DOCSLIB.ORG

Herding Daemons

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Herding Daemons SYSADMIN Admin Workshop: inetd & xinetd Insider Tips: Server Management with inetd and xinetd HERDING DAEMONS If you have many daemons running on your server, it can be quite difficult to keep track of them all. inetd and xinetd manage these services centrally and also take care of exchanges with your clients, allowing programs without network code to operate as Internet servers. BY MARC ANDRÉ SELIG ypical server applications handle work code. The super Server network communication servers listen to network Ports Processes Tautonomously. They open a ports and pass on 80 pop3 socket and listen at a TCP port, using the incoming connections to 25 inetd imap port to send and receive data. Interac- the appropriate Internet 22 exim tion with a socket is not exactly rocket processes. The processes science, but coding a program for socket use stdin and stdout to 21 ftpd interaction can be troublesome and talk to their clients. As 79 fingerd prone to error. its configuration file, It can also be quite difficult to keep inetd uses a table of the track of the various configurations. Cen- TCP and UDP ports that Figure 1: The Internet super server inetd offloads networking tral security settings involve a lot of it should listen to and tasks from server processes. Processes can use stdin and std- effort if each server has its own set of the programs mapped to out for client communication. configuration files. And what’s more, it these ports. It opens doesn’t always make sense to re-invent sockets for the ports in the table and complete list of registered numbers for the wheel by coding each program sepa- waits for incoming connections. Listing UDP and TCP ports. rately for network access. 1 shows a sample configuration. The second field in the configuration The fields in each line of the configu- file has the socket type (this is always Centralized Server ration file describe the service. The sym- stream for TCP and dgram for UDP). The Management bolic name, such as smtp, also specifies third field has the protocol (such as tcp The so-called super servers, the required port, as inetd looks for the or udp). The nowait option in the next inetd and xinetd provide name in /etc/services. Users are column tells inetd not to wait for the a simple alternative to allowed to add their own ports to running process to finish. In other independent dae- the inetd configuration file, however, words, the daemon will simply launch mons with their if you add a port, make sure you another process in case of another own net- choose a port number between 49152 incoming connection. and 65535, as these ports are wait tells inetd to wait for the reserved for private applica- running process to finish before tions. IANA [1] has a accepting another connection to the port. wait is typically used with datagram sockets, such as UDP servers. UDP cannot assign datagrams to sessions at the transport layer. This means that inetd can only handle one process at any given time and will need to pass any datagrams for the port in question to the current process. The last three arguments in the configuration line spec- ify the user with whose privileges the server will run, the path to the www.scx.hu binary, and any arguments. Depending on the implementation and 66 ISSUE 52 MARCH 2005 WWW.LINUX-MAGAZINE.COM Admin Workshop: inetd & xinetd SYSADMIN Listing 1: inetd Configuration File sampleserver stream tcp U nowait mas U 01 # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args> /usr/local/bin/sampleserver 02 03 smtp stream tcp nowait mail /usr/sbin/exim exim -bs sampleserver is the symbolic service 04 printer stream tcp nowait lp /usr/lib/cups/daemon/cups-lpd cups-lpd name in this case. An entry for sample- 05 ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd server 50000/tcp in /etc/services tells inetd the port. After modifying the con- version, the server may only support a ports a maximum of 50 connections per figuration file, you need to let the super small number of arguments (typically second, blocking the service for 20 sec- server know about the changes. To do five or 20); the super server just ignores onds if this limit is exceeded (cps = 50 so, enter the following command as any other arguments. 