Task I - Installing TCP Wrappers

1) Uncompress and unpack the tcp_wrappers distribution in the /usr/local/pkg directory.

   # cd /usr/local/pkg
   # gunzip tcp_wrappers_7.6.tar.gz
   # tar xvf tcp_wrappers_7.6.tar

2) Edit the Makefile to make the following changes:

   # cd tcp_wrappers_7.6
   # vi Makefile

   o Under the "Advanced Installation" comments, locate the REAL_DAEMON_DIR line and uncomment it.

     CHANGE:
       # SysV.4 Solaris 2.x OSF AIX
       # REAL_DAEMON_DIR=/usr/sbin
     TO:
       # SysV.4 Solaris 2.x OSF AIX
       REAL_DAEMON_DIR=/usr/sbin

   o Locate the "Language Extensions" option towards the bottom of the Makefile and uncomment the "STYLE" option. This will enable the "banners" feature of tcp_wrappers.

     CHANGE:
       # (examples: allow, deny, banners, twist and spawn).
       #
       #STYLE = -DPROCESS_OPTIONS # Enable language extensions.
     TO:
       # (examples: allow, deny, banners, twist and spawn).
       #
       STYLE = -DPROCESS_OPTIONS # Enable language extensions.

3) Compile the tcpd daemon.

   # pwd
   /export/extras/tcp_wrappers_7.6
   # make sunos5
   make[1]: Entering directory `/export/extras/tcp_wrappers_7.6'
   cc -O -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK -DSOLARIS_24_GETHOSTBYNAME_BUG -DDAEMON_UMASK=022 -DREAL_DAEMON_DIR=\"/usr/sbin\" -DPROCESS_OPTIONS -DSEVERITY=LOG_INFO -DRFC931_TIMEOUT=10 -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" -DTLI -DALWAYS_HOSTNAME -c tcpd.c
   cc -O -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK -DSOLARIS_24_GETH <>

3) Configure /etc/inetd.conf to have the tcpd daemon wrap telnet and ftp.

   # cp tcpd /usr/sbin
   # vi /etc/inetd.conf

   CHANGE:
     <>
     telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
     ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
   TO:
     telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
     ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd

4) Stop and start the inetd daemon.

   # cd /etc/rc2.d
   # ./S72inetsvc stop
   # ./S72inetsvc start

5) Edit the /etc/hosts.deny file and deny all services to all users.

   # vi /etc/hosts.deny
   ALL:ALL

6) Attempt to use the telnet command to connect back to your host.

   # telnet localhost
   Trying 127.0.0.1...
   Connected to localhost.
   Escape character is '^]'.
   Connection closed by foreign host.

7) As you can see, tcp_wrappers will deny all wrapped inetd services (here telnet and ftp), including connections from the local host. Fix this by editing the /etc/hosts.allow file and adding your host and another host to be allowed to access inetd services.

   # vi /etc/hosts.allow
   ALL:localhost
   ALL:otherhost

8) Attempt to use the telnet command to connect back to yourself.

   # telnet localhost
   Trying 10.10.1.100...
   Connected to simms.
   Escape character is '^]'.

   SunOS 5.8

   login:

9) Have your partner attempt to log in to your workstation. Can they get in? Have another student in the class also attempt to log in to your server. Can they get in?

Task II - Enabling banners

1) Create a banners directory that will store all of the tcp_wrappers banners.

   # mkdir /etc/banners

2) There is a special Makefile provided by tcp_wrappers. This Makefile will take a template file called "prototype" and create a master banner file for all wrapped services.

   # cp /usr/local/pkg/tcp_wrappers_7.6/Banners.Makefile /etc/banners/Makefile

3) Create a template banner message by editing a file called "prototype" in /etc/banners. The % characters will expand to certain types of information like client IP address or server process ID.

   # cd /etc/banners
   # vi prototype
   ***********************
   Hello %c
   SERVER: %A
   PID: %p
   DAEMON: %d
   ***********************

4) Run the make utility on the prototype file. This will create custom telnet and ftp banners.

   # ls
   Makefile prototype
   # make
   cp prototype in.telnetd
   chmod 644 in.telnetd
   sed 's/^/220-/' prototype > in.ftpd
   chmod 644 in.ftpd
   echo 'main() { write(1,"",1); return(0); }' >nul.c
   cc -s -o nul nul.c
   rm -f nul.c
   ( ./nul ; cat prototype ) > in.rlogind
   chmod 644 in.rlogind
   # ls
   in.ftpd in.rlogind in.telnetd Makefile nul prototype

5) Edit the /etc/hosts.allow file to include the /etc/banners directory.

   # vi /etc/hosts.allow
   ALL:localhost:banners /etc/banners
   ALL:otherhost:banners /etc/banners

6) Use the telnet command to connect to your workstation and then attempt to log in to your partner's workstation. Notice the new banner message and the expansion of certain values: client IP, process ID, and server IP address.

   # telnet localhost
   Trying 127.0.0.1...
   Connected to localhost.
   Escape character is '^]'.
   ***********************
   Hello localhost
   SERVER: 127.0.0.1
   PID: 536
   DAEMON: in.telnetd
   ***********************
   login:

Task III - Using tcp_wrappers to spawn commands

In this task, you will configure tcp_wrappers to spawn a command that writes a log entry to syslog in a custom log format.

1) Edit the /etc/hosts.allow file and configure the spawn option to execute a logger command upon a tcp_wrappers connection.

   # vi /etc/hosts.allow
   ALL:otherhost:banners /etc/banners: spawn (logger -p local2.info "inbound connection from %a %p %d on %A")

2) Configure syslog to accept the syslog message from the logger command and write it to a log file called /var/adm/tcpwrap.log.

   # vi /etc/syslog.conf
   local2.info /var/adm/tcpwrap.log
   # touch /var/adm/tcpwrap.log
   # /etc/init.d/syslog stop
   # /etc/init.d/syslog start

3) Using the tail command, monitor your log file in real time.

   # tail -f /var/adm/tcpwrap.log

4) Have your partner use the telnet command to log in to your workstation.
   The output of your log file should look like this:

   Aug 2 12:44:01 simms root: [ID 702911 local2.info] inbound connection from 10.10.1.12 602 in.telnetd on 10.10.1.100

5) You have now configured tcp_wrappers to create custom log entries, against which you can run log checkers like swatch.
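
A small log checker for the custom format configured in Task III, as an added example that is not part of the original lab or of tcp_wrappers: it parses tcpwrap.log entries and reports per-client counts, clients outside the list you expect hosts.allow to admit, repeated connections, and malformed lines. The function names, the burst threshold and every sample line except the first (the entry shown above) are assumptions made for the illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Page's rule logs "inbound connection from %a %p %d on %A"; "[ID ...]" tag is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"(?:\[ID \d+ [\w.]+\] )?"
    r"inbound connection from (?P<client>\S+) (?P<pid>\d+) "
    r"(?P<daemon>\S+) on (?P<server>\S+)$"
)

def parse_line(line):
    """Return the fields of one tcpwrap.log entry, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        # %a and %A expand to literal addresses; reject anything else.
        ip_address(rec["client"]), ip_address(rec["server"])
    except ValueError:
        return None
    rec["pid"] = int(rec["pid"])
    return rec

def check_log(lines, expected_clients, burst=3):
    """Count entries per (client, daemon); flag unexpected clients and bursts."""
    lines = list(lines)
    recs = [parse_line(l) for l in lines]
    counts = Counter((r["client"], r["daemon"]) for r in recs if r)
    unparsed = [l for l, r in zip(lines, recs) if r is None]
    seen = {client for client, _ in counts}
    return {
        "counts": dict(counts),
        "unexpected": sorted(seen - set(expected_clients)),
        "bursts": sorted(k for k, n in counts.items() if n >= burst),
        "unparsed": unparsed,
    }

# Constructed sample log; only the first entry is the one shown on the page.
PFX = "simms root: [ID 702911 local2.info] inbound connection from"
SAMPLE = [
    f"Aug 2 12:44:01 {PFX} 10.10.1.12 602 in.telnetd on 10.10.1.100",
    f"Aug 2 12:44:09 {PFX} 10.10.1.12 611 in.ftpd on 10.10.1.100",
    *[f"Aug 2 12:45:1{i} {PFX} 10.10.1.57 64{i} in.telnetd on 10.10.1.100" for i in range(3)],
    f"Aug 2 12:46:00 {PFX} on 10.10.1.100",  # malformed: client, PID and daemon missing
]
```

Because the spawn option sits on the hosts.allow rule, only connections that matched that rule are logged, so an address in "unexpected" means the rule admits more hosts than you intended.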