A.K.
Frequent Advisor

xinet question

Hi,
I need to enable xinet on several Linux machines (SLES 9/10).
Can anyone tell me what are the security risks?

thanks,
A.K.
Steven Schweda
Honored Contributor

Re: xinet question

Do you mean "xinet" or "xinetd"?

http://www.xinet.com/index.php
http://www.xinetd.org/

> Can anyone tell me what are the security
> risks?

Knowing nothing (else) about what you're
doing, I can't.
A.K.
Frequent Advisor

Re: xinet question

Hi,
I am installing the nrpe package and would like to enable it to allow access from the Nagios host.

BTW,
what other options can I use instead of xinet?

Thanks,
A.K.
Steven Schweda
Honored Contributor

Re: xinet question

Do you know what you're talking about? I
don't know what you're talking about. A
Google search for:
nrpe nagios xinet
gets redirected to a search for:
nrpe nagios xinetd
I assume, for good reason.


> Do you mean "xinet" or "xinetd"?

Still wondering...


That Google search, by the way, turns up
several documents which might be useful,
depending on what you're really looking for.
Matti_Kurkela
Honored Contributor
Solution

Re: xinet question

"xinet" seems to be digital asset management and at first glance, not at all helpful in running Nagios NRPE.

"xinetd" on the other hand, is a very common and very widely used software component for running network services on many Unix-style systems, not only Linux. It is the "internet super-server daemon". See the description in Wikipedia:
http://en.wikipedia.org/wiki/Inetd

Traditional Unix systems may still use "inetd", but many Linux distributions and some Unix systems already offer xinetd instead of inetd by default.

xinetd allows you to restrict the source IP addresses and the number of connections allowed for each service you run through xinetd. These are very useful features for keeping your network services secure.

xinetd can run many services at the same time, and its default configuration may include several traditional "debugging/testing" services (chargen, discard, echo, time, daytime): make sure you disable these services unless you really need them.

Every network service can be a security risk - but xinetd is so simple, stable and widely used that it should be a pretty small risk when properly configured. I would be more concerned about NRPE: because it is normally used to gather information from the system, it may have to run more complex things, possibly even as root. Be very very careful in configuring NRPE.

MK
Ralph Grothe
Honored Contributor

Re: xinet question

You can restrict access by source ip address through xinetd if you have nrpe started through it (recommended rather than starting nrpe standalone).
Edit the file /etc/xinetd.d/nrpe
and add the only_from attribute for this service. To the right of the equals sign add the IP addresses (or whole subnets) of the clients that are permitted to connect to nrpe.
There, of course, should be the IP address of your Nagios server among them.
After having made changes to the file send the xinetd PID a SIGHUP or execute "service xinetd reload".
Then enable a service check on your Nagios server that accesses your nrpe (probably you would have to define some nrpe check command on the nrpe host in e.g. /etc/nagios/nrpe.cfg first; but for any changes/additions to that file you don't need to reload xinetd as above, because the nrpe daemon is spawned anew by xinetd each time a connect request comes in, whereupon it reads the contents of nrpe.cfg).
Madness, thy name is system administration
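As an added example (not posted by anyone in this thread), here is what an /etc/xinetd.d/nrpe stanza looks like with the only_from restriction Ralph describes, plus the connection limits and the disabling of the old test services that Matti recommends. The Nagios server address 192.0.2.10 and the nrpe binary path are constructed placeholders; check the path your SLES package actually installs.

```conf
# /etc/xinetd.d/nrpe -- nrpe spawned by xinetd, restricted to the Nagios server
# 192.0.2.10 is a placeholder for your Nagios server; adjust the server path to your package.
service nrpe
{
    flags           = REUSE
    socket_type     = stream
    port            = 5666
    wait            = no
    user            = nagios
    group           = nagios
    server          = /usr/lib/nagios/plugins/nrpe
    server_args     = -c /etc/nagios/nrpe.cfg --inetd
    log_on_failure  += USERID
    disable         = no

    # Access control: only these source addresses may connect.
    # Without only_from, any host that can reach port 5666 gets an nrpe process.
    only_from       = 192.0.2.10 127.0.0.1

    # Resource limits: cap simultaneous nrpe processes overall and per client address.
    instances       = 10
    per_source      = 5
}

# /etc/xinetd.d/echo -- example of a legacy test service left switched off
service echo
{
    type            = INTERNAL
    id              = echo-stream
    socket_type     = stream
    protocol        = tcp
    user            = root
    wait            = no
    disable         = yes
}
```

Run `service xinetd reload` after editing the xinetd files; only_from takes effect for new connections, and a rejected client is logged by xinetd as a FAIL with the source address, which is worth watching for in the logs.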