Linux Network Services

Network services can be started through the system startup scripts, each running as its own stand-alone daemon. However, to conserve system resources and make services easier to manage, the inetd (internet super daemon) program is used to start services such as ftp and telnet on demand. Services such as httpd (the web server) are run without inetd, since for them performance is the major concern rather than security.

inetd

The inet daemon acts as a network super server providing several networking services such as:

  • auth - identd - This is a server that returns user information to a remote host that a user is requesting a service from. If it is running on your system, it allows the remote host to acquire your user name. It is not used for login or user authentication. It is described in RFC 1413. The daemon called identd provides this service, and its configuration file is /etc/identd.conf. For client-side use of auth, you should be able to turn on user authentication on servers such as your telnetd server with the "-a user" option. See the telnetd man page for more information.
  • bootps - bootpd - A server that allows remote clients to get their IP addresses from a bootp server using the bootp network protocol. This involves the server having a /etc/bootptab file containing hardware addresses and associated IP addresses for each computer to be serviced.
  • Telnet - A protocol used to open user sessions from remote sites.
  • Ftp - File Transfer Protocol. Allows users to transfer files between remote sites.
  • tftp - in.tftpd - Trivial File Transfer Protocol. A way for users to transfer files to/from remote machines without logging in. Normally this transfer is limited to specific directories and is mostly used for transporting files to clients that need them for remote booting.
  • finger - in.fingerd - Allows users to get information about users currently logged in on the local system or remote systems.
  • exec - in.rexecd - Remote execution server allows remote users to execute commands on the system provided they have proper authorization using their name and password.
  • rsh - in.rshd - Remote shell, used to execute commands on a remote host.
  • rlogin (login) - in.rlogind - An older method of opening remote sessions, being replaced by telnet.
  • talk - in.talkd - A communication program that allows two users to talk by copying lines from one user's terminal to the other.
  • comsat - A server that notifies users when they have received mail. The biff program is used to turn the comsat service on and off for each user.
  • pop-2 - ipop2d - Supports the POP2 remote mail access protocol.
  • pop-3 - ipop3d - Supports the POP3 remote mail access protocol.
  • imap - imapd - Supports the IMAP4rev1 remote mail access protocol which is more powerful than POP3. See RFC 2060.
  • uucp - uucico - The daemon that processes Unix to Unix copy (UUCP) file transfer requests that were queued by uucp or uux.
  • netstat - Displays network connections, routing tables, and other networking information about a system.
  • swat - A Samba web administration tool allowing the administrator to configure the /etc/smb.conf file using a web browser.
  • Trivial internal services used for testing
    1. echo
    2. discard
    3. chargen - Character generator
    4. daytime - Human readable time
    5. time - Number of seconds since midnight on Jan 1, 1900.

The inetd daemon is configured by modifying the /etc/inetd.conf file. The format of each line is as follows:

  1. service name - The name of a valid service in the file /etc/services which is the first entry on each respective line. If the service is a Sun-RPC service it is specified in the file /etc/rpc.
  2. Socket type - The choices are stream, dgram, raw, rdm (reliably delivered message), or seqpacket (sequenced packet socket).
  3. protocol - A protocol listed in /etc/protocols which is some type of network protocol such as IP, ICMP, TCP, UDP, etc.
  4. flags - wait/nowait[.max] - Wait applies to datagram sockets only. All other socket types should have the "nowait" option in this entry. Nowait entries are used for multithreaded servers, which free their sockets after each request so that inetd can continue receiving more requests on the same socket. The tftpd daemon should have this option set to "wait". The suffix ".max" specifies the maximum number of server instances that can be spawned within 1 minute. The default value is 40.
  5. user[.group] - The name of the user the server will run as. If the entry is written as "username.group1", the server runs with a group ID different from the one specified in the password file for that user.
  6. Server program - The path and name of the program to be executed when the request is found on the socket.
  7. Server program arguments - Command line arguments to the server program being run.
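As an added example (not part of the original page), the following POSIX shell script audits an inetd.conf against the field layout just described: it lists the active entries and flags those that bypass the tcp wrapper, those that inetd would start as root, and those whose wait/nowait flag disagrees with the socket type. The configuration lines it checks are constructed for the demonstration; the tcpd path /usr/sbin/tcpd is the one used in the page's sample file.

```shell
#!/bin/sh
# Added example: audit inetd.conf entries field by field.
# Fields: 1 service, 2 socket type, 3 protocol, 4 wait/nowait[.max],
#         5 user[.group], 6 server program, 7+ server arguments.

# Constructed sample configuration (not a real system's file).
SAMPLE_CONF='#echo   stream  tcp  nowait  root        internal
ftp     stream  tcp  nowait  root        /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp  nowait  root        /usr/sbin/in.telnetd
finger  stream  tcp  nowait  nobody      /usr/sbin/tcpd        in.fingerd
tftp    dgram   udp  nowait  root        /usr/sbin/tcpd        in.tftpd /tftpboot
talk    dgram   udp  wait    nobody.tty  /usr/sbin/tcpd        in.talkd'

# awk condition selecting active (uncommented) entries that carry at least
# the six mandatory fields; blank and malformed lines are skipped.
ACTIVE='!/^[[:space:]]*#/ && NF >= 6'

# enabled_services FILE: service name of every active entry.
enabled_services() {
    awk "$ACTIVE"' { print $1 }' "$1"
}

# unwrapped_services FILE: active entries whose server program is neither
# inetd's built-in "internal" nor tcpd, so no hosts.allow/hosts.deny check
# happens before the real server is started.
unwrapped_services() {
    awk "$ACTIVE"' && $6 != "internal" && $6 !~ /\/tcpd$/ { print $1 }' "$1"
}

# root_services FILE: active external servers that inetd will start as root.
root_services() {
    awk "$ACTIVE"' && $6 != "internal" {
        split($5, u, ".")            # user[.group]: keep the user part only
        if (u[1] == "root") print $1
    }' "$1"
}

# flag_mismatches FILE: stream entries marked wait, or dgram entries marked
# nowait, contradicting the rule that wait is for datagram sockets only.
flag_mismatches() {
    awk "$ACTIVE"' {
        split($4, f, ".")            # strip the optional .max suffix
        if (($2 == "stream" && f[1] == "wait") ||
            ($2 == "dgram"  && f[1] == "nowait")) print $1
    }' "$1"
}

# audit_report FILE: one line per check, names joined by single spaces.
audit_report() {
    echo "enabled:    $(echo $(enabled_services "$1"))"
    echo "unwrapped:  $(echo $(unwrapped_services "$1"))"
    echo "as root:    $(echo $(root_services "$1"))"
    echo "bad flag:   $(echo $(flag_mismatches "$1"))"
}

# Demo: write the constructed sample to a temporary file and audit it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
audit_report "$tmp"
rm -f "$tmp"
```

Run against a real file with `audit_report /etc/inetd.conf`; the sample above reports telnet as unwrapped, ftp, telnet and tftp as running as root, and tftp as a dgram service wrongly marked nowait.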

A typical inetd.conf file is listed below:

# inetd.conf	This file describes the services that will be available
#		through the INETD TCP/IP super server.  To re-configure
#		the running INETD process, edit this file, then send the
#		INETD process a SIGHUP signal.
#
#
#echo	stream	tcp	nowait	root	internal
#echo	dgram	udp	wait	root	internal
#discard	stream	tcp	nowait	root	internal
#discard	dgram	udp	wait	root	internal
#daytime	stream	tcp	nowait	root	internal
#daytime	dgram	udp	wait	root	internal
#chargen	stream	tcp	nowait	root	internal
#chargen	dgram	udp	wait	root	internal
#time	stream	tcp	nowait	root	internal
#time	dgram	udp	wait	root	internal
#
# These are standard services.
#
ftp	stream	tcp	nowait	root	/usr/sbin/tcpd	in.ftpd -l -a
telnet	stream  tcp 	nowait  root    /usr/sbin/tcpd	in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell	stream	tcp	nowait	root	/usr/sbin/tcpd	in.rshd
login	stream	tcp	nowait	root	/usr/sbin/tcpd	in.rlogind
#exec	stream	tcp	nowait	root	/usr/sbin/tcpd	in.rexecd
#comsat	dgram	udp	wait	root	/usr/sbin/tcpd	in.comsat
talk	dgram	udp	wait	nobody.tty	/usr/sbin/tcpd	in.talkd
ntalk	dgram	udp	wait	nobody.tty	/usr/sbin/tcpd	in.ntalkd
#dtalk	stream	tcp	wait	nobody.tty	/usr/sbin/tcpd	in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd	ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd	ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd	imapd
#
# The Internet UUCP service.
#
#uucp	stream	tcp	nowait	uucp	/usr/sbin/tcpd	/usr/lib/uucp/uucico	-l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
tftp	dgram	udp	wait	root	/usr/sbin/tcpd	in.tftpd /tftpboot
#bootps	dgram	udp	wait	root	/usr/sbin/tcpd	bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable 
# some or all of these services to improve security.
#
finger	stream	tcp	nowait	nobody	/usr/sbin/tcpd	in.fingerd
#cfinger stream	tcp	nowait	root	/usr/sbin/tcpd	in.cfingerd
#systat	stream	tcp	nowait	guest	/usr/sbin/tcpd	/bin/ps	-auwwx
#netstat	stream	tcp	nowait	guest	/usr/sbin/tcpd	/bin/netstat	-f inet
#
# Authentication
#
auth	stream	tcp	wait	root	/usr/sbin/in.identd in.identd -e -o
#
# End of inetd.conf

linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
#swat      stream  tcp     nowait.400      root /usr/sbin/swat swat

The tcp wrapper daemon

The purpose of the TCP wrapper daemon (tcpd) is to monitor incoming requests and allow or deny each service based on its configuration, giving the network services run by inetd an extra layer of protection. To place a service behind the tcp wrapper, its entry in /etc/inetd.conf is modified so that inetd runs tcpd, with the real server given as tcpd's argument, rather than the server itself. The standard way of doing this is to convert a line such as:

telnet stream tcp nowait root /usr/sbin/in.telnetd

to:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

Files:
/etc/hosts.allow and /etc/hosts.deny, whose access-control syntax is documented in the hosts_access(5) man page

Other Network Services

Network services that do not need inetd are described in the section on Daemons and Services. They are listed below:

arpwatch, bootparamd, dhcpd, gated, httpd, identd (auth), innd, ldap, mars-nwe (netware), mcserv, named, nfs, nfslock, portmap, postgresql, pulse, pxe, routed, rstatd, rusersd, rwalld, rwhod, sendmail, smb, snmpd, squid, xfs, xntpd, ypbind, yppasswd, ypserv.

There are many other networking services the system can provide, including packet firewalling and routing, which are performed by the kernel and configured with separate tools. Other important services, such as virtual private networking (VPN), can be run by obtaining the proper program, installing it, and configuring it.