HP-UX Internet Services Administrator's Guide (May 2010)

For more information on the access control language and ACL options, type man 5
hosts_access or man 5 hosts_options at the HP-UX prompt.
Host Name/Address Spoofing
tcpd prevents a host that pretends to be a legitimate host from accessing services. If
any discrepancy is identified in the client address or name, the wrapper program denies
access to that host and logs the information. tcpd also disables the source-routing
socket options on all the host’s connections. This protection mechanism benefits UDP
services.
Client User Name Lookup
tcpd determines the identity of a client requesting a particular TCP connection using
the RFC 931 (Authentication Server) protocol. By default, the client user name lookup
is disabled in the /etc/tcpd.conf configuration file. If you enable client user name
lookup in the configuration file, tcpd assumes that the client requesting the service
runs an RFC 931-compliant daemon, such as IDENT.
Trap Setting
This feature allows you to trigger appropriate action on the host depending on the
number of denied connection attempts. For example, the following rule in the
/etc/hosts.deny file denies access to all hosts, and notifies root by mail when a remote host
attempts to access the TFTP server:
tftpd:ALL:spawn (/usr/bin/safe_finger -l @%h 2>&1 | mailx -s "remote tftp attempt" root)
Banner Message
This feature provides a mechanism to send a message when an ACL rule is included
in an access control file. For example, the following rule in the /etc/hosts.deny file
sends the message in the telnetd file placed in the /tmp/banner directory, and
denies access to a request from any host whose address starts with 192.5.2:
telnetd:192.5.2.:banners /tmp/banner
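The following added example (not part of the original guide and not tcpd's own code) is a simplified Python model of how the Trap Setting and Banner Message rules above are matched against a request and which action each one triggers. It covers only /etc/hosts.deny and a subset of the hosts_access(5) patterns; the rules are written with hosts_options(5) spacing and quoting, the client values used with it are constructed, and the character filter only approximates the one tcpd applies to % expansions.

```python
import re

# The two rules from the sections above, as lines of /etc/hosts.deny.
HOSTS_DENY = r'''
tftpd:ALL:spawn (/usr/bin/safe_finger -l @%h 2>&1 | mailx -s "remote tftp attempt" root)
telnetd:192.5.2.:banners /tmp/banner
'''

def client_matches(pattern, addr, name=None):
    """Simplified subset of hosts_access(5) client patterns."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # address prefix, e.g. "192.5.2."
        return addr.startswith(pattern)
    if pattern.startswith("."):      # domain suffix
        return name is not None and name.endswith(pattern)
    return pattern in (addr, name)

def expand(text, addr, name, daemon):
    """Expand %h, %a and %d. Characters that could confuse the shell are
    replaced with '_' (approximation of tcpd's filter, an assumption)."""
    values = {"h": name or addr, "a": addr, "d": daemon}
    def sub(m):
        return re.sub(r"[^A-Za-z0-9_.:@-]", "_", values[m.group(1)])
    return re.sub(r"%([had])", sub, text)

def evaluate(rules, daemon, addr, name=None):
    """Return (denied, actions) for the first hosts.deny rule that matches."""
    for line in rules.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # Fields are colon-separated; "\:" is an escaped colon inside an option.
        fields = [f.strip() for f in re.split(r"(?<!\\):", line)]
        daemons, clients, options = fields[0], fields[1], fields[2:]
        if not any(d in ("ALL", daemon) for d in re.split(r"[\s,]+", daemons)):
            continue
        if not any(client_matches(c, addr, name) for c in re.split(r"[\s,]+", clients)):
            continue
        actions = []
        for opt in options:
            keyword, _, arg = opt.partition(" ")
            if keyword == "spawn":
                actions.append(("spawn", expand(arg, addr, name, daemon)))
            elif keyword == "banners":
                # The banner file is named after the daemon inside the directory.
                actions.append(("banner", arg.strip() + "/" + daemon))
        return True, actions
    return False, []
```

The trailing dot in 192.5.2. matters: the pattern matches 192.5.2.17 but not 192.5.20.17.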
TCP Wrappers Files
The TCP Wrappers product suite contains the following files:
The tcpd Daemon
The libwrap.a Library API
The tcpdchk Tool
The tcpdmatch Tool
The try-from Utility
The safe_finger Program