Inetd, tcpwrapper

From docwiki


Motivation

Often a server is used only rarely, but because it must accept connections it has to run all the time, which consumes memory. For simple servers that are used only once in a while there is a nice solution: inetd. This is a small and simple server that starts the actual server program as soon as a connection comes in. It also lets you write simple servers as shell scripts.

inetd

There are, unfortunately, different versions of inetd: inetutils-inetd and openbsd-inetd are rather similar, while xinetd has a different syntax.

Here is an example of using openbsd-inetd.

inetd reads its configuration from the file /etc/inetd.conf:

#<service> <sock_type> <proto> <flags> <user> <server_path> <args, starting with argv[0]>
110 stream tcp nowait root /usr/sbin/in.pop3d in.pop3d
4567 stream tcp nowait nobody /bin/nc nc -t 192.168.1.41 80
5555 stream tcp nowait nobody /usr/local/bin/mytest.sh mytest.sh

The above example config file opens three ports: 110, 4567 and 5555. On 110 it starts an inetd-style version of the POP3 server, which gives you access to your mailbox on that machine. This server is started as user "root".

On 4567 it starts netcat (nc), which connects to port 80 of an internal host. This can be used to forward an internal web server to port 4567 on a firewall, a poor man's version of DNAT. Its disadvantage is that the internal server does not see the outside IP address.

The last example starts a shell script as user "nobody". See below for an example.

With inetd you have the advantage that the server is started only on demand. The downside is that a new process is started for each incoming connection, so performance suffers under heavy load.


$ cat /usr/local/bin/mytest.sh
#!/bin/bash
# inetd connects the accepted socket to stdin/stdout, so echo writes to the
# client and read takes one line from it.

echo "today is $(date)"
read -r x               # -r: backslashes in the client's input are taken literally
echo "you sent me $x"   # quoted, so the input is neither word-split nor globbed


$ telnet localhost 5555
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
today is Tue 31 Mar 2020 06:50:21 PM CEST
blah blah
you sent me blah blah
Connection closed by foreign host.

When using scripts like this, be sure that you do not introduce any security risks. The above is already slightly dangerous because it brings untrusted input close to a shell.

TCP wrapper

Most inetd versions use, or can use, the so-called TCP wrapper library. This is something like a firewall, but without support from the kernel. All programs that use this library read the files /etc/hosts.allow and /etc/hosts.deny to decide who is allowed to connect to a service.

A line such as

ALL: 192.168.111.0/255.255.255.0

in /etc/hosts.allow would allow access to all services from that network.
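The decision rule the wrapper library applies to these two files, as an added example (not code from this page or from tcp_wrappers itself): a simplified Python model of the hosts_access(5) matching. It assumes only the pattern forms shown here (ALL, a single IPv4 address, a net/mask pair, a trailing-dot address prefix) and leaves out hostnames, EXCEPT lists, IPv6 and the optional shell-command field.

```python
# Simplified, constructed model of the tcp_wrappers (libwrap) decision.
# Real libwrap also handles hostnames, EXCEPT lists, IPv6 and shell commands;
# this covers ALL, one IPv4 address, a net/mask pair and a dotted prefix.
import ipaddress

# Constructed sample files standing in for /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = """
# the whole LAN may reach every wrapped service
ALL: 192.168.111.0/255.255.255.0
# one outside host may reach the POP3 daemon only
in.pop3d: 10.0.0.5
"""
HOSTS_DENY = "ALL: ALL\n"  # everything not allowed above is refused

def _client_matches(pattern, client_ip):
    """Does one client pattern match the peer address?"""
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:  # net/mask form, e.g. 192.168.111.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):  # prefix form such as "10.0."
        return client_ip.startswith(pattern)
    return ip == ipaddress.ip_address(pattern)

def _file_matches(text, daemon, client_ip):
    """True if any 'daemon_list : client_list' line in the file matches."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if any(d in ("ALL", daemon) for d in daemons) and any(
                _client_matches(c, client_ip) for c in clients):
            return True
    return False

def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; the first match wins.
    If neither file matches, access is GRANTED, so an empty hosts.deny means
    the wrapper refuses nobody."""
    if _file_matches(allow, daemon, client_ip):
        return True
    if _file_matches(deny, daemon, client_ip):
        return False
    return True
```

The last case in hosts_access is the one to remember: without a catch-all line in hosts.deny, a host that matches nothing is let in.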

Exercises

  • See if inetd is installed on your server. If not, try to install one. Then write a command that outputs some message and try to run it as user nobody.