TCP Wrappers for httpd 1.3.x
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
I've been playing with port sentry on a few Mac OS X client and server boxes lately and I've got a few questions about TCP Wrappers. Port sentry binds to a series of customizable (and usually sequential) ports and detects connections (usually port scans because of their "scanning" from low to high nature) and performs several actions depending on how it is set up. Port sentry can be set to immediately ban hosts from the machine (via ipfw rules) on detection, run external commands, add attacking hosts to /etc/hosts.deny (any binary compiled with TCP Wrappers respects this list), and return arbitrary banners to the host making the connections. I'm particularly interested in using hosts.deny as a secondary security layer in addition to the ipfw rules.
My question is about TCP Wrappers and Apache 1.3 (default in Panther client and server). Apache is not compiled with libwrap and it is not controlled by xinetd, meaning that it ignores the hosts.deny file. I understand that there are Apache directives for allowing/disallowing access to services, but as I'll be doing a lot of script manipulation of some of these files, I'd rather not have to deal with multiple host lists.
1. Is there a way to get Apache to respect TCP Wrappers?
2. If I were to run apache in inetd mode, would I be able to create an entry for apache to be used by xinetd?
3. Should I even worry about this if there will be ipfw rules against these hosts?
Thanks.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"
Forum Regular
Join Date: Nov 2004
Location: América
The default apache on OS X is not compiled with libwrap -- doing so slows down the server considerably; it shouldn't be a problem on a non-busy server though.
1. Yes. Get the apache sources from Apple and modify the top-level Makefile - it's fairly easy... just add something like '--enable-libwrap' or '--enable-tcpwrappers' (run ./configure --help in the apache dir within to find out) in the configure line, make and sudo make install DSTROOT=/
2. Yes, but that is not recommended.
3. It depends on the level of security you want to achieve... ipfw rules will be flushed at reboot, while modifications of the /etc/hosts.access files will stay in place. It shouldn't be necessary to block http access, as apache is pretty solid. You may want to look into the mod_security module if you're really concerned.
…somehow we find it hard to sell our values, namely that the rich should plunder the poor. - J. F. Dulles
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Originally posted by Curios Meerkat:
The default apache on OS X is not compiled with libwrap -- doing so slows down the server considerably; it shouldn't be a problem on a non-busy server though.
1. Yes. Get the apache sources from Apple and modify the top-level Makefile - it's fairly easy... just add something like '--enable-libwrap' or '--enable-tcpwrappers' (run ./configure --help in the apache dir within to find out) in the configure line, make and sudo make install DSTROOT=/
2. Yes, but that is not recommended.
I could have figured that recompiling Apache with wrappers was the way to go. Thanks, I'll look into that.
Originally posted by Curios Meerkat:
It depends on the level of security you want to achieve... ipfw rules will be flushed at reboot, while modifications of the /etc/hosts.access files will stay in place.
Regarding the ipfw rules being flushed, I was planning on writing a custom script to go hand-in-hand with portsentry to keep track of hosts that have been banned in the past, adding those hosts to Mac OS X Server's /etc/ipfilter/ipfw.conf where they will be added when the server or ipfw restarts.
Originally posted by Curios Meerkat:
It shouldn't be necessary to block http access, as apache is pretty solid. You may want to look into the mod_security module if you're really concerned.
I've already got mod_security doing some other stuff on the server in question, but I was hoping that I could just use TCP wrappers so I wouldn't have to figure out how to script up something that catered to multiple services. I know it is possible to add deny directives in Apache's configurations, but adding hosts to /etc/hosts.deny is just so much easier. You're right, Apache IS pretty solid, but when I (or portsentry) decide that a host is malicious I want to ban it several times. I feel more comfortable with several lines of defense.
Thanks for the tips.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"
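One way to keep a single banned-host list while Apache 1.3 stays unwrapped is to generate Apache's own mod_access deny directives from /etc/hosts.deny, so the list portsentry maintains drives both. This is an added example, not code from the thread or from portsentry; the hosts.deny contents and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): derive Apache 1.3 mod_access "Deny from"
# directives from an /etc/hosts.deny body, so one banned-host list feeds both
# TCP Wrappers and an unwrapped Apache. The hosts.deny content and addresses
# below are constructed for the demonstration.
SAMPLE_HOSTS_DENY='# /etc/hosts.deny (constructed sample, as portsentry might maintain it)
ALL: 192.0.2.10
ALL: 192.0.2.11 , 198.51.100.0/255.255.255.0
sshd: 203.0.113.5
httpd: 203.0.113.77
ALL: .scanner.invalid : deny'

# Print "Deny from <pattern>" for each client pattern whose daemon list is
# ALL or httpd. Only dotted-quad addresses and net/mask pairs are emitted:
# hostname and domain patterns would need double-reverse DNS in Apache and
# are better left to the services that are actually wrapped.
hosts_deny_to_apache() {
    printf '%s\n' "$1" | awk -F: '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        {
            quad = "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+"
            daemons = $1; clients = $2
            gsub(/[[:space:]]+/, "", daemons)
            if (daemons != "ALL" && daemons != "httpd") next
            gsub(/,/, " ", clients)                      # commas or spaces separate clients
            n = split(clients, c, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (c[i] ~ ("^" quad "(/" quad ")?$"))
                    print "Deny from " c[i]
        }'
}

# Wrap the deny lines in the Order/Allow preamble Apache 1.3 expects inside a
# <Directory> or <Location> block; write the output to a file and Include it.
render_access_fragment() {
    printf 'Order allow,deny\nAllow from all\n'
    hosts_deny_to_apache "$1"
}

# Number of Deny lines produced (a sanity check before reloading Apache).
count_deny_lines() {
    hosts_deny_to_apache "$1" | wc -l | tr -d ' '
}

render_access_fragment "$SAMPLE_HOSTS_DENY"
```

Run it from the same hook that appends to hosts.deny, write the output to a file included from httpd.conf and restart Apache gracefully; patterns Apache cannot express (hostnames, ALL, KNOWN) remain enforced only by the wrapped services and by ipfw.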
Forum Regular
Join Date: Nov 2004
Location: América
If you're really that concerned about security, a second machine as a dedicated firewall is the way to go. I found bld to be extremely useful, as different hosts/services report to it (portsentry, logcheck, etc.) and its violation counters are more flexible than what portsentry/hostsentry alone can do.
Oh, and IMO multiple lines of defense are a must in this day and age; there's a lot to say about being paranoid.
…somehow we find it hard to sell our values, namely that the rich should plunder the poor. - J. F. Dulles