TCP WRAPPERS
TCP Wrappers were developed in 1992 at the Eindhoven University of Technology in the
Netherlands. They grew out of a security breach on the university's UNIX server. A cracker
repeatedly gained root access to the system and would, at random, run the UNIX command
rm -rf /, which has roughly the effect of formatting a disk under DOS. The staff could
restore the system from a tape backup, but large amounts of data were often still lost. The
system administrator began to track the cracker and noticed a lot of activity on the finger
and systat network daemons; the cracker used these commands to watch the network, finger
in particular because it does not require a password. The administrator, Wietse Venema,
developed what he called TCP Wrappers to track and identify the cracker's activity. Through
many versions and modifications, TCP Wrappers have become an effective way to track down
unauthorized or questionable activity on a network.
TCP Wrappers have proven effective in monitoring and controlling access to the TFTP,
EXEC, FTP, RSH, TELNET, RLOGIN, FINGER and SYSTAT network daemons. They are designed to
intercept requests for communication with the system's inetd daemon. inetd is responsible
for monitoring the ports on which TFTP, TELNET and similar services run: a remote client
sends a request for a particular port, inetd listens on these ports, sees the request
arrive and directs it to the proper process, and then goes back to waiting for the next
incoming request. TCP Wrappers act as a first step between the remote request and the
daemon that inetd would otherwise hand it to. In its first form, when a request comes in
the wrapper simply records the name of the remote host from which it came, together with
the time of the request and the requested service. The request is then passed on to the
daemon. This is a simple way of tracking which remote hosts are accessing the machine and
which services they are using. The potential cracker is not aware that his remote host
name is being recorded in a log file.
The next version of TCP Wrappers added a simple access control method, which allowed the
administrator to turn off remote access to insecure processes. Remote access can also be
denied to specific sites, so that sites that are known trouble spots can be kept away from
your processes. A list is maintained on your system that records who is granted access.
This aids in tracking and discouraging crackers.
Further modifications of TCP Wrappers allow the tracking of the computer accounts that
have been accessing your system. Instead of logging only the host name of the remote
system, the computer name and user name can be logged, so that it can be determined
exactly where the security breach is occurring. It is easy to see in a log file whether a
burst of activity from one system has occurred and a security breach may have taken place.
One of the latest versions of TCP Wrappers will perform a reverse finger on the remote
host. The result of this reverse finger can be mailed to the system administrator and can
lead to identification of the cracker. This process is called "booby trapping". A specific
file allows the administrator to perform the reverse finger on selected remote hosts. The
cracker who prompted all of the TCP Wrapper development was eventually found. No criminal
charges were brought against him at the time, because no guidelines for that sort of thing
had been set up until later in 1992.
One of the unique features of TCP Wrappers, and one that makes it so desirable, is that it
works with existing software. It was developed on a UNIX system and is written in C. The C
code works on most systems, and the designer performed many tests to confirm that this was
true.
TCP Wrappers are also usable with UDP services, provided that the system has a central
daemon that routes incoming requests to the appropriate processes. The Wrappers depend on
that central daemon architecture.
The system is widely used on UNIX servers. It is a popular tool because of its ability to
detect security breaches. A sufficiently skilled cracker can of course get around the
Wrappers, but they do prevent some crackers from getting away with breaking into a system.
It is possible to send false host names in the TCP packets, and in this way to disguise
the fact that the connection comes from an untrusted system. This takes more work for the
cracker: he must determine which systems are considered "trusted" and then make the TCP
modifications. Even then it is not an effective way of defeating the Wrappers, because they
do a DNS lookup to get a "second opinion" on the address that was sent. No security system
will keep out every cracker, but all of it is built to make things more difficult for them.
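The three mechanisms described above (logging the remote host, time and service; per-service allow and deny lists; and the DNS "second opinion" that refuses a forged host name) are modelled in the following added example. It is not the TCP Wrappers source and not Wietse Venema's code: the DNS tables, addresses and access lists are constructed, the list syntax is loosely modelled on the real tool's hosts.allow / hosts.deny style, and the real tool does its checks in C inside tcpd rather than in Python.

```python
from datetime import datetime, timezone

# Constructed, offline stand-ins for DNS so the example runs anywhere:
# PTR answers the reverse lookup (address -> name), A the forward lookup (name -> addresses).
PTR = {"192.0.2.10": "mail.example.net",
       "198.51.100.7": "shell.example.org",
       "203.0.113.5": "trusted.example.com"}
A = {"mail.example.net": ["192.0.2.10"],
     "shell.example.org": ["198.51.100.7"],
     "trusted.example.com": ["203.0.113.99"]}   # deliberately does NOT map back to 203.0.113.5

# Constructed per-service access lists, loosely modelled on the hosts.allow / hosts.deny
# style: a leading "." matches a domain suffix, "ALL" matches everything, else exact name/address.
ALLOW = {"finger": [".example.net"], "telnet": ["trusted.example.com"]}
DENY = {"finger": [".example.org"], "telnet": ["ALL"]}

LOG = []  # what the wrapper records before the real daemon ever sees the request


def resolve_client(addr):
    """Reverse lookup, then forward lookup of the returned name: the "second opinion"."""
    name = PTR.get(addr)
    if name is None:
        return "unknown"
    if addr not in A.get(name, []):
        return "paranoid"  # the name claimed for this address does not resolve back to it
    return name


def matches_any(patterns, host, addr):
    for p in patterns:
        if p == "ALL" or p == addr or p == host or (p.startswith(".") and host.endswith(p)):
            return True
    return False


def wrap(service, addr, now=None):
    """Decide whether the request for `service` from `addr` reaches the daemon, logging it
    either way: a forged name is refused outright, then allow wins, then deny, else allow."""
    now = now or datetime.now(timezone.utc)
    host = resolve_client(addr)
    if host == "paranoid":
        decision = "refuse"
    elif matches_any(ALLOW.get(service, []), host, addr):
        decision = "allow"
    elif matches_any(DENY.get(service, []), host, addr):
        decision = "refuse"
    else:
        decision = "allow"
    LOG.append(f"{now:%b %d %H:%M:%S} {service}: {decision} from {host}[{addr}]")
    return decision
```

Every request is logged whether it is allowed or refused, which is what lets an administrator spot the burst of activity from one host that the text describes.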
The TCP Wrappers software may be downloaded from many sites on the WWW, among them
//cert.org/pub/tools/tcp_wrappers/ and //coast.cs.purdue.edu/pub/tools/unix/tcp_wrappers/.
Documents related to the creation of TCP Wrappers can be found at
ftp.win.tue.nl/pub/security/tcp_wrapper.txt.Z and
research.att.com:/dist/internet_security/berferd.ps. Each of these files describes the
tracking of a computer cracker and the development of the TCP Wrappers software.
This software is designed to be used with a standard UNIX system and in conjunction with
other security measures. Firewalls work effectively with the Wrappers. SOCKS, a package
designed to control traffic from the internal network to the outside world, is also useful
to run alongside them, and router-based packet filtering is suggested as well. All related
software suggestions and documentation are available in the README file distributed with
every copy of the TCP Wrappers software; setup, limitations and any known bugs are also
discussed there.
TCP Wrappers is a very effective tool for deterring system crackers. The Wrappers may be
used by themselves, but added protection is always recommended: they are designed to work
with other security measures and are most useful when installed alongside them. It is
important to remember that no system is totally safe from crackers, but with added security
a relative level of confidence can be maintained.
References
1) Venema, Wietse. TCP/IP Wrapper 7.1, README.TXT. 30 February 1995.
2) Venema, Wietse. TCP WRAPPER: Network Monitoring, Access Control, and Booby Traps.
15 July 1992.