Xinetd (extended Internet Daemon) is a secure replacement for inetd (the
Internet services daemon). It is a computer program that monitors incoming
packets to determine whether the external device is authorized to have access.
inetd launches the required programs for Internet connectivity at the time of
system initialization. These programs lie dormant until a connection is made.
Once the request is made, inetd launches the required program or server (FTP,
Telnet, SSH, etc.) to answer the request. Xinetd, by contrast, is a program that
listens on all the ports for Internet services such as Telnet, FTP and POP3.
When it recognizes a packet arriving on a particular port, xinetd launches the
appropriate program or server to handle the connection.
Xinetd provides access control for all services based on the address of
the remote host and/or on the time of access, and can prevent denial-of-access
attacks. Xinetd provides extensive logging, has no limit on the number of
server arguments, and lets you bind specific services to specific IP addresses
on your host machine. Each service has its own configuration file for xinetd;
the files are located in the /etc/xinetd.d directory.
Advantages of xinetd:
1. It conserves system resources by avoiding forking a lot of processes
that might be dormant (inactive) for most of their lifetime.
2. Xinetd is not limited to the services listed in /etc/services; anybody
can use xinetd to start a special-purpose service.
Some xinetd features that enable a more secure way of managing Internet
services:
1. TCP Wrapper ACLs - TCP wrapper ACLs (Access Control Lists) monitor and
filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH,
EXEC, TFTP, TALK and other network services.
2. Access Control – This feature enables xinetd to restrict or allow
connections based on the address of the remote host, time of access, duration
of connection, name of the remote host and domain of the remote host. Xinetd
can also limit the rate of incoming connections from a particular host using
TCP Wrapper.
3. Controls Denial of Service Attacks - Apart from limiting the number of
simultaneous connections from the same host, xinetd enforces limits on the log
files created by the host to prevent filling up disk space.
4. Superior logging abilities – Using xinetd, one can enable logging for each
service separately. The daemon can log the start and stop times of a
connection to help determine how long a service was used and who the remote
user was, and can log information on failed connection attempts.
Note: We are assuming that the xinetd package is installed on a Linux box.
The configuration files for xinetd are as follows:
· /etc/xinetd.conf — The global xinetd configuration file.
· /etc/xinetd.d/ — The directory containing all service-specific files.
The /etc/xinetd.conf file contains general configuration settings
which affect every service under xinetd's control. It is read once when the
xinetd service is started, so for configuration changes to take effect, the
administrator must restart the xinetd service.
Below is a sample /etc/xinetd.conf file:
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.d
These lines control the following aspects of xinetd:
· instances — Sets the maximum number of requests xinetd can handle at once.
· log_type — Configures xinetd to use the authpriv log facility, which writes
log entries to the /var/log/secure file. Adding a directive such as FILE
/var/log/xinetdlog would instead create a custom log file called xinetdlog in
the /var/log/ directory.
· log_on_success — Configures xinetd to log if the connection is successful.
By default, the remote host's IP address and the process ID of the server
processing the request are recorded.
· log_on_failure — Configures xinetd to log if there is a connection failure
or if the connection is not allowed.
· cps — Configures xinetd to allow no more than 25 connections per second to
any given service. If this limit is reached, the service is retired for 30
seconds.
· includedir /etc/xinetd.d/ — Includes options declared in the
service-specific configuration files located in the /etc/xinetd.d/ directory.
Configuring Telnet Service Using Xinetd:
A sample Telnet service file is located at /etc/xinetd.d/telnet:
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
no_access = 10.0.1.0/24
log_on_success += PID HOST EXIT
access_times = 09:45-16:15
}
· service — Defines the service name, usually one listed in the /etc/services
file.
· flags — Sets any of a number of attributes for the connection. REUSE
instructs xinetd to reuse the socket for a Telnet connection.
· socket_type — Sets the network socket type to stream.
· wait — Defines whether the service is single-threaded (yes) or
multi-threaded (no).
· user — Defines what user ID the process runs under.
· server — Defines the binary executable to be launched.
· log_on_failure — Defines logging parameters for log_on_failure in addition
to those already defined in xinetd.conf.
· disable — Defines whether the service is active.
· only_from — Allows only the specified hosts to use the service.
· no_access — Blocks listed hosts from using the service.
· access_times — Specifies the time range when a particular service may be
used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM.
The only_from and no_access options can use a list of IP addresses or host
names, or can specify an entire network. Like TCP wrappers, combining xinetd
access control with the enhanced logging configuration can increase security
by blocking requests from banned hosts while verbosely recording each
connection attempt. For example, the /etc/xinetd.d/telnet file shown above
blocks Telnet access from a particular network and restricts the overall time
range in which even allowed users can log in.
In this example, when a client system from the 10.0.1.0/24 network, such as
10.0.1.2, tries to access the Telnet service, it receives the following
message:
Connection closed by foreign host.
In addition, its login attempts are logged in /var/log/secure.
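To make the access rules concrete, here is an added example (it is not part of the original article and not xinetd's own code) that parses the telnet service file shown above and decides whether a given client at a given time of day would be admitted under no_access, only_from and access_times. It assumes only_from/no_access hold IP addresses or CIDR networks rather than host names, and it does not merge the defaults block from xinetd.conf.

```python
import ipaddress
# Constructed sample input: the /etc/xinetd.d/telnet service file from the article.
SAMPLE_TELNET = """\
service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    no_access       = 10.0.1.0/24
    log_on_success  += PID HOST EXIT
    access_times    = 09:45-16:15
}
"""

def parse_service(text):
    """Parse one service block into {attribute: [values]}; '=' sets, '+=' appends."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "{}#" or line.startswith("service "):
            continue
        op = "+=" if "+=" in line else "="
        key, _, value = line.partition(op)
        key, values = key.strip(), value.split()
        attrs[key] = attrs.get(key, []) + values if op == "+=" else values
    return attrs

def in_time_range(spec, now):
    """spec is HH:MM-HH:MM as in access_times and now is HH:MM; compare as (h, m)."""
    as_hm = lambda s: tuple(int(x) for x in s.split(":"))
    start, end = spec.split("-")
    return as_hm(start) <= as_hm(now) <= as_hm(end)

def matches(ip, entries):
    """Assumption: entries are IP addresses or CIDR networks, not host names."""
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def allowed(attrs, client_ip, now):
    """Admission as the article describes: no_access wins, then only_from, then access_times."""
    ip = ipaddress.ip_address(client_ip)
    if attrs.get("disable") == ["yes"] or matches(ip, attrs.get("no_access", [])):
        return False
    if "only_from" in attrs and not matches(ip, attrs["only_from"]):
        return False
    ranges = attrs.get("access_times", [])
    return not ranges or any(in_time_range(r, now) for r in ranges)
```

Running allowed(parse_service(SAMPLE_TELNET), "10.0.1.2", "10:00") returns False, matching the "Connection closed by foreign host." outcome above, while a host outside 10.0.1.0/24 is admitted only between 09:45 and 16:15.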