Installation guide

Chapter 8. TCP Wrappers and xinetd 125
8.3.1.3. Access Control within xinetd
Users of xinetd services can choose to use the TCP wrapper host access control files
(/etc/hosts.allow and /etc/hosts.deny), provide access control via the xinetd
configuration files, or a mixture of both. Information concerning the use of TCP wrapper host access
control files can be found in Section 8.2. This section will discuss using xinetd to control access to
services.
Note
Unlike TCP wrapper host access control files, any changes to xinetd configuration files require a
restart of the xinetd service to go into effect.
The xinetd host access control available through its various configuration files is different from the
method used by TCP wrappers. While TCP wrappers places all of the access configuration within
two files, /etc/hosts.allow and /etc/hosts.deny, each service’s file in /etc/xinetd.d can
contain access control rules based on the hosts that will be allowed to use that service.
The following options are supported in the xinetd files to control host access:
only_from — Allows the hosts specified to use the service.
no_access — Blocks these hosts from using this service.
access_times — Specifies the time range when a particular service may be used. The time range
must be stated in a HH:MM-HH:MM format using 24-hour notation.
The only_from and no_access options can use a list of IP addresses or host names, or can specify
an entire network. As with TCP wrappers, combining xinetd access control with the proper logging
configuration for that service lets you not only block the request but also record every attempt to
access it.
For example, the following /etc/xinetd.d/telnet file can be used to block telnet access to a
system by a particular network group and restrict the overall time range that even legitimate users can
log in:
service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    no_access       = 10.0.1.0/24
    log_on_success  += PID HOST EXIT
    access_times    = 09:45-16:15
}
In this example, when any system from the 10.0.1.0/24 subnet, such as 10.0.1.2, tries to telnet
into the server, they will receive a message stating Connection closed by foreign host. In
addition, their login attempt is logged in /var/log/secure:
May 15 17:35:47 boo xinetd[16188]: START: telnet pid=16191 from=10.0.1.2
May 15 17:38:49 boo xinetd[16252]: START: telnet pid=16256 from=10.0.1.2
May 15 17:38:49 boo xinetd[16256]: FAIL: telnet address from=10.0.1.2
May 15 17:38:49 boo xinetd[16252]: EXIT: telnet status=0 pid=16256
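The following Python script is an added example, not part of the original guide or of xinetd itself: it parses a service block like the telnet file above, answers whether a given source address at a given HH:MM would pass the no_access / only_from / access_times checks, and counts FAIL entries per source in /var/log/secure output. The evaluation order (no_access first, then only_from, then access_times) is a simplifying assumption, and only IP addresses and CIDR networks are handled, not host names.

```python
import ipaddress
import re

# Constructed sample: the /etc/xinetd.d/telnet block shown on this page.
SAMPLE_SERVICE = """service telnet
{
    disable = no
    no_access = 10.0.1.0/24
    access_times = 09:45-16:15
}
"""

# Constructed sample: two of the /var/log/secure lines shown on this page.
SAMPLE_LOG = """May 15 17:35:47 boo xinetd[16188]: START: telnet pid=16191 from=10.0.1.2
May 15 17:38:49 boo xinetd[16256]: FAIL: telnet address from=10.0.1.2
"""

def parse_service(text):
    """Collect 'attr = v...' and 'attr += v...' lines into {attr: [values]}."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*\+?=\s*(.*)$", line)
        if m:
            attrs.setdefault(m.group(1), []).extend(m.group(2).split())
    return attrs

def _matches(addr, patterns):
    """True if addr falls in any IP or CIDR pattern (host names not handled)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in patterns)

def _in_window(hhmm, ranges):
    """True if HH:MM lies within any HH:MM-HH:MM range (24-hour, same day)."""
    return any(start <= hhmm <= end for start, end in (r.split("-") for r in ranges))

def is_allowed(attrs, addr, hhmm):
    """Simplified model (assumption): no_access, then only_from, then access_times."""
    if _matches(addr, attrs.get("no_access", [])):
        return False
    if "only_from" in attrs and not _matches(addr, attrs["only_from"]):
        return False
    if "access_times" in attrs and not _in_window(hhmm, attrs["access_times"]):
        return False
    return True

def failed_sources(log_text):
    """Count xinetd FAIL entries per source address, e.g. to spot repeat offenders."""
    counts = {}
    for m in re.finditer(r"xinetd\[\d+\]: FAIL: \S+ .*?from=(\S+)", log_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```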