20). root: killall -HUP inetd. Inetd does not provide access controls The rlimit_as variable restricts the per- The server should now be running as or security. This is the domain of pro- centage of memory that a process is a TCP service. You can enter telnet local- grams such as the TCP wrapper pro- allowed to hog. And no_access = host 50000 to see the following output gram, tcpd, which parses 24.0.0.0 blocks connections from the 24/ (the first three lines come from the telnet /etc/hosts.allow and /etc/hosts.deny to 8 subnet. client): apply granular controls to specific ports. If the required server cannot launch because the required resources are Trying 127.0.0.1... xinetd Does a Better Job exhausted, or the requesting computer Connected to anmen. xinetd is a vastly improved version of has an IP address the administrator has Escape character is '^]'. the original inetd that supports modular blocked, this configuration directs xinetd This is me and I am called configuration and mechanisms such as to perform an ident lookup to discover anmen. access control and protection against the user name and logs this name along Connection closed by foreign denial of service attacks. Listing 2 shows with the IP address. host. an example for the Exim mail server. xinetd has two kinds of configuration Your Own Server Pitfalls files: /etc/xinetd.conf contains global set- An inetd or xinetd server program can Whether you write a program in C, Java, tings; individual services have their own be very simple. It has to receive and Perl, or shell script, make sure you pay a description files. The file name typically send data using an existing TCP connec- lot of attention to security. Don’t forget includes the name of the service and is tion via standard input and output. Data to validate any input from clients. stored in the /etc/xinetd.d/ directory. from the client is accepted via stdin, and Also, in the Unix workspace, a new- Besides standard options, you can the server talks to the client via stdout. A line is a single \n, whereas the Internet configure a number of security and opti- trivial example of an inetd server only newline is a combination of linefeed and mization variables, such as a list of needs two lines of code: newline (\r\n). inetd and xinetd do not hosts, or IP addresses, that are allowed convert character sets, so your server to access a port. The ability to specify #!/bin/sh process will have to handle this itself. resource limits for the programs, or to echo This is me and I U log access in logfiles or the syslog, is am called `uname -n`. Sense and Nonsense another useful feature. It does not make sense to use the super The configuration in Listing 3 allows a To allow network access to this program, server to launch every single daemon; maximum of ten concurrent instances of just add the following line to each connection to one of these services each server. xinetd calls the servers with /etc/inetd.conf: causes overhead, as it involves relaunch- a low priority (nice = 5), does not start ing the program. This is not a problem any more processes when the load Listing 3: /etc/xinetd.conf for small-footprint daemons that only reaches 2.5 (max_load = 2.5), and sup- run occasionally, but major services 01 defaults such as Apache or SSH take too long to 02 { launch, and this makes it impossible to Listing 2: /etc/xinetd.d/exim 03 instances = 10 use them effectively with inetd. On the 01 service smtp 04 cps = 50 20 02 { upside, running as many services as pos- 05 nice = 5 03 disable = no sible via the super server keeps the 06 max_load = 2.5 04 socket_type = stream process table clean and saves configura- 07 rlimit_as = 32M 05 wait = no tion work. ■ 08 no_access = 24.0.0.0 06 user = mail 09 log_type = SYSLOG daemon 07 server = /usr/ 10 log_on_failure = HOST USERID INFO sbin/exim 11 log_on_success = HOST PID EXIT 08 server_args = -bs [1] IANA port list: http://www.iana.org/ assignments/port-numbers 09 flags = REUSE DURATION 10 } 12 } [2] xinetd: http://www.xinetd.org WWW.LINUX-MAGAZINE.COM ISSUE 52 MARCH 2005 67.
Load more

Recommended publications
  • CIS Ubuntu Linux 18.04 LTS Benchmark
    CIS Ubuntu Linux 18.04 LTS Benchmark v1.0.0 - 08-13-2018 Terms of Use Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/ 1 | P a g e Table of Contents Terms of Use ........................................................................................................................................................... 1 Overview ............................................................................................................................................................... 12 Intended Audience ........................................................................................................................................ 12 Consensus Guidance ..................................................................................................................................... 13 Typographical Conventions ...................................................................................................................... 14 Scoring Information ..................................................................................................................................... 14 Profile Definitions ......................................................................................................................................... 15 Acknowledgements ...................................................................................................................................... 17 Recommendations ............................................................................................................................................
