Hello all, my problem concerning the tcpwrapper program is now solved, special thanks to Casper Dik and Angel L. Mateo! Let me first explain the problem by re-sending my old mail: > > Hello, > > I apologize if anyone has already answered this question, because this > is my first posting to this mailing list. > I'm trying to increase our network security by installing "tcpwrap" by > Wietse Venema, which is recommended on many sites, including this > mailing list. But, unfortanetly, it doesn't work... > The system I use to test it is a Ultra 10, running Solaris 8 with the > newest patches installed. I've installed and configured tcpwrap as > described in the "advanced config" section in the Readme, but without > writing any hosts.allow/hosts.deny files, since I - as it is recommended > in the manual - first want to try it. > The tcpd work, every attempt to connect is logged in /var/log/syslog, as > I expected, but the hostaddress is always written as "0.0.0.0". I've > tried to install other versions of tcpwrap, even the ipv6-Version > (although I don't use IP Verison 6 at all), but without success. > The testmachine is set up correctly, and I can resolve every hostname > with "nslookup" and other tools, but it's not logged. I've already > searched the internet for any advises, and even try to dig in the code, > but without success. So, this is my last try, :-)) > Hope you can help me! > After my posting to the sunmanagers list, I've also send a mail to Wietse Veenema, who has programmed TCPWrap. And, I got an automatic reply which I think is useful to post it to this list: TCP WRAPPER On SOLARIS 8+ and AIX 4.3+ use the IPV6-enabled version by Casper Dik at ftp://ftp.porcupine.org/pub/security/index.html. Be sure to specify HAVE_IPV6 in the Makefile (see comments in that file for instructions). If you run an IP version 6 enabled version of TCP Wrapper and still see connections from 0.0.0.0, you forgot to specify HAVE_IPV6 in the Makefile. or you forgot to specify tcp6 in the inetd.conf file. If tcpd shell commands fail with a "bad option name" error message, have a look at the first paragraph of the hosts_options.5 document. If tcpd access rules do not work as expected, run "tcpdchk -v" and see if its output matches your expectation. If that does not clear things up, please use the "tcpdmatch" command, report what it says, and also report what result you expected to get. Both commands come with the tcp wrapper source code. See tcpdchk.8 and tcpdmatch.8 for documentation (`nroff -man' format). Otherwise, if you see connections from 0.0.0.0, someone may be portscanning your machine, by making brief connections that end before tcpd has a chance to run. If this happens a lot you might want to consider running a sniffer program such as tcpdump. If tcpd banners and other features in hosts_options.5 do not work, please read the first paragraph of the hosts_options.5 manual page. SOLARIS 7: the try-from command produces garbled output when run from, for example, rsh. In order to fix, remove the #ifdef TLI code in try-from.c. SOLARIS: if you have trouble building TCP Wrapper, please look carefully at the error messages. SOLARIS: if the build fails with with: "/usr/ucb/cc: language optional software package not installed" you must either spend $$ on the SUN C compiler, or you download and install GCC. See the SOLARIS FAQ at http://www.wins.uva.nl/pub/solaris/solaris2.html SOLARIS: if you have trouble building TCP Wrapper with GCC after upgrading the SOLARIS software, you are probably still using the include files from the PREVIOUS SOLARIS release (look at the exact error message). Fix: run the fixincludes command that comes with GCC, re-install GCC from scratch, or install GCC 2.8. HP-UX: if you have trouble building TCP Wrapper, and the compilation fails with: /usr/ccs/bin/ld: Unsatisfied symbols: yp_get_default_domain (code), edit the Makefile and add -DUSE_GETDOMAIN to the definition of the BUGS macro. LINUX: if you have trouble building TCP Wrapper version 7.5 get, the current version ftp://ftp.porcupine.org/pub/security/. LINUX: if the compilation fails with: percent_m.c:17: conflicting types for `sys_errlist', edit the "linux" entry in the Makefile, and add a -DSYS_ERRLIST_DEFINED directive like this: linux: @make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \ LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o NETGROUP= \ TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER -DSYS_ERRLIST_DEFINED" all (There were more hints for other programs written by Wietse, like SATAN, LogDaemon and so on, but I decided not to put them in this mail). So, the solution is that you have to use the TCPWrap_ipv6 suite and specially enable IPv6-Support in the Makefile on Solaris 8, even if you don't use IPv6 addresses... (Carsten's answer pointed also to this solution) Simple solution for a big problem, which is not documented in the Readme-Files delivered with tcpwrap. Again, thanks to everyone for reading + answering, best regards, Harald Husemann System Administrator Materna GmbH Informations + Communications Vokuhle 37 44141 Dortmund, GermanyReceived on Mon Aug 6 10:47:43 2001
This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:25:01 EDT