Red Hat Enterprise Linux 5 Administration Unleashed
CHAPTER 19: Explaining Other Common Network Services

To have xinetd start at boot time, execute the following as root:

    chkconfig xinetd on

Allowing xinetd Connections

Access control can be configured in the individual files in the /etc/xinetd.d/ directory. When a request is made, the TCP wrappers access control configuration is checked first. If the client is denied access by the TCP wrappers rules, the connection is denied. If the client is allowed access by the TCP wrappers rules, the attributes in the individual /etc/xinetd.d/ files and the /etc/xinetd.conf file are checked. Both forms of access control can be used in conjunction with each other.

TCP Wrappers and xinetd

The xinetd services are protected by TCP wrappers, which provide a mechanism for allowing and denying access to the services. Two files are used to control access: /etc/hosts.allow and /etc/hosts.deny.

NOTE
xinetd is not the only network service protected by TCP wrappers. For example, in Red Hat Enterprise Linux, both vsftpd and sshd are compiled against the TCP wrappers library.

As the names imply, the hosts.allow file contains a list of clients allowed access to specific daemons, and the hosts.deny file contains rules denying client access. The files are read from top to bottom, so as soon as a rule to allow or deny access is found, that rule is applied, and the rest of the file is not read.

The hosts.allow file is read first. If both files contain rules that contradict each other, the first rule in hosts.allow takes precedence. If no rules are found for a client, access is granted. The access files are referenced each time a request is made, so changes to them take effect immediately without restarting any daemons.

Both hosts.allow and hosts.deny use the same file format. Blank lines and lines that begin with the hash mark (#) are ignored. If a line ends with the backslash character (\), the next line is considered a continuation of the previous line without the newline character. All other lines have the following format:

    daemon_list : client_list [: options]

Only the daemon_list and client_list are required. The daemon_list is a list of one or more daemons separated by commas. Wildcards can be used for this list. The client_list is a list of hostnames, IP addresses, patterns, or wildcards allowed or denied access (depending on the file in which it is listed) to the daemons in the daemon_list. In the client_list, the following patterns can be used:
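The file format and evaluation order described above, as an added worked example that is not code from the book: a small Python evaluator that parses hosts.allow/hosts.deny text (comments, blank lines, backslash continuations, the daemon_list : client_list [: options] layout) and decides access the way the section describes. The ALL wildcard, leading-dot domain suffix and trailing-dot address prefix patterns are taken from hosts_access(5) rather than from this page, and the two sample files are constructed.

```python
# Added example (not the book's code). Evaluates hosts.allow/hosts.deny as the
# section describes: hosts.allow first, first match wins, no match means access.
# Client patterns beyond ALL follow hosts_access(5): leading dot = domain suffix,
# trailing dot = address prefix.

def parse_rules(text):
    """Return [(daemon_list, client_list, options), ...] from one access file."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):   # blank and comment lines are ignored
            continue
        if line.endswith("\\"):                # backslash: next line continues this one
            pending = line[:-1]
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.strip() for d in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        rules.append((daemons, clients, parts[2] if len(parts) > 2 else ""))
    return rules

def client_matches(pattern, host, addr):
    """Match one client_list entry against the client's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                # .example.com -> domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                  # 192.168.1. -> address prefix
        return addr.startswith(pattern)
    return pattern in (host, addr)             # exact hostname or address

def rule_matches(rule, daemon, host, addr):
    daemons, clients, _options = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, host, addr) for c in clients))

def access_allowed(allow_text, deny_text, daemon, host, addr):
    """hosts.allow is read first; a client matching no rule is granted access."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(deny_text)):
        return False
    return True

# Constructed sample files: LAN and one domain admitted to sshd/vsftpd, all else denied.
HOSTS_ALLOW = "# sample hosts.allow\nsshd, vsftpd : 192.168.1. , \\\n               .example.com\n"
HOSTS_DENY = "# sample hosts.deny\nALL : ALL\n"
```

With an empty hosts.deny the last branch applies and every unmatched client is admitted, which is why the deny file's ALL : ALL line matters.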