Securing inetd

inetd, the Internet "super-server", is a single service on Unix-based systems that invokes other services as needed. It is run at boot time and listens for connections on certain Internet ports. When a connection occurs on a given port, inetd determines which service corresponds to that port and invokes the appropriate program. When the program has completed, inetd continues its monitoring.

The inetd.conf File

A list of services inetd controls is specified in /etc/inetd.conf. Each line of the file specifies a service name (which maps to a port number in /etc/services), a program to run, and some other parameters. You can disable a service by simply deleting the line it's on, or you can comment it out by putting a # at the beginning of the line.

Once you've made changes to inetd.conf, you must restart inetd by sending it a HUP signal. First, find the process with ps:

# ps ax | grep inetd
  375 ?        S      0:00 inetd
14145 pts/3    S      0:00 grep inetd

Then, use the kill command as root to send the signal:

# kill -HUP 375

Here's an example of an inetd.conf entry for the login service:

login  stream  tcp  nowait  root  /usr/etc/in.rlogind  rlogind

When commented out (and therefore disabled), the entry looks like this:

#login  stream  tcp  nowait  root  /usr/etc/in.rlogind  rlogind

Common Services

Listed below are the network services common to most vendors' inetd configurations, along with recommendations for or against their use.

bootp, bootps
Used for booting systems over the network with the BOOTP protocol. We recommend disabling them unless you use BOOTP for this purpose.
comsat
Notifies users of incoming mail as configured by biff. Since mail is read remotely with IMAP so often these days, comsat is largely unnecessary and should be disabled.
echo, chargen, daytime, discard
Used mainly for testing, these services are unnecessary and can be used by attackers to launch denial of service attacks. They should all be disabled.
exec
Allows remote users to execute commands on a host without logging in. The exec service is not cryptographically secure, so it exposes user passwords and other sensitive data on the network. It should be disabled.
finger
Allows remote users to use the finger utility to obtain information about arbitrary users on a host. Most implementations are very insecure and have had numerous vulnerabilities over the years. We recommend disabling the service.
ftp
Allows remote users to transfer files between computers. Most versions of FTP allow user passwords and other sensitive data to be transmitted over the network in clear text, so they can be easily stolen by attackers with access to your network. We recommend disabling FTP and using instead a secure file transfer mechanism which encrypts the entire session (such as Kerberized FTP, SSH (see Install and Use SSH), or an SSL-protected web page). If FTP access is a must, the service must be protected with TCP Wrappers.
login
Allows remote users to use the rlogin utility to log in to a host without supplying a password (using a trusted hosts mechanism configured with the /etc/hosts.equiv and ~/.rhosts files). This service is very insecure because, like FTP, it transmits passwords and other sensitive data over the network in clear text. We recommend disabling it and using SSH (see Install and Use SSH) instead. If rlogin is a must, the service must be protected with TCP Wrappers.
netstat
Designed to provide network status information about a host to remote users. Because it gives away information that may be useful to attackers, we recommend disabling it.
shell
Allows remote users to run arbitrary commands on a computer using the rsh utility using the same trusted hosts mechanism as rlogin. Like FTP and rlogin, this service transmits all data in clear text and is very insecure. We recommend disabling it and using SSH (see Install and Use SSH) instead. If rsh access is a must, the service must be protected with TCP Wrappers.
systat
Designed to provide status information about a host. Like netstat, this service could give clues to attackers and should be disabled.
talk
Allows remote users to use the talk program to have real-time conversations with local users. The talk service has had several vulnerabilities in the past, and most people use other instant messaging services these days, so we recommend disabling talk.
telnet
Allows remote users to connect to a computer using the TELNET protocol. Like FTP and rlogin, this service transmits all data in clear text and is very insecure. We recommend disabling it and using SSH (see Install and Use SSH) instead. If TELNET access is a must, the service must be protected with TCP Wrappers.
tftp
Allows remote users to transfer files from a computer using the TFTP protocol, which does not require authentication. It is used primarily by X terminals and routers. Because no authentication is required, this service is insecure and we recommend disabling it. If you must use TFTP, use the -s option to restrict downloads to a specified directory. Also, be sure to use TCP Wrappers.
time
Used for clock synchronization. We recommend disabling this service and using the NTP protocol to keep your system clock up to date.
uucp
Allows remote users to transfer files between computers using the UUCP protocol. Unless you require UUCP, we recommend disabling the service.
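Several of the entries above say that a service which cannot be removed "must be protected with TCP Wrappers" without showing what that looks like. The following configuration fragments are added here as an illustration and are not part of the original page; the daemon paths, the /tftpboot directory and the 192.0.2.0 network are assumed values that would be replaced with your own:

```text
# /etc/inetd.conf: run the real daemon through tcpd so that every connection
# is checked against hosts.allow and hosts.deny before the service starts.
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root  /usr/sbin/tcpd  in.tftpd -s /tftpboot

# /etc/hosts.deny: refuse every client that no hosts.allow line matches.
ALL: ALL

# /etc/hosts.allow: the daemon name is the server's basename as written in
# inetd.conf; only the listed clients may reach each wrapped service.
in.ftpd, in.telnetd: 192.0.2.0/255.255.255.0
in.tftpd: 192.0.2.10 192.0.2.11
```

tcpd consults hosts.allow first and hosts.deny second, so the default-deny rule only applies to clients that no hosts.allow entry matches. Note that the tftp line carries the -s option recommended above, so the wrapped daemon is restricted to /tftpboot as well as to the two listed hosts.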

Services Based on RPC

RPC-based services are used by many other services such as NFS and NIS. Most RPC protocols contain known security hazards, and RPC in general uses a very weak authentication mechanism that is easily circumvented. Our recommendation is against using NIS or NFS. All RPC-based services should be disabled in inetd.conf unless NFS/NIS must be used. Another option is to run services based on Secure RPC (such as NIS+).

rexd
Allows remote users to run RPC programs on a computer. This service makes it very easy for a remote user to run a root shell on your computer. We recommend disabling it.
rquotad
Returns quotas for a user of a local file system which is NFS-mounted by a remote machine. We recommend disabling it.
rstatd
Extracts performance statistics from the kernel for use by programs such as perfmeter. We recommend disabling it.
rusersd
Returns a list of users on a network. We recommend disabling it.
sadmind
This service is required for Sun's graphical administration tools to work, but it also allows attackers to run arbitrary commands as root on your computer. We recommend disabling it before your computer is even connected to a network.
sprayd
This performance-monitoring service records the packets sent by the spray program and sends a response to the originator of the packets. It can be used by attackers to compromise systems or launch denial of service attacks. We recommend disabling it.
walld
Used for sending messages to all the users on a network with the rwall program. It can be used by attackers to compromise systems or launch denial of service attacks. We recommend it be disabled.
ypupdated
Used for updating NIS information. We recommend against the use of NIS in general, and this service has additional vulnerabilities. We therefore recommend it be disabled.

Don't forget to restart inetd after making any changes!
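The recommendations in the Common Services and RPC lists above can be applied mechanically. The script below is an added example, not code from the original page: it reads an inetd.conf, reports the active entries for services this page recommends disabling, writes a hardened copy with those entries commented out, and locates the inetd process for the HUP restart described in the inetd.conf section. The sample configuration, the daemon paths in it and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an inetd.conf against the
# services the page recommends disabling, write a hardened copy, and find
# inetd's PID for the HUP restart. Sample data and paths are constructed.

# Services the page recommends disabling unless they are specifically required.
RISKY_SERVICES="bootp bootps comsat echo chargen daytime discard exec finger ftp login netstat shell systat talk telnet tftp time uucp rexd rquotad rstatd rusersd sadmind sprayd walld ypupdated"

# awk prologue that turns RISKY_SERVICES (passed in as -v risky=...) into a lookup table.
DENY_TABLE='BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) deny[r[i]] = 1 }'

# Print the service name of every active entry in the given inetd.conf.
# Comment lines, blank lines and the "/version" suffix of RPC entries are ignored.
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { split($1, name, "/"); print name[1] }' "$1"
}

# Print the active services that are on the recommended-to-disable list.
audit_inetd_conf() {
    enabled_services "$1" | awk -v risky="$RISKY_SERVICES" "$DENY_TABLE"' $1 in deny'
}

# Copy $1 to $2, commenting out every active entry for a risky service and
# leaving all other lines (including existing comments) byte-for-byte intact.
harden_inetd_conf() {
    awk -v risky="$RISKY_SERVICES" "$DENY_TABLE"'
        /^[ \t]*#/ || NF < 6 { print; next }
        { split($1, name, "/"); if (name[1] in deny) print "#" $0; else print }
    ' "$1" > "$2"
}

# Read "ps ax" output on stdin and print the PID of inetd. The command column is
# reduced to its basename, so "/usr/sbin/inetd" matches and "grep inetd" does not.
find_inetd_pid() {
    awk '{ cmd = $5; sub(".*/", "", cmd) } cmd == "inetd" { print $1 }'
}

# Send the HUP signal so inetd re-reads its configuration (must run as root).
reload_inetd() {
    pid=$(ps ax | find_inetd_pid)
    if [ -n "$pid" ]; then
        kill -HUP "$pid"
    else
        echo "inetd is not running" >&2
        return 1
    fi
}

# Constructed sample configuration standing in for /etc/inetd.conf.
SAMPLE_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$HARDENED_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample inetd.conf
ftp         stream  tcp      nowait  root  /usr/sbin/in.ftpd                 in.ftpd
telnet      stream  tcp      nowait  root  /usr/sbin/in.telnetd              in.telnetd
#login      stream  tcp      nowait  root  /usr/etc/in.rlogind               rlogind
echo        stream  tcp      nowait  root  internal
rstatd/2-4  dgram   rpc/udp  wait    root  /usr/lib/netsvc/rstat/rpc.rstatd  rpc.rstatd
imap        stream  tcp      nowait  root  /usr/sbin/imapd                   imapd
EOF

echo "Active services the page recommends disabling:"
audit_inetd_conf "$SAMPLE_CONF"      # prints: ftp telnet echo rstatd (one per line)
harden_inetd_conf "$SAMPLE_CONF" "$HARDENED_CONF"
echo "Hardened configuration (install as /etc/inetd.conf, then run reload_inetd as root):"
cat "$HARDENED_CONF"
```

The already-commented login line and the imap entry pass through unchanged, which is the point of editing by service name rather than rewriting the file: the result is the same file with the page's recommended lines commented out, and a diff against the original shows exactly what was disabled. reload_inetd reproduces the manual ps and kill -HUP steps from the inetd.conf section; it is defined but deliberately not called by the script.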