Preface: Ah, recently I had to build a server, only to find that I did not even understand system services very well, so I immediately started cramming.
Content:
1. First, a word: daemon (in Greek mythology, a half-man, half-divine spirit; a guardian spirit). So a daemon is not very different from a service: it is what ensures the machine can provide a service normally. If you must distinguish them, every service needs a daemon behind it, so the daemon is the program that is started to provide the service.
2. Service types: stand_alone and super daemon.
stand_alone: a service that can be started on its own, e.g. httpd (WWW), vsftpd (FTP). Feature: always on standby (memory resident).
super daemon: manages a number of other daemons; the super daemon itself is xinetd. Feature: the managed daemons are only started when needed (not memory resident). Super daemon classification: multi-threaded and single-threaded.
Explanation: here stand_alone is a single counter that handles only one kind of business; the super daemon is a general counter that can handle many kinds of business. But such counters come in two kinds: in one, each piece of business is handed to a clerk who handles it while the counter keeps taking new business; in the other, the counter takes on many pieces of business itself, so the clerks at that counter are all doing different work.
Distinguishing daemons by how they work:
signal-control: managed through signals; as soon as any client request arrives, it starts immediately.
interval-control: works at fixed intervals, e.g. atd, crond.
Note: the daemon naming convention is the program file name + d.
3. Daemon startup scripts and startup methods.
1) /etc/init.d/*: startup scripts. On CentOS they are placed in /etc/rc.d/init.d, and /etc/init.d is a link to /etc/rc.d/init.d.
2) /etc/sysconfig/*: configuration files for the various services.
3) /etc/xinetd.conf, /etc/xinetd.d/*: super daemon configuration files.
/etc/xinetd.conf is the primary configuration file (default profile).
/etc/xinetd.d/* holds the configuration of each managed service.
4) /etc/*: configuration of the various services.
5) /var/lib/*: databases generated by the various services.
6) /var/run/*: the PID record of each service process.
Note: /etc/init.d/<service name> {start|stop|restart|status} can be used to start a daemon.
You can also use service <service name> {start|stop|restart|status}, where service is itself a script that in fact executes /etc/init.d/<service name>.
4. Starting a service managed by the super daemon.
First: open the corresponding service file under /etc/xinetd.d/* and change its configuration to disable = no.
Then: restart xinetd.
To close the service: modify the file again and restart xinetd.
5. xinetd can enforce security and other management mechanisms because they can be configured in its profile /etc/xinetd.conf.
Briefly, the configuration file:
log_type = SYSLOG daemon info: the logging mechanism used for the log file (here syslog, facility daemon, level info).
log_on_failure = HOST: the information to log when an error occurs (here the host).
log_on_success = PID HOST DURATION EXIT: the information to log on a successful login or startup.
cps = 50 10: at most 50 connections in the same second; if exceeded, pause for 10 seconds.
instances: the maximum number of simultaneous connections for the same service.
per_source = 10: the maximum number of simultaneous connections from the same source.
v6only = no: whether only IPv6 is accepted (here no).
groups = yes: this and the next line are environment parameter settings.
umask = 002
includedir /etc/xinetd.d: further settings are read from the /etc/xinetd.d directory.
Note: if a service's file under /etc/xinetd.d/* does not configure a given attribute, the value from /etc/xinetd.conf is used.
6. The format of the configuration files under /etc/xinetd.d/* is:
service <service_name>
{
<attribute> <assign_op> <value> <value>
}
Explanation: service_name must be the same as the service name in /etc/services, because that file maps names to ports. xinetd itself does not use a port; each service has its own port.
attribute is one of a number of management parameters; assign_op is how the parameter is set, mainly =, += and -=: = sets the attribute to the value, += adds new values to the existing ones, and -= removes values from the existing ones.
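As an added example that is not code from the original post, the following Python parses a constructed /etc/xinetd.conf defaults block and a constructed /etc/xinetd.d/telnet file and computes the effective settings, applying the =, += and -= operators and the fall-back to /etc/xinetd.conf described in sections 5 and 6. The file contents and attribute values are assumptions for illustration.

```python
import re
# Constructed xinetd.conf "defaults" block and xinetd.d service file (not the post's real files).
XINETD_CONF = """
defaults
{
    log_on_failure  = HOST
    log_on_success  = PID HOST DURATION EXIT
    cps             = 50 10
    instances       = 50
}
"""
XINETD_D_TELNET = """
service telnet
{
    server          = /usr/sbin/in.telnetd
    instances       = 5
    log_on_success += USERID
    log_on_success -= DURATION
    log_on_failure += USERID
}
"""
BLOCK_RE = re.compile(r"(\w+)(?:[ \t]+(\S+))?\s*\{(.*?)\}", re.S)

def parse_blocks(text):
    """Return {block name: [(attribute, assign_op, values), ...]} per '{ }' block."""
    out = {}
    for kind, name, body in BLOCK_RE.findall(text):
        entries = []
        for line in body.splitlines():
            m = re.match(r"\s*(\w+)\s*(\+=|-=|=)\s*(.*)", line.split("#", 1)[0])
            if m:
                entries.append((m.group(1), m.group(2), m.group(3).split()))
        out[name if kind == "service" else kind] = entries   # 'defaults' or service name
    return out

def apply(attrs, entries):
    """Apply '=', '+=' and '-=' with the semantics the post gives them."""
    for attr, op, values in entries:
        current = attrs.get(attr, [])
        if op == "=":
            attrs[attr] = list(values)        # replace the whole value
        elif op == "+=":
            attrs[attr] = current + [v for v in values if v not in current]
        else:                                 # '-=' removes the listed values
            attrs[attr] = [v for v in current if v not in values]
    return attrs

def effective_config(conf_text, service_text, service):
    """Defaults from xinetd.conf, then overridden or extended by the service file."""
    attrs = apply({}, parse_blocks(conf_text).get("defaults", []))
    return apply(attrs, parse_blocks(service_text).get(service, []))
```

Running effective_config(XINETD_CONF, XINETD_D_TELNET, "telnet") shows instances overridden to 5, cps inherited from the defaults, and log_on_success extended with USERID minus DURATION.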
7. The service firewalls: xinetd and TCP Wrappers.
Linux provides by default a tool for analysing incoming connections to software: /etc/hosts.deny and /etc/hosts.allow.
/etc/hosts.{allow|deny} can accept or reject connections coming from the network.
xinetd filters IP addresses through /etc/hosts.{allow,deny}; in fact no_access and only_from can achieve the same purpose, but these two files allow centralised management.
Note: /etc/hosts.{allow,deny} is also the configuration file of /usr/sbin/tcpd, and /usr/sbin/tcpd itself analyses the TCP network packets entering the system, so TCP Wrappers controls by IP and IP range as well as by port.
This means that TCP Wrappers is supported, or managed, by xinetd through /etc/hosts.{allow,deny}.
8. How to know whether a program supports TCP Wrappers.
Check whether the program depends on the libwrap.so library, using the command ldd $(which sshd) and looking for libwrap.so in its output.
9. How to configure /etc/hosts.{allow,deny}. The syntax is:
1) <service (program_name)> : <ip, domain, hostname> : <action>
program_name is the name of the program; for example, for /usr/bin/rsync write rsync.
2) action: allow or deny. Advanced: spawn, twist.
Example: vim /etc/hosts.deny
rsync : 127.0.0.100 127.0.0.200 : deny
Note: the final allow can be omitted in /etc/hosts.allow, and likewise deny in /etc/hosts.deny, but the two files differ in evaluation order: the allow file is checked first, then the deny file. The recommended practice is to write what is allowed into /etc/hosts.allow and what is disallowed into /etc/hosts.deny.
3) There are some special parameters for the first two fields:
ALL: all program_names or all IPs. For example: ALL:ALL:deny (no IP address may use any service).
LOCAL: the local machine. For example: ALL:LOCAL:allow (the local machine may use all services).
UNKNOWN: an IP, domain or service that cannot be resolved.
KNOWN: an IP, domain, etc. that can be resolved.
Note, and this is emphasised: SERVICE_NAME is in fact the program that starts the service. For example, the /etc/init.d/sshd script actually starts the SSH service by running the sshd program, so the service_name is naturally sshd; and /etc/xinetd.d/telnet refers to the in.telnetd program, so in.telnetd is used.
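As an added example that is not part of the original post, this Python evaluator applies hosts.allow / hosts.deny rules in the order described above (hosts.allow first, then hosts.deny, otherwise the connection is allowed), including the ALL, LOCAL, KNOWN and UNKNOWN wildcards; it goes slightly beyond the text by also accepting tcpd's IP-prefix ("192.168.1.") and domain-suffix (".example.com") patterns. The rule files and client addresses are constructed for illustration.

```python
# Constructed sample files in the post's three-field syntax (not the post's own files).
HOSTS_ALLOW = """
# service : client list : action (allow may be omitted in this file)
sshd  : 192.168.1.  : allow
rsync : LOCAL
ALL   : 10.
"""
HOSTS_DENY = """
rsync : 127.0.0.100 127.0.0.200 : deny
sshd  : UNKNOWN
ALL   : ALL
"""

def parse_rules(text):
    """Return (services, clients, action) per rule; comments and blank lines skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        action = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), action))
    return rules

def client_matches(pattern, ip, hostname):
    """Match one client pattern; hostname is None when the IP cannot be resolved."""
    p = pattern.upper()
    if p == "ALL":
        return True
    if p == "LOCAL":                 # the local machine: a hostname without a dot
        return hostname is not None and "." not in hostname
    if p in ("KNOWN", "UNKNOWN"):    # resolvable vs. unresolvable client
        return (hostname is not None) == (p == "KNOWN")
    if pattern.startswith("."):      # domain suffix, e.g. ".example.com"
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):        # network prefix, e.g. "192.168.1."
        return ip.startswith(pattern)
    return ip == pattern or hostname == pattern

def check_access(service, ip, hostname, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: hosts.allow first, then hosts.deny; no match at all grants access."""
    for default, text in (("allow", allow_text), ("deny", deny_text)):
        for services, clients, action in parse_rules(text):
            if any(s.upper() == "ALL" or s == service for s in services) and \
               any(client_matches(c, ip, hostname) for c in clients):
                return action or default
    return "allow"
```

For instance, check_access("rsync", "127.0.0.200", None) is denied by the rsync line in hosts.deny, while check_access("rsync", "127.0.0.1", "localhost") is granted by the LOCAL entry in hosts.allow before hosts.deny is ever consulted.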
Special functions of TCP Wrappers.
Prerequisite: tcp_wrappers is installed.
A more powerful action: spawn (action). It can run a shell command afterwards for additional work, and it supports variables; the main ones are %h (hostname), %a (address), %d (daemon), etc.
twist (action) is immediately followed by a command; once that command has finished executing, the connection request is terminated.
Example:
1. Use safe_finger to trace the host information (host name, user-related information, etc.);
2. Send the result of this trace by email to root on the local machine;
3. Display on the other side's screen that they are not logged in, and warn them that they have been recorded.
Note: since these are all defensive mechanisms, these two actions are mostly placed in /etc/hosts.deny.
# vim /etc/hosts.deny
rsync : ALL : spawn (echo "security notice from host $(/bin/hostname)"; echo; /usr/sbin/safe_finger @%h) | /bin/mail -s "%d-%h security" root & : twist (/bin/echo -e "\n\nWARNING connection not allowed.\n\n")
This article is from the "Technology First" blog; please keep this source: http://wuxiangdong.blog.51cto.com/8274747/1566180
Linux System Services