FreeBSD INETD Daemon and inetd conf Configuration File

On the FreeBS operating system, there are lots of daemons that have files with the .conf extension located in the /etc directory and other directories. Among these daemons, the most important and sensitive one that must be taken seriously is inetd or often called the "super server". The job of inetd is to listen for connections on a specific set of network ports and run the appropriate server processes when requests come in.

For example, inetd is responsible for telnet connections; If your FreeBSD system allows telnet, you can open a telnet connection and receive a login prompt without any telnetd processes running on the server beforehand. Every time the system receives a connection request on Port 23 it will create a new telnetd process to handle the connection.

So it's not surprising that most people call inetd the Internet Super-Server because it manages connections for several services. When a connection is accepted by inetd, inetd will determine which program the connection is intended for, then run a specific process and delegate the socket to it.

When a peer connects to a port managed by inetd, then inetd executes commands in a sub process to handle incoming requests. Sub processes are given socket file descriptors as standard input, standard output, and standard error. Once the sub process completes, for example, after printing the requested web page to its STDOUT, the sub process exits, returning control to inetd.

In a traditional Unix scenario, a single server process (daemon) monitors connections on a specific port and handles incoming requests. In this case, if the server offers many services, many daemon processes must be started, most of them in a waiting state, but still consuming resources, such as memory. The Internet super server, inetd is an approach to solve this problem. Inetd will wait for a connection on some port, and when it receives a service request, it determines which application should serve the request and launches an instance of that program.

1. inetd configuration

The inetd configuration file is located at /etc/inetd.conf. Each line of this configuration file represents an application that can be run by inetd. By default, each line starts with a comment (#), meaning inetd is not listening to any applications. If you want to activate a specific application or port in inetd, delete the "#" sign at the beginning of the script.

Pay attention to the script contents of the /etc/inetd.conf file.

root@ns1:~ # ee /etc/inetd.conf
# $FreeBSD$
#
# Internet server configuration database
#
# Define *both* IPv4 and IPv6 entries for dual-stack support.
# To disable a service, comment it out by prefixing the line with '#'.
# To enable a service, remove the '#' at the beginning of the line.
#
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
#ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l
#ssh stream tcp nowait root /usr/sbin/sshd sshd -i -4
#ssh stream tcp6 nowait root /usr/sbin/sshd sshd -i -6
#telnet stream tcp nowait root /usr/libexec/telnetd telnetd
#telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd
#shell stream tcp nowait root /usr/local/sbin/rshd rshd
#shell stream tcp6 nowait root /usr/local/sbin/rshd rshd
#login stream tcp nowait root /usr/local/sbin/rlogind rlogind
#login stream tcp6 nowait root /usr/local/sbin/rlogind rlogind
#finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s
#finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s
#
# run comsat as root to be able to print partial mailbox contents w/ biff,
# or use the safer tty:tty to just print that new mail has been received.
#comsat dgram udp wait tty:tty /usr/libexec/comsat comsat
#
# ntalk is required for the 'talk' utility to work correctly
#ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd
#tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
#tftp dgram udp6 wait root /usr/libexec/tftpd tftpd -l -s /tftpboot
#bootps dgram udp wait root /usr/libexec/bootpd bootpd


If you want one of the applications above to be active and usable, delete the "#" sign. After that, to activate the inetd super server, you must enter the following script in the /etc/rc.conf file.

root@ns1:~ # ee /etc/rc.conf
inetd_enable="YES"

Restart so that inetd can run automatically.

root@ns1:~ # service inetd restart
Stopping inetd.
Waiting for PIDS: 2500.
Starting inetd.


2. How to read the inetd.conf script

In the /etc/inetd.conf file above, we can see that the contents of the file consist of three columns, as in the following example (taken from the /etc/inetd.conf file above).

#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l

OK, now let's discuss the meaning of each column.

a. Service-name
The service name or program name that reflects the port number on which inetd should listen for incoming connections. This can be a decimal number or a service name given in /etc/services, such as ftp, ssh, telnet, login and others.

b. socket-type
The type of socket that inetd uses to communicate. The socket type must be one of stream, dgram, raw, rdm and seqpacket.
stream" for stream sockets, dgram for UDP services, raw for binary sockets, rdm for guaranteed delivery messages and seqpacket for reserved packet sockets. The most common socket types are stream and dgram.

c. Protocol
The type of protocol used by Inetd can be TCP or UDP, either IP4 or IP6.

d. wait/nowait
This column will tell inetd whether to wait for the server program to return, or immediately return to processing new connections. Many connections to the server require a response after the data transfer is complete, while others can continue to transfer data continuously, in the latter case the situation is typical "nowait", and in the former case "wait". In most cases, this value corresponds to the socket type, for example, a streaming connection will correspond to the value "nowait".

e. username[:group]
The name of the user or group used by inetd.

f. server program
Location of the program directory that will be run or executed by inetd.

g. argument-list
This final column contains a list of arguments for running the program, including the program name and additional program arguments that the system administrator may need to provide. In inetd, all services or daemons run by inetd must match the services listed in the /etc/services file. This determines which inetd port is listening for incoming connections to that service. When using a custom service, it must first be added to /etc/services.

Even though inetd is said to be a super server, in reality many of the daemons run by inetd do not pay attention to security. Some daemons, such as fingerd, can provide information that may be useful to an attacker. Only enable necessary services and monitor the system for excessive connection attempts.
Iwan Setiawan

I Like Adventure: Mahameru Mount, Rinjani Mount I Like Writer FreeBSD

Post a Comment

Previous Post Next Post