3.10. Restricting Access by Remote Hosts (xinetd with tcpd)

Problem

You want only particular remote hosts to access a TCP service via xinetd, when xinetd was not compiled with libwrap support.

Solution

Set up access control rules in /etc/hosts.allow and/or /etc/hosts.deny. For example, to permit telnet connections only from 192.168.1.100 and hosts in the example.com domain, add to /etc/hosts.allow:

in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY

Then modify /etc/xinetd.conf or /etc/xinetd.d/servicename to invoke tcpd in place of your service:

Old /etc/xinetd.conf or /etc/xinetd.d/telnet:
service telnet
{
        ...
        flags = ...
        server = /usr/sbin/in.telnetd
        ...
}

New /etc/xinetd.conf or /etc/xinetd.d/telnet:
service telnet
{
        ...
        flags = ... NAMEINARGS
        server = /usr/sbin/tcpd
        server_args = /usr/sbin/in.telnetd
        ...
}

Then reset xinetd so your changes take effect. [Recipe 3.3]

Discussion

This technique is only for the rare case when, for some reason, you don’t want to use xinetd’s built-in access control [Recipe 3.8] and your xinetd does not have libwrap support compiled in. It mirrors the original inetd method of access control using TCP-wrappers. [Recipe 3.11]

You must include the flag NAMEINARGS, which tells xinetd to look in the server_args line to find the service executable name (in this case, /usr/sbin/in.telnetd).
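The decision tcpd makes against the rules above, as an added Python model that is not part of the book and not tcpd's own code: it implements only the matching forms listed in its header comment, takes the client's host name and address as given (tcpd looks them up itself), and shows why column one of hosts.allow must equal the server's argv[0], which is what NAMEINARGS supplies.

```python
# Added example (not from the book): a model of the hosts_access(5) decision tcpd makes.
# Modelled subset: ALL, leading-dot domain suffixes, trailing-dot address prefixes,
# shell-style '*'/'?' wildcards, and the ALLOW/DENY options. Netgroups, net/mask forms,
# EXCEPT lists and LOCAL/KNOWN/UNKNOWN/PARANOID are not modelled.
import fnmatch
import os

# Constructed copies of the recipe's /etc/hosts.allow and an empty /etc/hosts.deny.
HOSTS_ALLOW = """\
in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY
"""
HOSTS_DENY = ""

def parse_rules(text):
    """Return (daemon_list, client_list, options) for each non-comment line."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2 or not fields[0]:
            continue
        rules.append((fields[0].split(), fields[1].split(), [o.upper() for o in fields[2:]]))
    return rules

def token_matches(pattern, value):
    """Match one pattern token against a daemon name, host name or address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):           # '.example.com' matches trailing name components
        return value.endswith(pattern)
    if pattern.endswith("."):             # '192.168.1.' matches a leading address prefix
        return value.startswith(pattern)
    return fnmatch.fnmatchcase(value, pattern)  # exact match, or '*'/'?' wildcards

def hosts_access(daemon, hostname, address, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """'allow' or 'deny' in tcpd's order: hosts.allow first, then hosts.deny, first match wins."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if any(token_matches(d, daemon) for d in daemons) and any(
                    token_matches(c, hostname) or token_matches(c, address) for c in clients):
                if "DENY" in options:
                    return "deny"
                return "allow" if "ALLOW" in options else verdict
    return "allow"   # matched by neither file: access is granted

def daemon_name(server_args):
    """Column one is compared with argv[0] of the real server, taken from server_args."""
    return os.path.basename(server_args.split()[0])
```

Note that with an empty hosts.deny, a daemon the rules never name (for example in.ftpd) is still reachable from anywhere; the explicit `ALL : DENY` line only closes telnet.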

See Also

xinetd(8), hosts.allow(5), tcpd(8).
