Linux Exercise: xinetd and TCP Wrappers

Note: Red Hat/CentOS 7 or earlier only

TCP Wrappers is deprecated in Red Hat/CentOS 7 (still shipped, but flagged for removal in a later release) and has been removed from Red Hat/CentOS 8 altogether. In Red Hat/CentOS 8 the TFTP server no longer runs under xinetd either: it is started by systemd through socket activation (tftp.socket). Therefore, if you want to do these exercises, you need a Red Hat/CentOS 7 or earlier system.

xinetd

  1. If the xinetd daemon is not installed yet, install it. Also install tftp and tftp-server.
    • # yum -y install xinetd
      # yum -y install tftp tftp-server
  2. Look at the configuration of xinetd. Do you see tftp? If the tftp service is disabled, enable it.
    • # cat /etc/xinetd.conf
    • # ls -l /etc/xinetd.d/*
    • # vi /etc/xinetd.d/tftp
      Change "disable = yes" into "disable = no" (the keyword is disable, not disabled).
      The same stanza shows which program xinetd starts for this service (server = /usr/sbin/in.tftpd) and the directory it serves files from (server_args = -s /var/lib/tftpboot; the -s option restricts in.tftpd to that directory). This is why step 6 copies the file to /var/lib/tftpboot.
  3. Start the xinetd daemon (restart it if it was already running, so that the edited tftp file is read).
    • # systemctl restart xinetd
  4. Look at which application opened UDP port 69 (tftp).
    • # netstat -anutp | grep ':69 '
      Grep for ':69 ' rather than a bare 69, which would also match port 6969 or a PID that happens to contain 69.
      The xinetd daemon opened port 69 on behalf of tftpd.
  5. See if the tftpd daemon is running.
    • # ps aux | grep tftp
      No tftp daemon is running yet (the only match is the grep itself): xinetd holds the socket and only starts in.tftpd when the first request arrives.
  6. Copy the file /etc/passwd to /var/lib/tftpboot, the directory in.tftpd serves files from.
    • # cp /etc/passwd /var/lib/tftpboot/passwd
      Keep in mind that TFTP has no authentication at all: anything placed in /var/lib/tftpboot can be read by anyone who can reach UDP port 69. Remove the copy again when you have finished the exercise.
  7. Open a different terminal window or login session. Log in as a regular user. Use the tftp client to connect to the TFTP server (there is no login; TFTP has no authentication) and retrieve the file passwd.
    • $ tftp localhost
    • tftp> get passwd
    • tftp> quit
  8. Switch back to the window or session where you are logged in as root. See if the TFTP daemon is running now.
    • # ps aux | grep tftp
    • # pstree -p
      You should now see in.tftpd running as a child process of xinetd. xinetd started it to handle the request; it exits again after its inactivity timeout.

TCP Wrappers

  1. From your Windows host or from another Linux system, start an SSH connection to the lab system. Use the w or who command to see where this connection comes from.
    • # w
    • # who
      If you are using VirtualBox with a host-only network, the connection most likely comes from 192.168.56.1 (the host side of that network).
  2. Use the ldd command on the SSH daemon executable. Does sshd use TCP Wrappers?
    • # ldd $( which sshd )
      See if libwrap (libwrap.so.0) is in the list. Only programs linked against libwrap, or started by a libwrap-aware super-server such as xinetd, honour /etc/hosts.allow and /etc/hosts.deny; a daemon without libwrap ignores both files completely.
  3. Create a "secure by default" configuration for TCP Wrappers: deny everything first, then allow only what is needed. Then try to set up a new connection. Leave your current session open! Does this work?
    • # vi /etc/hosts.deny
      ALL: ALL
    • Now try to set up a new SSH session from your Windows or Linux system. This should not work: the TCP connection is accepted and then immediately closed by sshd. Your existing session is not affected, because the files are only consulted when a new connection arrives. For the same reason no restart of sshd is needed for the change to take effect. Note that "ALL: ALL" also refuses every other libwrap-aware service, including the tftp service from the first part of this exercise.
  4. Now configure TCP Wrappers so that SSH connections from your own IP address are allowed. Use the address you found in step 1.
    • # vi /etc/hosts.allow
      sshd: 192.168.56.1
      /etc/hosts.allow is consulted before /etc/hosts.deny, and the first matching line decides, so this line overrides "ALL: ALL" for sshd from that single address. Everything else stays denied. A trailing dot (sshd: 192.168.56.) would allow the whole network instead of one host.
  5. Try the connection again. This time things should work.
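The following script is an added example for this exercise; it is not part of the original handout and not libwrap's own code. It emulates the access decision libwrap makes for one daemon/client pair, with rule files constructed inline that mirror steps 3 and 4 above, so it runs without a real sshd. It shows why step 5 works although hosts.deny still says "ALL: ALL", that the deny rule also refuses the tftp service from the first part of the exercise (the name in.tftpd is assumed here as the name xinetd presents to libwrap; with "ALL: ALL" the name does not change the outcome), and that with no rules at all libwrap grants access. Only the pattern forms used in the exercise are implemented (ALL, an exact IPv4 address, a network prefix ending in a dot); the daemon names and addresses are the exercise's own values, and the function names are this example's, not libwrap calls available from a shell.

```shell
#!/bin/sh
# Added example (not from the original handout, not libwrap code): a small
# emulation of the TCP Wrappers access decision, to show why step 5 works
# although /etc/hosts.deny still contains "ALL: ALL".
# Order of evaluation, as libwrap does it:
#   1. /etc/hosts.allow  - first matching line grants access
#   2. /etc/hosts.deny   - first matching line refuses access
#   3. nothing matched   - access is granted
# Only the pattern forms used in the exercise are implemented: ALL, an exact
# IPv4 address, and a network prefix ending in a dot (192.168.56.). Real
# libwrap also handles net/mask, host names, EXCEPT and spawn/twist commands.

# pattern_matches PATTERN VALUE -> exit 0 if PATTERN matches VALUE
pattern_matches() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ; return 1 ;;   # network prefix
        *)   [ "$pat" = "$val" ] ;;                                   # exact name/address
    esac
}

# rules_match RULES DAEMON CLIENT -> exit 0 if any "daemon_list : client_list"
# line in RULES (the text of one access-control file) matches both arguments.
# The loop runs in a subshell because of the pipe, so it reports via exit.
rules_match() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            line=${line%%#*}                          # strip comments
            case "$line" in
                *:*) ;;                               # daemon_list : client_list
                *)   continue ;;                      # blank or malformed line
            esac
            daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
            clients=$(printf '%s' "${line#*:}"  | tr ',' ' ')
            for d in $daemons; do
                if pattern_matches "$d" "$2"; then
                    for c in $clients; do
                        if pattern_matches "$c" "$3"; then
                            exit 0
                        fi
                    done
                fi
            done
        done
        exit 1
    }
}

# hosts_access ALLOW_TEXT DENY_TEXT DAEMON CLIENT -> prints "allow" or "deny"
# (named after libwrap's C entry point, but this is the example's own function)
hosts_access() {
    if rules_match "$1" "$3" "$4"; then
        echo allow                  # hosts.allow matched; hosts.deny is never read
    elif rules_match "$2" "$3" "$4"; then
        echo deny
    else
        echo allow                  # no rule in either file: libwrap grants access
    fi
}

# Constructed rule files mirroring steps 3 and 4 of the exercise.
HOSTS_DENY=$(printf '# constructed /etc/hosts.deny\nALL: ALL')
HOSTS_ALLOW=$(printf '# constructed /etc/hosts.allow\nsshd: 192.168.56.1')
HOSTS_ALLOW_NET='sshd: 192.168.56.'     # whole host-only network instead of one host

printf 'step 3 (hosts.deny only), sshd from 192.168.56.1: %s\n' \
    "$(hosts_access '' "$HOSTS_DENY" sshd 192.168.56.1)"                 # deny
printf 'step 4, sshd from 192.168.56.1: %s\n' \
    "$(hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY" sshd 192.168.56.1)"     # allow
printf 'step 4, sshd from 10.0.0.5: %s\n' \
    "$(hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY" sshd 10.0.0.5)"         # deny
printf 'step 4, tftp test from step 7 (in.tftpd from 127.0.0.1): %s\n' \
    "$(hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY" in.tftpd 127.0.0.1)"    # deny
printf 'network pattern, sshd from 192.168.56.77: %s\n' \
    "$(hosts_access "$HOSTS_ALLOW_NET" "$HOSTS_DENY" sshd 192.168.56.77)" # allow
printf 'no rule files at all, sshd from 10.0.0.5: %s\n' \
    "$(hosts_access '' '' sshd 10.0.0.5)"                                # allow
```

Run it with sh or bash; each line prints the decision for one scenario. Note the last case: an empty hosts.deny is not "secure by default", because libwrap grants access when neither file matches, which is exactly why step 3 puts "ALL: ALL" in hosts.deny before anything is allowed.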
End of exercise