I would like to thank everyone for their response to my info request:
CTRIBBET@INDYVAX.IUPUI.EDU writes:
->
-> We would like to stop finger requests from outside of our domain.
----------------
The most common response was:
Comment off the line for finger in /etc/inetd.conf and /etc/services,
then do kill -1 on inetd.
This isn't what I was looking for; it prevents finger requests from inside
the domain also.
The other responses are listed below:
Get the ftpd code from uunet. Modify the code so that incoming requests
must be in your domain. We run something here that we hacked up so that
any incoming finger request MUST have a username associated with it and that
information and the machine the request is coming from is logged.
-----------------------------
If you are connected to the world through a router box, you could set up the
router to block traffic to the finger port (port 79 according to /etc/services).
If you have a cisco router and it is the gateway to your domain, you
can filter incoming finger requests. Put an entry in your cisco config
that looks like this:
access-list 135 deny tcp 0.0.0.0 255.255.255.255 192.5.49.0 0.0.0.255 eq 79
However, if you don't have a cisco, you'll have to consult the manuals
for the router(s) you have for how they filter IP packets.
-------------------------------
Host cse.ogi.edu
Location: /pub/in.gate
Directory drwxr-xr-x 00000512 1992 Jan 09 10:20:00 GMT in.gate
Host cse.ogi.edu
Location: /pub/in.gate/in.gate-1.01.shar
File -r--r--r-- 00021281 1992 Jan 09 10:20:00 GMT in.gate-1.01.shar
IN.GATE(8)                MAINTENANCE COMMANDS                IN.GATE(8)

NAME
     in.gate - security gate for inetd

SYNOPSIS
     in.gate server-program server-arguments

DESCRIPTION
     in.gate allows control over which hosts are allowed to use
     services provided from inetd(8C).

     in.gate works by sitting between inetd(8C) and the server
     programs. inetd(8C) starts in.gate, which then checks to see
     if the requesting host has permission to use the service.
     If the host does have permission then in.gate starts up the
     requested server; otherwise in.gate reports `Access denied'
     to the requesting host and exits.

     A syslog(8) entry is made for every request, consisting of
     the IP address of the host which requested the service, the
     service requested, and whether or not access was granted.

     The access list for in.gate is stored in
     /etc/local/in.gate.conf.

EXAMPLE CONFIG
     To allow telnet access to any host on network 123.45.0.0 you
     would use:
          123.45.*.* in.telnetd yes

     To disable rsh for host 92.33.1.2 use:
          92.33.1.2 in.rshelld no

     To allow finger use by network 45.678.0.0 between 8am and 5pm:
          45.678.*.* in.fingerd yes 08:00-17:00

     To limit telnet access to 9am-11am and 2pm-4pm use:
          *.*.*.* in.telnetd yes 09:00-11:00,14:00-16:00

     To limit use of rlogin to 34.56.3.12 use:
          34.56.3.12 in.rlogind yes
          *.*.*.* in.rlogind no
------------------------------------------
From outside of your domain? That's a little tricky. Try this: edit
your inetd.conf, and replace running /usr/etc/in.fingerd with
/usr/etc/in.locald (perhaps), which is the program below. It'll exit
if the connection's not from your local network. (It's Wietse Venema's
old tcp daemon whittled down to a stick.)
--
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Local network and its netmask, host byte order. 0x86440000 is
 * 134.68.0.0, a class B, so the mask is 0xffff0000. The posted version
 * used LOCAL_NET as its own mask, which also let through unrelated
 * addresses whose bits happened to cover it. */
#define LOCAL_NET   0x86440000
#define LOCAL_MASK  0xffff0000

int
main(int argc, char **argv)
{
    socklen_t length;
    struct sockaddr_in sin;
    char path[256];

    /* inetd hands us the connected socket on stdin; ask who the peer is. */
    length = sizeof(sin);
    if (getpeername(fileno(stdin), (struct sockaddr *) &sin, &length) < 0)
        exit(0);

    /* If they aren't in our network, skip 'em. */
    if ((ntohl(sin.sin_addr.s_addr) & LOCAL_MASK) != LOCAL_NET)
        exit(0);

    /* Otherwise hand the connection to the real daemon named by argv[0]
     * (e.g. in.fingerd), with the same arguments inetd gave us. */
    snprintf(path, sizeof(path), "/usr/etc/%s", argv[0]);
    execv(path, argv);
    exit(1);    /* only reached if the exec failed */
}
---------------------------------------------------------
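As originally posted, in.locald's test is `(sin->sin_addr.s_addr & LOCAL_NET) != LOCAL_NET`, which uses the network number 0x86440000 (134.68.0.0) as its own mask, so any peer whose set address bits cover those of LOCAL_NET passes, not only 134.68.x.x. The following is an added example, not part of the posted program or of Wietse Venema's code, that runs that test and a properly masked one (134.68.0.0/16 is assumed from the posted constant) over constructed peer addresses:

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Assumed local network 134.68.0.0/16: the posted LOCAL_NET value
 * decodes to 134.68.0.0. Both constants are in host byte order. */
#define LOCAL_NET  0x86440000u
#define LOCAL_MASK 0xffff0000u

/* Dotted quad -> host-order integer; returns 0 on malformed input. */
static int parse_addr(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* The test as posted: the network number doubles as the mask, so any
 * address whose set bits include those of LOCAL_NET is accepted. */
int posted_is_local(uint32_t addr)
{
    return (addr & LOCAL_NET) == LOCAL_NET;
}

/* Corrected test: apply the real netmask, then compare. */
int masked_is_local(uint32_t addr)
{
    return (addr & LOCAL_MASK) == LOCAL_NET;
}

/* String front end: -1 on parse error, otherwise the check's 0/1. */
int check(const char *dotted, int (*fn)(uint32_t))
{
    uint32_t a;
    return parse_addr(dotted, &a) ? fn(a) : -1;
}

int main(void)
{
    /* Constructed sample peers: three pass the posted test, but only
     * the first is actually on 134.68/16. */
    const char *peers[] = { "134.68.1.10", "134.100.1.10", "199.70.5.5", "10.0.0.1" };
    for (int i = 0; i < 4; i++)
        printf("%-13s posted=%d masked=%d\n", peers[i],
               check(peers[i], posted_is_local), check(peers[i], masked_is_local));
    return 0;
}
```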
Get something like tcp_wrapper (available via anonymous ftp from cert.sei.cmu.edu) which lets you put access control lists on inetd run services and configure it so that finger requests from outside your domain (or whatever list of hostnames you want) get rejected.
Get log_tcp. It's been posted to some of the sources groups on usenet. (I can mail a copy if you can't get it another way.)
You can allow/deny any TCP service. For example, I have things set up to allow finger from the local network, but not from the "outside" world. This is as easy as:
%> cat /etc/hosts.allow
# Services for rain-net only.
in.fingerd : LOCAL, .rain.com, .psg.com
in.named : LOCAL, .rain.com, .psg.com
in.routed : LOCAL, .rain.com, .psg.com
in.rwhod : LOCAL, .rain.com, .psg.com
nntpd : LOCAL, .rain.com, .psg.com
# Services for onion-net only.
in.uucpd : LOCAL, onion.rain.com, neon.rain.com
And,
%> cat /etc/hosts.deny
ALL: TERMINUS.LCS.MIT.EDU
# Deny access to any host that is not given explicit access.
in.fingerd : ALL
in.named : ALL
in.routed : ALL
in.rwhod : ALL
nntpd : ALL
in.uucpd : ALL
It works quite well, and logs all valid connections as well.
--------------------------------------------------
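An added example, not from the post above and not tcp_wrapper/log_tcp's own code, that evaluates the posted hosts.allow and hosts.deny entries for finger and uucp the way the wrapper does: hosts.allow is consulted first, then hosts.deny, and a client matching neither is let through. The rule tables are transcribed from the listing; the client host names and the reading of LOCAL as "a name with no dot" are assumptions.

```c
#include <string.h>
#include <strings.h>

/* Constructed rule tables transcribed from the posted hosts.allow and
 * hosts.deny (finger and uucp lines). Evaluation order assumed as in
 * tcp_wrappers: hosts.allow first, then hosts.deny, otherwise allow. */
struct rule { const char *service; const char *clients; };
static const struct rule allow_rules[] = {
    { "in.fingerd", "LOCAL, .rain.com, .psg.com" },
    { "in.uucpd",   "LOCAL, onion.rain.com, neon.rain.com" },
};
static const struct rule deny_rules[] = {
    { "ALL", "TERMINUS.LCS.MIT.EDU" }, { "in.fingerd", "ALL" }, { "in.uucpd", "ALL" },
};

/* One client pattern of length n: ALL, LOCAL (a name with no dot),
 * a ".domain" suffix, or an exact host name (case-insensitive). */
static int pat_match(const char *pat, size_t n, const char *host)
{
    size_t hl = strlen(host);
    if (n == 3 && strncmp(pat, "ALL", 3) == 0) return 1;
    if (n == 5 && strncmp(pat, "LOCAL", 5) == 0) return strchr(host, '.') == NULL;
    if (pat[0] == '.') return hl > n && strncasecmp(host + hl - n, pat, n) == 0;
    return hl == n && strncasecmp(host, pat, n) == 0;
}

/* True if any pattern in the comma-separated client list matches host. */
static int list_match(const char *list, const char *host)
{
    for (size_t n = 0; *list; list += n) {
        list += strspn(list, ", ");
        n = strcspn(list, ", ");
        if (n > 0 && pat_match(list, n, host)) return 1;
    }
    return 0;
}

/* True if some rule for this service (or for ALL) lists the host. */
static int table_match(const struct rule *t, size_t cnt, const char *svc, const char *host)
{
    for (size_t i = 0; i < cnt; i++)
        if ((!strcmp(t[i].service, "ALL") || !strcmp(t[i].service, svc)) && list_match(t[i].clients, host))
            return 1;
    return 0;
}

/* Access decision for one connection: 1 = allow, 0 = deny. */
int hosts_ctl(const char *service, const char *host)
{
    if (table_match(allow_rules, 2, service, host)) return 1;
    return !table_match(deny_rules, 3, service, host);
}
```

Note that a service with no hosts.deny line at all (in.telnetd here) stays open to everyone, which is why the posted hosts.deny lists every wrapped daemon explicitly.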
**** tcp_wrapper and log_tcp are identical programs
I chose to use tcp_wrapper. It does exactly what I wanted to do, although I will probably move to in.gate, which is far more flexible.
My thanks to:
Fuat Baran, Jeff Beadles, Mark Mann, Eckhard Rueggeberg, Hermann Kuhn, Travis L Priest, Chris Peckham, John Stewart, John Warren, Jr., Karl A. Anderson, Craig Hunt, Gregory Higgins, Leonard E. Sitongia, Matt Crawford, Hanh Vu, Terry Rosenbaum, Wes Boudville, Mike Raffety, Andrew Scherpbier, John Stanley, Charles Greg Skinner, Kayvan Sylvan, Morry Katz, Anil Katakam, Dan Kegel, lyndon, Brendan Kehoe, and anyone that I might have forgotten.
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:36 CDT