Increasing Security with xinetd


Increasing Security with xinetd

Starting with the Mac OS X 10.2 distribution, xinetd is used as the default Internet services daemon. The xinetd package, the extended Internet services daemon, is highly configurable and can provide access controls for both TCP and UDP. Among the controls for a given service that can be configured are the number of simultaneous servers, the number of connections permitted from a given source, access times, allowing and denying access to certain hosts , and limiting the rate of incoming connections. Some of these controls can help reduce denial of service attacks on your machine. xinetd can even redirect a service to a port on another machine, or to another interface on the same machine. This would be particularly useful if xinetd is running on your firewall machine.


Using xinetd can limit the risk of DoS attacks, but not eliminate it.

Although xinetd can be configured to limit access to services in a number of ways, and is superior to inetd in its capacity to reduce the resource consumption caused by a DoS attack, it is not a complete solution. xinetd still must receive and process each network service request. Even if a particular request is going to be denied by the rules, it still consumes network bandwidth, and it still consumes processing power to detect that it's invalid.

The only way to completely eliminate the effect of DoS attacks against your machine is to get them filtered out before they reach your hardware. This is usually accomplished at the router that feeds your network. If your service provider can't provide this service to you, blocking DoS attacks at the packet-filter level (see the discussion on Carrafix and traffic shaping in Chapter 17, "Blocking Network Access: Firewalls") is most efficient at reducing the impact on your machine.


Although xinetd is a highly configurable inetd replacement that promotes increased security, it is not immune to vulnerabilities. The following list describes recent xinetd vulnerabilities.

  • xinetd Open File Descriptor Denial of Service Vulnerability (CAN-2002-0871, BugTraq ID 5458). Services launched by xinetd inherit file descriptors from the signal pipe. An attacker could then launch a denial of service attack via the signal pipe. So far there are no known instances of this vulnerability being exploited. The vulnerability is fixed in xinetd 2.3.7.

  • Multiple xinetd Vulnerabilities (CAN-2001-1389, BugTraq ID 3257). Buffer overflows and improper NULL termination exist in versions of xinetd before version 2.3.3. These vulnerabilities can lead to denial of service attacks or remote root compromise. The vulnerabilities are fixed in version 2.3.3.

  • Zero Length Buffer Overflow Vulnerability (CAN-2001-0825, BugTraq ID 2971). Versions of xinetd before improperly handle string data in some internal functions. As a result, a buffer overflow can occur when a length argument with a value less than or equal to zero is passed to one of these internal functions. This could result either in a root compromise on the machine, or in denial of service for services started by xinetd , if xinetd crashes. Fixes that were originally available for this vulnerability may not completely fix the problem, but the problem is fixed in version 2.3.3.

Installing xinetd

The first vulnerability listed in the previous section, CAN-2002-0871, indicates that a fix is available in xinetd 2.3.7. Mac OS X 10.2, however, originally came with xinetd 2.3.5. If you check your logs, and you see an entry like the one below, you have a version of xinetd with the particular denial of service vulnerability contained in CAN-2002-0871.

[View full width]
[View full width]
Aug 26 18:13:49 Sage-Rays-Computer xinetd[1112]: xinetd Version 2.3.5 started with graphics/ccc.gif libwrap options compiled in.

Make sure you apply the latest updates to replace your version of xinetd . You can always download the most recent version from As of this writing, the latest version is 2.3.11. If you upgrade an application yourself before Apple provides an update, save your newer version somewhere, in case Software Update should overwrite your version with something that might not be as current. If Software Update overwrites your version with the same or newer , you can probably remove yours entirely, unless you had customized your version.

xinetd follows this basic format for compilation and installation:

 ./configure make make install 

A few compile-time options that you can pass to configure are documented in Table 11.1. The install step must be done as root . Depending on how you want to maintain your machine, you may just prefer to copy the binary to /usr/libexec/ , or you may want to store your updated version of xinetd in a completely separate location. To keep your updated version of xinetd as capable as the one Apple provides, we recommend at least running configure with the --with-libwrap option. The libwrap path is /usr/lib/libwrap.a . Make sure you keep backup copies of the original xinetd and its configuration file, /etc/xinetd.conf .

Table 11.1. Compile-Time Options for xinetd




Specifies the directory prefix for installing xinetd . The default is /usr/local .


Compiles in support for TCP Wrappers. With this option on, xinetd first looks at the TCP Wrappers controls file(s). If access is granted, xinetd then continues on to its access controls.


