The inetd(8) daemon is sometimes referred to as a Super-Server because it manages connections for many services. Instead of starting multiple applications, only the inetd service needs to be started. When a connection is received for a service that is managed by inetd, it determines which program the connection is destined for, spawns a process for that program, and delegates the program a socket. Using inetd for services that are not heavily used can reduce system load, when compared to running each daemon individually in stand-alone mode.
Primarily, inetd is used to spawn other daemons, but several trivial protocols are handled internally, such as chargen, auth, time, echo, discard, and daytime.
This section covers the basics of configuring inetd.
Configuration of inetd is done by editing `/etc/inetd.conf`. Each line of this configuration file represents an application which can be started by inetd. By default, every line starts with a comment (`#`), meaning that inetd is not listening for any applications. To configure inetd to listen for an application's connections, remove the `#` at the beginning of the line for that application.
After saving your edits, configure inetd to start at system boot by editing `/etc/rc.conf`:

```
inetd_enable="YES"
```

To start inetd now, so that it listens for the service you configured, type:

```
# service inetd start
```
Once inetd is started, it needs to be notified whenever a modification is made to `/etc/inetd.conf`:
Typically, the default entry for an application does not need to be edited beyond removing the `#`. In some situations, it may be appropriate to edit the default entry.

As an example, this is the default entry for ftpd(8) over IPv4:

```
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
```
The seven columns in an entry are as follows:

```
service-name socket-type protocol {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]] user[:group][/login-class] server-program server-program-arguments
```

where:
`service-name`

The service name of the daemon to start. It must correspond to a service listed in `/etc/services`. This determines which port inetd listens on for incoming connections to that service. When using a custom service, it must first be added to `/etc/services`.
`socket-type`

Either `stream`, `dgram`, `raw`, or `seqpacket`. Use `stream` for TCP connections and `dgram` for UDP services.
`protocol`

Use one of the following protocol names:
Protocol Name | Explanation |
---|---|
tcp or tcp4 | TCP IPv4 |
udp or udp4 | UDP IPv4 |
tcp6 | TCP IPv6 |
udp6 | UDP IPv6 |
tcp46 | Both TCP IPv4 and IPv6 |
udp46 | Both UDP IPv4 and IPv6 |
`{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]`

In this field, `wait` or `nowait` must be specified. `max-child`, `max-connections-per-ip-per-minute` and `max-child-per-ip` are optional.

`wait|nowait` indicates whether or not the service is able to handle its own socket. `dgram` socket types must use `wait`, while `stream` daemons, which are usually multi-threaded, should use `nowait`. `wait` usually hands off multiple sockets to a single daemon, while `nowait` spawns a child daemon for each new socket.

The maximum number of child daemons inetd may spawn is set by `max-child`. For example, to limit the daemon to ten instances, place a `/10` after `nowait`. Specifying `/0` allows an unlimited number of children.

`max-connections-per-ip-per-minute` limits the number of connections from any particular IP address per minute. Once the limit is reached, further connections from this IP address will be dropped until the end of the minute. For example, a value of `/10` would limit any particular IP address to ten connection attempts per minute.

`max-child-per-ip` limits the number of child processes that can be started on behalf of any single IP address at any moment.

These options can limit excessive resource consumption and help to prevent Denial of Service attacks. An example can be seen in the default settings for fingerd(8):

```
finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s
```
`user[:group][/login-class]`

The username the daemon will run as. Daemons typically run as `root`, `daemon`, or `nobody`.
`server-program`

The full path to the daemon. If the daemon is a service provided by inetd internally, use `internal`.
`server-program-arguments`

Used to specify any command arguments to be passed to the daemon on invocation. If the daemon is an internal service, use `internal`.
Like most server daemons, inetd has a number of options that can be used to modify its behaviour. By default, inetd is started with `-wW -C 60`. These options enable TCP wrappers for all services, including internal services, and prevent any IP address from requesting any service more than 60 times per minute.

To change the default options which are passed to inetd, add an entry for `inetd_flags` in `/etc/rc.conf`. If inetd is already running, restart it with `service inetd restart`.
The available rate limiting options are:

- Specify the default maximum number of simultaneous invocations of each service, where the default is unlimited. May be overridden on a per-service basis by using `max-child` in `/etc/inetd.conf`.
- Specify the default maximum number of times a service can be invoked from a single IP address per minute. May be overridden on a per-service basis by using `max-connections-per-ip-per-minute` in `/etc/inetd.conf`.
- Specify the maximum number of times a service can be invoked in one minute, where the default is `256`. A rate of `0` allows an unlimited number.
- Specify the maximum number of times a service can be invoked from a single IP address at any one time, where the default is unlimited. May be overridden on a per-service basis by using `max-child-per-ip` in `/etc/inetd.conf`.
Additional options are available. Refer to inetd(8) for the full list of options.
Many of the daemons which can be managed by inetd are not security-conscious. Some daemons, such as fingerd, can provide information that may be useful to an attacker. Only enable the services which are needed and monitor the system for excessive connection attempts. `max-connections-per-ip-per-minute`, `max-child` and `max-child-per-ip` can be used to limit such attacks.
By default, TCP wrappers is enabled. Consult hosts_access(5) for more information on placing TCP restrictions on various inetd invoked daemons.