    [Show full text]
  • 01 Introduction to System Services
    Certification Introduction to System Services UNIT 1 Introduction to System Services 1 Rev RH253-RHEL-1 Copyright © 2003 Red Hat, Inc. Objectives • Understand how services are managed • Learn common traits among services • Introduce service fault analysis methods 2 Rev RH253-RHEL-1 Copyright © 2003 Red Hat, Inc. Agenda • Service management concepts • System V-managed services • xinetd managed services • The /etc/sysconfig files • Fault Analysis 3 Rev RH253-RHEL-1 Copyright © 2003 Red Hat, Inc. Service Management • Services are managed several ways: • by init • by System V scripts • by direct command • by xinetd 4 Rev RH253-RHEL-1 Copyright © 2003 Red Hat, Inc. Services Managed by init • Typically non-TCP/IP services, for example dial-in modems • Provides respawn capability • Configured in /etc/inittab 5 Rev RH253-RHEL-1 Copyright © 2003 Red Hat, Inc. System V Service Management • Processes are “wrapped” by System V (‘SysV’) initialization script methods • More than one script, and several configuration files are often used, per service • The service command is a “wrapper of wrappers” • /etc/init.d/cups start • service cups start 6 Rev RH253-RHEL-1 Copyright © 2003 Red Hat, Inc. chkconfig • Manages service definitions in run levels • To start the cups service on boot: chkconfig cups on • Does not modify current run state of System V services • List run level definitions with chkconfig --list 7 Rev RH253-RHEL-1 Copyright © 2003 Red Hat, Inc. xinetd Managed Services • Services are started by xinetd in response to incoming request • Activated with chkconfig: chkconfig cups-lpd on • Uses files in /etc/xinetd.d/ 8 Rev RH253-RHEL-1 Copyright © 2003 Red Hat, Inc.
    [Show full text]
  • 1.113.1 Configure and Manage Inetd, Xinetd, and Related Services Weight
    1.113.1 Configure and manage inetd, xinetd, and related services Weight 4 1.113.1 Angus Lees Context Configure and manage inetd, xinetd, and Objective inetd, xinetd related services tcpwrappers Weight 4 xinetd License Of This Linux Professional Institute Certification — 102 Document Angus Lees [email protected] Geoffrey Robertson [email protected] Nick Urbanik [email protected] This document Licensed under GPL—see section 6 2005 July 1.113.1 Configure and manage Outline inetd, xinetd, and related services Weight 4 Angus Lees Context Objective inetd, xinetd tcpwrappers xinetd inetd.conf License Of This Context Document tcpwrappers Objective xinetd inetd, xinetd License Of This Document 1.113.1 Configure and manage Topic 113 Networking Services [24] inetd, xinetd, and Where we are up to related services Weight 4 Angus Lees Context Objective 1.113.1 Configure and manage inetd, xinetd, and inetd, xinetd related services [4] tcpwrappers xinetd 1.113.2 Operate and perform basic configuration of License Of This sendmail [4] Document 1.113.3 Operate and perform basic configuration of Apache [4] 1.113.4 Properly manage the NFS, smb, and nmb daemons [4] 1.113.5 Setup and configure basic DNS services [4] 1.113.7 Set up secure shell (OpenSSH) [4] 1.113.1 Configure and manage Description of Objective inetd, xinetd, and 1.113.1 Configure and manage inetd, xinetd, and related services related services Weight 4 Angus Lees Context Objective inetd, xinetd Candidates should be able to configure tcpwrappers which services are available through xinetd License Of This inetd, use tcpwrappers to allow or deny Document services on a host-by-host basis, manually start, stop, and restart internet services, configure basic network services including telnet and ftp.
