The inetd(8) daemon is sometimes referred to as the “Internet Super-Server” because it manages connections for many services. When a connection is received by inetd, it determines which program the connection is destined for, spawns the particular process and delegates the socket to it (the program is invoked with the service socket as its standard input, output and error descriptors). Running inetd for servers that are not heavily used can reduce the overall system load, when compared to running each daemon individually in stand-alone mode.
Primarily, inetd is used to spawn other daemons, but several trivial protocols are handled directly, such as chargen, auth, and daytime.
This section will cover the basics of configuring inetd through its command-line options and its configuration file, /etc/inetd.conf.
inetd is initialized through the rc(8) system. The inetd_enable option is set to NO by default. It can be enabled by placing:
into /etc/rc.conf.
inetd will now start at boot time. The command:
# service inetd rcvar
can be run to display the current effective setting. Additionally, different command-line options can be passed to inetd via the inetd_flags option.
Like most server daemons, inetd has a number of options that it can be passed in order to modify its behaviour. See the inetd(8) manual page for the full list of options.
Options can be passed to inetd using the inetd_flags option in /etc/rc.conf. By default, inetd_flags is set to -wW -C 60, which turns on TCP wrapping for inetd's services, and prevents any single IP address from requesting any service more than 60 times in any given minute.
Although we mention rate-limiting options below, novice users may be pleased to note that these parameters usually do not need to be modified. These options may be useful if an excessive number of connections are being established. A full list of options can be found in the inetd(8) manual.
Specify the default maximum number of simultaneous invocations of each service; the default is unlimited. May be overridden on a per-service basis with the max-child parameter.
Specify the default maximum number of times a service can be invoked from a single IP address in one minute; the default is unlimited. May be overridden on a per-service basis with the max-connections-per-ip-per-minute parameter.
Specify the maximum number of times a service can be invoked in one minute; the default is 256. A rate of 0 allows an unlimited number of invocations.
Specify the maximum number of times a service can be invoked from a single IP address at any one time; the default is unlimited. May be overridden on a per-service basis with the max-child-per-ip parameter.
Configuration of inetd is done via the file /etc/inetd.conf. When a modification is made to /etc/inetd.conf, inetd can be forced to re-read its configuration file by running the command:
Each line of the configuration file specifies an individual daemon. Comments in the file are preceded by a “#”. The format of each entry in /etc/inetd.conf is as follows:
An example entry for the ftpd(8) daemon using IPv4 might read:
This is the service name of the particular daemon. It must correspond to a service listed in /etc/services. This determines which port inetd must listen to. If a new service is being created, it must be placed in /etc/services first.
Either stream, dgram, raw, or seqpacket. stream must be used for connection-based, TCP daemons, while dgram is used for daemons utilizing the UDP transport protocol.
One of the following:
| Protocol | Explanation |
|---|---|
| tcp, tcp4 | TCP IPv4 |
| udp, udp4 | UDP IPv4 |
| tcp6 | TCP IPv6 |
| udp6 | UDP IPv6 |
| tcp46 | Both TCP IPv4 and v6 |
| udp46 | Both UDP IPv4 and v6 |
wait|nowait indicates whether the daemon invoked from inetd is able to handle its own socket or not. dgram socket types must use the wait option, while stream socket daemons, which are usually multi-threaded, should use nowait. wait usually hands off multiple sockets to a single daemon, while nowait spawns a child daemon for each new socket.
The maximum number of child daemons inetd may spawn can be set using the max-child option. If a limit of ten instances of a particular daemon is needed, a /10 would be placed after nowait. Specifying /0 allows an unlimited number of children.
In addition to max-child, two other options which limit the maximum connections from a single place to a particular daemon can be enabled. max-connections-per-ip-per-minute limits the number of connections from any particular IP address per minute, e.g., a value of ten would limit any particular IP address connecting to a particular service to ten attempts per minute. max-child-per-ip limits the number of children that can be started on behalf of any single IP address at any moment. These options are useful to prevent intentional or unintentional excessive resource consumption and Denial of Service (DoS) attacks to a machine.
In this field, either of wait or nowait is mandatory. max-child, max-connections-per-ip-per-minute and max-child-per-ip are optional.
A stream-type multi-threaded daemon without any max-child, max-connections-per-ip-per-minute or max-child-per-ip limits would simply be: nowait.
The same daemon with a maximum limit of ten daemons would read: nowait/10.
The same setup with a limit of twenty connections per IP address per minute and a maximum total limit of ten child daemons would read: nowait/10/20.
These options are utilized by the default settings of the fingerd(8) daemon, as seen here:
Finally, an example of this field with a maximum of 100 children in total, with a maximum of 5 for any one IP address would read: nowait/100/0/5.
This is the username that the particular daemon should run as. Most commonly, daemons run as the root user. For security purposes, it is common to find some servers running as the daemon user, or the least privileged nobody user.
The full path of the daemon to be executed when a connection is received. If the daemon is a service provided by inetd internally, then internal should be used.
This works in conjunction with server-program by specifying the arguments, starting with argv[0], passed to the daemon on invocation. If mydaemon -d is the command line, mydaemon -d would be the value of server-program-arguments. Again, if the daemon is an internal service, use internal here.
Depending on the choices made at install time, many of inetd's services may be enabled by default. If there is no apparent need for a particular daemon, consider disabling it. Place a “#” in front of the daemon in question in /etc/inetd.conf, and then reload the inetd configuration. Some daemons, such as fingerd, may not be desired at all because they provide information that may be useful to an attacker.
Some daemons are not security-conscious and have long or non-existent timeouts for connection attempts. An attacker can send connections to a particular daemon, eventually consuming available resources and resulting in a Denial of Service (DoS). max-connections-per-ip-per-minute, max-child and max-child-per-ip can be used to limit such attacks.
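As an added example (not part of the Handbook or of inetd itself), the following Python script parses inetd.conf entries, decodes the wait|nowait field with its three optional limits as described above, and reports the conditions this section warns about: nowait services without a max-child or per-IP rate limit, dgram services not using wait, and external programs running as root. The configuration lines in SAMPLE_CONF are constructed for the example, not taken from a real host.

```python
# Constructed sample of inetd.conf lines (invented for this example, not from a real host).
SAMPLE_CONF = """\
# comment line: service, socket type, protocol, wait/nowait, user, program, args
ftp      stream  tcp  nowait       root    /usr/libexec/ftpd    ftpd -l
finger   stream  tcp  nowait/3/10  nobody  /usr/libexec/fingerd fingerd -k -s
daytime  stream  tcp  nowait       root    internal
tftp     dgram   udp  wait         root    /usr/libexec/tftpd   tftpd -l -s /tftpboot
"""

FIELDS = ("service", "socket_type", "protocol", "wait", "user", "program", "args")

def parse_wait_field(field):
    """Split 'nowait/max-child/max-connections-per-ip-per-minute/max-child-per-ip'.
    An absent limit or a value of 0 means unlimited and is returned as None."""
    parts = field.split("/")
    if parts[0] not in ("wait", "nowait"):
        raise ValueError("wait field must start with wait or nowait: %r" % field)
    limits = [int(p) for p in parts[1:4]]          # non-numeric limits raise ValueError
    limits += [0] * (3 - len(limits))               # pad absent limits with 0 (unlimited)
    max_child, per_ip_per_min, per_ip = (n if n > 0 else None for n in limits)
    return {"mode": parts[0], "max_child": max_child,
            "max_connections_per_ip_per_minute": per_ip_per_min,
            "max_child_per_ip": per_ip}

def parse_inetd_conf(text):
    """Return one dict per active (non-comment) entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split(None, 6)                  # the args field keeps its own spaces
        if len(cols) < 6:
            raise ValueError("too few fields: %r" % line)
        entry = dict(zip(FIELDS, cols + [""] * (7 - len(cols))))
        entry.update(parse_wait_field(entry["wait"]))
        entries.append(entry)
    return entries

def audit(entries):
    """List (service, finding) pairs for the weaknesses this section warns about."""
    findings = []
    for e in entries:
        if e["socket_type"] == "dgram" and e["mode"] != "wait":
            findings.append((e["service"], "dgram service must use wait"))
        if e["mode"] == "nowait" and e["max_child"] is None:
            findings.append((e["service"], "no max-child limit: unlimited children"))
        if e["mode"] == "nowait" and e["max_connections_per_ip_per_minute"] is None:
            findings.append((e["service"], "no max-connections-per-ip-per-minute limit"))
        if e["user"] == "root" and e["program"] != "internal":
            findings.append((e["service"], "external program runs as root"))
    return findings
```

Running audit(parse_inetd_conf(SAMPLE_CONF)) reports ftp and daytime for missing limits and ftp and tftp for running an external program as root, while the finger entry with nowait/3/10 and the nobody user passes cleanly.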
By default, TCP wrapping is turned on. Consult the hosts_access(5) manual page for more information on placing TCP restrictions on various inetd invoked daemons.
daytime, time, echo, discard, chargen, and auth are all internally provided services of inetd.
The auth service provides identity network services, and is configurable to a certain degree, whilst the others are simply on or off.
Consult the inetd(8) manual page for more in-depth information.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.