Add section about configuring inetd.

Reviewed by:	murray
This commit is contained in:
Chern Lee 2001-08-07 23:58:38 +00:00
parent 05e77c4672
commit be2032ed93
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=10234

View file

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.69 2001/08/06 21:25:27 chern Exp $
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.70 2001/08/06 22:50:16 chern Exp $
-->
<chapter id="advanced-networking">
@ -4076,6 +4076,453 @@ natd_flags=""</programlisting>
</sect2>
</sect1>
<sect1 id="inetd">
<sect1info>
<authorgroup>
<author>
<firstname>Chern</firstname>
<surname>Lee</surname>
<contrib>Contributed</contrib>
</author>
</authorgroup>
</sect1info>
<title>inetd <quote>Super-Server</quote></title>
<sect2 id="inetd-overview">
<title>Overview</title>
<para>&man.inetd.8; is referred to as the <quote>Internet
Super-Server</quote> because it manages connections for several
daemons. Programs that provide network service are commonly
known as daemons. <application>inetd</application> serves as a
managing server for other daemons. When a connection is
received by <application>inetd</application>, it determines
which daemon the connection is destined for, spawns the
particular daemon and delegates the socket to it. Running one
instance of <application>inetd</application> reduces the overall
system load as compared to running each daemon individually in
stand-alone mode.</para>
<para>Primarily, <application>inetd</application> is used to
spawn other daemons, but several trivial protocols are handled
directly, such as <application>chargen</application>,
<application>auth</application>, and
<application>daytime</application>.</para>
<para>This section will cover the basics in configuring
<application>inetd</application> through its command-line
options and it's configuration file,
<filename>/etc/inetd.conf</filename>.</para>
</sect2>
<sect2 id="inetd-settings">
<title>Settings</title>
<para><application>inetd</application> is initialized through
the <filename>/etc/rc.conf</filename> system. The
<literal>inetd_enable</literal> option is set to
<quote>NO</quote> by default, but is often times turned on by
<application>sysinstall</application> with the medium security
profile. Placing:
<programlisting>inetd_enable="YES"</programlisting> or
<programlisting>inetd_enable="NO"</programlisting> into
<filename>/etc/rc.conf</filename> can enable or disable
<application>inetd</application> starting at boot time.</para>
<para>Additionally, different command-line options can be passed
to <application>inetd</application> via the
<literal>inetd_flags</literal> option.</para>
</sect2>
<sect2 id="inetd-cmdline">
<title>Command-Line Options</title>
<para><application>inetd</application> sypnosis:</para>
<para><option> inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
[-p filename] [-R rate] [configuration file]</option></para>
<variablelist>
<varlistentry>
<term>-d</term>
<listitem>
<para>Turn on debugging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>Turn on logging of successful connections.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w</term>
<listitem>
<para>Turn on TCP Wrapping for external services. (on by
default)</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W</term>
<listitem>
<para>Turn on TCP Wrapping for internal services which are
built in to <application>inetd</application>. (on by
default)</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c maximum</term>
<listitem>
<para>Specify the default maximum number of simultaneous
invocations of each service; the default is unlimited.
May be overridden on a per-service basis with the
<option>max-child</option> parameter.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C rate</term>
<listitem>
<para>Specify the default maximum number of times a
service can be invoked from a single IP address in one
minute; the default is unlimited. May be overridden on a
per-service basis with the
<option>max-connections-per-ip-per-minute</option>
parameter.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R rate</term>
<listitem>
<para>Specify the maximum number of times a service can be
invoked in one minute; the default is 256. A rate of 0
allows an unlimited number of invocations.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a</term>
<listitem>
<para>Specify one specific IP address to bind to.
