xinetd
xinetd is a secure replacement for inetd. It was originally written
by panos@cs.colorado.edu. This is a home for xinetd, and a place for
information to be gathered, bugs to be submitted, and hopefully fixed.
- Information:
  - Features of xinetd
  - xinetd FAQ
  - Changelog
  - Sample config
  - Recent changes
- Download:
  - Source to xinetd 2.1.8.8p3 (Released 4 Jun. 2000)
  - Source to the current development version, 2.1.8.9pre9 (Released 3 August 2000)
  - RPMs for xinetd 2.1.8.8p3
  - Old distributions of xinetd
Curator has written a tutorial on the use of xinetd here.
Warning: xinetd releases prior to 2.1.8.8p3 and 2.1.8.9pre6
have a bug in the access control mechanism. If you use a hostname rather
than an IP address to control access to a service (localhost instead of
127.0.0.1), xinetd will allow any connection from a host whose address
cannot be reverse-resolved. Please upgrade to the latest version.
xinetd has a mailing list. To subscribe, mail majordomo@synack.net with a
body of "subscribe xinetd".
Features:
- Access control:
  - Has built-in access control for stopping connections from evil bad guys, or for only allowing connections from good guys.
  - Can be compiled with built-in libwrap support. Use hosts.{allow|deny}! More efficient than using tcpd!
  - TCP wrappers are good, but can only see one connection at a time. xinetd can limit the rate of incoming connections, the number of incoming connections from specific hosts, or the total number of connections for a service.
  - Limit access to services based on time of day.
  - You can have specific services bind to specific IPs. This lets you provide different services to internal clients than to external clients.
- Prevent denial of service attacks!
  - With the access control capabilities of limiting the rate of incoming connections, xinetd can respond to "port bombs" in a reasonable fashion.
  - If one host seems to be hogging your services, you can limit the number of simultaneous connections from that host.
  - You can place limits on the size of the log files it creates, so people can't fill your disk.
- Extensive logging abilities!
  - You can configure the syslog logging level for each service independently.
  - If you don't want to use syslog logging, you can have each service log to a file, independent of any other service.
  - It can log the start and stop times for the connection, so you can determine how long a client used your services.
  - It can log extensive information about failed connection attempts.
- Offload services to a remote host
  - The redir feature allows you to redirect a TCP stream to another host. This other host does not need to be an externally reachable machine. If you want to provide services on a NAT'd machine, run xinetd with the redir feature to redirect the service to a different host.
- IPv6 support
  - As of the xinetd 2.1.8.8pre* series, xinetd supports IPv6.
- User interaction
  - You can print different banners to the client when they have a successful connection, when their connection attempt failed, and always regardless of connection status. This can help keep your users informed of changes, and why they may be having trouble accessing services.
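An added example configuration (not the page's own sample config) that puts the features above together: the hostname-based only_from that the warning describes, beside the address-based form it recommends, plus per-host and total connection limits, a time-of-day restriction, a bound interface, a size-limited per-service log file, a banner, a redir service and includedir. Attribute names follow the xinetd.conf man page; the hosts, ports, paths and limits are assumed placeholders.

```conf
# Added example xinetd.conf; addresses, ports and paths are placeholders.
defaults
{
        log_type        = SYSLOG daemon info
        log_on_success  = PID HOST EXIT DURATION
        log_on_failure  = HOST ATTEMPT
}
# Weak: hostname-based access control. In releases before 2.1.8.8p3 and
# 2.1.8.9pre6 a client whose address has no reverse DNS entry is admitted.
# Kept in the file but switched off with the "disable" boolean.
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        only_from       = localhost
        disable         = yes
}
# Hardened: numeric addresses (a trailing 0 octet matches the whole
# network), at most 5 connections per client host and 20 in total,
# daytime only, bound to the internal interface, and its own log file
# with soft and hard size limits in bytes so it cannot fill the disk.
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        only_from       = 127.0.0.1 192.168.1.0
        per_source      = 5
        instances       = 20
        access_times    = 08:00-18:00
        bind            = 192.168.1.1
        log_type        = FILE /var/log/xinetd/ftp.log 1000000 2000000
        banner_fail     = /etc/xinetd.d/banner.denied
}
# redir: forward port 80 on this host to a web server behind NAT,
# still subject to only_from on the xinetd side.
service http
{
        socket_type     = stream
        wait            = no
        user            = nobody
        redirect        = 10.0.0.5 80
        only_from       = 192.168.1.0
}
# Per-service files (regular files not starting with '.') are read from
# here in strcmp() order.
includedir /etc/xinetd.d
```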
2.1.8.9pre9
- Fixed a potential bug in parsing of filenames from includedir.
- Possibly fixed tcp wait=yes handling.
- Fixed man pages so they say they're installed in the sections
they are really installed into.
- Added .cvsignore to empty directories
2.1.8.9pre8
- Now allows you to specify multiple instances of the same service
as long as all but one is disabled.
- Fixed a documentation issue in the xinetd.conf man page.
The user attribute can be specified for an unlisted
service, just not an internal service.
- When including files with "includedir", it parses the files
in alphabetical order, as determined by strcmp().
- Under Solaris, I've removed the no_control_tty() call in
child.c. This was causing some confusion. xinetd
itself still calls no_control_tty().
- Fixed a compile error with --with-inet6
2.1.8.9pre5
- Implemented better error checking in redirect.c, so hopefully
it will detect error conditions more reliably and
prevent lots of child xinetd's running unnecessarily.
- Ramon Krikken sent a redirector implementation that replaced
the two process redirection with a single process using
select. Modifications to his patch were integrated.
- includedir parses only regular files, or symlinks to regular
files, that do not begin with '.'.
- Added includedir to the xinetd.conf man page.
2.1.8.9pre4
- Incorporated a patch to allow logging to the AUTHPRIV level.
Patch from Trond Eivind Glomsrød.
- Numerous cleanups. Mostly superficial, but gets rid of *lots*
of compile warnings when using -Wall. These cleanups
may have affected portability issues...
- Support for Darwin! Now compiles and runs fine. Note that
xinetd doing mmap didn't work right (always lost the
first byte of the file). Workaround is to disable
mmapped io for Darwin.
- Added a DISABLE flag for services, that will prevent a service
from starting.
- Added a "disable" boolean for services that does the same thing
as the DISABLE flag.
2.1.8.9pre3
- Incorporated a patch from Frodo Looijaard to incorporate an includedir directive, to include services from files in the directory.
- Incorporated a patch from Preston Norvell to add support for Mac OS X.
- Incorporated a patch from Frank Wortner to fix compile problems on Tru64 Unix.
2.1.8.8p2
- Fixed some compile problems for the commercial Sun C compiler. These fixes may also benefit people who have been having trouble with the banner directives.
2.1.8.8p1
- The setsid() call that fixed a bug on FreeBSD caused problems with telnetd (/bin/login) on Solaris. This fixes the problem for Solaris.
2.1.8.9pre1
- Added an "include" feature. In xinetd.conf, outside any service entry,
you can add "include /path/to/filename" that contains xinetd.conf directives.
- Added an inetd.conf compatibility mode. Run with -inetd-compat and
specify the config file as /etc/inetd.conf (or whatever).
Bug reports or patches may be sent to me at: bbraun@synack.net.