tcp wrapper (tcpd)

tcpd.man.txt

Centos5 documentation

(Centos7 does not have it installed per default can be installed like this: yum install xinetd*)

To control access to Internet services, use xinetd, which is a secure replacement for inetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can also be used to grant or deny access to particular hosts, provide service access at specific times, limit the rate of incoming connections, limit the load created by connections, and more.

xinetd runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.

The configuration file for xinetd is /etc/xinetd.conf, but the file only contains a few defaults and an instruction to include the /etc/xinetd.d directory.

src: https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-services-xinetd.html

is xinetd still in use?

most functionality of xinetd is replaed by stateful firewalling, through iptables/netfilter… but xinetd still exists and can be used.

Der xinetd bietet einkompilierte TCP-Wrapper-Unterstützung, also Zugriffskontrolle über die Dateien /etc/hosts.allow und /etc/hosts.deny.

Er löst tcpd und inetd ab.

Diese funktioniert genau so wie beim herkömmlichen inetd, so dass auf den betreffenden Abschnitt des inetd-Artikels verwiesen sei. Der Umweg über den tcpd ist allerdings nicht nötig.

xinetd bietet unter anderem Zugriffskontroll-Mechanismen, ausführliche Protokollierungsmöglichkeiten, kann Dienste zeitabhängig bereit stellen und die Anzahl der gestarteten Server begrenzen.

Er kann TCP-Ströme zu einem entfernten Rechner und Port umleiten. Dies ist nützlich für Anwender, die IP-Masquerading oder NAT nutzen und ihre internen Rechner erreichen möchten.

Er kann außerdem spezielle Dienste an bestimmte Schnittstellen binden. Dies ist nützlich, wenn Sie diese Dienste für Ihr internes Netzwerk, aber nicht für den Rest der Welt verfügbar machen möchten. Oder um verschiedene Dienste auf dem gleichen Port, jedoch verschiedenen Schnittstellen zu benutzen.

„Services run constantly on certain ports.

The reason inetd and suchlike saved memory is because they didn’t require daemons to run all the time, just on demand.

These days, on-demand daemons are pretty rare.

Things like Apache, MySQL, and Tomcat all stay running and listening to their designated ports.

Some even spin up new processes to handle each connection, others just handle it in the same process.

By not having to load a bunch of code each time a connection starts, the cost to establish a specific connection is smaller than it would be with inetd-like processes.

Essentially the job that TCP-Wrappers does for services being called via a „super server“ can be replaced (for other processes and a „super server“) by stateful firewalling, through iptables/netfilter in the case of most modern Linux installations (and for basic functionality, stateless firewall rules would do also).

src: https://serverfault.com/questions/246710/tcpwrappers-still-in-use

/etc/hosts.deny

uname -a;cat /etc/hosts.deny
Linux centos 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#

uname -a;cat /etc/hosts.deny
Linux suse 4.4.21-69-default #1 SMP Tue Oct 25 10:58:20 UTC 2016 (9464f67) x86_64 x86_64 x86_64 GNU/Linux
# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.
http-rman : ALL EXCEPT LOCAL

uname -a;cat /etc/hosts.deny
Linux debian 3.16.0-4-686-pae #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID

/etc/hosts.allow

uname -a;cat /etc/hosts.allow
Linux centos 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers

