Re: best practices uses of inetd.sec

Gale Austin-Moore · ‎12-11-2002

We would like to implement inetd.sec within our organization. I'm not seeing much in the way of "best practice" and/or standards for the use of this file. I'd like to use the information as a baseline for our organization. Can anyone out there help? Exmaples, etc. would be great

Never enough time to do things right; always enough time to do it over..

Ken Hubnik_2 · ‎12-11-2002

We use it to limit the use of services (ftp etc) for only those ip addresses. You basically use this to secure the services to a range of IP addresses.

Shannon Petry · ‎12-11-2002

I dont think you will find a best practices anywhere. What you need to do is look at the man page for inetd.sec, and restrict the services you want restrictions on. The man page gives you the basic inetd services, which you can get from /etc/inetd.conf, as well as information on how to restrict access to these services.

Not all sites will run the same services, so it would be very difficult to give a best practices for it.

NOTE: You should disable unused services on any UNIX system. I.E. mountd on non NFS servers, ftpd on non ftp servers, etc... This will limit how much editing of inetd.sec you have to do, and have greater impact on security than inetd.sec.

Regards,
Shannon

Microsoft. When do you want a virus today?

Sridhar Bhaskarla · ‎12-11-2002

Hi,

The thumb rule is "deny" everything and "allow" only what you want. For ex., to restrict ftp to only few hosts, add the following to your inetd.sec

ftp deny
ftp allow host1, host2

You can enable wild characters. For syntax look at inetd.sec man page.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try

F. X. de Montgolfier · ‎12-11-2002

If you're using inetd.sec, it means you're interested in security...
the following link is one which I found very useful in setting up "manually" a relatively secured server:

http://people.hp.se/stevesk/bastion11.html

gives step-by-step instructions. It's IMO rather nice and give a good view of the paranoid mindset you need to have when dealing with security ;-)

Cheers,

FiX

Gale Austin-Moore · ‎12-11-2002

Thank you for the replies..

Never enough time to do things right; always enough time to do it over..

Steven E. Protter · ‎12-11-2002

We use it to limit the hosts we will accept various kinds of protocols from.

since we still run a telnet legacy app, we have to allow telnet from virtually our entire network.

I actually authorize ftp users by ip address because I don't want anyone but development using this protocol and shipping clear text passwords across the network.

I'll give you an example from a non production machine.

If you need it I can provide you a blow by blow.

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Gale Austin-Moore · ‎12-11-2002

Steven,
Thank you for your offer. I believe I have a pretty good file for what the entries should look like.

Never enough time to do things right; always enough time to do it over..

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: best practices uses of inetd.sec

best practices uses of inetd.sec