Author: Terry Collings and Kurt Wall
xinetd
is started on bootup, and listens on ports designated in /etc/xinetd.conf for incoming network connections. When a new connection is made, xinetd
starts up the corresponding network service.
This article is excerpted from the recently published book Red Hat Linux Networking and System Administration, 2nd Edition.
You should disable any unnecessary services from being started from xinetd
as part of securing your machine. The way to do this is to edit that service’s configuration file. xinetd
‘s main configuration file is /etc/xinetd.conf. At the end of the xinetd.conf file is a line that indicates that all the files in the /etc/xinetd.d are also included in the configuration. This means that you need to go through the files in that directory as well in order to turn off any services you don’t want.
So, to disable telnet, you would look in /etc/xinetd.d for a file called telnet. The contents of the telnet file is shown in the listing below. Edit the line in the config file that says disable = no
and change it to disable = yes
, as it appears below. Once the line is set to disable = yes
, the service is disabled and does not start up the next time you boot.
# default: on # description: The telnet server serves telnet sessions; it uses # unencrypted username/password pairs for authentication. service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure = USERID disable = yes }
An automated tool called chkconfig
manages what services are started from xinetd
and the rc scripts. Network services that are not started out of xinetd
are started out of the rc scripts at boot time. Network services started at the default boot level 3 (multiuser networked mode) are started out of the /etc/rc3.d directory. If you look in that directory, you should see a file with the name of the service you want to stop or start. The script to start the service starts with an S, and the kill script starts with a K.
So for example, ssh is started from /etc/rc3.d /S55sshd, and killed upon shutdown from /etc/rc6.d/K25sshd. Runlevel 6 is the shutdown level, so that’s why its kill script is located in the rc6.d directory.
Other important network configuration files in the /etc/sysconfig directory
You can use the files listed in this section to create routes to other hosts, either on your own network or on outside networks. You also can use these files to set up firewall rules for your network to either allow or disallow connections to your network.
Static routes
If you want to set up some static routes on your machine, you can do so in the static-routes file. This config file has lines that follow the format of:
network-interface net network netmask netmask gw gateway
iptables
iptables is the next-generation Linux firewall. It supersedes the ipchains firewall. It can use ipchains rules as a component of its firewall filtering, but iptables and ipchains cannot be run at the same time.
This is the file where the iptables rules are stored. iptables syntax is very similar to the ipchains syntax, which is briefly explained by the following example.
ipchains
ipchains is a Linux firewall that is now being superseded by iptables. The GUI interface that configures the ipchains firewall rules is firewall-config. The ipchains rules are stored in the ipchains file.
When you install Red Hat, it asks if you would like to set up a host-based firewall. If you select a medium or heavy security host-based firewall, a default set of iptables rules installs according to your preferences.
The following is a simplified configuration file. The gist of this configuration is that all incoming traffic to privileged ports (those below 1024) is dropped except for ssh traffic. The first line accepts all traffic from the loopback interface. The second line accepts all incoming TCP traffic to the ssh port. The third line drops all incoming TCP traffic to ports between 1 and 1024. The last line drops all incoming UDP traffic to ports between 1 and 1024.
-A INPUT -i lo -j ACCEPT -A INPUT -p tcp --dport 22 -p tcp -j ACCEPT -A INPUT -p tcp -s ! 192.168.1.0/24 --dport 1:1024 -j DROP -A INPUT -p udp -s ! 192.168.1.0/24 --dport 1:1024 -j DROP
Network configuration files in /etc/sysconfig/network-scripts
You can use the files in this directory to set the parameters for the hardware and software used for networking. The scripts contained here are used to enable network interfaces and set other network related parameters.
ifcfg-networkinterfacename
A few files fall into this specification. Red Hat specifies a separate configuration file for each network interface. In a typical Red Hat install you might have many different network interface config files that all follow the same basic syntax and format.
You could have ifcfg-eth0 for your first Ethernet interface, ifcfg-irlan0 for your infrared network port, ifcfg-lo for the network loop-back interface, and ifcfg-ppp0 for your PPP network interface.
ifup and ifdown
These files are symlinks to /sbin/ifup and /sbin/ifdown. In future releases, these symlinks might be phased out. But for now, these scripts are called when the network service is started or stopped. In turn, ifup
and ifdown
call any other necessary scripts from within the network-scripts directory. These should be the only scripts you call from this directory.
You call these scripts with the name of the interface that you want to bring up or down. If these scripts are called at boot time, then “boot” is used as the second argument. For instance, to bring your Ethernet interface down and then up again after boot, you would type:
ifup eth0 ifdown eth0
Managing the init scripts
Init scripts determine what programs start up at boot time. Red Hat and other Unix distributions have different runlevels, so a different set of programs is started at each runlevel.
