The most important network service process is the inetd server program: most services that receive requests infrequently are started by it. inetd runs as a daemon, listens on many ports, and when a client request arrives on one of them it starts the service program for that port. Because of this general role, we introduce it in this chapter.

inetd is started from the command line as:

    inetd [-d]

The -d option turns on debugging output. The way inetd works is set by the /etc/inetd.conf and /etc/services files, which are described below.

The format of the services file is basically as follows:

    netstat   15/tcp
    qotd      17/tcp   quote
    msp       18/tcp   # message send protocol
    msp       18/udp   # message send protocol
    chargen   19/tcp   ttytst source
    chargen   19/udp   ttytst source
    ftp       21/tcp

Each row has two or three columns: the first column is the service name, the second is the port and protocol used, and the third, which may be omitted, is the service alias. For example, "telnet 23/tcp" indicates that the telnet service uses port 23 with the tcp protocol.

inetd.conf depends on the services file and is also a text file. Each line describes how one service is run, and a line beginning with "#" is a comment. The format of a non-comment line is roughly:

    service-name data-type protocol listening-mode user-identity service-program parameters

For example, to start the telnet service you add a line such as:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

The service name is telnet, so according to the definition in /etc/services it provides service on port 23; stream indicates that data is sent and received with simple stream read/write (fscanf and fprintf); tcp indicates that the tcp protocol is used. The listening-mode column has two options, wait and nowait.
To put it simply, if the corresponding service program is multi-process, set it to nowait: inetd then starts a new service process every time it receives a request. telnet works this way, and each independent telnet session starts its own telnet service process. Conversely, if the service program is single-process, set it to wait.

User identity gives the uid/euid used when the service process starts. Because telnet connections can come from any user and any command can be executed through telnet, the root user identity is used here.

/usr/sbin/tcpd is the program actually started. It is a general TCP connection handling program, and its parameter is in.telnetd: when a connection request arrives on port 23, inetd executes "/usr/sbin/tcpd in.telnetd". Normally the common services are already written in inetd.conf, and the ones that are not enabled are disabled with a leading comment character "#". To enable such a service, simply delete the leading "#".

It is worth mentioning that /usr/sbin/tcpd is a TCP connection filtering program. In general, most services that require connection verification should be started through tcpd, which automatically verifies the IP address of the client machine and performs some security filtering; its main function is to refuse connections from certain addresses. For example, because in.telnetd is started through /usr/sbin/tcpd in the format above, the address of each telnet request can be checked. tcpd verifies addresses using the /etc/hosts.deny and /etc/hosts.allow files. If these files do not exist, you can create them yourself. The syntax of the two is almost the same: hosts.allow permits connections from an address, while hosts.deny prohibits connections from somewhere. The basic syntax is:

    service program: client address

where the service program is the name of the program started through tcpd.
The client address is a list of the relevant addresses. For example, adding the following line to /etc/hosts.allow:

    in.telnetd: 10.0.0.2

allows the machine at 10.0.0.2 to use the local telnet service. If the same line is added to /etc/hosts.deny instead, the machine at 10.0.0.2 is prohibited from logging on.

The address can be written as a set. The common set forms are the following. A string starting with a dot defines a domain: for example, .edu.cn matches all machines whose domain name ends in .edu.cn. A string ending with a dot defines an IP address prefix: for example, 202.199.248. represents 202.199.248.0 to 202.199.248.255. A string containing a "/" is interpreted as network address/subnet mask: for example, 172.13.0.0/255.255.0.0 represents 172.13.0.0 to 172.13.255.255.

In addition, both addresses and service programs can use wildcards. The wildcard "ALL" matches everything, that is, all services or all addresses. It is often used with the EXCEPT clause, which means "except". For example, writing

    ALL: ALL EXCEPT 202.199.248.

in hosts.deny prohibits all client machines except those in 202.199.248.* from using any tcpd-based service. Writing

    ALL EXCEPT in.telnetd: ALL

disables all tcpd-based services except telnet. LOCAL matches all machines whose names have no domain suffix. KNOWN matches machines whose IP address and domain name are both known; UNKNOWN matches machines whose IP address or domain name cannot be determined; PARANOID matches machines whose domain name does not match the name returned by the Domain Name Service.
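The following is an added example, not code from the original text or from tcpd itself: a small Python re-implementation of the hosts.allow/hosts.deny evaluation order and the address set forms described above (domain suffix, IP prefix, network/netmask, ALL and EXCEPT). The two rule files are constructed samples, and the name-based wildcards LOCAL, KNOWN, UNKNOWN and PARANOID are left out because they need DNS lookups.

```python
import ipaddress

# Constructed sample rule files (not from a real system).
HOSTS_ALLOW = """
# hosts.allow: a connection matched here is accepted without consulting hosts.deny
in.telnetd: 10.0.0.2
in.ftpd: .edu.cn, 172.13.0.0/255.255.0.0
"""
HOSTS_DENY = """
# hosts.deny: refuse every other connection, except from the 202.199.248.* network
ALL: ALL EXCEPT 202.199.248.
"""

def client_matches(pattern, host, addr):
    """One client pattern: ALL, '.domain' suffix, 'a.b.c.' prefix, net/mask, or exact name/address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                  # domain suffix, e.g. .edu.cn
        return host.endswith(pattern)
    if pattern.endswith("."):                    # address prefix, e.g. 202.199.248.
        return addr.startswith(pattern)
    if "/" in pattern:                           # network/netmask, e.g. 172.13.0.0/255.255.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)               # exact host name or IP address

def list_matches(spec, match):
    """A pattern list with optional EXCEPT: an item before EXCEPT must match and none after it."""
    included, _, excluded = spec.partition(" EXCEPT ")
    hit = any(match(p.strip()) for p in included.split(",") if p.strip())
    exc = any(match(p.strip()) for p in excluded.split(",") if p.strip())
    return hit and not exc

def file_matches(text, daemon, host, addr):
    """True if some non-comment 'services: clients' line in the file matches this connection."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        services, _, clients = line.partition(":")   # IPv4 only: no ':' inside the client list
        svc_ok = list_matches(services.strip(), lambda p: p in ("ALL", daemon))
        cli_ok = list_matches(clients.strip(), lambda p: client_matches(p, host, addr))
        if svc_ok and cli_ok:
            return True
    return False

def access_allowed(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: hosts.allow first, then hosts.deny; a connection matched by neither is granted."""
    if file_matches(allow, daemon, host, addr):
        return True
    if file_matches(deny, daemon, host, addr):
        return False
    return True
```

Note the last line of access_allowed: with an empty or missing hosts.deny, everything not explicitly listed is permitted, which is why a closing "ALL: ALL" rule in hosts.deny is the usual way to get a default-deny policy.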