Chapter 19. Controlling Access to Services
• 1 — Single-user mode
• 2 — Not used (user-definable)
• 3 — Full multi-user mode
• 4 — Not used (user-definable)
• 5 — Full multi-user mode (with an X-based login screen)
• 6 — Reboot
If you use a text login screen, you are operating in runlevel 3. If you use a graphical login screen, you
are operating in runlevel 5.
The default runlevel can be changed by modifying the /etc/inittab file, which contains a line near
the top of the file similar to the following:
id:5:initdefault:
Change the number in this line to the desired runlevel. The change does not take effect until you
reboot the system.
To change the runlevel immediately, use the command telinit followed by the runlevel number.
You must be root to use this command. The telinit command does not change the /etc/inittab
file; it only changes the runlevel currently running. When the system is rebooted, it boots into
the runlevel specified in /etc/inittab.
19.2. TCP Wrappers
Many UNIX system administrators are accustomed to using TCP wrappers to manage access to
certain network services. Any network services managed by xinetd (as well as any program with
built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the
/etc/hosts.allow and /etc/hosts.deny files to configure access to system services. As the
names imply, hosts.allow contains a list of rules that allow clients to access the network services
controlled by xinetd, and hosts.deny contains rules to deny access. The hosts.allow file
takes precedence over the hosts.deny file. Permissions to grant or deny access can be based on
individual IP addresses (or hostnames) or on a pattern of clients. Refer to the Reference Guide and
hosts_access in section 5 of the man pages (man 5 hosts_access) for details.
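The precedence described above, modelled as an added example that is not part of the original manual: hosts.allow is consulted first, then hosts.deny, and a client matching neither file is granted access, which is why a catch-all rule in hosts.deny matters. The rule-file contents, daemon names and addresses are constructed, and only a subset of the hosts_access(5) pattern syntax is handled (ALL, exact match, leading-dot domain, trailing-dot address prefix).

```python
# Simplified model of the hosts_access(5) decision order (added example).
# Supported client patterns: ALL, exact match, ".domain" suffix, "n.n.n." prefix.

# Constructed sample rule files; daemon names and addresses are illustrative.
HOSTS_ALLOW = """\
# /etc/hosts.allow
in.telnetd: 192.168.1.
vsftpd: .example.com 10.0.0.5
"""
HOSTS_DENY = """\
# /etc/hosts.deny
ALL: ALL
"""

def parse_rules(text):
    """Return a list of (daemons, clients) tuples from rule-file text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # ignore optional shell command
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # hostname suffix, e.g. .example.com
        return client.endswith(pattern)
    if pattern.endswith("."):          # address prefix, e.g. 192.168.1.
        return client.startswith(pattern)
    return pattern == client

def rule_hit(rules, daemon, client):
    return any((daemon in d or "ALL" in d) and
               any(client_matches(p, client) for p in c)
               for d, c in rules)

def access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the documented order: allow file, then deny file, else grant."""
    if rule_hit(parse_rules(allow_text), daemon, client):
        return "granted"
    if rule_hit(parse_rules(deny_text), daemon, client):
        return "denied"
    return "granted"   # no match in either file: access is granted
```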
19.2.1. xinetd
To control access to Internet services, use xinetd, which is a secure replacement for inetd. The
xinetd daemon conserves system resources, provides access control and logging, and can be used
to start special-purpose servers. xinetd can be used to provide access only to particular hosts, to
deny access to particular hosts, to provide access to a service at certain times, to limit the rate of
incoming connections and/or the load created by connections, and more.
xinetd runs constantly and listens on all ports for the services it manages. When a connection
request arrives for one of its managed services, xinetd starts up the appropriate server for that
service.