    [Show full text]
  • NAME DESCRIPTION Manpag.Es Fedora 31
    fedora 31 manpag.es XINETD.CONF(5) XINETD.CONF(5) NAME xinetd.conf − Extended Internet Services Daemon configuration file DESCRIPTION xinetd.conf is the configuration file that determines the services provided by xinetd.Any line whose first non-white-space character is a ’#’ is considered a comment line. Empty lines are ignored. The file contains entries of the form: service <service_name> { <attribute> <assign_op> <value> <value> ... ... } The assignment operator, assign_op, can be one of ’=’, ’+=’, ’-=’. The majority of attributes support only the simple assignment operator, ’=’. Attributes whose value is a set of values support all assign- ment operators. Forsuch attributes, ’+=’ means adding a value to the set and ’-=’ means removing a value from the set. Alist of these attributes will be givenafter all the attributes are described. Each entry defines a service identified by the service_name.The following is a list of available attributes: id This attribute is used to uniquely identify a service. This is useful because there exist services that can use different protocols and need to be described with differ- ent entries in the configuration file. By default, the service id is the same as the service name. type Anycombination of the following values may be used: RPC if this is an RPC service INTERNAL if this is a service provided by xinetd. TCPMUX/TCPMUXPLUS if this is a service that will be started according to the RFC 1078 protocol on the TCPMUX well-known port. See the section describing TCPMUX services below. UNLISTED if this is a service not listed in a standard system file (like /etc/rpc for RPC services, or /etc/services for non-RPC services).
    [Show full text]
  • (VI.) Connections: How CUPS Talks to Servers, Clients and Printers
    Linux Printing Tutorial at Linux−Kongress 2002 Cologne, Germany: (VI.) Connections: How CUPS talks to Print Servers, Print Clients and Printers (VI.) Connections: How CUPS talks to Servers, Clients and Printers Table of Contents (VI.) Connections: How CUPS talks to Print Servers, Print Clients and Printers...................1 CUPS in heterogeneous networks.....................................................................................................1 Receiving print data − CUPS as a print server..................................................................................3 IPP − Internet printing protocol............................................................................................3 LPD − Unix clients...............................................................................................................4 SMB/CIFS − Windows clients.............................................................................................5 AppleTalk/NetATalk − Mac clients.....................................................................................5 Sending print data − The CUPS backends........................................................................................6 Local printers: Parallel, USB, serial, FireWire, SCSI..........................................................6 HP's multi−function devices.................................................................................................8 IPP − Internet printing protocol............................................................................................8
    [Show full text]
  • Securing Your Linux System for the Internet
    Securing your Linux System for the Internet SHARE 98 Nashville, TN Session 5512 Abstract ! You've gotten your Linux system installed, and are ready to connect it to the Internet. What should you do now? What can you expect to happen when you plug it into the net? What tools are available to make sure your system is secure? If you don't know the answers to these questions, then this session is for you. The Speaker Harold Pritchett The University of Georgia (706) 542-5110 [email protected] Disclaimer Everybody has lawyers: The ideas and concepts set forth in this presentation are solely those of the respective authors, and not of the companies and or vendors referenced within and these organizations do not endorse, guarantee, or otherwise certify any such ideas or concepts in application or usage. This material should be verified for applicability and correctness in each user environment. No warranty of any kind available. Introduction ! Who am I? ! What makes me qualified to talk about this subject? ! 25 Years working with computers ! 10 Years experience with Unix ! Unix Security Administrator ! Security Incident Handling Team for UGA The One Minute Security Manager ! Common Sense Security ! Passwords ! Use good passwords ! Use a Shadow password file ! Check for accounts without passwords ! Superuser accounts ! root ! root equivalent accounts The One Minute Security Manager ! Common Sense Security (cont) ! File Permissions ! Read, Write, Execute ! User, group, others ! The “chmod” command ! The “umask” command The One Minute Security Manager
    [Show full text]
  • 1 COMPUTER NETWORKS UNIT-V Socket
    COMPUTER NETWORKS UNIT-V Socket Programming: Socket Address: A socket is one endpoint of a two-way communication link between two programs running on the network. A socket is bound to a port number so that the TCP layer can identify the application that data is destined to be sent to. An endpoint is a combination of an IP address and a port number. Every TCP connection can be uniquely identified by its two endpoints. That way you can have multiple connections between your host and the server. TCP/IP creates the socket address as an identifier that is unique throughout all Internet networks. TCP/IP concatenates the Internet address of the local host interface with the port number to devise the Internet socket address. Two types of (TCP/IP) sockets : Stream sockets (e.g. uses TCP) : provide reliable byte-stream service Datagram sockets (e.g. uses UDP) :provide best-effort datagram service , messages up to 65.500 bytes Sockets – Procedures: 1 Client - Server Communication – Unix: Elementary Socket System Calls: socket To do network I/O, the first thing a process must do is to call the socket system call, specifying the type of communication protocol desired. #include <sys/types.h> #include <sys/socket.h> int socket(int family, int type, int protocol); The family is one of AF_UNIX -- Unix internal protocols AF_INET -- Internet protocols AF_NS -- Xerox NS Protocols AF_IMPLINK -- IMP link layer The AF_ prefix stands for "address family." 2 The socket type is one of the following: SOCK_STREAM stream socket SOCK_DGRAM datagram socket SOCK_RAW raw socket SOCK_SEQPACKET sequenced packet socket SOCK_RDM reliably delivered message socket (not implemented yet) The protocol argument to the socket system call is typically set to 0 for most user applications.
