Installing and Configuring Xinetd on Solaris 8

http://www.sina.com.cn  12 October 2006, 22:17  ChinaByte
I. Overview

1. Introduction

xinetd replaces inetd + tcp_wrappers and adds access control, stronger logging and resource management; it has become the standard Internet super-server daemon. There is, however, still no complete installation and configuration guide for Solaris, so I wanted to write a step-by-step, foolproof guide for installing and configuring xinetd on Solaris.

2. Basic information

Server: Sun-Fire-280R
Operating system: SunOS 5.8 Generic_117350-02

3. Xinetd software information

Version: 2.3.10
Download: ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/xinetd-2.3.10-sol8-sparc-local.gz
Package notes: this package was built with the --with-libwrap, --with-loadavg and --with-inet6 configure options.

4. The services that use xinetd by default fall into the following groups:

Standard Internet services: telnet ftp
Information services: finger netstat systat
Mail services: imap imaps pop2 pop3 pops
RPC services: rquotad rstatd rusersd sprayd walld
BSD services: comsat exec login ntalk shell talk
Internal services: chargen daytime echo servers services time
Security services: irc
Other services: name tftp uucp

5. More information: http://www.xinetd.org/

II. Installing and configuring xinetd

1. Installation

1) # gzip -d xinetd-2.3.10-sol8-sparc-local.gz
2) # pkgadd -d xinetd-2.3.10-sol8-sparc-local

If no errors are reported, the installation is complete.

2. Basic information after installation

1) Documentation: /usr/local/doc/xinetd, which contains the installation notes and the configuration file documentation.
2) Commands: /usr/local/sbin/ contains xinetd, xconv.pl and itox.

3. Configuration

Note: the configuration involves two files: /etc/init.d/inetsvc (must be modified) and /etc/xinetd.conf (must be generated).

1) Generate /etc/xinetd.conf:

a) /etc/xinetd.conf is produced by converting /etc/inetd.conf; it is the configuration file xinetd uses once it replaces inetd.
b) Command: # /usr/local/sbin/xconv.pl < /etc/inetd.conf > /etc/xinetd.conf
c) Note: unnecessary services such as finger and login can be removed from /etc/inetd.conf beforehand, which yields a much leaner /etc/xinetd.conf. (Before converting, I kept only telnet and ftp in /etc/inetd.conf.) Other services such as ssh can be added by hand afterwards.

2) Modify /etc/init.d/inetsvc. Two places need to change:

a) Change 1 (comment out the old line and add the new one):
Before: /usr/bin/pkill -x -u 0 'in.named|inetd'
After:  /usr/bin/pkill -x -u 0 'in.named|xinetd'

b) Change 2:
Before: /usr/sbin/inetd -s &
After:  /usr/local/sbin/xinetd -s &

3) Test:

Stop the old service:        # /etc/init.d/inetsvc stop
Start the new service:       # /etc/init.d/inetsvc start
Check the processes:         # ps -ef | grep inetd
Kill the PID that is found:  # kill -9 ***
Check the xinetd process:    # ps -ef | grep xinetd

If the output looks like the following, xinetd is configured correctly:

root 158 1 0 15:41:50 ? 0:00 /usr/local/sbin/xinetd -s

Note: if xinetd has trouble starting, the cause is usually the /etc/xinetd.conf configuration file.

III. Configuring xinetd to restrict ssh logins

1. Method

1) Edit /etc/xinetd.conf and add the following:

```
service ssh
{
	socket_type	= stream
	wait		= no
	user		= root
	server		= /usr/local/sbin/sshd
	port		= 22
	server_args	= -i
	only_from	= 192.0.0.109
}
```

2. Test

Reboot the machine and check that xinetd loads normally.
An ssh login from the internal host 192.0.0.109 should succeed.
An ssh login from any other IP address should be refused.

3. Note: after installing SSH, do not add S99sshd under /etc/rc2.d, because xinetd already starts the sshd process. If sshd is also started on its own, the IP restriction will not take effect.

IV. Remarks

Server state after the installation:

# nmap -P0 127.0.0.1
22/tcp open ssh

Only the ssh port is left open, and ssh logins are restricted to the internal address 192.0.0.109.

