Access control of the transient daemon
Transient daemons are managed by the super daemon xinetd. Because the super daemon itself is subject to TCP Wrappers access control, the transient daemons it manages are also controlled by TCP Wrappers.
TCP Wrappers can restrict access to a transient daemon, but it can only decide which hosts may reach which services; it cannot control how each service is used in finer detail. For example, limiting the maximum number of simultaneous connections to the Telnet service, or the maximum number of connections a single client may open to a service, is not possible with TCP Wrappers.
To manage transient daemons effectively you need to edit the configuration files of the super daemon.
The super daemon's configuration files are /etc/xinetd.conf and /etc/xinetd.d/*.
/etc/xinetd.conf is the main configuration file and holds the default settings.
The syntax of /etc/xinetd.conf is as follows:
# vim /etc/xinetd.conf
defaults
{
    attribute = value
    ...
}
includedir /etc/xinetd.d/
Parameters defined in the main configuration file are global: they apply to every transient daemon that xinetd manages, whatever that daemon's own configuration file says, unless the daemon's file overrides them.
The common parameters are:
enable = {yes|no}  whether the service is enabled; yes enables the service
disable = {yes|no}  whether the service is disabled; no means the service is enabled
log_type = SYSLOG daemon info  log to syslog, with facility daemon and level info
The log type can also be FILE followed by the path of a log file.
Example: log_type = FILE /var/log/telnet.log
log_on_failure = HOST  when access fails, log the accessing host
log_on_success = PID HOST DURATION EXIT
# when access succeeds, log the service's PID, the accessing host, the duration of the session and its exit status
cps = num1 num2  at most num1 connections per second; when that rate is exceeded the service is paused for num2 seconds
instances = num1  the maximum number of simultaneous instances (connections) of the service
per_source = num1  the maximum number of connections allowed from a single client
only_from = {ip|network/mask|hostname|domain}
# only the listed hosts may access the service
no_access = {ip|network/mask|hostname|domain}
# the listed hosts may not access the service
bind = IP
# by default a host with several IP addresses listens on all of them; bind = IP makes the service listen on
# that one address only, so the service can only be reached through that IP
interface = IP  same meaning as bind
access_times = hh:mm-hh:mm
# the service may only be accessed within the given time window
port = PORT  the port number of the service, used when the service does not run on its default port
wait = {no|yes}
# whether several simultaneous requests are served at the same time, or one is served while the others wait.
# no starts a separate process or thread for each request at the same time; the default is no
socket_type = {stream|dgram|raw}
# stream means TCP, dgram means UDP, and raw means the service connects using the RPC protocol
user = root  the user identity the service runs as
group = root  the group identity the service runs as; the meaning is much the same as user
server = /path/to/binary  the binary program for the service
# For example: server = /usr/bin/rsync
server_args = args  the arguments passed to the binary program
# For example: server_args = --daemon, so the service runs as /usr/bin/rsync --daemon
umask = UMASK  the umask applied when the service creates directories and files
banner = /path/to/file  the contents of the file are shown to the client after the connection succeeds
If these parameters are defined in the main configuration file they take effect globally. They can also be defined in the configuration file of each individual service; these per-service files live in the /etc/xinetd.d/ directory, and a parameter set there applies to that service only. The syntax of a transient daemon's configuration file is as follows:
service <service_name>
{
    <attribute> <assign_op> <value> <value> ...
    ...
}
where <service_name> is the same as the configuration file name,
<attribute> is a parameter option, i.e. one of the parameters listed above,
<assign_op> is an operator such as "=", and
<value> is the value assigned to the parameter.
Example: configure the local rsync service (a transient daemon) to meet the following requirements:
1. Listen only on the local address 192.168.0.103.
2. Allow access only from hosts in the 192.168.0.0/24 network, but deny 192.168.0.100.
3. Allow at most 3 instances, and at most 2 connections from any single IP.
Solution:
# vim /etc/xinetd.d/rsync
service rsync
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
    log_on_failure  += USERID
    bind            = 192.168.0.103
    only_from       = 192.168.0.0/24
    no_access       = 192.168.0.100
    instances       = 3
    per_source      = 2
}
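To see how xinetd evaluates a stanza like the one above, here is an added example (not code from the original post or from xinetd): a small parser for a service stanza, followed by the access decision that only_from, no_access, instances and per_source produce for a new connection. It assumes only IP and network/mask entries (hostname and domain entries are not resolved), and treats a tie between an only_from and a no_access match as a deny; the "more specific match wins" rule follows xinetd.conf(5), and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the rsync stanza from this article.
RSYNC_CONF = """
service rsync
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
    log_on_failure  += USERID
    bind            = 192.168.0.103
    only_from       = 192.168.0.0/24
    no_access       = 192.168.0.100
    instances       = 3
    per_source      = 2
}
"""

def parse_service(text):
    """Parse one 'service <name> { attr op values }' stanza into a dict of lists."""
    m = re.search(r"service\s+(\S+)\s*\{(.*)\}", text, re.S)
    if not m:
        raise ValueError("no service stanza found")
    attrs = {"_name": m.group(1)}
    for line in m.group(2).splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        lm = re.match(r"(\w+)\s*(\+=|-=|=)\s*(.*)", line)
        if not lm:
            raise ValueError("bad attribute line: %r" % line)
        key, op, values = lm.group(1), lm.group(2), lm.group(3).split()
        if op == "=":                                  # = replaces, += adds, -= removes
            attrs[key] = values
        elif op == "+=":
            attrs[key] = attrs.get(key, []) + values
        else:
            attrs[key] = [v for v in attrs.get(key, []) if v not in values]
    return attrs

def match_len(entry, ip):
    """Prefix length of the entry if it covers ip, else -1 (hostnames are skipped)."""
    try:
        net = ipaddress.ip_network(entry, strict=False)  # single IP, CIDR or net/mask
    except ValueError:
        return -1
    return net.prefixlen if ip in net else -1

def access_decision(attrs, client, active_total=0, active_from_client=0):
    """Return (allowed, reason) for a new connection from client (an IP string)."""
    ip = ipaddress.ip_address(client)
    allow = max((match_len(e, ip) for e in attrs.get("only_from", [])), default=-1)
    deny = max((match_len(e, ip) for e in attrs.get("no_access", [])), default=-1)
    if "only_from" in attrs and allow < 0:
        return False, "not in only_from"
    if deny >= 0 and deny >= allow:      # longer prefix wins; tie -> deny (assumption)
        return False, "matched no_access"
    for key, active in (("instances", active_total), ("per_source", active_from_client)):
        limit = attrs.get(key, ["UNLIMITED"])[0]
        if limit != "UNLIMITED" and active >= int(limit):
            return False, key + " limit reached"
    return True, "ok"
```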
Besides setting disable = no or enable = yes in the service's configuration file, you can also start a transient daemon with:
chkconfig <service name> on
What chkconfig actually does is modify the value of the disable (or enable) parameter in that service's configuration file.
This article is from the "Linux Learning path" blog, so be sure to keep this source http://xslwahaha.blog.51cto.com/4738972/1573869