inetd and xinetd

An introduction to xinetd and inetd

inetd the Super Server

inetd is a daemon that runs on many Linux systems. Its purpose is to listen for connections on particular ports. inetd was created to handle multiple services; this approach eliminates the need for multiple daemons. inetd identifies which service is required and then determines which program needs to be called to satisfy the request.

The main configuration file for inetd is located at "/etc/inetd.conf". Below is an extract from an inetd.conf file. The basic layout of the file is as follows:

service name  socket type  protocol  wait/nowait  user  server program  arguments

## service  socket  protocol  wait/  user    server    server program
##  name     type             nowait         program     arguments

ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
shell   stream  tcp6    nowait  root    /usr/sbin/rshd         rshd

Service Name

The "service name" identifies which port inetd should listen on. This can be either a port number or the name of a service listed in the "/etc/services" file.

Socket Type

Communication socket types are stream for TCP, dgram for UDP and raw for a raw socket.


Protocol

The following protocols may be used:

tcp and tcp4 = TCP (IPV4)
udp and udp4 = UDP (IPV4)
tcp6 = TCP (IPV6)
udp6 = UDP (IPV6)

wait/nowait - Connection Options

The "wait" or "nowait" field defines how inetd should handle an incoming connection. "wait" is used by datagram sockets (UDP). If "wait" is specified, inetd will only execute one server for the specified port at any time.
The "nowait" option specifies that inetd should start a new server process for each incoming connection. Stream sockets should always use the "nowait" option.


User

Here you specify the name of the user that the service should be started as.

Server Program

This is the path to the service that inetd should start. Internal services are marked as internal.

Server Program Arguments

This field is for arguments passed to the server. This field is empty for internal services.
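
The field layout described above can be checked mechanically. The following Python is an added example, not part of the original page: it splits each inetd.conf line into the seven fields and reports stream services that do not use "nowait" and external servers started as root. The sample entries are constructed, and the names parse_inetd and audit are illustrative.

```python
from typing import NamedTuple

# Constructed sample modelled on the extract above; "time" and "demo" are
# invented entries that exercise the checks.
SAMPLE = """\
## service  socket  protocol  wait/  user    server    server program
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
time    dgram   udp     wait    root    internal
demo    stream  tcp     wait    nobody  /usr/local/sbin/demod  demod
"""

class Entry(NamedTuple):
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    server: str
    args: list

def parse_inetd(text):
    """Return one Entry per non-comment line; raise on lines that are too short."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields")
        entries.append(Entry(*fields[:6], fields[6:]))
    return entries

def audit(entries):
    """Return (service, finding) pairs that deserve a manual review."""
    findings = []
    for e in entries:
        mode = e.wait.split(".")[0]  # tolerate a ".max" suffix some inetd versions accept
        if e.socket_type == "stream" and mode != "nowait":
            findings.append((e.service, "stream socket without nowait"))
        if e.user == "root" and e.server != "internal":
            findings.append((e.service, "external server started as root"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(parse_inetd(SAMPLE)):
        print(f"{service}: {finding}")
```
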


Most modern Linux systems now use the newer "Extended Internet Daemon", xinetd. xinetd carries out the functions that inetd used to, but also offers logging and enhanced resource management. The xinetd configuration file is "/etc/xinetd.conf"; however, most services are configured as individual files within the "/etc/xinetd.d" directory. Older inetd.conf files can be converted to xinetd.conf format using a utility called "itox". Below is an example of an "/etc/xinetd.conf" file:

# xinetd.conf
# Copyright (c) 1998-2001 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002 SuSE Linux AG, Nuernberg, Germany.

defaults
{
        log_type        = FILE /var/log/xinetd.log
        log_on_success  = HOST EXIT DURATION
        log_on_failure  = HOST ATTEMPT
#        only_from       = localhost
        instances       = 30
        cps             = 50 10

# The specification of an interface is interesting, if we are on a firewall.
# For example, if you only want to provide services from an internal
# network interface, you may specify your internal interfaces IP-Address.
#       interface       =
}


includedir /etc/xinetd.d

Fields found within the xinetd.d service files

Service Name

flags

Any combination of the following flags may be used:

INTERCEPT = Intercept packets or accepted connections in order to verify that they are coming from acceptable locations.
NORETRY = Avoid retry attempts in case of service failure.
IDONLY = Accept connections only when the remote end identifies the remote user.
NODELAY = If the service is a tcp service and the NODELAY flag is set, then the TCP_NODELAY flag will be set on the socket. If the service is not a tcp service, this option has no effect.
KEEPALIVE = Sets the keepalive flag on the TCP socket.
SENSOR = This replaces the service with a sensor that detects accesses to the specified port. SENSOR does not detect stealth scans. Only use this option if you do not require the service. Any access attempts are logged.
IPv4 = Use IPV4 only.
IPv6 = Use IPV6 only.

disable

If set to "yes", the service is disabled and will not start.

socket_type

stream = stream-based service
dgram = datagram-based service
raw = service that requires direct access to IP
seqpacket = service that requires reliable sequential datagram transmission

wait

This attribute determines whether the service is single-threaded or multi-threaded, and whether xinetd or the server program accepts the connection. If its value is "yes", the service is single-threaded: xinetd starts the server and then stops handling requests for the service until the server dies, and the server software accepts the connection. If its value is "no", the service is multi-threaded: xinetd keeps handling new service requests and xinetd accepts the connection.

user

Determines the uid for the process.

group

Determines the group the service runs as.

instances

Determines the number of instances that can run. The default is no limit.

nice

Server priority value (nice value).

server

The full path of the service to be executed.

server_args

Arguments passed to the server.

only_from

Allows you to restrict access by IP address, network or hostname.

no_access

Blocks access by IP address, network or hostname.

access_times

Determines when the service is available. Specified in the format of HH:MM


log_on_success

Determines what variables are logged; these can be any of PID, HOST, USERID, EXIT, DURATION or TRAFFIC.

log_on_failure

Determines what variables are logged; these can be HOST, USERID or ATTEMPT.

port

Determines the service port. If this is specified for a service listed in the "/etc/services" file, then it must be the same as the port number listed in that file.

bind (synonym: interface)

Allows a service to be bound to a specific interface on the machine.

per_source

This specifies the maximum instances of this service per source IP address.

cps

Limits the rate of incoming connections (connections per second).

max_load

Stop accepting connections after the one minute load average reaches this threshold.

includedir

Takes a directory name in the form of "includedir /etc/xinetd.d".


The file "/etc/services" is used to associate port numbers and protocols to service names.

For example, if a TCP request comes in on port 901, the file "/etc/services" shows an entry for Samba's Web Administration tool:

swat               901/tcp

The corresponding entry can be found under the "/etc/xinetd.d" directory:

sles01:/etc/xinetd.d # ls -l swat*
-rw-r--r-- 1 root root 277 Feb  4  2012 swat

The contents of this entry are as follows:

sles01:/etc/xinetd.d # cat swat
# SWAT is the Samba Web Administration Tool.
service swat
{
        socket_type     =  stream
        protocol        =  tcp
        wait            =  no
        user            =  root
        server          =  /usr/sbin/swat
        only_from       =
        log_on_failure  += USERID
        disable         =  no
}
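
How the defaults in "/etc/xinetd.conf" combine with a service file such as swat, as an added example that is not part of the original page: the Python below parses xinetd's block syntax and computes the effective attributes of one service. It assumes that "=" in a service entry replaces the inherited value, "+=" adds to it and "-=" removes from it; parse_blocks and effective are illustrative names, and the sample is abridged from the two listings on this page.

```python
import re

# Sample abridged from the xinetd.conf defaults and the swat entry shown on
# this page, written in xinetd's "name { attribute = value }" block syntax.
SAMPLE = """\
defaults
{
        log_on_success  = HOST EXIT DURATION
        log_on_failure  = HOST ATTEMPT
        instances       = 30
        cps             = 50 10
}
service swat
{
        user            =  root
        server          =  /usr/sbin/swat
        only_from       =
        log_on_failure  += USERID
        disable         =  no
}
"""

ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def parse_blocks(text):
    """Return {block name: [(attribute, operator, [values]), ...]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "{":
            continue
        if line == "}":
            current = None
        elif current is None:  # "defaults" or "service <name>" opens a block
            current = blocks.setdefault(line.split()[-1], [])
        elif (m := ATTR.match(line)):
            current.append((m[1], m[2], m[3].split()))
    return blocks

def effective(blocks, service):
    """Apply the service entry's =, += and -= on top of the defaults (assumed rule)."""
    eff = {name: list(vals) for name, _, vals in blocks.get("defaults", [])}
    for name, op, vals in blocks[service]:
        base = [] if op == "=" else eff.get(name, [])
        keep = [v for v in base if v not in vals]  # drop values named in this line
        eff[name] = keep if op == "-=" else keep + vals
    return eff

if __name__ == "__main__":
    print(effective(parse_blocks(SAMPLE), "swat"))
```

For swat this shows the inherited instances and cps limits alongside the service's own settings, with USERID appended to the default failure logging and only_from present but empty.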