
TCP Wrapper

 
Kenn Chen_1
Advisor

TCP Wrapper

I have installed the TCP wrapper on my box and set the hosts.deny file to ALL:ALL. But I still can telnet or ftp to my box from other hosts. Please advise ....
John Payne_2
Honored Contributor

Re: TCP Wrapper

Have you actually wrapped the daemons in /etc/inetd.conf? I believe one of the readme files explains how to do it.

Also, if the only reason you are doing this is to do user access, why not use the built-in system utility for it? The file /var/adm/inetd.sec is where you can allow or disallow access to the systems in this manner. The header in the file explains specifically how to use it. (You have to run 'inetd -c' to get inetd to re-read.)

If you are using tcp wrappers for logging, you can get the system to do this also. The file /etc/rc.config.d/netdaemons has a line called 'export INETD_ARGS='. If you add a '-l' to the end of this file (as in -L, not one), you activate inetd logging.

The way I see it is that HPUX does everything that you get in tcpwrappers, so why add the extra layer of complexity? The fewer layers of complexity you have, the better and faster you can work when there are problems.

Hope it helps

John
Spoon!!!!
F. X. de Montgolfier
Valued Contributor

Re: TCP Wrapper

Hi,

Instead of using a TCP-wrapper, why not use inetd.sec? Man 4 inetd.sec will give you:

[...]
If file /var/adm/inetd.sec does not exist, security is limited to that implemented by the servers. inetd.sec and the directory /var/adm should be writable only by their owners. Changes to inetd.sec apply to any subsequent connections.

Lines in inetd.sec beginning with # are comments. Comments are not allowed at the end of a line of data.

The lines in the file contain a service name, permission field, and the Internet addresses or official names of the hosts and networks allowed to use that service in the local host. The fields in each line are as follows:

service name is the name (not alias) of a valid service in file /etc/services. The service name for RPC-based services (NFS) is the name (not alias) of a valid service in file /etc/rpc. A service name in /etc/rpc corresponds to a unique RPC program number.

allow|deny determines whether the list of remote hosts in the next field is allowed or denied access to the specified service. Multiple allow|deny lines for each service are not supported. If there are multiple allow|deny lines for a particular service, all but the last line are ignored.

Addresses and names are separated by white space. Any mix of addresses and names is allowed. To continue a line, terminate it with \.

Host names and network names are the official names of the hosts or networks as returned by gethostbyaddr() or getnetbynumber(), respectively. Wildcard characters (*) and range characters (-) are allowed. The * and the - can be present in any of the fields of the address. An address field is a string of characters separated by a dot (.).

[...]

This seems to be exactly what you're looking for.

Using Secure Internet Services (inetsvcs_sec) will also allow you to use Kerberos authentication:
man 1m inetsvcs
man 4 inetsvcs_sec.conf

You may also want to look at:
http://docs.hp.com/hpux/onlinedocs/B2355-90742/B2355-90742.html

Cheers,

FiX
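As an added example (not from this thread and not HP-UX's own code), here is a small Python model of the inetd.sec semantics quoted above: only the last allow|deny line per service counts, '*' and 'a-b' ranges work per dotted address field, and a trailing '\' continues a line. The rule file, subnet and host names are constructed for illustration.

```python
# Constructed /var/adm/inetd.sec sample (not a real system); parser follows the man page text quoted above.
INETD_SEC = """\
# telnet only from the admin subnet and one named host; last line per service wins
telnet deny  *
telnet allow 10.1.2.* admin.example.test
ftp    deny  10.1.3-20.* \\
             badhost.example.test
login  allow 192.168.0-1.*
"""

def _field_matches(pattern, value):
    # one dotted field: '*' matches anything, 'a-b' is an inclusive range
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= int(value) <= int(hi)
    return pattern == value

def _host_matches(pattern, client):
    # pattern is a dotted address (with '*' / 'a-b' fields) or an official host name
    if pattern == "*":
        return True
    if not all(c.isdigit() or c in ".*-" for c in pattern):
        return pattern.lower() == client.lower()  # name: exact match only
    pf, cf = pattern.split("."), client.split(".")
    if len(pf) != len(cf) or not all(f.isdigit() for f in cf):
        return False  # a host name never matches an address pattern
    return all(_field_matches(p, c) for p, c in zip(pf, cf))

def parse_inetd_sec(text):
    # returns {service: (perm, [host patterns])}, keeping only the last line per service
    rules, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # continuation: glue the next line on
            logical += line[:-1] + " "
            continue
        parts = (logical + line).split()
        logical = ""
        rules[parts[0]] = (parts[1], parts[2:])  # later lines override earlier
    return rules

def is_permitted(rules, service, client):
    # client is an IPv4 address string or the official host name
    if service not in rules:
        return True  # no entry: security is limited to what the server does
    perm, hosts = rules[service]
    hit = any(_host_matches(h, client) for h in hosts)
    return hit if perm == "allow" else not hit
```

Note that with these rules the first "telnet deny *" line has no effect at all, which is exactly the kind of surprise the "all but the last line are ignored" sentence warns about.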
Mihails Nikitins
Super Advisor

Re: TCP Wrapper

Hi,

IMHO, there were many discussions in the Forums on 'TCP Wrappers vs. internal HP-UX inetd.sec'; just search and you'll find a lot of 'pro' and 'contra'.

Some daemons that do not use inetd also inspect /etc/hosts.allow and /etc/hosts.deny (e.g. sshd). It's easier for me to keep all access data in a single place.

Just my 2 cents.

BR,
Mihails
KISS - Keep It Simple Stupid