Overview
Inet is the service which controls who can connect to your computer and which
services they can use. It allows you to set up your telnet and ftp servers (as
well as others), and gives you very fine control over who can use which of these
services. Inet is a very important service with many uses. Unfortunately, it is
often the cause of security violations, and needs to be carefully administered.
Installation
Inet is controlled by the inet daemon, or inetd. Inetd is installed by default
on most Linux systems, and is probably on yours. To see if it's currently
running, you can issue the command `ps ax | grep inetd`, which will search the
running processes for 'inetd'. If you don't have it on your system, you can
install it from the net-kit RPM or from the rinetd Debian package.
Configuration
Inetd reads its configuration from one file, which defaults to /etc/inetd.conf.
This file lists every service that inetd should run and how each should be run.
Which hosts may use which services is decided by reading the files
/etc/hosts.allow and /etc/hosts.deny. Many other programs also use these two
files for access control.
/etc/inetd.conf has a very specific format which is very intuitive, yet very
powerful. All lines beginning with a pound sign (#) are comments and are
ignored, while all other lines are taken as part of the configuration. Most
services, even if they are commented out, should already be configured for
you in the default file. The format is as follows:
service_name sock_type proto flags user server_path args
"service_name" controls which port is used by referencing /etc/services. You
can choose which port is used by certain services this way. (Common ports are
21 for ftp and 23 for telnet.) "sock_type" tells the inetd how to handle
communications between computers. Usually, 'stream' is used for TCP connections
and 'dgram' is used for UDP connections. "proto" specifies which protocol to
use, either 'tcp' or 'udp'; you can have certain services use both TCP and UDP
this way. "flags" should be set to 'nowait' for non-datagram (stream)
connections; for datagram ('dgram') connections, it should be 'nowait' if the
server can handle multiple simultaneous connections and 'wait' otherwise.
"user" specifies which user to run the server as, for security purposes. If a
security hole is found in a certain service, a malicious cracker will only have
the privileges of the user specified. For most services this must be 'root';
for some services, however, it can be set to 'nobody' or 'guest', and in those
cases it should be. "server_path" is the full path name to the server that should
be run when a connection is received. In most cases, this is the full path to
tcpd, which is usually in /sbin or /usr/sbin. "args" are the arguments that are
passed to the server specified in "server_path"; this way, tcpd knows what kind
of connection has been received and how to handle it (usually by passing it off
to a separate program). For example, a few lines from my inetd.conf are:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
This specifies that /usr/sbin/tcpd should be called when inetd receives a
connection on the ftp, telnet, or pop-3 ports (21, 23, and 110 respectively),
and should use a TCP connection running as the user "root". However, pop-2
and imap connections will be refused because they are commented out. (You
do not need to comment out every service that you wish to refuse; you must only
make sure *not* to comment out services which you do not wish to refuse.)
Inetd can also decide whether to allow a connection based on where the
connection is coming from. It does this by reading /etc/hosts.allow and
/etc/hosts.deny. These files are formatted as daemon/client pairs, so that
administrators can refuse users access to certain services but not to others.
Inetd searches hosts.allow for a match, and if there is one, allows the
connection; it then searches hosts.deny for a match, and if there is one, denies
the connection; otherwise it defaults to allowing the connection.
/etc/hosts.allow and /etc/hosts.deny take the same format: the name of the
server, followed by a colon, then the list of hosts that are either allowed or
denied access to that server. Some wildcards are allowed: ALL, LOCAL, KNOWN,
UNKNOWN, and PARANOID. KNOWN and UNKNOWN refer to the host name and address; if
both are known, KNOWN matches, and if either is unknown, UNKNOWN matches. You
can also use the keyword EXCEPT to exclude certain hosts. To list multiple hosts
for a service, separate them with a comma and a space. You can also wildcard
domains. For example, in hosts.allow, the following will allow all users ftp
access unless they come from the evilhacker.com domain:
in.ftpd: ALL EXCEPT .evilhacker.com
There are many, many more ways of fine-tuning these files; for more information,
see their man pages.
Usage
Once inetd.conf is set, the only thing left to do is to (re)start inetd. If
inetd is already running, you can simply issue the command `killall -HUP
inetd` (as root). If inetd is not running, you can use either the command
`/etc/rc.d/init.d/inet start` for RedHat-based systems or `/etc/rc.d/inetd
start` for Debian-based systems. After this, inetd only needs the usual
administration of making sure the services it has to offer are not being
abused.
Tips
For increased security, consider using Secure Shell in addition to or instead
of telnet. Secure Shell adds extra levels of security by not sending any
information that is not encrypted. Secure Shell is not controlled by Inet,
however, and so is not in the scope of this article.
Inetd defaults to a "mostly open" access scheme, where unless specified, anyone
connecting is allowed. To use a "mostly closed" access scheme, inside
/etc/hosts.deny, put the line "ALL: ALL". This will make it so that anyone who
is not specified in /etc/hosts.allow will be automatically denied. Take care
with this option, as some people who should be allowed access may be denied.
Make sure if you use this option that your hosts.allow file lists everyone you
want to allow.
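The matching order described in the Configuration section and the "mostly closed" policy above, worked through in Python as an added example (not part of the original article); the rule files and the client host names and addresses are constructed, and the PARANOID wildcard and daemon@host forms are not modelled.

```python
"""tcpd-style hosts.allow / hosts.deny evaluation (example added to this article; the
rule text and client data are constructed; PARANOID and daemon@host are not modelled)."""
from typing import Callable, List, Optional, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon tokens, client tokens)

def parse_access_file(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines; '#' comments and blanks are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            rules.append((daemons.replace(",", " ").split(),
                          clients.replace(",", " ").split()))
    return rules

def list_matches(tokens: List[str], match: Callable[[str], bool]) -> bool:
    """'A EXCEPT B' matches when A matches and B does not (B may itself use EXCEPT)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], match) and not list_matches(tokens[i + 1:], match)
    return any(match(t) for t in tokens)

def client_matches(pattern: str, host: Optional[str], addr: str) -> bool:
    """host is None when the reverse lookup failed, which is what UNKNOWN means."""
    if pattern in ("ALL", "KNOWN", "UNKNOWN"):
        return pattern == "ALL" or (host is None) == (pattern == "UNKNOWN")
    if pattern == "LOCAL":          # a host name without a dot in it
        return host is not None and "." not in host
    if pattern.startswith("."):     # domain suffix, e.g. .evilhacker.com
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):       # network prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern == addr or pattern == host

def decide(daemon: str, host: Optional[str], addr: str,
           allow: List[Rule], deny: List[Rule]) -> str:
    """hosts.allow is searched first, then hosts.deny; the default is to allow."""
    def hit(rule: Rule) -> bool:
        daemons, clients = rule
        return (list_matches(daemons, lambda p: p in ("ALL", daemon)) and
                list_matches(clients, lambda p: client_matches(p, host, addr)))
    if any(hit(r) for r in allow):
        return "allow"
    return "deny" if any(hit(r) for r in deny) else "allow"

# Constructed "mostly closed" policy: anything not listed in hosts.allow is denied.
ALLOW = parse_access_file("in.ftpd: ALL EXCEPT .evilhacker.com\n"
                          "in.telnetd: LOCAL, 192.168.1.\n")
DENY = parse_access_file("ALL: ALL\n")
```

Passing an empty list as the deny rules reproduces the default "mostly open" behaviour, where anything not matched in hosts.allow is still admitted.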
For added security, use IDENT. This will try to identify connecting users to
make sure they are not "spoofing" their IP address (using a false IP). It is
not 100% reliable, and should not be used as the sole means of security. It does
help to have and use it, however.
Inetd controls many services. Often, people find security holes with these
services. It is very important that you watch for program updates and always
stay on top of security. Keeping strict logs of connections is an excellent way
of detecting if someone has attacked your computer; however, it would be far
better to prevent these attacks before they happen.