The inetd security file [ Configuring and Managing MPE/iX Internet Services ] MPE/iX 5.5 Documentation
The inetd security file
There is an optional security file associated with inetd that allows you
to control which nodes have access to the Internet Services available on
your system. When the file is present, inetd refuses to start a service
unless the node making the request has permission to do so. Individual
entries in the inetd security file determine which nodes are allowed or
denied access to a particular service.
The inetd security file is not the only security provided for Internet
Services. It constitutes an extra layer of security in addition to the
normal checks done by the services themselves. If the inetd security
file does not exist, if a remote service is not listed in the security
file, or if it is listed but it is not followed by the allow or deny key
word, all remote hosts can attempt to use it. Such an attempt will
succeed if it passes the security checks imposed by the requested
service.
If inetd refuses a connection for security reasons, and inetd connection
logging is enabled, a message is sent to the console indicating that
there was an unsuccessful connection attempt.
Creating and linking the inetd security file
You may already have a security file for inetd installed on your system.
If you know that you have such a file, and it is accessible by the POSIX
file name /usr/adm/inetd.sec you may skip these steps.
If not, follow the steps below to create the file and link to it. If
you have such a file but are unsure whether or not it is linked, perform
step 2 only.
1. Create your own inetd security file by using the COPY command to
rename the sample file. Enter:
:COPY INSECSMP.NET.SYS TO INETDSEC.NET.SYS
2. Create a symbolic link from /usr/adm/inetd.sec in the POSIX name
space to INETDSEC.NET.SYS. Enter:
:NEWLINK /usr/adm/inetd.sec, INETDSEC.NET.SYS
3. Check the security provisions of the file and change them, if
necessary. Hewlett-Packard recommends that only MANAGER.SYS has
write access to INETDSEC.NET.SYS, and write and purge access to
/usr/adm/inetd.sec.
Updating the inetd security file
Each line in the inetd security file contains a service name, a
permission field, and the IP addresses or domain names of the hosts and
networks allowed or denied use of that service on your host system. You
can open the file to view the current security restrictions or to change
them. To do so:
1. Open the security file with a text editor. You may edit the
/usr/adm/inetd.sec file from the POSIX shell or open the
INETDSEC.NET.SYS file from MPE/iX, whichever you prefer. Both
file names should point to the same file. The contents will
resemble the figure below.
______________________________________________________________________________________
| |
| |
| # The lines in the file contain a service name, permission field and |
| # the Internet addresses or names of the hosts and/or networks |
| # allowed to use that service in the local machine. |
| # The form for each entry in this file is: |
| # |
| # <service name> <allow/deny> <host/network addresses, host/network names> |
| # |
| # For example: |
| # |
| # telnet allow 10.3-5 192.34.56.5 ahost anetwork |
| # |
| # The above entry allows the following hosts to attempt to access your system |
| # using telnet: |
| # hosts in subnets 3 through 5 in network 10, |
| # the host with Internet Address of 192.34.56.5, |
| # the host by the name of "ahost", |
| # all the hosts in the network "anetwork" |
| # |
| # tftp deny 192.23.4.3 |
| # |
| # The tftp entry denies host 192.23.4.3 to access your system using tftp |
| # |
| # Hosts and network names must be official names, not aliases. |
| # See the Configuring and Installing Internet Services Manual for more |
| # information. |
| |
______________________________________________________________________________________
The word allow or deny in the second column determines whether the
list of remote hosts in the next field to the right has access to
the specified service. If there is more than one line for a
service, regardless of whether a statement indicates allow or
deny, the inetd server ignores all but the last line.
2. Make any necessary editing changes. Refer to the following three
sections, "Editing tips", "Using wildcard characters" and "Using
the range character" for more information.
3. Save your file and exit the editor.
Editing tips.
When you edit the inetd security file, remember the following points:
* To "comment out" a line, begin column 1 with a pound symbol (#).
To enable a security provision that has been commented out, delete
the pound symbol and any blank spaces preceding the service name.
* Enter the service name exactly as it appears in the inetd
configuration file; use the real name of a valid service, not an
alias.
* Separate the IP addresses and domain names by a white space. You
may enter any mix of addresses and names. For example, the
following entry denies Telnet access to host hp22.cup.hp.com, any
hosts on the network named "testlan," and the host with IP address
192.54.24.5:
telnet deny hp22.cup.hp.com testlan 192.54.24.5
* To continue an entry on the next line, place a slash (/) as the last
character of the line to be continued. A slash that appears in the
middle of a line is ignored: the Internet daemon reads on to the end
of that line and ignores the next line. In this case it will
probably misinterpret the entry and you will see an error message.
Using wildcard characters.
You may use wildcard characters (*) in any of the fields of the address
to specify permissions for a group of hosts or networks. This makes it
more convenient to specify an entire network, since you will not need to
specify each host in that network. The sample entry below, for example,
allows all hosts with network addresses starting with a 10, as well as
the single host whose address is 192.54.24.5 to use Telnet:
telnet allow 10.* 192.54.24.5
You cannot combine the wildcard character with integers in the same part
of an address field: each dotted field is either integers or the
wildcard character, not both. For example, this entry in the inetd
security file will generate an error message because the second field
contains a 5 followed by the * character:
tftp deny 10.5*.8.7
Using the range character.
You may use the range indicator (-) in any of the fields of the address
to specify a contiguous range of hosts or networks (both end points
included) to which the permission applies. This makes it more convenient
to allow or deny a service for a group of subnets within the network you
specify. The sample entry below, for example, denies hosts in subnets 3
through 5 of network 10 access to Telnet. Note that the wildcard
character * in the last field lets you avoid specifying the individual
hosts within those subnets.
telnet deny 10.3-5.*
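The rules described in the sections above (one service, permission and
host list per line; comment lines beginning with #; slash continuation;
the * wildcard and the a-b range in any address field; the last line for a
service superseding earlier ones; an unlisted service, or one listed without
allow or deny, being open to all hosts) are easy to get wrong by hand, and
the only feedback the page describes is a console message when a connection
is refused. The following checker is an added example, not MPE/iX or
Hewlett-Packard code: it reimplements those rules so a candidate file can be
tested against sample source addresses before it is linked in as
/usr/adm/inetd.sec. The sample file text inside it is constructed for this
example and is not the shipped INSECSMP.NET.SYS. Host and network names are
matched literally against the official names the caller supplies (aliases
do not count); no DNS lookup is performed, and the daemon's own behaviour on
a malformed line is assumed only to the extent the page states it (an error
message).

```python
"""Checker for inetd.sec-style access rules (added example, not HP code)."""
import re

ADDRESS_RE = re.compile(r"^[\d.*-]+$")           # pattern looks like an address
FIELD_RE = re.compile(r"^(\*|\d+|\d+-\d+)$")     # one dotted field: 5, 3-5 or *

# Constructed sample file; the last telnet line supersedes the first one.
SAMPLE_INETD_SEC = """\
# comment lines start with a pound symbol in column 1
telnet deny  10.4.*
tftp   deny  192.23.4.3
ftp    deny  hp22.cup.hp.com testlan /
             192.54.24.5
finger
telnet allow 10.3-5.* 192.34.56.5 ahost anetwork
"""


def check_pattern(pat):
    """Return None if pat is usable, else a message. Mixed fields such as
    '5*' and stray slashes (a continuation marker not at end of line) fail."""
    if "/" in pat:
        return f"stray '/' in {pat!r}: the continuation slash must end the line"
    if not ADDRESS_RE.match(pat):
        return None                      # host or network name, taken literally
    fields = pat.split(".")
    if len(fields) > 4:
        return f"too many fields in {pat!r}"
    for f in fields:
        if not FIELD_RE.match(f):
            return f"bad address field {f!r} in {pat!r}: use digits, a-b or *"
    return None


def parse_inetd_sec(text):
    """Return {service: (permission, [patterns])}. permission is 'allow',
    'deny', or 'open' when the keyword is missing (no restriction at all)."""
    logical, pending = [], ""
    for raw in text.splitlines():        # join slash-continued lines first
        line = pending + raw.rstrip()
        if line.endswith("/"):
            pending = line[:-1] + " "
            continue
        pending = ""
        logical.append(line)
    if pending:
        logical.append(pending)
    rules = {}
    for line in logical:
        if not line.strip() or line.lstrip().startswith("#"):
            continue                     # blank or commented out
        fields = line.split()
        service = fields[0]
        perm = fields[1].lower() if len(fields) > 1 else ""
        if perm not in ("allow", "deny"):
            rules[service] = ("open", [])
            continue
        for pat in fields[2:]:
            err = check_pattern(pat)
            if err:
                raise ValueError(f"{service}: {err}")
        rules[service] = (perm, fields[2:])   # later lines replace earlier ones
    return rules


def address_matches(pattern, ip):
    """True if dotted-decimal ip lies within pattern; a pattern with fewer
    than four fields (10.3-5, 10.*) is matched on its leading fields only."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    for field, octet in zip(pattern.split("."), octets):
        if field == "*":
            continue
        lo, _, hi = field.partition("-")
        lo, hi = int(lo), int(hi or lo)  # plain integer is a range of one
        if not lo <= octet <= hi:
            return False
    return True


def access_decision(rules, service, ip, names=()):
    """'allow' or 'deny' for a request to service from ip. names are the
    peer's official host and network names; aliases do not count."""
    if service not in rules:
        return "allow"                   # unlisted: every host may try
    perm, patterns = rules[service]
    if perm == "open":
        return "allow"
    lower = {n.lower() for n in names}
    matched = any(
        address_matches(p, ip) if ADDRESS_RE.match(p) else p.lower() in lower
        for p in patterns
    )
    if perm == "allow":
        return "allow" if matched else "deny"
    return "deny" if matched else "allow"


RULES = parse_inetd_sec(SAMPLE_INETD_SEC)

if __name__ == "__main__":
    for svc, ip in [("telnet", "10.4.7.7"), ("telnet", "10.6.0.1"),
                    ("ftp", "192.54.24.5"), ("finger", "1.2.3.4")]:
        print(svc, ip, access_decision(RULES, svc, ip))
```

Note that 10.4.7.7 is allowed for telnet even though the first telnet line
denies 10.4.*: only the last line for a service counts, which is the most
common way an inetd.sec edit silently widens access. An "allow" from this
checker means only that inetd will start the service; the service's own
authentication still applies.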