Network Services - system access

Peter Gillis
Super Advisor

Network Services - system access

HI,
UX11.00

What would happen if I disallow this service?
chargen Inetd internal server ARPA Allowed

I can't find info for chargen. Would someone be able to give a location for this type of data and other system access info? Not too in depth; at the moment I just want to know the basics, like why allow access / why disallow access.
Thanks
Maria
Sridhar Bhaskarla
Honored Contributor
Solution

Re: Network Services - system access

Hi Maria,

chargen, as indicated by its name, is a character generator. This can be safely turned off.

Try this for fun

telnet your_system 19

There are other services like daytime, echo, tftp, ntalk, finger, ident and other rpc services that you may not require. However, check with the users on the box to see if the application uses them by any chance. Once you comment them out, you will need to run 'inetd -c' to refresh the configuration.

-Sri


You may be disappointed if you fail, but you are doomed if you don't try
Patrick Wallek
Honored Contributor

Re: Network Services - system access

From TKB document KBRC00001288

chargen (TCP and UDP port 19) - echoes the complete character set repeatedly on this port upon connection


I would disable this and other extraneous services in inetd.conf.
Peter Gillis
Super Advisor

Re: Network Services - system access

How come I can go into SAM system access and modify system permissions to denied, and then look at the inetd.conf file and chargen is still there with no comment-out character?
Can I not disable the chargen service via SAM?

Thanks.
Maria
Bill Hassell
Honored Contributor

Re: Network Services - system access

HP-UX enables almost all of the services in /etc/inetd.conf--it assumes that you know you should turn off these archaic or specialized network services (chargen tftp daytime ntalk uucp ident time echo discard finger bootps printer rpc.).

In the world of security, it is much safer to deny everything in inetd.conf and add back a denied service if it is truly required. I would start with everything commented out except telnet and perhaps ftp. Look at shell and exec since these may be misused. In the above list, you should also check on ident, bootps, printer and tftp as possibly required services. The rest are almost never used in typical HP-UX systems.


Bill Hassell, sysadmin
Sridhar Bhaskarla
Honored Contributor

Re: Network Services - system access

SAM does modify /var/adm/inetd.sec. If you view that file, you will see a line called

chargen deny

And that's what your SAM action did.

This is effectively equivalent to disabling it in /etc/inetd.conf.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Patrick Wallek
Honored Contributor

Re: Network Services - system access

Look in your /var/adm/ directory and see if you have a file called inetd.sec there. SAM could possibly be modifying this file to deny access to inetd services.

For more information do a 'man inetd.sec'.
Peter Gillis
Super Advisor

Re: Network Services - system access

Bill, how/where would I find info on just what the individual services are:
chargen tftp daytime ntalk uucp ident time echo discard finger bootps printer rpc.
I am feeling cautious about denying access to some of the services, e.g. time, echo, finger etc., because I am thinking that they might stop the actual commands echo and finger, or even the date command, from working correctly. I have a feeling that this sounds pretty naive, but I would rather be sure than stuff things up.

Thanks Maria.
Bill Hassell
Honored Contributor

Re: Network Services - system access

These are all network services and have nothing to do with similar commands in HP-UX. The date command has no relationship to the date network service. finger (actually, fingerd in inetd.conf) does not affect the local finger command. fingerd is a hacker's favorite tattletale about a remote system. You don't want to advertise user information across the network. Same with echo, etc. These services are network daemons that provide the named service for a remote requestor. The man page for each service (the program's name is on the right-hand side of the inetd.conf listing) is available and describes what it provides.

Since you can disable and re-enable services in inetd.conf without rebooting, you can start by commenting out something like finger(d), then run inetd -c and try the finger command to see that it still works. Then try the remote finger format pointed to another Unix system where fingerd is enabled:

finger root@remote_machine

Connection refused will be the response if fingerd is not enabled. Otherwise, you'll gain access to user information on the remote machine without ever logging in--which is why fingerd should be disabled.


Bill Hassell, sysadmin
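Bill's review-then-comment-out procedure and Sri's note about inetd.sec, as an added shell example that is not from anyone in this thread: it audits a constructed copy of inetd.conf for the archaic services listed above, writes the commented-out form to a scratch file instead of the live one, and checks an inetd.sec-style file for the "chargen deny" line SAM writes. The sample file contents and the RISKY list are constructed for illustration; /etc/inetd.conf, /var/adm/inetd.sec and the inetd -c reload step are the ones named in the thread.

```shell
#!/bin/sh
# Constructed sample in HP-UX inetd.conf layout (service socktype proto wait
# user program args). The live file is /etc/inetd.conf; this copy is scratch.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
chargen stream tcp nowait root internal
chargen dgram  udp wait   root internal
finger  stream tcp nowait bin  /usr/lbin/fingerd  fingerd
#echo   stream tcp nowait root internal
EOF

# Constructed inetd.sec sample; SAM writes "chargen deny" when you deny in SAM.
SAMPLE_SEC=$(mktemp)
printf 'chargen deny\nftp allow 10.0.0.*\n' > "$SAMPLE_SEC"

# The archaic/specialised services Bill lists as candidates to turn off.
RISKY="chargen tftp daytime ntalk uucp ident time echo discard finger bootps printer"

# Print, one per line, the risky services still enabled in an inetd.conf:
# field 1 equals the service name, so a leading '#' (comment) does not match.
enabled_risky() {
    for svc in $RISKY; do
        if awk -v s="$svc" '$1 == s { f = 1 } END { exit f ? 0 : 1 }' "$1"; then
            echo "$svc"
        fi
    done
}

# Write a copy of the file with every entry for the named service commented
# out (tcp and udp lines alike) and print the path of the copy. On the real
# box you would then copy it over /etc/inetd.conf and run: inetd -c
disable_service() {
    out=$(mktemp)
    awk -v s="$2" '$1 == s { print "#" $0; next } { print }' "$1" > "$out"
    echo "$out"
}

# True when an inetd.sec-style file denies the service outright
# (a bare "<service> deny" line with no host list).
sec_denies() {
    awk -v s="$1" '$1 == s && $2 == "deny" && NF == 2 { f = 1 } END { exit f ? 0 : 1 }' "$2"
}
```

Running enabled_risky on the sample reports chargen and finger (echo is already commented out), and disable_service followed by enabled_risky shows the chargen lines gone from the audit.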