TCP Wrapper: Difference between revisions
m Added or adjusted categories |
m Removed Category:TCP using HotCat; added Category:TCP协议 |
||
(8 intermediate revisions by 2 users not shown) | |||
第1行: | 第1行: | ||
__NOTOC__ |
__NOTOC__ |
||
{{NoteTA|G1=IT}} |
{{NoteTA|G1=IT}} |
||
{{Translating|||tpercent=0|tfrom=[[:en:TCP Wrapper]]|time=2014-09-11T09:59:12+00:00}} |
|||
{{Infobox software |
{{Infobox software |
||
|name = TCP Wrapper |
|name = TCP Wrapper |
||
第16行: | 第15行: | ||
'''TCP Wrapper'''是一个基于主机的网络[[访问控制表]]系统,用于{{link-en|过滤器 (软件)|Filter (software)|过滤}}对[[类Unix系统]](如[[Linux]]或[[BSD]])的网络访问。其能将主机或[[子网]][[IP地址]]、[[主機名稱|名称]]及{{link-en|Ident协议|ident protocol|ident}}查询回复作为筛选标记,实现[[访问控制]]。 |
'''TCP Wrapper'''是一个基于主机的网络[[访问控制表]]系统,用于{{link-en|过滤器 (软件)|Filter (software)|过滤}}对[[类Unix系统]](如[[Linux]]或[[BSD]])的网络访问。其能将主机或[[子网]][[IP地址]]、[[主機名稱|名称]]及{{link-en|Ident协议|ident protocol|ident}}查询回复作为筛选标记,实现[[访问控制]]。 |
||
原始代码是1990年左右由[[荷兰人]]Wietse Venema编写的,目的是监视[[埃因霍温理工大学]]数学和计算机科学系的[[Unix]][[工作站]]上的黑客行动。<ref> |
原始代码是1990年左右由[[荷兰人]]Wietse Venema编写的,目的是监视[[埃因霍温理工大学]]数学和计算机科学系的[[Unix]][[工作站]]上的黑客行动。<ref>{{Cite web |url=ftp://ftp.porcupine.org/pub/security/tcp_wrapper.pdf |title=''TCP WRAPPER - Network monitoring, access control, and booby traps.'' by Wietse Venema |accessdate=2014-09-11 |archive-date=2008-07-04 |archive-url=https://web.archive.org/web/20080704180901/http://ftp.porcupine.org/pub/security/tcp_wrapper.pdf |dead-url=no }}</ref>Wietse Venema一直维护这个程序到1995年;2001年6月1日,在其自己的[[BSD许可证|BSD风格的许可证]]下发布。 |
||
== 1999年木马事件 == |
|||
The [[tar (file format)|tar]]ball includes a [[Library (computer science)|library]] named '''[[libwrap]]''' that implements the actual functionality. Initially, only services that were spawned for each connection from a [[super-server]] (such as [[inetd]]) got ''wrapped'', utilizing the '''tcpd''' program. However most common network service [[Daemon (computer software)|daemons]] today can be [[Linker (computing)|linked]] against libwrap directly. This is used by daemons that operate without being spawned from a super-server, or when a single process handles multiple connections. Otherwise, only the first connection attempt would get checked against its ACLs. |
|||
1999年1月,软件在[[埃因霍温理工大学]]的分发包被修改后的版本替换,其包含一个被[[特洛伊木马 (电脑)|木马]]感染的软件版本,入侵者可以访问安装了此版本软件的任何一个服务器。作者在几个小时内发现了这个问题,此后他将主分发站点改为其个人网站<ref>{{Cite web |url=http://www.cert.org/advisories/CA-1999-01.html |title=CC/CERT Advisory CA-1999-01 |accessdate=2014-09-11 |archive-date=2013-11-05 |archive-url=https://web.archive.org/web/20131105152436/https://www.cert.org/advisories/CA-1999-01.html |dead-url=no }}</ref><ref>{{Cite web |url=http://www.cert.org/advisories/CA-1999-02.html |title=CC/CERT Advisory CA-1999-02 |accessdate=2014-09-11 |archive-date=2013-12-18 |archive-url=https://web.archive.org/web/20131218075452/http://www.cert.org/advisories/CA-1999-02.html |dead-url=no }}</ref><ref>{{Cite web |url=http://seclists.org/bugtraq/1999/Jan/0257.html |title=''backdoored tcp wrapper source code'', by Wietse Venema, on [[Bugtraq]], Jan 21, 1999 |accessdate=2014-09-11 |archive-date=2008-12-04 |archive-url=https://web.archive.org/web/20081204114327/http://seclists.org/bugtraq/1999/Jan/0257.html |dead-url=no }}</ref><ref>{{Cite web |url=http://seclists.org/bugtraq/1999/Jan/0314.html |title=''Announcement: Wietse's FTP site has moved'', by Wietse Venema, on [[Bugtraq]], Jan 21, 1999 |accessdate=2014-09-11 |archive-date=2008-10-29 |archive-url=https://web.archive.org/web/20081029082342/http://seclists.org/bugtraq/1999/Jan/0314.html |dead-url=no }}</ref>。 |
|||
When compared to host access control directives often found in daemons' configuration files, TCP Wrappers have the benefit of [[Run time (program lifecycle phase)|runtime]] ACL reconfiguration (i.e., services don't have to be reloaded or restarted) and a generic approach to network administration. |
|||
This makes it easy to use for anti-[[Worm (computing)|Worm]] scripts, such as [[DenyHosts]] or [[Fail2ban]], to add and expire client-blocking rules, when excessive connections and/or many failed login attempts are encountered. |
|||
While originally written to protect [[Transmission Control Protocol|TCP]] and [[User Datagram Protocol|UDP]] accepting services, examples of usage to filter on certain [[Internet Control Message Protocol|ICMP]] packets exist too, such as 'pingd' – the [[userspace]] [[Ping (networking utility)|ping]] request responder.<ref>[http://artofhacking.com/files/phrack/phrack52/P52-07.TXT Linux Ping Daemon] by route|daemon9 - Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 07{{dead link|date=January 2014}}</ref> |
|||
==1999 Trojan== |
|||
In January 1999, the distribution package at [[Eindhoven University of Technology]] (the primary distribution site until that day) was replaced by a modified version. The replacement contained a trojaned version of the software that would allow the intruder access to any server that it was installed on. The author spotted this within hours, upon which he relocated the primary distribution to his personal site.<ref>[http://www.cert.org/advisories/CA-1999-01.html CC/CERT Advisory CA-1999-01]</ref><ref>[http://www.cert.org/advisories/CA-1999-02.html CC/CERT Advisory CA-1999-02]</ref><ref>[http://seclists.org/bugtraq/1999/Jan/0257.html ''backdoored tcp wrapper source code'', by Wietse Venema, on [[Bugtraq]], Jan 21, 1999]</ref><ref>[http://seclists.org/bugtraq/1999/Jan/0314.html ''Announcement: Wietse's FTP site has moved'', by Wietse Venema, on [[Bugtraq]], Jan 21, 1999]</ref> |
|||
== 参见 == |
== 参见 == |
||
{{Portal|自由软件}} |
{{Portal|自由软件}} |
||
* |
*{{tsl|en|DNSBL}} |
||
* |
*{{tsl|en|Forward-confirmed reverse DNS|FCrDNS}} |
||
*[[防火墙]] |
|||
*[[Firewall (networking)|Firewall]] |
|||
*[[IP |
*[[IP封锁]] |
||
* |
*{{tsl|en|Nullroute}} |
||
== 参考文献 == |
== 参考文献 == |
||
<div class="references-small"> |
<div class="references-small"> |
||
<references /> |
<references /> |
||
*Lee Brotzman: [http://www.linuxjournal.com/article/2180 <cite>Wrap a Security Blanket Around Your Computer</cite>] Linuxjournal article 1997-08-01 |
*Lee Brotzman: [http://www.linuxjournal.com/article/2180 <cite>Wrap a Security Blanket Around Your Computer</cite>]{{Wayback|url=http://www.linuxjournal.com/article/2180 |date=20140723011310 }} Linuxjournal article 1997-08-01 |
||
</div> |
</div> |
||
== 外部链接 == |
== 外部链接 == |
||
*[http://www.softpanorama.org/Net/Network_security/TCP_wrappers/index.shtml Softpanorama |
*[http://www.softpanorama.org/Net/Network_security/TCP_wrappers/index.shtml Softpanorama上有关TCP Wrappers的信息]{{Wayback|url=http://www.softpanorama.org/Net/Network_security/TCP_wrappers/index.shtml |date=20141019092611 }} |
||
⚫ | |||
*[http://www.360is.com/03-tcpwrappers.htm A laymans guide to TCP Wrappers and its history] |
|||
⚫ | |||
{{DEFAULTSORT:Tcp Wrapper}} |
{{DEFAULTSORT:Tcp Wrapper}} |
||
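Review bot: in the two Bugtraq citations of the rewritten 1999年木马事件 paragraph, the wikilink sits inside the Cite web title parameter (`title=''backdoored tcp wrapper source code'', by Wietse Venema, on [[Bugtraq]], Jan 21, 1999`), and the rendered reference list shows the brackets literally as "[[Bugtraq]]"; keep only the work's title in `title=` and move the author, venue and date out of it, or at least drop the link markup there. Separately, the untranslated English paragraphs on libwrap and tcpd, runtime ACL reconfiguration, DenyHosts/Fail2ban and pingd are removed in this hunk with no Chinese replacement, so the article no longer explains how the wrapper is applied to services; translating them would be preferable to deleting them.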
第53行: | 第43行: | ||
[[Category:BSD软件]] |
[[Category:BSD软件]] |
||
[[Category:自由安全软件]] |
[[Category:自由安全软件]] |
||
[[Category:TCP|Wrapper]] |
[[Category:TCP协议|Wrapper]] |
||
[[Category:网络软件]] |
[[Category:网络软件]] |
Latest revision as of 07:46, 19 March 2024 (Tuesday)
Developer | Wietse Venema |
---|---|
Current version | 7.6 (April 8, 1997) |
Operating system | Unix-like |
Type | Security |
License | BSD license |
Website | [1] |
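TCP Wrapper is a host-based network access control list (ACL) system used to filter network access to Unix-like systems such as Linux or BSD. It can use host or subnet IP addresses, names and ident query replies as filtering tokens to implement access control.
The original code was written around 1990 by the Dutchman Wietse Venema to monitor hacker activity on the Unix workstations of the Department of Mathematics and Computer Science at Eindhoven University of Technology.[1] Wietse Venema maintained the program until 1995; on June 1, 2001, it was released under its own BSD-style license.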
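1999 Trojan incident
In January 1999, the distribution package at Eindhoven University of Technology was replaced by a modified version containing a trojaned copy of the software, which gave the intruder access to any server on which that version was installed. The author discovered the problem within a few hours and afterwards moved the primary distribution site to his personal website.[2][3][4][5]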
See also
References
1. TCP WRAPPER - Network monitoring, access control, and booby traps. by Wietse Venema (PDF). Retrieved 2014-09-11. (Archived (PDF) from the original on 2008-07-04.)
2. CC/CERT Advisory CA-1999-01. Retrieved 2014-09-11. (Archived from the original on 2013-11-05.)
3. CC/CERT Advisory CA-1999-02. Retrieved 2014-09-11. (Archived from the original on 2013-12-18.)
4. backdoored tcp wrapper source code, by Wietse Venema, on Bugtraq, Jan 21, 1999. Retrieved 2014-09-11. (Archived from the original on 2008-12-04.)
5. Announcement: Wietse's FTP site has moved, by Wietse Venema, on Bugtraq, Jan 21, 1999. Retrieved 2014-09-11. (Archived from the original on 2008-10-29.)
- Lee Brotzman: Wrap a Security Blanket Around Your Computer (archived copy at the Internet Archive). Linux Journal article, 1997-08-01