|
|
茫茫網海中的冷日
發生過的事,不可能遺忘,只是想不起來而已! |
|
恭喜您是本站第 1671411
位訪客!
登入 | 註冊
|
|
|
|
發表者 |
討論內容 |
冷日 (冷日) |
發表時間:2005/8/28 13:02 |
- Webmaster
- 註冊日: 2008/2/19
- 來自:
- 發表數: 15771
|
- [分享]Xinetd在solaris8安裝配置過程
- 一相關資訊:
1、 說明: xinetd取代了inetd+tcp_wrappers,並且提供了訪問控制、加強的日誌和資源管理功能,已經成了Internet標準超級守護進程。但是現在還沒有在solaris上的完整安裝配置手冊,我希望寫一個關於在solaris上的傻瓜安裝配置手冊。 2、 基本資訊 伺服器基本資訊:Sun-Fire-280R 作業系統:SunOS 5.8 Generic_117350-02 3、 Xinetd軟體資訊 軟體版本:2.3.10 下載地址: ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/xinetd-2.3.10-sol8-sparc-local.gz 套裝軟體說明:該套裝軟體已經添加了--with-libwrap、--with-loadavg、--with-inet6編譯模組選項。 4、 系統默認使用xinetd的服務可以分為如下幾類: 標準internet服務:telnet ftp 資訊服務:finger netstat systat 郵件服務:imap imaps pop2 pop3 pops RPC服務:rquotad rstatd rusersd sprayd walld BSD服務:comsat exec login ntalk shell talk 內部服務:chargen daytime echo servers services time 安全服務:irc 其他服務:name tftp uucp 5、 更多支援資訊: http://www.xinetd.org/ 二、安裝配置xinetd 1、安裝過程 1)#gzip ?d xinetd-2.3.10-sol8-sparc-local.gz 2)#pkgadd ?d xinetd-2.3.10-sol8-sparc-local 沒有報錯的話,安裝完畢。 2、xinetd軟體安裝後的基本資訊 1)文檔位置:/usr/local/doc/xinetd 裡面有安裝說明和配置檔文檔。 2)命令位置:/usr/local/sbin/ Xinetd、xconv.pl、itox 3、配置過程: 說明:配置主要涉及倆個檔:/etc/init.d/inetsvc(需要修改)和/etc/xinetd.conf(需要生成) 1)生成/etc/xinetd.conf文件: a) 說明:/etc/xinetd.conf這個檔是由/etc/inetd.conf檔轉換生成的!主要是xinetd替代inetd以後的配置檔 b) 生成命令:
# /usr/local/sbin/xconv.pl < /etc/inetd.conf > /etc/xinetd.conf
c) 注意: 在/etc/inetd.conf??面可以事先去掉不必要的埠,如finger、login等,在/etc/xinetd.conf可以得到比較簡潔的配置文。(我在轉換前在/etc/inetd.conf檔??只保留了telnet和ftp)需要別的服務如ssh等可以自己添加。 2)修改/etc/init.d/inetsvc文件: 主要有倆個地方需要修改: a) 修改一:(建議注釋掉舊的配置,添加新的配置) 修改前:/usr/bin/pkill -x -u 0 'in.named|inetd'
修改後:/usr/bin/pkill -x -u 0 'in.named|xinetd'
b) 修改二: 修改前: 修改後:/usr/local/sbin/xinetd -s &
3)測試: 停止原來的服務:# /etc/init.d/inetsvc stop
啟動新的服務:# /etc/init.d/inetsvc start
檢查進程: 殺掉得到的進程號: 查看xinetd的進程: 顯示如下xinetd配置正常:
root 158 1 0 15:41:50 ? 0:00 /usr/local/sbin/xinetd ?s
備註: Xinetd啟動過程有問題,一般是/etc/xinetd.conf配置檔的原因。 三、用xinetd限制ssh登陸配置過程: 1、測試方法: 1)編輯/etc/xinetd.conf: 添加如下:
service ssh
{
socket_type = stream
wait = no
user = root
server = /usr/local/sbin/sshd
port = 22
server_args = -i
only_from = 192.0.0.109
}
2、測試過程: 重新啟動機器,查看xinetd載入是否正常。 從內網192.0.0.109 ssh登陸伺服器可以登陸為正常。 別的IP ssh登陸伺服器不可以登陸為正常。 3、注意: SSH安裝以後,不用在/etc/rc2.d下面添加S99sshd,因為xinetd已經可以啟動ssh進程了。否則達不到限制ip的作用。 四、備註: 安裝完成以後伺服器狀態:
