RHEL6-28-XINETD
xinetd stands for “extended internet service daemon”.
To control access to Internet services, use xinetd, which is a secure
replacement for inetd. The xinetd daemon conserves system resources, provides
access control and logging, and can be used to start special-purpose servers.
xinetd can also be used to grant or deny access to particular hosts, provide
service access at specific times, limit the rate of incoming connections, limit
the load created by connections, and more.
xinetd runs constantly and listens on the ports of all the services it
manages. When a connection request arrives for one of its managed services,
xinetd starts up the appropriate server for that service and hands it the connection.
The xinetd daemon is a TCP-wrapped super service which controls
access to a subset of popular network services including FTP, IMAP, and Telnet.
It also provides service-specific configuration options for access control,
enhanced logging, binding, redirection, and resource utilization control.
When a client host attempts to connect to a network service
controlled by xinetd, the super service receives the request and first checks the
TCP wrappers access control rules in /etc/hosts.allow and /etc/hosts.deny. If access
is allowed there, xinetd verifies that the connection is allowed under its own access
rules for that service and that the service is not consuming more than its allotted
amount of resources or in breach of any other defined limit. It then starts an
instance of the requested service and passes control of the connection to it. Once
the connection is established, xinetd does not interfere further with communication
between the client host and the server.
Two consequences are worth keeping in mind: a host refused by TCP wrappers never
reaches the only_from/no_access rules in the service file, and nothing xinetd does
protects the traffic itself, so a clear-text protocol such as Telnet stays clear-text
whatever access controls sit in front of it.
xinetd Configuration Files
The configuration files for xinetd are as follows:
/etc/xinetd.conf — The global xinetd configuration file.
/etc/xinetd.d/ — The directory containing all service-specific files.
SAMPLE /etc/xinetd.conf:
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.d
instances = 60: The maximum number of server processes that may be
simultaneously active for any one service. The limit is per service (it is set in
defaults so every service inherits it, and a service file may override it); the
value UNLIMITED removes the limit. It is not a global cap on everything xinetd handles.
log_type = SYSLOG authpriv: Determines where the service
log output is sent. Here it goes to syslog with the authpriv facility, which the
default rsyslog configuration on RHEL6 writes to /var/log/secure.
log_on_success = HOST PID: Makes xinetd log every accepted
connection, recording the client host and the process ID of the server it started.
log_on_failure = HOST: Makes xinetd log every connection it refuses
(one denied by an access rule, or dropped because a limit was hit), recording the
client host. Service files may extend either list with += (USERID, seen below,
adds the result of an RFC 1413 ident lookup against the client).
cps = 25 30: Limits the rate of incoming connections. Takes
two arguments. The first argument is the number of connections per second to
handle. If the rate of incoming connections is higher than this, the service
will be temporarily disabled. The second argument is the number of seconds to
wait before re-enabling the service after it has been disabled. The default for
this setting is 50 incoming connections and the interval is 10 seconds. This
blunts a connection flood, but note what it actually does: once the limit is
exceeded the listener is switched off for everyone, so a single noisy client can
lock legitimate users out for the whole interval. Against one abusive host,
per_source (the maximum number of simultaneous connections from a single source
address) is the better control; cps is a backstop for the service as a whole.
includedir /etc/xinetd.d: Read the service-specific configuration
files in this directory.
/etc/xinetd.d directory:
[root@rhel6-test1 ~]# ls -ltr /etc/xinetd.d
total 52
-rw-------. 1 root root 1150 Dec  5  2012 time-stream
-rw-------. 1 root root 1149 Dec  5  2012 time-dgram
-rw-------. 1 root root 1212 Dec  5  2012 tcpmux-server
-rw-------. 1 root root 1150 Dec  5  2012 echo-stream
-rw-------. 1 root root 1148 Dec  5  2012 echo-dgram
-rw-------. 1 root root 1159 Dec  5  2012 discard-stream
-rw-------. 1 root root 1157 Dec  5  2012 discard-dgram
-rw-------. 1 root root 1159 Dec  5  2012 daytime-stream
-rw-------. 1 root root 1157 Dec  5  2012 daytime-dgram
-rw-------. 1 root root 1159 Dec  5  2012 chargen-stream
-rw-------. 1 root root 1157 Dec  5  2012 chargen-dgram
-rw-r--r--. 1 root root  332 Nov 25 19:43 rsync
-rw-r--r--. 1 root root  302 Apr 15 17:39 telnet
This directory contains one configuration file per service that xinetd
manages (they are configuration stanzas in xinetd.conf syntax, not scripts).
As shipped, the services here are disabled with disable = yes; a service is
turned on by setting disable = no in its file (chkconfig <service> on does the same edit).
[root@rhel6-test1 ~]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
These lines control various aspects of the telnet service. For more
info 'man xinetd.conf'.
service:
Specifies the service name, usually one of those listed in the
/etc/services file.
flags:
Sets any of a number of attributes for the service. REUSE sets
SO_REUSEADDR on the listening socket so the port can be rebound straight after a
restart; current xinetd versions treat REUSE as deprecated because every service
now behaves that way, which is why it still turns up in older service files like this one.
socket_type:
Sets the network socket type: stream for TCP services, dgram for UDP services.
wait:
Specifies whether the service is single-threaded (yes: xinetd hands the
socket to one server process and accepts nothing more for that service until it
exits, the usual setting for dgram services) or multi-threaded (no: xinetd forks a
new server for every connection, as here).
user:
Specifies which user ID the server process runs under; this only takes
effect when xinetd itself runs as root. in.telnetd needs root because it has to run
login, but any service that does not need root should be given an unprivileged
account here, since a bug in the server is otherwise a root compromise.
group:
Group under which the server should run.
server:
Specifies which binary executable to launch; server_args supplies its
command-line arguments.
only_from:
Host names, IP addresses or networks allowed to use the server. CIDR
notation (such as 192.168.0.0/24) is okay. Once only_from is set, every host not
listed is refused.
no_access:
Host names, IP addresses or networks not allowed to use the server. CIDR
notation is okay. If neither only_from nor no_access is set, the service is open
to everyone; if both are set and a host matches an entry in each, the more
specific match decides, so a single host listed in no_access inside a network
listed in only_from is refused.
access_times:
Specifies the time range when a particular service may be used. The
time range must be stated in 24-hour format notation, HH:MM-HH:MM.
log_on_failure:
Specifies logging parameters for log_on_failure in addition to those
already defined in xinetd.conf.
disable:
Specifies whether the service is disabled (yes) or enabled (no).
Access control
Users of xinetd services can use the TCP Wrappers hosts access rules
(/etc/hosts.allow and /etc/hosts.deny), provide access control via the xinetd
configuration files, or a mixture of both. The TCP Wrappers check runs first, so a
deny there cannot be reopened from the service file; tcpdmatch (from the
tcp_wrappers package) shows how a given client fares against the wrappers rules.
only_from:
Allows only the specified hosts to use the service.
no_access:
Blocks listed hosts from using the service.
access_times:
Specifies the time range when a particular service may be used. The
time range must be stated in 24-hour format notation, HH:MM-HH:MM.
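Before restarting xinetd with new only_from and no_access lists it helps to check what a given client will actually get. The shell functions below are an added example, not part of this post or of xinetd itself, that reproduce the decision rule from xinetd.conf(5): with neither attribute set everyone is allowed, with only_from set unlisted hosts are refused, and with both set the entry that matches the client most specifically wins (the man page illustrates this with a network in only_from and one of its hosts in no_access, where that host is refused). The function names ip_in_cidr, best_match and xinetd_access_decision are this example's own; it handles only dotted-quad and CIDR entries, not host names or xinetd's zero-octet wildcard form, and it treats equal specificity as deny, which is this example's own conservative choice rather than documented xinetd behaviour.

```bash
#!/bin/bash
# Added example (not from the original post): predict xinetd's
# only_from / no_access decision for one client address.
# Handles a.b.c.d and a.b.c.d/n entries only; ties in specificity
# are treated as deny (this example's own choice).

# ip_in_cidr IP CIDR: exit 0 if IP lies inside CIDR (a.b.c.d or a.b.c.d/n).
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(s,   o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            n = split(cidr, parts, "/")
            plen = (n == 2) ? parts[2] : 32      # bare address means /32
            shift = 2 ^ (32 - plen)              # drop the host bits
            exit !(int(toint(ip) / shift) == int(toint(parts[1]) / shift))
        }'
}

# best_match IP LIST: print the prefix length of the most specific entry in
# LIST (space separated) that contains IP, or -1 when nothing matches.
best_match() {
    local ip="$1" entry best=-1 plen
    for entry in $2; do
        if ip_in_cidr "$ip" "$entry"; then
            plen=${entry#*/}
            if [ "$plen" = "$entry" ]; then plen=32; fi
            if [ "$plen" -gt "$best" ]; then best=$plen; fi
        fi
    done
    echo "$best"
}

# xinetd_access_decision IP ONLY_FROM NO_ACCESS: print allow or deny.
# An empty ONLY_FROM / NO_ACCESS means the attribute is absent from the file.
xinetd_access_decision() {
    local ip="$1" allow deny
    allow=$(best_match "$ip" "$2")
    deny=$(best_match "$ip" "$3")
    if [ -z "$2" ] && [ -z "$3" ]; then
        echo allow                          # neither set: open to everyone
    elif [ -z "$3" ]; then
        if [ "$allow" -ge 0 ]; then echo allow; else echo deny; fi
    elif [ -z "$2" ]; then
        if [ "$deny" -ge 0 ]; then echo deny; else echo allow; fi
    elif [ "$allow" -gt "$deny" ]; then
        echo allow                          # more specific only_from entry wins
    else
        echo deny                           # no_access wins, including ties
    fi
}

# The post's telnet example (no only_from, no_access = 192.168.234.0/24):
xinetd_access_decision 192.168.234.146 "" "192.168.234.0/24"
xinetd_access_decision 10.1.1.5        "" "192.168.234.0/24"
# A network in only_from with one of its hosts in no_access:
xinetd_access_decision 192.168.234.146 "192.168.234.0/24" "192.168.234.146"
xinetd_access_decision 192.168.234.200 "192.168.234.0/24" "192.168.234.146"
```

The second pair of calls is the case that surprises people: listing a network in only_from does not protect it from a more specific no_access entry, and the same reasoning in reverse means a /32 in only_from punches through a network-wide no_access.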
# cat /etc/xinetd.d/telnet
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
no_access = 192.168.234.0/24
log_on_success += PID HOST EXIT
access_times = 09:00-19:00
}
[root@rhel6-test1 ~]# service xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
In this example, when a client from the 192.168.234.0/24
network, such as 192.168.234.146, tries to reach the Telnet service, the TCP
connection is accepted (xinetd owns the listening socket, so the handshake always
completes and a port scan still shows 23/tcp open) and is then closed by xinetd
before any login banner appears:
[root@rhel6-server ~]# telnet 192.168.234.200
Trying 192.168.234.200...
Connected to 192.168.234.200.
Escape character is '^]'.
Connection closed by foreign host.
Two points about this configuration: with only no_access set, every host outside
192.168.234.0/24 is still let in, so use only_from when the service should be
reachable from known hosts only; and access_times = 09:00-19:00 refuses new
connections outside that window, which is a control on when, not on who, and does
not end sessions that are already running when the window closes.
In addition, the refused attempt is logged via syslog; with log_type =
SYSLOG authpriv as set above, the default rsyslog configuration on RHEL6 writes
these lines to /var/log/secure rather than /var/log/messages:
Apr 16 18:57:53 rhel6-test1 xinetd[18571]: START: telnet pid=18588 from=::ffff:192.168.234.146
Apr 16 18:57:53 rhel6-test1 xinetd[18588]: FAIL: telnet address from=::ffff:192.168.234.146
Apr 16 18:57:53 rhel6-test1 xinetd[18571]: EXIT: telnet status=0 pid=18588 duration=0(sec)
Note the shape of the record: the START line comes from the xinetd parent (18571)
and names the child it forked (pid=18588); the FAIL line is logged by that child
with the reason (address, meaning an only_from/no_access rule) and the client
address in IPv4-mapped IPv6 form; the EXIT line closes the child. Only a FAIL line
means the client was refused; a START with no FAIL means the connection was accepted.
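That three-line START/FAIL/EXIT pattern is what a detection rule keys on. The shell script below is an added example, not part of this post, that summarises denied connections per source and reason, flags sources that reach a threshold, and pairs each START with its EXIT by pid, marking a session denied when a FAIL was logged by the child pid as in the lines above. The function names (sample_log, xinetd_fail_summary, xinetd_fail_alert, xinetd_sessions) are this example's own. The lines inside sample_log are constructed input: the post's three lines plus invented ones, and the "time" reason token used for an access_times refusal is an assumption about xinetd's wording, not something the post shows.

```bash
#!/bin/bash
# Added example (not from the original post): summarise xinetd's
# START / FAIL / EXIT syslog lines so that denied connections stand out.

# sample_log: constructed input in the format shown in the post (the
# "time" reason on the 20:15 line is an assumed access_times denial).
sample_log() {
    cat <<'EOF'
Apr 16 18:57:53 rhel6-test1 xinetd[18571]: START: telnet pid=18588 from=::ffff:192.168.234.146
Apr 16 18:57:53 rhel6-test1 xinetd[18588]: FAIL: telnet address from=::ffff:192.168.234.146
Apr 16 18:57:53 rhel6-test1 xinetd[18571]: EXIT: telnet status=0 pid=18588 duration=0(sec)
Apr 16 18:58:07 rhel6-test1 xinetd[18571]: START: telnet pid=18601 from=::ffff:192.168.234.146
Apr 16 18:58:07 rhel6-test1 xinetd[18601]: FAIL: telnet address from=::ffff:192.168.234.146
Apr 16 18:58:07 rhel6-test1 xinetd[18571]: EXIT: telnet status=0 pid=18601 duration=0(sec)
Apr 16 20:15:30 rhel6-test1 xinetd[18571]: FAIL: telnet time from=::ffff:10.1.1.5
Apr 16 10:02:11 rhel6-test1 xinetd[18571]: START: telnet pid=18710 from=::ffff:10.1.1.6
Apr 16 10:03:40 rhel6-test1 xinetd[18571]: EXIT: telnet status=0 pid=18710 duration=89(sec)
EOF
}

# xinetd_fail_summary: read syslog lines on stdin and print
#   <count> <service> <reason> <source>
# for every denied connection, most frequent first. The ::ffff: prefix
# (an IPv4 client seen through an IPv6 socket) is stripped so one client
# is not counted under two spellings.
xinetd_fail_summary() {
    awk '
        /xinetd\[[0-9]+\]: FAIL: / {
            for (i = 1; i <= NF; i++) if ($i == "FAIL:") break
            svc = $(i + 1); reason = $(i + 2); src = $(i + 3)
            sub(/^from=/, "", src)
            sub(/^::ffff:/, "", src)
            n[svc " " reason " " src]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# xinetd_fail_alert THRESHOLD: sources whose denied attempts across all
# services reach THRESHOLD, printed as "<source> <denials>": a simple
# trigger for a host probing a service it has been no_access'd from.
xinetd_fail_alert() {
    xinetd_fail_summary | awk -v t="$1" '
        { per[$4] += $1 }
        END { for (s in per) if (per[s] >= t) print s, per[s] }
    ' | sort
}

# xinetd_sessions: pair each START with its EXIT by pid and print
#   <pid> <service> <source> <duration> <denied|ok>
# A session counts as denied when a FAIL line was logged by the child pid,
# which is how the post's telnet refusal appears (START from the parent,
# FAIL from child 18588, EXIT for pid=18588).
xinetd_sessions() {
    awk '
        function pos(tok,   j) { for (j = 1; j <= NF; j++) if ($j == tok) return j; return 0 }
        function kv(prefix,   j) {
            for (j = 1; j <= NF; j++)
                if (index($j, prefix) == 1) return substr($j, length(prefix) + 1)
            return ""
        }
        /xinetd\[[0-9]+\]: START: / {
            p = kv("pid="); s = kv("from="); sub(/^::ffff:/, "", s)
            svc[p] = $(pos("START:") + 1); from[p] = s
        }
        /xinetd\[[0-9]+\]: FAIL: / {
            match($0, /xinetd\[[0-9]+\]/)          # logging pid, e.g. xinetd[18588]
            denied[substr($0, RSTART + 7, RLENGTH - 8)] = 1
        }
        /xinetd\[[0-9]+\]: EXIT: / {
            p = kv("pid=")
            print p, svc[p], from[p], kv("duration="), ((p in denied) ? "denied" : "ok")
        }
    '
}

sample_log | xinetd_fail_summary
sample_log | xinetd_fail_alert 2
sample_log | xinetd_sessions
```

On a live system feed it the real file instead of sample_log, for example xinetd_fail_summary < /var/log/secure. Because the pairing is by pid, rotate the log before pids wrap if you keep long histories.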
HOW TO LIST THE SERVICES CONTROLLED BY XINETD?
Either grep the disable attribute out of each service file, or use chkconfig
--list, whose "xinetd based services" block shows the same on/off state (grep -v 0
drops the ordinary init-script lines, which all contain a runlevel 0 entry).
[root@rhel6-test1 ~]# grep disable /etc/xinetd.d/*
/etc/xinetd.d/chargen-dgram: disable = yes
/etc/xinetd.d/chargen-stream: disable = yes
/etc/xinetd.d/daytime-dgram: disable = yes
/etc/xinetd.d/daytime-stream: disable = yes
/etc/xinetd.d/discard-dgram: disable = yes
/etc/xinetd.d/discard-stream: disable = yes
/etc/xinetd.d/echo-dgram: disable = yes
/etc/xinetd.d/echo-stream: disable = yes
/etc/xinetd.d/rsync: disable = yes
/etc/xinetd.d/tcpmux-server: disable = yes
/etc/xinetd.d/telnet: disable = no
/etc/xinetd.d/time-dgram: disable = yes
/etc/xinetd.d/time-stream: disable = yes
[root@rhel6-test1 ~]# chkconfig --list | grep -v 0
xinetd based services:
chargen-dgram: off
chargen-stream: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
discard-stream: off
echo-dgram: off
echo-stream: off
rsync: off
tcpmux-server: off
telnet: on
time-dgram: off
time-stream: off
[root@rhel6-test1 ~]#
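Both listings above only say on or off. The shell script below is an added example, not part of this post, that reads a directory of xinetd service files and reports each enabled service, the user it runs as and whether only_from restricts it, which is the combination that matters when deciding what to turn off first. The function names (xinetd_attr, xinetd_audit, xinetd_audit_exposed, make_sample_dir) are this example's own, and the directory it builds under mktemp is constructed sample input mirroring the file shapes shown in the post; the rsync entry with only_from is invented for contrast.

```bash
#!/bin/bash
# Added example (not from the original post): audit an xinetd service
# directory. Sample files are constructed under mktemp; point the
# functions at /etc/xinetd.d for the real thing.

# xinetd_attr FILE NAME: print the value of attribute NAME from FILE.
# Comments are stripped first; "=", "+=" and "-=" are all accepted; the
# last assignment wins; nothing is printed when the attribute is absent.
xinetd_attr() {
    sed 's/#.*//' "$1" | awk -v key="$2" -F'[ \t]*[-+]?=[ \t]*' '
        $1 ~ ("^[ \t]*" key "[ \t]*$") { val = $2; sub(/[ \t]+$/, "", val); found = 1 }
        END { if (found) print val }'
}

# xinetd_audit DIR: one line per enabled service in DIR:
#   <service> user=<user|unset> only_from=<value|ANY>
# A file with no "disable" line counts as enabled, because that is xinetd's
# default (services are only off with disable = yes, or when named in a
# "disabled =" line in the defaults block of /etc/xinetd.conf, which this
# audit does not read).
xinetd_audit() {
    local dir="$1" f disable user only_from
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        disable=$(xinetd_attr "$f" disable)
        [ "${disable:-no}" = "no" ] || continue
        user=$(xinetd_attr "$f" user)
        only_from=$(xinetd_attr "$f" only_from)
        printf '%s user=%s only_from=%s\n' "$(basename "$f")" \
            "${user:-unset}" "${only_from:-ANY}"
    done
}

# xinetd_audit_exposed DIR: the subset of xinetd_audit output that runs as
# root with no only_from restriction, i.e. the entries to deal with first.
xinetd_audit_exposed() {
    xinetd_audit "$1" | grep ' user=root only_from=ANY$'
}

# make_sample_dir: build a constructed sample directory and print its path.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    cat > "$d/telnet" <<'EOF'
# default: on
service telnet
{
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
EOF
    cat > "$d/rsync" <<'EOF'
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        only_from       += 192.168.234.0/24
}
EOF
    cat > "$d/chargen-stream" <<'EOF'
service chargen
{
        disable         = yes
        type            = INTERNAL
        id              = chargen-stream
        socket_type     = stream
        wait            = no
}
EOF
    echo "$d"
}

d=$(make_sample_dir)
xinetd_audit "$d"
echo "--- enabled as root with no only_from restriction:"
xinetd_audit_exposed "$d"
rm -rf "$d"
```

Run against the sample it reports rsync as restricted to 192.168.234.0/24 and telnet as root with only_from=ANY, which is exactly the state the post's telnet file is in before the no_access line is added.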