United States-English |
|
|
HP-UX Reference > Iinetd.sec(4)HP-UX 11i Version 3: February 2007 |
|
NAMEinetd.sec — optional security file for inetd DESCRIPTIONWhen inetd accepts a connection from a remote system, it checks the address of the host requesting the service against the list of hosts to be allowed or denied access to the specific service (see inetd(1M)). The file inetd.sec allows the system administrator to control which hosts (or networks in general) are allowed to use the system remotely. This file constitutes an extra layer of security in addition to the normal checks done by the services. It precedes the security of the servers; that is, a server is not started by the Internet daemon unless the host requesting the service is a valid host according to inetd.sec. If file /var/adm/inetd.sec does not exist, security is limited to that implemented by the servers. inetd.sec and the directory /var/adm should be writable only by their owners. Changes to inetd.sec apply to any subsequent connections. Lines in inetd.sec beginning with the pound sign (#) are comments. Comments are not allowed at the end of a line of data. The lines in the file contain a service name, permission field, and the Internet addresses or official names of the hosts and networks allowed to use that service in the local host. The fields in each line are as follows: service name { allow | deny } { hostaddrs | hostnames | netaddrs | netnames } Note: service name is the name (not alias) of a valid service in file /etc/services. The service name for RPC-based services (NFS) is the name (not alias) of a valid service in file /etc/rpc. A service name in /etc/rpc corresponds to a unique RPC program number. allow|deny determines whether the list of remote hosts in the next field is allowed or denied access to the specified service. Multiple allow|deny lines for each service are not unsupported. If there are multiple allow|deny lines for a particular service, all but the last line are ignored. Addresses (hostaddrs and netaddrs) and names (hostnames and netnames) are separated by white space. Any mix of addresses and names is allowed. To continue a line, terminate it with backslash, (\). Host names and network names are the official names of the hosts or networks as returned by gethostbyaddr() or getnetbyaddr(), respectively. Wildcard characters (*) and range characters (-) are allowed. The * and the - can be present in any of the fields of the address. An address field is a string of characters separated by a dot (.). Hostname resolution failure in inetd.sec may cause inetd to delay the processing of connection requests. To avoid such delays, configure host/network addresses instead of host/network names in the inetd.sec file. EXAMPLESUse a wildcard character to permit a whole network to communicate with the local host without having to list all the hosts in that network. For example, to allow all hosts with network addresses starting with a 10, as well as the single host with address 192.54.24.5 to use rlogin: login allow 10.* 192.54.24.5 On a system running NFS, deny host 192.54.24.5 access to sprayd, an RPC-based server: sprayd deny 192.54.24.5 A range is a field containing a - character. To deny hosts in network 10 (arpa) with subnets 3 through 5 access to remsh: shell deny 10.3-5.* The following entry denies rlogin access to host cory.berkeley.edu, any hosts on the network named testlan, and the host with internet address 192.54.24.5: login deny 192.54.24.5 cory.berkeley.edu testlan If a remote service is not listed in the security file, or if it is listed but it is not followed by allow or deny, all remote hosts can attempt to use it. Security is then provided by the service itself. The following lines, if present in inetd.sec, allow or deny access to the service indicated:
IPv6 FunctionalityFor an IPv6 service, an IPv6 address can be specified in the host address field of inetd.sec. The host address field can contain IPv6 addresses, IPv4 addresses, or both. This specification includes the IPv4 mapped IPv6 addresses also. Host names for IPv6 services are the official names of the hosts returned by getaddrinfo(). The wildcard characters (*) and range characters (-) are not supported for IPv6 addresses. The equivalent for the wildcard character (*) is provided in the form of subnet_prefix followed by a forward-slash (/) and prefix_length. See the IPv6 Examples section for more details. IPv6 ExamplesTo allow an IPv6 host with address fe80::210:83ff:feb9:903f and an IPv4 host with address 192.54.24.5 in order to use the telnet service, an entry in the inetd.sec file should be as follows: telnet allow fe80::210:83ff:feb9:903f 192.54.24.5 The following entry denies ftp access to all hosts with a prefix fe80: ftp deny fe80::/16 |
Printable version | ||
|