Renaming .rhost and /etc/hosts.equiv

Hi!
In the Solaris hardening guide there is a point which says that the .rhost and /etc/hosts.equiv files should be removed. Is it enough if I just rename them (in the same directory) in order to be able to restore them at a later point?
Thanks.

Should be.
7/M.

Similar Messages

  • Sshd ignores /etc/hosts.allow and /etc/hosts.deny

    Hello everyone,
    I've just found out that sshd ignores /etc/hosts.allow and /etc/hosts.deny completely on my machine. It doesn't make use of tcp_wrappers. I am using the standard Arch package. Either my settings are wrong, or this is a severe security problem. It was a terrible surprise to find out that my server is under severe dictionary attacks all the time, despite the denyhosts script I am using.
    These are my settings:
    /etc/hosts.deny:
    ALL: ALL
    /etc/hosts.allow:
    # some nfs daemons: 192.168.1.0/255.255.255.0
    sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
    mysqld: 192.168.1.0/255.255.255.0
    /etc/hosts.evil:
    195.113.21.131
    60.10.6.53
    A simple experiment to verify the settings:
    [[email protected] etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.131
    warning: sshd: no such process name in /etc/xinetd.conf
    client: address 195.113.21.131
    server: process sshd
    matched: hosts.deny line 5
    access: denied
    [[email protected] etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.130
    warning: sshd: no such process name in /etc/xinetd.conf
    client: address 195.113.21.130
    server: process sshd
    matched: hosts.allow line 10
    access: granted
    This seems to be fine. But when I go to the machine 195.113.21.131, I can simply log in with no trouble at all.
    This is really strange. Does it have something to do with the xinetd warning? I am not using xinetd... Maybe I'm doing something wrong. If you have experienced such a trouble, please give me a hint.

    elasticdog wrote: So should our package not have the ListenAddress 0.0.0.0 line uncommented by default? My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid. That way users don't have to specify their local IP address. Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
    This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless of the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as long as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.
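    A simplified hosts_access(5) evaluator, added here as an example (not code from the thread or from tcp_wrappers itself), run over constructed copies of the poster's hosts.allow, hosts.deny and hosts.evil contents with the include file inlined. It reproduces the tcpdmatch verdicts shown above (195.113.21.131 denied, 195.113.21.130 granted) and shows how the EXCEPT operator and /file includes are meant to be evaluated; a daemon that never consults libwrap, as the poster observed, bypasses this decision entirely.

```python
import re
import ipaddress

# Constructed copies of the files quoted in the post above; the /etc/hosts.evil
# include file is inlined so the example runs without reading /etc.
HOSTS_ALLOW = (
    "# some nfs daemons: 192.168.1.0/255.255.255.0\n"
    "sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil\n"
    "mysqld: 192.168.1.0/255.255.255.0\n"
)
HOSTS_DENY = "ALL: ALL\n"
INCLUDE_FILES = {"/etc/hosts.evil": "195.113.21.131\n60.10.6.53\n"}

def _patterns(field):
    """Split a daemon or client list; a token starting with '/' names a file
    whose lines hold further patterns (the hosts_access(5) include syntax)."""
    out = []
    for tok in field.replace(",", " ").split():
        if tok.startswith("/"):
            for line in INCLUDE_FILES.get(tok, "").splitlines():
                out.extend(_patterns(line.split("#", 1)[0]))
        else:
            out.append(tok)
    return out

def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon

def _client_matches(pattern, client):
    """Address forms only: ALL, exact address, net/mask and a trailing-dot
    prefix such as '195.113.'; hostname and KNOWN/PARANOID forms are omitted."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client) in network
    if pattern.endswith("."):
        return client.startswith(pattern)
    return pattern == client

def _list_matches(field, match_one, value):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not;
    EXCEPT nests to the right, as hosts_access(5) describes."""
    parts = re.split(r"\s+EXCEPT\s+", field.strip(), maxsplit=1, flags=re.I)
    if not any(match_one(p, value) for p in _patterns(parts[0])):
        return False
    return len(parts) == 1 or not _list_matches(parts[1], match_one, value)

def _first_match(text, daemon, client):
    """1-based number of the first rule matching (daemon, client), or None."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]   # optional shell_command ignored
        if (_list_matches(daemons, _daemon_matches, daemon)
                and _list_matches(clients, _client_matches, client)):
            return lineno
    return None

def hosts_access(daemon, client):
    """Search order from hosts_access(5): hosts.allow first (grant on match),
    then hosts.deny (deny on match), otherwise access is granted."""
    n = _first_match(HOSTS_ALLOW, daemon, client)
    if n is not None:
        return "granted", f"hosts.allow line {n}"
    n = _first_match(HOSTS_DENY, daemon, client)
    if n is not None:
        return "denied", f"hosts.deny line {n}"
    return "granted", "no match"
```

    Calling hosts_access("sshd", "195.113.21.131") returns ('denied', 'hosts.deny line 1') while hosts_access("sshd", "195.113.21.130") returns ('granted', 'hosts.allow line 2'), matching the tcpdmatch output in the post apart from the line numbers of the trimmed files.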

  • Network-profiles (1) and /etc/hosts

    Hi everyone,
    I've got a few network-profiles, especially in one network I have to use a static ip to connect to the internet. The only entry in the /etc/hosts which works correctly - without any error messages - for me, is
    192.168.0.99 localhost.localdomain myhost
    If I use something like 127.0.0.1 in front and simply add my hostname at the end, I can't connect with the Inet, unfortunately. I did not test it, but I'm pretty sure that this host configuration won't work in any other network, where I get a dynamic IP from the DHCP. Is there a possibility to write the content of the /etc/hosts with netcfg, like the /etc/resolv.conf for example?
    MfG Skit

    Because you didn't specify what localhost was in your hosts file. It only knows of localhost.localdomain (does not imply 'localhost') and acer being the loopback.
    I think he understood that.
    'localhost' is universally understood as the loopback.
    this is some kind of 'magic' answer isn't it? the resolving doesn't come out as a miracle... and that is IMHO what needs explanation.
    his computer alone doesn't (obviously) get it because sure, it's not set. now what 'magic' makes it known when a cable is plugged in? the computer tries to resolve locally (via /etc/hosts), fails at it, and then asks the dns server about it. so I reckon the dns server is instructed on replying '127.0.0.1' for a 'localhost' hostname request. why so? because dns servers have an option to look at their local /etc/host for resolving before delegating to bigger servers, so the dns server certainly has localhost matching 127.0.0.1 in his /etc/host, and blindly replies accordingly, oblivious to the fact that he is replying about his 'own' 127.0.0.1 to someone else.
    Last edited by lloeki (2008-01-16 08:24:12)

  • Oracle 11gR2 RAC VM and SCAN and DNS and /etc/hosts (two) setup questions

    Hi,
    I am looking forward to setting up two Oracle 11gR2 RAC instances
    on my Oracle VM test machine.
    I plan on using the Oracle 11gR2 RAC VM template.
    I want the final Oracle 11gR2 RAC instances to have SCAN that uses DNS.
    The DNS will be pre-installed in the JeOS.
    My first simple question about the setup is the following.
    In my DNS name file, for example,
    /var/named/chroot/var/named/milkyway.univ.db
    do I need to provide the racnode1 and racnode2 information,
    for example,
    # DNS name file (snippet)
    myjeos IN A 192.168.1.150
    racnode1 IN A 192.168.1.161
    racnode1-vip IN A 192.168.1.163
    racnode2 IN A 192.168.1.162
    racnode2-vip IN A 192.168.1.164
    rac-scan IN A 192.168.1.131
    rac-scan IN A 192.168.1.132
    rac-scan IN A 192.168.1.133
    Or, can I just provide only the rac-scan information
    # DNS name file alternate (snippet)
    myjeos IN A 192.168.1.150
    rac-scan IN A 192.168.1.131
    rac-scan IN A 192.168.1.132
    rac-scan IN A 192.168.1.133
    What I am getting at is the following.
    Within the install process, will racnode1, racnode1-vip, racnode2,
    and racnode2-vip host names and their IP address be written
    to the RAC instances /etc/hosts files? (So I should not bother
    to put them in the DNS name file like '# DNS name file alternate (snippet)'?)
    Or, should I put the racnode and racnode-vip host names and IP addresses
    in the DNS name file like '# DNS name file (snippet)'?
    The second question is the following.
    Are the cluster name and the scan name allowed to be different?
    Currently, I would plan them to be different,
    for example, rac-cluster and rac-scan.
    Or, are they required to be the same,
    for example, rac-cluster and rac-cluster.
    Thank you.
    AIM

    AIM wrote:
    do I need to provide the racnode1 and racnode2 information,
    Or, can I just provide only the rac-scan information
    You need to provide all of it in DNS, because other hosts in your network will need to be able to resolve all of the normal, VIP and SCAN addresses for your RAC nodes. We write this data out to /etc/hosts just to reduce the amount of round-trip DNS requests the cluster nodes make for themselves.
    Are the cluster name and the scan name allowed to be different?
    They can be different.

  • Socket functions and /etc/hosts and /etc/services

    I have verified that I can open a socket with either the host name or the IP address.
    But can I use either the port number or the service name (from /etc/services)?
    It allows me to use a string constant instead of a numeric, but it doesn't seem to work.

    The string form for the port number is specifically meant to use the NI Service Locator service and nothing else. It does not link into /etc/services or anything like that at all but is a proprietary service locator solution from NI. There exist LabVIEW VIs that one can use to both query this service as well as register new services. It can be found at vi.lib/Utility/ServLocInterface.llb. The actual service used to be programmed in LabVIEW around LabVIEW 7.0 but quickly was moved to a real system service at least on Windows. Not sure if other platforms still use the VI based service implementation or have a native service daemon too, for this.
    Theoretically it would be possible to create some translation program in LabVIEW that reads /etc/services and then registers them through the service locator API but I'm not sure I see a real benefit in this.
    Rolf Kalbermatter
    CIT Engineering Netherlands
    a division of Test & Measurement Solutions

  • /etc/hosts vs DNS & sendmail

    Hi All,
    I have a question about how /etc/hosts & DNS work on a solaris 9 box.
    When I have entries in /etc/hosts that are not in DNS and I run say nslookup the utility will not find the ip. But if I ping the entry in /etc/hosts it will find it. Basically I have a box with default sendmail and in /etc/hosts I have an entry with mailhost added to it at the end. nslookup does not find the box, ping does, and sendmail can't send mail to it and I can not verify that it ever worked correctly.
    1) what is up with nslookup not seeing /etc/hosts?
    2) can sendmail send to hosts per FQDN listed in /etc/hosts & use a DNS server at the same time?
    thanks
    -im

    When I have entries in /etc/hosts that are not in DNS and I run say nslookup the utility will not find the ip.
    Correct. nslookup and /etc/hosts are controlled by /etc/nsswitch.conf.
    Files says to search /etc/hosts.
    Anything else says to use that name service.
    But if I ping the entry in /etc/hosts it will find it.
    If it is in /etc/hosts and /etc/nsswitch.conf says to search /etc/hosts.
    and in /etc/hosts I have an entry with mailhost added to it at the end. nslookup does not find the box, ping does, and sendmail can't send mail to it and I can not verify that it ever worked correctly.
    Sendmail can be compiled to use or disregard name server lookups in addition to the /etc/nsswitch.conf file.
    sendmail -v e-mail_addr, should show you some basic diagnostics.
    1) what is up with nslookup not seeing /etc/hosts?
    That's the way it works.
    2) can sendmail send to hosts per FQDN listed in /etc/hosts & use a DNS server at the same time?
    sure, see /etc/nsswitch.conf and the sendmail compile time options.
    http://www.ilkda.com/sendmail/
    alan

  • /etc/hosts.allow versus iptables/firewall?

    What's the relation between the /etc/hosts.allow and /etc/hosts.deny files, on the one hand, and a host firewall on the other? If I'm going to configure iptables on a machine, is there any point to having any non-trivial rules in /etc/hosts.allow and /etc/hosts.deny too? Or should I just set them to let everything connect and do all my configuration through iptables?
    (Well, really, I'm going to use some iptables-for-dummies tool like ufw or firehol.)

    I cannot agree that hosts.{allow,deny} are 'a lot more basic' They're different from iptables, they work on different level and offer different capabilities, but it would be much harder with iptables to grant/deny access according to:
    - ident lookup
    - NIS netgroup
    - domain name
    - consistent ip->name and name->ip mapping
    and so on; man 5 hosts_access and man hosts_options contain some examples. On the actions side, in addition to granting or denying access, arbitrary command can be run in parallel or instead of called service, with some useful informations about connection available as %variables.
    Tcp_wrappers do not have to be called by protected service itself; they can be used with everything that uses TCP and can be run via (x)inetd, with a little help from tcpd(8).
    I prefer iptables myself (no use in letting unwanted traffic pass any further than strictly necessary), but tcp_wrappers make a really nice and useful complementary solution.

  • Rcp, rlogin, rsh, telnet, hosts.equiv 9iRAC

    Hello all,
    I wonder whether rlogin, rsh, rcp, telnet and hosts.equiv are required for 9iRAC to function on Linux. The install guide for 9iRAC on RH AS2.1 has one start up those services and use hosts.equiv. Even though we are behind a firewall, I would much rather not have them running.
    Any guidance would be appreciated
    Thx
    Wayne

    Ok, I'll just try to sym link to secure equivalents and set up auth keys for Oracle user.

  • /etc/hosts error

    Hello,
    I'm trying to follow the cookbooks to install rac/linux/vmware on xp professional. Whenever I try and install the CRS I get an error message that says
    The local node entry in Cluster Configuration inforamtion does not match with the entry in /etc/hosts file. Verify local node information in /etc/hosts file and re-enter the correct value.
    I have followed the instructions and can't see where I have gone wrong. Can someone point me in the right direction...
    thanks

    I too am getting this same error on HP-UX install, any ideas?
    My nslookups, and /etc/hosts match up across the nodes, for the private and public networks, and the Cluster is created and looks good from clverify.

  • Mpc problem: getaddrinfo not checking /etc/hosts?

    The source of this question is my attempt to get mpc to contact mpd on my localhost when the internet is down. When the internet is up it works fine, but when I'm not connected to the internet, running mpc behaves as follows:
    I seem to have tracked this down to a problem in getaddrinfo (possibly in my system configuration?). I created a piece of test code (below) that does a gethostbyname and then a getaddrinfo. On this computer, both work when connected to the internet, but getaddrinfo fails when disconnected. I tested the same code on an ubuntu computer and getaddrinfo worked even when disconnected from the internet.
    My /etc/hosts and /etc/host.conf seem to be set properly. glibc is 2.8-3. I would have thought that getaddrinfo having such a problem would cause more errors than just in mpc, but I haven't noticed any.
    I'd really appreciate any help.
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>

    int main(void)
    {
        struct addrinfo *addrinfo, *p;
        int i, error;
        struct hostent *h;

        /* Legacy lookup: this one kept working offline in the output below */
        h = gethostbyname("localhost");
        if (h) {
            /* Cast to unsigned char so octets above 127 do not print as negatives */
            for (i = 0; i < h->h_length - 1; i++)
                printf("%d.", (unsigned char)h->h_addr_list[0][i]);
            printf("%d\n", (unsigned char)h->h_addr_list[0][i]);
        } else {
            printf("no such host\n");
        }

        /* Modern lookup: the call that failed once dhcpcd released the interface */
        error = getaddrinfo("localhost", NULL, NULL, &addrinfo);
        if (error) {
            printf("host not found: %s\n", gai_strerror(error));
        } else {
            for (p = addrinfo; p; p = p->ai_next)
                printf("%d %d %d\n", AF_INET, AF_INET6, p->ai_family);
            freeaddrinfo(addrinfo);
        }
        return 0;
    }
    $ ./hnt
    127.0.0.1
    2 10 2
    2 10 2
    2 10 2
    $ sudo dhcpcd -k wlan0
    $ ./hnt
    127.0.0.1
    host not found: Temporary failure in name resolution
    $ mpc
    MPD_HOST and/or MPD_PORT environment variables are not set
    error: host "localhost" not found: Temporary failure in name resolution
    $
    Uncommented and nonblank lines of /etc/hosts:
    127.0.0.1      localhost.localdomain  localhost heroine
    and /etc/host.conf:
    order hosts,bind
    multi on

    Alas, setting MPD_HOST does not help. If there is some way to give mpc an ip address instead of a hostname, that might help. Just putting 127.0.0.1 as MPD_HOST doesn't work.
    I also really think there is something really weird going on with getaddrinfo.
    Thanks for the idea.
    $ MPD_HOST=localhost mpc
    MPD_HOST and/or MPD_PORT environment variables are not set
    error: host "localhost" not found: Temporary failure in name resolution
    $ MPD_HOST=127.0.0.1 mpc
    MPD_HOST and/or MPD_PORT environment variables are not set
    error: host "127.0.0.1" not found: Address family for hostname not supported
    $

  • DHCP Reservation Sync and DNS Host record sync etc shown in IPAM GUI

    Hello all,
    I am aware of the scripts in the TechNet script center to sync DHCP leases etc to IPAM, however my question is about something else -
    If you highlight an IP address (IP address inventory->select an IP), You can see fields that say: "DHCP reservation sync", "DNS PTR record sync" and "DNS host record sync" as below:
    I was curious as to what these are for. Is there some built-in sync functionality for these that I perhaps have not enabled? (Don't see such options any where..)
    thanks,
    -Ravi

    Hi Ravi,
    The three columns tell us the information of the synchronization between IPAM server and DNS server (or DHCP server).
    Here is the detailed guide for using IPAM:
    Using the IPAM Client Console:
    https://technet.microsoft.com/en-us/library/jj878351.aspx#inventory
    IPAM can sync DNS and DHCP records.
    The IPAM database is separate from DHCP and DNS servers on our network, and full synchronization of hosts and IP addresses between IPAM and managed DNS or DHCP servers does not occur automatically unless we have configured automated tasks to perform this synchronization.
    For detailed information, see the DNS and DHCP record synchronization chapter in the following link:
    Multi-server Management:
    https://technet.microsoft.com/en-us/library/jj878329.aspx
    Best Regards,
    Leo

  • /etc/hosts and /etc/inet/hosts

    we're running Sol10x86 11-06 and notice that there's no link between /etc/hosts and /etc/inet/hosts as there has been on some previous versions. /etc/hosts is the only file that contains all of the info for our IPMP configuration, and that seems to be enough during reboot.
    What looks at /etc/inet/hosts? Any danger in making /etc/inet/hosts a link to /etc/hosts?

    I don't have a copy of 11/06, but I've never seen a default installation of Solaris without that link.
    It's certainly there in 08/07. Is there any chance that whatever process is populating /etc/hosts on your machines is breaking that link?
    Darren

  • /etc/hosts in Snow Leopard: ping works, browsers don't?

    I've had success in the past using /etc/hosts to direct web browsers to a test server instead of the production server, but it's not working in OS X 10.6.7.
    I edit the hosts file:
    $ sudo vi /etc/hosts
    Add my entry:
    # Host Database
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    127.0.0.1   localhost dev.localhost
    255.255.255.255   broadcasthost
    ::1             localhost
    fe80::1%lo0 localhost
    111.111.111.111 server.com
    Flush the cache:
    $ dscacheutil -flushcache
    Test with ping:
    PING server.com (111.111.111.111): 56 data bytes
    64 bytes from 111.111.111.111: icmp_seq=0 ttl=46 time=220.423 ms
    64 bytes from 111.111.111.111: icmp_seq=1 ttl=46 time=242.509 ms
    All seems good, but when I load http://server.com in a browser (safari, firefox, chrome), I get the production server and not 111.111.111.111. What did I miss?

    Yep, thank you. It's not my server and is coughing up responses that somehow eventually kick me back over to the production content.
    I don't expect further help (I probably won't pursue it further myself), but just for grins here's an example telnet request:
    $ telnet server.com 80
    Trying 111.111.111.111...
    Connected to server.com.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: server.com
    Cache-Control: no-cache
    HTTP/1.1 200 OK
    Date: Wed, 06 Jul 2011 20:06:43 GMT
    Server: Apache
    Last-Modified: Thu, 24 Mar 2011 11:40:59 GMT
    ETag: "62206ad-6f-49f38f37ec8c0"
    Accept-Ranges: bytes
    Vary: Accept-Encoding
    Content-Type: text/html
    Content-Length: 111
    <html><head><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
    Definitely not what I expect. Another request for /cgi-sys/defaultwebpage.cgi just gives a 404 page. Maybe the browser tries a real DNS lookup at that point.

  • SCAN LISTENER runs from only one node at a time from /etc/hosts !

    Dear all ,
    Recently I have to configure RAC in oracle 11g(r2) in AIX 6.1. Since in this moment it is not possible to configure DNS, so I don't use SCAN ip into the DNS/GNS, I just add the SCAN ip into the host file like:
    cat /etc/hosts
    SCAN 172.17.0.22
    Got the info from : http://www.freeoraclehelp.com/2011/12/scan-setup-for-oracle-11g-release211gr2.html#ORACLE11GR2RACINS
    After configuring all the steps of RAC, every service is ok except SCAN_LISTENER. This listener is up on only one node at a time. First time when I check it from node1, it shows:
    srvctl status scan_listener
    SCAN listener LISTENER_SCAN1 is enabled
    SCAN listener LISTENER_SCAN1 is running on node dcdbsvr1
    now when I relocate it from node 2 using
    "srvctl relocate scan -i 1 -n DCDBSVR2", then the output shows:
    srvctl status scan_listener
    SCAN listener LISTENER_SCAN1 is enabled
    SCAN listener LISTENER_SCAN1 is running on node dcdbsvr2
    Baring these , we have to try to relocate it from the node2 by the following way, then it shows the error :
    srvctl relocate scan -i 2 -n DCDBSVR2
    resource ora.scan2.vip does not exists
    Now my question , How can I run the SCAN and SCAN_LISTENER both of the NODES ?
    Here is my listener file (which is in the GRID home location) configuration :
    Listener File OF NODE1 AND NODE 2:
    ==================================
    ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON
    ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON
    LISTENER_SCAN1 =
    (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC) (KEY = LISTENER_SCAN1)
    ADR_BASE_LISTENER_SCAN1 = /U01/APP/ORACLE
    2) Another issue, when I give the command "ifconfig -a", then it shows the SCAN ip on either node1 or node2. Suppose the SCAN ip is in the node1, and then if I run the "relocate" command from node2, the ip goes to the Node 2. Is it a correct situation? advice plz ... ...
    thx in advance .. ...
    Edited by: shipon_97 on Jan 10, 2012 7:22 AM
    Edited by: shipon_97 on Jan 10, 2012 7:31 AM

    After configuring all the steps of RAC, every service is ok except SCAN_LISTENER. This listener is up on only one node at a time. First time when I check it from node1, it shows:
    If I am not wrong and after looking at the document you sent, you will be able to use only one scan in case you use /etc/hosts file and this will be up on only one node where you added this scan entry in /etc/hosts file.
    Now my question, How can I run the SCAN and SCAN_LISTENER both of the NODES?
    Probably you can't in your case, you might run only one I think and on one node only.
    srvctl status scan_listener
    SCAN listener LISTENER_SCAN1 is enabled
    SCAN listener LISTENER_SCAN1 is running on node dcdbsvr1
    now when I relocate it from node 2 using
    "srvctl relocate scan -i 1 -n DCDBSVR2", then the output shows:
    srvctl status scan_listener
    SCAN listener LISTENER_SCAN1 is enabled
    SCAN listener LISTENER_SCAN1 is running on node dcdbsvr2
    You moved scan listener from node 1 to node 2, OK
    Baring these, we have to try to relocate it from the node2 by the following way, then it shows the error:
    srvctl relocate scan -i 2 -n DCDBSVR2
    resource ora.scan2.vip does not exists
    Since you have only one scan, you can't relocate "2". So use "1" instead here also.
    FYI
    http://www.oracle.com/technetwork/database/clustering/overview/scan-129069.pdf
    Salman

  • Adding the /etc/host.deny file like linux in solaris 10.

    Dears,
    I need to add a file which will work like the /etc/hosts.deny file of Linux in Solaris.
    If it is possible in the same manner please let me know that, and if it needs some other trick to deny a specific host access to the system please tell me the way to do that.
    Eagerly waiting to hear from you.
    BR//
    Sohel.

    IPfilter can deny a specific IP address access to the host - enable IPFilter with svcadm and edit the /etc/ipf/ipf.conf file to add the IP to block. An example could be:
    block in log quick on bnx0 proto tcp from 192.168.1.5/32 to any
    I use IPfilter to pass and block all sorts of specific IP addresses as well as block/allow specific ports (like only specific hosts can use port 22, ssh).
