topic Re: inetd.sec file not working in Operating System - HP-UX

inetd.sec file not working

jerry1 — Mon, 05 Jan 2009 21:05:41 GMT

I cannot seem to get the inetd.sec file to
work for me. What is missing?
Did a inetd -c if that is needed.

I have ip of host I am testing from and
tried with hostname also.

* deny 166.18.10.112

Re: inetd.sec file not working

Autocross.US — Mon, 05 Jan 2009 21:11:48 GMT

Don't think that the wildcard for the service name is valid. Have you tried putting a valid name from inetd.conf in place of it?

Re: inetd.sec file not working

jerry1 — Mon, 05 Jan 2009 21:14:41 GMT

Yes, tried using just ftp.

Re: inetd.sec file not working

VK2COT — Mon, 05 Jan 2009 22:59:42 GMT

Hello,

From the on-line manual:

service name { allow | deny }
{ hostaddrs | hostnames | netaddrs | netnames }

Service name is the name (not alias) of a
valid service in file /etc/services. The
service name for RPC-based services (NFS) is
the name (not alias) of a valid service in
file /etc/rpc. A service name in /etc/rpc
corresponds to a unique RPC program number.

...

The * and the - can be present in any of the
fields of the address. An address field is a
string of characters separated by a dot (.).

You cannot use wildcard for service name!

Hence, this is INVALID in /var/adm/inetd.sec:

* deny 166.18.10.112

And this is valid:

ftp deny 166.18.10.112
login deny 166.18.10.112
telnet deny 166.18.10.112

By the way, if your remote server at IP
address 166.18.10.112 has multiple network
interfaces, make sure that the way it
connects to your server with inetd.sec setup
comes through the correct interface!

Cheers,

VK2COT

Re: inetd.sec file not working

jerry1 — Tue, 06 Jan 2009 17:12:56 GMT

Yes on ip address I am coming from.
I can see that in "last -R" and "who".

This does not work with ip or hostname.

ftp deny 166.18.10.112
ftp deny jc-db-01-dm-01

Re: inetd.sec file not working

Autocross.US — Tue, 06 Jan 2009 18:20:38 GMT

Just to be sure - the file you are editing is /var/adm/inetd.sec?

Also, are you able to allow or deny any other services to other hosts?

Re: inetd.sec file not working

jerry1 — Tue, 06 Jan 2009 18:28:38 GMT

No, I tested from other hosts and also
tried putting just:

ftp deny

Re: inetd.sec file not working

Autocross.US — Tue, 06 Jan 2009 18:54:51 GMT

Strange...

If you are on 11.11 - Do you have this patch installed?

swlist -l product | grep -i inet:
PHNE_35017 - 1.0 inetd(1M) cumulative patch

Also, take a look at IPFilter:
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

You could block the host with something like this in /etc/opt/ipf/ipf.conf:

block in quick on lan0 from 166.18.10.112 to any port = 21

Assuming lan0 is you primary interface. Other than that, i'm not sure what the problem is. Your inetd.sec entry looks ok.

Re: inetd.sec file not working

jerry1 — Tue, 06 Jan 2009 19:30:01 GMT

What about hp-ux 11.0 ?

Re: inetd.sec file not working

VK2COT — Tue, 06 Jan 2009 20:46:20 GMT

Hello,

Well, a nice surprise :)

I did not even suspect someone would
still use unsupported version of the O/S.

Do you have these two patches on the server?

PHNE_28312
PHNE_26828

They deal with various inetd bugs
(including inetd.sec support).
It might help.

Cheers,

VK2COT

Re: inetd.sec file not working

jerry1 — Wed, 07 Jan 2009 15:52:49 GMT

I downloaded the first patch but cannot
find any reference to PHNE_26828.

HP-UX 11.0? We are still running HP-UX 9
also, but not by choice. It's custom manufacturing
hardware/software.

There is a growing market now on old legacy
hardware/software support. HP/SUN are
loosing millions because they won't support
their own products. We even have old VAX
systems that are under support with third
party support company with ex HP/SUN/VAX
technicians that HP and SUN thought were
getting paid to much.

