Using xinetd for system administration
Tuesday, March 03, 2009 by rain
Every UNIX administrator is familiar with inetd, the daemon that manages most incoming network connections through a single configuration file (inetd.conf). Xinetd is a replacement for the inetd daemon that offers many improvements and new features, and it is easier to configure. Ted explains the ideas behind inetd, demonstrates xinetd, and shows how to set it up at your own site.
The classic inetd daemon has been around for a very long time. There are several ways to replace inetd's functions, but the most flexible and simplest seems to be xinetd. Whatever inetd can do, xinetd can do too, and xinetd can do more besides. For example, TCP wrappers, modular configuration, connection redirection and limits on the load from incoming connections are just some of the features that make xinetd a good choice for the system administrator.
This article is written for readers ranging from beginners to intermediate system administrators, and its explanations and examples do not assume you are already familiar with inetd. In it we will look at a few simple uses of xinetd, from installation to implementing a security policy.
Before you begin
For the purposes of this article, your system should have a recent mainstream (2000 or newer) UNIX installed (Linux, Solaris, BSD). The examples (and Perl) may also run on earlier versions of UNIX and on other operating systems, but working around any functional differences there is left to the reader as an exercise. The specific examples are written for Red Hat Linux, but they should also work on other systems (except for chkconfig).
What is inetd, anyway?
To a UNIX system administrator, inetd is as basic as the cp/rm/mv commands. It is always there, ready to handle incoming connections. But what is it, really? What is it used for?
Let's start with TCP/IP (which also includes UDP, but we'll ignore that for now). When you establish a connection with a host, you are actually creating a TCP/IP connection (usually through a socket); this is like a phone call between you and the host. A TCP/IP connection is uniquely defined by the initiating host and the receiving host, but also by other identifiers. If we connect to a server, how does it distinguish between web server, Telnet, SSH, FTP and other connections? The connection is also defined by the port that the socket uses. For example, port 21 is incoming FTP, port 22 is SSH and port 23 is Telnet (for most other ports, check /etc/services on your UNIX system).
Once the connection is established, someone answers the phone at the other end. This can be an operator or a direct line. A direct line means you reach the server directly, while the operator is the approach that involves inetd. In practice the operator handles connections on a group of incoming lines (the ports on the host) and hands them to the program (server) responsible for each one.
UDP is another kind of connection. Like TCP, UDP is basically a conversation with someone, but it is not guaranteed to be reliable. UDP (continuing the phone analogy) is like dropping messages onto a conveyor belt and letting the receiver stand at the other end. You can get a lot of messages from the belt, but if there are too many messages (network traffic is high) or reading a message takes too long (the server is busy), the receiver may lose some of them.
With inetd, after a few checks are performed, you are redirected to the specific server. A single configuration file, inetd.conf, manages all incoming connections. Adding, deleting, changing or checking a service on the system therefore becomes simpler. For example, on a Solaris system, FTP with TCP wrappers is defined as follows:
Listing 1. The inetd.conf definition of the FTP service
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
These are all the parameters needed to establish an FTP connection. Put simply, we are saying that when using TCP/IP (tcp) in stream mode (stream), many FTP connections are allowed at the same time (nowait), the service runs as root, and FTP is called (actually TCP wrappers is called, which in turn calls the FTP daemon).
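The field mapping just described (socket type, protocol, wait/nowait, user, server and arguments) is mechanical enough to script. The Python below is an added example, not the article's code and not the itox helper that ships with xinetd: it parses inetd.conf lines and emits the equivalent xinetd service block. Two assumptions are made and labelled in the code: a bare daemon name is looked up in an assumed DAEMON_DIR, and a /usr/sbin/tcpd wrapper is dropped because xinetd built with libwrap applies TCP wrappers itself. The sample inetd.conf is constructed for the example.

```python
"""Translate inetd.conf service lines into xinetd service blocks.
Added example illustrating the field mapping; it is not the itox tool."""
import os

DAEMON_DIR = "/usr/sbin"   # assumed location of daemons named without a path

# Constructed sample inetd.conf: the Listing 1 FTP line plus a UDP service
SAMPLE_INETD = """\
# <service> <socket> <proto> <wait> <user> <server> <args>
ftp    stream  tcp  nowait  root    /usr/sbin/tcpd      in.ftpd
tftp   dgram   udp  wait    nobody  /usr/sbin/in.tftpd  in.tftpd -s /tftpboot
"""


def parse_inetd_line(line):
    """Split one inetd.conf line into the fields xinetd needs."""
    fields = line.split()
    if len(fields) < 6:
        raise ValueError(f"malformed inetd line: {line!r}")
    name, sock, proto, wait, user, server, *args = fields
    # Strip a tcpd wrapper: xinetd (built with libwrap) consults
    # hosts.allow/hosts.deny itself, so the real daemon becomes the server.
    if os.path.basename(server) == "tcpd" and args:
        server = args[0] if "/" in args[0] else os.path.join(DAEMON_DIR, args[0])
    # inetd passes argv[0] (the program name) as the first argument;
    # xinetd's server_args must not repeat it, so drop it.
    server_args = args[1:]
    return {"name": name, "socket_type": sock, "protocol": proto,
            "wait": "yes" if wait.startswith("wait") else "no",
            "user": user, "server": server, "server_args": server_args}


def to_xinetd(entry):
    """Render one parsed entry as a service block for /etc/xinetd.d/NAME."""
    lines = [f"service {entry['name']}", "{",
             f"    socket_type = {entry['socket_type']}",
             f"    protocol    = {entry['protocol']}",
             f"    wait        = {entry['wait']}",
             f"    user        = {entry['user']}",
             f"    server      = {entry['server']}"]
    if entry["server_args"]:
        lines.append(f"    server_args = {' '.join(entry['server_args'])}")
    # Converted services start disabled; enable each one deliberately after review.
    lines.append("    disable     = yes")
    lines.append("}")
    return "\n".join(lines) + "\n"


def convert(text):
    """Return {service_name: xinetd block} for every non-comment line."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_inetd_line(line)
        out[entry["name"]] = to_xinetd(entry)
    return out


if __name__ == "__main__":
    for name, block in convert(SAMPLE_INETD).items():
        print(f"# /etc/xinetd.d/{name}\n{block}")
```

Each generated block is written with disable = yes so that nothing is exposed until the administrator has reviewed it and added the access controls described later in the article.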
Is all of that hard to parse in one morning? Absolutely. Does it need to be so complex? No. Xinetd inherits the design of inetd and makes it modular, which means every service can live in its own configuration file. Xinetd also adds functional components such as TCP wrappers, which makes configuration simpler.
Xinetd keeps the central configuration (operator) approach, storing all configuration in a single location, usually /etc/xinetd.conf and /etc/xinetd.d/*, so that the system administrator can find it easily. Modular configuration means you can distribute a service by copying it into the xinetd.d directory, and remove it the same way. You can even include additional directories besides the one specified.
Finally, the xinetd FAQ (see the Resources at the end of this article) says that RPC programs do not run very well under xinetd. That is not a problem, though: use inetd for RPC and xinetd for all other services. It is like hiring two operators, one who speaks Spanish and another who speaks every other language.
Introduction to xinetd
So what is xinetd? In a word, it is a program. There is nothing magical about handling incoming network connections; it could be done in Perl, Python or Java. Xinetd is written in C, and it is as fast as its predecessor inetd, if not faster (for example, TCP wrappers do not have to be executed for every incoming connection; they are loaded into memory at startup).
Xinetd is under active development. (Your version may be out of date, so be sure to look for the latest version on the home page; see Resources.) Because it is actively developed, security flaws in xinetd get fixed quickly, unlike inetd, whose weaknesses usually take a long time to be fixed. Of course, xinetd ships with its source code, so you can inspect the source and look for possible weaknesses yourself.
How do you define a service with xinetd? You write a service file that, besides the general parameters specified in /etc/xinetd.conf, specifies the service-specific configuration. So, if /etc/xinetd.conf looks like this:
Listing 2. Example xinetd.conf (stock Red Hat 7.1)
defaults
{
        instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success          = HOST PID
        log_on_failure          = HOST
        cps                     = 25 30
}
service telnet
{
        flags                   = REUSE
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/in.telnetd
        log_on_failure          += USERID
        disable                 = yes
}
includedir /etc/xinetd.d
then every service file you put in /etc/xinetd.d inherits these default values and specifies its own parameters. Here the telnet service is defined at the top level, not in the subdirectory. This is excellent: this kind of modularity allows complex configurations.
To make xinetd re-read its configuration file you do not need to restart it; just send it the USR2 signal.
What do those parameters mean? Let's walk through the whole list. You can also run man xinetd.conf at the command line to examine the list (if the man page is installed correctly), but this overview tries to explain the parameters in simpler terms, without assuming you already know everything about sockets and services. A few parameters (rpc_version, rpc_number) are skipped.
General parameters
- id
- The unique name of this service. The service name is given before the opening brace, but id allows the same logical service to have several protocols. This is of limited use for most users. For example, the NFS service can run over either the UDP or the TCP protocol. On Red Hat Linux 7.1, a TCP version (in /etc/xinetd.d/time) and a UDP version (in /etc/xinetd.d/time-udp) of xinetd's internal time service are provided.
- type
- This should really be called "special type", because it applies only to special services. It can be a combination of the following types: "RPC", for RPC services (Sun's Remote Procedure Call, which has caused many security problems and is best avoided); "INTERNAL", for services built into xinetd itself, such as the time service; "UNLISTED", for non-standard services that cannot be found in the system lists (/etc/services, or /etc/rpc for RPC services).
- flags
- All the additional flags go here. The list is long and very technical; the flags we are interested in include REUSE (for socket reuse, e.g. for Telnet), NAMEINARGS/NOLIBWRAP (if you want to call TCP wrappers by hand, or avoid the wrappers entirely), NODELAY/KEEPALIVE (for tuning TCP sockets), DISABLE (overrides the top-level "disable" parameter) and SENSOR (used to detect and prevent certain types of
- disable
- Unless you want to disable a service, always set this to "no". The chkconfig program on Red Hat Linux will turn the "disable" parameter on or off for you; on Red Hat, enabling and disabling a specific service with chkconfig may be simpler than doing it by hand. Note that chkconfig expects to find the service file in /etc/xinetd.d/SERVICE. So for the example in Listing 2, chkconfig will not turn Telnet on or off when asked. Whether that is a bug or a feature depends on your point of view.
- socket_type
- Normally you want this parameter set to "stream", unless the service uses UDP, in which case set it to "dgram". It can also be set to "raw" and "seqpacket", but those are rarely seen.
- protocol
- The protocol used by the connection, usually "tcp" or "udp", but in theory you can use any value from /etc/protocols.
- wait
- If set to "no", xinetd starts a new handler program for every incoming connection to the service. If "yes", xinetd expects that handler program to handle all subsequent connections until it dies. In most cases this parameter is "no".
- server, server_args
- The name of the program that handles the request, and the arguments it should receive. Unlike under inetd, the handler program name should not appear in the arguments.
- port
- The port of the service. Usually not needed, because the port is mapped to the service through the /etc/services file.
- redirect
- Allows xinetd to send all traffic for the service to another host. With this, a host protected by a firewall can accept safe traffic through a central xinetd forwarder without establishing connections to the external network. In some setups this feature can be used to implement failover of a service.
- banner, banner_success, banner_fail
- Custom text from a file, printed on every connection, on a successful connection, or on a failed connection respectively.
- enabled
- Complements the global-level "disabled" parameter and the DISABLE flag.
- include, includedir
- Tell xinetd to include a file or a directory.
Environment parameters
- user, group, umask, groups
- The UNIX attributes xinetd should take on when it starts the handler program for the service. This is used mainly for services that are not secure.
- nice
- Decides the UNIX priority level of this service, i.e. how important it is to the system. You can tune it for your system; see the "nice" man page.
- env
- Environment variables for the service handler program.
- passenv
- Environment variables from xinetd's own environment that should be passed down to the service handler program.
Resource management parameters
- instances
- The number of handler programs that can be started at the same time. You can tune this parameter to prevent denial-of-service attacks. If you want the default (unlimited) behavior, set it to "UNLIMITED".
- max_load
- If the system is overloaded, stop accepting connections. The load number depends on the system; adjust it only when you really know what you are doing.
- rlimit_as, rlimit_cpu, rlimit_data, rlimit_rss, rlimit_stack
- The rlimit parameters specify the resource limits (CPU and the various memory areas) applied to the service handler program.
Security-specific parameters
- only_from, no_access
- Complementing TCP wrappers, this is one of the ways to stop hosts from connecting to us. Note that the default is to allow access to anyone, unless TCP wrappers (whose rules are usually in /etc/hosts.allow) have a rule saying otherwise.
- access_times
- The times of day at which the service is available. For example, "6:00-23:00" means the service is available from 6 in the morning until 11:01 at night.
- log_type, log_on_success, log_on_failure
- The various logging options. The USERID flag can be particularly troublesome, because it queries the connecting host about the user who is connecting to us, which slows down processing. Avoid USERID where possible.
- bind
- Makes the service available only on a specific interface, usually for security reasons. For example, FTP on the internal network is just FTP, while an FTP connection from outside would be a warning of an intruder. The "id" parameter is very useful here.
- per_source
- The maximum number of instances of the service from a single source IP. Very useful against "single-source denial-of-service" attacks or the excessive connections established by a buggy program.
- cps
- The maximum number of connections allowed per second, and the number of seconds to wait before the service is enabled again. "30 45" means "30 incoming connections per second; if the limit is exceeded, wait 45 seconds". Used mainly to deal with denial-of-service attacks.
- deny_time
- The time for which a host that triggered a SENSOR is denied service.
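To see how the parameters above combine, the following Python script, added here as an example and not part of the article, parses a small xinetd-style configuration (a defaults block plus service blocks, applying =, += and -= to the inherited default values as xinetd does) and flags the security-relevant settings just discussed: no only_from/no_access, a handler running as root, USERID logging, no per_source limit, and no bind. The sample configuration is constructed for the example; the checks are the author's reading of the parameter list above, not a tool that ships with xinetd.

```python
"""Parse xinetd-style configuration (defaults + service blocks) and flag
risky settings.  Added example, not xinetd's own code."""
import re

# Constructed sample: a stock-looking defaults block followed by a permissive
# telnet service, a hardened internal FTP service and a disabled service.
SAMPLE_CONFIG = """
defaults
{
    instances       = 60
    log_type        = SYSLOG authpriv
    log_on_success  = HOST PID
    log_on_failure  = HOST
    cps             = 25 30
}

service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = no
}

service ftp-internal
{
    id              = ftp-internal
    socket_type     = stream
    wait            = no
    user            = ftp
    server          = /usr/sbin/in.ftpd
    bind            = 10.0.0.5
    only_from       = 10.0.0.0/24
    instances       = 20
    per_source      = 5
    access_times    = 6:00-23:00
    disable         = no
}

service finger
{
    socket_type     = stream
    wait            = no
    user            = nobody
    server          = /usr/sbin/in.fingerd
    disable         = yes
}
"""

# "defaults { ... }" or "service NAME { ... }"; bodies contain no nested braces
BLOCK_RE = re.compile(r"(\w[\w-]*)\s*(\w[\w-]*)?\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*([\w.]+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse(text):
    """Return {service_name: {attribute: [values]}} with defaults merged in.
    '=' replaces, '+=' appends and '-=' removes values, as in xinetd.conf."""
    defaults, services = {}, {}
    for kind, name, body in BLOCK_RE.findall(text):
        attrs = {} if kind == "defaults" else {k: list(v) for k, v in defaults.items()}
        for line in body.splitlines():
            m = ATTR_RE.match(line)
            if not m:
                continue            # blank or comment line
            key, op, value = m.groups()
            vals = value.split()
            if op == "=":
                attrs[key] = vals
            elif op == "+=":
                attrs.setdefault(key, []).extend(vals)
            else:
                attrs[key] = [v for v in attrs.get(key, []) if v not in vals]
        if kind == "defaults":
            defaults = attrs
        else:
            services[name] = attrs
    return services


def audit(services):
    """Return {service_name: [finding, ...]} for every enabled service."""
    report = {}
    for name, a in services.items():
        if a.get("disable", ["no"])[0].lower() == "yes":
            continue                # a disabled service is not reachable
        findings = []
        if "only_from" not in a and "no_access" not in a:
            findings.append("no only_from/no_access: any host allowed unless hosts.allow/deny say otherwise")
        if a.get("user", [""])[0] == "root":
            findings.append("handler runs as root")
        if any("USERID" in a.get(k, []) for k in ("log_on_success", "log_on_failure")):
            findings.append("USERID logging adds an ident lookup to every connection")
        if "per_source" not in a:
            findings.append("no per_source limit: single-source denial of service possible")
        if "bind" not in a:
            findings.append("not bound to a specific interface")
        report[name] = findings
    return report


if __name__ == "__main__":
    for svc, findings in audit(parse(SAMPLE_CONFIG)).items():
        print(svc, "->", findings or ["ok"])
```

Run against a real installation by reading /etc/xinetd.conf and every file under /etc/xinetd.d into one string before calling parse; the telnet service in the sample trips every check, while ftp-internal passes and finger is skipped because it is disabled.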
Replacing TCP wrappers
The classic TCP wrappers package is a very useful tool. Through its configuration files (usually /etc/hosts.allow and /etc/hosts.deny) it allows or denies access to any host as needed, per service. Unfortunately, the TCP wrappers library does not understand things like system load, resource limits or multiple attacks very well. Xinetd incorporates the functionality of TCP wrappers (through the libwrap library), so you can migrate to xinetd successfully and keep using the same configuration files as before.
That is almost all the work migration requires. Keep your old hosts.deny and hosts.allow files, and xinetd will happily honor them. But remember that xinetd has many connection-control options that improve on TCP wrappers. For example, limiting the number of connections per second or the number of connections during overload can become an extremely valuable aid to server management.
Make sure your xinetd was compiled with the libwrap option, otherwise it will not know about TCP wrappers. If xinetd comes from the RPM on Red Hat Linux, make sure you test that the TCP wrappers files work properly before you open the machine to the network.
Advanced use: failover
Although xinetd can be used in many ways, the redirect parameter gives us the most interesting use. As everyone knows, failover is hard to achieve, and hardware failover is very expensive. The method described here (through simple software) is both cheap and effective. Its only weak point is the redirecting host itself, so you should consider whether that is acceptable. If it is not, then hardware failover is worth its cost.
First, decide on a method for selecting the "active" machine from two or more machines. Assume you do this with a script, set_active.pl (we will do this for the Telnet service, but it works just as well for any other service, as long as switching the service to another server causes no ill effects). The script takes the name of the machine we want to set as the new failover target, and the service name, which it uses to edit our /etc/xinetd.d/SERVICE file appropriately. Feel free to customize the script to write different files or to use different parameters. You could do this with a "perl -p -i -e" one-liner, but you may want to extend the approach considerably in the future, for example to add error checking of the parameters.
That is all there is to it. Now you only need to decide how the script is invoked: it can be run by hand, through a cron job, or triggered by another program. At that point it becomes an architectural decision. Do not forget to send the USR2 signal to xinetd at this point, or restart it if you prefer. On Red Hat Linux, "pkill -USR2 xinetd" automates the signal, while restarting xinetd should be done with "/etc/rc.d/init.d/xinetd restart" (on Linux) or a similar command (on most UNIX systems).
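The procedure above (rewrite the redirect target in /etc/xinetd.d/SERVICE, then signal xinetd) as an added Python example; this is not the article's set_active.pl and not part of xinetd. It assumes the service file already contains a single "redirect = host port" line, and it refuses to touch a file that has none or several, so a malformed file is never rewritten silently. The sample service file is constructed for the example, and the host names in it are placeholders.

```python
"""Switch the failover target of an xinetd-redirected service.
Added example in the spirit of the set_active.pl script described in the
text; not the article's own code.  Assumes /etc/xinetd.d/SERVICE contains
exactly one 'redirect = host port' line."""
import os
import re
import subprocess
import sys

# 'redirect = host port' with its leading whitespace and port captured so the
# line is rewritten in place and everything else in the file is preserved
REDIRECT_RE = re.compile(r"^(\s*redirect\s*=\s*)(\S+)(\s+\d+)\s*$", re.M)

# Constructed sample service file: a telnet front end forwarding to the
# currently active back end (placeholder host names)
SAMPLE_SERVICE = """service telnet
{
    socket_type = stream
    wait        = no
    user        = root
    redirect    = host-a.example.internal 23
    only_from   = 10.0.0.0/24
    disable     = no
}
"""


def active_host(text):
    """Return the host currently named on the redirect line, or None."""
    m = REDIRECT_RE.search(text)
    return m.group(2) if m else None


def set_active(text, new_host):
    """Return the service text with the redirect target replaced by new_host."""
    if len(REDIRECT_RE.findall(text)) != 1:
        raise ValueError("expected exactly one redirect line in the service file")
    # Only plain host names or addresses may be written into the config
    if not re.fullmatch(r"[A-Za-z0-9.-]+", new_host):
        raise ValueError(f"invalid host name: {new_host!r}")
    return REDIRECT_RE.sub(lambda m: m.group(1) + new_host + m.group(3), text)


def switch_service(service, new_host, conf_dir="/etc/xinetd.d"):
    """Rewrite conf_dir/SERVICE atomically and ask xinetd to re-read it."""
    path = os.path.join(conf_dir, service)
    with open(path) as fh:
        updated = set_active(fh.read(), new_host)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(updated)
    os.replace(tmp, path)   # atomic swap: xinetd never sees a half-written file
    # Same reload the text describes: pkill -USR2 xinetd
    subprocess.run(["pkill", "-USR2", "xinetd"], check=False)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: set_active.py SERVICE NEW_HOST")
    switch_service(sys.argv[1], sys.argv[2])
```

The rewrite goes through a temporary file and os.replace so that a reload arriving mid-write cannot pick up a truncated service definition; whichever mechanism invokes the script (cron, a monitor, an operator) only needs to supply the service name and the new target host.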
This kind of failover will NOT work for databases, unless a lot of additional work is done on the database end. We suggest using it for protocols such as rsync, ssh, ftp and telnet, where the failover machines have no interdependence.
Final words
Clearly, the many features xinetd offers are a good reason to choose it. But do not forget xinetd's other advantages: bugs get fixed once they are reported, the source code is freely available, and migrating from an existing inetd configuration (using the itox helper program that ships with xinetd) is very easy.
Why not use xinetd? Backward compatibility would be your best argument, along with incompatibility with your specific platform. Xinetd is most popular on Solaris and Linux servers, so there may be unresolved problems on your specific platform.
Original link: http://www-128.ibm.com/developerworks/cn/linux/sdk/perl/xinetd/index.html