Extended Internet Services Daemon (xinetd)
The Extended Internet Services Daemon (xinetd) is a TCP-wrapped super service which controls access to a subset of popular network services, including FTP, IMAP, and Telnet. The xinetd service listens for connection requests on behalf of all of its active servers, each of which has its own configuration file in the /etc/xinetd.d directory. There is also a generic configuration file for all xinetd services, /etc/xinetd.conf. It controls services such as rsync, gssftp, and telnet-server, when installed.
/etc/xinetd.conf
It contains general configuration settings which affect
every service under xinetd's control. It is read when the xinetd
service is first started, so for configuration changes to take
effect, you need to restart the xinetd service:
# cat /etc/xinetd.conf
defaults
{
instances = 70
per_source = 15
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 30 40
}
includedir /etc/xinetd.d
These are some of the parameters that can be configured in this file to control the following aspects of xinetd. For more info, see 'man xinetd.conf'.
instances:
Specifies the maximum number of simultaneous requests that xinetd can process.
log_type:
Configures xinetd to use the authpriv log facility, which writes log entries to the /var/log/secure file. Adding a directive such as FILE /var/log/xinetdlog would create a custom log file called xinetdlog in the /var/log/ directory.
log_on_failure:
Configures xinetd to log failed connection attempts or if the connection was denied.
cps:
Configures xinetd to allow no more than 30 connections per second to any given service. If this limit is exceeded, the service is retired for 40 seconds.
per_source:
This limits the number of connections from each IP address.
includedir /etc/xinetd.d/:
Includes options declared in the service-specific configuration files located in the /etc/xinetd.d/ directory.
/etc/xinetd.d
It contains the configuration files for each service managed by xinetd; each file is named after the service it configures. This directory is read only when the xinetd service is started, so for any changes to take effect the xinetd service must be restarted. As an example of such a file, let's look at the /etc/xinetd.d/telnet file installed by the 'telnet-server' RPM.
# cat /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
These lines control various aspects of the telnet service. For more info 'man xinetd.conf'.
service:
Specifies the service name, usually one of those listed in the /etc/services file.
flags:
Sets any of a number of attributes for the connection. REUSE instructs xinetd to reuse the socket for a Telnet connection.
socket_type:
Sets the network socket type to stream.
wait:
Specifies whether the service is single-threaded (yes) or multi-threaded (no).
user:
Specifies which user ID the process runs under.
group:
Group under which the server should run.
server:
Specifies which binary executable to launch.
only_from:
Host name or IP address allowed to use the server. CIDR notation (such as 192.168.0.0/24) is okay.
no_access:
Host name or IP address not allowed to use the server. CIDR notation is okay.
access_times:
Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM.
log_on_failure:
Specifies logging parameters for log_on_failure in addition to those already defined in xinetd.conf.
disable:
Specifies whether the service is disabled (yes) or enabled (no).
Logging
The following logging options are available for both
/etc/xinetd.conf and the service-specific configuration files within
the /etc/xinetd.d/ directory.
ATTEMPT:
Logs the fact that a failed attempt was made (log_on_failure).
DURATION:
Logs the length of time the service is used by a remote system (log_on_success).
EXIT:
Logs the exit status or termination signal of the service (log_on_success).
HOST:
Logs the remote host's IP address (log_on_failure and log_on_success).
PID:
Logs the process ID of the server receiving the request (log_on_success).
USERID:
Logs the remote user using the method defined in RFC 1413 for all multi-threaded stream services (log_on_failure and log_on_success).
For more info 'man xinetd.conf'.
Access control
Users of xinetd services can use the TCP Wrappers hosts
access rules, provide access control via the xinetd configuration
files, or a mixture of both.
only_from:
Allows only the specified hosts to use the service.
no_access:
Blocks listed hosts from using the service.
access_times:
Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM.
# cat /etc/xinetd.d/telnet
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
no_access = 192.168.10.0/24
log_on_success += PID HOST EXIT
access_times = 09:00-17:00
}
In this example, when a client system from the 192.168.10.0/24 network, such as 192.168.10.100, tries to access the Telnet service, it receives the following message:
Connection closed by foreign host.
In addition, their login attempts are logged in /var/log/messages as follows:
Jun 17 14:58:33 localhost xinetd[5285]: FAIL: telnet address from=192.168.10.100
Jun 17 14:58:33 localhost xinetd[5283]: START: telnet pid=5285 from=192.168.10.100
Jun 17 14:58:33 localhost xinetd[5283]: EXIT: telnet status=0 pid=5184
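The START, EXIT and FAIL lines above are what a defender actually searches for once logging is configured as described in the Logging section. The parser below is an added example, not part of the original post: it reads constructed lines in the same /var/log/messages format (hosts, pids and times are made up), counts denied attempts per source, pairs each START with its EXIT by pid, and reports sessions still open or an EXIT whose pid never had a START.

```python
import re
from collections import Counter
# Constructed sample in the /var/log/messages format shown above (values made up).
SAMPLE_LOG = """\
Jun 17 14:58:33 localhost xinetd[5285]: FAIL: telnet address from=192.168.10.100
Jun 17 14:58:33 localhost xinetd[5283]: START: telnet pid=5285 from=192.168.10.100
Jun 17 14:58:33 localhost xinetd[5283]: EXIT: telnet status=0 pid=5285
Jun 17 14:58:40 localhost xinetd[5290]: FAIL: telnet address from=192.168.10.100
Jun 17 15:02:10 localhost xinetd[5283]: START: telnet pid=5301 from=10.0.0.7
Jun 17 15:02:55 localhost xinetd[5283]: EXIT: telnet status=0 pid=5301 duration=45(sec)
Jun 17 15:03:01 localhost xinetd[5283]: EXIT: telnet status=1 pid=5184
Jun 17 15:04:00 localhost xinetd[5283]: START: telnet pid=5310 from=10.0.0.7
Jun 17 15:04:02 localhost sshd[5320]: Accepted publickey for admin from 10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: "
    r"(?P<event>START|EXIT|FAIL): (?P<service>\S+)(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for an xinetd START/EXIT/FAIL line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event"), "service": m.group("service")}
    tokens = m.group("rest").split()
    # A FAIL line names the reason ('address' = only_from/no_access) before from=
    rec["reason"] = tokens[0] if tokens and "=" not in tokens[0] else None
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("rest")))   # pid=, from=, status=, ...
    return rec

def summarize(log_text):
    """Count denials per (service, source) and pair START/EXIT records by pid."""
    failures, sessions, orphan_exits = Counter(), {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "FAIL":
            failures[(rec["service"], rec["from"])] += 1
        elif rec["event"] == "START":
            sessions[rec["pid"]] = {"from": rec["from"], "status": None}
        elif rec["pid"] in sessions:            # EXIT closing a known session
            sessions[rec["pid"]]["status"] = rec["status"]
        else:                                   # EXIT with no START for that pid
            orphan_exits.append(rec["pid"])
    return {"failures": dict(failures), "sessions": sessions, "orphan_exits": orphan_exits,
            "open": [pid for pid, s in sessions.items() if s["status"] is None]}
```

Repeated FAIL entries for one source are the signal worth alerting on; a START with no EXIT long after the access window is the other one.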
xinetd and TCP Wrappers
The following is the sequence of events followed by
xinetd when a client requests a connection:
First: The xinetd daemon checks the TCP Wrappers hosts access rules using a libwrap.a library call (the /etc/hosts.allow and /etc/hosts.deny files). If a deny rule matches the client, the connection is dropped. If an allow rule matches the client, the connection is passed to xinetd.
Then: The xinetd daemon checks its own access control rules both for the xinetd service and the requested service. If a deny rule matches the client, the connection is dropped. Otherwise, xinetd starts an instance of the requested service and passes control of the connection to that service.
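The two-stage sequence just described, together with the only_from, no_access and access_times attributes explained for the telnet service file, can be worked through in code. The example below is added here and is not xinetd's own logic: it parses a constructed service block in the /etc/xinetd.d style (including the '+=' form), models TCP Wrappers as an allow list consulted before a deny list (entries in CIDR or netmask notation only), and then applies the service's own rules. The rule that the most specific of an overlapping only_from/no_access entry wins, with a tie denying, is this example's assumption about xinetd behaviour; confirm it against xinetd.conf(5) on your version.

```python
import ipaddress
from datetime import time
# Constructed service block in the /etc/xinetd.d/telnet style shown above (values made up).
TELNET_CONF = """
service telnet
{
    disable        = no
    only_from      = 192.168.0.0/16 10.0.0.0/8
    no_access      = 192.168.10.0/24
    log_on_success += PID HOST EXIT
    access_times   = 09:00-17:00
}
"""

def parse_service(text):
    """Parse one 'service name { attr = value }' block; '+=' appends, as in xinetd.conf."""
    attrs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("service ") or line in ("{", "}"):
            continue
        op = "+=" if "+=" in line else "="
        key, _, value = line.partition(op)
        key, values = key.strip(), value.split()
        attrs[key] = attrs.get(key, []) + values if op == "+=" else values
    return attrs

def longest_match(ip, nets):
    """Prefix length of the most specific network in nets that contains ip, or -1 if none."""
    nets = [ipaddress.ip_network(n, strict=False) for n in nets]
    return max((n.prefixlen for n in nets if ip in n), default=-1)

def tcp_wrappers_allows(ip, hosts_allow, hosts_deny):
    """Stage 1 (simplified libwrap model): hosts.allow first, then hosts.deny, else pass on."""
    return longest_match(ip, hosts_allow) >= 0 or longest_match(ip, hosts_deny) < 0

def xinetd_allows(ip, now_hhmm, attrs):
    """Stage 2: only_from / no_access / access_times. Assumption: most specific entry wins, a tie denies."""
    allow = longest_match(ip, attrs.get("only_from", []))
    deny = longest_match(ip, attrs.get("no_access", []))
    if ("only_from" in attrs and allow < 0) or (deny >= 0 and deny >= allow):
        return False
    windows = [tuple(map(time.fromisoformat, w.split("-"))) for w in attrs.get("access_times", [])]
    return not windows or any(a <= time.fromisoformat(now_hhmm) <= b for a, b in windows)

def admits(ip_str, now_hhmm, attrs, hosts_allow=(), hosts_deny=()):
    ip = ipaddress.ip_address(ip_str)
    if attrs.get("disable") == ["yes"]:   # a disabled service is not listening at all
        return False
    return tcp_wrappers_allows(ip, hosts_allow, hosts_deny) and xinetd_allows(ip, now_hhmm, attrs)
```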
Binding and Redirection
Xinetd supports binding the service to an IP address
and redirecting incoming requests for that service to another IP
address, hostname, or port. The xinetd daemon is able to accomplish
this redirection by spawning a process that stays alive for the
duration of the connection between the requesting client machine and
the host actually providing the service, transferring data between
the two systems.
service telnet
{
socket_type = stream
wait = no
server = /usr/sbin/in.telnetd
log_on_success += DURATION USERID
log_on_failure += USERID
bind = 111.111.111.111
redirect = 10.0.0.1 23
}
The bind and redirect options in this file ensure that the Telnet service on the machine is bound to the external IP address (111.111.111.111), the one facing the Internet. In addition, any requests for Telnet service sent to 111.111.111.111 are redirected via a second network adapter to an internal IP address (10.0.0.1) that only the firewall and internal systems can access. The firewall then sends the communication between the two systems, and the connecting system thinks it is connected to 111.111.111.111 when it is actually connected to a different machine.
Resource Management and DoS attacks
The xinetd daemon can add a basic level of protection
from Denial of Service (DoS) attacks. The following is a list of
directives which can aid in limiting the effectiveness of such
attacks:
per_source:
Defines the maximum number of instances for a service per source IP address. It accepts only integers as an argument and can be used in both xinetd.conf and in the service specific configuration files in the xinetd.d directory.
cps:
Defines the maximum number of connections per second. This directive takes two integer arguments separated by white space. The first argument is the maximum number of connections allowed to the service per second. The second argument is the number of seconds that xinetd must wait before re-enabling the service. It accepts only integers as arguments and can be used in either the xinetd.conf file or the service-specific configuration files in the xinetd.d/ directory.
max_load:
Defines the CPU usage or load average threshold for a service. It accepts a floating point number argument. The load average is a rough measure of how many processes are active at a given time. See the uptime, who, and procinfo commands for more information about load average. There are more resource management options available for xinetd. Refer to the xinetd.conf man page for more information.
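To see how the three limits interact, the simulator below is an added example (not xinetd's code) that models instances, per_source and cps for one service, defaulting to the values from the defaults block above (70 / 15 / 30 40). Its check order, the rule that only accepted connections count toward cps, and the behaviour that a retired service refuses everything until the wait period has elapsed are this example's assumptions.

```python
from collections import deque

class XinetdLimits:
    """Model of the instances, per_source and cps directives for one service.
    Assumptions: checks run in the order cps, instances, per_source; only accepted
    connections count toward cps; a cps-retired service refuses all connections
    until the wait period has elapsed."""

    def __init__(self, instances=70, per_source=15, cps=(30, 40)):
        self.instances, self.per_source = instances, per_source
        self.cps_limit, self.cps_wait = cps
        self.active = {}            # source IP -> running server instances
        self.recent = deque()       # arrival times of accepted connections, last 1 s
        self.retired_until = None   # time at which a cps-retired service comes back

    def connect(self, src, t):
        """Register a connection attempt at time t (seconds); return 'accepted'
        or the name of the directive that refused it."""
        if self.retired_until is not None:
            if t < self.retired_until:
                return "cps"
            self.retired_until = None         # wait period over, service re-enabled
        while self.recent and t - self.recent[0] >= 1.0:
            self.recent.popleft()             # forget connections older than one second
        if len(self.recent) >= self.cps_limit:
            self.retired_until = t + self.cps_wait
            return "cps"
        if sum(self.active.values()) >= self.instances:
            return "instances"
        if self.active.get(src, 0) >= self.per_source:
            return "per_source"
        self.recent.append(t)
        self.active[src] = self.active.get(src, 0) + 1
        return "accepted"

    def disconnect(self, src):
        """The server instance handling src has exited."""
        self.active[src] -= 1

def replay(limits, attempts):
    """Run a list of (src, t) attempts and return the list of verdicts."""
    return [limits.connect(src, t) for src, t in attempts]
```

Note that a single aggressive source trips per_source long before it can exhaust instances, while cps retires the whole service for every client, which is exactly the trade-off to weigh when choosing its two values.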
Managing xinetd services
Some standard Linux services are designed to be executed through xinetd. For example, the 'rsync' server, installed by the rsync RPM, is configured and executed through the xinetd service using /etc/xinetd.d/rsync.
The first step in order to run the rsync server through xinetd is the RPM installation:
# yum install rsync
The next step is to activate the rsync server under xinetd. This is done by writing the directive 'disable = no' into the /etc/xinetd.d/rsync file and restarting the xinetd service. The chkconfig command can do both steps automatically:
# chkconfig rsync on
Finally, verify that xinetd is listening on TCP port 873, the rsync server port:
# netstat -putan | grep 873
tcp ... :::873 ... xinetd/2234