Inetd.conf will reveal to the user what services are directly run via inetd. Perhaps you should have listed how to run services using tcp_wrappers with tcpd. Learning how to utilize access.conf, hosts.allow and hosts.deny is extremely beneficial to users wanting to add security. After all, a good firewall only restricts the access points for intruders, you need to have security measures in place to handle those open access points.

> First of all, defining a port in /etc/services will allow a service to
> "listen" on that port. Why do you limit yourself to checking only telnet
> and ftp? There are several thousand port numbers defined by IANA.

Crap. A service will listen on a port regardless of whether the port has a friendly name or not. So you check what services you're running, block off what you don't want — What I meant to say was that this is a precursor to blocking off everything with a proper firewall, then enabling the services you want to connect to from <whichever> machines only. Y'know the story.

> Now it is true that not all daemons are defined by the contents of
> /etc/services.
> However, by directing the user to that file first, he/she will gain an
> idea of what might be open.  By remarking ports that are not to be
> used, you are basically turning off the bright lights one by one on
> your burger shack.

Perhaps you ought to start with a simple tool designed for the express purpose of checking what's listening instead of wasting everyone's time with a round-the-houses approach? `man netstat`.

:  Guess what?  A "client" is not a "service".

Yup. And guess what? Both the client and the service use /etc/services to look up their default port in many cases.

: Now it is true that not all daemons are defined by the contents of
: /etc/services.
: However, by directing the user to that file first, he/she will gain an
: idea of what might be open.  By remarking ports that are not to be
: used, you are basically turning off the bright lights one by one on
: your burger shack.
: ((Have I mentioned yet that you need to spend some quiet time READING
: a couple books on linux or even Unix system administration?))

Ok…

I just edited /etc/services, and commented out the lines for telnet.

I type "telnet hostname"

I get "telnet: tcp/telnet: unknown service"

Is this fatal? No. You can specify the port number as well, and still connect just fine.

But that's beside the point. Breaking functionality is *NOT* the way you solve the problem of open ports. Not starting the service in the first place is the correct way. By commenting out the entry in /etc/services, you're relying on the service breaking in the way you want it to. It could default to using a hardcoded port number, or some other unexpected behavior. Plus it may break other parts of the system (like the client) that you don't expect.

This also makes things more difficult to troubleshoot. For example, the user comments out the entries for www. But he can still connect to the web server. Why? Because the default port for apache is defined in httpd.conf, not /etc/services. Now, if he didn't start up apache in the first place, this wouldn't be an issue.

BTW, please tell me which UNIX/Linux book you read that reccomends disabling services by editing /etc/services. I'd love to read it.

jessica

>> 2000.05.27 Sat 13:22:25