#nmap -P0 127.0.0.1
22/tcp open ssh
只留了ssh埠,而且可以限制ssh登陸的IP位址為:內網的192.0.0.109
附件一:完整的/etc/init.d/inetsvc文件 附件二:完整的/etc/xinetd.conf文件。
# more /etc/xinetd.conf
# This file generated by xconv.pl, included with the xinetd
# package. xconv.pl was written by Rob Braun (bbraun@synack.net)
#
# The file is merely a translation of your inetd.conf file into
# the equivalent in xinetd.conf syntax. xinetd has many
# features that may not be taken advantage of with this translation.
# Please refer to the xinetd.conf man page for more information
# on how to properly configure xinetd.
# The defaults section sets some information for all services
defaults
{
#The maximum number of requests a particular service may handle
# at once.
instances = 25
# The type of logging. This logs to a file that is specified.
# Another option is: SYSLOG syslog_facility [syslog_level]
log_type = FILE /var/log/servicelog
# What to log when the connection succeeds.
# PID logs the pid of the server processing the request.
# HOST logs the remote host's ip address.
# USERID logs the remote user (using RFC 1413)
# EXIT logs the exit status of the server.
# DURATION logs the duration of the session.
log_on_success = HOST PID
# What to log when the connection fails. Same options as above
log_on_failure = HOST RECORD
# The maximum number of connections a specific IP address can
# have to a specific service.
per_source = 5
}
#service ftp
{
flags = NAMEINARGS
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/local/bin/tcpd
server_args = in.ftpd
}
#service telnet
{
flags = NAMEINARGS
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/local/bin/tcpd
server_args = in.telnetd
}
service ssh
{
socket_type = stream
wait = no
user = root
server = /usr/local/sbin/sshd
port = 22
server_args = -i
only_from = 192.0.0.109
}
## more /etc/init.d/inetsvc
#!/sbin/sh
#
# Copyright (c) 1995, 1997-1999 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)inetsvc 1.24 99/03/21 SMI"
#
# This is third phase of TCP/IP startup/configuration. This script
# runs after the NIS/NIS+ startup script. We run things here that may
# depend on NIS/NIS+ maps.
#
case "$1" in
'start')
;; # Fall through -- rest of script is the initialization code
'stop')
# /usr/bin/pkill -x -u 0 'in.named|inetd'
/usr/bin/pkill -x -u 0 'in.named|xinetd'
exit 0
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
# If boot variables are not set, set variables we use
[ -z "$_INIT_UTS_NODENAME" ] && _INIT_UTS_NODENAME=`/usr/bin/uname -n`
if [ -z "$_INIT_PREV_LEVEL" ]; then
set -- `/usr/bin/who -r`
_INIT_PREV_LEVEL="$9"
fi
#
# wait_nis
# Wait up to 5 seconds for ypbind to obtain a binding.
#
wait_nis ()
{
for i in 1 2 3 4 5; do
server=`/usr/bin/ypwhich 2>/dev/null`
[ $? -eq 0 -a -n "$server" ] && return 0 || sleep 1
done
return 1
}
#
# We now need to reset the netmask and broadcast address for our network
# interfaces. Since this may result in a name service lookup, we want to
# now wait for NIS to come up if we previously started it.
#
domain=`/usr/bin/domainname 2>/dev/null`
[ -z "$domain" ] || [ ! -d /var/yp/binding/$domain ] || wait_nis ||
echo "WARNING: Timed out waiting for NIS to come up" >& 2
#
# Re-set the netmask and broadcast addr for all IP interfaces. This ifconfig
# is run here, after waiting for name services, so that "netmask +" will find
# the netmask if it lives in a NIS map. The 'D' in -auD tells ifconfig NOT to
# mess with the interface if it is under DHCP control
#
/usr/sbin/ifconfig -auD4 netmask + broadcast +
# Uncomment these lines to print complete network interface configuration
# echo "network interface configuration:"
# /usr/sbin/ifconfig -a
#
# If this machine is configured to be an Internet Domain Name System (DNS)
# server, run the name daemon. Start named prior to: route add net host,
# to avoid dns gethostbyname timout delay for nameserver during boot.
#
if [ -f /usr/sbin/in.named -a -f /etc/named.conf ]; then
echo 'starting internet domain name server.'
/usr/sbin/in.named &
fi
if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
dnsdomain=`/sbin/dhcpinfo DNSdmain`
else
dnsdomain=
fi
if [ -n "$dnsdomain" ]; then
dnsservers=`/sbin/dhcpinfo DNSserv`
if [ -n "$dnsservers" ]; then
if [ -f /etc/resolv.conf ]; then
/usr/bin/rm -f /tmp/resolv.conf.$$
/usr/bin/sed -e '/^domain/d' -e '/^nameserver/d'
