topic Re: inetd.sec in Operating System - HP-UX

inetd.sec

Matt Walls — Wed, 25 Oct 2000 17:32:15 GMT

I have a web server listening on port 7500. what i want to do is deny certain i.p. addresses from using that port.
i defined the service in /etc/services, and i have entered the service name and i.p. address to deny.

however, i can still connect to the port.

i.e. http://whatever:7500

any ideas would be appreciated.

Thank you

Re: inetd.sec

Rita C Workman — Wed, 25 Oct 2000 17:35:10 GMT

One question if you did your 'deny' correct...did you remember to recyle inetd.??

Just a thought,

Re: inetd.sec

Kofi ARTHIABAH — Wed, 25 Oct 2000 17:40:59 GMT

Matt:

If your webserver is not started from within inetd (ie if it is in standalone mode) then inetd.sec cannot control access to it. however, you can set up .htaccess files in the "root" of the webserver hierarchy that denies that IP:

1. Create a file called .htaccess in your documents_home directory. the file should contain:

deny from bad.bad.machine.com
allow from all

AuthUserFile authusr.pwd
AuthGroupFile /dev/null
AuthName "Privileged Member"
AuthType Basic

require valid-user

satisfy any

===================
check the documentation of apache for more information on htaccess

If you want to absolutely control it from within inetd.sec, then you have to set up your webserver to be started by inetd.conf

Re: inetd.sec

Matt Walls — Wed, 25 Oct 2000 17:48:01 GMT

yes i have tried restarting with inetd -c

we are using an oracle web server, not apache. is there a similiar function?

also, what are the benefits/disadvantages of starting and stopping the web server with inetd?

thanks again

Re: inetd.sec

Andreas Voss — Wed, 25 Oct 2000 17:55:59 GMT

Hi,

have you entered the deny ip addresses in one line at inetd.sec ?
There must not be any line break or line continue with
Reagards

Re: inetd.sec

Kofi ARTHIABAH — Wed, 25 Oct 2000 17:57:46 GMT

Yes, Matt, there must be similar functionality in the Oracle webserver... it is a standard means of restricting access to whole directories (look for security and access restriction) in your oracle webserver documentation.

I tend to prefer to have the webserver be standalone - when started from within inetd, every time a hit comes on port 7500, inetd wakes up and invokes a new instance of the webserver to service the request (potentially 2 steps). However, if started as a standalone, a new instance of the server is started, only if there isn't an idle one currently running.

Re: inetd.sec

Bill Thorsteinson — Mon, 30 Oct 2000 23:39:01 GMT

Depending on the version of Oracle you are running the web server may be a modified version of Apache. Newer versions (not sure when they switched) use Apache with modifications. Oracle are releasing some of their enhancements back to the open source world.

Re: inetd.sec

Philip Chan_1 — Tue, 31 Oct 2000 01:17:22 GMT

Matt,

As you machine boots up just make sure the webserver will not be started automatically. I think you also have to take out the "--daemon" parameter for the webserver entry in the inetd.conf file, then your security entries in inetd.sec should come into effect.

If your webserver will be a busy one, then I would agree that the standalone server approach is more appropriate.

Re: inetd.sec

Philip Chan_1 — Tue, 31 Oct 2000 01:17:46 GMT