An Introduction to Xinetd
I. Overview:
The simple security mechanism on traditional Linux is built on tcp_wrapper, and the key role in it is played by inetd. inetd controls and regulates network connections to the host: when an outside request arrives on a port managed by inetd, inetd hands it to the tcpd program, which consults the two files hosts.allow and hosts.deny to decide whether to permit access to the requested service, and then starts the corresponding network service, such as telnet or ftp.
II. Features:
RedHat 7.x replaces inetd with xinetd, mainly for its much stronger access-control capabilities. Its main features are as follows:
1. Powerful access control:
(1) Built-in access-control settings that treat malicious and well-behaved clients differently
(2) With libwrap support, its performance exceeds that of tcpd
(3) xinetd can limit the rate of incoming connections, the number of connections from a particular host, and the total number of instances of a network service
(4) Access can be restricted to particular times
(5) A particular network service can be bound to a particular interface IP address, for internal-network use only
2. Defence against DoS attacks
(1) Limiting the rate of incoming connections stops "port bomb" DoS attacks
(2) Limiting the number of simultaneous connections from a particular host prevents it from monopolising a network service
(3) Limiting the size of log files prevents the disk from being filled up
3. Powerful logging
(1) The syslog logging level can be set independently for each network service
(2) If syslog is not used, a separate log file can be kept for each network service
(3) Connection start and end times can be recorded, to determine how long a client used the service
(4) Failed connection attempts can be recorded
4. Redirection
On a host providing NAT, xinetd's redir function can forward a TCP-stream network service to another host
5. IPv6 support
xinetd supports IPv6 from version xinetd 2.1.8.8pre* onward
6. Interaction with the client user
When a client's connection request succeeds or fails, xinetd can display a banner so that the client knows the connection state has changed
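As an added example (not from the article or the xinetd project), the following Python script parses one xinetd service block written with the access controls listed above and reports which of them are missing. The telnet block is constructed for illustration; only_from, no_access, per_source and access_times are real xinetd directives that do not appear elsewhere in this article.

```python
"""Added example, not from the article: parse one xinetd service block and
report which of the controls described above it lacks (sample is constructed)."""
import re

SAMPLE = """service telnet
{
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/in.telnetd
    only_from      = 192.168.1.0/24
    no_access      = 192.168.1.13
    instances      = 10
    per_source     = 2
    access_times   = 08:00-18:00
    log_type       = FILE /var/log/telnet.log 1000000 2000000
    log_on_failure += USERID
}"""

# Directive every exposed service should carry, and the exposure if absent.
REQUIRED = {
    "only_from":      "no source-address restriction",
    "instances":      "unbounded concurrent servers (port-bomb DoS)",
    "per_source":     "one host can monopolise the service",
    "access_times":   "no time-of-day restriction",
    "log_on_failure": "failed connection attempts are not logged",
}

def parse_service(text):
    """Return (name, {directive: [values]}); '+=' appends to a directive."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no service block found")
    attrs = {}
    for line in m.group(2).splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        key, op, value = re.match(r"(\w+)\s*(\+=|=)\s*(.*)", line).groups()
        attrs[key] = (attrs.get(key, []) if op == "+=" else []) + value.split()
    return m.group(1), attrs

def audit(attrs):
    """List hardening gaps: missing REQUIRED directives, plus a FILE log
    without the soft/hard size limits that keep it from filling the disk."""
    gaps = [why for key, why in REQUIRED.items() if key not in attrs]
    log = attrs.get("log_type", [])
    if log[:1] == ["FILE"] and len(log) < 4:
        gaps.append("log file has no size limits")
    return gaps
```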
III. Comparison of inetd and xinetd file formats
inetd's configuration traditionally keeps every network service together in a single file, inetd.conf. In newer versions of inetd, inetd.conf is retained but trimmed down, and each network service is placed in its own file under the /etc/inet.d directory; configuration is then done directly in /etc/inet.d rather than in inetd.conf. This is very similar to RedHat 7.*, whose configuration file is /etc/xinetd.conf and which likewise keeps each network service in its own file under /etc/xinetd.d, but the two file formats differ greatly, as the listings below show:
(1) Old-style inetd.conf:
# These are standard services.
#
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#gopher stream  tcp     nowait  root    /usr/sbin/tcpd  gn
# do not uncomment smtp unless you *really* know what you are doing.
# smtp is handled by the sendmail daemon now, not smtpd.  It does NOT
# run from here, it is started at boot time from /etc/rc.d/rc#.d.
#smtp   stream  tcp     nowait  root    /usr/bin/smtpd  smtpd
#nntp   stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
#
#
# Pop and imap mail services et al
#
pop2    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# Authentication
#
auth    stream  tcp     nowait  root    /usr/sbin/in.identd  in.identd
swat    stream  tcp     nowait.400  root  /usr/sbin/tcpd  swat
#
# End of inetd.conf
(2) New-style inetd.conf:
#
# inetd.conf   This file describes the services that will be available
#              through the INETD TCP/IP super server.  To re-configure
#              the running INETD process, edit this file, then send the
#              INETD process a SIGHUP signal.
#
# In order to comply with the Linux Standard Base
# specification, many services are now configured
# via individual files in the /etc/inet.d directory.
#
#
# Builtin services (silently drop requests from ports < 512)
#
#echo      stream  tcp     nowait  root    internal
#echo      dgram   udp     wait    root    internal
#discard   stream  tcp     nowait  root    internal
#discard   dgram   udp     wait    root    internal
#daytime   stream  tcp     nowait  root    internal
#daytime   dgram   udp     wait    root    internal
#chargen   stream  tcp     nowait  root    internal
#chargen   dgram   udp     wait    root    internal
#time      stream  tcp     nowait  root    internal
#time      dgram   udp     wait    root    internal
#
# WARNING WARNING WARNING
#
# When editing your inetd configuration manually, please
# edit the files in the /etc/inet.d subdirectory rather
# than inetd.conf.  In particular, having entries for the
# same service both in inetd.conf and a file in /etc/inet.d
# is undefined.
#
Per-service file format: placed under the /etc/inet.d directory, for example /etc/inet.d/wu-ftpd
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
(3) xinetd: for example
/etc/xinetd.conf
#
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{
        instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success          = HOST PID
        log_on_failure          = HOST
}

includedir /etc/xinetd.d
/etc/xinetd.d/wu-ftpd
# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses
#       normal, unencrypted usernames and passwords for authentication.
service ftp
{
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/in.ftpd
        server_args             = -l -a
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
        disable                 = yes
}
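As an added example (not the article's or the xinetd project's own code, and not xconv.pl itself), this Python script performs the mapping the two listings above illustrate: old-style inetd.conf entries become xinetd service blocks, with the tcpd wrapper dropped because xinetd gets that functionality from libwrap. It assumes, as a labelled simplification, that a daemon launched through tcpd lives in /usr/sbin; the input lines are constructed from the old-style listing.

```python
"""Added example, not from the article: convert classic inetd.conf entries
into xinetd service blocks, the same mapping the two listings above show
(and that xinetd's xconv.pl script performs)."""

# Constructed input: entries in the old inetd.conf format shown above.
INETD_LINES = """# These are standard services.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
swat    stream  tcp     nowait.400  root  /usr/sbin/tcpd  swat
"""

def convert_entry(line):
    """Map one inetd.conf entry to (service, {xinetd directive: value});
    comments and blank lines yield None."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    name, socket_type, proto, wait, user, server, *args = line.split()
    # inetd ran services through tcpd; xinetd gets that via libwrap, so the
    # real server is argv[0] and tcpd itself disappears.  ASSUMPTION: the
    # wrapped daemon is installed under /usr/sbin.
    if server.endswith("/tcpd") and args:
        server, args = "/usr/sbin/" + args[0], args[1:]
    elif args:
        args = args[1:]           # argv[0] merely repeats the server name
    return name, {
        "socket_type": socket_type,
        "protocol": proto,
        # "nowait.400" carries inetd's per-minute spawn limit; only the
        # wait/nowait part is translated here.
        "wait": "no" if wait.split(".")[0] == "nowait" else "yes",
        "user": user,
        "server": server,
        "server_args": " ".join(args),
        "disable": "no",
    }

def convert(text):
    """Convert a whole inetd.conf text into {service: directives}."""
    return dict(e for e in map(convert_entry, text.splitlines()) if e)

def render(name, attrs):
    """Emit one /etc/xinetd.d/<service> file body, skipping empty values."""
    body = "\n".join(f"\t{k:<12}= {v}" for k, v in attrs.items() if v)
    return f"service {name}\n{{\n{body}\n}}\n"
```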
IV. Installing xinetd:
xinetd was written by panos at cs.colorado.edu and can be downloaded from http://www.xinetd.org/. The latest version is xinetd-2.3.0.tar.gz; install it as follows:
tar zxvf xinetd-2.3.0.tar.gz
cd xinetd-2.3.0
./configure --prefix=/etc --with-libwrap --with-loadavg --with-inet6
make
make install
xinetd/xconv.pl < /etc/inetd.conf > /tmp/xinetd.conf (converts inetd.conf into xinetd.conf syntax)
Note: --with-libwrap: lets xinetd support tcp wrappers
--with-loadavg: lets xinetd support max_load, so that services can be stopped when the system is overloaded
--with-inet6: lets xinetd support IPv6; for example, 127.0.0.1 maps to the IPv6 form ::ffff:127.0.0.1
cp xinetd/sample.conf /etc/xinetd.conf
cp /etc/sbin/xinetd /usr/sbin
cp /etc/man/man5/* /usr/man/man5/ (RedHat)
cp /etc/man/man5/* /usr/share/man/en/man5/ (Caldera)
cp /etc/man/man8/* /usr/man/man8/ (RedHat)
cp /etc/man/man8/* /usr/share/man/en/man8/ (Caldera)
V. Starting and stopping xinetd
1. (1) Start: at the system prompt, run xinetd
(2) Stop: ps -aux | grep xinetd
kill -9 PID
2. Create an xinetd script in the /etc/rc.d/init.d directory (note that the path of the functions file may differ), and create the following files:
touch /var/run/xinetd.pid
touch /var/lock/subsys/xinetd
chmod 755 /etc/rc.d/init.d/xinetd
Start: /etc/rc.d/init.d/xinetd start
Stop: /etc/rc.d/init.d/xinetd stop
The contents of /etc/rc.d/init.d/xinetd are as follows:
#!/bin/bash
#
# xinetd        This starts and stops xinetd.
#
# chkconfig: 345 56 50
# description: xinetd is a powerful replacement for inetd.
#              xinetd has access control mechanisms, extensive
#              logging capabilities, the ability to make services
#              available based on time, and can place
#              limits on the number of servers that can be started,
#              among other things.
#
# processname: /usr/sbin/xinetd
# config: /etc/sysconfig/network
# config: /etc/xinetd.conf
# pidfile: /var/run/xinetd.pid

prog="xinetd"

PATH=/sbin:/bin:/usr/bin:/usr/sbin

# Source function library.
. /etc/rc.d/init.d/functions

# Get config.
test -f /etc/sysconfig/network && . /etc/sysconfig/network

# Check that networking is up (quoted so an unset variable does not break the test).
[ "${NETWORKING}" = "yes" ] || exit 0

[ -f /usr/sbin/xinetd ] || exit 1

[ -f /etc/xinetd.conf ] || exit 1

RETVAL=0

start(){
    echo -n $"Starting $prog: "
    # Need to get rid of localization for external services -
    # it doesn't make much sense to have i18n on the server side here
    LANG=en_US
    LC_TIME=en_US
    LC_ALL=en_US
    LC_MESSAGES=en_US
    LC_NUMERIC=en_US
    LC_MONETARY=en_US
    LC_COLLATE=en_US
    export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
    unset HOME MAIL USER USERNAME
    daemon xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
    RETVAL=$?
    echo
    touch /var/lock/subsys/xinetd
    return $RETVAL
}

stop(){
    echo -n $"Stopping $prog: "
    killproc xinetd
    RETVAL=$?
    echo
    rm -f /var/lock/subsys/xinetd
    return $RETVAL
}

reload(){
    echo -n $"Reloading configuration: "
    killproc xinetd -USR2
    RETVAL=$?
    echo
    return $RETVAL
}

restart(){
    stop
    start
}

condrestart(){
    [ -e /var/lock/subsys/xinetd ] && restart
    return 0
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status xinetd
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    condrestart)
        condrestart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
        RETVAL=1
esac

exit $RETVAL