inetd.sec - optional security file for inetd
When inetd accepts a connection from a remote system, it checks the
address of the host requesting the service against the list of hosts
to be allowed or denied access to the specific service (see
inetd(1M)). The file inetd.sec allows the system administrator to
control which hosts (or networks in general) are allowed to use the
system remotely. This file constitutes an extra layer of security in
addition to the normal checks done by the services. It precedes the
security of the servers; that is, a server is not started by the
Internet daemon unless the host requesting the service is a valid host
according to inetd.sec.
If file /var/adm/inetd.sec does not exist, security is limited to that
implemented by the servers. inetd.sec and the directory /var/adm
should be writable only by their owners. Changes to inetd.sec apply
to any subsequent connections.
Lines in inetd.sec beginning with # are comments. Comments are not
allowed at the end of a line of data.
The lines in the file contain a service name, permission field, and
the Internet addresses or official names of the hosts and networks
allowed to use that service in the local host. The fields in each
line are as follows:
<service name> <allow|deny> <host/net addresses, host/net names>
service name is the name (not alias) of a valid service in file
/etc/services. The service name for RPC-based services (NFS) is the
name (not alias) of a valid service in file /etc/rpc. A service name
in /etc/rpc corresponds to a unique RPC program number.
allow|deny determines whether the list of remote hosts in the next
field is allowed or denied access to the specified service. Multiple
allow|deny lines for each service are not unsupported. If there are
multiple allow|deny lines for a particular service, all but the last
line are ignored.
Addresses and names are separated by white space. Any mix of
addresses and names is allowed. To continue a line, terminate it with
Host names and network names are the official names of the hosts or
networks as returned by gethostbyaddr() or getnetbynumber(),
respectively. Wildcard characters (*) and range characters (-) are
allowed. The * and the - can be present in any of the fields of the
address. An address field is a string of characters separated by a
Hewlett-Packard Company - 1 - HP-UX Release 11i: November 2000
Use a wildcard character to permit a whole network to communicate with
the local host without having to list all the hosts in that network.
For example, to allow all hosts with network addresses starting with a
10, as well as the single host with address 126.96.36.199 to use rlogin:
login allow 10.* 188.8.131.52
On a system running NFS, deny host 184.108.40.206 access to sprayd, an
sprayd deny 220.127.116.11
A range is a field containing a - character. To deny hosts in network
10 (arpa) with subnets 3 through 5 access to remsh:
shell deny 10.3-5.*
The following entry denies rlogin access to host cory.berkeley.edu,
any hosts on the network named testlan, and the host with internet
login deny 18.104.22.168 cory.berkeley.edu testlan
If a remote service is not listed in the security file, or if it is
listed but it is not followed by allow or deny, all remote hosts can
attempt to use it. Security is then provided by the service itself.
The following lines, if present in inetd.sec, allow or deny access to
the service indicated:
Allow all hosts to use ftp:
Deny all access to the shell service; i.e., remsh:
Allow access to the shell service by any host:
inetd.sec was developed by HP.
NFS was developed by Sun Microsystems, Inc.
Hewlett-Packard Company - 2 - HP-UX Release 11i: November 2000
inetd(1M), gethostent(3N), getnetent(3N), hosts(4), inetd.conf(4),
networks(4), protocols(4), rpc(4), services(4).
Hewlett-Packard Company - 3 - HP-UX Release 11i: November 2000