Alternatively, a hostname can be specified, in which case
the IPv4 or IPv6 address which corresponds to that
hostname is used. Usually a hostname is specified when
<application>inetd</application> is run inside a
&man.jail.8;, in which case the hostname corresponds to
the &man.jail.8; environment.</para>
<para>When hostname specification is used and both IPv4
and IPv6 bindings are desired, one entry with the
appropriate protocol type for each binding is required for
each service in <filename>/etc/inetd.conf</filename>. For
example, a TCP-based service would need two entries, one
using ``tcp4'' for the protocol and the other using
``tcp6''.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>Specify an alternate file in which to store the
process ID.</para>
</listitem>
</varlistentry>
</variablelist>
<para>These options can be passed to
<application>inetd</application> using the
<literal>inetd_flags</literal> option in
<filename>/etc/rc.conf</filename>. By default,
<literal>inetd_flags</literal> is set to <quote>-wW</quote>,
which turns on TCP wrapping for
<application>inetd</application>'s internal and external
services. For novice users, these parameters usually do not need
to be modified or even entered in
<filename>/etc/rc.conf</filename></para>
<note>
<para>An external service is a daemon outside of
<application>inetd</application>, which is invoked when a
connection is received for it. On the other hand, an internal
service is one that <application>inetd</application> has the
facility of offering within itself.</para>
</note>
</sect2>
<sect2 id="inetd-conf">
<title><filename>inetd.conf</filename></title>
<para>Configuration of <application>inetd</application> is
controlled through the <filename>/etc/inetd.conf</filename>
file.</para>
<para>When a modification is made to
<filename>/etc/inetd.conf</filename>,
<application>inetd</application> can be forced to re-read its
configuration file by sending a HangUP signal to the
<application>inetd</application> procces as shown:.</para>
<example id="inetd-hangup">
<title>Sending <application>inetd</application> a HangUP signal</title>
<screen>&prompt.root kill -HUP `cat /var/run/inetd.pid`</screen>
</example>
<para>Each line of the configuration file specifies an
individual daemon. Comments in the file are preceded by a
<quote>#</quote>. The format of
<filename>/etc/inetd.conf</filename> is as follows:</para>
<programlisting>service-name
socket-type
protocol
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
user[:group][/login-class]
server-program
server-program-arguments</programlisting>
<para>An example entry for the <application>ftpd</application> daemon
using IPv4:</para>
<programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
<variablelist>
<varlistentry>
<term>service-name</term>
<listitem>
<para>This is the service name of the particular daemon.
It must correspond to a service listed in
<filename>/etc/services</filename>. This determines which
port <application>inetd</application> must listen to. If
a new service is being created, it must be placed in
<filename>/etc/services</filename>
first.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>socket-type</term>
<listitem>
<para>Either <literal>stream</literal>,
<literal>dgram</literal>, <literal>raw</literal>, or
<literal>seqpacket</literal>. <literal>stream</literal>
must be used for connection-based, TCP daemons, while
<literal>dgram</literal> is used for daemons utilizing the
UDP transport protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>protocol</term>
<listitem>
<para>One of the following:</para>
<informaltable>
<tgroup cols="2">
<thead>
<row>
<entry>Protocol</entry>
<entry>Explanation</entry>
</row>
</thead>
<tbody>
<row>
<entry>tcp, tcp4</entry>
<entry>TCP IPv4</entry>
</row>
<row>
<entry>udp, udp4</entry>
<entry>UDP IPv4</entry>
</row>
<row>
<entry>tcp6</entry>
<entry>TCP IPv6</entry>
</row>
<row>
<entry>udp6</entry>
<entry>UDP IPv6</entry>
</row>
<row>
<entry>tcp46</entry>
<entry>Both TCP IPv4 and v6</entry>
</row>
<row>
<entry>udp46</entry>
<entry>Both UDP IPv4 and v6</entry>
</row>
</tgroup>
</informaltable>
</listitem>
</varlistentry>
<varlistentry>
<term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</term>
<listitem>
<para><option>wait|nowait</option> indicates whether the
daemon invoked from <application>inetd</application> is
able to handle its own socket or not.
<option>dgram</option> socket types must use the wait
option, while stream socket daemons, which are usually
multi-threaded, should use <option>nowait</option>.
