https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920398#M109403 HI,<BR />UX11.00<BR /><BR />What are would happen if disallow this service.<BR />chargen Inetd internal server ARPA Allowed <BR /><BR />I cant find info for chargen ? Would someone be able to give a location of this type of data and other system access info, Not too in depth - at the moment just want to know the basics - like why allow access / why disallow access.<BR />Thanks<BR />Maria Thu, 06 Mar 2003 00:49:23 GMT Peter Gillis 2003-03-06T00:49:23Z https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920398#M109403 HI,<BR />UX11.00<BR /><BR />What are would happen if disallow this service.<BR />chargen Inetd internal server ARPA Allowed <BR /><BR />I cant find info for chargen ? Would someone be able to give a location of this type of data and other system access info, Not too in depth - at the moment just want to know the basics - like why allow access / why disallow access.<BR />Thanks<BR />Maria Thu, 06 Mar 2003 00:49:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920398#M109403 Peter Gillis 2003-03-06T00:49:23Z https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920399#M109404 Hi Maria,<BR /><BR />chargen as indicated by it's name - character generator. This can be safely turned off.<BR /><BR />Try this for fun<BR /><BR />telnet your_system 19<BR /><BR />There are other services like daytime, echo, tftp, ntalk, finger, ident and other rpc services that you may not require. However, check with the users on the box to see if the application uses them by anychance. Once comment them out, you will need to 'inetd -c' to refresh the configuration.<BR /><BR />-Sri<BR /><BR /><BR /> Thu, 06 Mar 2003 00:57:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920399#M109404 Sridhar Bhaskarla 2003-03-06T00:57:38Z https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920400#M109405 From TKB document KBRC00001288<BR /><BR />chargen (TCP and UDP port 19) - echos complete set of character<BR />set repeatedly on this port upon connection<BR /><BR /><BR />I would disable this and other extraneous services in inetd.conf. Thu, 06 Mar 2003 01:10:24 GMT https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920400#M109405 Patrick Wallek 2003-03-06T01:10:24Z https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920401#M109406 How come I can go into sam system access and modify system permissions to denied; and then I can look at the inetd.conf file and chargen is still there with no comment out character. <BR />Can I not disable the chargen service via sam?<BR /><BR />Thanks.<BR />Maria Thu, 06 Mar 2003 01:37:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920401#M109406 Peter Gillis 2003-03-06T01:37:58Z https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920402#M109407 HP-UX enables most all of the services in /eetc/inetd.conf--it assumes that you know you should turn off these archaic or specialized network services (chargen tftp daytime ntalk uucp ident time echo discard finger bootps printer rpc.<SERVICES>). <BR /><BR />In the world of security, it is much safer to deny everything in inetd.conf and add back a denied service if it is truly required. I would start with everything commented out except telnet and perhaps ftp. Look at shell and exec since these may be misused. In the above list, you should also check on ident. bootps, printer, tftp as a possibly required service. The rest are almost never used in typical HP-UX systems.<BR /></SERVICES> Thu, 06 Mar 2003 01:44:59 GMT https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920402#M109407 Bill Hassell 2003-03-06T01:44:59Z https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920403#M109408 SAM does modify /var/adm/inetd.sec. If you view that file, you will see a line called<BR /><BR />chargen deny<BR /><BR />And that's what your SAM action did.<BR /><BR />This is effectively equivalent to disabling it in /etc/inetd.conf. <BR /><BR />-Sri Thu, 06 Mar 2003 01:53:26 GMT https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920403#M109408 Sridhar Bhaskarla 2003-03-06T01:53:26Z https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920404#M109409 Look in your /var/adm/ directory and see if you have a file called inetd.sec there. SAM could possibly be modifying this file to deny access to inetd services.<BR /><BR />For more information do a 'man inetd.sec'. Thu, 06 Mar 2003 01:56:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920404#M109409 Patrick Wallek 2003-03-06T01:56:41Z https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920405#M109410 Bill, How/where would I find info on just what the indidual services are:<BR />chargen tftp daytime ntalk uucp ident time echo discard finger bootps printer rpc.<SERVICES><BR />I am feeling cautious about denying access to some of the services eg time echo finger etc, because I am thinking that they might stop the actual cmds echo finger or even the date command from working correctly. I have a feeling that this sounds pretty naive, but I would rather be sure than stuff things up.<BR /><BR />Thanks Maria.</SERVICES> Thu, 06 Mar 2003 02:52:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920405#M109410 Peter Gillis 2003-03-06T02:52:23Z https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920406#M109411 These are all network services and have nothing to do with similar commands in HP-UX. The date command has no relationship to the date network service. finger (actually, fingerd in inetd.conf) does not affect the local finger command. fingerd is a hacker's favorite tattletale about a remote system. You don't want to advertise user information across the network. Same with echo, etc. These services are network daemons that provide the named service for a remote requestor. The man page for each service (the program's name is on the righthand side of the inetd.conf listing) is available and describes what it provides.<BR /><BR />Since you can disable and re-enable services in inetd.conf without rebooting, you can start by commenting out something like finger(d), then run inetd -c and try the finger command to see that it still works. Then try the remote finger format pointed to another Unix system where fingerd is enabled:<BR /><BR />finger root@remote_machine<BR /><BR />Connection refused will be the response if fingerd is not enabled. Otherwise, you'll gain access to user information on the remote machine without ever logging in--which is why fingerd should be disbled. Thu, 06 Mar 2003 03:21:15 GMT https://community.hpe.com/t5/operating-system-hp-ux/network-services-system-access/m-p/2920406#M109411 Bill Hassell 2003-03-06T03:21:15Z