Add section about configuring inetd.
Reviewed by: murray
This commit is contained in:
parent
05e77c4672
commit
be2032ed93
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=10234
1 changed files with 448 additions and 1 deletions
|
@ -1,7 +1,7 @@
|
|||
<!--
|
||||
The FreeBSD Documentation Project
|
||||
|
||||
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.69 2001/08/06 21:25:27 chern Exp $
|
||||
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.70 2001/08/06 22:50:16 chern Exp $
|
||||
-->
|
||||
|
||||
<chapter id="advanced-networking">
|
||||
|
@ -4076,6 +4076,453 @@ natd_flags=""</programlisting>
|
|||
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
||||
<sect1 id="inetd">
|
||||
<sect1info>
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Chern</firstname>
|
||||
<surname>Lee</surname>
|
||||
<contrib>Contributed</contrib>
|
||||
</author>
|
||||
</authorgroup>
|
||||
</sect1info>
|
||||
|
||||
<title>inetd <quote>Super-Server</quote></title>
|
||||
|
||||
<sect2 id="inetd-overview">
|
||||
<title>Overview</title>
|
||||
|
||||
<para>&man.inetd.8; is referred to as the <quote>Internet
|
||||
Super-Server</quote> because it manages connections for several
|
||||
daemons. Programs that provide network service are commonly
|
||||
known as daemons. <application>inetd</application> serves as a
|
||||
managing server for other daemons. When a connection is
|
||||
received by <application>inetd</application>, it determines
|
||||
which daemon the connection is destined for, spawns the
|
||||
particular daemon and delegates the socket to it. Running one
|
||||
instance of <application>inetd</application> reduces the overall
|
||||
system load as compared to running each daemon individually in
|
||||
stand-alone mode.</para>
|
||||
|
||||
<para>Primarily, <application>inetd</application> is used to
|
||||
spawn other daemons, but several trivial protocols are handled
|
||||
directly, such as <application>chargen</application>,
|
||||
<application>auth</application>, and
|
||||
<application>daytime</application>.</para>
|
||||
|
||||
<para>This section will cover the basics in configuring
|
||||
<application>inetd</application> through its command-line
|
||||
options and it's configuration file,
|
||||
<filename>/etc/inetd.conf</filename>.</para>
|
||||
</sect2>
|
||||
|
||||
<sect2 id="inetd-settings">
|
||||
<title>Settings</title>
|
||||
|
||||
<para><application>inetd</application> is initialized through
|
||||
the <filename>/etc/rc.conf</filename> system. The
|
||||
<literal>inetd_enable</literal> option is set to
|
||||
<quote>NO</quote> by default, but is often times turned on by
|
||||
<application>sysinstall</application> with the medium security
|
||||
profile. Placing:
|
||||
<programlisting>inetd_enable="YES"</programlisting> or
|
||||
<programlisting>inetd_enable="NO"</programlisting> into
|
||||
<filename>/etc/rc.conf</filename> can enable or disable
|
||||
<application>inetd</application> starting at boot time.</para>
|
||||
|
||||
<para>Additionally, different command-line options can be passed
|
||||
to <application>inetd</application> via the
|
||||
<literal>inetd_flags</literal> option.</para>
|
||||
</sect2>
|
||||
|
||||
<sect2 id="inetd-cmdline">
|
||||
<title>Command-Line Options</title>
|
||||
|
||||
<para><application>inetd</application> sypnosis:</para>
|
||||
|
||||
<para><option> inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname]
|
||||
[-p filename] [-R rate] [configuration file]</option></para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>-d</term>
|
||||
|
||||
<listitem>
|
||||
<para>Turn on debugging.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-l</term>
|
||||
|
||||
<listitem>
|
||||
<para>Turn on logging of successful connections.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-w</term>
|
||||
|
||||
<listitem>
|
||||
<para>Turn on TCP Wrapping for external services. (on by
|
||||
default)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-W</term>
|
||||
|
||||
<listitem>
|
||||
<para>Turn on TCP Wrapping for internal services which are
|
||||
built in to <application>inetd</application>. (on by
|
||||
default)</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-c maximum</term>
|
||||
|
||||
<listitem>
|
||||
<para>Specify the default maximum number of simultaneous
|
||||
invocations of each service; the default is unlimited.
