inetd and xinetd

An introduction to xinetd and inetd

inetd the Super Server


inetd is a daemon that runs on many Linux systems. Its purpose is to listen for connections on particular ports. inetd was created to handle multiple services from a single process, which eliminates the need to run a separate daemon for each of them. When a connection arrives, inetd identifies which service is required and then determines which program needs to be called to satisfy the request.



The main configuration file for inetd is located at "/etc/inetd.conf". Below is an extract from an inetd.conf file. The basic layout of the file is as follows:



service name  socket type  protocol  wait/nowait  user  server program  arguments

## service  socket  protocol  wait/  user    server    server program
##  name     type             nowait         program     arguments

ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd         rshd

Service Name


The "service name" identifies which port inetd should listen on. This can be either a port number or the name of a service listed in the "/etc/services" file.


Socket Type


Communication socket types are stream for TCP, dgram for UDP and raw for a raw socket.


Protocol


The following protocols may be used:

tcp and tcp4 = TCP (IPv4)
udp and udp4 = UDP (IPv4)
tcp6 = TCP (IPv6)
udp6 = UDP (IPv6)


wait/nowait - Connection Options


The "wait" or "nowait" field tells inetd how it should handle an incoming connection. "wait" is used by datagram sockets (UDP): if "wait" is specified, inetd will execute only one server for the specified port at any time.
The "nowait" option specifies that inetd should start a new server process for each incoming connection. Stream sockets should always use the "nowait" option.


User


The name of the user account that the server program is started as.


Server Program


This is the path to the server program that inetd should start. Services implemented within inetd itself are marked as internal.


Server Program Arguments


This field holds the arguments passed to the server. It is empty for internal services.
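The fields described above can be checked mechanically. The following is an added example, not code from the page: it parses the inetd.conf layout into one record per service line and then runs a few checks a reviewer would want over the result (servers started as root, the classic cleartext services, and stream sockets not using "nowait"). The sample configuration is constructed for the example; its first three service lines copy the extract shown above, and the "echo" line is added to show how an internal service is parsed.

```python
# Added example, not code from the page: a parser for the inetd.conf
# layout described above, followed by a few checks a reviewer would run
# over the result. The configuration text is constructed for the example;
# the three real-looking lines copy the extract shown on the page.

SAMPLE_INETD_CONF = """\
## service  socket  protocol  wait/  user    server    server program
##  name     type             nowait         program     arguments

ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd         rshd
echo    stream  tcp     nowait  root    internal
"""

# Protocol column -> (transport, IP version), as listed in the text.
PROTOCOLS = {
    "tcp": ("TCP", 4), "tcp4": ("TCP", 4), "tcp6": ("TCP", 6),
    "udp": ("UDP", 4), "udp4": ("UDP", 4), "udp6": ("UDP", 6),
}

# The six fixed columns; anything after them is the argument list.
FIELDS = ("service", "socket_type", "protocol", "wait", "user", "server")

# Classic inetd services that carry credentials and sessions in cleartext.
CLEARTEXT_SERVICES = {"ftp", "telnet", "shell", "login", "exec"}


def parse_inetd_conf(text):
    """Parse inetd.conf text into one dict per active service line.

    Comment (#) and blank lines are skipped. A server of 'internal' means
    the service is implemented by inetd itself and takes no arguments.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))          # zip stops after the six columns
        entry["args"] = parts[len(FIELDS):]       # everything after the server path
        if entry["protocol"] not in PROTOCOLS:
            raise ValueError(f"line {lineno}: unknown protocol {entry['protocol']!r}")
        entry["transport"], entry["ip_version"] = PROTOCOLS[entry["protocol"]]
        entry["internal"] = entry["server"] == "internal"
        entries.append(entry)
    return entries


def audit_inetd(entries):
    """Return (service, finding) tuples for entries worth reviewing."""
    findings = []
    for e in entries:
        if e["user"] == "root" and not e["internal"]:
            findings.append((e["service"], "external server started as root"))
        if e["service"] in CLEARTEXT_SERVICES:
            findings.append((e["service"], "cleartext legacy protocol enabled"))
        if e["socket_type"] == "stream" and e["wait"] != "nowait":
            findings.append((e["service"], "stream socket should use nowait"))
    return findings


if __name__ == "__main__":
    parsed = parse_inetd_conf(SAMPLE_INETD_CONF)
    for e in parsed:
        print(f"{e['service']:8} {e['transport']}/IPv{e['ip_version']} "
              f"user={e['user']} server={e['server']} args={' '.join(e['args'])}")
    for service, finding in audit_inetd(parsed):
        print(f"review: {service}: {finding}")
```

To run it against a real file, replace SAMPLE_INETD_CONF with the contents of /etc/inetd.conf; the parser raises on a line with too few columns or an unknown protocol rather than silently skipping it, which is what you want when the file is the thing being audited.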


xinetd


Most modern Linux systems use the newer "Extended Internet Daemon", xinetd. xinetd provides the functionality that inetd used to, and adds logging and enhanced resource management. The xinetd configuration file is "/etc/xinetd.conf"; however, most services are configured as individual files within the "/etc/xinetd.d" directory. Older inetd.conf files can be converted to xinetd format using a utility called "itox". Below is an example of a "/etc/xinetd.conf" file:



#
# xinetd.conf
#
# Copyright (c) 1998-2001 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002 SuSE Linux AG, Nuernberg, Germany.
#

defaults
{
        log_type        = FILE /var/log/xinetd.log
        log_on_success  = HOST EXIT DURATION
        log_on_failure  = HOST ATTEMPT
#        only_from       = localhost
        instances       = 30
        cps             = 50 10

#
# The specification of an interface is interesting, if we are on a firewall.
# For example, if you only want to provide services from an internal
# network interface, you may specify your internal interfaces IP-Address.
#
#       interface       = 127.0.0.1

}

includedir /etc/xinetd.d


Fields found within the xinetd.d service files


id
Service Name

flags
Any combination of the following flags may be used:

INTERCEPT
Intercept packets or accepted connections in order to verify that they are coming from acceptable locations.

NORETRY
Avoid retry attempts in case of service failure.

IDONLY
Accept connections only when the remote end identifies the remote user.

NODELAY
If the service is a tcp service and the NODELAY flag is set, then the TCP_NODELAY flag will be set on the socket. If the service is not a tcp service, this option has no effect.

KEEPALIVE
Sets the keepalive flag on the TCP socket.

SENSOR
This replaces the service with a sensor that detects accesses to the specified port. SENSOR does not detect stealth scans. Only use this option if you do not require the service. Any access attempts are logged.

IPV4
Use IPV4 only.

IPV6
Use IPV6 only.

disable
When set to "yes", the service is disabled and xinetd will not start it.

socket_type
stream
stream-based service

dgram
datagram-based service

raw
service that requires direct access to IP

seqpacket
service that requires reliable sequential datagram transmission

wait
This attribute determines whether the service is single-threaded or multi-threaded, and whether xinetd or the server program accepts the connection. If its value is "yes", the service is single-threaded: xinetd starts the server and then stops handling requests for the service until the server exits, and the server software accepts the connection. If the value is "no", the service is multi-threaded: xinetd keeps handling new service requests and xinetd itself accepts the connection.

user
Determines the uid for the process.

group
Determines the group the service runs as.

instances
Determines the number of instances that can run. The default is no limit.

nice
Server Priority Value (nice value).

server
The full path of the service to be executed.

server_args
Arguments passed to the server.

only_from
Allows you to restrict access by IP address, network or hostname.

no_access
Blocks access by IP address, network or hostname.

access_times
Determines when the service is available, specified in the format HH:MM.

log_type
SYSLOG or FILE.

log_on_success
Determines what is logged on a successful connection; any combination of PID, HOST, USERID, EXIT, DURATION or TRAFFIC.

log_on_failure
Determines what is logged on a failed connection attempt; any combination of HOST, USERID or ATTEMPT.

port
Determines the service port. If this is specified for a service listed in the "/etc/services" file, then it must be the same as the port number listed in that file.

bind
Allows a service to be bound to a specific interface on the machine.

per_source
This specifies the maximum instances of this service per source IP address.

cps
Limits the rate of incoming connections (connections per second).

max_load
Stop accepting connections after the one minute load average reaches this threshold.

includedir
Takes a directory name in the form of "includedir /etc/xinetd.d".


/etc/services


The file "/etc/services" is used to associate port numbers and protocols to service names.

For example, if a TCP request comes in on port 901, the file "/etc/services" shows an entry for Samba's Web Administration Tool:



swat               901/tcp

The corresponding entry can be found under the "/etc/xinetd.d" directory:



sles01:/etc/xinetd.d # ls -l swat*
-rw-r--r-- 1 root root 277 Feb  4  2012 swat

The contents of this entry are as follows:



sles01:/etc/xinetd.d # cat swat
# SWAT is the Samba Web Administration Tool.
service swat
{
        socket_type     =  stream
        protocol        =  tcp
        wait            =  no
        user            =  root
        server          =  /usr/sbin/swat
        only_from       =  127.0.0.1
        log_on_failure  += USERID
        disable         =  no
}
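The attribute list above and the swat file just shown use the same block syntax, and the swat file's "log_on_failure += USERID" line only makes sense once you resolve it against the defaults block. The following is an added example, not code from the page or from xinetd itself: it parses that block syntax, resolves the "=", "+=" and "-=" operators against the defaults, looks the service name up in /etc/services the way the text describes for port 901, and reports enabled services that run as root or carry no only_from or no_access restriction. The swat block copies the page; the defaults block, the telnet block and the /etc/services lines are constructed for the example.

```python
# Added example, not code from the page or from xinetd: a parser for the
# "service name { attribute = value }" block syntax of /etc/xinetd.conf and
# the files under /etc/xinetd.d, a lookup against /etc/services, and the
# checks a reviewer would run on the result. The swat block copies the page;
# the defaults, the telnet block and the /etc/services lines are constructed.
import re

SAMPLE_SERVICES = "telnet    23/tcp\nswat      901/tcp\n"

SAMPLE_XINETD = """\
defaults
{
        log_on_failure  = HOST ATTEMPT
        instances       = 30
}
# SWAT is the Samba Web Administration Tool.
service swat
{
        socket_type     =  stream
        protocol        =  tcp
        wait            =  no
        user            =  root
        server          =  /usr/sbin/swat
        only_from       =  127.0.0.1
        log_on_failure  += USERID
        disable         =  no
}
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/telnetd
        disable         = no
}
"""

BLOCK_RE = re.compile(r"^(defaults|service\s+(\S+))$")
ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def parse_services_file(text):
    """Map 'name/proto' -> port from /etc/services-style lines (comments at '#')."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, portproto = line.split()[:2]
            port, proto = portproto.split("/")
            table[f"{name}/{proto}"] = int(port)
    return table

def parse_xinetd(text):
    """Return {'defaults': {attr: ops}, 'services': {name: {attr: ops}}}, where ops
    is the list of (operator, tokens) seen for the attribute, in file order."""
    config, block = {"defaults": {}, "services": {}}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and indentation
        if not line or line == "{":
            continue
        m = BLOCK_RE.match(line)
        if m:
            block = config["defaults"] if m.group(2) is None else config["services"].setdefault(m.group(2), {})
        elif line == "}":
            block = None
        elif block is None:
            raise ValueError(f"line {lineno}: attribute outside a block")
        else:
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: cannot parse {raw!r}")
            name, op, value = m.groups()
            block.setdefault(name, []).append((op, value.split()))
    return config

def _apply(base, ops):
    """'=' replaces the value list, '+=' adds tokens, '-=' removes them."""
    value = list(base)
    for op, tokens in ops:
        if op == "=":
            value = list(tokens)
        elif op == "+=":
            value += [t for t in tokens if t not in value]
        else:
            value = [t for t in value if t not in tokens]
    return value

def effective(config, service, attr):
    """Resolve attr for a service: the defaults block first, then the service's own operators."""
    base = _apply([], config["defaults"].get(attr, []))
    return _apply(base, config["services"][service].get(attr, []))

def audit_xinetd(config, services_table):
    """Return (service, finding) tuples for enabled services worth reviewing."""
    findings = []
    for name in config["services"]:
        if effective(config, name, "disable") == ["yes"]:
            continue                                 # not reachable, skip
        proto = (effective(config, name, "protocol") or ["tcp"])[0]
        if f"{name}/{proto}" not in services_table and not effective(config, name, "port"):
            findings.append((name, "port unknown: not in /etc/services and no port attribute"))
        if not effective(config, name, "only_from") and not effective(config, name, "no_access"):
            findings.append((name, "enabled with no only_from or no_access restriction"))
        if effective(config, name, "user") == ["root"]:
            findings.append((name, "server runs as root"))
    return findings
```

On a real system, feed parse_xinetd the concatenation of /etc/xinetd.conf and every file in the includedir, and parse_services_file the contents of /etc/services; effective(config, "swat", "log_on_failure") then yields HOST, ATTEMPT and USERID, which is what xinetd logs for swat once the "+=" in the service file is applied to the defaults.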