    [Show full text]
  • Administration Guide Administration Guide SUSE Linux Enterprise Server 15 SP1
    SUSE Linux Enterprise Server 15 SP1 Administration Guide Administration Guide SUSE Linux Enterprise Server 15 SP1 Covers system administration tasks like maintaining, monitoring and customizing an initially installed system. Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its aliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xxii 1 Available Documentation xxiii 2 Giving Feedback xxv 3 Documentation Conventions xxv 4 Product Life Cycle and Support xxvii Support Statement for SUSE Linux Enterprise Server xxviii • Technology Previews xxix I COMMON TASKS 1 1 Bash and Bash
    [Show full text]
  • 4Bf18907-Ubuntu-Server-Guide.Pdf
    Welcome to the Ubuntu Server Guide! Changes, Errors, and Bugs This is the current edition for Ubuntu 20.04 LTS, Focal Fossa. Ubuntu serverguides for previous LTS versions: 18.04 (PDF), 16.04 (PDF). If you find any errors or have suggestions for improvements to pages, please use the link at thebottomof each topic titled: “Help improve this document in the forum.” This link will take you to the Server Discourse forum for the specific page you are viewing. There you can share your comments or let us know aboutbugs with each page. Offline Download this guide as a PDF Support There are a couple of different ways that Ubuntu Server Edition is supported: commercial support and community support. The main commercial support (and development funding) is available from Canonical, Ltd. They supply reasonably- priced support contracts on a per desktop or per server basis. For more information see the Ubuntu Advantage page. Community support is also provided by dedicated individuals and companies that wish to make Ubuntu the best distribution possible. Support is provided through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The large amount of information available can be overwhelming, but a good search engine query can usually provide an answer to your questions. See the Ubuntu Support page for more information. Installation This chapter provides a quick overview of installing Ubuntu 20.04 Server Edition. For more detailed instruc- tions, please refer to the Ubuntu Installation Guide. Preparing to Install This section explains various aspects to consider before starting the installation. System Requirements Ubuntu 20.04 Server Edition provides a common, minimalist base for a variety of server applications, such as file/print services, web hosting, email hosting, etc.
    [Show full text]
  • Unix Daemons/Inetd
    Unix Daemons Daemons A daemon is a process that: runs in the background not associated with any terminal output doesn't end up in another session. terminal generated signals (^C) aren't received. Unix systems typically have many daemon processes. Most servers run as a daemon process. 2 Common Daemons Web server (httpd) Mail server (sendmail) SuperServer (inetd) System logging (syslogd) Print server (lpd) router process (routed, gated) 3 Daemon Output No terminal - must use something else: file system central logging facility Syslog is often used - provides central repository for system logging. 4 Syslog service syslogd daemon provides system logging services to "clients". Simple API for "clients" A library provided by O.S. A system administrator can control logging functions by specifying: where messages should go what kinds of messages are important what can be ignored 5 syslogd Unix domain socket Filesystem /dev/log /var/log/messages UDP socket port 514 syslogd Console /dev/klog Remote syslogd 6 Syslog messages Think of syslog as a server that accepts messages. Each message includes a number of fields, including: a level indicating the importance (8 levels) LOG_EMERG highest priority LOG_DEBUG lowest priority a facility that indicates the type of process that sent the message: LOG_MAIL, LOG_AUTH, LOG_USER, LOG_KERN, LOG_LPR, . A text string. 7 Message: (level,facility,string) /etc/syslog.conf Syslogd reads a configuration file that specifies how various messages should be handled (where they should go). The sysadmin controls all logged messages by editing this file. Examples: Sysadmin could set LOG_EMERG messages to be sent to the console low priority messages from lpr could be thrown away.
