
Exercise 2: xinetd

Description

xinetd is a replacement for the inetd daemon that addresses many of inetd's shortcomings. It can perform access control based on the time of access and on the remote hostname, address, or domain. It kills services that are no longer in its configuration file or that no longer meet the access criteria. It helps prevent denial-of-service attacks by limiting the resources those attacks target, such as the number of simultaneous instances of a service and the rate of incoming connections. It provides extensive logging of both successful and unsuccessful connections, and it allows services to be bound to specific IP addresses. Its features also extend to chrooted environments (restricted areas of a Unix file system, often used to isolate exposed services such as BIND/DNS, FTP, sendmail, or Web access).

Although xinetd does not read existing inetd.conf configuration files, a conversion utility (itox) is provided that translates an inetd.conf file into the xinetd format.

The configuration settings for xinetd are stored in /etc/xinetd.conf. There are as many sections as there are services, plus a section for default settings. However, in the xinetd.conf provided by the standard Red Hat installation, there is a single defaults section and an includedir statement that pulls in the per-service files in the /etc/xinetd.d directory.

The format of a section is

    service service_name
    {
        attribute operator value(s)
        ...
    }

xinetd provides three built-in services of its own: servers, services, and xadmin. servers lists the servers currently running, services lists the services that are available, and xadmin offers both interactively over a TCP port with no authentication. Because they reveal information about your host to anyone who can connect, they should be enabled only while you are configuring or troubleshooting xinetd, restricted to the local host, and disabled afterwards.

Objective

The objective of this exercise is to familiarize you with the configuration of xinetd to control access to your system.

Requirements

    Permission
    If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management team prior to conducting this exercise. Do not proceed without receiving the necessary permissions.

    Hardware
    Intel-based PC

    Software

    Red Hat Linux 7.2

Challenge Procedure

The following are the steps that you will perform for this exercise:

  1. Establish a default deny policy.

  2. Allow Telnet access from the internal network only.

  3. Configure FTP for access from the internal network only.

  4. Allow access to xadmin.

  5. Disable access to xadmin through the default settings.

Challenge Procedure Step-by-Step

The following are the detailed steps you will perform for this exercise:

  1. Establish a default deny policy. To do this, log in as root. Then, open a Telnet session to the local host:

  2. telnet 127.0.0.1

    Figure 3.11

  3. Log in to the system. At a command prompt, type in exit to close the Telnet session. Change the directory to /etc:

  4. cd /etc

    Figure 3.12

  5. Edit the xinetd.conf:

  6. vi xinetd.conf

  7. Position the cursor on the line that begins with cps. Press the o key to add a new line. Add the following entry to the defaults section, where it applies to every service, to deny all access by default:

  8. no_access = 0.0.0.0/0

    Figure 3.13

  9. Press the Esc key to exit insert mode. Press ZZ to save the changes and exit vi. Enter the following command to activate the new policy:

  10. /etc/init.d/xinetd reload

    Figure 3.14

  11. Try to open a Telnet session again:

  12. telnet 127.0.0.1

    Figure 3.15

  13. Next, allow Telnet access from the internal network only. Change the directory to /etc/xinetd.d:

  14. cd /etc/xinetd.d

  15. Edit the Telnet configuration file:

  16. vi telnet

    Figure 3.16

  17. Position the cursor on the line that begins with disable. Press the o key to add a new line.

  18. Add the following entries to grant access from the local network only:

            instances = 4
            access_times = 7:00-12:30 13:30-21:00
            only_from = 127.0.0.0/24

    The system used in this exercise is not on a network, so the loopback network is used. On a live system, enter your internal network address with its CIDR prefix length, for example, 192.168.0.0/24. This entry works together with the no_access = 0.0.0.0/0 you placed in the defaults section: when a client address matches both lists, xinetd applies the more specific match, so the /24 in only_from overrides the default deny for those addresses while every other address stays blocked. Note that Telnet sends passwords in clear text; it is used here only as a convenient service to test, and on a production system SSH should be used instead.

    Figure 3.17

  19. Press the Esc key to exit insert mode. Press ZZ to save the changes and exit vi. Enter the following command to activate the new policy:

  20. /etc/init.d/xinetd reload

    Figure 3.17a

  21. Try to open a Telnet session again:

  22. telnet 127.0.0.1

    Figure 3.18

    Because of the access_times restriction, this connection succeeds only if you try it between 7:00 and 12:30 or between 13:30 and 21:00; outside those periods xinetd refuses it.

  23. Edit the Telnet configuration file:

  24. vi telnet

  25. Position the cursor on the line that begins with access_times. Press dd to delete the entry.

  26. Figure 3.19

  27. Press ZZ to save the changes and exit vi. Enter the following command to activate the new policy:

  28. /etc/init.d/xinetd reload

    Try to open a Telnet session again:

    telnet 127.0.0.1

  29. Next, allow access to xadmin. Change the directory to /etc/xinetd.d:

  30. cd /etc/xinetd.d

    Figure 3.20

  31. Create the xadmin configuration file (it does not exist yet):

  32. vi xadmin

    Figure 3.21

  33. Press the o key to add a new line.

  34. Add the following entries to define the xadmin service and restrict it to the local host:

            service xadmin
            {
                type = INTERNAL UNLISTED
                port = 9100
                protocol = tcp
                socket_type = stream
                wait = no
                instances = 1
                only_from = 127.0.0.1
            }

    Figure 3.22

  35. Press the Esc key to exit insert mode. Press ZZ to save the changes and exit vi. Enter the following command to activate the new policy:

  36. /etc/init.d/xinetd reload

    Figure 3.23

  37. Try to open a Telnet session to xadmin:

  38. telnet 127.0.0.1 9100

    Then, enter the following command to see what services are available:

    show avail

    Finally, type exit to close the xadmin session.

    Figure 3.24

  39. Disable access to xadmin through the default settings. Change the directory to /etc:

  40. cd /etc

  41. Edit the xinetd.conf file:

  42. vi xinetd.conf

  43. Position the cursor on the line that begins with no_access. Press the o key to add a new line. Add the following entry to the defaults section to turn off all three built-in services. The attribute is named disabled, is valid only in the defaults section, and takes a list of service ids; the per-service equivalent is disable = yes inside a service entry:

  44. disabled = servers services xadmin

    Figure 3.25

  45. Press the Esc key to exit insert mode. Press ZZ to save the changes and exit vi. Enter the following command to activate the new policy:

  46. /etc/init.d/xinetd reload

    Figure 3.26

  47. Try to open a Telnet session to xadmin:

  48. telnet 127.0.0.1 9100

    Figure 3.27
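To make the rules you just configured concrete, the following added example (not code from the book or from the xinetd project) parses a constructed xinetd-style configuration in the chapter's format and evaluates a connection attempt the way the exercise relies on: the defaults section's no_access = 0.0.0.0/0 is inherited by every service, a service's only_from overrides it because the more specific (longer-prefix) match wins, access_times restricts the time of day, and the defaults section's disabled list switches off the built-in services. The attribute names and operators are xinetd's own; the tie rule (both lists matching with the same prefix length is denied) and the restriction to CIDR and bare-host address forms are assumptions of this code, and the SAMPLE_CONF text is constructed for the example.

```python
# Added example, not code from the book or from xinetd: a parser for xinetd-style stanzas
# and the access decision the exercise relies on.  SAMPLE_CONF is a constructed sample.
import ipaddress
import re
from datetime import datetime, time
SAMPLE_CONF = """
defaults
{
    no_access  = 0.0.0.0/0                # default deny for every service
    disabled   = servers services xadmin  # built-in information services off
}
service telnet
{
    access_times = 7:00-12:30 13:30-21:00
    only_from    = 127.0.0.0/24 192.168.0.0/24
}
service ftp
{
    only_from   = 192.168.0.0/24
    no_access  += 192.168.0.99            # one LAN host; this /32 beats the /24
}
service xadmin { only_from = 127.0.0.1 }
"""

STANZA_RE = re.compile(r"(defaults|service\s+(\S+))\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def parse(text):
    """Return {'defaults': [ops], 'services': {name: [ops]}}; op = (attr, operator, [values])."""
    conf = {"defaults": [], "services": {}}
    for m in STANZA_RE.finditer(text):
        ops = []
        for line in m.group(3).splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments and blank lines
            if line:
                a = ATTR_RE.match(line)
                if a is None:
                    raise ValueError("bad attribute line: %r" % line)
                ops.append((a.group(1), a.group(2), a.group(3).split()))
        target, key = (conf["services"], m.group(2)) if m.group(2) else (conf, "defaults")
        target[key] = ops
    return conf

def apply_ops(attrs, ops):
    """Apply '=', '+=' and '-=' in order; '+=' and '-=' edit values inherited from defaults."""
    for attr, op, values in ops:
        if op == "=":
            attrs[attr] = list(values)
        elif op == "+=":
            attrs.setdefault(attr, []).extend(values)
        else:
            attrs[attr] = [v for v in attrs.get(attr, []) if v not in values]
    return attrs

def effective(conf, name):
    return apply_ops(apply_ops({}, conf["defaults"]), conf["services"][name])

def is_enabled(conf, name):
    """Off if unknown, listed in the defaults 'disabled' list, or carrying disable = yes."""
    if name not in conf["services"] or name in apply_ops({}, conf["defaults"]).get("disabled", []):
        return False
    return effective(conf, name).get("disable", ["no"])[0].lower() != "yes"

def best_prefix(addr, networks):
    """Longest prefix length of any network containing addr, or None if none does."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]  # a bare host is a /32
    hits = [n.prefixlen for n in nets if addr in n]
    return max(hits) if hits else None

def address_allowed(svc, client):
    """only_from must match when set; if no_access also matches, the longer prefix wins."""
    addr = ipaddress.ip_address(client)
    allow = best_prefix(addr, svc.get("only_from", []))
    deny = best_prefix(addr, svc.get("no_access", []))
    if "only_from" in svc and allow is None:
        return False                               # not on the allow list at all
    if deny is None:
        return True
    return allow is not None and allow > deny      # tie or no allow match: deny (assumption)

def hm(s):
    return time(*map(int, s.split(":")))           # '7:00' -> time(7, 0)

def time_allowed(svc, now):
    """True with no access_times, or when now falls inside one HH:MM-HH:MM range."""
    ranges = svc.get("access_times")
    return not ranges or any(hm(a) <= now <= hm(b) for a, b in (r.split("-") for r in ranges))

def decide(conf, name, client, now=None):
    """'allowed', 'disabled', 'denied:address' or 'denied:time' for one connection attempt."""
    if not is_enabled(conf, name):
        return "disabled"
    svc = effective(conf, name)
    if not address_allowed(svc, client):
        return "denied:address"
    if not time_allowed(svc, datetime.now().time() if now is None else now):
        return "denied:time"
    return "allowed"
CONF = parse(SAMPLE_CONF)
```

Running decide(CONF, "telnet", "127.0.0.1", hm("10:00")) returns "allowed" for the same reason step 18 works on the exercise machine: the /24 in only_from is more specific than the /0 in the inherited no_access. The ftp entry shows the reverse case, a single blocked host inside an allowed network, which is why += against the inherited no_access list is useful; and xadmin reports "disabled" once it is named in the defaults disabled list, regardless of its own only_from.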

Additional Reading

"An Unofficial Xinetd Tutorial," curator of The Shmoo Group, http://www.macsecurity.org/resources/xinetd/tutorial.shtml.

Raynal, Frédéric. "Xinetd," LinuxFocus.org, http://www.linuxfocus.org/English/November2000/article175.html.

Summary

As a replacement for inetd, xinetd does everything that inetd does, but it does so more securely. Its primary benefit is that it combines the functions of inetd and TCP Wrappers in a single, efficient daemon.

In addition to providing client access control by address, xinetd helps protect against denial-of-service attacks, binds services to specific IP addresses, and controls access by time period.
