Linux Daemon Init.d and XINETD.D

Source: Internet
Author: User
Tags: syslog, domain name server, rsync

A Linux server starts a number of system services that give local and network users a functional interface to the system, aimed directly at applications and users. The programs that provide these services are daemons running in the background. A daemon is a long-lived process: it is detached from any controlling terminal and either performs certain tasks periodically or waits to handle certain events. Daemons usually start when the system boots and terminate when it shuts down. Linux systems have many daemons, and most servers are implemented as daemons. Daemons also carry out many system tasks, for example the job scheduler crond and the print spooler lpd. Some books and materials also call a daemon a "service".

In this text "daemon" is used to mean both the daemon process and the service it provides.

II. Classification of Linux daemons

Depending on how a daemon is started and managed, daemons fall into two types: independently started (stand-alone) daemons and super daemons.

Stand-alone (stand_alone): a process of this class stays resident in memory from the moment it starts, so it always consumes system resources. Its biggest advantage is that, because it is always running, it responds faster to requests from outside; httpd is an example.
Super daemon: the system starts one daemon, xinetd, to manage a group of services; when a request for one of them arrives, xinetd wakes up the corresponding managed process. The advantage is that initially only xinetd itself occupies system resources, while the services it manages occupy nothing until a packet arrives and xinetd wakes them. xinetd can also apply access restrictions to the services it manages, which adds a layer of management on top.

If a metaphor is needed for the two classes of daemons, a bank's service windows are the usual analogy:
Stand-alone daemon: the bank has single-purpose windows, for withdrawals, deposits and so on, each always staffed by one person; anyone who wants to withdraw or deposit goes straight to the corresponding window. The person who is always present at such a single-purpose window is the stand-alone daemon.

Super daemon: the bank also has a window that provides comprehensive services such as remittances, transfers and withdrawals. This window too is always staffed by one person (xinetd), who does not perform the specific services herself; the people who do are inside, chatting and drinking tea. When someone comes to send a remittance she calls out, "Xiao Wang, someone wants to send money", and Xiao Wang, who handles remittances, immediately comes over to complete the transaction while the others go on chatting and drinking tea. Those responsible for the specific business are the daemons managed by the super daemon. Of course, the teller may have rules, for example that money cannot be sent to Beijing; xinetd is told this in advance, so if someone asks to send money to Beijing the teller says directly that this cannot be done here and does not call the remittance clerk at all. That is the extra layer of management. For this window there is also a difference between multithreaded and single-threaded operation. Multithreaded: every customer's request is handed inside, nobody inside is idle, and everyone works at the same time;
Single-threaded: the customers line up and are served one by one; only one person inside is working at any moment.

Note that the super daemon's manager, xinetd, is itself a daemon; its task is only to relay requests, which is in fact a very specific and very difficult job.

Of course, every daemon listens on a port (the bank window). Some common daemons listen on fixed ports, for example httpd on port 80 and sshd on port 22; think of each as having its own responsibility, waiting and ready to respond. The port assignments can be viewed with cat /etc/services.

III. Linux daemon management tools

Linux offers three daemon management tools, redhat-config-services, ntsysv and chkconfig, which can be used flexibly depending on the need.

# service iptables status        # shows the status of the given service; the service must exist in the /etc/init.d/ directory
# netstat -tulp                  # lists the running services and the ports they listen on; add the -n option to show the port numbers numerically
# chkconfig --list | grep <service name>    # lists the current state of the service, including whether it starts at each runlevel. The output has two parts: the upper part is the stand-alone services (xinetd itself appears there), the lower part is the super-daemon services managed by xinetd, which have no runlevel division.

IV. How Linux daemons work

1. Stand-alone daemons

Stand-alone daemons are managed by init scripts, and the scripts for all independently running daemons are in the /etc/rc.d/init.d/ directory. System services such as syslogd and cron are stand-alone daemons. A stand-alone daemon works in stand-alone mode, the traditional UNIX access pattern for the client/server model. Stand-alone mode is shown in Figure 4-4.

Network services that work in stand-alone mode include xinetd, route and gated, as well as the web server Apache, the mail server sendmail and the domain name server bind. On Linux systems, services started in stand-alone mode are started through symbolic links in the corresponding runlevel directory under /etc/rc.d/.

2. Running daemons in xinetd mode

From the daemon concept it follows that, for every service the system provides, a daemon must be running and listening on a port for connections, which usually wastes resources. To solve this problem, Linux introduced the concept of a "network daemon service program". The network daemon used by Red Hat Linux 9.0 is xinetd (eXtended Internet daemon). xinetd can listen on several specified ports at the same time; when it accepts a user request, it starts the appropriate network service process to handle that request according to the port the user asked for. Think of xinetd as a management server that manages service start-up: it decides which program a client request should be handed to, then starts the corresponding daemon. The services xinetd manages do not run and listen on their ports themselves; when a request arrives for a service it manages, xinetd starts the appropriate server for that service. xinetd mode is shown in Figure 4-5.

3. Comparison of xinetd and stand-alone modes. In xinetd mode the system does not need every network service process to listen on its own port; a single running xinetd listens on all the service ports at once, reducing system overhead and conserving system resources. However, when access volume is large and concurrent access is frequent, xinetd must repeatedly start the corresponding network service process, which degrades system performance. To see which mode a given Linux service runs in, use the pstree command on the command line, where the network services started in the two modes can be told apart. In general, the high-load services on a system, such as sendmail and Apache, are started stand-alone, while other services can be managed by the xinetd super server.
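As an added illustration of the xinetd mode just described (this is example code, not code from the page or from xinetd itself), the following Python sketch listens on the managed ports itself, starts a service handler only when a connection arrives, and refuses connections beyond an instances limit; the echo handler, the MiniSuperServer class and the loopback ports are constructed for this example.

```python
import socket
import threading

# Constructed stand-in for the internal echo service the page lists: the handler
# receives the accepted connection, as xinetd hands a managed server its socket.
def echo_service(conn):
    conn.sendall(conn.recv(1024))

class MiniSuperServer:
    """xinetd mode in miniature: one listener per managed port; a service handler
    is started only when a request arrives (wait = no, one thread per connection),
    and 'instances' caps the number of handlers running at the same time."""
    def __init__(self, services, instances=10):
        self.services, self.instances = services, instances   # {name: handler}
        self.active, self.rejected = 0, 0
        self.lock = threading.Lock()
        self.sockets, self.ports = {}, {}
        for name in services:
            s = socket.socket()
            s.bind(("127.0.0.1", 0))        # port 0: the OS picks a free loopback port
            s.listen(16)
            self.sockets[name] = s
            self.ports[name] = s.getsockname()[1]

    def _dispatch(self, name, conn):
        try:
            self.services[name](conn)       # run the managed service on this connection
        finally:
            conn.close()
            with self.lock:
                self.active -= 1

    def _listen(self, name):
        while True:
            try:
                conn, _ = self.sockets[name].accept()
            except OSError:
                return                      # listener socket closed by stop()
            with self.lock:
                if self.active >= self.instances:
                    self.rejected += 1      # over the instances limit: refuse the request
                    conn.close()
                    continue
                self.active += 1
            threading.Thread(target=self._dispatch, args=(name, conn), daemon=True).start()

    def start(self):
        for name in self.services:
            threading.Thread(target=self._listen, args=(name,), daemon=True).start()

    def stop(self):
        for s in self.sockets.values():
            s.close()

def query(port, payload=b""):
    """Client helper: connect to a managed port, send payload, return the reply (b"" if refused)."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        if payload:
            c.sendall(payload)
        return c.recv(1024)
```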

V. xinetd

1. What is xinetd

xinetd stands for extended Internet daemon. It is a new-generation network daemon service program, also known as the super Internet server, and is often used to manage a variety of lightweight Internet services. xinetd provides functionality similar to inetd plus tcp_wrappers, but is more powerful and more secure.

2. Features of xinetd

1) Powerful access control
- Built-in settings for treating malicious and well-behaved users differently.
- With libwrap support it is more effective than tcpd.
- It can limit the overall number of connections, the number of connections per host, and the number of connections per service.
- Specific connection times can be set.
- A service can be bound to a specific host address.

2) Effective prevention of DoS attacks
- It can limit the overall number of connections.
- It can limit the maximum number of connections from one host, so that a single host cannot monopolize a service.
- It can limit the size of log files to prevent disk space from being filled.

3) Powerful logging
- A syslog log level can be set for each service.
- If syslog is not used, a separate log file can be created for each service.
- The start and end times of a request can be recorded, so the access time of each peer can be determined.
- Requests for access that is not permitted can be logged.

4) Redirection
A client's request can be forwarded to another host for processing.

5) IPv6 support
xinetd has supported IPv6 since xinetd 2.1.8.8pre*; it is enabled with the ./configure --with-inet6 option of the build script. Note that the kernel and the network must support IPv6 for this to take effect. IPv4 is of course still supported.

6) Interaction with the client
Whether or not the client's request succeeds, xinetd can be made to inform the client of the connection status.

3. Disadvantages of xinetd
At present its biggest disadvantage is unstable RPC support, but portmap can be started so that it coexists with xinetd, which solves the problem.

4. Starting daemons with xinetd
In principle any system service can use xinetd, but the most suitable are commonly used network services whose request count and request frequency are not too high. Services like DNS and Apache are not suited to this approach, while FTP, Telnet, SSH and the like are. The services the system runs under xinetd by default fall into the following categories.
① Standard Internet services: telnet, ftp.
② Information services: finger, netstat, systat.
③ Mail services: imap, imaps, pop2, pop3, pops.
④ RPC services: rquotad, rstatd, rusersd, sprayd, walld.
⑤ BSD services: comsat, exec, login, ntalk, shell, talk.
⑥ Internal services: chargen, daytime, echo, servers, services, time.
⑦ Security services: irc.
⑧ Other services: name, tftp, uucp.

5. Interpreting the xinetd configuration files /etc/services, /etc/xinetd.conf and /etc/xinetd.d/*

0) /etc/services

The ports used by the services under xinetd are set in /etc/services, for example:

$ cat /etc/services | grep rsync
rsync           873/tcp         # rsync
rsync           873/udp         # rsync

1) /etc/xinetd.conf
The xinetd configuration file is /etc/xinetd.conf, but it contains only a few default values and includes the configuration files in the /etc/xinetd.d directory. To enable or disable an xinetd service, edit the corresponding configuration file in /etc/xinetd.d: the disable attribute set to yes means the service is disabled, set to no means it is enabled. /etc/xinetd.conf has many options; the following is the /etc/xinetd.conf of RHEL 4.0.
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{
        instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success          = HOST PID
        log_on_failure          = HOST
        cps                     = 25 30
}

includedir /etc/xinetd.d

- instances = 60: the maximum number of connection processes is 60.
- log_type = SYSLOG authpriv: services log through syslog, using the authpriv facility.
- log_on_success = HOST PID: on a successful connection, log the client's IP address and the process ID.
- log_on_failure = HOST: on a failed connection, log the client's IP address.
- cps = 25 30: allow 25 incoming connections per second; if the limit is exceeded, wait 30 seconds. This is mainly used against denial-of-service attacks.
- includedir /etc/xinetd.d: the directory whose files xinetd includes is /etc/xinetd.d.

2) /etc/xinetd.d/*
The following is an example of a file (rsync) in /etc/xinetd.d/.
service rsync
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        log_on_failure  += USERID
}

The meaning of each line is described below.
- disable = yes: the service is disabled.
- socket_type = stream: the socket type used by the service is stream.
- wait = no: no waiting is required, i.e. the service runs in multithreaded mode.
- user = root: the service process runs as user root.
- server = /usr/bin/rsync: the path of the server program to start.
- log_on_failure += USERID: on failure, the user ID is additionally recorded in the log.

6. Configuring xinetd
1) Format
Each entry in /etc/xinetd.conf has the following form:
service service-name
{
        ......
}

Here service is a required keyword, and the attribute table must be enclosed in curly braces. Each entry defines the service named by service-name.
service-name is arbitrary but is usually a standard network service name; other non-standard services can also be added as long as they can be activated by a network request, including a request from localhost itself. Many attributes are available; the usage rules for the required attributes and the others are described later.

The operator can be =, += or -=. All attributes accept =, which assigns one or more values; some attributes also accept += or -=, which add values to the existing value list or remove values from it.

2) Configuration files
The relevant configuration files are:
/etc/xinetd.conf
/etc/xinetd.d/*    (all files in this directory)
/etc/hosts.allow
/etc/hosts.deny

3) disabled and enabled in /etc/xinetd.conf
The argument of the former is a list of services to disable, that of the latter a list of services to enable. They share the same format (the attribute name, then the service names separated by spaces, for example disabled = in.tftpd in.rexecd) and both apply globally. A service named in the disabled list is disabled regardless of whether it has its own configuration file and how that file is set. If an enabled list is given, only the services in it can be started; if enabled is not given, all services except those in disabled can be started.

4) Points to note
① When reconfiguring (reloading), the following attributes cannot be changed: socket_type, wait, protocol, type;
② If the only_from and no_access attributes are not specified (either directly in the service entry or through defaults), there is no restriction on which IP addresses may access the service;
③ Address checks are performed on IP addresses, not on domain names.

7. How xinetd prevents denial-of-service attacks
xinetd can effectively prevent denial-of-service attacks for the following reasons.

1) Limit the number of concurrently running processes
Set the instances option to limit the number of processes running at the same time:
instances = 20
When the number of server processes started for connection requests reaches 20, xinetd stops accepting further connection requests until the number falls below the set value.

2) Limit the maximum number of connections from one IP address
Limiting the maximum number of connections from one host prevents a single host from monopolizing a service.
per_source = 5
Here the number of connections allowed per IP address is 5.

3) Limit log file size to prevent disk space from being filled
Many attackers know that most services write to a log. An intruder can generate a large volume of error messages which the server duly logs, potentially making the log files huge or even filling the disk. At the same time the administrator faces a mass of log entries and cannot find the intruder's real intrusion path. Limiting the log file size is therefore one way to protect against denial of service.
log_type = FILE /var/log/myservice.log 8388608 15728640
The log file set here has a soft limit of 8 MB: when it is reached, a warning is sent to syslog. When the file reaches 15 MB, all services that use this log file are stopped.

4) Limit load

xinetd can also protect against denial of service by limiting load. A floating-point number is given as the load factor; when the system load reaches that value, the service stops handling further connections.
max_load = 2.8
This setting means that when the system load reaches 2.8, all services are temporarily suspended until the load drops below the set value.
Note that to use this option xinetd must be compiled with "--with-loadavg"; xinetd then honours the max_load configuration option and shuts down certain service processes when the system is overloaded, protecting against some denial-of-service attacks.

5) Limit the number of servers (connection rate)
xinetd can set the connection rate with the cps option, for example:
cps = 25 60
This setting means the server starts at most 25 connections per second; when that number is reached, it stops starting new service instances for 60 seconds, during which no requests are accepted.

6) Limit hardware resource usage
With the two options rlimit_as and rlimit_cpu you can effectively limit a service's use of memory and CPU:
rlimit_as = 8M
rlimit_cpu = 20
This setting limits the service's hardware resource usage to 8 MB of memory (address space) and a CPU limit of 20 (rlimit_cpu is expressed in CPU seconds).

An important feature of xinetd is its ability to control the amount of resources its managed services can use, achieved through the settings above; this helps prevent one xinetd service from consuming so many resources that a denial of service results.
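The entry format with its =, += and -= operators described above and the DoS-related limits just listed are illustrated by this added Python example, which is not xinetd's own code: it parses a constructed /etc/xinetd.conf-style sample, folds the defaults block into each service entry, and reports which of the page's DoS limits a service still leaves unset. The SAMPLE text, parse_xinetd and missing_dos_limits are constructed for this illustration.

```python
import re

# Constructed sample in the /etc/xinetd.conf syntax the page describes (a
# defaults block plus one service entry); it is not a real host's configuration.
SAMPLE = """
defaults
{
    instances       = 60
    log_type        = SYSLOG authpriv
    log_on_success  = HOST PID
    log_on_failure  = HOST
    cps             = 25 30        # 25 connections/second, then back off 30 s
}

service rsync
{
    disable         = no
    wait            = no
    server          = /usr/bin/rsync
    log_on_failure  += USERID
    log_on_success  -= PID
    per_source      = 5
}
"""
# A block is 'defaults' or 'service <name>' followed by a brace-enclosed body.
BLOCK_RE = re.compile(r"(defaults|service\s+(\S+))\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")

def parse_xinetd(text):
    """Return (defaults, services): dicts of attribute -> list of values.
    A service starts from the defaults; = replaces, += appends, -= removes."""
    defaults, services = {}, {}
    for head, name, body in BLOCK_RE.findall(text):
        attrs = {} if head == "defaults" else {k: list(v) for k, v in defaults.items()}
        for line in body.splitlines():
            m = ATTR_RE.match(line.split("#", 1)[0])   # drop trailing comments
            if not m:
                continue
            key, op, vals = m.group(1), m.group(2), m.group(3).split()
            current = attrs.get(key, [])
            if op == "=":
                attrs[key] = vals
            elif op == "+=":
                attrs[key] = current + [v for v in vals if v not in current]
            else:
                attrs[key] = [v for v in current if v not in vals]
        if head == "defaults":
            defaults = attrs
        else:
            services[name] = attrs
    return defaults, services

# DoS-related attributes discussed on the page (max_load needs --with-loadavg).
DOS_LIMITS = ("instances", "per_source", "cps", "max_load", "rlimit_as", "rlimit_cpu")

def missing_dos_limits(services):
    """Per enabled service, the DoS limits set neither in its entry nor in defaults."""
    return {name: [k for k in DOS_LIMITS if k not in attrs]
            for name, attrs in services.items()
            if attrs.get("disable", ["no"])[0].lower() != "yes"}
```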

VI. The service command

The Linux service command views and controls all stand-alone daemon processes. It is not available in every Linux distribution; it is found mainly on Red Hat-based systems. The command lives at /sbin/service, and running the file command on it shows that it is a script. Reading the script shows that its purpose is to look up the corresponding service in the /etc/init.d directory and perform the start and stop operations. For example, service mysqld stop is equivalent to /etc/init.d/mysqld stop.

VII. xinetd itself is also a stand-alone daemon, started from /etc/init.d/xinetd.
