Solved

uucp command

Posted on 2006-07-11
21
649 Views
Last Modified: 2013-12-06
We are using HP-UX 10.2.
My application is interacting with another application via uucp. Now the interface with the other application system is going to be removed, so I need to remove the details about the other system from my system so that it doesn't send/receive files to us. I am able to see the directories /etc/uucp and /usr/lib/uucp. There are a lot of files under them. Which file contains entries about other machines? What do I need to do to remove the entries about the other machine?
0
Comment
Question by:pigeon5566
21 Comments
 
LVL 3

Expert Comment

by:anumalas
ID: 17088711
Hi

the main configuration file for uucp is /etc/uucp/config -- contains information about all nodes

second one is /usr/lib/uucp/sys file this contains system specific information of sites to which you are linked

third one is /etc/uucp/port holds uucp port information

fourth one is /etc/uucp/dial holds per-dialer information

You need to remove entry from "config" file and related information about that node in "sys" and "dial" files

Hope this will solve your problem :)
0
 

Author Comment

by:pigeon5566
ID: 17102096
I am able to find the below files under /etc/uucp

ls -ltr /etc/uucp
-r--r--r-- 1 bin bin 15 Nov 6 1995 Dialcodes
-r--r--r-- 1 bin bin 2 Nov 6 1995 Maxuuxqts
-r--r--r-- 1 bin bin 2 Nov 6 1995 Maxuuscheds
-r-------- 1 root sys 3248 Sep 10 1998 Systems_s
-r--r--r-- 1 root sys 1007 Sep 11 1998 Permissions_s
-r--r--r-- 1 bin bin 2361 Dec 21 1998 Devices
-r--r--r-- 1 bin bin 1483 Dec 21 1998 Permissions
-r--r--r-- 1 bin bin 12435 Dec 21 1998 Dialers
-r--r----- 1 uucp daemon 3594 Apr 10 2001 Systems_old
-r--r--r-- 1 bin bin 649 Sep 21 2004 Poll
-r--r----- 1 root scc 3774 Sep 22 2004 Systems_0922
-r--r----- 1 uucp daemon 3776 Sep 22 2004 Systems
-rw-r--r-- 1 root sys 29622180 Jul 12 08:06 cron.log

I am not able to find the sys, port, dial and config files in the /etc/uucp directory.
0
 
LVL 6

Expert Comment

by:JJSmith
ID: 17110831

The Systems file should contain the details of 'other' systems.

If you want to remove a complete 'line/connection'  then you would edit Devices.


Cheers
JJ

PS - do a 'man cu' for some background reading.

0
 

Author Comment

by:pigeon5566
ID: 17116938
I want to disable the uucp communication with another system. My system is sending/receiving files to/from another system. If I remove an entry in the Systems file, will it stop both sending and receiving from the other system? Do I need to remove entries in some other file for stopping the receiving of files from the other system?
0
 
LVL 6

Expert Comment

by:JJSmith
ID: 17118439

Changing your Systems file will stop sending to the remote system.

You cannot stop receiving (from anyone) - unless you start to protect yourself by one or more of:

1. Removing the uucp functionality.
2. Changing passwords used by the remote system.
3. Removing your system details from their systems file.
4. Changing privileges on inbound directories.
5. Setting up firewalling.

Probably some other 'hardening' techniques, but I'm not aware of any uucp configurative ways of doing it, but it has been 15 years since I used it !!

Cheers
JJ
0
 
LVL 34

Expert Comment

by:James0628
ID: 17121095
It depends on how your system is set up, but start with Systems (as already mentioned) and Permissions.  Looking at the modification dates in the file list you posted, you might also want to look at  Poll (I never used it and can't remember what it's for, but if it has an entry for that other computer, I'd delete it, or comment it out).

 BTW, those variations on Systems and Permissions, like Systems_old and Permissions_s, are presumably just copies of the files that someone made.  Systems and Permissions should be the "live" files.

 Which computer initiates the connection, yours or the other computer?

 If it's yours, take the other computer out of Systems and your computer can't connect to it any more (via uucp), even if it wants to.

 If the other computer initiates the connection, taking it out of Systems may be enough to keep it from getting in.  It's been a while and I can't remember for sure if an entry in Systems is absolutely required.  I think there might be settings that allow connections from "anonymous" computers, in which case simply taking that computer out of Systems may not be enough, depending on how your system is set up.
 You should also look at Permissions.  It can control which directories a computer is allowed to access, whether it can send or request files, etc.  FWIW, you could try to use Permissions to restrict that computer's access, so that it couldn't do what it wanted to do (eg. don't allow it to send files), but it would be better to prevent it from getting into your computer, or even trying to connect to it, for that matter.  So, while I think it'd be worthwhile to look at Permissions and see if that other computer is there, there may not actually be much point in trying to change anything there.

 If you want to be absolutely sure that that other computer can not connect to your computer, you could find out what login that computer uses to connect to your computer and remove the login or change the password, but if other computers use the same login, they won't be able to get in either unless they are changed to use the new password, or a different login.  The login they use may be in a log file (probably under /usr/lib/uucp somewhere, I think).  Otherwise, check the Systems file on that computer (Systems has the name of each known system, and the connection and login info used to connect to that system).

 Whichever computer is initiating the connection, if it's done automatically, you probably want to stop that, so it doesn't try to establish the connection anymore.  There are various ways it could be done, but the first place to look would be in the cron files (traditionally in /usr/spool/cron/crontabs).  If you can identify the entry that establishes the connection and delete it (or comment it out), the computer won't even try to connect anymore.

 Hope this helps.

 James
0
 

Author Comment

by:pigeon5566
ID: 17136820
Thanks a lot for the info. In the program I am able to see it's using the uucp command to transfer the file to the remote system. If I modify the Systems and Permissions files, do I need to restart any daemon, or will the uucp command automatically know about the modification in the config file?
0
 
LVL 34

Expert Comment

by:James0628
ID: 17144526
Traditionally, uucp commands read the Systems, etc. files every time they are run, so no restarts should be necessary.

 FYI, uucico is the program that actually performs file transfers.

 James
0
 

Author Comment

by:pigeon5566
ID: 17165186
Thanks a lot for the info.
1. The remote system to which our system is sending is ocdpp01. To stop our system sending files to the external system, in the Systems file I need to delete or comment line number 40. Hope I am correct.

System
******

    33  ##########  interface to OCDDB ##########
    34
    35  nspmprod Any TCP "" \r in:--in: nuucp word: dragon
    36  ocddb Any;30 DK,g Any mo/kscygw/4002 "" "" in:--in: topas word: n0sc0re.
    37  irdwsvr2 Any TCP "" \r in:--in: nuucp word: dragon
    38  # ocdpp01 Any;30 DK,g Any az/mscdd/2222 "" \r\r\c in:--in: topuucp word: ftuucp
    39  #ocdpp01 Any;30 DK,g Any 727/385/2222 "" \r\r\c in:--in: topuucp word: ftuucp
    40  #ocdpp01 Any;30 DK,g Any 727/404/2222 "" \r\r\c in:--in: topuucp word: ftuucp
    41  ocdpp01 Any TCP "" \r in:--in: topuucp word: ftuucp
    42  #ocdpp01 Any;30 DK,g Any 685/207/0709.uucp"" \r\r\c in:--in: topuucp word: ftuucp
    43


2. The remote system ocdpp01 is putting the files in our local machine's /topas/reports/ocdd directory.
So if I want to stop the external system sending to our directory, in line numbers 17 and 18 I need to remove the /topas/reports/ocdd directory entry. Hope I am correct? Also, do I need to remove the lines between 47 and 51, or is it sufficient to remove the directory entry /topas/reports/ocdd in line number 48?



Permissions
***********

    16          LOGNAME=nuucp \
    17          READ=/var/spool:/topas/reports/NCD:/topas/reports/ocdd \
    18          WRITE=/var/spool/uucppublic:/topas/reports/NCD:/topas/reports/ocdd \
    19          REQUEST=yes SENDFILES=no \
    20          COMMANDS=rmail:lp:uux:/usr/bin/uucp:/topas/ebin/NCDaud




    47          MACHINE=ocdpp01 \
    48          READ=/topas/reports/ocdd:/var/spool/uucppublic \
    49          WRITE=/var/spool/uucppublic:/topas/reports/ocdd \
    50          REQUEST=yes \
    51          COMMANDS=rmail:lp:uux:/usr/bin/uucp
    52


3. Also, what is the purpose of the Machine entry and logname entry in a Permissions entry?
0
 
LVL 34

Expert Comment

by:James0628
ID: 17166458
First of all, I hope you edited those Systems lines.  Otherwise, you just posted the logins and passwords that your system uses to connect to those systems.  The sequence at the end of the line is a login sequence.  Basically, it tells uucp to look for "in:" (as in the end of "login:"), then send the next field (eg. nuucp), then look for "word:" (as in the end of "password:"), then send the next field.  uucp doesn't encrypt or alter those fields in any way.  Those are the actual logins and passwords it uses, unless you altered them.

 If those were actual logins and passwords, you might want to delete this thread (AFAIK, you can't delete a single message) and start over (I plan to save a copy of my messages, just in case), but the fact is, they're already "out there".  You should at least change the passwords.  That means changing the password on a remote system and then changing the password for that system in the Systems file on every system that initiates a uucp connection to that system.

 James
0
 
LVL 34

Expert Comment

by:James0628
ID: 17166539
Now, getting back to your questions:

 For the record, I haven't used uucp under HP-UX.  My answers are based on using uucp under various other versions of Unix.  But uucp is an old and, in my experience, fairly standardized package.  The HP-UX version should be basically the same.

 Systems:

 > To stop our system sending files to external system
 > In system file i need to delete or comment the line number 40

 If you want to prevent any outgoing connections with ocdpp01, I would also delete/comment line 41 and any other line that references ocdpp01.
 However, removing these entries doesn't specifically prevent your system from sending files to, or receiving files from, ocdpp01.  It keeps your system from initiating a connection to ocdpp01.  But it doesn't necessarily keep ocdpp01 from initiating a connection to your system, and if a connection is established, file transfers (sending or receiving) can be initiated by _either_ system.

 See if you have a remote.unknown file on your system.  It may be in /usr/lib/uucp, or it may be somewhere else.  This is a standard script file that uucp uses to decide what to do if a system that is _not_ listed in Systems connects to your system.  I think the traditional operation is:
 If remote.unknown is found and is executable, it records in a log file that an unknown system tried to connect and the connection is denied.
 If remote.unknown is not found or is not executable, uucp will allow unknown systems, _any_ unknown systems, to establish uucp connections to your system.

 For the purposes of not allowing connections from ocdpp01, you'd want the first option.  If your system is set up to allow connections from unknown systems for some reason, you might want to try to change it.  ocdpp01 aside, allowing unknown systems to initiate uucp connections presents obvious security issues.

 FWIW, the remote.unknown script could also theoretically be modified to perform specific operations, like allow connections from some systems and not others.


 Permissions:

 > So if i want to stop the external system sending to our directory in
 > line number 17,18 i need to remove /topas/reports/ocdd directory entry.

 It depends, but you probably don't want to do that.

 LOGNAME means login name.  Changing any of those settings will affect every uucp connection to your system that uses that login.  nuucp is a standard/default login.  If you have other systems that initiate uucp connections to your system and use that same login, which seems likely based on what I've seen so far, changing the entries for LOGNAME=nuucp will affect those other systems as well.


 To prevent any uucp operations between your system and ocdpp01:

 The simplest answer would be to delete/comment all references to ocdpp01 in Systems, provided that your system will not allow "unknown" systems to initiate uucp connections to your system.  That may be determined by a remote.unknown script.  At least, that's the first thing I'd look for.

 The next simplest thing would probably be to change your Systems file _and_ the Systems file on ocdpp01.  If you eliminate every reference to your system from the Systems file on ocdpp01, it should not be able to initiate a uucp connection to your system either.  If neither system can initiate a uucp connection to the other, the settings in Permissions, etc. should be moot.
 In case you're wondering, you shouldn't need to worry if there is a remote.unknown script on ocdpp01.  If you eliminate ocdpp01 from your Systems file, your system can't initiate a uucp connection to ocdpp01, so a remote.unknown script on ocdpp01 shouldn't be an issue.  Likewise, if you eliminate your system from Systems on ocdpp01, ocdpp01 can't initiate a uucp connection to your system, in which case a remote.unknown script on your system wouldn't be an issue either.

 There are various other possibilities, like changing the login used by ocdpp01 and/or any other systems that initiate uucp connections to your system, so you can control what they can/can't do using Permissions; or simply lock ocdpp01 out by setting it up to use an invalid login/password, so it can't login (that would involve changing the Systems file on ocdpp01, not your Systems file).  But they all seem a lot more complicated than just removing the appropriate system names from the Systems files on both systems.

 For the record, it's been a long time, but I think it may be possible to have uucp transfer files indirectly (systemA to systemB to systemC), by giving it a list of system names.  In that way, it might be possible to transfer files between your system and ocdpp01 indirectly, by way of another system that your system and ocdpp01 are both communicating with.  But you have to issue specific commands to do that.  It won't just happen automatically.  It's presumably not anything you need to worry about, but I have no idea how the files are being transferred, so I just wanted to mention it.  If some files do show up, that might be worth looking into.


 > 3. Also what is purpose of Machine entry and logname entry  in permissions entry?

 I already covered LOGNAME.  MACHINE is used to control the permissions a remote system has when _your_ _system_ initiates the connection.  IOW,
 When a remote system initiates a uucp connection to your system, it uses a login/password and the LOGNAME entry for that login controls which directories your system will allow that system to access, etc.
 When your system initiates a uucp connection to a remote system, the MACHINE entry for that system controls which directories that system can access, etc.
 Basically, they both control what a remote system can do on your system via uucp.  The difference is which end initiates the connection.

 You can find a description of the Permissions file at:

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.doc/files/aixfiles/Permissions.htm

 Technically, it's for AIX (another version of Unix), but, like I said, this uucp stuff has been around a long time and is pretty well standardized.  It should all, or just about all, apply to your system.  If you click on the Index link on that page you'll get a long list of files and you can find other things there, like Systems.
 FWIW, I found that page doing a Google search for "uucp logname" (without the quotes).  It was the first hit.  Google is your friend.  :-)  A little searching would probably turn up something for HP-UX.  That page gave me what I was looking for (trying to refresh my memory on some things), so I didn't look any further.

 James
0
 

Author Comment

by:pigeon5566
ID: 17176681
James, thanks a lot for the info. You have posted me a long one. Will read it and reply back to you.
0
 

Author Comment

by:pigeon5566
ID: 17182615
James,

I will remove line number 41 in the Systems file, which has details about the remote machine ocdpp01. I will be unable to remove the entry about my machine from the Systems file on the remote machine ocdpp01. I am able to see a remote.unknown file in the /usr/lib/uucp directory which has the below contents:
# @(#) $Revision: 72.1 $
#
FOREIGN=/var/uucp/.Admin/Foreign
echo "`date`: call from system $1" >> $FOREIGN

You had said:
"See if you have a remote.unknown file on your system. It may be in /usr/lib/uucp, or it may be somewhere else. This is a standard script file that uucp uses to decide what to do if a system that is _not_ listed in Systems connects to your system. I think the traditional operation is:
If remote.unknown is found and is executable, it records in a log file that an unknown system tried to connect and the connection is denied."

If I remove the entry of the remote machine ocdpp01 in the Systems file on my local machine, and after that the remote machine ocdpp01 communicates with my machine, the connection would be denied, since the remote.unknown file is found in /usr/lib/uucp. So there is no need for me to modify the Permissions file to deny the remote machine sending files to my machine. Hope I am correct. I only need to modify the Systems file and there is no need to modify the Permissions file.
0
 
LVL 34

Expert Comment

by:James0628
ID: 17182987
Make sure the remote.unknown file has execute permissions.  If the permissions won't allow uucp to execute remote.unknown, uucp won't use it.  If you're not sure how to check the permissions, post the results of "ls -l /usr/lib/uucp/remote.unknown" (without the quotes).

 Or, just look for a /var/uucp/.Admin/Foreign file (as shown in remote.unknown).  If Foreign exists and has been modified recently, remote.unknown is probably working.

 Once you've removed any other references to ocdpp01 in Systems, wait until ocdpp01 should have tried to contact your system (How often is that?) and see if one or more entries for ocdpp01 have been added to the end of Foreign.  If so, that should confirm that remote.unknown is blocking incoming connections from ocdpp01.


 > So there is no need for me to modify the permissions file to
 > deny the remote machine sending files to my machine.

 As long as remote.unknown is doing its thing then yeah, I think you can leave Permissions as is.

 James

 PS: If those were actual passwords in that one message, I hope you changed them.
0
 

Author Comment

by:pigeon5566
ID: 17191180
ls -l /usr/lib/uucp/remote.unknown
-r--r--r--   1 bin        bin            107 May 30  1996 /usr/lib/uucp/remote.unknown
ll /var/uucp/.Admin/Foreign      
-rw-r--r--   1 root       sys              0 Jul 26 05:00 /var/uucp/.Admin/Foreign

I am able to see that /var/uucp/.Admin/Foreign had been updated yesterday (Jul 26). I am not sure whether the Permissions file needs to be modified. If the Permissions file needs to be modified, I just need to remove the directory entry /topas/reports/ocdd, to which the remote machine is sending files, from line numbers 17 and 18 and change them as below:
    17          READ=/var/spool:/topas/reports/NCD \
    18          WRITE=/var/spool/uucppublic:/topas/reports/NCD \


Also I need to remove the lines between line numbers 47 and 51, which have a MACHINE entry for the remote machine. Please correct me if I am wrong. Also, how do I delete this thread?
0
 
LVL 34

Expert Comment

by:James0628
ID: 17191572
I've never tried to delete a question, but I think a moderator may have to do it.  Post a 0 point question over in the Community Support section asking them to delete the question (include the URL for this question).
 I suppose you might ask if they can edit this thread and either edit that one message and remove the passwords, or delete that one message, instead of the whole thread.

 http://www.experts-exchange.com/Community_Support/


 It's interesting that Foreign shows it was just modified, but it's empty (0 bytes).  There may be some uucp administration process that updated it (eg. to start new log files).  You could see if there's anything in /var/uucp/.Old/Foreign .
 If Foreign stays empty, I would try adding execute permissions to remote.unknown and see if something shows up in Foreign then.

 chmod 555 /usr/lib/uucp/remote.unknown


 As for Permissions, if you change lines 17 and 18, that will prevent _every_ system that logs in as nuucp from accessing that directory.  If other systems use the same login and need to access that directory, that will be a problem.

 James
0
 
LVL 34

Expert Comment

by:James0628
ID: 17191985
Two other things:

 uucp can use a file named Sysfiles to select alternate configuration files (eg. instead of the default Systems file).  If you have a Sysfiles file, it would presumably be in the same directory as Systems, Permissions, etc., so if you don't see a Sysfiles in that directory, you probably don't have one.  You could search the system for a file named Sysfiles if you wanted to make sure.  If you do find a Sysfiles, see if there is anything in it.

 The lines you posted from Systems also include phone numbers that your system would use to call another system.  I'm assuming those are actual phone numbers.  If that message is going to be edited to remove the passwords, or if you end up reposting those lines in another message, you should probably remove the phone numbers as well.

 James
0
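An added audit script for the Systems, Permissions, remote.unknown and Sysfiles checks James walks through in the two posts above (ID 17166539 and ID 17191985); it is not from the thread or from HP-UX, and its hosts, logins, passwords and file contents are constructed samples modelled on the lines pigeon5566 posted. It lists the active Systems lines for one remote host with the password field masked, shows which LOGNAME= and MACHINE= entries grant a directory (so a change to a shared login such as nuucp is visibly not host-specific), and checks that remote.unknown is executable and whether a Sysfiles override exists.

```shell
# Added example, not from the thread or any HP-UX tool: audit HDB-style uucp
# configuration for one remote host. Every file, host, login and password here
# is a constructed sample modelled on the thread; on a real HP-UX 10.20 box the
# directories would be /etc/uucp and /usr/lib/uucp instead of the sample dir.

# Non-comment Systems lines naming HOST: what lets the local side call HOST.
active_systems_entries() {     # $1=Systems file  $2=host
    awk -v h="$2" '$0 !~ /^[ \t]*#/ && $1 == h' "$1"
}

# Mask the field after each "word:" expect token, which the chat script sends
# as the cleartext password; run this before pasting a Systems line anywhere.
redact_systems() {             # $1=Systems file (default: stdin)
    awk '{ for (i = 2; i <= NF; i++) if ($(i-1) == "word:") $i = "********"; print }' "${1:--}"
}
# Join backslash-continued Permissions entries; print the LOGNAME=/MACHINE= tokens
# of each entry whose READ or WRITE list names DIR. A LOGNAME hit is shared by
# every remote that logs in under that name, not just the host being removed.
perms_entries_granting_dir() { # $1=Permissions file  $2=directory
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        { line = line $0 }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " ", line); next }
        {
            n = split(line, tok, "[ \t]+"); who = ""; hit = 0
            for (i = 1; i <= n; i++) {
                split(tok[i], kv, "=")
                if (kv[1] == "LOGNAME" || kv[1] == "MACHINE")
                    who = (who == "") ? tok[i] : who " " tok[i]
                if (kv[1] == "READ" || kv[1] == "WRITE") {
                    m = split(kv[2], dir, ":")
                    for (j = 1; j <= m; j++) if (dir[j] == d) hit = 1
                }
            }
            if (hit && who != "") print who
            line = ""
        }' "$1"
}

# remote.unknown only logs and refuses unknown callers when uucico can execute
# it; Sysfiles, if present, can point uucico at alternate Systems/Permissions.
check_remote_unknown() { [ -f "$1" ] && [ -x "$1" ]; }   # $1=path to the script
has_sysfiles() { [ -f "$1/Sysfiles" ]; }                  # $1=config directory

uucp_audit() {                 # $1=config dir  $2=lib dir  $3=host  $4=directory
    echo "== active Systems entries for $3 (passwords masked):"
    active_systems_entries "$1/Systems" "$3" | redact_systems
    echo "== Permissions entries granting $4:"
    perms_entries_granting_dir "$1/Permissions" "$4"
    if check_remote_unknown "$2/remote.unknown"; then echo "== remote.unknown OK: unknown callers logged and refused"
    else echo "== WARNING: remote.unknown missing or not executable: unknown callers are accepted"; fi
    if has_sysfiles "$1"; then echo "== NOTE: Sysfiles present, check it for alternate config files"; fi
}

make_sample_config() {         # writes the constructed sample files, prints their directory
    d=$(mktemp -d) || return 1
    cat > "$d/Systems" <<'EOF'
irdwsvr2 Any TCP "" \r in:--in: nuucp word: fakepw1
#ocdpp01 Any;30 DK,g Any 000/000/0000 "" \r\r\c in:--in: topuucp word: fakepw2
ocdpp01 Any TCP "" \r in:--in: topuucp word: fakepw2
EOF
    cat > "$d/Permissions" <<'EOF'
LOGNAME=nuucp \
        READ=/var/spool:/topas/reports/NCD:/topas/reports/ocdd \
        WRITE=/var/spool/uucppublic:/topas/reports/NCD:/topas/reports/ocdd \
        REQUEST=yes SENDFILES=no COMMANDS=rmail:lp:uux:/usr/bin/uucp
MACHINE=ocdpp01 \
        READ=/topas/reports/ocdd:/var/spool/uucppublic \
        WRITE=/var/spool/uucppublic:/topas/reports/ocdd \
        REQUEST=yes COMMANDS=rmail:lp:uux:/usr/bin/uucp
MACHINE=irdwsvr2 LOGNAME=irduucp READ=/var/spool/uucppublic WRITE=/var/spool/uucppublic
EOF
    printf '%s\n' 'FOREIGN=/var/uucp/.Admin/Foreign' \
        'echo "`date`: call from system $1" >> $FOREIGN' > "$d/remote.unknown"
    chmod 444 "$d/remote.unknown"   # mode seen in the thread: readable, not executable
    echo "$d"
}
SAMPLE=$(make_sample_config); uucp_audit "$SAMPLE" "$SAMPLE" ocdpp01 /topas/reports/ocdd; rm -rf "$SAMPLE"
```

On the sample the audit reports the one live ocdpp01 line with its password masked, shows that /topas/reports/ocdd is granted both by MACHINE=ocdpp01 and by the shared LOGNAME=nuucp entry, and warns that the 444-mode remote.unknown will not run.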
 

Author Comment

by:pigeon5566
ID: 17199676
Is it sufficient if I leave lines 17 and 18 as they are in the Permissions file and delete only the below lines, 47 to 51, in the Permissions file, because I know machine ocdpp01 is sending the file to the directory /topas/reports/ocdd?
    47          MACHINE=ocdpp01 \
    48          READ=/topas/reports/ocdd:/var/spool/uucppublic \
    49          WRITE=/var/spool/uucppublic:/topas/reports/ocdd \
    50          REQUEST=yes \
    51          COMMANDS=rmail:lp:uux:/usr/bin/uucp

0
 
LVL 34

Accepted Solution

by:
James0628 earned 25 total points
ID: 17199819
The MACHINE entry is (supposedly) only used when _your_ system initiates a connection to that system.  If your system doesn't initiate the connection, the MACHINE entry shouldn't matter, and if you remove all references to ocdpp01 from Systems (and uucp isn't set up, via Sysfiles, to use one or more other Systems files), your system can't initiate a connection to ocdpp01.  Personally, I probably wouldn't worry about the MACHINE entry, but you can delete it if you want.  uucp may fall back to default settings if your system ever does contact ocdpp01, but those presumably wouldn't include the ocdd directory, which seems to be your main concern.

 Like I said, check Foreign and see if messages about ocdpp01 start showing up.  If so, I think you're OK.

 James
0
 

Author Comment

by:pigeon5566
ID: 17235327
Thanks a lot, James, for the info. Apologies for the delay in my response. Finally I am going to remove the machine name in the Systems file and the directory name from line numbers 17 and 18 in the Permissions file.
0
 
LVL 34

Expert Comment

by:James0628
ID: 17240264
You're welcome.

 > ... remove the ... directory name from line number 17 and 18 in permissions file

 Those lines are for systems logging into your system as nuucp.  If there are other systems that log into your system as nuucp and need to access that directory, that will be a problem.  If not, then removing the directory from those lines is probably a good idea.

 Good luck with it.

 James
0
