Configuring Various Network Services Using Xinetd in Linux RHEL5

This document discusses configuring network services using xinetd on Linux. It provides steps to install and configure xinetd, including enabling a TFTP server as an example service. The steps cover installing required packages, editing configuration files, enabling services to start at boot, and verifying configurations. Firewall rules are also added using iptables to allow access to the TFTP server.

Uploaded by

PSG
Configuring Various Network Services using xinetd in Linux (RHEL5/6)



As a system administrator, you will most likely need to provide your users with network and Internet
services. These services may include FTP, HTTP, or Telnet.
Although some software packages like Apache provide a single service (HTTP), there is also a master service
called xinetd that can run multiple services at the same time.
It is also a widely used service in the real world, particularly when it comes to automating the installation of
Red Hat. There are really only a few things that you need to know to be able to use the xinetd service. This
package doesn't always come installed by default, so first let's install it.

Task 1: Installation and Configuration of Xinetd


Step 1. Install the xinetd package:
# yum install -y xinetd

Step 2. Verify that the package is installed correctly:


# rpm -qa | grep xinetd
xinetd-2.3.14-29.el6.x86_64
With the service installed, you can shift your focus to the config files. The xinetd service has a master config
file (/etc/xinetd.conf), which inherits all the settings of the services that it controls.

Aside from this master config file, a single directory (/etc/xinetd.d) contains individual config files for each
service you would like xinetd to run.
As an example, let's set up a TFTP server, which can be used to back up config files for Cisco switches or to
deliver data to clients during a PXE boot process (also known as a network installation).

Step 3. Install the required package:


# yum install -y tftp-server

Step 4. Verify that the package is installed correctly:


# rpm -qa | grep tftp
tftp-server-0.49-5.1.el6.x86_64
Now that the package is installed, you can go into the /etc/xinetd.d directory and see the config file for the
new service. By default, the TFTP service is disabled. Let's look at the config file, which is small and simple
to understand.

# cat /etc/xinetd.d/tftp
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s /tftpboot
        disable         = yes
        per_source      = 11
        cps             = 100 2
        flags           = IPv4
}
Here, you can see the basics, such as which protocol it uses, whether the service is disabled, and what
arguments are passed to the service during startup. For this example, all the defaults work fine. You may be
wondering why I suggest leaving the service disabled in the file if you want to use it. For services controlled
by xinetd, the disable option in the config file is updated for you when you enable the service to start at boot.

Step 5. Enable the TFTP server to start when the system boots:
# chkconfig tftp on

Step 6. Verify that the service will start during boot:


# chkconfig tftp --list
tftp            on
Looking back in the config file now, notice that the service has been automatically enabled to start. You can
verify this by checking the file:

# cat /etc/xinetd.d/tftp | grep disable


disable = no

Step 7. At this point, you should also enable the xinetd service itself
to start on system boot:
# chkconfig xinetd on

Step 8. Verify that the service will start during boot:


# chkconfig xinetd --list
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
There is also one other thing you can verify. You can get a list of all services enabled during boot by using the
chkconfig command. The difference here, though, is that the xinetd service lists not only its boot levels,
but also those of all the services that it controls.

Step 9. Use chkconfig to view all the xinetd services:


# chkconfig --list
xinetd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd based services:
chargen-dgram: off
chargen-stream: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
discard-stream: off
echo-dgram: off
echo-stream: off
tcpmux-server: off
tftp: on
time-dgram: off
time-stream: off
You can see here that the xinetd service is set to start on boot and that the TFTP service is the only service it
will start.

Step 10. To get the service up and running without a system reboot,
just adjust any config file options you'd like and restart the xinetd
service:
# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]

Step 11. Verify that the xinetd service is now running on the system
and listening on UDP port 69 for connections:

# netstat -a | grep tftp


udp 0 0 *:tftp *:*
The xinetd service understands services from /etc/services and ports from /etc/rpc. These two files define all
services and ports that the system can use to offer different network services to clients using the xinetd
master service.
The xinetd service is fairly simple to configure, but you should make sure that you define
the config file for the services that you want to use within the /etc/xinetd.d directory and restart the service
before use.
For simple troubleshooting of any xinetd service, you can check the /var/log/messages file, which is where
the /etc/xinetd.conf config file sends all log output.
Although the default configuration options are usually fine, you can also edit the information sent to the log
file by editing the main config file.

The following options are available for logging:


Attempt
Duration
Exit
Pid
Host
Userid
You also have the following host access options:
only_from
no_access
access_times
They can be defined within the main config file for security restrictions. Usually, it is better to let the firewall
and TCP Wrappers take care of restricting certain clients, but you should know that the options are available.
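
The following is an added example, not part of the original document: a small audit that reads each file in an xinetd.d-style directory and flags enabled services that have no only_from restriction. The function names audit_xinetd and make_samples, the trimmed sample files and the 192.0.2.0/24 documentation range are assumptions made for illustration. It checks per-service files only (not defaults inherited from /etc/xinetd.conf) and expects the "name = value" spacing shown in the tftp file above.

```shell
#!/bin/sh
# audit_xinetd DIR: print "<file> <service> <state> <finding>" for each file.
# A service with no "disable = yes" line is treated as enabled.
audit_xinetd() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            $1 == "service"   { name = $2 }
            $1 == "disable"   { disabled = ($3 == "yes") }
            $1 == "only_from" { restricted = 1 }
            $1 == "user"      { user = $3 }
            END {
                if (name == "") exit
                if (disabled)         print file, name, "disabled", "ok"
                else if (!restricted) print file, name, "enabled", "WARN:no-only_from user=" user
                else                  print file, name, "enabled", "ok user=" user
            }' "$f"
    done
}

# Constructed sample input (trimmed): the tftp file as it looks after
# "chkconfig tftp on", and a variant limited with only_from plus failure logging.
make_samples() {
    mkdir -p "$1"
    cat > "$1/tftp" <<'EOF'
service tftp
{
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
    disable     = no
}
EOF
    cat > "$1/tftp-restricted" <<'EOF'
service tftp
{
    user           = root
    server         = /usr/sbin/in.tftpd
    server_args    = -s /tftpboot
    disable        = no
    only_from      = 192.0.2.0/24
    log_on_failure += HOST ATTEMPT
}
EOF
}

d=$(mktemp -d) && make_samples "$d" && audit_xinetd "$d"
rm -rf "$d"
```

On a real system, point it at the live directory with audit_xinetd /etc/xinetd.d and review every WARN line against the firewall rules for that port.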

Task 2: Securing Xinetd Services using iptables


Although the xinetd service can actually handle multiple services, you need to ensure that you have created
the appropriate firewall rule for each server you intend to use. Because you have configured a TFTP server
for this example, you need to ensure that you create a rule to allow the TFTP server to be used.

Step 1. Use iptables to create the required firewall rule:


# iptables -I INPUT 5 -p udp -m udp --dport 69 -j ACCEPT

Step 2. Save the firewall rule you just created:


# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

Step 3. Then restart the iptables service:


# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