Re: inetd.sec file not working

VK2COT — Thu, 08 Jan 2009 04:16:10 GMT

Hello,

I understand your pain. Having
old operating systems is not pleasant
and I heard many companies believing
they were neglected by major vendors.

a) I just did a test on an HP-UX 11.00
server. I was ucky fo find one nearby.

/var/adm/inetd.sec contained:

ftp allow 192.168.30.55

It worked well. This is the syslog entry:

Jan 8 15:09:06 myhost inetd[3688]: ftp/tcp: Connection from myhost2 (192.168.30.55) at Thu Jan 8 15:09:06 2009
Jan 8 15:09:08 vmyhost ftpd[3688]: USER dusan
Jan 8 15:09:08 myhost ftpd[3688]: PASS password

And when I disabled ftp services in /var/adm/inetd.sec:

ftp deny

or

ftp deny 192.168.30.55

... I got correct response from the server:

Jan 8 15:06:04 myhost inetd[885]: ftp/tcp: Access denied for myhost2 (192.168.30.55) at Thu Jan 8 15:06:04 2009
Jan 8 15:05:35 myhost inetd[885]: ident/tcp: Exit status 1

I am not really sure why you are having problems.

It works fine on HP-UX 11.00.

What do you syslog entries show?

Cheers,

VK2COT

Re: inetd.sec file not working

jerry1 — Thu, 08 Jan 2009 22:46:37 GMT

I found the problems.

1. You cannot have just a hostname if the
host is in another domain. Even if it
is aliased in DNS as being in the same
domain it will not work.
It has to be what it is connecting as.
Just hostname will work if both hosts
are in the same domain. IP will always
work. Better to use IP.
I had tried FQHN but number two below
was breaking it.

2. You cannot have multiple server entries.
e.g.
ftp deny
ftp deny

The last one will override the first
ones.

I had another ftp entry farther down in the
file that was overriding the first ftp entry.

There is no need to do an inetd -c.

Re: inetd.sec file not working

jerry1 — Thu, 08 Jan 2009 22:57:38 GMT

I guess for Sun systems you have to
install TCPwrappers or other.

Re: inetd.sec file not working

VK2COT — Fri, 09 Jan 2009 00:57:10 GMT

Ahh Jerry,

You should have told us earlier :)

Here is the excerpt from inetd.sec(4)
on-line manual:

"Multiple allow|deny lines for each service are not unsupported. If there are multiple allow|deny lines for a particular service, all but the last line are ignored."

I think we all deserve some points from you
before you close the thread :)

Cheers,

VK2COT

Re: inetd.sec file not working

jerry1 — Fri, 09 Jan 2009 02:56:01 GMT

Sorry about that.

Re: inetd.sec file not working

VK2COT — Sat, 10 Jan 2009 00:35:40 GMT

Hello Jerry,

Your problem gave me an idea. Why not
automate this check? So, I updated my own
Perl script for Operations Acceptance
Testing and Auditing of HP-UX servers:

http://www.circlingcycle.com.au/Unix-sources/HP-UX-check-OAT.pl.txt

It will, among the other things, report:

AUDIT-PASS: Inetd managed through ACLs (/var/adm/inetd.sec used)
AUDIT-NOTE: Multiple allow or deny lines for each service are not unsupported.
AUDIT-NOTE: If there are multiple allow or deny lines for a particular service,
AUDIT-NOTE: all but the last line are ignored

AUDIT-INFO: Active services in /var/adm/inetd.sec
ftp 192.168.40.30
telnet
shell deny
ftp 10.15.20.30 172.16.1.4

AUDIT-WARN: Entry for service "ftp" exists more than once in /var/adm/inetd.sec

Thanks for giving me an idea :)

Cheers,

VK2COT

Re: inetd.sec file not working

VK2COT — Sat, 10 Jan 2009 00:42:53 GMT

Hey,

I just realised: there is an error in
language style. It is actually wrong in
HP-UX on-line manual for inetd.sec:

QUOTE
Multiple allow|deny lines for each service are not unsupported.
END QUOTE

It should state:

"Multiple allow|deny lines for each service are not supported."

or even:

"Multiple allow|deny lines for each service are unsupported."

I made a change in my Perl script too.

Cheers,

VK2COT