<option>wait</option> usually hands off multiple sockets
to a single daemon, while <option>nowait</option> spawns a
child daemon for each new socket.</para>
<para>The maximum number of child daemons
<application>inetd</application> may spawn can be set using
the <option>max-child</option> option. If a limit of ten
instances of a particular daemon is needed, a
<literal>/10</literal> would be placed after
<option>nowait</option>.</para>
<para>In addition to <option>max-child</option> another
option limiting the maximum connections from a single
place to a particular daemon can be enabled.
<option>max-connections-per-ip-per-minute</option> does
just this. A value of ten here would limit any particular
IP address connecting to a particular service to ten
attempts per minute. This is useful to prevent
intentional or unintentional resource consumption and
Denial of Service (DoS) attacks to a machine.</para>
<para>In this field, <option>wait</option> or
<option>nowait</option> is mandatory.
<option>max-child</option> and
<option>max-connections-per-ip-per-minute</option> are
optional.</para>
<para>A stream-type multi-threaded daemon without any
<option>max-child</option> or
<option>max-connections-per-ip-per-minute</option> limits
would simply be: <literal>nowait</literal></para>
<para>The same daemon with a maximum limit of ten daemons
would read: <literal>nowait/10</literal></para>
<para>Additionally, the same setup with a limit of twenty
connections per IP address per minute and a maximum
total limit of ten child daemons would read:
<literal>nowait/10/20</literal></para>
<para>These options are all utilized by the default
settings of the <application>fingerd</application> daemon,
as seen here:</para>
<programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>user</term>
<listitem>
<para>The user is the username that the particular daemon
should run as. Most commonly, daemons run as the
<username>root</username> user. For security purposes, it is
common to find some servers running as the
<username>daemon</username> user, or the least privileged
<username>nobody</username> user.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>server-program</term>
<listitem>
<para>The full path of the daemon to be executed when a
connection is received. If the daemon is a service
provided by <application>inetd</application> internally,
then <option>internal</option> should be
used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>server-program-arguments</term>
<listitem>
<para>This works in conjunction with
<option>server-program</option> by specifying the
arguments, starting with argv[0], passed to the daemon on
invocation. If <application>mydaemon -d</application> is
the command line, <literal>mydaemon -d</literal> would be
the value of <option>server program arguments</option>.
Again, if the daemon is an internal service, use
<option>internal</option> here.</para>
</listitem>
</varlistentry>
</variablelist>
</sect2>
<sect2 id="inetd-security">
<title>Security</title>
<para>Depending on the security profile chosen at install, many
of <application>inetd</application>'s daemons may be enabled by
default. If there is no apparent need for a particular daemon,
disable it! Place a <quote>#</quote> in front of the daemon in
question, and send a <command>kill -HUP `cat
/var/run/inetd.pid`</command> to
<application>inetd</application>. Some daemons, such as
<application>fingerd</application>, may not be desired at all
because it provides an attacker with too much
information.</para>
<para>Some daemons are not security-concious and have long, or
non-existent timeouts for connection attempts. This allows an
attacker to slowly send connections to a particular daemon, thus
saturating available resources. It may be a good idea to place
<option>ip-per-minute</option> and <option>max-child</option>
limitations on certain daemons.</para>
<para>By default, TCP wrapping is turned on. Consult the
&man.hosts.access.5; man page for more information on placing
TCP restrictions on various <application>inetd</application>
invoked daemons.
</sect2>
<sect2 id="inetd-misc">
<title>Miscellaneous</title>
<para><application>daytime</application>,
<application>time</application>,
<application>echo</application>,
<application>discard</application>,
<application>chargen</application>, and
<application>auth</application> are all internally provided
services of <application>inetd</application>.</para>
<para>The <application>auth</application> service provides identity
(ident, identd) network services, and is configurable to a certain
degree.</para>
<para>Consult the &man.inetd.8; man page for more in-depth
information.</para>
</sect2>
</sect1>
</chapter>
<!--