Internet Services
This chapter covers the super-servers inetd and xinetd, which
are responsible for starting servers for protocols like telnet
and FTP when needed.
Introduction to internet services
Heavily used network services such as email, proxying and web
serving are handled by server processes that run continually
and have their own complex configuration files and Webmin modules.
However, there are other services like telnet, finger and POP
that do not need any configuration and do not need their own permanent
server process. Instead, their servers are run when needed by
a super-server like inetd or xinetd which listens for network
connections on multiple ports. Only when it receives a connection
does it start the appropriate process to communicate with the
client, which exits when the connection is closed. This saves
memory by limiting the number of processes running at any one
time, but makes the handling of new connections slightly slower.
Every service has a short name like telnet or pop3, a port number
like 23 or 110 and a protocol like TCP or UDP. The file /etc/services
lists all the service names and their corresponding port numbers
that your system knows about, only a few of which may have a super-server
or other server listening on them.
The most commonly used super-server is inetd, which is used by
almost all Linux distributions and Unix variants. All server
settings are stored in the configuration file /etc/inetd.conf.
In addition to starting servers in response to TCP and UDP connections,
it can also handle RPC (remote procedure call) function calls
in a similar way. One major shortcoming of inetd is its inability
to reject connections depending on the client IP address. However,
this can be overcome by using an intermediate TCP-wrappers server
program, which has its own IP access control configuration file.
Another super-server that is gaining in popularity and has more
features is xinetd, which uses the /etc/xinetd.conf configuration
file and sometimes other files under the /etc/xinetd.d directory.
Like inetd, it can launch server processes in response to TCP
and UDP connections, but does not support RPC. Its major advantage
is built-in support for restricting connections to certain
client IP addresses without the need for a separately configured
program. It can also redirect incoming connections on certain
ports to another host and port by making its own client connection
and forwarding data back and forth.
Because inetd and xinetd have totally different configuration
files and file formats, there is a separate Webmin module for
configuring each of them. Most Linux distributions will ship
with one or the other, but in some cases both can be installed
and co-exist peacefully. The only limitation is that they cannot
both listen on the same port at the same time.
The Internet Services and Protocols module
This module deals with the configuration of inetd, and can be
found under the Networking category in Webmin. If the icon is
not visible, Webmin has detected that it is not installed. This
could be because your distribution is using xinetd instead,
in which case you should skip down to the “The Extended Internet
Service module” section. If neither module is visible, check
your distribution CD or website for an inetd or xinetd package.
The module's main page (shown in Figure 15-1) displays two tables,
one for Internet Services that respond to TCP or UDP connections,
and one for RPC Programs. In the Internet Services section,
the names and protocols of all services are shown – in some cases,
the same service may be recognized for more than one protocol.
Each service can be in one of three states, indicated by the font
its name is shown in:
- Enabled (bold): A server program has been assigned to this service, and it is currently active.
- Disabled (bold-italic): A server program has been assigned, but it is not active. This corresponds to a commented-out entry in the inetd.conf file.
- Unassigned (normal): No server program has been assigned to this service, meaning there is no inetd.conf entry for it.
If the module configuration option Show services with no program
has been set to No, services in the unassigned state will not
be displayed. This is the default on some operating systems,
due to the large number of services that the system knows about.
Most Linux distributions ship with almost all services in the
disabled state by default. This limits the number of unnecessary
services that your system allows connections to, and thus reduces
the chance of a security hole in one of the server programs being
exploited by an attacker.
** Figure 15-1 “The Internet Services and Protocols module main
page”
Because each service is shown with only a short name like telnet
or chargen, it is not obvious to an inexperienced administrator
what each of them does. Some of the more commonly used services and
their purposes are:
The daytime, echo and chargen services for both TCP and UDP protocols
are handled internally by inetd when enabled, not by a separate
server program.
Enabling an internet service
If you want to allow users to fetch mail from your system using
the POP3 protocol or login via telnet, it is necessary to turn
on the appropriate internet service if it is not currently enabled.
To do this, the steps to follow are:
- On the main page of the module, click on the name of the service that you want to enable in the Internet Services table. This will take you to the page shown in Figure 15-2 for editing its details. If unassigned services are not displayed on your system, you can enter the service name and select the protocol in the fields next to the Edit service button. Clicking the button will take you to the editing form, assuming the service name is recognized.
- The Service name, Port number, Protocol and Aliases fields should be left unchanged unless you want to rename the service or change the port it is listening on. For services that you did not create yourself, changing any of these fields is a bad idea as it may prevent programs on your system connecting to other servers.
- In the Server program section, to enable the service select the Program enabled option. If Program disabled was selected previously, then all the other settings in the section should be correct and will not need to be changed. However, if No program assigned was selected before then you will need to choose a server program and a user for the server to run as. Select the Program field Command option and enter the full path to the server program into the field next to it, such as /usr/sbin/in.ftpd. In the Args field, enter the server command again and any arguments that it needs, such as in.ftpd -l -a. Even though the program path is in the Command field, the program name must appear in the Args field as well. You will need to enter a user for the server program to run as into the Execute as User field. For almost all servers, this will be root. One of the Wait Mode options must be set as well – unless the server runs and exits very quickly, choose Don't wait. Some services such as daytime, echo, chargen and discard are handled internally by inetd. If you are enabling one of them, just select the Internal to inetd option. No program or arguments need to be entered, and the user the server executes as is irrelevant.
- When you are done, click the Save button. As long as there are no errors and the chosen server program actually exists, the browser will return to the list of services on the main page.
- Click the Apply Changes button at the bottom of the page to make your changes active.
** Figure 15-2 “Editing an internet service”
In some cases, you will not be able to enable a service because
the corresponding server program is not installed yet. If this
is the case, use the Software Packages module to install it from
your Linux distribution CD or website.
If you want to disable a service, just follow the same steps but
select the Program disabled option instead. This is better
than choosing No program assigned as it is easy to turn the service
back on again without having to re-enter the server program details.
Creating your own internet service
In some situations, you may want to add a new server to your system
that listens on a port not assigned to anything else. You might
want to run a telnet server on some non-standard port, or re-direct
traffic from one port on your system to another server using a
program like nc. If you are just trying to turn on some standard
service like ftp or imap, the instructions in this section are
not for you – see the “Enabling an internet service” section instead.
The steps to follow to create a new service are:
- On the main page of the module, click the Create a new internet service link. This will take you to the service creation form, which is similar to the editing form in Figure 15-2.
- Fill in the Service Name field with a unique name for your service.
- Enter the port number you want the service to be associated with into the Port Number field.
- Select the protocol from the Protocol list. This will almost always be TCP, but in some cases you may need to use UDP.
- Enter any alternate names that you want the service to be referred to by into the Aliases field.
- Assuming you want to have a server program associated with this service, choose the Program enabled option in the Server Program section. Otherwise all that will be created is an association between a service name and port number.
- For the Program field, select the Command option and enter the full path to the server program into the field next to it – for example /usr/local/bin/someserver. In the Args field, enter the program name and any command-line arguments that it should be run with, such as someserver -foo. To give another example, if you wanted to create a service that displayed all the processes running on your system to anyone who connected via telnet, you could set the Command to /bin/ps and the Args to ps auxwww. This would be a bad idea from a security point of view though.
- If the server program is going to take more than a second to run or if it accepts any input, set the Wait mode field to Don't wait. Otherwise inetd will stop handling new network connections until the program has finished. The only advantage of this Wait until complete mode is a slight reduction in memory usage.
- Enter the username of the Unix user that the server program should run as into the Execute as User field. This is usually root, but can be anyone.
- To limit the rate at which inetd will accept connections for your service, enter a number into the Max per Minute field. If the limit is exceeded, subsequent connections will be refused until the next minute.
- By default, the group that the server program runs as is the primary group of the user set in the Execute as User field. To change this, enter a group name into the Execute as Group field.
- Click the Create button to create your service. As long as there are no errors in the form, you will be returned to the list of services on the main page.
- Click the Apply Changes button to make the service active.
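The module's main page derives the Enabled, Disabled and Unassigned states above from the inetd.conf entries that the enabling and creation steps write, cross-referenced with /etc/services. The following script, added here as an illustration and not Webmin's own code, parses the inetd.conf line format those forms produce (service name, socket type, protocol, wait/nowait with an optional per-minute limit, user with an optional group, server program, arguments), reports each known service's state, and lists the enabled entries a defender would want to review. Both input files are constructed samples; the netkit `nowait.40` limit syntax is assumed, with the BSD `nowait/40` form accepted as well.

```python
"""Classify inetd services as the module's main page does and flag entries
worth reviewing. Added example, not Webmin code; inputs are constructed."""

SERVICES_SAMPLE = """\
# constructed /etc/services excerpt
ftp      21/tcp
telnet   23/tcp
finger   79/tcp
pop3    110/tcp
daytime  13/tcp
daytime  13/udp
"""

INETD_SAMPLE = """\
# constructed /etc/inetd.conf excerpt
ftp      stream  tcp  nowait.40  root       /usr/sbin/in.ftpd     in.ftpd -l -a
#telnet  stream  tcp  nowait     root       /usr/sbin/in.telnetd  in.telnetd
pop3     stream  tcp  nowait     root.mail  /usr/sbin/ipop3d      ipop3d
daytime  stream  tcp  nowait     root       internal
"""

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}


def parse_services(text):
    """Map (name, protocol) -> port for every entry in an /etc/services file."""
    known = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        known[(name, proto)] = int(port)
    return known


def parse_inetd(text):
    """Map (name, protocol) -> entry dict. A commented-out line that still
    parses as an entry is recorded with active=False (the Disabled state)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        active = not line.startswith("#")
        fields = line.lstrip("#").split(None, 6)
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue  # blank line or an ordinary comment
        name, sock, proto, wait, owner, server = fields[:6]
        # "nowait.40" (netkit) or "nowait/40" (BSD): the Max per Minute limit
        wait_mode, _, limit = wait.replace("/", ".").partition(".")
        # "root.mail" or "root:mail": the Execute as Group setting
        user, _, group = owner.replace(":", ".").partition(".")
        entries[(name, proto)] = {
            "active": active,
            "socket_type": sock,
            "wait": wait_mode,
            "max_per_minute": int(limit) if limit else None,
            "user": user,
            "group": group or None,
            "server": server,
            "args": fields[6] if len(fields) > 6 else "",
        }
    return entries


def classify(known, entries):
    """Return {(name, protocol): state} for every service /etc/services lists."""
    states = {}
    for key in known:
        entry = entries.get(key)
        if entry is None:
            states[key] = "Unassigned"
        elif entry["active"]:
            states[key] = "Enabled"
        else:
            states[key] = "Disabled"
    return states


def review_enabled(entries):
    """Findings worth a look: external servers running as root, and enabled
    services with no per-minute connection limit. Internal services are skipped."""
    findings = []
    for (name, proto), e in sorted(entries.items()):
        if not e["active"] or e["server"] == "internal":
            continue
        if e["user"] == "root":
            findings.append(f"{name}/{proto}: {e['server']} runs as root")
        if e["max_per_minute"] is None:
            findings.append(f"{name}/{proto}: no Max per Minute limit")
    return findings


if __name__ == "__main__":
    known = parse_services(SERVICES_SAMPLE)
    entries = parse_inetd(INETD_SAMPLE)
    for (name, proto), state in sorted(classify(known, entries).items()):
        print(f"{name:<8} {proto:<4} {state}")
    for finding in review_enabled(entries):
        print("review:", finding)
```

Point the two sample strings at the real /etc/services and /etc/inetd.conf to get the same listing the module shows, plus the review findings, from a shell.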
Once a service has been created, you can test it by running telnet
localhost portnumber at the shell prompt on your system. You
can edit your service at any time by clicking on its name on the
main page, and changing any of the options before clicking Save
– or Delete if you want to get rid of it. After making any modifications,
the Apply Changes button must be used to make them active.
Creating and editing RPC programs
RPC is a protocol and data format that is the basis for other protocols
like NFS and NIS. RPC clients make function calls to RPC servers,
passing parameters and getting back results. To the client or
server, making a remote procedure call is no more difficult than
calling a normal library function, which makes writing programs that
use RPC much easier than creating your own protocol from scratch.
An RPC program is a set of functions that are handled by a server.
Each program has a unique number, similar to the port of an internet
service. Programs are not associated with a particular protocol,
as they can generally accept connections and function calls
via UDP or TCP. Nor do they have a fixed port, as ports are assigned
dynamically when needed.
RPC servers (like the NIS and NFS servers) that handle a large
amount of traffic have their own processes that run all the time.
However, some servers that need to be run only occasionally can
be instead executed by inetd only when needed – just like with
infrequently used internet services. Some of the more commonly
used RPC programs are:
On some systems, these RPC programs may be handled by servers
that are not run from inetd but instead as stand-alone processes.
In that case, the Bootup and Shutdown module (explained in chapter
9) is the place to activate or de-activate them. Due to the small
number of common RPC programs and their limited usefulness,
many Linux distributions do not have any programs enabled or
disabled in the inetd configuration by default. However, this
is not the case on other operating systems like Solaris.
If you want to make use of an RPC protocol which is not currently
enabled, you can use this module to turn it on. Of course, the appropriate
RPC server program must be installed first, and inetd on your
system must support RPC programs. If so, the steps to follow are:
- On the main page of the module, click on the program name from the RPC Programs table. This will take you to the program editing form shown in Figure 15-3.
- Under the Server Program section, select the Program enabled option. If Program disabled was selected previously, then all the other settings in the section should be correct and will not need to be changed. However, if No program assigned was checked you will need to fill in several other fields. The RPC Versions field should be set to the range of versions that the server program supports, such as 1-3. The Socket Type field should be set to Datagram, and the Protocol field set to only the udp option. For the Server Program field, enter the full path to the RPC program, such as /usr/sbin/rpc.rusersd. For the Command field, enter the program name and any arguments, such as rpc.rusersd -a. For the Wait Mode, select Don't wait. For the Execute as User field, enter the username you want the server program to run as – usually root.
- When done, click the Save button. As long as there are no errors in your input, you will be returned to the main page of the module where the RPC program should appear as enabled.
- Click the Apply Changes button to make the program active.
** Figure 15-3 “The RPC program editing form”
Configuring the Internet Services and Protocols module
To access the configurable options of the Internet Services
module, click on the Module Config link in the top-left corner
of its main page. This will take you to the standard configuration
form, on which you can change the following options:
The rest of the module configuration options under
System configuration
are set automatically by Webmin based on your operating system
type, and so should not be changed.
Other operating systems
Almost all versions of Unix include inetd as standard, and use
it to launch infrequently-run server programs in the same way
that Linux does. However, its configuration file format and
capabilities are slightly different on other operating systems,
which means that the module's user interface will not be exactly
the same. The main page will always show lists of internet and
RPC services, but when editing or creating a service different
fields and options will be available depending on the Unix variant
you are running:
- Sun Solaris
  - When editing an internet service, the Max Per Minute and Execute as Group fields are not available.
  - Solaris versions 8 and above support IPv6 TCP and UDP protocols, as well as the standard IPv4 that Linux uses.
  - Many RPC services exist in the disabled state by default, for things like NFS quotas and locking.
- FreeBSD
  - RPC services cannot have programs assigned. All you can do is edit the service names and program numbers.
  - When editing or creating a service, you can control the number of server programs that can be active at any one time with the Max Child Processes field.
  - Also when editing, you can set the login class that the server program runs as with the Execute as Login Class field.
- NetBSD
  - Like on FreeBSD, the Max Child Processes and Execute as Login Class fields are available when editing or creating a service.
  - As with Solaris, internet services can use IPv6 TCP and UDP protocols.
- OpenBSD, Compaq Tru64/OSF1, IBM AIX, SCO OpenServer and SCO UnixWare
  - Like on Solaris, the Max Per Minute and Execute as Group fields are not available.
- SGI Irix
  - The Max Per Minute and Execute as Group fields are not available when editing a service.
  - There is an additional checkbox below the server program Command field labeled Command may not exist?, that if set tells inetd to ignore the service if the server program is not installed. By default, this is turned on for many services related to Irix packages that are not installed by default.
- HP/UX
  - On HP/UX, the module has exactly the same options as Linux.
- Apple MacOS X
  - Like on Solaris, the Max Per Minute and Execute as Group fields are not available.
  - RPC services cannot have programs assigned, as on FreeBSD.
  - Instead of the /etc/services file being used to store service names and ports, they are in a NetInfo table. Webmin dumps and re-loads this table to read and edit services.
The Extended Internet Services module
This module allows you to configure xinetd, a super-server that
is similar in purpose to inetd but has several additional features.
Like the Internet Services and Protocols module, this one can
also be found under the Networking category. However, its icon
will only appear if Webmin detects that xinetd is installed,
which it does by looking for the /etc/xinetd.conf file. If you
have compiled and installed it manually, you may need to create
a symbolic link to the real location of xinetd.conf.
The main page lists all services that have server programs assigned,
their port numbers, protocol, program and active status – see
Figure 15-4 for an example. Services with no program are never
shown, unlike in the Internet Services module.
** Figure 15-4 “The Extended Internet Services module”
On Linux distributions that use xinetd, most server program
packages include a file that adds an appropriate service to the list
shown on the main page. These are generally disabled by default,
so that services are not unexpectedly enabled the moment you
install them.
If you are using a different operating system on which you have
installed xinetd, the user interface will be exactly the same
as on Linux. However, server program packages will probably
not set up services when installed.
Enabling or editing an extended internet service
If you want to allow users to fetch mail from your system using
the POP3 protocol or login via telnet it is necessary to turn on
the appropriate service in this module, assuming it is listed
on the main page. If not, you will need to first install the appropriate
package from your distribution website or CD, which should add
an entry for the service. If not, see the “Creating an extended
internet service” section below.
Existing services can also be changed in other ways, for example
to restrict the allowed client IP addresses or number of concurrent
connections. To edit a service, the steps to follow are:
- On the main page of the Extended Internet Services module, click on the name of the service that you want to edit. This will take you to the form shown in Figure 15-5.
- The Service name, Socket type and Protocol options should all be left unchanged. The Port field should only be changed if you know what you are doing.
- To turn on the service, set the Service enabled? field to Yes. Or if it is already enabled and you want to turn it off, select No.
- If you want the service to be accessible only via a single IP address on your server, enter it into the Bind to address field. This can be useful if you have multiple virtual IP interfaces on your system and want different servers to listen on different addresses.
- Most of the fields under Server program options can be left unchanged, unless you want to limit the amount of load the service puts on your system. If so, you can set the Max concurrent servers field to the maximum number of server processes that should be allowed to run at any one time. The Maximum connections per second and Delay if maximum is reached fields can be set to limit the rate at which clients are allowed to connect and the amount of time that the service is disabled if that rate is exceeded.
- To control which addresses clients are allowed to connect from, use the fields in the Service access control section. If Allow access from is set to Only listed hosts, only the IP addresses (like 192.168.1.55), hosts (like server.foo.com) and networks (like 192.168.1.0/24) entered will be allowed. If Deny access from is set to Only listed hosts, the hosts, IP addresses and networks entered will be prevented from connecting. If a client matches an entry in both lists, the most specific entry will be used to determine whether access is allowed or denied. For example, if 192.168.1.10 was allowed and 192.168.1.0/24 was denied then a client with IP address 192.168.1.10 would be able to connect.
- If you want to limit the times at which the service can be used, fill in the Allow access at times field. It must be in the format HH:MM-HH:MM, such as 9:00-17:00 to allow access during normal working hours.
- Click the Save button when you are done making changes. As long as you haven't made any mistakes, the browser will return to the module's main page.
- Click the Apply Changes button to make your modifications active.
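The access control rule in the steps above (the most specific of the Allow access from and Deny access from entries that match a client decides) and the HH:MM-HH:MM time window are easy to get wrong when reading a configuration by eye. The script below, an added example that is neither xinetd's nor Webmin's code, evaluates both for a given client and renders the corresponding `only_from`, `no_access` and `access_times` attribute lines. It assumes that entries are IPv4/IPv6 addresses or CIDR networks (hostnames are not resolved here), that an equally specific allow and deny entry results in denial, and that a time range ending before it starts wraps past midnight; none of these three points are stated on the page.

```python
"""Evaluate xinetd-style only_from / no_access and access_times rules.
Added example, not xinetd or Webmin code; sample addresses are constructed."""
import ipaddress
import re
from datetime import time


def _networks(entries):
    """Parse address or network strings; strict=False accepts host bits."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def decide_access(client, only_from=(), no_access=()):
    """Return True if the client may connect.

    An empty only_from corresponds to "Allow access from: All hosts": any
    client is allowed unless it matches no_access. When only_from is set, a
    client must match it, and a matching no_access entry is overridden only
    by a more specific (longer-prefix) only_from entry.
    """
    addr = ipaddress.ip_address(client)
    allow_len = max((n.prefixlen for n in _networks(only_from) if addr in n),
                    default=None)
    deny_len = max((n.prefixlen for n in _networks(no_access) if addr in n),
                   default=None)
    if only_from and allow_len is None:
        return False          # an allow list exists and the client is not on it
    if deny_len is None:
        return True           # nothing denies the client
    if allow_len is None:
        return False          # denied and not explicitly allowed
    return allow_len > deny_len   # assumption: equal specificity means deny


_TIME_RANGE = re.compile(r"^(\d{1,2}):(\d{2})-(\d{1,2}):(\d{2})$")


def parse_access_times(spec):
    """Parse HH:MM-HH:MM; a leading zero is optional, so 9:00-17:00 is fine."""
    m = _TIME_RANGE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"access_times {spec!r} is not in HH:MM-HH:MM form")
    h1, m1, h2, m2 = (int(x) for x in m.groups())
    return time(h1, m1), time(h2, m2)   # time() rejects values like 25:00


def is_valid_access_times(spec):
    try:
        parse_access_times(spec)
        return True
    except ValueError:
        return False


def within_access_times(spec, now_hhmm):
    """True if the clock time "HH:MM" falls inside the access_times window."""
    start, end = parse_access_times(spec)
    hour, minute = (int(x) for x in now_hhmm.split(":"))
    now = time(hour, minute)
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end   # assumption: wraps past midnight


def access_control_lines(only_from=(), no_access=(), access_times=None):
    """The xinetd attribute lines the Service access control section writes."""
    lines = []
    if only_from:
        lines.append("only_from    = " + " ".join(only_from))
    if no_access:
        lines.append("no_access    = " + " ".join(no_access))
    if access_times:
        parse_access_times(access_times)   # validate before writing
        lines.append("access_times = " + access_times)
    return lines


if __name__ == "__main__":
    # The example from the text: 192.168.1.10 allowed, 192.168.1.0/24 denied
    print(decide_access("192.168.1.10", ["192.168.1.10"], ["192.168.1.0/24"]))
    print(decide_access("192.168.1.11", ["192.168.1.10"], ["192.168.1.0/24"]))
    print(within_access_times("9:00-17:00", "12:30"))
    print("\n".join(access_control_lines(["192.168.1.10"],
                                         ["192.168.1.0/24"], "9:00-17:00")))
```

Running the block prints `True`, `False`, `True` for the three checks, reproducing the page's example: the host entry is more specific than the network entry that denies it, while a neighbouring address on the denied network is refused.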
** Figure 15-5 “Editing an extended internet service”
If you want to totally delete a service, you can click the
Delete
button on the editing form instead. However, it is usually better
to simply disable it so that it can be easily turned back on later.
Creating an extended internet service
If you want to enable a protocol that is not in the list on the main
page or redirect traffic from a particular port to another host,
then you will need to create a new service using this module. The
appropriate server program for the service must be installed
first, unless you are setting a redirection. The steps to follow
are:
- Click on the Create a new internet service link above or below the list on the main page. This will take you to the creation form, similar to the one in Figure 15-5.
- If the service is for a standard protocol like telnet or finger, enter its name in the Service name field. The Port number can then be left set to Standard. Otherwise, enter a unique name into the Service name field and set the Port number to the port you want the service to listen on.
- If you want the service to be accessible only via a single IP address on your server, enter it into the Bind to address field. This can be useful if you have multiple virtual IP interfaces on your system and want different servers to listen on different addresses.
- Set the Protocol field to the protocol you want the service to use, usually TCP. The Socket type field should be set to Stream for TCP protocol services, or Datagram for UDP services.
- If your service is going to use a server program, set the Service handled by option to the Server program option and enter its command and any arguments into the field next to it – for example /usr/sbin/in.telnetd -a. If the service is just redirecting traffic to another host, select the Redirect to host option and enter the destination hostname and port in the corresponding fields.
- In the Run as user field, enter the name of the Unix user that the server program will be run as. This is not necessary for redirection services.
- Unless the server program always completes very quickly, set the Wait until complete field to No. If you leave it set to Yes, xinetd will not process any more connections until the program finishes.
- To limit the rate at which clients can connect, set the Max concurrent servers and Maximum connections per second fields as explained in the section on “Enabling or editing an extended internet service” above.
- To limit the addresses from which clients can connect or the times at which connections are allowed, set the fields under Service access control as explained in the section above.
- When done, click the Create button. If there are no errors in the form, you will be returned to the main page on which your new service should now be listed.
- Click the Apply Changes button to make the service active.
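The fields in the creation steps above map onto a `service name { ... }` stanza in /etc/xinetd.d. The following script, added here as an example and not Webmin's own code, renders such a stanza from those fields using xinetd's own attribute names (`disable`, `socket_type`, `protocol`, `port`, `bind`, `wait`, `user`, `server`, `server_args`, `redirect`, `instances`, `cps`, `only_from`), rejects the combinations the form lets you get wrong (both or neither of a server program and a redirect, a server program without a user), and parses the result back for checking. The program paths and addresses are constructed placeholders, and the rule that a UDP service must wait until complete is a policy the example enforces, not something the page states.

```python
"""Render and read back an /etc/xinetd.d service stanza from the creation
form's fields. Added example, not Webmin code; sample values are constructed."""


def validate_fields(*, protocol, server, user, redirect, wait):
    """Return a list of problems; an empty list means the stanza can be written."""
    problems = []
    if (server is None) == (redirect is None):
        problems.append("choose exactly one of Server program and Redirect to host")
    if server is not None and not user:
        problems.append("Run as user is required for a server program")
    if protocol not in ("tcp", "udp"):
        problems.append(f"unsupported protocol {protocol!r}")
    if protocol == "udp" and not wait:
        problems.append("a datagram (UDP) service must wait until complete")
    return problems


def render_service(name, *, protocol="tcp", port=None, enabled=True,
                   server=None, args="", user=None, redirect=None,
                   wait=False, bind=None, instances=None, cps=None,
                   only_from=()):
    """Build `service name { ... }`. port=None means Standard, i.e. the port
    is looked up in /etc/services by the service name."""
    problems = validate_fields(protocol=protocol, server=server, user=user,
                               redirect=redirect, wait=wait)
    if problems:
        raise ValueError("; ".join(problems))
    attrs = [
        ("disable", "no" if enabled else "yes"),
        ("socket_type", "stream" if protocol == "tcp" else "dgram"),
        ("protocol", protocol),
        ("wait", "yes" if wait else "no"),
    ]
    if port is not None:
        attrs.append(("port", str(port)))
    if bind:
        attrs.append(("bind", bind))                 # Bind to address
    if server is not None:
        attrs += [("user", user), ("server", server)]
        if args:
            attrs.append(("server_args", args))
    else:
        host, dest_port = redirect                   # Redirect to host
        attrs.append(("redirect", f"{host} {dest_port}"))
    if instances is not None:
        attrs.append(("instances", str(instances)))  # Max concurrent servers
    if cps is not None:
        # Maximum connections per second, and seconds disabled once exceeded
        attrs.append(("cps", f"{cps[0]} {cps[1]}"))
    if only_from:
        attrs.append(("only_from", " ".join(only_from)))
    body = "\n".join(f"\t{key:<12} = {value}" for key, value in attrs)
    return f"service {name}\n{{\n{body}\n}}\n"


def parse_service(text):
    """Read one stanza back as (name, {attribute: value})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not (lines[0].startswith("service ") and lines[1] == "{" and lines[-1] == "}"):
        raise ValueError("not a single xinetd service stanza")
    attrs = {}
    for line in lines[2:-1]:
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return lines[0].split(None, 1)[1], attrs


if __name__ == "__main__":
    print(render_service("telnet", server="/usr/sbin/in.telnetd", args="-a",
                         user="root", instances=10, cps=(5, 30),
                         only_from=["192.168.1.0/24"]))
    print(render_service("web-forward", port=8080, bind="192.0.2.1",
                         redirect=("192.0.2.10", 80)))
```

The first call produces a stanza equivalent to the telnet example in the steps above with a client restriction and rate limits added; the second is a pure redirection, which needs neither a server program nor a user.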
Once a service has been created, you can test it by running telnet
localhost portnumber at the shell prompt on your system. You
can edit or delete your service at any time by following the instructions
in the previous section.
Editing default options
There are several global options that apply to all services handled
by xinetd, for logging and IP access control. To edit these options,
the steps to follow are:
- Click the Edit Defaults button at the bottom of the module's main page, which will take you to the default options form.
- To restrict the addresses from which clients can connect to any service, fill in the Allow access from and Deny access from fields. They accept the same input as the fields of the same name on the service form, as explained in the “Enabling or editing an extended internet service” section above. Any IP access controls configured for an individual service will override the default settings that you enter on this form.
- To have xinetd log to syslog, set the Xinetd logging mode field to Log to syslog facility and choose the facility and priority that it should use. Chapter 13 explains in detail how to configure the log file that messages from xinetd will be written to, based on the selected priority and facility. Normally, this is the default and best option. If you want xinetd to log directly to a file, select the Log to file option and enter the log file path into the field next to it. To have a warning message logged when the file becomes too big, enter a file size in bytes into the Soft file limit field. To set a file size limit that will never be exceeded, fill in the Hard file limit field. If the soft limit is set but the hard limit is not, it will default to 1% more than the soft limit. If neither is set, the log file will grow forever – which could cause all your disk space to be consumed by an attacker making millions of connections to xinetd. To turn off logging altogether, set the Xinetd logging mode field to Disable logging.
- To control which events are logged, choose the appropriate options from the On successful connection log and On failed connection log fields.
- When done, click the Save button. As long as there are no errors in your input, you will be returned to the module's main page.
- Click the Apply Changes button to make the new defaults active.

Copyright © by the contributing authors. All material on Doxfer is the property of the contributing authors.