9.2.5 Restricting access to services

The Internet super-server, inetd, is started at boot time by /etc/rc2.d/S20inetd (for RUNLEVEL=2), which is a symlink to /etc/init.d/inetd. Essentially, inetd allows one running daemon to invoke several others, reducing load on the system.

Whenever a request for service arrives, its protocol and service are identified by looking them up in the databases in /etc/protocols and /etc/services. inetd then looks up a normal Internet service in the /etc/inetd.conf database, or a Sun-RPC-based service in /etc/rpc.conf.
For system security, make sure to disable unused services in /etc/inetd.conf. Sun-RPC services need to be active for NFS and other RPC-based programs.
Sometimes, inetd does not start the intended server directly but starts the tcpd TCP/IP daemon wrapper program with the intended server name as its argument in /etc/inetd.conf. In this case, tcpd runs the appropriate server program after logging the request and doing some additional checks using /etc/hosts.deny and /etc/hosts.allow.

If you have problems with remote access in a recent Debian system, comment out "ALL: PARANOID" in /etc/hosts.deny if it exists.
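The following script is an added example and is not part of the Debian Reference or of the inetd/tcpd packages. It audits a constructed /etc/inetd.conf (embedded below, not copied from any real system) to show which enabled services go through tcpd and which are started directly without its logging and checks, and it evaluates a constructed /etc/hosts.allow and /etc/hosts.deny pair in the order tcpd uses: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. Only the simple pattern forms are modelled (ALL, exact daemon or address names, and the trailing-dot network prefix such as 192.168.1.); DNS-dependent wildcards such as PARANOID, KNOWN and UNKNOWN, and the extended hosts_options(5) syntax, are not implemented here.

```shell
#!/bin/sh
# Added example (not from the Debian Reference): audit a constructed inetd.conf
# and apply hosts_access(5) lookup order to constructed hosts.allow/hosts.deny.

# Constructed sample /etc/inetd.conf: finger is disabled (commented out),
# ftp and telnet are wrapped by tcpd, echo is an inetd-internal service,
# and identd is started directly, bypassing tcpd's logging and checks.
INETD_CONF='# <service> <socket> <proto> <wait> <user> <server> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
echo    stream  tcp     nowait  root    internal
ident   stream  tcp     nowait  nobody  /usr/sbin/identd identd -i
'

# Constructed sample access-control files: only ftp from 192.168.1.0/24 is
# explicitly allowed; everything else is refused by the catch-all deny rule.
HOSTS_ALLOW='# daemon_list : client_list
in.ftpd : 192.168.1.
'
HOSTS_DENY='ALL : ALL
'

# list_enabled: print "service server wrapper" for each active inetd.conf line.
list_enabled() {
    printf '%s' "$INETD_CONF" | awk '
        /^[ \t]*#/ || NF < 6 { next }
        {
            wrapped = ($6 ~ "/tcpd$") ? "tcpd" : "direct"
            server  = (wrapped == "tcpd") ? $7 : $6
            print $1, server, wrapped
        }'
}

# unwrapped_services: external servers inetd starts without tcpd in front.
unwrapped_services() {
    list_enabled | awk '$3 == "direct" && $2 != "internal" { print $1 }'
}

# match_list LIST TOKEN: does a comma-separated hosts_access list match TOKEN?
match_list() {
    list=$1 token=$2
    oldifs=$IFS; IFS=','
    for pat in $list; do
        pat=$(printf '%s' "$pat" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$pat" in
            ALL)       IFS=$oldifs; return 0 ;;                    # wildcard
            *.)        case "$token" in "$pat"*) IFS=$oldifs; return 0 ;; esac ;;
            "$token")  IFS=$oldifs; return 0 ;;                    # exact name
        esac
    done
    IFS=$oldifs
    return 1
}

# file_matches CONTENT DAEMON CLIENT: true if any rule line matches both.
file_matches() {
    content=$1 daemon=$2 client=$3
    printf '%s\n' "$content" | grep -v '^[[:space:]]*#' | grep ':' |
    while IFS=: read -r dlist clist _; do
        if match_list "$dlist" "$daemon" && match_list "$clist" "$client"; then
            echo match
        fi
    done | grep -q match
}

# hosts_access DAEMON CLIENT: "allow" or "deny", following tcpd's lookup order.
hosts_access() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif file_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow   # no rule in either file: access is granted
    fi
}

echo "enabled services (service server wrapper):"; list_enabled
echo "started without tcpd:"; unwrapped_services
echo "in.ftpd from 192.168.1.10: $(hosts_access in.ftpd 192.168.1.10)"
echo "in.ftpd from 10.0.0.5:     $(hosts_access in.ftpd 10.0.0.5)"
```

Running the script lists ident as the only external server that inetd starts without tcpd, which is exactly the kind of entry worth reviewing, since it produces no tcpd log line and is not subject to hosts.allow or hosts.deny.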
For details, see inetd(8), inetd.conf(5), protocols(5), services(5), tcpd(8), hosts_access(5), and hosts_options(5).

For more information on Sun-RPC, see rpcinfo(8), portmap(8), and /usr/share/doc/portmap/portmapper.txt.gz.