[HPADM] [SUMMARY] tcp_wrappers

From: Stephanie C (stepchung@gmail.com)
Date: Wed Mar 01 2006 - 12:13:23 EST


Thanks, Eef:

---------- Forwarded message ----------
From: Eef Hartman <E.J.M.Hartman@math.tudelft.nl>
Date: Mar 1, 2006 12:17 AM
Subject: Re: [HPADM] tcp_wrappers
To: Stephanie C <stepchung@gmail.com>

On Tue, Feb 28, 2006 at 04:23:45PM -0800, Stephanie C wrote:
> I installed tcp_wrappers to my server.
> - How do I know if tcp_wrappers is running on my server? I "ps -ef|grep tcpd" and that does not show anything.

Normally tcp wrappers are run (very temporarily) when an "inetd started daemon"
starts up, just to test IF that daemon should be run.

> - Does tcp_wrappers start up automatically when the system starts up, or do I
> have to create a startup script for it?

Normally, if the system didn't come with tcp wrappers already, you will have
to change all entries in /etc/inetd.conf. As tcp wrappers only control the
startup OF the daemon, they're of no use for daemons that are running
permanently (like sendmail, nfs and mostly sshd), only the ones that are
started "on-demand", most often through the inetd daemon.

Entries in the /etc/inetd.conf will have to look like:
login stream tcp nowait root /usr/lbin/tcpd rlogind -l
shell stream tcp nowait root /usr/lbin/tcpd /opt/shadow/lbin/remshd -l
exec stream tcp nowait root /usr/lbin/tcpd /opt/shadow/lbin/rexecd
                              ^^^^^^^^^
                whatever path you installed tcpd IN.

The actual daemon itself will need a pathname when it's NOT in the default
dir (in HP-UX 10.20, which the above lines are from, it was /usr/lbin),
so that's why "fingerd" doesn't have a path, but remshd and rexecd DO.

> - What is the format to put in /etc/hosts.allow and /etc/hosts.deny if I
> want 209.230.*.* to access the box?

It depends on which daemon; the format is:
daemon-name : accessing systems

Say I want 209.230.*.* to be able to use rexecd:
rexecd : 209.230.
(note the trailing dot, it means "all after this is allowed").
The special keyword "ALL" can be used instead of a list of daemons, like this:
ALL: 130.161.210.1 192.168.210. 127.0.0.1
(this means the local/private net 192.168.210.*, the machine itself as
"localhost" AND the machine 130.161.210.1 (which is its firewall to the outer
world) have all services enabled).

The hosts.deny mostly looks like:
ALL: ALL
which means everything NOT specifically allowed in the hosts.allow will be
denied (hosts.allow is scanned first, so it has precedence).

PS: some daemons that ARE running permanently (openssh's "sshd" comes to mind)
have tcp wrappers BUILT-in, which means you can put entries in hosts.allow
for them too; they will check it themselves:
sshd : 130.161. 145.94. .nl # SSH allowed from with .nl domain
Here you see you can also use partial domains with a LEADING dot.

--
   \     /   /
  /#. # #-  #  /
## ## ## ##  ##
# #   ## ##  ##
" "  #    ## ##
"."  ".   "./
TTTTTTTTTT  UU      UU    Eef Hartman, System Administrator
   TT      UU      UU
   TT      UU      UU    Delft University of Technology
   TT      UU      UU    Dept. EWI/Applied Mathematics
   TT      UU      UU    Mekelweg 4, P.O. Box 5031
   TT      UU      UU    2600 GA  Delft, The Netherlands
   TT       UU    UU     e-mail : E.J.M.Hartman@math.tudelft.nl
   TT        UUUUUU      fax    : +31-15-278 7295
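Since the thread is about reading hosts.allow/hosts.deny rules and checking which inetd.conf entries go through tcpd, here is a small Python model of both checks, added as an illustration for this summary. It is not Eef's code and not tcp_wrappers itself: it implements only the pattern forms mentioned above (ALL, a trailing-dot address prefix such as 209.230., a leading-dot domain suffix such as .nl, and exact names/addresses) and the allow-then-deny-then-default-allow order. The sample hosts.allow, hosts.deny and inetd.conf contents inside it are constructed from the lines quoted in the message plus an invented, deliberately unwrapped finger entry; netmasks, EXCEPT lists, KNOWN/LOCAL/PARANOID and the optional shell-command field of the real hosts_access(5) are not modelled.

```python
"""Constructed model of the two checks discussed in the tcp_wrappers thread.
Added example, not code from the message or from the tcp_wrappers package;
only ALL, trailing-dot prefixes, leading-dot suffixes and exact matches are
handled (no netmasks, EXCEPT, KNOWN/LOCAL/PARANOID or shell commands)."""

# Sample access files, constructed from the rules quoted in the message.
HOSTS_ALLOW = """\
rexecd : 209.230.
ALL: 130.161.210.1 192.168.210. 127.0.0.1
sshd : 130.161. 145.94. .nl   # SSH allowed from within the .nl domain
"""
HOSTS_DENY = "ALL: ALL\n"

# Constructed inetd.conf; the finger line is left unwrapped on purpose.
INETD_CONF = """\
login  stream tcp nowait root /usr/lbin/tcpd rlogind -l
shell  stream tcp nowait root /usr/lbin/tcpd /opt/shadow/lbin/remshd -l
exec   stream tcp nowait root /usr/lbin/tcpd /opt/shadow/lbin/rexecd
finger stream tcp nowait bin  /usr/lbin/fingerd fingerd
"""


def _strip_comment(line):
    return line.split("#", 1)[0].strip()


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns), ...] for hosts.allow/deny text.

    Fields are colon separated; a third (shell command) field is ignored here.
    Backslash-newline continuations are joined as the real parser does."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _pattern_matches(pattern, value):
    """One hosts_access pattern against one client address or host name."""
    if pattern == "ALL":
        return True
    if value is None:
        return False
    if pattern.startswith("."):      # leading dot: domain suffix, e.g. .nl
        return value.endswith(pattern)
    if pattern.endswith("."):        # trailing dot: address prefix, e.g. 209.230.
        return value.startswith(pattern)
    return value == pattern          # exact host name or address


def _rule_matches(rule, daemon, address, hostname):
    daemons, clients = rule
    if not any(d == "ALL" or d == daemon for d in daemons):
        return False
    return any(_pattern_matches(c, address) or _pattern_matches(c, hostname)
               for c in clients)


def hosts_access(daemon, address, hostname=None,
                 allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if access is granted: hosts.allow is scanned first (a match
    grants), then hosts.deny (a match denies); a client matching neither
    file is allowed, which is why an empty hosts.deny protects nothing."""
    if any(_rule_matches(r, daemon, address, hostname)
           for r in parse_access_file(allow_text)):
        return True
    if any(_rule_matches(r, daemon, address, hostname)
           for r in parse_access_file(deny_text)):
        return False
    return True


def unwrapped_services(inetd_conf_text, tcpd_path="/usr/lbin/tcpd"):
    """Names of inetd services whose server-program field is not tcpd.
    Only on-demand (inetd-started) services appear here, so this says
    nothing about permanently running daemons such as sendmail or sshd."""
    missing = []
    for raw in inetd_conf_text.splitlines():
        fields = _strip_comment(raw).split()
        # service socket-type proto wait/nowait user server-program args...
        if len(fields) >= 6 and fields[5] != tcpd_path:
            missing.append(fields[0])
    return missing


if __name__ == "__main__":
    print("not wrapped by tcpd:", unwrapped_services(INETD_CONF))
    for args in [("rexecd", "209.230.5.6"), ("rlogind", "209.230.5.6"),
                 ("sshd", "82.1.2.3", "box.example.nl"),
                 ("sshd", "82.1.2.3", "box.example.com")]:
        print(args, "->", "allow" if hosts_access(*args) else "deny")
```

The hosts_access call takes the daemon name as it appears in the rule (the argv[0] tcpd or sshd sees), the client address and, when reverse lookup gives one, the host name; leading-dot patterns such as .nl can only ever match the host name, so a client without a resolvable name never matches them.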