Solaris Security Tip: inetd Connection Logging

Solaris, UNIX

It’s maybe not the first thing I’d do to lock down a server, but this is a worthwhile bit to change if you use any inetd services (ftp, telnet, remsh, finger, talk, etc). In addition to the OS-related inetd services mentioned, many applications will add their own, broadening your exposure to vulnerabilities across different vendor products.

When any type of network connection is made to your servers, it’s important to know the source of the connection – where that connection originated. Yes, many hackers will use a proxy or bounce host or hosts to hide their true IP, but at least this information can give you a place to start if you needed to track them. This becomes even more useful in company-internal incidents where users are less able to hide.

TCP Wrappers has been around for ages. It’s a mechanism to allow or deny access to any inetd service, based upon the connecting IP address or host name. It used to be more difficult to use – one had to download the source, compile, install, configure, etc. But these days it’s built into many inetd variants, including Solaris.

Just for connection logging, we don’t necessarily need to set up TCP Wrappers to deny/allow hosts to connect based on IP or host name, so we’ll skip that part. If you want to go the extra mile and set this up, you configure the hosts.allow and hosts.deny files in /etc. Google around, it’s easy to find a howto.

With the SMF-based inetd in Solaris 10, it’s easy to turn on TCP wrappers for just one service or all services at once. If you just wanted to enable wrappers/logging for the FTP service, you’d change the properties of the FTP inetd service with inetadm:

# inetadm -m ftp tcp_wrappers=true

Or, to change the default value for ALL inetd services, you’d use the -M option:

# inetadm -M tcp_wrappers=true

Once this change is made, every new connection to a wrapped service produces a syslog entry at daemon.info, which usually lands in /var/log/syslog unless you’ve changed your syslog configuration:

Jan 13 08:56:52 waters vnetd[26111]: [ID 927837 daemon.info] connect from rocky
Jan 13 09:00:26 waters in.rshd[28426]: [ID 927837 daemon.info] connect from hungryhippo
Jan 13 09:17:25 waters in.rshd[8174]: [ID 927837 daemon.info] connect from penta
Jan 13 09:24:19 waters in.telnetd[12414]: [ID 927837 daemon.info] connect from 192.168.151.95
Jan 13 09:35:17 waters in.ftpd[23954]: [ID 927837 daemon.info] connect from mercury
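The “connect from” lines are only useful if someone actually reads them, so here is an added example (not from the original post) of a small parser that pulls the service, PID, and connecting source out of entries in the format shown above, counts connections per service and source, and separates sources that were logged as a bare IP address from those that resolved to a host name. The sample log text is constructed for the example; the last line is a non-wrapper entry included to show that unrelated syslog lines are skipped.

```python
import re
from collections import Counter

# Constructed sample syslog text in the same format as the entries above.
# Host names and addresses are made up for the example.
SAMPLE_LOG = """\
Jan 13 08:56:52 waters vnetd[26111]: [ID 927837 daemon.info] connect from rocky
Jan 13 09:00:26 waters in.rshd[28426]: [ID 927837 daemon.info] connect from hungryhippo
Jan 13 09:17:25 waters in.rshd[8174]: [ID 927837 daemon.info] connect from penta
Jan 13 09:24:19 waters in.telnetd[12414]: [ID 927837 daemon.info] connect from 192.168.151.95
Jan 13 09:35:17 waters in.ftpd[23954]: [ID 927837 daemon.info] connect from mercury
Jan 13 09:36:02 waters in.telnetd[12501]: [ID 927837 daemon.info] connect from 192.168.151.95
Jan 13 09:40:11 waters sshd[301]: [ID 800047 auth.info] Accepted publickey for ops from 10.1.1.5 port 51322
"""

# Solaris syslog line: timestamp, host, program[pid]: [ID nnn facility.level] message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?P<service>[^\[\s]+)\[(?P<pid>\d+)\]: '
    r'\[ID \d+ (?P<facility>\w+)\.(?P<level>\w+)\] '
    r'connect from (?P<source>\S+)$'
)

# Dotted-quad check: the wrapper logs the host name when the reverse lookup
# succeeds, and the bare address otherwise.
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')


def parse_connect_lines(text):
    """Return one dict per TCP Wrappers 'connect from' entry; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a wrapper connection entry
        ev = m.groupdict()
        ev['pid'] = int(ev['pid'])
        ev['is_ip'] = bool(IPV4_RE.match(ev['source']))
        events.append(ev)
    return events


def summarize(events):
    """Count connections per (service, source) pair."""
    return Counter((e['service'], e['source']) for e in events)


def unresolved_sources(events):
    """Sources that were logged as a bare IP address rather than a resolved host name."""
    return sorted({e['source'] for e in events if e['is_ip']})


if __name__ == '__main__':
    evs = parse_connect_lines(SAMPLE_LOG)
    for (svc, src), n in sorted(summarize(evs).items()):
        print(f'{svc:12} {src:18} {n}')
    print('logged by address only:', unresolved_sources(evs))
```

Feeding the real /var/log/syslog through parse_connect_lines gives a quick per-service view of who is connecting; a source that only ever shows up as an address is worth a closer look, since it either has no reverse DNS record or is not a host you manage.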

In Solaris 8, you’d accomplish this same goal by altering your inetd start script, /etc/init.d/inetsvc: just add the -t option to the last line:

/usr/sbin/inetd -s -t &


6 Responses

  1. conandor says:

    How can I disable the logging on syslog? By inetadm -m ftp tcp_wrappers=FALSE?
    But it seems to be still logging…

  2. admin says:

    I just tested your inetadm command to turn off the logging, and it works for me. Keep in mind I’m just talking about the initial “connect from” log entries, created when a client first connects to the service. All other logging by ftp or other inetd services would be configured separately. If I set tcp_wrappers=TRUE, I get the “connect from” log entries, and when I set that to FALSE, they do not appear any longer.

  3. this is a greatly intriguing post, acknowledgement you for the information. Sorry my english is not the uncommonly best. do you know if it is possible to despatch this to the spanish language. that would be sheer helpfull.

  4. this is a deeply riveting enter, thank you on the information. Wretched my english is not the sheer best. do you be versed if it is possible to forward this to the spanish language. that would be quite helpfull.

  5. this is a very riveting dispatch, thank you as the information. Sorry my english is not the very best. do you remember if it is practicable to forward this to the spanish language. that would be damned helpfull.

  6. Thanks for that. Now what about a game of football?!