Herding Daemons

SYSADMIN Admin Workshop: inetd & xinetd

Insider Tips: Server Management with inetd and xinetd HERDING DAEMONS

If you have many daemons running on your server, it can be quite difficult to keep track of them all. inetd and xinetd manage these services centrally and also take care of exchanges with your clients, allowing programs

without network code to operate as Internet servers. BY MARC ANDRÉ SELIG

ypical server applications handle work code. The super Server network communication servers listen to network Ports Processes Tautonomously. They open a ports and pass on 80 pop3 socket and listen at a TCP port, using the incoming connections to 25 inetd imap port to send and receive data. Interac- the appropriate Internet 22 exim tion with a socket is not exactly rocket processes. The processes science, but coding a program for socket use stdin and stdout to 21 ftpd

interaction can be troublesome and talk to their clients. As 79 fingerd prone to error. its configuration file, It can also be quite difficult to keep inetd uses a table of the track of the various configurations. Cen- TCP and UDP ports that Figure 1: The Internet super server inetd offloads networking tral security settings involve a lot of it should listen to and tasks from server processes. Processes can use stdin and std- effort if each server has its own set of the programs mapped to out for client communication. configuration files. And what’s more, it these ports. It opens doesn’t always make sense to re-invent sockets for the ports in the table and complete list of registered numbers for the wheel by coding each program sepa- waits for incoming connections. Listing UDP and TCP ports. rately for network access. 1 shows a sample configuration. The second field in the configuration The fields in each line of the configu- file has the socket type (this is always Centralized Server ration file describe the service. The sym- stream for TCP and dgram for UDP). The Management bolic name, such as smtp, also specifies third field has the protocol (such as tcp The so-called super servers, the required port, as inetd looks for the or udp). The nowait option in the next inetd and xinetd provide name in /etc/services. Users are column tells inetd not to wait for the a simple alternative to allowed to add their own ports to running process to finish. In other independent dae- the inetd configuration file, however, words, the daemon will simply launch mons with their if you add a port, make sure you another process in case of another own net- choose a port number between 49152 incoming connection. and 65535, as these ports are wait tells inetd to wait for the reserved for private applica- running process to finish before tions. IANA [1] has a accepting another connection to the port. wait is typically used with datagram sockets, such as UDP servers. UDP cannot assign datagrams to sessions at the transport layer. This means that inetd can only handle one process at any given time and will need to pass any datagrams for the port in question to the current process. The last three arguments in the configuration line specify the user with whose privileges the server will run, the path to the

www.scx.hu binary, and any arguments. Depending on the implementation and

66 ISSUE 52 MARCH 2005 WWW.LINUX-MAGAZINE.COM Admin Workshop: inetd & xinetd SYSADMIN

Listing 1: inetd Configuration File sampleserver stream tcp U nowait mas U 01 # /usr/local/bin/sampleserver 02 03 smtp stream tcp nowait mail /usr/sbin/exim exim -bs sampleserver is the symbolic service 04 printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd name in this case. An entry for sample- 05 ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd server 50000/tcp in /etc/services tells inetd the port. After modifying the con- version, the server may only support a ports a maximum of 50 connections per figuration file, you need to let the super small number of arguments (typically second, blocking the service for 20 sec- server know about the changes. To do five or 20); the super server just ignores onds if this limit is exceeded (cps = 50 so, enter the following command as any other arguments. 20). root: killall -HUP inetd. Inetd does not provide access controls The rlimit_as variable restricts the per- The server should now be running as or security. This is the domain of pro- centage of memory that a process is a TCP service. You can enter telnet local- grams such as the TCP wrapper pro- allowed to hog. And no_access = host 50000 to see the following output gram, tcpd, which parses 24.0.0.0 blocks connections from the 24/ (the first three lines come from the telnet /etc/hosts.allow and /etc/hosts.deny to 8 subnet. client): apply granular controls to specific ports. If the required server cannot launch because the required resources are Trying 127.0.0.1... xinetd Does a Better Job exhausted, or the requesting computer Connected to anmen. xinetd is a vastly improved version of has an IP address the administrator has Escape character is '^]'. the original inetd that supports modular blocked, this configuration directs xinetd This is me and I am called configuration and mechanisms such as to perform an ident lookup to discover anmen. access control and protection against the user name and logs this name along Connection closed by foreign denial of service attacks. Listing 2 shows with the IP address. host. an example for the Exim mail server. xinetd has two kinds of configuration Your Own Server Pitfalls files: /etc/xinetd.conf contains global set- An inetd or xinetd server program can Whether you write a program in C, Java, tings; individual services have their own be very simple. It has to receive and Perl, or shell script, make sure you pay a description files. The file name typically send data using an existing TCP connec- lot of attention to security. Don’t forget includes the name of the service and is tion via standard input and output. Data to validate any input from clients. stored in the /etc/xinetd.d/ directory. from the client is accepted via stdin, and Also, in the Unix workspace, a new- Besides standard options, you can the server talks to the client via stdout. A line is a single \n, whereas the Internet configure a number of security and opti- trivial example of an inetd server only newline is a combination of linefeed and mization variables, such as a list of needs two lines of code: newline (\r\n). inetd and xinetd do not hosts, or IP addresses, that are allowed convert character sets, so your server to access a port. The ability to specify #!/bin/sh process will have to handle this itself. resource limits for the programs, or to echo This is me and I U log access in logfiles or the syslog, is am called `uname -n`. Sense and Nonsense another useful feature. It does not make sense to use the super The configuration in Listing 3 allows a To allow network access to this program, server to launch every single daemon; maximum of ten concurrent instances of just add the following line to each connection to one of these services each server. xinetd calls the servers with /etc/inetd.conf: causes overhead, as it involves relaunch- a low priority (nice = 5), does not start ing the program. This is not a problem any more processes when the load Listing 3: /etc/xinetd.conf for small-footprint daemons that only reaches 2.5 (max_load = 2.5), and sup- run occasionally, but major services 01 defaults such as Apache or SSH take too long to 02 { launch, and this makes it impossible to Listing 2: /etc/xinetd.d/exim 03 instances = 10 use them effectively with inetd. On the 01 service smtp 04 cps = 50 20 02 { upside, running as many services as pos- 05 nice = 5 03 disable = no sible via the super server keeps the 06 max_load = 2.5 04 socket_type = stream process table clean and saves configura- 07 rlimit_as = 32M 05 wait = no tion work. ■ 08 no_access = 24.0.0.0 06 user = mail 09 log_type = SYSLOG daemon 07 server = /usr/ 10 log_on_failure = HOST USERID INFO sbin/exim 11 log_on_success = HOST PID EXIT 08 server_args = -bs [1] IANA port list: http://www.iana.org/ assignments/port-numbers 09 flags = REUSE DURATION 10 } 12 } [2] xinetd: http://www.xinetd.org