HP-UX Internet Services Administrator's Guide (August 2003)

TCP Wrappers
The tcpd Features
Chapter 3 45
1. The /etc/hosts.allow file – If a daemon-client pair matches an entry in this file, access is granted.
2. The /etc/hosts.deny file – If a daemon-client pair matches an entry in this file, access is denied.
3. If a daemon-client pair match is not found in either of the access control files, access is granted.
Following are examples of different entries in the files /etc/hosts.allow and /etc/hosts.deny:
1. To grant access to the ftp service to all the users, specify the following entry in the /etc/hosts.allow file:
ftpd:ALL
2. To deny access to the host blue.rainbow.com and all hosts in the domain rainbow.com to all the services, specify the following entry in the /etc/hosts.deny file:
ALL:blue.rainbow.com, .rainbow.com
3. To grant the telnet service to all the hosts in the domain xyz.com except the host abc.xyz.com, specify the following entry in the /etc/hosts.allow file:
telnetd:.xyz.com EXCEPT abc.xyz.com
For more information on the access control language and ACL options, type man 5 hosts_access or man 5 hosts_options at the HP-UX prompt.
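The evaluation order and the three entries above, as an added example that is not part of this guide or of tcp_wrappers itself: a small Python model of how tcpd checks a daemon-client pair against hosts.allow and then hosts.deny. The function names, the comment handling and the constructed sample files are assumptions made for the example; only the ALL, leading-dot and EXCEPT forms shown on this page are modelled.

```python
import re

# Added example written for this page, not HP-UX or tcp_wrappers code: a
# minimal model of tcpd's hosts.allow / hosts.deny evaluation. It covers only
# the subset shown above ("daemon_list : client_list", ALL, a leading-dot
# domain suffix, EXCEPT); real tcpd does much more, see hosts_access(5).

def _match_token(pattern, name):
    """Match one daemon or client pattern against a name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):  # ".rainbow.com" matches every host in that domain
        return name.endswith(pattern)
    return pattern == name

def _match_list(field, name):
    """Match 'a, b EXCEPT c, d'; items are separated by blanks and/or commas."""
    head, _, tail = field.partition("EXCEPT")
    included = [p for p in re.split(r"[,\s]+", head.strip()) if p]
    excluded = [p for p in re.split(r"[,\s]+", tail.strip()) if p]
    if not any(_match_token(p, name) for p in included):
        return False
    return not any(_match_token(p, name) for p in excluded)

def _file_matches(lines, daemon, client):
    """True if any non-comment line matches the daemon-client pair."""
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if _match_list(daemons, daemon) and _match_list(clients, client):
            return True
    return False

def access_granted(allow_lines, deny_lines, daemon, client):
    """tcpd's order: hosts.allow first, then hosts.deny, otherwise grant."""
    if _file_matches(allow_lines, daemon, client):
        return True
    if _file_matches(deny_lines, daemon, client):
        return False
    return True  # step 3: no match in either file still grants access

# Constructed sample files built from the three entries on this page.
HOSTS_ALLOW = ["ftpd:ALL", "telnetd:.xyz.com EXCEPT abc.xyz.com"]
HOSTS_DENY = ["ALL:blue.rainbow.com, .rainbow.com"]

if __name__ == "__main__":
    for d, c in [("ftpd", "blue.rainbow.com"), ("telnetd", "blue.rainbow.com"), ("telnetd", "abc.xyz.com")]:
        print(d, c, "granted" if access_granted(HOSTS_ALLOW, HOSTS_DENY, d, c) else "denied")
```

Note that abc.xyz.com is still granted telnet with these files: the EXCEPT only removes it from the hosts.allow rule, and step 3 grants access when neither file matches, so a hosts.deny entry is needed to actually refuse it.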
Host Name/Address Spoofing
tcpd prevents a host that impersonates a legitimate host from accessing services. If it finds any discrepancy between the client's address and its name, the wrapper program denies that host access and logs the event. tcpd also disables the source-routing socket options on all the host’s connections. This protection mechanism benefits UDP services.
Client User Name Lookup
tcpd determines the identity of a client requesting a particular TCP connection using the RFC 931 (Authentication Server) protocol. By default, the client user name lookup is disabled in the /etc/tcpd.conf