xinetd vs tcpwrappers

john smith no at thanks.com
Sat Nov 30 16:54:43 PST 2002


"Dagmar d'Surreal" <dagmar at speakeasy.net> wrote in message
news:1038689522.4394.25.camel at evil.kung.foo...
> On Sat, 2002-11-30 at 05:19, john smith wrote:
> > I am new to linux and my main aim in building an lfs system was to learn how
> > it all fits together.
> > I have a few questions relating to xinetd that I was hoping people could
> > clear up for me.  If anyone can help, please do. If I'm on the wrong track
> > tell me.
>
> Well, you could probably have posted this to LFS Security, but it's
> kinda 50/50 so whatever.  :)
>
> > 1. I was wondering what is the difference/advantage of xinetd access and
> > logging facilities as opposed to using tcpwrappers to do what appears to me
> > as a similar job (as far as security is concerned)?
>
> Using tcp_wrappers lets you put a large portion of your access control
> definitions in just that one file, /etc/hosts.allow (since
> /etc/hosts.deny should usually contain just "ALL:ALL").  This keeps
> things nice and tidy, and tidy is good.  It keeps you from accidentally
> forgetting to change something when your security data is scattered
> around the filesystem in three or four places.
>
> > 2. I have just installed ssh and it is started by init. Can this instead be
> > started by xinetd (using tcpd depending on answer to question 1)?
>
> You don't want to do that.  The reasons are documented in the README
> files that come with the OpenSSH package but I'll recap them here.  When
> you start sshd it needs to generate a key for temporary use.  This is
> fairly computationally intensive.  It is wasteful to have sshd making a
> new one of these up every time someone connects in, and can lend itself
> to being a resource starvation attack by someone just pelting your sshd
> port with random connections.
>
> Plus, sshd already has support for tcp_wrappers which you add to it at
> compile time.  Do a ./configure --help and you'll see the proper option
> appear in the list.  I AM VERY UPSET THAT THIS IS NOT MENTIONED IN THE
> BOOK ALREADY.  I would use _stronger_ language, but that will wait until
> someone gives me grief for claiming to know what I'm doing by submitting
> a patch for it this weekend.
>
> > 3. If I set up tcpwrappers then should I disable any xinetd access control
> > options. Is there a network performance cost if say you have a
> > firewall+tcpd+xinetd in some cases doing the same job.
>
> No.  Don't disable any of it.  It takes far less than an eyeblink to
> look at an IP address and see if it matches anything in the control
> files, and only happens once as the connection is being made.  You can
> divvy up the various functions tho.  Tcp_wrappers, while being great for
> doing paranoid DNS checks, polling remote identd daemons, and generally
> denying access to netblocks, has no capability to throttle the number of
> connections someone can make.  Xinetd is very good at throttling
> connections.  Firewalling is kinda so-so (and used to be much less
> useful than that) at throttling connections, but can blackhole network
> space far more efficiently than tcp_wrappers can.  It can also do a
> number of twisted and perverse things to network traffic that neither
> xinetd nor tcp_wrappers have even a glimmer of understanding about.
>
> > 4. I'm just curious as to where xinetd is told to log to daemon.log for
> > announcements such as services started.
>
> This is probably mentioned in the man page for it (because I'm pretty
> sure it's a directive you can give it) but if it's not you can always
> modify the source code and look for calls to syslog().
>
Thank you. This has been very helpful.
I had read the man pages for xinetd and xinetd.conf but couldn't find where
in the boot scripts or xinetd.conf  the option was specified.

thanks
gavin
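The following is an added example, not part of the original thread and not code from xinetd, tcp_wrappers or OpenSSH. It puts Dagmar's three points side by side in one script: a hosts.allow that holds the whole access policy with hosts.deny reduced to "ALL : ALL", an xinetd service entry that does the throttling (instances, per_source, cps) and names the syslog facility for the "service started" lines asked about in question 4 (log_type = SYSLOG daemon info; xinetd falls back to the daemon facility when no log_type is given), and a small shell model of the libwrap lookup order: hosts.allow is read first and the first matching rule allows, then hosts.deny is read and the first matching rule denies, and if neither file matches the connection is allowed. That default is exactly why the ALL : ALL line matters, and the script shows it by evaluating the same policy with an empty hosts.deny. The model only understands the ALL wildcard, exact IPv4 addresses, trailing-dot network prefixes and net/mask pairs; hostnames, EXCEPT lists and the options field are ignored, and the real decision for a live system comes from tcpdmatch(8). The service name, addresses and file contents are constructed for the example. One caveat for anyone reading this today: the --with-tcp-wrappers configure option discussed above was removed from OpenSSH in 6.7 (2014), so on current releases sshd's own Match rules or the packet filter take that role.

```shell
#!/bin/sh
# Added example: a hosts.allow/hosts.deny policy plus an xinetd throttling
# stanza, and a simplified model of the libwrap decision order.
WRAP_DIR=$(mktemp -d)   # stands in for /etc in this example

cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# constructed policy: every allow rule lives in this one file
# sshd is wrapped by libwrap compiled into the daemon, not run from xinetd
sshd       : 192.168.1.0/255.255.255.0 192.168.2.
in.telnetd : 192.168.1.10
ALL        : 127.0.0.1
EOF

cat > "$WRAP_DIR/hosts.deny" <<'EOF'
# default-deny: anything not matched in hosts.allow stops here
ALL : ALL
EOF

# Same allow policy with the hosts.deny safety net left out (the weak form).
WEAK_DIR=$(mktemp -d)
cp "$WRAP_DIR/hosts.allow" "$WEAK_DIR/hosts.allow"
: > "$WEAK_DIR/hosts.deny"

# Constructed xinetd service entry: rate limiting is xinetd's job, the
# netblock filter lives in hosts.allow, and log_type picks the syslog
# facility that ends up in daemon.log.
cat > "$WRAP_DIR/xinetd.telnet" <<'EOF'
service telnet
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    # cap on concurrent servers for this service
    instances       = 20
    # concurrent connections allowed from one client address
    per_source      = 3
    # more than 10 connections/second: service disabled for 30 seconds
    cps             = 10 30
    # "service started"/"STARTED" lines go to the daemon facility at info
    log_type        = SYSLOG daemon info
    log_on_failure += HOST USERID
}
EOF

# Dotted-quad IPv4 address to integer (only addresses, never hostnames).
ip4_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does one client pattern from a rule match the client address?
client_match() {
  pat=$1; ip=$2
  case $pat in
    ALL)  return 0 ;;
    */*)  net=${pat%/*}; mask=${pat#*/}; m=$(ip4_to_int "$mask")
          [ $(( $(ip4_to_int "$ip") & m )) -eq $(( $(ip4_to_int "$net") & m )) ] ;;
    *.)   case $ip in "$pat"*) return 0 ;; esac; return 1 ;;   # 192.168.2. prefix
    *)    [ "$pat" = "$ip" ] ;;
  esac
}

# First rule in FILE whose daemon list and client list both match wins.
rule_match() {
  file=$1; daemon=$2; ip=$3
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    case $line in *:*) ;; *) continue ;; esac
    dlist=${line%%:*}; rest=${line#*:}; clist=${rest%%:*}   # options field ignored
    dmatch=1
    for d in $dlist; do
      if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; fi
    done
    [ "$dmatch" -eq 0 ] || continue
    for c in $clist; do
      client_match "$c" "$ip" && return 0
    done
  done < "$file"
  return 1
}

# wrap_check DAEMON CLIENT_IP [DIR]: prints ALLOW or DENY in libwrap order.
wrap_check() {
  dir=${3:-$WRAP_DIR}
  if rule_match "$dir/hosts.allow" "$1" "$2"; then echo ALLOW; return 0; fi
  if rule_match "$dir/hosts.deny"  "$1" "$2"; then echo DENY;  return 1; fi
  echo ALLOW; return 0    # no rule matched: tcp_wrappers allows by default
}

for probe in "sshd 192.168.1.10" "sshd 192.168.2.7" "sshd 10.0.0.5" \
             "in.telnetd 192.168.1.11" "in.telnetd 127.0.0.1"; do
  set -- $probe
  printf '%-12s %-16s strict=%s  no-deny-file=%s\n' \
    "$1" "$2" "$(wrap_check "$1" "$2")" "$(wrap_check "$1" "$2" "$WEAK_DIR")"
done
```

The last column is the lesson: with hosts.deny empty, 10.0.0.5 reaches sshd even though it matches nothing in hosts.allow, because libwrap's fallback is to allow. Keeping ALL : ALL in hosts.deny turns the one file Dagmar recommends, hosts.allow, into the complete list of who may connect.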



