tcpd - access control facility for internet services



    TCPD(1M)                                                              TCPD(1M)
    
    
    
    NAME
           tcpd - access control facility for internet services
    
    DESCRIPTION
           The tcpd program can be set up to monitor incoming requests for telnet,
           finger, ftp, exec, rsh, rlogin, tftp, talk, comsat and other services
           that have a one-to-one mapping onto executable files.
    
           The program supports both 4.3BSD-style sockets and System V.4-style
           TLI. Functionality may be limited when the protocol underneath TLI is
           not an internet protocol.
    
           Operation is as follows: whenever a request for service arrives, the
           inetd daemon is tricked into running the tcpd program instead of the
           desired server. tcpd logs the request and does some additional checks.
           When all is well, tcpd runs the appropriate server program and goes
           away.
    
           Optional features are: pattern-based access control, client username
           lookups with the RFC 931 etc. protocol, protection against hosts that
           pretend to have someone else's host name, and protection against hosts
           that pretend to have someone else's network address.
    
    LIBWRAP INTERFACE
           The same monitoring and access control functionality provided by the
           tcpd standalone program is also available through the libwrap shared
           library interface. Some programs, including the Solaris inetd daemon,
           have been modified to use the libwrap interface and thus do not
           require replacing the real server programs with tcpd. The libwrap
           interface is also more efficient and can be used for inetd internal
           services. See inetd(1M) for more information.
    
    LOGGING
           Connections that are monitored by tcpd are reported through the
           syslog(3) facility. Each record contains a time stamp, the client host
           name and the name of the requested service. The information can be
           useful to detect unwanted activities, especially when logfile
           information from several hosts is merged.
    
           In order to find out where your logs are going, examine the syslog
           configuration file, usually /etc/syslog.conf.
    
    ACCESS CONTROL
           Optionally, tcpd supports a simple form of access control that is based
           on pattern matching. The access-control software provides hooks for
           the execution of shell commands when a pattern fires. For details, see
           the hosts_access(4) manual page.
    
    HOST NAME VERIFICATION
           The authentication scheme of some protocols (rlogin, rsh) relies on
           host names. Some implementations believe the host name that they get
           from any random name server; other implementations are more careful but
           use a flawed algorithm.
    
           tcpd verifies the client host name that is returned by the
           address->name DNS server by looking at the host name and address that
           are returned by the name->address DNS server. If any discrepancy is
           detected, tcpd concludes that it is dealing with a host that pretends
           to have someone else's host name.
    
           If the sources are compiled with -DPARANOID, tcpd will drop the
           connection in case of a host name/address mismatch. Otherwise, the
           hostname can be matched with the PARANOID wildcard, after which
           suitable action can be taken.
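           The address->name / name->address cross-check described above, written
           out as an added Python illustration (not part of this manual page or of
           the tcp_wrappers sources). The lookup tables stand in for real DNS so
           it runs offline; all names and addresses in them are constructed.

```python
from typing import Dict, List, Tuple

# Constructed lookup tables standing in for the two DNS directions, so the
# check runs offline. Every name and address here is invented (RFC 5737
# documentation ranges), purely for illustration.
REVERSE_DNS: Dict[str, str] = {            # address -> name
    "192.0.2.10": "shell.example.net",     # consistent in both directions
    "192.0.2.20": "trusted.example.net",   # forward record points elsewhere
    "192.0.2.30": "alias.example.net",     # forward canonical name differs
    "192.0.2.40": "ghost.example.net",     # reverse name has no forward record
}
FORWARD_DNS: Dict[str, Tuple[str, List[str]]] = {   # name -> (canonical, addrs)
    "shell.example.net": ("shell.example.net", ["192.0.2.10", "192.0.2.11"]),
    "trusted.example.net": ("trusted.example.net", ["198.51.100.7"]),
    "alias.example.net": ("real.example.net", ["192.0.2.30"]),
}

UNKNOWN = "UNKNOWN"     # no reverse mapping at all
PARANOID = "PARANOID"   # the two DNS directions disagree


def verify_client_name(addr: str,
                       reverse: Dict[str, str] = REVERSE_DNS,
                       forward: Dict[str, Tuple[str, List[str]]] = FORWARD_DNS) -> str:
    """Return the verified client host name, or UNKNOWN / PARANOID.

    Mirrors the manual page: take the name from the address->name lookup,
    resolve that name back with a name->address lookup, and accept it only
    if the returned name and the original address both agree.
    """
    name = reverse.get(addr)
    if name is None:
        return UNKNOWN
    fwd = forward.get(name)
    if fwd is None:
        return PARANOID                       # name does not resolve at all
    canonical, addresses = fwd
    if canonical.lower() != name.lower():
        return PARANOID                       # host name / name mismatch
    if addr not in addresses:
        return PARANOID                       # host name / address mismatch
    return name


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "203.0.113.5"):
        print(f"{client:>12} -> {verify_client_name(client)}")
```

           A result of PARANOID is what the PARANOID wildcard in the access control
           files matches when tcpd was not built with -DPARANOID.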
    
    HOST ADDRESS SPOOFING
           Optionally, tcpd disables source-routing socket options on every
           connection that it deals with. This will take care of most attacks from
           hosts that pretend to have an address that belongs to someone else's
           network. UDP services do not benefit from this protection. This feature
           must be turned on at compile time.
    
    RFC 931
           When RFC 931 etc. lookups are enabled (compile-time option) tcpd will
           attempt to establish the name of the client user. This will succeed
           only if the client host runs an RFC 931-compliant daemon. Client user
           name lookups will not work for datagram-oriented connections, and may
           cause noticeable delays in the case of connections from PCs.
    
           Warning: If the local system runs an RFC 931 server it is important
           that it be configured NOT to use TCP Wrappers, or that TCP Wrappers be
           configured to avoid RFC 931-based access control for this service. If
           you use usernames in the access control files, make sure that you have
           a hosts.allow entry that allows the RFC 931 service (often called
           "identd" or "auth") without any username restrictions. Failure to heed
           this warning can result in two hosts getting in an endless loop of
           consulting each other's identd services.
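           An added hosts.allow/hosts.deny fragment (not from this manual page)
           that follows the warning above and the ACCESS CONTROL and PARANOID
           sections: the RFC 931 service is admitted without any username pattern,
           and a client matching the PARANOID wildcard is logged through the shell
           command hook and refused. The daemon names identd, in.telnetd and
           in.rlogind, the domain .example.net and the logger path are assumptions
           and must be adjusted to the local process names and installation.

```text
# /etc/hosts.allow   (classic form: daemon_list : client_list [ : shell_command ])
# Admit the RFC 931 service from anywhere with no user@host pattern, so this
# host never consults the peer's identd to decide about the peer's identd query.
# "identd" is an assumed name: use the process name inetd runs for the service,
# which this page says is often "identd" or "auth".
identd : ALL
# Other services (assumed daemon names) only from one domain.
in.telnetd in.rlogind : .example.net

# /etc/hosts.deny
# A client whose address->name and name->address lookups disagree matches
# PARANOID (when tcpd was not built with -DPARANOID). Record it, then refuse.
# %h and %a are the hosts_access client host name and address substitutions.
ALL : PARANOID : /usr/bin/logger -p auth.notice "tcpd: paranoid client %h [%a]"
# Refuse everything not explicitly allowed above.
ALL : ALL
```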
    
    EXAMPLES
    ATTRIBUTES
           See attributes(5) for descriptions of the following attributes:
    
    
           +--------------------+-----------------+
           |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
           +--------------------+-----------------+
           |Availability        | SUNWtcpd        |
           +--------------------+-----------------+
           |Interface Stability | Committed       |
           +--------------------+-----------------+
    NOTES
           Source for tcp_wrappers is available in the SUNWtcpdS package.
    
    
    
    


© Lightnetics 2024