[RFE] Enable tcp_wrapper support in Flatcar, especially with sshd but possibly other daemons as well.

[jhaprins]

Current situation

Setting up a high secure environment it is good practice to always deploy dual layered security. With respect to sshd, where you need to have the daemon running to be able to do some maintenance, you want both a firewall to prevent access of unwanted connections, but if the firewall fails on you for whatever reason, you want a second layer of defense, and tcp_wrappers is in general a good second layer to allow only connections from specific host names.
Implementing hosts.allow files in a Flatcar linux install resulted in no added security and checking with ldd we find that indeed tcp_wrapper support is not enabled.

node-1 ~ # ldd /usr/sbin/sshd
linux-vdso.so.1 (0x00007ffccdfde000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f23652c0000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007f23652ae000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2365259000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f236517f000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f2364d43000)
libz.so.1 => /lib64/libz.so.1 (0x00007f2364d29000)
libc.so.6 => /lib64/libc.so.6 (0x00007f2364b46000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f2364b18000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f2364ae9000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f2364ae2000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f2364ad3000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f2364ac1000)
/lib64/ld-linux-x86-64.so.2 (0x00007f2365432000)
libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f2364ab7000)

On a normal linux install I would expect something like:

ldd /usr/sbin/sshd |grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f69bbf9f000)

Impact

There is no viable option to create dual layered security on a Flatcar host which results in having to deploy other second layers which are in general more cumbersome to implement, or don't give the added benefit tcp_wrappers gives you.

Ideal future situation

sshd is compiled with tcp_wrapper support and the needed libraries are installed as well.

Implementation options

compile sshd with tcp_wrapper support.

Additional information

Adding this into Flatcar should have minimal impact because there are no hosts.allow or hosts.deny files in /etc at the moment, which results in no rules being in place. When we enable this feature in sshd we can tell everyone that this feature can then be used by just adding the correct files in /etc.

[pothos]

I can also recommend to look into bpf programs if you want to filter a systemd unit: https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#BPFProgram=type:program-path
The benefit is that the kernel will handle this and not the program itself, meaning that even if the program doesn't go through the wrapper lib but uses direct syscalls, it will still work.

[jhaprins]

eBPF sounds like a good alternative but:

node-1 /etc/systemd/system/sshd.service.d # netstat -anp |grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2072/sshd: /usr/sbi
tcp 0 0 192.168.8.31:22 192.168.2.59:57408 ESTABLISHED 6421/sshd: jhp [pri
tcp 0 52 192.168.8.31:22 172.31.3.238:52202 ESTABLISHED 6180/sshd: jhp [pri
tcp6 0 0 :::22 :::* LISTEN 2072/sshd: /usr/sbi

node-1 /etc/systemd/system/sshd.service.d # systemctl show sshd |grep IPAddress
IPAddressAllow=2a02:b70:0:2:3238::1/128 2a02:b70:0:2:3246::1/128 172.31.3.238/32 172.31.3.246/32

Maybe I'm doing something wrong, but it does not seem to work.

[pothos]

I guess you also have to set it for sshd.socket

[jhaprins]

I have masked sshd.socket and according to the documentation of systemd you should be able to set it on any unit.

[jhaprins]

Looks like you need to create a global deny and then a specific allow.
Added: IPAddressDeny=0.0.0.0/0 ::/0
Now it works.

[jepio]

So if this is doable with systemd service configuration - i dont think we want to pull in another way of achieving the same result.

Would you agree?

[jhaprins]

I would agree. I think we can close this again.