Re: xinetd -> danted fails [repost]

bnyauok_at_wwipqo.com.gv
Date: 07/21/03


Date: Mon, 21 Jul 2003 03:50:58 GMT


|> A daemon that is to be run under *inetd has to be prepared to read
|> network traffic on stdin and write to stdout, i.e. not try to listen on
|> the port itself. If the daemon has code to switch into this mode, then
|> you need to use the appropriate command line option or config option to
|> make it do so. Have you checked the danted doco?
|
|Yes, I've checked and rechecked the danted and xinetd docs and FAQs. danted
|doesn't have a facility to connect via stdin/stdout as far as I can tell.

If that's the case, then you cannot run danted under *inetd; it is not
*inetd ready. However, some hits I got from Google suggest there is a
command line option for it, but the sites are down and the cached
versions are unclear. I can't even find the home site of danted with
Google.

|What you say would explain how xinetd can take over listening on the ports
|usually used by the servers it manages. However, this is the first time
|I've heard this explanation, and I can't find any mention of it in the
|inetd or xinetd docs.

It's sort of implied by the description of xinetd in the man page, where
it says "it listens on all service ports for the services listed in
its configuration file". Since the port cannot be listened on by more
than one process, this means the real server has to not listen but wait
on stdin. Unfortunately this is part of BSD lore; I don't know where
it's documented, and I don't remember how I learnt this.

|What I do find in the docs is some confusing (to me) explanations of the
|wait/nowait (inetd) or wait (xinetd) options. As best I can figure out, if
|danted wants to continue to listen on its port (1080), then I should
|specify "wait" (inetd) or "wait=yes" (xinetd) in *inetd.conf. But when I
|try this, I get the "Deactivating service socks due to excessive incoming
|connections" error, which no one, in my Google groups searches, seems to be
|able to figure out.

Wait means that *inetd will only fork off one process at a time to
handle the request. Nowait means that it will continue to serve more
requests while the last one is being served. This means that it will
fork off as many processes as needed, up to the limit. Since danted
doesn't run properly under xinetd, it exits immediately and the request
is still waiting to be served. So xinetd very quickly runs up lots of
processes and then decides enough is enough: there is something wrong.

Wait/nowait has nothing to do with *inetd readiness.

-- 

