inetd(8) is referred to as the ``Internet Super-Server'' because it manages connections for several daemons. Programs that provide network services are commonly known as daemons. inetd serves as a managing server for other daemons: when a connection is received by inetd, it determines which program the connection is destined for, spawns the particular daemon and hands the socket over to it. Running one instance of inetd reduces the overall system load compared to running each daemon individually in stand-alone mode.
Primarily, inetd is used to spawn other daemons, but several trivial protocols are handled directly, such as chargen, auth, and daytime.
This section covers the basics of configuring inetd through its command-line options and the /etc/inetd.conf configuration file.
inetd is initialized through the /etc/rc.conf system. The inetd_enable option is set to NO by default, but it can be turned on by sysinstall if the medium security profile is selected. Placing:
inetd_enable="YES"
or
inetd_enable="NO"
into /etc/rc.conf enables or disables inetd from starting at boot time.
Additionally, different command-line options can be passed to inetd via the inetd_flags option.
inetd syntax:
inetd [-d] [-l] [-w] [-W] [-c maximum] [-C rate] [-a address | hostname] [-p filename] [-R rate] [configuration file]
-d
Turn on debugging.
-l
Log successful connections.
-w
Turn on TCP wrapping for external services (default).
-W
Turn on TCP wrapping for the internal services which are built into inetd (default).
-c maximum
Specify the default maximum number of simultaneous invocations of each service; the default is unlimited. May be overridden on a per-service basis with the max-child parameter.
-C rate
Specify the default maximum number of times a service can be invoked from a single IP address in one minute; the default is unlimited. May be overridden on a per-service basis with the max-connections-per-ip-per-minute parameter.
-R rate
Specify the maximum number of times a service can be invoked in one minute; the default is 256. A rate of 0 allows an unlimited number of invocations.
-a
Specify one specific IP address to bind to. Alternatively, a hostname can be specified, in which case the IPv4 or IPv6 address which corresponds to that hostname is used. Usually a hostname is specified when inetd is run inside a jail(8), in which case the hostname corresponds to the jail(8) environment.
When hostname specification is used and both IPv4 and IPv6 bindings are desired, one entry with the appropriate protocol type for each binding is required for each service in /etc/inetd.conf. For example, a TCP-based service would need two entries, one using tcp4 for the protocol and the other using tcp6.
-p
Specify an alternate file in which to store the process ID.
These options can be passed to inetd using the inetd_flags option in /etc/rc.conf. By default, inetd_flags is set to -wW, which turns on TCP wrapping for inetd's internal and external services. For novice users, these parameters usually do not need to be modified or even entered in /etc/rc.conf.
Note: An external service is a daemon outside of inetd, which is invoked when a connection is received for it. On the other hand, an internal service is one that inetd has the facility of offering within itself.
Configuration of inetd is controlled through the /etc/inetd.conf file.
When a modification is made to /etc/inetd.conf, inetd can be forced to re-read its configuration file by sending a HangUP signal to the inetd process as shown:
Each line of the configuration file specifies an individual daemon. Comments in the file are preceded by a ``#''. The format of /etc/inetd.conf is as follows:
service-name socket-type protocol {wait|nowait}[/max-child[/max-connections-per-ip-per-minute]] user[:group][/login-class] server-program server-program-arguments
An example entry for the ftpd daemon using IPv4:
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
service-name
This is the service name of the particular daemon. It must correspond to a service listed in /etc/services. This determines which port inetd must listen to. If a new service is being created, it must be placed in /etc/services first.
socket-type
Either stream, dgram, raw, or seqpacket. stream must be used for connection-based, TCP daemons, while dgram is used for daemons utilizing the UDP transport protocol.
protocol
One of the protocol names understood by inetd, such as the tcp used in the ftpd example above or the tcp4 and tcp6 variants used for separate IPv4 and IPv6 bindings.
{wait|nowait}[/max-child[/max-connections-per-ip-per-minute]]
wait|nowait indicates whether the daemon invoked from inetd is able to handle its own socket or not. dgram socket types must use the wait option, while stream socket daemons, which are usually multi-threaded, should use nowait. wait usually hands off multiple sockets to a single daemon, while nowait spawns a child daemon for each new socket.
The maximum number of child daemons inetd may spawn can be set using the max-child option. If a limit of ten instances of a particular daemon is needed, a /10 would be placed after nowait.
In addition to max-child, another option limiting the maximum connections from a single place to a particular daemon can be enabled. max-connections-per-ip-per-minute does just this. A value of ten here would limit any particular IP address connecting to a particular service to ten attempts per minute. This is useful to prevent intentional or unintentional resource consumption and Denial of Service (DoS) attacks to a machine.
In this field, wait or nowait is mandatory. max-child and max-connections-per-ip-per-minute are optional.
A stream-type multi-threaded daemon without any max-child or max-connections-per-ip-per-minute limits would simply be: nowait.
The same daemon with a maximum limit of ten daemons would read: nowait/10.
Additionally, the same setup with a limit of twenty connections per IP address per minute and a maximum total limit of ten child daemons would read: nowait/10/20.
These options are all utilized by the default settings of the fingerd daemon, as seen here:
finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
user[:group][/login-class]
This is the username that the particular daemon should run as. Most commonly, daemons run as the root user. For security purposes, it is common to find some servers running as the daemon user, or the least privileged nobody user.
server-program
The full path of the daemon to be executed when a connection is received. If the daemon is a service provided by inetd internally, then internal should be used.
server-program-arguments
This works in conjunction with server-program by specifying the arguments, starting with argv[0], passed to the daemon on invocation. If mydaemon -d is the command line, mydaemon -d would be the value of server-program-arguments. Again, if the daemon is an internal service, use internal here.
Depending on the security profile chosen at install, many of inetd's daemons may be enabled by default. If there is no apparent need for a particular daemon, disable it! Place a ``#'' in front of the daemon in question in /etc/inetd.conf, and then send a hangup signal to inetd. Some daemons, such as fingerd, may not be desired at all because they provide an attacker with too much information.
Some daemons are not security-conscious and have long, or non-existent timeouts for connection attempts. This allows an attacker to slowly send connections to a particular daemon, thus saturating available resources. It may be a good idea to place max-connections-per-ip-per-minute and max-child limitations on certain daemons.
By default, TCP wrapping is turned on. Consult the hosts_access(5) manual page for more information on placing TCP restrictions on various inetd invoked daemons.
daytime, time, echo, discard, chargen, and auth are all internally provided services of inetd.
The auth service provides identity (ident, identd) network services, and is configurable to a certain degree.
Consult the inetd(8) manual page for more in-depth information.