Restrict TCP IP Services

In an open network, any station can request services from other computers on the network. The TCP/IP protocol can be used to supply many services. Some of these services, such as rlogin, rcp, rsh, ftp, telnet, and rexec, are common to all UNIX-based operating systems. Others are provided by in-house and third-party software.
capamsc141
In an open network, any station can request services from other computers on the network. The TCP/IP protocol can be used to supply many services. Some of these services, such as rlogin, rcp, rsh, ftp, telnet, and rexec, are common to all UNIX-based operating systems. Others are provided by in-house and third-party software.
PAM Server Control
 intercepts the accept processes of TCP/IP at the host computer and determines whether the accept program should continue normally or be overridden.
PAM Server Control
bases its decision on access rules governing hosts and services that you define. You can create TCP/IP access rules in the database to specify the computers and networks that are allowed to receive services such as file transfers, remote login, and remote shell from a specific computer.
The following examples show how TCP/IP access rules can be defined and set to efficiently block unwanted outsiders. If you have not yet had time to develop a complete database, you may want to let any station that is not defined in the database receive any service. If so, set the HOST record in the UACC class as follows:
chres UACC HOST defaccess(READ)
A station that is to have access rules for TCP/IP services from the local host is defined in a record in the database under the HOST class. For each of these stations, the services allowed are listed in the record. For example, the following command sequence defines a record for station ws5 and denies it from receiving any TCP/IP service from the local host:
newres HOST ws5
authorize HOST ws5 service(*) access(NONE)
The following command allows ws5 to perform telnet to the local computer:
authorize HOST ws5 service(telnet)
These settings allow users to telnet to the local computer, which means that the remote user must specify a user name and password before using the local system. To allow a station to receive all TCP/IP services from the local computer, you can use an asterisk in the service keyword. For example, the following command allows ws5 to invoke any TCP/IP service from the local computer:
authorize HOST ws5 service(*)
The service can be specified in several ways, some of which involve the
port number
. The port number is an identification number for a service. All services have port numbers, and the port numbers are mapped to the services in the file /etc/services. You can specify a service in the following ways:
  • By its name as defined in the file /etc/services
  • By its port number
  • As a range of port numbers
  • As an RPC port that is listed in the /etc/rpc system file
For example, the following command permits ws5 to receive any TCP/IP service whose port number falls between 7045 and 7050:
authorize HOST ws5 service(7045-7050)
In many cases, it is more economical to define a group of hosts and set its permissions once, instead of making permissions for each individual computer. 
PAM Server Control
provides the GHOST class, where each GHOST record defines a group of hosts. To define a GHOST record and add hosts to its member list, enter the following commands:
newres GHOST gh1 mem(ws2, ws3, ws5)
authorize GHOST gh1 service(ftp)
The newres command defines a group of hosts called gh1 that contain the members ws2, ws3, and ws5. The authorize command allows all three stations to receive ftp (file transfer) services.
Managing host groups is easier than managing individual stations, but to supply more flexibility, 
PAM Server Control
also supports the definition of network access rules. Networks are defined in the HOSTNET class. For example, consider the following set of commands:
newres HOSTNET hn1 mask(255.555.0.0) match(192.168.0.0)
authorize HOSTNET hn1 service(*) access(NONE)
authorize HOSTNET hn1 service(ftp)
 
  • In the first line, the newres command, defines a network called hn1. With its mask and match values, it specifies that any computer with an IP address whose first two qualifiers are 192.168 is considered as coming from the hn1 network.
  • The combination of the second and third lines permits any station from the hn1 network to perform ftp, but not any other service, in the host computer.
Another method that this prodcut provides for defining TCP/IP access rules is name-pattern access rules. The product supports the definition of generic records in the HOSTNP class (host name pattern) with wildcards.
Note:
For information on how 
PAM Server Control
performs string matching, see the
Selang Reference
section.
For example, the following command sequence permits all hosts whose names start with the characters lin and end with the characters .org.com to receive all TCP/IP services on the local host:
newres HOSTNP lin*.org.com authorize HOSTNP lin*.org.com service(*).
Note:
Hosts that are managed by NIS must be identified by their official names that appear in a NIS map and not by their aliases. The chart in the following section summarizes the TCP/IP check flow.