INETD.CONF EXPLAINED
Threx [ threx@attrition.org ]
********** Table of Contents **********
[ One: Preface ]
[ Two: The Fields ]
[ Three: Closer Look at Services ]
[ Four: Opening & Closing Services ]
[ Five: Daemon Options ]
[ Six: TCP Wrappers ]
[ Seven: Conclusion ]
********** Table of Contents **********
[ One: Preface ]
One of the most important files on a linux system today is inetd.conf.
This file holds the internet servers database. From this one file you are
able to control many services. You can open/close services, make them
more secured, and much more. I hope this file will help explain it in its
fullness.
[ Two: The Fields ]
Now every valid entry in inetd.conf file must have the following:
* service name
* socket type
* protocol
* wait/nowait[.max]
* user[.group]
* server program
* server program arguments
However if you want to specify a Sun-RPC service, then the following are
the fields that need to be filled:
* service name/version
* socket type
* rpc/protocol
* wait/nowait[.max]
* user[.group]
* server program
* server program arguments
The service name is a valid service name (ex. telnet, echo, etc.).
This clearly means it has to be in the /etc/services file. If the
service name is being used to define a Sun-RPC service, then it has to be
in the /etc/rpc file.
The socket type field should be one of the follow:
* stream - stram
* dgram - datagram
* raw - raw
* rdm - reliably delivered message
* seqpacket - sequenced packet
This field depends on what type of socket it will use.
The protocol field must be a valid content of /etc/protocols. The most
used protocols are "tcp - Transmission Control Protocol" or "udp - User
Datagram Protocol". To specify a Sun-RPC service put a rpc/ infront of
the protocol. (ex. rpc/tcp or rpc/udp).
The wait/nowait field is only used for datagram sockets only. All others
should be "nowait". If the datagram server is "multi-threaded", meaning
when it connects to its peer and frees up the socket so inetd can
recieve further messages on the socket, then it should have the "nowait"
entry. If the datagram server is "single-threaded", meaning it
processes all incoming datagrams on a socket and will eventually time out,
should use the "wait" entry. The max option, that is seperated by a dot
from wait/nowait, specifies the maxium number of server instances that may
be spawn from inetd within 60 seconds.
The user field should have the user name of the user the service should run
from. The group option, that is seperated by a dot, allows the servers to
run with a differenet group id rather than the one specified from the
/etc/passwd file.
The server program should be the path to the program to execute when it is
requested on a socket. If inetd provides this service internally the this
entry should be "internally"
The server program arguments are just arguments provided by the server
program. Once again, if the service is provided internally then
"internally" should take the place of this entry.
[ Three: Closer Look at Services ]
Now I think we should take a look at different services to have a better
understanding:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
* Service Name: telnet
* Socket Type: stream
* Protocol: tcp
* Wait/Nowait[.max]: nowait
* User[.group]: root
* Server Program: /usr/sbin/tcpd
* Server Program Arguments: in.telnetd
echo dgram udp wait root internal
* Service Name: echo
* Socket Type: dgram
* Protocol: udp
* Wait/Nowait[.max]: wait
* User[.group]: root
* Server Program: internal
rstatd/1-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rstatd
* Service Name: rstatd/1-3
* Socket Type: dgram
* Protocol: rpc/udp
* Wait/Nowait[.max]: wait
* User[.group]: root
* Server Program: /usr/sbin/tcpd
* Server Program Arguments: rpc.rstatd
[ Four: Opening & Closing Services ]
This is probably one of the easiest things to do in the inetd.conf file.
All this consist of is commenting (#) the service. For example, let us
say I want to close port 23, which is telnet. I would just simply put a
# infront of it.
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
Now port 23, telnet, is closed. However, later on I decide that I want my
computer friends to access their accounts on my computer through telnet.
All I would do is uncomment the service.
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
Now port 23, telnet, is opened. It's as easy as that. Then you must
restart inetd for the actions to go into affect. Just type in the
following command.
hoodlum:~ # killall -HUP inetd
There you go. Now the affects have gone into affect, just like I said.
[ Five: Daemon Options ]
Some times in the server program arguments field, you will see options.
For example:
smtp stream tcp nowait root /usr/sbin/sendmail sendmail -bs
At the end it has '-bs', which means the options 'b' and 's' are on. It
would be the same as typing in:
hoodlum:~ # sendmail -bs
So if you want to turn on some options for the daemon then just add them
to the server program aruments field. Please refer to the man pages for
various options.
[ Six: TCP Wrappers ]
TCP Wrappers is a security utility to secure your network services. You
will see this in the 6th column, in the server program field.
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
TCP Wrappers uses two files, /etc/hosts.allow and /etc/hosts.deny, to
restrict access to certain services. The hosts.allow file holds the
hosts allowed to access services. As you can probably already tell,
hosts.deny holds the hosts that can't access services. However this won't
do much unless you edit /etc/hosts.allow and /etc/hosts.deny. Try the man
pages for help on them.
[ Seven: Conclusion ]
Well thats all for now folks. I hope this paper has helped you get a
grasp on inetd.conf. If you have any questions please feel free to email
me at threx@inferno.tusculum.edu. If your email doesn't go through then
try again because it's not the most reliable server ;-).