Chapter 12

Basic network services
 

 
 
In this chapter:
 
 
* Configuring basic services that are initialized by inetd
* Configuring inetd to run its built-in services: echo, daytime, chargen, and time
* Enabling other services: shell, login, telnet, talk, ntalk, finger, systat, netstat, pop, and ident
 
 
 
Before looking at services that involve more complex configurations, we look at the ones that are easy to set up. Basic doesn't mean that the service is not useful or less complex. On the contrary, these are rather important services that are frequently used. Basic is meant in terms of the setup of the service.
 
The services listed in this chapter need very little maintenance. They are started by inetd, and most of them receive their entire configuration on the command line of their /etc/inetd.conf entry, without the need for a separate, somewhat complex configuration file. SuSE provides a working example of /etc/inetd.conf. In this section, we discuss what these services are rather than how to start them. Providing one of these services is an easy task -- you simply remove the comment sign (a hash: #) from its line in /etc/inetd.conf. Many of them are already active in the default configuration, so for those no action needs to be taken (the list is at the end of this chapter).
12.1 Services provided by inetd
 


 
We start with the services handled solely by the superserver, inetd. These are as follows.
 

12.1.1 echo
 

The echo service simply "echoes" everything that is sent to its port. You can enable this service and try it by connecting to the echo port with telnet and typing something. It is echoed back to you as soon as you press Enter:
 

 
> telnet localhost echo  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  
Hi echo service  
Hi echo service  
please repeat this line  
please repeat this line  
^]

telnet> q
Connection closed.
 
 
12.1.2 daytime
 

This service gives you the local time in "human-readable form." Again, you can test it by using telnet:
 

 
> telnet localhost daytime  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  
Sun Feb 14 00:10:51 1999  
Connection closed by foreign host.  
 
 
12.1.3 chargen
 

The character generation service. Connecting to this service gives you an endless stream of ASCII characters; it keeps sending until you close the connection yourself (use the telnet escape character and quit, as shown for echo):
 

 
> telnet localhost chargen  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  

 
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklm
'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmn
()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno
)*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnop
*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq
+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqr
,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrs
-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrst
[...]
 
 
12.1.4 time
 

Nearly the same as the daytime service, but this service returns the time in machine-readable format: a 32-bit number equal to the seconds that have elapsed since midnight, January 1, 1900. It is used by utilities such as netdate to set the local clock from a remote reference source.
 
These four services (echo, daytime, chargen, and time) need no external program at all. Their beauty lies in the fact that inetd implements them itself; their /etc/inetd.conf entries simply name the program internal. Keep in mind that they answer anyone who can reach the port, and echo and chargen send back as much as or more than they receive, so on a host exposed to untrusted networks they should stay disabled unless you actually use them.
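As an added example that is not part of the book, here is how a client turns the raw reply of the time service into a Unix time. It assumes the four reply bytes have already been read from the socket into a file; the sample bytes below are constructed, not captured from a server. Because the protocol carries no authentication, a clock set from it trusts whoever answered on the network, so a client should at least reject malformed replies, as this one does.

```shell
#!/bin/sh
# Added example (not from the book): decode a raw reply from the "time" service.
# RFC 868 replies are a single 4-byte, big-endian, unsigned count of seconds since
# 1900-01-01 00:00 UTC, which is what netdate-style tools turn into a Unix time.

RFC868_UNIX_OFFSET=2208988800   # seconds from 1900-01-01 to 1970-01-01 (70 years, 17 leap)

# time_reply_to_epoch FILE
# Reads the 4-byte reply stored in FILE and prints the equivalent Unix epoch seconds.
# Fails (non-zero) on a short reply so a truncated answer is never used to set the clock.
time_reply_to_epoch() {
    reply=$1
    # od prints the bytes as unsigned decimals; they become $1..$4
    set -- $(od -A n -t u1 -N 4 "$reply")
    if [ $# -ne 4 ]; then
        echo "time reply too short: expected 4 bytes, got $#" >&2
        return 1
    fi
    # assemble network byte order with multiplication; avoids shift-width
    # surprises in shells whose arithmetic is only 32 bits wide
    since_1900=$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
    echo $(( since_1900 - RFC868_UNIX_OFFSET ))
}

# epoch_to_utc EPOCH: print EPOCH in the same style as the daytime service, in UTC.
# GNU date takes -d @EPOCH, BSD date takes -r EPOCH; try both.
epoch_to_utc() {
    date -u -d "@$1" '+%a %b %e %H:%M:%S %Y' 2>/dev/null ||
        date -u -r "$1" '+%a %b %e %H:%M:%S %Y'
}

# Constructed sample reply (not captured from a real server): 0x83AA8C90 =
# 2208992400 seconds since 1900, i.e. 1970-01-01 01:00:00 UTC, Unix epoch 3600.
TIME_REPLY_SAMPLE=$(mktemp)
printf '\203\252\214\220' > "$TIME_REPLY_SAMPLE"

epoch=$(time_reply_to_epoch "$TIME_REPLY_SAMPLE")
echo "time reply = $epoch seconds since the Unix epoch ($(epoch_to_utc "$epoch"))"
```

To use it against a live server, capture the reply first (for example with a TCP client that writes the four bytes it receives to a file) and pass that file to time_reply_to_epoch; compare the result with the local clock before trusting it.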
 

12.2 Standard Services
 

There are more services that are easy to configure and useful. Brief explanations follow.
 

12.2.1 shell
 

Provides remote shell access. This service allows the execution of single commands on the server, with the output returned to the requester. It is provided by the /usr/sbin/in.rshd daemon. Please refer to the rshd(8) and rsh(1) man pages for more details on this service. We recommend that you not enable this service because it has proven to be insecure: it trusts the client's host name and user name (the .rhosts mechanism), and everything travels over the network in the clear. If you want or need this functionality, a far better choice is the secure shell, which is provided by sshd and is discussed in Chapter 13.

12.2.2 login
 


 
Almost the same as the telnet service, but it uses the same kind of (weak) host-based authentication found in the shell service. The daemon for this service is /usr/sbin/in.rlogind. You should not enable this service, for the same reasons given for shell: it too is insecure. As in the previous example, sshd provides the same functionality with far greater security.
 

12.2.3 telnet
 

The DARPA telnet interactive communication protocol. This service allows remote login sessions on the machine providing the service. The daemon providing it is /usr/sbin/in.telnetd. Connecting to the telnet port gives you a login: and password: prompt, just as when you log in on the local console:
 

 
> telnet localhost  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  

 
Welcome to SuSE Linux 6.0 (i386) - Kernel 2.2.1 (ttyp5).

Tosh login: bb
Password:
Have a lot of fun...
Last login: Sat Feb 13 19:19:21 on ttyp0 from Netwinder.suse.com.
You have mail.
Directory: /home/bb
Sun Feb 14 00:31:27 PST 1999
[tcshrc] bb has logged on ttyp0 from netwinder.
bb has logged on ttyp5 from localhost.
[bb@Tosh:1] ~ >
 
 
NOTE This service has one special feature you should know about. It uses the login program to actually log onto the machine, which means it is influenced by the settings in /etc/login.defs. SuSE configures this file so that root logins over the telnet port are prohibited when the variable ROOT_LOGIN_REMOTE in /etc/rc.config is set to no. This is done for security reasons. It doesn't mean that you can't log in remotely and perform administrative work that requires root permissions. You can still do this by logging in on a regular user account and using the utility su (substitute user) to become root. The difference is that when you use su, the switch is logged in /var/log/messages together with the name of the user who became root. The advantage of this method is obvious: you can trace who logged in over a network connection, became root, and exercised privileges not assigned to that user.
 
CAUTION Even though telnet doesn't use the same (weak) host-based authentication method as the r-utilities, it is still far from secure. User name, password, and the entire interactive session are transmitted unencrypted over the network. This makes it possible to sniff passwords and even hijack the telnet session. We can't overemphasize that ssh is a better choice than telnet and should be used whenever possible.
 
 
12.2.4 talk
 

This service is used to notify a user that someone else wants to initiate a conversation. It acts as a repository of invitations and responds to requests from clients who wish to rendezvous for a conversation. The caller usually uses the command talk to initiate the conversation. The daemon handling this is /usr/sbin/in.talkd.
 

12.2.5 ntalk
 

Same as the talk service, but it listens on another port, the one used by the newer ntalk(1) protocol.
 

12.2.6 finger
 

The daemon providing this service is /usr/sbin/in.fingerd. This is a simple daemon based on RFC 1196 that provides an interface to the finger program at most network sites. The program is supposed to return either a friendly, human-oriented status report on the state of the system at the moment or in-depth information on a particular person. If this person created the file ~/.plan, finger displays it as well. Note that it hands user names, real names, and login times to anyone who can reach the port, which is why many sites disable it.
 

 
> finger bb  
Login: bb Name: Bodo Bauer  
Directory: /home/bb Shell: /bin/tcsh  
Last login Sat Mar 20 15:03 (PDT) on :0 from console  
No mail.  
No Plan.  
 
 
12.2.7 systat
 

Connecting to this service returns a status report of the system to which you connect. On SuSE Linux systems, this is the output of /bin/ps -auwwx. User names, running daemons, and process IDs are exactly what an attacker collects before attacking a host, so this service belongs only on trusted networks, if anywhere.
 

 
>telnet localhost systat 
Trying 127.0.0.1... 
Connected to localhost. 
Escape character is '^]'. 
warning: `-' deprecated; use `ps auwwx', not `ps -auwwx' 
USER      PID %CPU %MEM  SIZE  RSS TTY STAT START   TIME COMMAND 
at        161  0.0  0.0   892  112  ?  S   Aug 30   0:00 /usr/sbin/atd 
bb        479  0.0  0.9  3884 1176  ?  S   Aug 30   0:04 Eterm 
bb        548  0.0  0.0  2104    0  a0 SW  Aug 30   0:00 (tcsh) 
bb        573 79.5  0.2   628  320  a0 R N Aug 30 7185:50 (rc5des) 
bb        617  0.0  0.3  3928  508  ?  S   Aug 30   0:06 Eterm 
bb        626  0.0  0.0  2056    0  p0 SW  Aug 30   0:01 (tcsh) 
[...] 
root      547  0.0  0.0  1632  124  ?  S   Aug 30   0:09 SCREEN -R 
root    13898  0.0  0.6  1388  776  ?  S    17:55   0:00 /usr/sbin/nmbd -D 
root    13901  0.0  0.5  1760  752  ?  S    17:55   0:00 /usr/sbin/smbd -D 
root    14318  0.2  0.9  1908 1268  p6 S    20:34   0:00 -bash 
root    31829  0.0  0.0  1912    0  p3 SW  Sep  3   0:00 (bash) 
root    31863  0.0  0.0   960   52  ?  S   Sep  3   0:00 /usr/sbin/lpd 
root    32670  1.1  0.3  1520  424  p3 S   Sep  3  39:40 top 
wwwrun    214  0.0  0.0  5572    0  ?  SW  Aug 30   0:00 (httpd) 
wwwrun    215  0.0  0.0  5572    0  ?  SW  Aug 30   0:00 (httpd) 
wwwrun    218  0.0  0.0  5572    0  ?  SW  Aug 30   0:00 (httpd) 
Connection closed by foreign host. 
 
 
12.2.8 netstat
 

Similar to systat, but network focused. Requests to this service return the output of /bin/netstat -a, that is, every listening port and open connection on the machine. The same caution applies as for systat.
 

 
> telnet localhost netstat 
Trying 127.0.0.1... 
Connected to localhost. 
Escape character is '^]'. 
Active Internet connections (servers and established) 
Proto Recv-Q Send-Q Local Address        Foreign Address       State 
tcp        0      0 localhost:auth       localhost:2086        TIME_WAIT 
tcp        1      0 localhost:2086       localhost:auth        CLOSE 
tcp        0      0 localhost:netstat    localhost:2085        ESTABLISHED 
tcp        0      0 localhost:2085       localhost:netstat     ESTABLISHED 
tcp        0      0 localhost:auth       localhost:2084        TIME_WAIT 
tcp        0      0 localhost:netstat    localhost:2083        TIME_WAIT 
tcp        0      0 *:netstat            *:*                   LISTEN 
tcp        0      0 *:systat             *:*                   LISTEN 
tcp        0      0 *:netbios-ssn        *:*                   LISTEN 
tcp        0      0 *:printer            *:*                   LISTEN 
tcp        0      0 localhost:4552       localhost:5001        CLOSE 
tcp        0      0 *:1025               *:*                   LISTEN 
tcp        0      0 *:6000               *:*                   LISTEN 
tcp        0      0 *:1024               *:*                   LISTEN 
tcp        0      0 *:mysql              *:*                   LISTEN 
tcp        0      0 *:smtp               *:*                   LISTEN 
tcp        0      0 *:ssh                *:*                   LISTEN 
[...] 
unix  1      [ N ]     STREAM    CONNECTED     266    /tmp/.X11-unix/X0 
unix  1      [ ]       STREAM    CONNECTED     255    /tmp/.X11-unix/X0 
unix  1      [ ]       STREAM    CONNECTED     244    /tmp/.X11-unix/X0 
unix  1      [ ]       STREAM    CONNECTED     239    /tmp/.X11-unix/X0 
unix  1      [ ]       STREAM    CONNECTED     164    /tmp/.X11-unix/X0 
unix  1      [ ]       STREAM    CONNECTED     144    /dev/log 
unix  1      [ ]       STREAM    CONNECTED     142    /dev/log 
unix  1      [ ]       STREAM    CONNECTED     134    /dev/log 
unix  1      [ ]       STREAM    CONNECTED     80     /dev/log 
unix  1      [ ]       STREAM    CONNECTED     61     /dev/log 
unix  1      [ ]       STREAM    CONNECTED     57     /dev/log 
Connection closed by foreign host. 
 
 
12.2.9 POP
 

The Post Office Protocol. It lets client machines, traditionally Macintosh and MS-DOS computers that run no mail system of their own, fetch their electronic mail from the server. SuSE uses /usr/sbin/popper to provide this service. There is not very much to configure. You can turn on debug logging with the -d flag, which makes popper write debug messages to /var/log/messages. Statistical messages are turned on by default (the -s flag is given in the default SuSE configuration). This results in a one-line entry in /var/log/messages for each POP session processed by the server. Note that the standard POP login (USER and PASS commands) sends the password in the clear, so the sniffing caveat given for telnet applies here as well.

12.2.10 ident
 


 
The Identification Protocol (also called "ident" or sometimes "the Ident Protocol") provides a means to determine the identity of a user of a particular TCP connection. Given a TCP port number pair, it returns a character string that identifies the owner of that connection on the server's system. The daemon responsible for this service is /usr/sbin/in.identd. Please look up the man page ident(8) for more details on this service. Remember that the answer comes from the remote host and can claim anything, so ident replies are useful for logging but must never be used for authentication.
 
When you install SuSE Linux, not all of these services are enabled by default. Some of them are not needed on every system, and some deal with sensitive information, which you probably don't want to broadcast to the world. By default, only the services telnet, shell, login, talk, ntalk, finger, and ident are enabled.
 
As pointed out in the introduction to this section, working configurations for all these services can be found in /etc/inetd.conf, and all you have to do is remove the comment character # from the corresponding line to enable the service (or add it to disable one). Don't forget to force inetd to reread its configuration after every change you make by sending it a SIGHUP; otherwise, your changes will have no effect.
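The procedure just described (comment or uncomment the entry, then send inetd a SIGHUP) as an added example that is not part of the book: small POSIX shell functions that read, enable and disable entries in an inetd.conf file and list what is active. They are run here against a constructed copy of the file, not the real /etc/inetd.conf, and the pid file path used in inetd_reload is an assumption; check your system's init scripts.

```shell
#!/bin/sh
# Added example (not from the book): inspect and toggle inetd.conf entries, then tell
# inetd to reread its configuration. Functions take the config path explicitly so the
# demo below can run against a constructed copy instead of the live /etc/inetd.conf.

# A line is an entry for service SVC if, ignoring leading whitespace and an optional
# comment sign, it reads "SVC  stream|dgram ...". Requiring the socket-type field keeps
# descriptive comments such as "# finger is a risk" from being mistaken for entries.
_svc_re() { printf '%s[[:space:]]+(stream|dgram)[[:space:]]' "$1"; }

# inetd_service_state CONF SVC -> prints on, off (commented out) or absent
inetd_service_state() {
    conf=$1 re=$(_svc_re "$2")
    if grep -Eq "^[[:space:]]*$re" "$conf"; then
        echo on
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$re" "$conf"; then
        echo off
    else
        echo absent
    fi
}

# inetd_set_service CONF SVC on|off -- comment or uncomment every entry for SVC
# (a service such as echo or time often has both a tcp and a udp line).
inetd_set_service() {
    conf=$1 re=$(_svc_re "$2") tmp=$(mktemp)
    case $3 in
        on)  sed -E "s/^[[:space:]]*#[[:space:]]*($re)/\\1/" "$conf" > "$tmp" ;;
        off) sed -E "s/^[[:space:]]*($re)/#\\1/" "$conf" > "$tmp" ;;
        *)   echo "usage: inetd_set_service CONF SERVICE on|off" >&2; rm -f "$tmp"; return 2 ;;
    esac
    # copy back through the existing file so its owner and mode are kept
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# inetd_enabled_services CONF -> the active service names, in file order, on one line
inetd_enabled_services() {
    awk '!/^[[:space:]]*#/ && $2 ~ /^(stream|dgram)$/ && !seen[$1]++ { print $1 }' "$1" |
        paste -s -d ' ' -
}

# inetd_reload -- inetd only rereads inetd.conf on SIGHUP. Assumes the pid file
# /var/run/inetd.pid (an assumption; your init scripts may keep it elsewhere).
inetd_reload() { kill -HUP "$(cat /var/run/inetd.pid)"; }

# Constructed sample in the layout of inetd.conf, not SuSE's actual file.
INETD_CONF=$(mktemp)
cat > "$INETD_CONF" <<'EOF'
# service  socket  proto   wait    user    program               arguments
echo       stream  tcp     nowait  root    internal
echo       dgram   udp     wait    root    internal
# chargen  stream  tcp     nowait  root    internal
# chargen  dgram   udp     wait    root    internal
daytime    stream  tcp     nowait  root    internal
time       stream  tcp     nowait  root    internal
shell      stream  tcp     nowait  root    /usr/sbin/in.rshd     in.rshd
login      stream  tcp     nowait  root    /usr/sbin/in.rlogind  in.rlogind
telnet     stream  tcp     nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger     stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
# systat   stream  tcp     nowait  nobody  /bin/ps               ps -auwwx
EOF

# Apply the chapter's advice: turn off the r-services, which sshd replaces.
inetd_set_service "$INETD_CONF" shell off
inetd_set_service "$INETD_CONF" login off
echo "enabled: $(inetd_enabled_services "$INETD_CONF")"
# on a real system, follow up with: inetd_reload
```

Run the functions against /etc/inetd.conf as root to audit a real machine; inetd_enabled_services is a quick way to compare what is actually listening against what you intended to offer.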
 
 

Summary:
  Some basic services don't need large configuration files. Their focus is limited, and the command line in /etc/inetd.conf covers all of their options.
 
Some of these services -- especially the login-related ones -- are possible security risks and should be disabled. The secure shell daemon sshd is a good and secure replacement for them.
 

Copyright (c) 1999 by Terrehon Bowden and Bodo Bauer
To contact the author, please send mail to bb@bb-zone.com