Access control for Transient daemons

Source: Internet
Author: User
Tags: wrappers, rsync

Access control of the transient daemon

We know that transient daemons are managed by the super daemon process, xinetd. Because the super daemon itself is subject to TCP Wrappers access control, the transient daemons it manages are also subject to TCP Wrappers control.

Although TCP Wrappers can restrict access to transient daemons, it can only control which clients may access which services; it cannot control how each service is used in finer detail, for example the maximum number of simultaneous connections to the Telnet service, or the maximum number of connections a single client may open to a service. TCP Wrappers cannot do this.

To manage these transient daemons precisely, you need to edit the configuration files of the super daemon.

The super daemon's configuration files are /etc/xinetd.conf and /etc/xinetd.d/*.

/etc/xinetd.conf is the main configuration file; it holds the default settings.

The syntax of /etc/xinetd.conf is as follows:

# vim /etc/xinetd.conf

defaults
{
    attribute = value
    ...
}

includedir /etc/xinetd.d

Parameters defined in the main configuration file are global: they apply to every transient daemon that xinetd manages on behalf of the system.

The common parameters are:

enable = {yes|no}
# whether the service is enabled; yes enables the service

disable = {yes|no}
# whether the service is disabled; no means the service is enabled

log_type = SYSLOG daemon info
# log to syslog, facility daemon, log level info

log_type = FILE /var/log/telnet.log
# the other log type is FILE, followed by the path of the log file

log_on_failure = HOST
# when access fails, log the client host

log_on_success = PID HOST DURATION EXIT
# when access succeeds, log the service's PID, the client host, the duration of the session and its exit status

cps = NUM1 NUM2
# rate limit: at most NUM1 connections per second; when NUM1 is exceeded, the service is paused for NUM2 seconds

instances = NUM1
# the maximum number of simultaneous instances (connections) of the service

per_source = NUM1
# the maximum number of connections allowed from each client

only_from = {IP|network/mask|hostname|DOMAIN}
# only the listed hosts may access the service

no_access = {IP|network/mask|hostname|DOMAIN}
# the listed hosts may not access the service

bind = IP
# by default, on a host with several IP addresses the service listens on all of them;
# bind = IP makes it listen only on that address, i.e. only that address can be used to reach the service

interface = IP
# same meaning as bind

access_times = hh:mm-hh:mm
# the service may only be accessed within the given time range

port = PORT
# the port number of the service; use this when the service does not run on its default port

wait = {no|yes}
# when several requests arrive at the same time, whether they are served concurrently or one at a time
# with the others waiting; no means a new process or thread is started for each request. The default is no

socket_type = {stream|dgram|raw}
# stream means TCP, dgram means UDP, raw means the service connects using the RPC protocol

user = root
# the user identity the service runs as

group = root
# the group identity the service runs as; roughly the same meaning as user

server = /path/to/binary
# the binary program of the service, for example: server = /usr/bin/rsync

server_args = args
# arguments passed to the binary program, for example: server_args = --daemon

umask = UMASK
# the umask applied when the service creates directories and files

banner = /path/to/file
# the contents of the file are displayed after a successful login

If these parameters are defined in the main configuration file, they take effect globally. They can also be defined in the configuration file of an individual service; those files live in the /etc/xinetd.d/ directory, and a parameter defined there takes effect only for that service. The syntax of a transient daemon's configuration file is as follows:

service <service_name>
{
    <attribute> <assign_op> <value> <value> ...
    ...
}

where <service_name> is the same as the name of the configuration file,

<attribute> is a parameter option, i.e. one of the parameters listed above,

<assign_op> is an assignment operator, such as "=" or "+=",

<value> is the value assigned to the parameter.

Example: configure the local rsync service (as a transient daemon, not a standalone daemon) to meet the following requirements:

1. Listen only on the local address 192.168.0.103.

2. Allow access only from hosts in the 192.168.0.0/24 network, except 192.168.0.100, which is denied.

3. Allow at most 3 instances, and at most 2 connection requests from each client IP.

Solution:

# vim /etc/xinetd.d/rsync

service rsync
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
    log_on_failure  += USERID
    bind            = 192.168.0.103
    only_from       = 192.168.0.0/24
    no_access       = 192.168.0.100
    instances       = 3
    per_source      = 2
}
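As an added example (not code from the original post): a small Python parser for the service-file syntax above, handling the =, += and -= operators, plus a check that a parsed rsync block satisfies the three requirements of the example. The embedded configuration is constructed from the post's rsync file, and the 192.168.0.x addresses are the post's own.

```python
import re
# Constructed sample (not from the original post): the rsync service file the text builds.
SAMPLE = """service rsync
{
    disable         = no
    log_on_failure  += USERID
    bind            = 192.168.0.103
    only_from       = 192.168.0.0/24
    no_access       = 192.168.0.100
    instances       = 3
    per_source      = 2
}"""

_ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def parse_xinetd(text):
    """Parse 'service NAME { attr op value... }' blocks into {name: {attr: [values]}}."""
    services, attrs = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line or line in ("{", "}"):
            continue
        if line.startswith("service "):
            attrs = services.setdefault(line.split()[1], {})
            continue
        m = _ATTR.match(line)
        if m is None or attrs is None:
            raise ValueError("unparseable line: %r" % raw)
        key, op, vals = m.group(1).lower(), m.group(2), m.group(3).split()
        if op == "=":
            attrs[key] = vals                                  # assign
        elif op == "+=":
            attrs.setdefault(key, []).extend(vals)             # append
        else:
            attrs[key] = [v for v in attrs.get(key, []) if v not in vals]  # '-=' removes
    return services

def policy_gaps(attrs):
    """Names of the text's three requirements this block fails; a missing limit counts, since xinetd's default is UNLIMITED."""
    gaps = []
    if attrs.get("bind", attrs.get("interface")) != ["192.168.0.103"]:
        gaps.append("bind")
    allowed, denied = attrs.get("only_from", []), attrs.get("no_access", [])
    if "192.168.0.0/24" not in allowed or "192.168.0.100" not in denied:
        gaps.append("access")
    for key, limit in (("instances", 3), ("per_source", 2)):
        val = attrs.get(key, ["UNLIMITED"])[0]
        if not val.isdigit() or int(val) > limit:
            gaps.append(key)
    return gaps
```

Running policy_gaps(parse_xinetd(SAMPLE)["rsync"]) returns an empty list for the file above; a block that omits bind, instances or per_source reports each missing setting by name.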

To start a transient daemon, besides setting disable = no or enable = yes in its configuration file, you can also run

chkconfig <service_name> on

The chkconfig command simply modifies the value of the disable (or enable) parameter in that service's configuration file.

This article is from the "Linux Learning path" blog, so be sure to keep this source http://xslwahaha.blog.51cto.com/4738972/1573869
