Tweaking Apache, TCP_wrappers

For those of you who might not know, PHP stands for "PHP: Hypertext PreProcessor." It allows you to embed scripting code into a normal HTML file. The Web server will execute those bits of code, then send back the resulting HTML file.


If you’re running Red Hat or another distribution that uses RPM, you can run `rpm -qa` and look for the "php4" package. This single large package contains everything you need. Mandrake, however, subdivides PHP into smaller RPM packages, so you can install only the parts you need without wasting disk space. You will always need the base and common PHP packages, but you are free to choose from the optional packages.

Debian also splits PHP into multiple packages. You can run `dpkg --list "php4*"` to see if it’s already on your system. If it isn’t, `apt-get install php4` will install it automatically.

If you wish to compile and build PHP by hand, you can find the latest source at http://www.php.net/ or one of its mirrors. Once you have unpackaged the source, you must decide exactly how you want to install PHP.

Most of the time, you will want to compile PHP as a Dynamic Shared Object (DSO). To find out if you can do this, run httpd -l and see if the string “mod_so” is present. If it is, run the following command to configure PHP:

# ./configure --with-apxs=/usr/local/apache/bin/apxs

Be sure to adjust the path to apxs to the correct one for your system. Once the configure command returns, running `make; make install` will build and install PHP. Then customize /usr/local/lib/php.ini to your taste and enable PHP in Apache’s httpd.conf file by adding:

AddType application/x-httpd-php .php

If your version of Apache doesn’t support DSO, you have two choices. Either recompile Apache with mod_so support or install PHP as a static module. You should consult the INSTALL files distributed with Apache and PHP for more details.

How Do I Limit Access to My Daemons?

One of the best ways to limit network access to any system server is to secure it with TCP_wrappers via tcpd and the inetd server. With TCP_wrappers it becomes very easy to control which hosts on the Internet may connect to the various services made available via inetd. To see if you have it enabled, check for the existence of /usr/sbin/tcpd. Another place to look is /etc/inetd.conf; try issuing the following command:

$ grep tcpd /etc/inetd.conf

Results will look something like Figure One if tcpd is enabled. If tcpd is not enabled, you won’t get any output from the grep command because the entries in /etc/inetd.conf look like Figure Two.

Figure One: Result of grep Command if tcpd is Enabled

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

Figure Two: Entries in /etc/inetd.conf

telnet stream tcp nowait root in.telnetd

If you want to grab a copy of TCP_wrappers, it is available as source code from ftp://ftp.porcupine.org/pub/security/index.html.

TCP_wrappers provides two configuration files for defining which services may be reached through tcpd and from which hosts: /etc/hosts.allow and /etc/hosts.deny. As the names suggest, /etc/hosts.allow contains rules for permitting hosts to connect to services, and /etc/hosts.deny contains rules for refusing connections to the server.

Each line of these files configures tcpd to permit or deny access in a very simple manner. For most purposes, this is in the form of:

servicename: hostname

For example, you might append in.telnetd: to /etc/hosts.allow if you wanted to ensure that the localhost could connect to the telnet server. Alternatively, if you wanted localhost to have access to all services offered on the local server (that are controlled by tcpd), the keyword ALL could be used. For example, ALL: in /etc/hosts.allow will permit (localhost) to connect to every service monitored by tcpd. Similarly, adding ALL:ALL to /etc/hosts.deny will stop any host not explicitly permitted in /etc/hosts.allow from connecting to any TCP_wrappers service.

The example in Figure Three for /etc/hosts.allow permits (line by line): (1) localhost to connect to anything; (2) two specific machines to connect to the telnet daemon; (3) any host that resolves within the .friendsandfamily.net domain to connect to the random daemon (e.g., tom.friendsandfamily.net would be permitted, just as jemma.friendsandfamily.net would be, because the leading “.” indicates that everything in that domain is permitted); (4) in.otherd will accept ALL machines, unless the connecting machine resolves to something within the .badpeople.com domain.

Figure Three: Sample allow/deny Entries

in.otherd: ALL EXCEPT .badpeople.com

Because of the ALL:ALL rule defined in /etc/hosts.deny, all machines that are not listed explicitly in /etc/hosts.allow will be denied access. To test and investigate the effects of these rules, take a look at tcpdchk and tcpdmatch; both generally come bundled with tcpd. It’s also worth noting that tcpd has configuration options for running commands when it receives certain requests. Check the man pages for details.
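To make the lookup order concrete, here is a small evaluator for the rule forms described above (one service, one client pattern; ALL; a leading-dot domain suffix; ALL EXCEPT pattern), checked the way tcpd does it: hosts.allow first, then hosts.deny, and permit if nothing matches. This is an added teaching example, not code from the article or from TCP_wrappers itself. The two sample files are constructed from the Figure Three description; the hostnames alice.example.org, bob.example.org and the daemon name in.randomd are placeholders for the machines and the "random daemon" the article leaves unnamed. Real tcpd also understands IP/netmask patterns, netgroups, the LOCAL keyword and whitespace-separated lists, none of which is modelled here.

```python
"""Simplified evaluator for tcpd-style hosts.allow / hosts.deny rules.

Added example (not code from the article or from TCP_wrappers). It models
only the rule forms the article describes:
    service: client          one service pattern, one client pattern
    ALL                      wildcard on either side of the colon
    .example.com             leading dot matches every host in that domain
    ALL EXCEPT pattern       everything except what the pattern matches
Lookup order mirrors tcpd: hosts.allow first, then hosts.deny, else permit.
"""

# Constructed sample files, mirroring the article's Figure Three description.
# alice/bob and in.randomd are placeholders for names the article omits.
HOSTS_ALLOW = """\
ALL: localhost
in.telnetd: alice.example.org, bob.example.org
in.randomd: .friendsandfamily.net
in.otherd: ALL EXCEPT .badpeople.com
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return a list of (service_spec, client_spec) tuples, one per rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        services, clients = line.split(":", 1)
        rules.append((services.strip(), clients.strip()))
    return rules


def match_pattern(pattern, name):
    """Match one pattern: ALL, an exact name, or a leading-dot domain suffix."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        # .friendsandfamily.net matches tom.friendsandfamily.net, not the bare domain
        return name.endswith(pattern)
    return name == pattern


def match_list(spec, name):
    """Match a comma-separated list, honouring a single 'X EXCEPT Y' clause."""
    if " EXCEPT " in spec:
        included, excluded = spec.split(" EXCEPT ", 1)
        return match_list(included, name) and not match_list(excluded, name)
    return any(match_pattern(p, name) for p in spec.split(","))


def decide(service, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' for a (service, client) pair, tcpd style."""
    for services, clients in parse_rules(allow_text):
        if match_list(services, service) and match_list(clients, client):
            return "allow"
    for services, clients in parse_rules(deny_text):
        if match_list(services, service) and match_list(clients, client):
            return "deny"
    return "allow"  # no rule matched at all: tcpd's default is to permit


if __name__ == "__main__":
    # Constructed probes, in the spirit of what tcpdmatch reports.
    probes = [
        ("in.ftpd", "localhost"),
        ("in.telnetd", "alice.example.org"),
        ("in.telnetd", "mallory.example.org"),
        ("in.randomd", "jemma.friendsandfamily.net"),
        ("in.otherd", "eve.badpeople.com"),
        ("in.otherd", "anyone.example.net"),
    ]
    for svc, host in probes:
        print(f"{svc:12} {host:30} -> {decide(svc, host)}")
```

The last probe shows why the ALL:ALL line in hosts.deny matters: without it, a host that matches nothing in hosts.allow would fall through to the default and be permitted. Use the real tcpdmatch against your own files before relying on any rule set; this evaluator only illustrates the ordering.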

Furthermore, tcpd logs accepted connections, attempted connections, and refused connections to syslog (just as many other system daemons do). This information is normally found in /var/log/messages and should be included in any regular system audit.

In short, tcpd is an extremely useful utility for limiting external access to local daemon processes — but beware. Rules based on hostnames and addresses are just as vulnerable to DNS poisoning and spoofing as any other such control, so always remember to implement security at multiple levels.
