path: root/contrib/tcp_wrappers/tcpd.8
Diffstat (limited to 'contrib/tcp_wrappers/tcpd.8')
-rw-r--r-- contrib/tcp_wrappers/tcpd.8 | 178
1 files changed, 0 insertions, 178 deletions
diff --git a/contrib/tcp_wrappers/tcpd.8 b/contrib/tcp_wrappers/tcpd.8
deleted file mode 100644
index 351390714be1..000000000000
--- a/contrib/tcp_wrappers/tcpd.8
+++ /dev/null
@@ -1,178 +0,0 @@
-.TH TCPD 8
-.SH NAME
-tcpd \- access control facility for internet services
-.SH DESCRIPTION
-.PP
-The \fItcpd\fR program can be set up to monitor incoming requests for
-\fItelnet\fR, \fIfinger\fR, \fIftp\fR, \fIexec\fR, \fIrsh\fR,
-\fIrlogin\fR, \fItftp\fR, \fItalk\fR, \fIcomsat\fR and other services
-that have a one-to-one mapping onto executable files.
-.PP
-The program supports both 4.3BSD-style sockets and System V.4-style
-TLI. Functionality may be limited when the protocol underneath TLI is
-not an internet protocol.
-.PP
-Operation is as follows: whenever a request for service arrives, the
-\fIinetd\fP daemon is tricked into running the \fItcpd\fP program
-instead of the desired server. \fItcpd\fP logs the request and does
-some additional checks. When all is well, \fItcpd\fP runs the
-appropriate server program and goes away.
-.PP
-Optional features are: pattern-based access control, client username
-lookups with the RFC 931 etc. protocol, protection against hosts that
-pretend to have someone elses host name, and protection against hosts
-that pretend to have someone elses network address.
-.SH LOGGING
-Connections that are monitored by
-.I tcpd
-are reported through the \fIsyslog\fR(3) facility. Each record contains
-a time stamp, the client host name and the name of the requested
-service. The information can be useful to detect unwanted activities,
-especially when logfile information from several hosts is merged.
-.PP
-In order to find out where your logs are going, examine the syslog
-configuration file, usually /etc/syslog.conf.
-.SH ACCESS CONTROL
-Optionally,
-.I tcpd
-supports a simple form of access control that is based on pattern
-matching. The access-control software provides hooks for the execution
-of shell commands when a pattern fires. For details, see the
-\fIhosts_access\fR(5) manual page.
-.SH HOST NAME VERIFICATION
-The authentication scheme of some protocols (\fIrlogin, rsh\fR) relies
-on host names. Some implementations believe the host name that they get
-from any random name server; other implementations are more careful but
-use a flawed algorithm.
-.PP
-.I tcpd
-verifies the client host name that is returned by the address->name DNS
-server by looking at the host name and address that are returned by the
-name->address DNS server. If any discrepancy is detected,
-.I tcpd
-concludes that it is dealing with a host that pretends to have someone
-elses host name.
-.PP
-If the sources are compiled with -DPARANOID,
-.I tcpd
-will drop the connection in case of a host name/address mismatch.
-Otherwise, the hostname can be matched with the \fIPARANOID\fR wildcard,
-after which suitable action can be taken.
-.SH HOST ADDRESS SPOOFING
-Optionally,
-.I tcpd
-disables source-routing socket options on every connection that it
-deals with. This will take care of most attacks from hosts that pretend
-to have an address that belongs to someone elses network. UDP services
-do not benefit from this protection. This feature must be turned on
-at compile time.
-.SH RFC 931
-When RFC 931 etc. lookups are enabled (compile-time option) \fItcpd\fR
-will attempt to establish the name of the client user. This will
-succeed only if the client host runs an RFC 931-compliant daemon.
-Client user name lookups will not work for datagram-oriented
-connections, and may cause noticeable delays in the case of connections
-from PCs.
-.SH EXAMPLES
-The details of using \fItcpd\fR depend on pathname information that was
-compiled into the program.
-.SH EXAMPLE 1
-This example applies when \fItcpd\fR expects that the original network
-daemons will be moved to an "other" place.
-.PP
-In order to monitor access to the \fIfinger\fR service, move the
-original finger daemon to the "other" place and install tcpd in the
-place of the original finger daemon. No changes are required to
-configuration files.
-.nf
-.sp
-.in +5
-# mkdir /other/place
-# mv /usr/etc/in.fingerd /other/place
-# cp tcpd /usr/etc/in.fingerd
-.fi
-.PP
-The example assumes that the network daemons live in /usr/etc. On some
-systems, network daemons live in /usr/sbin or in /usr/libexec, or have
-no `in.\' prefix to their name.
-.SH EXAMPLE 2
-This example applies when \fItcpd\fR expects that the network daemons
-are left in their original place.
-.PP
-In order to monitor access to the \fIfinger\fR service, perform the
-following edits on the \fIinetd\fR configuration file (usually
-\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR):
-.nf
-.sp
-.ti +5
-finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
-.sp
-becomes:
-.sp
-.ti +5
-finger stream tcp nowait nobody /some/where/tcpd in.fingerd
-.sp
-.fi
-.PP
-The example assumes that the network daemons live in /usr/etc. On some
-systems, network daemons live in /usr/sbin or in /usr/libexec, the
-daemons have no `in.\' prefix to their name, or there is no userid
-field in the inetd configuration file.
-.PP
-Similar changes will be needed for the other services that are to be
-covered by \fItcpd\fR. Send a `kill -HUP\' to the \fIinetd\fR(8)
-process to make the changes effective. AIX users may also have to
-execute the `inetimp\' command.
-.SH EXAMPLE 3
-In the case of daemons that do not live in a common directory ("secret"
-or otherwise), edit the \fIinetd\fR configuration file so that it
-specifies an absolute path name for the process name field. For example:
-.nf
-.sp
- ntalk dgram udp wait root /some/where/tcpd /usr/local/lib/ntalkd
-.sp
-.fi
-.PP
-Only the last component (ntalkd) of the pathname will be used for
-access control and logging.
-.SH BUGS
-Some UDP (and RPC) daemons linger around for a while after they have
-finished their work, in case another request comes in. In the inetd
-configuration file these services are registered with the \fIwait\fR
-option. Only the request that started such a daemon will be logged.
-.PP
-The program does not work with RPC services over TCP. These services
-are registered as \fIrpc/tcp\fR in the inetd configuration file. The
-only non-trivial service that is affected by this limitation is
-\fIrexd\fR, which is used by the \fIon(1)\fR command. This is no great
-loss. On most systems, \fIrexd\fR is less secure than a wildcard in
-/etc/hosts.equiv.
-.PP
-RPC broadcast requests (for example: \fIrwall, rup, rusers\fR) always
-appear to come from the responding host. What happens is that the
-client broadcasts the request to all \fIportmap\fR daemons on its
-network; each \fIportmap\fR daemon forwards the request to a local
-daemon. As far as the \fIrwall\fR etc. daemons know, the request comes
-from the local host.
-.SH FILES
-.PP
-The default locations of the host access control tables are:
-.PP
-/etc/hosts.allow
-.br
-/etc/hosts.deny
-.SH SEE ALSO
-.na
-.nf
-hosts_access(5), format of the tcpd access control tables.
-syslog.conf(5), format of the syslogd control file.
-inetd.conf(5), format of the inetd control file.
-.SH AUTHORS
-.na
-.nf
-Wietse Venema (wietse@wzv.win.tue.nl),
-Department of Mathematics and Computing Science,
-Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513,
-5600 MB Eindhoven, The Netherlands
-\" @(#) tcpd.8 1.5 96/02/21 16:39:16
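Review bot: The hunk deletes the whole tcpd(8) manual page, but the diffstat is limited to this one file, so the commit should state whether the tcpd binary and the rest of contrib/tcp_wrappers are removed alongside it; a man page dropped while the program is still shipped leaves the PARANOID host-name check, the source-routing protection and the RFC 931 lookup documented nowhere, and a program dropped with the page leaves /etc/hosts.allow and /etc/hosts.deny (the FILES section) silently unread. The removed page's own SEE ALSO points at hosts_access(5), syslog.conf(5) and inetd.conf(5); please confirm that the surviving pages which cross-reference tcpd(8) in the other direction, and any install list or makefile that names tcpd.8, are updated in the same change, and that the release notes tell operators relying on the hosts_access tables what replaces them.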