Update the inetd section.

This commit is contained in:
Ceri Davies 2006-02-11 21:57:46 +00:00
parent 19edfb52f7
commit 55c07a15fa
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=27089


@ -102,6 +102,12 @@
<contrib>Contributed by </contrib>
</author>
</authorgroup>
<authorgroup>
<author>
<contrib>Updated for &os; 6.1-RELEASE by </contrib>
<othername>The &os; Documentation Project</othername>
</author>
</authorgroup>
</sect1info>
<title>The <application>inetd</application> <quote>Super-Server</quote></title>
@ -109,7 +115,7 @@
<sect2 id="network-inetd-overview">
<title>Overview</title>
<para>&man.inetd.8; is referred to as the <quote>Internet
<para>&man.inetd.8; is sometimes referred to as the <quote>Internet
Super-Server</quote> because it manages connections for
several services. When a
connection is received by <application>inetd</application>, it
@ -117,8 +123,8 @@
the particular process and delegates the socket to it (the program
is invoked with the service socket as its standard input, output
and error descriptors). Running
one instance of <application>inetd</application> reduces the
overall system load as compared to running each daemon
<application>inetd</application> for servers that are not heavily used can reduce the
overall system load, when compared to running each daemon
individually in stand-alone mode.</para>
<para>Primarily, <application>inetd</application> is used to
@ -137,15 +143,19 @@
<title>Settings</title>
<para><application>inetd</application> is initialized through
the <filename>/etc/rc.conf</filename> system. The
the &man.rc.8; system. The
<literal>inetd_enable</literal> option is set to
<literal>NO</literal> by default, but is often times turned on
by <application>sysinstall</application> with the medium
security profile. Placing:
<literal>NO</literal> by default, but may be turned on
by <application>sysinstall</application> during installation,
depending on the configuration chosen by the user.
Placing:
<programlisting>inetd_enable="YES"</programlisting> or
<programlisting>inetd_enable="NO"</programlisting> into
<filename>/etc/rc.conf</filename> can enable or disable
<application>inetd</application> starting at boot time.</para>
<filename>/etc/rc.conf</filename> will enable or disable
<application>inetd</application> starting at boot time.
The command:
<programlisting>/etc/rc.d/inetd rcvar</programlisting>
can be run to display the current effective setting.</para>
<para>Additionally, different command-line options can be passed
to <application>inetd</application> via the
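Review bot: the added `<programlisting>/etc/rc.d/inetd rcvar</programlisting>` shows a command the reader types, so it should use the `<screen>&prompt.root; <userinput>...</userinput></screen>` form that this same commit uses for `/etc/rc.d/inetd reload`; `<programlisting>` is used in this section for rc.conf contents. The surrounding "Placing: ... or ... into /etc/rc.conf will enable or disable" construction is still awkward after the "can" to "will" change; "Placing inetd_enable="YES" or inetd_enable="NO" in /etc/rc.conf enables or disables inetd at boot time" reads more cleanly.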
@ -155,47 +165,30 @@
<sect2 id="network-inetd-cmdline">
<title>Command-Line Options</title>
<para><application>inetd</application> synopsis:</para>
<para>Like most server daemons, <application>inetd</application>
has a number of options that it can be passed in order to
modify its behaviour. The full list of options reads:</para>
<para><option> inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
[-p filename] [-R rate] [configuration file]</option></para>
<para><command>inetd</command> <option>[-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
[-p filename] [-R rate] [-s maximum] [configuration file]</option></para>
<para>Options can be passed to <application>inetd</application> using the
<literal>inetd_flags</literal> option in
<filename>/etc/rc.conf</filename>. By default,
<literal>inetd_flags</literal> is set to
<literal>-wW -C 60</literal>, which turns on TCP wrapping for
<application>inetd</application>'s services, and prevents any
single IP address from requesting any service more than 60 times
in any given minute.</para>
<para>Novice users may be pleased to note that
these parameters usually do not need to be modified,
although we mention the rate-limiting options below as
they be useful should you find that you are receiving an
excessive amount of connections. A full list of options
can be found in the &man.inetd.8; manual.</para>
<variablelist>
<varlistentry>
<term>-d</term>
<listitem>
<para>Turn on debugging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>Turn on logging of successful connections.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w</term>
<listitem>
<para>Turn on TCP Wrapping for external services (on by
default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W</term>
<listitem>
<para>Turn on TCP Wrapping for internal services which are
built into <application>inetd</application> (on by
default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c maximum</term>
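Review bot: "as they be useful should you find that you are receiving" in the new "Novice users" paragraph is missing a word; "as they may be useful" is presumably intended. Two smaller points: "Novice users may be pleased to note" is chattier than the rest of the section, and the wording being removed further down ("these parameters usually do not need to be modified") says the same thing more plainly; and with the -d, -l, -w and -W varlistentries deleted, the synopsis still lists those flags but -d and -l are no longer explained anywhere on the page. Either keep those two entries or make the paragraph's closing pointer to &man.inetd.8; explicit about where the remaining flags are documented.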
@ -231,94 +224,53 @@
</varlistentry>
<varlistentry>
<term>-a</term>
<term>-s maximum</term>
<listitem>
<para>Specify one specific IP address to bind to.
Alternatively, a hostname can be specified, in which case
the IPv4 or IPv6 address which corresponds to that
hostname is used. Usually a hostname is specified when
<application>inetd</application> is run inside a
&man.jail.8;, in which case the hostname corresponds to
the &man.jail.8; environment.</para>
<para>When hostname specification is used and both IPv4
and IPv6 bindings are desired, one entry with the
appropriate protocol type for each binding is required
for each service in
<filename>/etc/inetd.conf</filename>. For example, a
TCP-based service would need two entries, one using
<literal>tcp4</literal> for the protocol and the other
using <literal>tcp6</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>Specify an alternate file in which to store the
process ID.</para>
<para>Specify the maximum number of times a service can be
invoked from a single IP address at any one time; the
default is unlimited. May be overridden on a per-service
basis with the <option>max-child-per-ip</option>
parameter.</para>
</listitem>
</varlistentry>
</variablelist>
<para>These options can be passed to
<application>inetd</application> using the
<literal>inetd_flags</literal> option in
<filename>/etc/rc.conf</filename>. By default,
<literal>inetd_flags</literal> is set to
<literal>-wW</literal>, which turns on TCP wrapping for
<application>inetd</application>'s internal and external
services. For novice users, these parameters usually do not
need to be modified or even entered in
<filename>/etc/rc.conf</filename>.</para>
<note>
<para>An external service is a daemon outside of
<application>inetd</application>, which is invoked when a
connection is received for it. On the other hand, an
internal service is one that
<application>inetd</application> has the facility of
offering within itself.</para>
</note>
</sect2>
<sect2 id="network-inetd-conf">
<!-- XXX This section isn't very clear, and could do with some lovin' -->
<title><filename>inetd.conf</filename></title>
<para>Configuration of <application>inetd</application> is
controlled through the <filename>/etc/inetd.conf</filename>
file.</para>
done via the file <filename>/etc/inetd.conf</filename>.</para>
<para>When a modification is made to
<filename>/etc/inetd.conf</filename>,
<application>inetd</application> can be forced to re-read its
configuration file by sending a HangUP signal to the
<application>inetd</application> process as shown:</para>
configuration file by running the command:</para>
<example id="network-inetd-hangup">
<title>Sending <application>inetd</application> a HangUP Signal</title>
<example id="network-inetd-reread">
<title>Reloading the <application>inetd</application>
configuration file</title>
<screen>&prompt.root; <userinput>kill -HUP `cat /var/run/inetd.pid`</userinput></screen>
<screen>&prompt.root; <userinput>/etc/rc.d/inetd reload</userinput></screen>
</example>
<para>Each line of the configuration file specifies an
individual daemon. Comments in the file are preceded by a
<quote>#</quote>. The format of
<quote>#</quote>. The format of each entry in
<filename>/etc/inetd.conf</filename> is as follows:</para>
<programlisting>service-name
socket-type
protocol
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]
user[:group][/login-class]
server-program
server-program-arguments</programlisting>
<para>An example entry for the <application>ftpd</application> daemon
using IPv4:</para>
<para>An example entry for the &man.ftpd.8; daemon
using IPv4 might read:</para>
<programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
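Review bot: deleting the -a varlistentry drops the only place that told readers a hostname-bound inetd (the &man.jail.8; case) needs one inetd.conf line per address family, one with tcp4 and one with tcp6 for each TCP service; nothing else in the diff carries that guidance, so either keep the -a entry or move those two sentences into the inetd.conf section. The removed `<note>` was likewise the only definition of the internal/external service split; the new -wW wording ("turns on TCP wrapping for inetd's services") no longer needs it, but check that the Security section's discussion of built-in services does not still lean on the term "internal". The new -s entry, the `max-child-per-ip` field in the entry format, and the switch from `kill -HUP` to `/etc/rc.d/inetd reload` all look right, and the renamed example id is updated at every linkend in this commit.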
@ -396,7 +348,7 @@ server-program-arguments</programlisting>
</varlistentry>
<varlistentry>
<term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</term>
<term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]</term>
<listitem>
<para><option>wait|nowait</option> indicates whether the
@ -415,42 +367,54 @@ server-program-arguments</programlisting>
using the <option>max-child</option> option. If a limit
of ten instances of a particular daemon is needed, a
<literal>/10</literal> would be placed after
<option>nowait</option>.</para>
<option>nowait</option>. Specifying <literal>/0</literal>
allows an unlimited number of children</para>
<para>In addition to <option>max-child</option>, another
option limiting the maximum connections from a single
<para>In addition to <option>max-child</option>, two other
options which limit the maximum connections from a single
place to a particular daemon can be enabled.
<option>max-connections-per-ip-per-minute</option> does
just this. A value of ten here would limit any particular
<option>max-connections-per-ip-per-minute</option> limits
the number of connections from any particular IP address
per minutes, e.g. a value of ten would limit any particular
IP address connecting to a particular service to ten
attempts per minute. This is useful to prevent
intentional or unintentional resource consumption and
Denial of Service (DoS) attacks to a machine.</para>
attempts per minute. <option>max-child-per-ip</option>
limits the number of children that can be started on
behalf on any single IP address at any moment. These
options are useful to prevent intentional or unintentional
excessive resource consumption and Denial of Service (DoS)
attacks to a machine.</para>
<para>In this field, <option>wait</option> or
<para>In this field, either of <option>wait</option> or
<option>nowait</option> is mandatory.
<option>max-child</option> and
<option>max-connections-per-ip-per-minute</option> are
<option>max-child</option>,
<option>max-connections-per-ip-per-minute</option> and
<option>max-child-per-ip</option> are
optional.</para>
<para>A stream-type multi-threaded daemon without any
<option>max-child</option> or
<option>max-connections-per-ip-per-minute</option> limits
<option>max-child</option>,
<option>max-connections-per-ip-per-minute</option> or
<option>max-child-per-ip</option> limits
would simply be: <literal>nowait</literal>.</para>
<para>The same daemon with a maximum limit of ten daemons
would read: <literal>nowait/10</literal>.</para>
<para>Additionally, the same setup with a limit of twenty
<para>The same setup with a limit of twenty
connections per IP address per minute and a maximum
total limit of ten child daemons would read:
<literal>nowait/10/20</literal>.</para>
<para>These options are all utilized by the default
settings of the <application>fingerd</application> daemon,
<para>These options are utilized by the default
settings of the &man.fingerd.8; daemon,
as seen here:</para>
<programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
<para>Finally, an example of this field with a maximum of
100 children in total, with a maximum of 5 for any one
IP address would read:
<literal>nowait/100/0/5</literal>.</para>
</listitem>
</varlistentry>
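Review bot: three wording slips in the added lines: "allows an unlimited number of children</para>" is missing its full stop; "per minutes, e.g. a value of ten" should be "per minute"; and "started on behalf on any single IP address" should be "on behalf of any single IP address". One logic gap: the closing example `nowait/100/0/5` relies on 0 in the middle field meaning no per-IP-per-minute limit, but the text only explains `/0` for max-child. Add a clause saying that 0 disables the connections-per-minute limit as well, otherwise the reader has no way to see why that field is present in the example.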
@ -500,24 +464,24 @@ server-program-arguments</programlisting>
<sect2 id="network-inetd-security">
<title>Security</title>
<para>Depending on the security profile chosen at install, many
of <application>inetd</application>'s daemons may be enabled
<para>Depending on the choices made at install time, many
of <application>inetd</application>'s services may be enabled
by default. If there is no apparent need for a particular
daemon, disable it! Place a <quote>#</quote> in front of the
daemon, consider disabling it. Place a <quote>#</quote> in front of the
daemon in question in <filename>/etc/inetd.conf</filename>,
and then send a <link linkend="network-inetd-hangup">hangup
signal to inetd</link>. Some daemons, such as
and then <link linkend="network-inetd-reread">reload the
inetd configuration</link>. Some daemons, such as
<application>fingerd</application>, may not be desired at all
because they provide an attacker with too much
information.</para>
because they
information that may be useful to an attacker.</para>
<para>Some daemons are not security-conscious and have long, or
non-existent timeouts for connection attempts. This allows an
non-existent, timeouts for connection attempts. This allows an
attacker to slowly send connections to a particular daemon,
thus saturating available resources. It may be a good idea to
place <option>max-connections-per-ip-per-minute</option> and
<option>max-child</option> limitations on certain
daemons.</para>
place <option>max-connections-per-ip-per-minute</option>,
<option>max-child</option> or <option>max-child-per-ip</option> limitations on certain
daemons if you find that you have too many connections.</para>
<para>By default, TCP wrapping is turned on. Consult the
&man.hosts.access.5; manual page for more information on placing
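Review bot: the replacement lines "because they" / "information that may be useful to an attacker." have lost their verb; the sentence should read "because they provide information that may be useful to an attacker." Separately, changing the advice to apply limits "if you find that you have too many connections" turns a preventive control into a reactive one: the same paragraph describes an attacker slowly opening connections to a daemon with long or non-existent timeouts, which is exactly the case an administrator does not notice until resources are exhausted. Keep the original unconditional recommendation to set `max-child` and `max-connections-per-ip-per-minute` on exposed daemons, and simply add `max-child-per-ip` to the list.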
@ -537,9 +501,9 @@ server-program-arguments</programlisting>
services of <application>inetd</application>.</para>
<para>The <application>auth</application> service provides
identity (<application>ident</application>,
<application>identd</application>) network services, and is
configurable to a certain degree.</para>
identity
network services, and is
configurable to a certain degree, whilst the others are simply on or off.</para>
<para>Consult the &man.inetd.8; manual page for more in-depth
information.</para>
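Review bot: "whilst the others are simply on or off" has no clear antecedent once the sentence is split across three short lines; "whilst the other built-in services are simply on or off" or similar would fix it. The added line also runs well past the wrap width used throughout the file, and dropping the "(ident, identd)" parenthetical removes the names a reader searching for the ident protocol would look for; keep them.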
@ -4661,8 +4625,8 @@ AddModule mod_php5.c
<programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
<para>As explained in <xref linkend="network-inetd-hangup">, a
HangUP Signal must be sent to <application>inetd</application>
<para>As explained in <xref linkend="network-inetd-reread">,
the <application>inetd</application> configuration must be reloaded
after this configuration file is changed.</para>
<para>You can now log on to your FTP server by typing:</para>
@ -4776,9 +4740,8 @@ AddModule mod_php5.c
used to configure <application>Samba</application>:</para>
<programlisting>swat stream tcp nowait/400 root /usr/local/sbin/swat</programlisting>
<para>As explained in <xref linkend="network-inetd-hangup">, a
HangUP Signal must be sent to
<application>inetd</application> after this configuration
<para>As explained in <xref linkend="network-inetd-reread">,
the <application>inetd</application> must be reloaded after this configuration
file is changed.</para>
<para>Once <application>swat</application> has been enabled in
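Review bot: "the <application>inetd</application> must be reloaded after this configuration" reads as if inetd itself is the object; the FTP hunk in this same commit uses "the <application>inetd</application> configuration must be reloaded", and the swat paragraph should use the same wording.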