Compiles in support for the max_load configuration option, which causes a service to stop accepting connections when the specified load has been reached. The option is currently supported only on Linux and Solaris.


Causes services to default to IPv6. However, IPv6 support is now fully integrated into xinetd , rendering this option meaningless.


If you decide to install xinetd on Mac OS X 10.1 or earlier and want to compile in libwrap support, you need to download some libwrap files first. They are available from if you select the tcp-wrappers download. The source builds its files in /tmp/ . If you want to put the files in /usr/local/ , make /usr/local/lib/ and /usr/local/include/ directories, if they do not already exist. If you want to install the files elsewhere, replace the /usr/local/ references as appropriate. Then at the root of the source directory, do the following:

[View full width]
[View full width]
make RC_ARCHS=ppc install cp /tmp/tcp_wrappers/Release/usr/local/lib/libwrap.a /usr/local/ graphics/ccc.gif lib/ ranlib /usr/local/lib/libwrap.a cp /tmp/tcp_wrappers/Release/usr/local/include/tcpd.h /usr/local/ graphics/ccc.gif include/

In Mac OS X, xinetd runs by default as xinetd -pidfile /var/run/ . However, more runtime options are also available for xinetd , and are listed in Table 11.2.

Table 11.2. Runtime Options for xinetd




Enables debug mode.

-syslog <syslog_facility>

Enables syslog logging of xinetd -produced messages using the specified syslog facility. The following syslog facilities may be used: daemon , auth , user , local[0-7] . Ineffective in debug mode.

-filelog <log_file>

Specifies where to log xinetd -produced messages. Ineffective in debug mode.

-f <config_file>

Specifies which file to use as the config file. Default is /etc/xinetd.conf .

-pidfile <pid_file>

Writes the process ID to the file specified. Ineffective in debug mode. Apple starts xinetd with this option:

xinetd -pidfile /var/run/


Tells xinetd to stay running even if no services are specified.

-limit <proc_limit>

Limits the number of concurrently running processes that can be started by xinetd .

-logprocs <limit>

Limits the number of concurrently running servers for remote user ID acquisition.

-cc <interval>

Performs consistency checks on its internal state every <interval> seconds.

Configuring xinetd

The default /etc/xinetd.conf file that comes with Mac OS X 10.2 is shown in Listing 11.2.

Listing 11.2 The Default /etc/xinetd.conf File
 1  # man xinetd.conf for more information 2 3  defaults 4  { 5          instances               = 60 6          log_type                = SYSLOG daemon 7          log_on_success          = HOST PID 8          log_on_failure          = HOST 9          cps                     = 25 30 10  } 11 12  includedir /etc/xinetd.d 

The /etc/xinetd.conf file looks very different from the /etc/inetd.conf file. This file has two major sections to it: a defaults section and a services section. The defaults section has controls that are basic defaults for the services. Each service has further controls and can also override or augment controls listed in the defaults section. Briefly, the intent of the lines of this file is as follows:

  • Line 3 labels the defaults section of the file.

  • Line 4 starts the configuration for the defaults section of the file.

  • Line 5 sets the first defaults attribute, instances , which specifies the limit of servers for a given service to 60 .

  • Line 6 sets the log_type attribute to the SYSLOG facility at the daemon level.

  • Line 7 sets the log_on_success attribute to HOST , which logs the remote host's IP address, and PID , the process ID of the server.

  • Line 8 sets the log_on_failure attribute to HOST , which logs the remote host's IP address.

  • Line 9 sets the cps attribute, the one that limits the connections per second, to 25 connections per second. When this limit is reached, the service disables itself for the number of seconds specified in the second argument ” 30 seconds in this case.

  • Line 10 ends the defaults configuration section.

  • Line 12 starts the services section by using the includedir directive to specify that every file in the /etc/xinetd.d directory, excluding files containing . or ~ , is parsed as an xinetd configuration file. The files are parsed in alphabetical order according to the C locale.

Already you can tell that xinetd has more functionality than the traditional inetd . For instance, inetd cannot limit the number of connections per second. The items listed in this default /etc/xinetd.conf file are not the only ones that can be listed in this section, nor are the default values necessarily the only possible values. Table 11.3 shows a listing of available attributes for xinetd .

Table 11.3. Available Attributes for xinetd




Used to uniquely identify a service. Useful for services that can use different protocols and need to be described with different entries in the configuration file. Default service ID is the same as the service name .


Any combination of the following can be used:

RPC : Specifies service as an RPC service.

INTERNAL : Specifies service as provided by xinetd .

