Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Inetd and security
Top Forums UNIX for Dummies Questions & Answers Inetd and security Post 21892 by LivinFree on Friday 24th of May 2002 04:20:08 AM
Old 05-24-2002
Turn all of those off.
chargen provides a very quick and easy denial of service attack against you. The rest are just plain not needed. A good security rule is to not allow anything to run that is not necessary.

Under most circumstances, I simply turn inetd / xinetd off altogether. I don't run any servers on my home machines.
If I want to be able to connect to my machine internally via network, but leave the outside (public network) closed up, I use xinetd, since you can bind to an interface.

Even a service as benign as ntpd (as discussed below) can wreak havoc if someone wants to mess with you. Say for example, you set it up insecurely... Any person can spoof their way into tricking your machine to thinks it's another time, or even another day. Next thing you know your cron jobs are all messed up, they may be able to create / modify files on your machine (should they break in) that have different dates / times, etc...

If you're going to run a firewall, the ideal situation (assuming that this box can be dedicated to only that) would be to turn off everything. Allow console access only, no remote services, just IP forwarding. A Unix like OpenBSD works great for this, since it installs pretty bare by default.

There are a few good books out there on building firewalls. It might be a good idea to invest a few bucks in one.
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Linux file corresponding to HP-UX inetd.conf

Hi!!, I have been working on a HP UX box all these days.. For adding a user defined service, I used to put an entry for this service corresponing to a port number in /etc/services. These services were then defined in inetd.conf. Now I have moved to Mandrake linux. I can find a file named... (2 Replies)
Discussion started by: jyotipg
2 Replies

2. Shell Programming and Scripting

refreshing inetd

Hi I have a question, what is the purpose of this command and what will it do "refresh -s inetd" Thanks in Advance Swaraj (3 Replies)
Discussion started by: kswaraj
3 Replies

3. HP-UX

inetd process

-------------------------------------------------------------------------------- Hi All , I have a client an server among which i want to make the server an inetd process. I have enries in etc/services and etc/inetd.conf The enries looks like below etc/services servername 5551/tcp... (4 Replies)
Discussion started by: binums
4 Replies

4. HP-UX

VNC using inetd on HPUX

To anyone who can help. I am trying to get VNC running using the inetd capability and I am having problems. I have VNC running fine when I manually log into the server through FTP or SSH and start it and then start the viewer on my PC. I have tried a few things I have found on different... (0 Replies)
Discussion started by: punkdeviant
0 Replies

5. Red Hat

inetd.conf in linux

I need to put the following line in inetd.conf: stats stream tcp nowait nobody /usr/local/bin/mrtgsysinfo mrtgsysinfo but my version of linux don't seem to allow that, ie there is no inetd.conf. How do i set that up in linux (red hat enterprise 3). (15 Replies)
Discussion started by: frankkahle
15 Replies

6. IP Networking

Error inetd

Hi , I need help, today I restarted the server, when the machine was up, it had been to writte in the file osmlog that : "inetd: talk/udp: bind: Address already in use" This message appears in ten minutes every time. Why ? Thanks. (6 Replies)
Discussion started by: By_Jam
6 Replies

7. UNIX for Dummies Questions & Answers

Cannot edit inetd.conf???

I'm trying to edit the inetd.conf but for some reason when I vi into it, it says "Read Only" even though I am root and the perms are 777?!? (2 Replies)
Discussion started by: shorty
2 Replies

8. UNIX for Dummies Questions & Answers

too many inetd running

hi, is it ok for more than one inetd daemon running at a time? if not okay, possible to kill the rest and make only one daemon running? i understand that inetd is a process that enables tcp connections from external sources...kindly advise more on inetd...thanks alot..Happy New Year!:) (2 Replies)
Discussion started by: cromohawk
2 Replies

9. Solaris

Inetd problem

Hi All, When i am trying to restart the inetd daemon it throughing error. Please find the message and tell me what i need to do ? Apr 7 22:57:37 HYDOHS01 inetd: ISTATE not in environment Apr 7 22:57:41 HYDOHS01 inetd: stop: No such file or directory Apr 7 22:58:01 HYDOHS01 inetd: ... (5 Replies)
Discussion started by: lbreddy
5 Replies

10. Solaris

Inetd not running on zone

inet not running on the zone , below is the error we see on svc log Importing 100235_1-rpc_ticotsord.xml ...Done inetconv: Error reading from repository inetconv: Notice: Service manifest for 100235/1 already generated as /var/svc/manifest/network/rpc/100235_1-rpc_ticotsord.xml, skipped... (0 Replies)
Discussion started by: skamal4u
0 Replies

LEARN ABOUT OSX

xinetd

XINETD(8)                                                     System Manager's Manual                                                    XINETD(8)

NAME

       xinetd - the extended Internet services daemon

SYNOPSIS

       xinetd [options]

DESCRIPTION

       xinetd  performs  the same function as inetd: it starts programs that provide Internet services.  Instead of having such servers started at
       system initialization time, and be dormant until a connection request arrives, xinetd is the only daemon process started and it listens  on
       all  service  ports  for  the  services  listed  in  its configuration file. When a request comes in, xinetd starts the appropriate server.
       Because of the way it operates, xinetd (as well as inetd) is also referred to as a super-server.

