Re: TCP Wrapper questions

Anthony_141
Regular Advisor

TCP Wrapper questions

Our SOX/PCI audit showed we needed to install TCP Wrappers (which we did).

Not knowing much about the wrappers (which will become very apparent as you read this), we proceeded to put the TCP wrapper entries into our /etc/inetd.conf (adding /usr/lbin/tcpd to the appropriate lines). We did the "inetd -c" after doing this to have the changes take effect.

We noticed that certain things worked with wrappers installed (like telnet, login, shell, exec, etc) but other things did not (like omni for our backups and some hacl protocols for serviceguard).

We are assuming that the things that don't work fail because we didn't do a hosts.allow file yet.

Now we're curious as to why anything works without hosts.allow. Why does FTP and Telnet (and RSH commands) work even though they are wrapped? Isn't the default behavior for the wrappers to be "deny" unless there are entries in hosts.allow?

Any other tips or examples for the Wrappers would also be appreciated.

Thanks!
12 REPLIES
Mark McDonald_2
Trusted Contributor
Solution

Re: TCP Wrapper questions

On our boxes we have "ALL : ALL" in hosts.deny

Then only allow what is needed in the hosts.deny

According to my book (red hat) there are 3 stages of access tracking:
1-Is access explicitly permitted
2-Is access explicitly denied
3-Otherwise permit access.

So it will check hosts.allow to see if it is allowed, if it's not there it will check if it is denied, hence why I use ALL:ALL here. This then stops the 3rd point above.

Hope this helps.
Emil Velez
Honored Contributor

Re: TCP Wrapper questions

The additional delay may be killing the data protector disk agent.

Data Protector has its own security since it only accepts connections from the cell manager, which is defined in the cell_server file, which is outside the realm of hosts.allow and hosts.deny.

Mark McDonald_2
Trusted Contributor

Re: TCP Wrapper questions

Anthony - how about providing some points for answers to your questions?

From your profile: you have assigned points to 14 of 81 responses....

Thanks
Mark
Anthony_141
Regular Advisor

Re: TCP Wrapper questions

I've spoken with many HP customer colleagues over the years- and there is a general agreement that we don't care about "points" and don't understand why anyone else does either.

In fact, most people make fun of the entire point system - the other day some people here at work were joking that the people who beg for points live in their parents' basement with the hopes of someday becoming a "Grand Wizard". (Their words, not mine).

Obviously that's probably harsh - but the point is that many of us come here for answers when Google doesn't help and could care less who does the answering - we just want the answer. The "point system" gives the impression that we're somehow now involved in some kind of "geek olympics" and we'd rather just get our answer and then implement the solution - usually we don't have time in our busy work day to go back and assign points.
Anthony_141
Regular Advisor

Re: TCP Wrapper questions

Also, if there's people out there who track who doesn't give points and therefore don't answer those questions (for fear of not getting points) then that defeats the whole "I'm freely giving back to the community" philosophy that we thought was the point of these forums.

Anyway, I'm sure I just got put on the "don't ever answer this guy's questions" list, so it was nice getting free advice while it lasted.

PS- no one has answered our real question anyway (why does telnet work without the hosts.allow file), so I guess it doesn't matter.
Dennis Handly
Acclaimed Contributor

Re: TCP Wrapper questions

>PS- no one has answered our real question anyway

There is that. ;-)
But you can assign 0 or some trivial amount of points.
http://forums.itrc.hp.com/service/forums/helptips.do?#34
Heironimus
Honored Contributor

Re: TCP Wrapper questions

You say you didn't create hosts.allow, but did you create hosts.deny? Nonexistent or empty files mean "do nothing", not "deny". If nothing matches in either hosts.allow or hosts.deny, the default is to allow the connection. If you want to create a default-deny configuration you have to do so explicitly with an ALL rule in hosts.deny.
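The evaluation order that Mark McDonald_2's "3 stages" and Heironimus's reply describe (a match in hosts.allow permits, then a match in hosts.deny denies, otherwise the connection is permitted) as an added Python model. This is constructed example code, not HP-UX's tcpd or the libwrap hosts_access() routine; the subset of rule syntax it handles, the daemon names (telnetd, ftpd, omni), and the sample hostnames and addresses are assumptions made for illustration. It shows why the original poster's wrapped telnet kept working with no access files at all, and how a single ALL : ALL line in hosts.deny turns that into default-deny.

```python
"""Simplified model of the tcp_wrappers access decision (constructed example).

Rule syntax modelled (one rule per line):
    daemon_list : client_list [ : ignored option fields ]
Lists are comma-separated.  Client patterns understood: ALL, an exact
hostname, an exact IP address, a leading-dot domain suffix (.example.com)
and a trailing-dot network prefix (10.1.).  EXCEPT, netgroups and the
option language of real tcpd are deliberately not modelled.
"""


def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemons, clients) tuples.

    An absent file is passed as the empty string and yields no rules,
    which is exactly how a missing file behaves: it never matches."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d for d in (x.strip() for x in parts[0].split(",")) if d]
        clients = [c for c in (x.strip() for x in parts[1].split(",")) if c]
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix, e.g. .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):        # network prefix, e.g. 10.1.
        return addr.startswith(pattern)
    return pattern in (host, addr)   # exact hostname or address


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def matches(rules, daemon, host, addr):
    """True if any rule's daemon list AND client list both match."""
    return any(
        any(_daemon_matches(d, daemon) for d in daemons)
        and any(_client_matches(c, host, addr) for c in clients)
        for daemons, clients in rules
    )


def hosts_access(allow_text, deny_text, daemon, host, addr):
    """Decide a connection in tcpd order:
    1. match in hosts.allow -> permit
    2. match in hosts.deny  -> deny
    3. no match anywhere    -> permit (this is the surprising default)."""
    if matches(parse_rules(allow_text), daemon, host, addr):
        return True
    if matches(parse_rules(deny_text), daemon, host, addr):
        return False
    return True


# Constructed sample configurations (assumed daemon names and addresses).
NO_FILES_ALLOW = ""          # hosts.allow absent
NO_FILES_DENY = ""           # hosts.deny absent

DEFAULT_DENY_ALLOW = """
# only the backup cell manager may reach the Data Protector agent
omni           : cellmgr.example.com
# interactive services only from the internal /16
telnetd, ftpd  : 10.1.
"""
DEFAULT_DENY_DENY = "ALL : ALL\n"


def demo():
    """Return the decisions for a few constructed connection attempts."""
    return {
        # no access files at all: everything wrapped is still permitted
        "telnet_no_files": hosts_access(NO_FILES_ALLOW, NO_FILES_DENY,
                                        "telnetd", "pc1.example.com", "192.168.5.5"),
        # ALL : ALL in hosts.deny plus explicit allows
        "telnet_internal": hosts_access(DEFAULT_DENY_ALLOW, DEFAULT_DENY_DENY,
                                        "telnetd", "ws7.example.com", "10.1.2.3"),
        "telnet_external": hosts_access(DEFAULT_DENY_ALLOW, DEFAULT_DENY_DENY,
                                        "telnetd", "pc1.example.com", "192.168.5.5"),
        "omni_cellmgr": hosts_access(DEFAULT_DENY_ALLOW, DEFAULT_DENY_DENY,
                                     "omni", "cellmgr.example.com", "10.1.0.9"),
        "omni_other_host": hosts_access(DEFAULT_DENY_ALLOW, DEFAULT_DENY_DENY,
                                        "omni", "ws7.example.com", "10.1.2.3"),
    }


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:18s} {'permit' if permitted else 'DENY'}")
```

The first case is the one the thread keeps coming back to: with neither file present, nothing matches in either stage, so stage 3 permits the connection. The remaining cases show that once ALL : ALL sits in hosts.deny, every wrapped daemon (including the omni backup agent) is refused unless a hosts.allow line names it for that client, which is why a wrapped service can stop working the moment default-deny is introduced.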
Mark McDonald_2
Trusted Contributor

Re: TCP Wrapper questions

>PS- no one has answered our real question anyway

As I said above: there are 3 stages of access tracking:
1-Is access explicitly permitted
2-Is access explicitly denied
3-Otherwise permit access.

So if you do not have ALL:ALL in hosts.deny then number 3 comes into play. So please let us know if you have a hosts.deny and what the content is.

AND - just for the record, my mother does not have a basement, she does have a rather nice attic. I am not aspiring to be a "grand wizard", I had a $100 bet with a colleague that I could get to "Royalty" before him - he is ahead and I am playing catch up. Perhaps that is just as sad.... ? I'm sure me and my colleagues may find some of your interests just as sad? NOW GIVE ME SOME BLOODY POINTS!!! :-) I WANT THIS $100.

Anthony_141
Regular Advisor

Re: TCP Wrapper questions

for $99 I'll assign some meaningless points.