Linux Network Services
Network services can be started by the system startup scripts and run as their own stand-alone daemons. However, to conserve system resources and make services easier to manage, the inetd (internet super daemon) program is used to run various services such as ftp and telnet. Services such as httpd (web server) are run without inetd, since performance is the major concern with this service and not security.
The inet daemon acts as a network super server providing several networking services such as:
- auth - identd - This is a server that returns user information to a remote host that a user is requesting a service from. If it is running on your system, it allows the remote host to acquire your user name. It is not used for login and user authentication. It is described in RFC 1413. The daemon called identd provides this service, and its configuration file is /etc/identd.conf. For client side use of auth, you should be able to turn on user authentication on servers such as your telnetd server with the "-a user" option. See the telnetd man page for more information.
- bootps - bootpd - A server that allows remote clients to get their IP addresses from a bootp server using the bootp network protocol. This involves the server having a /etc/bootptab file containing hardware addresses and associated IP addresses for each computer to be serviced.
- Telnet - A protocol used to open user sessions from remote sites.
- Ftp - File Transfer Protocol. Allows users to transfer files between remote sites.
- tftp - in.tftp - Trivial File Transfer Protocol. A way for users to transfer files to/from remote machines without logging in. Normally this transfer is limited to specific areas and is normally used for transporting files to clients which are needed for remote booting.
- finger - in.fingerd - Allows users to get information about users currently logged in on the local system or remote systems.
- exec - in.rexecd - Remote execution server allows remote users to execute commands on the system provided they have proper authorization using their name and password.
- rsh - in.rshd - Remote shell, used to execute commands on a remote host.
- rlogin (login) - in.rlogind - An older method of opening remote sessions, being replaced by telnet.
- talk - in.talkd - A communication program that allows two users to talk by copying lines from one user's terminal to the other.
- comsat - A server that notifies users when they have received mail. The biff program is used to turn comsat service on and off for each user.
- pop-2 - ipop2d - Supports POP2 remote mail access protocol.
- pop-3 - ipop3d - Supports POP3 remote mail access protocol.
- imap - imapd - Supports the IMAP4rev1 remote mail access protocol which is more powerful than POP3. See RFC 2060.
- uucp - uucico - The daemon that processes Unix to Unix copy (UUCP) file transfer requests that were queued by uucp or uux.
- netstat - Displays network connections, routing tables, and other networking information about a system.
- swat - A Samba web administration tool allowing the administrator to configure the /etc/smb.conf file using a web browser.
- Trivial internal services used for testing:
  - chargen - Character generator
  - daytime - Human readable time
  - time - Number of seconds since midnight on Jan 1, 1900.
The inetd daemon is configured by modifying the /etc/inetd.conf file. The format of each line is as follows:
- service name - The name of a valid service in the file /etc/services which is the first entry on each respective line. If the service is a Sun-RPC service it is specified in the file /etc/rpc.
- Socket type - The choices are stream, dgram, raw, rdm (reliably delivered message), or seqpacket (sequenced packet socket).
- protocol - A protocol listed in /etc/protocols which is some type of network protocol such as IP, ICMP, TCP, UDP, etc.
- flags - wait/nowait[.max] - Wait applies to datagram sockets only. All other socket types should have the "nowait" option in this entry. Nowait entries are used for multithreaded servers, which free their sockets after each request so that inetd can continue receiving more requests on the same socket. The tftpd daemon should have this option set to "wait". The suffix ".max" specifies the maximum number of server instances that can be spawned within 1 minute. The default value is 40.
- user[.group] - The name of the user the server will run as. If the user name is listed as "username.group1", the server can run with a different group ID than the one specified in the password file for that user.
- Server program - The path and name of the program to be executed when the request is found on the socket.
- Server program arguments - Command line arguments to the server program being run.
A typical inetd.conf file is listed below:
# inetd.conf This file describes the services that will be available
# through the INETD TCP/IP super server. To re-configure
# the running INETD process, edit this file, then send the
# INETD process a SIGHUP signal.
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
#time stream tcp nowait root internal
#time dgram udp wait root internal
# These are standard services.
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
# Shell, login, exec, comsat and talk are BSD protocols.
shell stream tcp nowait root /usr/sbin/tcpd in.rshd
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
#comsat dgram udp wait root /usr/sbin/tcpd in.comsat
talk dgram udp wait nobody.tty /usr/sbin/tcpd in.talkd
ntalk dgram udp wait nobody.tty /usr/sbin/tcpd in.ntalkd
#dtalk stream tcp wait nobody.tty /usr/sbin/tcpd in.dtalkd
# Pop and imap mail services et al
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
# The Internet UUCP service.
#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
tftp dgram udp wait root /usr/sbin/tcpd in.tftpd /tftpboot
#bootps dgram udp wait root /usr/sbin/tcpd bootpd
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
#cfinger stream tcp nowait root /usr/sbin/tcpd in.cfingerd
#systat stream tcp nowait guest /usr/sbin/tcpd /bin/ps -auwwx
#netstat stream tcp nowait guest /usr/sbin/tcpd /bin/netstat -f inet
auth stream tcp wait root /usr/sbin/in.identd in.identd -e -o
# End of inetd.conf
linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
#swat stream tcp nowait.400 root /usr/sbin/swat swat
The tcp wrapper daemon
The purpose of the TCP wrapper daemon is to monitor requests and allow or deny service based on configuration. The tcpd wrapper daemon provides an extra level of protection to network services. To implement the tcp wrapper in the services provided by inetd, the /etc/inetd.conf file must be modified to trick inetd into running tcpd rather than the actual service. The standard way of doing this is to convert a line such as:
telnet stream tcp nowait root /usr/sbin/in.telnetd
to:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
hosts_access, hosts.allow, hosts.deny
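The inetd.conf field layout and the tcpd convention described above can be checked mechanically. The following Python audit is an added example, not part of the original page: the function names (parse_inetd, audit, report) are hypothetical, the sample lines are constructed in the style of the listing above, and the tftp line is deliberately set to "nowait" to show the check firing.

```python
# Constructed sample in the whitespace-separated format described above.
# The tftp line is deliberately misconfigured (nowait) for the demonstration.
SAMPLE = """\
#echo stream tcp nowait root internal
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
talk dgram udp wait nobody.tty /usr/sbin/tcpd in.talkd
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
auth stream tcp wait root /usr/sbin/in.identd in.identd -e -o
swat stream tcp nowait.400 root /usr/sbin/swat swat
tftp dgram udp nowait root /usr/sbin/tcpd in.tftpd /tftpboot
"""

FIELDS = ("service", "socket", "protocol", "flags", "user", "program")
# Services the sample file's own comment says give out user information.
INFO_LEAK = {"finger", "systat", "netstat"}

def parse_inetd(text):
    """Yield a dict for every active (uncommented) inetd.conf entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields")
        entry = dict(zip(FIELDS, parts[:6]), args=parts[6:])
        entry["wait"], _, limit = entry["flags"].partition(".")
        entry["max"] = int(limit) if limit else 40  # default from the text
        entry["user"], _, entry["group"] = entry["user"].partition(".")
        yield entry

def audit(entry):
    """Return review findings for one entry, based on the rules in the text."""
    findings = []
    if entry["program"] != "internal" and not entry["program"].endswith("/tcpd"):
        findings.append("not wrapped by tcpd")
    if entry["socket"] != "dgram" and entry["wait"] == "wait":
        findings.append("wait on non-datagram socket")
    if entry["service"] == "tftp" and entry["wait"] != "wait":
        findings.append("tftp should use wait")
    if entry["service"] in INFO_LEAK:
        findings.append("discloses user information")
    return findings

def report(text):
    """Map each active service name to its list of findings."""
    return {e["service"]: audit(e) for e in parse_inetd(text)}

if __name__ == "__main__":
    for service, findings in report(SAMPLE).items():
        print(f"{service:8} {', '.join(findings) or 'ok'}")
```

A finding is a prompt for review rather than proof of a fault: some daemons are intentionally run in "wait" mode on a stream socket, as the auth line in the listing above shows.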
Other Network Services
Network services that do not need to use inetd are described in the section on the Daemons and Services. They are listed below:
arpwatch, bootparamd, dhcpd, gated, httpd, identd (auth), innd, ldap, mars-nwe (netware), mcserv, named, nfs, nfslock, portmap, postgresql, pulse, pxe, routed, rstatd, rusersd, rwalld, rwhod, sendmail, smb, snmpd, squid, xfs, xntpd, ypbind, yppasswd, ypserv.
There are many other networking services the system can provide, including packet firewall and routing services, which are provided by the kernel and configured with other tools. Other important services, such as virtual private networking (VPN) and many others, can also be run by getting a copy of the proper program, installing it and configuring it.