source: trunk/third/tcp_wrappers/tcpd.8 @ 11717

Revision 11717, 6.9 KB checked in by danw, 26 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r11716, which included commits to RCS files with non-trunk default branches.
Line 
1.TH TCPD 8
2.SH NAME
3tcpd \- access control facility for internet services
4.SH DESCRIPTION
5.PP
6The \fItcpd\fR program can be set up to monitor incoming requests for
7\fItelnet\fR, \fIfinger\fR, \fIftp\fR, \fIexec\fR, \fIrsh\fR,
8\fIrlogin\fR, \fItftp\fR, \fItalk\fR, \fIcomsat\fR and other services
9that have a one-to-one mapping onto executable files.
10.PP
11The program supports both 4.3BSD-style sockets and System V.4-style
12TLI.  Functionality may be limited when the protocol underneath TLI is
13not an internet protocol.
14.PP
15Operation is as follows: whenever a request for service arrives, the
16\fIinetd\fP daemon is tricked into running the \fItcpd\fP program
17instead of the desired server. \fItcpd\fP logs the request and does
18some additional checks. When all is well, \fItcpd\fP runs the
19appropriate server program and goes away.
20.PP
21Optional features are: pattern-based access control, client username
22lookups with the RFC 931 etc. protocol, protection against hosts that
23pretend to have someone elses host name, and protection against hosts
24that pretend to have someone elses network address.
25.SH LOGGING
26Connections that are monitored by
27.I tcpd
28are reported through the \fIsyslog\fR(3) facility. Each record contains
29a time stamp, the client host name and the name of the requested
30service.  The information can be useful to detect unwanted activities,
31especially when logfile information from several hosts is merged.
32.PP
33In order to find out where your logs are going, examine the syslog
34configuration file, usually /etc/syslog.conf.
35.SH ACCESS CONTROL
36Optionally,
37.I tcpd
38supports a simple form of access control that is based on pattern
39matching.  The access-control software provides hooks for the execution
40of shell commands when a pattern fires.  For details, see the
41\fIhosts_access\fR(5) manual page.
42.SH HOST NAME VERIFICATION
43The authentication scheme of some protocols (\fIrlogin, rsh\fR) relies
44on host names. Some implementations believe the host name that they get
45from any random name server; other implementations are more careful but
46use a flawed algorithm.
47.PP
48.I tcpd
49verifies the client host name that is returned by the address->name DNS
50server by looking at the host name and address that are returned by the
51name->address DNS server.  If any discrepancy is detected,
52.I tcpd
53concludes that it is dealing with a host that pretends to have someone
54elses host name.
55.PP
56If the sources are compiled with -DPARANOID,
57.I tcpd
58will drop the connection in case of a host name/address mismatch.
59Otherwise, the hostname can be matched with the \fIPARANOID\fR wildcard,
60after which suitable action can be taken.
61.SH HOST ADDRESS SPOOFING
62Optionally,
63.I tcpd
64disables source-routing socket options on every connection that it
65deals with. This will take care of most attacks from hosts that pretend
66to have an address that belongs to someone elses network. UDP services
67do not benefit from this protection. This feature must be turned on
68at compile time.
69.SH RFC 931
70When RFC 931 etc. lookups are enabled (compile-time option) \fItcpd\fR
71will attempt to establish the name of the client user. This will
72succeed only if the client host runs an RFC 931-compliant daemon.
73Client user name lookups will not work for datagram-oriented
74connections, and may cause noticeable delays in the case of connections
75from PCs.
76.SH EXAMPLES
77The details of using \fItcpd\fR depend on pathname information that was
78compiled into the program.
79.SH EXAMPLE 1
80This example applies when \fItcpd\fR expects that the original network
81daemons will be moved to an "other" place.
82.PP
83In order to monitor access to the \fIfinger\fR service, move the
84original finger daemon to the "other" place and install tcpd in the
85place of the original finger daemon. No changes are required to
86configuration files.
87.nf
88.sp
89.in +5
90# mkdir /other/place
91# mv /usr/etc/in.fingerd /other/place
92# cp tcpd /usr/etc/in.fingerd
93.fi
94.PP
95The example assumes that the network daemons live in /usr/etc. On some
96systems, network daemons live in /usr/sbin or in /usr/libexec, or have
97no `in.\' prefix to their name.
98.SH EXAMPLE 2
99This example applies when \fItcpd\fR expects that the network daemons
100are left in their original place.
101.PP
102In order to monitor access to the \fIfinger\fR service, perform the
103following edits on the \fIinetd\fR configuration file (usually
104\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR):
105.nf
106.sp
107.ti +5
108finger  stream  tcp  nowait  nobody  /usr/etc/in.fingerd  in.fingerd
109.sp
110becomes:
111.sp
112.ti +5
113finger  stream  tcp  nowait  nobody  /some/where/tcpd     in.fingerd
114.sp
115.fi
116.PP
117The example assumes that the network daemons live in /usr/etc. On some
118systems, network daemons live in /usr/sbin or in /usr/libexec, the
119daemons have no `in.\' prefix to their name, or there is no userid
120field in the inetd configuration file.
121.PP
122Similar changes will be needed for the other services that are to be
123covered by \fItcpd\fR.  Send a `kill -HUP\' to the \fIinetd\fR(8)
124process to make the changes effective. AIX users may also have to
125execute the `inetimp\' command.
126.SH EXAMPLE 3
127In the case of daemons that do not live in a common directory ("secret"
128or otherwise), edit the \fIinetd\fR configuration file so that it
129specifies an absolute path name for the process name field. For example:
130.nf
131.sp
132    ntalk  dgram  udp  wait  root  /some/where/tcpd  /usr/local/lib/ntalkd
133.sp
134.fi
135.PP
136Only the last component (ntalkd) of the pathname will be used for
137access control and logging.
138.SH BUGS
139Some UDP (and RPC) daemons linger around for a while after they have
140finished their work, in case another request comes in.  In the inetd
141configuration file these services are registered with the \fIwait\fR
142option. Only the request that started such a daemon will be logged.
143.PP
144The program does not work with RPC services over TCP. These services
145are registered as \fIrpc/tcp\fR in the inetd configuration file. The
146only non-trivial service that is affected by this limitation is
147\fIrexd\fR, which is used by the \fIon(1)\fR command. This is no great
148loss.  On most systems, \fIrexd\fR is less secure than a wildcard in
149/etc/hosts.equiv.
150.PP
151RPC broadcast requests (for example: \fIrwall, rup, rusers\fR) always
152appear to come from the responding host. What happens is that the
153client broadcasts the request to all \fIportmap\fR daemons on its
154network; each \fIportmap\fR daemon forwards the request to a local
155daemon. As far as the \fIrwall\fR etc.  daemons know, the request comes
156from the local host.
157.SH FILES
158.PP
159The default locations of the host access control tables are:
160.PP
161/etc/hosts.allow
162.br
163/etc/hosts.deny
164.SH SEE ALSO
165.na
166.nf
167hosts_access(5), format of the tcpd access control tables.
168syslog.conf(5), format of the syslogd control file.
169inetd.conf(5), format of the inetd control file.
170.SH AUTHORS
171.na
172.nf
173Wietse Venema (wietse@wzv.win.tue.nl),
174Department of Mathematics and Computing Science,
175Eindhoven University of Technology
176Den Dolech 2, P.O. Box 513,
1775600 MB Eindhoven, The Netherlands
178\" @(#) tcpd.8 1.5 96/02/21 16:39:16
Note: See TracBrowser for help on using the repository browser.