These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/TCPWrappers Usage


In the /etc/inetd.conf file, the sixth field of each line is the program inetd invokes to supply the requested service. Several of these program names carry the prefix in. (in.telnetd, for instance); others, such as imapd and ipop3d, do not. Any fields after the sixth are the arguments passed to that program. TCP Wrappers works by replacing the program with the TCP Wrappers daemon, typically /usr/sbin/tcpd: the intended service program becomes tcpd's first argument, and the original program's arguments become tcpd's subsequent arguments. After making its access decision, tcpd executes the real daemon with those arguments, so the service itself is unchanged.

For each connection, tcpd determines the client's numeric IP address and, by reverse DNS lookup, its host name; if an access rule calls for it, tcpd also asks the client system's ident (RFC 1413) service for a user name, which is only as trustworthy as the client that answers. It then consults its two configuration files, /etc/hosts.allow and /etc/hosts.deny, in that order: the first matching entry in hosts.allow grants access; otherwise the first matching entry in hosts.deny refuses it; and if neither file matches, the connection is allowed. Note that this default is permissive, so a hosts.deny that does not end with an ALL: ALL entry leaves every unlisted service open. If the service is allowed, the real daemon is executed. If it is refused, the connection is closed and the refusal is logged through syslog.
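As an added illustration (not taken from the original notes), here is a constructed before-and-after fragment of /etc/inetd.conf together with a minimal hosts.allow and hosts.deny pair that closes the permissive default. The paths and the physics.arizona.edu names are assumptions borrowed from the examples on this page; tcpd is assumed to find a daemon named without a path in its compiled-in daemon directory.

```text
# /etc/inetd.conf before wrapping: inetd runs each daemon directly (constructed)
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
pop-3   stream  tcp  nowait  root  /usr/sbin/ipop3d      ipop3d

# /etc/inetd.conf after wrapping: field 6 is now tcpd, and the real daemon
# name moves to field 7, becoming tcpd's first argument
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d

# /etc/hosts.allow is consulted first; the first matching entry wins
in.telnetd: .physics.arizona.edu
ipop3d:     192.168.

# /etc/hosts.deny is consulted only if nothing in hosts.allow matched;
# without this final entry every unlisted client would be let through
ALL: ALL
```

The two hosts files together give a default-deny policy: anything not explicitly granted in hosts.allow falls through to ALL: ALL and is refused.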

/etc/hosts.allow and /etc/hosts.deny

Each of these configuration files holds one entry per line (a line ending in a backslash continues on the next), and each entry consists of fields separated by colons (:); a # begins a comment. For maximum security, /etc/hosts.allow and /etc/hosts.deny should be owned by root and readable only by root; what matters most is that no other user can modify them, since anyone who can edit them controls the access policy.

The first field is a list, separated by spaces and/or commas, of the daemons to which this entry applies. A daemon is identified by the process name of the program invoked; if the program name contains slashes (/), only the part after the last slash counts. It is not the service name listed in /etc/services. The wildcard ALL matches all daemons.

The second field is a list of client patterns, separated by spaces and/or commas. A host may be given by its name (as resolved via /etc/hosts or DNS) or by its numeric address. A pattern beginning with a dot matches every host whose name ends with it, so

 .physics.arizona.edu

matches einstein.physics.arizona.edu, raman.physics.arizona.edu and lagrange.physics.arizona.edu. A pattern ending with a dot matches every address that begins with it. For example, the 192.168.*.* network (a class B sized block, 192.168.0.0/16) is matched with

 192.168.

and a net/mask pair such as 10.0.0.0/255.255.255.0 matches every address in that network. Again, the wildcard ALL matches all hosts. LOCAL matches hosts whose resolved names contain no dot. KNOWN and UNKNOWN match, respectively, hosts whose name and address are both known and hosts for which either lookup fails; PARANOID matches hosts whose name does not resolve back to their address. The EXCEPT operator subtracts from a list, so ALL EXCEPT .phreaker.com matches everything but that domain. A lookup may fail or mismatch because an attacker controls the reverse DNS for a spoofed or hostile address, or simply because of a temporary DNS problem or timeout; rules that rely on host names are therefore only as strong as DNS, and matching on numeric addresses is preferable where possible.
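To make the evaluation order and the pattern rules concrete, the following Python script is an added example (it is not part of TCP Wrappers and not from the original notes) that re-implements the hosts_access(5) decision for the patterns described above: ALL, LOCAL, KNOWN, UNKNOWN, PARANOID, leading-dot domains, trailing-dot address prefixes, net/mask pairs and EXCEPT. The two files and the client records are constructed for the example, the Client.mismatch flag is a simplification of how tcpd records a forward/reverse DNS mismatch, and the third (shell command) field of an entry is parsed but ignored.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample files (not real system files).
HOSTS_ALLOW = """
# daemon_list : client_list
ALL : LOCAL
in.telnetd sshd : .physics.arizona.edu EXCEPT guest.physics.arizona.edu
ipop3d imapd : 192.168.
in.ftpd : 10.0.0.0/255.255.255.0
"""

HOSTS_DENY = """
ALL : PARANOID
ALL : ALL
"""


@dataclass
class Client:
    addr: str                   # numeric address as seen by the server
    name: Optional[str] = None  # reverse-DNS name, None if the lookup failed
    mismatch: bool = False      # True if the name does not resolve back to addr

    @property
    def known(self) -> bool:
        # tcpd treats a host as known only when name and address agree
        return self.name is not None and not self.mismatch


def parse_rules(text: str) -> List[Tuple[List[str], List[str]]]:
    """Return [(daemon_tokens, client_tokens), ...] for one hosts file."""
    rules = []
    # A trailing backslash continues the entry on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed entry: {line!r}")
        # Anything after the second field (shell command, options) is ignored here.
        daemons = re.split(r"[\s,]+", fields[0].strip())
        clients = re.split(r"[\s,]+", fields[1].strip())
        rules.append((daemons, clients))
    return rules


def _host_token_matches(tok: str, c: Client) -> bool:
    up = tok.upper()
    if up == "ALL":
        return True
    if up == "LOCAL":                       # resolved name without a dot
        return c.known and "." not in c.name
    if up == "KNOWN":
        return c.known
    if up == "UNKNOWN":
        return not c.known
    if up == "PARANOID":                    # forward/reverse DNS disagree
        return c.mismatch
    if tok.startswith("."):                 # domain suffix, needs a trusted name
        return c.known and c.name.lower().endswith(tok.lower())
    if tok.endswith("."):                   # dotted-quad prefix, name irrelevant
        return c.addr.startswith(tok)
    if "/" in tok:                          # net/mask pair
        net, mask = tok.split("/", 1)
        return ipaddress.ip_address(c.addr) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return tok == c.addr or (c.known and tok.lower() == c.name.lower())


def _list_matches(tokens: List[str], item_matches: Callable[[str], bool]) -> bool:
    """Evaluate 'a b EXCEPT c d': EXCEPT applies to everything on its right."""
    up = [t.upper() for t in tokens]
    if "EXCEPT" in up:
        i = up.index("EXCEPT")
        return (_list_matches(tokens[:i], item_matches)
                and not _list_matches(tokens[i + 1:], item_matches))
    return any(item_matches(t) for t in tokens)


def hosts_access(daemon: str, client: Client, allow_text: str, deny_text: str) -> str:
    """Mimic tcpd: first match in hosts.allow grants, else first match in
    hosts.deny refuses, else access is granted (the default is permissive)."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if (_list_matches(daemons, lambda t: t.upper() == "ALL" or t == daemon)
                    and _list_matches(clients, lambda t: _host_token_matches(t, client))):
                return verdict
    return "allow"


if __name__ == "__main__":
    for d, c in [("in.telnetd", Client("128.196.1.2", "einstein.physics.arizona.edu")),
                 ("in.telnetd", Client("128.196.1.3", "guest.physics.arizona.edu")),
                 ("sshd", Client("128.196.1.2", "einstein.physics.arizona.edu", mismatch=True)),
                 ("ipop3d", Client("192.168.7.7"))]:
        print(d, c.addr, c.name, "->", hosts_access(d, c, HOSTS_ALLOW, HOSTS_DENY))
```

The third case in the demo is the one worth noticing: a client whose reverse name claims to be in physics.arizona.edu but whose forward lookup does not agree never satisfies the .physics.arizona.edu pattern, and is then caught by the PARANOID entry in hosts.deny. The last line of hosts_access shows why the ALL: ALL entry matters: with both files empty every request is granted.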

If a service is refused, tcpd logs a syslog entry giving the process name of the daemon that was requested, its PID, and the client that was refused; allowed connections are logged in the same form as "connect from". For example, if phreaker.com tried to use in.telnetd, the log entry may look like this

 Jan  8 08:12:00 geekcomix.com in.telnetd[342]: refused connect from phreaker.com
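Those refusal lines are the obvious thing to watch. The following Python is an added example (not from the original notes) that parses constructed syslog lines in the format shown above, counts refusals per client, and flags clients that were refused repeatedly or probed several daemons; the sample lines, host names and thresholds are made up for the illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed syslog lines in the form tcpd emits (not real log data).
SAMPLE_LOG = """\
Jan  8 08:12:00 geekcomix.com in.telnetd[342]: refused connect from phreaker.com
Jan  8 08:12:03 geekcomix.com in.telnetd[345]: refused connect from phreaker.com
Jan  8 08:12:09 geekcomix.com in.ftpd[351]: refused connect from phreaker.com
Jan  8 08:13:41 geekcomix.com in.telnetd[360]: connect from einstein.physics.arizona.edu
Jan  8 08:14:02 geekcomix.com ipop3d[377]: refused connect from 10.0.1.42
Jan  8 08:14:30 geekcomix.com sshd[380]: Accepted password for sam from 10.0.0.5 port 1022 ssh2
"""

# tcpd writes "connect from <client>" for allowed and "refused connect from
# <client>" for refused connections; <client> may be a name, an address or
# user@host when ident was consulted, so it is matched as one token.
TCPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<verdict>refused connect|connect) from (?P<client>\S+)$"
)


def parse_tcpd(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a tcpd log line, or None for any other line."""
    m = TCPD_RE.match(line)
    return m.groupdict() if m else None


def summarize_refusals(log_text: str) -> Tuple[Counter, Dict[str, Set[str]]]:
    """Count refusals per client and record which daemons each client hit."""
    counts: Counter = Counter()
    daemons: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        rec = parse_tcpd(line)
        if rec is None or rec["verdict"] != "refused connect":
            continue            # not a tcpd line, or an accepted connection
        counts[rec["client"]] += 1
        daemons.setdefault(rec["client"], set()).add(rec["daemon"])
    return counts, daemons


def flag_scanners(log_text: str, min_refusals: int = 2, min_daemons: int = 2) -> List[str]:
    """Clients refused at least min_refusals times or across min_daemons daemons."""
    counts, daemons = summarize_refusals(log_text)
    return sorted(c for c in counts
                  if counts[c] >= min_refusals or len(daemons[c]) >= min_daemons)


if __name__ == "__main__":
    counts, daemons = summarize_refusals(SAMPLE_LOG)
    for client, n in counts.most_common():
        print(f"{client}: {n} refusal(s) on {sorted(daemons[client])}")
    print("flagged:", flag_scanners(SAMPLE_LOG))
```

Because the client field is whatever tcpd could resolve, a single scanner can appear under both a name and an address across a log; correlating on the numeric address from the corresponding connection records is more reliable than trusting the name.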

The hosts_access(5) man page covers everything that can be done with these files, and hosts_options(5) documents the extended syntax, including per-entry options such as spawn and twist.



Last edited June 21, 2003 6:00 am
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.