Configuring the xinetd Server to Disable Services

In addition to stand-alone servers such as a Web server (httpd), a mail server (sendmail), and a domain name server (named), you have to configure another server separately. That other server, xinetd (the Internet superserver), starts a host of other Internet services, such as TELNET and POP3, whenever a client makes a request over the network. The xinetd server includes some security features that you can use to disable the services it can start on demand and to control which hosts may reach the ones you leave enabled.

The xinetd server reads a configuration file named /etc/xinetd.conf at startup. This file, in turn, incorporates all the configuration files stored in the /etc/xinetd.d directory. The configuration files in /etc/xinetd.d tell xinetd which ports to listen to and which server to start for each port. Type ls /etc/xinetd.d to see a list of the files in the /etc/xinetd.d directory on your system. On my system, here's what the ls /etc/xinetd.d command lists:

chargen      daytime      echo-udp    klogin       ktalk    time
chargen-udp  daytime-udp  eklogin     krb5-telnet  rsync    time-udp
cvs          echo         gssftp      kshell       telnet

This list shows all the services xinetd can start. However, the configuration file for a service can also turn that service off simply by containing a disable = yes line. For example, here's the content of the telnet file (you have this file only if you have installed the telnet-server RPM):

# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}

Notice the last line inside the braces, disable = yes; that line disables the Telnet service even though the file is present and xinetd reads it.

I won't explain the format of the xinetd configuration files here (Chapter 6 covers xinetd configuration files), except to reiterate that you can turn off a service simply by adding the following line in the configuration file somewhere between the two curly braces {...}:

disable = yes

Conversely, to turn a service on, change that line to disable = no or comment it out by placing a number sign (#) at the beginning of the line. A service file that has no disable line at all is enabled.

Caution: After you make any changes to any xinetd configuration file, you must restart the xinetd server; otherwise the changes won't take effect. To restart the xinetd server, type the following command:

service xinetd restart

This stops the xinetd server and then starts it again. When it restarts, it'll read the configuration files, and the changes will take effect.
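The edit-then-restart procedure above is easy to get slightly wrong by hand (a stray disable line left in a comment, or one added outside the braces). The following script is an added example, not code from the book or from the xinetd project: it reads the effective disable setting of a service file and rewrites it in place, replacing an existing disable line (commented out or not) or inserting one just before the closing brace when the file has none. The function names and the scratch copy of the telnet file are assumptions for the demonstration; against the real file you would run it as root on /etc/xinetd.d/telnet and then restart xinetd as the text describes.

```shell
#!/bin/sh
# Added example (not from the book): inspect and toggle the "disable"
# setting of an xinetd service file. Works on any copy of a file from
# /etc/xinetd.d; function names and file paths are assumed.

# Print the effective disable value ("yes" or "no") for a service file.
# Commented-out lines ("# disable = yes") are ignored, and a file with no
# disable line at all is treated as enabled, which is how xinetd treats it.
xinetd_disable_state() {
    state_val=$(sed -n 's/^[[:space:]]*disable[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -z "$state_val" ]; then
        echo no
    else
        echo "$state_val" | tr 'A-Z' 'a-z'
    fi
}

# Set "disable = yes|no" inside the service { ... } block. An existing
# disable line (commented out or not) is replaced in place; if there is
# none, one is inserted just before the closing brace.
xinetd_set_disable() {
    set_file=$1
    set_want=$2
    case "$set_want" in
        yes|no) ;;
        *) echo "usage: xinetd_set_disable FILE yes|no" >&2; return 1 ;;
    esac
    awk -v want="$set_want" '
        /^[[:space:]]*#?[[:space:]]*disable[[:space:]]*=/ {
            print "        disable         = " want; seen = 1; next
        }
        /^}/ && !seen { print "        disable         = " want; seen = 1 }
        { print }
    ' "$set_file" > "$set_file.tmp" && mv "$set_file.tmp" "$set_file"
}

# Constructed sample, modelled on the telnet file shown in the text.
make_sample_telnet() {
    cat > "$1" <<'EOF'
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF
}

# Demo on a scratch copy. Against the real file you would run, as root:
#   xinetd_set_disable /etc/xinetd.d/telnet yes && service xinetd restart
demo_dir=$(mktemp -d)
make_sample_telnet "$demo_dir/telnet"
echo "telnet before: disable = $(xinetd_disable_state "$demo_dir/telnet")"
xinetd_set_disable "$demo_dir/telnet" no
echo "telnet after:  disable = $(xinetd_disable_state "$demo_dir/telnet")"
rm -rf "$demo_dir"
```

Because the script only edits the file, the change is not live until xinetd rereads its configuration; run service xinetd restart afterwards exactly as the text says. Run xinetd_disable_state over every file in /etc/xinetd.d first to see which services are currently enabled before you decide what to turn off.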

Insider Insight: If you don't feel like editing the configuration file for a service in the /etc/xinetd.d directory, you can use the chkconfig command to turn these services on or off. To turn one of these services off, type chkconfig servicename off (for example, chkconfig telnet off); chkconfig writes the disable = yes line into /etc/xinetd.d/servicename and tells xinetd to reread its configuration. There is no need to specify any run levels because these services are activated by xinetd and can run only when xinetd is running.

Depending on how you use your system, you may be able to disable many of the services. If you do not want anyone to log in remotely or download files from your system, simply disable the Telnet and FTP services. Note that to disable FTP, you have to type chkconfig --level 35 vsftpd off because the FTP service is now a standalone service and the name of the server is vsftpd. That command only keeps vsftpd from starting at boot in run levels 3 and 5; to stop the copy that is already running, also type service vsftpd stop.

Another security feature of xinetd is its use of the TCP wrapper library (libwrap) when it starts services. The TCP wrapper provides an access-control facility for Internet services. Before xinetd starts a service such as FTP or Telnet for a client, it consults the /etc/hosts.allow file; if a line there matches both the service and the requesting host, the connection is accepted. If nothing in /etc/hosts.allow matches, it checks the /etc/hosts.deny file, and a matching line there refuses the connection. If neither file matches (in particular, if both files are empty), the TCP wrapper provides access to the requested service. Both files are read for each new connection, so changes take effect immediately, without restarting xinetd.

Follow these steps to tighten access to the services that xinetd is configured to start:

1. Use a text editor to edit the /etc/hosts.deny file, adding the following line into that file:

ALL:ALL

This denies all hosts access to any Internet services on your system. If you are working over the network, do step 2 first: the files are consulted for every new connection, so ALL:ALL in /etc/hosts.deny with an empty /etc/hosts.allow refuses every new connection, including your own next one.

2. Edit the /etc/hosts.allow file and add to it the names of hosts that can access services on your system. For example, to enable only hosts from the 192.168.1.0 network and the localhost (IP address 127.0.0.1) to access the services on your system, place the following line in the /etc/hosts.allow file:

ALL: 192.168.1.0/255.255.255.0 127.0.0.1

3. If you want to permit access to a specific Internet service to a specific remote host, you can do so using the following syntax for a line in /etc/hosts.allow:

server_program_name: hosts

Here, server_program_name is the name of the server program (for example, in.telnetd for Telnet), and hosts is a comma-separated list of hosts that can access the service. You may also write hosts as a network address or an entire domain name, such as .mycompany.com. For example, here's how you can give Telnet access to all systems in the mycompany.com domain:

in.telnetd: .mycompany.com
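To see what the wrapper will decide for a given daemon and client before you commit the files above, here is an added example, written for this page and not part of the book or of the tcp_wrappers package: a small evaluator that applies the same order of evaluation (a hosts.allow match accepts, then a hosts.deny match refuses, then the default is to accept). It implements only the pattern forms used in the steps above, namely ALL, an exact IP address or host name, a net/mask pair, a dotted prefix such as 192.168.1., and a .domain suffix; the many other forms described in hosts_access(5) are not handled. The function names, the HOSTS_ALLOW and HOSTS_DENY variables, and the sample client addresses and host names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book or tcp_wrappers): evaluate a subset of
# /etc/hosts.allow and /etc/hosts.deny for one daemon and one client.
# Defaults to the real files; point the two variables at copies to test.
HOSTS_ALLOW=${HOSTS_ALLOW:-/etc/hosts.allow}
HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}

# Dotted-quad to integer, for the net/mask comparison (subshell body so
# the IFS change stays local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Does one client pattern match the client's IP address / host name?
client_matches() {
    pat=$1; c_ip=$2; c_host=$3
    case "$pat" in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}
             [ $(( $(ip2int "$c_ip") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        .*)  case "$c_host" in *"$pat") return 0 ;; esac; return 1 ;;
        *.)  case "$c_ip" in "$pat"*) return 0 ;; esac; return 1 ;;
        *)   [ "$pat" = "$c_ip" ] || [ "$pat" = "$c_host" ] ;;
    esac
}

# Does any "daemon_list : client_list" rule in FILE match daemon $2 for
# client $3 / host name $4? Comments and blank lines are skipped, and a
# third field (the optional shell command) is ignored.
file_matches() {
    [ -f "$1" ] || return 1
    sed -e 's/#.*//' "$1" | (
        while IFS=: read -r daemons clients _; do
            daemon_ok=1
            for dpat in $(echo "$daemons" | tr ',' ' '); do
                [ "$dpat" = ALL ] || [ "$dpat" = "$2" ] && daemon_ok=0
            done
            [ $daemon_ok -eq 0 ] || continue
            for cpat in $(echo "$clients" | tr ',' ' '); do
                client_matches "$cpat" "$3" "$4" && exit 0
            done
        done
        exit 1
    )
}

# Same order as the wrapper: hosts.allow grants, then hosts.deny refuses,
# then the default is to grant. Prints allow/deny; exit status 0 means the
# connection would be accepted. Host name defaults to the IP, so ".domain"
# patterns only match when a resolved name is supplied.
hosts_access() {
    ha_daemon=$1; ha_ip=$2; ha_host=${3:-$2}
    if file_matches "$HOSTS_ALLOW" "$ha_daemon" "$ha_ip" "$ha_host"; then echo allow; return 0; fi
    if file_matches "$HOSTS_DENY"  "$ha_daemon" "$ha_ip" "$ha_host"; then echo deny;  return 1; fi
    echo allow
}

# Constructed copies of the two files from the steps in the text.
make_sample_rules() {
    printf 'ALL: ALL\n' > "$1/hosts.deny"
    printf 'ALL: 192.168.1.0/255.255.255.0 127.0.0.1\nin.telnetd: .mycompany.com\n' > "$1/hosts.allow"
}

demo=$(mktemp -d); make_sample_rules "$demo"
HOSTS_ALLOW=$demo/hosts.allow; HOSTS_DENY=$demo/hosts.deny
for q in "in.ftpd 192.168.1.20" "in.ftpd 10.0.0.5" "in.telnetd 10.0.0.5 dev.mycompany.com"; do
    echo "$q -> $(hosts_access $q)"
done
rm -rf "$demo"
```

Two caveats a practitioner should keep in mind. First, these files only govern daemons that go through the wrapper library: everything xinetd starts does, but a standalone server honors them only if it was built with libwrap support. Second, the real answer for your installed files comes from the tcpdmatch program that ships with tcp_wrappers (for example, tcpdmatch in.telnetd 192.168.1.5), which also understands the pattern forms this example leaves out.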

You should edit configuration files in the /etc/xinetd.d directory to turn off unneeded services and use the /etc/hosts.deny and /etc/hosts.allow files to control access to the services that are allowed to run on your system. After you edit the files in the /etc/xinetd.d directory, remember to type service xinetd restart to restart the xinetd server.

Responses

  • maik
    How to enable disable xinetd services?
    7 years ago
