[rescue] TCP Wrappers

Loomis, Rip rescue at sunhelp.org
Mon Oct 8 15:51:23 CDT 2001


> How can I install TCP wrappers through jumpstart?
> 
> Where can I find more info about TCP wrappers?
> 

If you're asking the second question, you aren't
ready to do the first, IMHO.

Installing TCP wrappers through jumpstart is
non-trivial.  TCP wrappers can be used to
protect *some* system components by re-compiling
them against libwrap, but a jumpstart install
wouldn't do that for you.  It can be used to
provide some additional protection for any
daemon run out of inetd--but that also requires
some configuration and testing.

Due to well-publicized problems with a trojaned
version a while back, no one is likely to offer
pre-compiled binaries of TCP wrappers--so you'll
need to compile from source and install.  It's
not hard to do, but the best way you might get
it into a jumpstart install is to add a post-
install script that does your local customizations.
One of those *always* should be locking down
inetd.conf (*please* tell me that no one is
running sadmind or KCMS, right?) and you could
easily get TCP Wrappers loaded at the same time.
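A post-install (Jumpstart finish) script of the kind described above, as an added example that is not part of the original post; the tcpd path, the list of services to disable, the allowed-client list and the sample inetd.conf are all assumptions:

```shell
#!/bin/sh
# Added example (not the poster's script): a Jumpstart-style finish-script
# fragment that disables unneeded inetd services and wraps the rest with tcpd.
# Paths and the service list are assumptions for a Solaris 2.x/7/8 system.

TCPD="${TCPD:-/usr/local/sbin/tcpd}"      # where tcpd was installed from source
DISABLE="sadmind kcms_server fs dtspc rexd rusersd sprayd walld finger"

# Rewrite an inetd.conf on stdout: comment out entries named in $DISABLE,
# point the remaining stream/tcp and dgram/udp entries at tcpd, and leave
# tli/rpc and "internal" entries untouched (tcpd cannot front those).
harden_inetd() {                          # $1 = path to inetd.conf
    awk -v list="$DISABLE" -v tcpd="$TCPD" '
        BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) deny[d[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }            # comments and blanks
        { prog = $6; sub(/.*\//, "", prog) }            # server program basename
        ($1 in deny) || (prog in deny) { print "#" $0; next }
        $6 == tcpd || $6 == "internal" { print; next }  # already wrapped / built-in
        ($2 == "stream" && $3 == "tcp") || ($2 == "dgram" && $3 == "udp") {
            $6 = tcpd; print; next                      # $7 (argv[0]) tells tcpd which daemon to run
        }
        { print }
    ' "$1"
}

# Default-deny access control: hosts.deny refuses everything, hosts.allow lists
# the clients (hosts, networks or domains) that may reach wrapped services.
write_wrapper_policy() {                  # $1 = target etc dir, $2 = client list
    printf 'ALL: ALL\n' > "$1/hosts.deny"
    printf 'ALL: %s\n' "$2" > "$1/hosts.allow"
}

# Constructed sample inetd.conf in Solaris format, for demonstration only.
write_sample_inetd() {                    # $1 = output path
    cat > "$1" <<'EOF'
# Constructed sample, not a real system file
ftp	stream	tcp	nowait	root	/usr/sbin/in.ftpd	in.ftpd
telnet	stream	tcp	nowait	root	/usr/sbin/in.telnetd	in.telnetd
finger	stream	tcp	nowait	nobody	/usr/sbin/in.fingerd	in.fingerd
echo	stream	tcp	nowait	root	internal
100232/10	tli	rpc/udp	wait	root	/usr/sbin/sadmind	sadmind
100221/1	tli	rpc/tcp	wait	root	/usr/openwin/bin/kcms_server	kcms_server
100083/1	tli	rpc/tcp	wait	root	/usr/dt/bin/rpc.ttdbserverd	rpc.ttdbserverd
EOF
}

# In a real finish script the target system is mounted at /a, so you would run
# harden_inetd /a/etc/inetd.conf > /a/etc/inetd.conf.new, move it into place,
# and write_wrapper_policy /a/etc '127.0.0.1 192.0.2.' (constructed client list).
```

After the script runs, verify with tcpdchk and tcpdmatch from the TCP Wrappers distribution before the first reboot, since a typo in inetd.conf silently disables the service.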

Wietse's site (the author) is at
  http://www.porcupine.org/
(TCP Wrappers is under "tools and papers")
and while you're there check out Postfix to
replace Sendmail.  You'll be glad you did.
You might also want to look at his other
tools...

Unsolicited but possibly relevant advice:
As a general rule, the Sun bundled versions of
even the standard Internet tools are often
way behind the source-code-available versions.
If you care enough to add TCP wrappers, you
should *first* fix any SMTP and DNS servers
you're running.  If you don't need them, then
don't run them (remember the difference between
"sendmail -bd -q15m" and "sendmail -q15m").

If you do need inbound service for SMTP and DNS,
and security is of interest, then do check out:
  SMTP:  Postfix   http://www.porcupine.org
         Qmail     http://cr.yp.to
  DNS:   BIND 9    http://www.isc.org
         djbdns    http://cr.yp.to

I use the former in each case for a variety of
reasons, but Prof. Bernstein's software works
well for many others.  If you're going to use
BIND, then go to BIND 9.1.3--I've been using
it operationally for long enough that I have
much greater confidence in it than in any BIND 8.x
version.

--
Rip Loomis
Senior Systems Security Engineer, SAIC CIST
Brainbench MVP for Internet Security
http://www.brainbench.com  [Transcript 1923411]
