inetd, inetd.conf

internet super-server

inetd [-d] [-E] [-i] [-l] [-q length] [-R rate] [configuration_file]

Listens for connections on internet sockets. When a connection is found it invokes a program to service the request. After the program is finished, it continues to listen on the socket (except in some cases).
Allows running one daemon to invoke several others, reducing load on the system.

-d Turns on debugging.
-E Environment variables ( a selection of poterntially harmful, including $PATH) are not removed.
Without -E they will be removed and not inherited by services.
-i Not daemonize
-l Turns on libwrap connection logging and access control.
/usr/sbin/tcpd is silently not executed even if present in /etc/inetd.conf.
Internal services cannot be wrapped.
-q length of the listen(2) connections queue; Default 128.
-R i/min Rate, in invokes per minute, a service can be invoked. Default is 256 (i.e. every 23 ms!).
If a service reaches this, inetd will log the problem and stop servicing requests for the service for 10 minutes.
See wait/nowait configuration

inetd reads its configuration file, by default: /etc/inetd.conf.
There is an entry for each service with entries for each field separated by a tab or a space.
Comments lines have "#" at the beginning
The fields are :

           user[.group] or user[:group]
           server program
           server program arguments

     For a Sun-RPC based service: (change these lines to)
For internet services, the first field may include a host . Multiple local addresses can be specified on the same line, separated by commas.
Numeric IP addresses can be used. Symbolic hostnames are looked up using getaddrinfo(). If a hostname has multiple address mappings, inetd creates a socket to listen on each address.

* indicates INADDR_ANY, meaning "all local addresses".
A line with only a host address causes that to be used for the following lines.
If the protocol is "unix", this value is ignored.

The serviceName is in /etc/services or a port number.
For "internal" services the name must be the official name of the service (that is, the first entry in /etc/services).
To specify a Sun-RPC based service, this is a service in /etc/rpc. This can be a single numeric argument or a range of versions. A range is bounded by the low version to the high version - "rusers/1-3".

For UNIX-domain sockets this field is the path name of the socket.

The socketType should be one of stream, dgram, raw, rdm(reliably delivered message), or seqpacket (sequenced packet).

The protocol is in /etc/protocols or unix. Examples: "tcp" or "udp". RPC based services are specified with the "rpc/tcp" or "rpc/udp" service type. "tcp" and "udp" will be recognized as "TCP or UDP over default IP version". This is currently IPv4, but in the future it will be IPv6. To specify IPv4 or IPv6 explicitly, use "tcp4" or "udp6". A protocol of "unix" is used to specify a socket in the UNIX-domain.

In addition to the protocol, the configuration may specify the socket buffer sizes. This is useful for TCP as the window scale factor, which is based on the receive socket buffer size, is advertised when the connection handshake occurs, thus the socket buffer size for the server must be set on the listen socket. By increasing the socket buffer sizes, better TCP performance may be realized in some situations. The socket buffer sizes are specified by appending their values to the protocol specification
A value may include 'k' to indicate kilobytes or 'm' to indicate megabytes.


wait/nowait specifies that inted wait for the server program to return, or continue processing connections on the socket. If a datagram server connects to its peer, freeing the socket so inetd can receive further messages on the socket, A "multi-threaded" server should use "nowait" .
For datagram servers which process all incoming datagrams on a socket and eventually time out, the server is said to be "single-threaded" and should use "wait" . comsat(8) (biff(1)) and talkd(8) are both examples of the latter type of datagram server.
max suffix is the maximum number of times a service can be invoked in one minute; the default is 256. If a service reaches this limit, inetd will log the problem and stop servicing requests for the service for 10 minutes. See also -R

Stream servers are usually marked as "nowait" but if a single server process is to handle multiple connections, it may be marked as "wait". The master socket will then be passed as fd 0 to the server, which will then need to accept the incoming connection.
The server should time out and exit when no more connections are active. inetd will continue to listen on the master socket for connections, so the server should not close it when it exits.

user is the user name the server will run as. This allows servers to be given less permission than root. group name allows for servers to run with a different (primary) group ID than specified in the password file. If a group is specified and user is not root, the supplementary groups associated with that user will still be set.

The server program entry should contain the pathname of the program which is to be executed by inetd when a request is found on its socket. If inetd provides this service internally, this entry should be "internal".

The server program arguments should be just as arguments normally are, starting with argv[0], which is the name of the program. If the service is provided internally, the word "internal" should take the place of this entry.

inetd provides several "trivial" services internally by use of routines within itself. These ser- vices are "echo", "discard", "chargen" (character generator), "daytime" (human readable time), and "time" (machine readable time, in the form of the number of seconds since midnight, January 1, 1900). All of these services are TCP based. For details of these services, consult the appropriate RFC from the Network Information Center.

inetd rereads its configuration file when it receives a hangup signal, SIGHUP. Services may be added, deleted or modified when the configuration file is reread.

libwrap Support for TCP wrappers is included with inetd to provide built-in tcpd-like access control func- tionality. An external tcpd program is not needed. You do not need to change the /etc/inetd.conf server-program entry to enable this capability. inetd uses /etc/hosts.allow and /etc/hosts.deny for access control facility configurations, as described in hosts_access(5).

