xinetd vs tcpwrappers
no at thanks.com
Sat Nov 30 16:54:43 PST 2002
"Dagmar d'Surreal" <dagmar at speakeasy.net> wrote in message
news:1038689522.4394.25.camel at evil.kung.foo...
> On Sat, 2002-11-30 at 05:19, john smith wrote:
> > I am new to linux and my main aim in building an lfs system was to learn how
> > it all fits together.
> > I have a few questions relating to xinetd that I was hoping people could
> > clear up for me. If anyone can help, please do. If I'm on the wrong list,
> > tell me.
> Well, you could probably have posted this to LFS Security, but it's
> kinda 50/50 so whatever. :)
> > 1. I was wondering what is the difference/advantage of xinetd access and
> > logging facilities as opposed to using tcpwrappers to do what appears to me
> > as a similar job (as far as security is concerned)?
> Using tcp_wrappers lets you put a large portion of your access control
> definitions in just that one file, /etc/hosts.allow (since
> /etc/hosts.deny should usually contain just "ALL:ALL"). This keeps
> things nice and tidy, and tidy is good. It keeps you from accidentally
> forgetting to change something when your security data is scattered
> around the filesystem in three or four places.
> > 2. I have just installed ssh and it is started by init. can this instead be
> > started by xinetd (using tcpd depending on answer to question 1) ?
> You don't want to do that. The reasons are documented in the README
> files that come with the OpenSSH package but I'll recap them here. When
> you start sshd it needs to generate a key for temporary use. This is
> fairly computationally intensive. It is wasteful to have sshd making a
> new one of these up every time someone connects in, and can lend itself
> to being a resource starvation attack by someone just pelting your sshd
> port with random connections.
> Plus, sshd already has support for tcp_wrappers which you add to it at
> compile time. Do a ./configure --help and you'll see the proper option
> appear in the list. I AM VERY UPSET THAT THIS IS NOT MENTIONED IN THE
> BOOK ALREADY. I would use _stronger_ language, but that will wait until
> someone gives me grief for claiming to know what I'm doing by submitting
> a patch for it this weekend.
> > 3. If I setup tcpwrappers then should I disable any xinetd access
> > options. Is there a network performance cost if say you have a
> > firewall+tcpd+xinetd in some cases doing the same job.
> No. Don't disable any of it. It takes far less than an eyeblink to
> look at an IP address and see if it matches anything in the control
> files, and only happens once as the connection is being made. You can
> divvy up the various functions though. Tcp_wrappers, while being great for
> doing paranoid DNS checks, polling remote identd daemons, and generally
> denying access to netblocks, has no capability to throttle the number of
> connections someone can make. Xinetd is very good at throttling
> connections. Firewalling is kinda so-so (and used to be much less
> useful than that) at throttling connections, but can blackhole network
> space far more efficiently than tcp_wrappers can. It can also do a
> number of twisted and perverse things to network traffic that neither
> xinetd nor tcp_wrappers have even a glimmer of understanding about.
> > 4. I'm just curious as to where xinetd is told to log to daemon.log for
> > announcements such as services started.
> This is probably mentioned in the man page for it (because I'm pretty
> sure it's a directive you can give it) but if it's not you can always
> modify the source code and look for calls to syslog().
Thank you. This has been very helpful.
I had read the man pages for xinetd and xinetd.conf but couldn't find where
in the boot scripts or xinetd.conf the option was specified.
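A worked configuration showing the division of labour Dagmar describes above (tcp_wrappers for netblock-based deny/allow, xinetd for connection throttling and syslog routing). This is an added illustration, not configuration from the thread or from the LFS/BLFS book; the 192.168.1.0/24 netblock, the excluded host, the finger service and the in.fingerd path are placeholders.

```conf
# ---- /etc/hosts.deny ----
# Default-deny. tcp_wrappers grants access if (daemon, client) matches
# hosts.allow, else denies if it matches hosts.deny, else GRANTS. Without
# this line, anything you forgot to list in hosts.allow is reachable.
ALL: ALL

# ---- /etc/hosts.allow ----
# Everything that is permitted lives in this one file.
# sshd compiled with --with-tcp-wrappers checks these rules itself, so
# sshd keeps running from init and still honours them.
sshd:   192.168.1.0/255.255.255.0 EXCEPT 192.168.1.13
# Services launched by xinetd pass through tcpd (or xinetd's own libwrap
# support) and use their daemon name here.
in.fingerd: 192.168.1.0/255.255.255.0

# ---- /etc/xinetd.conf ----
defaults
{
        # Q4: this is where "log to daemon.log" is decided. xinetd writes
        # via syslog at facility "daemon", level "info"; /etc/syslog.conf
        # then routes daemon.* to /var/log/daemon.log (or wherever).
        log_type        = SYSLOG daemon info
        log_on_success  = HOST PID DURATION
        log_on_failure  = HOST

        # Throttling, which tcp_wrappers cannot do at all:
        instances       = 30            # max simultaneous servers, all services
        per_source      = 5             # max simultaneous connections per client IP
        cps             = 25 30         # >25 connections/sec: disable service for 30 s
}
includedir /etc/xinetd.d

# ---- /etc/xinetd.d/finger ---- (placeholder service; path is assumed)
service finger
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = nobody
        server          = /usr/sbin/in.fingerd
        # xinetd's own access control overlaps tcp_wrappers; both run, and
        # the check is a single address comparison per connection.
        only_from       = 192.168.1.0/24
        no_access       = 192.168.1.13
        disable         = no
}
```

The point of the layering is that each control catches what the others do not: the `ALL: ALL` in hosts.deny makes the allow file the single place to audit, `per_source`/`cps` cap how hard one client can hammer a wrapped service, and a packet filter in front of both drops unwanted netblocks before a process is ever forked. After changing the xinetd files, send xinetd SIGHUP (or restart it) and confirm the new throttle settings took effect by watching the facility you configured in `log_type`.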