Installation guide

124 Chapter 8. TCP Wrappers and xinetd
EXIT — Logs the exit status or termination signal of the service. (log_on_success)
HOST — Logs the remote host’s IP address. (log_on_failure and log_on_success)
PID — Logs the process ID of the server receiving the request. (log_on_success)
RECORD — Records information about the remote system in the case the service cannot be started.
Only particular services, such as login and finger, may use this option. (log_on_failure)
USERID — Logs the remote user using the method defined in RFC 1413 for all multi-threaded
stream services. (log_on_failure and log_on_success)
Other options for /etc/xinetd.conf are available, such as per_source, which limits the maximum
number of connections from a particular IP address to a specific service. See the man page for
xinetd for more information.
8.3.1.2. Files in the /etc/xinetd.d/ Directory
The files in the /etc/xinetd.d/ directory are read every time xinetd starts, due to the
includedir /etc/xinetd.d/ statement at the bottom of /etc/xinetd.conf. These files, with
names such as finger, ipop3, and rlogin, correlate to the services controlled by xinetd.
The files in /etc/xinetd.d/ use the same conventions as /etc/xinetd.conf. The primary reason
they are stored in separate configuration files is to make it easier to add and remove a service from
xinetd without affecting other services.
To get an idea of how these files are structured, consider the wu-ftp file:
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    server_args     = -l -a
    log_on_success  += DURATION USERID
    log_on_failure  += USERID
    nice            = 10
    disable         = yes
}
The first line defines the service’s name. The lines within the brackets contain settings that define how
this service is supposed to be started and used. The wu-ftp file states that the FTP service uses a
stream socket type (rather than dgram), the binary executable file to use, the arguments to pass to
the binary, the information to log in addition to the /etc/xinetd.conf settings, the priority with
which to run the service, and more.
Using xinetd to wrap a service can also serve as a basic level of protection from a Denial of
Service (DoS) attack. The max_load option takes a floating point value that sets a CPU load
threshold above which no more connections for a particular service are accepted, preventing certain
services from overwhelming the system. The cps option accepts an integer value that sets a rate limit
on the number of connections accepted per second. Setting this value to something low, such as 3,
helps prevent attackers from flooding the system with too many simultaneous requests for a
particular service.
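As an added example (not code from the guide or from xinetd itself), the following parser reads service blocks in the format shown above and lists enabled services that set none of cps, per_source or max_load. The SAMPLE text is constructed: it copies the wu-ftp block and adds a made-up telnet block whose cps line gives the connection rate followed by the number of seconds xinetd waits before re-enabling the service.

```python
"""Parse xinetd service blocks and flag enabled services with no DoS limits."""
import re

# Constructed sample: the wu-ftp block from the text plus a made-up telnet
# service whose cps/max_load values are illustrative, not recommendations.
SAMPLE = """
service ftp
{
    socket_type    = stream
    server         = /usr/sbin/in.ftpd
    server_args    = -l -a
    log_on_success += DURATION USERID
    log_on_failure += USERID
    disable        = yes
}
service telnet
{
    server   = /usr/sbin/in.telnetd
    cps      = 3 30
    max_load = 2.5
}
"""

def parse_xinetd(text):
    """Return {service: {attribute: [values]}}; '=' sets, '+=' adds, '-=' removes."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line or line in ("{", "}"):      # assumes braces on their own lines
            continue
        if m := re.match(r"service\s+(\S+)$", line):
            current = services.setdefault(m.group(1), {})
            continue
        if not (m := re.match(r"(\w+)\s*(\+=|-=|=)\s*(.*)$", line)) or current is None:
            raise ValueError(f"unexpected line: {raw!r}")
        attr, op, vals = m.group(1), m.group(2), m.group(3).split()
        if op == "=":
            current[attr] = vals
        elif op == "+=":
            current.setdefault(attr, []).extend(vals)
        else:
            current[attr] = [v for v in current.get(attr, []) if v not in vals]
    return services

def unprotected_services(services):
    """Names of enabled services that set none of cps, per_source or max_load."""
    limits = ("cps", "per_source", "max_load")
    return sorted(name for name, attrs in services.items()
                  if " ".join(attrs.get("disable", [])).lower() != "yes"
                  and not any(attrs.get(k) for k in limits))
```

Run it over the contents of each file in /etc/xinetd.d/ to see which enabled services still rely on xinetd's defaults for connection limiting.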