uname -a;cat /etc/hosts.allow
Linux suse 4.4.21-69-default #1 SMP Tue Oct 25 10:58:20 UTC 2016 (9464f67) x86_64 x86_64 x86_64 GNU/Linux
# /etc/hosts.allow
# See 'man tcpd' and 'man 5 hosts_access' for a detailed description
# of /etc/hosts.allow and /etc/hosts.deny.
#
# short overview about daemons and servers that are built with
# tcp_wrappers support:
#
# package name | daemon path | token
# ----------------------------------------------------------------------------
# ssh, openssh | /usr/sbin/sshd | sshd, sshd-fwd-x11, sshd-fwd- # quota | /usr/sbin/rpc.rquotad | rquotad
# tftpd | /usr/sbin/in.tftpd | in.tftpd
# portmap | /sbin/portmap | portmap
# The portmapper does not verify against hostnames
# to prevent hangs. It only checks non-local addresses.
#
# (kernel nfs server)
# nfs-utils | /usr/sbin/rpc.mountd | mountd
# nfs-utils | /sbin/rpc.statd | statd
#
# (unfsd, userspace nfs server)
# nfs-server | /usr/sbin/rpc.mountd | rpc.mountd
# nfs-server | /usr/sbin/rpc.ugidd | rpc.ugidd
#
# (printing services)
# lprng | /usr/sbin/lpd | lpd
# cups | /usr/sbin/cupsd | cupsd
# The cupsd server daemon reports to the cups
# error logs, not to the syslog(3) facility.
#
# (Uniterrupted Power Supply Software)
# apcupsd | /sbin/apcupsd | apcupsd
# apcupsd | /sbin/apcnisd | apcnisd
#
# All of the other network servers such as samba, apache or X, have their own
# access control scheme that should be used instead.
#
# In addition to the services above, the services that are started on request
# by inetd or xinetd use tcpd to "wrap" the network connection. tcpd uses
# the last component of the server pathname as a token to match a service in
# /etc/hosts.{allow,deny}. See the file /etc/inetd.conf for the token names.
# The following examples work when uncommented:
#
#
# Example 1: Fire up a mail to the admin if a connection to the printer daemon
# has been made from host foo.bar.com, but simply deny all others:
# lpd : foo.bar.com : spawn /bin/echo "%h printer access" | \
# mail -s "tcp_wrappers on %H" root
#
#
# Example 2: grant access from local net, reject with message from elsewhere.
# in.telnetd : ALL EXCEPT LOCAL : ALLOW
# in.telnetd : ALL : \
# twist /bin/echo -e "\n\raccess from %h declined.\n\rGo away.";sleep 2
#
#
# Example 3: run a different instance of rsyncd if the connection comes
# from network 172.20.0.0/24, but regular for others:
# rsyncd : 172.20.0.0/255.255.255.0 : twist /usr/local/sbin/my_rsyncd-script
# rsyncd : ALL : ALLOW
#

uname -a;cat /etc/hosts.allow
Linux debian 3.16.0-4-686-pae #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#

tcpd xinetd manpage

xinetd.man.txt

tcpd.man.txt

uname -a; service xinetd status
Linux suse 4.4.21-69-default #1 SMP Tue Oct 25 10:58:20 UTC 2016 (9464f67) x86_64 x86_64 x86_64 GNU/Linux
* xinetd.service - Xinetd A Powerful Replacement For Inetd
Loaded: loaded (/usr/lib/systemd/system/xinetd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
suse:~ #

uname -a; service xinetd status;
Linux debian 3.16.0-4-686-pae #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux
● xinetd.service - LSB: Starts or stops the xinetd daemon.
Loaded: loaded (/etc/init.d/xinetd)
Active: active (running) since Thu 2017-05-04 16:17:14 CEST; 25min ago
Process: 560 ExecStart=/etc/init.d/xinetd start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/xinetd.service
└─881 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
May 04 16:17:15 debian xinetd[881]: removing daytime
May 04 16:17:15 debian xinetd[881]: removing daytime
May 04 16:17:15 debian xinetd[881]: removing discard
May 04 16:17:15 debian xinetd[881]: removing discard
May 04 16:17:15 debian xinetd[881]: removing echo
May 04 16:17:15 debian xinetd[881]: removing echo
May 04 16:17:15 debian xinetd[881]: removing time
May 04 16:17:15 debian xinetd[881]: removing time
May 04 16:17:15 debian xinetd[881]: xinetd Version 2.3.15 started with libwrap loadavg options compiled in.
May 04 16:17:15 debian xinetd[881]: Started working: 0 available services

uname -a; service xinetd status
Linux centos 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Redirecting to /bin/systemctl status xinetd.service
● xinetd.service - Xinetd A Powerful Replacement For Inetd
Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
Active: inactive (dead)

Links:

see more here: http://dwaves.de/2017/05/04/linux-security-config-hosts-deny-hosts-allow/

http://dwaves.de/2017/06/08/lpic-1-102-110-2-setup-host-security/

http://dwaves.de/2017/05/05/linux-bash-config-ssh-to-allow-only-login-from-specific-usersspecific-hosts-sshd-allowusers/

LPIC-1 102 110.2 Setup host security

more Links:

Anti-DDoS – https://javapipe.com/ddos/blog/iptables-ddos-protection/

Anti-BruteForce – fail2ban – for example – block attempts to bruteforce into WordPress via wp-login.php – http://envyandroid.com/fail2ban-wordpress-login-attacks/

https://packages.debian.org/de/jessie/xinetd

https://packages.debian.org/jessie/tcpd

https://yeupou.wordpress.com/2010/03/14/securing-and-improving-internet-services-including-ssh-and-smtp-using-xinetd/

admin