HP3000-L Archives

June 2000, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Wed, 21 Jun 2000 11:59:13 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (61 lines)

Tony Summers wrote:
>
> I have a grumble about INETD.

> It does not explain (except in passing) what the existing (internal)
> entries in the sample configuration files do.  I.e. Are these
> internal services optional or mandatory?  And what are the
> security risks associated with these internal services?

The sample that ships with 5.5 is (slightly edited):

> # Internet server configuration database
> #
> echo         stream tcp nowait MANAGER.SYS internal
> echo         dgram  udp nowait MANAGER.SYS internal
> daytime      stream tcp nowait MANAGER.SYS internal
> daytime      dgram  udp nowait MANAGER.SYS internal
> time         stream tcp nowait MANAGER.SYS internal
> time         dgram  udp nowait MANAGER.SYS internal
> discard      stream tcp nowait MANAGER.SYS internal
> discard      dgram  udp nowait MANAGER.SYS internal
> chargen      stream tcp nowait MANAGER.SYS internal
> chargen      dgram  udp nowait MANAGER.SYS internal
> #telnet       stream tcp nowait MANAGER.SYS internal
> #bootps       dgram  udp wait   MANAGER.SYS /SYS/NET/BOOTPD bootpd
> #tftp         dgram  udp wait   USER.TFTP /SYS/NET/TFTPD tftpd

All that is needed for telnet is to uncomment (remove the "#") from the
telnet line.  As for the others:

echo does just that: any data sent to the echo port is sent back to the
originator.  discard likewise does just that: it accepts data from
anything, then drops it in the bit bucket.  chargen generates an ASCII
stream of data until the connection is closed.  All 3 were originally
intended for debugging or checking connectivity at layer 4 (ping only
checks layer 3).

daytime gives you a human-readable timestamp, for example:
   Wed Jun 21 11:52:07 2000

time returns a binary timestamp (unix ctime(), I think).

These services have been known to be abused for denial of service or
general horseplay, for example, spoofing packets to link a chargen port
to an echo port, or other weirdness.  It is generally recommended that
these services be turned OFF unless you have a designated need.

In addition to this configuration file, an often overlooked facility is
the /usr/adm/inetd.sec file, which should be symlinked to INETDSEC.NET
(or vice versa).  You can restrict access to any of your inetd services
by setting up the allowed network ranges for each service, preventing
arbitrary connections.

Jeff Kell <[log in to unmask]>
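The audit below is an added example, not part of Jeff's post or of any HP tool. It parses an inetd configuration in the field layout shown in the sample above (service, socket type, protocol, wait/nowait, user, server, arguments), reports which of the five "small services" the post recommends disabling are still enabled, writes a hardened copy with those entries commented out, and re-enables a commented-out service (telnet in the post) by removing the leading "#". The configuration text is a constructed copy of the 5.5 sample quoted in the post; `SMALL_SERVICES`, `InetdEntry`, `harden` and `enable_service` are names chosen for this example.

```python
"""Audit an inetd configuration for the small services the post recommends disabling."""
from __future__ import annotations

from dataclasses import dataclass

# The five debugging services discussed in the post (example constant, not an HP name).
SMALL_SERVICES = frozenset({"echo", "discard", "chargen", "daytime", "time"})

# Constructed copy of the 5.5 sample quoted in the post, comment lines included.
SAMPLE_INETD_CONF = """\
# Internet server configuration database
#
echo         stream tcp nowait MANAGER.SYS internal
echo         dgram  udp nowait MANAGER.SYS internal
daytime      stream tcp nowait MANAGER.SYS internal
daytime      dgram  udp nowait MANAGER.SYS internal
time         stream tcp nowait MANAGER.SYS internal
time         dgram  udp nowait MANAGER.SYS internal
discard      stream tcp nowait MANAGER.SYS internal
discard      dgram  udp nowait MANAGER.SYS internal
chargen      stream tcp nowait MANAGER.SYS internal
chargen      dgram  udp nowait MANAGER.SYS internal
#telnet       stream tcp nowait MANAGER.SYS internal
#bootps       dgram  udp wait   MANAGER.SYS /SYS/NET/BOOTPD bootpd
#tftp         dgram  udp wait   USER.TFTP /SYS/NET/TFTPD tftpd
"""


@dataclass(frozen=True)
class InetdEntry:
    """One enabled line of the configuration, split into its fields."""
    service: str
    socket_type: str        # stream or dgram
    protocol: str           # tcp or udp
    wait: str               # wait or nowait
    user: str               # account the server runs as
    server: str             # "internal" or the program path
    args: tuple[str, ...]   # remaining fields, passed to the program


def parse_inetd_conf(text: str) -> list[InetdEntry]:
    """Return the enabled entries; blank lines and '#' comments are skipped."""
    entries: list[InetdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields, got {len(fields)}")
        entries.append(InetdEntry(*fields[:6], tuple(fields[6:])))
    return entries


def find_small_services(entries: list[InetdEntry]) -> list[tuple[str, str]]:
    """(service, protocol) pairs that are enabled and belong to the small services."""
    return sorted({(e.service, e.protocol) for e in entries if e.service in SMALL_SERVICES})


def harden(text: str, keep: frozenset[str] = frozenset()) -> str:
    """Comment out enabled small-service lines, except services listed in `keep`.

    Every other line, including existing comments, is copied through unchanged so
    the result can be diffed against the original.
    """
    out: list[str] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            service = stripped.split()[0]
            if service in SMALL_SERVICES and service not in keep:
                out.append("#" + raw)
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


def enable_service(text: str, service: str) -> str:
    """Remove the leading '#' from commented-out lines whose first field is `service`."""
    out: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#") and raw[1:].split()[:1] == [service]:
            out.append(raw[1:])
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def audit_report(text: str) -> list[str]:
    """Human-readable findings for the enabled small services in `text`."""
    findings = find_small_services(parse_inetd_conf(text))
    if not findings:
        return ["no small services enabled"]
    return [f"{svc}/{proto} enabled: comment out unless there is a designated need"
            for svc, proto in findings]


if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_INETD_CONF)))
    print(enable_service(harden(SAMPLE_INETD_CONF), "telnet"))
```

Running the block on the sample reports all ten echo/discard/chargen/daytime/time entries as enabled, then prints a configuration with those lines commented out and the telnet line uncommented, which is the end state the post describes. Restricting who may reach the services that remain is a separate step in the inetd.sec / INETDSEC.NET file the post mentions; this example does not model that file.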
