inetd.sec deny services

jerry1 — Wed, 18 Apr 2007 13:09:12 GMT

How can you deny all the possible services
to one host with one line in inetd.sec?

"*" does not work for "all" services field.

* deny 10.40.111.10

Re: inetd.sec deny services

Patrick Wallek — Wed, 18 Apr 2007 13:14:14 GMT

I don't think you can. The way I read the inetd.sec man page is that you MUST specify a particular service name on each line. Wild cards can only be used for the hosts/ip addresses that you wish to allow or deny.

Re: inetd.sec deny services

Marco A. — Wed, 18 Apr 2007 13:24:38 GMT

Why you don't try to use the /etc/host.allow /etc/host.deny to do that? that's a good option, the /etc/inetd.sec doesn't allow you to put an * in the field

Regards

Re: inetd.sec deny services

Senthil Prabu.S_1 — Wed, 18 Apr 2007 22:56:36 GMT

Hi,
What you are trying will not work. Since you want to deny complete network services, it is best to use TCP WRAPPERS for hosts based access control with /etc/hosts.deny.

Refer the last section in this link;
http://www.stanford.edu/group/itss-ccs/security/unix/tcpwrappers.html

HTH,
Prabu.S

Re: inetd.sec deny services

jerry1 — Thu, 19 Apr 2007 10:06:12 GMT

For now, I gathered everything from all
the /etc/services listings and took the
first column and added them to the
/var/adm/inetd.sec file on all the systems.
The reason I have to block this box is
because it's a Nagios scanning server that
probes all ports causing me headaches. Just
like the tool Satin.

