Technical Support Fundamentals (ITP 4107)

CONTROLLING ACCESS WITH XINETD

Controlling Access with Xinetd


Topic 07,p.1
©VTC 2012

LESSON INTENDED LEARNING OUTCOMES

On completion of the lesson, students are expected to set up, configure, monitor and control appropriate TCP/IP network services to satisfy given requirements.

OVERVIEW

- inetd
- TCP Wrappers
- xinetd

One of the problems with TCP/IP is that it is basically insecure: the protocols themselves provide no control over who may connect to a service. Many intrusions are the result of this insecurity.

INTERNET SERVICES DAEMON

- inetd is a daemon on many Unix systems that manages Internet services.
- Often called a super-server, inetd listens on all ports used by Internet services such as FTP, POP3, and telnet.
- When a TCP packet or UDP packet comes in with a particular port number, inetd launches the appropriate server program to handle the connection.

INTERNET SERVICES DAEMON – SETUP

- /etc/services
  - Maps (port number, protocol) pairs to service names.
  - Standard services such as email, telnet … all associate themselves with "well-known" ports defined in this file.
- /etc/inetd.conf
  - Maps service names to the server programs that handle them.
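The two lookups above chain together: an incoming (port, protocol) pair is turned into a service name by /etc/services, and that name selects the server line in /etc/inetd.conf. The following script is an added example (not part of the course material or of inetd itself) that parses constructed samples of both files and resolves a packet to the program inetd would launch. In the constructed inetd.conf the server field is /usr/sbin/tcpd, the TCP wrapper introduced later in this topic, which is the usual way the wrapper is put in front of a daemon; the real daemon is then named in the argument list.

```python
"""Resolve an incoming (port, protocol) pair to the server inetd would launch.

Added example, not the inetd source.  Parses constructed samples of
/etc/services and /etc/inetd.conf and chains the lookups:
(port, proto) -> service name -> server program and arguments.
"""

# Constructed sample of /etc/services: "name  port/proto  [aliases] [# comment]"
SERVICES = """
# service-name  port/protocol  [aliases ...]
ftp             21/tcp
telnet          23/tcp
smtp            25/tcp      mail
pop3            110/tcp     pop-3
finger          79/tcp
"""

# Constructed sample of /etc/inetd.conf:
# "service socket_type proto wait/nowait user server_program [args ...]"
INETD_CONF = """
#<service> <type>  <proto> <wait>  <user>  <server>        <args>
ftp        stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet     stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger     stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#pop3      stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
"""


def _fields(text):
    """Yield the whitespace-separated fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_services(text):
    """Map (port, proto) -> canonical service name."""
    table = {}
    for fields in _fields(text):
        port, proto = fields[1].split("/")
        table[(int(port), proto)] = fields[0]
    return table


def parse_inetd_conf(text):
    """Map service name -> how inetd launches it.  Commented-out lines
    (services inetd 'could control if activated') are skipped."""
    table = {}
    for fields in _fields(text):
        name, sock, proto, wait, user, server, *args = fields
        table[name] = {"socket_type": sock, "proto": proto, "wait": wait,
                       "user": user, "server": server, "args": args}
    return table


def resolve(port, proto, services=SERVICES, inetd_conf=INETD_CONF):
    """Return (service_name, launch_spec) for an incoming packet, or None when
    inetd would not be listening on that port/protocol (unknown port, or a
    service that is present in /etc/services but not enabled in inetd.conf)."""
    name = parse_services(services).get((port, proto))
    if name is None:
        return None
    spec = parse_inetd_conf(inetd_conf).get(name)
    if spec is None:
        return None
    return name, spec


if __name__ == "__main__":
    for port, proto in ((23, "tcp"), (110, "tcp"), (8080, "tcp")):
        print(port, proto, "->", resolve(port, proto))
```

Running the script shows that 23/tcp resolves to telnet and is handed to /usr/sbin/tcpd with in.telnetd as its argument, while 110/tcp resolves to the pop3 name but is not launched because its inetd.conf line is commented out.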

EXTENDED INTERNET SERVICES DAEMON

- xinetd is an extended and secure replacement for inetd. Like inetd, it also:
  - Accepts client requests from the Internet.
  - Redirects them to the corresponding service.
- It offers many features that allow us to control who accesses which services, when, and from where.

OVERVIEW : XINETD VS. INETD

- The configuration file for inetd, /etc/inetd.conf, contains a list of all of the services the daemon controls, along with commented-out items that it could control if you wanted to activate those services.
- xinetd has a collection of configuration files.
  - The master file is /etc/xinetd.conf, which allows for general configuration.
  - Along with the master configuration file is the subdirectory /etc/xinetd.d/, which contains a series of individual files pertaining to various services.
  - Each of these files is loaded through xinetd.conf when xinetd loads its configuration data into memory during startup.

TCP WRAPPERS

- Controlling access to network services is one of the most important security tasks facing a server administrator.
- TCP wrappers add an additional layer of protection by defining which hosts are allowed or not allowed to connect to "wrapped" network services.

TCP WRAPPERS ACCESS CONTROL

- The TCP wrappers package (tcp_wrappers) provides host-based access control to network services.
- tcpd is the program that checks permissions and launches the specified service if access is permitted.
- When a connection attempt is made to a TCP-wrapped service, tcpd first references the host access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client host is allowed to connect.
- If the client host is allowed to connect, TCP wrappers release control of the connection to the requested service.

ADVANTAGES OF TCP WRAPPERS

- Transparency to both the client host and the wrapped network service.
  - Both the connecting client and the wrapped network service are unaware that TCP wrappers are in use. Legitimate users are logged and connected to the requested service, while connections from banned clients fail.
- Centralized management of multiple protocols.
  - TCP wrappers operate separately from the network services they protect, allowing many services to share a common set of configuration files for simpler management.

TCP WRAPPERS CONFIGURATION FILES

- /etc/hosts.allow
  - The TCP-wrapped service sequentially parses the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to step 2.
- /etc/hosts.deny
  - The TCP-wrapped service sequentially parses the /etc/hosts.deny file. If it finds a matching rule, it denies the connection. If not, access to the service is granted.
- A non-existing access control file is treated as if it were an empty file. Thus, access control can be turned off by providing no access control files.

EXAMPLE - MOSTLY CLOSED SYSTEM

- hosts.allow
ALL : localhost
in.telnetd : cwcim.org
in.fingerd : staff.cwcim.org

- hosts.deny
ALL : ALL
in.telnetd : news.cwcim.org

/etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

ALL : localhost
in.telnetd : cwcim.org
in.fingerd : staff.cwcim.org

This configuration allows any service for the local machine, allows telnet for any machine on the cwcim.org network, and allows finger for any machine on the staff.cwcim.org network.

/etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

ALL : ALL
in.telnetd : news.cwcim.org

Anything else is denied. Note that the second line doesn't do anything, because the second line of hosts.allow already lets any machine on the cwcim.org network use telnet, and hosts.allow is consulted first.
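The following script is an added example (not part of the course material or of the tcp_wrappers source) that models the two-step tcpd decision described above and reproduces the point just made: a telnet connection from news.cwcim.org is accepted by hosts.allow before hosts.deny is ever consulted. One practical caveat is built into it: in hosts_access(5), a pattern only covers every host in a domain when it starts with a dot (".cwcim.org"); a bare name such as "cwcim.org" matches one host exactly. The constructed files below therefore use the leading-dot form of the slide's rules. Supported patterns are ALL, LOCAL (a name without a dot), an exact host name and a leading-dot domain suffix; EXCEPT lists and address/netmask patterns are not modelled.

```python
"""Model of the two-step tcpd decision from hosts_access(5).

Added example, not the tcp_wrappers source.  hosts.allow is searched first and
the first matching rule grants access; otherwise hosts.deny is searched and the
first matching rule denies; a client matching neither file is allowed, which is
also what an empty or missing file yields.
"""

# Constructed hosts.allow, mirroring the slide's "mostly closed" example
HOSTS_ALLOW = """
ALL        : localhost
in.telnetd : .cwcim.org
in.fingerd : .staff.cwcim.org
"""

# Constructed hosts.deny
HOSTS_DENY = """
ALL        : ALL
in.telnetd : news.cwcim.org
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def pattern_matches(pattern, name):
    """hosts_access(5) matching for one daemon or client pattern."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                # any host whose name has no dot
        return "." not in name
    if pattern.startswith("."):           # domain suffix, e.g. .cwcim.org
        return name.endswith(pattern)
    return pattern == name                # exact daemon or host name


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(pattern_matches(p, daemon) for p in daemons)
            and any(pattern_matches(p, client) for p in clients))


def tcpd_allows(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (allowed, reason), consulting the files in tcpd's order."""
    for daemons, clients in parse_rules(allow_text):
        if rule_matches((daemons, clients), daemon, client):
            return True, "hosts.allow: %s : %s" % (" ".join(daemons), " ".join(clients))
    for daemons, clients in parse_rules(deny_text):
        if rule_matches((daemons, clients), daemon, client):
            return False, "hosts.deny: %s : %s" % (" ".join(daemons), " ".join(clients))
    return True, "no matching rule in either file"


if __name__ == "__main__":
    for daemon, client in (("in.telnetd", "news.cwcim.org"),
                           ("in.fingerd", "news.cwcim.org"),
                           ("in.fingerd", "pc1.staff.cwcim.org"),
                           ("sshd", "localhost"),
                           ("sshd", "host.example.net")):
        print(daemon, client, "->", tcpd_allows(daemon, client))
```

The last case in the usage loop shows the "mostly closed" behaviour: a host that matches nothing in hosts.allow falls through to the ALL : ALL line in hosts.deny. Passing empty strings for both files shows the opposite default, where every client is allowed.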

EXTENDED INTERNET SERVICES DAEMON

- xinetd features access control mechanisms such as TCP Wrappers, ACLs, extensive logging capabilities, and the ability to make services available based on time.
- It can place limits on the number of servers that the system can start, and has deployable defense mechanisms to protect against port scanners, among other things.

XINETD FUNCTIONS

- The xinetd daemon is a TCP-wrapper-enabled super server which controls access to a subset of popular network services including POP3, IMAP, and Telnet.
- It also provides service-specific configuration options for access control, enhanced logging, redirection, and resource utilization control.

HOW XINETD WORKS

- When a client host attempts to connect to a network service controlled by xinetd, the super server receives the request and checks for any TCP wrappers access control rules in /etc/hosts.allow and /etc/hosts.deny.
- If access is allowed, xinetd verifies that the connection is allowed under its own access rules for that service, and that the service is not consuming more than its allocated amount of resources or in breach of any other defined rules.
- It then starts an instance of the requested service and passes control of the connection to it.
- Once the connection is established, xinetd does not interfere further with communication between the client host and the server.

XINETD – CONFIGURATION FILES

- /etc/xinetd.conf
  - The master/global xinetd configuration file.
- /etc/xinetd.d/ directory
  - The directory containing all service-specific configuration files.

XINETD – ACCESS CONTROLS

- only_from - Specifies which hosts are allowed to access this service.
  only_from = 192.168.1.0/24
- no_access - Specifically denies a host or hosts.
  no_access = 192.168.1.20
  NOTE: If both only_from and no_access are specified, the one that is more specific wins. In this case, no_access wins because it specifies a specific host within the 192.168.1.0/24 network.
- access_times - Specifies a time period during which access is allowed.
  access_times = 07:30-17:30
- instances - Specifies the maximum number of instances of this service that may be launched.
  instances = 100
- per_source - Specifies the maximum number of instances that can be initiated per source IP address.

Sample /etc/xinetd.conf
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.d

/etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}
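The following script is an added example (not part of the course material or of xinetd's own code) that ties together the two preceding slides on configuration files and the earlier slide on access controls. It parses the stanza syntax used by /etc/xinetd.conf and the files under /etc/xinetd.d/ ("defaults { ... }", "service name { ... }" and the "=", "+=" and "-=" operators), merges the defaults into a service so that the telnet file's "log_on_failure += USERID" extends the default "HOST", and then checks a connection attempt against only_from, no_access, access_times, instances and per_source. The configuration text, the client addresses and the running-instance counts are constructed; the telnet stanza is given "disable = no" so that the checks can be exercised, and the access-control attributes are placed in defaults so they apply to every service. Two assumptions are built in: when only_from and no_access match equally well, the connection is denied, and limit values are either an integer or the word UNLIMITED.

```python
"""Parse xinetd-style configuration and apply its access controls.

Added example, not xinetd's code.  Constructed config text; the only_from /
no_access rule is "the more specific (longest-prefix) match wins", with an
equal match treated as deny (assumption).
"""
import ipaddress
import re
from datetime import time

SAMPLE_CONF = """
defaults
{
    instances      = 60
    log_on_failure = HOST
    only_from      = 192.168.1.0/24
    no_access      = 192.168.1.20
    access_times   = 07:30-17:30
    per_source     = 5
}
service telnet
{
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/in.telnetd
    log_on_failure += USERID
    instances      = 10
    disable        = no
}
"""

ATTR_RE = re.compile(r"(\w+)\s*(\+=|-=|=)\s*(.*)")


def parse_conf(text):
    """Return (default_ops, {service: ops}); each op is (key, operator, [values])."""
    defaults, services, current = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}"):
            continue
        if line == "defaults":
            current = defaults
        elif line.startswith("service "):
            current = services.setdefault(line.split(None, 1)[1], [])
        else:
            m = ATTR_RE.match(line)
            if not m or current is None:
                raise ValueError("cannot parse: %r" % raw)
            current.append((m.group(1), m.group(2), m.group(3).split()))
    return defaults, services


def apply_ops(cfg, ops):
    """Apply =, += and -= in order; += on a defaulted key extends the default."""
    for key, op, values in ops:
        if op == "=":
            cfg[key] = list(values)
        elif op == "+=":
            cfg[key] = cfg.get(key, []) + list(values)
        else:
            cfg[key] = [v for v in cfg.get(key, []) if v not in values]
    return cfg


def effective_config(service, text=SAMPLE_CONF):
    """Defaults first, then the service's own stanza on top."""
    defaults, services = parse_conf(text)
    return apply_ops(apply_ops({}, defaults), services[service])


def best_prefix(addr, patterns):
    """Longest prefix length among the networks containing addr, or -1."""
    hits = [ipaddress.ip_network(p, strict=False).prefixlen for p in patterns
            if addr in ipaddress.ip_network(p, strict=False)]
    return max(hits) if hits else -1


def decide(service, client_ip, now="12:00", running=0, from_client=0):
    """Return (accepted, reason) for one connection attempt at time now (HH:MM),
    given the service's running instance count and the count from this client."""
    cfg = effective_config(service)
    if cfg.get("disable", ["no"]) == ["yes"]:
        return False, "service disabled"
    addr = ipaddress.ip_address(client_ip)
    allow = best_prefix(addr, cfg.get("only_from", []))
    deny = best_prefix(addr, cfg.get("no_access", []))
    if "only_from" in cfg and allow < 0:
        return False, "address not in only_from"
    if deny >= 0 and deny >= allow:          # /32 host beats /24 network
        return False, "no_access is the more specific match"
    if "access_times" in cfg:
        start, end = (time.fromisoformat(t) for t in cfg["access_times"][0].split("-"))
        if not start <= time.fromisoformat(now) <= end:
            return False, "outside access_times"
    for key, count in (("instances", running), ("per_source", from_client)):
        limit = cfg.get(key, ["UNLIMITED"])[0]
        if limit != "UNLIMITED" and count >= int(limit):
            return False, "%s limit reached" % key
    return True, "accepted"


if __name__ == "__main__":
    print("log_on_failure =", effective_config("telnet")["log_on_failure"])
    for ip in ("192.168.1.10", "192.168.1.20", "10.0.0.5"):
        print(ip, decide("telnet", ip, "09:00"))
```

Running it prints log_on_failure as HOST USERID (the default plus the service's "+="), accepts 192.168.1.10 during working hours, rejects 192.168.1.20 because the /32 no_access entry is a better match than the /24 only_from network, and rejects 10.0.0.5 because it is outside only_from. Passing a time of 18:00, or a running count at the instances or per_source limit, exercises the remaining checks.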

CONTROLLING XINETD

- The starting and stopping of the xinetd daemon is controlled by the scripts in the /etc/init.d directory, and its behaviour at boot time is controlled by chkconfig.
- We can start/stop/restart xinetd after bootup by using the following command:
# service xinetd start | stop | restart

CONTROLLING XINETD-MANAGED SERVICES

- xinetd-managed services all store their configuration files in the /etc/xinetd.d/ directory.
- Each configuration file has a disable statement that you can set to yes or no.
- This governs whether xinetd is allowed to start them or not.
- We don't have to edit these files to activate or deactivate the application; the chkconfig command does that automatically.
