The xinetd.conf File

The /etc/xinetd.conf file (previously the inetd.conf file) controls many Unix network services, including File Transfer Protocol (FTP) and Telnet. It determines which services the system offers. The xinetd (like inetd) service is a super server: it listens for incoming connections on behalf of a range of services, determines which service is being requested, and launches the appropriate server program. The primary reason for this design is to avoid having to start and keep running a large number of low-volume servers. Additionally, because xinetd launches services on demand, only as many server processes run as are actually needed.

The /etc/xinetd.conf file includes the /etc/xinetd.d directory (via its includedir directive), and each xinetd service has its own configuration file there. If the service is commented out in that file, the service is unavailable. Because xinetd is so powerful, only root should be able to configure its services: the files in /etc/xinetd.d should be owned by root and not writable by anyone else.

The /etc/xinetd.d directory makes it simple to disable services that your system is not using. For example, you can disable the FTP and Telnet services by commenting out the FTP and Telnet entries in their respective files and restarting xinetd. A service that is commented out is not offered again after the restart. The next section demonstrates how to disable the Telnet, FTP, and rlogin services.

Telnet and FTP

Most administrators find it convenient to log in to their Unix machines over a network for administration purposes. This allows the administrator to work remotely while maintaining network services. However, in a high-security environment, only physical access may be permitted for administering a server. In this case, you should disable the Telnet interactive login utility. Once disabled, no one can access the machine via Telnet.

1. To disable Telnet, you must edit the /etc/xinetd.d/telnet file. Open that file, as shown in Figure 2.4, using vi or an editor of your choice.

2. Comment out the service telnet line by adding a number sign (#) before service telnet:

#service telnet

3. Write and quit the file.

Hardening the Operating System • Chapter 2 49

Figure 2.4 Disabling Telnet Using the /etc/xinetd.d/telnet File

4. Next, you must restart xinetd by entering: /etc/rc.d/init.d/xinetd restart

Stopping xinetd: [ OK ]

Starting xinetd: [ OK ]

5. Attempt to log on to the system using Telnet. You should fail.

6. Note that commenting out the service line in the corresponding file under /etc/xinetd.d can disable many other services in the same way.

7. Disable the FTP service using the same method (e.g., edit the /etc/xinetd.d/wu-ftpd file, comment out the service ftp line, and restart xinetd).

8. Attempt to access the system via FTP. You should be unable to log in to the server.

The Rlogin Service

The remote login (rlogin) service is enabled by default in the /etc/xinetd.d/rlogin file. Rlogin has security weaknesses: through .rhosts and hosts.equiv trust it can bypass the password prompt entirely when accessing a system remotely, and, like Telnet, it sends the session in cleartext. There are two services associated with rlogin: login and RSH (remote shell). To disable these services, open the /etc/xinetd.d/rlogin file and comment out the service login line. Then, open the /etc/xinetd.d/rsh file and comment out the service shell line. Restart xinetd to ensure that your system is no longer offering these services.
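The Telnet, FTP, and rlogin/rsh procedures above all come down to the same edit in a file under /etc/xinetd.d followed by an xinetd restart. The script below is an added example, not from the chapter: it uses the documented xinetd attribute disable = yes (the same change chkconfig makes for xinetd services) rather than commenting out the service line, and it reports a service as disabled whether the file carries disable = yes or has its service line commented out as the chapter does. The sample telnet file is constructed for illustration; the path names and function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original text): disable an xinetd service
# the documented way, by setting "disable = yes" in its /etc/xinetd.d file,
# and report the service's state. Function names are assumptions.

# Write a constructed file shaped like Red Hat's /etc/xinetd.d/telnet.
make_sample_xinetd_file() {
    cat > "$1" <<'EOF'
# default: on
# description: The telnet server serves telnet sessions.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
EOF
}

# Print "disabled" if the file carries "disable = yes" or if its
# "service <name>" line is commented out (the chapter's method);
# otherwise print "enabled".
xinetd_service_state() {
    file="$1"
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$file"; then
        echo disabled
    elif ! grep -Eq '^[[:space:]]*service[[:space:]]+[A-Za-z0-9_.-]+' "$file"; then
        echo disabled
    else
        echo enabled
    fi
}

# Disable the service in the given file: flip "disable = no" to
# "disable = yes", or insert the attribute right after the opening brace
# when the block has none. Writes through a temp file, so no sed -i.
xinetd_disable() {
    file="$1"
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=' "$file"; then
        sed -E 's/^([[:space:]]*disable[[:space:]]*=[[:space:]]*)no[[:space:]]*$/\1yes/' \
            "$file" > "$file.tmp"
    else
        awk '{ print } /^[{][[:space:]]*$/ { print "        disable         = yes" }' \
            "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# After editing a real file, restart xinetd so it re-reads /etc/xinetd.d
# (the chapter's step 4). Only attempted when that init script exists.
xinetd_restart() {
    if [ -x /etc/rc.d/init.d/xinetd ]; then
        /etc/rc.d/init.d/xinetd restart
    fi
}

# Stand-alone demonstration on a constructed copy, not on /etc/xinetd.d.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    demo=$(mktemp)
    make_sample_xinetd_file "$demo"
    echo "before: $(xinetd_service_state "$demo")"   # enabled
    xinetd_disable "$demo"
    echo "after:  $(xinetd_service_state "$demo")"   # disabled
    rm -f "$demo"
fi
```

To apply this to the chapter's real targets, run xinetd_disable on /etc/xinetd.d/telnet, /etc/xinetd.d/wu-ftpd, /etc/xinetd.d/rlogin, and /etc/xinetd.d/rsh as root, then call xinetd_restart and confirm with a Telnet or FTP attempt, as in steps 5 and 8, that the service no longer answers.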

