Article title: RedHat TCP Wrapper and xinetd implementation (1)
Section 1: Overview
RedHat 7.2 has two main mechanisms for controlling access to system services: the firewall mechanism implemented by ipchains or iptables, and the TCP Wrapper mechanism implemented through xinetd. This document describes the specific implementation of the latter.
1. About TCP Wrapper
TCP Wrapper is used with many network services such as Telnet, SSH, FTP, POP, and SMTP. It is designed as an intermediate layer between an external service request and the system service that answers it. The basic process is as follows: when the system receives an external service request, TCP Wrapper handles it first and decides, based on the requested service and the access control rules defined for that service, whether the requester is permitted to use it. If so, TCP Wrapper passes the request on to the corresponding daemon, records the request as specified in the configuration file, and then waits for the next request.
The main point of the TCP Wrapper mechanism is that a client's request can only talk directly to one independent daemon (xinetd); the target service the client actually requested is wrapped behind TCP Wrapper. This improves both the security of the system and the convenience of administering it.
On the one hand, TCP Wrapper improves system security, in two respects: control before access is granted, and processing after access is granted. Before granting access, it uses the rules defined in /etc/hosts.allow and /etc/hosts.deny to decide whether the requester is permitted. After access is granted, attributes such as bind and redirect may cause the request to be handled by another host or another service, without the requester being aware of the path it has taken.
On the other hand, TCP Wrapper makes system administration easier: all attributes common to the system services can be pulled out into /etc/xinetd.conf, while the specific configuration of each service goes into a file in the /etc/xinetd.d directory, and every configuration file follows the same syntax and rules.
The TCP Wrapper function comes from libwrap.a, a network service library. Many system services, such as xinetd, sshd, and portmap, link against it at compile time, and you can add this compile option to other network service programs, or even your own, to give them TCP Wrapper support.
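A hosts.allow/hosts.deny pair that implements the pre-access control described above in the default-deny style, as an added example that is not part of the original article; the networks, domain suffix and log path are constructed for illustration.

```conf
# /etc/hosts.deny -- consulted only if nothing in hosts.allow matched.
# Refuse everything else and log the attempt (%d = daemon name, %c = client).
ALL : ALL : spawn (/bin/echo "`date` refused %d from %c" >> /var/log/tcpwrap.log) &

# /etc/hosts.allow -- checked first; the first matching line wins.
# Syntax: daemon_list : client_list [ EXCEPT client_list ]
# sshd links libwrap directly, so its daemon name is simply "sshd".
sshd : 192.168.10.0/255.255.255.0
# Services started by xinetd are matched on the basename of the server program
# (xinetd's "libwrap" attribute can override this name).
in.telnetd : 192.168.10. EXCEPT 192.168.10.77
# Trailing-dot prefixes match address blocks; a leading dot matches a
# domain suffix (this relies on a trustworthy reverse DNS lookup).
in.ftpd : .corp.example
# portmap also links libwrap: keep RPC lookups local.
portmap : 127.0.0.1

# Check a rule set without connecting, e.g.:
#   tcpdmatch in.telnetd 192.168.10.77     -> access: denied
#   tcpdmatch sshd 192.168.10.5            -> access: granted
```

If neither file matches a request it is allowed, which is why the catch-all line in hosts.deny matters; with xinetd built --with-libwrap, a connection must pass these rules and the service's own only_from/no_access checks.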
2. About xinetd
The TCP Wrapper mechanism only takes full effect, however, when libwrap.a is used together with the xinetd service. Xinetd is the super daemon of RedHat 7.x. It provides access control, request logging, address binding, redirection, and resource usage control.
In RedHat Linux 7.x, many system services, such as FTP, IMAP, POP, and telnet, run under xinetd. When a request arrives on the port of any service listed in /etc/services, xinetd handles it: it first checks whether the requester satisfies the access control rules in the configuration file, whether the current access exceeds the configured number of simultaneous connections, and any other rules the configuration specifies. Once the checks pass, xinetd hands the request to the corresponding service for processing and goes back to sleep, waiting for the next request.
RedHat 7.x places more emphasis on system security. Its most visible change is that xinetd.conf replaces the original inetd.conf.
In addition, the ftp and telnet services are not installed by default in 7.x, while the safer ssh is; 7.x also adds a firewall and other services to strengthen system security. Xinetd (eXtended InterNET services daemon) provides functions similar to inetd + tcp_wrapper, but is more powerful and more secure. It provides the following features:
1. Powerful access control:
Built-in settings for treating hostile and legitimate users differently;
libwrap is supported, which is more efficient than tcpd;
Connections can be limited globally, per host, and per service;
A service can be restricted to specific hours of the day;
A service can be bound to a specific host address.
2. Effective protection against DoS attacks:
The number of connections can be limited;
The maximum number of connections from a single host can be limited, so that one host cannot monopolise a service;
The size of log files can be limited, so that the disk cannot be filled up.
3. Powerful logging:
A log level can be set for each service;
If syslog is not used, a separate log file can be created for each service;
The start and end time of each request can be recorded, to determine how long the other party was connected;
Illegal access requests can be recorded.
4. Redirection:
Client requests can be forwarded to another host for processing.
5. IPv6 support:
Xinetd versions from 2.1.8.8pre* onwards support IPv6.
6. Interaction with the client:
Whether or not the client request succeeds, xinetd reports the connection status to the client.
At present, the biggest drawback of this architecture is unstable RPC support. This can be worked around by running portmap alongside xinetd.
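The access control, DoS limit, logging, redirection and binding features listed above expressed as xinetd configuration, as an added example that is not part of the original article; the comment numbers refer to the feature list, and the addresses, paths and limits are constructed for illustration.

```conf
# /etc/xinetd.conf -- attributes shared by every service (values constructed)
defaults
{
        # 3. logging: one syslog facility for all services; "+=" in a service appends
        log_type        = SYSLOG authpriv info
        log_on_success  = HOST PID DURATION
        log_on_failure  = HOST
        # 2. DoS limits: total servers, servers per client address, and a
        #    connection-rate cap (over 25 new conn/s the service pauses for 30 s)
        instances       = 60
        per_source      = 10
        cps             = 25 30
}
includedir /etc/xinetd.d

# /etc/xinetd.d/telnet -- one file per service, same syntax
service telnet
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        # 1. access control: allow-list, explicit exclusion, office hours only
        only_from       = 192.168.10.0/24
        no_access       = 192.168.10.77
        access_times    = 08:00-18:00
        # tighter per-service limits override the defaults block
        instances       = 5
        per_source      = 2
        # record the remote ident and failed attempts in addition to HOST/PID
        log_on_success  += USERID
        log_on_failure  += USERID ATTEMPT
        # listen only on the internal interface address
        bind            = 192.168.10.1
}

# /etc/xinetd.d/pop3 -- 4. redirection: no local server, stream forwarded elsewhere
service pop3
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = nobody
        only_from       = 192.168.10.0/24
        redirect        = 10.0.0.20 110
}
```

Changes take effect after xinetd re-reads its configuration; the redirected pop3 stream is forwarded unchanged, so the mailstore at 10.0.0.20 sees xinetd's address, not the client's, and its own access rules must account for that.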
When should xinetd be used?
In principle, any system service can run under xinetd. In my opinion, however, the best candidates are commonly used internet services whose request volume and frequency are not too high. Services such as DNS and Apache are therefore a poor fit, while ftp, telnet, and SSH are a natural one. Whether pop, imap, and the other mail services are suitable for this approach is hard for me to say: the system runs them under xinetd by default, and many people do the same, but I have not tested this myself.
By default, the services run under xinetd fall into the following categories:
1. Standard internet services: telnet ftp
2. Information services: finger netstat done
3. Email services: imap imaps pop2 pop3 pops
4. RPC services: rquotad rstatd rusersd sprayd walld
5. BSD services: comsat exec login ntalk shell talk
6. Internal services: chargen daytime echo servers services time
7. Security services: irc
8. Other services: name tftp uucp
Section 2: Acquisition, compilation, and installation
Xinetd is installed by default on RedHat 7.2, so you normally do not need to install it yourself. If you are on an older version of RedHat, however, you may need the following installation steps.
1. Software acquisition
The latest version of xinetd is 2.3.5, released on May 28, 2002. Its source package can be obtained from: http://www.xinetd.org/xinetd-2.3.5.tar.gz
2. Compile and install
Assuming you downloaded the software to the /home/src directory, the installation steps are as follows:
cd /home/src
tar xvzf xinetd*
cd xinetd*
./configure --prefix=/etc --with-libwrap --with-loadavg --with-inet6
make
make install
cp xinetd/sample.conf /etc/xinetd.conf
If you are installing on an older version of RedHat, you can use the following command; this perl script converts an existing inetd.conf into xinetd.conf format:
xinetd/xconv.pl < /etc/inetd.conf > /tmp/xinetd.conf
The compile options used above are:
--prefix specifies the installation directory
--with-libwrap links the libwrap.a library so that the TCP Wrapper function is available
--with-loadavg enables limiting the number of connections by system load, to mitigate DoS attacks
--with-inet6 enables IPv6 support
Note:
If you are using RedHat 7.x, we recommend that you do not build and install xinetd yourself. Unlike other services, installing your own copy may cause unexpected trouble.