Red Hat Enterprise Linux 5 - Deployment Manual: Xinetd

Chapter 43. Securing Your Network
• %N — Returns the server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.
• %p — Returns the daemon's process ID.
• %s — Returns various types of server information, such as the daemon process and the host or IP address of the server.
• %u — Returns the client's username. If unavailable, unknown is printed.
The following sample rule uses an expansion in conjunction with the spawn command to identify the client host in a customized log file.

When connections to the SSH daemon (sshd) are attempted from a host in the example.com domain, execute the echo command to log the attempt, including the client hostname (by using the %h expansion), to a special file. Each continued line of the rule must end in a backslash:

    sshd : .example.com \
        : spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \
        : deny
Similarly, expansions can be used to personalize messages back to the client. In the following example, clients attempting to access FTP services from the example.com domain are informed that they have been banned from the server:

    vsftpd : .example.com \
        : twist /bin/echo "421 %h has been banned from this server!"
For a full explanation of available expansions, as well as additional access control options, refer to section 5 of the man pages for hosts_access (man 5 hosts_access) and the man page for hosts_options.

Refer to Section 43.5.5, "Additional Resources" for more information about TCP Wrappers.

43.5.3. xinetd

The xinetd daemon is a TCP-wrapped super service which controls access to a subset of popular network services, including FTP, IMAP, and Telnet. It also provides service-specific configuration options for access control, enhanced logging, binding, redirection, and resource utilization control.

When a client attempts to connect to a network service controlled by xinetd, the super service receives the request and checks for any TCP Wrappers access control rules.

If access is allowed, xinetd verifies that the connection is allowed under its own access rules for that service. It also checks that the service can have more resources allotted to it and that it is not in breach of any defined rules.

If all these conditions are met (that is, access is allowed to the service; the service has not reached its resource limit; and the service is not in breach of any defined rule), xinetd then starts an instance of the requested service and passes control of the connection to it. After the connection has been established, xinetd takes no further part in the communication between the client and the server.
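The following Python script is an added example, not code from the Red Hat guide or from the tcp_wrappers or xinetd projects. It models the layered flow just described and the expansion rules from the previous section: a connection is first matched against the two sample hosts.allow rules above (with %h, %N, %p, %s and %u expanded the way hosts_access(5) describes), and only if TCP Wrappers lets it through is it checked against xinetd's own access list and instance limit. The connection records and the xinetd attribute values are constructed sample data; only_from, no_access and instances are real xinetd directive names, but the address matching and the %s format are deliberately simplified. Commands are expanded but never executed, so the script runs offline and is safe to use for previewing what a rule will log or reply.

```python
"""Added example (not code from the Red Hat guide): walk a connection through TCP Wrappers
hosts.allow rules with %-expansion, then xinetd's own per-service checks. Nothing is executed."""
import re

# The two sample rules shown above, as hosts.allow text (lines ending in '\' continue).
RULES_TEXT = r"""
sshd : .example.com \
    : spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \
    : deny
vsftpd : .example.com \
    : twist /bin/echo "421 %h has been banned from this server!"
"""

# Constructed xinetd attributes: real directive names, assumed values and simplified matching.
XINETD_SERVICES = {
    "sshd":   {"only_from": ["192.0.2."], "no_access": [], "instances": 10},
    "vsftpd": {"only_from": None, "no_access": ["198.51.100."], "instances": 5},
}

def make_conn(daemon, client_host, client_addr, client_user=None, pid=4242,
              server_host="gateway", server_addr="192.0.2.1", server_reverse="gateway"):
    """Constructed connection record; server_reverse is what the server address resolves to."""
    return dict(daemon=daemon, client_host=client_host, client_addr=client_addr,
                client_user=client_user, pid=pid, server_host=server_host,
                server_addr=server_addr, server_reverse=server_reverse)

def expand(template, c):
    """Apply the hosts_access(5) expansions listed above: %h, %N, %p, %s, %u."""
    server_name = c["server_host"] or "unknown"
    if c["server_host"] and c["server_reverse"] != c["server_host"]:
        server_name = "paranoid"                      # hostname and address disagree
    table = {
        "h": c["client_host"] or c["client_addr"],    # client name, or address if unresolved
        "N": server_name,
        "p": str(c["pid"]),
        "s": f"{c['daemon']}@{c['server_addr']}",     # daemon@server-address (simplified %s)
        "u": c["client_user"] or "unknown",
    }
    return re.sub(r"%(.)", lambda m: table[m.group(1)], template)  # KeyError for unknown %x

def parse_rules(text):
    """Join '\\'-continued lines, then split 'daemon_list : client_list [: option ...]'."""
    joined = re.sub(r"\\\n\s*", " ", text)            # options are assumed to contain no ':'
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = [f.strip() for f in line.split(":")]
            rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules

def client_matches(pattern, c):
    """Leading '.' = domain suffix, trailing '.' = address prefix, ALL = any, else exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return c["client_host"].endswith(pattern)
    if pattern.endswith("."):
        return c["client_addr"].startswith(pattern)
    return pattern in (c["client_host"], c["client_addr"])

def wrappers_check(rules, c):
    """First matching rule wins: deny refuses, twist replaces the service, spawn is a side effect."""
    verdict = {"allowed": True, "spawned": [], "twist": None}
    for daemons, clients, options in rules:
        if (c["daemon"] in daemons or "ALL" in daemons) and \
                any(client_matches(p, c) for p in clients):
            for opt in options:
                keyword, _, arg = opt.partition(" ")
                if keyword == "spawn":
                    verdict["spawned"].append(expand(arg, c))
                elif keyword == "twist":                 # client gets the output, not the service
                    verdict["twist"], verdict["allowed"] = expand(arg, c), False
                elif keyword in ("deny", "allow"):
                    verdict["allowed"] = keyword == "allow"
            break
    return verdict       # no match: would fall through to hosts.deny, assumed empty here

def xinetd_decide(c, rules, services, running):
    """The section's order: TCP Wrappers, then xinetd's access list, then the instance limit.
    'running' counts live instances per service and is incremented on hand-over."""
    w = wrappers_check(rules, c)
    if not w["allowed"]:
        return "denied by tcp_wrappers", w
    svc = services[c["daemon"]]
    if any(client_matches(p, c) for p in svc["no_access"]):
        return "denied by xinetd no_access", w
    if svc["only_from"] is not None and not any(client_matches(p, c) for p in svc["only_from"]):
        return "denied by xinetd only_from", w
    if running.get(c["daemon"], 0) >= svc["instances"]:
        return "refused: instances limit reached", w
    running[c["daemon"]] = running.get(c["daemon"], 0) + 1
    return "handed to service", w

if __name__ == "__main__":
    rules, running = parse_rules(RULES_TEXT), {}
    for c in (make_conn("sshd", "evil.example.com", "203.0.113.7"),
              make_conn("sshd", "admin.corp.test", "192.0.2.20", client_user="alice")):
        verdict, w = xinetd_decide(c, rules, XINETD_SERVICES, running)
        print(c["daemon"], c["client_host"], verdict, w["spawned"], w["twist"])
```

Running the script shows the sshd connection from example.com being refused by the first rule while the spawn command it would log is printed with %h already filled in, and the unrelated host passing both layers. The real library falls through to hosts.deny when nothing in hosts.allow matches; the simulator assumes an empty hosts.deny, which is where a practitioner would extend it.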
