Code [inet001e]
One or the other of the two listed files are unavailable. These files are required for the checks to proceed. This either indicates an incorrect configuration, or that a port to this machine has not been completed.
Code [inet002f]
The indicated service is assigned to the wrong port. This indicates either a misconfiguration in the services database, or a possible sign of an intrusion. This should be checked and corrected. If it is not apparent why it is like this, the system should be checked for other signs of intrusion.
Code [inet003w]
The indicated port number is assigned to another service. This indicates either a misconfiguration in the services database, or a possible sign of an intrusion. This should be checked and corrected. If it is not apparent why it is like this, the system should be checked for other signs of intrusion.
Code [inet004i]
The indicated service has been added to the services database as distributed. These are normal output, but you should be familiar with what is there, and note any changes.
Code [inet005w]
'inetd' is using the indicated binary for the listed service instead of what is normally expected there. Unexpected differences should be checked, and if anything unusual is found, the system should be checked for other signs of intrusion.
Code [inet006f]
The 'rexd' (or 'exec') service is very insecure and should never be enabled. Known rexd servers have little or no security in their design or implementation. Intruders can exploit this service to execute commands as any user.
It should be disabled immediately by editing the inetd.conf file and removing the 'rexd' entry, and sending a HUP signal to the 'inetd' process.
For AIX systems, CERT Advisory CA-92:05 is applicable.
Notice that some intruders may turn on a service that you previously thought you had turned off, or replace the inetd program with a Trojan horse program.
Code [inet007w]
'inetd' is using the indicated executable for a port other than what would normally be expected for this port. This may indicate a backdoor into the system and should be checked. If anything unusual is found, the system should be checked for other signs of intrusion.
Code [inet008]
The owner of the indicated executable is not 'root'. The owner of the executable should be root in order to reduce the possibility of it being altered or replaced.
Code [inet009]
The indicated executable is group writable, world writable or both. The executable should be owned by root and writable only by the owner. This reduces the possibility of it being altered or replaced.
Code [inet010i]
The program listed in the `inetd' configuration file does not exist or is not executable.
Code [inet011i]
The listed entry is a local addition to the `inetd.conf' file. This should be checked to see if it is a valid addition. If it is not, it should be removed.
Code [inet012w]
The 'systat' service is enabled, this system provides a considerable number of information to remote anonymous users. Consider disabling it by editing the inetd.conf file, removing the 'systat' entry, and sending a HUP signal to the 'inetd' process.
Code [inet013w]
The 'netstat' service is enabled, this system provides a considerable number of information to remote anonymous users. Consider disabling it by editing the inetd.conf file, removing the 'netstat' entry, and sending a HUP signal to the 'inetd' process.
Code [inet014i]
The listed entry was protected by tcp wrappers by the default installation and is currently protected this way too. This is a good thing!
Code [inet015i]
The listed entry has been modified in order for it to be protected by using tcp wrappers. This has been changed from default installation (which did not provide it) but is probably a better setup.
Code [inet016f]
The listed entry was protected by tcp wrappers by the system but has, for some unknown reason, changed to no longer be protected by them. Make sure that the service is secured since, if not using tcp wrappers, access control for it might be disabled.
Code [inet017w]
The inetd configuration file permissions is not 600. This is the recommended setting by CERT's 'UNIX Security Checklist v2.0'. You should check that the file permissions on that file are correct. If an attacker can access the file due to lack of file permissions it might enable him to add new lines to the file which would, when inetd is restarted, allow him to introduce backdoors in the system.
Code [inet018w]
The inetd configuration file can be written by any user of a given group since the file permissions ensure this. If the group is not an administrative group you should consider changing its permissions to 600. If the group includes untrusted users, one of them could add new lines to the file which would, when inetd is restarted, allow him to introduce backdoors in the system.
Code [inet019a]
The inetd configuration file can be written by any user of the system. This makes it possible for any user to add new lines to the file which would, when inetd is restarted, allow him to introduce backdoors in the system. You should review your inetd configuration file to determine if there are suspicious services enabled since this might indicate that an intrusion has taken placed on the system. Also change the file permissions to restrict this misuse.
Code [inet020f]
The inetd configuration file is not owned by root which is usually the owner of this file in most systems. This might indicate that the system has been affected by an intrusion and permissions of both the file and the directory it is stored in should be reviewed. Also review the content of this file in order to check if there are suspicious services enabled since this might indicate that an intrusion has taken place.
