xinetd vs tcpwrappers

Dagmar d'Surreal dagmar at
Sat Nov 30 12:52:03 PST 2002

On Sat, 2002-11-30 at 05:19, john smith wrote:
> I am new to linux and my main aim in building an lfs system was to learn how
> it all fits together.
> I have a few questions relating to xinetd that I was hoping people could
> clear up for me.  If anyone can help, please do. If  I'm on the wrong track
> tell me.

Well, you could probably have posted this to LFS Security, but it's
kinda 50/50 so whatever.  :)

> 1. I was wondering what is the difference/advantage of xinetd access and
> logging facilities as opposed to using tcpwrappers to do what appears to me
> as a similar job (as far as security is concerned)?

Using tcp_wrappers lets you put a large portion of your access control
definitions in just that one file, /etc/hosts.allow (since
/etc/hosts.deny should usualy contain just "ALL:ALL").  This keeps
things nice and tidy, and tidy is good.  It keeps you from accidentally
forgetting to change something when your security data is scattered
around the filesystem in three or four places.

> 2. I have just installed ssh and it is started by init. can this instead be
> started by xinetd (using tcpd depending on answer to question 1) ?

You don't want to do that.  The reasons are documented in the README
files that come with the OpenSSH package but I'll recap them here.  When
you start sshd it needs to generate a key for temporary use.  This is
fairly computationally intensive.  It is wasteful to have sshd making a
new one of these up every time someone connects in, and can lend itself
to being a resource starvation attack by someone just pelting your sshd
port with random connections.

Plus, sshd already has support for tcp_wrappers which you add to it at
compile time.  Do a ./configure --help and you'll see the proper option
BOOK ALREADY.  I would use _stronger_ language, but that will wait until
someone gives me grief for claiming to know what I'm doing by submitting
a patch for it this weekend.

> 3. If I setup tcpwrappers then should I disable any xinetd access control
> options. Is there a network performance cost if say you have a
> firewall+tcpd+xinetd in some cases doing the same job.

No.  Don't disable any of it.  It takes far less than an eyeblink to
look at an IP address and see it it matches anything in the control
files, and only happens once as the connection is being made.  You can
divvy up the various functions tho.  Tcp_wrappers, while being great for
doing paranoid DNS checks, polling remote identd daemons, and generally
denying access to netblocks, has no capability to throttle the number of
connections someone can make.  Xinetd is very good at throttling
connections.  Firewalling is kinda so-so (and used to be much less
useful than that) at throttling connections, but can blackhole network
space far more efficiently than tcp_wrappers can.  It can also do a
number of twisted and perverse things to network traffic tha neither
xinetd or tcp_wrappers have even a glimmer of understanding about.

> 4. I'm just curious as to where xinetd is told to log to daemon.log for
> announcements such as services started.

This is probably mentioned in the man page for it (because I'm pretty
sure it's a directive you can give it) but if it's not you can always
modify the source code and look for calls to syslog().

Unsubscribe: send email to listar at
and put 'unsubscribe blfs-support' in the subject header of the message

More information about the blfs-support mailing list