3.10. Restricting Access by Remote Hosts (xinetd with tcpd)
Problem
You want only particular remote hosts to access a TCP service via xinetd, when xinetd was not compiled with libwrap support.
Solution
Set up access control rules in /etc/hosts.allow and/or /etc/hosts.deny. For example, to permit telnet connections only from 192.168.1.100 and hosts in the example.com domain, add to /etc/hosts.allow:
in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY
Then modify /etc/xinetd.conf or /etc/xinetd.d/servicename to invoke tcpd in place of your service:
Old /etc/xinetd.conf or /etc/xinetd.d/telnet:

service telnet
{
    ...
    flags  = ...
    server = /usr/sbin/in.telnetd
    ...
}

New /etc/xinetd.conf or /etc/xinetd.d/telnet:

service telnet
{
    ...
    flags       = ... NAMEINARGS
    server      = /usr/sbin/tcpd
    server_args = /usr/sbin/in.telnetd
    ...
}
Then reset xinetd so your changes take effect. [Recipe 3.3]
Discussion
This technique is only for the rare case when, for some reason, you don’t want to use xinetd’s built-in access control [Recipe 3.8] and your xinetd does not have libwrap support compiled in. It mirrors the original inetd method of access control using TCP-wrappers. [Recipe 3.11]
You must include the flag NAMEINARGS, which tells xinetd to look in the server_args line to find the service executable name (in this case, /usr/sbin/in.telnetd).
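The following is an added illustration, not code from the cookbook or from tcp_wrappers: it emulates how tcpd evaluates the three hosts.allow rules above (first match wins, hosts.allow before hosts.deny, and access granted when nothing matches), so you can see why the final "in.telnetd : ALL : DENY" line is needed. The rule text is embedded inline rather than read from /etc/hosts.allow, and a *.example.com pattern is assumed to be matched against the client's reverse-resolved hostname, which is what tcpd does.

```python
"""Emulate tcpd's hosts.allow / hosts.deny decision for the recipe's rules.

Constructed example, not part of the cookbook or of tcp_wrappers.
"""
from fnmatch import fnmatchcase

# Constructed copy of the three rules the recipe adds to /etc/hosts.allow.
HOSTS_ALLOW = """\
in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY
"""
HOSTS_DENY = ""  # nothing in /etc/hosts.deny in this example


def parse_rules(text):
    """Return (daemons, clients, option) tuples; ignores comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        option = fields[2].upper() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, ip, hostname):
    """ALL matches everything; other patterns are shell-style globs that
    tcpd applies to the client's address and its reverse-resolved name."""
    if pattern == "ALL":
        return True
    return fnmatchcase(ip, pattern) or fnmatchcase(hostname, pattern)


def tcpd_allows(daemon, ip, hostname, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """First match wins: hosts.allow, then hosts.deny, then default allow."""
    for daemons, clients, option in parse_rules(allow):
        if (daemon in daemons or "ALL" in daemons) and any(
                client_matches(p, ip, hostname) for p in clients):
            return option != "DENY"     # a ": DENY" option flips the allow
    for daemons, clients, option in parse_rules(deny):
        if (daemon in daemons or "ALL" in daemons) and any(
                client_matches(p, ip, hostname) for p in clients):
            return option == "ALLOW"    # a ": ALLOW" option flips the deny
    return True   # no rule matched: tcpd grants access
```

Dropping the last rule (pass allow="in.telnetd : 192.168.1.100\n") lets every other client through, because tcpd's default when no rule matches is to allow.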
See Also
xinetd(8), hosts.allow(5), tcpd(8).