       The services listed in xinetd's configuration file can be separated into two groups.  Services in the first group are called multi-threaded
       and  they  require  the forking of a new server process for each new connection request.  The new server then handles that connection.  For
       such services, xinetd keeps listening for new requests so that it can spawn new servers.  On the other hand, the second group includes ser-
       vices  for  which the service daemon is responsible for handling all new connection requests.  Such services are called single-threaded and
       xinetd will stop handling new requests for them until the server dies.  Services in this group are usually datagram-based.

       So far, the only reason for the existence of a super-server was to conserve system resources by avoiding to fork a lot of  processes  which
       might  be dormant for most of their lifetime.  While fulfilling this function, xinetd takes advantage of the idea of a super-server to pro-
       vide features such as access control and logging.  Furthermore, xinetd is not limited to services listed in /etc/services.  Therefore, any-
       body can use xinetd to start special-purpose servers.

OPTIONS

       -d     Enables debug mode. This produces a lot of debugging output, and it makes it possible to use a debugger on xinetd.

       -syslog syslog_facility
              This  option  enables  syslog logging of xinetd-produced messages using the specified syslog facility.  The following facility names
              are supported: daemon, auth, user, local[0-7] (check syslog.conf(5) for their meanings).  This option is ineffective in  debug  mode
              since all relevant messages are sent to the terminal.

       -filelog logfile
              xinetd-produced  messages  will  be  placed  in the specified file.  Messages are always appended to the file.  If the file does not
              exist, it will be created.  This option is ineffective in debug mode since all relevant messages are sent to the terminal.

       -f config_file
              Determines the file that xinetd uses for configuration. The default is /etc/xinetd.conf.

       -pidfile pid_file
              The process ID is written to the file. This option is ineffective in debug mode.

       -dontfork
              Tells xinetd to stay in the foreground rather than detaching itself, to support being run from  init  or  daemontools.  This  option
              automatically sets -stayalive (see below).

       -stayalive
              Tells xinetd to stay running even if no services are specified.

       -limit proc_limit
              This option places a limit on the number of concurrently running processes that can be started by xinetd.  Its purpose is to prevent
              process table overflows.

       -logprocs limit
              This option places a limit on the number of concurrently running servers for remote userid acquisition.

       -version
              This option causes xinetd to print out its version information.

       -inetd_compat
              This option causes xinetd to read /etc/inetd.conf in addition to the standard xinetd config files.  /etc/inetd.conf  is  read  after
              the standard xinetd config files.

       -inetd_ipv6
              This  option  causes  xinetd  to  bind  to IPv6 (AF_INET6) addresses for inetd compatibility lines (see previous option).  This only
              affects how /etc/inetd.conf is interpreted and thus only has any effect if the -inetd_compat option is also used.

       -cc interval
              This option instructs xinetd to perform periodic consistency checks on its internal state every interval seconds.

       The syslog and filelog options are mutually exclusive.  If none is specified, the default is syslog using the daemon facility.  You  should
       not confuse xinetd messages with messages related to service logging. The latter are logged only if this is specified via the configuration
       file.

CONTROLLING XINETD

       xinetd performs certain actions when it receives certain signals.  The actions associated with the specific signals  can  be  redefined  by
       editing config.h and recompiling.

       SIGHUP         causes  a  hard reconfiguration, which means that xinetd re-reads the configuration file and terminates the servers for ser-
                      vices that are no longer available. Access control is performed again on running servers by checking  the  remote  location,
                      access  times  and  server  instances. If the number of server instances is lowered, some arbitrarily picked servers will be
                      killed to satisfy the limit; this will happen after any servers are terminated because of failing  the  remote  location  or
                      access  time  checks.  Also, if the INTERCEPT flag was clear and is set, any running servers for that service will be termi-
                      nated; the purpose of this is to ensure that after a hard reconfiguration there will be no running servers that  can  accept
                      packets from addresses that do not meet the access control criteria.

       SIGQUIT        causes program termination.

       SIGTERM        terminates all running servers before terminating xinetd.

       SIGUSR1        causes  an  internal  state  dump  (the default dump file is /var/run/xinetd.dump; to change the filename, edit config.h and
                      recompile).

       SIGABRT        causes an internal consistency check to verify that the data structures used by the program have not been  corrupted.   When
                      the check is completed xinetd will generate a message that says if the check was successful or not.

       On reconfiguration the log files are closed and reopened. This allows removal of old log files.

FILES

       /etc/xinetd.conf    default configuration file
       /var/run/xinetd.dump
                           default dump file

SEE ALSO

       inetd(8),

       xinetd.conf(5),

       xinetd.log(5)

       http://cr.yp.to/daemontools.html

AUTHOR

       Panos Tsirigotis, CS Dept, University of Colorado, Boulder Rob Braun

PRONUNCIATION

       zy-net-d

                                                                   14 June 2001                                                          XINETD(8)
All times are GMT -4. The time now is 05:22 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy