inetd, also called the super server, loads a network program on demand when a request for it arrives from the network. The inetd.conf file tells inetd which ports to listen on and which server to start for each port.
The first thing to look at as soon as you put your Linux system on ANY network is what services you need to offer. Services that you do not need to offer should be disabled and uninstalled, so that you have one less thing to worry about and attackers have one less place to look for a hole. Look at your /etc/inetd.conf file to see what services your inetd program is offering. Disable what you do not need by commenting the line out (adding a # at the beginning of the line), then send your inetd process a SIGHUP signal so that it re-reads the current inetd.conf file.
Change the permissions on this file to 600.
[root@deep] /# chmod 600 /etc/inetd.conf
Ensure that the owner is root.
[root@deep] /# stat /etc/inetd.conf
File: "/etc/inetd.conf"
Size: 2869 Filetype: Regular File
Mode: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 8,6 Inode: 18219 Links: 1
Access: Wed Sep 22 16:24:16 1999(00000.00:10:44)
Modify: Mon Sep 20 10:22:44 1999(00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999(00002.06:12:16)
Edit the inetd.conf file (vi /etc/inetd.conf) and disable services like ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc. unless you plan to use them. A service that is turned off is much less of a risk.
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo    stream  tcp  nowait  root  internal
#echo    dgram   udp  wait    root  internal
#discard stream  tcp  nowait  root  internal
#discard dgram   udp  wait    root  internal
#daytime stream  tcp  nowait  root  internal
#daytime dgram   udp  wait    root  internal
#chargen stream  tcp  nowait  root  internal
#chargen dgram   udp  wait    root  internal
#time    stream  tcp  nowait  root  internal
#time    dgram   udp  wait    root  internal
#
# These are standard services.
#
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#exec    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat  dgram   udp  wait    root    /usr/sbin/tcpd  in.comsat
#talk    dgram   udp  wait    root    /usr/sbin/tcpd  in.talkd
#ntalk   dgram   udp  wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk   stream  tcp  wait    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop2d
#pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
#imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp    stream  tcp  nowait  uucp  /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp    dgram   udp  wait    root  /usr/sbin/tcpd  in.tftpd
#bootps  dgram   udp  wait    root  /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#finger  stream  tcp  nowait  root   /usr/sbin/tcpd  in.fingerd
#cfinger stream  tcp  nowait  root   /usr/sbin/tcpd  in.cfingerd
#systat  stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/ps -auwwx
#netstat stream  tcp  nowait  guest  /usr/sbin/tcpd  /bin/netstat -f inet
#
# Authentication
#
#auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
#
# End of inetd.conf
[root@deep] /# killall -HUP inetd
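Before sending that SIGHUP, it is worth checking what is actually still enabled. The following POSIX shell script is an added example and not part of the guide: it reads an inetd.conf, lists the entries that are not commented out, flags the ones the text above says to leave off unless needed, and checks the 0600/root ownership. The sample configuration it writes to a temporary file and the RISKY_SERVICES list are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not from the original guide). Reads an inetd.conf,
# lists the entries still enabled, flags the ones the guide says to leave
# off unless needed, and checks the 0600/root ownership described above.

# Services the guide recommends disabling unless you plan to use them.
RISKY_SERVICES="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# Print the service name (first field) of every active entry, i.e. every
# line that is neither blank nor commented out with a leading '#'.
enabled_services() {
    sed 's/^[[:space:]]*//' "$1" | grep -v '^#' | grep -v '^$' | awk '{print $1}'
}

# Print every enabled service that appears in RISKY_SERVICES, one per line.
risky_enabled() {
    for svc in $(enabled_services "$1"); do
        for r in $RISKY_SERVICES; do
            [ "$svc" = "$r" ] && echo "$svc"
        done
    done
    return 0
}

# Succeed only if the file is mode 0600 and owned by uid 0 (root).
# Uses GNU stat -c, as found on Linux.
perms_ok() {
    [ "$(stat -c '%a %u' "$1")" = "600 0" ]
}

# Constructed sample for a stand-alone run: telnet and imap were left
# enabled by mistake; everything else is commented out.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# To re-read this file after changes, just do a 'killall -HUP inetd'
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
imap     stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
#finger  stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
EOF

echo "Enabled services in $SAMPLE:"
enabled_services "$SAMPLE"
echo "Enabled but recommended off:"
risky_enabled "$SAMPLE"
perms_ok "$SAMPLE" || echo "WARNING: $SAMPLE is not mode 0600 owned by root"
```

Point the functions at /etc/inetd.conf to audit the real file; the warning line fires whenever the mode or owner differs from what the chmod and stat steps above establish.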
One more security measure you can take to secure the inetd.conf file is to set it immutable, using the chattr command. To set the file immutable, simply execute the following command:
[root@deep] /# chattr +i /etc/inetd.conf
This will prevent any changes, accidental or otherwise, to the inetd.conf file. A file with the immutable attribute (i) set cannot be modified, deleted or renamed; no link can be created to it and no data can be written to it. Only the super-user root can set or clear this attribute. If you later wish to modify the inetd.conf file, you will first need to unset the immutable flag with the following command:
[root@deep] /# chattr -i /etc/inetd.conf
Don't forget to send your inetd process a SIGHUP signal (killall -HUP inetd) after making changes to your inetd.conf file. The services you enable on a given host depend on the functions you want that host to provide. Those functions might support the selected network service, other services hosted on this computer, or the development and maintenance of the operating system and applications.