.TH TCPD 8
.SH NAME
tcpd \- access control facility for internet services
.SH DESCRIPTION
.PP
The \fItcpd\fR program can be set up to monitor incoming requests for
\fItelnet\fR, \fIfinger\fR, \fIftp\fR, \fIexec\fR, \fIrsh\fR,
\fIrlogin\fR, \fItftp\fR, \fItalk\fR, \fIcomsat\fR and other services
that have a one-to-one mapping onto executable files.
.PP
The program supports both 4.3BSD-style sockets and System V.4-style
TLI. Functionality may be limited when the protocol underneath TLI is
not an internet protocol.
.PP
Operation is as follows: whenever a request for service arrives, the
\fIinetd\fP daemon is tricked into running the \fItcpd\fP program
instead of the desired server. \fItcpd\fP logs the request and does
some additional checks. When all is well, \fItcpd\fP runs the
appropriate server program and goes away.
.PP
Optional features are: pattern-based access control, client username
lookups with the RFC 931 etc. protocol, protection against hosts that
pretend to have someone else's host name, and protection against hosts
that pretend to have someone else's network address.
.SH LOGGING
Connections that are monitored by
.I tcpd
are reported through the \fIsyslog\fR(3) facility. Each record contains
a time stamp, the client host name and the name of the requested
service. The information can be useful to detect unwanted activities,
especially when logfile information from several hosts is merged.
.PP
In order to find out where your logs are going, examine the syslog
configuration file, usually /etc/syslog.conf.
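.PP
The following is an added example, not part of the tcpd manual or of the
tcp_wrappers sources. It shows the merge-across-hosts use of the log
records described above: syslog lines from several servers are parsed,
grouped by client host name, and clients that touched many distinct
(server, service) pairs or that were refused anywhere are flagged. The
"connect from" / "refused connect from" message wording, the host names and
the threshold are assumptions of the example; the sample lines are
constructed.

```python
import re
from collections import defaultdict

# Assumed record layout: syslog time stamp, reporting server, service name
# (the daemon tcpd was invoked as) with its pid, then tcpd's message.
RECORD = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<server>\S+) "
    r"(?P<service>[^\[\s]+)\[\d+\]: "
    r"(?P<refused>refused )?connect from (?P<client>\S+)$"
)

# Constructed sample: records from three servers (alpha, beta, gamma) merged.
SAMPLE_LOG = """\
Feb 21 16:39:16 alpha in.fingerd[1234]: connect from probe.example.net
Feb 21 16:39:17 alpha in.telnetd[1235]: connect from probe.example.net
Feb 21 16:39:18 beta in.ftpd[871]: connect from probe.example.net
Feb 21 16:40:02 beta in.fingerd[872]: connect from desk1.example.com
Feb 21 16:41:55 gamma in.rshd[440]: refused connect from 192.0.2.77
Feb 21 16:42:10 gamma in.rlogind[441]: connect from desk1.example.com
""".splitlines()


def parse_record(line):
    """Split one syslog line into its fields; None if it is not a tcpd record."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "server": m["server"],
        "service": m["service"],
        "client": m["client"],
        "refused": m["refused"] is not None,
    }


def merge_and_flag(lines, threshold=3):
    """Merge records from several hosts and flag suspicious clients.

    A client is flagged when it reached at least `threshold` distinct
    (server, service) pairs, or when any of its connections was refused.
    Returns {client: {"targets": n_pairs, "refused": n_refused}}.
    """
    targets = defaultdict(set)
    refused = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # unrelated syslog traffic
        targets[rec["client"]].add((rec["server"], rec["service"]))
        if rec["refused"]:
            refused[rec["client"]] += 1
    flagged = {}
    for client, pairs in targets.items():
        if len(pairs) >= threshold or refused[client]:
            flagged[client] = {"targets": len(pairs), "refused": refused[client]}
    return flagged


if __name__ == "__main__":
    for client, info in sorted(merge_and_flag(SAMPLE_LOG).items()):
        print(f"{client}: {info['targets']} targets, {info['refused']} refused")
```

The threshold is deliberately low for the constructed sample; on a real
merged log it would be tuned to the number of services actually offered.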
.SH ACCESS CONTROL
Optionally,
.I tcpd
supports a simple form of access control that is based on pattern
matching. The access-control software provides hooks for the execution
of shell commands when a pattern fires. For details, see the
\fIhosts_access\fR(5) manual page.
.SH HOST NAME VERIFICATION
The authentication scheme of some protocols (\fIrlogin, rsh\fR) relies
on host names. Some implementations believe the host name that they get
from any random name server; other implementations are more careful but
use a flawed algorithm.
.PP
.I tcpd
verifies the client host name that is returned by the address->name DNS
server by looking at the host name and address that are returned by the
name->address DNS server. If any discrepancy is detected,
.I tcpd
concludes that it is dealing with a host that pretends to have someone
else's host name.
.PP
If the sources are compiled with -DPARANOID,
.I tcpd
will drop the connection in case of a host name/address mismatch.
Otherwise, the hostname can be matched with the \fIPARANOID\fR wildcard,
after which suitable action can be taken.
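.PP
The following is an added example, not part of the tcpd manual or of the
tcp_wrappers sources. It carries the double lookup described above through
in Python: the name returned for the client address is resolved forward
again, and both the name and the address list that come back are compared
with what the client presented. The DNS is replaced by constructed lookup
tables so the check runs offline; the host names and addresses, and the
decision that an unresolvable name also counts as a mismatch, are
assumptions of the example.

```python
PARANOID = "PARANOID"  # wildcard name substituted when the check fails
UNKNOWN = "unknown"    # client with no usable address->name answer

# Constructed address->name table (what the reverse DNS server would answer).
REVERSE = {
    "192.0.2.10": "trusted.example.com",  # honest host
    "192.0.2.20": "trusted.example.com",  # PTR claims a name it does not own
    "192.0.2.30": "multi.example.com",    # multi-homed host, see FORWARD
    "192.0.2.40": "alias.example.com",    # forward record has a different canonical name
}

# Constructed name->(canonical name, addresses) table (forward DNS answer).
FORWARD = {
    "trusted.example.com": ("trusted.example.com", ["192.0.2.10"]),
    "multi.example.com": ("multi.example.com", ["192.0.2.31", "192.0.2.30"]),
    "alias.example.com": ("real.example.com", ["192.0.2.40"]),
}


def verify_client_name(addr, reverse=REVERSE, forward=FORWARD):
    """Return the verified host name, UNKNOWN, or PARANOID on any discrepancy."""
    name = reverse.get(addr)
    if name is None:
        return UNKNOWN
    entry = forward.get(name.lower())
    if entry is None:
        # The claimed name does not resolve at all, so it cannot be verified
        # (treated as a mismatch in this example).
        return PARANOID
    canonical, addrs = entry
    if canonical.lower() != name.lower():
        return PARANOID  # host name/name mismatch
    if addr not in addrs:
        return PARANOID  # host name/address mismatch
    return name


def decide(addr, compiled_paranoid=False):
    """Mirror the two behaviours the manual describes for a mismatch.

    With -DPARANOID the connection is dropped outright; otherwise the name
    PARANOID is handed on so the hosts_access rules can match it.
    """
    name = verify_client_name(addr)
    if name == PARANOID and compiled_paranoid:
        return ("drop", name)
    return ("hosts_access", name)


if __name__ == "__main__":
    for a in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.31", "192.0.2.40"]:
        print(a, "->", verify_client_name(a))
```

The multi-homed entry shows why the address must be searched for in the
whole forward address list rather than compared with the first answer only.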
.SH HOST ADDRESS SPOOFING
Optionally,
.I tcpd
disables source-routing socket options on every connection that it
deals with. This will take care of most attacks from hosts that pretend
to have an address that belongs to someone else's network. UDP services
do not benefit from this protection. This feature must be turned on
at compile time.
.SH RFC 931
When RFC 931 etc. lookups are enabled (compile-time option) \fItcpd\fR
will attempt to establish the name of the client user. This will
succeed only if the client host runs an RFC 931-compliant daemon.
Client user name lookups will not work for datagram-oriented
connections, and may cause noticeable delays in the case of connections
from PCs.
.SH EXAMPLES
The details of using \fItcpd\fR depend on pathname information that was
compiled into the program.
.SH EXAMPLE 1
This example applies when \fItcpd\fR expects that the original network
daemons will be moved to an "other" place.
.PP
In order to monitor access to the \fIfinger\fR service, move the
original finger daemon to the "other" place and install tcpd in the
place of the original finger daemon. No changes are required to
configuration files.
.nf
.sp
.in +5
# mkdir /other/place
# mv /usr/etc/in.fingerd /other/place
# cp tcpd /usr/etc/in.fingerd
.fi
.PP
The example assumes that the network daemons live in /usr/etc. On some
systems, network daemons live in /usr/sbin or in /usr/libexec, or have
no `in.\' prefix to their name.
.SH EXAMPLE 2
This example applies when \fItcpd\fR expects that the network daemons
are left in their original place.
.PP
In order to monitor access to the \fIfinger\fR service, perform the
following edits on the \fIinetd\fR configuration file (usually
\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR):
.nf
.sp
.ti +5
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
.sp
becomes:
.sp
.ti +5
finger stream tcp nowait nobody /some/where/tcpd in.fingerd
.sp
.fi
.PP
The example assumes that the network daemons live in /usr/etc. On some
systems, network daemons live in /usr/sbin or in /usr/libexec, the
daemons have no `in.\' prefix to their name, or there is no userid
field in the inetd configuration file.
.PP
Similar changes will be needed for the other services that are to be
covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
process to make the changes effective. AIX users may also have to
execute the `inetimp\' command.
.SH EXAMPLE 3
In the case of daemons that do not live in a common directory ("secret"
or otherwise), edit the \fIinetd\fR configuration file so that it
specifies an absolute path name for the process name field. For example:
.nf
.sp
ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
.sp
.fi
.PP
Only the last component (ntalkd) of the pathname will be used for
access control and logging.
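.PP
The following is an added example, not part of the tcpd manual or of the
tcp_wrappers sources. It applies the edits of EXAMPLE 2 and EXAMPLE 3 to
inetd configuration lines in Python: the server path field is replaced by
the tcpd path and the process name field becomes the bare daemon name when
the daemon lives in the common directory, or the daemon's absolute path
otherwise. Lines without a userid field, comment lines, inetd-internal
services and lines that are already wrapped are passed through unchanged.
The tcpd path /some/where/tcpd and the common directory /usr/etc are the
manual's placeholders; the sample configuration is constructed.

```python
import os

TCPD = "/some/where/tcpd"   # placeholder from the manual, adjust to your build
COMMON_DIR = "/usr/etc"     # where this example assumes the daemons live


def wrap_inetd_line(line, tcpd=TCPD, common_dir=COMMON_DIR):
    """Return `line` (without trailing newline) rewritten to run through tcpd."""
    line = line.rstrip("\n")
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line  # blank line or comment
    fields = stripped.split()
    # The server program is the first field that is an absolute path; this
    # also copes with configuration files that have no userid field.
    idx = next((i for i, f in enumerate(fields) if f.startswith("/")), None)
    if idx is None or idx + 1 >= len(fields):
        return line  # e.g. "internal" services, or a malformed line
    server = fields[idx]
    if server == tcpd:
        return line  # already wrapped
    if os.path.dirname(server) == common_dir:
        proc = os.path.basename(server)  # EXAMPLE 2: tcpd finds it in the common dir
    else:
        proc = server                    # EXAMPLE 3: absolute path as process name
    args = fields[idx + 2:]              # keep any daemon arguments
    return " ".join(fields[:idx] + [tcpd, proc] + args)


def wrap_inetd_conf(text, tcpd=TCPD, common_dir=COMMON_DIR):
    """Rewrite a whole configuration; returns (new_text, number_of_changed_lines)."""
    out, changed = [], 0
    for line in text.splitlines():
        new = wrap_inetd_line(line, tcpd, common_dir)
        changed += new != line.rstrip("\n")
        out.append(new)
    return "\n".join(out) + "\n", changed


# Constructed sample inetd.conf fragment.
SAMPLE_CONF = """\
# internal services need no wrapper
echo stream tcp nowait root internal
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd -l
ntalk dgram udp wait root /usr/local/lib/ntalkd ntalkd
"""

if __name__ == "__main__":
    new_text, n = wrap_inetd_conf(SAMPLE_CONF)
    print(new_text, end="")
    print(f"# {n} lines changed; now send `kill -HUP' to inetd")
```

Run it against a copy of the real file and diff the result before installing
it; the script never writes to /etc itself.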
.SH BUGS
Some UDP (and RPC) daemons linger around for a while after they have
finished their work, in case another request comes in. In the inetd
configuration file these services are registered with the \fIwait\fR
option. Only the request that started such a daemon will be logged.
.PP
The program does not work with RPC services over TCP. These services
are registered as \fIrpc/tcp\fR in the inetd configuration file. The
only non-trivial service that is affected by this limitation is
\fIrexd\fR, which is used by the \fIon(1)\fR command. This is no great
loss. On most systems, \fIrexd\fR is less secure than a wildcard in
/etc/hosts.equiv.
.PP
RPC broadcast requests (for example: \fIrwall, rup, rusers\fR) always
appear to come from the responding host. What happens is that the
client broadcasts the request to all \fIportmap\fR daemons on its
network; each \fIportmap\fR daemon forwards the request to a local
daemon. As far as the \fIrwall\fR etc. daemons know, the request comes
from the local host.
.SH FILES
.PP
The default locations of the host access control tables are:
.PP
/etc/hosts.allow
.br
/etc/hosts.deny
.SH SEE ALSO
.na
.nf
hosts_access(5), format of the tcpd access control tables.
syslog.conf(5), format of the syslogd control file.
inetd.conf(5), format of the inetd control file.
.SH AUTHORS
.na
.nf
Wietse Venema (wietse@wzv.win.tue.nl),
Department of Mathematics and Computing Science,
Eindhoven University of Technology
Den Dolech 2, P.O. Box 513,
5600 MB Eindhoven, The Netherlands
\" @(#) tcpd.8 1.5 96/02/21 16:39:16