HP-UX Reference (11i v2 03/08) - 1M System Administration Commands N-Z (vol 4)
tcpd(1M) tcpd(1M)
Example 1
Move the original daemon to the /usr/lbin/wrapper directory and install tcpd in place of the original daemon. No changes are required to the inetd configuration file, /etc/inetd.conf.
# mkdir /usr/lbin/wrapper
# mv /usr/lbin/ftpd /usr/lbin/wrapper
# cp /usr/lbin/tcpd /usr/lbin/ftpd
Example 2
Edit the inetd configuration file as follows:
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
becomes:
telnet stream tcp nowait root /usr/lbin/tcpd /usr/lbin/telnetd telnetd
Only the last component (telnetd) of the pathname will be used for access control and logging.
Send a kill -HUP to the inetd process to make the changes effective.
If the above entry is specified without the absolute path of telnetd, then tcpd looks for the telnetd binary in the /usr/lbin/wrapper directory.
NOTE: To apply the access control mechanism to IPv6 connections of a service, enable IPv6 connections for that service in the /etc/inetd.conf file. Refer to the manpage inetd.conf(4) for more details.
WARNINGS
Some UDP (and RPC) daemons linger around for a while after they have finished their work, in case another request comes in. In the inetd configuration file these services are registered with the wait option. Only the request that started such a daemon will be logged.
The program does not work with RPC services over TCP. These services are registered as rpc/tcp in the inetd configuration file. The only non-trivial service that is affected by this limitation is rexd, which is used by the on command. On most systems, rexd is less secure than a wildcard in /etc/hosts.equiv.
RPC broadcast requests (for example: rwall, rup, rusers) always appear to come from the responding host. What really happens is that the client broadcasts the request to all portmap daemons on its network; each portmap daemon forwards the request to a local daemon. From the point of view of a daemon such as rwall, the request is coming from the local host.
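Added example (not part of the HP-UX manpage): a shell function that reads inetd.conf-format lines and reports which entries use the Example 2 form, the daemon name tcpd would use for access control, and which entries fall under the WARNINGS above. All sample entries except the telnet line are constructed, and matching the protocol field against rpc/tcp follows the wording of this page; services wrapped in place as in Example 1 show up as unwrapped because their inetd.conf entry is unchanged.

```shell
#!/bin/sh
# Added example: classify inetd.conf entries by tcpd coverage.
# Fields: service socket-type protocol wait|nowait user server-path args...
TCPD=/usr/lbin/tcpd          # wrapper path from Example 2
WRAPDIR=/usr/lbin/wrapper    # where tcpd looks when the daemon path is relative

audit_inetd() {
    awk -v tcpd="$TCPD" -v wrapdir="$WRAPDIR" '
    $1 ~ /^#/ || NF < 6 { next }          # skip comments, blank and short lines
    {
        svc = $1; proto = $3; waitflag = $4; server = $6
        if (proto == "rpc/tcp") {          # WARNINGS: no RPC over TCP support
            print svc, "rpc-tcp-unsupported"; next
        }
        if (server != tcpd) {              # inetd starts the daemon directly
            print svc, "unwrapped", "server=" server; next
        }
        if (NF < 7) { print svc, "malformed-no-daemon"; next }
        real = $7                          # Example 2 form: real daemon follows tcpd
        n = split(real, parts, "/")
        daemon = parts[n]                  # last component: name used for access control
        if (real !~ /^\//) real = wrapdir "/" real
        note = (waitflag == "wait") ? " first-request-only-logged" : ""
        print svc, "wrapped", "daemon=" daemon, "exec=" real note
    }'
}

# Constructed sample; only the telnet line is taken from Example 2.
sample_conf() {
    cat <<'EOF'
# service type proto wait user server args
telnet stream tcp nowait root /usr/lbin/tcpd /usr/lbin/telnetd telnetd
ftp stream tcp nowait root /usr/lbin/tcpd ftpd
login stream tcp nowait root /usr/lbin/rlogind rlogind
rexd/1 stream rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd
tftp dgram udp wait root /usr/lbin/tcpd /usr/lbin/tftpd tftpd
EOF
}

sample_conf | audit_inetd
```

To check a live system, run audit_inetd < /etc/inetd.conf and compare the daemon= names with the entries in /etc/hosts.allow and /etc/hosts.deny.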
AUTHOR
Wietse Venema (wietse@wzv.win.tue.nl)
Department of Mathematics and Computing Science,
Eindhoven University of Technology
Den Dolech 2, P.O. Box 513,
5600 MB Eindhoven, The Netherlands
FILES
The default locations of the host access control tables are:
/etc/hosts.allow (daemon,client) pairs that are granted access.
/etc/hosts.deny (daemon,client) pairs that are denied access.
SEE ALSO
inetd(1M), internet services daemon.
syslogd(1M), format of the syslogd control file.
inetd.conf(4), format of the inetd control file.
hosts_access(5), format of the tcpd access control tables.
Section 1M    Hewlett-Packard Company    HP-UX 11i Version 2: August 2003