dtspc allow 127.0.0.1 loopback
DAServer deny 10.40.167.110
SNAplus deny 10.40.167.110
SrpCentralDaemon deny 10.40.167.110
SrpSiteDaemon deny 10.40.167.110
actcp deny 10.40.167.110
bftp deny 10.40.167.110
bgp deny 10.40.167.110
biff deny 10.40.167.110
bootpc deny 10.40.167.110
bootps deny 10.40.167.110
bpcd deny 10.40.167.110
bpjava-msvc deny 10.40.167.110
bprd deny 10.40.167.110
c34_main deny 10.40.167.110
chargen deny 10.40.167.110
clvm-cfg deny 10.40.167.110
comms_high deny 10.40.167.110
comms_normal deny 10.40.167.110
conference deny 10.40.167.110
console deny 10.40.167.110
courier deny 10.40.167.110
cvmmon deny 10.40.167.110
cvmon deny 10.40.167.110
daytime deny 10.40.167.110
desmevt deny 10.40.167.110
diagmond deny 10.40.167.110
discard deny 10.40.167.110
domain deny 10.40.167.110
dtspc deny 10.40.167.110
echo deny 10.40.167.110
efs deny 10.40.167.110
eklogin deny 10.40.167.110
ekshell deny 10.40.167.110
erdb_bck deny 10.40.167.110
erdb_svr deny 10.40.167.110
eusrv deny 10.40.167.110
exec deny 10.40.167.110
finger deny 10.40.167.110
ftp deny 10.40.167.110
ftp-data deny 10.40.167.110
ftp-ftam deny 10.40.167.110
grmd deny 10.40.167.110
hacl-cfg deny 10.40.167.110
hacl-dlm deny 10.40.167.110
hacl-gs deny 10.40.167.110
hacl-hb deny 10.40.167.110
hacl-local deny 10.40.167.110
hacl-probe deny 10.40.167.110
hacl-test deny 10.40.167.110
hcserver deny 10.40.167.110
hostnames deny 10.40.167.110
hp-clic deny 10.40.167.110
hp-sca deny 10.40.167.110
hp-sco deny 10.40.167.110
hpidsadmin deny 10.40.167.110
hpidsagent deny 10.40.167.110
hpoms-ci-lstn deny 10.40.167.110
hpoms-dps-lstn deny 10.40.167.110
hpwebjetd deny 10.40.167.110
http deny 10.40.167.110
iasqlsvr deny 10.40.167.110
ident deny 10.40.167.110
ingreslock deny 10.40.167.110
instl_bootc deny 10.40.167.110
instl_boots deny 10.40.167.110
isakmp deny 10.40.167.110
kerberos deny 10.40.167.110
kerberos5 deny 10.40.167.110
kerberos_master deny 10.40.167.110
klogin deny 10.40.167.110
kpasswd deny 10.40.167.110
krbupdate deny 10.40.167.110
kshell deny 10.40.167.110
lanmgrx.osB deny 10.40.167.110
lansrm deny 10.40.167.110
ldcconn deny 10.40.167.110
link deny 10.40.167.110
login deny 10.40.167.110
mcsemon deny 10.40.167.110
msql deny 10.40.167.110
ncpm-ft deny 10.40.167.110
ncpm-hip deny 10.40.167.110
ncpm-pm deny 10.40.167.110
netbios_dgm deny 10.40.167.110
netbios_ns deny 10.40.167.110
netbios_ssn deny 10.40.167.110
netdist deny 10.40.167.110
netnews deny 10.40.167.110
netwall deny 10.40.167.110
nfsd deny 10.40.167.110
nfsd-keepalive deny 10.40.167.110
nfsd-status deny 10.40.167.110
nft deny 10.40.167.110
nntp deny 10.40.167.110
ntalk deny 10.40.167.110
ntp deny 10.40.167.110
omni deny 10.40.167.110
p7_c32 deny 10.40.167.110
p7_c33 deny 10.40.167.110
p7_c33upd deny 10.40.167.110
p7_c35 deny 10.40.167.110
p7_e30 deny 10.40.167.110
p7_g06 deny 10.40.167.110
pdclientd deny 10.40.167.110
pdeventd deny 10.40.167.110
pmlockd deny 10.40.167.110
pop deny 10.40.167.110
pop3 deny 10.40.167.110
portmap deny 10.40.167.110
printer deny 10.40.167.110
psmond deny 10.40.167.110
pvalarm deny 10.40.167.110
pvserver deny 10.40.167.110
qotd deny 10.40.167.110
r4-sna-cs deny 10.40.167.110
r4-sna-ft deny 10.40.167.110
recserv deny 10.40.167.110
registrar deny 10.40.167.110
remotefs deny 10.40.167.110
rfa deny 10.40.167.110
rje deny 10.40.167.110
rlb deny 10.40.167.110
rlp deny 10.40.167.110
route deny 10.40.167.110
samd deny 10.40.167.110
sftp deny 10.40.167.110
shell deny 10.40.167.110
smtp deny 10.40.167.110
sna-cs deny 10.40.167.110
snmp deny 10.40.167.110
snmp-trap deny 10.40.167.110
spc deny 10.40.167.110
supdup deny 10.40.167.110
swat deny 10.40.167.110
syslog deny 10.40.167.110
systat deny 10.40.167.110
talk deny 10.40.167.110
tcpmux deny 10.40.167.110
telaagui deny 10.40.167.110
telaaguig deny 10.40.167.110
telaaguim deny 10.40.167.110
telaaguis deny 10.40.167.110
telaconf deny 10.40.167.110
telaconfstart deny 10.40.167.110
telainetd deny 10.40.167.110
telainetdstart deny 10.40.167.110
telalert deny 10.40.167.110
telalertstart deny 10.40.167.110
telaremt deny 10.40.167.110
telnet deny 10.40.167.110
tempo deny 10.40.167.110
tftp deny 10.40.167.110
time deny 10.40.167.110
timed deny 10.40.167.110
tsap deny 10.40.167.110
uucp deny 10.40.167.110
uucp-path deny 10.40.167.110
veesm deny 10.40.167.110
vnetd deny 10.40.167.110
vopied deny 10.40.167.110
who deny 10.40.167.110
whois deny 10.40.167.110

Re: inetd.sec deny services

Mel Burslan — Thu, 19 Apr 2007 10:15:16 GMT

Jerry,

together with feeling your pain, I am under the impression that, the scanning server, Naggios or with any other name, is doing the scans for a purpose, which is more than likely security vulnerability analysis.

Most what you have listed that you denied to this box, should have been turned off anyways for any host, in inetd.conf. And the ones that you have a legitimate need for, should be exceptions to scanning this server, which should be controlled by your IT security department.

Shutting your server to this scanning server, may get you into trouble with SOX audits as this will create a false sense of security. But again, if the security people are wise enough, the ip address of the scanning server should be a floating one to circumvent what you have done. It is a cat and mouse game.

Good luck.

topic Re: inetd.sec deny services in Operating System - HP-UX

inetd.sec deny services

Re: inetd.sec deny services

Re: inetd.sec deny services

Re: inetd.sec deny services

Re: inetd.sec deny services

Re: inetd.sec deny services