Usually Red Hat Linux starts up in multiuser mode with networking turned on. These are some of the other runlevels available:
- Halt
- Single-user mode
- Multiuser mode, without networking
- Full multiuser mode
- Not used
- Full multiuser mode (with an X-based login screen)
- Reboot
The system boots into the default runlevel set in /etc/inittab (see listing below). In Red Hat Linux, the default boot level is 3. When booting into an X Windows login, the default boot level is 5.
# # inittab This file describes how the INIT process should set up # the system in a certain run-level. # # Author: Miquel van Smoorenburg,# Modified for RHS Linux by Marc Ewing and Donnie Barnes # # Default runlevel. The runlevels used by RHS are: # 0 - halt (Do NOT set initdefault to this) # 1 - Single user mode # 2 - Multiuser, without NFS (The same as 3, if you do not have networking) # 3 - Full multiuser mode # 4 - unused # 5 - X11 # 6 - reboot (Do NOT set initdefault to this) # id:5:initdefault: # System initialization. si::sysinit:/etc/rc.d/rc.sysinit l0:0:wait:/etc/rc.d/rc 0 l1:1:wait:/etc/rc.d/rc 1 l2:2:wait:/etc/rc.d/rc 2 l3:3:wait:/etc/rc.d/rc 3 l4:4:wait:/etc/rc.d/rc 4 l5:5:wait:/etc/rc.d/rc 5 l6:6:wait:/etc/rc.d/rc 6 # Things to run in every runlevel. ud::once:/sbin/update # Trap CTRL-ALT-DELETE ca::ctrlaltdel:/sbin/shutdown -t3 -r now # When our UPS tells us power has failed, assume we have a few minutes # of power left. Schedule a shutdown for 2 minutes from now. # This does, of course, assume you have powerd installed and your # UPS connected and working correctly. pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down" # If power was restored before the shutdown kicked in, cancel it. pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled" # Run gettys in standard runlevels 1:2345:respawn:/sbin/mingetty tty1 2:2345:respawn:/sbin/mingetty tty2 3:2345:respawn:/sbin/mingetty tty3 4:2345:respawn:/sbin/mingetty tty4 5:2345:respawn:/sbin/mingetty tty5 6:2345:respawn:/sbin/mingetty tty6 # Run xdm in runlevel 5 # xdm is now a separate service x:5:respawn:/etc/X11/prefdm -nodaemon
Managing rc scripts by hand
If you want to configure what services are started at boot time, you need to edit the rc scripts for the appropriate runlevel. The default runlevel is 3, which is full multiuser mode. So to change what services are started in the default runlevel, you should edit the scripts found in /etc/rc3.d.
When you look at a directory listing of the rc directories, notice that the files start with either S or K. The files that start with S are startup files, and the files that start with K are kill files. The S scripts are run in the numerical order listed in their filenames. If a startup script is set to S15, the K script should be K85 (or in general, SN becomes SM with M = 100 – n; the idea being the last started service is the first killed).
Note that case is important. Scripts that do not start with a capital S do not run upon startup. So one good way to keep scripts from starting up at boot time without deleting them is to rename the file with a small s at the beginning instead of a capital S. This way you can always put the script back into the startup configuration by capitalizing the initial letter.
When the system starts up, it runs through the scripts in the rc directory of the runlevel it’s starting up in. So when the system starts up in runlevel 3, it runs the scripts in the /etc/rc3.d directory.
Looking at the directory listing below, you can see that the first few services start in this order: kudzu, reconfig, iptables, and network. That is because their scripts are named S05kudzu, S06reconfig, S08iptables, and S10network, respectively.
Kudzu is called first because it detects new hardware. Reconfig runs to put into effect any changes made with the chkconfig tool. Iptables then starts up the built-in firewall. Network then brings up the system’s network interfaces. As you can see, the order in which these services are started makes a lot of sense, and their order is enforced by the way their rc startup scripts are named. All of the files in rc#.d are symboliclinks to /etc/init.d scripts and the names are used here only to affect what services start or stop and the ordering of those services. Editing the rc3.d/httpd file will affect rc5.d/httpd.
[root@buffy rc3.d]# ls K05innd K20rwhod K50xinetd K74ypserv K92ipvsadm S60lpd K08vmware K25squid K54pxe K74ypxfrd K92upsd S83iscsi K09junkbuster K28amd K55routed K75gated K96irda S90crond K10fonttastic K30mcserv K61ldap K75netfs S05kudzu S90xfs K12mysqld K30sendmail K65identd K84bgpd S06reconfig S91atalk K15gpm K34yppasswdd K65kadmin K84ospf6d S08iptables S95anacron K15httpd K35smb K65kprop K84ospfd S10network S97rhnsd K15postgresql K35vncserver K65krb524 K84ripd S12syslog S99linuxconf K16rarpd K40mars-nwe K65krb5kdc K84ripngd S17keytable S99local K20bootparamd K45arpwatch K73ypbind K85zebra S20random S99wine K20nfs K45named K74apmd K86nfslock S28autofs K20rstatd K46radvd K74nscd K87portmap S40atd K20rusersd K50snmpd K74ntpd K91isdn S55sshd K20rwalld K50tux K74ups K92ipchains S56rawdevices [root@buffy rc3.d]#
The S scripts are started in this order until they have all been started. When the system shuts down, the corresponding K, or kill scripts are run to shut down the services started from the rc directory. In general, every S script should have a corresponding K script to kill the service at shutdown.
