Quick HOWTO : Ch16 : Telnet, TFTP, and xinetd - Linux Home ...
XINETD – Internet Super Daemon
Many network-enabled Linux applications don't rely on standalone server programs to provide restricted access or bind to a particular TCP port; instead they offload much of this work to a program suite made just for this purpose: xinetd. The xinetd RPM is no longer installed by default in Fedora Linux. It is installed as follows:
yum install xinetd*
xinetd uses /etc/xinetd.conf as its main configuration file and the /etc/xinetd.d directory for individual application setup.
The starting and stopping of the xinetd daemon is controlled by the usual SystemV scripts in the /etc/init.d directory, and its behavior at boot time is controlled by chkconfig.
service xinetd start
service xinetd stop
service xinetd restart
To get xinetd configured to start at boot you can use the chkconfig command.
chkconfig xinetd on
xinetd-Managed Applications
Xinetd-managed applications store their configuration files in the /etc/xinetd.d directory. The file name is the same as the service listed in /etc/services. Each configuration file has a disable statement that you can set to disable = yes or no. If set to no, xinetd starts the server program specified by server =.
This governs whether xinetd is allowed to start them and whether the xinetd process listens on the port.
You have to edit these files to activate or deactivate the application via the disable= option. The default is usually disable=yes.
The chkconfig command does this for you automatically and also stops or starts the application accordingly.
Here is an example of the activation and deactivation of the Samba SWAT web GUI management application.
chkconfig swat on
chkconfig swat off
Common xinetd-managed applications tend to be relatively low-traffic: TELNET, FTP, TFTP. High-transaction-volume applications like SMTP, HTTP or SSH are run in standalone server mode to avoid the overhead of being dispatched by xinetd.
TCP Wrappers
The TCP Wrappers package is installed by default on Fedora Linux and provides host-based security separate from that provided by a firewall running on the server itself or elsewhere.
It is also the default for all services running under the XINETD super daemon.
The application relies on two main files:
• /etc/hosts.allow: Defines the hosts and networks allowed to connect to the server.
The TCP Wrappers enabled application searches this file for a matching entry, and if it finds one, then the connection is allowed.
• /etc/hosts.deny: Defines the hosts and networks prohibited from connecting to the server.
If a match is found in this file, the connection is denied. No match means the connection proceeds normally.
The /etc/hosts.allow file is always read first and both files are always read from top to bottom, therefore the ordering of the entries is important.
Each line of either file is a daemon name, a colon, and a space-separated list of hosts or networks:
daemon-name: host-or-network-list
This example allows all traffic from the 192.168.1.0/24 and the 192.168.2.0/255.255.255.0 networks and SSH from only two hosts, 172.16.1.1 and 216.10.119.244.
All HTTP Web traffic is allowed. All other TCP traffic to the host is denied.
Notice how the subnet masks can use the slash nomenclature or the dotted decimal 255.255.255.0 format.
#
# File: hosts.allow
#
ALL: 192.168.1.0/24 192.168.2.0/255.255.255.0
sshd: 172.16.1.1 216.10.119.244
httpd: ALL
#
# File: hosts.deny
#
ALL: ALL
The easiest way of determining the name of a daemon is to use the ps command and then grep to filter for the name of the service, or to use pgrep. For example, the following determines the daemon name (/usr/sbin/sshd) for the SSH server process. Because TCP Wrappers only requires the program name and not the path, sshd is the entry to place in the daemon-name column of the configuration file.
ps -ef | grep -i ssh
root 10053 1 0 Nov06 ? 00:00:00 /usr/sbin/sshd
root 14145 10053 0 Nov13 ? 00:00:02 sshd: root@pts/1
root 18100 14148 0 21:56 pts/1 00:00:00 grep ssh
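The allow-first, deny-second, default-allow evaluation order described above is easy to get wrong when reading a real pair of files. The following is an added example (not code from the HOWTO or from the TCP Wrappers package itself) that simulates that decision for the two example files from the text, so you can check what a given daemon/client combination would get before touching the live files. It assumes IP-address patterns only (single host, CIDR, dotted-mask network, and trailing-dot prefixes); hostname patterns, EXCEPT clauses and the other tcpd access-control features are deliberately not modelled.

```python
import ipaddress

# Constructed copies of the hosts.allow / hosts.deny example files from the text.
HOSTS_ALLOW = """\
ALL: 192.168.1.0/24 192.168.2.0/255.255.255.0
sshd: 172.16.1.1 216.10.119.244
httpd: ALL
"""
HOSTS_DENY = """\
ALL: ALL
"""


def _parse(text):
    """Turn 'daemon-list: client-list' lines into ([daemons], [clients]) tuples.
    Comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")], clients.split()))
    return rules


def _client_matches(pattern, ip):
    """Match one client pattern against an already-parsed IP address."""
    if pattern == "ALL":
        return True
    try:
        if "/" in pattern:
            # ipaddress accepts both '/24' and '/255.255.255.0' after the slash,
            # mirroring the two mask styles shown in the example hosts.allow.
            return ip in ipaddress.ip_network(pattern, strict=False)
        if pattern.endswith("."):  # '192.168.1.' style prefix match
            return str(ip).startswith(pattern)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostname patterns are outside this simulation


def _file_matches(rules, daemon, ip):
    return any(
        any(d == "ALL" or d == daemon for d in daemons)
        and any(_client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def tcp_wrappers_decision(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' using tcpd's order: hosts.allow is searched first
    and a match wins; then hosts.deny; no match in either means the connection
    proceeds."""
    ip = ipaddress.ip_address(client_ip)
    if _file_matches(_parse(allow), daemon, ip):
        return "allow"
    if _file_matches(_parse(deny), daemon, ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, client in [("sshd", "172.16.1.1"), ("sshd", "10.0.0.5"),
                           ("httpd", "10.0.0.5"), ("in.telnetd", "192.168.2.77"),
                           ("in.telnetd", "192.168.3.1")]:
        print(f"{daemon:10s} from {client:15s} -> {tcp_wrappers_decision(daemon, client)}")
```

Note how the `ALL: ALL` line in hosts.deny is what turns the allow list into a real allow-list: remove it and every unlisted daemon/client pair falls through to the default of "allow".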
XINETD Common Applications:
Telnet
Telnet is a program that allows users to log into your server and get a command prompt just as if they were logged into the VGA console. The Telnet server RPM is installed and disabled by default on Fedora Linux. One of the disadvantages of Telnet is that the data is sent as clear text. This means that it is possible for someone to use a network analyzer to peek into your data packets and see your username and password.
A more secure method for remote logins would be via Secure Shell (SSH) which uses varying degrees of encryption. In spite of this, the older Telnet application remains popular. Many network devices don't have SSH clients, making telnet the only means of accessing other devices and servers from them.
Telnet is also used as a basic network connectivity tool to determine application availability, by telnetting to a specific port on a host as follows:
telnet hostname port
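Here is an added example (not part of the HOWTO) of doing the same connectivity check from a script: complete the TCP handshake to a host and port, and capture whatever greeting the service sends first, which is what you see on screen when telnetting to an SSH or SMTP port. The fake service and the closed-port helper are constructed purely so the example can run offline against loopback.

```python
import socket
import threading


def probe_port(host, port, timeout=3.0, read_banner=True):
    """Connect to host:port the way `telnet host port` does and report whether
    the TCP handshake completed, plus any greeting the service sends first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = b""
            if read_banner:
                s.settimeout(1.0)
                try:
                    banner = s.recv(256)
                except socket.timeout:
                    pass  # service expects the client to speak first (e.g. HTTP)
            return {"open": True, "banner": banner.decode("ascii", "replace").strip()}
    except OSError as e:
        # Covers connection refused, unreachable host and connect timeout.
        return {"open": False, "banner": "", "error": str(e)}


def start_fake_service(banner):
    """Constructed stand-in for a listening daemon: binds a free loopback port
    and sends `banner` to the first client that connects, then goes away."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port():
    """Constructed helper: reserve and immediately release a loopback port so
    the 'connection refused' case can be demonstrated."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    port = start_fake_service(b"SSH-2.0-OpenSSH_example\r\n")
    print(probe_port("127.0.0.1", port))
    print(probe_port("127.0.0.1", free_closed_port(), timeout=1.0))
```

A refused connection comes back immediately; a silently dropped packet (a firewall rather than a closed port) only shows up as the connect timeout, so the two failure modes are distinguishable from the `error` text.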
Telnet Client
The command to do remote logins via telnet from the command line is simple. You enter the word telnet and then the IP address or server name to which you want to connect.
telnet 192.168.1.105
Trying 192.168.1.105...
Connected to 192.168.1.105.
Escape character is '^]'.
Linux 2.4.18-14 (smallfry.my-) (10:35 on Sunday, 05 January 2003)
Login: peter
Password:
Last login: Fri Nov 22 23:29:44 on ttyS0
You have new mail.
[peter@smallfry peter]$
logout
Connection closed by foreign host.
#
Fedora has both a TELNET client and server. When searching for the file, remember that the Telnet server RPM's filename usually starts with the word telnet-server followed by a version number as in telnet-server-0.17-28.i386.rpm.
To set up a Telnet server use the chkconfig command to activate Telnet: chkconfig telnet on
Use the chkconfig command to deactivate telnet, even after the next reboot: chkconfig telnet off
Basic Telnet Security
From an administration perspective, companies are trending away from cleartext TELNET for legal reasons: HIPAA, SOX, PCI.
There are a number of things you can do to improve the security of telnet. For example, you should also try to ensure that telnet sessions run over secure internal networks or across VPNs to reduce the risk of exposing sensitive data to unauthorized eyes. Check out some other options.
Let Telnet Listen On Another TCP Port
TELNET listens on port 23 by default. There are also several non-standard TELNET applications that provide encryption, but SSH is usually used for encrypted terminal communications.
Letting telnet run on an alternate TCP port doesn't encrypt the traffic, but it makes it less likely to be detected as telnet traffic by port scanners (i.e. nmap). Remember that this isn't a foolproof strategy; good port scanning programs can detect telnet and other applications running on alternative ports.
Example: “secure” TELNET on port 2323
1) Edit /etc/services file and add a new service called stelnet.
stelnet 2323/tcp # "secure" telnet
2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:
cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet
3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 2323.
service stelnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        port            = 2323
}
4) Activate stelnet: chkconfig stelnet on
5) Check to make sure your server is now listening on port 2323 with the netstat command.
netstat -an | grep 2323
tcp 0 0 0.0.0.0:2323 0.0.0.0:* LISTEN
You can restrict telnet login access to individual remote hosts by using the only_from keyword in the telnet configuration file /etc/xinetd.d/telnet with a list of trusted hosts separated by spaces:
only_from = 192.168.1.100 127.0.0.1 192.168.1.200
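Because every /etc/xinetd.d file decides on its own whether a listener exists (the disable= line described under "xinetd-Managed Applications") and on which port and from where it is reachable (the port and only_from lines in the stelnet example just shown), it is worth being able to inventory them in one pass rather than opening each file. The following is an added example, not the HOWTO's or xinetd's own code: a small parser for the `service name { attribute op value }` syntax, including the `+=` and `-=` operators, and an audit that flags enabled services with no only_from restriction. The two service files are constructed from the text's telnet and stelnet examples; on a real system you would read the files in /etc/xinetd.d instead of the dictionary. It assumes, as xinetd does, that a missing disable attribute means the service is enabled.

```python
import re
from typing import Dict, List

# Constructed sample of what /etc/xinetd.d might contain (modelled on the
# telnet/stelnet files discussed above, not copied from a live system).
SAMPLE_XINETD_DIR = {
    "telnet": """\
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = yes
}
""",
    "stelnet": """\
service stelnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = no
    port            = 2323
    only_from       = 192.168.1.100 127.0.0.1 192.168.1.200
}
""",
}

_SERVICE_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
_ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_xinetd_file(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse one or more `service name { ... }` blocks into {name: {attr: [values]}}.
    '=' replaces, '+=' appends and '-=' removes values; '#' comments are ignored."""
    services: Dict[str, Dict[str, List[str]]] = {}
    for name, body in _SERVICE_RE.findall(text):
        attrs: Dict[str, List[str]] = {}
        for line in body.splitlines():
            m = _ATTR_RE.match(line.split("#", 1)[0])
            if not m:
                continue
            key, op, value = m.groups()
            values = value.split()
            if op == "=":
                attrs[key] = values
            elif op == "+=":
                attrs.setdefault(key, []).extend(values)
            else:  # "-="
                attrs[key] = [v for v in attrs.get(key, []) if v not in values]
        services[name] = attrs
    return services


def audit_xinetd(files: Dict[str, str]) -> List[dict]:
    """Summarize each service: enabled?, server binary, port, only_from list,
    and whether an enabled service is reachable without any only_from limit."""
    report = []
    for fname, text in files.items():
        for name, attrs in parse_xinetd_file(text).items():
            disabled = attrs.get("disable", ["no"])[0].lower() == "yes"
            only_from = attrs.get("only_from", [])
            report.append({
                "file": fname,
                "service": name,
                "enabled": not disabled,
                "server": attrs.get("server", [None])[0],
                "port": int(attrs["port"][0]) if "port" in attrs else None,
                "only_from": only_from,
                "unrestricted": not disabled and not only_from,
            })
    return report


if __name__ == "__main__":
    for entry in audit_xinetd(SAMPLE_XINETD_DIR):
        print(entry)
```

A service with no port attribute listens on the port /etc/services assigns to its name, which is why the audit reports `None` for the stock telnet file; resolving that would mean consulting /etc/services, as xinetd itself does.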
TFTP
The UDP version of FTP is T(rivial)FTP, on UDP port 69. TFTP is a versatile network management tool: network devices use it to save configuration files, to upload new configurations to replacement devices after serious hardware failures, and to load new software versions.
Most RedHat and Fedora Linux software products are available in the RPM format: "rpm -i *tftp*" or "yum install tftp".
By default, the TFTP application expects files to be located in the /tftpboot directory. Change this in the /etc/xinetd.d/tftp file via the server_args option, or create your own directory just for this purpose and create a /tftpboot symbolic link to it.
It is usually best to place the TFTP files in a partition other than the root partition. TFTP files of increasing size could eventually fill the partition affecting your ability to install new software or even the overall performance of your system.
FTP
File Transfer Protocol, the standard Internet file transfer application, is different in that it uses two session pairs to accomplish a file transfer: a command channel on TCP port 21, commonly used to identify the application, and a data channel on TCP port 20. See the FTP document for a better explanation of this application. Depending on server activity, the common Linux FTP package vsftpd can be run as an xinetd application or as a standalone server.