20010205: Security of McIDAS ADDE and LDM
- Subject: 20010205: Security of McIDAS ADDE and LDM
- Date: Tue, 06 Feb 2001 07:52:38 -0700
>From: Erick Lorenz <address@hidden>
>Organization: UC Davis
>Keywords: 200102020159.f121xaX03428 security
Erick,
re: ADDE uses ports 500 and 503
The topic is setting up TCP wrappers for the ports that McIDAS ADDE
uses for data transfers.
>My man page for hosts.allow and hosts.deny describes an entry as being of
>the form:
>
> <daemon_list> : <client_list> : [ <shell_command> ]
>
>e.g.
>
> in_ftpd in_telnetd : 192.192.
>
>I am not sure how to designate a port number in this syntax. (but then
>I am rather fuzzy on the whole issue of ports anyway)
The designation of a port is indirect. The port is picked up by
virtue of the service-port pair in /etc/services. For McIDAS ADDE
this will look like:
    mcserv       500/tcp
    mccompress   503/tcp
You might think, therefore, that the hosts.allow line would look
something like:
    mcserv: 192.192.
** but it doesn't ** Instead, the single entry in hosts.allow that will
specify the list of IPs allowed to connect using either port that McIDAS
ADDE communicates on is:
    mcservsh: <IP mask/list>
The revised /etc/inetd.conf entry that sets up use of TCP wrappers is:
    mcserv stream tcp nowait mcadde /usr/sbin/tcpd /home/mcidas/bin/mcservsh -H /home/mcidas
    mccompress stream tcp nowait mcadde /usr/sbin/tcpd /home/mcidas/bin/mcservsh -H /home/mcidas
From these entries it is more clear that the service you are telling the
TCP wrappers to control is mcservsh:
    /usr/sbin/tcpd /home/mcidas/bin/mcservsh
        ^                   ^______ the service to control
        |______________________________ the TCP wrapper
So, if you are setting up TCP wrappers on your machine for McIDAS ADDE,
you will need to modify both /etc/inetd.conf (and then send inetd a
HUP signal) and /etc/hosts.allow.
Please let me know if my explanation is satisfactory. If it isn't (I am
no expert either), I will get our system administrator to provide the
correct (:-) explanation.
Tom
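
The following is an added example, not part of the original message or of McIDAS. It reads inetd.conf and /etc/services text and reports, for each port, the daemon name that tcpd looks up in hosts.allow, which is the basename of the wrapped program's argv[0] rather than the service name. The sample input is constructed from the entries quoted in the message, and the function names are hypothetical.

```python
import os

# Constructed sample input, built from the entries quoted in the message above.
SERVICES = """\
mcserv      500/tcp
mccompress  503/tcp
"""
INETD_CONF = """\
mcserv stream tcp nowait mcadde /usr/sbin/tcpd /home/mcidas/bin/mcservsh -H /home/mcidas
mccompress stream tcp nowait mcadde /usr/sbin/tcpd /home/mcidas/bin/mcservsh -H /home/mcidas
"""

def parse_services(text):
    """Map service name -> (port, proto) from /etc/services-style text."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            ports[fields[0]] = (int(port), proto)
    return ports

def wrapper_names(inetd_text, services_text):
    """Return (service, port, daemon_name) rows; daemon_name is None when
    the entry is not started through tcpd and so is not access-controlled."""
    ports = parse_services(services_text)
    rows = []
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 7:
            continue  # blank line, comment, or "internal" service with no argv
        service, proto, program, argv0 = fields[0], fields[2], fields[5], fields[6]
        port = ports.get(service, (None, proto))[0]
        wrapped = os.path.basename(program) == "tcpd"
        # tcpd matches hosts.allow/hosts.deny on the basename of argv[0]
        rows.append((service, port, os.path.basename(argv0) if wrapped else None))
    return rows

def hosts_allow_daemons(rows):
    """Daemon names that need an entry in hosts.allow."""
    return sorted({name for _, _, name in rows if name})

if __name__ == "__main__":
    rows = wrapper_names(INETD_CONF, SERVICES)
    for service, port, name in rows:
        print(f"{service:<12}{port!s:<6}{name or 'NOT WRAPPED'}")
    print("hosts.allow daemon names:", ", ".join(hosts_allow_daemons(rows)))
```

Both ports resolve to the single daemon name mcservsh, which is why one hosts.allow line covers ports 500 and 503.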