INETD.CONF EXPLAINED
Threx [ threx@attrition.org ]

********** Table of Contents **********

[ One: Preface ]
[ Two: The Fields ]
[ Three: Closer Look at Services ]
[ Four: Opening & Closing Services ]
[ Five: Daemon Options ]
[ Six: TCP Wrappers ]
[ Seven: Conclusion ]

********** Table of Contents **********

[ One: Preface ]

One of the most important files on a Linux system today is inetd.conf. It is the Internet super-server's database: inetd reads it, listens on every port it names, and starts the matching server program when a connection arrives. From this one file you can open and close services, tighten their access control, and more. I hope this paper explains it fully.

[ Two: The Fields ]

Every valid entry in inetd.conf has the following fields, in this order, separated by spaces or tabs:

* service name
* socket type
* protocol
* wait/nowait[.max]
* user[.group]
* server program
* server program arguments

A Sun-RPC service uses the same seven fields, but the first and third are written differently:

* service name/version
* socket type
* rpc/protocol
* wait/nowait[.max]
* user[.group]
* server program
* server program arguments

The service name must be a valid service name (e.g. telnet, echo). That means it has to appear in /etc/services, which is also where inetd looks up the port number it will listen on. If the service name defines a Sun-RPC service, it has to be in /etc/rpc instead, and the version (or a version range such as 1-3) follows it after a slash.

The socket type field should be one of the following:

* stream - stream
* dgram - datagram
* raw - raw
* rdm - reliably delivered message
* seqpacket - sequenced packet

Which one you use depends on what type of socket the server program expects.

The protocol field must be a valid name from /etc/protocols. The most used ones are "tcp - Transmission Control Protocol" and "udp - User Datagram Protocol". To specify a Sun-RPC service, put rpc/ in front of the protocol (e.g. rpc/tcp or rpc/udp).

The wait/nowait field is meaningful for datagram sockets only; all other socket types should use "nowait".
If the datagram server is "multi-threaded", meaning it connects to its peer and frees up the socket so inetd can receive further messages on it, it should have the "nowait" entry. If the datagram server is "single-threaded", meaning it reads all incoming datagrams on the socket itself and eventually times out, it should use the "wait" entry. (With "wait", inetd hands the socket to the server and starts no second copy until the first one exits.)

The optional max, separated from wait/nowait by a dot, specifies the maximum number of server instances inetd may spawn within 60 seconds; it defaults to 40 when omitted. When the limit is exceeded inetd logs the service as "failing (looping)", closes its port and only retries later (ten minutes in the BSD/netkit code). Keep that in mind: a low max is a throttle against a runaway daemon, but it is also a lever anyone who can open connections quickly can use to knock the service offline.

The user field holds the name of the user the server should run as. The optional group, separated from the user by a dot, lets the server run with a different group id than the one listed for that user in /etc/passwd. Use the least-privileged account the daemon works with; root is only needed by servers that must bind privileged ports or switch users themselves (such as in.telnetd).

The server program is the path of the program to execute when a request arrives on the socket. If inetd provides the service internally (echo, discard, chargen, daytime, time), this entry should be the word "internal".

The server program arguments are the arguments the server program is started with, beginning with argument 0, the program's own name. This is why a wrapped service lists tcpd as the program and the real daemon's name (in.telnetd) as the first argument: tcpd uses that name to find the daemon it hands the connection to. For an internal service the arguments field is left out; the word "internal" in the program field is all that appears.
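Because the rules in this section are mechanical, here is an added Python example (written for this article; it is not code from the original author or from inetd) that parses a constructed inetd.conf into the seven fields described above, flags the two things a reviewer checks first (external stream servers not behind tcpd, and servers running as root), and comments a service out the way the "Opening & Closing Services" section does by hand. The sample file, the Entry field names and the function names are this example's own, and the 40 used when .max is omitted is the default documented by BSD/netkit inetd.

```python
"""Parse inetd.conf into its seven fields and audit the active services.

Added example written for this article, not code from its author or from
inetd itself.  The splitting follows the field description above:
service[/version], socket type, [rpc/]protocol, wait|nowait[.max],
user[.group], server program, then the arguments starting with argument 0.
The sample file is constructed for the example from the entries shown in
this article plus a commented-out ftp line and a finger line that sets
both .max and .group.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "service version socktype rpc protocol "
                            "wait max user group program args")

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
telnet     stream tcp     nowait    root           /usr/sbin/tcpd        in.telnetd
#ftp       stream tcp     nowait    root           /usr/sbin/tcpd        in.ftpd -l -a
echo       dgram  udp     wait      root           internal
rstatd/1-3 dgram  rpc/udp wait      root           /usr/sbin/tcpd        rpc.rstatd
finger     stream tcp     nowait.20 nobody.nogroup /usr/sbin/in.fingerd  in.fingerd
smtp       stream tcp     nowait    root           /usr/sbin/sendmail    sendmail -bs
"""

DEFAULT_MAX = 40   # the documented default in BSD/netkit inetd when .max is omitted


def is_entry(line):
    """A line is an entry (active or commented out) if it has the six mandatory
    fields and a wait/nowait field in fourth position."""
    tokens = line.split()
    return len(tokens) >= 6 and tokens[3].split(".")[0] in ("wait", "nowait")


def parse_inetd_conf(text):
    """Return an Entry for every active (uncommented) line, in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not is_entry(line):
            raise ValueError("malformed inetd.conf line: %r" % raw)
        fields = line.split(None, 6)          # the 7th field keeps its inner spaces
        svc, socktype, proto, waitfield, userfield, program = fields[:6]
        service, _, version = svc.partition("/")
        rpc = proto.startswith("rpc/")
        wait, _, maxstr = waitfield.partition(".")
        user, _, group = userfield.partition(".")
        # argument 0 is the program name; tcpd uses it to find the real daemon
        args = fields[6].split() if len(fields) == 7 and program != "internal" else []
        entries.append(Entry(service, version or None, socktype, rpc,
                             proto[4:] if rpc else proto, wait,
                             int(maxstr) if maxstr else DEFAULT_MAX,
                             user, group or None, program, args))
    return entries


def audit(entries):
    """The checks a reviewer makes first: external stream servers not behind
    tcpd, and servers that run as root.  Returns one string per finding."""
    findings = []
    for e in entries:
        if e.program == "internal":
            continue
        if e.socktype == "stream" and not e.program.endswith("/tcpd"):
            findings.append("%s: not wrapped by tcpd" % e.service)
        if e.user == "root":
            findings.append("%s: runs as root" % e.service)
    return findings


def set_service(text, name, enabled):
    """Comment out (enabled=False) or restore (enabled=True) the entry lines
    for `name`.  Returns the new file text; inetd still has to be told to
    reread it afterwards (killall -HUP inetd)."""
    out = []
    for raw in text.splitlines():
        body = raw.lstrip("#").strip()
        if is_entry(body) and body.split()[0].split("/")[0] == name:
            out.append(body if enabled else "#" + body)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    active = parse_inetd_conf(SAMPLE_INETD_CONF)
    for e in active:
        print(e)
    print(audit(active))
    closed = set_service(SAMPLE_INETD_CONF, "telnet", False)
    print([e.service for e in parse_inetd_conf(closed)])
```

Run against a real /etc/inetd.conf, the audit list is the first thing to go through: every "not wrapped by tcpd" line bypasses hosts.allow/hosts.deny, and every "runs as root" line deserves the question of whether the daemon really needs it.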
[ Three: Closer Look at Services ]

Now let us look at a few different entries to get a better understanding:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

* Service Name: telnet
* Socket Type: stream
* Protocol: tcp
* Wait/Nowait[.max]: nowait
* User[.group]: root
* Server Program: /usr/sbin/tcpd
* Server Program Arguments: in.telnetd

echo dgram udp wait root internal

* Service Name: echo
* Socket Type: dgram
* Protocol: udp
* Wait/Nowait[.max]: wait
* User[.group]: root
* Server Program: internal
* Server Program Arguments: (none; the service is internal)

rstatd/1-3 dgram rpc/udp wait root /usr/sbin/tcpd rpc.rstatd

* Service Name/version: rstatd/1-3
* Socket Type: dgram
* Protocol: rpc/udp
* Wait/Nowait[.max]: wait
* User[.group]: root
* Server Program: /usr/sbin/tcpd
* Server Program Arguments: rpc.rstatd

[ Four: Opening & Closing Services ]

This is probably the easiest thing to do in inetd.conf. All it takes is commenting the service out with a #. For example, say I want to close port 23, which is telnet. I simply put a # in front of its line:

#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

Once inetd rereads the file (see below), it closes its listening socket on port 23 and nothing answers there any more. (A telnet session that was already handed off to in.telnetd keeps running until it ends on its own.) Later, if I decide I want my computer friends to reach their accounts on my machine through telnet, I just uncomment the line:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

and port 23 is open again. It is as easy as that, but the edit does nothing until you tell inetd to reread its configuration, which it does on SIGHUP:

hoodlum:~ # killall -HUP inetd

That is the Linux killall, which signals processes by name; afterwards confirm the change took with "netstat -ant | grep ':23 '" (the LISTEN line for port 23 should be gone) rather than trusting the edit alone.

[ Five: Daemon Options ]

Sometimes you will see options in the server program arguments field. For example:

smtp stream tcp nowait root /usr/sbin/sendmail sendmail -bs

Here the arguments are "sendmail -bs": "sendmail" is argument 0 (the program name) and "-bs" is the -b mode option with the value s, which tells sendmail to speak SMTP on its standard input and output, which is exactly what a connection handed over by inetd looks like. It is one option with a value, not two separate options 'b' and 's'.
It is the same as running, with the connection on stdin and stdout:

hoodlum:~ # sendmail -bs

So to turn on options for a daemon, add them to the server program arguments field after the program name. Refer to the daemon's man page for its options, and check each one there rather than guessing: a flag that means one thing to sendmail can mean something quite different to another daemon.

[ Six: TCP Wrappers ]

TCP Wrappers is a utility for securing your network services. You see it in the sixth column, the server program field:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

inetd starts tcpd instead of the real daemon; tcpd logs the connection, checks whether the client is allowed, and only then executes the daemon named in the arguments field (in.telnetd). TCP Wrappers uses two files, /etc/hosts.allow and /etc/hosts.deny, to restrict access to services. hosts.allow holds the hosts allowed to reach a service and, as you can probably tell, hosts.deny holds the hosts that cannot. The order matters: hosts.allow is checked first and a match grants access; otherwise hosts.deny is checked and a match denies it; if neither file matches (and an empty or missing file matches nothing), the connection is allowed. So the wrapper does nothing useful until you edit those two files; the usual starting point is "ALL: ALL" in hosts.deny and explicit exceptions in hosts.allow. Note also that only services started through tcpd (or daemons built with libwrap) are covered; inetd's internal services are not. Try the man pages hosts_access(5) and tcpd(8) for the details.

[ Seven: Conclusion ]

Well, that's all for now, folks. I hope this paper has helped you get a grasp on inetd.conf. If you have any questions, please feel free to email me at threx@inferno.tusculum.edu. If your email doesn't go through, try again, because it's not the most reliable server ;-).
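[ Appendix: hosts.allow / hosts.deny Evaluation ]

To make the evaluation order of the TCP Wrappers section concrete, here is an added Python model (written for this article; it is not code from the original author or from the TCP Wrappers package) of how tcpd decides a (daemon, client) pair from hosts.allow and hosts.deny, following the rules documented in hosts_access(5). It covers only part of the pattern language (ALL, LOCAL, ".domain" suffixes, "10.1.2." address prefixes, exact names and EXCEPT), and the two file contents, host names and addresses in it are constructed for the example.

```python
"""Model of how tcpd decides access from /etc/hosts.allow and /etc/hosts.deny.

Added example written for this article, not code from its author or from
the TCP Wrappers package.  It follows the rules documented in
hosts_access(5): a (daemon, client) pair is allowed when it matches
hosts.allow, otherwise denied when it matches hosts.deny, otherwise
allowed.  Only part of the pattern language is modelled: ALL, LOCAL,
".domain" name suffixes, "10.1.2." address prefixes, exact names and the
EXCEPT operator.  Both file contents below are constructed for the example.
"""

# Constructed hosts.allow: the LAN may telnet/ftp; anyone but one domain may ssh.
HOSTS_ALLOW = """\
in.telnetd, in.ftpd : 192.168.1.
sshd : ALL EXCEPT .evil.example
"""

# Constructed hosts.deny: default-deny whatever the allow file did not match.
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list) string pairs; '#' comments and the
    optional third field (a shell command) are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((parts[0], parts[1]))
    return rules


def split_list(field):
    """Split a list on commas/whitespace; 'A EXCEPT B' becomes (A-tokens, B-tokens)."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def match_client(token, name, addr):
    """Does one client pattern match the client's host name / IPv4 address?"""
    if token == "ALL":
        return True
    if token == "LOCAL":            # any host name without a dot in it
        return "." not in name
    if token.startswith("."):       # domain suffix, e.g. ".evil.example"
        return name.endswith(token)
    if token.endswith("."):         # leading octets, e.g. "192.168.1."
        return addr.startswith(token)
    return token in (name, addr)


def list_matches(field, matcher):
    """EXCEPT semantics: something in the first list matches and nothing in the second does."""
    included, excepted = split_list(field)
    if not any(matcher(t) for t in included):
        return False
    return not any(matcher(t) for t in excepted)


def pair_matches(rule, daemon, name, addr):
    dlist, clist = rule
    daemon_ok = list_matches(dlist, lambda t: t == "ALL" or t == daemon)
    client_ok = list_matches(clist, lambda t: match_client(t, name, addr))
    return daemon_ok and client_ok


def hosts_access(daemon, client_name, client_addr,
                 allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if tcpd would let `daemon` serve this client."""
    if any(pair_matches(r, daemon, client_name, client_addr) for r in parse_rules(allow_text)):
        return True                 # hosts.allow is consulted first
    if any(pair_matches(r, daemon, client_name, client_addr) for r in parse_rules(deny_text)):
        return False                # then hosts.deny
    return True                     # no match in either file: access is granted


if __name__ == "__main__":
    for d, n, a in [("in.telnetd", "pc1.lan", "192.168.1.20"),
                    ("in.telnetd", "box.evil.example", "203.0.113.9"),
                    ("sshd", "box.evil.example", "203.0.113.9"),
                    ("sshd", "host.example.org", "198.51.100.7")]:
        print(d, n, a, "->", "allow" if hosts_access(d, n, a) else "deny")
    # With an empty hosts.deny the hostile client gets in: the default is
    # allow, so an unedited or missing hosts.deny protects nothing.
    print("empty hosts.deny:", hosts_access("in.telnetd", "box.evil.example",
                                            "203.0.113.9", deny_text=""))
```

The last line of the demonstration is the caveat worth remembering: without the "ALL: ALL" line in hosts.deny, every client that hosts.allow does not mention is let through, which is why installing tcpd in inetd.conf alone closes nothing.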