Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-) Softpanorama Search

Xinetd

XINETD has TCP Wrappers capabilities built-in.  Both RHEL and Suse uses Xinetd instead of classic inetd.   This allows XINETD to provide a slightly greater range of security options (see Security enhancements), but makes the software harder to deploy. 

Configuration is completely different from TCP_wrappers as Xinetd serves dual function: inetd replacement and TCP_wrapper replacement. As for inetd, the following holds:

• /usr/sbin/xinetd takes the place of inetd
• /etc/xinetd.d  directory replaces /etc/inetd.conf.
• Instead of the normal single one line per service entry of inetd, xinetd uses one file per service approach. Inside each such file there is bracketed structure with keyword=value pairs. for example smtp file looks like:

service smtp
{
     socket_type = stream
     protocol = tcp
     wait = no
     user = qmaild
     id = smtp
     server = /var/qmail/bin/tcp-env
     server_args = /var/qmail/bin/qmail-smtpd
     log_on_success -= DURATION USERID PID HOST EXIT
     log_on_failure -= USERID HOST ATTEMPT RECORD
}

XINETD provide that ability of controlling access of service level that TCP Wrappers pioneered.

XINETD can also protect UDP services (imitating firewall) and detect a some Denial of Service attacks

To restart xinetd, one must send the -USR1 signal instead of SIGHUP.  If xinetd receives a SIGHUP, it will exit prematurely hopefully killing whatever network connection was used to compromise the system security.

Service defaults

By default, denying access to a machine,  is the first step of a reliable security policy. Next, allowing access will be configured on a per-service basis. We've seen two attributes allowing to control access to a machine, based on IP addresses: only_from and no_access. Selecting the second one we write:

no_access = 0.0.0.0/0

only_from = 0.0.0.0/0

Sep 17 15:11:12 charly xinetd[26686]: Service=echo-stream: only_from list and no_access list match equally the address 192.168.1.1

only_from = 192.0.0.0/8

only_from =

Important, not to say essential: in case of no access rules at all (i.e. neither only_from, nor no_access) for a given service (allocated either directly or with the default) section, the access to the service is allowed!

Here is an example of defaults :

defaults
{
  instances       = 15
  log_type        = FILE /var/log/servicelog
  log_on_success  = HOST PID USERID DURATION EXIT
  log_on_failure  = HOST USERID RECORD
  only_from       =
  per_source      = 5

  disabled = shell login exec comsat
  disabled = telnet ftp
  disabled = name uucp tftp
  disabled = finger systat netstat

  #INTERNAL
  disabled = time daytime chargen servers services xadmin

  #RPC
  disabled = rstatd rquotad rusersd sprayd walld
}

Old News ;-)

[Nov. 19, 2000] System Administration xinetd

xinetd - extended Internet services daemon - provides a good security against intrusion and reduces the risks of Deny of Services (DoS) attacks. Like the well known couple (inetd+tcpd), it allows to fix the access rights for a given machine, but it can do much more. In this article we will discover its many features.

You could now ask which daemon should I choose xinetd or inetd. As a matter of fact, xinetd requires a bit more administration, especially as long as it won't be included into distributions (it is in Red Hat 7.0). The most secure solution is to use xinetd on machines with public access (like Internet) since it offers a better defense. For machines within a local network inetd should be enough.

Recommended Links

---

In case of broken links please try to use Google search. If you find the page please notify us about new location

http://synack.net/xinetd/ XINETD Home Page: