Increasing Security with xinetd


Starting with the Mac OS X 10.2 distribution, xinetd is used as the default Internet services daemon. The xinetd package, the extended Internet services daemon, is highly configurable and can provide access controls for both TCP and UDP. Among the controls for a given service that can be configured are the number of simultaneous servers, the number of connections permitted from a given source, access times, allowing and denying access to certain hosts, and limiting the rate of incoming connections. Some of these controls can help reduce denial of service attacks on your machine. xinetd can even redirect a service to a port on another machine, or to another interface on the same machine. This would be particularly useful if xinetd is running on your firewall machine.

NOTE

Using xinetd can limit the risk of DoS attacks, but not eliminate it.

Although xinetd can be configured to limit access to services in a number of ways, and is superior to inetd in its capacity to reduce the resource consumption caused by a DoS attack, it is not a complete solution. xinetd still must receive and process each network service request. Even if a particular request is going to be denied by the rules, it still consumes network bandwidth, and it still consumes processing power to detect that it's invalid.

The only way to completely eliminate the effect of DoS attacks against your machine is to get them filtered out before they reach your hardware. This is usually accomplished at the router that feeds your network. If your service provider can't provide this service to you, blocking DoS attacks at the packet-filter level (see the discussion on Carrafix and traffic shaping in Chapter 17, "Blocking Network Access: Firewalls") is most efficient at reducing the impact on your machine.

Vulnerabilities

Although xinetd is a highly configurable inetd replacement that promotes increased security, it is not immune to vulnerabilities. The following list describes recent xinetd vulnerabilities.

  • xinetd Open File Descriptor Denial of Service Vulnerability (CAN-2002-0871, BugTraq ID 5458). Services launched by xinetd inherit file descriptors from the signal pipe. An attacker could then launch a denial of service attack via the signal pipe. So far there are no known instances of this vulnerability being exploited. The vulnerability is fixed in xinetd 2.3.7.

  • Multiple xinetd Vulnerabilities (CAN-2001-1389, BugTraq ID 3257). Buffer overflows and improper NULL termination exist in versions of xinetd before version 2.3.3. These vulnerabilities can lead to denial of service attacks or remote root compromise. The vulnerabilities are fixed in version 2.3.3.

  • Zero Length Buffer Overflow Vulnerability (CAN-2001-0825, BugTraq ID 2971). Versions of xinetd before 2.1.8.8 improperly handle string data in some internal functions. As a result, a buffer overflow can occur when a length argument with a value less than or equal to zero is passed to one of these internal functions. This could result either in a root compromise on the machine, or in denial of service for services started by xinetd, if xinetd crashes. Fixes that were originally available for this vulnerability may not completely fix the problem, but the problem is fixed in version 2.3.3.

Installing xinetd

The first vulnerability listed in the previous section, CAN-2002-0871, indicates that a fix is available in xinetd 2.3.7. Mac OS X 10.2, however, originally came with xinetd 2.3.5. If you check your logs, and you see an entry like the one below, you have a version of xinetd with the particular denial of service vulnerability contained in CAN-2002-0871.

    Aug 26 18:13:49 Sage-Rays-Computer xinetd[1112]: xinetd Version 2.3.5 started with libwrap options compiled in.

Make sure you apply the latest updates to replace your version of xinetd. You can always download the most recent version from http://www.xinetd.org/. As of this writing, the latest version is 2.3.11. If you upgrade an application yourself before Apple provides an update, save your newer version somewhere, in case Software Update should overwrite your version with something that might not be as current. If Software Update overwrites your version with the same or a newer version, you can probably remove yours entirely, unless you had customized your version.

xinetd follows this basic format for compilation and installation:

    ./configure
    make
    make install

A few compile-time options that you can pass to configure are documented in Table 11.1. The install step must be done as root. Depending on how you want to maintain your machine, you may just prefer to copy the binary to /usr/libexec/, or you may want to store your updated version of xinetd in a completely separate location. To keep your updated version of xinetd as capable as the one Apple provides, we recommend at least running configure with the --with-libwrap option. The libwrap path is /usr/lib/libwrap.a. Make sure you keep backup copies of the original xinetd and its configuration file, /etc/xinetd.conf.

Table 11.1. Compile-Time Options for xinetd

Option

Description

--prefix=PATH

Specifies the directory prefix for installing xinetd. The default is /usr/local.

--with-libwrap=PATH

Compiles in support for TCP Wrappers. With this option on, xinetd first looks at the TCP Wrappers controls file(s). If access is granted, xinetd then continues on to its access controls.

--with-loadavg

Compiles in support for the max_load configuration option, which causes a service to stop accepting connections when the specified load has been reached. The option is currently supported only on Linux and Solaris.

--with-inet6

Causes services to default to IPv6. However, IPv6 support is now fully integrated into xinetd, rendering this option meaningless.

NOTE

If you decide to install xinetd on Mac OS X 10.1 or earlier and want to compile in libwrap support, you need to download some libwrap files first. They are available from http://www.opensource.apple.com/projects/darwin/1.0/projects.html if you select the tcp-wrappers download. The source builds its files in /tmp/. If you want to put the files in /usr/local/, make /usr/local/lib/ and /usr/local/include/ directories, if they do not already exist. If you want to install the files elsewhere, replace the /usr/local/ references as appropriate. Then at the root of the source directory, do the following:

    make RC_ARCHS=ppc install
    cp /tmp/tcp_wrappers/Release/usr/local/lib/libwrap.a /usr/local/lib/
    ranlib /usr/local/lib/libwrap.a
    cp /tmp/tcp_wrappers/Release/usr/local/include/tcpd.h /usr/local/include/

In Mac OS X, xinetd runs by default as xinetd -pidfile /var/run/xinetd.pid. However, more runtime options are also available for xinetd, and are listed in Table 11.2.

Table 11.2. Runtime Options for xinetd

Option

Description

-d

Enables debug mode.

-syslog <syslog_facility>

Enables syslog logging of xinetd-produced messages using the specified syslog facility. The following syslog facilities may be used: daemon, auth, user, local[0-7]. Ineffective in debug mode.

-filelog <log_file>

Specifies where to log xinetd-produced messages. Ineffective in debug mode.

-f <config_file>

Specifies which file to use as the config file. Default is /etc/xinetd.conf.

-pidfile <pid_file>

Writes the process ID to the file specified. Ineffective in debug mode. Apple starts xinetd with this option:

    xinetd -pidfile /var/run/xinetd.pid

-stayalive

Tells xinetd to stay running even if no services are specified.

-limit <proc_limit>

Limits the number of concurrently running processes that can be started by xinetd.

-logprocs <limit>

Limits the number of concurrently running servers for remote user ID acquisition.

-cc <interval>

Performs consistency checks on its internal state every <interval> seconds.

Configuring xinetd

The default /etc/xinetd.conf file that comes with Mac OS X 10.2 is shown in Listing 11.2.

Listing 11.2 The Default /etc/xinetd.conf File
     1  # man xinetd.conf for more information
     2
     3  defaults
     4  {
     5          instances               = 60
     6          log_type                = SYSLOG daemon
     7          log_on_success          = HOST PID
     8          log_on_failure          = HOST
     9          cps                     = 25 30
    10  }
    11
    12  includedir /etc/xinetd.d

The /etc/xinetd.conf file looks very different from the /etc/inetd.conf file. This file has two major sections to it: a defaults section and a services section. The defaults section has controls that are basic defaults for the services. Each service has further controls and can also override or augment controls listed in the defaults section. Briefly, the intent of the lines of this file is as follows:

  • Line 3 labels the defaults section of the file.

  • Line 4 starts the configuration for the defaults section of the file.

  • Line 5 sets the first defaults attribute, instances, which limits the number of servers for a given service to 60.

  • Line 6 sets the log_type attribute to the SYSLOG facility at the daemon level.

  • Line 7 sets the log_on_success attribute to HOST, which logs the remote host's IP address, and PID, the process ID of the server.

  • Line 8 sets the log_on_failure attribute to HOST, which logs the remote host's IP address.

  • Line 9 sets the cps attribute, the one that limits the connections per second, to 25 connections per second. When this limit is reached, the service disables itself for the number of seconds specified in the second argument, 30 seconds in this case.

  • Line 10 ends the defaults configuration section.

  • Line 12 starts the services section by using the includedir directive to specify that every file in the /etc/xinetd.d directory, excluding files containing . or ~, is parsed as an xinetd configuration file. The files are parsed in alphabetical order according to the C locale.

Already you can tell that xinetd has more functionality than the traditional inetd. For instance, inetd cannot limit the number of connections per second. The items listed in this default /etc/xinetd.conf file are not the only ones that can be listed in this section, nor are the default values necessarily the only possible values. Table 11.3 shows a listing of available attributes for xinetd.
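The cps = 25 30 default from line 9, modelled in Python as an added example (not xinetd's own code) to make the trade-off in the NOTE at the top concrete: once the 26th connection arrives within a single second the service is switched off for 30 seconds, and during that window legitimate clients are refused as well. The model assumes connections are counted per whole second, that the connection crossing the limit is itself refused, and that the service comes back exactly 30 seconds after it was disabled.

```python
"""Model of xinetd's 'cps = <rate> <interval>' control (added example, not
xinetd's code).  Assumptions: connections are counted per whole second, the
connection that crosses the limit is itself refused, and the service is
re-enabled exactly <interval> seconds after it was disabled."""


class CpsLimiter:
    def __init__(self, rate=25, interval=30):
        self.rate = rate              # connections allowed per second
        self.interval = interval      # seconds the service stays disabled
        self.current_second = None
        self.count = 0
        self.disabled_until = None    # absolute time the service returns

    def accept(self, t):
        """Return True if a connection arriving at time t (seconds) is served."""
        if self.disabled_until is not None:
            if t < self.disabled_until:
                return False          # still disabled: everyone is refused
            self.disabled_until = None
            self.count = 0
        if int(t) != self.current_second:
            self.current_second, self.count = int(t), 0
        self.count += 1
        if self.count > self.rate:
            self.disabled_until = t + self.interval
            return False
        return True


def simulate(limiter, arrivals):
    """Feed a list of arrival times through the limiter; return the decisions."""
    return [limiter.accept(t) for t in arrivals]


def demo():
    """Constructed scenario: a 30-connection burst starting at t=100, then a
    legitimate client at t=115 and again at t=131.  Returns both decision sets."""
    lim = CpsLimiter(rate=25, interval=30)
    burst = simulate(lim, [100 + i / 100 for i in range(30)])
    later = {t: lim.accept(t) for t in (115.0, 131.0)}
    return burst, later
```

Lowering cps shortens the outage an attacker can cause per burst but does nothing about the bandwidth and CPU xinetd still spends refusing the traffic, which is why the NOTE points upstream to the router or packet filter.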

Table 11.3. Available Attributes for xinetd

Attribute

Description

id

Used to uniquely identify a service. Useful for services that can use different protocols and need to be described with different entries in the configuration file. Default service ID is the same as the service name.

type

Any combination of the following can be used:

RPC : Specifies service as an RPC service.

INTERNAL : Specifies service as provided by xinetd .

UNLISTED : Specifies that the service is not listed in a standard system file, such as /etc/services or /etc/rpc .

flags

Any combination of the following can be used:

INTERCEPT : Intercepts packets or accepted connections to verify that they are coming from acceptable locations. Internal or multithreaded services cannot be intercepted.

NORETRY : Avoids retry attempts in case of fork failure.

IDONLY : Accepts connections only when the remote end identifies the remote user. Applies only to connection-based services.

NAMEINARGS : Causes the first argument to server_args to be the name of the server. Useful for using TCP Wrappers.

NODELAY : For a TCP service, sets the TCP_NODELAY flag on the socket. Has no effect on other types of services.

DISABLE : Specifies that this service is to be disabled. Overrides the enabled directive in defaults.

KEEPALIVE : For a TCP service, sets the SO_KEEPALIVE flag on the socket. Has no effect on other types of services.

NOLIBWRAP : Disables internal calling of the tcpwrap library to determine access to the service.

SENSOR : Replaces the service with a sensor that detects accesses to the specified port. Does not detect stealth scans. Should be used only on services you know you don't need. Whenever a connection is made to the service's port, adds the IP address to a global no_access list until the deny_time setting expires.

IPv4 : Sets the service to an IPv4 service.

IPv6 : Sets the service to an IPv6 service.

disable

Has a value of yes or no. Overrides the enabled directive in defaults.

socket_type

Has a value of stream, dgram, raw, or seqpacket.

protocol

Specifies the protocol used by the service. Protocol must exist in /etc/protocols . If it is not defined, the default protocol for the service is used.

wait

Specifies whether the service is single-threaded or multithreaded. If yes, it is single-threaded; xinetd starts the service and stops handling requests for the service until the server dies. If no, it is multithreaded; xinetd keeps handling new service requests.

user

Specifies the UID for the server process. Username must exist in /etc/passwd .

group

Specifies the GID for the server process. Group must exist in /etc/group . If a group is not specified, the group of the user is used.

instances

Determines the number of simultaneous instances of the server. Default is unlimited. The value can be an integer or UNLIMITED.

nice

Specifies server priority.

server

Specifies the program to execute for this service.

server_args

Specifies arguments to be passed to the server. Server name should not be included, unless the NAMEINARGS flag has been specified.

only_from

Specifies to which remote hosts the service is available. Can be specified as:

A numeric address in the form %d.%d.%d.%d; a rightmost component of 0 acts as a wildcard. IPv6 hosts may be specified as abcd:ef01::2345:6789.

A factorized address in the form of %d.%d.%d.{%d,%d,...}. There is no need for all four components (that is, %d.%d.{%d,%d,...%d} is also okay). However, the factorized part must be at the end of the address. Does not work for IPv6.

A network name (from /etc/networks). Does not work for IPv6.

A hostname or domain name in the form of .domain.com.

An IP address/netmask range in the form of 1.2.3.4/32. IPv6 address/netmask ranges in the form of 1234::/46 are also valid.

Specifying this attribute without a value makes the service available to nobody.

no_access

Specifies the remote hosts to which this service is not available. Value can be specified in the same forms as for only_from. When neither only_from nor no_access is specified, the service is available to anyone. If both are listed, the one that is the better match for the host determines availability of the service to the host. For example, if only_from is 192.168.1.0 and no_access is 192.168.1.10, then 192.168.1.10 does not have access.

access_times

Specifies time intervals when the service is available. An interval has the form hour:min-hour:min. Hours can range from 0-23; minutes can range from 0-59.

log_type

Specifies where service log output is sent. May either be SYSLOG or FILE , as follows:

SYSLOG <syslog_facility> [ <syslog_level> ]

Possible facility names include daemon, auth, authpriv, user, local0-7. Possible level names include emerg, alert, crit, err, warning, notice, info, debug. If a level is not present, the messages will be recorded at the info level.

FILE <file> [ <soft_limit> ] [ <hard_limit> ]

Log output is appended to <file>, which is created if it does not exist.

log_on_success

Specifies what information is logged when the server is started and exits. Any combination of the following can be specified:

PID : Logs the server process ID.

HOST : Logs the remote host's address.

USERID : Logs remote user ID using RFC 1413 identification protocol. Only available for multithreaded stream services.

EXIT : Logs the fact that the server exited along with the exit status or termination signal.

DURATION : Logs the duration of the server session.

log_on_failure

Specifies what is logged when a server cannot start, either from lack of resources or access configuration. Any combination of the following can be specified:

HOST : Logs the remote host's address

USERID : Logs remote user ID using RFC 1413 identification protocol. Available for multithreaded stream services only.

RECORD : Logs as much information about the remote host as possible.

ATTEMPT : Logs the fact that a failed attempt was made. Implied by use of any of the other options.

rpc_version

Specifies the RPC version of an RPC service. Can be a single number or a range in the form of number-number.

rpc_number

Specifies the number for an unlisted RPC service.

env

Value of this attribute is a list of strings of the form <name>=<value>. These strings are added to the server's environment, giving it xinetd's environment as well as the environment specified by the env attribute.

passenv

Value of this attribute is a list of environment variables from xinetd's environment to be passed to the server. An empty list implies passing no variables to the server except those explicitly defined by the env attribute.

port

Specifies the service port. If this attribute is listed for a service in /etc/services , it must be the same as the port number listed in that file.

redirect

Allows a TCP service to be redirected to another host. Useful for when your internal machines are not visible to the outside world. Syntax is

redirect = <IP address or host name> <port>

The server attribute is not required when this attribute is specified. If the server attribute is specified, this attribute takes priority.

bind

Allows a service to be bound to a specific interface on the machine.

interface

Synonym for bind.

banner

Name of the file to be displayed to the remote host when a connection to that service is made. The banner is displayed regardless of access control.

banner_success

Name of the file to be displayed to the remote host when a connection to that service is granted. Banner is displayed as soon as access to the service is granted.

banner_fail

Name of the file to be displayed to the remote host when a connection to a service is denied. Banner is printed immediately upon denial of access.

per_source

Specifies the maximum number of connections permitted per server per source IP address. May be an integer or UNLIMITED.

cps

Limits the rate of incoming connections. Takes two arguments. The first is the number of connections per second. If the number of connections per second exceeds this rate, the server is temporarily disabled. The second argument specifies the number of seconds to wait before reenabling the server.

groups

Takes either yes or no. If yes, the server is executed with access to the groups to which the server's effective UID has access. If no, the server runs with no supplementary groups. Must be set to yes for many BSD-flavored versions of Unix.

umask

Sets the inherited umask for the service. Expects an octal value. May be set in the defaults section to set a umask for all services. xinetd sets its own umask to the previous umask ORed with 022. This is the umask inherited by child processes if the umask attribute is not set.

enabled

Takes a list of service names to enable. Note that the service disable attribute and DISABLE flag can prevent a service from being enabled despite its being listed in this attribute.

include

Takes a filename in the form of include /etc/xinetd/service. The file is then parsed as a new configuration file. May not be specified from within a service declaration.

includedir

Takes a directory name in the form of includedir /etc/xinetd.d. Every file in the directory, excluding files containing . or ending with ~, is parsed as an xinetd.conf file. Files are parsed in alphabetical order according to the C locale. May not be specified within a service declaration.

rlimit_cpu

Sets the maximum number of CPU seconds that the service may use. May either be a positive integer or UNLIMITED.

rlimit_data

Sets the maximum data resource size limit for the service. May either be a positive integer representing the number of bytes or UNLIMITED.

rlimit_rss

Sets the maximum resident set size limit for the service. Setting this value low makes the process a likely candidate for swapping out to disk when memory is low. One parameter is required, which is either a positive integer representing the number of bytes or UNLIMITED.

rlimit_stack

Sets the maximum stack size limit for the service. One parameter is required, which is either a positive integer representing the number of bytes or UNLIMITED.

deny_time

Sets the time span during which access to all services is denied to an IP address that sets off the SENSOR. Must be used in conjunction with the SENSOR flag. Options are

FOREVER : IP address is not purged until xinetd is restarted.

NEVER : Just logs the offending IP address.

<number> : A numerical value of time in minutes. A typical time would be 60 minutes, to stop most DoS attacks while allowing IP addresses coming from a pool to be recycled for legitimate purposes.
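To see how only_from, no_access and access_times interact, here is an added Python example (not xinetd's own code) that parses a service block in the format used throughout this chapter and decides whether a given client address, at a given time of day, would be handed to the server. It covers the numeric, address/netmask and factorized IPv4 forms listed under only_from, and the "better match wins" rule from the no_access entry; hostname and network-name forms, IPv6 and the += / -= assignment operators are assumed out of scope, and a tie in match specificity is assumed to deny.

```python
"""Evaluate xinetd only_from / no_access / access_times for one client (added
example, not xinetd's code).  Assumes IPv4 numeric, CIDR and factorized forms
only (no hostnames, network names, IPv6), '=' only, and that a tie denies."""
import ipaddress
import re

def parse_pattern(pat):
    """Expand one only_from/no_access pattern into a list of IPv4 networks."""
    m = re.fullmatch(r"(.*)\{([^}]*)\}", pat)
    if m:  # factorized form, e.g. 10.0.{1,2} -> 10.0.1 and 10.0.2
        nets = []
        for comp in m.group(2).split(","):
            nets.extend(parse_pattern(m.group(1) + comp.strip()))
        return nets
    if "/" in pat:  # address/netmask form, e.g. 1.2.3.4/32
        return [ipaddress.ip_network(pat, strict=False)]
    comps = pat.split(".")
    while len(comps) > 1 and comps[-1] == "0":  # trailing 0 is a wildcard
        comps.pop()
    bits = 0 if comps == ["0"] else 8 * len(comps)  # 192.168.1.0 -> /24
    addr = ".".join(comps + ["0"] * (4 - len(comps)))
    return [ipaddress.ip_network(f"{addr}/{bits}", strict=False)]

def best_match(addr, patterns):
    """Prefix length of the most specific pattern containing addr, or -1."""
    best = -1
    for pat in patterns:
        for net in parse_pattern(pat):
            if addr in net:
                best = max(best, net.prefixlen)
    return best

def host_allowed(addr, only_from=None, no_access=None):
    """None = attribute not set; [] = set without a value (nobody)."""
    addr = ipaddress.ip_address(addr)
    if only_from is None and no_access is None:
        return True  # neither attribute: available to anyone
    allow, deny = best_match(addr, only_from or []), best_match(addr, no_access or [])
    if only_from is not None and allow < 0:
        return False  # host is not in only_from at all
    if deny < 0:
        return True  # no no_access entry covers the host
    return allow > deny  # more specific entry wins; a tie denies

def within_access_times(value, hour, minute):
    """access_times = hour:min-hour:min [...]; True inside any interval."""
    now = 60 * hour + minute
    for interval in value.split():
        (h1, m1), (h2, m2) = [tuple(int(x) for x in part.split(":"))
                              for part in interval.split("-")]
        if 60 * h1 + m1 <= now <= 60 * h2 + m2:
            return True
    return False

def parse_service(text):
    """Parse one 'service name { attr = value ... }' block into (name, attrs)."""
    m = re.search(r"service\s+(\S+)\s*\{(.*)\}", text, re.S)
    attrs = {}
    for line in m.group(2).splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            attrs[key.strip()] = val.strip()
    return m.group(1), attrs

def service_allows(config_text, addr, hour, minute):
    """Would xinetd hand this client to the server under the block's controls?"""
    _, attrs = parse_service(config_text)
    if attrs.get("disable", "no") == "yes":
        return False
    hosts = lambda k: attrs[k].split() if k in attrs else None
    if not host_allowed(addr, hosts("only_from"), hosts("no_access")):
        return False
    times = attrs.get("access_times")
    return times is None or within_access_times(times, hour, minute)

# Constructed sample in the style of Listing 11.4, not an Apple default.
SAMPLE_FTP = """service ftp
{
        disable      = no
        only_from    = 192.168.1.0 10.0.{1,2}
        no_access    = 192.168.1.10
        access_times = 8:00-17:30
}"""
```

Running service_allows(SAMPLE_FTP, "192.168.1.10", 12, 0) reproduces the table's example (the /32 no_access entry beats the /24 only_from entry), while "192.168.1.20" at the same time is admitted and any host after 17:30 is refused.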

OS X has default xinetd configuration files for the following services:

    % ls /etc/xinetd.d
    auth         comsat       echo-udp     login        tftp
    bootps       daytime      exec         ntalk        time
    chargen      daytime-udp  finger       shell        time-udp
    chargen-udp  echo         ftp          telnet

As you can see, services that require two lines in /etc/inetd.conf, such as time, require two files in /etc/xinetd.d. Listing 11.3 includes the default listings for the ftp, time, and time-udp files.

Listing 11.3 Default xinetd Configuration Files for the ftp, time, and time-udp Files

    service ftp
    {
            disable         = yes
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/libexec/ftpd
            server_args     = -l
            groups          = yes
            flags           = REUSE
    }

    service time
    {
            disable         = yes
            type            = INTERNAL
            id              = time-stream
            socket_type     = stream
            wait            = no
            user            = root
            groups          = yes
            flags           = REUSE
    }

    service time-udp
    {
            disable         = yes
            type            = INTERNAL
            id              = time-dgram
            socket_type     = dgram
            wait            = yes
            user            = root
            groups          = yes
            flags           = REUSE
    }

Because FTP is a service that you might possibly enable, let's take a brief look at the attributes of the default /etc/xinetd.d/ftp file from Listing 11.3:

  • Line 3 sets the first attribute, disable, to yes. This means that by default, the FTP service is disabled. /etc/inetd.conf simply has a # in front of a service to disable it.

  • Line 4 sets the socket_type attribute to stream. This was the second item in the ftp line of /etc/inetd.conf.

  • Line 5 sets the wait attribute to no. This was the third item in the ftp line of /etc/inetd.conf.

  • Line 6 sets the user attribute to root. This was the fourth item in the ftp line of /etc/inetd.conf.

  • Line 7 sets the server attribute to /usr/libexec/ftpd. This was the fifth item in the ftp line of /etc/inetd.conf.

  • Line 8 sets the server_args attribute to -l. This was the final item in the ftp line of /etc/inetd.conf.

  • Line 9 sets the groups attribute to yes. This is required for BSD-flavored versions of Unix. Because this attribute is required for all of your xinetd services, you could also move it to the defaults section of /etc/xinetd.conf and then remove it from the individual service files.

  • Line 10 sets the flags attribute to REUSE. This seems to be an undocumented flag, but online wisdom indicates that it is a good flag to use.

As was the case with the /etc/inetd.conf file, the time service contains the same major descriptors, but in a different form. Unlike the ftp xinetd configuration file, the time and time-udp files also include the id attribute to uniquely identify the services.

Perhaps one of the most notable differences between the default /etc/inetd.conf file and the /etc/xinetd.d/ftp file is that the server is set to /usr/libexec/tcpd in the inetd.conf file, but in the ftp file, it is set to /usr/libexec/ftpd . Because inetd is not as configurable, it is important to use TCP Wrappers. However, you can configure host access information directly in xinetd without having to use TCP Wrappers. We recommend that you make use of that built-in capability. Additionally, xinetd includes support for displaying banners for services.

If you want to enable any of the default services controlled by xinetd, change the disable entry to no and restart xinetd by sending it a HUP signal using either of the following methods:

    kill -HUP <xinetd_pid>
    killall -HUP xinetd

Likewise, if you want to change any of the default configuration files, or add services not included in the initial set of default configuration files, simply restart xinetd to have them take effect. Listing 11.4 includes recommended xinetd configurations for services that might be of interest to you. If you want to change any of the defaults that appear in /etc/xinetd.conf for a given service, be sure to include that updated attribute in the service's file.

Finally, we also recommend that you reverse the starting order of inetd and xinetd in /System/Library/StartupItems/IPServices/IPServices. As of this writing, inetd starts before xinetd, but we recommend that you change the lines to read as follows:

    xinetd -pidfile /var/run/xinetd.pid
    inetd

This change will ensure that any services you start via the System Preferences are controlled as they were intended to be.

Listing 11.4 Recommended Basic xinetd Configurations
    service ftp
    {
            disable         = no
            flags           = REUSE
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/libexec/ftpd
            server_args     = -l
            groups          = yes
            only_from       = <host list>
            no_access       = <host list>
            access_times    = <time intervals>
    }

    service imap
    {
            disable         = no
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/local/libexec/imapd
            groups          = yes
            flags           = REUSE
    }

    service pop3
    {
            disable         = no
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/local/libexec/ipop3d
            groups          = yes
            flags           = REUSE
    }

    service swat
    {
            disable         = no
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/sbin/swat
            groups          = yes
            flags           = REUSE
    }

(Note that the swat service also needs a corresponding swat 901/tcp line in /etc/services.)

Wrapping xinetd Processes

Although xinetd already has built-in host access restriction capabilities, if you decide that you would rather use TCP Wrappers on a service controlled by xinetd, you need to add a flag, NAMEINARGS, to the service and further expand the server_args line to include the full path to the service. Replace the original path to the server with the path to tcpd. Here's an example for using TCP Wrappers for restricting access to the FTP service in xinetd:

    service ftp
    {
            flags       = REUSE NAMEINARGS
            socket_type = stream
            protocol    = tcp
            wait        = no
            user        = root
            server      = /usr/libexec/tcpd
            server_args = /usr/libexec/ftpd -l
    }

Mac OS X Maximum Security
Maximum Mac OS X Security
ISBN: 0672323818
Year: 2003
Pages: 158
