From 55c07a15fa7cfadde325c2ec9dc0a64182547077 Mon Sep 17 00:00:00 2001 From: Ceri Davies Date: Sat, 11 Feb 2006 21:57:46 +0000 Subject: [PATCH] Update the inetd section. --- .../handbook/network-servers/chapter.sgml | 245 ++++++++---------- 1 file changed, 104 insertions(+), 141 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml index 82444855bc..0322ac6f93 100644 --- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml @@ -102,6 +102,12 @@ Contributed by + + + Updated for &os; 6.1-RELEASE by + The &os; Documentation Project + + The <application>inetd</application> <quote>Super-Server</quote> @@ -109,7 +115,7 @@ Overview - &man.inetd.8; is referred to as the Internet + &man.inetd.8; is sometimes referred to as the Internet Super-Server because it manages connections for several services. When a connection is received by inetd, it @@ -117,8 +123,8 @@ the particular process and delegates the socket to it (the program is invoked with the service socket as its standard input, output and error descriptors). Running - one instance of inetd reduces the - overall system load as compared to running each daemon + inetd for servers that are not heavily used can reduce the + overall system load, when compared to running each daemon individually in stand-alone mode. Primarily, inetd is used to 
@@ -137,15 +143,19 @@ Settings inetd is initialized through - the /etc/rc.conf system. The + the &man.rc.8; system. The inetd_enable option is set to - NO by default, but is often times turned on - by sysinstall with the medium - security profile. Placing: + NO by default, but may be turned on + by sysinstall during installation, + depending on the configuration chosen by the user. + Placing: inetd_enable="YES" or inetd_enable="NO" into - /etc/rc.conf can enable or disable - inetd starting at boot time. + /etc/rc.conf will enable or disable + inetd starting at boot time. + The command: + /etc/rc.d/inetd rcvar + can be run to display the current effective setting. Additionally, different command-line options can be passed to inetd via the @@ -155,47 +165,30 @@ Command-Line Options - inetd synopsis: + Like most server daemons, inetd + has a number of options that it can be passed in order to + modify its behaviour. The full list of options reads: - + inetd + + Options can be passed to inetd using the + inetd_flags option in + /etc/rc.conf. By default, + inetd_flags is set to + -wW -C 60, which turns on TCP wrapping for + inetd's services, and prevents any + single IP address from requesting any service more than 60 times + in any given minute. + + Novice users may be pleased to note that + these parameters usually do not need to be modified, + although we mention the rate-limiting options below as + they be useful should you find that you are receiving an + excessive amount of connections. A full list of options + can be found in the &man.inetd.8; manual. - - -d - - - Turn on debugging. - - - - - -l - - - Turn on logging of successful connections. - - - - - -w - - - Turn on TCP Wrapping for external services (on by - default). - - - - - -W - - - Turn on TCP Wrapping for internal services which are - built into inetd (on by - default). - - - -c maximum 
@@ -231,94 +224,53 @@ - -a + -s maximum - Specify one specific IP address to bind to. - Alternatively, a hostname can be specified, in which case - the IPv4 or IPv6 address which corresponds to that - hostname is used. Usually a hostname is specified when - inetd is run inside a - &man.jail.8;, in which case the hostname corresponds to - the &man.jail.8; environment. - - When hostname specification is used and both IPv4 - and IPv6 bindings are desired, one entry with the - appropriate protocol type for each binding is required - for each service in - /etc/inetd.conf. For example, a - TCP-based service would need two entries, one using - tcp4 for the protocol and the other - using tcp6. - - - - - -p - - - Specify an alternate file in which to store the - process ID. + Specify the maximum number of times a service can be + invoked from a single IP address at any one time; the + default is unlimited. May be overridden on a per-service + basis with the + parameter. - - These options can be passed to - inetd using the - inetd_flags option in - /etc/rc.conf. By default, - inetd_flags is set to - -wW, which turns on TCP wrapping for - inetd's internal and external - services. For novice users, these parameters usually do not - need to be modified or even entered in - /etc/rc.conf. - - - An external service is a daemon outside of - inetd, which is invoked when a - connection is received for it. On the other hand, an - internal service is one that - inetd has the facility of - offering within itself. - - + <filename>inetd.conf</filename> Configuration of inetd is - controlled through the /etc/inetd.conf - file. + done via the file /etc/inetd.conf. 
When a modification is made to /etc/inetd.conf, inetd can be forced to re-read its - configuration file by sending a HangUP signal to the - inetd process as shown: + configuration file by running the command: - - Sending <application>inetd</application> a HangUP Signal + + Reloading the <application>inetd</application> + configuration file - &prompt.root; kill -HUP `cat /var/run/inetd.pid` + &prompt.root; /etc/rc.d/inetd reload Each line of the configuration file specifies an individual daemon. Comments in the file are preceded by a - #. The format of + #. The format of each entry in /etc/inetd.conf is as follows: service-name socket-type protocol -{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]] +{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]] user[:group][/login-class] server-program server-program-arguments - An example entry for the ftpd daemon - using IPv4: + An example entry for the &man.ftpd.8; daemon + using IPv4 might read: ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l @@ -396,7 +348,7 @@ server-program-arguments - {wait|nowait}[/max-child[/max-connections-per-ip-per-minute]] + {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]] indicates whether the 
@@ -415,42 +367,54 @@ server-program-arguments using the option. If a limit of ten instances of a particular daemon is needed, a /10 would be placed after - . + . Specifying /0 + allows an unlimited number of children - In addition to , another - option limiting the maximum connections from a single + In addition to , two other + options which limit the maximum connections from a single place to a particular daemon can be enabled. - does - just this. A value of ten here would limit any particular + limits + the number of connections from any particular IP address + per minutes, e.g. a value of ten would limit any particular IP address connecting to a particular service to ten - attempts per minute. This is useful to prevent - intentional or unintentional resource consumption and - Denial of Service (DoS) attacks to a machine. + attempts per minute. + limits the number of children that can be started on + behalf on any single IP address at any moment. These + options are useful to prevent intentional or unintentional + excessive resource consumption and Denial of Service (DoS) + attacks to a machine. - In this field, or + In this field, either of or is mandatory. - and - are + , + and + are optional. A stream-type multi-threaded daemon without any - or - limits + , + or + limits would simply be: nowait. The same daemon with a maximum limit of ten daemons would read: nowait/10. - Additionally, the same setup with a limit of twenty + The same setup with a limit of twenty connections per IP address per minute and a maximum total limit of ten child daemons would read: nowait/10/20. 
- These options are all utilized by the default - settings of the fingerd daemon, + These options are utilized by the default + settings of the &man.fingerd.8; daemon, as seen here: finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s + + Finally, an example of this field with a maximum of + 100 children in total, with a maximum of 5 for any one + IP address would read: + nowait/100/0/5. @@ -500,24 +464,24 @@ server-program-arguments Security - Depending on the security profile chosen at install, many - of inetd's daemons may be enabled + Depending on the choices made at install time, many + of inetd's services may be enabled by default. If there is no apparent need for a particular - daemon, disable it! Place a # in front of the + daemon, consider disabling it. Place a # in front of the daemon in question in /etc/inetd.conf, - and then send a hangup - signal to inetd. Some daemons, such as + and then reload the + inetd configuration. Some daemons, such as fingerd, may not be desired at all - because they provide an attacker with too much - information. + because they + information that may be useful to an attacker. Some daemons are not security-conscious and have long, or - non-existent timeouts for connection attempts. This allows an + non-existent, timeouts for connection attempts. This allows an attacker to slowly send connections to a particular daemon, thus saturating available resources. It may be a good idea to - place and - limitations on certain - daemons. + place , + or limitations on certain + daemons if you find that you have too many connections. By default, TCP wrapping is turned on. Consult the &man.hosts.access.5; manual page for more information on placing 
@@ -537,9 +501,9 @@ server-program-arguments services of inetd. The auth service provides - identity (ident, - identd) network services, and is - configurable to a certain degree. + identity + network services, and is + configurable to a certain degree, whilst the others are simply on or off. Consult the &man.inetd.8; manual page for more in-depth information. @@ -4661,8 +4625,8 @@ AddModule mod_php5.c ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l - As explained in , a - HangUP Signal must be sent to inetd + As explained in , + the inetd configuration must be reloaded after this configuration file is changed. You can now log on to your FTP server by typing: @@ -4776,9 +4740,8 @@ AddModule mod_php5.c used to configure Samba: swat stream tcp nowait/400 root /usr/local/sbin/swat - As explained in , a - HangUP Signal must be sent to - inetd after this configuration + As explained in , + the inetd must be reloaded after this configuration file is changed. Once swat has been enabled in
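Review bot: Typo in the Command-Line Options hunk (@@ -155): "although we mention the rate-limiting options below as they be useful" is missing a verb; suggest "as they may be useful should you find that you are receiving an excessive amount of connections".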
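Review bot: Dropping the -a and -p entries in the @@ -231 hunk also removes the note that when inetd is run in a jail with a hostname, IPv4 and IPv6 bindings each need their own entry in /etc/inetd.conf (one with tcp4, one with tcp6). That guidance is about the configuration file rather than the flag list, so consider keeping it in the inetd.conf section even if the per-option descriptions are now deferred to the &man.inetd.8; manual. The same hunk also removes the definition of "internal" versus "external" services, which the new text for -wW still relies on.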
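Review bot: Three small wording issues in the @@ -415 hunk: "Specifying /0 allows an unlimited number of children" lacks a terminating period; "per minutes, e.g. a value of ten" should read "per minute"; and "started on behalf on any single IP address" should read "on behalf of any single IP address".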
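Review bot: The Security hunk (@@ -500) has a dropped verb: "because they information that may be useful to an attacker" should read "because they provide information that may be useful to an attacker".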
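Review bot: In the Samba hunk (@@ -4776), "the inetd must be reloaded after this configuration file is changed" is inconsistent with the FTP hunk just above it (@@ -4661), which says "the inetd configuration must be reloaded"; suggest using the same phrasing in both places.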