|
||||
May be overridden on a per-service basis with the
|
||||
<option>max-child</option> parameter.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-C rate</term>
|
||||
|
||||
<listitem>
|
||||
<para>Specify the default maximum number of times a
|
||||
service can be invoked from a single IP address in one
|
||||
minute; the default is unlimited. May be overridden on a
|
||||
per-service basis with the
|
||||
<option>max-connections-per-ip-per-minute</option>
|
||||
parameter.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-R rate</term>
|
||||
|
||||
<listitem>
|
||||
<para>Specify the maximum number of times a service can be
|
||||
invoked in one minute; the default is 256. A rate of 0
|
||||
allows an unlimited number of invocations.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-a</term>
|
||||
|
||||
<listitem>
|
||||
<para>Specify one specific IP address to bind to.
|
||||
Alternatively, a hostname can be specified, in which case
|
||||
the IPv4 or IPv6 address which corresponds to that
|
||||
hostname is used. Usually a hostname is specified when
|
||||
<application>inetd</application> is run inside a
|
||||
&man.jail.8;, in which case the hostname corresponds to
|
||||
the &man.jail.8; environment.</para>
|
||||
|
||||
<para>When hostname specification is used and both IPv4
|
||||
and IPv6 bindings are desired, one entry with the
|
||||
appropriate protocol type for each binding is required for
|
||||
each service in <filename>/etc/inetd.conf</filename>. For
|
||||
example, a TCP-based service would need two entries, one
|
||||
using ``tcp4'' for the protocol and the other using
|
||||
``tcp6''.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-p</term>
|
||||
|
||||
<listitem>
|
||||
<para>Specify an alternate file in which to store the
|
||||
process ID.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>These options can be passed to
|
||||
<application>inetd</application> using the
|
||||
<literal>inetd_flags</literal> option in
|
||||
<filename>/etc/rc.conf</filename>. By default,
|
||||
<literal>inetd_flags</literal> is set to <quote>-wW</quote>,
|
||||
which turns on TCP wrapping for
|
||||
<application>inetd</application>'s internal and external
|
||||
services. For novice users, these parameters usually do not need
|
||||
to be modified or even entered in
|
||||
<filename>/etc/rc.conf</filename></para>
|
||||
|
||||
<note>
|
||||
<para>An external service is a daemon outside of
|
||||
<application>inetd</application>, which is invoked when a
|
||||
connection is received for it. On the other hand, an internal
|
||||
service is one that <application>inetd</application> has the
|
||||
facility of offering within itself.</para>
|
||||
</note>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2 id="inetd-conf">
|
||||
<title><filename>inetd.conf</filename></title>
|
||||
|
||||
<para>Configuration of <application>inetd</application> is
|
||||
controlled through the <filename>/etc/inetd.conf</filename>
|
||||
file.</para>
|
||||
|
||||
<para>When a modification is made to
|
||||
<filename>/etc/inetd.conf</filename>,
|
||||
<application>inetd</application> can be forced to re-read its
|
||||
configuration file by sending a HangUP signal to the
|
||||
<application>inetd</application> procces as shown:.</para>
|
||||
|
||||
<example id="inetd-hangup">
|
||||
<title>Sending <application>inetd</application> a HangUP signal</title>
|
||||
|
||||
<screen>&prompt.root kill -HUP `cat /var/run/inetd.pid`</screen>
|
||||
</example>
|
||||
|
||||
<para>Each line of the configuration file specifies an
|
||||
individual daemon. Comments in the file are preceded by a
|
||||
<quote>#</quote>. The format of
|
||||
<filename>/etc/inetd.conf</filename> is as follows:</para>
|
||||
|
||||
<programlisting>service-name
|
||||
socket-type
|
||||
protocol
|
||||
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
|
||||
user[:group][/login-class]
|
||||
server-program
|
||||
server-program-arguments</programlisting>
|
||||
|
||||
<para>An example entry for the <application>ftpd</application> daemon
|
||||
using IPv4:</para>
|
||||
|
||||
<programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>service-name</term>
|
||||
|
||||
<listitem>
|
||||
<para>This is the service name of the particular daemon.
