Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 5 Remote Access Security Administration

Protection Against Spoofing with TCP Wrappers


Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

Transmission Control Protocol (TCP) Wrappers provide enhanced security for services spawned by inetd. TCP Wrappers are an alternative to using /etc/inetd.sec. TCP Wrappers provide protection against host name and host address spoofing. Spoofing is a method of pretending to be a valid user or host to gain unauthorized access to a system.

To prevent spoofing, TCP Wrappers uses Access Control Lists (ACLs). The ACLs are lists of systems in the /etc/hosts.allow and /etc/hosts.deny files. TCP Wrappers provide some protection against IP spoofing when configured to verify host name to IP address mapping and to reject packets with IP source routing.

However, TCP Wrappers do not provide cryptographic authentication or data encryption. Like inetd, information is passed in clear text.

TCP Wrappers are part of the HP-UX Internet Services software. For more information, see the HP-UX Internet Services Administrator's Guide at: http://www.docs.hp.com/en/netcom.html#Internet%20Services and to the following manpages:

tcpd(1M), tcpdmatch(1), tcpdchk(1), tcpd.conf(4), hosts_access(3), hosts_access(5), and hosts_options(5).

When you enable TCP Wrappers, inetd runs a TCP wrapper daemon, tcpd, instead of running the requested service directly. The TCP Wrappers work as follows:

  1. Clients send connection requests to inetd as they normally do, for example, telnet.

  2. Instead of invoking the server process, inetd calls the TCP Wrapper daemon (tcpd).

  3. The TCP Wrapper daemon determines the validity of the client's connection request. The tcpd daemon logs the request and checks the access control files (/etc/hosts.allow and /etc/hosts.deny).

  4. If the client is valid,tcpd calls the appropriate server process.

  5. The server process processes the client's request, for example, the telnet connection completes.

Additional Features of TCP Wrappers

You can also define configuration parameters in the /etc/tcpd.conf configuration file, such as logging behavior, user name lookups, and reverse look up failure behavior. The tcpd daemon reads this configuration file to look for configuration parameters during run time.

You can configure the /etc/hosts.allow and /etc/hosts.deny files for other security features, such as trap setting and banner message.

The trap setting feature of TCP Wrappers enables you to trigger appropriate action on the host depending upon the number of denied connection attempts from a remote host.

The banner message feature causes a message to be sent to the client when an ACL rule is included in an access control file.

TCP Wrappers Do Not Work with RPC Services

TCP Wrappers do not work with remote procedure call (RPC) services over TCP. These services are registered as rpc or tcp in the /etc/inetd.conf file. The only important service that is affected by this limitation is rexd, used by the on command.

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.