Contents: Securing Network ServicesProxiesSpecific Examples

About this document

1. Wrap Your Services: inetd and xinetd

Most services on a machine to which one can connect remotely may be "wrapped": when a connection is made, a security service looks at it, and if it satisfies given criteria the connection is passed on to the OS service in question, such as telnet or FTP; if not the connection is dropped. The criteria usually consist of access control lists --- does the connection come from a known, trusted host or domain? Such a security service can come in the form of a super-daemon (possibly with auxilliary software), e.g., inetd (with TCP Wrappers) or xinetd, or in the form of a proxy.

1.1. TCP Wrappers

On older Linuces and on Solaris, service wrapping is usually done with TCP Wrappers. The source can be freely downloaded from; binaries are available from for Solaris and with most older Linux distributions.

After compilation and linking, if necessary, there are two ways in which installation and configuration can be completed:

  1. Move network daemons to some other directory and fill the resulting holes with copies of the wrapper programs. This approach involves no changes to system configuration files. (See the supplied README for more details.)

  2. Install the wrapper daemon, tcpd, (e.g., in /usr/sbin); leave the network daemons alone and modify the inetd configuration file, /etc/inetd.conf: for example, commented out unwrapped services and the corresponding wrapped services might look like this:
          ## ftp     stream  tcp6  nowait  root  /usr/sbin/in.ftpd     in.ftpd
          ## telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
          ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
          telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
    Then restart inetd as described above.
Your binary package may lead you in one direction or the other.

Finally, the associated access-control lists, /etc/hosts.allow and /etc/hosts.deny, must be edited, for example:

    # -- /etc/hosts.deny --- a default-deny stance :
    in.telnetd: ALL
    in.ftpd: ALL
    in.rexecd: ALL
    in.rlogind: ALL
    in.rshd: ALL
    # -- /etc/hosts.allow --- let a few friends in :
This should be simple, but be warned, some versions of TCP Wrappers can be fussy over details of whitespace and comments within the configuration files --- use the utility tcpdchk (which comes with TCP Wrappers) to check the files' syntax.

1.2. xinetd

On recent Linux distributions xinetd access control lists have replaced TCP Wrappers. (The required daemons and configuration files should already be installed.) The configuration files are to be found in /etc/xinetd.d.

Example Configuration Files

After changing configuration files restart xinetd as described above.

A standard xinetd configuration file which can be trivially-modified for FTP and other services --- note the use of Cosmos as a gateway machine so that this machine can be accessed globally:

    # default: on
    # description: The telnet server serves telnet sessions; it uses \
    #              unencrypted username/password pairs for authentication.
    service telnet
        flags              = REUSE
        socket_type        = stream        
        wait               = no
        user               = root
        server             = /usr/sbin/in.telnetd
        log_on_failure    += USERID
        disable            = no
        only_from          =      # my PC
        only_from         +=    # my trusted friend's machine
        only_from         +=     # my co-researcher's machine
        only_from         +=     # cosmos --- use as 
                                              #     globally-accessible gateway

If you have a need to run a SMTP service, wrap it like this --- note the server arguments:

    service smtp
        socket_type     = stream        
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/lib/sendmail
        server_args     = -bs
  #NO!# server_args     = -bd -q15m
        disable         = no
        instances       = 10
        nice            = 10
        log_on_failure += HOST
        only_from       =
        only_from      +=   # cosmos --- for testing
        only_from      +=  # rainstorm  } 
        only_from      +=  # downpour   } the ISD mail
        only_from      +=  # cloudburst } routers
        only_from      +=  # deluge     } 
        no_access       =