Code [inet021f]
TCP wrappers do not seem to be installed in the system since the 'tcpd' program is not found in the system. Tcp wrappers allows you to monitor and filter incoming requests for common network services (through the use of the hosts.allow and hosts.deny files) and can be used to 'wrap' services either running through the inetd or in rc.d files. It is available via anonymous FTP from: ftp://ftp.porcupine.org/pub/security/
Code [inet022w]
The tftpd service is enabled, disable tftp if not needed by commenting it out from the file /etc/inetd.conf and restarting the inetd process.
If the tftpd service is required, create a separate partition to store the files to be served by tftp and limit the tftp daemon to the directory where this partition is mounted. Also make sure that the files in the tftpd area are not writable.
If it is not required, disable it by editing the inetd.conf file, removing the 'tftp' entry, and sending a HUP signal to the 'inetd' process.
Code [inet023w]
The 'finger' service is enabled, this system provides a considerable number of information to remote anonymous users. An intruder can obtain quite a number of information about a remote host. Also, if improperly configured it can be used to create a 'finger war' DoS loop and can be used to do indirect finger requests (that is contact remote servers when a remote user sends a request for 'user@other_host@your_host')
You should make sure that you have an up-to-date version of fingerd. Do not use a version of fingerd that is older than 16 October, 2000. For more information consult the AusCERT ESB available at ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.286
Consider disabling it unless it is considered essentially by editing the inetd.conf file, removing the 'finger' entry, and sending a HUP signal to the 'inetd' process.
If you cannot remove finger consider reducing the content by replacing it with a version which only offers restricted information.
Code [inet024w]
The 'rusers' service is enabled, this system provides a considerable number of information to remote anonymous users.
Consider disabling it by editing the inetd.conf file, removing the 'rusers' entry, and sending a HUP signal to the 'inetd' process.
Code [inet025w]
The 'echo' and 'chargen' UDP servers are potentially problematic since they can be used to setup ping-pong DoS attacks targeted at other systems by means of IP address spoofing.
Consider disabling it by editing the inetd.conf file, removing the 'echo' and/or 'chargen' entries, and sending a HUP signal to the 'inetd' process.
Code [inet026w]
The linuxconf service can be utilized for remote administration.
Consider disabling it by editing the inetd.conf file, removing the 'linuxconf' entry, and sending a HUP signal to the 'inetd' process.
Code [inet027w]
The 'identd or auth' service is enabled, this system provides a considerable number of information to remote anonymous users.
Consider disabling it by editing the inetd.conf file, removing the 'auth' entry, and sending a HUP signal to the 'inetd' process.
Code [inet098w]
Services that pass sensitive information (including passwords) should be replaced with the family of programs that comprise secure shell (ssh) which use strong encryption based on public-key cryptography.
You can use the freely-available OpenSSH implementation at http://www.openssh.org
Code [inet099w]
The indicated service is not protected by tcp wrappers or xinetd access control. The use of this facility is encouraged to limit access and to improve logging. The listed entry was protected by tcp wrappers by the default installation and is currently protected this way too. This is a good thing!
Code [inet100w]
The inetd services does not have logging enabled. Adding logging to the inetd services will help identify potential mis-use of system system resources.
To enable logging for the inetd service add the -l option in the inetd startup scripts.
To enable logging for the xinetd services add the log_type, log_on_success and/or log_on_failure to the /etc/xinetd.conf file.
Code [xnet001e]
The script cannot find an xinetd configuration file in this system. This might happen if Xinetd is not installed of if the XINETDCONF configuration variable is not properly defined. The script will try to find this configuration file in standard locations (/etc/xinetd.conf) but if it's not there you will need to define it in the siterc configuration file.
Code [xnet002e]
A directory which is being included by the XINETDCONF configuration file is not really a directory. This prevents the script from analysing all the active services and might be a configuration issue. Please check Xinetd's configuration file.
Code [xnet003e]
The script cannot read the xined configuration file in this system. This should not usually happen since the script should be running with root privileges. In order to analyse the configuration file you need to run this script as a user who can read all the Xinetd configuration files.
Code [xnet004i]
The service is enabled in the Xinetd configuration file. You should verify that services enabled in the server are legitimate and consider disabling unused services in order to minimise exposure (and associated risk)
Code [xnet005i]
The service is disabled in the Xinetd configuration file. This is usually a good thing, since this limits exposure of the server and prevents external attacks.