Setup TCP Wrappers on AIX
- What has to be installed?
- What has to be configured?
- Restart the Internet Superdaemon
- Interference with sshd
- Related Information
tcpwrappers help you to get some control over unsecure services such like telnet ftp etc.
Standard on Linux for a looooong time AIX was always lacking official support for tcpwrappers.
But starting with AIX 6.1 IBM ships tcpwrappers with the official AIX DVD/CD set.
2. What has to be installed?
You have to install the fileset 'netsec.options' from the AIX Expansion DVD.
The fileset can be found on the AIX 6.1 Expansion DVD.
Although you find the netsec.options fileset on an AIX 6.1 media it is also suitable for AIX 5.3
3. What has to be configured?
To configure telnet with TCP wrappers change the default telnet line in /etc/inetd.conf from
telnet stream tcp6 nowait root /usr/sbin/telnetd telnetd -a
telnet stream tcp6 nowait root /usr/sbin/tcpd telnetd -a
Typically you deny access to the system completely here:
aix# vi /etc/hosts.deny # deny access through tcpwrapper # =============================== # default policy: no access ALL : ALL : severity auth.info
With the above policy all attempts to connect to the server via telnet will be passed to the syslog
daemon with severity auth.info. Where the logging messages actually can be found depends on your
Now explicitly only allow specific hosts or networks access:
aix# vi /etc/hosts.allow telnetd: LOCAL .mydomain.net
The example allows all local hosts (without a dot in the name) and all hosts from the domain 'mydomain.net' to telnet to the system. You could also limit the access to single ip addresses:
aix# vi /etc/hosts.allow telnetd: 184.108.40.206 220.127.116.11
4. Restart the Internet Superdaemon
aix# refresh -s inetd 0513-095 The request for subsystem refresh was completed successfully.
You can check that telnet is wrapped now by tcpd:
aix# lssrc -l -s inetd Subsystem Group PID Status inetd tcpip 401640 active Debug Not active Signal Purpose SIGALRM Establishes socket connections for failed services. SIGHUP Rereads the configuration database and reconfigures services. SIGCHLD Restarts the service in case the service ends abnormally. Service Command Description Status telnet /usr/sbin/tcpd telnetd -a active
5. Interference with sshd
Although not passed through the TCP wrapper the sshd reads the same host access files. With the changes described
here sshd would block all connections. You need to add an extra line to
hosts.allow for sshd.
If you want to allow connections from everywhere add the following line to
Of course you can limit access to sshd the same way as to the services passed through the TCP wrappers decribed earlier in this article.
6. Related Information