## 19.14 The **inetd** Super-Server

***Contributed by Chern Lee.***

### 19.14.1 Overview

[inetd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=inetd&section=8) is referred to as the ***Internet Super-Server*** because it manages connections for several daemons. Programs that provide network service are commonly known as daemons. **inetd** serves as a managing server for other daemons. When a connection is received by **inetd**, it determines which daemon the connection is destined for, spawns that daemon and hands the socket to it. Running one instance of **inetd** reduces the overall system load compared to running each daemon individually in stand-alone mode.

Primarily, **inetd** is used to spawn other daemons, but several trivial protocols are handled directly, such as **chargen**, **auth**, and **daytime**.

This section covers the basics of configuring **inetd** through its command-line options and its configuration file, `/etc/inetd.conf`.

### 19.14.2 Settings

**inetd** is initialized through the `/etc/rc.conf` system. The `inetd_enable` option is set to `NO` by default. Placing:

    inetd_enable="YES"

or

    inetd_enable="NO"

into `/etc/rc.conf` enables or disables **inetd** starting at boot time. Additionally, different command-line options can be passed to **inetd** via the `inetd_flags` option.

### 19.14.3 Command-Line Options

**inetd** synopsis:

    inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname] [-p filename] [-R rate] [configuration file]

-d:: Turn on debugging.

-l:: Turn on logging of successful connections.

-w:: Turn on TCP Wrapping for external services (on by default).

-W:: Turn on TCP Wrapping for internal services which are built into **inetd** (on by default).

-c maximum:: Specify the default maximum number of simultaneous invocations of each service; the default is unlimited. May be overridden on a per-service basis with the `max-child` parameter.

-C rate:: Specify the default maximum number of times a service can be invoked from a single IP address in one minute; the default is unlimited. May be overridden on a per-service basis with the `max-connections-per-ip-per-minute` parameter.

-R rate:: Specify the maximum number of times a service can be invoked in one minute; the default is 256. A rate of 0 allows an unlimited number of invocations.

-a:: Specify one specific IP address to bind to. Alternatively, a hostname can be specified, in which case the IPv4 or IPv6 address which corresponds to that hostname is used. Usually a hostname is specified when **inetd** is run inside a [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail&section=8), in which case the hostname corresponds to the [jail(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=jail&section=8) environment. When hostname specification is used and both IPv4 and IPv6 bindings are desired, one entry with the appropriate protocol type for each binding is required for each service in `/etc/inetd.conf`. For example, a TCP-based service would need two entries, one using `tcp4` for the protocol and the other using `tcp6`.

-p:: Specify an alternate file in which to store the process ID.

These options can be passed to **inetd** using the `inetd_flags` option in `/etc/rc.conf`. By default, `inetd_flags` is set to `-wW`, which turns on TCP wrapping for **inetd**'s internal and external services. For novice users, these parameters usually do not need to be modified or even entered in `/etc/rc.conf`.

**Note:** An external service is a daemon outside of **inetd**, which is invoked when a connection is received for it. On the other hand, an internal service is one that **inetd** has the facility of offering within itself.

### 19.14.4 `inetd.conf`

Configuration of **inetd** is controlled through the `/etc/inetd.conf` file.
When a modification is made to `/etc/inetd.conf`, **inetd** can be forced to re-read its configuration file by sending a HangUP signal to the **inetd** process as shown:

**Example 19-4. Sending inetd a HangUP Signal**

    # kill -HUP `cat /var/run/inetd.pid`

Each line of the configuration file specifies an individual daemon. Comments in the file are preceded by a ***#***. The format of `/etc/inetd.conf` is as follows:

    service-name socket-type protocol {wait|nowait}[/max-child[/max-connections-per-ip-per-minute]] user[:group][/login-class] server-program server-program-arguments

An example entry for the **ftpd** daemon using IPv4:

    ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

service-name:: This is the service name of the particular daemon. It must correspond to a service listed in `/etc/services`. This determines which port **inetd** must listen on. If a new service is being created, it must be placed in `/etc/services` first.

socket-type:: Either `stream`, `dgram`, `raw`, or `seqpacket`. `stream` must be used for connection-based, TCP daemons, while `dgram` is used for daemons utilizing the UDP transport protocol.

protocol:: One of the following:

| Protocol | Explanation |
|----------|-------------|
| tcp, tcp4 | TCP IPv4 |
| udp, udp4 | UDP IPv4 |
| tcp6 | TCP IPv6 |
| udp6 | UDP IPv6 |
| tcp46 | Both TCP IPv4 and v6 |
| udp46 | Both UDP IPv4 and v6 |

{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]:: `wait|nowait` indicates whether the daemon invoked from **inetd** is able to handle its own socket or not. `dgram` socket types must use the `wait` option, while stream socket daemons, which are usually multi-threaded, should use `nowait`. `wait` usually hands off multiple sockets to a single daemon, while `nowait` spawns a child daemon for each new socket.

The maximum number of child daemons **inetd** may spawn can be set using the `max-child` option. If a limit of ten instances of a particular daemon is needed, a `/10` would be placed after `nowait`.

In addition to `max-child`, another option limiting the maximum connections from a single place to a particular daemon can be enabled. `max-connections-per-ip-per-minute` does just this. A value of ten here would limit any particular IP address connecting to a particular service to ten attempts per minute. This is useful to prevent intentional or unintentional resource consumption and Denial of Service (DoS) attacks on a machine.

In this field, `wait` or `nowait` is mandatory. `max-child` and `max-connections-per-ip-per-minute` are optional.

A stream-type multi-threaded daemon without any `max-child` or `max-connections-per-ip-per-minute` limits would simply be: `nowait`. The same daemon with a maximum limit of ten daemons would read: `nowait/10`. Additionally, the same setup with a limit of twenty connections per IP address per minute and a maximum total limit of ten child daemons would read: `nowait/10/20`.

These options are all utilized by the default settings of the **fingerd** daemon, as seen here:

    finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s

user:: This is the username that the particular daemon should run as. Most commonly, daemons run as the `root` user. For security purposes, it is common to find some servers running as the `daemon` user, or the least privileged `nobody` user.

server-program:: The full path of the daemon to be executed when a connection is received. If the daemon is a service provided by **inetd** internally, then `internal` should be used.

server-program-arguments:: This works in conjunction with `server-program` by specifying the arguments, starting with `argv[0]`, passed to the daemon on invocation. If `mydaemon -d` is the command line, `mydaemon -d` would be the value of `server-program-arguments`. Again, if the daemon is an internal service, use `internal` here.

### 19.14.5 Security

Depending on the security profile chosen at install, many of **inetd**'s daemons may be enabled by default.
If there is no apparent need for a particular daemon, disable it! Place a ***#*** in front of the daemon in question, and send **inetd** a hangup signal as shown in Example 19-4. Some daemons, such as **fingerd**, may not be desired at all because they provide an attacker with too much information.

Some daemons are not security-conscious and have long, or non-existent, timeouts for connection attempts. This allows an attacker to slowly send connections to a particular daemon, thus saturating available resources. It may be a good idea to place `max-connections-per-ip-per-minute` and `max-child` limitations on certain daemons.

By default, TCP wrapping is turned on. Consult the [hosts_access(5)](http://leaf.dragonflybsd.org/cgi/web-man?command=hosts_access&section=5) manual page for more information on placing TCP restrictions on various **inetd**-invoked daemons.

### 19.14.6 Miscellaneous

**daytime**, **time**, **echo**, **discard**, **chargen**, and **auth** are all internally provided services of **inetd**.

The **auth** service provides identity (**ident**, **identd**) network services, and is configurable to a certain degree.

Consult the [inetd(8)](http://leaf.dragonflybsd.org/cgi/web-man?command=inetd&section=8) manual page for more in-depth information.
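The field rules from 19.14.4 and the hardening advice from 19.14.5 can be checked mechanically before an `inetd.conf` goes live. The script below is an added example and is not part of the handbook or of DragonFly's own tooling: it parses each enabled entry, splits the `wait|nowait[/max-child[/max-connections-per-ip-per-minute]]` field, and reports `dgram` services that are not using `wait`, external stream services with no limits, external daemons running as `root`, and an enabled **finger** service. The configuration in `SAMPLE_CONF` is constructed for the example, and the function name `audit_inetd_conf` and the finding codes are assumptions of this example only.

```shell
#!/bin/sh
# Added example, not part of the DragonFly handbook: audit an inetd.conf
# against the field rules in 19.14.4 and the hardening advice in 19.14.5.
# It only reads a file; it never signals or reconfigures inetd.

# Constructed sample configuration (not a real system's file). Entries
# beginning with # are disabled and must be ignored by the audit.
SAMPLE_CONF='#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd     ftpd -l
finger   stream  tcp     nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
telnet   stream  tcp     nowait  root    /usr/libexec/telnetd  telnetd
tftp     dgram   udp     nowait  root    /usr/libexec/tftpd    tftpd -l -s /tftpboot
daytime  stream  tcp     nowait  root    internal
auth     stream  tcp     nowait  root    internal
#echo    dgram   udp     wait    root    internal
'

# audit_inetd_conf FILE
# Prints one "CODE service explanation" line per finding for every enabled
# entry, nothing for a clean file. Finding codes (assumed names):
#   MALFORMED     fewer than the six mandatory fields
#   BADWAIT       fourth field is neither wait nor nowait
#   DGRAM-NOWAIT  dgram (UDP) service not using wait
#   NOLIMIT       external stream service with no max-child or per-IP limit
#   ROOT          external daemon running as root
#   INFOLEAK      finger enabled (hands out user information)
audit_inetd_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # comment (disabled) or blank
        NF < 6 { printf "MALFORMED %s needs at least 6 fields\n", $1; next }
        {
            service = $1; socktype = $2; waitfield = $4; prog = $6
            split($5, u, "[:/]"); user = u[1]   # user[:group][/login-class]
            n = split(waitfield, f, "/")        # wait|nowait[/max-child[/per-ip]]
            mode = f[1]
            maxchild = (n >= 2) ? f[2] : ""
            perip    = (n >= 3) ? f[3] : ""
            if (mode != "wait" && mode != "nowait")
                printf "BADWAIT %s fourth field is %s\n", service, waitfield
            # dgram daemons must take the socket with wait
            if (socktype == "dgram" && mode != "wait")
                printf "DGRAM-NOWAIT %s dgram services must use wait\n", service
            # an unlimited external stream service is open to resource exhaustion
            if (prog != "internal" && socktype == "stream" && mode == "nowait" &&
                (maxchild == "" || perip == ""))
                printf "NOLIMIT %s consider nowait/max-child/per-ip-per-minute\n", service
            if (prog != "internal" && user == "root")
                printf "ROOT %s runs %s as root\n", service, prog
            if (service == "finger")
                printf "INFOLEAK %s exposes user information to remote clients\n", service
        }
    ' "$1"
}

# Run the audit against the constructed sample when executed directly.
tmp=$(mktemp) || exit 1
printf '%s' "$SAMPLE_CONF" > "$tmp"
audit_inetd_conf "$tmp"
rm -f "$tmp"
```

Run against a real system with `audit_inetd_conf /etc/inetd.conf`. On the sample, **finger** is reported only for the information it exposes (its `nowait/3/10` limits and `nobody` user already follow the page's advice), **telnet** is reported for running as `root` with no limits, and **tftp** for running as `root` and for using `nowait` on a `dgram` socket; the two commented-out entries and the internal services produce nothing.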