HP-UX Reference (11i v2 07/12) - 1M System Administration Commands N-Z (vol 4)

tcpd(1M) tcpd(1M)
NAME
tcpd - access control facility for internet services
DESCRIPTION
The tcpd program can be set up to monitor the incoming requests for telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, and other services that have a one-to-one mapping onto executable files. The program supports both 4.3BSD-style sockets and System V.4-style TLI. The functionality may be limited when the protocol underneath TLI is not an internet protocol.
The operation is as follows: Whenever a request for service is received, the inetd daemon runs the tcpd program instead of the desired server. tcpd logs the request and checks its access control files for matching (daemon, client) pair entries to either grant or deny access to the requested service. If access to the requested service is granted, then tcpd runs the appropriate server program and exits. Configuration parameters, such as logging behaviour, username lookup and reverse lookup failure behaviour, can be defined in the configuration file /etc/tcpd.conf. See tcpd.conf(4) for more details.
Features of tcpd are: pattern-based access control, client username lookups with the RFC 931 protocol, protection against hosts that pretend to have someone else's host name, and protection against hosts that pretend to have someone else's network address.
Logging
Connections monitored by tcpd are reported through the syslog(3C) facility. Each record contains a time stamp, the client host name and the name of the requested service. The information can be used to detect unwanted activities, especially when logfile information from several hosts is merged.
In order to find out where your information is logged, examine the syslog configuration file, /etc/syslog.conf.
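The paragraph above says the records are most useful once logs from several hosts are merged. The following is an added example, not part of this man page or of HP-UX: it parses tcpd-style syslog records from two hosts and flags clients that touched several services on several hosts or were refused. The record layout (syslog header, daemon[pid], "connect from <client>") and the sample lines are constructed assumptions; check your own /etc/syslog.conf destination and a few real lines before relying on the regular expression.

```python
"""Merge tcpd syslog records from several hosts and flag noisy clients.

Added example, not part of the HP-UX tcpd man page. The log line layout
(syslog header, daemon[pid], "connect from <client>") is an assumed
tcpd-style format; verify it against real records before use.
"""
import re
from collections import defaultdict

# Assumed record layout: "<Mon dd HH:MM:SS> <host> <daemon>[<pid>]: [refused ]connect from <client>"
RECORD = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<daemon>[\w.-]+)\[\d+\]:\s+"
    r"(?P<refused>refused\s+)?connect from\s+(?P<client>\S+)\s*$"
)

# Constructed sample: records already merged from two hosts (hostA, hostB).
# The last line is a non-tcpd record and must be ignored by the parser.
SAMPLE_LOG = """\
Mar 12 10:01:02 hostA ftpd[1021]: connect from scanner.example.net
Mar 12 10:01:03 hostA telnetd[1022]: connect from scanner.example.net
Mar 12 10:01:05 hostB fingerd[2201]: connect from scanner.example.net
Mar 12 10:02:10 hostB ftpd[2202]: connect from desk1.example.com
Mar 12 10:03:00 hostA rshd[1030]: refused connect from scanner.example.net
Mar 12 10:03:01 hostA sshd[1031]: Accepted publickey for root from 10.0.0.9
"""


def parse_record(line):
    """Return a dict for one tcpd record, or None for lines of another shape."""
    m = RECORD.match(line)
    if not m:
        return None
    return {
        "stamp": m.group("stamp"),
        "host": m.group("host"),
        "daemon": m.group("daemon"),
        "client": m.group("client"),
        "refused": m.group("refused") is not None,
    }


def summarize(lines):
    """Per client: the set of servers and services touched and the refusal count."""
    summary = defaultdict(lambda: {"hosts": set(), "services": set(), "refused": 0})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        entry = summary[rec["client"]]
        entry["hosts"].add(rec["host"])
        entry["services"].add(rec["daemon"])
        if rec["refused"]:
            entry["refused"] += 1
    return dict(summary)


def suspicious_clients(summary, min_hosts=2, min_services=3):
    """Clients that touched several services on several hosts, or were refused at all."""
    flagged = []
    for client, entry in summary.items():
        spread = len(entry["hosts"]) >= min_hosts and len(entry["services"]) >= min_services
        if spread or entry["refused"] > 0:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for client in suspicious_clients(report):
        e = report[client]
        print(f"{client}: hosts={sorted(e['hosts'])} services={sorted(e['services'])} refused={e['refused']}")
```

On the constructed input only scanner.example.net is reported: it reached four services across both hosts and was refused once, while desk1.example.com made a single ftp connection. The thresholds are parameters so they can be tuned to the number of hosts whose logs are merged.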
Access Control
tcpd supports a simple form of access control that is based on pattern matching. The access-control software provides hooks for the execution of shell commands when a pattern fires. For details, see hosts_access(5).
Host Name Verification
The authentication scheme of some protocols (rlogin, rsh) relies on host names. Some implementations trust the host name that they get from any random name server; other implementations are more careful but use a flawed algorithm.
tcpd verifies the client host name returned by the "address to name" lookup on the client's address. It compares the client's address with the address returned by the "resultant name to address" lookup. If any discrepancy is detected, tcpd concludes that it is dealing with a host that pretends to have someone else's host name.
If the configuration parameter on_reverselookup_fail in /etc/tcpd.conf is set to deny, then tcpd will drop the connection in case of a host name/address mismatch. Otherwise, the hostname can be matched with the PARANOID wildcard, after which suitable action can be taken.
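The two-step check described above (address to name, then resultant name to address, with PARANOID on disagreement) is shown below as an added example; it is not HP-UX or tcpd source and does not reproduce tcpd's internal interface. The resolver functions are injected so the check runs offline against constructed DNS data; real_reverse() and real_forward() wrap the standard socket calls for a live system. The names verify_client, connection_decision and the sample addresses are assumptions of this example.

```python
"""Forward-confirmed reverse lookup, in the spirit of tcpd's host name verification.

Added example, not HP-UX code. The two resolver callables are injected so
the check runs offline against constructed data; real_reverse()/real_forward()
wrap the standard socket calls for use on a live system.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

PARANOID = "PARANOID"  # the wildcard name the access control rules can match on a mismatch

ReverseLookup = Callable[[str], Optional[str]]   # address -> host name, or None
ForwardLookup = Callable[[str], Iterable[str]]   # host name -> addresses


@dataclass(frozen=True)
class ClientIdentity:
    address: str
    name: Optional[str]   # verified name, PARANOID on mismatch, None if no reverse record
    mismatch: bool


def verify_client(address: str, reverse: ReverseLookup, forward: ForwardLookup) -> ClientIdentity:
    """Trust the reverse-lookup name only if the forward lookup maps it back to address."""
    try:
        name = reverse(address)          # "address to name"
    except OSError:
        name = None
    if not name:
        return ClientIdentity(address, None, False)
    try:
        addresses = set(forward(name))   # "resultant name to address"
    except OSError:
        addresses = set()
    if address not in addresses:
        # The two lookups disagree: the host pretends to have someone else's name.
        return ClientIdentity(address, PARANOID, True)
    return ClientIdentity(address, name, False)


def connection_decision(identity: ClientIdentity, on_reverselookup_fail: str = "deny") -> str:
    """Model the on_reverselookup_fail setting: drop on mismatch, or hand PARANOID to the rules."""
    if identity.mismatch and on_reverselookup_fail == "deny":
        return "drop"
    return "check_access_rules"


# Constructed DNS data: 10.0.0.6 has a reverse record claiming trusted.example.com,
# but trusted.example.com's forward record points only at 10.0.0.5.
SAMPLE_PTR = {"10.0.0.5": "trusted.example.com", "10.0.0.6": "trusted.example.com"}
SAMPLE_A = {"trusted.example.com": ["10.0.0.5"]}


def sample_reverse(address: str) -> Optional[str]:
    return SAMPLE_PTR.get(address)


def sample_forward(name: str) -> Iterable[str]:
    return SAMPLE_A.get(name, [])


def real_reverse(address: str) -> Optional[str]:
    """Live reverse lookup via the system resolver (raises socket.herror, an OSError, on failure)."""
    return socket.gethostbyaddr(address)[0]


def real_forward(name: str) -> Iterable[str]:
    """Live forward lookup via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


if __name__ == "__main__":
    for addr in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        ident = verify_client(addr, sample_reverse, sample_forward)
        print(addr, ident.name, connection_decision(ident))
```

With the constructed data, 10.0.0.5 is confirmed as trusted.example.com, 10.0.0.6 is reported as PARANOID and dropped when on_reverselookup_fail is deny (or passed to the access rules otherwise), and 10.0.0.7, which has no reverse record, carries no name at all rather than an unverified one.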
Host Address Spoofing
tcpd disables source-routing socket options on every connection that it deals with. This will take care of most attacks from hosts that pretend to have an address belonging to someone else's network. UDP services benefit from this protection.
NOTE: This functionality is not applicable to IPv6 connections.
RFC 931
When RFC 931 lookup is enabled (in /etc/tcpd.conf), tcpd will attempt to establish the name of the client user. This will succeed only if the client host runs an RFC 931-compliant daemon. Client user name lookups will not work for datagram-oriented connections, and may cause noticeable delays in the case of connections from PCs. The configuration file /etc/tcpd.conf provides an option to set the time-out value within which tcpd should get the remote user name. See tcpd.conf(4) for more information.
EXAMPLES
There are two ways to configure the system to monitor access to selected services via tcpd. The examples below use the ftp and telnet daemons to demonstrate the two possible configurations.
548 Hewlett-Packard Company 1 HP-UX 11i Version 2: December 2007 Update