands were ignored then they would
>need to be able to reboot the box, something that you would probably

Do I understand correctly that you claim that to undo iptables you
need to reboot the box? Or maybe you claim something that you assume but do
not tell (a non-vanilla hardened system)?

>notice in a managed environment.
>
>Tcpd runs in userspace, so given root access is a lot easier to
>compromise the executable.

I don't get your point... If you give me root access, what's the
difference in r00ting the box via fake iptables or tcpd?

Anyway comparing iptables with tcpd is rather useless, they seem to
perform the same job but they fight on different fronts.

>
>NOTICE: This e-mail message and all attachments
>transmitted with it may contain legally privileged and
>confidential information intended solely for the use of
>the addressee. If the reader of this message is not the

Well, pretty much anybody can subscribe to this list.

>intended recipient, you are hereby notified that any
>reading, dissemination, distribution, copying, or other
>use of this message or its attachments, hyperlinks, or
>any other files of any kind is strictly prohibited. If you
>have received this message in error, please notify the
>sender immediately by telephone (+44-1865-265500) or by
>a reply to this electronic mail message and delete this
>message and all copies and backups thereof.

And how can you enforce that?

Excuse me, but I think such notices are a complete waste of space and time
when attached to a public mailing list. Please do not attach them, thank
you!
