This article describes how to use the xinetd mechanism (the extended Internet services daemon, the successor of the inetd "super server") on Linux to manage network application services, and how to add and remove network services in order to keep a Linux system secure.

At present the vast majority of servers, from WWW servers to popular game servers, use Linux as their platform. On the one hand, Linux provides a wide range of high-quality network services, including HTTP, FTP, SMTP and POP3. On the other hand, every additional service means additional risk: each service carries defects of its own that an attacker may exploit to compromise the system. A server that provides a specific service should therefore open only the ports that service needs and disable everything unrelated. A machine that acts as a WWW and FTP server, for example, needs ports 80 and 21 open (25 is SMTP, not FTP); every other service should be turned off to reduce the system's exposure.

Introduction to the xinetd mechanism

Earlier Linux versions shipped a network service manager called inetd, also known as the "super server". Instead of every small service running its own listening daemon, inetd listens on the configured ports itself and, when a connection arrives, starts the corresponding server process to handle it. Its configuration file, /etc/inetd.conf, tells inetd which ports to listen on and which program to launch for each. The first thing to do when deploying Linux in any network environment is to decide which services the machine is actually meant to provide. Unnecessary services should be disabled, because each one is an opportunity for an attacker: the more services, the larger the attack surface. Reviewing /etc/inetd.conf shows which services inetd provides and which are enabled, so that the unneeded ones can be dealt with.

Red Hat Linux 7.x replaces inetd with xinetd. Its default configuration file is /etc/xinetd.conf, whose syntax is completely different from, and not compatible with, /etc/inetd.conf. In effect it combines the roles of /etc/inetd.conf and of the /etc/hosts.allow and /etc/hosts.deny access-control files, since xinetd has its own per-service access-control attributes (only_from and no_access). By default the services managed by xinetd fall into the following groups: standard Internet services such as http, telnet and ftp; information services such as finger and netstat; e-mail services such as imap, pop3 and smtp; RPC services such as rquotad, rstatd, rusersd, sprayd and walld; BSD services such as comsat, exec, login, ntalk, shell and talk; internal services such as chargen, daytime and echo; security services such as irc; and other services such as name, tftp, uucp and wu-ftp.

A typical /etc/xinetd.conf looks like this:

    # vi xinetd.conf
    #
    # Simple configuration file for xinetd
    #
    # Some defaults, and include /etc/xinetd.d/

    defaults
    {
            instances               = 60
            log_type                = SYSLOG authpriv
            log_on_success          = HOST PID
            log_on_failure          = HOST
            cps                     = 25 30
    }

    includedir /etc/xinetd.d

The defaults block applies to every service unless the service overrides it: at most 60 simultaneous instances of any one service, logging through syslog's authpriv facility, and a connection rate limit (cps) of 25 connections per second, above which the service is switched off for 30 seconds. The last line shows that /etc/xinetd.d is the directory holding the per-service configuration files (telnet, wu-ftpd, finger and so on), so the system administrator needs to be familiar with its contents. Each file in /etc/xinetd.d generally has the following form:

    service <service-name>
    {
            disable         # whether the service is disabled (yes or no)
            flags           # e.g. REUSE, which sets SO_REUSEADDR on the listening socket
            socket_type     # socket type: stream, dgram, raw or seqpacket
            wait            # yes: single-threaded, xinetd waits for the server to exit before
                            # accepting the next connection; no: a new server per connection
            user            # the user (uid) the server process runs as
            server          # full path of the server program
            log_on_failure  # what to log when a connection is refused or fails
    }

The service keyword is required, and the attribute table must be enclosed in braces.
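How the defaults block and a service's own attribute lines combine is easiest to see by computing the effective value of an attribute. The shell script below is an added example, not part of the original article and not code from xinetd itself. It feeds a constructed defaults block and a constructed telnet entry (modelled on the Red Hat 7.x files, with two extra log_on_success lines added only to exercise the += and -= operators) through an awk resolver that applies "=", "+=" and "-=" in order, the way xinetd merges defaults with a service entry.

```shell
#!/bin/sh
# Added example (not from the original article or from xinetd): compute the
# effective value of one xinetd attribute for a service by applying the
# "defaults" block first and then the service's own "=", "+=" and "-=" lines.
# Both configuration fragments below are constructed for this demo.

XINETD_DEFAULTS='
defaults
{
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST
        cps             = 25 30
}
'

# Modelled on Red Hat 7.x /etc/xinetd.d/telnet; the two log_on_success lines
# are added here purely to exercise the += and -= operators.
XINETD_TELNET='
service telnet
{
        disable         = yes
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        log_on_success  += USERID
        log_on_success  -= PID
}
'

# xinetd_effective DEFAULTS_TEXT SERVICE_TEXT ATTRIBUTE
# Prints the space-separated effective value list of ATTRIBUTE (empty if unset).
xinetd_effective() {
    printf '%s\n%s\n' "$1" "$2" | awk -v want="$3" '
        BEGIN { split("", cur); split("", tmp); count = 0 }
        # Skip block headers, braces, comments and blank lines.
        /^[ \t]*defaults[ \t]*$/ || /^[ \t]*service[ \t]+/ { next }
        /^[ \t]*[{}][ \t]*$/ || /^[ \t]*#/ || /^[ \t]*$/   { next }
        {
            # Split "name  op  value ..." where op is =, += or -=.
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t]*(\+=|-=|=)[ \t]*/)) next
            name = substr(line, 1, RSTART - 1); gsub(/[ \t]+/, "", name)
            op   = substr(line, RSTART, RLENGTH); gsub(/[ \t]+/, "", op)
            val  = substr(line, RSTART + RLENGTH); gsub(/[ \t]+$/, "", val)
            if (name != want) next
            n = split(val, parts, /[ \t]+/)
            if (op == "=") {
                # Plain assignment replaces the inherited list entirely.
                split("", cur); count = 0
                for (i = 1; i <= n; i++) cur[++count] = parts[i]
            } else if (op == "+=") {
                # Add values not already present (these attributes are flag sets).
                for (i = 1; i <= n; i++) {
                    seen = 0
                    for (j = 1; j <= count; j++) if (cur[j] == parts[i]) seen = 1
                    if (!seen) cur[++count] = parts[i]
                }
            } else {
                # "-=": drop matching values, keeping the rest in order.
                for (i = 1; i <= n; i++) {
                    k = 0
                    for (j = 1; j <= count; j++) if (cur[j] != parts[i]) tmp[++k] = cur[j]
                    split("", cur); for (j = 1; j <= k; j++) cur[j] = tmp[j]
                    count = k; split("", tmp)
                }
            }
        }
        END {
            out = ""
            for (j = 1; j <= count; j++) out = out (j > 1 ? " " : "") cur[j]
            print out
        }'
}

# Usage: show the values telnet actually runs with after merging the defaults.
for attr in log_on_success log_on_failure instances cps; do
    printf '%-16s %s\n' "$attr" "$(xinetd_effective "$XINETD_DEFAULTS" "$XINETD_TELNET" "$attr")"
done
```

With these inputs log_on_failure resolves to HOST USERID (the HOST inherited from defaults plus the USERID the telnet entry adds) and log_on_success to HOST USERID (PID removed by the constructed -= line), while instances and cps come straight from the defaults block because the telnet entry never mentions them.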
Each entry defines one service, identified by service-name. The name is arbitrary but is usually a standard network service name; non-standard services can also be added as long as they are started by a network request, including requests from localhost itself. Every service has a number of attributes. The operators are "=", "+=" and "-=". Every attribute accepts "=", which assigns one or more values. Some attributes also accept "+=" and "-=", which add values to, or remove values from, the existing value list (normally the list inherited from the defaults block).

A new network service description can either be appended to /etc/xinetd.conf itself or placed in its own file in the directory named by the includedir line. On Red Hat 7.x and later the second approach is recommended: it scales better and is easier to manage, since adding a service means adding one file. The default service configuration directory on Red Hat 7.x is /etc/xinetd.d; listing it shows the services the system can provide:

    # cd /etc/xinetd.d
    # ls
    chargen      cvspserver  daytime-udp  echo-udp  ntalk  qmail-pop3  rexec   rsh    sgi_fam  telnet  time-udp
    chargen-udp  daytime     echo         finger    pop3   qmail-smtp  rlogin  rsync  talk     time    wu-ftpd

Many of these are disabled by default. The telnet file, for example:

    # cat telnet
    # default: off                          <- shipped disabled
    # description: The telnet server serves telnet sessions; it uses \
    #       unencrypted username/password pairs for authentication.
    service telnet
    {
            disable         = yes           <- "yes" disables the service
            flags           = REUSE
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/sbin/in.telnetd
            log_on_failure  += USERID
    }

Here log_on_failure += USERID adds the remote user id (obtained through the ident protocol) to the HOST value inherited from the defaults block, so failed telnet connections are logged with both.

Service enabling and disabling

There are generally two ways to enable or disable an xinetd service. 1. Edit the service's file in /etc/xinetd.d. For the telnet example above, to enable the service, change the disable attribute with vi as shown below and then run /etc/rc.d/init.d/xinetd restart so that xinetd reloads the configuration:

    service telnet
    {
            disable         = no            <- "no" enables the service
            flags           = REUSE
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/sbin/in.telnetd
            log_on_failure  += USERID
    }

Conversely, to disable a service that is not needed, change "disable = no" back to "disable = yes" and run /etc/rc.d/init.d/xinetd restart again to apply the new configuration. Two caveats apply. Telnet is used here only because its file is a convenient illustration of the mechanism: as its own description line says, it sends usernames and passwords unencrypted, so on a networked host ssh should be used instead and telnet left disabled. And disable = yes only stops xinetd from listening for that service; a daemon that is started from its own init script rather than by xinetd (httpd, sshd or a mail server, for instance) is unaffected and must be stopped and disabled separately.
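The edit-then-restart cycle above can be scripted so that only the disable attribute changes and the rest of the entry is left intact. The script below is an added example, not from the original article and not part of xinetd. It builds a constructed /etc/xinetd.d-style directory in a temporary location (a telnet entry modelled on the Red Hat 7.x file and a constructed finger entry), reports which entries are enabled, and flips one entry's disable attribute while keeping a .bak copy. It never touches a live daemon, so restarting xinetd afterwards is left to the administrator, as the article describes.

```shell
#!/bin/sh
# Added example (not from the original article or from xinetd): list enabled
# xinetd services in a directory and flip one service's "disable" attribute
# in place. The sample directory is constructed in a temp location so the
# script runs without touching /etc/xinetd.d; pass the real directory to the
# functions to use them on a host (as root), then restart xinetd.

XINETD_SAMPLE_DIR="$(mktemp -d)"

# Constructed sample entries modelled on Red Hat 7.x's /etc/xinetd.d files.
xinetd_make_samples() {
    dir="$1"
    cat > "$dir/telnet" <<'EOF'
# default: off
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable         = yes
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
EOF
    cat > "$dir/finger" <<'EOF'
# default: on
# description: The finger server answers finger requests (constructed sample).
service finger
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = nobody
        server          = /usr/sbin/in.fingerd
}
EOF
}

# xinetd_is_enabled FILE: true unless the file says "disable = yes".
# An entry with no disable line at all is enabled, which is xinetd's default.
xinetd_is_enabled() {
    ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# xinetd_enabled_services DIR: prints the enabled entries on one line, sorted.
# Names containing a dot or ending in "~" are skipped, as xinetd's includedir
# skips them (editor backups, *.rpmsave and the .bak files written below).
xinetd_enabled_services() {
    out=""
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        case "$name" in *.*|*~) continue ;; esac
        xinetd_is_enabled "$f" && out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# xinetd_set FILE yes|no: rewrite the disable attribute, keeping FILE.bak.
# Only the disable line is changed; if the entry has none, one is inserted
# before the closing brace. Every other line is copied through untouched.
xinetd_set() {
    file="$1" value="$2"
    case "$value" in yes|no) ;; *) echo "usage: xinetd_set FILE yes|no" >&2; return 2 ;; esac
    [ -f "$file" ] || { echo "no such service file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    awk -v v="$value" '
        /^[ \t]*disable[ \t]*=/ { sub(/=[ \t]*[A-Za-z]+/, "= " v); seen = 1 }
        /^[ \t]*}[ \t]*$/ && !seen { print "        disable         = " v; seen = 1 }
        { print }' "$file.bak" > "$file"
}

# Usage: audit, enable telnet, audit again. On a real host follow this with
# /etc/rc.d/init.d/xinetd restart so that xinetd re-reads the changed file.
xinetd_make_samples "$XINETD_SAMPLE_DIR"
echo "enabled before: $(xinetd_enabled_services "$XINETD_SAMPLE_DIR")"
xinetd_set "$XINETD_SAMPLE_DIR/telnet" no
echo "enabled after:  $(xinetd_enabled_services "$XINETD_SAMPLE_DIR")"
```

Run against the real directory, xinetd_enabled_services /etc/xinetd.d gives the same answer as reading every file by hand, which makes it a quick audit of what a host is exposing through xinetd; xinetd_set then changes one attribute without disturbing server paths, flags or logging, and the .bak copy is exactly the file as it was before the change.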