
Setting ACLs with xinetd

If you're still using inetd as your server program to handle connections, there is a faster, more secure program called xinetd. Vincent Danen shows you some tweaks to xinetd that will allow you to control access to certain servers or lock them down completely.

Most Linux distributions use the xinetd program as the standard "superserver" or "superdaemon" that listens for incoming connections and hands them to other programs. In the old days, the inetd program handled this task, but it had no access control of its own: any filtering had to be bolted on through TCP Wrappers. Today, programs like xinetd, tcpserver, and ipsvd are faster and more secure than the old inetd.

With xinetd, you can configure a lot more than just having it passively listen for connections and spawn the appropriate service when one arrives. Comprehensive ACLs are available that let you tweak and lock down particular servers, such as sshd, rsync, SWAT, and many others. For instance, a stock configuration for xinetd to handle SSH connections might look like:

<code>
service ssh
{
        disable = yes
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/sshd
        server_args             = -i
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
}
</code>

This configuration works once disable is set to no, but it has absolutely no access controls. To restrict the SSH service so that only a single IP address can reach it, add an only_from attribute to the stanza:

<code>
only_from = 10.0.5.100
</code>

Any address not listed in only_from is refused. Alternatively, you can ban specific hosts and allow all others with no_access:

<code>
no_access = 10.0.5.12 bad.user.org
</code>

Both attributes take a space-separated list, and entries can be whole networks as well as single addresses: either CIDR notation (10.0.5.0/24) or xinetd's own shorthand, in which trailing zero octets are wildcards (10.0.5.0 covers every host in 10.0.5.x). If an address matches entries in both lists, the more specific match decides, so only_from = 10.0.5.0/24 together with no_access = 10.0.5.12 admits the whole subnet except that one host. Hostnames are permitted as well; xinetd resolves them when it starts or reloads the configuration file, which also means the control is only as trustworthy as the DNS behind it.

Another restriction can be time-based; for instance, you could allow SSH connections to be initiated only during working hours:

<code>
access_times = 8:00-17:00
</code>

This governs only when a new connection is accepted: a session that is still open at 17:00 is not cut off.

Finally, you can place limits on the number of simultaneous connections that xinetd will accept for a particular service. For instance, to cap SSH at 10 concurrent sessions overall, with no more than three of them coming from any single source address, you would use:

<code>
instances = 10
per_source = 3
</code>
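To see how the only_from/no_access lists, the access_times window and the instances/per_source limits described above combine, here is an added example (not xinetd's code, and not from the article): it parses a constructed sshd stanza that uses all of those attributes and then evaluates a handful of made-up connection attempts against it. Two details are assumptions of this example rather than documented xinetd behaviour: a hostname entry is scored as a /32 match, and when an address matches only_from and no_access with equal specificity the connection is refused. Hostname entries are compared against a caller-supplied reverse-DNS name, so nothing is resolved and the script runs offline.

```python
"""Apply an xinetd service stanza's access controls to sample connections."""
import ipaddress
import re
from datetime import time

# Constructed stanza (not taken from any real host): the article's sshd block
# with all of the discussed ACL attributes filled in.
SSH_STANZA = """
service ssh
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/sshd
        server_args     = -i
        only_from       = 10.0.5.0/24 192.168.1.10
        no_access       = 10.0.5.12 bad.user.org
        access_times    = 8:00-17:00
        instances       = 10
        per_source      = 3
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
}
"""

_ATTR = re.compile(r"^(\w+)\s*(\+=|=)\s*(.*)$")
_DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_stanza(text):
    """Return {attribute: [values]} for one service block ('=' and '+=' only)."""
    attrs = {}
    for line in text.splitlines():
        m = _ATTR.match(line.strip())
        if not m:
            continue                      # 'service ssh', '{', '}' and blanks
        key, op, value = m.groups()
        if op == "+=":
            attrs.setdefault(key, []).extend(value.split())
        else:
            attrs[key] = value.split()
    return attrs


def hhmm(text):
    """Parse 'H:MM' or 'HH:MM' into a datetime.time."""
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def specificity(entry, src_ip, rdns=None):
    """Prefix length with which 'entry' matches src_ip, or -1 for no match.

    Handles CIDR (10.0.5.0/24), plain addresses, and xinetd's shorthand where
    rightmost zero octets are wildcards (10.0.5.0 covers 10.0.5.*, 0.0.0.0
    covers everything). Anything else is treated as a hostname pattern and
    compared with the caller-supplied reverse-DNS name (no lookups are made);
    such a match is scored /32, an assumption of this example.
    """
    addr = ipaddress.ip_address(src_ip)
    if _DOTTED.match(entry):
        zeros = 0
        for octet in reversed(entry.split(".")):
            if octet != "0":
                break
            zeros += 1
        net = ipaddress.ip_network(f"{entry}/{32 - 8 * zeros}", strict=False)
    else:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            if rdns is None:
                return -1
            hit = rdns.endswith(entry) if entry.startswith(".") else rdns == entry
            return 32 if hit else -1
    return net.prefixlen if addr in net else -1


def within_access_times(ranges, now):
    """True if 'now' lies inside any 'HH:MM-HH:MM' range (endpoints inclusive);
    an absent access_times attribute means no time restriction at all."""
    if not ranges:
        return True
    for span in ranges:
        start, end = (hhmm(part) for part in span.split("-"))
        if start <= now <= end:
            return True
    return False


def access_decision(attrs, src_ip, now, active_total=0, active_from_src=0, rdns=None):
    """Return (allowed, reason) for one connection: address lists first, then
    the time window, then the concurrency limits. When an address matches both
    only_from and no_access the more specific entry wins; ties are refused
    (an assumption of this example)."""
    if attrs.get("disable", ["no"])[0] == "yes":
        return False, "service disabled"
    allow = max((specificity(e, src_ip, rdns) for e in attrs.get("only_from", [])), default=-1)
    deny = max((specificity(e, src_ip, rdns) for e in attrs.get("no_access", [])), default=-1)
    if "only_from" in attrs and allow < 0:   # an empty only_from refuses everyone
        return False, "not in only_from"
    if deny >= 0 and deny >= allow:
        return False, "matched no_access"
    if not within_access_times(attrs.get("access_times", []), now):
        return False, "outside access_times"
    limit = attrs.get("instances", ["UNLIMITED"])[0]
    if limit != "UNLIMITED" and active_total >= int(limit):
        return False, "instances limit reached"
    limit = attrs.get("per_source", ["UNLIMITED"])[0]
    if limit != "UNLIMITED" and active_from_src >= int(limit):
        return False, "per_source limit reached"
    return True, "accepted"


if __name__ == "__main__":
    attrs = parse_stanza(SSH_STANZA)
    # Constructed attempts: (source, clock time, active total, active from source, rDNS)
    attempts = [
        ("10.0.5.100", hhmm("9:30"), 0, 0, None),
        ("10.0.5.12", hhmm("9:30"), 0, 0, None),
        ("10.0.5.50", hhmm("9:30"), 0, 0, "bad.user.org"),
        ("172.16.0.1", hhmm("9:30"), 0, 0, None),
        ("10.0.5.100", hhmm("18:00"), 0, 0, None),
        ("192.168.1.10", hhmm("16:59"), 4, 3, None),
    ]
    for src, when, total, per_src, name in attempts:
        ok, why = access_decision(attrs, src, when, total, per_src, name)
        verdict = "ALLOW" if ok else "DENY"
        print(f"{src:>14} at {when:%H:%M}: {verdict:5} ({why})")
```

Running the script prints one verdict per attempt; the banned host, the host whose reverse name is bad.user.org, the off-subnet host, the after-hours attempt and the fourth connection from 192.168.1.10 are all refused, while 10.0.5.100 at 09:30 is accepted.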

xinetd provides a lot of flexibility with the services it manages, and the defaults that most Linux vendors ship are fairly liberal. It is worth going through each service's configuration (and the defaults block of xinetd.conf, whose attributes apply to every service unless a service overrides them) and adding the source, time and concurrency restrictions that the service actually needs.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
