@(#) README 1.1 91/01/06 22:30:23

General description:

With this package you can monitor connections to the SYSTAT, FINGER,
FTP, TELNET, RLOGIN, RSH and EXEC network services.  Connections are
logged through the syslog(3) facility. A requirement is that daemons
are started by the inetd program or something similar.

The programs are tiny front ends that just report the remote host name
and then invoke the real network daemon.  In the most common case, no
changes should be required to existing software or to configuration
files.  Just move the vendor-provided daemons to another place and
install the front ends into their original places. Installation details
are given below.

Earlier versions of the programs were tested with Ultrix >= 2.2, with
SunOS >= 3.4 and ISC 2.2. The present version is a bit cleaned up, but
should still run without modification on top of most BSD-style TCP/IP
implementations.

Optional feature:

When compiled with -DHOSTS_ACCESS, the front-end programs support a
simple form of access control that is based on host (or domain) names
and service names.  Wild cards are supported.  If a host requests a
service, and if the (service, host) pair is matched by an entry in the
/etc/hosts.allow file, access is granted.  Otherwise, if the (service,
host) pair is matched by an entry in the /etc/hosts.deny file, access
is denied.  Otherwise, access is granted.  For more details, see the
hosts_access(5) manual page. This form of access control may be useful
if it can not be implemented at a more suitable level (such as an
internet router).

Related software:

Versions of rshd and rlogind, hacked to report the remote user name as
well, are available for anon ftp (ftp.win.tue.nl:/pub/logdaemon.tar.Z).
Those programs have been tested only with SunOS >= 4.0.

Another way to manage access to tcp/ip services is illustrated by the
servers provided with the authutil package (comp.sources.unix volume
22). This has the advantage that one will get the remote username from
any host supporting RFC 931 security.  By installing the auth package
(same volume) one supports RFC 931 security too.  Eventually one can
start cutting off unauthenticated connections. This is obviously a much
more advanced approach than what my front-end programs provide. The
present package is more suitable for those who lack the resources to
install anything that requires more than just renaming a couple of
executables.

Configuration and installation:

If you don't run Ultrix, you don't need the miscd front-end program.
The Ultrix miscd daemon implements among others the SYSTAT service,
which pipes the output from the WHO command to standard output.

By default, the front-end programs assume that the vendor-provided
daemons will be moved to the "/usr/etc/..." directory.  If you want
something else, adjust the REAL_DAEMON and the REAL_DAEMON_DIR macros
in the files miscd.c and tcpd.c.

By default, connections are logged to the same place where the sendmail
log entries go.  If connections should be logged elsewhere, adjust the
LOG_MAIL macro in the miscd.c and tcpd.c files, and update your inetd
configuration file (usually, /etc/syslog.conf).  Most Ultrix versions 
do not provide this flexibility, though.

By default, the front-end programs support host access control.  Access
control is turned off when the /etc/hosts.{allow,deny} files do not
exist. If you do not need support for host access control, adjust the
makefile so that the programs are compiled without -DHOSTS_ACCESS. Note:
host access control support requires the strchr() and strtok() routines.

If your C library does not provide the strcasecmp() routine, adjust the
AUX_OBJ macro in the makefile so that it uses the strcasecmp() version
provided with this package.

The tcpd program is intended for monitoring connections to the telnet,
finger, ftp, exec, rsh and rlogin services. Decide which services you
want to be monitored, move the vendor-provided daemon programs to the
location specified by the REAL_DAEMON_DIR macro in the file tcpd.c, and
copy the tcpd front end to the locations where the vendor-provided
daemons used to be. That is, one copy of the tcpd front end for each
service that you want to monitor.

Ultrix only: if you want to monitor connections to the SYSTAT service,
move the vendor-provided miscd daemon to the location specified by the
REAL_DAEMON macro in the miscd.c file, and install the miscd front end
into the original miscd location.

Acknowledgements:

Thanks to Brendan Kehoe (brendan@cs.widener.edu), Heimir Sverrisson
(heimir@hafro.is) and Dan Bernstein (brnstnd@kramden.acf.nyu.edu) for
feedback on an earlier release of this product.

	Wietse Venema,
	Mathematics and Computing Science,
	Eindhoven University of Technology,
	The Netherlands.