    [Show full text]
  • Networks and Network Programming
    Networks and Network Programming Wireshark screenshot of network traffic 1/45 Networking I Hardware I Protocols I Software The network is the computer. (John Gage) 2/45 3/45 3/45 3/45 Networking Options Network type maximum bandwidth latency (Mbits/second) (microsecs) Fast Ethernet 100 200 Gigabit Ethernet 1000 20–62 10 Gigabit Ethernet 10,000 4 Infiniband 2,000-290,000 0.5–5 I Ethernet is the most cost-effective choice. Ethernet is a packet-based serial multi-drop network requiring no centralized control. All network access and arbitration control is performed by distributed mechanisms. I Internet backbone uses specialized hardware and has speeds up to 500G/s. Experimental systems are available for much higher speeds. 4/45 Ethernet Protocol I In an Ethernet network, machines use the Carrier Sense Multiple Access with Collision Detect (CSMA/CD) protocol for arbitration when multiple machines try to access the network at the same time. I If packets collide, then the machines choose a random number from the interval (0;k) and try again. I On subsequent collisions, the value k is doubled each time, making it a lot less likely that a collision would occur again. This is an example of an exponential backoff protocol. 5/45 Ethernet Packets I The Ethernet packet has the format shown below. Ethernet Packet Format Frame Preamble Synch Destination Source Type Data Check 1010......1010 11 Address Address Sequence 62 bits2 bits 6 bytes 6 bytes 2 bytes 16−1500 bytes 4 bytes Used by higher level software I Note that the Maximum Transmission Unit (MTU) is 1500 bytes.
    [Show full text]
  • Xinetd Y Tcpwrappers Introducción (I)
    Control de acceso a los servicios I: Xinetd y TCPWrappers Introducción (I) • Actualmente el control de acceso se realiza mediante: – Envolventes de acceso (tcpwrappers). – Servidor xinetd. • Ambos son versiones mejoradas de: – Antiguos envolventes de acceso. – Servidor inetd. Administración y Gestión de Redes 1 Control de acceso a los servicios I: Xinetd y TCPWrappers El servidor inetd (I) • Surgió en la versión de UNIX 4.3 de BSD. – Anteriormente cada servicio escuchaba su propio puerto. – A partir de esta versión, existe un servidor que escucha los puertos y lanza los servidores adecuados. • El fichero de configuración del servidor es /etc/inetd.conf. • Es leído: – Al arrancar el servidor. – Al recibir el servidor la señal de SIGHUP. Administración y Gestión de Redes 2 Control de acceso a los servicios I: Xinetd y TCPWrappers El servidor inetd (II) • Cuando recibe una petición genera un nuevo proceso. – Si la petición es a un puerto TCP: • Este proceso lanza el servidor que atiende el puerto. • Le comunica la dirección IP/puerto del cliente. – Si la petición es a un puerto UDP: • Se libera el socket original para permitir a inetd seguir escuchando el puerto. • inetd permanece a la espera de que termine la solicitud. Administración y Gestión de Redes 3 Control de acceso a los servicios I: Xinetd y TCPWrappers El servidor inetd (III) • Ejemplo: ftp stream tcp nowait root /usr/etc/ftpd ftpd –l telnet stream tcp nowait root /usr/etc/telnetd telnetd daytime dgram udp wait root internal • Descripción de los campos: – Nombre del servicio. – Tipo de socket. – Protocolo de transporte. – Esperar (wait) o no (nowait) a que el servidor termine su ejecución.
    [Show full text]