Replacing finger information

Post by Mubashir Chee » Wed, 28 Sep 1994 20:38:23



Due to security reasons we have disabled the finger from outside
of our machine. Now if someone tries to finger they get the
message " connection refused ", which some people find annoying.

I have noticed that some people have found a nice solution to this.
When a person fingers their machine they provide some helpful
information on who to send email to get information on the machine

-------------
 For information about Silicon Graphics, please call (415) 960-1980.


 or call (415) 390-3410.
------------

Could some kind soul describe briefly how something like this can be
setup ?

Thanks very much.


 
 
 

Replacing finger information

Post by Mark 'Enry' Komarins » Wed, 28 Sep 1994 22:05:23


: Due to security reasons we have disabled the finger from outside
: of our machine. Now if someone tries to finger they get the
: message " connection refused ", which some people find annoying.

: I have noticed that some people have found a nice solution to this.
: When a person fingers their machine they provide some helpful
: information on who to send email to get information on the machine

: -------------
:  For information about Silicon Graphics, please call (415) 960-1980.
:  

:  or call (415) 390-3410.
: ------------

: Could some kind soul describe briefly how something like this can be
: setup ?

: Thanks very much.

Look in the /etc/inetd.conf file.  There should be a line looking like:
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -w

Replace the in.fingerd -w with a shell script or something that prints
out the information you want.  You can take out the /usr/sbin/tcpd
too, but that introduces more security risks, and if yr going to close off
finger, you'll want that security then.

--

Smile.  It makes people wonder what you're up to.

 
 
 

Replacing finger information

Post by Bill Zettl » Thu, 29 Sep 1994 06:02:51


|>
|> Due to security reasons we have disabled the finger from outside
|> of our machine. Now if someone tries to finger they get the
|> message " connection refused ", which some people find annoying.
|>
|> [Condensed: how do I replace the finger daemon?]

(1) Create the file /home/cheema/work/nofinger.c :

#include <stdio.h>

int main(void)
{
    /* inetd connects stdout to the client, so this is what they see */
    printf("get that finger outa my face!\n");
    return 0;
}

(you may wish to replace that message with something more apropos)

(2) compile with : cc -o nofinger nofinger.c

(3) now replace the "finger" line in /etc/inetd.conf to read :

finger  stream  tcp     nowait  root    /home/cheema/work/nofinger nofinger

(4) find the process ID of inetd (29 on my machine, of course it depends
    on your startup sequence) with ps aux, kill -HUP it to make inetd
    re-read its configuration files.

    Killing it outright and restarting will doubtless work too, but may mess
    something else up.

(5) now "finger" your machine (using full netpath of course, i.e.,

Obviously move the files around to taste.

NOW, the * bit - the usual way to "secure" a local net is to firewall
it via the gateway, that is, you have a bridge machine which filters out
what gets to you. It does bring peace of mind to the suits, who don't know
their computers from their fax machines, and who certainly wouldn't like
just *anyone* messing with the system parameters. For example, my
nofinger program *could* be written to have a hidden back door. And people
who are afraid of the finger program are generally pretty tense.

If you're firewalled, this won't work because the daemon will never be
woken up, because the datagram will never get there.

Maybe you know all this. If so, sorry for prattling on.

Good Luck.

-----------------
Bill Zettler

 
 
 

Replacing finger information

Post by Mubashir Chee » Thu, 29 Sep 1994 18:49:29


>Look in the /etc/inetd.conf file.  There should be a line looking like:
>finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd -w

>Replace the in.fingerd -w with a shell script or something that prints
>out the information you want.  You can take out the /usr/sbin/tcpd
>too, but that introduces more security risks, and if yr going to close off
>finger, you'll want that security then.

 That's the first thing I did. It doesn't work.


 
 
 

Replacing finger information

Post by Michael Kell » Fri, 30 Sep 1994 04:25:26


In comp.os.linux.admin,



>Replace the in.fingerd -w with a shell script or something that prints
>out the information you want.  You can take out the /usr/sbin/tcpd
>too, but that introduces more security risks, and if yr going to close off
>finger, you'll want that security then.

A better solution is to USE the features of tcpd.

There are two files which determine whether or not a daemon gives out
information under tcpd:  hosts.allow and hosts.deny     (hosts_access(5))

You might like to do this:

<hosts.deny>:
fingerd: ALL : cat nofinger.text

<hosts.allow>:
fingerd: .your.domain

This says:  if anyone in my domain tries to finger accept the connection,
            otherwise, cat some text at them.

--
I've got them on the list. I've got them on the list.
   And they never will be missed. They *never* will be missed.

                                   -- Gilbert & Sullivan, _The Mikado_

 
 
 

Replacing finger information

Post by Timo Kokkon » Sat, 01 Oct 1994 08:47:41



> You might like to do this:
> <hosts.deny>:
> fingerd: ALL : cat nofinger.text
> <hosts.allow>:
> fingerd: .your.domain
> This says:  if anyone in my domain tries to finger accept the connection,
>             otherwise, cat some text at them.

I tried this but it didn't work. I put following line into
/etc/hosts.deny:

in.fingerd : ALL : /bin/cat /etc/nofinger.txt

(and yes, /etc/nofinger.txt is world readable...)

Now finger returns:
---

[technocore.slip.jyu.fi]

technocore:/root#
---

Even echo 'foo' as shell_command didn't produce any output when fingering...

--
-------------------------------------------------------111010-101101-101001---
 Timo Kokkonen, Student of Computer Science, University of Jyvaskyla, Finland

-------------------------------------"In space no one can hear you scream."---

 
 
 

Replacing finger information

Post by Alan C » Tue, 04 Oct 1994 23:09:02



>Due to security reasons we have disabled the finger from outside
>of our machine. Now if someone tries to finger they get the
>message " connection refused ", which some people find annoying.

>I have noticed that some people have found a nice solution to this.
>When a person fingers their machine they provide some helpful
>information on who to send email to get information on the machine


Replace the in.fingerd in /etc/inetd.conf with some nice program that prints
your message eg

#!/bin/sh
cat <<EOF
We are paranoid and won't tell you who is on.
EOF

And don't forget to disable rusers/rwho/all email services that people
might use to find out what users exist.

Alan
--
  ..-----------,,----------------------------,,----------------------------,,

 ``----------'`----------------------------'`----------------------------''
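
Added example (not part of any post in this thread): a static finger responder in POSIX sh that serves both the inetd.conf replacement suggested above and the tcpd route that returned no output. The install path /usr/local/sbin/nofinger, the default banner path and the function names are assumptions; the comments cite hosts_access(5) and hosts_options(5) for why a plain shell command in hosts.deny prints nothing to the client.

```shell
#!/bin/sh
# Added example: static finger responder for inetd, or for a tcpd "twist" rule.
#
# /etc/inetd.conf, unprivileged and still behind tcpd (install path is assumed):
#   finger stream tcp nowait nobody /usr/sbin/tcpd /usr/local/sbin/nofinger
#
# /etc/hosts.deny alternative. A plain shell_command there runs with stdin,
# stdout and stderr on /dev/null (hosts_access(5)), so the client sees nothing;
# the "twist" option (hosts_options(5), if tcpd is built with it) connects
# them to the client instead:
#   in.fingerd : ALL : twist /usr/local/sbin/nofinger %a

BANNER_FILE=${BANNER_FILE:-/etc/nofinger.txt}

# Reduce untrusted text to a short, log-safe string. It is only ever logged.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9@._/: -' | cut -c1-64
}

# Print the banner with the CRLF line endings the finger protocol uses.
banner() {
    if [ -r "$BANNER_FILE" ]; then
        tr -d '\r' < "$BANNER_FILE"
    else
        echo "Finger is not available on this host."
    fi | awk '{ printf "%s\r\n", $0 }'
}

# Consume the one-line query, record it, answer. $1: client address, if given.
respond() {
    IFS= read -r req || :
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.info -t nofinger \
            "from=$(sanitize "${1:-unknown}") query=$(sanitize "$req")" \
            2>/dev/null || :
    fi
    banner
}

# Serve only when installed under the name "nofinger"; otherwise just define
# the functions so they can be exercised directly.
case ${0##*/} in
    nofinger*) respond "$@" ;;
esac
```

The query line is read so the connection closes cleanly and the probed name ends up in syslog; it is never passed to a command or used as a path.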

 
 
 

1. FINGER: How can I know who is fingering or fingered me?

Hi, netters,

Does anybody know if I can aware somebody is fingering me or once fingered
me? If yes, can you tell me how? I once saw such kind of discussions here. I
think it is enough to know which machine is fingering me.

Many thanks.

--Yang Wang
------------------------------
Dept. of Systems Design Engg.
University of Waterloo
Waterloo, Ont. Canada N2L 3G1

2. Foo and Bar, interesting question

3. how to change finger information

4. Installing without formating a slice

5. Help with Finger information

6. HP-DESKJET720C. Who is printing with the pbm2ppa from t.normat??

7. Getting more information out of "finger" locally

8. gcc 2.8.1 + binutils-2.8.1.0.29-2 genrated 2.0.32 kernel + Xfree86

9. outdated finger information

10. Can finger information on Solaris be changed

11. FINGER information manipulation

12. finger-information

13. Could you help me with finger information?