Configuring and Managing MPE/iX Internet Services: HP 3000 MPE/iX Computer Systems > Chapter 2 Internet Daemon > inetd Security File
There is an optional security file associated with inetd that lets you control which nodes may use the Internet Services on your system. When the file is present, inetd will not start a service unless the node making the request has permission to do so. Each entry in the inetd security file states which nodes are allowed or denied for a particular service.

The inetd security file is not the only protection for Internet Services. It is an extra layer on top of the normal checks done by the services themselves. If the inetd security file does not exist, if a service is not listed in it, or if the service is listed but not followed by the allow or deny keyword, any remote host may attempt to use that service. Such an attempt succeeds only if it also passes the security checks imposed by the requested service.

If inetd refuses a connection for security reasons and inetd connection logging is enabled, a message is sent to the console reporting the unsuccessful connection attempt.

You may already have a security file for inetd installed on your system. If you know that you have such a file, and it is accessible by the POSIX file name /usr/adm/inetd.sec, you may skip these steps. If not, follow the steps below to create the file and link to it. If you have such a file but are unsure whether it is linked, perform step 2 only.
Each line in the inetd security file contains a service name, a permission field (allow or deny), and the IP addresses or domain names of the hosts and networks to which that permission applies for the service on your host system. You can open the file to view the current restrictions or to change them. To do so:
When you edit the inetd security file, remember the following points:
You may use the wildcard character (*) in any field of an address to specify permissions for a group of hosts or networks. This makes it more convenient to cover an entire network, since you do not need to list each host in it. The following sample entry allows all hosts whose addresses start with 10, plus the single host 192.54.24.5, to use Telnet:

    telnet allow 10.* 192.54.24.5

You cannot combine the wildcard character with digits in one field of an address: each field must be either an integer or the wildcard character. For example, the following entry generates an error message because the second field contains a 5 followed by the * character:

    tftp deny 10.5*

You may use the range indicator (-) in any field of an address to apply the permission to a contiguous range of hosts or networks. This makes it more convenient to allow or deny a service for a group of subnets within the network you specify. The following sample entry denies hosts in subnets 3 through 5 of network 10 access to Telnet. The wildcard character * in the last field lets you avoid listing the individual hosts within those subnets:

    telnet deny 10.3-5.*
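The following is an added example, not HP code and not the MPE/iX inetd implementation: a small Python matcher for the inetd.sec address syntax described above (per-field integers, the * wildcard, the a-b range, and the rule that a field may not mix digits with *). It decides, for a constructed sample file, whether inetd would start a service for a given client address. It assumes, beyond what the page states, that patterns with fewer than four fields are padded with * (so 10.* reads as 10.*.*.*), that only dotted-quad IP addresses are matched (not domain names), and that # starts a comment; the sample file, the ftp and finger entries, and the function names are all constructed here.

```python
"""Matcher for the inetd.sec entry syntax (added example, not HP code).

Assumptions beyond the page: patterns shorter than four fields are padded
with '*'; only dotted-quad IPv4 addresses are matched; '#' starts a comment.
"""
import re

# Constructed sample file.  The telnet line mirrors the page's sample;
# the ftp and finger lines are added for illustration.
SAMPLE_INETD_SEC = """\
# constructed inetd.sec
telnet allow 10.* 192.54.24.5
ftp    deny  10.3-5.*
finger
"""

FIELD_RE = re.compile(r"^(?:\*|(\d{1,3})|(\d{1,3})-(\d{1,3}))$")


class InetdSecError(ValueError):
    """Raised for an entry inetd would reject, e.g. 'tftp deny 10.5*'."""


def _compile_field(field):
    """Return a predicate over one octet for '*', 'n', or 'a-b' (inclusive)."""
    m = FIELD_RE.match(field)
    if not m:
        # Mixing digits and '*' in one field ('5*') lands here.
        raise InetdSecError(f"bad field {field!r}: use an integer, a range a-b, or *")
    if field == "*":
        return lambda octet: True
    if m.group(1) is not None:
        value = int(m.group(1))
        if value > 255:
            raise InetdSecError(f"octet out of range in {field!r}")
        return lambda octet: octet == value
    low, high = int(m.group(2)), int(m.group(3))
    if not low <= high <= 255:
        raise InetdSecError(f"bad range {field!r}")
    return lambda octet: low <= octet <= high


def compile_pattern(pattern):
    """Turn a pattern such as '10.3-5.*' into a predicate over four octets."""
    fields = pattern.split(".")
    if not 1 <= len(fields) <= 4:
        raise InetdSecError(f"bad address {pattern!r}")
    fields += ["*"] * (4 - len(fields))   # assumption: missing trailing fields = *
    preds = [_compile_field(f) for f in fields]
    return lambda octets: all(p(o) for p, o in zip(preds, octets))


def parse_inetd_sec(text):
    """Map service -> (permission, [predicates]); permission is None when the
    service is listed without an allow/deny keyword."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        service = fields[0]
        if len(fields) < 2 or fields[1].lower() not in ("allow", "deny"):
            table[service] = (None, [])
            continue
        try:
            preds = [compile_pattern(p) for p in fields[2:]]
        except InetdSecError as exc:
            raise InetdSecError(f"line {lineno}: {exc}") from None
        table[service] = (fields[1].lower(), preds)
    return table


def is_valid_entry(line):
    """True if the entry parses, False if inetd would report an error."""
    try:
        parse_inetd_sec(line)
        return True
    except InetdSecError:
        return False


def is_permitted(table, service, addr):
    """Decide as inetd would: 'allow' admits only listed hosts, 'deny' refuses
    only listed hosts, and an unlisted or keyword-less service is open (the
    service's own checks still apply)."""
    octets = [int(x) for x in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    permission, preds = table.get(service, (None, []))
    if permission is None:
        return True
    hit = any(p(octets) for p in preds)
    return hit if permission == "allow" else not hit


if __name__ == "__main__":
    table = parse_inetd_sec(SAMPLE_INETD_SEC)
    for svc, host in [("telnet", "10.200.1.1"), ("telnet", "192.54.24.6"),
                      ("ftp", "10.4.0.9"), ("ftp", "10.6.0.9"), ("shell", "1.2.3.4")]:
        print(svc, host, "permit" if is_permitted(table, svc, host) else "refuse")
    print("tftp deny 10.5* ->", "valid" if is_valid_entry("tftp deny 10.5*") else "rejected")
```

Running the block prints a permit/refuse decision for each constructed (service, address) pair and shows the mixed-field entry being rejected. Note that the matcher deliberately treats a service listed without allow or deny, and a service not listed at all, the same way the page describes: open to every remote host, with only the service's own checks left to stop the connection.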