|
||||
It must correspond to a service listed in
|
||||
<filename>/etc/services</filename>. This determines which
|
||||
port <application>inetd</application> must listen to. If
|
||||
a new service is being created, it must be placed in
|
||||
<filename>/etc/services</filename>
|
||||
first.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>socket-type</term>
|
||||
|
||||
<listitem>
|
||||
<para>Either <literal>stream</literal>,
|
||||
<literal>dgram</literal>, <literal>raw</literal>, or
|
||||
<literal>seqpacket</literal>. <literal>stream</literal>
|
||||
must be used for connection-based, TCP daemons, while
|
||||
<literal>dgram</literal> is used for daemons utilizing the
|
||||
UDP transport protocol.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>protocol</term>
|
||||
|
||||
<listitem>
|
||||
<para>One of the following:</para>
|
||||
|
||||
<informaltable>
|
||||
<tgroup cols="2">
|
||||
<thead>
|
||||
<row>
|
||||
<entry>Protocol</entry>
|
||||
<entry>Explanation</entry>
|
||||
</row>
|
||||
</thead>
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>tcp, tcp4</entry>
|
||||
<entry>TCP IPv4</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>udp, udp4</entry>
|
||||
<entry>UDP IPv4</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>tcp6</entry>
|
||||
<entry>TCP IPv6</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>udp6</entry>
|
||||
<entry>UDP IPv6</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>tcp46</entry>
|
||||
<entry>Both TCP IPv4 and v6</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>udp46</entry>
|
||||
<entry>Both UDP IPv4 and v6</entry>
|
||||
</row>
|
||||
</tgroup>
|
||||
</informaltable>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]</term>
|
||||
|
||||
<listitem>
|
||||
<para><option>wait|nowait</option> indicates whether the
|
||||
daemon invoked from <application>inetd</application> is
|
||||
able to handle its own socket or not.
|
||||
<option>dgram</option> socket types must use the wait
|
||||
option, while stream socket daemons, which are usually
|
||||
multi-threaded, should use <option>nowait</option>.
|
||||
<option>wait</option> usually hands off multiple sockets
|
||||
to a single daemon, while <option>nowait</option> spawns a
|
||||
child daemon for each new socket.</para>
|
||||
|
||||
<para>The maximum number of child daemons
|
||||
<application>inetd</application> may spawn can be set using
|
||||
the <option>max-child</option> option. If a limit of ten
|
||||
instances of a particular daemon is needed, a
|
||||
<literal>/10</literal> would be placed after
|
||||
<option>nowait</option>.</para>
|
||||
|
||||
<para>In addition to <option>max-child</option> another
|
||||
option limiting the maximum connections from a single
|
||||
place to a particular daemon can be enabled.
|
||||
<option>max-connections-per-ip-per-minute</option> does
|
||||
just this. A value of ten here would limit any particular
|
||||
IP address connecting to a particular service to ten
|
||||
attempts per minute. This is useful to prevent
|
||||
intentional or unintentional resource consumption and
|
||||
Denial of Service (DoS) attacks to a machine.</para>
|
||||
|
||||
<para>In this field, <option>wait</option> or
|
||||
<option>nowait</option> is mandatory.
