Xinetd (extended Internet daemon) is a secure replacement for inetd (the Internet services daemon). It is a program that monitors incoming packets to determine whether the remote host is authorized to have access. inetd launches the programs required for Internet connectivity at system initialization; these programs lie dormant until a connection is made. Once a request arrives, inetd launches the required program or server (FTP, Telnet, SSH, etc.) to answer it. Xinetd, by contrast, is a program that listens on all the ports for Internet services such as Telnet, FTP and POP3. When it recognizes a packet arriving on a particular port, xinetd launches the appropriate program or server to handle the connection.
Xinetd provides access control for all services based on the address of the remote host and/or on the time of access, and can prevent denial-of-access attacks. Xinetd provides extensive logging, has no limit on the number of server arguments, and lets you bind specific services to specific IP addresses on your host machine. Each service has its own configuration file for xinetd; the files are located in the /etc/xinetd.d directory.
Advantages of xinetd :
1. It conserves system resources by avoiding forking many processes that would be dormant (inactive) for most of their lifetime.
2. Xinetd is not limited to the services listed in /etc/services; anybody can use xinetd to start a special-purpose service.
Some xinetd features that enable a more secure way of managing Internet services:
1. TCP Wrapper ACLs - TCP wrapper ACLs (Access Control Lists) monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK and other network services.
2. Access Control – This feature enables xinetd to restrict or allow connections based on the address of the remote host, time of access, duration of connection, name of the remote host, and domain of the remote host. Xinetd can also limit the rate of incoming connections from a particular host using TCP Wrappers.
3. Controls Denial of Service Attacks - Apart from limiting the number of simultaneous connections from the same host, xinetd enforces limits on the log files it creates to prevent them from filling up disk space.
4. Superior logging abilities – Using xinetd, one can enable logging for each service separately. The daemon can log the start and stop times of a connection to help determine how long a service was used and who the remote user was, and can log information on failed connection attempts.
Note: We are assuming that the xinetd package is installed on the Linux box.
The configuration files for xinetd are as follows:
· /etc/xinetd.conf — The global xinetd configuration file.
· /etc/xinetd.d/ — The directory containing all service-specific files.
The /etc/xinetd.conf file contains general configuration settings which affect every service under xinetd's control. It is read once when the xinetd service is started, so for configuration changes to take effect, the administrator must restart the xinetd service.
Below is a sample /etc/xinetd.conf file:
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.d
These lines control the following aspects of xinetd:
· instances — Sets the maximum number of requests xinetd can handle at once.
· log_type — Configures xinetd to use the authpriv log facility, which writes log entries to the /var/log/secure file. Adding a directive such as FILE /var/log/xinetdlog would create a custom log file called xinetdlog in the /var/log/ directory.
· log_on_success — Configures xinetd to log if the connection is successful. By default, the remote host's IP address and the process ID of server processing the request are recorded.
· log_on_failure — Configures xinetd to log if there is a connection failure or if the connection is not allowed.
· cps — Configures xinetd to allow no more than 25 connections per second to any given service. If this limit is reached, the service is retired for 30 seconds.
· includedir /etc/xinetd.d/ — Includes options declared in the service-specific configuration files located in the /etc/xinetd.d/ directory.
Configuring Telnet Service Using Xinetd :
A sample file for telnet is located at /etc/xinetd.d/telnet:
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
no_access = 10.0.1.0/24
log_on_success += PID HOST EXIT
access_times = 09:45-16:15
}
· service — Defines the service name, usually one listed in the /etc/services file.
· flags — Sets any of a number of attributes for the connection. REUSE instructs xinetd to reuse the socket for a Telnet connection.
· socket_type — Sets the network socket type to stream.
· wait — Defines whether the service is single-threaded (yes) or multi-threaded (no).
· user — Defines what user ID the process runs under.
· server — Defines the binary executable to be launched.
· log_on_failure — Defines logging parameters for log_on_failure in addition to those already defined in xinetd.conf.
· disable — Defines whether the service is active.
· only_from — Allows only the specified hosts to use the service.
· no_access — Blocks listed hosts from using the service.
· access_times — Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM.
The only_from and no_access options can use a list of IP addresses or host names, or can specify an entire network. Like TCP wrappers, combining xinetd access control with the enhanced logging configuration can increase security by blocking requests from banned hosts while verbosely recording each connection attempt. For example, the /etc/xinetd.d/telnet file shown above can be used to block Telnet access from a particular network group and restrict the overall time range in which even allowed users can log in.
In this example, when a client system from the 10.0.1.0/24 network, such as 10.0.1.2, tries to access the Telnet service, it receives the following message:
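To make the defaults and service stanzas above concrete, here is an added example (not code from the original post and not xinetd's own implementation) that parses both stanzas, resolves the += operator against the defaults the way xinetd does, and then evaluates the address and time checks for a given client. The configuration text is the page's own sample embedded as a constant; address lists are limited to plain IPv4 addresses and CIDR networks, since host and domain names cannot be resolved offline. The tie-break for an address matching both only_from and no_access (the more specific entry wins) follows xinetd.conf(5).

```python
"""Parse xinetd-style stanzas and reproduce xinetd's access decision.
Added example, not xinetd's code. Covers defaults/service stanzas,
'=', '+=' and '-=', disable, only_from, no_access and access_times."""
import ipaddress
import re

# Constructed sample: the defaults and telnet stanzas shown on the page.
SAMPLE_CONF = """
defaults
{
    instances      = 60
    log_type       = SYSLOG authpriv
    log_on_success = HOST PID
    log_on_failure = HOST
    cps            = 25 30
}
includedir /etc/xinetd.d

service telnet
{
    disable        = no
    flags          = REUSE
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/in.telnetd
    log_on_failure += USERID
    no_access      = 10.0.1.0/24
    log_on_success += PID HOST EXIT
    access_times   = 09:45-16:15
}
"""

STANZA_RE = re.compile(r"(defaults|service\s+\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_conf(text):
    """Return {'defaults': {attr: (op, values)}, '<service>': {...}}."""
    stanzas = {}
    for header, body in STANZA_RE.findall(text):
        name = "defaults" if header == "defaults" else header.split()[1]
        attrs = {}
        for line in body.splitlines():
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = (m.group(2), m.group(3).split())
        stanzas[name] = attrs
    return stanzas


def effective(conf, service, attr):
    """Resolve attr for service: '=' overrides the default, '+=' appends
    to it and '-=' removes from it (xinetd's operator semantics)."""
    base = list(conf.get("defaults", {}).get(attr, ("=", []))[1])
    op, vals = conf.get(service, {}).get(attr, (None, []))
    if op == "=":
        return vals
    if op == "+=":
        return base + [v for v in vals if v not in base]
    if op == "-=":
        return [v for v in base if v not in vals]
    return base


def _longest_match(client, entries):
    """Prefix length of the most specific entry containing client, or None."""
    best = None
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if client in net and (best is None or net.prefixlen > best):
            best = net.prefixlen
    return best


def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def access_decision(conf, service, client_ip, clock):
    """Return (allowed, reason) for client_ip connecting at clock 'HH:MM'."""
    if effective(conf, service, "disable") == ["yes"]:
        return False, "service disabled"
    client = ipaddress.ip_address(client_ip)
    only_from = effective(conf, service, "only_from")
    allow = _longest_match(client, only_from)
    deny = _longest_match(client, effective(conf, service, "no_access"))
    if only_from and allow is None:
        return False, "address not in only_from"
    # Address in both lists: the more specific (longer prefix) entry decides.
    if deny is not None and (allow is None or deny >= allow):
        return False, "address in no_access"
    windows = effective(conf, service, "access_times")
    if windows:
        now = _minutes(clock)
        if not any(_minutes(w.split("-")[0]) <= now <= _minutes(w.split("-")[1])
                   for w in windows):
            return False, "outside access_times"
    return True, "allowed"


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("effective log_on_failure:", effective(conf, "telnet", "log_on_failure"))
    for ip, clock in (("10.0.1.2", "10:00"), ("192.168.1.5", "10:00"),
                      ("192.168.1.5", "17:00")):
        print(ip, clock, access_decision(conf, "telnet", ip, clock))
```

Running the script shows that the telnet stanza's log_on_failure resolves to HOST USERID and log_on_success to HOST PID EXIT, that 10.0.1.2 is refused because of no_access regardless of the time, and that an address outside that network is accepted at 10:00 but refused at 17:00 by access_times.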
Connection closed by foreign host.
In addition, their login attempts are logged in /var/log/secure.
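Because the refused attempts end up in /var/log/secure, the natural follow-up is to review that log for repeated denials. The following added example (not part of the original post) summarizes xinetd FAIL entries per source address and failure reason and flags sources that exceed a threshold. The log lines are constructed here, modelled on the `START:`/`FAIL:`/`EXIT:` message layout xinetd writes via syslog, and the threshold value is an assumption.

```python
"""Summarize xinetd denials from syslog-style lines.
Added example, not xinetd's code. Sample lines are constructed and modelled
on xinetd's 'FAIL: <service> <reason> from=<addr>' message layout."""
import re
from collections import defaultdict

# Constructed sample lines in the style of /var/log/secure.
SAMPLE_LOG = """\
Mar  3 10:02:11 gw xinetd[2046]: START: telnet pid=2101 from=192.168.1.5
Mar  3 10:03:40 gw xinetd[2046]: EXIT: telnet status=0 pid=2101 duration=89(sec)
Mar  3 10:05:02 gw xinetd[2046]: FAIL: telnet address from=10.0.1.2
Mar  3 10:05:03 gw xinetd[2046]: FAIL: telnet address from=10.0.1.2
Mar  3 10:05:05 gw xinetd[2046]: FAIL: telnet address from=::ffff:10.0.1.2
Mar  3 17:20:19 gw xinetd[2046]: FAIL: telnet time from=192.168.1.7
Mar  3 17:21:00 gw sshd[2200]: Accepted publickey for ops from 192.168.1.9
"""

# Event type and service, then the failure reason word, then the peer address.
EVENT_RE = re.compile(r"xinetd\[\d+\]: (START|FAIL|EXIT): (\S+)(?: (\w+))?")
FROM_RE = re.compile(r"from=(?:::ffff:)?([\d.]+)")


def parse_xinetd_events(lines):
    """Yield dicts for xinetd events; other daemons' lines are skipped."""
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        event, service, reason = m.groups()
        addr = FROM_RE.search(line)
        yield {
            "event": event,
            "service": service,
            "reason": reason if event == "FAIL" else None,
            "from": addr.group(1) if addr else None,
        }


def summarize_denials(lines):
    """Return {source_ip: {reason: count}} built from FAIL events."""
    denials = defaultdict(lambda: defaultdict(int))
    for ev in parse_xinetd_events(lines):
        if ev["event"] == "FAIL" and ev["from"]:
            denials[ev["from"]][ev["reason"]] += 1
    return {ip: dict(reasons) for ip, reasons in denials.items()}


def noisy_sources(denials, threshold=3):
    """Sources whose total denials reach the (assumed) review threshold."""
    return sorted(ip for ip, reasons in denials.items()
                  if sum(reasons.values()) >= threshold)


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG.splitlines())
    for ip, reasons in summary.items():
        print(ip, reasons)
    print("review:", noisy_sources(summary))
```

The address-reason entries correspond to no_access or only_from refusals and the time-reason entries to access_times refusals, so the summary distinguishes a host that is simply outside the permitted window from one that is banned outright.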