The client/server architecture of Internet services requires the server to be up and running before a client makes a request for service. It’s probably a bad idea to run all the servers all the time; doing so is impractical because each server process uses system resources in the form of memory and processor time. Besides, you don’t really need all the services up and ready at all times. Instead, run a single server that listens to all the ports and starts the appropriate server when a client request comes in. Such a server is known as an Internet super server because it starts various services on demand.
The two Internet super servers are inetd and xinetd. The inetd server is the older one and is still used in Linux distributions such as Debian, Knoppix, and Ubuntu. The xinetd server is a replacement for inetd, offering improved access control and logging. The name xinetd stands for extended inetd. Distributions such as Fedora and SUSE use xinetd.
How to use inetd to connect a Linux system to the Internet
In Linux distributions that useinetd, the system starts inetd when the system boots. The inetd server reads a configuration file named /etc/inetd.conf at startup. This file tells inetd which ports to listen to and what server to start for each port. The entry in the /etc/inetd.conf file that starts Internet Message Access Protocol (IMAP) on one server looks like this:
imaps stream tcp nowait root /usr/sbin/tcpd /usr/sbin/imapdThe first item on this line,
imaps, tells inetd the name of the service. inetd uses this name to look up the port number from the /etc/services file. If you type grep imaps /etc/services, you find that the port number of the IMAP service is 993. This specification tells inetd to listen to port 993 for FTP service requests.The rest of the fields in the IMAP entry have the following meanings:
- The second and third fields of the entry,
streamandtcp, tellinetdthat the FTP service uses a connection-oriented TCP socket to communicate with the client. For services that use the connectionless UDP sockets, these two fields aredgramandudp. - The fourth field,
nowait, tellsinetdto start a new server for each request. If this field iswait,inetdwaits until the server exits before starting the server again. - The fifth field provides the user ID that
inetduses to run the server. In this case, the server runs the FTP server asroot. - The sixth field specifies the program to run for this service and the last field is the argument that
inetdpasses to the server program. In this case, the/usr/sbin/tcpdprogram is provided/usr/sbin/imapdas an argument.
The /usr/sbin/tcpd program is an access-control facility, or a TCP wrapper, for Internet services. Because unnecessary Internet services are often the sources of security vulnerabilities, you may want to turn off any unneeded services or at least control access to the services. The tcpd program can start other services, such as FTP and Telnet, but before starting the service, tcpd consults the /etc/hosts.allow file to see whether the host requesting service is allowed that service. If nothing is in /etc/hosts.allow about that host, tcpd checks the /etc/hosts.deny file to see whether the service should be denied. If both files are empty, tcpd allows the host access to the requested service. You can place the line ALL:ALL in the /etc/hosts.deny file to deny all hosts access to any Internet services.
Browse through the /etc/inetd.conf file on your system to find out the kinds of services that inetd is set up to start. Nowadays, most inetd services are turned off, and many others, such as FTP, are started by stand-alone servers. In any case, if you see any services that you want to turn off, simply place a hash mark (#) at the beginning of the lines that start these services. When you make such a change in the /etc/inetd.conf file, type /etc/init.d/inetd restart to restart the inetd server.
How to use xinetd to connect a Linux system to the Internet
Linux distributions that usexinetd start xinetd when the system boots. The xinetd server reads a configuration file named /etc/xinetd.conf at startup. This file tells xinetd which ports to listen to and what server to start for each port. The file can contain instructions that include other configuration files. In Linux, the /etc/xinetd.conf file looks like the following:
# Simple configuration file for xinetd
#
# Set some defaults and include /etc/xinetd.d/
defaults
{
instances = 30
log_type = FILE /var/log/xinetd.log
log_on_success = HOST EXIT DURATION
log_on_failure = HOST ATTEMPT
cps = 50 10
}
includedir /etc/xinetd.d
Comment lines begin with the hash mark (#). The default block of attributes, enclosed in curly braces ({ … }), specifies default values for some attributes. These default values apply to all other services in the configuration file. The instances attribute is set to 30, which means that no more than 30 servers can be simultaneously active for any service.The last line in the /etc/xinetd.conf file uses the includedir directive to include all files inside the /etc/xinetd.d directory, excluding files that begin with a period (.). The idea is that the /etc/xinetd.d directory contains all service-configuration files — one file for each type of service the xinetd server is expected to manage. Type ls /etc/xinetd.d to see the xinetd configuration files for your system. Each file in /etc/xinetd.d specifies attributes for one service that xinetd can start.
SUSE Linux uses xinetd to start some services, including the vsftpd (Very Secure FTP daemon) server. (A daemon is a process that runs continuously and never dies.) Type cat /etc/xinetd.d/vsftpd to see the xinetd configuration for the vsftpd service. Here’s a typical listing of that file on a SUSE system:
# default: off
# description:
# The vsftpd FTP server serves FTP connections. It uses
# normal, unencrypted usernames and passwords for authentication.
# vsftpd is designed to be secure.
service ftp
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/vsftpd
}
The filename (in this case, vsftpd) can be anything; what matters is the service name that appears next to the service keyword in the file. In this case, the line service ftp tells xinetd the name of the service. xinetd uses this name to look up the port number from the /etc/services file.The attributes in /etc/xinetd.d/vsftpd, enclosed in curly braces ({ … }), have the following meanings:
- The
socket_typeattribute is set tostream, which tellsxinetdthat the FTP service uses a connection-oriented TCP socket to communicate with the client. For services that use the connectionless UDP sockets, this attribute is set todgram. - The
waitattribute is set tono, which tellsxinetdto start a new server for each request. If this attribute is set toyes,xinetdwaits until the server exits before starting the server again. - The
userattribute provides the user ID thatxinetduses to run the server. In this case, the server runs the vsftpd server asroot. - The
serverattribute specifies the program to run for this service. In this case,xinetdruns the/usr/sbin/vsftpdprogram to provide the FTP service.
/etc/xinetd.d directory on your Linux system to find out the kinds of services xinetd is set up to start. If you want to turn off any service (many services are already disabled), you can do so by editing the configuration file for that service and adding the following line inside the curly braces that enclose all attributes:
disable = yesWhen you make such a change in the
xinetd configuration files, you must restart the xinetd server by typing the following command:
/etc/init.d/xinetd restart
Typically, you can configure services to run under xinetd or as a stand-alone service. SUSE starts the Very Secure FTP daemon (vsftpd) under the control of xinetd. Debian and Fedora, however, run vsftpd as a stand-alone server.