Red Flag Asianux Server 3 System Management: xinetd

Source: Internet
Author: User
Keywords Asianux xinetd

Security is the basis of reliable operation of a network server. With the wide application of communication technology and the Internet, attacks on servers occur frequently, and threats from the network are the main source of Linux server security issues.

This chapter describes how to use the security tools provided by the system on a server platform built on Red Flag Asianux Server 3 to effectively protect your system, reduce the number of successful intrusions, detect and track intrusions through logs, reduce the level of damage, and quickly recover from an attack.

For physical and file system security, refer to Chapter 6, System Security.

7.1 xinetd

7.1.1 Introduction

xinetd provides access control, improved logging capabilities, and resource management, and is the standard Internet super daemon in the Red Flag Asianux Server 3 system.

inetd is known as the super server; it controls the host's network connections. When a request reaches a service port managed by inetd, inetd forwards the request to a program named tcpd. tcpd uses the configuration files /etc/hosts.allow and /etc/hosts.deny to determine whether the service should be allowed to respond to the request. If the request is allowed, the corresponding server program (such as telnetd) is started. This mechanism is also called tcp_wrapper.

xinetd (eXtended InterNET services daemon) provides functionality similar to inetd + tcp_wrapper, but is more robust and secure. It has the following characteristics:

Supports TCP, UDP, and RPC services (RPC support is currently not stable enough; running portmap alongside xinetd works around this problem).
Access control based on time period.
Full-featured logging: both successful and failed connection attempts can be recorded.
Can effectively prevent DoS (Denial of Service) attacks.
Can limit the number of servers of the same type running concurrently.
Can limit the total number of servers that are started.
Can limit log file size.
Can bind a service to a specific system interface, so that a service is reachable only from a private network.
Can act as a proxy for other systems. Combined with IP masquerading, this allows access to an internal private network.

7.1.2 xinetd Configuration

The xinetd configuration consists of /etc/xinetd.conf and the per-service network connection configuration files in the xinetd.d directory under /etc. The syntax of these files is completely different from, and incompatible with, /etc/inetd.conf. In essence, it combines the functions of /etc/inetd.conf, /etc/hosts.allow, and /etc/hosts.deny.

The files in the /etc/xinetd.d directory are shown below

Each file represents a network server program, which generally has the following form.

service service-name
{
    ......
    ......
}

Here service is a required keyword, and each entry defines the service named by service-name. For example, the contents of the file /etc/xinetd.d/telnet are given below:

service-name is arbitrary, but it is typically a standard network service name. Other, non-standard services can also be added, as long as they can be activated by a network request, including a network request made by localhost itself.

The operator can be =, +=, or -=. Every attribute can use = to assign one or more values; some attributes can also use += to add values to the existing value list or -= to remove values from it.
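The operator semantics and the feature list above can be checked mechanically. The following is an added example, not part of the original page or of xinetd itself: it parses one constructed service entry, applies =, += and -= to each attribute's value list, and reports which attributes from the 7.1.1 feature list an enabled service does not set. The names SAMPLE, WANTED, parse_service and audit are hypothetical, and the model is simplified in that it ignores the defaults section of /etc/xinetd.conf.

```python
import re

# Constructed sample entry; it is NOT the page's missing /etc/xinetd.d/telnet listing.
SAMPLE = """\
service telnet
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    only_from       = 192.168.1.0/24 10.0.0.5
    only_from      -= 10.0.0.5
    access_times    = 08:00-18:00
    log_on_failure  = HOST
    log_on_failure += USERID
    instances       = 10
}
"""
ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")
# Attributes for features listed in 7.1.1; which ones to require is this example's choice.
WANTED = {"only_from": "no source-address access control",
          "access_times": "no time-period restriction",
          "log_on_failure": "failed connections are not logged",
          "instances": "no limit on concurrent servers",
          "bind": "not bound to a specific interface"}

def parse_service(text):
    """Return (service_name, {attribute: [values]}) for one service entry."""
    name, attrs = re.search(r"^service\s+(\S+)", text, re.M).group(1), {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#{}" or line.startswith("service "):
            continue
        m = ATTR.match(line)
        if not m:
            raise ValueError(f"bad attribute line: {line!r}")
        key, op, values = m.group(1), m.group(2), m.group(3).split()
        current = attrs.get(key, [])
        if op == "+=":    # add to the existing value list
            values = current + [v for v in values if v not in current]
        elif op == "-=":  # remove from the existing value list
            values = [v for v in current if v not in values]
        attrs[key] = values  # a plain "=" replaces the list
    return name, attrs

def audit(attrs):
    """Findings for an enabled service entry; a disabled entry yields none."""
    disabled = attrs.get("disable") == ["yes"]
    return [] if disabled else [msg for key, msg in WANTED.items() if not attrs.get(key)]
```

For the sample entry, the only finding is the missing bind attribute; an attribute inherited from defaults would be reported as missing by this simplified model.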
