tcp_wrapper & xinetd and telnet

One, xinetd overview

1. What is xinetd

xinetd: eXtended InterNET Daemon
   xinetd is a new-generation network daemon, also known as the super daemon, used to manage a variety of lightweight Internet services. xinetd provides functionality similar to inetd + tcp_wrapper, but is more powerful and more secure.

 

2. Disadvantages of xinetd

   The biggest drawback is that its RPC support is currently unstable, but you can start portmap alongside xinetd to solve this problem.

 

3. Starting daemons with xinetd
    In principle any system service can use xinetd, but it is best suited to commonly used network services whose request rate is not too high. DNS and Apache are not suitable for this mode, while FTP, Telnet, SSH and the like are well suited to xinetd mode.

 

Two, using xinetd

There are two types of services on Linux:

  standalone: independent daemon
  transient: non-independent daemon, which depends on the xinetd super daemon

  For services that receive few requests, xinetd provides the listening function: when a request arrives, xinetd starts the corresponding service to answer it temporarily, and shuts the service down again once the request is finished.

  Services managed by xinetd this way are called non-independent daemons, also known as transient daemons: they need no run-level definition of their own; only xinetd's run level needs to be defined, once.

  A service that manages itself without xinetd's listening is called an independent (standalone) daemon.

[root@Node4 xinetd.d]# chkconfig --list xinetd      # xinetd starts at boot by default
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
[root@Node4 ~]# chkconfig --list
.
.
.                                                   # standalone daemons omitted
xinetd based services:                              # services managed by xinetd
        chargen-dgram:     off
        chargen-stream:    off
        daytime-dgram:     off
        daytime-stream:    off
        discard-dgram:     off
        discard-stream:    off
        echo-dgram:        off
        echo-stream:       off
        rsync:             off
        tcpmux-server:     off
        telnet:            on
        time-dgram:        off
        time-stream:       off

 

1. How do you start an xinetd-based service?

For example, I want to start the rsync service.

In the /etc/xinetd.d/ directory, each service managed by xinetd has its own configuration file.

The configuration has two parts:

1. global configuration (the default settings for all services)

2. per-service configuration, written as:

service <service_name>
{
    <attribute> <assign_op> <value> <value> ...
    ...
}

 

xinetd --> (n non-independent processes)
/etc/xinetd.conf
/etc/xinetd.d/*

[root@Node4 ~]# cd /etc/xinetd.d
[root@Node4 xinetd.d]# ls
chargen-dgram   daytime-stream  echo-dgram   tcpmux-server  time-stream
chargen-stream  discard-dgram   echo-stream  telnet         daytime-dgram
discard-stream  rsync           time-dgram
[root@Node4 xinetd.d]# cat rsync
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable         = yes       # yes = disabled; change to no to enable, no need to restart xinetd
        flags           = IPv6
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
# The same value can be set directly with chkconfig:
[root@Node4 xinetd.d]# chkconfig --list | grep rsync
        rsync:             on
[root@Node4 xinetd.d]# chkconfig rsync off
[root@Node4 xinetd.d]# chkconfig --list | grep rsync
        rsync:             off
[root@Node4 xinetd.d]# cat rsync
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable         = yes       # the chkconfig command also modifies this value
        flags           = IPv6
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}

 

Services dedicated to logging (rsyslogd for the system log, klogd for the kernel log): SYSLOG

SOCKET-based services come in three kinds: tcp / udp / rpc (Remote Procedure Call)

    portmap provides rpc services

    nfs uses rpc services

man xinetd.conf shows:

* Basic access control

only_from  allow only. Example: only_from = 172.16.22.1   only_from = 172.16.22.1/16

     IP
    NETWORK
    HOSTNAME: an FQDN
    DOMAIN: a domain name

no_access  deny. Example: no_access = 172.16.22.1   no_access = 172.16.22.1/16

Note: when both are used, the one matching the smaller range takes effect, but using both together is not recommended.

 

* Time-based access control

access_times = hh:mm-hh:mm

access_times  Example: access_times = 10:00-16:00

* Resource-based access control

cps   limits the number of client connections the service may start per second (two parameters: the maximum number of connections per second, and for how many seconds the service is temporarily disabled once that maximum is exceeded). Example: cps = 50 5

per_source   limits the maximum number of instances each client may start: per_source = 20

instances   limits the total maximum number of instances the server may start: instances = 200

* Full-featured logging, which can record successful connections as well as failed connection attempts

      log_type  log_type = FILE /var/log/ftp.log

* Bind the service to a specific interface of the system, so that only a private network can reach the service
       bind   Example: bind = 172.16.22.1

Pass arguments to the server at startup:
server_args =
Greeting:
banner =
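As an added example (not code from the original post), here is a small Python parser for the xinetd stanza format shown above. It applies a defaults block to each service stanza, handles the =, += and -= assignment operators (the page notes that += adds to the default value), and then audits which of the access-control attributes just listed a service leaves unset. SAMPLE_CONF is constructed for this demonstration; the attribute names are the ones the page discusses, and the parser assumes, as in /etc/xinetd.conf, that the defaults block precedes the service stanzas.

```python
"""Parse xinetd-style configuration (a defaults block plus service stanzas) and
audit each service's access-control attributes.  Added example, not from the
original post; SAMPLE_CONF is constructed for this demonstration."""
import re

SAMPLE_CONF = """
defaults
{
        log_type        = SYSLOG daemon info
        log_on_failure  = HOST
        instances       = 50
        per_source      = 10
}

service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        only_from       = 172.16.0.0/16 10.0.0.5    # IP, NETWORK, HOSTNAME or DOMAIN
        no_access       = 172.16.200.0/24
        access_times    = 08:00-18:00
        cps             = 50 5                      # max 50 conn/s, then pause 5 s
        instances       = 200                       # overrides the defaults value
        bind            = 172.16.22.1
        log_on_failure  += USERID                   # appended to the inherited HOST
}

service telnet
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}
"""

# A stanza is 'defaults' or 'service <name>', followed by a brace block.
STANZA_RE = re.compile(r"^\s*(defaults|service\s+\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
# attribute  op  value [value ...]   where op is =, += or -=
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def _stanzas(text):
    for m in STANZA_RE.finditer(text):
        header, body = m.group(1).split(), m.group(2)
        name = "defaults" if header[0] == "defaults" else header[1]
        attrs = []
        for line in body.splitlines():
            a = ATTR_RE.match(line.split("#", 1)[0])   # strip trailing comments
            if a:
                attrs.append((a.group(1), a.group(2), a.group(3).split()))
        yield name, attrs


def parse_xinetd(text):
    """Return {service: {attribute: [values]}}.  The defaults block (assumed to
    come first, as in /etc/xinetd.conf) is inherited by every service; '='
    replaces the inherited value, '+=' appends to it and '-=' removes from it."""
    defaults, services = {}, {}
    for name, attrs in _stanzas(text):
        target = defaults if name == "defaults" else {k: list(v) for k, v in defaults.items()}
        for key, op, values in attrs:
            if op == "=":
                target[key] = values
            elif op == "+=":
                target[key] = target.get(key, []) + values
            else:
                target[key] = [v for v in target.get(key, []) if v not in values]
        if name != "defaults":
            services[name] = target
    return services


def audit(service):
    """List the access controls from the text above that a service does not set;
    each missing one leaves xinetd at its permissive default."""
    if service.get("disable") == ["yes"]:
        return []                                   # disabled service: nothing listens
    findings = []
    if not (service.keys() & {"only_from", "no_access"}):
        findings.append("no only_from/no_access: any source may connect")
    for key, msg in (("bind", "no bind: listens on every interface"),
                     ("access_times", "no access_times: reachable around the clock"),
                     ("cps", "no cps: no connection rate limit"),
                     ("log_type", "no log_type: connections are not logged")):
        if key not in service:
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for name, conf in parse_xinetd(SAMPLE_CONF).items():
        print(name, conf.get("log_on_failure"), audit(conf) or "OK")
```

Running it shows rsync inheriting per_source = 10 and log_type from defaults while its own instances = 200 wins, and log_on_failure ending up as HOST USERID; the bare telnet stanza is reported as reachable from any source, on every interface, at any time and without a rate limit.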

We can conclude that:

   Independent and non-independent daemons behave differently: for a non-independent daemon, chkconfig sets whether it starts at boot and also whether the service is currently enabled or disabled; for an independent daemon, chkconfig only sets the run levels in which it starts at boot.

   A transient daemon's listening port depends on xinetd; when the xinetd service is not running, enabling the non-independent daemon is useless.

[root@Node4 ~]# service xinetd status
xinetd (pid  1637) is running...
[root@Node4 ~]# ss -tunlp|grep :23
[root@Node4 ~]# chkconfig telnet on
[root@Node4 ~]# ss -tunlp|grep :23
tcp    LISTEN     0      64                    :::23                   :::*      users:(("xinetd",1637,5))
[root@Node4 ~]# service xinetd stop
Stopping xinetd:                                           [  OK  ]
[root@Node4 ~]# service xinetd status
xinetd is stopped
[root@Node4 ~]# chkconfig --list|grep telnet
    telnet:            on
[root@Node4 ~]# ss -tunlp|grep :23
[root@Node4 ~]#

 Telnet service:

The telnet service is not enabled by default. Modify /etc/xinetd.d/telnet to start the service:

Note: if the file does not exist, you can create it yourself with vim. The change is:
        disable = yes  ->  disable = no

The modified telnet file is:

# default: yes
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
#       log_type        = FILE /var/log/telnet.log    # custom log file
        log_on_failure  += USERID    # += adds an option on top of the default value; sets the failure log format
        disable         = no
}

Testing telnet: enter ip + username + password (this works under normal circumstances):

My mistake (the Linux root user cannot log in over telnet): logging in as root kept prompting "Login incorrect". Solution:

Run tail /var/log/secure to view the log, which looks like this:

[screenshot: tail /var/log/secure output]

The last three lines are the login-failure information from my last attempt. Look at the third line: pam_securetty reports access denied: tty pts/3 is not secure (the terminal pts/3 is unsafe).
So we need to know what pam_securetty is; first we need to know what PAM is, and a search turns up many blog posts with very detailed explanations. The login program also calls PAM modules, and login authentication is configured in /etc/pam.d/login. Not surprisingly, when you open that file you will see a line containing pam_securetty.so. Then look at the man page with man pam_securetty; the result is as follows:

[screenshot: man pam_securetty output]

Its purpose is to restrict root logins.
The first line of the description says: pam_securetty is a PAM module that checks root logins, making sure the tty (terminal) root logs in from is secure. Which terminals are secure? "as defined by the listing in /etc/securetty" (only the ones listed in that file are secure).
Combining the error log above with this explanation, it should be clear that root's login failed because the terminal "pts/3" is not listed in /etc/securetty. So open /etc/securetty and add a new line, following the existing format, containing "pts/3".

Then restart the telnet service. Now the root user can log in remotely with telnet again.

service xinetd restart

systemctl restart  xinetd.service  

11 ===> Set the service to start at boot:

chkconfig --level 35 xinetd on

systemctl enable xinetd.service

12 ===> How to exit telnet:

(1) Most protocols support the quit command; after typing it at the telnet prompt, the system automatically disconnects from the remote host.

(2) If you don't mind one extra step, press CTRL+], which forces you back to the telnet command prompt, then use quit to exit. This works every time.

(3) Otherwise use CTRL+C or CTRL+D to forcibly break the remote connection, but few hosts support this (mine certainly doesn't). The last resort is to close the telnet window.

 

CentOS: installing the telnet service, the xinetd service, iptables, and Linux run levels

https://blog.csdn.net/typa01_kk/article/details/46604967

Three, tcp_wrapper

1. Introduction to tcp_wrapper

  tcp_wrapper, the TCP wrapper,

  is an access control tool, similar to iptables, that can be used for access control.

  tcp_wrapper can only control access to TCP-based services, and not every TCP-based service can have its access controlled with tcp_wrapper.

 

2. How tcp_wrapper works

Daemon: tcpd. tcp_wrapper can also be viewed as a library: a program that depends on tcp_wrapper thereby accepts tcp_wrapper control.

Configuration files: /etc/hosts.allow, /etc/hosts.deny

 Note:

    Not every service can be controlled by tcp_wrapper.

    To determine whether a service program can be controlled by tcp_wrapper:

     Dynamically linked:

        use the ldd command to check whether it links to the libwrap library:

    libwrap.so.0 => /lib64/libwrap.so.0

[root@Node1 ~]# ldd `which sshd`|grep libwrap 
	libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fd7dbe27000)


     Statically linked:

       strings /path/to/program

   strings `which program` | grep host 

   If either of the following strings appears, the program also accepts tcp_wrapper control:

         hosts.allow

         hosts.deny
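The two checks just described (ldd for a dynamically linked binary, a strings search for hosts.allow / hosts.deny in a statically linked one) combined into one Python function, as an added example that is not part of the original post. The strings step is done in Python so that it works even where binutils is not installed, and the demo runs the checks on constructed byte strings written to a temporary file rather than on a real daemon, so it does not depend on what is installed; on a real host you would call is_wrapped("/usr/sbin/sshd"). Note that ldd invokes the program's dynamic loader, so only point it at binaries you trust.

```python
"""Decide whether a program accepts tcp_wrapper control: 'ldd' for a dynamically
linked binary, a strings-style scan for hosts.allow / hosts.deny otherwise.
Added example, not from the original post."""
import os
import re
import subprocess
import tempfile

# A printable run of 4 or more bytes is what strings(1) prints by default.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def linked_libwrap(path):
    """Dynamic check: does 'ldd path' list libwrap.so?  Returns False when ldd is
    missing, times out, or the file is not a dynamic executable (non-zero exit).
    ldd runs the dynamic loader on the file, so use it on trusted binaries only."""
    try:
        out = subprocess.run(["ldd", path], capture_output=True, text=True,
                             check=False, timeout=10)
    except (FileNotFoundError, OSError, subprocess.TimeoutExpired):
        return False
    return out.returncode == 0 and "libwrap.so" in out.stdout


def embeds_hosts_access(path):
    """Static check: a program built against libwrap carries the names of its
    rule files as string literals, which is what 'strings | grep host' finds."""
    with open(path, "rb") as f:
        data = f.read()
    return any(b"hosts.allow" in s or b"hosts.deny" in s
               for s in PRINTABLE_RUN.findall(data))


def is_wrapped(path):
    """True if either check succeeds: the program is subject to tcp_wrapper rules."""
    return linked_libwrap(path) or embeds_hosts_access(path)


def check_constructed(payload):
    """Write constructed bytes to a temporary file and run the checks on it, so the
    example is self-contained (constructed input, not a real binary)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(payload)
        name = tmp.name
    try:
        return is_wrapped(name)
    finally:
        os.unlink(name)


if __name__ == "__main__":
    print(check_constructed(b"\x00/etc/hosts.allow\x00/etc/hosts.deny\x00"))  # True
    print(check_constructed(b"\x00no access control strings here\x00"))        # False
```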

 

   tcp_wrapper implements access control mainly through two files: /etc/hosts.allow and /etc/hosts.deny. As the names suggest, one defines what is allowed and the other what is denied. In what order do the two files take effect?

Explanation: in the diagram (not reproduced here), N means no matching rule, Y means a matching rule, OK means access is allowed, and DENY means access is denied.

Matching mechanism:

  1. Check /etc/hosts.allow first; if the client is allowed there, let it through directly.

  2. If /etc/hosts.allow has no matching entry, check /etc/hosts.deny; if the client is denied there, block access.

  3. If neither file matches, let it through.

 

3. tcp_wrapper configuration

Configuration file syntax:

   daemon_list: client_list [:options]

   process list : client list

Format of daemon_list:

  daemon_list takes the file name of the executable binary, e.g. the binary for ssh is sshd, the binary for http is httpd.

   That is the application name (not the process name); separate multiple names with commas.

   ALL: matches everything in the list.

client_list:

    IP address: 172.16.100.100

    Network address: the prefix-length form cannot be used, only the full-length mask. Example: 172.16.0.1/255.255.0.0, but not 172.16.0.1/16

    Hostname: www.magedu.com

    Network address/netmask: the mask may only be written in long form, not in CIDR format.

                 172.16. stands for 172.16.0.0/255.255.0.0

 

[:options]

   Using the deny option in hosts.allow: defines a deny rule inside the hosts.allow file.

   Using the allow option in hosts.deny: defines an allow rule inside the hosts.deny file.

tcp_wrapper has several built-in macros:

   For client_list: ALL, KNOWN (hostname resolves normally), UNKNOWN (hostname does not resolve), PARANOID (forward and reverse hostname lookups do not match).

   For daemon_list: ALL

            EXCEPT: "except", i.e. not including. Usable in both client_list and daemon_list to exclude entries.

Examples:

in.telnetd:  172.16.  EXCEPT  172.16.251.105

in.telnetd: 172.16. :deny       # denies the hosts in the 172.16.0.0 network

 

spawn: launch

  Means to execute a command; it can be used to write a log.

    %c: client information  user@host

    %s: server information  server@host

    %h: client hostname

    %p: PID of the server process

Example: allow ssh access from the 172.16.0.0/16 network and log it.

sshd: 172.16. : spawn echo "someone login attempt from %c to %s" >> /var/log/tcpwrapper.log

          

man 5 hosts_access: full help information

Note:

   spawn only takes effect when it is defined in the file by which the client is denied.

   The echo message does not need quotes; with quotes, command substitution may not be performed.

[root@Node1 ~]# cat /etc/hosts.deny 
#
# hosts.deny    This file contains access rules which are used to
#        deny connections to network services that either use
#        the tcp_wrappers library or that have been
#        started through a tcp_wrappers-enabled xinetd.
#
#        The rules in this file can also be set up in
#        /etc/hosts.allow with a 'deny' option instead.
#
#        See 'man 5 hosts_options' and 'man 5 hosts_access'
#        for information on rule syntax.
#        See 'man tcpd' for information on tcp_wrappers
#
sshd: 192.168.10.5 : spawn echo `date` login attempt from %c to %s >> /var/log/tcp_wrapper.log
[root@Node1 ~]# cat /var/log/tcp_wrapper.log 
Sun Feb 12 12:45:59 CST 2017 login attempt from 192.168.10.5 to sshd@192.168.10.1

 

Exercise:

   Use tcp_wrapper to control the vsftpd service: allow access only from hosts in the 172.16.0.0 network, but refuse 172.16.200.0; deny all other hosts, and log every denied access attempt.
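As an added example (not from the original post), the following Python script simulates tcp_wrapper's rule evaluation exactly in the order described earlier (hosts.allow first, then hosts.deny, then allow by default) for the daemon_list : client_list [: options] syntax, including EXCEPT, the 172.16. prefix form, long-form masks, the ALL macro, the deny/allow options and %c/%s/%h expansion for spawn. Its built-in HOSTS_ALLOW and HOSTS_DENY are a constructed rule set for the exercise above, and the server address 172.16.0.1 is an assumed value; the spawn command is only rendered, never executed, and hostname macros (KNOWN, UNKNOWN, PARANOID) are not modelled.

```python
"""Simulate tcp_wrapper's hosts.allow / hosts.deny evaluation.  Added example;
the rule files below are constructed for the vsftpd exercise, not real files."""
import ipaddress

# Constructed answer to the exercise: only 172.16.0.0/16 may reach vsftpd,
# except 172.16.200.0/24; everyone else is denied and logged via spawn.
HOSTS_ALLOW = """
vsftpd: 172.16. EXCEPT 172.16.200.
"""
HOSTS_DENY = """
vsftpd: ALL : spawn echo `date` denied %c to %s >> /var/log/vsftpd_deny.log
"""


def _tokens(text):
    return text.replace(",", " ").split()          # entries separated by space or comma


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, ip):
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # leading-octet prefix such as 172.16.
        return ip.startswith(pattern)
    if "/" in pattern:                             # network/mask, long form only (as stated above)
        net, mask = pattern.split("/", 1)
        if "." not in mask:
            raise ValueError("CIDR masks are not accepted here: " + pattern)
        return addr in ipaddress.ip_network(net + "/" + mask, strict=False)
    return pattern == ip                           # single address


def _match_list(spec, item, matcher):
    """'a b EXCEPT c' matches when item is in {a, b} and not in {c}."""
    included, _, excluded = spec.partition("EXCEPT")
    if not any(matcher(p, item) for p in _tokens(included)):
        return False
    return not any(matcher(p, item) for p in _tokens(excluded))


def parse_rules(text):
    """Return (daemon_list, client_list, options) per non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = [f.strip() for f in line.split(":", 2)]
            rules.append((fields[0], fields[1], fields[2] if len(fields) > 2 else ""))
    return rules


def _options(option_text):
    # options are themselves ':'-separated; a spawn command with ':' inside is not handled
    return [o.strip() for o in option_text.split(":") if o.strip()]


def _render_spawn(opts, daemon, ip, server_ip):
    """Expand %c (client), %s (server) and %h (client host) in a spawn command;
    without ident, tcpd fills %c with just the host, which is assumed here."""
    for o in opts:
        if o.startswith("spawn "):
            return (o[len("spawn "):].replace("%c", ip)
                    .replace("%s", daemon + "@" + server_ip).replace("%h", ip))
    return None


def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY,
                 server_ip="172.16.0.1"):
    """Return (verdict, source, spawn_command): first match in hosts.allow wins,
    then first match in hosts.deny, otherwise access is allowed."""
    for fname, text, default in (("hosts.allow", allow_text, "OK"),
                                 ("hosts.deny", deny_text, "DENY")):
        for d, c, opt in parse_rules(text):
            if _match_list(d, daemon, _match_daemon) and _match_list(c, ip, _match_client):
                opts = _options(opt)
                verdict = "DENY" if "deny" in opts else "OK" if "allow" in opts else default
                return verdict, fname, _render_spawn(opts, daemon, ip, server_ip)
    return "OK", "no match", None


if __name__ == "__main__":
    for client in ("172.16.1.20", "172.16.200.5", "10.0.0.9"):
        print(client, hosts_access("vsftpd", client))
```

Run as a script it reports 172.16.1.20 as OK from hosts.allow, while 172.16.200.5 (excluded by EXCEPT) and 10.0.0.9 fall through to hosts.deny and come back as DENY together with the rendered log command. A daemon with no rule in either file, for example sshd in this rule set, is allowed, which is why a "deny everything else" line in hosts.deny matters.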


Origin www.cnblogs.com/liuzhiyun/p/11255167.html