HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3, Chapter 5 Remote Access Security Administration

The inetd Daemon

The Internet daemon, /usr/sbin/inetd, is the master server for many Internet Services.

The inetd daemon is usually started automatically by the /sbin/init.d/inetd script as part of the boot process.

The inetd daemon listens for connection requests for the services listed in the /etc/inetd.conf configuration file and spawns the appropriate server when a request arrives. For example, a user connects to a remote system with an Internet Service such as telnet; inetd determines whether a telnet connection from that host is allowed before completing the connection. The host information used to allow or deny access is in the /var/adm/inetd.sec file.

The inetd daemon works as follows:

  1. Starts at run level 2 during system boot, provided the system startup script runs the command /sbin/init.d/inetd start.

  2. Checks /etc/inetd.conf to determine which services to provide. For more information, see ftp(1) and inetd.conf(4).

  3. Checks /etc/services to determine which ports to monitor for the services listed in /etc/inetd.conf. The /etc/services file maps service names to port numbers. For more information, see services(4).

  4. Receives an Internet Service connection request from a client. For example, someone runs telnet.

  5. Consults /var/adm/inetd.sec to determine if the client is permitted access. For more information, see inetd.sec(4).

  6. Logs the request in /var/adm/syslog/syslog.log if logging is enabled. For more information, see syslogd(1M).

  7. If inetd refuses the connection for security reasons, the connection is shut down.

  8. If the connection request is valid, inetd starts a server process to handle it. That server process can enforce security features of its own in addition to the inetd checks.

Securing inetd

The /etc/inetd.conf file is the inetd configuration file, which lists the services that the inetd daemon can start. Each service listed in /etc/inetd.conf must also appear in the /etc/services file. The /etc/services file maps service names to port numbers. Each port number has an associated protocol name, such as tcp or udp. Every entry for a protocol must have a matching entry in the /etc/protocols file.

The following suggestions can make inetd more secure:

  • Enable inetd logging in /etc/rc.config.d/netdaemons. For more information, see rc.config.d(4).

  • Review /etc/inetd.conf and /etc/services for changes. An unauthorized user might have gained root access and modified the /etc/services and /etc/inetd.conf files. In /etc/inetd.conf, look for names of services you are not using. In /etc/services, look for port numbers that are not registered with the Internet Assigned Numbers Authority (IANA) at http://www.iana.org. Verify that the port numbers listed for Internet Services match port numbers registered with IANA.

  • Comment out unnecessary services, such as finger, in /etc/inetd.conf. The finger command displays user information without needing a password.

  • Comment out Remote Procedure Calls (RPC) services in /etc/inetd.conf.

  • Comment out inetd "internal trivial" services in /etc/inetd.conf to avoid denial-of-service attacks. A malicious user might overload inetd with chargen (character generator) requests. For more information, see inetd(1M) and inetd.conf(4).
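The review steps above can be scripted. The following is an added example, not from this guide or from HP: a POSIX shell audit that lists the active entries in an inetd.conf, flags the ones the guide says to disable, and cross-checks each active service against /etc/services and a small table of IANA-registered ports. The baseline lists, the scratch directory, and the sample file contents are all constructed for the example; point the functions at the real /etc/inetd.conf and /etc/services to audit a host.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: audit an inetd.conf against a
# baseline of services expected to be active, cross-check each active
# service against /etc/services, and compare the port with the IANA
# registration. All file contents written below are constructed samples.

# Baseline: services expected to be enabled on this host (assumption for
# the example; adjust to the host's actual role).
EXPECTED_SERVICES="ftp telnet"

# Services the guide recommends commenting out: finger, RPC, and the
# "internal trivial" services such as chargen/echo/discard/daytime.
RISKY_SERVICES="finger rpc chargen echo discard daytime"

# IANA-registered port/protocol for the services this example knows about.
IANA_PORTS="ftp=21/tcp telnet=23/tcp finger=79/tcp chargen=19/tcp echo=7/tcp"

# Print the service name of every active (non-commented) inetd.conf line.
# HP-UX entries have at least six fields:
#   service socket-type protocol wait/nowait user server-program [args]
active_services() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# lookup KEY k=v k=v ...  -> prints v for KEY, or returns 1 if absent.
lookup() {
    key="$1"; shift
    for pair in "$@"; do
        case "$pair" in
            "$key="*) echo "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Report every active service outside the baseline, marking the ones the
# guide says to disable. One finding per line.
audit_inetd_conf() {
    for svc in $(active_services "$1"); do
        case " $EXPECTED_SERVICES " in *" $svc "*) continue ;; esac
        case " $RISKY_SERVICES " in
            *" $svc "*) echo "RISKY $svc: enabled; guide recommends commenting it out" ;;
            *)          echo "UNEXPECTED $svc: enabled but not in baseline" ;;
        esac
    done
    return 0
}

# For each active non-RPC service, confirm it has an /etc/services entry
# and that the port/proto matches the IANA registration in IANA_PORTS.
check_services_file() {
    conf="$1"; services="$2"
    for svc in $(active_services "$conf"); do
        [ "$svc" = rpc ] && continue   # RPC lines carry program numbers, not ports
        entry=$(awk -v s="$svc" '$0 !~ /^[ \t]*#/ && $1 == s { print $2; exit }' "$services")
        if [ -z "$entry" ]; then
            echo "MISSING $svc: active in inetd.conf but absent from /etc/services"
            continue
        fi
        iana=$(lookup "$svc" $IANA_PORTS) || continue   # not in our table: skip
        [ "$entry" = "$iana" ] || echo "PORT $svc: /etc/services says $entry, IANA says $iana"
    done
    return 0
}

# Write constructed sample files into a scratch directory and print its path.
# finger, chargen and an RPC service are left enabled on purpose, and telnet
# is mapped to a non-IANA port, the kind of tampering the guide tells you
# to look for.
make_samples() {
    d="${TMPDIR:-/tmp}/inetd_audit.$$"
    mkdir -p "$d"
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample /etc/inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
finger  stream tcp nowait bin  /usr/lbin/fingerd fingerd
chargen stream tcp nowait root internal
#echo   stream tcp nowait root internal
rpc     dgram  udp wait   root /usr/lib/netsvc/rstat/rpc.rstatd 100001 2-4 rstatd
EOF
    cat > "$d/services" <<'EOF'
# constructed sample /etc/services
ftp      21/tcp
telnet   2323/tcp
finger   79/tcp
EOF
    echo "$d"
}

dir=$(make_samples)
echo "== services enabled beyond the baseline =="
audit_inetd_conf "$dir/inetd.conf"
echo "== /etc/services cross-check =="
check_services_file "$dir/inetd.conf" "$dir/services"
rm -r "$dir"
```

On the sample files the audit flags finger, chargen and rpc as risky, reports chargen as missing from /etc/services, and reports telnet's port as differing from the IANA value; a clean host produces no output from either function.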

Denying or Allowing Access Using /var/adm/inetd.sec

In addition to configuring the /etc/inetd.conf file, you can configure an optional security file called /var/adm/inetd.sec to restrict access to the services started by inetd. The /var/adm/inetd.sec file lists which hosts are allowed or denied access to each service. For more information, see inetd.conf(4).

For example:

login allow 10.3-5 192.34.56.5 ahost anetwork

login deny 192.54.24.5 cory.example.edu.testlan
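To see how lines like these are evaluated, here is an added example that is not part of the guide: a small POSIX shell/awk function that reads an inetd.sec file and reports whether a given service would allow or deny a given client. The semantics it implements (no entry means every client is allowed; allow restricts access to the listed hosts; deny refuses the listed hosts; a partial address such as 10.3-5 is a prefix match with an optional octet range or "*"; host and network names are compared literally; a later line for the same service overrides an earlier one) are this example's reading of inetd.sec(4), not text from this page, and the extra ftp line in the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: decide whether a client passes the
# /var/adm/inetd.sec check for a service. Assumed semantics (see inetd.sec(4)):
#   - no line for the service      -> every client is allowed
#   - "service allow host..."      -> only clients matching the list are allowed
#   - "service deny host..."       -> clients matching the list are refused
#   - partial addresses match as prefixes; an octet may be a range "3-5" or "*"
#     (so "10.3-5" covers 10.3.0.0 through 10.5.255.255); host and network
#     names are compared literally; a later line for a service overrides an
#     earlier one.

# inetd_sec_decision SECFILE SERVICE CLIENT  -> prints "allow" or "deny"
inetd_sec_decision() {
    awk -v svc="$2" -v client="$3" '
    # Does one address/name pattern from the host list match the client?
    function matches(pat, addr,    p, c, r, np, nc, i, lo, hi) {
        if (pat == addr) return 1              # literal host or network name
        if (addr !~ /^[0-9.]+$/) return 0      # names only match literally
        np = split(pat, p, ".")
        nc = split(addr, c, ".")
        if (np > nc) return 0
        for (i = 1; i <= np; i++) {
            if (p[i] == "*") continue
            if (split(p[i], r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = p[i]; hi = p[i] }
            if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/) return 0
            if (c[i] + 0 < lo + 0 || c[i] + 0 > hi + 0) return 0
        }
        return 1                               # every pattern octet matched
    }
    $0 ~ /^[ \t]*#/ || NF < 2 { next }         # skip comments and blank lines
    $1 == svc {
        hit = 0
        for (i = 3; i <= NF; i++) if (matches($i, client)) hit = 1
        if ($2 == "allow") decision = (hit ? "allow" : "deny"); else decision = (hit ? "deny" : "allow")
    }
    END { if (decision == "") decision = "allow"; print decision }
    ' "$1"
}

# Write a constructed sample inetd.sec and print its path: the guide's two
# login lines plus one constructed ftp line that shows the "*" wildcard.
make_sample_sec() {
    f="${TMPDIR:-/tmp}/inetd.sec.sample.$$"
    cat > "$f" <<'EOF'
# constructed sample /var/adm/inetd.sec
login allow 10.3-5 192.34.56.5 ahost anetwork
login deny 192.54.24.5 cory.example.edu.testlan
ftp deny 10.9.*
EOF
    echo "$f"
}

f=$(make_sample_sec)
for probe in "login 10.4.7.8" "login 192.54.24.5" "ftp 10.9.5.5" "exec 192.54.24.5"; do
    set -- $probe
    printf '%-6s from %-16s -> %s\n' "$1" "$2" "$(inetd_sec_decision "$f" "$1" "$2")"
done
rm -f "$f"
```

Running the function against a host's real /var/adm/inetd.sec with the addresses you expect to be refused is a quick way to confirm the file says what you intended before relying on it.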

© 2008 Hewlett-Packard Development Company, L.P.