The LINUX.COM Article Archive
Originally Published: Thursday, 6 January 2000
Author: Eric Warmenhoven
Published to: learn_articles_firststep/General
A Guide to the Inet Daemon
Overview

inetd, the Internet "super-server", listens on the network on behalf of many small services (telnet and ftp among them) and starts the matching server program only when a connection actually arrives. Together with the TCP Wrappers program tcpd, which it is normally configured to run in front of each server, it gives you very fine control over who can connect to your computer and which services they may use. inetd is important and has many uses, but because every service it starts is reachable from the network it is also a frequent entry point for intruders, and it needs to be administered carefully.
Installation

Inet is controlled by the inet daemon, inetd, which is installed by default on most Linux systems and is probably already on yours. To see whether it is running, issue `ps ax | grep inetd`; the grep process itself will appear in the output, so look for a line naming /usr/sbin/inetd rather than the grep. If it is not on your system, install the netkit package that provides it for your distribution (at the time of writing, the netkit-base RPM on Red Hat and the netbase package on Debian). The rinetd Debian package, despite its name, is an unrelated TCP port redirector, not inetd.
Configuration

inetd reads its configuration from one file, by default /etc/inetd.conf, which lists every service inetd should offer and how each is to be run. Deciding who may use a service is not done by inetd itself but by tcpd (TCP Wrappers), which inetd is normally told to run in front of each server: tcpd consults /etc/hosts.allow and /etc/hosts.deny before handing the connection to the real server. Many other programs linked against the wrapper library also honour these two files.
/etc/inetd.conf has a simple, specific format. Lines beginning with a pound sign (#) are comments and are ignored; every other non-blank line defines a service that inetd will listen for. The default file that ships with your distribution already contains entries for most common services, many of them commented out. The format is as follows:
service_name sock_type proto flags user server_path args

"service_name" selects the port by name, looked up in /etc/services (ftp is port 21 and telnet port 23, for example), so you can change the port a service uses by editing that file.

"sock_type" tells inetd what kind of socket to create: 'stream' for TCP connections and 'dgram' for UDP datagrams.

"proto" names the transport protocol, 'tcp' or 'udp'. A service can be offered over both by giving it one line for each.

"flags" is 'wait' or 'nowait' and tells inetd whether the server takes over the listening socket. Stream services are normally 'nowait': inetd starts a new server process for each connection and keeps listening. Datagram services are normally 'wait': the server inherits the socket and handles all datagrams itself, and inetd does not listen on that port again until the server exits; 'nowait' is used only for datagram servers that read a single packet and exit. On most inetd implementations, including the netkit inetd shipped with Linux distributions, this field may also carry a rate limit written as 'nowait.N', which stops inetd spawning more than N servers per minute (the default is typically 40). That limit is a crude but useful brake on a flood of connections exhausting the machine, so raise it deliberately, not casually.

"user" names the account the server runs as, and it is your main lever for limiting the damage from a hole in a service: a cracker who exploits the server gets only that user's privileges. Login services such as ftp and telnet have to start as root, because they must authenticate the caller and switch to the caller's account; a service that does not need root should run as 'nobody' or another unprivileged account. Note that root is not needed merely to serve a low-numbered port, since inetd has already bound the port before the server starts.

"server_path" is the full path to the program inetd runs when a connection arrives. In most cases this is tcpd, usually found in /sbin or /usr/sbin, rather than the server itself.

"args" is the argument vector passed to that program, beginning with the program name (argv[0]). When the path is tcpd, the first argument is the name of the real server; tcpd uses it to locate the server (in its compiled-in daemon directory unless an absolute path is given) and as the daemon name to match against hosts.allow and hosts.deny, and after checking access it executes the server with the remaining arguments. For example, a few lines from my inetd.conf are:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#pop-2  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#imap   stream  tcp     nowait  root    /usr/sbin/tcpd  imapd

This tells inetd to listen on the ftp, telnet and pop-3 ports (21, 23 and 110) and, when a TCP connection arrives on one of them, to run /usr/sbin/tcpd as root; tcpd then checks the wrapper files and starts in.ftpd, in.telnetd or ipop3d. The pop-2 and imap lines are commented out, so inetd never listens on ports 109 and 143 and the kernel refuses connections to them outright. Services that are absent from the file are not offered at all, so you need not write a line merely to refuse one; but every uncommented line is a listening, reachable service, so the safe habit is to keep only the lines for services you deliberately offer and comment out everything else.
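As an added example (not code from the original article), the following shell script audits an inetd.conf the way a reviewer would: it lists every active, uncommented service with the user it runs as and whether inetd hands it to tcpd, then flags the two things worth worrying about, servers started as root and servers started without tcpd (which never consult hosts.allow or hosts.deny). The sample file, the function names and the temporary-file path are all mine and constructed for the demo; on a real host, point the functions at /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an inetd.conf,
# listing every active (uncommented) service with its user and whether inetd
# runs it through tcpd. The sample file is constructed for this demo; on a
# real host pass /etc/inetd.conf to the functions instead.

# Constructed sample inetd.conf, modelled on the article's excerpt plus two
# lines added for contrast: an unwrapped finger server and an internal service.
SAMPLE_INETD_CONF='# constructed sample, not a real host
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#pop-2  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#imap   stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    dgram   udp     wait    root    internal'

# sample_conf_path: write the sample to a temporary file and print its path.
sample_conf_path() {
    f="${TMPDIR:-/tmp}/inetd.conf.demo.$$"
    printf '%s\n' "$SAMPLE_INETD_CONF" > "$f"
    printf '%s\n' "$f"
}

# audit_inetd_conf FILE
# One line per active service: "<service> <user> <wrapped|UNWRAPPED|internal>".
# Comment and blank lines are skipped, exactly as inetd skips them.
audit_inetd_conf() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }            # comment, blank or malformed
        {
            svc = $1; user = $5; server = $6
            if (server == "internal")            how = "internal"
            else if (server ~ /(^|\/)tcpd$/)     how = "wrapped"
            else                                 how = "UNWRAPPED"
            print svc, user, how
        }' "$1"
}

# count_root_services FILE: number of active services inetd starts as root.
count_root_services() {
    audit_inetd_conf "$1" | awk '$2 == "root"' | wc -l | tr -d ' '
}

# unwrapped_services FILE: external servers started without tcpd, which
# therefore bypass hosts.allow and hosts.deny entirely.
unwrapped_services() {
    audit_inetd_conf "$1" | awk '$3 == "UNWRAPPED" { print $1 }'
}

conf=$(sample_conf_path)
echo "Active services (service user how-started):"
audit_inetd_conf "$conf"
echo "Running as root: $(count_root_services "$conf")"
echo "Bypassing tcpd:  $(unwrapped_services "$conf" | tr '\n' ' ')"
rm -f "$conf"
```

On the sample, five services are active, four of them as root, and finger is the one that bypasses tcpd; on a real file, every UNWRAPPED line is a server your hosts.allow and hosts.deny rules do not protect.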
Whether to accept a connection based on where it comes from is decided by tcpd, which inetd runs in front of each server as shown above; inetd itself performs no such check, so a server started without tcpd is reachable by everyone. tcpd reads /etc/hosts.allow and /etc/hosts.deny, whose entries pair a daemon with a list of clients, so that a host can be admitted to some services and refused others. The search order matters: tcpd first searches hosts.allow and, on a match, allows the connection; otherwise it searches hosts.deny and, on a match, denies it; if neither file matches, the connection is allowed.
/etc/hosts.allow and /etc/hosts.deny share one format: the name of the server (as it appears in the inetd.conf args, e.g. in.ftpd), a colon, and then the list of clients that are allowed or denied that server. Several wildcards are available: ALL, LOCAL (host names without a dot), KNOWN, UNKNOWN and PARANOID. KNOWN and UNKNOWN refer to the client's host name and address: KNOWN matches when both could be determined, UNKNOWN when either could not, and PARANOID matches a client whose host name does not map back to its address. The keyword EXCEPT carves exceptions out of a list. Multiple clients are separated by spaces or commas, and a name beginning with a dot matches every host in that domain. For example, the following line in hosts.allow grants ftp access to everyone except hosts in the evilhacker.com domain:

in.ftpd: ALL EXCEPT .evilhacker.com

Be careful, though: this line on its own refuses nobody. A client from evilhacker.com simply fails to match hosts.allow, and with an empty hosts.deny the search then falls through to the default, which is to allow. EXCEPT in hosts.allow only has teeth when hosts.deny contains a catch-all such as ALL: ALL, as described under Tips below. There are many more ways of fine-tuning these files; for more information, see the hosts_access(5) and hosts_options(5) man pages.
Usage

Once inetd.conf is set, the only thing left is to (re)start inetd. If it is already running, `killall -HUP inetd` (as root) makes it re-read the file. If it is not running, start it with `/etc/rc.d/init.d/inet start` on Red Hat-based systems or `/etc/init.d/inetd start` on Debian-based systems. Either way, confirm the result rather than assuming it: inetd reports configuration errors through syslog, so check the log after the HUP, and list the listening sockets with netstat (as root, netstat -lnp shows which process owns each port) to verify that exactly the services you intended, and no others, are open. After that, inetd needs only the usual administration of making sure the services it offers are not being abused.
Tips

For increased security, consider using Secure Shell in addition to, or preferably instead of, telnet. telnet sends everything, including the login password, across the network in clear text where anyone on the path can read it; Secure Shell encrypts the whole session. Secure Shell normally runs as its own daemon rather than from inetd, and so is outside the scope of this article.
tcpd defaults to a "mostly open" policy: anyone not explicitly matched is allowed in. To switch to a "mostly closed" policy, put the single line "ALL: ALL" in /etc/hosts.deny; everyone not listed in /etc/hosts.allow is then refused. Use this with care. The line also governs every other wrapper-aware program on the machine, not just the services inetd starts, and people who should have access can easily lock themselves out. Before switching, make sure hosts.allow names every client you want to admit, and keep a console session open while you test.
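The allow-then-deny-then-default search order described in the Configuration section, and the difference it makes whether hosts.deny holds the "ALL: ALL" catch-all, are easiest to see by running rules through a small simulator. The script below is an added example, not part of the original article or of TCP Wrappers: it implements only the subset of the hosts_access syntax used on this page ("daemon_list : client_list", ALL, exact names, leading-dot domain suffixes and EXCEPT), and the rule sets and host names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article: simulate the TCP Wrappers
# decision order (hosts.allow first, then hosts.deny, then allow by default)
# for the subset of hosts_access syntax the article uses. Rules and client
# names below are constructed for the demo.

ALLOW_OPEN='in.ftpd: ALL EXCEPT .evilhacker.com'   # the article's example
DENY_EMPTY=''                                     # default "mostly open"
DENY_CLOSED='ALL: ALL'                            # the "mostly closed" scheme

# wrap_match DAEMON CLIENT  (rules on stdin): exit 0 if any rule matches.
wrap_match() {
    awk -v d="$1" -v c="$2" '
        function tokmatch(tok, name,    n) {
            if (tok == "ALL") return 1
            if (substr(tok, 1, 1) == ".") {          # .domain suffix wildcard
                n = length(tok)
                return (length(name) > n && substr(name, length(name) - n + 1) == tok)
            }
            return tok == name
        }
        # A list matches when some token before EXCEPT matches and no token
        # after EXCEPT does.
        function listmatch(list, name,    p, i, n, inexc, inc, exc) {
            n = split(list, p, /[ \t,]+/)
            inc = 0; exc = 0; inexc = 0
            for (i = 1; i <= n; i++) {
                if (p[i] == "") continue
                if (p[i] == "EXCEPT") { inexc = 1; continue }
                if (tokmatch(p[i], name)) { if (inexc) exc = 1; else inc = 1 }
            }
            return inc && !exc
        }
        BEGIN { found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            sub(/#.*/, "")
            if (split($0, f, ":") < 2) next
            if (listmatch(f[1], d) && listmatch(f[2], c)) { found = 1; exit }
        }
        END { exit !found }'
}

# wrap_decide ALLOW_RULES DENY_RULES DAEMON CLIENT: prints allow or deny.
wrap_decide() {
    if printf '%s\n' "$1" | wrap_match "$3" "$4"; then echo allow; return 0; fi
    if printf '%s\n' "$2" | wrap_match "$3" "$4"; then echo deny;  return 0; fi
    echo allow    # neither file matched: the wrapper default is to allow
}

echo "open scheme,   ftp from www.evilhacker.com:  $(wrap_decide "$ALLOW_OPEN" "$DENY_EMPTY"  in.ftpd    www.evilhacker.com)"
echo "closed scheme, ftp from www.evilhacker.com:  $(wrap_decide "$ALLOW_OPEN" "$DENY_CLOSED" in.ftpd    www.evilhacker.com)"
echo "closed scheme, ftp from mail.example.net:    $(wrap_decide "$ALLOW_OPEN" "$DENY_CLOSED" in.ftpd    mail.example.net)"
echo "closed scheme, telnet from mail.example.net: $(wrap_decide "$ALLOW_OPEN" "$DENY_CLOSED" in.telnetd mail.example.net)"
```

The first line of output is the trap: with the article's EXCEPT rule in hosts.allow and an empty hosts.deny, evilhacker.com still gets in, because failing to match hosts.allow only moves the search on to hosts.deny. Adding "ALL: ALL" there turns the same hosts.allow into a real policy, and it also shows the cost: in.telnetd, which has no hosts.allow entry, is now refused to everyone. On a real host, tcpdmatch (shipped with TCP Wrappers, e.g. tcpdmatch in.ftpd www.evilhacker.com) answers the same question against the actual files, and tcpdchk reports syntax errors in them.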
For added security, consider IDENT (RFC 1413) lookups. When a client pattern in hosts.allow or hosts.deny takes the form user@host, tcpd asks the ident service on the client machine which user owns the connection and records the answer in its log. This helps trace abuse back to an account on a well-run multi-user host, and it can expose a spoofed source address, since the query goes to the genuine owner of that address, which knows nothing of the connection. It is not 100% reliable, however: the answer comes from the remote machine, so it is only as trustworthy as that machine, and every lookup adds a delay to the connection (a client that silently drops ident queries stalls the service until the lookup times out). It is worth having and using, but it should never be the sole means of security.
inetd fronts many services, and security holes are found in them regularly. Watch for updates to every server you have enabled and apply them promptly. Keep good logs of connections: tcpd logs every connection it accepts or refuses through syslog, and those entries are an excellent way of detecting that someone has attacked your computer. Prevention is better still, which is why the fewer services you leave uncommented in inetd.conf, the less there is to attack.
By Eric Warmenhoven