xinetd 2.3.14 review
xinetd project is a replacement for inetd, the internet services daemon.
Here are some key features of "xinetd":
Access control:
Has builtin access control for stopping connections from evil bad guys, or for only allowing connections from good guys.
Can be compiled with builtin libwrap support. Use hosts.{allow|deny}! More efficient than using tcpd!
TCP wrappers are good, but can only see one connection at a time. xinetd can limit the rate of incoming connections, the number of incoming connections from specific hosts, or the total number of connections for a service.
Limit access to services based on access time of day.
You can have specific services bind to specific IPs. This lets you provide different services to internal clients than to external clients.
Prevent denial of service attacks
With the access control capabilities of limiting the rate of incoming connections, xinetd can respond to "port bombs" in a reasonable fashion.
If one host seems to be hogging your services, you can limit the number of simultaneous connections from a host.
You can place limits on the size of the log files it creates, so people can't fill your disk.
Extensive logging abilities
You can configure the syslog logging level for each service independently.
If you don't want to use syslog logging, you can have each service log to a file, independent of any other service.
It can log the start and stop times for the connection, so you can determine how long a client used your services.
It can log extensive information about failed connection attempts.
Offload services to a remote host
The redir feature allows you to redirect a TCP stream to another host. This other host does not need to be an externally reachable machine. If you want to provide services on a NAT'd machine, run xinetd with the redir feature to redirect the service to a different host.
IPv6 support
As of the xinetd 2.1.8.8pre* series, xinetd supports IPv6.
User interaction
You can print different banners to the client when they have a successful connection, when their connection attempt failed, and always regardless of connection status. This can help keep your users informed of changes, and why they may be having trouble accessing services.
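The following service stanza is an added example, not taken from the xinetd project itself; it puts the access-control, connection-limit, logging, libwrap and banner attributes described above into one xinetd.conf entry. The service name, server path, addresses, banner files and limit values are placeholders chosen for illustration.

```conf
# Added example (not xinetd's own documentation): one hardened service entry.
# "example-svc", the server path and all addresses are placeholders.
service example-svc
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = nobody
    server          = /usr/local/sbin/example-svc

    # Access control: permit only the internal subnet, deny one host inside it,
    # and serve only during working hours.
    only_from       = 192.168.1.0/24
    no_access       = 192.168.1.250
    access_times    = 08:00-18:00

    # Listen on the internal interface only, so the service is invisible
    # on the external address.
    bind            = 192.168.1.1

    # Limits against "port bombs": at most 20 connections per second
    # (pause 30 seconds when exceeded), 5 concurrent per source address,
    # 50 concurrent in total.
    cps             = 20 30
    per_source      = 5
    instances       = 50

    # Per-service log file with a 5 MB soft and 10 MB hard size limit,
    # recording connection duration and details of refused attempts.
    log_type        = FILE /var/log/xinetd/example-svc.log 5242880 10485760
    log_on_success  += PID HOST DURATION
    log_on_failure  += HOST USERID

    # Consult hosts.allow/hosts.deny under this daemon name (attribute
    # introduced in 2.3.14).
    libwrap         = example-svc

    # Banners for accepted connections, refused attempts, and every connection.
    banner_success  = /etc/xinetd.d/banners/welcome
    banner_fail     = /etc/xinetd.d/banners/refused
    banner          = /etc/xinetd.d/banners/notice
}
```

For a service fronting a NAT'd host, the `server` line would be replaced by `redirect = <internal host> <port>`, with the same access-control and limit attributes still applying to the forwarded TCP stream.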
What's New in This Release:
Applied patch from Art Haas for gcc 3.5 compat.
Flush the descriptor after writing a banner. -Jay Fenlason
Don't assume char is signed in the udp drain() function -Don Provan
If log remote user is on, a descriptor between 0-2 is likely to be opened. Call msg_suspend before dup'ing socket to avoid this bug. -Glen Johnson
Added confparse() RPC patch from RedHat's RHEL4 srpm.
Fixed some service release bugs with accesses to dangling pointers.
Updated BACKLOG to 64 from 7
Updated xconv.pl to understand ":" in inetd.conf files from FreeBSD ports patch.
Added howl support for mdns advertising.
Added a libwrap service attribute to specify the service name to check access via libwrap.
Make some type cleanups to fix some warnings.
Parse things as unsigned instead of signed where it makes sense. Based on a patch from Tony Ernst.
Remove the