Xnetd Security Enhancements

identd is a small deamon that keeps track of what user is running what TCP service, and then reports this to whoever requests it. The identd that ships with most Linux distributions (xnetd) is more configurable than many people think and included the functionality of TCP wrappers. You can disable it for specific IP addresses. You can also log all identd requests

In both Red Hat and Suse they are combined in xnetd diamon.

Old News

Securing Linux, Part 3 Hardening the system

The inetd/xinetd daemons

Securing Linux, Part 3 Hardening the system

Services can also be invoked on demand when requested by a client. These requests are given to the super daemon inetd or xinetd. The super daemon then decides which service to start and passes the request to the corresponding daemon. Typically services like telnet, ftp, rlogin, etc., are started using inetd or xinetd.

The inetd daemon is configured in /etc/inetd.conf, which contains entries for each service to be offered by the super daemon. An entry configuring an FTP server could look like this -- ftp stream tcp nowait root /usr/bin/ftpd in.ftpd -el -- and you can disable it by commenting it out using a hash sign.

For security reasons, the use of xinetd is recommended. In contrast to inetd, xinetd is able to start rpc-based services and provides access control. xinetd can limit the rate of incoming connections, number of incoming connections from specific hosts, or total number of connections for a service.

xinetd is configured by distinct configuration files for each subordinate daemon. These files are located in /etc/xinetd.d/. The example configuration file for the FTP server above would be called /etc/xinetd.d/ftp and would look like this:

Listing 1. Configuration file, /etc/xinetd.d/ftp
 

service ftp { socket_type = stream protocol = tcp wait = no user = root server = /usr/bin/ftpd server_args = -el disable = yes }

To disable the service, the parameter disable is set to yes as in the previous example.

For a more fine-grained control of access, xinetd supports these three additional parameters:

• only_from
• no_access
• access_time

To restrict the access but not completely disable the ftp daemon, you could modify the config file /etc/xinetd.d/ftp as follows:

Listing 2. Configuration file, /etc/xinetd.d/ftp, modified to restrict access
 

service ftp { socket_type = stream protocol = tcp wait = no user = root server = /usr/bin/ftpd server_args = -el disable = no only-from = 192.168.200.3 192.168.200.7 192.168.200.9 only-from += 192.168.200.10 192.168.200.12 172.16.0.0 no_access = 172.16.{1,2,3,10} access_times = 07:00-21:00 }

only-from and no_access accept numeric IP addresses (right-most zeros are treated as wild cards), IP addresses/netmask ranges, hostnames, and network names from /etc/networks. If a combination of only-from and no_access is used, xinetd finds the closest match for each host connecting.

For the previous code example, this means hosts with an IP address 172.16.x.x can connect except to hosts with addresses in 172.16.1.x, 172.16.2.x, 172.16.3.x, and 172.16.10.x. As you can see, there is no need to specify all four components of an address when you use the factorized notation as shown for no_access. The factorized part must be the right-most element of the address. See the Resources section below for an article on xinetd and its configuration.

Secure Cooking with Linux, Part 2 O'Reilly Media

/etc/xinetd.conf or /etc/xinetd.d/telnet:
service telnet
{
        ...
        access_times = 8:00-17:00
}

/usr/local/sbin/inetd-services:
#!/bin/sh
m4 "$@" /etc/inetd.conf.m4 > /etc/inetd.conf.$$
mv /etc/inetd.conf.$$ /etc/inetd.conf
kill -HUP `pidof inetd`

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

ifelse(TIMEOFDAY,working,telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd)

0  8 * * * /usr/local/sbin/inetd-services -DTIMEOFDAY=working
0 17 * * * /usr/local/sbin/inetd-services -DTIMEOFDAY=playing