Setup TCP Wrappers on AIX
Contents
- Introduction
- What has to be installed?
- What has to be configured?
- Restart the Internet Superdaemon
- Interference with sshd
- Related Information
1. Introduction
TCP wrappers help you to get some control over insecure services such as telnet, ftp, etc.
Standard on Linux for a long time, AIX was always lacking official support for TCP wrappers.
But starting with AIX 6.1, IBM ships TCP wrappers with the official AIX DVD/CD set.
2. What has to be installed?
You have to install the fileset 'netsec.options' from the AIX Expansion DVD.
The fileset can be found on the AIX 6.1 Expansion DVD.
Although you find the netsec.options fileset on AIX 6.1 media, it is also suitable for AIX 5.3.
3. What has to be configured?
(1) /etc/inetd.conf
To configure telnet with TCP wrappers, change the default telnet line in /etc/inetd.conf from
telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a
to
telnet stream tcp6 nowait root /usr/sbin/tcpd telnetd -a
(2) /etc/hosts.deny
Typically you deny access to the system completely here:
aix# vi /etc/hosts.deny
# deny access through tcpwrapper
# ===============================
# default policy: no access
ALL : ALL : severity auth.info
With the above policy, every telnet connection attempt refused by this rule is passed to the syslog
daemon with severity auth.info. Where the log messages actually end up depends on your
/etc/syslog.conf.
(3) /etc/hosts.allow
Now explicitly allow only specific hosts or networks access:
aix# vi /etc/hosts.allow
telnetd: LOCAL .mydomain.net
The example allows all local hosts (host names without a dot) and all hosts from the domain 'mydomain.net' to telnet to the system. You could also limit the access to single IP addresses:
aix# vi /etc/hosts.allow
telnetd: 111.111.111.111 111.111.111.114
4. Restart the Internet Superdaemon
aix# refresh -s inetd
0513-095 The request for subsystem refresh was completed successfully.
You can check that telnet is now wrapped by tcpd:
aix# lssrc -l -s inetd
Subsystem         Group            PID          Status
 inetd            tcpip            401640       active
Debug             Not active
Signal        Purpose
 SIGALRM       Establishes socket connections for failed services.
 SIGHUP        Rereads the configuration database and reconfigures services.
 SIGCHLD       Restarts the service in case the service ends abnormally.
Service       Command                     Description   Status
 telnet        /usr/sbin/tcpd telnetd -a                 active
5. Interference with sshd
Although sshd is not passed through the TCP wrapper, it reads the same host access files. With the changes described
here sshd would block all connections. You need to add an extra line to hosts.allow for sshd.
If you want to allow connections from everywhere, add the following line to /etc/hosts.allow:
sshd: ALL
Of course you can limit access to sshd the same way as for the services passed through the TCP wrappers described earlier in this article.
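To check what the hosts.allow/hosts.deny rules from sections 3 and 5 actually decide for a given client before you restart inetd, here is an added Python evaluator (my own example, not code from this article or from AIX's tcpd). It assumes the simplified matching rules a reader needs for this page (no reverse-lookup checks, no EXCEPT clauses, option fields ignored), and the file contents are constructed from the examples above.

```python
# Added example (not from the article): a small evaluator of the
# hosts.allow / hosts.deny rules from sections 3 and 5, following the
# order tcpd uses: first match in hosts.allow grants, then first match
# in hosts.deny refuses, otherwise access is granted.

HOSTS_ALLOW = """\
telnetd: LOCAL .mydomain.net
sshd: ALL
"""
HOSTS_DENY = """\
# default policy: no access
ALL : ALL : severity auth.info
"""

def parse_rules(text):
    """Return [(daemon_list, client_list)]; trailing option fields are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1].split()))
    return rules

def client_matches(pattern, host, addr):
    """Match one client pattern against a host name and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # host name without a dot
        return "." not in host
    if pattern.startswith("."):       # domain suffix, e.g. .mydomain.net
        return host.endswith(pattern)
    if pattern.endswith("."):         # network prefix, e.g. 111.111.111.
        return addr.startswith(pattern)
    return pattern in (host, addr)    # exact host name or address

def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (("ALL" in daemons or daemon in daemons)
            and any(client_matches(p, host, addr) for p in clients))

def access_granted(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if tcpd (or sshd) would accept the connection under these files."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(deny)):
        return False
    return True                       # no match in either file: allowed
```

Note that with the ALL : ALL line in hosts.deny, any daemon you forget to list in hosts.allow (ftpd, for example) is refused, which is exactly why the sshd line in section 5 is needed.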
6. Related Information