topic Re: xinet question in Operating System - Linux

xinet question

A.K. — Sun, 11 Jul 2010 19:48:20 GMT

Hi,
I need to enable xinet on several Linux machines (SLES 9/10).
Can anyone tell me what are the security risks?

thanks,
A.K.

Re: xinet question

Steven Schweda — Sun, 11 Jul 2010 19:55:53 GMT

Do you mean "xinet" or "xinetd"?

http://www.xinet.com/index.php
http://www.xinetd.org/

> Can anyone tell me what are the security
> risks?

Knowing nothing (else) about what you're
doing, I can't.

Re: xinet question

A.K. — Sun, 11 Jul 2010 20:14:02 GMT

Hi,
I am installing nrpe package and would like to enable it to allow access from the Nagios host.

BTW,
what other options I can use instead of xinet?

Thanks,
A.K.

Re: xinet question

Steven Schweda — Mon, 12 Jul 2010 02:31:02 GMT

Do you know what you're talking about? I
don't know what you're talking about. A
Google search for:
nrpe nagios xinet
gets redirected to a search for:
nrpe nagios xinetd
I assume, for good reason.

> Do you mean "xinet" or "xinetd"?

Still wondering...

That Google search, by the way, turns up
several documents which might be useful,
depending on what you're really looking for.

Re: xinet question

Matti_Kurkela — Mon, 12 Jul 2010 12:13:54 GMT

"xinet" seems to be digital asset management and at first glance, not at all helpful in running Nagios NRPE.

"xinetd" on the other hand, is a very common and very widely used software component for running network services on many Unix-style systems, not only Linux. It is the "internet super-server daemon". See the description in Wikipedia:
http://en.wikipedia.org/wiki/Inetd

Traditional Unix systems may still use "inetd", but many Linux distributions and some Unix systems already offer xinetd instead of inetd by default.

xinetd allows you to restrict the source IP addresses and the number of connections allowed for each service you run through xinetd. These are very useful features for keeping your network services secure.

xinetd can run many services at the same time, and its default configuration may include several traditional "debugging/testing" services (chargen, discard, echo, time, daytime): make sure you disable these services unless you really need them.

Every network service can be a security risk - but xinetd is so simple, stable and widely used that it should be a pretty small risk when properly configured. I would be more concerned about NRPE: because it is normally used to gather information from the system, it may have to run more complex things, possibly even as root. Be very very careful in configuring NRPE.

MK

Re: xinet question

Ralph Grothe — Tue, 13 Jul 2010 09:50:18 GMT

You can restrict access by source ip address through xinetd if you have nrpe started through it (recommended rather than starting nrpe standalone).
Edit the file /etc/xinetd.d/nrpe
and add the only_from attribute for this service. To the right of the equals sign add IP addresses (or whole subnets) for clients' source IPs who are permitted to connect to nrpe.
There, of course, should be the IP address of your Nagios server among them.
After having made changes to the file send the xinetd PID a SIGHUP or execute "service xinetd reload".
Then enable a service check on your Nagios server that accesses your nrpe (probably you would have to define some nrpe check command on the nrpe host in e.g. /ect/nagios/nrpe.cfg first; but for any changes/additions to that file you don't need to reload xinetd like above because the nrpe daemon is spawned each time a connect request comes in anew by xinetd whereupon it reads the contents of nrpe.cfg)