|
||||
<option>max-child</option> and
|
||||
<option>max-connections-per-ip-per-minute</option> are
|
||||
optional.</para>
|
||||
|
||||
<para>A stream-type multi-threaded daemon without any
|
||||
<option>max-child</option> or
|
||||
<option>max-connections-per-ip-per-minute</option> limits
|
||||
would simply be: <literal>nowait</literal></para>
|
||||
|
||||
<para>The same daemon with a maximum limit of ten daemons
|
||||
would read: <literal>nowait/10</literal></para>
|
||||
|
||||
<para>Additionally, the same setup with a limit of twenty
|
||||
connections per IP address per minute and a maximum
|
||||
total limit of ten child daemons would read:
|
||||
<literal>nowait/10/20</literal></para>
|
||||
|
||||
<para>These options are all utilized by the default
|
||||
settings of the <application>fingerd</application> daemon,
|
||||
as seen here:</para>
|
||||
|
||||
<programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>user</term>
|
||||
|
||||
<listitem>
|
||||
<para>The user is the username that the particular daemon
|
||||
should run as. Most commonly, daemons run as the
|
||||
<username>root</username> user. For security purposes, it is
|
||||
common to find some servers running as the
|
||||
<username>daemon</username> user, or the least privileged
|
||||
<username>nobody</username> user.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>server-program</term>
|
||||
|
||||
<listitem>
|
||||
<para>The full path of the daemon to be executed when a
|
||||
connection is received. If the daemon is a service
|
||||
provided by <application>inetd</application> internally,
|
||||
then <option>internal</option> should be
|
||||
used.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>server-program-arguments</term>
|
||||
|
||||
<listitem>
|
||||
<para>This works in conjunction with
|
||||
<option>server-program</option> by specifying the
|
||||
arguments, starting with argv[0], passed to the daemon on
|
||||
invocation. If <application>mydaemon -d</application> is
|
||||
the command line, <literal>mydaemon -d</literal> would be
|
||||
the value of <option>server program arguments</option>.
|
||||
Again, if the daemon is an internal service, use
|
||||
<option>internal</option> here.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</sect2>
|
||||
|
||||
<sect2 id="inetd-security">
|
||||
<title>Security</title>
|
||||
|
||||
<para>Depending on the security profile chosen at install, many
|
||||
of <application>inetd</application>'s daemons may be enabled by
|
||||
default. If there is no apparent need for a particular daemon,
|
||||
disable it! Place a <quote>#</quote> in front of the daemon in
|
||||
question, and send a <command>kill -HUP `cat
|
||||
/var/run/inetd.pid`</command> to
|
||||
<application>inetd</application>. Some daemons, such as
|
||||
<application>fingerd</application>, may not be desired at all
|
||||
because it provides an attacker with too much
|
||||
information.</para>
|
||||
|
||||
<para>Some daemons are not security-concious and have long, or
|
||||
non-existent timeouts for connection attempts. This allows an
|
||||
attacker to slowly send connections to a particular daemon, thus
|
||||
saturating available resources. It may be a good idea to place
|
||||
<option>ip-per-minute</option> and <option>max-child</option>
|
||||
limitations on certain daemons.</para>
|
||||
|
||||
<para>By default, TCP wrapping is turned on. Consult the
|
||||
&man.hosts.access.5; man page for more information on placing
|
||||
TCP restrictions on various <application>inetd</application>
|
||||
invoked daemons.
|
||||
</sect2>
|
||||
|
||||
<sect2 id="inetd-misc">
|
||||
<title>Miscellaneous</title>
|
||||
|
||||
<para><application>daytime</application>,
|
||||
<application>time</application>,
|
||||
<application>echo</application>,
|
||||
<application>discard</application>,
|
||||
<application>chargen</application>, and
|
||||
<application>auth</application> are all internally provided
|
||||
services of <application>inetd</application>.</para>
|
||||
|
||||
<para>The <application>auth</application> service provides identity
|
||||
(ident, identd) network services, and is configurable to a certain
|
||||
degree.</para>
|
||||
|
||||
<para>Consult the &man.inetd.8; man page for more in-depth
|
||||
information.</para>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
||||
</chapter>
|
||||
|
||||
<!--
|
||||
|
|
Loading…
Reference in a new issue