KBTAG: kben10000037
URL: http://www.securityportal.com/lskb/10000000/kben10000037.html
Date created: 14/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: How to configure and manage inetd.conf
Keywords: Network
Inetd acts as a "super server" for other programs. Instead of running software as a stand-alone daemon, inetd listens for connections and then starts up the appropriate daemon for that service. Many software packages, such as Telnet, Finger and Identd, are run this way as it is usually more efficient.
inetd.conf is responsible for starting services, typically ones that do not need to run continuously or are session based (such as telnet or ftpd). This is because the overhead of running a service constantly (like telnet) would be higher than the start-up cost (firing up in.telnetd, for example) when a user wants to use it. For services that handle many quick connections (like DNS), the overhead of starting the service every few seconds would be much higher than running it constantly as a daemon. Also, with services such as DNS time is critical, whereas a few seconds' delay starting an ftp session won't hurt much. The man page for inetd.conf covers the basics (man inetd.conf). The service itself is called inetd and is run at boot time, so you can easily stop/start/reload it by manipulating the inetd process. Whenever you make changes to inetd.conf you must restart inetd for the changes to take effect; "killall -1 inetd" will restart it. Lines in inetd.conf can be commented out with a # as usual (this is a very simple and effective way of disabling services like rexec). It is advisable to disable as many services in inetd.conf as possible; typically the only ones in use will be ftp, pop and imap. Telnet and the r services should be replaced with SSH, and services like systat/netstat and finger give away far too much information. Access to programs started by inetd can be easily controlled by the use of TCP_WRAPPERS.
Typical services in inetd.conf that should be disabled are:
Service  | Problems
---------|----------------------------------------------------------------------------------------------------------
echo     | echoes characters back, attackers can use it to flood other machines, spoof echo packets from one machine to another and they will start "chattering"
discard  | receives and discards characters, can be used to flood a machine with data that is not logged
daytime  | gives system time, useful for attackers, not useful for synchronizing time, use xntp
chargen  | creates characters, attackers can use it to flood other machines, spoof echo packets from one machine to another and they will start "chattering"
time     | gives time, useful for attackers, not useful for synchronizing time, use xntp
shell    | RSH
login    | rlogin
exec     | rexec
comsat   | comsat
talk     | talk program, can be used by attackers to find out who is logged in, firewall or disable
ntalk    | talk program, can be used by attackers to find out who is logged in, firewall or disable
dtalk    | talk program, can be used by attackers to find out who is logged in, firewall or disable
uucp     | Unix to Unix CoPy, original method for moving email and files, rarely used, many security problems
tftp     | Trivial FTP daemon, used for network booting devices (routers, X terminals, etc.). Disable unless needed, or consider replacing.
bootps   | Older version of DHCP, obsolete, use DHCP.
finger   | Finger daemon, gives information about users on the system, very useful for attackers.
cfinger  | Finger daemon, gives information about users on the system, very useful for attackers.
systat   | System status, process listing, etc., extremely useful for attackers.
netstat  | Network status, extremely useful for attackers.
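The following is an added example, not a script from the original article. It shows the procedure the article describes in working shell: list the services that are still active in an inetd.conf, comment out every service from the table above (plus telnet, which the article says to replace with SSH) by putting a # in front of the line, keep a backup, and reload inetd with the article's "killall -1 inetd". The inetd.conf it works on is a constructed sample written to a scratch file, so it can be run without touching /etc/inetd.conf; the service names, users and daemon paths in the sample are typical values, not taken from any particular system. The reload function is defined but not called in the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit and trim an inetd.conf.

# Constructed sample inetd.conf. Field order is the standard one:
# service sock_type proto flags user server_path args
SAMPLE_INETD_CONF='# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
echo    stream  tcp     nowait  root    internal
discard stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd'

# Services the article recommends disabling, plus telnet (to be replaced by SSH).
DISABLE_LIST="echo discard daytime chargen time shell login exec comsat talk ntalk dtalk uucp tftp bootps finger cfinger systat netstat telnet"

# enabled_services FILE
# Print the service name (first field) of every line that is neither blank nor
# commented out, i.e. every service inetd would actually offer.
enabled_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# disable_services FILE SERVICE...
# Comment out each active line whose first field is one of the given services.
# Other lines (including existing comments) are left exactly as they are, and the
# original file is kept as FILE.bak.
disable_services() {
    file=$1; shift
    cp "$file" "$file.bak"
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) deny[a[i]] = 1 }
        # Only active lines are touched; matching is on the whole first field,
        # so "echo" does not match "echo-udp" or similar.
        !/^[[:space:]]*#/ && ($1 in deny) { print "#" $0; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# reload_inetd
# The article's way of making inetd pick up a changed inetd.conf. Not called in
# the demonstration below, since it acts on the running system.
reload_inetd() {
    killall -1 inetd
}

# Demonstration on a scratch copy of the constructed sample.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_INETD_CONF" > "$demo"
echo "Enabled before:"; enabled_services "$demo"
disable_services "$demo" $DISABLE_LIST
echo "Enabled after:";  enabled_services "$demo"
rm -f "$demo" "$demo.bak"
```

On a real system the same functions would be run as root against /etc/inetd.conf, followed by reload_inetd; the .bak copy is what you diff against afterwards to confirm that only the intended lines gained a leading #.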
You can also use TCP_WRAPPERS to control access to services, this is covered in knowledge base article kben10000039 (TCP_WRAPPERS).