
#1 2011-07-19 04:48:28

jeff story
Member
Registered: 2009-05-31
Posts: 237

Arch announcement "Dropping tcp_wrappers support" Questions

Arch announcement "Dropping tcp_wrappers support"

As I see it, this involves so much and is critical, I'd like to try to figure out when, how, and what is going to be affected.
I don't see much discussion here other than this https://bbs.archlinux.org/viewtopic.php?id=122651.

Not all Arch Linux users are at the developer/programmer level of expertise, myself included. Keeping this in mind, I'd like to know if there are any plans for a wiki installation or other documented course of action to avoid the potential problems that may arise from this change. I see a lot of wiki pages needing to be updated to reflect this... true?

I just barely manage to fight my way through most network issues via following directions carefully, and I am not really looking forward to this. The following are a few questions I have.

1) When?  When could I expect to start seeing problems with no actions taken?  (Updating a few times per week)

2) ssh sessions are going to be affected how?  Several months ago, I installed and set up fail2ban to stop all the login attempts via ssh. Am I already covered for ssh? How about configuring it to accept my connections?

3) What other possible problems? I commonly use ssh, sftp, and occasional VNC.

4) Effects on regular LAN / WAN connections?

5) If all of the above are affected, would fail2ban be a reasonable, single package solution and how to configure it (source of info)?

6) Anything else I may have overlooked?

Last edited by jeff story (2011-07-19 04:55:45)


Check out my website for info on the Arch Linux Installer

#2 2011-07-19 06:02:45

buzzqw
Member
Registered: 2010-08-18
Posts: 59

Re: Arch announcement "Dropping tcp_wrappers support" Questions

I use denyhost on my download box, will it become obsolete or non functional?
(it is adding/banning about 15 IPs per day... so it's working well)

BHH


HDConvertToX, AutoMen, AutoMKV author

#3 2011-07-19 06:35:24

cybertorture
Member
Registered: 2010-05-05
Posts: 339

Re: Arch announcement "Dropping tcp_wrappers support" Questions

Not all Arch Linux users are at the developer/programmer level of expertise

True, myself included

ssh sessions are going to be affected how?  Several months ago, I installed and set up fail2ban to stop all the login attempts via ssh. Am I already covered for ssh? How about configuring it to accept my connections?

ssh is already proven to be secure, but you must not rely on other applications to secure it for you... take a look at /etc/ssh/sshd_config (as an example)
there are 3 easy steps there to make it secure enough
Port 22 - take 222, for example
PermitRootLogin no (recommended)
MaxAuthTries 3
Of course there is a lot more you can do, but this IMO is pretty good to go

Now... tell me why you need to

(it is adding/banning about 15 IPs per day... so it's working well)

in that case?


O' rly ? Ya rly Oo
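The three sshd_config settings named in this post (plus password-less key login, which comes up later in the thread) can be checked mechanically. The audit below is an added example, not code from this thread, Arch or OpenSSH; its defaults table and the two sample configs are constructed assumptions, and it deliberately handles the two things a naive grep gets wrong: sshd keeps the first value of a duplicated keyword, and anything after a Match line is not the global setting.

```python
import re
from typing import Dict, List

# OpenSSH's effective value when a keyword is absent. PermitRootLogin defaulted
# to "yes" in 2011-era releases (newer ones ship prohibit-password).
DEFAULTS = {"port": "22", "permitrootlogin": "yes",
            "maxauthtries": "6", "passwordauthentication": "yes"}

# Constructed sample: a stock config where every line is still commented out
STOCK_CONFIG = "#Port 22\n#PermitRootLogin yes\n#MaxAuthTries 6\n"

# Constructed sample: the thread's three changes plus key-only login. The Match
# block is a per-user exception and must not be read as the global value.
HARDENED_CONFIG = """\
Port 222
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def parse_global(text: str) -> Dict[str, str]:
    """Keyword -> value for the global section only.

    Keywords are case-insensitive, "key value" and "key=value" are both legal,
    and sshd uses the FIRST value it sees for a keyword, so a later duplicate
    cannot override an earlier hardening line. Lines after Match are skipped."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = key.lower()
        if key == "match":
            break
        seen.setdefault(key, rest[0].strip() if rest else "")
    return seen

def audit(text: str) -> List[str]:
    """Findings against the thread's recommendations; empty list = compliant."""
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    if cfg["port"] == "22":
        findings.append("Port 22: still listening on the default port")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin {cfg['permitrootlogin']}: set it to no")
    if not cfg["maxauthtries"].isdigit() or int(cfg["maxauthtries"]) > 3:
        findings.append(f"MaxAuthTries {cfg['maxauthtries']}: lower it to 3")
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication yes: switch to key login only")
    return findings
```

On a live box, `sshd -T` prints the effective values and is the authoritative check; the parser here exists to show why commented defaults, duplicates and Match blocks have to be accounted for.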

#4 2011-07-19 06:39:50

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: Arch announcement "Dropping tcp_wrappers support" Questions

buzzqw wrote:

I use denyhost on my download box, will it become obsolete or non functional?
(it is adding/banning about 15 IPs per day... so it's working well)

BHH

Yes. Use fail2ban. It has the same functionality and more, and it uses iptables.


Give what you have. To someone, it may be better than you dare to think.

#5 2011-07-19 06:40:56

buzzqw
Member
Registered: 2010-08-18
Posts: 59

Re: Arch announcement "Dropping tcp_wrappers support" Questions

cybertorture wrote:

ssh is already proven to be secure, but you must not rely on other applications to secure it for you... take a look at /etc/ssh/sshd_config (as an example)
there are 3 easy steps there to make it secure enough
Port 22 - take 222, for example
PermitRootLogin no (recommended)
MaxAuthTries 3
Of course there is a lot more you can do, but this IMO is pretty good to go

Now... tell me why you need to

(it is adding/banning about 15 IPs per day... so it's working well)

in that case?

I got these crack attempts via ssh access, even when using all your recommended security fixes (different port, no root, strong password...)

I need to know if denyhost will continue to work... or if I should change my blocking software

BHH

EDIT: Thanks wonder! I will start configuring/using fail2ban

Last edited by buzzqw (2011-07-19 06:42:11)


HDConvertToX, AutoMen, AutoMKV author

#6 2011-07-23 07:09:15

puuff
Member
Registered: 2010-05-10
Posts: 8

Re: Arch announcement "Dropping tcp_wrappers support" Questions

When I first started using ArchLinux I was annoyed due to tcp_wrappers, but now I consider it to be a good initial protection against outside intrusion. Now that tcp_wrappers will get removed I wonder how that will affect the security of people's machines. I agree that everyone is responsible for their machine's security but wouldn't it be nice if there would be a temp. replacement for tcp_wrappers?

Maybe add iptables to the default installation and set up a default policy that blocks incoming traffic (which didn't originate from an outgoing connection from the inside). Perhaps something like this would do (I'm far from good at iptables...):

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT


Sorry for my bad English, it's not my native tongue.

#7 2011-07-23 09:10:52

jelly
Administrator
From: /dev/null
Registered: 2008-06-10
Posts: 714

Re: Arch announcement "Dropping tcp_wrappers support" Questions

puuff wrote:

When I first started using ArchLinux I was annoyed due to tcp_wrappers, but now I consider it to be a good initial protection against outside intrusion. Now that tcp_wrappers will get removed I wonder how that will affect the security of people's machines. I agree that everyone is responsible for their machine's security but wouldn't it be nice if there would be a temp. replacement for tcp_wrappers?

Maybe add iptables to the default installation and set up a default policy that blocks incoming traffic (which didn't originate from an outgoing connection from the inside). Perhaps something like this would do (I'm far from good at iptables...):

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT


Sorry for my bad English, it's not my native tongue.

There will never be a default config; there is a simple config, though, in /etc/iptables/simple_firewall.rules

@buzzqw: you should really start using ssh key login only
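Once a daemon is built without libwrap it never reads hosts.allow, so the access policy that lived there has to move into the firewall that puuff sketches and that the /etc/iptables/*.rules files jelly mentions are loaded from. The converter below is an added example, not Arch's simple_firewall.rules and not tcp_wrappers code: it turns hosts.allow entries into an iptables-restore file, with a constructed daemon-to-port table (hosts.allow keys are service names, so the port is an assumption you must confirm per daemon) and a constructed sample hosts.allow.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumed port table: hosts.allow keys are daemon/service names, so each one
# needs a port to become a rule. "nntp" is the stunnel service name used here.
SERVICE_PORTS = {"sshd": 22, "nntp": 119, "vsftpd": 21, "ALL": None}

# Constructed sample of a pre-change /etc/hosts.allow
SAMPLE_HOSTS_ALLOW = """\
sshd: 192.168.1.0/255.255.255.0, 10.8.0.0/24   # netmask and CIDR forms
nntp: 127.0.0.1
vsftpd: .trusted.example.com                   # hostname suffix pattern
ALL: 192.168.1.                                # trailing-dot prefix pattern
"""

def client_to_cidr(token: str) -> Optional[str]:
    """CIDR for one client pattern, or None if it is not an address pattern."""
    if token == "ALL":
        return "0.0.0.0/0"
    if token.endswith("."):  # "192.168.1." means the whole 192.168.1.0/24
        octets = token.rstrip(".").split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    try:  # accepts a.b.c.d, a.b.c.d/bits and a.b.c.d/m.m.m.m alike
        return str(ipaddress.ip_network(token, strict=False))
    except ValueError:  # hostnames, KNOWN, PARANOID, LOCAL: no address to match on
        return None

def to_iptables_rules(hosts_allow: str) -> Tuple[str, List[str]]:
    """Return (iptables-restore text, entries that still need a manual decision)."""
    # Policy DROP plays the part of the usual "ALL: ALL" catch-all in hosts.deny.
    rules = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]",
             ":OUTPUT ACCEPT [0:0]", "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"]
    skipped: List[str] = []
    # strip comments and blank lines first
    for line in filter(None, (r.split("#", 1)[0].strip() for r in hosts_allow.splitlines())):
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or "EXCEPT" in line:  # EXCEPT needs hand-written DROPs
            skipped.append(line)
            continue
        for daemon in fields[0].replace(",", " ").split():
            if daemon not in SERVICE_PORTS:
                skipped.append(f"{daemon}: unknown service, extend SERVICE_PORTS")
                continue
            port = SERVICE_PORTS[daemon]
            match = f"-p tcp --dport {port} " if port else ""
            for client in fields[1].replace(",", " ").split():
                cidr = client_to_cidr(client)
                if cidr is None:
                    skipped.append(f"{daemon}: {client}")
                    continue
                rules.append(f"-A INPUT {match}-s {cidr} -j ACCEPT")
    rules.append("COMMIT")
    return "\n".join(rules) + "\n", skipped
```

Unlike the three-line draft above, the generated file also accepts RELATED traffic and is not tied to eth0; whatever it cannot express as an address match (hostname patterns, EXCEPT lists) is returned in the second value for a manual decision rather than silently dropped.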

#8 2011-07-23 16:42:33

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Arch announcement "Dropping tcp_wrappers support" Questions

It isn't my intention to hijack the thread, but does it mean the tcp_wrappers package will be uninstalled by Pacman by force?
I use hosts.allow for Stunnel (nntp) and have no clue how to manage it without it:

nntp: 127.0.0.1

#9 2011-07-23 17:08:35

puuff
Member
Registered: 2010-05-10
Posts: 8

Re: Arch announcement "Dropping tcp_wrappers support" Questions

jelly wrote:

There will never be a default config; there is a simple config, though, in /etc/iptables/simple_firewall.rules
@buzzqw: you should really start using ssh key login only

Oh, is simple_firewall.rules applied by default?

#10 2011-07-23 17:11:26

toofishes
Developer
From: Chicago, IL
Registered: 2006-06-06
Posts: 602

Re: Arch announcement "Dropping tcp_wrappers support" Questions

new2arch wrote:

It isn't my intention to hijack the thread, but does it mean the tcp_wrappers package will be uninstalled by Pacman by force?
I use hosts.allow for Stunnel (nntp) and have no clue how to manage it without it:

nntp: 127.0.0.1

No, but you can safely uninstall the package now. We never force removals.

You don't need anything at all; nntp will just be exposed if you configure stunnel to serve it up on all interfaces. Set it up to only serve on 127.0.0.1 if you don't want it exposed.

#11 2011-07-23 17:12:53

toofishes
Developer
From: Chicago, IL
Registered: 2006-06-06
Posts: 602

Re: Arch announcement "Dropping tcp_wrappers support" Questions

puuff wrote:
jelly wrote:

There will never be a default config; there is a simple config, though, in /etc/iptables/simple_firewall.rules
@buzzqw: you should really start using ssh key login only

Oh, is simple_firewall.rules applied by default?

No, but if you copy it to /etc/iptables/iptables.rules and then start the iptables daemon, it will be used.

#12 2011-07-23 17:14:16

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Arch announcement "Dropping tcp_wrappers support" Questions

new2arch wrote:

It isn't my intention to hijack the thread, but does it mean the tcp_wrappers package will be uninstalled by Pacman by force?
I use hosts.allow for Stunnel (nntp) and have no clue how to manage it without it:

nntp: 127.0.0.1

You can adopt and use http://aur.archlinux.org/packages.php?ID=50890

#13 2011-07-23 18:07:51

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Arch announcement "Dropping tcp_wrappers support" Questions

karol wrote:
new2arch wrote:

It isn't my intention to hijack the thread, but does it mean the tcp_wrappers package will be uninstalled by Pacman by force?
I use hosts.allow for Stunnel (nntp) and have no clue how to manage it without it:

nntp: 127.0.0.1

You can adopt and use http://aur.archlinux.org/packages.php?ID=50890


OK, now I'm lost. If tcp_wrappers hasn't been updated for years (?), what is the reason I should uninstall it and then use the tcp_wrappers from AUR?

#14 2011-07-23 18:11:03

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Arch announcement "Dropping tcp_wrappers support" Questions

toofishes wrote:
new2arch wrote:

It isn't my intention to hijack the thread, but does it mean the tcp_wrappers package will be uninstalled by Pacman by force?
I use hosts.allow for Stunnel (nntp) and have no clue how to manage it without it:

nntp: 127.0.0.1

No, but you can safely uninstall the package now. We never force removals.

You don't need anything at all; nntp will just be exposed if you configure stunnel to serve it up on all interfaces. Set it up to only serve on 127.0.0.1 if you don't want it exposed.


Thanks for the tip.
I am not certain where to put the 127.0.0.1, but my stunnel.conf already accepts localhost; however, I remember reading that nntp through stunnel needs hosts.allow to be altered.

#15 2011-07-23 18:13:16

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Arch announcement "Dropping tcp_wrappers support" Questions

new2arch wrote:

OK, now I'm lost. If tcp_wrappers hasn't been updated for years (?), what is the reason I should uninstall it and then use the tcp_wrappers from AUR?

It wasn't updated upstream, but it was patched: http://aur.archlinux.org/packages/tcp_wrappers/PKGBUILD If you want to still use it, you'd better have a way to patch it further.

#16 2011-07-23 18:22:01

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Arch announcement "Dropping tcp_wrappers support" Questions

karol wrote:
new2arch wrote:

OK, now I'm lost. If tcp_wrappers hasn't been updated for years (?), what is the reason I should uninstall it and then use the tcp_wrappers from AUR?

It wasn't updated upstream, but it was patched: http://aur.archlinux.org/packages/tcp_wrappers/PKGBUILD If you want to still use it, you'd better have a way to patch it further.


Hi Karol, thanks for the reply. So if I keep the core version, I might run into trouble later, e.g. a confusion or collision situation?
I'm ashamed to say it, but I've used Arch for several years and I've never used the AUR! ^^

#17 2011-07-23 18:24:34

toofishes
Developer
From: Chicago, IL
Registered: 2006-06-06
Posts: 602

Re: Arch announcement "Dropping tcp_wrappers support" Questions

karol wrote:
new2arch wrote:

It isn't my intention to hijack the thread, but does it mean the tcp_wrappers package will be uninstalled by Pacman by force?
I use hosts.allow for Stunnel (nntp) and have no clue how to manage it without it:

nntp: 127.0.0.1

You can adopt and use http://aur.archlinux.org/packages.php?ID=50890

No you can't, because any package built without support doesn't use it, installed or not. As stunnel is in the official repos, it will not use it. Please don't point to an AUR package without understanding the implications of compile-time library inclusion.

#18 2011-07-23 18:26:20

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Arch announcement "Dropping tcp_wrappers support" Questions

new2arch wrote:
karol wrote:
new2arch wrote:

OK, now I'm lost. If tcp_wrappers hasn't been updated for years (?), what is the reason I should uninstall it and then use the tcp_wrappers from AUR?

It wasn't updated upstream, but it was patched: http://aur.archlinux.org/packages/tcp_wrappers/PKGBUILD If you want to still use it, you'd better have a way to patch it further.

Hi Karol, thanks for the reply. So if I keep the core version, I might run into trouble later, e.g. a confusion or collision situation?
I'm ashamed to say it, but I've used Arch for several years and I've never used the AUR! ^^

No, you should be fine. You should switch to a more modern solution but if you're really bent on sticking to tcp_wrappers, AUR gives you the option of easily patching the package if need arises.
If everything is working, there's no need to remove the regular package and install the one from the AUR. If you do so in the future, there should be no problems with it either.


@toofishes
1. OP should stop using tcp_wrappers.
2. If the current setup is working however, why not keep using it? If, as you say, it becomes more and more difficult to maintain a working solution based on tcp_wrappers (by e.g. using ABS to recompile some stuff to include support for tcp_wrappers), it will serve as a motivation to switch to another solution :-)

Last edited by karol (2011-07-23 18:32:07)

#19 2011-07-23 19:22:16

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Arch announcement "Dropping tcp_wrappers support" Questions

karol wrote:
new2arch wrote:
karol wrote:

It wasn't updated upstream, but it was patched: http://aur.archlinux.org/packages/tcp_wrappers/PKGBUILD If you want to still use it, you'd better have a way to patch it further.

Hi Karol, thanks for the reply. So if I keep the core version, I might run into trouble later, e.g. a confusion or collision situation?
I'm ashamed to say it, but I've used Arch for several years and I've never used the AUR! ^^

No, you should be fine. You should switch to a more modern solution but if you're really bent on sticking to tcp_wrappers, AUR gives you the option of easily patching the package if need arises.
If everything is working, there's no need to remove the regular package and install the one from the AUR. If you do so in the future, there should be no problems with it either.

[snip]

Thanks again Karol. I will keep tcp_wrappers until there's a clear solution as to what to do with nntp through Stunnel.

#20 2011-07-23 19:25:07

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Arch announcement "Dropping tcp_wrappers support" Questions

toofishes wrote:
karol wrote:
new2arch wrote:

It isn't my intention to hijack the thread, but does it mean the tcp_wrappers package will be uninstalled by Pacman by force?
I use hosts.allow for Stunnel (nntp) and have no clue how to manage it without it:

nntp: 127.0.0.1

You can adopt and use http://aur.archlinux.org/packages.php?ID=50890

No you can't, because any package built without support doesn't use it, installed or not. As stunnel is in the official repos, it will not use it. Please don't point to an AUR package without understanding the implications of compile-time library inclusion.


The weird thing is, if I don't add 127.0.0.1 in hosts.allow file, nntp through Stunnel won't work.

#21 2011-07-23 19:27:44

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Arch announcement "Dropping tcp_wrappers support" Questions

new2arch wrote:

Thanks again Karol. I will keep tcp_wrappers until there's a clear solution as to what to do with nntp through Stunnel.

But support for tcp_wrappers has already been removed (http://projects.archlinux.org/svntogit/ … 1503348e66), so you shouldn't update (which is a bad idea, because Arch is a rolling release distro).

#22 2011-07-23 19:39:57

new2arch
Member
Registered: 2008-02-25
Posts: 235

Re: Arch announcement "Dropping tcp_wrappers support" Questions

karol wrote:
new2arch wrote:

Thanks again Karol. I will keep tcp_wrappers until there's a clear solution as to what to do with nntp through Stunnel.

But support for tcp_wrappers has already been removed (http://projects.archlinux.org/svntogit/ … 1503348e66), so you shouldn't update (which is a bad idea, because Arch is a rolling release distro).


OK, something must've happened since the day I installed Stunnel and configured nntp to use it to connect; Stunnel then, I clearly remember, required me to add the line to the hosts.allow configuration file. I remember I couldn't connect to nntp, looked for the remedy, read the how-tos and finally discovered that I had forgotten to alter the hosts.allow file.
Today I tried disabling that particular line and nntp still has internet access through Stunnel. I tried removing tcp_wrappers and nntp still works.

Thanks!

#23 2011-09-26 20:47:57

eerok
Member
From: Canada
Registered: 2005-03-20
Posts: 171

Re: Arch announcement "Dropping tcp_wrappers support" Questions

Since the last stunnel update, I can't connect to nntp.  I uninstalled tcp_wrappers, but this didn't make any difference.  In /etc/stunnel/stunnel.conf I have

[nntp]
client = yes
accept = 119
connect = ssl.astraweb.com:443

which worked before.  My newsreader is configured to connect to 127.0.0.1:119

Anyone else have this problem?

EDIT: Never mind, apparently I just needed to reboot.  Everything is fine now.

Last edited by eerok (2011-09-26 23:22:56)


noobus in perpetuus

#24 2011-09-28 19:25:27

dabbi2000
Member
From: Reykjavik, Iceland
Registered: 2011-09-28
Posts: 119

Re: Arch announcement "Dropping tcp_wrappers support" Questions

Ouch, I am in the same situation as jeff here, lots of unanswered questions... Will this in the end affect Debian too? Do you have any good articles on how to accommodate this huge change? (For Linux amateurs!)
