Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   16655 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

TCPD(1M)							      TCPD(1M)

NAME
       tcpd - access control facility for internet services

DESCRIPTION
       The tcpd program can be set up to monitor incoming requests for telnet,
       finger, ftp, exec, rsh, rlogin, tftp, talk, comsat and  other  services
       that have a one-to-one mapping onto executable files.

       The  program  supports  both  4.3BSD-style sockets and System V.4-style
       TLI.  Functionality may be limited when the protocol underneath TLI  is
       not an internet protocol.

       Operation  is  as  follows: whenever a request for service arrives, the
       inetd daemon is tricked into running the tcpd program  instead  of  the
       desired	server. tcpd logs the request and does some additional checks.
       When all is well, tcpd runs the appropriate  server  program  and  goes
       away.

       Optional	 features  are:	 pattern-based access control, client username
       lookups with the RFC 931 etc. protocol, protection against  hosts  that
       pretend	to  have someone elses host name, and protection against hosts
       that pretend to have someone elses network address.

LIBWRAP INTERFACE
       The same monitoring and access control functionality  provided  by  the
       tcpd  standalone	 program  is also available through the libwrap shared
       library interface. Some programs, including the Solaris	inetd  daemon,
       have  been  modified   to  use  the  libwrap  interface and thus do not
       require replacing the real  server  programs  with  tcpd.  The  libwrap
       interface  is  also  more  efficient and can be used for inetd internal
       services. See inetd(1M) for more information.

LOGGING
       Connections that are monitored by tcpd are reported  through  the  sys‐
       log(3)  facility.  Each	record	contains a time stamp, the client host
       name and the name of the requested service.   The  information  can  be
       useful  to detect unwanted activities, especially when logfile informa‐
       tion from several hosts is merged.

       In order to find out where your logs are going, examine the syslog con‐
       figuration file, usually /etc/syslog.conf.

ACCESS CONTROL
       Optionally, tcpd supports a simple form of access control that is based
       on pattern matching.  The access-control software  provides  hooks  for
       the execution of shell commands when a pattern fires.  For details, see
       the hosts_access(4) manual page.

HOST NAME VERIFICATION
       The authentication scheme of some protocols  (rlogin,  rsh)  relies  on
       host  names.  Some  implementations believe the host name that they get
       from any random name server; other implementations are more careful but
       use a flawed algorithm.

       tcpd   verifies	 the   client  host  name  that	 is  returned  by  the
       address->name DNS server by looking at the host name and	 address  that
       are  returned  by  the name->address DNS server.	 If any discrepancy is
       detected, tcpd concludes that it is dealing with a host	that  pretends
       to have someone elses host name.

       If the sources are compiled with -DPARANOID, tcpd will drop the connec‐
       tion in case of a host name/address mismatch.  Otherwise, the  hostname
       can  be matched with the PARANOID wildcard, after which suitable action
       can be taken.

HOST ADDRESS SPOOFING
       Optionally, tcpd disables source-routing socket options on  every  con‐
       nection	that  it  deals with. This will take care of most attacks from
       hosts that pretend to have an address that  belongs  to	someone	 elses
       network. UDP services do not benefit from this protection. This feature
       must be turned on at compile time.

RFC 931
       When RFC 931 etc. lookups are enabled (compile-time option)  tcpd  will
       attempt	to  establish  the  name of the client user. This will succeed
       only if the client host runs an RFC 931-compliant daemon.  Client  user
       name  lookups  will not work for datagram-oriented connections, and may
       cause noticeable delays in the case of connections from PCs.

       Warning: If the local system runs an RFC 931  server  it	 is  important
       that  it be configured NOT to use TCP Wrappers, or that TCP Wrappers be
       configured to avoid RFC 931-based access control for this service.   If
       you  use usernames in the access control files, make sure that you have
       a hosts.allow entry that allows	the  RFC  931  service	(often	called
       "identd"	 or "auth") without any username restrictions. Failure to heed
       this warning can result in two hosts getting in an endless loop of con‐
       sulting each other's identd services.

EXAMPLES
ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌────────────────────┬─────────────────┐
       │  ATTRIBUTE TYPE    │ ATTRIBUTE VALUE │
       ├────────────────────┼─────────────────┤
       │Interface Stability │ Committed	      │
       └────────────────────┴─────────────────┘

				 Sep 15, 2011			      TCPD(1M)

Vote for polarhome