Introduction
One of the major security concerns for Linux users at the University is
restricting the network services running on their machines. Many of these
services have had vulnerabilities and need continual maintenance. For this
reason any service on a Linux machine that is not used or not needed should be
disabled, and any service that must stay on should be restricted so that only
a few trusted hosts can reach it. Both can be achieved by editing the file
inetd.conf and by using TCP wrappers. Note that root access on the machine is
required to edit these files.
What is inetd.conf?
inetd.conf is the configuration file read by inetd, the Internet "super-server",
when it starts at boot and again whenever it is sent a HUP signal. It tells
inetd which services to listen for, which program to run when a connection
arrives, as which user, and with which options. The file is normally
/etc/inetd.conf. If it is not there on your system, use the command:
locate inetd.conf
from the shell prompt to find it.
What are TCP Wrappers?
TCP wrappers are an access control facility for network services started by
inetd. Instead of starting a server directly, inetd starts the wrapper program
tcpd, which looks up the client's host name and address, consults the rules in
two files (/etc/hosts.allow and /etc/hosts.deny), logs the connection via
syslog, and only then hands the connection to the real server or drops it.
Using inetd.conf to disable services
The first step in disabling services via inetd.conf is to open the file for
editing as root, with a text editor such as Emacs or pico. Its contents should
look something like the following. (Note: the file will differ depending on
the distribution and the services installed on it.) Each active line has the
same fields in the same order: service name, socket type, protocol, wait or
nowait, the user the server runs as, the server program, and the arguments
passed to it, the first of which is the name the server runs under.
#
# inetd services
ftp      stream  tcp   nowait  root    /usr/sbin/ftpd     in.ftpd -l
telnet   stream  tcp   nowait  root    /usr/sbin/telnetd  in.telnetd -b/etc/issue
#finger  stream  tcp   nowait  bin     /usr/sbin/fingerd  in.fingerd
#tftp    dgram   udp   wait    nobody  /usr/sbin/tftpd    in.tftpd
#tftp    dgram   udp   wait    nobody  /usr/sbin/tftpd    in.tftpd /boot/diskless
#login   stream  tcp   nowait  root    /usr/sbin/rlogind  in.rlogind
#shell   stream  tcp   nowait  root    /usr/sbin/rshd     in.rshd
#exec    stream  tcp   nowait  root    /usr/sbin/rexecd   in.rexecd
#
# inetd internal services
#
daytime  stream  tcp   nowait  root    internal
daytime  dgram   udp   nowait  root    internal
time     stream  tcp   nowait  root    internal
time     dgram   udp   nowait  root    internal
echo     stream  tcp   nowait  root    internal
echo     dgram   udp   nowait  root    internal
discard  stream  tcp   nowait  root    internal
discard  dgram   udp   nowait  root    internal
chargen  stream  tcp   nowait  root    internal
chargen  dgram   udp   nowait  root    internal
You can disable a specific service by putting a # sign at the start of its
entry in the inetd.conf file. For example, to disable the ftp service so
that no one can ftp to your machine, change the line that reads:
ftp      stream  tcp   nowait  root    /usr/sbin/ftpd     in.ftpd -l
to read:
#ftp     stream  tcp   nowait  root    /usr/sbin/ftpd     in.ftpd -l
Services that should normally be disabled this way include echo, chargen,
daytime, discard, shell, login, exec, and ftp. The internal test services
(echo, chargen, daytime, discard) serve no purpose on a workstation, and echo
and chargen can be played against each other to generate traffic; the
r-services (shell, login, exec) trust host names and send everything in clear
text. telnet and ftp also send passwords in clear text, so if ssh is available
they are better disabled too. The list of services present on a machine
differs depending on which distribution of Linux is running on it.
Once you have finished editing inetd.conf, save it and go back to the command
line. Then make inetd re-read the file so the changes take effect by sending
it a HUP signal:
killall -HUP inetd
The disabled services should now be inaccessible to users coming from another
system. You can confirm this with netstat -ltun, which lists the listening TCP
and UDP ports: the ports of the disabled services should no longer appear.
Note that daemons started on their own at boot (for example sshd or a web
server) are not controlled by inetd.conf and must be stopped through their own
init scripts.
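As an added example (not from the original page), the following shell script does the commenting-out on a copy of inetd.conf instead of by hand and lists what is still active afterwards. The sample inetd.conf inside it is constructed for the demonstration; the killall and netstat steps are shown only as comments because they need root on the live machine.

```sh
#!/bin/sh
# Added example, not code from the original page: comment out unwanted
# services in a copy of inetd.conf and list what is still active. Assumes the
# field layout shown above (service, type, protocol, wait flag, user, program,
# arguments); the sample file below is constructed for the demonstration.

# disable_inetd_services FILE SERVICE...: put a # in front of every active
# entry whose service name (first field) is one of the SERVICEs given.
# The pattern requires whitespace after the name, so "ftp" does not hit "tftp".
disable_inetd_services() {
    file=$1; shift
    for svc in "$@"; do
        sed "s/^\($svc[[:space:]]\)/#\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# active_services FILE: print the service name of every entry that is not
# commented out. Internal services have six fields, external ones seven or more.
active_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# Demonstration on a constructed inetd.conf; on the real system you would edit
# /etc/inetd.conf as root and then run the two commands noted at the end.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/ftpd     in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd     in.telnetd
#finger stream  tcp  nowait  bin     /usr/sbin/fingerd  in.fingerd
tftp    dgram   udp  wait    nobody  /usr/sbin/tftpd    in.tftpd
echo    stream  tcp  nowait  root    internal
chargen dgram   udp  nowait  root    internal
EOF
    echo "before: $(active_services "$tmp" | paste -s -d ' ' -)"
    disable_inetd_services "$tmp" ftp echo chargen
    echo "after:  $(active_services "$tmp" | paste -s -d ' ' -)"
    rm -f "$tmp"
    # Then, as root on the live machine:
    #   killall -HUP inetd   # make inetd re-read /etc/inetd.conf
    #   netstat -ltun        # the disabled services' ports should no longer be listed
}
demo
```

The sed pattern anchors on the start of the line and requires whitespace after the service name, so disabling ftp leaves tftp alone; running the script twice is harmless because an already commented line no longer starts with the service name.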
Using inetd and tcp wrappers to restrict services
Sometimes simply disabling a service is not a viable option: you may need to
log in to the machine from a remote location, or you may want other users to
be able to ftp files from your machine. That can be done while still limiting
exposure by using TCP wrappers to restrict the service to certain machines or
domains. The first step is to look at inetd.conf to see whether the service is
being started through the wrapper program tcpd. Using the inetd.conf file from
the previous example we can see what to look for; the only difference between
the two lines below is the server program field.
The example above has the line:
ftp      stream  tcp   nowait  root    /usr/sbin/ftpd     in.ftpd -l
which means inetd starts in.ftpd directly, so hosts.allow and hosts.deny are
never consulted for ftp on this system. Had the service been wrapped, the
line would read:
ftp      stream  tcp   nowait  root    /usr/sbin/tcpd     in.ftpd -l
The server program is now tcpd, and the first argument (in.ftpd) is the name
tcpd matches against the rules files and uses to find the real server (in its
compiled-in daemon directory, normally /usr/sbin, unless a full path is given).
Most Linux distributions ship TCP wrappers and wrap their inetd services this
way by default. If your system does not have them, the source is available
from:
ftp://ftp.porcupine.org/pub/security/index.html
Some daemons that are started on their own rather than from inetd are linked
against the wrapper library libwrap and honour hosts.allow and hosts.deny
themselves without tcpd; check the daemon's documentation.
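Added example, not from the original page: a script that lists the active inetd.conf entries which start their server directly rather than through tcpd, and rewrites them to go through the wrapper. It assumes tcpd lives at /usr/sbin/tcpd (override with the TCPD environment variable) and works on a constructed sample file.

```sh
#!/bin/sh
# Added example, not code from the original page: find active inetd.conf
# entries that bypass tcpd and route them through it. Assumes the seven-field
# layout shown above and that tcpd is at /usr/sbin/tcpd (set TCPD to change).

# unwrapped_services FILE: print "service program" for every active entry
# whose server program is not tcpd. Internal services (six fields) have no
# program to wrap and are skipped by the NF >= 7 test.
unwrapped_services() {
    awk '$1 !~ /^#/ && NF >= 7 && $6 !~ /\/tcpd$/ { print $1, $6 }' "$1"
}

# wrap_with_tcpd FILE: replace the server program field of every unwrapped
# entry with tcpd. The first argument (e.g. in.ftpd) is kept: tcpd uses it to
# locate the real server and as the daemon name for hosts.allow/hosts.deny.
# awk rebuilds a modified line with single spaces between fields.
wrap_with_tcpd() {
    awk -v tcpd="${TCPD:-/usr/sbin/tcpd}" '
        $1 !~ /^#/ && NF >= 7 && $6 !~ /\/tcpd$/ { $6 = tcpd }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on a constructed inetd.conf.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd   in.ftpd -l
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd   in.telnetd
#finger stream  tcp  nowait  bin   /usr/sbin/fingerd in.fingerd
daytime stream  tcp  nowait  root  internal
EOF
    echo "unwrapped before: $(unwrapped_services "$tmp" | paste -s -d ' ' -)"
    wrap_with_tcpd "$tmp"
    echo "unwrapped after:  $(unwrapped_services "$tmp" | paste -s -d ' ' -)"
    grep '^ftp' "$tmp"
    rm -f "$tmp"
    # After doing this to /etc/inetd.conf as root: killall -HUP inetd
}
demo
```

Run unwrapped_services against /etc/inetd.conf before and after editing; an empty result means every external service on the machine is subject to the hosts.allow and hosts.deny rules.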
Once the service is wrapped, the only remaining step is to edit the two files
/etc/hosts.allow and /etc/hosts.deny (note the "s": the names are hosts.allow
and hosts.deny, not host.allow). These files give tcpd the rules to check
before it hands a connection to the real network service. When a host connects
to a wrapped service, tcpd first reads /etc/hosts.allow to see whether a rule
there explicitly grants that host (by host name or IP address) access to that
service; if one matches, access is granted and the search stops. If no rule
matches, tcpd reads /etc/hosts.deny to see whether a rule there explicitly
denies that host access to the service; if one matches, access is denied. If
no rule matches in either file, access is granted by default. A missing or
empty hosts.deny therefore means that anything not mentioned is allowed, which
is why a hosts.deny that denies everything is the usual starting point.
To set up these rules, edit the files with a text editor such as Emacs or
pico. Each rule is one line of the form:
daemon_list : client_list [ : option ]
daemon_list is the name the server runs under (in.telnetd, in.ftpd, and so
on) or ALL; client_list is one or more host names, domains or addresses,
separated by commas or spaces, or ALL. A pattern beginning with a dot
(.rutgers.edu) matches every host whose name ends with that string; a pattern
ending with a dot (for example 192.168.1.) matches every address beginning
with that string; a network/mask pair such as 192.168.1.0/255.255.255.0 may
also be used. The trailing ": ALLOW" or ": DENY" option spells out the
decision and is accepted by the Linux builds of tcpd; it is optional, because
a match in hosts.allow already means allow and a match in hosts.deny already
means deny.
A typical hosts.allow file for a Linux computer at Rutgers might be:
in.telnetd: .rutgers.edu : ALLOW
in.ftpd:    .rutgers.edu : ALLOW
A typical hosts.deny file for a Linux computer at Rutgers might be:
in.telnetd: ALL : DENY
in.ftpd:    ALL : DENY
The hosts.allow file allows access to ftp and telnet from any computer whose
name is in the rutgers.edu domain, and the hosts.deny file denies access from
a system anywhere else.
You can write rules this way for every service available on your machine, or
you can use ALL to cover all services or all hosts. An example of doing this
in the hosts.allow file would be:
ALL: .rutgers.edu: ALLOW
This allows access to every wrapped service on the computer from the
rutgers.edu domain. A similar thing can be done in hosts.deny by putting:
ALL: ALL: DENY
This denies every service to any host not allowed by hosts.allow. This
deny-everything default is the safer configuration: a service you forget to
list is then closed rather than open.
Two caveats. Domain-name patterns depend on DNS: tcpd looks up the client's
address in the reverse DNS and checks that the resulting name resolves back to
the same address, treating a mismatch as an unknown host, but a name-based rule
is still only as trustworthy as the name servers involved, so for the tightest
control list addresses or networks rather than names. Second, tcpd reads
hosts.allow and hosts.deny afresh on every connection, so changes to them take
effect immediately; you only need to send inetd a HUP (killall -HUP inetd) if
you also changed inetd.conf.
Checking Your Work
The TCP wrappers package includes two programs for checking that hosts.allow
and hosts.deny are set up correctly. tcpdchk reads inetd.conf and both rules
files and reports syntax errors, daemon names that do not appear in
inetd.conf, and rules that can never match; run it as:
tcpdchk -v
tcpdmatch predicts how tcpd would handle a specific request for a service.
Its syntax is:
tcpdmatch daemon client
where daemon is the name the server runs under (in.telnetd, not telnet) and
client is a host name or address. For example, suppose the hosts.allow file on
a machine is set up to allow test.rutgers.edu to use the telnet service. This
can be checked with:
tcpdmatch in.telnetd test.rutgers.edu
If hosts.allow is set up correctly, tcpdmatch reports that access is granted
and shows which rule matched. Run the same command with a host outside the
allowed domain to confirm that hosts.deny denies it, and with a daemon you
have not listed to see what the default is.
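To see how the allow-then-deny order and the pattern forms from the previous section play out, here is an added example written for this page; it is not tcpd, tcpdmatch, or any code from the TCP wrappers package. It is a small shell re-implementation of the hosts_access(5) decision that runs offline as a stand-in for tcpdmatch, against constructed hosts.allow and hosts.deny files built from the rules shown above. The host names and addresses in it are made up for the demonstration, and real tcpd additionally cross-checks the client's name against DNS, which this script does not.

```sh
#!/bin/sh
# Added example; not tcpd/tcpdmatch and not code from the original page.
# Simplified hosts_access(5) decision: ALL, exact names/addresses, leading-dot
# domain suffixes, trailing-dot address prefixes, and an optional third field
# ALLOW/DENY. Not implemented: EXCEPT, net/mask, KNOWN/PARANOID, line
# continuations, and tcpd's forward/reverse DNS check (the host name is trusted).

# match_pattern PATTERN VALUE -> 0 if the client host name or address matches
match_pattern() {
    pat=$1; val=$2
    if [ "$pat" = ALL ]; then return 0; fi
    case "$pat" in
        .*) case "$val" in *"$pat") return 0 ;; esac ;;   # domain suffix
        *.) case "$val" in "$pat"*) return 0 ;; esac ;;   # address prefix
        *)  if [ "$pat" = "$val" ]; then return 0; fi ;;  # exact match
    esac
    return 1
}

# daemon_matches LIST DAEMON -> 0 if DAEMON (argv[0], e.g. in.ftpd) is in LIST
daemon_matches() {
    for d in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then return 0; fi
    done
    return 1
}

# client_matches LIST HOST ADDR -> 0 if any pattern in LIST matches HOST or ADDR
client_matches() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        if match_pattern "$p" "$2" || match_pattern "$p" "$3"; then return 0; fi
    done
    return 1
}

# file_matches FILE DAEMON HOST ADDR -> print the first matching rule, return 0;
# return 1 if none. A missing file is treated as empty, as tcpd does.
file_matches() {
    if [ ! -f "$1" ]; then return 1; fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                             # drop comments
        case "$line" in *:*) ;; *) continue ;; esac  # skip blank or malformed lines
        daemons=${line%%:*}; rest=${line#*:}; clients=${rest%%:*}
        if daemon_matches "$daemons" "$2" && client_matches "$clients" "$3" "$4"; then
            printf '%s\n' "$line"; return 0
        fi
    done < "$1"
    return 1
}

# rule_option RULE -> third field (ALLOW/DENY) upper-cased, or empty if absent
rule_option() {
    case "$1" in
        *:*:*) o=${1#*:}; o=${o#*:}; o=${o%%:*}
               printf '%s' "$o" | tr -d '[:space:]' | tr 'a-z' 'A-Z' ;;
    esac
}

# decide DAEMON HOST ADDR ALLOWFILE DENYFILE -> "granted: why" or "denied: why".
# hosts.allow first (match = grant), then hosts.deny (match = deny), else grant;
# an explicit ALLOW/DENY option on the matching rule overrides the file default.
decide() {
    if rule=$(file_matches "$4" "$1" "$2" "$3"); then
        verdict=granted; why="$4: $rule"
    elif rule=$(file_matches "$5" "$1" "$2" "$3"); then
        verdict=denied; why="$5: $rule"
    else
        echo "granted: no matching rule in either file"; return 0
    fi
    case "$(rule_option "$rule")" in ALLOW) verdict=granted ;; DENY) verdict=denied ;; esac
    echo "$verdict: $why"
}

# write_sample_rules DIR: constructed hosts.allow/hosts.deny using the page's
# rules plus one address-prefix rule (10.1. is made up for the demonstration)
write_sample_rules() {
    printf '%s\n' '# constructed example' 'in.telnetd: .rutgers.edu : ALLOW' \
        'in.ftpd:    .rutgers.edu : ALLOW' 'in.fingerd: 10.1. : ALLOW' > "$1/hosts.allow"
    printf '%s\n' 'ALL: ALL : DENY' > "$1/hosts.deny"
}

demo() {
    d=$(mktemp -d); write_sample_rules "$d"
    for client in "test.rutgers.edu 10.0.0.5" "notrutgers.edu 192.0.2.7"; do
        set -- $client
        echo "in.telnetd from $1: $(decide in.telnetd "$1" "$2" "$d/hosts.allow" "$d/hosts.deny")"
        echo "in.fingerd from $1: $(decide in.fingerd "$1" "$2" "$d/hosts.allow" "$d/hosts.deny")"
    done
    rm -rf "$d"
}
demo
```

The notrutgers.edu case shows why the leading dot matters: the suffix pattern .rutgers.edu requires the dot, so a name that merely ends in "rutgers.edu" is not matched and falls through to the ALL: ALL rule in hosts.deny. Use tcpdmatch on the real machine for the authoritative answer; this script only illustrates the evaluation order.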
Additional References
The following websites offer additional information about TCP wrappers and
other Linux security issues:
The Linux Documentation Project- http://www.Linuxdoc.org
Linuxsecurity.com- http://Linuxsecurity.com
Linux Knowledge Portal- http://portal.suse.de/en/