LinuxQuestions.org


Palula 09-13-2005 02:45 PM

xinetd - What is it?
 
Hi there?
I'd like to know what is xinetd. Let me explain why this all of a sudden.

I recently was configuring my vsFTPd following the installing via RPM link. And everything went fine except that I didn't follow this section "If you are running xinetd, do the following:" because I tried by myself to make it work as a service. The thing is that when I shut down the linuxbox, a lot of services failed to stop and the vsftpd failed to unload even manually (./vsftpd stop). So I went for the xinetd configuration, made everything the tutorial said and everything worked fine. Anyway it doesn't work as a service. It is permanently working on my machine without being a service. Now, when I shut down the machine, every service unloads correctly so I prefer it like this.

But I don't understand a single line, I don't know what the lines do within my linux and I don't understand what xinetd is... Here are the lines I stated on the vsftpd files inside xinetd.d folder:

service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
nice = 10
}


I'd like to know what each line does and what is xinetd!!! :)
Thanks.

nayabingi 09-13-2005 03:03 PM

Palula,
xinetd is a tcp wrapper super service. It can be used to control access to network services. The link below will provide details on TCP Wrapper and xinetd. If you want to dive right into what xinetd is you can go to the second link.

http://www.ms.washington.edu/Docs/Li...pwrappers.html
http://www.ms.washington.edu/Docs/Li...rs-xinetd.html

Hobbletoe 09-13-2005 03:06 PM

Xinetd is like inetd, but more configurable (or at least I feel it is). I replaced inet on our Solaris boxes with xinetd, and it works splendidly for us. We currently run telnet and ftp on one box, as well as ssh through it.

One fun thing that we did was to leave FTP open on a few of our servers, but as a sensor only. That way, if anything hits FTP on that machine, it locks that IP out of all of the services that are open on that machine through xinetd. And as we get security scans occasionally, it blocks a LOT of TCP Wrapper denials for us since any request against a service through xinetd gets dropped as soon as xinetd sees it.

ANYway, what the lines do ...

disable ... tells xinetd to run this service or not. Yes means do NOT run it, no means to run it. (Another way to stop a service from running is to append a ~ to the file name in the /etc/xinetd.d directory, i.e. ftp~)

socket_type ... don't really know as I never really got into networking and the like. I think the man page explains it though.

wait ... determines if the service runs single or multi-thread. Yes means that the service will start on a request, but will not start another request until the first is done. No means that you can have more than one going.

user ... who to start the service as.

server ... what service to start.

nice ... what priority the service has on the system. man nice for more info.

Oh, and be sure to man xinetd and xinetd.conf for more information. Some other links to check ...

http://www.linuxfocus.org/English/No...ticle175.shtml

http://www.xinetd.org

http://man.linuxquestions.org/?query...pe=2&section=5

bosewicht 09-13-2005 03:09 PM

There are a lot of sites out there that explain what xinetd is and what those lines mean. Another thing to try is google.


xinetd

The xinetd daemon is a TCP wrapped super service which controls access to a subset of popular network services including FTP, IMAP, and Telnet. It also provides service-specific configuration options for access control, enhanced logging, binding, redirection, and resource utilization control.

When a client host attempts to connect to a network service controlled by xinetd, the super service receives the request and checks for any TCP wrappers access control rules. If access is allowed, xinetd verifies that the connection is allowed under its own access rules for that service and that the service is not consuming more than its allotted amount of resources or in breach of any defined rules. It then starts an instance of the requested service and passes control of the connection to it. Once the connection is established, xinetd does not interfere further with communication between the client host and the server.

Service is telling you what it is.

disable
"yes" or "no". This will result in the service being disabled and not starting.

socket_type
Possible values include:

stream
stream-based service

dgram
datagram-based service

raw
service that requires direct access to IP

seqpacket
service that requires reliable sequential datagram transmission

wait
This attribute determines if the service is single-threaded or multi-threaded and whether or not xinetd accepts the connection or the server program accepts the connection. If its value is yes, the service is single-threaded; this means that xinetd will start the server and then it will stop handling requests for the service until the server dies and that the server software will accept the connection. If the attribute value is no, the service is multi-threaded and xinetd will keep handling new service requests and xinetd will accept the connection. It should be noted that udp/dgram services normally expect the value to be yes since udp is not connection oriented, while tcp/stream servers normally expect the value to be no.

user
determines the uid for the server process. The user attribute can either be numeric or a name. If a name is given (recommended), the user name must exist in /etc/passwd. This attribute is ineffective if the effective user ID of xinetd is not super-user.

server
determines the program to execute for this service.

nice
determines the server priority. Its value is a (possibly negative) number.

Palula 09-14-2005 12:43 PM

Nice! I read some things about xinetd and intend to read a lot more since it can provide security to my online services... But I have a small question, almost useless...

Okay so I start some of my services through /etc/rc.d/init.d/service (I think it's this).
For example: I enter that folder, and type ./service start/stop/restart

My question is: Are there automated forms like this to start/stop/restart a service within xinetd?

Thanks a lot!!!

sundialsvcs 09-14-2005 02:30 PM

xinetd is a sort of "super listener."

When some process wants to connect to a service on your computer, they will ask to open a well-known port number. For example, http requests (for web pages) will always be made to port #80. FTP, SSH, Telnet, and so-on all have their own ports (see /etc/services).

It would be possible, but wasteful, to have a whole bunch of server processes sitting around idle, each waiting for a connection on "their" port. What Xinetd does instead is to wait for a connection on all of those port-numbers at once. When a valid connection request comes in, Xinetd will start the appropriate service, then pass the connection request to it. The advantage is that Linux only has to deal with one process, Xinetd, to wait for potential connections on many ports.

chrism01 09-14-2005 08:47 PM

In addition to the above explanations, the usual rule of thumb is that if the listening service will be accessed rarely, then use xinetd to control it.
On the other hand, if it's going to be busy eg you have a popular website, then make the service (Apache: ports 80, 443) a standalone daemon ie not via xinetd.

Palula 09-15-2005 10:54 AM

Thanks a lot.

The services I have on my machine will be rarely accessed so the use of Xinetd suits well right? Thanks a lot.

chrism01 09-15-2005 08:48 PM

Just make sure you disable any entries in etc/xinetd.d/ that you don't want to run ie never run a service unless you positively want to; more secure.
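
An added example of the check advised above, not part of any post in this thread: it parses xinetd service entries and lists the ones xinetd would start, noting which start as root and which have a `wait` value that differs from the usual one for their `socket_type`. The `tftp` and `telnet` entries are constructed for illustration, an entry with no `disable` line is assumed to be enabled, and a `defaults` section is not handled.

```python
# Constructed sample: the ftp entry from the thread plus two made-up entries.
SAMPLE = """\
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
nice = 10
}
service tftp
{
socket_type = dgram
wait = no
}
service telnet
{
disable = yes
}
"""

def parse_services(text):
    """Return {name: {attribute: value}} for each 'service NAME { ... }' block."""
    services, name, attrs = {}, None, None
    for line in map(str.strip, text.splitlines()):
        parts = line.split()
        if attrs is None and len(parts) == 2 and parts[0] == "service":
            name, attrs = parts[1], {}  # the "{" line that follows carries no data
        elif line == "}" and attrs is not None:
            services[name], name, attrs = attrs, None, None
        elif attrs is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            attrs[key.rstrip("+- \t")] = value.strip()  # also accepts += and -=
    return services

def audit(services):
    """List (service, note) pairs for every entry xinetd would start."""
    notes = []
    for name, a in sorted(services.items()):
        if a.get("disable", "no") == "yes":  # assumption: no 'disable' line = enabled
            continue
        notes.append((name, "enabled"))
        if a.get("user") in ("root", "0"):
            notes.append((name, "starts as root"))
        usual = {"stream": "no", "dgram": "yes"}.get(a.get("socket_type"))
        if usual and a.get("wait") != usual:
            notes.append((name, "wait is normally " + usual))
    return notes
```

To review a real host, pass the concatenated contents of the files under /etc/xinetd.d to `parse_services` and read the output of `audit`.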

Electro 09-16-2005 12:42 AM

It is better to use iptables instead of xinetd. xinetd has problems with certain services such as ssh and apache. It is better to just run them at certain schedules using cron. If you setup the services and iptables correctly, then you do not have to use xinetd. Use xinetd as little as possible because it also uses a port that can be compromised.

apj_iitr 06-25-2007 06:51 AM

Problem with
 
Hi,
I'm trying to access CVS on server from remote system. I get the following error message:
******************************************
Logging in to :pserver:admin@localhost:2401/home/cvs/repository
CVS password:
cvs [login aborted]: connect to localhost(127.0.0.1):2401 failed: Connection refused
********************************************

When I did the root cause analysis I found that the service xinetd is not working properly

[root@WiproODC admin]# /sbin/service xinetd status
xinetd is stopped
[root@WiproODC admin]# /sbin/service xinetd stop
Stopping xinetd: [FAILED]
[root@WiproODC admin]# /sbin/service xinetd start
Starting xinetd: [ OK ]


So I could not figure out what is wrong with the service

Can you please help me to solve this issue?

regards
apj

