User guide

xinetd Configuration Files
This section discusses using xinetd to control access to services.
Note: Unlike TCP Wrappers, changes to access control only take effect if the xinetd administrator restarts the xinetd service. Also, unlike TCP Wrappers, access control through xinetd only affects services controlled by xinetd.
The xinetd hosts access control differs from the method used by TCP Wrappers. While TCP Wrappers places all of the access configuration within two files, /etc/hosts.allow and /etc/hosts.deny, xinetd's access control is found in each service's configuration file in the /etc/xinetd.d/ directory.
The following hosts access options are supported by xinetd:

only_from — Allows only the specified hosts to use the service.

no_access — Blocks listed hosts from using the service.

access_times — Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM.
The only_from and no_access options can use a list of IP addresses or host names, or can specify
an entire network. Like TCP Wrappers, combining xinetd access control with the enhanced logging
configuration can increase security by blocking requests from banned hosts while verbosely recording
each connection attempt.
For example, the following /etc/xinetd.d/telnet file can be used to block Telnet access from a
particular network group and restrict the overall time range that even allowed users can log in:
service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/kerberos/sbin/telnetd
    log_on_failure  += USERID
    no_access       = 172.16.45.0/24
    log_on_success  += PID HOST EXIT
    access_times    = 09:45-16:15
}
In this example, when a client system from the 172.16.45.0/24 network, such as 172.16.45.2,
tries to access the Telnet service, it receives the following message:
Connection closed by foreign host.
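The following Python script is an added example, not part of the guide or of xinetd itself: it parses a service stanza in the format shown above and evaluates the only_from, no_access and access_times checks for a given client address and clock time, so an administrator can sanity-check a stanza before restarting xinetd. It models only the numeric/CIDR forms of the address lists (host names are not resolved) and applies the rule that, when a client matches both lists, the more specific entry wins; treating an equally specific match as a denial is this example's own assumption. It goes slightly beyond the page's stanza by also exercising a constructed stanza that combines only_from and no_access.

```python
"""Simplified model of xinetd's host-access checks (added example, not xinetd code)."""
import ipaddress
from datetime import time

# Copy of the /etc/xinetd.d/telnet stanza discussed above.
SAMPLE_STANZA = """\
service telnet
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/kerberos/sbin/telnetd
    log_on_failure  += USERID
    no_access       = 172.16.45.0/24
    log_on_success  += PID HOST EXIT
    access_times    = 09:45-16:15
}
"""


def parse_stanza(text):
    """Parse one xinetd service stanza into {'service': name, attribute: [values]}.

    Supports the '=' and '+=' operators used in the stanza above; anything else
    raises so a typo is not silently ignored.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line in ("{", "}"):
            continue
        if line.startswith("service "):
            cfg["service"] = line.split(None, 1)[1]
            continue
        parts = line.split()
        key, op, values = parts[0], parts[1], parts[2:]
        if op == "=":
            cfg[key] = values
        elif op == "+=":
            cfg.setdefault(key, []).extend(values)
        else:
            raise ValueError(f"unsupported operator {op!r} in line: {raw!r}")
    return cfg


def parse_clock(hhmm):
    """'09:45' -> datetime.time(9, 45)."""
    hours, minutes = map(int, hhmm.split(":"))
    return time(hours, minutes)


def parse_time_range(spec):
    """'09:45-16:15' -> (time(9, 45), time(16, 15)); the access_times format."""
    start, end = spec.split("-")
    return parse_clock(start), parse_clock(end)


def _best_match(client, patterns):
    """Longest prefix length among CIDR/address patterns matching client, or None."""
    best = None
    for pat in patterns:
        net = ipaddress.ip_network(pat, strict=False)  # plain address -> /32
        if client in net and (best is None or net.prefixlen > best):
            best = net.prefixlen
    return best


def check_access(cfg, client_ip, now_hhmm):
    """Return (allowed, reason) for client_ip connecting at wall-clock time now_hhmm."""
    client = ipaddress.ip_address(client_ip)
    allow = _best_match(client, cfg.get("only_from", []))
    deny = _best_match(client, cfg.get("no_access", []))
    if "only_from" in cfg and allow is None:
        return False, "not listed in only_from"
    # More specific entry wins; an equally specific no_access entry is treated
    # as a denial here (this example's assumption).
    if deny is not None and (allow is None or deny >= allow):
        return False, f"matched no_access entry (/{deny})"
    ranges = [parse_time_range(spec) for spec in cfg.get("access_times", [])]
    now = parse_clock(now_hhmm)
    if ranges and not any(start <= now <= end for start, end in ranges):
        return False, "outside access_times"
    return True, "allowed"


if __name__ == "__main__":
    cfg = parse_stanza(SAMPLE_STANZA)
    for ip, at in [("172.16.45.2", "10:00"), ("10.0.0.5", "10:00"), ("10.0.0.5", "17:00")]:
        print(cfg["service"], ip, at, check_access(cfg, ip, at))
```

Run it directly to see the three decisions for the page's stanza: the 172.16.45.0/24 client is refused by no_access, a client outside that network is admitted inside the 09:45-16:15 window and refused outside it. Because the script never talks to xinetd, it is safe to run against any candidate stanza on a workstation before the service is restarted.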
In addition, the attempt is logged in /var/log/messages as follows:
Sep 7 14:58:33 localhost xinetd[5285]: FAIL: telnet address from=172.16.45.107
Sep 7 14:58:33 localhost xinetd[5283]: START: telnet pid=5285 from=172.16.45.107
Sep 7 14:58:33 localhost xinetd[5283]: EXIT: telnet status=0 pid=5285 duration=0(sec)
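To turn those log lines into something a monitoring job can act on, the following Python script (an added example, not from the guide) parses xinetd's START/FAIL/EXIT entries in the format shown above and counts refused connections per service, reason and source address. The sample log is constructed: it contains the three lines above plus two further FAIL lines in the same format, so the counter has something to aggregate.

```python
"""Parse xinetd START/FAIL/EXIT syslog lines and summarise refusals (added example)."""
import re
from collections import Counter

# Constructed sample: the three lines shown above plus two additional FAIL lines
# in the same format (a repeat from 172.16.45.107 and one from 172.16.45.9).
SAMPLE_LOG = """\
Sep  7 14:58:33 localhost xinetd[5285]: FAIL: telnet address from=172.16.45.107
Sep  7 14:58:33 localhost xinetd[5283]: START: telnet pid=5285 from=172.16.45.107
Sep  7 14:58:33 localhost xinetd[5283]: EXIT: telnet status=0 pid=5285 duration=0(sec)
Sep  7 14:59:01 localhost xinetd[5290]: FAIL: telnet address from=172.16.45.107
Sep  7 14:59:40 localhost xinetd[5294]: FAIL: telnet address from=172.16.45.9
"""

# syslog timestamp, host, "xinetd[pid]:", event type, service, then free-form fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"xinetd\[(?P<xpid>\d+)\]: (?P<event>START|FAIL|EXIT): (?P<service>\S+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for an xinetd line, or None if the line is not one.

    key=value tokens go into 'fields'; a bare token (e.g. 'address' on a FAIL
    line) is the refusal reason.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {
        "ts": m["ts"], "host": m["host"], "xinetd_pid": m["xpid"],
        "event": m["event"], "service": m["service"], "fields": {}, "reason": None,
    }
    for tok in m["rest"].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            event["fields"][key] = value
        else:
            event["reason"] = tok
    return event


def parse_log(text):
    """Parse every recognised line, silently skipping unrelated syslog entries."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def refused_by_source(text):
    """Counter of (service, reason, source address) for FAIL events."""
    return Counter(
        (ev["service"], ev["reason"], ev["fields"].get("from"))
        for ev in parse_log(text)
        if ev["event"] == "FAIL"
    )


if __name__ == "__main__":
    for (service, reason, src), n in refused_by_source(SAMPLE_LOG).most_common():
        print(f"{service:8} {reason:10} {src:16} refused {n}x")
```

A threshold on the per-source count (say, more than a handful of address refusals from one host within a few minutes) is the natural alert to build on this; the START/EXIT pairs, matched on pid, give the session durations for the connections that were admitted.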