
20010205: Security of McIDAS ADDE and LDM



>From: Erick Lorenz <address@hidden>
>Organization: UC Davis
>Keywords: 200102020159.f121xaX03428 security

Erick,

re: ADDE uses ports 500 and 503

The topic is setting up TCP wrappers for the ports that McIDAS ADDE
uses for data transfers.

>My man page for hosts.allow and hosts.deny describes an entry as being of
>the form:
>
>        <daemon_list> : <client_list> : [ <shell_command> ]
>
>e.g.
>
>       in_ftpd in_telnetd : 192.192.
>
>I am not sure how to designate a port number in this syntax. (but then
>I am rather fuzzy on the whole issue of ports anyway)

The designation of a port is indirect.  The port is picked up by
virtue of the service-port pair in /etc/services.  For McIDAS ADDE
this will look like:

mcserv          500/tcp
mccompress      503/tcp

You might think, therefore, that the hosts.allow line would look
something like:

mcserv: 192.192.

**but it doesn't**  Instead, the single entry in hosts.allow that will
specify the list of IPs allowed to connect using either port that McIDAS
ADDE communicates on is:

mcservsh:       <IP mask/list>

The revised /etc/inetd.conf entry that sets up use of TCP wrappers is:

mcserv      stream  tcp nowait  mcadde  /usr/sbin/tcpd  /home/mcidas/bin/mcservsh -H /home/mcidas
mccompress  stream  tcp nowait  mcadde  /usr/sbin/tcpd  /home/mcidas/bin/mcservsh -H /home/mcidas

From these entries it is more clear that the service you are telling the
TCP wrappers to control is mcservsh:

/usr/sbin/tcpd  /home/mcidas/bin/mcservsh
           ^                       ^______ the service to control
           |______________________________ the TCP wrapper


So, if you are setting up TCP wrappers on your machine for McIDAS ADDE,
you will need to modify both /etc/inetd.conf (and then send inetd a
HUP signal) and /etc/hosts.allow.

Please let me know if my explanation is satisfactory.  If it isn't (I am
no expert either), I will get our system administrator to provide the
correct (:-) explanation.

Tom

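The point of the message above is that the name tcpd matches against hosts.allow is the basename of the server program given after /usr/sbin/tcpd in inetd.conf (mcservsh), not the service name from /etc/services (mcserv, mccompress). The following shell script is an added example, not code from the Unidata message or from McIDAS: it derives the wrapped daemon name from the two inetd.conf entries shown above and then walks a constructed hosts.allow / hosts.deny pair in tcpd's order (hosts.allow first, then hosts.deny, otherwise allow). The file contents are constructed inline, the paths are assumptions, and only the ALL, exact-address and trailing-dot network-prefix client patterns are modelled.

```shell
#!/bin/sh
# Added example (not from the Unidata message or McIDAS): model how tcpd derives
# the daemon name from an inetd.conf line and how hosts.allow / hosts.deny are
# consulted for that daemon.  All file contents below are constructed; the
# /home/mcidas paths are assumptions carried over from the message.

# Constructed inetd.conf entries.  Field 6 is the program inetd runs (tcpd);
# field 7 becomes argv[0] of tcpd's child, and its basename is the daemon name.
INETD_CONF='mcserv      stream  tcp nowait  mcadde  /usr/sbin/tcpd  /home/mcidas/bin/mcservsh -H /home/mcidas
mccompress  stream  tcp nowait  mcadde  /usr/sbin/tcpd  /home/mcidas/bin/mcservsh -H /home/mcidas'

# Constructed access tables: allow one network, deny everything else.
HOSTS_ALLOW='mcservsh: 192.192.'
HOSTS_DENY='mcservsh: ALL'

# wrapped_daemon SERVICE: print the daemon name tcpd will look up for SERVICE
wrapped_daemon() {
    printf '%s\n' "$INETD_CONF" | awk -v svc="$1" '
        $1 == svc && $6 ~ "/tcpd$" { n = split($7, p, "/"); print p[n]; exit }'
}

# daemon_in_list DAEMON LIST: true if DAEMON or ALL appears in the daemon_list
daemon_in_list() {
    for tok in $2; do
        if [ "$tok" = ALL ] || [ "$tok" = "$1" ]; then return 0; fi
    done
    return 1
}

# client_in_list IP LIST: true if IP matches a client_list token.  Modelled
# patterns: ALL, an exact address, or a prefix ending in '.' such as 192.192.
client_in_list() {
    for tok in $2; do
        case "$tok" in
            ALL) return 0 ;;
            *.)  case "$1" in "$tok"*) return 0 ;; esac ;;
            *)   if [ "$tok" = "$1" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# table_grants TABLE DAEMON IP: true if some "daemon_list : client_list" line
# in TABLE matches both DAEMON and IP (a trailing shell_command field is ignored)
table_grants() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            dlist=${line%%:*}
            rest=${line#*:}
            clist=${rest%%:*}
            if daemon_in_list "$2" "$dlist" && client_in_list "$3" "$clist"; then
                exit 0
            fi
        done
        exit 1
    }
}

# access_decision DAEMON IP: print allow or deny in tcpd's evaluation order
access_decision() {
    if table_grants "$HOSTS_ALLOW" "$1" "$2"; then
        echo allow
    elif table_grants "$HOSTS_DENY" "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

# Usage: both services resolve to the same daemon name, so one hosts.allow
# line covers both ports.
for svc in mcserv mccompress; do
    d=$(wrapped_daemon "$svc")
    for ip in 192.192.10.5 10.0.0.7; do
        printf '%s -> %s, client %s: %s\n' "$svc" "$d" "$ip" "$(access_decision "$d" "$ip")"
    done
done
```

On a real host the check to run is tcpdmatch (shipped with tcp_wrappers alongside tcpdchk), for example `tcpdmatch mcservsh 192.192.10.5`, which reads the actual inetd.conf and access tables and reports the decision; the script above only reproduces the subset of pattern syntax needed to show why a hosts.allow line keyed by mcserv rather than mcservsh never matches.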

NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.