=======================================================================

These C programs monitor TCP-wrapped events and send a safe_finger to an
offending host while keeping track of the requests it makes. The reason
I wrote them was a programming challenge that I recognized from the
warning given in the BOOBY TRAPS section of the hosts_access(5) man page
for tcp wrappers. It says:

"Warning: do not booby-trap your finger daemon, unless you are
 prepared for infinite finger loops."

The fhost client-server model avoids finger loops by detecting multiple
requests from the same remote host. With fhost one can therefore
booby-trap the finger daemon: fhost sends only one safe_finger to the
offending host within a time-out window and then mails the results to
root or whoever you choose.

fhost is called through tcp wrappers via the hosts.allow and hosts.deny
files. The /etc/hosts.allow file has an entry like this:

ALL EXCEPT in.fingerd in.tftpd ps netstat:  (your local domain here)

and the /etc/hosts.deny file has entries like this:

ALL EXCEPT in.fingerd in.tftpd ps netstat: ALL
in.fingerd: ALL EXCEPT localhost:(/usr/local/sbin/fhost @%h %d) &
in.tftpd: ALL EXCEPT localhost:(/usr/local/sbin/fhost @%h %d) &
ps: ALL EXCEPT localhost:(/usr/local/sbin/fhost @%h %d) &
netstat: ALL EXCEPT localhost:(/usr/local/sbin/fhost @%h %d) &

In the above fhost is located in /usr/local/sbin. You can locate
it somewhere else; in that case the directory path must be modified.

fhost takes two arguments: @hostname service. The @ sign must precede
the remote host's name with no whitespace between them; tcp wrappers
supplies the name (or the address, if the name is unavailable) through
%h. service is the daemon name that tcp wrappers expands from %d, such
as in.fingerd or in.tftpd.

With the entries above, tcp wrappers consults hosts.allow first and the
first matching rule wins. The hosts.allow line grants the local domain
every service except finger, tftp, ps and netstat; those four are not
granted to anyone there, so a request for them from any host other than
localhost falls through to hosts.deny, is refused, and runs fhost. If
you want the local domain exempt from the trap as well, add a
hosts.allow line granting those daemons to it before the deny rules can
match. Please see the man pages that come with tcp wrappers for
configuring hosts.allow and hosts.deny for other possibilities.
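As an added example (not part of the original fhost distribution), here
is a hosts.allow that keeps the trap for outside hosts but lets the local
domain use the four services; ".brew.com" is an assumed local domain
taken from the host names used later in this file, and hosts.deny stays
exactly as listed above:

```text
# /etc/hosts.allow  (added example; .brew.com is an assumed local domain)
#
# Grant the trapped daemons to the local domain FIRST. hosts.allow is
# consulted before hosts.deny and the first match wins, so local finger,
# tftp, ps and netstat requests are answered here and never reach the
# fhost trap. Everyone else still falls through to hosts.deny.
in.fingerd in.tftpd ps netstat: .brew.com

# Everything else for the local domain, as in the original entry.
ALL EXCEPT in.fingerd in.tftpd ps netstat: .brew.com
```

Check the result before relying on it: tcpdchk reports syntax problems in
both files, and tcpdmatch prints the rule that would fire for a given
daemon and client, for example "tcpdmatch in.fingerd red.brew.com" should
report access granted while "tcpdmatch in.fingerd some.other.host" should
show the hosts.deny rule with the fhost command.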

There are two sets of fhost client-server sources. The first set,
fhostUNIX.c and fhostdUNIX.c, monitors tcp events on a single machine;
client and server communicate through a UNIX domain socket on that
machine. They are compiled as follows:

		make unix

Before compiling, be sure that all of the defines are correct. The
relevant defines are in the include file defines.h. Some examples of
defines that must be set are:

	PATH_TO_UNIX_SOCKET	The place for the socket.
	PATH_SERVER		The place you put fhostd.
	SERVER_NAME		The name of the server: "fhostd" say.

For fhostdUNIX.c there are in addition to the above:

	ADDRESS_FOR_MAIL	Address to send mail: "root" say.
	HOST_TABLE_SIZE		Maximum number of entries saved.
	PATH_TO_MAIL		Path to mail: "/usr/bin/Mail" say.
	PATH_TO_SAFE_FINGER	Path to safe_finger.

In addition you might want to change the fhostd time-out, the period
during which repeated requests from the same host and service are only
counted rather than answered with another safe_finger. It is a static
long integer currently set to 1020L (1020 seconds, i.e. 17 minutes).
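The loop protection described above comes down to a table of
host-service requests with a time-out, which the daemon also empties on
SIGHUP (see the note on /var/run/fhostd.pid at the end of this file).
The following C is an added example written for this README, not the
fhost sources: it models that table and the "@hostname" argument check
with hypothetical function names (parse_host_arg, table_note_request,
table_expire, table_flush, table_requests), uses an assumed
HOST_TABLE_SIZE of 32, and the events in main() are constructed.

```c
/* Added example, not the fhost sources: a request table with the
 * 1020-second window that decides when safe_finger may run. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define HOST_TABLE_SIZE 32      /* assumed value for the define of that name */
#define FHOSTD_TIMEOUT  1020L   /* seconds: 17 minutes, as in this README */
#define NAME_LEN        128

struct host_entry {
    char     host[NAME_LEN];     /* remote host as passed by tcp wrappers (%h) */
    char     service[NAME_LEN];  /* daemon name as passed by tcp wrappers (%d) */
    time_t   first_seen;         /* start of this entry's time-out window */
    unsigned requests;           /* requests counted in the window */
};

struct host_table {
    struct host_entry e[HOST_TABLE_SIZE];
    int count;
};

/* Strip the '@' that fhost requires directly in front of the host name.
 * Returns 1 and fills host on success, 0 if the argument is malformed. */
int parse_host_arg(const char *arg, char *host, size_t hostlen)
{
    if (arg == NULL || arg[0] != '@' || arg[1] == '\0')
        return 0;
    if (strlen(arg + 1) >= hostlen)
        return 0;
    strcpy(host, arg + 1);
    return 1;
}

/* Drop entries whose window has expired, compacting the table in place. */
void table_expire(struct host_table *t, time_t now)
{
    int i, kept = 0;
    for (i = 0; i < t->count; i++)
        if (now - t->e[i].first_seen < FHOSTD_TIMEOUT)
            t->e[kept++] = t->e[i];
    t->count = kept;
}

/* Empty the table entirely: what the daemon does when it gets SIGHUP. */
void table_flush(struct host_table *t)
{
    t->count = 0;
}

/* Record one request. Returns 1 when this is the first request from
 * (host, service) inside the window, the one occasion on which
 * safe_finger should be launched; 0 for a repeat, which is only counted;
 * -1 when the table is full, in which case the caller should not probe,
 * since it can no longer tell a repeat from a first request. */
int table_note_request(struct host_table *t, const char *host,
                       const char *service, time_t now)
{
    int i;
    table_expire(t, now);
    for (i = 0; i < t->count; i++) {
        if (strcmp(t->e[i].host, host) == 0 &&
            strcmp(t->e[i].service, service) == 0) {
            t->e[i].requests++;
            return 0;
        }
    }
    if (t->count >= HOST_TABLE_SIZE)
        return -1;
    snprintf(t->e[t->count].host, NAME_LEN, "%s", host);
    snprintf(t->e[t->count].service, NAME_LEN, "%s", service);
    t->e[t->count].first_seen = now;
    t->e[t->count].requests = 1;
    t->count++;
    return 1;
}

/* Requests counted so far for (host, service); 0 if it is not tracked. */
unsigned table_requests(const struct host_table *t, const char *host,
                        const char *service)
{
    int i;
    for (i = 0; i < t->count; i++)
        if (strcmp(t->e[i].host, host) == 0 &&
            strcmp(t->e[i].service, service) == 0)
            return t->e[i].requests;
    return 0;
}

int main(void)
{
    /* Constructed events: the argument form tcp wrappers would hand fhost. */
    const time_t base = 1000000;
    struct host_table t;
    char host[NAME_LEN];
    int r;

    memset(&t, 0, sizeof t);
    if (!parse_host_arg("@red.brew.com", host, sizeof host))
        return 1;
    r = table_note_request(&t, host, "in.fingerd", base);
    printf("first finger from %s: %s\n", host, r == 1 ? "probe" : "count only");
    r = table_note_request(&t, host, "in.fingerd", base + 5);
    printf("repeat 5s later:    %s\n", r == 1 ? "probe" : "count only");
    r = table_note_request(&t, host, "in.fingerd", base + FHOSTD_TIMEOUT);
    printf("after the time-out: %s\n", r == 1 ? "probe" : "count only");
    return 0;
}
```

The decision to probe is made only on insertion, so a remote booby trap
that fingers back every time it is probed produces one safe_finger per
window from this side and the loop stops. Keying on the host and service
pair mirrors the host-service table the README describes; a daemon that
wanted to probe a host once regardless of which trapped service it hit
would key on the host alone.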

The second set of fhost client-server sources can monitor events on a
network as well as on a single machine. However, it is not recommended
that fhost be run this way, because unless care is taken to protect the
daemon (say behind a firewall) it will be exposed to attacks from
external hosts over the network. The reason that the network version
was written was the challenge itself (;->). The sources are called
fhostNET.c and fhostdNET.c. In this case fhostd is run as a daemon on
one machine on the network by the command: fhostd -d . This can be done
from the boot-up script, if you wish, when the other daemons are
started. fhostd then opens two sockets: a UNIX domain socket for
listening on its own machine and a network socket for listening on the
network. The machine running fhostd can use either fhostUNIX or
fhostNET as the client; the other machines must run fhostNET to talk to
the server. As with the UNIX domain sources, you must ensure that all
of the defines are correct. They are in the include file defines.h.

For fhostNET.c this includes:

	FHOSTD_NET_PORT		Fhostd's unprivileged port number.
				(I choose a number above 5000 for this).
	FHOSTD_NET_ADDRESS	Server IP addr: "10.0.0.10" for example.
	FHOST_NET_HOST		Client machine on which fhost is running;
				for example:	"red.brew.com"

In the above examples the machine running fhostd is virt.brew.com with
an IP address of 10.0.0.10. The machine that is running the
client, fhost, is red.brew.com. The default port number is set to 6789
in the listings; it can easily be changed to another number. I recommend
keeping the port number above 5000.

Finally after all of the defines have been set correctly compile as:

		make net

and install in an appropriate place. Note that it is not necessary to
run these programs SUID root, since they need no special privileges to
run successfully. However, if fhostd is started as a daemon from a
boot-up script, it will run with root privileges. If fhostd runs with
root privileges it can run nmap in a more aggressive mode. It will also
create a file called /var/run/fhostd.pid containing the pid of the
daemon. This is useful for sending SIGHUP to fhostd, which makes it
empty the table of host-service requests it is keeping before the
entries time out; as root you type:

	kill -SIGHUP `cat /var/run/fhostd.pid`

to do this.

Have fun!

		Ed Alley
		wea@llnl.gov

