SUMMARY: Preventing "finger" request

From: CTRIBBET@INDYVAX.IUPUI.EDU
Date: Wed Feb 12 1992 - 19:55:19 CST


I would like to thank everyone for their response to my info request:

CTRIBBET@INDYVAX.IUPUI.EDU writes:
->
-> We would like to stop finger requests from outside of our domain.

----------------

The most common response was:

Comment off the line for finger in /etc/inetd.conf and /etc/services,
then do kill -1 on inetd.

This isn't what I was looking for; it prevents finger requests from inside
the domain as well.

The other responses are listed below:

Get the ftpd code from uunet. Modify the code so that incoming requests
must be in your domain. We run something here that we hacked up so that
any incoming finger request MUST have a username associated with it and that
information and the machine the request is coming from is logged.

-----------------------------

If you are connected to the world through a router box, you could set up the
router to block traffic to the finger port (port 79 according to /etc/services).

If you have a cisco router and it is the gateway to your domain, you
can filter incoming finger requests. Put an entry in your cisco config
that looks like this:

access-list 135 deny tcp 0.0.0.0 255.255.255.255 192.5.49.0 0.0.0.255 eq 79

However, if you don't have a cisco, you'll have to consult the manuals
for the router(s) you have for how they filter IP packets.

-------------------------------

Host cse.ogi.edu

   Location: /pub/in.gate
       Directory drwxr-xr-x 00000512 1992 Jan 09 10:20:00 GMT in.gate

02 Host cse.ogi.edu
    Location: /pub/in.gate/in.gate-1.01.shar
            File -r--r--r-- 00021281 1992 Jan 09 10:20:00 GMT in.gate-1.01.shar

IN.GATE(8) MAINTENANCE COMMANDS IN.GATE(8)

NAME
     in.gate - security gate for inetd

SYNOPSIS

in.gate server-program server-arguments

DESCRIPTION
     in.gate allows control over which hosts are allowed to use
     services provided from inetd(8C).

     in.gate works by sitting between inetd(8C) and the server
     programs. inetd(8C) starts in.gate which then checks to see
     if the requesting host has permissions to use the service.
     If the host does have permissions then in.gate starts up the
     requested server, otherwise in.gate reports `Access denied'
     to the requesting host and exits.

     A syslog(8) entry is made for every request consisting of
     the host IP address who requested the service, the service
     requested, and whether or not access was granted.

     The access list for in.gate is stored in
     /etc/local/in.gate.conf .

EXAMPLE CONFIG
     To allow telnet access to any host on network 123.45.0.0 you
     would use:
               123.45.*.* in.telnetd yes

     To disable rsh for host 92.33.1.2 use:
               92.33.1.2 in.rshelld no

     Allow finger use by network 45.678.0.0 between 8am and 5pm.
               45.678.*.* in.fingerd yes 08:00-17:00

     To limit telnet access to 9am-11am and 2pm-4pm use:
          *.*.*.* in.telnetd yes 09:00-11:00,14:00-16:00

     To limit use of rlogin to 34.56.3.12 use:
               34.56.3.12 in.rlogind yes
               *.*.*.* in.rlogind no
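The in.gate.conf format above is small enough to evaluate by hand, but the interaction of wildcard networks, first-match ordering and time windows is where mistakes creep in. The following is an added example, not in.gate's own code: a Python evaluator for the rule format shown in the man page, under the assumed semantics that the first rule matching both the address and the server decides, that a "yes" with a time window only grants inside that window, and that no matching rule means deny (the sample config is constructed; the man page's 45.678.*.* is written 45.67.*.* so every octet is valid).

```python
from datetime import time

# Constructed sample in the in.gate.conf format shown in the man page
# (octets kept valid; the man page's 45.678.*.* becomes 45.67.*.*).
SAMPLE_CONF = """\
123.45.*.*  in.telnetd  yes
92.33.1.2   in.rshd     no
45.67.*.*   in.fingerd  yes 08:00-17:00
*.*.*.*     in.telnetd  yes 09:00-11:00,14:00-16:00
34.56.3.12  in.rlogind  yes
*.*.*.*     in.rlogind  no
"""

def _ip_matches(pattern, addr):
    """Octet-wise match; '*' in the pattern matches any octet."""
    pat, octs = pattern.split("."), addr.split(".")
    return len(pat) == 4 == len(octs) and all(p in ("*", o) for p, o in zip(pat, octs))

def _parse_windows(spec):
    """'08:00-17:00,14:00-16:00' -> [(time(8,0), time(17,0)), (time(14,0), time(16,0))]"""
    windows = []
    for rng in spec.split(","):
        start, end = (time(*map(int, t.split(":"))) for t in rng.split("-"))
        windows.append((start, end))
    return windows

def parse_conf(text):
    """Return rules as (ip_pattern, server, allow, windows_or_None), in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        windows = _parse_windows(fields[3]) if len(fields) > 3 else None
        rules.append((fields[0], fields[1], fields[2].lower() == "yes", windows))
    return rules

def allowed(rules, addr, server, now):
    """First rule matching (addr, server) decides (assumed semantics);
    a 'yes' with a time window only grants inside it; no match = deny."""
    for pattern, srv, allow, windows in rules:
        if srv != server or not _ip_matches(pattern, addr):
            continue
        if allow and windows and not any(s <= now <= e for s, e in windows):
            return False
        return allow
    return False

RULES = parse_conf(SAMPLE_CONF)
```

Note that with first-match ordering the catch-all `*.*.*.* in.rlogind no` line must come after the specific `34.56.3.12` line, exactly as the man page writes it.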

------------------------------------------

From outside of your domain? That's a little tricky. Try this: edit
your inetd.conf, and replace running /usr/etc/in.fingerd with
/usr/etc/in.locald (perhaps), which is the program below. It'll exit
if the connection's not from your local network. (It's Wietse Venema's
old tcp daemon whittled down to a stick.)

--
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Local network in host byte order: 0x86440000 is 134.68.0.0, and the
 * mask selects the /16 so that only 134.68.x.x passes (the original
 * compared with (addr & LOCAL_NET) != LOCAL_NET, which also let through
 * any address whose first two octets merely had those bits set). */
#define LOCAL_NET  0x86440000UL
#define LOCAL_MASK 0xFFFF0000UL

int
main(int argc, char **argv)
{
    struct sockaddr_in sin;
    socklen_t length = sizeof(sin);
    char path[256];

    /* inetd hands us the connected socket on stdin. */
    if (getpeername(fileno(stdin), (struct sockaddr *) &sin, &length) < 0)
        exit(0);

    /* If they aren't in our network, skip 'em. */
    if ((ntohl(sin.sin_addr.s_addr) & LOCAL_MASK) != LOCAL_NET)
        exit(0);

    /* Otherwise run the real server; inetd passes its name as argv[0]. */
    snprintf(path, sizeof(path), "/usr/etc/%s", argv[0]);
    execv(path, argv);
    exit(1);            /* only reached if execv failed */
}

---------------------------------------------------------

Get something like tcp_wrapper (available via anonymous ftp from cert.sei.cmu.edu) which lets you put access control lists on inetd run services and configure it so that finger requests from outside your domain (or whatever list of hostnames you want) get rejected.

Get log_tcp. It's been posted to some of the sources groups on usenet. (I can mail a copy if you can't get it another way.)

You can allow/deny any TCP service. For example, I have things setup to allow finger from the local network, but not from the "outside" world. This is as easy as:

%> cat /etc/hosts.allow
# Services for rain-net only.
in.fingerd : LOCAL, .rain.com, .psg.com
in.named : LOCAL, .rain.com, .psg.com
in.routed : LOCAL, .rain.com, .psg.com
in.rwhod : LOCAL, .rain.com, .psg.com
nntpd : LOCAL, .rain.com, .psg.com
# Services for onion-net only.
in.uucpd : LOCAL, onion.rain.com, neon.rain.com

And,

%> cat /etc/hosts.deny
ALL: TERMINUS.LCS.MIT.EDU
# Deny access to any host that is not given explicit access.
in.fingerd : ALL
in.named : ALL
in.routed : ALL
in.rwhod : ALL
nntpd : ALL
in.uucpd : ALL

It works quite well, and logs all valid connections as well.
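To see how the hosts.allow / hosts.deny pair above actually decides a connection, here is an added example that is not tcp_wrapper's own code: a Python model of its evaluation order (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise the connection is permitted) using only the wildcards the post relies on, namely ALL, LOCAL (a hostname with no dot), a leading-dot domain suffix and an exact hostname. The two files are a constructed subset of the post's, and the client hostnames in the checks are made up.

```python
# Constructed subset of the hosts.allow / hosts.deny shown in the post.
HOSTS_ALLOW = """\
# Services for rain-net only.
in.fingerd : LOCAL, .rain.com, .psg.com
nntpd : LOCAL, .rain.com, .psg.com
# Services for onion-net only.
in.uucpd : LOCAL, onion.rain.com, neon.rain.com
"""

HOSTS_DENY = """\
ALL: TERMINUS.LCS.MIT.EDU
# Deny access to any host that is not given explicit access.
in.fingerd : ALL
nntpd : ALL
in.uucpd : ALL
"""

def _parse(text):
    """Yield (daemon_list, client_list) per rule, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.split(",") for part in line.split(":", 1))
        yield [d.strip() for d in daemons], [c.strip() for c in clients]

def _client_matches(pattern, host):
    """ALL, LOCAL (no dot in hostname), '.domain' suffix, or exact hostname."""
    host, pattern = host.lower(), pattern.lower()
    if pattern == "all":
        return True
    if pattern == "local":
        return "." not in host
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern

def _matches(text, daemon, host):
    return any(any(d == daemon or d.upper() == "ALL" for d in daemons)
               and any(_client_matches(p, host) for p in clients)
               for daemons, clients in _parse(text))

def access_granted(daemon, host, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: allow file first, then deny file, else permit."""
    if _matches(allow, daemon, host):
        return True
    return not _matches(deny, daemon, host)
```

The last check in the test below shows the caveat that follows from this order: a service that appears in neither file stays reachable from anywhere, so every wrapped service wants a line in hosts.deny as the post's author did.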

--------------------------------------------------

**** tcp_wrapper and log_tcp are identical programs

I chose to use tcp_wrapper. It does exactly what I wanted to do, although I will probably move to in.gate, as it is far more flexible.

My thanks to:

Fuat Baran Jeff Beadles Mark Mann Eckhard Rueggeberg Hermann Kuhn Travis L Priest Chris Peckham John Stewart John Warren, Jr. Karl A. Anderson Craig Hunt Gregory Higgins Leonard E. Sitongia Matt Crawford Hanh Vu Terry Rosenbaum Wes Boudville Mike Raffety Andrew Scherpbier John Stanley Charles Greg Skinner Kayvan Sylvan Morry Katz Anil Katakam Dan Kegel lyndon Brendan Kehoe Anyone that I might have forgotten



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:36 CDT