From: wietse@wzv.win.tue.nl (Wietse Venema)
Newsgroups: comp.security.misc,alt.security,comp.unix.admin,comp.sys.sun.admin
Subject: new tcp wrappers and related stuff
Message-ID: <3424@wzv.win.tue.nl>
Date: 21 Jun 92 22:14:27 GMT
Organization: Eindhoven University of Technology, The Netherlands

A new release of the tcp wrapper programs is available. These programs
maintain a log of the use of TCP/IP and UDP/IP network daemons, and
provide optional access control.

The source has been posted to comp.sources.misc and is available for
anonymous ftp as ftp.win.tue.nl:/pub/security/log_tcp.shar.Z.

Enhancements over the previous release are: 

    1 - network daemons no longer have to live within a common directory
    2 - the access control code now uses both the host address and name
    3 - an access control pattern that supports netmasks
    4 - additional protection against forged host names (DNS spoofing)
    5 - a pattern that matches hosts whose name or address lookup fails
    6 - an operator that prevents hosts or services from being matched
    7 - optional remote username lookup with the RFC 931 protocol
    8 - an optional umask to prevent the creation of world-writable files
    9 - hooks for access control language extensions
   10 - last but not least, thoroughly revised documentation.

Except for the change described under (2) the present version should be
backwards compatible with earlier ones.

The logdaemon package (SunOS 4.x rsh/rlogin daemons that log user names
in addition to host names) has been updated to take advantage of the
above access control language extensions. The documentation and the
installation instructions have been completely revised. Available for
anon ftp as ftp.win.tue.nl:/pub/security/logdaemon.tar.Z.  The rshd
works with Ultrix 4.x, too.  These programs have already survived their
first cracker attacks :-)

Finally, a new portmap replacement is available for testing. It uses
the same access control mechanisms as the tcp wrappers and should
improve the security of systems with naive NFS or NIS implementations
(i.e. not SunOS 4.x; use securelib and patch 100482-02 instead for even
better protection). You probably have a naive NFS or NIS implementation
if rpcinfo says that all those daemons run on port numbers >= 1024.  It
works with Ultrix 4.x, and an update for HP-UX is in the works.
Available for anon ftp as ftp.win.tue.nl:/pub/security/portmap.shar.Z.

	Wietse
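
Added example, not part of the original post or of the portmap package: a shell function that applies the rpcinfo heuristic from the last paragraph to `rpcinfo -p` output. The function name, the two sample listings (constructed) and the choice to count every registered program except the portmapper itself as "those daemons" are assumptions.

```shell
# Reads `rpcinfo -p` output on stdin. Prints one line per RPC service that
# listens on a port >= 1024, then a verdict line. Returns 0 when every
# registered service other than the portmapper is on a port >= 1024
# (the condition the post describes), 1 otherwise.
check_rpc_ports() {
    awk '
        $1 == "program"              { next }   # header line
        NF < 4 || $4 !~ /^[0-9]+$/   { next }   # malformed or truncated line
        $1 == 100000                 { next }   # the portmapper itself (port 111)
        {
            total++
            name = (NF >= 5) ? $5 : "prog-" $1  # service column may be empty
            if ($4 + 0 >= 1024) {
                high++
                printf "unprivileged: %s/%s port %s\n", name, $3, $4
            }
        }
        END {
            if (total == 0)    { print "verdict: no RPC services listed"; exit 1 }
            if (high == total) { print "verdict: all daemons on ports >= 1024"; exit 0 }
            print "verdict: some daemons on reserved ports"; exit 1
        }
    '
}

# Constructed sample: every daemon registered on an unprivileged port.
sample_naive() { cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp   1027  ypserv
    100007    2   udp   1031  ypbind
    100005    1   udp   1035  mountd
    100003    2   udp   2049  nfs
EOF
}

# Constructed sample: ypserv and mountd bound to reserved ports.
sample_reserved() { cat <<'EOF'
   program vers proto   port  service
    100000    2   udp    111  portmapper
    100004    2   udp    660  ypserv
    100005    1   udp    702  mountd
    100003    2   udp   2049  nfs
EOF
}

sample_naive | check_rpc_ports || true
```

On a live host, feed it with `rpcinfo -p | check_rpc_ports`.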

