[lug] FTP services - disarming daemon
PC Drew
drewpc at colorado.edu
Tue Aug 8 22:02:35 MDT 2000
As for your use of @home cable, here's how I see it. It takes someone
like Northpoint or Rhythms 3 months to install DSL. With @home you
get 2 months free, free installation, and you "rent" the cable modem
(it's included in the monthly cost). They will install it within 5-7
days. Right now I'm using the @home for a couple of months until my
DSL gets installed. This way, I get broadband for free until my DSL
gets here!! :)
--
PC Drew
Thus spake John Starkey on Tuesday, August 08, 2000, 8:23:51 PM:
JS> Hi again.
JS> I'm using @home and I think they are detecting a service on my computer and
JS> shutting me down, as someone on the list (sorry, I lost that message)
JS> mentioned they'd heard they do. I would really like to have ftp for my own
JS> use but looks like that's not even possible. DSL it is once I move next
JS> month.
I could be wrong, but I don't think they're doing any filtering.
JS> But for now I have commented out every service but ftp and telnet,
JS> thinking that neither one of those are daemonized. I logged into my box
JS> from my iMac last night. So obviously they are tied to a daemon. Does
JS> anyone know of a way to shut them down? Better yet, to allow them to only
JS> receive requests from 192.168s? I can't log on now. And I can't remember
JS> what I changed, obviously something but whatever it was didn't take effect
JS> immediately.
ftp and telnet are (generally) run from inetd. Inetd is a process
that controls the ports for all of the programs listed in
/etc/inetd.conf and distributes the appropriate connections to the
appropriate servers.
Don't understand? Here's what my ftp line in /etc/inetd.conf looks
like:
    ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
This means that the service ftp gets forwarded to /usr/sbin/tcpd with
"in.ftpd -l -a" as the arguments. Anytime someone connects to port 21
on my machine, the connection gets handled by /usr/sbin/tcpd.
What's tcpd? Why is it not something like in.ftpd? Tcpd is the
daemon for TCP Wrappers. TCP wrappers filter access to certain
services. Once tcp wrappers are installed, the configuration files
are /etc/hosts.allow and /etc/hosts.deny. To deny everything, you
leave hosts.allow empty and insert this into hosts.deny:
    ALL: ALL
That says to deny access to "ALL" services from "ALL" hosts.
Then, if you want to allow access to ftp from 192.168.0.0/24 you would
put the following into /etc/hosts.allow:
    ftp: 192.168.0.0/24
Good luck. Oh, and if you edit /etc/inetd.conf or
/etc/hosts.{allow,deny} you must send a HUP signal to the inetd
process (kill -1 <pid>). To not allow ftp at all, you'd just comment
out the ftp line in /etc/inetd.conf.
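
Added example (not part of the original post): a simplified Python model of the hosts.allow / hosts.deny check order documented in hosts_access(5), run over the deny-by-default policy described above. The rule text, function names and sample client addresses are constructed for illustration; the allow rule assumes the daemon is matched by its process name (in.ftpd in the inetd.conf line above) and uses the net/mask client form.

```python
import ipaddress

# Constructed policy mirroring the post: deny everything, then allow FTP from the LAN.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "in.ftpd: 192.168.0.0/255.255.255.0\n"   # daemon name = process name (assumption)

def parse(text):
    """Turn hosts.allow / hosts.deny text into [(daemon_list, client_list)]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]   # trailing shell-command field ignored
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip):
    """Simplified client patterns: ALL, 'a.b.c.' prefix, net/mask, exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def any_rule_matches(rules, daemon, ip):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(p, ip) for p in clients)
               for daemons, clients in rules)

def access_granted(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Order of checks: a hosts.allow match grants, a hosts.deny match refuses,
    and a connection that matches neither file is granted."""
    if any_rule_matches(parse(allow), daemon, ip):
        return True
    if any_rule_matches(parse(deny), daemon, ip):
        return False
    return True

if __name__ == "__main__":
    for daemon, ip in [("in.ftpd", "192.168.0.23"), ("in.ftpd", "203.0.113.9"),
                       ("in.telnetd", "192.168.0.23")]:
        print(daemon, ip, "granted" if access_granted(daemon, ip) else "refused")
```

Because a connection that matches neither file is granted, the "ALL: ALL" line in hosts.deny is what makes this a default-deny policy; on a real system, tcpdchk and tcpdmatch from the TCP Wrappers package can be used to check the installed files.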