
Use xinetd to manage network application services

Li Yang, Institute of Computing, Chinese Academy of Sciences

This article describes how to use the xinetd (extended super server) mechanism in Linux to manage network application services, and how to add and remove network services so as to keep a Linux system secure.

At present, the vast majority of servers, from WWW servers to popular game servers, use Linux as their service platform. On the one hand, Linux provides users with a variety of high-quality network services, including HTTP, FTP, SMTP, POP3 and so on. On the other hand, a growing number of services means more risk: every service has some defects, which may be exploited by attackers to compromise the system. A server that provides specific services should therefore open only the ports essential to those services and disable everything unrelated. For example, on a machine acting as a WWW and FTP server, ports 80 and 25 should be opened and all other, unrelated services turned off, which reduces the system's exposure.

Introduction to the Xinetd Mechanism

In earlier versions of Linux, network services were managed by a program called inetd, also known as the "super server": a daemon that listens for network requests and, for each connection, starts the corresponding service process to handle it. Its configuration file, inetd.conf, tells inetd which network ports to listen on and which service to start for each port. The first thing to do when using Linux in any network environment is to understand what services the server is going to provide. Unnecessary services should be disabled; this takes away opportunities to attack the system, because the more services are running, the greater the risk of being attacked. Inspect /etc/inetd.conf to learn which services inetd provides and has enabled, and act on what you find.

In Red Hat Linux 7.x, xinetd (extended super server) extends and replaces inetd. Its default configuration file is /etc/xinetd.conf, whose syntax is completely different from, and incompatible with, /etc/inetd.conf. In effect it combines the functions of /etc/inetd.conf with those of /etc/hosts.allow and /etc/hosts.deny (per-host access control).

By default, the services xinetd manages fall into the following groups: standard Internet services such as http, telnet and ftp; information services such as finger and netstat; e-mail services such as imap, pop3 and smtp; RPC services such as rquotad, rstatd, rusersd, sprayd and walld; BSD services such as comsat, exec, login, ntalk, shell and talk; internal services such as chargen, daytime and echo; security services such as irc; and other services such as name, tftp, uucp and wu-ftp. The following is a typical /etc/xinetd.conf file:

    # vi xinetd.conf
    #
    # Simple configuration file for xinetd
    #
    # Some defaults, and include /etc/xinetd.d/

    defaults
    {
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST
        cps             = 25 30
    }

    includedir /etc/xinetd.d

The last line of the file shows that the /etc/xinetd.d directory is where the individual network services (including http and ftp) are configured, so the system administrator needs to be familiar with the files in it. In general, each service configuration file in /etc/xinetd.d has the following form:

    service service-name
    {
        disable         # whether the service is disabled (yes/no)
        flags           # e.g. REUSE, to allow the socket to be reused
        socket_type     # type of TCP/IP socket: stream, dgram, raw, etc.
        wait            # whether xinetd waits for the server to finish: yes = single-threaded, no = multi-threaded
        user            # the uid the service process runs as
        server          # full path of the server daemon
        log_on_failure  # what to log when a connection attempt fails
    }

The keyword service is required, and the attribute list must be enclosed in braces. Each such entry defines the service named by service-name. The service name is arbitrary, but it is usually a standard network service name; other, non-standard services can also be added as long as they can be activated by a network request, including requests sent by localhost itself. Each service has many attributes available. The operators are "=", "+=" and "-=". All attributes accept "=", which assigns one or more values. Some attributes also accept "+=" or "-=", which add values to, or remove values from, the existing list of values.

Note that the description of each network service a user wants to add can either be appended to the existing /etc/xinetd.conf or placed in a separate file in the directory named by includedir in /etc/xinetd.conf. For Red Hat 7.x and later, the latter approach is recommended because it scales well and is convenient to manage: to add a new network service, you only need to add a file describing it. The default service configuration directory in Red Hat 7.x is /etc/xinetd.d; in this directory, run the following commands to see the many services the system provides:

    # cd /etc/xinetd.d
    # ls
    chargen      cvspserver  daytime-udp  echo-udp  ntalk  qmail-pop3  rexec   rsh    sgi_fam  telnet  time-udp
    chargen-udp  daytime     echo         finger    pop3   qmail-smtp  rlogin  rsync  talk     time    wu-ftpd

However, many of these services are disabled by default. Look at the telnet file, for example:

    # cat telnet
    # default: off                    <- the service is disabled by default
    # description: The telnet server serves telnet sessions; it uses \
    #       unencrypted username/password pairs for authentication.
    service telnet
    {
        disable         = yes         # yes: the service is disabled by default
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
    }

Enabling and disabling services

Generally, a network service can be enabled or disabled in two ways.

1. Edit the service's file in the /etc/xinetd.d directory.

For the telnet example above, to enable the service you only need to rewrite the file with the vi editor as follows, then run /etc/rc.d/init.d/xinetd restart to activate the telnet service.

    service telnet
    {
        disable         = no          # no: the service is enabled
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
    }

Correspondingly, to disable a service that is not needed, change "disable = no" to "disable = yes" in its configuration file and run /etc/rc.d/init.d/xinetd restart again so that the new configuration takes effect.

To restart xinetd on SUSE Linux:

    # cd /etc/init.d/
    # ./xinetd restart
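Because a service is live unless its file says "disable = yes", the quickest hardening check is to parse the whole /etc/xinetd.d directory and list what xinetd will actually listen for. The following POSIX sh script is an added example written for this article (not part of xinetd or the author's text); the two sample service files and the qmail server path in them are constructed so that it runs anywhere.

```shell
# Added example for this article (not part of xinetd): report what an /etc/xinetd.d
# directory will really expose. A service is live unless its file says "disable = yes",
# so the audit prints "name state user server" per file; a helper keeps only the live ones.
xinetd_audit() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk '
            { sub(/#.*/, ""); gsub(/[+-]?=/, " & ") }   # drop comments, space out = += -=
            $1 == "service" { name = $2 }
            $1 == "disable" { st = tolower($3) }
            $1 == "user"    { usr = $3 }
            $1 == "server"  { srv = $3 }
            END {
                if (name == "") exit                    # not a service file (e.g. a README)
                state = (st == "yes") ? "disabled" : "enabled"
                printf "%s %s %s %s\n", name, state, usr, srv
            }' "$f"
    done
}

# Only the names of live services: the list a hardening review has to justify one by one.
xinetd_enabled() {
    xinetd_audit "$1" | awk '$2 == "enabled" { print $1 }'
}

# Constructed sample directory standing in for /etc/xinetd.d so the script runs anywhere.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/telnet" <<'EOF'
service telnet
{
    disable         = yes
    socket_type     = stream
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
EOF
cat > "$DEMO_DIR/qmail-pop3" <<'EOF'
# the server path below is constructed for this example
service pop3
{
    disable     = no
    socket_type = stream
    user        = root
    server      = /var/qmail/bin/tcp-env
}
EOF
xinetd_audit "$DEMO_DIR"
```

Point xinetd_audit at the real /etc/xinetd.d to get the same report for a live system; every line marked "enabled" is a port the server is exposing.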
