SUMMARY: Preventing "finger" request

Date: Wed Feb 12 1992 - 19:55:19 CST

I would like to thank everyone for their response to my info request:

-> We would like to stop finger requests from outside of our domain.


The most common response was:

Comment out the line for finger in /etc/inetd.conf and /etc/services,
then do kill -1 on inetd.

This isn't what I was looking for; it prevents finger requests from inside
the domain also.

The other responses are listed below:

Get the ftpd code from uunet. Modify the code so that incoming requests
must be in your domain. We run something here that we hacked up so that
any incoming finger request MUST have a username associated with it and that
information and the machine the request is coming from is logged.


If you are connected to the world through a router box, you could set up the
router to block traffic to the finger port (port 79 according to /etc/services).

If you have a cisco router and it is the gateway to your domain, you
can filter incoming finger requests. Put an entry in your cisco config
that looks like this:

access-list 135 deny tcp eq 79

However, if you don't have a cisco, you'll have to consult the manuals
for the router(s) you have for how they filter IP packets.



   Location: /pub/in.gate
       Directory drwxr-xr-x 00000512 1992 Jan 09 10:20:00 GMT in.gate

02 Host
    Location: /pub/in.gate/in.gate-1.01.shar
            File -r--r--r-- 00021281 1992 Jan 09 10:20:00 GMT in.gate-1.01.shar


     in.gate - security gate for inetd


in.gate server-program server-arguments

     in.gate allows control over which hosts are allowed to use
     services provided from inetd(8C).

     in.gate works by sitting between inetd(8C) and the server
     programs. inetd(8C) starts in.gate which then checks to see
     if the requesting host has permissions to use the service.
     If the host does have permissions then in.gate starts up the
     requested server, otherwise in.gate reports `Access denied'
     to the requesting host and exits.

     A syslog(8) entry is made for every request consisting of
     the host IP address who requested the service, the service
     requested, and whether or not access was granted.

     The access list for in.gate is stored in
     /etc/local/in.gate.conf .

     To allow telnet access to any host on network you
     would use:
               123.45.*.* in.telnetd yes

     To disable rsh for host use:
               92.333.1.2 in.rshelld no

     Allow finger use by network 45.678.0.0 between 8am and 5pm.
               45.678.*.* in.fingerd yes 08:00-17:00

     To limit telnet access to 9am-11am and 2pm-4pm use:
          *.*.*.* in.telnetd yes 09:00-11:00,14:00-16:00

     To limit use of rlogin to use:
               in.rlogind yes
               *.*.*.* in.rlogind no
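To make the in.gate.conf rules above concrete, here is an added example (my own code, not in.gate's) that evaluates a small constructed rule table of the same shape: host pattern with `*` octets, service name, yes/no, optional HH:MM-HH:MM windows. It assumes first matching rule wins, that an unmatched request is denied, and that a window's end time is exclusive; the in.gate excerpt does not state any of these.

```c
#include <stdio.h>
#include <string.h>

/* One in.gate.conf rule: host pattern, service, yes/no, optional time windows. */
struct rule { const char *host; const char *service; int allow; const char *times; };

/* Constructed rule table modelled on the man page examples (45.67 replaces 45.678). */
static const struct rule rules[] = {
    {"123.45.*.*", "in.telnetd", 1, ""},
    {"45.67.*.*",  "in.fingerd", 1, "08:00-17:00"},
    {"*.*.*.*",    "in.telnetd", 1, "09:00-11:00,14:00-16:00"},
    {"*.*.*.*",    "in.rlogind", 0, ""},
};

/* Octet-by-octet comparison; a '*' octet in the pattern matches anything. */
static int host_match(const char *pat, const char *addr)
{
    int i;
    for (i = 0; i < 4; i++) {
        const char *pe = strchr(pat, '.'), *ae = strchr(addr, '.');
        size_t pl = pe ? (size_t)(pe - pat) : strlen(pat);
        size_t al = ae ? (size_t)(ae - addr) : strlen(addr);
        if (pl == 0 || al == 0) return 0;
        if (!(pl == 1 && pat[0] == '*') && (pl != al || strncmp(pat, addr, pl) != 0))
            return 0;
        if (i < 3 && (!pe || !ae)) return 0;
        pat = pe ? pe + 1 : pat + pl;
        addr = ae ? ae + 1 : addr + al;
    }
    return 1;
}

/* Is minute-of-day m inside any "HH:MM-HH:MM" window? Empty list means always. */
static int time_match(const char *times, int m)
{
    int h1, m1, h2, m2, n;
    if (*times == '\0') return 1;
    while (sscanf(times, "%d:%d-%d:%d%n", &h1, &m1, &h2, &m2, &n) == 4) {
        if (m >= h1 * 60 + m1 && m < h2 * 60 + m2) return 1;   /* end exclusive (assumption) */
        times += n;
        if (*times != ',') break;
        times++;
    }
    return 0;
}

/* First matching rule decides; no matching rule denies (assumption). 1 = allow. */
int gate_decision(const char *addr, const char *service, int minute_of_day)
{
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (host_match(rules[i].host, addr) && strcmp(rules[i].service, service) == 0)
            return rules[i].allow && time_match(rules[i].times, minute_of_day);
    return 0;
}
```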


From outside of your domain? That's a little tricky. Try this: edit
your inetd.conf, and replace running /usr/etc/in.fingerd with
/usr/etc/in.locald (perhaps), which is the program below. It'll exit
if the connection's not from your local network. (It's Wietse Venema's
old tcp daemon whittled down to a stick.)

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Network number of the local network (134.68.0.0 here), as a host-order constant. */
#define LOCAL_NET 0x86440000

int main(int argc, char **argv)
{
    socklen_t length;
    struct sockaddr sa;
    struct sockaddr_in *sin = (struct sockaddr_in *) &sa;
    char path[256];

    (void)argc;

    /* inetd hands us the connection on stdin; no peer means nothing to serve. */
    length = sizeof(sa);
    if (getpeername(fileno(stdin), &sa, &length) < 0)
        exit(0);

    /* If they aren't in our network, skip 'em. */
    if ((sin->sin_addr.s_addr & LOCAL_NET) != LOCAL_NET)
        exit(0);

    /* Otherwise hand the connection to the real server of the same name. */
    snprintf(path, sizeof(path), "/usr/etc/%s", argv[0]);
    execv(path, argv);
    return 1;   /* execv only returns on failure */
}
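The test in the program above, `(s_addr & LOCAL_NET) != LOCAL_NET`, only checks that the bits set in LOCAL_NET are present, so an address in a different network that happens to share those bits (134.100.x.x against 134.68.0.0) is also treated as local, and comparing a host-order constant with the network-order `s_addr` only works on big-endian hosts such as the Suns of the day. The added example below (my own code, not the original poster's) does the same job with an explicit network and netmask and converts the peer address with `ntohl`; the /16 network and the `/usr/etc` server path are assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical local network 134.68.0.0/16, both values in host byte order. */
#define LOCAL_NET  0x86440000u
#define LOCAL_MASK 0xffff0000u

/* 1 when addr (host byte order) lies inside LOCAL_NET/LOCAL_MASK, else 0. */
int is_local_addr(uint32_t addr)
{
    return (addr & LOCAL_MASK) == (LOCAL_NET & LOCAL_MASK);
}

/* Same test on a dotted quad: 1 local, 0 remote, -1 unparsable. */
int is_local_text(const char *dotted)
{
    struct in_addr in;
    if (inet_pton(AF_INET, dotted, &in) != 1)
        return -1;
    return is_local_addr(ntohl(in.s_addr));
}

int main(int argc, char **argv)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    char path[256];

    (void)argc;
    /* inetd hands us the accepted connection on stdin; refuse anything else. */
    if (getpeername(STDIN_FILENO, (struct sockaddr *)&peer, &len) < 0
        || peer.sin_family != AF_INET
        || !is_local_addr(ntohl(peer.sin_addr.s_addr)))
        return 0;

    /* Allowed: hand the connection to the real server of the same name. */
    snprintf(path, sizeof path, "/usr/etc/%s", argv[0]);
    execv(path, argv);
    return 1;   /* execv only returns on failure */
}
```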


Get something like tcp_wrapper (available via anonymous ftp from which lets you put access control lists on inetd run services and configure it so that finger requests from outside your domain (or whatever list of hostnames you want) get rejected.

Get log_tcp. It's been posted to some of the sources groups on usenet. (I can mail a copy if you can't get it another way.)

You can allow/deny any TCP service. For example, I have things setup to allow finger from the local network, but not from the "outside" world. This is as easy as:

%> cat /etc/hosts.allow
# Services for rain-net only.
in.fingerd : LOCAL,,
in.named : LOCAL,,
in.routed : LOCAL,,
in.rwhod : LOCAL,,
nntpd : LOCAL,,
# Services for onion-net only.
in.uucpd : LOCAL,,


%> cat /etc/hosts.deny
ALL: TERMINUS.LCS.MIT.EDU
# Deny access to any host that is not given explicit access.
in.fingerd : ALL
in.named : ALL
in.routed : ALL
in.rwhod : ALL
nntpd : ALL
in.uucpd : ALL

It works quite well, and logs all valid connections as well.


**** tcp_wrapper and log_tcp are identical programs

I chose to use tcp_wrapper. It does exactly what I wanted to do. Although I will probably move to in.gate, as it is far more flexible.

My thanks to:

Fuat Baran, Jeff Beadles, Mark Mann, Eckhard Rueggeberg, Hermann Kuhn, Travis L Priest, Chris Peckham, John Stewart, John Warren, Jr., Karl A. Anderson, Craig Hunt, Gregory Higgins, Leonard E. Sitongia, Matt Crawford, Hanh Vu, Terry Rosenbaum, Wes Boudville, Mike Raffety, Andrew Scherpbier, John Stanley, Charles Greg Skinner, Kayvan Sylvan, Morry Katz, Anil Katakam, Dan Kegel, lyndon, Brendan Kehoe, and anyone that I might have forgotten.

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:36 CDT