/etc/inetd.conf


ENSURE that the permissions on this file are set to 600.

ENSURE that the owner is root.

DO disable any services which you do not require.

To do this we suggest that you comment out ALL services by placing a "#" at the beginning of each line. Even seemingly innocuous services such as echo and chargen may be used in a DoS attack (for example, by pointing the UDP echo and chargen ports of two hosts at each other so that they loop traffic indefinitely).

Enable the ones you NEED by removing the "#" from the beginning of the line. In particular, it is best to avoid the "r" commands (e.g. rsh, rlogin, rexec), which trust clients on the basis of hostnames and .rhosts/hosts.equiv files, and tftp, which serves files without authentication; both have been major sources of compromise.

For changes to take effect, you need to make the inetd process re-read its configuration or restart it. Do this by issuing the commands in C.1. For some systems (including AIX), these commands are not sufficient. Refer to vendor documentation for more information.
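The following script is an added example that is not part of the CERT checklist. It shows the permission and ownership checks from the top of this section and the comment-out-everything-then-re-enable procedure above, applied to a constructed sample inetd.conf (the sample lines and the list of "risky" service names are assumptions for the example, not taken from any real host). It assumes lines in inetd.conf start in column 1, as is conventional.

```shell
#!/bin/sh
# Added example: audit and harden an inetd.conf the way the checklist
# describes. Not code from the CERT page; the sample below is constructed.

# Constructed sample inetd.conf (not copied from any real system).
SAMPLE_INETD_CONF='# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
echo    stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# Services the checklist singles out ("r" commands, tftp) plus the small
# internal services usable for looping/amplification DoS. This list is an
# assumption for the example; extend it for your site.
RISKY_SERVICES='shell login exec tftp echo chargen discard daytime'

# enabled_services FILE: print the service name of every line that is
# neither blank nor commented out.
enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{ print $1 }'
    return 0
}

# risky_enabled FILE: print enabled services that appear in RISKY_SERVICES.
risky_enabled() {
    for svc in $(enabled_services "$1"); do
        for r in $RISKY_SERVICES; do
            if [ "$svc" = "$r" ]; then printf '%s\n' "$svc"; fi
        done
    done
    return 0
}

# harden_inetd_conf IN OUT [SERVICE...]: write OUT as a copy of IN with every
# service line commented out except the named services, which stay enabled.
harden_inetd_conf() {
    src="$1"; dst="$2"; shift 2
    keep=" $* "
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)
                printf '%s\n' "$line" ;;          # blank or already disabled
            *)
                svc=$(printf '%s\n' "$line" | awk '{ print $1 }')
                case "$keep" in
                    *" $svc "*) printf '%s\n' "$line" ;;   # explicitly kept
                    *)          printf '#%s\n' "$line" ;;  # disable
                esac ;;
        esac
    done < "$src" > "$dst"
    return 0
}

# mode_is_0600 FILE: succeed only if the permission bits are exactly 0600
# (find -perm with no +/- prefix is an exact match).
mode_is_0600() {
    [ -n "$(find "$1" -prune -perm 600 -print 2>/dev/null)" ]
}

# owned_by_root FILE: succeed only if FILE is owned by root.
owned_by_root() {
    [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]
}

# Usage: sh inetd_audit.sh /etc/inetd.conf
if [ $# -gt 0 ]; then
    conf="$1"
    mode_is_0600 "$conf"  || echo "WARN: $conf is not mode 0600"
    owned_by_root "$conf" || echo "WARN: $conf is not owned by root"
    echo "enabled services:";       enabled_services "$conf"
    echo "enabled risky services:"; risky_enabled "$conf"
fi
```

After writing the hardened file into place you still have to make inetd re-read it (the commands in C.1); the script only edits the file. Run it against the sample by writing SAMPLE_INETD_CONF to a temporary file first.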

Verify that you have disabled any unnecessary startup scripts. This may be done by removing the executable bit, or by renaming the files so they do not start with K or S, under /etc/init.d or the startup script directory for your system. See your vendor's documentation for specific details.

DO use tcp_wrappers to provide greater access and logging on any enabled network services (see 2.2).

DO enable access controls and logging for inetd if your version supports it.

CONSIDER alternatives to inetd. Xinetd is claimed to have enhanced access control and logging capabilities as well as resistance to DoS attacks (per-service connection limits). It is included in the Red Hat Linux 7 distribution and the source code is available for other systems from:
http://www.xinetd.org/

reference: http://www.cert.org/tech_tips/usc20_full.html