UNLISTED : Specifies that the service is not listed in a standard system file, such as /etc/services or /etc/rpc .


Any combination of the following can be used:

INTERCEPT : Intercepts packets or accepted connections to verify that they are coming from acceptable locations. Internal or multithreaded services cannot be intercepted.

NORETRY : Avoids retry attempts in case of fork failure.

IDONLY : Accepts connections only when the remote end identifies the remote user. Applies only to connection-based services.

NAMEINARGS : Causes the first argument to server_args to be the name of the server. Useful for using TCP Wrappers.

NODELAY : For a TCP service, sets the TCP_NODELAY flag on the socket. Has no effect on other types of services.

DISABLE : Specifies that this service is to be disabled. Overrides the enabled directive in defaults.

KEEPALIVE : For a TCP service, sets the SO_KEEPALIVE flag on the socket. Has no effect on other types of services.

NOLIBWRAP : Disables internal calling of the tcpwrap library to determine access to the service.

SENSOR : Replaces the service with a sensor that detects accesses to the specified port. Does not detect stealth scans . Should be used only on services you know you don't need. Whenever a connection is made to the service's port, adds the IP address to a global no_access list until the deny_time setting expires .

IPv4 : Sets the service to an IPv4 service.

IPv6 : Sets the service to an IPv6 service.


Has a value of yes or no . Overrides the enabled directive in defaults.


Has a value of stream , dgram , raw , or seqpacket .


Specifies the protocol used by the service. Protocol must exist in /etc/protocols . If it is not defined, the default protocol for the service is used.


Specifies whether the service is single-threaded or multithreaded. If yes, it is single-threaded; xinetd starts the service and stops handling requests for the service until the server dies. If no, it is multithreaded; xinetd keeps handling new service requests.


Specifies the UID for the server process. Username must exist in /etc/passwd .


Specifies the GID for the server process. Group must exist in /etc/group . If a group is not specified, the group of the user is used.


Determines the number of simultaneous instances of the server. Default is unlimited. The value can be an integer or UNLIMITED .


Specifies server priority.


Specifies the program to execute for this service.


Specifies arguments to be passed to the server. Server name should not be included, unless the NAMEINARGS flag has been specified.


Specifies to which remote hosts the service is available. Can be specified as:

A numeric address in the form %d.%d.%d.%d . is a wildcard. IPv6 hosts may be specified as abcd:ef01::2345:6789 .

A factorized address in the form of %d.%d.%d.{%d,%d,...} . There is no need for all four components (that is, %d.%d.{%d,%d,...%d} is also okay). However, the factorized part must be at the end of the address. Does not work for IPv6.

A network name (from /etc/networks ). Does not work for IPv6.

A hostname or domain name in the form of .

An IP address/ netmask range in the form of . IPv6 address/netmask ranges in the form of 1234::/46 are also valid.

Specifying this attribute without a value makes the service available to nobody.


Specifies the remote hosts to which this service is not available. Value can be specified in the same forms as for only_from . When neither only_from nor no_access is specified, the service is available to anyone . If both are listed, the one that is the better match for the host determines availability of the service to the host. For example, if only_from is and no_access is , then does not have access.


Specifies time intervals when the service is available. An interval has the form: hour:min- hour :min . Hours can range from 0 “23; minutes can range from 0 “59.


Specifies where service log output is sent. May either be SYSLOG or FILE , as follows:

SYSLOG <syslog_facility> [ <syslog_level> ]

Possible facility names include daemon , auth , authpriv , user , local0-7 . Possible level names include emerg , alert , crit , err , warning , notice , info , debug . If a level is not present, the messages will be recorded at the info level.

FILE <file> [ <soft_limit> ] [ <hard_limit> ]

Log output is appended to <file >, which is created if it does not exist.


Specifies what information is logged when the server is started and exits. Any combination of the following can be specified:

PID : Logs the server process ID.

HOST : Logs the remote host's address.

USERID : Logs remote user ID using RFC 1413 identification protocol. Only available for multithreaded stream services.

EXIT : Logs the fact that the server exited along with the exit status or termination signal.

DURATION : Logs the duration of the server session.


Specifies what is logged when a server cannot start, either from lack of resources or access configuration. Any combination of the following can be specified:

HOST : Logs the remote host's address

USERID : Logs remote user ID using RFC 1413 identification protocol. Available for multithreaded stream services only.

RECORD : Logs as much information about the remote host as possible.

ATTEMPT : Logs the fact that a failed attempt was made. Implied by use of any of the other options.


