Implementation of RedHat-Wrapper and xinetd (2)

Source: Internet
Author: User
Editor's note: Wrapper and xinetd are two methods of restricting access to a Linux system. Previous articles introduced the basic principles and the installation and compilation steps; if you have not seen them, please refer to them first. Today we look at configuration. Subsequent articles will discuss some examples in detail to aid understanding.
  
Reminder: to keep the attribute table complete, the second page is relatively long and may take more time to download. Please bear with it.
  
1. Configuration method
The related configuration files are as follows:
  
/etc/xinetd.conf
  
/etc/xinetd.d/*   // all files in this directory
  
/etc/hosts.allow
  
/etc/hosts.deny
  
  
  
The default configuration file of xinetd is /etc/xinetd.conf. Its syntax is completely different from that of /etc/inetd.conf and is not compatible with it; it is essentially a combination of /etc/inetd.conf with /etc/hosts.allow and /etc/hosts.deny. Each entry in /etc/xinetd.conf takes the following form:
  
  
  
service service-name
{
    attribute operator value
    ......
}
  
  
  
service is a required keyword, and the attribute table must be enclosed in braces. Each entry defines the service named by service-name.
  
The service-name is arbitrary, but it is usually a standard network service name. You can also add other non-standard services, as long as they can be activated through a network request, including requests sent by localhost itself.
  
Each service has many attributes that can be used; they are described in detail in the table below. Later we will describe which attributes are required and the rules for using them.
  
The operator can be =, += or -=. All attributes can use = to assign one or more values. Some attributes can also use the += or -= form, which adds the given values to the existing value list or removes them from it.
  
value is the value (or values) set for the given attribute.
  
  
  
Note that each service can either be appended to /etc/xinetd.conf or placed in a separate file in the directory named in /etc/xinetd.conf. RedHat 7.x recommends the latter approach because it scales well and is easy to manage. The default service configuration directory of RedHat 7.x is /etc/xinetd.d.
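To show the stanza syntax and the three operators in practice, here is an added Python example (not part of the original article and not xinetd's own code) that parses a small constructed configuration written in the format above and reports which services it leaves enabled. The configuration text, service names and paths inside it are made up for the example; = replaces an attribute's value list, += appends to the list inherited from the defaults stanza, and -= removes from it.

```python
"""Minimal parser for the xinetd.conf stanza syntax (added example, not xinetd code)."""
import re
from typing import Dict, List

# Constructed sample in /etc/xinetd.conf syntax; names and paths are invented.
SAMPLE_CONF = """
defaults
{
    instances   = 60
    log_type    = SYSLOG authpriv
    only_from   = 10.35.1.0
    only_from  += 192.168.0.0/24
}

service telnet
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    only_from  -= 192.168.0.0/24    # drop one inherited network
    disable     = yes
}

service ssh-forward      # hypothetical UNLISTED service
{
    type        = UNLISTED
    port        = 2222
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/local/bin/forward
    flags       = REUSE NOLIBWRAP
}
"""

# attribute, operator (=, +=, -=) and the remaining value text
LINE_RE = re.compile(r"^([A-Za-z_]+)\s*(\+=|-=|=)\s*(.*?)$")


def parse_xinetd(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {stanza_name: {attribute: [values]}}.

    Service stanzas start from a copy of the `defaults` stanza, so that
    += and -= operate on the inherited value list as the article describes.
    """
    stanzas: Dict[str, Dict[str, List[str]]] = {}
    name, attrs, in_body = None, None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        if not in_body:
            if line == "{":
                if name is None:
                    raise ValueError(f"line {lineno}: '{{' without a stanza name")
                in_body = True
                continue
            words = line.rstrip("{").split()
            if words == ["defaults"]:
                name = "defaults"
            elif len(words) == 2 and words[0] == "service":
                name = words[1]
            else:
                raise ValueError(f"line {lineno}: expected 'service <name>' or 'defaults'")
            base = {} if name == "defaults" else stanzas.get("defaults", {})
            attrs = {k: list(v) for k, v in base.items()}
            in_body = line.endswith("{")          # brace may share the header line
            continue
        if line == "}":
            stanzas[name] = attrs
            name, attrs, in_body = None, None, False
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
        values = value.split()
        if op == "=":
            attrs[attr] = values
        elif op == "+=":
            existing = attrs.setdefault(attr, [])
            existing.extend(v for v in values if v not in existing)
        else:  # "-="
            attrs[attr] = [v for v in attrs.get(attr, []) if v not in values]
    if in_body:
        raise ValueError("unterminated stanza")
    return stanzas


def enabled_services(stanzas: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Names of services not switched off by disable = yes or the DISABLE flag."""
    out = []
    for name, attrs in stanzas.items():
        if name == "defaults":
            continue
        off = attrs.get("disable", ["no"])[0].lower() == "yes" or "DISABLE" in attrs.get("flags", [])
        if not off:
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    parsed = parse_xinetd(SAMPLE_CONF)
    for svc in enabled_services(parsed):
        print(svc, "only_from =", " ".join(parsed[svc].get("only_from", [])))
```

Running the script lists only ssh-forward as enabled, with the two networks inherited from defaults; telnet is disabled and, had it been enabled, would have kept only 10.35.1.0 after its -= line. This is the kind of check worth running before trusting a host's xinetd configuration.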
2. Attribute list
There are 45 xinetd attributes in total. The following table is a translation of the xinetd.conf manual page; run man xinetd.conf to obtain the original English text. The attribute list is as follows:
  
Note: this document was edited with Word, and all attribute names and attribute values are lowercase; any uppercase initial letter in them is the result of the editor's automatic capitalisation and should be read as lowercase. This rule applies only to attribute names, attribute parameters and the like.
  
  
  
List of extended Internet service (xinetd) attributes
  
Attribute: description
  
id
Uniquely identifies a service. Some services differ only in the protocol they use, so this attribute is needed to tell them apart. By default the id is the same as the service name. For example, echo supports both dgram and stream services; setting id = echo_dgram and id = echo_streams identifies the two uniquely.
  
type
Can be one or more of the following values:
  
RPC: an RPC-type service
  
INTERNAL: a service provided by xinetd itself, such as echo
  
UNLISTED: a service not listed in standard system files such as /etc/rpc or /etc/services
  
flags
Can be any combination of one or more of the following options:
  
REUSE: sets the TCP/IP socket to be reusable, that is, sets the SO_REUSEADDR flag on the service socket, so that xinetd can be restarted after an interruption.
  
INTERCEPT: intercepts datagrams and performs an access check to determine whether they come from a location permitted to connect. Not available for INTERNAL services or multithreaded services.
  
NORETRY: if fork fails, do not retry.
  
IDONLY: accept a connection only when the remote end identifies the remote user, that is, the remote system must run an ident server. This flag only applies to connection-oriented services. It has no effect unless the USERID record option is used: set the USERID value in the log_on_success or log_on_failure attribute to make it take effect. Applies only to multithreaded stream services.
  
NAMEINARGS: allows the first argument in the server_args attribute to be the full path of the process to run; in that case the server attribute is specified in inetd style. (Note: in my understanding, this flag means the service uses tcpd instead of tcp wrapper. See the NOLIBWRAP flag.)
  
NODELAY: if the service is a tcp service and the NODELAY flag is set, TCP_NODELAY is set on the socket. The flag has no effect for non-tcp services.
  
DISABLE: a service carrying the DISABLE flag is disabled. This flag overrides the enabled attribute: if you specify "enabled = foo" and foo carries the DISABLE flag, foo remains disabled. Services with this flag are not notified.
  
KEEPALIVE: if a TCP service carries the KEEPALIVE flag, SO_KEEPALIVE is set on the service socket. Does not apply to non-TCP services.
  
NOLIBWRAP: disables use of the tcpwrap (libwrap) library for access control on this service. A service that, like xinetd, runs for a long time (it keeps running from system start) should not call the libwrap library on every request; such services need this flag so that they are called directly, without libwrap controlling access (see the NAMEINARGS flag).
  
SENSOR: replaces the service with a sensor. Several points need attention when using this flag. First, confirm that the service is unnecessary or that you do not want to provide it. Second, a sensor cannot detect stealth scans. Third, it detects requests to the service's port and adds the requesting IP address to the no_access list, which acts on all ports globally; this means the requesting address is denied until the time given by deny_time expires. Fourth, it also makes xinetd treat the service's server attribute as INTERNAL. Fifth, if the socket_type of a service with this flag is stream, wait must be set to no.
  
disable
Can be set to yes or no. If set to yes, the service is disabled. For details see the DISABLE flag of the flags attribute.
  
socket_type
The TCP/IP socket type used. Possible values are stream (TCP), dgram (UDP), raw and seqpacket (reliable, ordered datagrams).
  
protocol
Specifies the protocol used by the service. The value must be defined in /etc/protocols. If this attribute is not specified, the default protocol of the service is used.
  
wait
Has two possible values. If yes, xinetd starts the process that handles the request and stops processing further requests for the service until that process terminates; this is a single-threaded service. If no, xinetd starts a new process for each request regardless of the state of previously started processes, which suits multithreaded services.
  
user
Sets the UID of the service process. This attribute has no effect if the effective UID of xinetd is not 0.
  
group
Sets the GID of the service process. This attribute has no effect if the effective UID of xinetd is not 0.
  
instances
Accepts an integer greater than or equal to 1, or UNLIMITED. Sets the maximum number of service processes that can run simultaneously. UNLIMITED means xinetd places no limit on this number.
  
nice
The nice value of the service process, which determines the service's priority. The value is a positive or negative number.
  
server
The full path of the program to be started for the service must be given.
  
server_args
Specifies the arguments passed to the program, not including the program name itself.
  
only_from
Space-separated list of clients allowed to access the service. If this attribute is given without a value, nobody is allowed to access the service. This attribute supports all operators. Access control list entries take the following forms:
  
a) An IP address in the form %d.%d.%d.%d. A rightmost 0 is treated as a wildcard: 10.35.1.0 matches any address in 10.35.1, and 0.0.0.0 matches every IP address.
  
b) A factorised address of the form %d.%d.%d.{%d,%d,...}. Not all four components need to be given; %d.%d.{%d,%d,...} is also acceptable. However, the factorised part must come last: a form such as %d.{%d,%d,...}.%d.%d is not allowed.
  
c) A network name, as listed in /etc/networks.
  
d) A host name or domain name. When a connection reaches xinetd, it reverse-resolves the client's IP address and compares the result with the given host name. A domain name can be used in the same way.
  
e) network/subnet, in the form IP address/netmask, for example 1.2.3.4/32.
  
no_access
Space-separated list of clients denied access to the service. This attribute supports all operators. For the syntax of the access control list, see only_from.
  
only_from and no_access together determine whether a remote connection may access a service. If neither attribute is set, anyone can request the service. If both are set, the most specific matching entry takes precedence. For example, if only_from allows 10.35.1.0 and no_access denies 10.35.1.10, every address in 10.35.1 except 10.35.1.10 can access the service.
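The precedence rule above is easy to get wrong when reviewing a configuration, so here is an added Python example (not xinetd's own code) that implements the numeric list forms a), b) and e) and the "closest match wins" decision for only_from and no_access, and reproduces the 10.35.1.0 / 10.35.1.10 case from the text. The name-based forms c) and d) need DNS and are omitted; treating an equally specific deny entry as winning over an allow entry, and treating an only_from given without values as denying everyone, are assumptions of this example.

```python
"""Matcher for xinetd only_from / no_access entries (added example, not xinetd code)."""
import ipaddress
from typing import List, Optional


def expand_factorised(rule: str) -> List[str]:
    """Form b): '10.35.{1,2}' -> ['10.35.1', '10.35.2']; other rules pass through."""
    if "{" not in rule:
        return [rule]
    head, _, tail = rule.partition("{")
    # the factorised part must be the last component, as the article states
    if not tail.endswith("}") or not head.endswith("."):
        raise ValueError(f"malformed factorised address: {rule}")
    options = [o.strip() for o in tail[:-1].split(",")]
    return [f"{head[:-1]}.{o}" for o in options]


def match_specificity(addr: str, rule: str) -> Optional[int]:
    """Number of leading address bits the rule fixes if it matches addr, else None.

    Form e) uses the prefix length; forms a) and b) count the octets before
    the trailing zeros (a rightmost 0 is a wildcard), so 0.0.0.0 fixes 0 bits
    and matches everything, while a full address fixes all 32 bits.
    """
    a = ipaddress.IPv4Address(addr)
    if "/" in rule:
        net = ipaddress.IPv4Network(rule, strict=False)
        return net.prefixlen if a in net else None
    best: Optional[int] = None
    for pattern in expand_factorised(rule):
        octets = [int(x) for x in pattern.split(".")]
        octets += [0] * (4 - len(octets))       # missing components act as wildcards
        k = 4
        while k > 0 and octets[k - 1] == 0:
            k -= 1
        if a.packed[:k] == bytes(octets[:k]):
            best = max(best, 8 * k) if best is not None else 8 * k
    return best


def best_match(addr: str, rules: List[str]) -> Optional[int]:
    scores = [s for s in (match_specificity(addr, r) for r in rules) if s is not None]
    return max(scores) if scores else None


def decide(addr: str, only_from: Optional[List[str]], no_access: Optional[List[str]]) -> bool:
    """True if addr may use the service.

    only_from=None means the attribute is absent; [] means it was given with
    no values (assumed here to deny everyone). Ties go to the deny list
    (assumption of this example).
    """
    no_access = no_access or []
    if only_from is None and not no_access:
        return True                             # neither attribute restricts access
    allow = best_match(addr, only_from or [])
    deny = best_match(addr, no_access)
    if allow is None and deny is None:
        return only_from is None                # an unmatched only_from list denies
    if deny is None:
        return True
    if allow is None:
        return False
    return allow > deny


if __name__ == "__main__":
    # The article's example: allow 10.35.1.0, deny 10.35.1.10
    for client in ("10.35.1.5", "10.35.1.10", "10.36.1.5"):
        print(client, "allowed" if decide(client, ["10.35.1.0"], ["10.35.1.10"]) else "denied")
```

The same function can be pointed at the value lists produced by any parser of the configuration, which makes it straightforward to confirm that a deny entry really is more specific than the allow entry it is meant to override.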
  
access_time
Sets the period during which the service is available. The format is hh:mm-hh:mm; for example, 08:00-18:00 means the service is available from 8 A.M. to 6 P.M.
  
log_type
Specifies how the service's logs are recorded. It can be:
  
SYSLOG facility [level]: the facility is one of daemon, auth, user or local0 to local7. The level is optional; available values are emerg, alert, crit, err, warning, notice, info and debug, and the default is info.
  
FILE file [soft [hard]]: log to the named file instead of syslog. The optional soft and hard limits are given in KB. Once the soft limit is reached, xinetd logs a message; once the hard limit is reached, xinetd stops logging for all services that use this file. If the hard limit is not given, it defaults to the soft limit plus 1%, but does not exceed 20 MB.