IPv6 TCP/UDP behavior If you wish to run a server for IPv4 and IPv6 traffic, you'll need to run two separate processes for the same server program, specified as two separate lines in inetd.conf, for "tcp4" and "tcp6".

Under various combinations of IPv4/v6 daemon settings, inetd will behave as follows: o If you have only one server on "tcp4", IPv4 traffic will be routed to the server. IPv6 traffic will not be accepted. o If you have two servers on "tcp4" and "tcp6", IPv4 traffic will be routed to the server on "tcp4", and IPv6 traffic will go to server on "tcp6". o If you have only one server on "tcp6", only IPv6 traffic will be routed to the server. The special "tcp46" parameter can be used for obsolete servers which require to receive IPv4 con- nections mapped in an IPv6 socket. Its usage is discouraged.


fingerd(8), ftpd(8), identd(8), talkd(8)


On Linux systems, the daemon cannot reload its configuration and needs to be restarted when the host address for a service is changed between "*" and a specific address.

Server programs used with "dgram" "udp" "nowait" must read from the network socket, or inetd will spawn processes until the maximum is reached.

Host address specifiers, while they make conceptual sense for RPC services, do not work entirely correctly. This is largely because the portmapper interface does not provide a way to register different ports for the same service on different local addresses. Provided you never have more than one entry for a given RPC service, everything should work correctly. (Note that default host address specifiers do apply to RPC lines with no explicit specifier.)

inetd update-inetd

update-inetd - create, remove, enable or disable entry /etc/inetd.conf [option …...] command argument

Used to add, remove, enable or disable entries in /etc/inetd.conf
After the changes, signals inetd with SIGHUP

Add entries that are 'commented out' by default to be be treated like normal entries. No entry can be added if an entry iscommented out for the same service

Use single '#' character to "commented out" a service using update-inetd, and for the service to remain disabled after upgrades,
run update-inetd --comment-chars '#'


--add entry-line Add an entry

A description of the entry-line format can be found in the inetd(8) or inetd.conf(5) manual pages (or just look at /etc/inetd.conf). Quote entry-line.

To add the entry-line to a specific section use <>code>--group .

Adding an entry which exists, and is commented out it, enables the existing entry.
To replace an entry remove the entry with the --remove then --add

--remove entry-regex Remove an entry-line matching entry-regex (e.g. "telnet")
The entry-regex will be anchored at the beginning of the line.
--enable service[… ,] Enable service (e.g. "ftp"). To enable more than one service use a comma-separated list of services (no whitespace characters allowed).
--disable service[,…] Disable service. To disable more than one service you can use a comma-separated list of services (no whitespace characters allowed).
--enable and --remove are ignored for service entries that are commented out using anything but the value specified with --comment-chars (or the default value if none is specified).


--group groupname The new entry is be placed in group groupname (e.g. "MAIL"). If the group does not exist the entry will be placed at the end of the file. The default group is "OTHER". only with --add
--pattern pattern To select a service if there are multiple services of the same name. (not a good idea ed) not relevant with --add
--comment-chars characters "## " are the default comment characters. This is only necessary if when dealing with multiple services of the same name.
--multi Used to disable/remove more than one entry at a time.
--file filename Use filename instead of /etc/inetd.conf.
--verbose Explain what is being done.
--debug Enables debugging mode.
--help Print a usage message on standard output and exit
--version output version information on standard output and exit


After installing ssh (secure encrypting remote shell) disable its unencrypted cousins:
  update-inetd --comment-chars '#' --disable login,shell,exec,telnet
Using a single '#' character as a comment-char prevents update-inetd to re-enable the services on package upgrades. Prohibit other systems from reaeding the system clock.
update-inetd --comment-chars '#' --disable time,daytime
Allow other systems to reaeding the system clock.
update-inetd --enable time,daytime
Information that inetd is crashed via a SYN attack against the time and daytime services.
Turn off only the TCP versions, while leaving the UDP services enabled:
update-inetd --comment-chars '#' --pattern tcp --disable time,daytime
After building a POP3 server, install the entry from the Makefile:
update-inetd --group MAIL --add \

Sample initd.conf

From raspberry pi bullseye 9/3/23.
# /etc/inetd.conf:  see inetd(8) for further informations.
# Internet superserver configuration database
# Lines starting with "#:LABEL:" or "##" should not
# be changed unless you know what you are doing!
# If you want to disable an entry so it isn't touched during
# package updates just comment it out with a single '#' character.
# Packages should modify this file by using update-inetd(8)
#:INTERNAL: Internal services
#discard        stream  tcp nowait  root    internal
#discard        dgram   udp wait    root    internal
#daytime        stream  tcp nowait  root    internal
#time       stream  tcp nowait  root    internal

#:STANDARD: These are standard services.
telnet      stream  tcp nowait  telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd

#:BSD: Shell, login, exec and talk are BSD protocols.

#:MAIL: Mail, news and uucp services.

#:INFO: Info services
finger      stream  tcp nowait  root    /usr/sbin/tcpd  /usr/sbin/cfingerd

#:BOOT: TFTP service is provided primarily for booting.  Most sites
#       run this only on machines acting as "boot servers."

Perl scripts use the Perl module DebianNet. See DebianNet(3pm)

Package maintainer scripts should not override the default comment chars


SEE ALSO DebianNet(3pm)

perl v5.32.0 2020-12-24