12.07.2015 Views


Network Services—Internet Servers

To have a quick look at a custom inetd service, the following example shows that inetd should listen on UDP port 69 (the tftp service), which is a dgram socket, and use root user privileges to run the tftpd binary at /usr/libexec/tftpd with appropriate parameters:

    tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot

tcpd

The inetd daemon does not give all the necessary controls over the service, such as an access list to control access to each service, or logging of incoming connection attempts. The tcpd(8) utility introduces a method to control remote access to the daemons that are launched from inetd.

In fact, tcpd(8) is a wrapper that wraps around the daemon, checks incoming requests against access lists, and logs the connection attempt before actually passing the connection to the daemon. This is achieved by modifying the appropriate lines in the inetd.conf file. The following example shows the FTP daemon wrapped in a tcpd wrapper:

    ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l

Once an incoming request arrives for the FTP service, tcpd is invoked first. The tcpd wrapper looks in the /etc/hosts.allow file for a set of access rules. It then rejects or accepts the request, based on the access list.

In this example, we modify the hosts.allow file to limit ftp access to specific subnets in our network. The default FTP-related section in the hosts.allow file looks like the following code:

    # Provide a small amount of protection for ftpd
    ftpd : localhost : allow
    #ftpd : .nice.guy.example.com : allow
    #ftpd : .evil.cracker.example.com : deny
    ftpd : ALL : allow

Note that comment lines start with a # sign. The second line indicates that all connections to the ftpd daemon from the localhost should be allowed. The last line also allows access from any host (ALL keyword) to the ftp service.
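The rule evaluation described above, as an added example that is not code from the book: a small Python model of first-match processing over hosts.allow lines in the "daemon : client : allow|deny" form, run against the default ftpd section and against a constructed subnet-restricted variant. The subnets, addresses and function names are assumptions made for illustration; hosts.deny is ignored, and a request that matches no rule is granted, as hosts_access(5) documents.

```python
import ipaddress

# The default ftpd section quoted above.
DEFAULT_RULES = """
# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow
"""
# Constructed restricted variant: two assumed internal subnets, then a final deny.
RESTRICTED_RULES = """
ftpd : localhost : allow
ftpd : 192.168.10.0/255.255.255.0 : allow
ftpd : 10.1.2. : allow
ftpd : ALL : deny
"""

def client_matches(pattern, addr, host):
    """Match one client pattern against the peer address and host name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):              # address prefix, e.g. 10.1.2.
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask pair
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
    return pattern in (addr, host)         # exact host name or address

def decide(rules, daemon, addr, host=""):
    """Return (verdict, matching rule); the first matching rule wins."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        daemons, clients, action = [f.strip() for f in line.split(":")][:3]
        if daemons != "ALL" and daemon not in daemons.replace(",", " ").split():
            continue
        patterns = clients.replace(",", " ").split()
        if any(client_matches(p, addr, host) for p in patterns):
            return action, line
    return "allow", None                   # no rule matched: access is granted

if __name__ == "__main__":
    for addr in ("127.0.0.1", "192.168.10.25", "10.1.2.9", "203.0.113.7"):
        host = "localhost" if addr == "127.0.0.1" else ""
        print(addr, decide(DEFAULT_RULES, "ftpd", addr, host)[0],
              decide(RESTRICTED_RULES, "ftpd", addr, host)[0])
```

Because an unmatched request falls through to "allow", the restricted variant depends on its final `ftpd : ALL : deny` line; dropping that line admits every host again.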
