Running UNIX » auditing http://www.runningunix.com UNIX/Solaris tips, tricks, and advice Mon, 01 Aug 2011 17:37:05 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Solaris Security Tip: inetd Connection Logging http://www.runningunix.com/2009/01/solaris-security-tip-inetd-connection-logging/ http://www.runningunix.com/2009/01/solaris-security-tip-inetd-connection-logging/#comments Wed, 14 Jan 2009 05:30:55 +0000 admin http://www.runningunix.com/?p=151 It’s maybe not the first thing I’d do to lock down a server, but this is a worthwhile bit to change if you use any inetd services (ftp, telnet, remsh, finger, talk, etc). In addition to the OS-related inetd services mentioned, many applications will add their own, broadening your exposure to vulnerabilities across different vendor products.

When any type of network connection is made to your servers, it’s important to know the source of the connection – where that connection originated. Yes, many hackers will use a proxy or bounce host or hosts to hide their true IP, but at least this information can give you a place to start if you needed to track them. This becomes even more useful in company-internal incidents where users are less able to hide.

TCP Wrappers has been around for ages. It’s a mechanism to allow or deny access to any inetd service, based upon the connecting IP address or host name. It used to be a more difficult to use – one had to download source, compile, install, configure, etc. But these days it’s built into many inetd variants, including Solaris.

Just for connection logging, we don’t necessarily need to set up TCP Wrappers to deny/allow hosts to connect based on IP or host name, so we’ll skip that part. If you want to go the extra mile and set this up, you configure the hosts.allow and hosts.deny files in /etc. Google around, it’s easy to find a howto.

With the SMF-based inetd in Solaris 10, it’s easy to turn on TCP wrappers for just one service or all services at once. If you just wanted to enable wrappers/logging for the FTP service, you’d change the properties of the FTP inetd service with inetadm:

# inetadm -m ftp tcp_wrappers=true

Or, to change the default value for ALL inetd services, you’d use the -M option:

# inetadm -M tcp_wrappers=true

When this change is made, a log entry will be made, usually in /var/log/syslog, unless you’ve changed your syslog configuration:

Jan 13 08:56:52 waters vnetd[26111]: [ID 927837 daemon.info] connect from rocky
Jan 13 09:00:26 waters in.rshd[28426]: [ID 927837 daemon.info] connect from hungryhippo
Jan 13 09:17:25 waters in.rshd[8174]: [ID 927837 daemon.info] connect from penta
Jan 13 09:24:19 waters in.telnetd[12414]: [ID 927837 daemon.info] connect from 192.168.151.95
Jan 13 09:35:17 waters in.ftpd[23954]: [ID 927837 daemon.info] connect from mercury

In Solaris 8, you’d accomplish this same goal by altering your inetd start script, /etc/init.d/inetsvc:
just add the -t option to the last line:

/usr/sbin/inetd -s -t &

Share

]]> http://www.runningunix.com/2009/01/solaris-security-tip-inetd-connection-logging/feed/ 6