From: wswietse@wsbs06.bs.win.tue.nl (Wietse Venema)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: "Future" TCP/IP and Security?
Message-ID: <3219@svin02.info.win.tue.nl>
Date: 30 Mar 92 10:41:27 GMT
References: <1992Mar28.095735.792@drycas.club.cc.cmu.edu>

greenie@drycas.club.cc.cmu.edu writes:

>Does anyone know of any future implementations of TCP/IP or modifications
>to the current processes which would improve security?  IE, preventing
>"anybody" from TELNETting to the SMTP port and sending anonymous hate
>mail and other such things like that?

For a simple way to implement access control to network daemons, see:

    cert.sei.cmu.edu:/pub/network_tools:/tcp_wrapper.shar
    ftp.win.tue.nl:/pub/security/log_tcp.shar.Z
    ftp.win.tue.nl:/pub/security/log_tcp_patch

It was originally intended to add some security to daemons started by
the inetd, but it can be used for the sendmail daemon, too, by having
it run "on demand". A sample inetd.conf entry would be:

    smtp stream tcp nowait root /usr/etc/tcpd /usr/lib/sendmail -bs

Where tcpd is the tcp wrapper from the above archives. You'll probably
need to apply the log_tcp_patch file if the sendmail daemon needs to be
specified with an absolute path name.

Now that the sendmail daemon is started "on demand", you will also have
to run a cron job that at regular intervals scans the sendmail mail
queue. Something like:

    0,15,30,45 * * * * /usr/lib/sendmail -q

should take care of that.

	Wietse
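
Added example, not part of the original post and not the tcpd source: a C illustration of the wrapper pattern described above, where inetd hands the accepted connection to a small program that identifies the peer, logs it, applies an access check, and only then execs the real daemon. The program name "wrapper", the ALLOWED prefix list, and the functions client_allowed and peer_address are assumptions made for this illustration (IPv4 only).

```c
/* Added illustration of the inetd wrapper pattern; NOT the tcpd source. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>
/* Hypothetical policy: address prefixes (note trailing dot) allowed in. */
static const char *const ALLOWED[] = { "127.", "192.0.2.", NULL };

/* Return 1 if addr starts with an allowed prefix, else 0 (default deny). */
int client_allowed(const char *addr, const char *const *prefixes)
{
    if (addr == NULL || *addr == '\0')
        return 0;
    for (; *prefixes != NULL; prefixes++) {
        size_t n = strlen(*prefixes);
        if (n > 0 && strncmp(addr, *prefixes, n) == 0)
            return 1;
    }
    return 0;
}

/* inetd passes the accepted connection as fd 0; resolve the peer address. */
int peer_address(int fd, char *buf, socklen_t len)
{
    struct sockaddr_in sin;
    socklen_t sl = sizeof(sin);
    if (getpeername(fd, (struct sockaddr *) &sin, &sl) < 0
        || sin.sin_family != AF_INET)
        return -1;
    return inet_ntop(AF_INET, &sin.sin_addr, buf, len) ? 0 : -1;
}

/* Usage from inetd.conf: wrapper /path/to/daemon [args...] */
int main(int argc, char **argv)
{
    char addr[INET_ADDRSTRLEN];
    if (argc < 2) return 2;
    openlog("wrapper", LOG_PID, LOG_MAIL);
    if (peer_address(0, addr, sizeof(addr)) < 0 || !client_allowed(addr, ALLOWED)) {
        syslog(LOG_WARNING, "refused connect to %s", argv[1]);
        return 1;                   /* exiting closes the socket */
    }
    syslog(LOG_INFO, "connect to %s from %s", argv[1], addr);
    execv(argv[1], argv + 1);       /* daemon inherits the socket on fd 0/1 */
    syslog(LOG_ERR, "cannot exec %s", argv[1]);
    return 1;
}
```

The trailing dot in each prefix matters: without it, "192.0.2" would also admit 192.0.20.x and 192.0.200.x.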

