Contributed by Chern Lee.
inetd(8) is referred
to as the ``Internet Super-Server'' because it manages connections for several daemons.
Programs that provide network service are commonly known as daemons. inetd serves as a managing server for other daemons. When a
connection is received by inetd, it determines which daemon
the connection is destined for, spawns the particular daemon and delegates the socket to
it. Running one instance of inetd reduces the overall system
load as compared to running each daemon individually in stand-alone mode.
Primarily, inetd is used to spawn other daemons, but
several trivial protocols are handled directly, such as chargen, auth, and daytime.
This section will cover the basics in configuring inetd
through its command-line options and its configuration file, /etc/inetd.conf.
inetd is initialized through the /etc/rc.conf system. The inetd_enable
option is set to NO by default, but is often turned on
by sysinstall with the medium security profile. Placing:
inetd_enable="YES"
or
inetd_enable="NO"
into /etc/rc.conf enables or disables inetd starting at boot time.
Additionally, command-line options can be passed to inetd via the inetd_flags option.
inetd synopsis:
inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address |
hostname] [-p filename] [-R rate] [configuration file]
- -d: Turn on debugging.
- -l: Turn on logging of successful connections.
- -w: Turn on TCP Wrapping for external services (on by default through inetd_flags).
- -W: Turn on TCP Wrapping for internal services which are built into inetd (on by default through inetd_flags).
- -c maximum: Specify the default maximum number of simultaneous invocations of each service; the default is unlimited. May be overridden on a per-service basis with the max-child parameter.
- -C rate: Specify the default maximum number of times a service can be invoked from a single IP address in one minute; the default is unlimited. May be overridden on a per-service basis with the max-connections-per-ip-per-minute parameter.
- -R rate: Specify the maximum number of times a service can be invoked in one minute; the default is 256. A rate of 0 allows an unlimited number of invocations. Note that this limit counts connections from all sources together: when it is exceeded, inetd logs the service as looping and stops serving it for ten minutes, so a single client can trip it and lock everyone else out.
- -a address | hostname: Specify one specific IP address to bind to. Alternatively, a hostname can be specified, in which case the IPv4 or IPv6 address which corresponds to that hostname is used. Usually a hostname is specified when inetd is run inside a jail(8), in which case the hostname corresponds to the jail(8) environment.
  When hostname specification is used and both IPv4 and IPv6 bindings are desired, one entry with the appropriate protocol type for each binding is required for each service in /etc/inetd.conf. For example, a TCP-based service would need two entries, one using tcp4 for the protocol and the other using tcp6.
- -p filename: Specify an alternate file in which to store the process ID.
These options can be passed to inetd using the inetd_flags option in /etc/rc.conf. By
default, inetd_flags is set to -wW,
which turns on TCP wrapping for inetd's internal and external
services. For novice users, these parameters usually do not need to be modified or even
entered in /etc/rc.conf.
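As an added example (not from the Handbook or the FreeBSD project), the following hypothetical /etc/rc.conf fragment enables inetd, keeps TCP wrapping on, binds inetd to a jail hostname and sets default per-IP and per-service limits, together with the paired tcp4 and tcp6 entries that a hostname binding requires for one service. The hostname, the rates and the ftpd limits are assumed values, not defaults.

```conf
# /etc/rc.conf (hypothetical values)
inetd_enable="YES"
# -wW: TCP wrapping for internal and external services (the default flags)
# -a jail1.example.org: bind only to the address(es) of this hostname
# -C 60: at most 60 connections per source IP per minute, per service
# -c 20: at most 20 simultaneous children per service
inetd_flags="-wW -a jail1.example.org -C 60 -c 20"

# /etc/inetd.conf: with -a <hostname>, one entry per address family is
# needed to listen on both IPv4 and IPv6. Per-service limits override
# the -c/-C defaults above (10 children, 20 connections per IP per minute).
ftp     stream  tcp4    nowait/10/20    root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait/10/20    root    /usr/libexec/ftpd       ftpd -l
```

After editing either file, inetd must be restarted (for rc.conf changes) or sent a HangUP signal (for inetd.conf changes) before the new settings take effect.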
Note: An external service is a daemon outside of inetd, which is invoked when a connection is received for it. On
the other hand, an internal service is one that inetd has the
facility of offering within itself.
Configuration of inetd is controlled through the /etc/inetd.conf file.
When a modification is made to /etc/inetd.conf, inetd can be forced to re-read its configuration file by sending
a HangUP signal to the inetd process as shown:
Example 19-4. Sending inetd a HangUP Signal
# kill -HUP `cat /var/run/inetd.pid`
Each line of the configuration file specifies an individual daemon. Comments in the
file are preceded by a ``#''. The format of /etc/inetd.conf is
as follows:
service-name
socket-type
protocol
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
user[:group][/login-class]
server-program
server-program-arguments
An example entry for the ftpd daemon using IPv4:
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
- service-name: This is the service name of the particular daemon. It must correspond to a service listed in /etc/services. This determines which port inetd must listen to. If a new service is being created, it must be placed in /etc/services first.
- socket-type: Either stream, dgram, raw, or seqpacket. stream must be used for connection-based, TCP daemons, while dgram is used for daemons utilizing the UDP transport protocol.
- protocol: A protocol name from /etc/protocols, in practice tcp or udp. The address family can be restricted by suffix: tcp4 and udp4 create an IPv4-only socket, tcp6 and udp6 an IPv6-only socket, and tcp46 and udp46 request a single socket that accepts both IPv4 and IPv6 connections. Which of these is appropriate depends on whether inetd is bound to a specific address with -a, as described above.
- {wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]: wait|nowait indicates whether the daemon invoked by inetd takes over the listening socket or not. dgram socket types must use the wait option, while stream socket daemons, which are usually multi-threaded (one child per connection), should use nowait. wait hands the socket to a single daemon that then serves further requests itself, while nowait spawns a child daemon for each new connection.
  The maximum number of child daemons inetd may spawn can be set using the max-child option. If a limit of ten instances of a particular daemon is needed, a /10 would be placed after nowait.
  In addition to max-child, max-connections-per-ip-per-minute limits how often a single source address may connect to a particular daemon. A value of ten here would limit any particular IP address connecting to a particular service to ten attempts per minute. This is useful to prevent intentional or unintentional resource consumption and Denial of Service (DoS) attacks against a machine; since the limit is tracked per source address, it does little against an attacker spreading connections across many addresses, which is where max-child still applies.
  In this field, wait or nowait is mandatory. max-child and max-connections-per-ip-per-minute are optional.
  A stream-type multi-threaded daemon without any max-child or max-connections-per-ip-per-minute limits would simply be: nowait. The same daemon with a maximum limit of ten child daemons would read: nowait/10. Additionally, the same setup with a limit of twenty connections per IP address per minute and a maximum total limit of ten child daemons would read: nowait/10/20.
  These options are all utilized by the default settings of the fingerd daemon, as seen here:
  finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
- user[:group][/login-class]: This is the username that the particular daemon should run as. Most commonly, daemons run as the root user. For security purposes, it is common to find some servers running as the daemon user, or the least privileged nobody user.
- server-program: The full path of the daemon to be executed when a connection is received. If the daemon is a service provided by inetd internally, then internal should be used.
- server-program-arguments: This works in conjunction with server-program by specifying the arguments, starting with argv[0], passed to the daemon on invocation. If mydaemon -d is the command line, mydaemon -d would be the value of server-program-arguments. Again, if the daemon is an internal service, use internal here.
Depending on the security profile chosen at install, many of inetd's daemons may be enabled by default. If there is no
apparent need for a particular daemon, disable it! Place a ``#'' in front of the daemon
in question, and send a hangup signal
to inetd. Some daemons, such as fingerd, may not be
desired at all because they provide an attacker with too much information.
Some daemons are not security-conscious and have long, or non-existent timeouts for
connection attempts. This allows an attacker to slowly send connections to a particular
daemon, thus saturating available resources. It may be a good idea to place max-connections-per-ip-per-minute and max-child limitations on certain daemons.
By default, TCP wrapping is turned on. Consult the hosts_access(5) manual
page for more information on placing TCP restrictions on various inetd invoked daemons.
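The field layout above and the hardening advice that follows it (disable what is not needed, watch for root-owned daemons, add max-child and per-IP limits) can be checked mechanically. The script below is an added example, not part of the Handbook or of FreeBSD: it parses an inetd.conf given as text, reports enabled services, external daemons running as root, and nowait stream daemons with no limits, and shows how to comment a service out before sending inetd a HangUP. The embedded configuration is a constructed sample; the myapp entry and its path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the FreeBSD Handbook): audit an inetd.conf for
# entries a security review would flag, and comment one out.
# Run against the live file with:  audit_conf "$(cat /etc/inetd.conf)"

# Constructed sample configuration; the "myapp" entry is hypothetical.
SAMPLE_CONF=$(cat <<'EOF'
# constructed sample inetd.conf, not a real one
ftp      stream  tcp   nowait       root    /usr/libexec/ftpd      ftpd -l
#telnet  stream  tcp   nowait       root    /usr/libexec/telnetd   telnetd
finger   stream  tcp   nowait/3/10  nobody  /usr/libexec/fingerd   fingerd -s
daytime  stream  tcp   nowait       root    internal
tftp     dgram   udp   wait         root    /usr/libexec/tftpd     tftpd -l -s /tftpboot
myapp    stream  tcp   nowait       root    /usr/local/sbin/myappd myappd
EOF
)

# Fields of an active (non-comment) line: $1 service-name, $2 socket-type,
# $3 protocol, $4 wait|nowait[/max-child[/max-connections-per-ip-per-minute]],
# $5 user[:group][/login-class], $6 server-program, $7... arguments.
active_lines() {
    printf '%s\n' "$1" | awk '!/^[ \t]*#/ && NF >= 6'
}

# Names of enabled services, in file order.
enabled_services() {
    active_lines "$1" | awk '{ print $1 }'
}

# Enabled external daemons (server-program is not "internal") running as root.
root_external_services() {
    active_lines "$1" | awk '{
        split($5, u, /[:\/]/)            # drop :group and /login-class
        if (u[1] == "root" && $6 != "internal") print $1
    }'
}

# Enabled nowait stream daemons with neither max-child nor a per-IP rate.
unlimited_services() {
    active_lines "$1" | awk '$2 == "stream" && $4 == "nowait" && $6 != "internal" { print $1 }'
}

# Return the configuration with the named service commented out. The caller
# writes the result back to /etc/inetd.conf and then runs reload_inetd.
disable_service() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        !/^[ \t]*#/ && $1 == svc { print "#" $0; next }
        { print }'
}

# Make inetd re-read /etc/inetd.conf (Example 19-4). Not invoked here.
reload_inetd() {
    kill -HUP "$(cat /var/run/inetd.pid)"
}

# Print a one-screen report for a configuration given as text.
audit_conf() {
    echo "enabled:         $(enabled_services "$1" | tr '\n' ' ')"
    echo "root, external:  $(root_external_services "$1" | tr '\n' ' ')"
    echo "no limits:       $(unlimited_services "$1" | tr '\n' ' ')"
}

audit_conf "$SAMPLE_CONF"
echo "--- after disabling tftp ---"
audit_conf "$(disable_service "$SAMPLE_CONF" tftp)"
```

On the sample, the report lists ftp, tftp and myapp as root-owned external daemons and ftp and myapp as nowait services with no limits; fingerd passes because of its nowait/3/10 field, and daytime is internal so it is not flagged. The script only inspects text: to change a live system, write the output of disable_service back to /etc/inetd.conf and call reload_inetd as root.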
daytime, time, echo, discard, chargen, and auth are all internally
provided services of inetd.
The auth service provides identity (ident, identd) network services, and
is configurable to a certain degree.
Consult the inetd(8) manual page
for more in-depth information.
© 2002-2004 Active-Venture.com Website Hosting Service
Disclaimer: This documentation is provided only for the benefit of our website hosting customers. For the authoritative source of the documentation, please refer to http://www.freebsd.org