topic Re: inetd.sec in Operating System - HP-UX

inetd.sec

TheJuiceman — Thu, 15 Dec 2005 22:36:15 GMT

Hi everyone,
I want to make sure I have secured inetd.conf as it should be. I am running a MCSG environment and have found that we should have a inetd.sec file to secure the identd service. What should this file contain? Thanks for your help.

Re: inetd.sec

Patrick Wallek — Thu, 15 Dec 2005 22:44:05 GMT

Unless you are using identd, which very few people do, you should comment the identd line in /etc/inetd.conf and restart inetd with 'inetd -c'.

Re: inetd.sec

TheJuiceman — Thu, 15 Dec 2005 23:06:35 GMT

I was told that we should have identd running since we have a ServiceGuard environment. Is this not true?

Re: inetd.sec

Patrick Wallek — Thu, 15 Dec 2005 23:40:40 GMT

We have two 2 node MC/SG clusters and I do not have identd running on any of the 4 machines.

Re: inetd.sec

TheJuiceman — Thu, 15 Dec 2005 23:49:39 GMT

What entry do you have for ident in /etc/services? Are you getting any identd messages in your syslog?

Re: inetd.sec

Tvs — Fri, 16 Dec 2005 04:32:07 GMT

hi

you can restrict the inetd services.

edit the /var/adm/inetd.sec

if u want to allow telnet only to a specific ip or network, put

telnetd allow (ipaddress or hostname )

iam not aware of identd service .

if it is there you can restrict the service like this.
identd allow 10.0.0.02
identd deny 10.0.0.25

...................

Re: inetd.sec

Muthukumar_5 — Fri, 16 Dec 2005 04:50:56 GMT

/var/adm/inetd.sec file is used to control service access. You can setup lines as,

servicename allow/deny ip-address/network/hostname

and save it.

You can get sample file as,
/usr/newconfig/var/adm/inetd.sec

use that and try it out.

Re: inetd.sec

Patrick Wallek — Fri, 16 Dec 2005 10:07:10 GMT

I have the standard line for identd in /etc/services.

ident 113/tcp authentication # RFC1413

No, I am not getting any messages in syslog for ident.

I also just downloaded the latest PDF of "Managing Serviceguard, 12th Edition, October 2005" and searched for ident in it. There is mention of it on page 194, but our cluster was not set up like they say it should be to not use identd and it is still running fine.

Re: inetd.sec

Greg Vaidman — Fri, 16 Dec 2005 16:44:48 GMT

MCSG 11.15 or 11.16 introduced the use of identd as a default option, although it can be disabled. If you don't have identd running, you'll get some errors in syslog until you change it..

From: http://docs.hp.com/en/B3936-90079/ch05s01.html

Username Validation

Serviceguard relies on the ident service of the client node to verify the username of the incoming network connection. If the Serviceguard daemon is unable to connect to the client's ident daemon, permission will be denied.

Root on a node is defined as any user who has the UID of 0. For a user to be identified as root on a remote system, the "root" user entry in /etc/passwd for the local system must come before any other user who may also be UID 0. The ident daemon will return the username for the first UID match. For Serviceguard to consider a remote user as a root user on that remote node, the ident service must return the username as "root".

It is possible to configure Serviceguard to not use the ident service, however this configuration is not recommended. Consult the whitepaper "Securing Serviceguard" for more information.

To disable the use of identd, add the -i option to the tcp hacl-cfg and hacl-probe inetd configurations.

For example, on HP-UX with Serviceguard A.11.16

1.

Change the cmclconfd entry in /etc/inetd.conf to appear as: hacl-cfg stream tcp nowait root /usr/lbin/cmclconfd \ cmclconfd -c -i.
2.

Change the cmomd entry in /etc/inetd.conf to appear as: hacl-probe stream tcp nowait root \ /opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd -i -f \ /var/opt/cmom/cmomd.log -r /var/opt/cmom.
3.

Restart inetd: /etc/init.d/inetd restart.

Re: inetd.sec

TheJuiceman — Fri, 16 Dec 2005 20:39:56 GMT

Two questions...

Are the backward slashs (\)suppose to be part of the hacl entries in /etc/inetd.conf? When I put them in and restart inetd, I get a message in my syslog stating an unexpected \ was encountered.

Also, the reason for this line of questioning is because we are getting the following message in our syslog that I can't seem to correct:

Dec 16 20:39:13 cmclconfd[12182]: cmclconfd running with weak security (id
entd disabled)
This message repeats several times a minute. How can I correct this?

Thanks.

Re: inetd.sec

Sameer_Nirmal — Fri, 16 Dec 2005 22:44:17 GMT

Hi,

As mentioned in the SG manual , bypassing the "identd" is not recommended.
Refer follwing HP doc and ensure the compliance mentioned therein.

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000081786362