[ Team LiB ] |
Recipe 3.3 Enabling/Disabling a Service (xinetd)

3.3.1 Problem

You want to prevent a specific TCP service from being invoked on your system by xinetd.

3.3.2 Solution

If the service's name is "myservice," locate its configuration in /etc/xinetd.d/myservice or /etc/xinetd.conf and add:

    disable = yes

to its parameters. For example, to disable telnet, edit /etc/xinetd.d/telnet:

    service telnet
    {
        ...
        disable = yes
    }

Then inform xinetd by signal to pick up your changes:

    # kill -USR2 `pidof xinetd`

To permit access, remove the disable line and resend the SIGUSR2 signal.

3.3.3 Discussion

Instead of disabling the service, you could delete its xinetd configuration file (e.g., /etc/xinetd.d/telnet), or even delete the service's executable from the machine, but such deletions are harder to undo. (Don't remove the executable and leave the service enabled, or xinetd will still try to run it and will complain.)

Alternatively use ipchains or iptables [Recipe 2.7] if you want to keep the service runnable but restrict the network source addresses allowed to invoke it. Specific services might also have their own, program-level controls for restricting allowed client addresses.

3.3.4 See Also

xinetd(8). The xinetd home page is http://www.synack.net/xinetd.
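One way to confirm which services the recipe's edit has actually turned off, as an added example that is not from the book: the function below reads the `disable` attribute of each `service` block in the files it is given. The helper names `xinetd_service_state` and `make_sample` and the sample file contents are constructed for illustration, and only the per-service `disable` attribute is inspected.

```shell
#!/bin/sh
# Added example (not from the recipe): audit xinetd "disable" settings.

# xinetd_service_state SERVICE FILE...
# Prints "disabled" if every "service SERVICE" block found has disable = yes,
# "enabled" if at least one does not, "absent" if no block names SERVICE.
xinetd_service_state() {
    svc=$1; shift
    awk -v svc="$svc" '
        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "service" { want = ($2 == svc); if (want) { found = 1; dis = 0 } }
        want && /[{]/ { inblk = 1 }                  # brace may be on its own line
        inblk && /^[ \t]*disable[ \t]*=[ \t]*yes[ \t]*$/ { dis = 1 }
        inblk && /[}]/ { if (!dis) enabled++; inblk = 0; want = 0 }
        END { print (!found ? "absent" : (enabled ? "enabled" : "disabled")) }
    ' "$@"
}

# make_sample DIR: write constructed sample configs (not real system files).
make_sample() {
    cat > "$1/telnet" <<'EOF'
# constructed sample
service telnet
{
        socket_type = stream
        server      = /usr/sbin/in.telnetd
        disable     = yes
}
EOF
    cat > "$1/ftp" <<'EOF'
service ftp
{
        socket_type = stream
        # disable = yes
        server      = /usr/sbin/in.ftpd
}
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
for s in telnet ftp myservice; do
    printf '%s: %s\n' "$s" "$(xinetd_service_state "$s" "$tmp"/*)"
done
rm -rf "$tmp"
```

On a real host, pass /etc/xinetd.d/* and /etc/xinetd.conf as the file arguments; a commented-out `disable = yes` line, as in the sample ftp block, leaves the service enabled.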