
The Inetd Daemon and Inetd Services

The document discusses various network services that can be run by inetd, xinetd, and tcpd daemons. These include low usage services like echo, time, and daytime. It also covers higher usage services like telnet for remote login, ftp for file transfer, rexec and rsh for remote execution, finger to retrieve user information, and talk for chatting. Configuration of inetd, xinetd, tcpd, and the services themselves is described through configuration files and examples.

Uploaded by

Sonata912
Copyright
© Attribution Non-Commercial (BY-NC)

The inetd Daemon and inetd Services

Objectives
After completing this unit, students should be able to:
- Describe and configure the inetd daemon
- Describe and configure the tcpd daemon
- Describe and configure the xinetd daemon
- Describe, configure and use the most common inetd services

The inetd "Super" Daemon


- A typical server offers a number of low-usage services
  - telnet
  - ftp
  - talk
  - finger
  - ...
- Don't want to waste resources running individual daemons all day
- Solution: inetd
  - Listens to a large number of ports
  - Starts server application when needed
- Do not use inetd for high-usage services
  - http
  - mail

/etc/inetd.conf
    #echo     stream  tcp  nowait  root        internal
    #echo     dgram   udp  wait    root        internal
    #discard  stream  tcp  nowait  root        internal
    #discard  dgram   udp  wait    root        internal
    #daytime  stream  tcp  nowait  root        internal
    #daytime  dgram   udp  wait    root        internal
    #chargen  stream  tcp  nowait  root        internal
    #chargen  dgram   udp  wait    root        internal
    #time     stream  tcp  nowait  root        internal
    #time     dgram   udp  wait    root        internal
    ftp       stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
    telnet    stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
    shell     stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
    login     stream  tcp  nowait  root        /usr/sbin/tcpd  in.rlogind
    exec      stream  tcp  nowait  root        /usr/sbin/tcpd  in.rexecd
    talk      dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
    ntalk     dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
    #pop-2    stream  tcp  nowait  root        /usr/sbin/tcpd  ipop2d
    pop-3     stream  tcp  nowait  root        /usr/sbin/tcpd  ipop3d
    #imap     stream  tcp  nowait  root        /usr/sbin/tcpd  imapd

The tcpd Wrapper Daemon


- Extra security feature for inetd services
- Transparent for user, inetd and daemon
  - inetd starts "/usr/sbin/tcpd in.ftpd -l -a"
  - tcpd tests connection origin and requested service against /etc/hosts.allow and /etc/hosts.deny
  - If allowed, tcpd starts "in.ftpd -l -a"
  - If denied, connection is broken
- Relies on reverse DNS lookup to work! (IP address to hostname)
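A configuration review that follows from this, as an added example that is not part of the original slides: it parses inetd.conf-style lines, skips disabled entries, and reports external services that inetd starts directly instead of through tcpd, plus the enabled Berkeley services. The sample file is constructed, and its unwrapped telnet line is an assumption made for the demonstration.

```python
# Constructed sample in the /etc/inetd.conf column layout; not a real host's file.
SAMPLE = """\
#echo    stream  tcp  nowait  root        internal
ftp      stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root        /usr/sbin/in.telnetd  in.telnetd
shell    stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
talk     dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
"""

# inetd service names of the Berkeley daemons (in.rshd, in.rlogind).
BERKELEY = {"shell": "rsh", "login": "rlogin"}

def parse_inetd(text):
    """Return the enabled (uncommented) entries as dicts."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                      # blank line or disabled service
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields")
        entries.append({"service": fields[0], "user": fields[4],
                        "server": fields[5], "args": fields[6:]})
    return entries

def audit(text):
    """List (service, finding) pairs a reviewer would want to look at."""
    findings = []
    for e in parse_inetd(text):
        external = e["server"] != "internal"
        if external and not e["server"].endswith("/tcpd"):
            findings.append((e["service"], "started directly, bypasses tcpd"))
        if e["service"] in BERKELEY:
            findings.append((e["service"],
                             f"{BERKELEY[e['service']]} relies on hosts.equiv/.rhosts"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```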

/etc/hosts.allow and /etc/hosts.deny


- Syntax for both files: Service: Hostlist
  - Service may also be specified as a list (service, service) or ALL
  - Hostlist may be specified using DNS domain names or IP addresses, or ALL
- Checking order:
  1. If /etc/hosts.allow allows the service, allow it
  2. If /etc/hosts.deny denies the service, deny it
  3. Otherwise, allow it
- Example:

    # cat /etc/hosts.allow
    in.telnetd: .ibm.com, 9.0.0.0/8
    # cat /etc/hosts.deny
    ALL: ALL

- Can execute commands upon match using spawn
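The checking order above, as an added example that is not part of the original slides: a small evaluator run over the two example files. The client addresses and hostnames are constructed, a failed reverse lookup is modelled as name=None, and only the "Service: Hostlist" part of a rule is interpreted (options such as spawn are ignored).

```python
import ipaddress

# Rule text copied from the example files above.
HOSTS_ALLOW = "in.telnetd: .ibm.com, 9.0.0.0/8\n"
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Return [(services, hosts)] from 'Service: Hostlist' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(":")
        if len(parts) < 2:
            continue                       # blank, comment or malformed line
        rules.append((parts[0].replace(",", " ").split(),
                      parts[1].replace(",", " ").split()))
    return rules

def host_matches(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # DNS domain suffix, e.g. .ibm.com
        return name is not None and name.lower().endswith(pattern.lower())
    try:                                   # network in address/prefix form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)
    except ValueError:                     # not a network: compare as hostname
        return name is not None and name.lower() == pattern.lower()

def rules_match(rules, daemon, ip, name):
    return any(("ALL" in services or daemon in services)
               and any(host_matches(h, ip, name) for h in hosts)
               for services, hosts in rules)

def tcpd_decision(daemon, ip, name, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Checking order from the slide: allow file, then deny file, else allow."""
    if rules_match(parse_rules(allow), daemon, ip, name):
        return "allow"
    if rules_match(parse_rules(deny), daemon, ip, name):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for client in [("192.0.2.10", "host.ibm.com"), ("192.0.2.10", None),
                   ("9.1.2.3", None)]:
        print(client, tcpd_decision("in.telnetd", *client))
```

With an empty hosts.deny the third step applies and every client is allowed, which is why the example pairs its allow rules with "ALL: ALL" in hosts.deny.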

The xinetd "Super" Daemon


- Successor of inetd
- Integrates tcpd functionality
- Configuration file syntax change
- Adds configuration directory: /etc/xinetd.d

/etc/xinetd.conf and /etc/xinetd.d/*


    # cat /etc/xinetd.conf
    defaults
    {
            instances       = 60
            log_type        = SYSLOG authpriv
            log_on_success  = HOST PID
            log_on_failure  = HOST RECORD
    }
    includedir /etc/xinetd.d

    # cat /etc/xinetd.d/telnet
    service telnet
    {
            disable         = no
            flags           = REUSE
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/sbin/in.telnetd
            log_on_failure  += USERID
    }

Overview of inetd Services


- Internal services (mostly used for testing)
  - echo: replies everything back to sender
  - discard: discards everything received
  - daytime: sends time as 32-bit value
  - chargen: generates data
  - time: displays time in human-readable format
- Common external services
  - telnet, login: remote login
  - ftp: file transfer
  - exec: remote execute
  - finger: retrieve information about a user
  - talk: chat with another user
  - rsync: remote synchronization

Remote Login, Execute and File Transfer


- ARPAnet commands:
  - Reasonably secure, not very powerful
  - Platform independent
- Berkeley commands:
  - Not very secure but powerful
  - Works only between UNIX machines

                      ARPANET    BERKELEY
    remote login      telnet     rlogin
    remote execute    rexec      rsh
    file transfer     ftp        rcp

telnet
- Login to another system
- Automatic configuration of certain environment variables
  - TERM
  - DISPLAY
- Example:

    client$ telnet sys7
    Trying 129.33.151.7...
    Connected to sys7.
    Escape character is '^]'.
    Welcome to sys7.
    login: tux1
    Password:
    sys7$ echo $DISPLAY
    client:0.0
    sys7$ ^]
    telnet> quit
    Connection closed.
    client$ _

ftp
- Transfer files to and from other systems
- If text file, can convert between CR/LF and LF
- Client can use $HOME/.netrc file to:
  - logon automatically
  - define macros
- ftpd daemon uses /etc/ftpusers file to determine access
- Example:

    client$ ftp sys7
    Connected to sys7.
    220 sys7 FTP server ready.
    Name (client:tux1): tux1
    Password:
    ftp> cd accounts
    ftp> put file1 file1
    ftp> get file2 file222
    ftp> quit
    221 Goodbye
    client$

Anonymous ftp
Allows users without passwords ftp access to a special "chroot-ed" ftp directory structure on the server

[Figure: directory tree of the server. The ftp directory holds its own bin (ls...), etc, lib (libc.so...) and pub subdirectories.]

rexec
- Allows remote execution of commands
- Client uses $HOME/.netrc file to automate login
- Disabled in most distributions
- Example:

    client$ rexec sys7 ls
    Name: (sys7:tux1): tux1
    Password (sys7:tux1)
    Desktop
    accounts
    client$

rlogin
- Login to another system
- Uses /etc/hosts.equiv and $HOME/.rhosts on server to automate login
- Considered insecure, vulnerable to IP spoofing and DNS attacks
- Example:

    client$ rlogin -l tux1 sys7
    Password:
    sys7$ ls
    Desktop
    accounts
    sys7$ exit
    client$

rcp
- Transfer files to and from other systems
- Requires /etc/hosts.equiv and/or $HOME/.rhosts on server to automate login
- Will never prompt for a password
- Syntax nearly equivalent to cp
  - Can expand wildcards
  - Can do recursive copy of directories
  - Can preserve modification times, permissions
  - Can do third-party copies
- Example:

    client$ rcp tux1@sys7:accounts/* accounts/
    client$

rsh
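- Allows remote execution of commands
- Requires /etc/hosts.equiv and/or $HOME/.rhosts on server to automate login
- Will never prompt for a password
- When executed without a command, does an rlogin
- Example:

    client$ rsh -l tux1 sys7 ls
    Desktop
    accounts
    client$

- Beware:

    # Unquoted: the local shell handles *.c and the redirection,
    # so allcfiles is created on client
    client$ rsh -l tux1 sys7 ls *.c > allcfiles
    # Quoted: the whole command line runs on sys7,
    # so allcfiles is created on sys7
    client$ rsh -l tux1 sys7 'ls *.c > allcfiles'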

rsync
- Allows remote synchronization of files
- Only transfers the differences -> speedup
- Can use its own daemon or use rsh or ssh as transport mechanism (still requires the rsync client on the server side though)
- Syntax comparable to rcp
- Can automatically enable compression (-z option)
- Examples:

Local sync:

    client$ rsync -a /home/tux1/www-test /home/tux1/www

Sync via rsh (default) or ssh:

    client$ rsync -avz /home/tux1/www-test/ www:/var/www/html/
    client$ rsync -avz -e ssh ~tux1/www-test/ www:/var/www/html/

Sync using rsync protocol (requires /etc/rsyncd.conf):

    client$ rsync -avz /home/tux1/www-test www::wwwdir/html

finger
- Used to retrieve information about users on a system, or about a specific user
- Example:

    client$ finger @sys7
    [sys7]
    Login   Name               Tty   Idle  Login Time   Office
    root    Root of all evil   *:0         Mar 9 09:25
    root    Root of all evil   /0          Mar 9 09:26
    tux1    Tux the Penguin    /1          Mar 9 10:23

    client$ finger root@sys7
    [sys7]
    Login: root                 Name: Root of all evil
    Directory: /root            Shell: /bin/bash
    On since Fri Mar 9 09:25 (CET) on :0 (messages off)
    On since Fri Mar 9 09:26 (CET) on pts/0 19 seconds idle
    Mail last read Sun Jun 4 15:23 2000 (CEST)
    Plan:
    World domination!

talk
- Used to chat with another user, possibly on another system
- Example:

    client$ talk tux1@sys7

    (User tux1 will receive the following message:)
    Message from TalkDaemon@client at 15:16...
    talk: connection requested by tux2@client.
    talk: respond with: talk tux2@client

    (To accept the invitation, tux1 enters:)
    sys7$ talk tux2@client

Unit Summary
- The inetd and xinetd daemons are used for low-usage services
  - Configuration files: /etc/inetd.conf or /etc/xinetd.conf
- The tcpd daemon provides an additional level of security for inetd
  - Configured in /etc/hosts.allow and /etc/hosts.deny
- Various services are run from inetd or xinetd:
  - Internal services like echo, discard, time, daytime
  - Remote login commands: telnet and rlogin
  - File transfer commands: ftp and rcp
  - Remote execution commands: rexec and rsh
  - Retrieve information about users: finger
  - Chatting to other users: talk
