inetdr

Back in November of 1994, someone broke into ren and stimpy, two of the UNIX machines at the Johns Hopkins Department of Psychology. At the time, I was working as a research assistant for the department, under the direction of graduate student Fred Merkel. In response to the break-in, Fred and I wrote two pieces of security software: inetdr and rkloffl.

inetdr is a modification of inetd, the Internet superserver, that allows the administrator to define an IP-address based access list for each network service. Andy Poling wrote the original inetdr in 1992 as an alternative to tcp_wrappers. Andy didn't like tcp_wrappers because of the overhead incurred by reading the hosts.allow and hosts.deny files each time a new connection was received -- he was the administrator of an already-overloaded host that serviced hundreds of connections per minute.

After the break-in in Psychology, Fred and I decided to start using Andy's inetdr, but we found that it had some problems of its own. Most notably, it required that the access list for each network service be kept in the inetd.conf file itself. This proved to be too cumbersome for two reasons: first, since we had a large number of trusted sites for each network service, trying to list all of them on a single huge line in inetd.conf was confusing and difficult to edit. Second, most of our services had the same access list (e.g., "telnet", "rsh", and "shell" had the same list of allowed sites), and it was hard to keep the access lists synchronized.

Another problem with both inetdr and tcp_wrappers is that there is no way to define both "allowed" and "disallowed" sites -- for example, there's no way to say "Do not accept connections from any site except sites at Hopkins, except that connections from the Cognitive Science department should not be accepted."

My version of inetdr solves all of these problems and more! It's a dessert topping and a floor wax.

inetdr allows you to create an access control list for each service in its own file. The file has the same name as the service with the .acl extension; for example, the hosts allowed to access the telnet server are listed in a file called telnet.acl. Each line lists a network and netmask prefixed with either a plus sign (+) or a minus sign (-), indicating a positive (allow) or negative (deny) filter. Incoming hosts are matched against every filter, in order, down to the end of the access control list, so a later matching filter overrides an earlier one. This is illustrated with the following example ACL:

-0.0.0.0/0.0.0.0               # Allow nobody...
+128.220.0.0/255.255.0.0       # Except that we *should* allow Hopkins in
-128.220.13.0/255.255.255.0    # But we don't trust Hopkins CS Department
-128.220.29.0/255.255.255.0    # We don't trust Hopkins CogSci either
+128.220.13.85/255.255.255.255 # But DO let me log in from my CS machine
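To make the matching rule concrete, here is an added Python reimplementation of the ACL semantics (it is not the inetdr source): it parses the telnet.acl above and applies every filter in order so that the last matching line decides, which is the only reading under which the example admits Hopkins but not the CS department. Treating a host that matches no filter as denied is an assumption; the page's example never reaches that case because its first line matches everyone.

```python
import re

# Constructed copy of the telnet.acl shown on the page: one "+net/mask" or
# "-net/mask" filter per line, '#' starts a comment, later lines override
# earlier ones.
TELNET_ACL = """\
-0.0.0.0/0.0.0.0               # Allow nobody...
+128.220.0.0/255.255.0.0       # Except that we *should* allow Hopkins in
-128.220.13.0/255.255.255.0    # But we don't trust Hopkins CS Department
-128.220.29.0/255.255.255.0    # We don't trust Hopkins CogSci either
+128.220.13.85/255.255.255.255 # But DO let me log in from my CS machine
"""

def ip_to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer, rejecting junk."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(int(o) for o in octets), "big")

def parse_acl(text):
    """Return [(allow, net, mask), ...] in file order; raise on malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comment and whitespace
        if not line:
            continue
        m = re.fullmatch(r"([+-])(\S+)/(\S+)", line)
        if not m:
            raise ValueError(f"line {lineno}: expected +net/mask or -net/mask")
        sign, net, mask = m.groups()
        rules.append((sign == "+", ip_to_int(net), ip_to_int(mask)))
    return rules

def check_host(rules, host, default=False):
    """Walk every filter in order; the last one matching the host wins.
    A host matching no filter gets `default` (deny here; this is an assumption,
    since the page's example always matches via its -0.0.0.0/0.0.0.0 line)."""
    addr = ip_to_int(host)
    verdict = default
    for allow, net, mask in rules:
        if (addr & mask) == (net & mask):     # classic network/netmask test
            verdict = allow
    return verdict

if __name__ == "__main__":
    rules = parse_acl(TELNET_ACL)
    for h in ("192.0.2.1", "128.220.5.6", "128.220.13.1", "128.220.29.7", "128.220.13.85"):
        print(h, "allow" if check_host(rules, h) else "deny")
```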

The great thing about keeping each access list in its own file is that the list is easy to edit, and it's easy to add comments (e.g., the user who requested each allowed host). Another advantage is that inetdr's base configuration file (inetd.conf) has exactly the same syntax as the standard inetd's configuration file. Plus, it's easy to keep multiple ACLs synchronized by using symbolic links:

% cat > local-users.acl
-0.0.0.0/0.0.0.0
+128.220.13.0/255.255.255.0
^D
% ln -s local-users.acl telnet.acl
% ln -s local-users.acl login.acl
% ln -s local-users.acl exec.acl
% ln -s local-users.acl shell.acl

Now, changes to the access list are made in only one place, and the change is automatically reflected everywhere. My inetdr also maintains the efficiency of Andy's -- the access control lists are only read when inetdr starts, or when it receives a HUP signal.

Another cute feature of my version of inetdr is that it doesn't just disconnect disallowed sites; it allows you to define an optional message that is printed before the refused connection is cut off. This is useful because you can try to trick potential attackers into thinking that your machine is broken or down, instead of tantalizing them with the knowledge that their site is being screened out. For example:

% cat > telnet.msg
Sorry, the machine is down for system maintenance.
^D
% cat > ftp.msg
530-Service unavailable
^D
% cat > login.msg
Protocol error.
^D

I really loved using inetdr -- it was such a beautiful little program, and it did its job perfectly. I'm still really proud of it. Unfortunately, I don't use it any more because it has problems compiling under anything but IRIX; I never tried very hard to port it. Maybe I will someday if I'm feeling nostalgic.



Jeremy Elson
Last updated: 1 June 1998