Specifies the RPC version of an RPC service. Can be a single number or a range in the form of number “number .


Specifies the number for an unlisted RPC service.


Value of this attribute is a list of strings of the form <name> = <value> . These strings are added to the server's environment, giving it xinetd 's environment as well as the environment specified by the env attribute.


Value of this attribute is a list of environment variables from xinetd 's environment to be passed to the server. An empty list implies passing no variables to the server except those explicitly defined by the env attribute.


Specifies the service port. If this attribute is listed for a service in /etc/services , it must be the same as the port number listed in that file.


Allows a TCP service to be redirected to another host. Useful for when your internal machines are not visible to the outside world. Syntax is

redirect = <IP address or host name> <port>

The server attribute is not required when this attribute is specified. If the server attribute is specified, this attribute takes priority.


Allows a service to be bound to a specific interface on the machine.


Synonym for bind .


Name of the file to be displayed to the remote host when a connection to that service is made. The banner is displayed regardless of access control.


Name of the file to be displayed to the remote host when a connection to that service is granted. Banner is displayed as soon as access to the service is granted.


Name of the file to be displayed to the remote host when a connection to a service is denied. Banner is printed immediately upon denial of access.


Specifies the maximum number of connections permitted per server per source IP address. May be an integer or UNLIMITED .


Limits the rate of incoming connections. Takes two arguments. The first is the number of connections per second. If the number of connections per second exceeds this rate, the server is temporarily disabled. The second argument specifies the number of seconds to wait before reenabling the server.


Takes either yes or no . If yes , the server is executed with access to the groups to which the server's effective UID has access. If no , server runs with no supplementary groups. Must be set to yes for many BSD-flavored versions of Unix.


Sets the inherited umask for the service. Expects an octal value. May be set in the defaults section to set a umask for all services. xinetd sets its own umask to the previous umask ORd with 022. This is the umask inherited by child processes if the umask attribute is not set.


Takes a list of service names to enable. Note that the service disable attribute and DISABLE flag can prevent a service from being enabled despite its being listed in this attribute.


Takes a filename in the form of include /etc/xinetd/service . File is then parsed as a new configuration file. May not be specified from within a service declaration.


Takes a directory name in the form of includedir /etc/xinetd.d . Every file in the directory, excluding files containing . or ending with ~ , is parsed as an xinetd.conf file. Files are parsed in alphabetical order according to the C locale. May not be specified within a service declaration.


Sets the maximum number of CPU seconds that the service may use. May either be a positive integer or UNLIMITED .


Sets the maximum data resource size limit for the service. May either be a positive integer representing the number of bytes or UNLIMITED .


Sets the maximum resident set size limit for the service. Setting this value low makes the process a likely candidate for swapping out to disk when memory is low. One parameter is required, which is either a positive integer representing the number of bytes or UNLIMITED .


Sets the maximum stack size limit for the service. One parameter is required, which is either a positive integer representing the number of bytes or UNLIMITED .


Sets the time span when access to all services to an IP address are denied to someone who sets off the SENSOR . Must be used in conjunction with the SENSOR flag. Options are

FOREVER : IP address is not purged until xinetd is restarted.

NEVER : Just logs the offending IP address.

<number> : A numerical value of time in minutes. A typical time would be 60 minutes, to stop most DoS attacks while allowing IP addresses coming from a pool to be recycled for legitimate purposes.

OS X has default xinetd configuration files for the following services:

 %  ls /etc/xinetd.d  auth         comsat       echo-udp     login        tftp bootps       daytime      exec         ntalk        time chargen      daytime-udp  finger       shell        time-udp chargen-udp  echo         ftp          telnet 

As you can see, services that require two lines in /etc/inetd.conf , such as time , require two files in /etc/xinetd.d . Listing 11.3 includes the default listings for the ftp , time , and time-udp files.

Listing 11.3 Default xinetd Configuration Files for the ftp , time , and time-udp Files
 service ftp {         disable         = yes         socket_type     = stream         wait            = no         user            = root         server          = /usr/libexec/ftpd         server_args     = -l         groups          = yes         flags           = REUSE } service time {         disable         = yes         type            = INTERNAL         id              = time-stream         socket_type     = stream         wait            = no         user            = root         groups          = yes         flags           = REUSE } service time-udp {         disable         = yes         type            = INTERNAL         id              = time-dgram         socket_type     = dgram         wait            = yes         user            = root         groups          = yes         flags           = REUSE } 

Because FTP is a service that you might possibly enable, let's take a brief look at the attributes of the default /etc/xinetd.d/ftp file from Listing 11.3:

  • Line 3 sets the first attribute, disable , to yes . This means that by default, the FTP service is disabled. /etc/inetd.conf simply has a # in front of a service to disable it.

