NSLU2-Linux

Optware.Xinetd History


December 29, 2009, at 06:45 AM by Jim DeLaHunt -- Attempt to fix up numbered list formatting
Changed lines 23-29 from:

1. Add an entry to to /unslung/rc.xinetd of the form:

   if ( [ ! -f /etc/inetd.conf ] || !(grep swat /etc/inetd.conf -q) ) then
     echo "swat stream tcp nowait root /opt/sbin/swat swat" >>/etc/inetd.conf
   fi
   This appears before the final line, return 1. This entry adds a compatibility entry to /etc/inetd.conf for inetd's benefit, if xinetd ends up deferring to inetd.

2. Add a file to the directory /opt/etc/xinetd.d/ which gives the configuration for that services. When xinetd starts up, it reads all the files in this directory as if they had been part of the /opt/etc/xinetd.conf file.

to:
  1. Add an entry to to /unslung/rc.xinetd of the form:
    if ( [ ! -f /etc/inetd.conf ] || !(grep swat /etc/inetd.conf -q) ) then
        echo "swat stream tcp nowait root /opt/sbin/swat swat" >>/etc/inetd.conf
      fi
    
    This appears before the final line, return 1. This entry adds a compatibility entry to /etc/inetd.conf for inetd's benefit, if xinetd ends up deferring to inetd.
  2. Add a file to the directory /opt/etc/xinetd.d/ which gives the configuration for that services. When xinetd starts up, it reads all the files in this directory as if they had been part of the /opt/etc/xinetd.conf file.
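Review bot: The new list text still reads "Add an entry to to /unslung/rc.xinetd" in item 1 and "the configuration for that services" in item 2; as this revision only touches formatting, it is a good place to fix both ("to /unslung/rc.xinetd", "that service"). The reformatted snippet also indents `fi` deeper than its `if`, so the three lines no longer read as one block; aligning `if` and `fi` and indenting only the `echo` line would make it copyable as shown.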
December 29, 2009, at 06:43 AM by Jim DeLaHunt -- Three Troubleshooting tips. Revise introduction.
Added lines 3-4:

Xinetd is a replacement for inetd. It invokes a daemon, a process which runs all the time, monitoring communication requests from other computers over the TCP/IP network to the NSLU2. When it receives a request, it starts the appropriate module to handle the request. Thus xinetd (and inetd) provide a way to invoke telnet, FTP, and other handlers.

Changed lines 14-15 from:
to:
  • Samba 3.2 depends on xinetd, and when you install Samba with ipkg you will get xinetd.
Changed lines 20-31 from:
to:
  • Alternatively, Samba 3.2 depends on xinetd, and when you install Samba with ipkg you will get xinetd.

As you install packages which rely on Xinetd for invocation, you will need to make two additions to the xinetd configuration for each package. 1. Add an entry to to /unslung/rc.xinetd of the form:

   if ( [ ! -f /etc/inetd.conf ] || !(grep swat /etc/inetd.conf -q) ) then
     echo "swat stream tcp nowait root /opt/sbin/swat swat" >>/etc/inetd.conf
   fi
   This appears before the final line, return 1. This entry adds a compatibility entry to /etc/inetd.conf for inetd's benefit, if xinetd ends up deferring to inetd.

2. Add a file to the directory /opt/etc/xinetd.d/ which gives the configuration for that services. When xinetd starts up, it reads all the files in this directory as if they had been part of the /opt/etc/xinetd.conf file.

The xinetd.conf format and keywords are documented in the xinetd.conf(5) man page (unofficial copy). There is also an official sample xinetd.conf file.
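Review bot: The line appended to /etc/inetd.conf in step 1 runs /opt/sbin/swat as root, and its fields (service, socket type, protocol, wait flag, user, program, arguments) have no place for a source-address restriction, so if xinetd does defer to inetd, the file added under /opt/etc/xinetd.d/ in step 2 does not govern that entry. The step should say this, and say when the deferral happens, so readers know which configuration is in effect for the service. The sentence "This appears before the final line, return 1" would also be clearer as an instruction ("Place it before the final line, return 1").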

Changed lines 34-38 from:
to:
  • To restart xinetd, run the command /opt/etc/init.d/S10xinetd. This stops the old xinetd or inetd process, and starts a new inetd process.
  • Each service which you invoke with xinetd needs to have a corresponding configuration file within /opt/etc/xinetd.d. For instance, if you install SWAT, you will want to create a swat configuration file.
  • Services which you want to turn off can be turned off by setting the line "disable = yes" within the service's configuration file
  • xinetd logging is controlled by the log_type line of the /opt/etc/xinetd.conf file. For log_type = SYSLOG, xinetd writes its error messages to /var/log/messages.
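Review bot: The first bullet says the command "starts a new inetd process", which reads as a slip for xinetd given that the script is S10xinetd and the bullet is about restarting xinetd; if the script really can start inetd instead, the bullet should say when. The command is also written as /opt/etc/init.d/S10xinetd here, while the Security section of the same page writes ". /opt/etc/init.d/S10xinetd" with a leading dot; pick one form and use it throughout. The "disable = yes" bullet should name the file location (/opt/etc/xinetd.d) as the second bullet does.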
July 11, 2008, at 02:55 PM by RobHam -- Security section expanded to include restricting IP access
Changed line 22 from:
  • By default the installation of Xinetd allows access to the NSLU2 by Telnet, this may pose a security risk for some users. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using . /opt/etc/init.d/S10xinetd. Note - before making this change the user should make sure that they have an alternative method to access the NSLU2 by installing and configuring either Opensshd or Dropbear.
to:
  • By default the installation of Xinetd allows access to the NSLU2 by Telnet, this may pose a security risk for some users. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using . /opt/etc/init.d/S10xinetd. Note - before making this change the user should make sure that they have an alternative method to access the NSLU2 by installing and configuring either Openssh or Dropbear.
July 11, 2008, at 02:27 PM by RobHam -- Security section expanded to include restricting IP access
Changed line 22 from:
  • By default the installation of Xinetd allows access to the NSLU2 by Telnet, this may pose a security risk for some users. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using . /opt/etc/init.d/S10xinetd
to:
  • By default the installation of Xinetd allows access to the NSLU2 by Telnet, this may pose a security risk for some users. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using . /opt/etc/init.d/S10xinetd. Note - before making this change the user should make sure that they have an alternative method to access the NSLU2 by installing and configuring either Opensshd or Dropbear.
July 11, 2008, at 02:16 PM by RobHam -- Security section expanded to include restricting IP access
Changed lines 20-21 from:
  • If after installing xinetd and rebooting you cannot telnet into the box any more check the /opt/etc/xinetd.conf file. I discovered by default the only_from line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_from to something that suits your needs i.e. localhost 192.168.0.0/16
to:
Changed lines 23-24 from:
  • The default installation of Xinetd will accept IP connections from any private IP address, some users may consider this a security risk. This is easily changed by modifying the file /opt/etc/xined.conf using a Linux text editor. The file contains a line similar to :-
to:
  • The default installation of Xinetd will accept IP connections from any private IP address, some users may consider this a security risk. This is easily changed by modifying the file /opt/etc/xinetd.conf using a Linux text editor and then re-starting Xinetd. The file contains a line similar to :-
Added line 31:
Added line 33:
Deleted line 39:

then re-start Xinetd.

July 11, 2008, at 02:11 PM by RobHam -- Security section expanded to include restricting IP access
Added lines 24-38:
  • The default installation of Xinetd will accept IP connections from any private IP address, some users may consider this a security risk. This is easily changed by modifying the file /opt/etc/xined.conf using a Linux text editor. The file contains a line similar to :-

(:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
only_from = localhost 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

(:tableend:) Example - to restrict IP connections to the default NSLU2 192.168.1.0 subnet, modify the config line to read:- (:table border=0 width=100% bgcolor=#eeeeff:) (:cell:)

 
only_from = localhost 192.168.1.0/24

(:tableend:) then re-start Xinetd.
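Review bot: The example value "only_from = localhost 192.168.1.0/24" is the same setting that the Troubleshooting tip on this page reports as locking a user on a 192.168.0.x network out of telnet, so the example should tell readers to substitute their own subnet and check it before re-starting Xinetd. The opening sentence says the default accepts connections "from any private IP address", while that tip describes a default of localhost and 192.168.1.0/24; the text should say which package version each statement applies to. The file name is also misspelled as /opt/etc/xined.conf and should be /opt/etc/xinetd.conf.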

July 10, 2008, at 08:24 PM by RobHam -- Security section added - note regarding Telnet access
Changed lines 20-21 from:
  • If after installing xinetd and rebooting you cannot telnet into the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_from line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_from to something that suits your needs i.e. localhost 192.168.0.0/16
to:
  • If after installing xinetd and rebooting you cannot telnet into the box any more check the /opt/etc/xinetd.conf file. I discovered by default the only_from line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_from to something that suits your needs i.e. localhost 192.168.0.0/16
July 10, 2008, at 08:23 PM by RobHam -- Security section added - note regarding Telnet access
Changed lines 20-21 from:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_from line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_from to something that suits your needs i.e. localhost 192.168.0.0/16
to:
  • If after installing xinetd and rebooting you cannot telnet into the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_from line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_from to something that suits your needs i.e. localhost 192.168.0.0/16
Changed line 23 from:
  • By default the installation of Xinetd allows access by Telnet. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using . /opt/etc/init.d/S10xinetd
to:
  • By default the installation of Xinetd allows access to the NSLU2 by Telnet, this may pose a security risk for some users. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using . /opt/etc/init.d/S10xinetd
July 10, 2008, at 08:15 PM by RobHam -- Security section added - note regarding Telnet access
Changed lines 17-19 from:
  • Set up the server for start by copying the diversion script to your hard drive unslung directory, like cp /opt/doc/xinetd/rc.xinetd /share/hdd/conf/unslung. Do NOT copy to /unslung as this directory can be located on the flash and doing that might prevent you from getting a clean system when booting without disks connected. [But note: /opt/doc/xinetd is not created with version 2.3.13-4 of xinetd. YMMV.]
  • Restart your system to start it (optionally, kill the running inetd and run . /opt/etc/init.d/S10xinetd)
to:
July 10, 2008, at 08:09 PM by RobHam -- Security section added - note regarding Telnet access
Changed lines 22-23 from:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_from line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_allow to something that suits your needs i.e. localhost 192.168.0.0/16
to:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_from line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_from to something that suits your needs i.e. localhost 192.168.0.0/16
July 10, 2008, at 08:08 PM by RobHam -- Security section added - note regarding Telnet access
Changed lines 22-23 from:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_allow line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_allow to something that suits your needs i.e. localhost 192.168.0.0/16 - Rufus
to:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_from line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_allow to something that suits your needs i.e. localhost 192.168.0.0/16
July 10, 2008, at 08:02 PM by RobHam -- Security section added - note regarding Telnet access
Changed lines 22-23 from:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_allow line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255@ range so couldn't connect. Commenting out this line will allow connections from any IP address. Alternatively change the only_allow to something that suits your needs i.e. localhost 192.168.0.0/16@@ - Rufus
to:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_allow line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Change the only_allow to something that suits your needs i.e. localhost 192.168.0.0/16 - Rufus
July 10, 2008, at 08:00 PM by RobHam -- Security section added - note regarding Telnet access
Changed lines 22-23 from:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_allow line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Commenting out this line will allow connections from any IP address. Alternatively change the only_allow to something that suits your needs i.e. localhost 192.168.0.0/16 - Rufus
to:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_allow line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255@ range so couldn't connect. Commenting out this line will allow connections from any IP address. Alternatively change the only_allow to something that suits your needs i.e. localhost 192.168.0.0/16@@ - Rufus
July 10, 2008, at 07:59 PM by RobHam -- Security section added - note regarding Telnet access
Changed lines 11-12 from:
  • Can detect attempts at accessing disabled services and black list IPs? for a specified period of time.
to:
  • Can detect attempts at accessing disabled services and black list IP's for a specified period of time.
Changed line 25 from:
  • By default the installation of Xinetd allows access by Telnet. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using /opt/etc/init.d/S10xinetd
to:
  • By default the installation of Xinetd allows access by Telnet. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using . /opt/etc/init.d/S10xinetd
July 10, 2008, at 07:53 PM by RobHam -- Security section added - note regarding Telnet access
Changed line 25 from:
  • By default the installation of Xinetd allows access by Telnet. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using /opt/etc/init.d/S10xinetd restart
to:
  • By default the installation of Xinetd allows access by Telnet. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using /opt/etc/init.d/S10xinetd
July 10, 2008, at 07:51 PM by RobHam -- Security section added - note regarding Telnet access.
Changed lines 24-25 from:

Bob_tm

to:

Security

  • By default the installation of Xinetd allows access by Telnet. To disable Telnet access edit the file /opt/etc/xinetd.d/telnetd using a Linux text editor. Change disable = no to disable = yes and then re-start Xinetd using /opt/etc/init.d/S10xinetd restart
January 06, 2006, at 03:07 AM by Rufus -- Troubleshooting telnet lockout!
Changed lines 22-23 from:
to:
  • If after installing xinetd and rebooting you cannot telnet in to the box anymore check the /opt/etc/xinetd.conf file. I discovered by default the only_allow line has localhost and 192.168.1.0/24 listed. Sadly my network uses IP addresses in the 192.168.0.1-255 range so couldn't connect. Commenting out this line will allow connections from any IP address. Alternatively change the only_allow to something that suits your needs i.e. localhost 192.168.0.0/16 - Rufus
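Review bot: "Commenting out this line will allow connections from any IP address" fixes the lockout by removing the address restriction altogether, and the tip offers it before the narrower option; lead with changing the value and present commenting out as a last resort, if at all. The suggested "localhost 192.168.0.0/16" is also wider than the 192.168.0.1-255 range the tip describes, for which 192.168.0.0/24 is enough. The keyword in xinetd.conf is only_from, not only_allow.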
August 24, 2005, at 12:33 AM by UncleOp --
Changed line 17 from:
  • Set up the server for start by copying the diversion script to your hard drive unslung directory, like cp /opt/doc/xinetd/rc.xinetd /share/hdd/conf/unslung. Do NOT copy to /unslung as this directory can be located on the flash and doing that might prevent you from getting a clean system when booting without disks connected.
to:
  • Set up the server for start by copying the diversion script to your hard drive unslung directory, like cp /opt/doc/xinetd/rc.xinetd /share/hdd/conf/unslung. Do NOT copy to /unslung as this directory can be located on the flash and doing that might prevent you from getting a clean system when booting without disks connected. [But note: /opt/doc/xinetd is not created with version 2.3.13-4 of xinetd. YMMV.]
March 24, 2005, at 10:38 AM by bobtm --
Added lines 3-4:

Project home page: http://www.xinetd.org

Added lines 11-13:
  • Can detect attempts at accessing disabled services and black list IPs? for a specified period of time.

Read more in this http://www.linuxfocus.org/English/November2000/article175.shtml overview article.

Changed line 17 from:
  • Set up the server for start: cp /opt/doc/xinetd/rc.xinetd /unslung
to:
  • Set up the server for start by copying the diversion script to your hard drive unslung directory, like cp /opt/doc/xinetd/rc.xinetd /share/hdd/conf/unslung. Do NOT copy to /unslung as this directory can be located on the flash and doing that might prevent you from getting a clean system when booting without disks connected.
Changed line 21 from:

Bring it on.

to:
  • Use the -d option to get debug information in your log files (by default /var/log/messages).
February 03, 2005, at 07:34 PM by bobtm --
Changed lines 1-18 from:

Describe {{Xinetd}} here.

to:

Xinetd

Why use Xinetd

  • It is more secure - you can restrict access to any service to hosts and/or networks.
  • It is modular - each service has its own configuration file. No more messing with common files to insert a new service.
  • It has global defaults - very little has to be configured for each services.
  • DoS protection - set limits on the number of instances of each service.
  • Disable single services - a service can be disabled without removing its configuration.

How to install

  • Install the package: ipkg install xinetd
  • Set up the server for start: cp /opt/doc/xinetd/rc.xinetd /unslung
  • Restart your system to start it (optionally, kill the running inetd and run . /opt/etc/init.d/S10xinetd)

Troubleshooting

Bring it on.

Bob_tm

Last edited by Jim DeLaHunt.
Based on work by Jim DeLaHunt, RobHam, Rufus, UncleOp, and bobtm.
Originally by bobtm.
Page last modified on December 29, 2009, at 06:45 AM