NSLU2-Linux

Xinetd

Xinetd is a replacement for inetd. It invokes a daemon, a process which runs all the time, monitoring communication requests from other computers over the TCP/IP network to the NSLU2. When it receives a request, it starts the appropriate module to handle the request. Thus xinetd (and inetd) provide a way to invoke telnet, FTP, and other handlers.

Project home page: http://www.xinetd.org

Why use Xinetd

  • It is more secure - you can restrict access to any service to hosts and/or networks.
  • It is modular - each service has its own configuration file. No more messing with common files to insert a new service.
  • It has global defaults - very little has to be configured for each service.
  • DoS protection - set limits on the number of instances of each service.
  • Disable single services - a service can be disabled without removing its configuration.
  • Can detect attempts at accessing disabled services and blacklist IPs for a specified period of time.
  • Samba 3.2 depends on xinetd, and when you install Samba with ipkg you will get xinetd.

Read more in this overview article.

How to install

  • Install the package: ipkg install xinetd
  • Alternatively, Samba 3.2 depends on xinetd, and when you install Samba with ipkg you will get xinetd.

As you install packages which rely on Xinetd for invocation, you will need to make two additions to the xinetd configuration for each package.

  1. Add an entry to /unslung/rc.xinetd of the form:

    if [ ! -f /etc/inetd.conf ] || ! grep -q swat /etc/inetd.conf; then
        echo "swat stream tcp nowait root /opt/sbin/swat swat" >>/etc/inetd.conf
    fi

    This appears before the final line, return 1. This entry adds a compatibility entry to /etc/inetd.conf for inetd's benefit, if xinetd ends up deferring to inetd.
  2. Add a file to the directory /opt/etc/xinetd.d/ which gives the configuration for that service. When xinetd starts up, it reads all the files in this directory as if they had been part of the /opt/etc/xinetd.conf file.

The xinetd.conf format and keywords are documented in the xinetd.conf(5) man page (unofficial copy). There is also an official sample xinetd.conf file.

Troubleshooting

  • Use the -d option to get debug information in your log files (by default /var/log/messages).
  • To restart xinetd, run the command /opt/etc/init.d/S10xinetd. This stops the old xinetd or inetd process, and starts a new inetd process.
  • Each service which you invoke with xinetd needs to have a corresponding configuration file within /opt/etc/xinetd.d. For instance, if you install SWAT, you will want to create a swat configuration file.
  • Services which you want to turn off can be turned off by setting the line "disable = yes" within the service's configuration file.
  • xinetd logging is controlled by the log_type line of the /opt/etc/xinetd.conf file. For log_type = SYSLOG, xinetd writes its error messages to /var/log/messages.

Security

  • By default the installation of Xinetd allows Telnet access to the NSLU2, which may pose a security risk for some users. To disable Telnet access, edit the file /opt/etc/xinetd.d/telnetd with a Linux text editor, change disable = no to disable = yes, and then restart Xinetd using . /opt/etc/init.d/S10xinetd. Note: before making this change, make sure you have an alternative method of accessing the NSLU2 by installing and configuring either OpenSSH or Dropbear.
  • The default installation of Xinetd will accept IP connections from any private IP address; some users may consider this a security risk. This is easily changed by modifying the file /opt/etc/xinetd.conf with a Linux text editor and then restarting Xinetd. The file contains a line similar to:

    only_from = localhost 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

    For example, to restrict IP connections to the default NSLU2 192.168.1.0 subnet, modify the config line to read:

    only_from = localhost 192.168.1.0/24
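The following POSIX sh script is an added example, not code from the NSLU2 wiki or the xinetd project. It carries out both installation steps above for SWAT (the service the page uses as its example) and applies the only_from restriction from this section: the inetd.conf compatibility line is appended only if it is not already there, and the /opt/etc/xinetd.d/swat file it writes limits access to localhost and the default NSLU2 subnet and caps concurrent instances. The ROOT prefix and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the NSLU2 wiki or xinetd): register a service the
# two ways this page describes. Step 1 appends the inetd.conf compatibility
# line only if it is missing; step 2 writes the /opt/etc/xinetd.d/<name> file
# with the only_from restriction from the Security section and an instance cap.
# ROOT is an assumed prefix so the script can be tried in a scratch directory;
# leave it empty on the real NSLU2 to write under /etc and /opt.
ROOT="${ROOT:-}"

add_inetd_compat() {
    # $1 = service name, $2 = server path. Same check as the rc.xinetd
    # snippet, anchored to the service field so a substring cannot match.
    conf="$ROOT/etc/inetd.conf"
    mkdir -p "$(dirname "$conf")"
    if [ ! -f "$conf" ] || ! grep -q "^$1 " "$conf"; then
        echo "$1 stream tcp nowait root $2 $1" >>"$conf"
    fi
}

write_xinetd_service() {
    # $1 = service name, $2 = server path, $3 = only_from value.
    dir="$ROOT/opt/etc/xinetd.d"
    mkdir -p "$dir"
    cat >"$dir/$1" <<EOF
service $1
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = $2
    only_from       = $3
    instances       = 2
    log_on_failure  += USERID
}
EOF
}

add_xinetd_service() {
    add_inetd_compat "$1" "$2" && write_xinetd_service "$1" "$2" "$3"
}

# Usage: sh add_service.sh swat /opt/sbin/swat "localhost 192.168.1.0/24"
if [ "$#" -eq 3 ]; then
    add_xinetd_service "$1" "$2" "$3"
fi
```

After running it, restart xinetd with /opt/etc/init.d/S10xinetd so the new service file is read.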

Last edited by Jim DeLaHunt.
Based on work by Jim DeLaHunt, RobHam, Rufus, UncleOp, and bobtm.
Originally by bobtm.
Page last modified on December 29, 2009, at 06:45 AM