Friday, May 21, 2010

inetd

What is inetd?

In traditional Unix scenarios, one server (daemon) process watches for connections on a particular port, and handles incoming requests. Now if a machine offers many services, many daemon processes would be needed, mostly running idle but still wasting resources like memory. The internet super server, inetd, is an approach to this problem. It listens on a number of ports, and when it receives a request it then determines which program to run to handle the request and starts an instance of that program.
Following is a very simple diagram to illustrate inetd(8):

  pop3 --------+
               |
  ftpd --------+ INETD ---- Internet / DMZ / Switch / Whatever . . .
               |
  cvsupserver -+

In the above diagram you can see the general idea. The inetd process receives a request and then starts the appropriate server process. What inetd is doing is software multiplexing. An important note here, regarding security: On many other UNIX-like systems, a package called tcpwrappers is used as a security enhancement for inetd.




Configuring inetd - /etc/inetd.conf

The operation of inetd(8) is controlled by its own config file, /etc/inetd.conf, see inetd.conf(5). The inetd.conf file enables and maps the services the system administrator wants multiplexed through inetd(8), indicating which program should be started for incoming requests on which port.
inetd.conf(5) is an ASCII file containing one service per line, with several fields per line.
The basic field layout is:


service-name socket-type protocol wait/nowait user:group server-program arguments




Services - /etc/services

The next file to consider is the service name data base, /etc/services. This file maps a service name to a port number.
The format of the /etc/services file is:

service-name port-number/protocol-name [aliases]

"service-name" is the name of the service, "port-number" is the port number assigned to the service, "protocol-name" is either "tcp" or "udp", and if alias names for a port are needed, they can be added as "aliases", separated by white space.

Let's take a look at the "ssh" entries as an example:



ssh             22/tcp           # Secure Shell
ssh             22/udp

As we can see, from the left, the service name is "ssh", the port number is "22", and the protocols are both "tcp" and "udp". Notice that there is a separate entry for every protocol a service can use (even on the same port).




Protocols - /etc/protocols

Another file read by inetd(8) is /etc/protocols. This file has the information pertaining to DARPA Internet protocols. The format of the protocols name data base is:



protocol-name number [aliases]

where "protocol-name" describes the payload of an IP packet, e.g. "tcp" or "udp". "number" is the official protocol number assigned by IANA, and optional alias names can be added after that. Let's look at the seventh entry in the /etc/protocols db as an example:



tcp     6       TCP             # transmission control protocol




Remote Procedure Calls (RPC) - /etc/rpc

The rpc program number data base used by services with the "rpc" protocol type in inetd.conf(5) is kept in /etc/rpc and contains name mappings to rpc program numbers.
The format of the file is:



server-name program-number aliases

For example, here is the nfs entry:



nfs             100003  nfsprog




Allowing and denying hosts - /etc/hosts.{allow,deny}

NetBSD's inetd(8) has the tcpwrapper package built in via the libwrap library. As such, inetd(8) can allow or deny access to each service on a more fine-grained basis than just allowing a service to everyone, or not enabling it at all. The access control is defined in the files /etc/hosts.allow and /etc/hosts.deny.


Securing the configuration files

1. Change the permissions on /etc/inetd.conf to 600:

root shell > chmod 600 /etc/inetd.conf

2. Ensure that the owner is root:

root shell > stat /etc/inetd.conf

3. Edit the inetd.conf file (vi /etc/inetd.conf) and disable services such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger and auth unless you plan to use them. A service that is turned off is much less of a risk. After editing, send inetd a HUP signal so it re-reads its configuration:

root shell > killall -HUP inetd

4. One more measure you can take to secure the inetd.conf file is to set it immutable using the chattr command (chattr applies to Linux ext2-family file systems; on NetBSD the equivalent is chflags(1) with the schg flag). To set the file immutable, execute the following command:

root shell > chattr +i /etc/inetd.conf

This prevents any changes, accidental or otherwise, to the inetd.conf file. A file with the immutable attribute set cannot be modified, deleted or renamed, no link can be created to it, and no data can be written to it. The only person who can set or clear this attribute is the super-user root. If you later wish to modify the inetd.conf file, you will need to unset the immutable flag by executing the following command:

root shell > chattr -i /etc/inetd.conf
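As an added example that is not part of the original post, here is a small Python audit that parses inetd.conf(5) and /etc/services in the formats described above and lists which of the legacy services named in step 3 are still enabled, together with their port and the user they run as. The file contents embedded in it are constructed samples, not taken from any real system.

```python
# Added example, not from the post: audit inetd.conf(5) for the legacy services
# of step 3. The file contents below are constructed, not taken from a real host.
INETD_CONF = """\
ftp     stream  tcp   nowait  root    /usr/libexec/ftpd     ftpd -ll
#telnet stream  tcp   nowait  root    /usr/libexec/telnetd  telnetd
finger  stream  tcp   nowait  nobody  /usr/libexec/fingerd  fingerd
ntalk   dgram   udp   wait    root    /usr/libexec/ntalkd   ntalkd
ssh     stream  tcp6  nowait  root    /usr/sbin/sshd        sshd -i
"""
SERVICES = """\
ftp     21/tcp
ssh     22/tcp          # Secure Shell
finger  79/tcp
ntalk   518/udp
"""
LEGACY = {"ftp", "telnet", "shell", "login", "exec", "talk", "ntalk",
          "imap", "pop-2", "pop-3", "finger", "auth"}
FIELDS = ("service", "socket_type", "protocol", "wait", "user", "program", "args")
def _lines(text):                               # non-empty lines, '#' comments removed
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_inetd_conf(text):
    """Parse inetd.conf lines into dicts keyed by FIELDS; arguments stay whole."""
    entries = []
    for line in _lines(text):
        parts = line.split(None, 6)             # 7th field is the whole argument string
        if len(parts) < 6:
            raise ValueError("malformed inetd.conf line: %r" % line)
        entries.append(dict(zip(FIELDS, parts + [""] * (7 - len(parts)))))
    return entries

def parse_services(text):
    """Map (service-name, protocol) -> port number from /etc/services lines."""
    table = {}
    for line in _lines(text):
        name, port_proto = line.split()[:2]     # optional aliases are ignored
        port, proto = port_proto.split("/")
        table[(name, proto)] = int(port)
    return table

def audit(conf_text, services_text):
    """Return (service, protocol, port, user) for every enabled legacy service."""
    ports = parse_services(services_text)
    findings = []
    for e in parse_inetd_conf(conf_text):
        if e["service"] in LEGACY:
            proto = e["protocol"].rstrip("46")  # inetd.conf allows tcp4/tcp6/tcp46
            findings.append((e["service"], proto, ports.get((e["service"], proto)), e["user"]))
    return findings
```

Running audit() on a real host's /etc/inetd.conf and /etc/services gives the list of step-3 services that are still reachable, each with the account it would run under.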


References: 
http://www.netbsd.org/docs/guide/en/chap-inetd.html
http://www.faqs.org/docs/securing/chap5sec36.html
