/var/adm/inetd.sec notes

To see what's recently changed on this page - please look at the Changes page.

The purpose of this web page:
This is all about lines found in the typical /etc/inetd.conf file and what programs/functions break if those lines are commented out or removed. I've also added info about the /var/adm/ined.sec file which works along with the inetd.conf file. The inetd.sec info is located at the bottom of this page.

The /etc/inetd.conf info...

At this time I only have access to HP-UX 11.x workstations and servers. That's the inetd.conf flavor I'm going to use here. I don't think there is to much difference on other systems. Also, I show logging switches just about everywhere I can. The only place (I think) their will be a difference compared to, let's say, a Solaris box will be at the very bottom where I'm adding application information. Also, the inetd.sec file is used on HP-UX systems only.

Remember, this has everything to do with the overall line, NOT what each piece of the line does (i.e.; stream, tcp, nowait, root). Enough folks explain that on the internet. Also, I got most of this info from simply looking at the "man" pages or running HP's "Bastille" program.

The inetd.conf line is in regular text and my additions to those lines are going to be in Bold text. My comments for each line are underneath and are in bulleted - Italic text. I'll indicate what breaks if the line is commented or removed (remember... that's the purpose of this doc in the first place). Any line starting with a pound sign (#) was commented out by HP (from a standard O/S install), when I started this mess.

I didn't add any comments to the application lines at the bottom of this page. I got them off of production and development boxes so I assume they are correct. So... I assume if you comment or remove the application line(s) then that application will break.

If you change the /etc/inetd.conf file in any way, you'll need to have inetd reread the config file. Do this buy running the following command: /usr/sbin/inetd -c. You do NOT have to run inetd -c after modifying the inetd.sec file.

If you have input on what breaks, nasty errors on this page, etc., I'd appreciate it if you would let me know. Please send comments to: dburton3@tampabay.rr.com

Oh yes... I have some other pages that may be of some use as well:
Unix Notes, Server Build document, GSP Information and Ignite document

You can get an idea on how to configure the following files; /etc/issue, /etc/ftpd/ftpaccess and /etc/ftpd/ftpusers (which are noted below), and also see what I think can be safely commented out of a "standard" /etc/inetd.conf file in my Server Build document.

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l -a

telnet stream tcp nowait root /usr/lbin/telnetd telnetd -b /etc/issue

#tftp dgram udp wait root /usr/lbin/tftpd tftpd

tftp dgram udp wait root /usr/lbin/tftpd tftpd\

#bootps dgram udp wait root /usr/lbin/bootpd bootpd

#finger stream tcp nowait bin /usr/lbin/fingerd fingerd

login stream tcp nowait root /usr/lbin/rlogind rlogind -l -B /etc/issue

shell stream tcp nowait root /usr/lbin/remshd remshd -l

exec stream tcp nowait root /usr/lbin/rexecd rexecd

#uucp stream tcp nowait root /usr/sbin/uucpd uucpd

ntalk dgram udp wait root /usr/lbin/ntalkd ntalkd

ident stream tcp wait bin /usr/lbin/identd identd -l

printer stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon -i -l

daytime stream tcp nowait root internal
daytime dgram udp nowait root internal
time stream tcp nowait root internal
#time dgram udp nowait root internal
echo stream tcp nowait root internal
echo dgram udp nowait root internal
discard stream tcp nowait root internal
discard dgram udp nowait root internal
chargen stream tcp nowait root internal
chargen dgram udp nowait root internal

# Do not uncomment these unless your system is running portmap!
# WARNING: The rpc.mountd should now be started from a startup script.
# Please enable the mountd startup script to start rpc.mountd.
#rpc stream tcp nowait root /usr/sbin/rpc.rexd 100017 1 rpc.rexd -r -l /var/adm/syslog/rpc.stuff
#rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rpc.rstatd -e -l /var/adm/syslog/rpc.stuff
#rpc dgram udp wait root /usr/lib/netsvc/rusers/rpc.rusersd 100002 1-2 rpc.rusersd -e -l /var/adm/syslog/rpc.stuff
#rpc dgram udp wait root /usr/lib/netsvc/rwall/rpc.rwalld 100008 1 rpc.rwalld -e -l /var/adm/syslog/rpc.stuff
#rpc dgram udp wait root /usr/sbin/rpc.rquotad 100011 1 rpc.rquotad
#rpc dgram udp wait root /usr/lib/netsvc/spray/rpc.sprayd 100012 1 rpc.sprayd -e -l /var/adm/syslog/rpc.stuff

kshell stream tcp nowait root /usr/lbin/remshd remshd -K -l
klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K -l

# NCPM programs.
# Do not uncomment these unless you are using NCPM.
#ncpm-pm dgram udp wait root /opt/ncpm/bin/ncpmd ncpmd
#ncpm-hip dgram udp wait root /opt/ncpm/bin/hipd hipd

dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd -log

rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver

rpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd

recserv stream tcp nowait root /usr/lbin/recserv recserv -display :0

registrar stream tcp nowait root /etc/opt/resmon/lbin/registrar /etc/opt/resmon/lbin/registrar

Application lines

# PowerBroker local daemon
pblocald stream tcp nowait root /opt/pb/sbin/pblocald pblocald

# OmniBack/DataProtector
omni stream tcp nowait root /opt/omni//lbin/inet inet -log /var/opt/omni//log/inet.log

# Samba/CIFS
swat stream tcp nowait.400 root /opt/samba/bin/swat swat

# M/C Service Guard
hacl-probe stream tcp nowait root /opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd -f /var/opt/cmom/cmomd.log -r /var/opt/cmom
hacl-cfg dgram udp wait root /usr/lbin/cmclconfd cmclconfd -p
hacl-cfg stream tcp nowait root /usr/lbin/cmclconfd cmclconfd -c

# Ignite
instl_boots dgram udp wait root /opt/ignite/lbin/instl_bootd instl_bootd

# Medusa
medusad stream tcp nowait root /opt/medusa/lbin/medusad medusad

The /var/adm/inetd.sec info...

Basically this file is looked at every time someone tries to access your box using one of the services listed in the /etc/inetd.conf file. If a service does not have a line in the inetd.sec file and is uncommented in the inetd.conf file, then any box can make a connection using that service. If a matching line is found in the inetd.sec file then the connection will be allowed or denied depending on what that line states.

For example, telnet is not commented out in the inetd.conf file. Someone tries to telnet to your box. The inetd process looks here to see what to do next and finds the following line:

telnet   allow   localhost
Only telnet connections from the IP range of to 20 or the localhost will work. All others will not.

If you have this line instead: telnet deny 198.162.* batcave.gothem.city.com
The boxes on the 198.162.whatever.whatever and the server batcave.gothem.city.com will not connect. All others will be able to connect.

So the line look's something like this:
< service name > < allow/deny > < host/network addresses, host/network names >

Also, when you modify this file you do not need to run the "inetd -c" command.

I developed this site so please send comments to dburton3@tampabay.rr.com. Thanks!

Search my site:
Locations of visitors to this page QRcode

Ok.. so I put this waaay down at the bottom of this web page. I don't expect anyone to actually toss a buck or two my way as a thank you for all the work I've done on this site (Hmmm... feel guilty yet?), but it sure would be nice.

Please donate!

This donation link uses a secure PayPal connection.
Valid CSS!
blog counter
blog counter