Most Linux distributions use the xinetd program as the standard "superserver" or "superdaemon" that listens for incoming connections to pass on to other programs. In the old days, the inetd program handled this task, but was quite insecure. Today, programs like xinetd, tcpserver, and ipsvd are faster and more secure than the old inetd.

With xinetd, you can configure a lot more than just having xinetd passively listen for connections and spawn the appropriate service when it receives an incoming connection. Comprehensive ACLs are available that allow you to tweak and lock down particular servers, such as SSH, RSYNC, SWAT, and many others. For instance, a stock configuration for xinetd to handle SSH connections might look like:

<code>
service ssh
{
        disable = yes
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/sshd
        server_args             = -i
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
}
</code>

This configuration works, but has absolutely no access controls. To restrict access to the SSH service from a specific IP address you could add:

<code>
only_from 10.0.5.100
</code>

Alternatively, you can ban certain IPs and allow all others:

<code>
no_access = 10.0.5.12 bad.user.org
</code>

You can also define networks here to ban entire ranges of IPs; hostnames are permitted as xinetd will do hostname lookups when it starts or reloads the configuration file.

Another restriction can be time-based; for instance, you could allow SSH access to be initiated only during working hours:

<code>
access_times 8:00-17:00
</code>
Tips in your inbox
Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills.
Automatically sign up today!

Finally, you can place limits on the number of connections that xinetd will accept for a particular service. For instance, to limit the number of SSH connections to a maximum of 10 with a maximum of three sessions per IP address, you would use:

<code>
instances = 10
per_source = 3
</code>

xinetd provides for a lot of flexibility with the services it manages, and the defaults that most Linux vendors ship with are fairly liberal. Tweaking the individual configurations for each service can be advantageous because of the ways you can streamline service offerings.