Most Linux distributions use the xinetd program as the standard "superserver" or "superdaemon" that listens for incoming connections to pass on to other programs. In the old days, the inetd program handled this task, but was quite insecure. Today, programs like xinetd, tcpserver, and ipsvd are faster and more secure than the old inetd.
With xinetd, you can configure a lot more than just having xinetd passively listen for connections and spawn the appropriate service when it receives an incoming connection. Comprehensive ACLs are available that allow you to tweak and lock down particular servers, such as SSH, RSYNC, SWAT, and many others. For instance, a stock configuration for xinetd to handle SSH connections might look like:
service ssh
{
    disable = yes
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/sshd
    server_args = -i
    log_on_success += DURATION USERID
    log_on_failure += USERID
    nice = 10
}
This configuration works, but has absolutely no access controls. To allow access to the SSH service only from a specific IP address, you could add:
Alternatively, you can ban certain IPs and allow all others:
no_access = 10.0.5.12 bad.user.org
You can also list networks here to ban entire ranges of IP addresses; hostnames are permitted too, since xinetd resolves them when it starts or reloads the configuration file.
Another restriction can be time-based; for instance, you could allow SSH access to be initiated only during working hours:
Finally, you can place limits on the number of connections that xinetd will accept for a particular service. For instance, to limit the number of SSH connections to a maximum of 10 with a maximum of three sessions per IP address, you would use:
instances = 10
per_source = 3
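The restrictions described above all live as attributes inside a service stanza, and a stock /etc/xinetd.d directory can hold a dozen such stanzas. The following parser and audit script is an added example and is not part of the original article or of the xinetd project: it parses xinetd stanzas (honouring the "=", "+=" and "-=" assignment operators) and reports enabled services that lack an address ACL, a time window, or connection caps. The sample configuration embedded in it is constructed for the example; only_from, no_access, access_times, instances and per_source are real xinetd attributes, while the addresses (other than the two the article already uses) and the idea that a missing "disable" means "no" are assumptions. It goes beyond the article's single SSH stanza by auditing several services at once; defaults blocks and includedir directives are deliberately not handled.

```python
import re

# Constructed sample configuration (not from the article). The ssh stanza
# combines the restrictions the article describes; the rsync stanza has none.
# 10.0.5.12 and bad.user.org come from the article, the rest is made up.
SAMPLE_CONF = """
service ssh
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/sshd
    server_args     = -i
    only_from       = 10.0.5.0/24 192.168.1.17
    no_access       = 10.0.5.12 bad.user.org
    access_times    = 08:00-18:00
    instances       = 10
    per_source      = 3
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    nice            = 10
}

service rsync
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
    log_on_failure  += USERID
}
"""

STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_xinetd(text):
    """Parse xinetd service stanzas into {service: {attribute: [values]}}.

    '=' replaces an attribute's value list, '+=' appends to it and '-='
    removes from it, mirroring xinetd's own assignment operators.
    """
    services = {}
    for name, body in STANZA_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]  # drop trailing comments
            m = ATTR_RE.match(line)
            if not m:
                continue
            key, op, value = m.groups()
            values = value.split()
            if op == "=":
                attrs[key] = values
            elif op == "+=":
                attrs.setdefault(key, []).extend(values)
            else:  # "-="
                attrs[key] = [v for v in attrs.get(key, []) if v not in values]
        services[name] = attrs
    return services


def audit(services):
    """Return {service: [findings]} for enabled services missing controls."""
    findings = {}
    for name, attrs in services.items():
        # Assumption: an absent "disable" attribute means the service is on.
        if attrs.get("disable", ["no"]) == ["yes"]:
            continue  # a disabled service is never spawned; nothing to flag
        issues = []
        if "only_from" not in attrs and "no_access" not in attrs:
            issues.append("no address-based ACL (only_from/no_access)")
        if "access_times" not in attrs:
            issues.append("no access_times window")
        if "instances" not in attrs:
            issues.append("no instances cap")
        if "per_source" not in attrs:
            issues.append("no per_source cap")
        if "USERID" not in attrs.get("log_on_failure", []):
            issues.append("failures not logged with USERID")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for svc, issues in audit(parse_xinetd(SAMPLE_CONF)).items():
        print(svc, "->", "; ".join(issues) or "ok")
```

Run against a real system, read each file under /etc/xinetd.d and feed its contents to parse_xinetd; every finding for an enabled service is a stanza that still relies on the liberal vendor defaults the article warns about.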
xinetd provides a lot of flexibility with the services it manages, and the defaults that most Linux vendors ship are fairly liberal. Tuning the individual configuration for each service is worthwhile because of how precisely you can tailor what each service offers, to whom, and when.
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.