19.2. TCP Wrappers
Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by xinetd (as well as any program with built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the /etc/hosts.allow and /etc/hosts.deny files to configure access to system services. As the names imply, hosts.allow contains a list of rules that allow clients to access the network services controlled by xinetd, and hosts.deny contains rules to deny access. The hosts.allow file takes precedence over the hosts.deny file. Permissions to grant or deny access can be based on individual IP addresses (or hostnames) or on a pattern of clients. Refer to the Reference Guide and hosts_access in section 5 of the man pages (man 5 hosts_access) for details.
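The precedence rule above (a match in hosts.allow wins, then a match in hosts.deny refuses, and a client matching neither file is let in) is easy to get wrong when auditing a host, so the following added example models it. This is illustrative code written for this page, not part of the guide or of the tcp_wrappers library: the two rule files are constructed samples, only the common client patterns from hosts_access(5) are supported (ALL, an exact address or hostname, a trailing-dot network prefix, a leading-dot domain suffix, and net/mask), option fields after a second colon are ignored, and the client hostname is taken as given rather than looked up and verified through DNS.

```python
import ipaddress

# Constructed sample files for the example (not copied from any real host).
# hosts.allow: sshd from one network and one domain, telnet from one subnet.
HOSTS_ALLOW = """\
# comments and blank lines are ignored
sshd : 192.168.1. , .example.com
in.telnetd : 10.0.0.0/255.255.255.0
"""

# hosts.deny: everything else is refused (the usual "default deny" closing rule).
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from hosts.allow/hosts.deny text.

    Only the 'daemon_list : client_list' part is used; anything after a
    second ':' (shell commands, twist, spawn, ...) is ignored in this model.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip, client_host):
    """Match one client pattern against the connecting client."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return client_host.endswith(pattern)
    if pattern.endswith("."):              # network prefix, e.g. 192.168.1.
        return client_ip.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            return ipaddress.ip_address(client_ip) in network
        except ValueError:
            return False
    return pattern == client_ip or pattern == client_host   # exact match


def rule_matches(rule, daemon, client_ip, client_host):
    daemons, clients = rule
    daemon_ok = any(d == "ALL" or d == daemon for d in daemons)
    return daemon_ok and any(client_matches(c, client_ip, client_host) for c in clients)


def access_decision(daemon, client_ip, client_host,
                    allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' in the order hosts_access(5) evaluates them:
    first match in hosts.allow grants access, then first match in hosts.deny
    refuses it, and a client matching neither file is granted access."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip, client_host):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip, client_host):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip, host in [("sshd", "192.168.1.20", "pc.lan"),
                             ("sshd", "203.0.113.7", "unknown.net"),
                             ("in.telnetd", "10.0.0.5", "tty.lan")]:
        print(daemon, ip, host, "->", access_decision(daemon, ip, host))
```

The last branch of access_decision is the point worth checking on a real system: with an empty or missing hosts.deny, every client that is not explicitly listed is permitted, which is why the closing ALL : ALL rule in hosts.deny matters.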
19.2.1. xinetd
To control access to Internet services, use xinetd, which is a secure replacement for inetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can be used to provide access only to particular hosts, to deny access to particular hosts, to provide access to a service at certain times, to limit the rate of incoming connections and/or the load created by connections, and more.
xinetd runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.
The configuration file for xinetd is /etc/xinetd.conf, but the file only contains a few defaults and an instruction to include the /etc/xinetd.d directory. To enable or disable an xinetd service, edit its configuration file in the /etc/xinetd.d directory. If the disable attribute is set to yes, the service is disabled. If the disable attribute is set to no, the service is enabled. You can edit any of the xinetd configuration files or change its enabled status using the Services Configuration Tool, ntsysv, or chkconfig. For a list of network services controlled by xinetd, review the contents of the /etc/xinetd.d directory with the command ls /etc/xinetd.d.
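To show what the disable attribute looks like inside an /etc/xinetd.d file and how an audit script can report which services are enabled, here is an added example written for this page (not code from the guide, from xinetd, or from chkconfig). The two service files are constructed samples; the parser handles the 'service name { attribute = value }' layout with '=', '+=' and '-=' operators; a service with no disable attribute is treated as enabled, which ignores the defaults block in /etc/xinetd.conf; and set_disable models the effect of 'chkconfig <service> on/off' on the file, which is an assumption about that tool's behaviour rather than its code.

```python
import os
import re

# Constructed sample /etc/xinetd.d files for the example (not from any real system).
SAMPLE_XINETD_D = {
    "telnet": """\
# default: off
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
""",
    "sgi_fam": """\
service sgi_fam
{
        type            = RPC UNLISTED
        socket_type     = stream
        user            = root
        server          = /usr/bin/fam
        wait            = yes
        disable         = no
}
""",
}

ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")


def parse_service_file(text):
    """Return {service_name: {attribute: value}} for one xinetd.d-style file."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}"):
            continue
        m = re.match(r"^service\s+(\S+)$", line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            key, op, value = m.group(1), m.group(2), m.group(3).strip()
            attrs = services[current]
            if op == "=":
                attrs[key] = value
            elif op == "+=":                      # append to an existing list value
                attrs[key] = (attrs.get(key, "") + " " + value).strip()
            elif op == "-=":                      # remove items from a list value
                keep = [v for v in attrs.get(key, "").split() if v not in value.split()]
                attrs[key] = " ".join(keep)
    return services


def is_enabled(attrs):
    """xinetd treats a service as enabled unless its file says 'disable = yes'."""
    return attrs.get("disable", "no").lower() != "yes"


def service_status(files):
    """Map each service found in the given {filename: text} dict to 'enabled'/'disabled'."""
    status = {}
    for text in files.values():
        for name, attrs in parse_service_file(text).items():
            status[name] = "enabled" if is_enabled(attrs) else "disabled"
    return status


def set_disable(text, disabled):
    """Rewrite (or add) the disable attribute, modelling 'chkconfig <svc> on/off'."""
    value = "yes" if disabled else "no"
    out, seen = [], False
    for line in text.splitlines():
        if re.match(r"^\s*disable\s*=", line):
            line = re.sub(r"=\s*\S+", "= " + value, line, count=1)
            seen = True
        out.append(line)
    if not seen:   # no disable line yet: insert one before the closing brace
        idx = max(i for i, l in enumerate(out) if l.strip() == "}")
        out.insert(idx, "        disable         = " + value)
    return "\n".join(out) + "\n"


def load_xinetd_dir(path="/etc/xinetd.d"):
    """Read every file in a real xinetd.d directory into the {filename: text} shape."""
    files = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full) as fh:
                files[name] = fh.read()
    return files


if __name__ == "__main__":
    files = load_xinetd_dir() if os.path.isdir("/etc/xinetd.d") else SAMPLE_XINETD_D
    for name, state in sorted(service_status(files).items()):
        print(f"{name:20s} {state}")
```

Run on a host with an /etc/xinetd.d directory, the script lists every service and its state, which is the same information 'ls /etc/xinetd.d' plus a look at each file's disable line would give; on any other machine it reports the two constructed samples.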