Fliee

Pages: 6 (1283 words) Published: August 7, 2012
The inetd Daemon and inetd Services

Objectives
After completing this unit, students should be able to:
- Describe and configure the inetd daemon
- Describe and configure the tcpd daemon
- Describe and configure the xinetd daemon
- Describe, configure and use the most common inetd services

The inetd "Super" Daemon
A typical server offers a number of low-usage services:
- telnet
- ftp
- talk
- finger
- ...
Don't want to waste resources running individual daemons all day
Solution: inetd
- Listens to a large number of ports
- Starts server application when needed
Do not use inetd for high-usage services:
- http
- mail

/etc/inetd.conf
    #echo     stream  tcp  nowait  root        internal
    #echo     dgram   udp  wait    root        internal
    #discard  stream  tcp  nowait  root        internal
    #discard  dgram   udp  wait    root        internal
    #daytime  stream  tcp  nowait  root        internal
    #daytime  dgram   udp  wait    root        internal
    #chargen  stream  tcp  nowait  root        internal
    #chargen  dgram   udp  wait    root        internal
    #time     stream  tcp  nowait  root        internal
    #time     dgram   udp  wait    root        internal
    ftp       stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
    telnet    stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
    shell     stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
    login     stream  tcp  nowait  root        /usr/sbin/tcpd  in.rlogind
    exec      stream  tcp  nowait  root        /usr/sbin/tcpd  in.rexecd
    talk      dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
    ntalk     dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
    #pop-2    stream  tcp  nowait  root        /usr/sbin/tcpd  ipop2d
    pop-3     stream  tcp  nowait  root        /usr/sbin/tcpd  ipop3d
    #imap     stream  tcp  nowait  root        /usr/sbin/tcpd  imapd

The tcpd Wrapper Daemon
- Extra security feature for inetd services
- Transparent for user, inetd and daemon
- inetd starts "/usr/sbin/tcpd in.ftpd -l -a"
- tcpd tests connection origin and requested service against /etc/hosts.allow and /etc/hosts.deny
- If allowed, tcpd starts "in.ftpd -l -a"
- If denied, connection is broken
- Relies on reverse DNS lookup to work! (IP address to hostname)

/etc/hosts.allow and /etc/hosts.deny
Syntax for both files:

    Service: Hostlist

- Service may also be specified as service, service or ALL
- Hostlist may be specified using DNS domain names or IP address, or ALL

Checking order:
- If /etc/hosts.allow allows the service, allow it
- If /etc/hosts.deny denies the service, deny it
- Otherwise, allow it

Example:

    # cat /etc/hosts.allow
    in.telnetd: .ibm.com, 9.0.0.0/8
    # cat /etc/hosts.deny
    ALL: ALL

Can execute commands upon match using spawn
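
Added example (not part of the original course material): a simplified Python model of the checking order above, run against the example hosts.allow and hosts.deny. It handles only ALL, leading-dot domain, network/prefix and exact-match entries; the function names and the sample client names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed copies of the two example files shown above.
HOSTS_ALLOW = "in.telnetd: .ibm.com, 9.0.0.0/8\n"
HOSTS_DENY = "ALL: ALL\n"

def parse(text):
    """Return [(services, hosts)] for each 'Service: Hostlist' line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        services, hosts = line.split(":", 1)
        rules.append((services.replace(",", " ").split(),
                      hosts.replace(",", " ").split()))
    return rules

def host_matches(pattern, hostname, ip):
    """hostname is None when the reverse DNS lookup gave no name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                   # DNS domain suffix
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if "/" in pattern:                            # network, as in 9.0.0.0/8
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)
    return pattern in (hostname, ip)              # exact name or address

def file_matches(rules, service, hostname, ip):
    return any((service in services or "ALL" in services)
               and any(host_matches(p, hostname, ip) for p in hosts)
               for services, hosts in rules)

def decide(service, hostname, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Checking order: hosts.allow first, then hosts.deny, otherwise allow."""
    if file_matches(parse(allow), service, hostname, ip):
        return "allow"
    if file_matches(parse(deny), service, hostname, ip):
        return "deny"
    return "allow"                                # matched in neither file

if __name__ == "__main__":
    clients = [("in.telnetd", "pc1.ibm.com", "192.0.2.10"),
               ("in.telnetd", None, "9.1.2.3"),
               ("in.telnetd", None, "192.0.2.10"),
               ("in.ftpd", "pc1.ibm.com", "192.0.2.10")]
    for svc, name, ip in clients:
        print(svc, name, ip, "->", decide(svc, name, ip))
    # Same outside client, but with an empty hosts.deny: falls through to allow.
    print("empty hosts.deny ->", decide("in.telnetd", None, "192.0.2.10", deny=""))
```

The last call shows why the example pairs its hosts.allow with "ALL: ALL" in hosts.deny: without a deny rule, a client that matches nothing is still allowed.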

The xinetd "Super" Daemon
- Successor of inetd
- Integrates tcpd functionality
- Configuration file syntax change
- Adds configuration directory: /etc/xinetd.d

/etc/xinetd.conf and /etc/xinetd.d/*
    # cat /etc/xinetd.conf
    defaults
    {
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST RECORD
    }
    includedir /etc/xinetd.d

    # cat /etc/xinetd.d/telnet
    telnet
    {
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
    }

Overview of inetd Services
Internal services (mostly used for testing):
- echo: replies everything back to sender
- discard: discards everything received
- daytime: sends time as 32-bit value
- chargen: generates data
- time: displays time in human-readable format

Common external services:
- telnet, login: remote login
- ftp: file transfer
- exec: remote execute
- finger: retrieve information about a user
- talk: chat with another user
- rsync: remote synchronization

Remote Login, Execute and File Transfer
ARPAnet commands:
- Reasonably secure, not very powerful
- Platform independent

Berkeley commands:
- Not very secure but powerful
- Works only between UNIX machines

                      ARPANET   BERKELEY
    remote login      telnet    rlogin
    remote execute    rexec     rsh
    file transfer     ftp       rcp

telnet
- Login to another system
- Automatic configuration of certain environment variables: TERM, DISPLAY

Example:

    client$ telnet sys7
    Trying 129.33.151.7...
    Connected to sys7.
    Escape character is '^]'.
    Welcome to sys7.
    login: tux1
    Password:
    sys7$ echo $DISPLAY
    client:0.0
    sys7$ ^]
    telnet> quit
    Connection...