Installing TCP Wrappers in Solaris

Notes:

    http://www.sunfreeware.com/README.tcpwrappers
    http://www.kempston.net/solaris/tcpwrappers.html
    http://www.ncftpd.com/ncftpd/doc/config/g/tcp-wrappers.html

Copy over the software:

Solaris 7:

From wsadmin01.harcourt.com:

    # scp /pub/soft/pkgs/sol7/tcp_wrappers-7.6-sol7-sparc-local.gz user@host:/tmp/.

Solaris 8:

    # scp /pub/soft/pkgs/sol8/tcp_wrappers_ipv6-7.6-sol8-sparc-local.gz user@host:/tmp/.

Install:

Solaris 7:

    # gzip -d /tmp/tcp_wrappers-7.6-sol7-sparc-local.gz
    # pkgadd -d /tmp/tcp_wrappers-7.6-sol7-sparc-local

Solaris 8:

    # gzip -d /tmp/tcp_wrappers_ipv6-7.6-sol8-sparc-local.gz
    # pkgadd -d /tmp/tcp_wrappers_ipv6-7.6-sol8-sparc-local

Both:

    # cp /usr/local/bin/tcpd /usr/local/sbin/tcpd

Configure:

For ncftpd, jump down to the NCFTPD section. If you are using the standard Solaris in.ftpd, continue here. First back up the current file:

    # cp /etc/inetd.conf /etc/inetd.conf.YYYYMMDD.initials

Edit /etc/inetd.conf:

Then edit /etc/inetd.conf, making the following changes.

Each non-commented line in this file consists of a service name, several attributes of the service and, in the sixth field of the line, the name of the program which inetd should start to process an incoming request for the service. Where this program name is of the form "/usr/sbin/some program name", change it to read "/usr/local/sbin/tcpd".

For example, the line which reads:

    ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd

in Solaris 7 should be changed so that it reads:

    ftp stream tcp nowait root /usr/local/sbin/tcpd in.ftpd

Note that the protocol field, "tcp", appears in some of these entries on Solaris 8 as "tcp6". This is part of the IPv6 support in Solaris 8.

    ftp stream tcp6 nowait root /usr/local/sbin/tcpd in.ftpd

Make this change in the lines which start with ftp. The telnet line should already be commented out, since we use Secure Shell.

HUP the inetd process:

    # kill -HUP `ps -e | grep inetd | awk '{print $1}'`

Now proceed to the section "Testing TCP Wrappers".
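The inetd.conf edit described above can be scripted and then checked. The following is an added example, not part of the original procedure: the function names and the sample inetd.conf lines are constructed for illustration, and it assumes an awk that accepts -v (nawk on Solaris 7/8).

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical
# and the sample input is constructed.
AWK=${AWK:-awk}                 # assumption: set AWK=nawk on Solaris 7/8
TCPD=/usr/local/sbin/tcpd       # wrapper path used in the procedure above

# Constructed inetd.conf excerpt for demonstration.
sample_inetd_conf() {
cat <<'EOF'
# constructed sample, Solaris 8 style
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
#telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
echo stream tcp6 nowait root internal
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
EOF
}

# wrap_inetd_service SERVICE: inetd.conf on stdin, edited copy on stdout.
# Only field 6 of the named service changes; "tcp" or "tcp6" is kept as found.
# The edited line is re-joined with single spaces; other lines pass verbatim.
wrap_inetd_service() {
    "$AWK" -v svc="$1" -v tcpd="$TCPD" '
        /^[ \t]*#/ || NF < 7 { print; next }   # comments and "internal" lines
        $1 == svc && $6 ~ /^\// { $6 = tcpd }  # field 7 (in.ftpd) is left alone
        { print }
    '
}

# unwrapped_services: names of enabled services that inetd still starts
# directly, i.e. field 6 is an absolute path other than tcpd.
unwrapped_services() {
    "$AWK" -v tcpd="$TCPD" '
        /^[ \t]*#/ || NF < 7 { next }
        $6 ~ /^\// && $6 != tcpd { print $1 }
    '
}

# Demonstration on the constructed sample: show the edited file.
sample_inetd_conf | wrap_inetd_service ftp
```

Run against the real file, write the output of wrap_inetd_service to a temporary file and compare it with the backup copy before replacing /etc/inetd.conf; unwrapped_services then lists any enabled service that still bypasses tcpd.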
NCFTPD:

If you are using ncftpd, follow this procedure instead:

    # cp /usr/local/etc/ncftpd/general.cf /usr/local/etc/ncftpd/general.cf.YYYYMMDD.initials

Edit /usr/local/etc/ncftpd/general.cf and change the line:

    tcp-wrappers=no

to

    tcp-wrappers=yes

Restart ncftpd:

    # /etc/init.d/ncftpd stop
    Stopping NcFTPd: OK
    # /etc/init.d/ncftpd start
    Starting NcFTPd: OK
    # ps -ef | grep ftp
    root 16666 16661 0 15:54:24 ? 0:00 ncftpd -d /usr/local/etc/ncftpd/general.cf /usr/local/etc/ncftpd/domain.cf
    root 16665 16661 0 15:54:24 ? 0:00 ncftpd -d /usr/local/etc/ncftpd/general.cf /usr/local/etc/ncftpd/domain.cf
    root 16662 16661 0 15:54:24 ? 0:00 ncftpd -d /usr/local/etc/ncftpd/general.cf /usr/local/etc/ncftpd/domain.cf
    root 16667 16661 0 15:54:24 ? 0:00 ncftpd -d /usr/local/etc/ncftpd/general.cf /usr/local/etc/ncftpd/domain.cf
    root 16664 16661 0 15:54:24 ? 0:00 ncftpd -d /usr/local/etc/ncftpd/general.cf /usr/local/etc/ncftpd/domain.cf
    root 16663 16661 0 15:54:24 ? 0:00 ncftpd -d /usr/local/etc/ncftpd/general.cf /usr/local/etc/ncftpd/domain.cf
    root 16661 1 0 15:54:24 ? 0:00 ncftpd -d /usr/local/etc/ncftpd/general.cf /usr/local/etc/ncftpd/domain.cf

Testing TCP Wrappers:

Go to another host and ftp in:

    # ftp hostname

Monitor the /var/log/syslog file by doing:

    # tail -f /var/log/syslog

In the window which is monitoring the syslog file, you should see a line logged such as:

    Mar 21 16:18:02 gateway in.ftpd[894]: connect from alger

If this line reads something like:

    Mar 21 16:18:05 gateway in.ftpd[894]: connect from 0.0.0.0

and you're running Solaris 8, you've probably compiled the standard version of TCP wrappers.

The access control files:

TCP Wrappers allow or deny incoming service requests depending on the contents of the files /etc/hosts.allow and /etc/hosts.deny. hosts.allow contains a list of hosts that are allowed to access TCP services on the machine in question and hosts.deny contains a list of hosts that are denied access. If these files don't exist, all access is allowed.