If you can’t find the corresponding K script in the startup directory, it is probably located in the shutdown directory. When the system is shut down, it enters runlevel 6, so most of the K scripts are in /etc/rc6.d. A typical /etc/rc6.d directory listing looks like:
[root@buffy rc6.d]# ls K00linuxconf K16rarpd K34yppasswdd K55routed K74nscd K85zebra K03rhnsd K20bootparamd K35atalk K60atd K74ntpd K86nfslock K05anacron K20iscsi K35smb K60crond K74ups K87portmap K05innd K20nfs K35vncserver K60lpd K74ypserv K88syslog K05keytable K20rstatd K40mars-nwe K61ldap K74ypxfrd K90network K08vmware K20rusersd K44rawdevices K65identd K75gated K91isdn K09junkbuster K20rwalld K45arpwatch K65kadmin K75netfs K92ipchains K10wine K20rwhod K45named K65kprop K80random K92ipvsadm K10xfs K25squid K46radvd K65krb524 K84bgpd K95kudzu K12mysqld K25sshd K50snmpd K65krb5kdc K84ospf6d K95reconfig K15gpm K28amd K50tux K72autofs K84ospfd K96irda K15httpd K30mcserv K50xinetd K73ypbind K84ripd S00killall K15postgresql K30sendmail K54pxe K74apmd K84ripngd S01reboot
If you ever need to restart a service that’s started from an rc directory, an easy way to do it properly is to run its startup script with the restart option. This procedure enables all the proper steps to be followed (configuration files read, lock files released, and so forth) when the service starts up again. So to restart syslog, for example, run the following command from the rc directory:
[root@buffy rc3.d]# ./S12syslog restart Shutting down kernel logger: [ OK ] Shutting down system logger: [ OK ] Starting system logger: [ OK ] Starting kernel logger: [ OK ]
Managing rc scripts using chkconfig
Red Hat comes with a useful tool called chkconfig that helps the system administrator manage rc scripts and xinetd
configuration files without having to manipulate them directly. It is inspired by the chkconfig
command included in the IRIX operating system.
Type chkconfig --list
to see all the services chkconfig knows about, and whether they are stopped or started in each runlevel. An abridged example output is shown in the following listing. The chkconfig output can be a lot longer than that listed here, so be prepared to pipe it through less
or more
.
The first column is the name of the installed service. The next seven columns each represent a runlevel, and tell you whether that service is turned on or off in that runlevel.
Since xinetd
is started on the system whose chkconfig output is excerpted, at the end of chkconfig’s report is a listing of what xinetd
-started services are configured to begin at boot time. The listing is abridged, since a lot of services can be started from xinetd
and there’s no need to show all of them.
The listing below shows how chkconfig can be an effective tool for handling all your network services and controlling which ones get started up at boot time. This is the output of chkconfig --list
:
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off rwhod 0:off 1:off 2:off 3:off 4:off 5:off 6:off keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off gpm 0:off 1:off 2:on 3:off 4:off 5:off 6:off kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off kdcrotate 0:off 1:off 2:off 3:off 4:off 5:off 6:off lpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off sendmail 0:off 1:off 2:on 3:off 4:off 5:off 6:off rhnsd 0:off 1:off 2:off 3:on 4:on 5:on 6:off netfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off random 0:off 1:off 2:on 3:on 4:on 5:on 6:off rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off apmd 0:off 1:off 2:on 3:off 4:off 5:off 6:off ipchains 0:off 1:off 2:off 3:off 4:off 5:off 6:off -- snip -- xinetd based services: rexec: off rlogin: off rsh: off chargen: off chargen-udp: off daytime: off daytime-udp: off echo: off echo-udp: off time: off time-udp: off finger: off ntalk: off talk: off telnet: off wu-ftpd: on rsync: off eklogin: off gssftp: off klogin: off
To turn a service off or on using chkconfig, use this syntax:
chkconfig -level[0-6](you must choose the runlevel) servicename off|on|reset
So to turn off the FTP daemon turned on previously, type:
chkconfig wu-ftpd off
To turn on xinetd
, type:
chkconfig xinetd on
Run chkconfig --list
again to see if the service you changed has been set to the state you desire. Changes you make with chkconfig take place the next time you boot the system. You can always start, stop, or restart a service by running service
servicename from a terminal prompt.