
Inetd/Tcpwrappers FreeBSD

 ·  🎃 kr0m

Normally each service runs as its own daemon, consuming CPU and RAM even while idle. Inetd is a superserver that manages connections on behalf of other daemons: if those services are used infrequently, keeping them permanently running is a waste of resources, so with inetd only one process stays resident. When a connection arrives for a service configured in inetd, the corresponding daemon is started to handle it. Inetd acts as a gateway between the client and the service, starting and stopping it on demand.

We enable the inetd service:

sysrc inetd_enable="yes"

We configure the FTP service through inetd:

vi /etc/inetd.conf

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l

We start inetd:

service inetd start

We can see that inetd has opened port 21:

sockstat -sv|grep 21

root inetd 4949 6 tcp4 *:21 *:* LISTEN

If we connect, the service works correctly and we can see how inetd has started the FTP process:

ps aux|grep ftp

root 83937 0.0 0.0 12204 3504 - Ss 10:32 0:00.00 ftpd: 192.168.11.1: connected (ftpd)

Filtering of the services managed by inetd is configured through tcpwrappers, which gives us great flexibility.

The syntax is as follows:

daemon: address: action(allow/deny)

We comment out the rule that allows all traffic and only allow FTP access to the 192.168.11.2 address:

vi /etc/hosts.allow

#ALL : ALL : allow
ftpd : 192.168.11.2 : allow

We reload the configuration:

service inetd restart

Now we connect from 192.168.11.1 but get:

ftp 192.168.11.4

Connected to 192.168.11.4.
You are not welcome to use ftpd from 192.168.11.1.

It is also possible to execute a command in place of the service and show its output to the client (twist):

# ftp custom banner
ftpd: ALL: severity auth.info: twist /bin/echo "kr0m doesnt allow you to use %d from %h."
service inetd restart

Connecting, we can see the new message:

ftp 192.168.11.4

Connected to 192.168.11.4.
kr0m doesnt allow you to use ftpd from 192.168.11.1.

If we only want to execute a command as a side effect, without sending its output to the client (spawn):

# We do not allow connections from example.com:
ALL: .example.com: spawn (/bin/echo %a from %h attempted to access %d >> /var/log/connections.log): deny

An interesting option is PARANOID, which matches any host whose forward and reverse DNS resolution do not agree: if a connection comes from an IP whose reverse lookup gives the name X, but X does not resolve back to that IP, the PARANOID pattern matches.

# Block possibly spoofed requests to sendmail:
sendmail: PARANOID: deny

NOTE: The use of /etc/hosts.deny is considered deprecated in FreeBSD.
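To check how a rule set will behave before touching the live system, here is an added example (not from this article and not FreeBSD's own libwrap code) that models the first-match evaluation of /etc/hosts.allow for the rule forms used above. The constructed sample ends with the catch-all twist rule that FreeBSD's stock /etc/hosts.allow ships with, which is what produced the "You are not welcome" message earlier; PARANOID, netmask patterns and escaped colons inside commands are not modelled.

```python
# Constructed sample mirroring the article's rules, ending with the catch-all
# twist rule found at the end of FreeBSD's stock /etc/hosts.allow.
HOSTS_ALLOW = """\
#ALL : ALL : allow
ftpd : 192.168.11.2 : allow
ALL : .example.com : spawn (/bin/echo %a from %h attempted to access %d >> /var/log/connections.log) : deny
ALL : ALL : severity auth.info : twist /bin/echo "You are not welcome to use %d from %h."
"""

def _client_matches(pattern, addr, host):
    """Client patterns seen in the article: ALL, a literal address, a '.domain' suffix."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                 # leading dot: hostname suffix match
        return host.endswith(pattern)
    return pattern in (addr, host)

def _expand(cmd, daemon, addr, host):
    """%d daemon name, %a client address, %h client hostname (address if unresolved)."""
    return cmd.replace("%d", daemon).replace("%a", addr).replace("%h", host or addr)

def decide(config, daemon, addr, host=""):
    """Return (verdict, command). First matching rule wins. A matched rule without
    allow/deny/twist grants access, and so does no match at all (hosts.allow-only mode).
    Colons escaped with a backslash inside commands are not handled by this model."""
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        daemons, clients, *options = [f.strip() for f in line.split(":")]
        if not any(d in ("ALL", daemon) for d in daemons.split()):
            continue
        if not any(_client_matches(c, addr, host) for c in clients.split()):
            continue
        spawned = None
        for opt in options:
            word, _, rest = opt.partition(" ")
            if word in ("allow", "deny"):
                return word, spawned
            if word == "twist":     # service is replaced by the command; client sees its output
                return "twist", _expand(rest, daemon, addr, host)
            if word == "spawn":     # command runs silently; the rest of the rule still applies
                spawned = _expand(rest, daemon, addr, host)
        return "allow", spawned
    return "allow", None
```

On the real system, tcpdmatch(8) from the FreeBSD base system answers the same question against the live configuration (for example `tcpdmatch ftpd 192.168.11.1`), and no inetd restart is needed for hosts.allow changes because the file is consulted on every connection.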
