Xinetd full Guide

Source: Internet
Author: User
1. What is xinetd?
  
You are probably familiar with inetd, the so-called super server, which controls how network connections to the host are handled. When a request arrives on a service port managed by inetd, inetd hands the request to a program named tcpd. tcpd checks whether the request is allowed according to the configuration files /etc/hosts.{allow,deny}. If the request is allowed, the corresponding server program (such as ftpd or telnetd) is started. This mechanism is also called tcp_wrapper.
  
xinetd (eXtended InterNET services daemon) provides functions similar to inetd plus tcp_wrapper, but is more powerful and more secure. It offers the following features:
  
Support for TCP, UDP, and RPC services (but the current RPC support is not stable enough)
Time-period-based access control
A fully featured logging function that can record both successful and failed connections
Effective defence against DoS (Denial of Service) attacks
Limits on the number of servers of one type that can run simultaneously
Limits on the total number of started servers
Limits on log file size
Binding a service to a specific system interface, so that, for example, only the private network can reach a service
Use as a proxy for other systems; combined with IP masquerading, this provides access to an internal private network
Its biggest drawback is the unstable RPC support, but this can be worked around by running portmap alongside xinetd.
  
2. Compile and install
  
You can download xinetd from www.xinetd.org. The latest version is xinetd 2.1.8.8p3. By default, compiling and installing xinetd is very simple; follow these steps:
  
# ./configure; make install
  
The following useful options are supported by configure:
  
--with-libwrap: with this option, xinetd uses the tcpd configuration files (/etc/hosts.{allow,deny}) for access control. To use this function, tcp_wrapper and its libraries must be installed on the system.
--with-loadavg: with this option, xinetd honours the max_load configuration option (it is ignored otherwise), so that services are shut down when the system load becomes too heavy; this mitigates some DoS attacks.
--with-inet6: with this option, xinetd supports IPv6.
If Red Hat 7.0 is used, xinetd is installed by default and you do not need to install it yourself.
  
3. Configuration
  
The default configuration file of xinetd is /etc/xinetd.conf. Its syntax is completely different from, and not compatible with, /etc/inetd.conf. It is essentially a combination of /etc/inetd.conf with /etc/hosts.allow and /etc/hosts.deny. Each entry in /etc/xinetd.conf takes the following form:
  
service service-name
{
    attribute operator value
    .......
}
  
The service keyword is required, and the attribute list must be enclosed in braces. Each entry defines one service, named by service-name.

The service-name is arbitrary, but it is usually a standard network service name. You can also add non-standard services, as long as they can be activated by a network request, including requests sent by localhost itself. Many attributes are available; they are described in the following table. Later we will describe which attributes are required and the rules for using them.

The operator can be =, += or -=. All attributes accept = to assign one or more values. Some attributes also accept += or -=, which add values to, or remove values from, the existing value list. The attribute table below notes which attributes support these forms.

Value is the parameter set for the given attribute.
  
Table 1 Extended Internet service process attributes

socket_type
The TCP/IP socket type used. Possible values are stream (TCP), dgram (UDP), raw, and seqpacket (reliable, ordered datagrams).
protocol
The protocol used by the service. The value must be defined in /etc/protocols. If it is not specified, the default protocol of the service is used.
server
The full path of the program to be started.
server_args
The arguments passed to the program, not including the program name.
port
The port number of the service. If the service is listed in /etc/services, the two must match.
wait
Has two possible values. If yes, xinetd starts the server process and stops handling requests for the service until that process exits; this is a single-threaded service. If no, xinetd starts a new process for each request regardless of the state of previously started processes; this is a multi-threaded service.
user
Sets the UID of the service process. If the effective UID of xinetd is not 0, this attribute has no effect.
group
Sets the GID of the service process. If the effective UID of xinetd is not 0, this attribute has no effect.
nice
The nice value of the service process.
id
Uniquely identifies a service. Some services differ only in the protocol they use, so this attribute is needed to tell them apart. By default the id is the same as the service name. For example, echo supports both a dgram and a stream service; set id = echo_dgram and id = echo_stream to identify the two uniquely.
type
One or more of the following values: RPC (for RPC services), INTERNAL (a service provided by xinetd itself, such as echo), UNLISTED (a service not listed in standard system files such as /etc/rpc or /etc/services).
access_times
Sets the time intervals during which the service is available. The format is hh:mm-hh:mm; for example, 8:00-18:00 means the service is available from 8 A.M. to 6 P.M.
banner
The named file is displayed to the client when a connection is established, whether or not the connection is permitted.
flags
Any combination of one or more of the following options:

REUSE: makes the TCP/IP socket reusable, that is, sets the SO_REUSEADDR flag on the service socket. This matters when xinetd is stopped and restarted.
INTERCEPT: intercepts datagrams to perform access checks, so that connections are only accepted from allowed locations. This flag cannot be used with INTERNAL or multi-threaded services.
NORETRY: if fork fails, do not retry.
IDONLY: accept the connection only when the remote end identifies the remote user (that is, the remote system must run an ident server). This flag applies only to connection-oriented services and has no effect unless the USERID record option is used: set USERID in the log_on_success and/or log_on_failure attributes for it to take effect. Only for multi-threaded stream services.
NAMEINARGS: allows the first argument in the server_args attribute to be the fully qualified path of the server program, which permits the use of TCP_Wrappers.
NODELAY: if the service is a TCP service, sets the TCP_NODELAY option on the socket. This flag has no effect if the service is not a TCP service.
rpc_version
Specifies the RPC version number. It can be a single value or a range such as 2-3.
rpc_number
Specifies the RPC program number if it is not listed in /etc/rpc.
env
A space-separated list of VAR=VALUE pairs, where VAR is a shell environment variable and VALUE is the value to set. These values, together with the xinetd environment, are passed to the service program when it is started. This attribute supports the = and += operators.
passenv
A space-separated list of environment variables from the xinetd environment that are passed to the service program when it is started. If the list is empty, no variables are passed. This attribute supports all operators.
only_from
A space-separated list of the clients allowed to access the service. Table 2 gives the client syntax. If this attribute has no value, access to the service is denied. This attribute supports all operators.
no_access
A space-separated list of the clients denied access to the service. Table 2 gives the client syntax. This attribute supports all operators.
instances
Accepts an integer greater than or equal to 1, or UNLIMITED. Sets the maximum number of server processes that may run simultaneously. UNLIMITED means xinetd places no limit on this number.
log_type
Specifies how the service's log records are written, which can be:

SYSLOG facility [level]: the facility can be daemon, auth, user, or local0-7. The level can be emerg, alert, crit, err, warning, notice, info, or debug; the default is info.
FILE file [soft [hard]]: log to the named file instead of syslog. The optional soft and hard limits are given in KB. Once the soft limit is reached, xinetd logs a warning message. Once the hard limit is reached, xinetd stops logging for all services that use this file. If the hard limit is not specified, it becomes the soft limit plus 1%, but it cannot exceed 20 MB; the default soft limit is 5 MB.
redirect
The syntax is redirect = ipaddress port. It redirects the TCP service to another system. If this attribute is used, the server attribute is ignored.
bind
Binds a service to a specific interface. The syntax is bind = ipaddress. In this way, a host with multiple (physical or logical) interfaces can offer a service on one interface but not on the others.
log_on_success
Specifies the information to be logged when a request succeeds. Possible values:

PID: the PID of the server process. If no new process was forked, the PID is logged as 0.
HOST: the IP address of the client host.
USERID: the identity of the client user, obtained with an RFC 1413 (ident) lookup. It can only be used for multi-threaded stream services.
EXIT: log the process exit and its exit status.
DURATION: log the duration of the session.
If no values are given, nothing is logged. This attribute supports all operators.
log_on_failure
Specifies the information to be logged when a request fails. A message describing the nature of the error is always logged.

ATTEMPT: log the failed attempt. All other values imply this one.
HOST: the IP address of the client host.
USERID: the identity of the client user, obtained with an RFC 1413 (ident) lookup. It can only be used for multi-threaded stream services.
RECORD: log additional client information such as the local user, the remote user, and the terminal.
If no values are given, nothing is logged beyond the error message. This attribute supports all operators.
disabled
Can only be used in the defaults entry (see the defaults entry after this section). It is a space-separated list of disabled services. It has the same effect as commenting out the service entry in /etc/xinetd.conf.
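As an added example (not from the original article or the xinetd project), the following Python script parses the entry syntax above, applying the defaults entry, the =, += and -= operators and the disabled list to a constructed configuration, so the effective attribute values of each service can be checked before deploying a file:

```python
import re
# Constructed sample /etc/xinetd.conf for this example (not a real file).
SAMPLE_CONF = """
defaults
{
    only_from      = 192.168.1.0/24 10.0.0.0/8
    log_on_success = HOST PID
    disabled       = finger
}
service telnet
{
    socket_type    = stream
    server         = /usr/sbin/in.telnetd
    only_from      -= 10.0.0.0/8
    only_from      += 10.0.0.5
    log_on_success += USERID DURATION
}
service finger
{
    socket_type    = stream
}
"""
# Attributes the table marks as supporting += and -= (value lists).
LIST_ATTRS = {"env", "passenv", "only_from", "no_access",
              "log_on_success", "log_on_failure", "disabled"}
ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def apply_op(attrs, name, op, value):
    """Apply 'name op value'; += and -= only make sense for list attributes."""
    old = attrs.get(name, [])
    if name not in LIST_ATTRS:
        attrs[name] = value                       # scalar attribute
    elif op == "-=":
        attrs[name] = [w for w in old if w not in value.split()]
    else:                                         # "=" replaces, "+=" appends
        attrs[name] = (old if op == "+=" else []) + value.split()

def parse_conf(text):
    """Return {service: effective attrs}; defaults first, disabled ones dropped."""
    defaults, services, current = {}, {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments; {, } and
        if line == "defaults":                    # blank lines match nothing
            current = defaults
        elif line.startswith("service "):         # start from a defaults copy
            current = services.setdefault(line.split()[1], dict(defaults))
        elif (m := ATTR_RE.match(line)) and current is not None:
            apply_op(current, *m.groups())
    disabled = set(defaults.get("disabled", []))
    return {n: a for n, a in services.items() if n not in disabled}
```

The script assumes the defaults entry precedes the service entries, as in the usual file layout; an empty effective only_from list means the service denies all access.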
  
Let's first look at a simple example. Example 1 is an example of the configuration file /etc/xinetd.conf. The definitions of these two services look like /etc/inetd.conf because they use it