Renaming .rhost and /etc/hosts.equiv
Hi!
In the Solaris hardening guide there is a point which says that the .rhost and /etc/hosts.equiv files should be removed. Is it enough if I just rename them (in the same directory) in order to be able to restore them at a later point?
Thanks.
Should be.
7/M.
Similar Messages
Sshd ignores /etc/hosts.allow and /etc/hosts.deny
Hello everyone,
I've just found out that sshd ignores /etc/hosts.allow and /etc/hosts.deny completely on my machine. It doesn't make use of tcp_wrappers. I am using the standard Arch package. Either my settings are wrong, or this is a severe security problem. It was a terrible surprise to find out that my server is under severe dictionary attacks all the time, despite the denyhosts script I am using.
These are my settings:
/etc/hosts.deny:
ALL: ALL
/etc/hosts.allow:
# some nfs daemons: 192.168.1.0/255.255.255.0
sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
mysqld: 192.168.1.0/255.255.255.0
/etc/hosts.evil:
195.113.21.131
60.10.6.53
A simple experiment to verify the settings:
[root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.131
warning: sshd: no such process name in /etc/xinetd.conf
client: address 195.113.21.131
server: process sshd
matched: hosts.deny line 5
access: denied
[root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.130
warning: sshd: no such process name in /etc/xinetd.conf
client: address 195.113.21.130
server: process sshd
matched: hosts.allow line 10
access: granted
This seems to be fine. But when I go to the machine 195.113.21.131, I can simply log in with no trouble at all.
This is really strange. Does it have something to do with the xinetd warning? I am not using xinetd... Maybe I'm doing something wrong. If you have experienced such a trouble, please give me a hint.

elasticdog wrote:
So should our package not have the ListenAddress 0.0.0.0 line uncommented by default? My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid. That way users don't have to specify their local IP address. Unless I'm wrong, shouldn't this be a bug/feature request for the packager?

This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless of the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as long as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.
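To show how tcpd actually evaluates the two tables from the post above, here is an added example written for this page (it is not part of the thread and not code from tcp_wrappers): a small Python model of hosts_access(5) matching that handles ALL, net/mask, trailing-dot prefixes, exact addresses, file references and the EXCEPT operator, run against the poster's own hosts.allow, hosts.deny and hosts.evil, which are embedded as constructed strings. Hostname-based patterns (domain suffixes, KNOWN, PARANOID, netgroups) and the optional third field of a rule are not modelled.

```python
import ipaddress

# Constructed copies of the three files from the post (embedded here, not read from disk).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """# some nfs daemons: 192.168.1.0/255.255.255.0
sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
mysqld: 192.168.1.0/255.255.255.0
"""
PATTERN_FILES = {"/etc/hosts.evil": "195.113.21.131\n60.10.6.53\n"}


def parse_rules(text):
    """Return (daemon_list, client_list) pairs; a third ':' field (options/commands) is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)          # IPv6 patterns containing ':' are outside this model
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        rules.append((daemons, fields[1].strip()))
    return rules


def match_pattern(pattern, ip):
    """One client pattern from hosts_access(5): ALL, a file, net/mask, a dotted prefix or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):              # a file: one pattern list per line
        body = PATTERN_FILES.get(pattern, "")
        return any(match_list(line, ip) for line in body.splitlines()
                   if line.strip() and not line.lstrip().startswith("#"))
    if "/" in pattern:                        # 'net/mask' in dotted-mask or prefix-length form
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                 # 'a.b.c.' matches every address with that prefix
        return str(ip).startswith(pattern)
    return str(ip) == pattern


def match_list(expr, ip):
    """'list_1 EXCEPT list_2' matches when list_1 does and list_2 does not; EXCEPT groups to the right."""
    expr = expr.strip()
    if " EXCEPT " in expr:
        left, right = expr.split(" EXCEPT ", 1)
        return match_list(left, ip) and not match_list(right, ip)
    return any(match_pattern(p, ip) for p in expr.replace(",", " ").split())


def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd's decision order: first hosts.allow match grants, else first hosts.deny match denies, else grant."""
    ip = ipaddress.ip_address(client_ip)
    for table, verdict in ((allow, "granted"), (deny, "denied")):
        for daemons, clients in parse_rules(table):
            if ("ALL" in daemons or daemon in daemons) and match_list(clients, ip):
                return verdict
    return "granted"


if __name__ == "__main__":
    # The two addresses the poster tested with tcpdmatch, plus the mysqld rule.
    for daemon, client in (("sshd", "195.113.21.131"), ("sshd", "195.113.21.130"),
                           ("mysqld", "192.168.1.7"), ("mysqld", "10.0.0.1")):
        print(f"{daemon:7} {client:16} access: {hosts_access(daemon, client)}")
```

The model reproduces the two tcpdmatch verdicts in the post (131 denied, 130 granted). What neither tcpdmatch nor this model can tell you is whether the daemon in front of the tables consults libwrap at all: OpenSSH only honoured hosts.allow and hosts.deny when built with libwrap support, and removed that support altogether in release 6.7, so checking the build options of the installed sshd (or keeping the packet filter as the enforcement point, as the poster ended up doing) is the confirmation that matters.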
Network-profiles (1) and /etc/hosts
Hi everyone,
i've got a few network-profiles, especially in one network I have to use a static ip to connect to the internet. The only entry in the /etc/hosts which works correctly - without any error messages - for me, is
192.168.0.99 localhost.localdomain myhost
If I use something like 127.0.0.1 in front and simply add my hostname at the end, I can't connect with the Inet, unfortunately. I did not test it, but I'm pretty sure, that this host configuration won't work in any other network, where I get a dynamic IP from the DHCP. Is there a possibility to write the content of the /etc/hosts with netcfg, like the /etc/resolv.conf for example?
MfG Skit

Because you didn't specify what localhost was in your hosts file. It only knows of localhost.localdomain (does not imply 'localhost') and acer being the loopback.
I think he understood that.
'localhost' is universally understood as the loopback.
this is some kind of 'magic' answer isn't it? the resolving doesn't come out as a miracle... and that is IMHO what needs explanation.
his computer alone doesn't (obviously) get it because sure, it's not set. now what 'magic' makes it known when a cable is plugged in? the computer tries to resolve locally (via /etc/hosts), fails at it, and then asks the dns server about it. so I reckon the dns server is instructed on replying '127.0.0.1' for a 'localhost' hostname request. why so? because dns servers have an option to look at their local /etc/host for resolving before delegating to bigger servers, so the dns server certainly has localhost matching 127.0.0.1 in his /etc/host, and blindly replies accordingly, oblivious to the fact that he is replying about his 'own' 127.0.0.1 to someone else.
Last edited by lloeki (2008-01-16 08:24:12)
Oracle 11gR2 RAC VM and SCAN and DNS and /etc/hosts (two) setup questions
Hi,
I am looking forward to setting up two Oracle 11gR2 RAC instances
on my Oracle VM test machine.
I plan on using the Oracle 11gR2 RAC VM template.
I want the final Oracle 11gR2 RAC instances to have SCAN that uses DNS.
The DNS will be pre-installed in the JeOS.
My first simple question about the setup is the following.
In my DNS name file, for example,
/var/named/chroot/var/named/milkyway.univ.db
do I need to provide the racnode1 and racnode2 information,
for example,
# DNS name file (snippet)
myjeos IN A 192.168.1.150
racnode1 IN A 192.168.1.161
racnode1-vip IN A 192.168.1.163
racnode2 IN A 192.168.1.162
racnode2-vip IN A 192.168.1.164
rac-scan IN A 192.168.1.131
rac-scan IN A 192.168.1.132
rac-scan IN A 192.168.1.133
Or, can I just provide only the rac-scan information
# DNS name file alternate (snippet)
myjeos IN A 192.168.1.150
rac-scan IN A 192.168.1.131
rac-scan IN A 192.168.1.132
rac-scan IN A 192.168.1.133
What I am getting at is the following.
Within the install process, will racnode1, racnode1-vip, racnode2,
and racnode2-vip host names and their IP address be written
to the RAC instances /etc/hosts files? (So I should not bother
to put them in the DNS name file like '# DNS name file alternate (snippet)'?)
Or, should I put the racnode and racnode-vip host names and IP addresses
in the DNS name file like '# DNS name file (snippet)'?
The second question is the following.
Are the cluster name and the scan name allowed to be different?
Currently, I would plan them to be different,
for example, rac-cluster and rac-scan.
Or, are they required to be the same,
for example, rac-cluster and rac-cluster.
Thank you.
AIMAIM wrote:
do I need to provide the racnode1 and racnode2 information,
Or, can I just provide only the rac-scan information
You need to provide all of it in DNS, because other hosts in your network will need to be able to resolve all of the normal, VIP and SCAN addresses for your RAC nodes. We write this data out to /etc/hosts just to reduce the amount of round-trip DNS requests the cluster nodes make for themselves.

Are the cluster name and the scan name allowed to be different?
They can be different.
Socket functions and /etc/hosts and /etc/services
I have verified that I can open a socket with either the host name or the IP address.
But can I use either the port number or the service name (from /etc/services)?
It allows me to use a string constant instead of a numeric, but it doesn't seem to work.

The string form for the port number is specifically meant to use the NI Service Locator service and nothing else. It does not link into /etc/services or anything like that at all but is a proprietary service locator solution from NI. There exist LabVIEW VIs that one can use to both query this service as well as register new services. It can be found at vi.lib/Utility/ServLocInterface.llb. The actual service used to be programmed in LabVIEW around LabVIEW 7.0 but quickly was moved to a real system service at least on Windows. Not sure if other platforms still use the VI based service implementation or have a native service daemon too, for this.
Theoretically it would be possible to create some translation program in LabVIEW that reads /etc/services and then registers them through the service locator API but I'm not sure I see a real benefit in this.
Rolf Kalbermatter
CIT Engineering Netherlands
a division of Test & Measurement Solutions
/etc/hosts vs DNS & sendmail
Hi All,
I have a question about how /etc/hosts & DNS work on a solaris 9 box.
When I have entries in /etc/hosts that are not in DNS and I run say nslookup the utility will not find the ip. But if I ping the entry in /etc/hosts it will find it. Basically I have a box with default sendmail and in /etc/hosts I have an entry with mailhost added to it at the end. nslookup does not find the box, ping does, and sendmail can't send mail to it and I can not verify that it ever worked correctly.
1) what is up with nslookup no seeing /etc/hosts?
2) can sendmail send to hosts per FQDN listed in /etc/hosts & use a DNS server at the same time?
thanks
-im

When I have entries in /etc/hosts that are not in DNS and I run say nslookup the utility will not find the ip.
Correct. nslookup and /etc/hosts are controlled by /etc/nsswitch.conf.
Files says to search /etc/hosts.
Anything else says to use that name service.

But if I ping the entry in /etc/hosts it will find it.
If it is in /etc/hosts and /etc/nsswitch.conf says to search /etc/hosts.

and in /etc/hosts I have an entry with mailhost added to it at the end. nslookup does not find the box ping does and sendmail can't send mail to it and I can not verify that it ever worked correctly.
Sendmail can be compiled to use or disregard name server lookups in addition to the /etc/nsswitch.conf file.
sendmail -v e-mail_addr, should show you some basic diagnostics.

1) what is up with nslookup no seeing /etc/hosts?
That's the way it works.

2) can sendmail send to hosts per FQDN listed in /etc/hosts & use a DNS server at the same time?
sure, see /etc/nsswitch.conf and the sendmail compile time options.
http://www.ilkda.com/sendmail/
alan
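To make alan's point about /etc/nsswitch.conf concrete, here is an added example written for this page (not from the thread and not code from Solaris or sendmail) that models the two lookup paths side by side: nslookup asks the name server directly and never reads /etc/hosts, while the gethostbyname() call behind ping walks the sources on the hosts: line of nsswitch.conf in order. The nsswitch.conf, /etc/hosts and DNS zone contents are constructed sample data; mailhost is deliberately present only in /etc/hosts, like the poster's entry.

```python
# Constructed sample configuration, embedded here rather than read from the running host.
NSSWITCH_CONF = """# /etc/nsswitch.conf (constructed sample)
passwd:     files
hosts:      files dns
"""
HOSTS_FILE = """# /etc/hosts (constructed sample)
127.0.0.1       localhost
192.168.10.25   mailhost.example.test mailhost
"""
# Stand-in for the zone the DNS server serves; mailhost is deliberately missing from it.
DNS_ZONE = {"www.example.test": "203.0.113.10"}


def parse_nsswitch_hosts(text):
    """Return the sources on the 'hosts:' line, in order, skipping [STATUS=action] tokens."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []  # no hosts: line at all: nothing to consult in this model


def parse_hosts_file(text):
    """Map every name and alias in /etc/hosts to its address (first entry wins)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])
    return table


def dns_lookup(name, zone=DNS_ZONE):
    """What nslookup does: ask the name server and nothing else."""
    return zone.get(name.lower())


def nss_lookup(name, nsswitch=NSSWITCH_CONF, hosts=HOSTS_FILE, zone=DNS_ZONE):
    """What gethostbyname() behind ping (and sendmail, when built to use it) does: try each source in turn."""
    for source in parse_nsswitch_hosts(nsswitch):
        if source == "files":
            hit = parse_hosts_file(hosts).get(name.lower())
        elif source == "dns":
            hit = dns_lookup(name, zone)
        else:
            hit = None  # nis, ldap and friends are not modelled in this example
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    for name in ("mailhost", "www.example.test", "nosuch.example.test"):
        print(f"{name:22} nslookup-style: {dns_lookup(name)!s:14} nsswitch-style: {nss_lookup(name)}")
```

With the sources in "files dns" order the name in /etc/hosts resolves before DNS is ever consulted, which is why ping finds mailhost while nslookup cannot; swapping the order to "dns files" (or leaving "files" out, as the last assertion in the test does) is the kind of change that silently breaks a mail relay whose only definition lives in /etc/hosts.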
/etc/hosts.allow versus iptables/firewall?
What's the relation between the /etc/hosts.allow and /etc/hosts.deny files, on the one hand, and a host firewall on the other? If I'm going to configure iptables on a machine, is there any point to having any non-trivial rules in /etc/hosts.allow and /etc/hosts.deny too? Or should I just set them to let everything connect and do all my configuration through iptables?
(Well, really, I'm going to use some iptables-for-dummies tool like ufw or firehol.)

I cannot agree that hosts.{allow,deny} are 'a lot more basic'. They're different from iptables, they work on a different level and offer different capabilities, but it would be much harder with iptables to grant/deny access according to:
- ident lookup
- NIS netgroup
- domain name
- consistent ip->name and name->ip mapping
and so on; man 5 hosts_access and man hosts_options contain some examples. On the actions side, in addition to granting or denying access, an arbitrary command can be run in parallel with or instead of the called service, with some useful information about the connection available as %variables.
Tcp_wrappers do not have to be called by protected service itself; they can be used with everything that uses TCP and can be run via (x)inetd, with a little help from tcpd(8).
I prefer iptables myself (no use in letting unwanted traffic pass any further than strictly necessary), but tcp_wrappers make a really nice and useful complementary solution.
Rcp, rlogin, rsh, telnet, hosts.equiv 9iRAC
Hello all,
I wonder whether rlogin, rsh, rcp, telnet and hosts.equiv are required for 9iRAC to function on Linux. The install guide for 9iRAC on RH AS2.1 has one start up those services and use hosts.equiv. Even though we are behind a firewall, I would much rather not have them running.
Any guidance would be appreciated
Thx
Wayne

Ok, I'll just try to sym link to secure equivalents and set up auth keys for Oracle user.
Hello,
I'm trying to follow the cookbooks to install rac/linux/vmware on xp professional. Whenever i try and install the CRS I get an error message that says
The local node entry in Cluster Configuration inforamtion does not match with the entry in /etc/hosts file. Verify local node information in /etc/hosts file and re-enter the correct value.
I have followed the instructions and can't see where I have gone wrong. Can someone point me in the right direction...
thanks

I too am getting this same error on HP-UX install, any ideas?
My nslookups, and /etc/hosts match up across the nodes, for the private and public networks, and the Cluster is created and looks good from clverify.
Mpc problem: getaddrinfo not checking /etc/hosts?
The source of this question is my attempt to get mpc to contact mpd on my localhost when the internet is down. When the internet is up it works fine, but when i'm not connected to the internet, running mpc behaves as follows:
I seem to have tracked this down to a problem in getaddrinfo (possibly in my system configuration?). I created a piece of test code (below) that does a gethostbyname and then a getaddrinfo. On this computer, both work when connected to the internet, but getaddrinfo fails when disconnected. I tested the same code on an ubuntu computer and getaddrinfo worked even when disconnected from the internet.
My /etc/hosts and /etc/host.conf seem to be set properly. glibc is 2.8-3. I would have thought that getaddrinfo having such a problem would cause more errors than just in mpc, but I haven't noticed any.
I'd really appreciate any help.
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

int main (void)
{
    struct addrinfo *addrinfo, *res;
    int i, error;
    struct hostent *h;

    /* First the legacy interface: gethostbyname() */
    h = gethostbyname("localhost");
    if (h) {
        /* print the first address octet by octet (IPv4 assumed) */
        for (i = 0; i < h->h_length - 1; i++)
            printf("%d.", (unsigned char) h->h_addr_list[0][i]);
        printf("%d\n", (unsigned char) h->h_addr_list[0][i]);
    } else {
        printf("no such host\n");
    }

    /* Then the modern interface: getaddrinfo() with no hints, so every family is returned */
    error = getaddrinfo("localhost", NULL, NULL, &res);
    if (error) {
        printf("host not found: %s\n", gai_strerror(error));
    } else {
        for (addrinfo = res; addrinfo; addrinfo = addrinfo->ai_next)
            printf("%d %d %d\n", AF_INET, AF_INET6, addrinfo->ai_family);
        freeaddrinfo(res);
    }
    return 0;
}
$ ./hnt
127.0.0.1
2 10 2
2 10 2
2 10 2
$ sudo dhcpcd -k wlan0
$ ./hnt
127.0.0.1
host not found: Temporary failure in name resolution
$ mpc
MPD_HOST and/or MPD_PORT environment variables are not set
error: host "localhost" not found: Temporary failure in name resolution
$
Uncommented and nonblank lines of /etc/hosts:
127.0.0.1 localhost.localdomain localhost heroine
and /etc/host.conf:
order hosts,bind
multi on

Alas, setting MPD_HOST does not help. If there is some way to give mpc an ip address instead of a hostname, that might help. Just putting 127.0.0.1 as MPD_HOST doesn't work.
I also really think there is something really weird going on with getaddrinfo.
Thanks for the idea.
$ MPD_HOST=localhost mpc
MPD_HOST and/or MPD_PORT environment variables are not set
error: host "localhost" not found: Temporary failure in name resolution
$ MPD_HOST=127.0.0.1 mpc
MPD_HOST and/or MPD_PORT environment variables are not set
error: host "127.0.0.1" not found: Address family for hostname not supported
$
DHCP Reservation Sync and DNS Host record sync etc shown in IPAM GUI
Hello all,
I am aware of the scripts in the TechNet script center to sync DHCP leases etc to IPAM, however my question is about something else -
If you highlight an IP address (IP address inventory->select an IP), You can see fields that say: "DHCP reservation sync", "DNS PTR record sync" and "DNS host record sync" as below:
I was curious as to what these are for. Is there some built-in sync functionality for these that I perhaps have not enabled? (Don't see such options any where..)
thanks,
-Ravi

Hi Ravi ,
The three columns tell us the information of the synchronization between IPAM server and DNS server (or DHCP server) .
Here is the detailed guide for using IPAM :
Using the IPAM Client Console :
https://technet.microsoft.com/en-us/library/jj878351.aspx#inventory
IPAM can sync DNS and DHCP records .
The IPAM database is separate from DHCP and DNS servers on our network ,and full synchronization of hosts and IP addresses between IPAM and managed DNS or DHCP servers does not occur automatically
unless we have configured automated tasks to perform this synchronization .
For detailed information ,see
DNS and DHCP record synchronization chapter in the following link :
Multi-server Management :
https://technet.microsoft.com/en-us/library/jj878329.aspx
Best Regards,
Leo
/etc/hosts and /etc/inet/hosts
we're running Sol10x86 11-06 and notice that there's no link between /etc/hosts and /etc/inet/hosts as there has been on some previous versions. /etc/hosts is the only file that contains all of the info for our IPMP configuration, and that seems to be enough during reboot.
what looks at /etc/inet/hosts? any danger in making /etc/inet/hosts a link to /etc/hosts?

I don't have a copy of 11/06, but I've never seen a default installation of Solaris without that link.
It's certainly there in 08/07. Is there any chance that whatever process is populating /etc/hosts on your machines is breaking that link?
Darren
/etc/hosts in Snow Leopard: ping works, browsers don't?
I've had success in the past using /etc/hosts to direct web browsers to a test server instead of the production server, but it's not working in OS X 10.6.7.
I edit the hosts file:
$ sudo vi /etc/hosts
Add my entry:
# Host Database
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
127.0.0.1 localhost dev.localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
111.111.111.111 server.com
Flush the cache:
$ dscacheutil -flushcache
Test with ping:
PING server.com (111.111.111.111): 56 data bytes
64 bytes from 111.111.111.111: icmp_seq=0 ttl=46 time=220.423 ms
64 bytes from 111.111.111.111: icmp_seq=1 ttl=46 time=242.509 ms
All seems good, but when I load http://server.com in a browser (safari, firefox, chrome), I get the production server and not 111.111.111.111. What did I miss?

Yep, thank you. It's not my server and is coughing up responses that somehow eventually kick me back over to the production content.
I don't expect further help (I probably won't pursue it further myself), but just for grins here's an example telnet request:
$ telnet server.com 80
Trying 111.111.111.111...
Connected to server.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: server.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 06 Jul 2011 20:06:43 GMT
Server: Apache
Last-Modified: Thu, 24 Mar 2011 11:40:59 GMT
ETag: "62206ad-6f-49f38f37ec8c0"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 111
<html><head><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
Definitely not what I expect. Another request for /cgi-sys/defaultwebpage.cgi just gives a 404 page. Maybe the browser tries a real DNS lookup at that point.
SCAN LISTENER runs from only one node at a time from /etc/hosts !
Dear all ,
Recently I have to configure RAC in oracle 11g(r2) in AIX 6.1 . Since in this moment it is not possible to configure DNS, so I dont use SCAN ip into the DNS/GNS, I just add the SCAN ip into the host file like :
cat /etc/hosts
SCAN 172.17.0.22
Got the info from : http://www.freeoraclehelp.com/2011/12/scan-setup-for-oracle-11g-release211gr2.html#ORACLE11GR2RACINS
After configuring all the steps of RAC, every service is ok except SCAN_LISTENER. This listener is up on only one node at a time. The first time when I check it from node1, it shows:
srvctl status scan_listener
SCAN listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node dcdbsvr1
now when I relocate it from node 2 using
"srvctl relocate scan -i 1-n DCDBSVR2" , then the output shows :
srvctl status scan_listener
SCAN listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node dcdbsvr2
Baring these , we have to try to relocate it from the node2 by the following way, then it shows the error :
srvctl relocate scan -i 2 -n DCDBSVR2
resource ora.scan2.vip does not exists
Now my question , How can I run the SCAN and SCAN_LISTENER both of the NODES ?
Here is my listener file (which is in the GRID home location) configuration :
Listener File OF NODE1 AND NODE 2:
==================================
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON
ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON
LISTENER_SCAN1 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC) (KEY = LISTENER_SCAN1)
ADR_BASE_LISTENER_SCAN1 = /U01/APP/ORACLE
2) Another issue , when I give the command : " ifconfig -a " , then it shows the SCAN ip either node1 or node2 . suppose if the SCAN ip is in the node1 , and then if I run the "relocate" command from node2 , the ip goes to the Node 2 . is it a correct situation ? advice plz ... ...
thx in advance .. ...
Edited by: shipon_97 on Jan 10, 2012 7:22 AM
Edited by: shipon_97 on Jan 10, 2012 7:31 AM

After configuring all the steps of RAC , Every services are ok except SCAN_LISTENER . This listener is up only one node at a time . First time when I chek it from node1 , it shows :
If I am not wrong and after looking at the document you sent, you will be able to use only one scan in case you use /etc/host file and this will be up on only one node where you added this scan entry in /etc/hosts file.

Now my question , How can I run the SCAN and SCAN_LISTENER both of the NODES ?
Probably you can't in your case, you might run only one i think and on one node only
srvctl status scan_listener
SCAN listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node dcdbsvr1
now when I relocate it from node 2 using
"srvctl relocate scan -i 1 -n DCDBSVR2" , then the output shows :
srvctl status scan_listener
SCAN listener LISTENER_SCAN1 is enabled
SCAN listener LISTENER_SCAN1 is running on node dcdbsvr2
You moved scan listener from node 1 to node 2, OK
Baring these , we have to try to relocate it from the node2 by the following way, then it shows the error :
srvctl relocate scan -i 2 -n DCDBSVR2
resource ora.scan2.vip does not exists
Since you have only one scan, you can't relocate "2". So use "1" instead here also
FYI
http://www.oracle.com/technetwork/database/clustering/overview/scan-129069.pdf
Salman
Adding the /etc/host.deny file like linux in solaris 10.
Dears,
I need to add a file which will works like the file of /etc/hosts.deny of Linux in Solaris.
If it is possible in the same manner please let me know that, and if it need some other trick to deny a specific host to access the system please tell me the way to do that.
Eagerly waiting to hear from you.
BR//
Sohel.

IPfilter can deny a specific IP address access to the host - enable IPFilter with svcadm and edit the /etc/ipf/ipf.conf file to add the IP to block. An example could be:
block in log quick on bnx0 proto tcp from 192.168.1.5/32 to any
I use IPfilter to pass and block all sorts of specific IP addresses as well as block/allow specific ports (like only specific hosts can use port 22, ssh).
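An /etc/ipf/ipf.conf fragment, added here as an example and not taken from the reply above, that extends the single block rule into the two things the reply describes: denying one specific host, and allowing port 22 only from named hosts. The interface name bnx0 comes from the reply; the addresses 192.168.1.5, 10.1.2.0/24 and the logging choices are constructed placeholders to adapt.

```text
# /etc/ipf/ipf.conf (example; constructed addresses, bnx0 taken from the reply)
# Rules are read top to bottom; "quick" stops evaluation at the first match.

# Deny one specific host outright, the hosts.deny-style entry, and log the attempts
block in log quick on bnx0 from 192.168.1.5/32 to any

# Let connections this host initiates, and their replies, pass
pass out quick on bnx0 all keep state

# ssh (tcp/22) only from the admin subnet; "keep state" admits the rest of the session
pass in quick on bnx0 proto tcp from 10.1.2.0/24 to any port = 22 flags S keep state

# Everything else arriving on bnx0 is dropped and logged: the default-deny posture
block in log on bnx0 all
```

On Solaris 10 the file is loaded by the ipfilter service, so after editing it run svcadm enable network/ipfilter (or ipf -Fa -f /etc/ipf/ipf.conf to reload while it is already enabled) and check the result with ipfstat -io before relying on it; unlike a hosts.deny entry, the last rule means any service not explicitly passed is unreachable from the network, so list every required port before enabling it on a remote box.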