/etc/resolv.conf >/tmp/resolv.conf.$$
fi
echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
for name in $dnsservers; do
echo nameserver $name >>/tmp/resolv.conf.$$
done
else
if [ -f /etc/resolv.conf ]; then
/usr/bin/rm -f /tmp/resolv.conf.$$
/usr/bin/sed -e '/^domain/d' /etc/resolv.conf
>/tmp/resolv.conf.$$
fi
echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
fi
#
# Warning: The umask is 000 during boot, which requires explicit
# setting of file permission modes when we create files.
#
/usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
/usr/bin/chmod 644 /etc/resolv.conf
# Add dns to the nsswitch file, if it isn't already there.
/usr/bin/rm -f /tmp/nsswitch.conf.$$
/usr/bin/awk ' $1 ~ /^hosts:/ {
n = split($0, a);
newl = a[1];
if ($0 !~ /dns/) {
printf("#%s # Commented out by DHCP
", $0);
updated = 0;
for (i = 2; i <= n; i++) {
if (updated == 0 && index(a[i], "[") == 1) {
newl = newl" dns";
updated++;
}
newl = newl" "a[i];
}
if (updated == 0) {
newl = newl" dns";
updated++;
}
if (updated != 0)
newl = newl" # Added by DHCP";
else
newl = $0;
printf("%s
", newl);
} else
printf("%s
", $0);
} $1 !~ /^hosts:/ { printf("%s
", $0); }' /etc/nsswitch.conf
>/tmp/nsswitch.conf.$$
/usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
/usr/bin/chmod 644 /etc/nsswitch.conf
elif grep '# Added by DHCP$' /etc/nsswitch.conf >/dev/null 2>&1; then
# If we added DNS to a hosts line in the nsswitch, remove it.
/usr/bin/rm -f /tmp/nsswitch.conf.$$
/usr/bin/sed
-e '/# Added by DHCP$/d'
-e 's/^(#hosts:)(.*[^#])(#.*)$/hosts: 2/'
/etc/nsswitch.conf >/tmp/nsswitch.conf.$$
/usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
/usr/bin/chmod 644 /etc/nsswitch.conf
fi
if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
#
# if DHCP doesn't return a hostname, use "unknown" so
# client can resolve IP address into a local hostname.
#
hostname=`/sbin/dhcpinfo Hostname`
if [ -z "$hostname" ]; then
hostname="unknown"
fi
ipaddr=`/sbin/dhcpinfo Yiaddr`
/usr/bin/rm -f /tmp/hosts.$$ /tmp/hosts_clear.$$
# Delete any old lines added by dhcp.
/usr/bin/sed -e '/# Added by DHCP$/d' /etc/inet/hosts
> /tmp/hosts_clear.$$
shift $# # Clear $0-9 first in case grep fails
set -- `/usr/bin/grep "^[ ]*$ipaddr[ ]"
/tmp/hosts_clear.$$ 2>/dev/null`
if [ $# -gt 0 ]; then
#
# IP address is already in the hosts file. Ensure the
# associated hostname is the same as the Hostname
# property returned by the DHCP server.
#
/usr/bin/sed -e "/^[ ]*${ipaddr}[ ]/s/${2}/${hostname}/"
/tmp/hosts_clear.$$ >/tmp/hosts.$$
else
#
# IP address is missing from the hosts file. Now check
# to see if the hostname is present with a different IP.
#
shift $# # Clear $0-9 in case grep fails
set -- `/usr/bin/grep -s -v '^#' /tmp/hosts_clear.$$ |
/usr/bin/egrep "[ ]${hostname}([ ]|$)"`
if [ $# -gt 0 ]; then
#
# Hostname is present in the hosts file. Rewrite this
# line to have the new IP address and the DHCP comment.
#
/usr/bin/sed -e "/^[ ]*${1}[ ]/d"
/tmp/hosts_clear.$$ >/tmp/hosts.$$
shift # Shift off $1 (the old IP)
echo "$ipaddr $*c" | /usr/bin/tr ' ' ' '
>>/tmp/hosts.$$
echo " # Added by DHCP" >>/tmp/hosts.$$
else
#
# Hostname is not present in the hosts file.
# Add a new line for the host at the end of
# the new hosts file.
#
/usr/bin/mv /tmp/hosts_clear.$$ /tmp/hosts.$$
echo "${ipaddr} ${hostname} # Added by DHCP"
>>/tmp/hosts.$$
fi
fi
# Update loopback transport hosts files
for inet in /etc/net/*/hosts; do
echo "# RPC hosts" > $inet
echo "$hostname $hostname" >> $inet
/usr/bin/chmod 644 $inet
done
/usr/bin/rm -f /tmp/hosts_clear.$$
/usr/bin/mv /tmp/hosts.$$ /etc/inet/hosts
/usr/bin/chmod 644 /etc/inet/hosts
fi
#
# Add a static route for multicast packets out our default interface.
# The default interface is the interface that corresponds to the node name.
# Run in background subshell to avoid waiting for name service.
#
(
if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
else
mcastif=$_INIT_UTS_NODENAME
fi
echo "Setting default IPv4 interface for multicast:"
"add net 224.0/4: gateway $mcastif"
/usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
) &
#
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF. Why did we ever let them change inetd?
#
#/usr/sbin/inetd -s &
/usr/local/sbin/xinetd -s &
|
|
|