CentOS6.5 xinetd startup/restart error

Tags: centos

2017-06-19 17:04

Question: The rsync service was installed from an rpm package and started after installation. After rsyncd.conf was modified, the xinetd service had to be restarted, but the system reported that there was no xinetd service. The output was as follows:
[root@linuxzgf ~]# service xinetd restart
xinetd : unrecognized service
[root@linuxzgf ~]# service xinetd reload
xinetd: unrecognized service
[root@linuxzgf ~]#
[root@linuxzgf ~]# service xinetd restart
xinetd: unrecognized service
[root@linuxzgf ~] # /etc/init.d/xin

1. Checking showed that the default system installation does not include xinetd; it can be installed as follows:

[root@linuxzgf ~]# yum -y install xinetd
After installation it can be restarted:
[root@linuxzgf ~]# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@linuxzgf ~]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@linuxzgf ~]#
Many services that depend on xinetd must be started or restarted through xinetd. Some of the daemons started by xinetd:
cvs eklogin ekrb5-telnet gssftp klogin krb5-telnet kshell rsync
Notes
xinetd can also be started with /etc/rc.d/init.d/xinetd start.
You can use ntsysv to set whether to start the xinetd service at startup.
The configuration files of xinetd are in the /etc/xinetd.d/ directory, and each file corresponds to a service.

2. What is xinetd

The extended internet daemon
xinetd is a new-generation network daemon, also known as the super Internet server, which is commonly used to manage a variety of lightweight Internet services.
xinetd provides functionality similar to inetd plus tcp_wrappers, but it is more powerful and more secure.
2. Features of xinetd
1) Powerful access control
— Built-in settings for treating malicious and benign users differently.
— Uses libwrap support, which is more efficient than tcpd.
— The connection rate, the number of connections per host and the number of connections per service can be limited.
— Access can be restricted to specific times.
— A service can be made available only on a specific host address.
2) Effective protection against DoS attacks
— The connection rate can be limited.
— The maximum number of connections from one host can be limited, so that no single host monopolizes a service.
— The log file size can be limited, so that logs cannot fill the disk.
3) Powerful logging
— A syslog log level can be set for each service.
— If syslog is not used, a separate log file can be created for each service.
— The start and end times of a request can be recorded, which establishes when the remote party had access.
— Unauthorized access attempts can be logged.
4) Forwarding
A client's request can be forwarded to another host for handling.
5) IPv6 support
xinetd supports IPv6 since xinetd 2.1.8.8pre*; it is enabled with the with-inet6 option of the ./configure script.
Note that for this to work, the kernel and network stack must support IPv6. IPv4 is still supported.
6) Interaction with the client
Whether or not a client request succeeds, xinetd reports the connection status to the client.

3. Disadvantages of Xinetd

The biggest drawback at present is unstable RPC support, but this can be worked around by starting portmap and letting it coexist with xinetd.

4. Start the daemon with xinetd

In principle, any system service can be run through xinetd, but the most suitable ones are the commonly used network services whose number and frequency of requests are not too high.
This approach is not suitable for DNS or Apache,
while FTP, Telnet, SSH and the like are suitable for xinetd mode.
The services that use xinetd by default in the system can be divided into the following categories.
① Standard Internet services: telnet, ftp.
② Information service: finger, netstat, systat.
③ Mail service: imap, imaps, pop2, pop3, pops.
④ RPC services: rquotad, rstatd, rusersd, sprayd, walld.
⑤ BSD services: comsat, exec, login, ntalk, shell, talk.
⑥ Internal services: chargen, daytime, echo, servers, services, time.
⑦ Security service: irc.
⑧ Other services: name, tftp, uucp.
The specific services that can be used with xinetd are listed in the /etc/services file.
Excerpt from this file:
/etc/services:
# $Id: services,v 1.40 2004/09/23 05:45:18 notting Exp $
# service-name port/protocol [aliases ...] [# comment]
tcpmux 1/tcp # TCP port service multiplexer
tcpmux 1/udp # TCP port service multiplexer
rje 5/tcp # Remote Job Entry
rje 5/udp # Remote Job Entry
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
………
The Internet network services file records each network service name together with the port number and protocol it uses. Each line of the file corresponds to one service and consists of four fields, separated by tabs or spaces: the service name, the port used, the protocol name and any aliases. In general, do not modify this file, because these settings are Internet standards; once modified, they may cause system conflicts and prevent users from accessing resources normally. Linux port numbers range from 0 to 65535, and port numbers in different ranges have different meanings.
— 0: not used.
— 1~1023: reserved by the system; can be used only by the root user.
— 1024~4999: freely allocated to client programs.
— 5000~65535: freely allocated to server programs.
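As an added illustration of the /etc/services format and the port ranges described above (example code written for this page, not part of the original article or of any system tool): a parser that splits each line into the four fields, rejects malformed or out-of-range port/protocol values, resolves a service name or alias to its port, and classifies a port by the ranges listed. The excerpt it reads is a constructed sample.

```python
import re

# Constructed excerpt in /etc/services syntax (not copied from a real host).
SERVICES_EXCERPT = """# service-name  port/protocol  [aliases ...]  [# comment]
tcpmux          1/tcp                   # TCP port service multiplexer
rje             5/udp                   # Remote Job Entry
echo            7/tcp
discard         9/udp           sink null
rsync           873/tcp
bogus           70000/tcp               # outside 0-65535, must be rejected
"""

# Port ranges and their meaning as given in the text above.
RANGES = ((0, 0, "not used"), (1, 1023, "reserved, root only"),
          (1024, 4999, "client programs"), (5000, 65535, "server programs"))

def port_class(port):
    """Name the range a port number falls into; reject anything outside 0-65535."""
    for low, high, label in RANGES:
        if low <= port <= high:
            return label
    raise ValueError(f"port {port} outside 0-65535")

def parse_services(text):
    """Return (name, port, proto, aliases) tuples; comments and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment, then tokenize
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(tcp|udp)", fields[1])
        if not m or int(m.group(1)) > 65535:
            continue   # malformed or out-of-range port/protocol: do not trust it
        entries.append((fields[0], int(m.group(1)), m.group(2), fields[2:]))
    return entries

def lookup(entries, name, proto="tcp"):
    """Resolve a service name or alias to its port for one protocol, or None."""
    for svc, port, p, aliases in entries:
        if p == proto and (svc == name or name in aliases):
            return port
    return None
```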

5. Interpret /etc/xinetd.conf and /etc/xinetd.d/*

1) /etc/xinetd.conf
The configuration file of xinetd is /etc/xinetd.conf, but it contains only a few default values and includes the configuration files in the /etc/xinetd.d directory. To enable or disable an xinetd service, edit its configuration file in /etc/xinetd.d: disable = yes means the service is disabled, and disable = no means the service is enabled. /etc/xinetd.conf has many options; below is the /etc/xinetd.conf of RHEL 4.0.
# Simple configuration file for xinetd
# Some defaults, and include /etc/xinetd.d/
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.d
— instances = 60: the maximum number of simultaneously running server processes is 60.
— log_type = SYSLOG authpriv: logging goes through syslog, using the authpriv facility.
— log_on_success = HOST PID: on a successful connection, the client's address and the server process ID are logged.
— log_on_failure = HOST: on a failed connection, the client's address is logged.
— cps = 25 30: at most 25 inbound connections per second; if the limit is exceeded, wait 30 seconds. Mainly used to counter denial-of-service attacks.
— includedir /etc/xinetd.d: tells xinetd to include the files in the /etc/xinetd.d directory.
2) /etc/xinetd.d/*
The following takes a file (rsync) in /etc/xinetd.d/ as an example.
service rsync
{
disable = yes
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
log_on_failure += USERID
}
The meaning of each line of options is explained below.
— disable = yes: this service is disabled.
— socket_type = stream: the service uses a stream (TCP) socket.
— wait = no: xinetd does not wait for the server to finish, so the service runs in multi-threaded mode with one process per connection.
— user = root: the service process runs as the root user.
— server = /usr/bin/rsync: the path of the server program to execute.
— log_on_failure += USERID: in addition to the defaults, the remote user ID is logged when a connection fails.

6. Configure xinetd

1) Format
Each entry in /etc/xinetd.conf has the following form:
service service-name
{
...
}
where service is a required keyword, and the attribute table must be enclosed in curly brackets. Each entry defines the service named by service-name.
The service-name is arbitrary but is usually a standard network service name. Other non-standard services can be added as well, as long as they can be activated by network requests, including requests made by localhost itself. There are many usable attributes; the required attributes and the rules for using them are described later.
The operator can be =, += or -=. All attributes can use =, which assigns one or more values; some attributes can also use += or -=, which respectively add the given values to an existing value list or remove them from it.
2) Configuration files
The relevant configuration files are as follows:
/etc/xinetd.conf
/etc/xinetd.d/* //All files in this directory
/etc/hosts.allow
/etc/hosts.deny
3) disabled and enabled
The parameter of the former is a list of disabled services, and the parameter of the latter is a list of enabled services. Both have the same format (the attribute name, then the service names separated by spaces, for example disabled = in.tftpd in.rexecd), and both act globally. A service named in the disabled list is disabled regardless of whether it has a configuration file and how that file is set; if an enabled list is given, only the services in it can be started; if enabled is not specified, all services other than those named in disabled can be started.
4) Notes:
① During reconfiguration, the following attributes cannot be changed: socket_type, wait, protocol, type.
② If neither only_from nor no_access is specified (directly in the service entry or through the defaults), there is no restriction on the IP addresses that may access the service.
③ Address checking is done on the IP address, not on the domain name.

7. Reasons why xinetd prevents Denial of Services attacks

The reasons why xinetd can effectively prevent Denial of Services attacks are as follows.
1) Limit the number of processes running at the same time
Set the number of concurrently running processes with the instances option:
instances = 20
When the number of server processes for the requested service reaches 20, xinetd stops accepting further connection requests until the number falls below the set value.
2) Limit the maximum number of connections from one IP address
Limiting the maximum number of connections from a single host prevents that host from monopolizing a service:
per_source = 5
Here each IP address may have at most 5 connections.
3) Limit the log file size to keep the disk from filling up
Many attackers know that most services write to a log. An intruder can generate and send a large number of error messages; the server records all of them, so the log file grows very large and may even fill the hard disk. At the same time the administrator faces a huge log and cannot find the intruder's real path in. Limiting the log file size is therefore one way to prevent denial of service.
log_type = FILE /var/log/myservice.log 8388608 15728640
The soft limit set here for the log file /var/log/myservice.log is 8MB; when it is reached, a warning appears in syslog. When the file reaches 15MB, the system stops all services that use this log.
4) Limit the load
xinetd can also limit the system load to prevent denial of service. A floating point number is used as the load factor; when the load reaches it, the service stops handling further connections.
max_load = 2.8
The above setting means that when the system load reaches 2.8, all services are temporarily suspended until the load drops below the set value.
Note that to use this option, "--with-loadavg" must be given when compiling; xinetd then honours the max_load option and shuts down some service processes when the system is overloaded, preventing some denial of service attacks.
5) Limit the connection rate of all services
xinetd can set the connection rate with the cps option, for example:
cps = 25 60
The above setting means that the server may start at most 25 connections per second; when that number is reached, it stops starting new services for 60 seconds, during which no requests are accepted.
6) Limit the use of hardware resources
The two options rlimit_as and rlimit_cpu effectively limit the memory and CPU that a service may consume:
rlimit_as = 8M
rlimit_cpu = 20
The above settings restrict the server's use of hardware resources: the maximum available memory is 8MB, and the CPU limit is 20 (xinetd's rlimit_cpu is expressed in CPU seconds).
An important function of xinetd is that it can control the amount of resources available to the services under it. The settings above achieve this and help prevent one xinetd service from consuming so many resources that a "denial of service" results.
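As an added, runnable illustration of sections 5 to 7 (example code written for this page, not part of the original article or of xinetd itself): a small Python parser for the stanza format, which applies the =, += and -= operators on top of the defaults block, honours the global disabled/enabled lists, and reports which enabled services set none of the instances, per_source or cps limits. The configuration text is a constructed sample, not a real host's file.

```python
import re
# Constructed sample in /etc/xinetd.conf syntax (not taken from any real host).
SAMPLE_CONF = """
defaults
{
        instances      = 60
        log_on_success = HOST PID
        log_on_failure = HOST
        cps            = 25 30
        disabled       = telnet
}
service rsync
{
        log_on_failure += USERID
}
service telnet
{
        log_on_success -= PID
}
"""
STANZA_RE = re.compile(r"(defaults|service\s+\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")

def parse_xinetd(text):
    """Map stanza name -> {attr: tokens}; each service starts from a copy of defaults."""
    conf = {}
    for head, body in STANZA_RE.findall(text):
        name = head.split()[-1]
        base = {} if name == "defaults" else conf.get("defaults", {})
        attrs = {k: list(v) for k, v in base.items()}
        for m in filter(None, map(ATTR_RE.match, body.splitlines())):
            key, op, tokens = m.group(1), m.group(2), m.group(3).split()
            if op == "+=":    # append to the inherited or earlier list
                tokens = attrs.get(key, []) + tokens
            elif op == "-=":  # remove from it; a plain '=' replaces it
                tokens = [t for t in attrs.get(key, []) if t not in tokens]
            attrs[key] = tokens
        conf[name] = attrs
    return conf

def is_enabled(name, conf):
    """The global disabled/enabled lists in defaults win over a service's own 'disable'."""
    d = conf.get("defaults", {})
    allowed = name not in d.get("disabled", []) and name in d.get("enabled", [name])
    return allowed and conf[name].get("disable", ["no"]) != ["yes"]

def audit_limits(conf):
    """Enabled services and the DoS-limiting attributes (instances, per_source, cps) they lack."""
    return {n: [k for k in ("instances", "per_source", "cps") if k not in a]
            for n, a in conf.items() if n != "defaults" and is_enabled(n, conf)}
```

For the sample, audit_limits reports rsync as missing only per_source (instances and cps are inherited from defaults) and skips telnet because the global disabled list wins.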

 
