Configuring Various Network Services using xinetd in Linux (RHEL5/6)
As a system administrator, you will most likely need to provide your users with network and Internet services. These services may include FTP, HTTP, or Telnet.
Although some software packages like Apache provide a single service (HTTP), there is also a master service called xinetd that can run multiple services at the same time.
It is also widely used in the real world, particularly for automating Red Hat installations, where it runs the TFTP server that hands PXE clients their boot files. There are really only a few things that you need to know to be able to use the xinetd service. This package doesn't always come installed by default, so first let's install it.
Task 1: Installation and Configuration of Xinetd
Step 1. Install the xinetd package:
# yum install -y xinetd
Step 2. Verify that the package is installed correctly:
# rpm -qa | grep xinetd
With the service installed, you can shift your focus to the config files. The xinetd service has a master config file (/etc/xinetd.conf) that holds the default settings; every service it controls inherits those defaults unless its own config file overrides them.
Aside from this master config file, a single directory (/etc/xinetd.d) contains individual config files for each service you would like xinetd to run.
As an example, let’s set up a TFTP server, which can be used to back up config files for Cisco switches or to deliver data to clients during a PXE boot process (also known as a network installation).
Step 3. Install the required package:
# yum install -y tftp-server
Step 4. Verify that the package is installed correctly:
# rpm -qa | grep tftp
Now that the package is installed, you can go into the /etc/xinetd.d directory and see the config file for the new service. By default, the TFTP service is disabled. Let's look at the config file, which is small and simple:
# cat /etc/xinetd.d/tftp
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s /tftpboot
        disable         = yes
        per_source      = 11
        cps             = 100 2
        flags           = IPv4
}
Here, you can see the basics, such as which protocol it uses, whether the service is disabled, and what arguments are passed to the service during startup. The -s /tftpboot argument makes in.tftpd chroot into that directory, and because the -c (create) flag is not given, clients cannot create new files on the server; TFTP has no authentication, so leave it that way unless uploads are really needed. For this example, all the defaults work fine. You may be wondering why I suggest leaving the service disabled if you want to use it. For a service controlled by xinetd, chkconfig does not create runlevel links; turning the service on simply rewrites the disable line in its file under /etc/xinetd.d, so enabling it "for boot" is the same act as enabling it at all.
Step 5. Enable the TFTP server to start when the system boots:
# chkconfig tftp on
Step 6. Verify that the service will start during boot:
# chkconfig --list tftp
tftp on
Looking back in the config file now, notice that chkconfig has flipped the disable line, so the service is now enabled. You can verify this by checking the file:
# cat /etc/xinetd.d/tftp | grep disable
disable = no
Step 7. At this point, you should also enable the xinetd service itself to start on system boot:
# chkconfig xinetd on
Step 8. Verify that the service will start during boot:
# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
There is one more thing you can verify. You can get a list of all services enabled during boot by using the chkconfig command. The difference here is that the xinetd service lists not only its own runlevels, but also the on/off state of every service that it controls.
Step 9. Use chkconfig to view all the xinetd services (other services in the listing are omitted here):
# chkconfig --list
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd based services:
        tftp:   on
You can see here that the xinetd service is set to start on boot and that the TFTP service is the only service it will start.
Step 10. To get the service up and running without a system reboot, just adjust any config file options you’d like and restart the xinetd service:
# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Step 11. Verify that the xinetd service is now running on the system and listening on UDP port 69 for connections:
# netstat -a | grep tftp
udp 0 0 *:tftp *:*
The xinetd service resolves a service name to its port through /etc/services (tftp is listed there as 69/udp) and an RPC service name to its program number through /etc/rpc. If you add a service whose name is not in /etc/services, its config file must declare type = UNLISTED and set the port attribute explicitly.
The xinetd service is fairly simple to configure, but make sure that each service you want to use has its own config file in the /etc/xinetd.d directory, and restart (or reload) xinetd before use.
For simple troubleshooting of any xinetd service, check the /var/log/messages file: the default log_type = SYSLOG daemon info in /etc/xinetd.conf sends xinetd's messages to syslog, which on RHEL writes them there.
Although the default configuration options are usually fine, you can change what is logged by editing the main config file (or a single service's file). The logging attributes are log_type, log_on_success and log_on_failure; the host access attributes are only_from, no_access and access_times.
They can be defined in the main config file as defaults, or per service, for security restrictions. Usually, it is better to let the firewall and TCP Wrappers take care of restricting certain clients, but you should know that the options are available.
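The host access attributes above and the disable line that chkconfig flips are easy to get wrong on a fleet, so it helps to script them, for instance in a kickstart %post section. The following is an added example and not code from the original article: it renders a tftp stanza restricted with only_from to an assumed management subnet (192.168.10.0/24), and audits an xinetd.d directory for services that are enabled (disable = no) but carry no only_from line. The MGMT_NET variable and the --apply switch are this example's own assumptions; without --apply it only defines the functions.

```sh
#!/bin/sh
# Added example (not from the original article): render a TFTP stanza for
# /etc/xinetd.d that is restricted with only_from, and audit an xinetd.d
# directory for services that are enabled but have no only_from restriction.
# The subnet 192.168.10.0/24 and the --apply switch are assumptions.

# Print a service stanza like the stock /etc/xinetd.d/tftp, with two
# security-relevant differences: disable = no (the state chkconfig sets),
# and only_from so that xinetd drops clients outside the given network
# before in.tftpd is ever started. No -c is passed, so clients cannot
# create files. $1 = allowed network, $2 = TFTP root (default /tftpboot).
render_tftp_service() {
    net="$1"
    root="${2:-/tftpboot}"
    cat <<EOF
service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s $root
        disable         = no
        per_source      = 11
        cps             = 100 2
        flags           = IPv4
        only_from       = $net
}
EOF
}

# Print the name of every file in an xinetd.d directory ($1) whose service is
# enabled (disable = no) but carries no only_from line, i.e. any host the
# firewall lets through can reach it. One stanza per file is assumed, which
# is how the RHEL packages ship them.
audit_unrestricted() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' "$f" &&
           ! grep -Eq '^[[:space:]]*only_from[[:space:]]*=' "$f"; then
            echo "${f##*/}"
        fi
    done
}

# On a real RHEL5/6 host, run as root with --apply to install the stanza,
# enable xinetd at boot and restart it, then report anything still open.
if [ "${1:-}" = "--apply" ]; then
    render_tftp_service "${MGMT_NET:-192.168.10.0/24}" > /etc/xinetd.d/tftp
    chkconfig xinetd on
    service xinetd restart
    audit_unrestricted /etc/xinetd.d
fi
```

Because only_from is evaluated by xinetd before the server program is started, a client outside the subnet is refused even if the firewall lets the packet through, and the refusal shows up in /var/log/messages as a FAIL line for the tftp service.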
Task 2: Securing xinetd Services using iptables
Although the xinetd service can handle multiple services, you need to ensure that you have created the appropriate firewall rule for each service you intend to use. Because you have configured a TFTP server for this example, you need to create a rule that allows TFTP traffic to reach the server.
Step 1. Use iptables to create the required firewall rule:
# iptables -I INPUT 5 -p udp -m udp --dport 69 -j ACCEPT
The rule is inserted at position 5 so that it lands ahead of the final REJECT rule of the default RHEL rule set; if your INPUT chain differs, check the position with iptables -L INPUT -n --line-numbers, because a rule placed after the REJECT never matches. As written, the rule accepts TFTP from any source; add -s with your management subnet to limit it to the clients that actually need it.
Step 2. Save the firewall rule you just created:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Step 3. Then restart the iptables service. The rule is already active, but the restart reloads /etc/sysconfig/iptables and so proves that the saved rule will survive a reboot:
# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
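The position argument in -I INPUT 5 is the fragile part of the procedure above, and the rule as given has no source restriction. The following is an added example and not code from the original article: it builds the TFTP rule restricted to an assumed management subnet (192.168.10.0/24) and checks, from the output of iptables -S INPUT or the INPUT lines of /etc/sysconfig/iptables, that an ACCEPT for UDP/69 comes before the chain's first REJECT or DROP rule. The MGMT_NET variable and the --apply switch are this example's own assumptions; without --apply it only defines the functions.

```sh
#!/bin/sh
# Added example (not from the original article): build the TFTP firewall
# rule restricted to a source network and check, from the output of
# `iptables -S INPUT`, that an accept for UDP/69 precedes the chain's first
# REJECT or DROP rule. The 192.168.10.0/24 subnet, position 5 and the
# --apply switch are assumptions for illustration.

# Rule arguments for TFTP. The article's rule has no -s and therefore
# accepts from any host; TFTP has no authentication, so $1 names the only
# network allowed to reach it.
tftp_rule_args() {
    printf '%s\n' "-p udp -m udp -s $1 --dport 69 -j ACCEPT"
}

# Read `iptables -S INPUT` (or the INPUT lines of /etc/sysconfig/iptables)
# on stdin. Exit 0 when a UDP/69 ACCEPT rule exists and comes before the
# first REJECT/DROP rule; exit 1 otherwise, because -I INPUT 5 only does its
# job when position 5 really is ahead of the catch-all reject.
tftp_rule_ok() {
    awk '
        /^-A INPUT/ {
            n++
            if (!acc && $0 ~ /-p udp/ && $0 ~ /--dport 69( |$)/ && $0 ~ /-j ACCEPT/)
                acc = n
            if (!rej && $0 ~ /-j (REJECT|DROP)/)
                rej = n
        }
        END {
            if (acc && (!rej || acc < rej)) exit 0
            exit 1
        }'
}

# On a real host, run as root with --apply: insert the rule, verify its
# position, then persist it with `service iptables save` as the article does.
if [ "${1:-}" = "--apply" ]; then
    net="${MGMT_NET:-192.168.10.0/24}"
    iptables -I INPUT 5 $(tftp_rule_args "$net")
    if iptables -S INPUT | tftp_rule_ok; then
        service iptables save
    else
        echo "UDP/69 rule is not ahead of the REJECT rule; check iptables -L INPUT -n --line-numbers" >&2
        exit 1
    fi
fi
```

The check deliberately reads the rule set rather than trusting the position number, so it also catches the case where a later change pushed an extra rule above the TFTP one.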