此内容没有您所选择的语言版本。
2.6.4.3.2. Access Control Options
Users of
xinetd
services can choose to use the TCP Wrappers hosts access rules, provide access control via the xinetd
configuration files, or a mixture of both. Refer to Section 2.6.2, “TCP Wrappers Configuration Files” for more information about TCP Wrappers hosts access control files.
This section discusses using
xinetd
to control access to services.
Note
Unlike TCP Wrappers, changes to access control only take effect if the
xinetd
administrator restarts the xinetd
service.
Also, unlike TCP Wrappers, access control through
xinetd
only affects services controlled by xinetd
.
The
xinetd
hosts access control differs from the method used by TCP Wrappers. While TCP Wrappers places all of the access configuration within two files, /etc/hosts.allow
and /etc/hosts.deny
, xinetd
's access control is found in each service's configuration file in the /etc/xinetd.d/
directory.
The following hosts access options are supported by
xinetd
:
only_from
— Allows only the specified hosts to use the service.no_access
— Blocks listed hosts from using the service.access_times
— Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM.
The
only_from
and no_access
options can use a list of IP addresses or host names, or can specify an entire network. Like TCP Wrappers, combining xinetd
access control with the enhanced logging configuration can increase security by blocking requests from banned hosts while verbosely recording each connection attempt.
For example, the following
/etc/xinetd.d/telnet
file can be used to block Telnet access from a particular network group and restrict the overall time range that even allowed users can log in:
service telnet { disable = no flags = REUSE socket_type = stream wait = no user = root server = /usr/kerberos/sbin/telnetd log_on_failure += USERID no_access = 172.16.45.0/24 log_on_success += PID HOST EXIT access_times = 09:45-16:15 }
In this example, when a client system from the
172.16.45.0/24
network, such as 172.16.45.2
, tries to access the Telnet service, it receives the following message:
Connection closed by foreign host.
In addition, their login attempts are logged in
/var/log/messages
as follows:
Sep 7 14:58:33 localhost xinetd[5285]: FAIL: telnet address from=172.16.45.107 Sep 7 14:58:33 localhost xinetd[5283]: START: telnet pid=5285 from=172.16.45.107 Sep 7 14:58:33 localhost xinetd[5283]: EXIT: telnet status=0 pid=5285 duration=0(sec)
When using TCP Wrappers in conjunction with
xinetd
access controls, it is important to understand the relationship between the two access control mechanisms.
The following is the sequence of events followed by
xinetd
when a client requests a connection:
- The
xinetd
daemon accesses the TCP Wrappers hosts access rules using alibwrap.so
library call. If a deny rule matches the client, the connection is dropped. If an allow rule matches the client, the connection is passed toxinetd
. - The
xinetd
daemon checks its own access control rules both for thexinetd
service and the requested service. If a deny rule matches the client, the connection is dropped. Otherwise,xinetd
starts an instance of the requested service and passes control of the connection to that service.
Important
Care should be taken when using TCP Wrappers access controls in conjunction with
xinetd
access controls. Misconfiguration can cause undesirable effects.