[1380] in linux-security and linux-alert archive
[linux-security] Re: xinetd v. tcp-wrappers
daemon@ATHENA.MIT.EDU (Cy Schubert)
Thu Jan 16 07:38:11 1997
Reply-to: cschuber@uumail.gov.bc.ca
To: linux-security@redhat.com
cc: linux-security@tarsier.cv.nrao.edu (linux-security)
In-reply-to: Your message of "Mon, 13 Jan 1997 17:06:11 CST."
<199701132306.RAA25380@oak.zilker.net>
Date: Wed, 15 Jan 1997 07:18:38 -0800
From: Cy Schubert <cy@cwsys.cwent.com>
Resent-From: linux-security@redhat.com
>
> I am interested in opinions regarding the use of xinetd versus
> the use of tcp wrappers. The two programs have similar functionality,
> but I find xinetd suits my needs better.
>
> The biggest problem is the age of xinetd, and AFAIK it is no longer
> being kept up. Are there any known security issues with xinetd?
> Another issue is that xinetd makes use of a non-standard inetd.conf
> layout, but I'm willing to accept that limitation. I'm looking
> for security reasons why I might not wish to use xinetd. Anyone?
You will get better performance from xinetd because you will be execing
fewer programs within each process. For example. When you use tcpd, inetd
will fork another process, then exec tcpd. Tcpd will do its verification
and exec the program that will ullitimately provide the service.
Xinetd will perform its checks, fork and exec the service program. It does
not do much of the "paranoid" DNS verification that tcpd does.
[mod: Thus it is open to the attack that the "paranoid" DNS verification
fixes. i.e. create a reverse mapping for bad.host.attacker.com that reads
trusted.host.victim.com and you can use services that were not intended
for you.... -- REW]
As far as not being kept up, tcpd has not been updated for the 12 to 18
months. The last few upgrades were to support additional operating
systems, so it has essentially not changed over the last two years.
Both are good products. For connect intensive applications I would choose
xinetd. For any other applications I'd use tcpd.
You may also wish to look at portmap 4 or portmap 5beta (or rpcbind 1.1 for
Solaris). This portmap daemon is built around the TCP/Wrapper library
giving you some additional protection. You also get it from Wietse's FTP
site. Alternatively you could turn on kernel firewalling to perform the
same function.
Regards, Phone: (250)387-8437
Cy Schubert OV/VM: BCSC02(CSCHUBER)
UNIX Support BITNET: CSCHUBER@BCSC02.BITNET
ITSD Internet: cschuber@uumail.gov.bc.ca
cschuber@bcsc02.gov.bc.ca
"Quit spooling around, JES do it."