  • Line 4 sets the socket_type attribute to stream . This was the second item in the ftp line of /etc/inetd.conf .

  • Line 5 sets the wait attribute to no . This was the third item in the ftp line of /etc/inetd.conf .

  • Line 6 sets the user attribute to root . This was the fourth item in the ftp line of /etc/inetd.conf .

  • Line 7 sets the server attribute to /usr/libexec/ftpd . This was the fifth item in the ftp line of /etc/inetd.conf .

  • Line 8 sets the server_args attribute to -l . This was the final item in the ftp line of /etc/inetd.conf .

  • Line 9 sets the groups attribute to yes . This is required for BSD-flavored versions of Unix. Because this attribute is required for all of your xinetd services, you could also move it to the defaults section of /etc/xinetd.conf and then remove it from the individual service files.

  • Line 10 sets the flags attribute to REUSE . This seems to be an undocumented flag, but online wisdom indicates that it is a good flag to use.

As was the case with the /etc/inetd.conf file, the time service contains the same major descriptors, but in a different form. Unlike the ftp xinetd configuration file, the time and time-udp files also include the id attribute to uniquely identify the services.

Perhaps one of the most notable differences between the default /etc/inetd.conf file and the /etc/xinetd.d/ftp file is that the server is set to /usr/libexec/tcpd in the inetd.conf file, but in the ftp file, it is set to /usr/libexec/ftpd . Because inetd is not as configurable, it is important to use TCP Wrappers. However, you can configure host access information directly in xinetd without having to use TCP Wrappers. We recommend that you make use of that built-in capability. Additionally, xinetd includes support for displaying banners for services.

If you want to enable any of the default services controlled by xinetd , change the disable entry to no and restart xinetd by sending it a HUP signal using either of the following methods :

 kill HUP  <xinetd_pid>  killall HUP xinetd 

Likewise, if you want to change any of the default configuration files, or add services not included in the initial set of default configuration files, simply restart xinetd to have them take effect. Listing 11.4 includes recommended xinetd configurations for services that might be of interest to you. If you want to change any of the defaults that appear in /etc/xinetd.conf for a given service, be sure to include that updated attribute in the service's file.

Finally, we also recommend that you reverse the starting order of inetd and xinetd in /System/Library/StartupItems/IPServices/IPServices . As of this writing, inetd starts before xinetd , but we recommend that you change the lines to read as follows:

 xinetd -pidfile /var/run/ inetd 

This change will ensure that any services you start via the System Preferences are controlled as they were intended to be.

Listing 11.4 Recommended Basic xinetd Configurations
 service ftp {         disable         = no         flags           = REUSE         socket_type     = stream         wait            = no         user            = root         server          = /usr/libexec/ftpd         server_args     = -l         groups          = yes         only_from       = <host list>         no_access       = <host list>         access_times    = <time intervals> } service imap {          disable         = no          socket_type     = stream          wait            = no          user            = root          server          = /usr/local/libexec/imapd          groups          = yes          flags           = REUSE } service pop3 {          disable         = no          socket_type     = stream          wait            = no          user            = root          server          = /usr/local/libexec/ipop3d          groups          = yes          flags           = REUSE } service swat {          disable         = no          socket_type     = stream          wait            = no          user            = root          server          = /usr/sbin/swat          groups          = yes          flags           = REUSE } (Note that the swat service also needs a corresponding swat 901/tcp line in /etc/services) 

Wrapping xinetd Processes

Although xinetd already has built-in host access restriction capabilities, if you decide that you would rather use TCP Wrappers on a service controlled by xinetd , you need to add a flag, NAMEINARGS , to the service and further expand the server_args line to include the full path to the service. Replace the original path to the server with the path to tcpd . Here's an example for using TCP Wrappers for restricting access to the FTP service in xinetd :

 service ftp {         flags       = REUSE NAMEINARGS         socket_type = stream         protocol    = tcp         wait        = no         user        = root         server      = /usr/libexec/tcpd         server_args = /usr/libexec/ftpd -l } 


Mac OS X Maximum Security
Maximum Mac OS X Security
ISBN: 0672323818
EAN: 2147483647
Year: 2003
Pages: 158 © 2008-2017.
If you may any questions please contact us: