My-Tiny.Net :: Networking with Virtual Machines



xinetd: the eXtended InterNET Daemon



The idea of a "super service" daemon goes back to the ancient times of the Internet (i.e., before 1992 when the WWW came on the scene). The original inetd is still around, but back then system administrators were not so worried about security (they were happy enough that it just worked).

xinetd is a secure replacement for inetd. It controls access to network services, with service-specific configuration options for access control, enhanced logging, address binding, redirection, and resource utilization control.

When a client attempts to connect to a network service controlled by xinetd, the super service receives the request and checks that the connection is allowed under its access rules for that service, that the service is not consuming more than its allotted resources, and that no other defined rule is breached. It then starts an instance of the requested service and hands the connection to it. Once the connection is established, xinetd no longer interferes with communication between the client and the server.

Telnet is the original Internet interactive communication protocol, with ftp for exchanging files - even mail was layered over ftp in those days. Since telnet and ftp transmit passwords over the network in cleartext, their use has been mostly superseded by the use of ssh and sftp. Running sshd in daemon mode is much preferred to running in inetd mode, because SSL needs to be initialized for every connection.




xinetd and telnet

Telnet is still a very handy tool in network environments that are known to be secure. Another service that is usefully managed with xinetd is Trivial File Transfer Protocol (TFTP), which is used for booting diskless workstations, and for backing up and restoring configuration files on Cisco switches and routers.

It bears repeating that Telnet and TFTP provide very little security, and should not be enabled unless they are needed.

The global xinetd configuration file is /etc/xinetd.conf and /etc/xinetd.d/ is the directory of service-specific configuration files. Start mc on either the Gateway or the MailHost (you need to do both, so pick one to start) and use [F4] to make two changes to /etc/xinetd.d/telnet
  1. Uncomment (delete the # from) the only_from directive, and change the IP address to 127.0.0.1
  2. Change the disable directive to no
then save the file with [F2] and exit the editor with [F10].
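The only_from and disable directives edited above are the two that decide whether a service is reachable at all, so it is useful to be able to check a whole /etc/xinetd.d directory for enabled services that carry no only_from restriction. The script below is an added example written for this page; it is not part of the original tutorial or of xinetd itself. It assumes service files in the format shown on this page, and the function names (xinetd_attr, audit_xinetd_dir, make_sample_dir) and the four sample service files are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the original page: audit a directory of xinetd
# service files and report every enabled service with no only_from line.
# The function names and the sample files are this example's own.

# Print the value of attribute $2 in service file $1 (first match only).
# Comments and trailing blanks are stripped first; "=" and "+=" both count.
# Prints nothing when the attribute is absent.
xinetd_attr() {
    sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*[+-]\{0,1\}=[[:space:]]*//p" "$1" |
        head -n 1
}

# Exit 0 when every enabled service in directory $1 carries an only_from
# restriction; otherwise print each offender and exit 1. xinetd treats a
# service as enabled unless it says disable = yes, so a missing disable line
# counts as enabled. Restrictions inherited from the defaults block of
# /etc/xinetd.conf are not consulted here.
audit_xinetd_dir() {
    offenders=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(xinetd_attr "$f" disable)" = yes ] && continue
        if [ -z "$(xinetd_attr "$f" only_from)" ]; then
            printf 'UNRESTRICTED: %s\n' "$f"
            offenders=$((offenders + 1))
        fi
    done
    [ "$offenders" -eq 0 ]
}

# Constructed sample in the style of /etc/xinetd.d, written to directory $1
# so the audit can be tried without touching a real system.
make_sample_dir() {
    cat > "$1/telnet" <<'EOF'
service telnet
{
    socket_type   = stream
    wait          = no
    user          = root
    server        = /usr/sbin/in.telnetd
    only_from     = 127.0.0.1   # loopback only, as set up above
    disable       = no
}
EOF
    cat > "$1/showlog" <<'EOF'
service showlog
{
    type          = UNLISTED
    port          = 23435
    socket_type   = stream
    protocol      = tcp
    wait          = no
    user          = nobody
    server        = /usr/local/sbin/showlog
    disable       = no
}
EOF
    cat > "$1/laplink" <<'EOF'
service laplink
{
    id            = showlog
    socket_type   = stream
    protocol      = tcp
    wait          = no
    user          = nobody
    server        = /usr/local/sbin/showlog
    only_from    += 192.168.56.0/24
}
EOF
    cat > "$1/tftp" <<'EOF'
service tftp
{
    socket_type   = dgram
    protocol      = udp
    wait          = yes
    user          = root
    server        = /usr/sbin/in.tftpd
    disable       = yes
}
EOF
}

# Stand-alone use: audit the directory named on the command line, or, with
# no argument, the constructed sample (which reports showlog).
if [ -n "${1:-}" ]; then
    audit_xinetd_dir "$1"
else
    sample=$(mktemp -d) || exit 1
    make_sample_dir "$sample"
    audit_xinetd_dir "$sample" || :
    rm -rf "$sample"
fi
```

Run it as sh audit.sh /etc/xinetd.d on a real host; the sample run shows that the UNLISTED showlog service from later on this page is the one that would be flagged, since it has no only_from line at all.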

After editing the service configuration, we need to start xinetd. If you look at /etc/rc.d/rc.inet2 you will find the following code:

   # Start the inetd server:
   if [ -x /etc/rc.d/rc.inetd ]; then
      /etc/rc.d/rc.inetd start
   fi
which means we need a script named rc.inetd with the execute bit set (-x).

We don't have one yet, so use mc to
  1. Change the permissions on /etc/rc.d/rc.xinetd so that only the owner can write, but everyone can read and execute

  2. Use [F9] and choose File and then choose Symlink to create a symbolic link ("shortcut") called rc.inetd
    (just delete the path in the box and then type in the new name).
With this, xinetd will start every time the system boots up - but it is not started yet, so you need to do that now. Switch to your plain shell virtual terminal, and type the path and the filename at the command prompt.

/etc/rc.d/rc.inetd start




xinetd and Arbitrary Services

We can actually use xinetd to run any script we prepare for it. All we need to do is put a configuration file for the service in /etc/xinetd.d and create a simple executable script in /usr/local/sbin/. In this example, we use the showlog script.

First, get /etc/xinetd.d/ on both sides in mc. Use [F5] to copy and rename telnet to laplink or showlog (just type the new filename in the destination field). The name needs to match the service configuration, so have a look at the boxes below before you do this.

Set up the service in one of two ways.

The first way is to find a service in /etc/services that we won't be using on the server. This example uses laplink, port 1547; some other good candidates for TinyNet are epec 3031, ccmail 3264, dec-notes 3333, softcm 6110 and spc 6111.

    service laplink
    {
        id            = showlog
        socket_type   = stream
        protocol      = tcp
        wait          = no
        user          = nobody
        server        = /usr/local/sbin/showlog
        disable       = no
    }

The second way is to give the service the type UNLISTED, which skips the lookup in /etc/services; we then just need to specify the port.

    service showlog
    {
        type          = UNLISTED
        port          = 23435
        socket_type   = stream
        protocol      = tcp
        wait          = no
        user          = nobody
        server        = /usr/local/sbin/showlog
        disable       = no
    }
Note: The xinetd man page says "When wait is yes and socket_type is stream, the socket passed to the server can only accept connections."

It is tempting to think that a server_args line in the xinetd configuration could be used to pass information to the script, but it cannot do this: server_args only supplies fixed arguments written in the configuration file. xinetd simply connects the script's stdin and stdout (see the Redirection page under Standard I/O on the menu) to the stream from the source host. Input received over the socket is not interpreted by xinetd, so nothing the client sends can become a command-line argument to the script.

The Bash built-in read command is the counterpart of the echo command. One line is read from the standard input, and processed according to the options. Here is an example (see the man page for details).

    #!/bin/bash
    # one line from the client; xinetd has connected the socket to stdin
    read -r FILE theRest
    # quoted so an odd file name cannot split into extra arguments
    /usr/bin/tail -f "/var/log/$FILE"
In this form the first word of the line is assigned to the variable FILE, and all leftover words to the last name, theRest.

To create an empty script, use the command: echo '#!/bin/bash' >/usr/local/sbin/showlog
(use single quotes so the shell does not try to expand the !) and then open the file in your editor and type in the other lines. Save it, and then set the executable bits on the file.

It needs to work before the listener is started, so test it with any file that exists in /var/log: for example,
echo "stunnel.log" |/usr/local/sbin/showlog
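The script as written hands whatever the client sends straight to tail -f /var/log/$FILE, so a name containing ../ would point outside /var/log (tail runs as nobody, which limits but does not remove the exposure). The hardened showlog below is an added example, not the script from the page: it accepts only a plain file name that exists as a regular file under /var/log and refuses anything else. The LOGDIR variable and the names valid_logname, resolve_log and showlog_main are this example's own; the guard on $0 at the end is there so the functions can be exercised from a test without the script trying to read a socket.

```shell
#!/bin/bash
# Added example (not the page's showlog): a hardened variant of the script
# that only accepts a plain file name inside LOGDIR. The names LOGDIR,
# valid_logname, resolve_log and showlog_main are this example's own.
LOGDIR=${LOGDIR:-/var/log}

# A request is acceptable only if it is a single non-empty token made of
# letters, digits, dot, underscore and hyphen, does not start with a dot and
# contains no slash. This rejects relative paths with "..", absolute paths
# and names that would read hidden files.
valid_logname() {
    case $1 in
        '' | .* | */*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the full path for log name $2 under directory $1, or fail when the
# name is unacceptable or the file does not exist as a regular file.
resolve_log() {
    valid_logname "$2" || return 1
    [ -f "$1/$2" ] || return 1
    printf '%s\n' "$1/$2"
}

# Service entry point: xinetd hands the client's socket to us as stdin and
# stdout, so one line is read from it exactly as the page's script does.
# -r keeps backslashes literal; anything after the first word is ignored,
# and a trailing CR (sent by telnet-style clients) is stripped.
showlog_main() {
    read -r name _rest || exit 1
    name=${name%"$(printf '\r')"}
    path=$(resolve_log "$LOGDIR" "$name") || {
        echo "refused: unknown log file"
        exit 1
    }
    exec /usr/bin/tail -f "$path"
}

# Only act as the network service when installed under the service name
# (/usr/local/sbin/showlog); that keeps the functions usable from a test.
case ${0##*/} in
    showlog) showlog_main ;;
esac
```

Installed as /usr/local/sbin/showlog it is a drop-in for the page's script, and the same pre-listener test applies: echo "stunnel.log" | /usr/local/sbin/showlog should start following the log, while echo "../../etc/shadow" | /usr/local/sbin/showlog should print the refusal and exit.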

Finally, restart xinetd to get it listening on the new port: /etc/rc.d/rc.xinetd restart
and check that the service is ready with netstat -tulp

Now you can use netcat (See Utilities :: Netcat on the menu) to connect to the service. For example,

echo "acpid.log" |nc -w 300 mail.tinynet.edu laplink
or
echo "acpid.log" |nc -w 300 192.168.56.252 23435

The -w switch for netcat closes the connection after a given number of seconds, so you probably want to adjust that. Note that xinetd can "get tired" of launching the shell script after several rounds of fast experimentation, so just restart xinetd if the command suddenly stops working.




Some things to know about the mc editor:
  • Spaces may appear as light blue dots and tabs as <---> because some programs (like OpenLDAP) are sensitive to whitespace at the beginning and the end of lines. "That's a feature, not a bug!"

  • To Copy / Delete / Move a block of text you need to start by pressing [F3] at the beginning of the text you want to work with, and look for [B---] in the top status bar which means you are marking a block. Use the arrow keys to highlight to the end of the text block, and press [F3] again (top status bar will show [BM--]).

    Now you can use the labelled [Fkey] to Copy / Delete / Move within the file. After that, press [F3] until the top status bar just shows [-M--] (twice is usually enough), which means you have stopped marking blocks of text.

  • If you want to paste into another file, press [F9] and choose Copy to Clipfile from the menu. Close the source file, open the destination file and move to where you want the new text, press [F9], and choose Paste from Clipfile from the menu.