Quick HOWTO : Ch16 : Telnet, TFTP, and xinetd - Linux Home ...



XINETD – Internet Super Daemon

Many network-enabled Linux applications don't rely on standalone server programs to provide restricted access or bind to a particular TCP port; instead they offload a lot of this work to a program suite made just for this purpose: xinetd. The xinetd RPM is no longer installed by default in Fedora Linux. It is installed as follows:

yum install xinetd*

xinetd uses /etc/xinetd.conf as its main configuration file and the /etc/xinetd.d directory for individual application setup.

The starting and stopping of the xinetd daemon is controlled by the usual SystemV scripts in the /etc/init.d directory, and its behavior at boot time is controlled by chkconfig.

service xinetd start

service xinetd stop

service xinetd restart

To get xinetd configured to start at boot you can use the chkconfig command:

chkconfig xinetd on

xinetd-Managed Applications

Xinetd-managed applications store their configuration files in the /etc/xinetd.d directory. The file name is the same as the service name listed in /etc/services. Each configuration file has a disable statement that you can set to disable = yes or disable = no. If set to no, xinetd listens on the service's port and starts the server program specified by server = when a connection arrives.

This setting therefore governs both whether xinetd listens on the port and whether it is allowed to start the application.

You can edit these files to activate or deactivate the application via the disable = option. The default is usually disable = yes.

The chkconfig command does that for you automatically and also stops or starts the application accordingly.

Here is an example of the activation and deactivation of the Samba SWAT web GUI management application.

chkconfig swat on

chkconfig swat off

Common xinetd managed applications tend to be relatively low-traffic – TELNET, FTP, TFTP. High transaction volume applications like SMTP, HTTP or SSH are run in standalone server mode to avoid the overhead of being dispatched by XINETD.

TCP Wrappers

The TCP Wrappers package is installed by default on Fedora Linux and provides host-based security separate from that provided by a firewall running on the server itself or elsewhere.

It is also the default for all services running under the XINETD super daemon.

The application relies on two main files:

• /etc/hosts.allow: Defines the hosts and networks allowed to connect to the server.

The TCP Wrappers enabled application searches this file for a matching entry, and if it finds one, then the connection is allowed.

• /etc/hosts.deny: Defines the hosts and networks prohibited from connecting to the server.

If a match is found in this file, the connection is denied. No match means the connection proceeds normally.

The /etc/hosts.allow file is always read first and both files are always read from top to bottom, therefore the ordering of the entries is important.

The format of each entry is the TCP daemon name, followed by a colon and the list of hosts or networks:

TCP-daemon-name : host-list

This example allows all traffic from the 192.168.1.0/24 and the 192.168.2.0/255.255.255.0 networks and SSH from only two hosts, 172.16.1.1 and 216.10.119.244.

All HTTP Web traffic is allowed. All other TCP traffic to the host is denied.

Notice how the subnet masks can use the slash nomenclature or the dotted decimal 255.255.255.0 format.

#
# File: hosts.allow
#
ALL: 192.168.1.0/24 192.168.2.0/255.255.255.0
sshd: 172.16.1.1 216.10.119.244
httpd: ALL

#
# File: hosts.deny
#
ALL: ALL
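As an added illustration (not from the original HOWTO), the Python below models how TCP Wrappers walks the two files above: hosts.allow first, then hosts.deny, with no match in either file meaning the connection proceeds. It handles only the patterns used in this example (ALL, single addresses, /prefix and /dotted-mask networks); the real library also understands hostnames, EXCEPT lists and the KNOWN/LOCAL wildcards.

```python
import ipaddress

# Constructed copies of the two example files shown above.
HOSTS_ALLOW = """\
# File: hosts.allow
ALL: 192.168.1.0/24 192.168.2.0/255.255.255.0
sshd: 172.16.1.1 216.10.119.244
httpd: ALL
"""
HOSTS_DENY = """\
# File: hosts.deny
ALL: ALL
"""

def parse_rules(text):
    """Turn 'daemon: client client ...' lines into (daemon, [clients]) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        daemon, clients = line.split(":", 1)
        rules.append((daemon.strip(), clients.split()))
    return rules

def client_matches(pattern, addr):
    """ALL, a single address, a.b.c.d/prefix or a.b.c.d/dotted-mask."""
    if pattern == "ALL":
        return True
    return addr in ipaddress.ip_network(pattern, strict=False)

def rule_matches(rule, daemon, addr):
    rule_daemon, clients = rule
    return (rule_daemon in ("ALL", daemon)
            and any(client_matches(c, addr) for c in clients))

def is_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first; a match there permits outright.
    Otherwise hosts.deny is consulted; a match there rejects.
    No match in either file lets the connection proceed."""
    addr = ipaddress.ip_address(client)
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True
```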

The easiest way of determining the name of a daemon is to use the ps command and then grep (or pgrep) to filter for the name of the service. For example, the output below shows the daemon name (/usr/sbin/sshd) for the SSH server process. Because TCP Wrappers only requires the program name and not the path, sshd is the entry to place in the TCP-daemon-name column of the configuration file.

ps -ef | grep -i ssh

root 10053 1 0 Nov06 ? 00:00:00 /usr/sbin/sshd
root 14145 10053 0 Nov13 ? 00:00:02 sshd: root@pts/1
root 18100 14148 0 21:56 pts/1 00:00:00 grep ssh

XINETD Common Applications:

Telnet

Telnet is a program that allows users to log into your server and get a command prompt just as if they were logged into the VGA console. The Telnet server RPM is installed and disabled by default on Fedora Linux. One of the disadvantages of Telnet is that the data is sent as clear text. This means that it is possible for someone to use a network analyzer to peek into your data packets and see your username and password.

A more secure method for remote logins would be via Secure Shell (SSH) which uses varying degrees of encryption. In spite of this, the older Telnet application remains popular. Many network devices don't have SSH clients, making telnet the only means of accessing other devices and servers from them.

Telnet is also used as a basic network connectivity tool to determine application availability, by telnetting to a specific port on a host as follows:

telnet hostname port

Telnet Client

The command to do remote logins via telnet from the command line is simple. You enter the word telnet and then the IP address or server name to which you want to connect.

telnet 192.168.1.105
Trying 192.168.1.105...
Connected to 192.168.1.105.
Escape character is '^]'.

Linux 2.4.18-14 (smallfry.my-) (10:35 on Sunday, 05 January 2003)

Login: peter
Password:
Last login: Fri Nov 22 23:29:44 on ttyS0
You have new mail.
[peter@smallfry peter]$
logout
Connection closed by foreign host.

#

Fedora has both a Telnet client and server. When searching for the file, remember that the Telnet server RPM's filename usually starts with the word telnet-server followed by a version number, as in telnet-server-0.17-28.i386.rpm.

To set up a Telnet server, use the chkconfig command to activate Telnet:

chkconfig telnet on

Use the chkconfig command to deactivate Telnet so that it stays off even after the next reboot:

chkconfig telnet off

Basic Telnet Security

From an administration perspective, companies are trending away from cleartext TELNET for legal reasons: HIPAA, SOX, PCI.

There are a number of things you can do to improve the security of telnet. For example, you should try to ensure that telnet sessions run only over secure internal networks or across VPNs, to reduce the risk of exposing sensitive data to unauthorized eyes. Some other options follow.

Let Telnet Listen On Another TCP Port

TELNET listens on port 23 by default. There are also several non-standard TELNET applications that provide encryption, but SSH is usually used for encrypted terminal communications.

Letting telnet run on an alternate TCP port doesn't encrypt the traffic, but it makes it less likely to be detected as telnet traffic by port scanners (i.e. nmap). Remember that this isn't a foolproof strategy; good port scanning programs can detect telnet and other applications running on alternative ports.

Example: “secure” TELNET on port 2323

1) Edit /etc/services file and add a new service called stelnet.

stelnet 2323/tcp # "secure" telnet

2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:

cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 2323.

service stelnet
{
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/in.telnetd
    log_on_failure += USERID
    disable = no
    port = 2323
}

4) Activate stelnet: chkconfig stelnet on

5) Check to make sure your server is now listening on port 2323 with the netstat command.

netstat -an | grep 2323

tcp 0 0 0.0.0.0:2323 0.0.0.0:* LISTEN

You can restrict telnet login access to individual remote hosts by using the only_from keyword in the telnet configuration file /etc/xinetd.d/telnet with a list of trusted hosts separated by spaces:

only_from = 192.168.1.100 127.0.0.1 192.168.1.200
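The following Python is an added consistency check for a stanza like the one in the stelnet example (example code, not part of the HOWTO or of xinetd): it parses an /etc/xinetd.d file and an /etc/services listing, both constructed inline, and reports a port that disagrees with /etc/services, a service that is still disabled, or a missing only_from restriction.

```python
import re

# Constructed inputs: the /etc/services line and the stelnet stanza from the text, plus only_from.
SERVICES = """\
telnet 23/tcp
stelnet 2323/tcp # "secure" telnet
"""
STELNET_CONF = """\
service stelnet
{
    socket_type = stream
    wait = no
    server = /usr/sbin/in.telnetd
    log_on_failure += USERID
    disable = no
    port = 2323
    only_from = 192.168.1.100 127.0.0.1 192.168.1.200
}
"""

def parse_services(text):
    """Map service name -> port number from /etc/services-style lines."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()        # strip comments
        if len(fields) >= 2 and "/" in fields[1]:
            ports[fields[0]] = int(fields[1].split("/")[0])
    return ports

def parse_xinetd(text):
    """Return (service name, {attribute: value}) for one xinetd.d stanza."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    attrs = {}
    for line in m.group(2).splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            attrs[key.strip().rstrip("+").strip()] = value.strip()   # handles '+='
    return m.group(1), attrs

def check_service(conf_text, services_text):
    """Return the list of problems found; an empty list means the stanza is consistent."""
    name, attrs = parse_xinetd(conf_text)
    ports = parse_services(services_text)
    problems = []
    if name not in ports:
        problems.append(f"{name} is not listed in /etc/services")
    elif "port" in attrs and int(attrs["port"]) != ports[name]:
        problems.append(f"port {attrs['port']} differs from /etc/services ({ports[name]})")
    if attrs.get("disable", "yes") != "no":
        problems.append("disable is not set to no")
    if not attrs.get("only_from"):
        problems.append("no only_from restriction")
    return problems
```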

TFTP

TFTP (Trivial FTP) is the UDP counterpart of FTP and uses UDP port 69. It is a versatile network management tool: network devices use it to save files such as their configurations, to upload a saved configuration to a replacement device after a serious hardware failure, and to load new versions of the software the devices run.

Most RedHat and Fedora Linux software products are available in the RPM format; install it with “rpm -i *tftp*” or “yum install tftp”.

By default, the TFTP application expects files to be located in the /tftpboot directory. Change this in the /etc/xinetd.d/tftp file via the server_args option, or create your own directory just for this purpose and create a /tftpboot symbolic link to it.

It is usually best to place the TFTP files in a partition other than the root partition. TFTP files of increasing size could eventually fill the partition affecting your ability to install new software or even the overall performance of your system.

FTP

File Transfer Protocol, the standard Internet file transfer application, is different in that it uses two sessions to accomplish a file transfer: a command channel on TCP port 21, commonly used to identify the application, and a data channel on TCP port 20. See the FTP document for a better explanation of this application. Depending on server activity, the common Linux FTP package vsftpd can be run as an xinetd application or as a standalone server.
