There are two ways to offer TCP/IP services: by running server applications standalone as daemons, or by using the Internet super server, inetd(8). inetd is a daemon which listens on a range of ports. When a client connects to one of those ports, inetd accepts the connection and hands it to the server program that handles that kind of service. The advantage of this approach is that it adds an extra layer of control: connections can be filtered and logged centrally before the server program ever sees them. The disadvantage is that it is somewhat slower than a standalone daemon, because a new server process is started for every connection. It is thus a good idea to run a standalone daemon for, for example, a heavily loaded FTP server.
inetd can be configured using the /etc/inetd.conf file. Let's have a look at an example line from inetd.conf:
# File Transfer Protocol (FTP) server:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
This line specifies that inetd should accept FTP connections and pass them to tcpd. This may seem a bit odd, because proftpd normally handles FTP connections. You can also specify proftpd directly in inetd.conf, but Slackware Linux normally passes the connection to tcpd, which in turn starts the server program named after it (proftpd here) and hands it the connection. tcpd (the TCP wrapper) is used to log connections and to provide host-based access control before the real server sees the connection.
Services can be disabled by adding the comment character (#) at the beginning of the line. It is a good idea to disable all services and then enable the services you need one at a time. After changing /etc/inetd.conf, inetd needs to re-read its configuration to activate the changes. This can be done by sending the HUP signal to the inetd process:
# ps ax | grep 'inetd'
   64 ?        S      0:00 /usr/sbin/inetd
# kill -HUP 64
Or you can use the rc.inetd initialization script to restart inetd:
# /etc/rc.d/rc.inetd restart
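The "disable everything, then enable one service at a time" advice above is easy to get wrong by hand on a long inetd.conf. The following POSIX shell script is an added example (not part of the Slackware documentation): it lists which services are active in an inetd.conf and writes a copy in which every active entry except a whitelist is commented out. It works on a constructed sample file under $TMPDIR so it can be run without touching /etc; the real restart step is shown only as a comment.

```shell
#!/bin/sh
# Added example, not part of the Slackware documentation. Audits a copy of
# inetd.conf and disables every service that is not explicitly whitelisted.
# The file below is a constructed sample, not a real /etc/inetd.conf.

SAMPLE_CONF="${TMPDIR:-/tmp}/inetd.conf.sample"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample inetd.conf
# File Transfer Protocol (FTP) server:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
# Telnet server:
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
# Comsat (already disabled):
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
# Finger server:
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF

# enabled_services FILE
# Prints the service name (first column) of every active entry. A line is
# active when it is not a comment and has at least the six fields inetd
# expects (service, socket type, protocol, wait/nowait, user, program).
enabled_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# keep_only FILE SERVICE...
# Prints FILE with every active entry commented out unless its service name
# is one of the SERVICE arguments. Comments and blank lines pass through
# unchanged, so the layout of the file is preserved.
keep_only() {
    conf=$1; shift
    keep=" $* "
    awk -v keep="$keep" '
        $1 !~ /^#/ && NF >= 6 && index(keep, " " $1 " ") == 0 { print "#" $0; next }
        { print }
    ' "$conf"
}

# Typical use on a real system (not executed here):
#   keep_only /etc/inetd.conf ftp > /etc/inetd.conf.new
#   mv /etc/inetd.conf.new /etc/inetd.conf && /etc/rc.d/rc.inetd restart
echo "enabled before: $(enabled_services "$SAMPLE_CONF" | tr '\n' ' ')"
keep_only "$SAMPLE_CONF" ftp > "$SAMPLE_CONF.trimmed"
echo "enabled after keeping ftp: $(enabled_services "$SAMPLE_CONF.trimmed" | tr '\n' ' ')"
```

Run enabled_services against the real /etc/inetd.conf first to see what is currently listening; anything on that list you cannot name a reason for is a candidate for keep_only to comment out.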
As you can see in /etc/inetd.conf, connections for most protocols are made through tcpd instead of being passed directly to a service program. For example:
# File Transfer Protocol (FTP) server:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
In this example FTP connections are passed through tcpd. tcpd logs the connection through syslog and allows for additional checks. One of the most used features of tcpd is host-based access control. Hosts that should be denied are listed in /etc/hosts.deny, hosts that should be allowed in /etc/hosts.allow. Both files have one rule per line of the following form (see hosts_access(5)):
service: hosts
Here "service" is the name of the server program as it appears after tcpd in inetd.conf (proftpd in the example above), not the port name from the first column (ftp). Hosts can be specified by hostname or IP address; a name that starts with a dot (.example.org) matches every host in that domain, and an address that ends with a dot (192.168.1.) matches every host in that network. Several services or hosts can be given as a comma-separated list. The ALL keyword specifies all hosts or all services.
Suppose we want to block access to all services managed through tcpd, except for host "trusted.example.org". To do this the following hosts.deny and hosts.allow files should be created.
/etc/hosts.deny:
ALL: ALL
/etc/hosts.allow:
ALL: trusted.example.org
In hosts.deny access is blocked to all (ALL) services for all (ALL) hosts. But hosts.allow specifies that all (ALL) services should be available to "trusted.example.org". The two files are consulted in a fixed order: access is granted as soon as a rule in hosts.allow matches the service and the host, otherwise access is refused when a rule in hosts.deny matches, and otherwise access is granted. Because the default is to allow, a missing or empty hosts.deny leaves every tcpd-wrapped service open to every host; the "ALL: ALL" line in hosts.deny is what turns the setup into a whitelist.
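To see the consequences of that evaluation order without locking yourself out of a real machine, the following POSIX shell script is an added example (not part of the Slackware documentation, and not tcpd's own code): it models the hosts_access decision for a constructed hosts.allow/hosts.deny pair, including a few more pattern forms than the ALL/hostname case above, and shows what happens when hosts.deny is empty. Only the pattern forms named in the comments are implemented; the file contents and host names are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the Slackware documentation or of tcpd itself.
# A small model of the hosts_access(5) decision that tcpd makes, so the
# effect of a hosts.allow/hosts.deny pair can be checked offline. Only the
# pattern forms used here are implemented (ALL, exact name or address,
# leading-dot domain, trailing-dot network). The files are constructed.

ALLOW_FILE="${TMPDIR:-/tmp}/hosts.allow.sample"
DENY_FILE="${TMPDIR:-/tmp}/hosts.deny.sample"
EMPTY_DENY="${TMPDIR:-/tmp}/hosts.deny.empty"

cat > "$ALLOW_FILE" <<'EOF'
# constructed sample hosts.allow
ALL: trusted.example.org
proftpd, sshd: .corp.example.org
in.fingerd: 192.168.1.
EOF
cat > "$DENY_FILE" <<'EOF'
# constructed sample hosts.deny
ALL: ALL
EOF
: > "$EMPTY_DENY"

# pattern_matches PATTERN NAME: does one token of a rule match NAME?
pattern_matches() {
    pat=$1; name=$2
    case $pat in
        ALL) return 0 ;;                                  # wildcard
        .*)  case $name in *"$pat") return 0 ;; esac ;;   # domain suffix
        *.)  case $name in "$pat"*) return 0 ;; esac ;;   # network prefix
        *)   [ "$pat" = "$name" ] && return 0 ;;          # exact match
    esac
    return 1
}

# list_matches "a, b, c" NAME: does any token of a comma-separated list match?
list_matches() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$tok" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: does any "daemons: clients" rule in FILE
# match both? Comments, blank lines and lines without a colon are skipped.
file_matches() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; *:*) ;; *) continue ;; esac
        list_matches "${line%%:*}" "$2" && list_matches "${line#*:}" "$3" && return 0
    done < "$1"
    return 1
}

# tcpd_decision DAEMON CLIENT [ALLOW_FILE DENY_FILE]
# Same order as tcpd: a match in hosts.allow grants access, otherwise a match
# in hosts.deny refuses it, otherwise access is granted. DAEMON is the server
# program name from inetd.conf (proftpd), not the port name (ftp).
tcpd_decision() {
    allow=${3:-$ALLOW_FILE}; deny=${4:-$DENY_FILE}
    if file_matches "$allow" "$1" "$2"; then echo allow
    elif file_matches "$deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

for client in trusted.example.org build.corp.example.org 192.168.1.25 evil.example.net; do
    echo "proftpd from $client: $(tcpd_decision proftpd "$client")"
done
# The caveat: with an empty hosts.deny the default applies and everyone gets in.
echo "proftpd from evil.example.net, empty hosts.deny: $(tcpd_decision proftpd evil.example.net "$ALLOW_FILE" "$EMPTY_DENY")"
```

The last line is the one to remember: the whitelist only works because hosts.deny closes the door on everything else. On a real system, tcpdchk(8) and tcpdmatch(8), which ship with the TCP wrappers, perform the same kind of check against the actual files and understand the full rule syntax.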