-----------------------------------------------------

Complete /etc/init.d/inetsvc file:

# more /etc/init.d/inetsvc

```sh
#!/sbin/sh
#
# Copyright (c) 1995, 1997-1999 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident	"@(#)inetsvc	1.24	99/03/21 SMI"

#
# This is third phase of TCP/IP startup/configuration.  This script
# runs after the NIS/NIS+ startup script.  We run things here that may
# depend on NIS/NIS+ maps.
#

case "$1" in
'start')
	;;	# Fall through -- rest of script is the initialization code

'stop')
	# /usr/bin/pkill -x -u 0 'in.named|inetd'
	/usr/bin/pkill -x -u 0 'in.named|xinetd'
	exit 0
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac

# If boot variables are not set, set variables we use
[ -z "$_INIT_UTS_NODENAME" ] && _INIT_UTS_NODENAME=`/usr/bin/uname -n`

if [ -z "$_INIT_PREV_LEVEL" ]; then
	set -- `/usr/bin/who -r`
	_INIT_PREV_LEVEL="$9"
fi

#
# wait_nis
# Wait up to 5 seconds for ypbind to obtain a binding.
#
wait_nis ()
{
	for i in 1 2 3 4 5; do
		server=`/usr/bin/ypwhich 2>/dev/null`
		[ $? -eq 0 -a -n "$server" ] && return 0 || sleep 1
	done
	return 1
}

#
# We now need to reset the netmask and broadcast address for our network
# interfaces.  Since this may result in a name service lookup, we want to
# now wait for NIS to come up if we previously started it.
#
domain=`/usr/bin/domainname 2>/dev/null`

[ -z "$domain" ] || [ ! -d /var/yp/binding/$domain ] || wait_nis || \
    echo "WARNING: Timed out waiting for NIS to come up" >& 2

#
# Re-set the netmask and broadcast addr for all IP interfaces.  This ifconfig
# is run here, after waiting for name services, so that "netmask +" will find
# the netmask if it lives in a NIS map. The 'D' in -auD tells ifconfig NOT to
# mess with the interface if it is under DHCP control
#
/usr/sbin/ifconfig -auD4 netmask + broadcast +

# Uncomment these lines to print complete network interface configuration
# echo "network interface configuration:"
# /usr/sbin/ifconfig -a

#
# If this machine is configured to be an Internet Domain Name System (DNS)
# server, run the name daemon.  Start named prior to: route add net host,
# to avoid dns gethostbyname timout delay for nameserver during boot.
#
if [ -f /usr/sbin/in.named -a -f /etc/named.conf ]; then
	echo 'starting internet domain name server.'
	/usr/sbin/in.named &
fi

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
	dnsdomain=`/sbin/dhcpinfo DNSdmain`
else
	dnsdomain=
fi

if [ -n "$dnsdomain" ]; then
	dnsservers=`/sbin/dhcpinfo DNSserv`
	if [ -n "$dnsservers" ]; then
		if [ -f /etc/resolv.conf ]; then
			/usr/bin/rm -f /tmp/resolv.conf.$$
			/usr/bin/sed -e '/^domain/d' -e '/^nameserver/d' \
			    /etc/resolv.conf >/tmp/resolv.conf.$$
		fi
		echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
		for name in $dnsservers; do
			echo nameserver $name >>/tmp/resolv.conf.$$
		done
	else
		if [ -f /etc/resolv.conf ]; then
			/usr/bin/rm -f /tmp/resolv.conf.$$
			/usr/bin/sed -e '/^domain/d' /etc/resolv.conf \
			    >/tmp/resolv.conf.$$
		fi
		echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
	fi

	#
	# Warning: The umask is 000 during boot, which requires explicit
	# setting of file permission modes when we create files.
	#
	/usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
	/usr/bin/chmod 644 /etc/resolv.conf

	# Add dns to the nsswitch file, if it isn't already there.
	/usr/bin/rm -f /tmp/nsswitch.conf.$$
	/usr/bin/awk ' $1 ~ /^hosts:/ {
		n = split($0, a);
		newl = a[1];
		if ($0 !~ /dns/) {
			printf("#%s # Commented out by DHCP\n", $0);
			updated = 0;
			for (i = 2; i <= n; i++) {
				if (updated == 0 && index(a[i], "[") == 1) {
					newl = newl" dns";
					updated++;
				}
				newl = newl" "a[i];
			}
			if (updated == 0) {
				newl = newl" dns";
				updated++;
			}
			if (updated != 0)
				newl = newl" # Added by DHCP";
			else
				newl = $0;
			printf("%s\n", newl);
		} else
			printf("%s\n", $0);
	} $1 !~ /^hosts:/ { printf("%s\n", $0); }' /etc/nsswitch.conf \
	    >/tmp/nsswitch.conf.$$
	/usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
	/usr/bin/chmod 644 /etc/nsswitch.conf
elif grep '# Added by DHCP$' /etc/nsswitch.conf >/dev/null 2>&1; then
	# If we added DNS to a hosts line in the nsswitch, remove it.
	/usr/bin/rm -f /tmp/nsswitch.conf.$$
	/usr/bin/sed \
	    -e '/# Added by DHCP$/d' \
	    -e 's/^\(#hosts:\)\(.*[^#]\)\(#.*\)$/hosts: \2/' \
	    /etc/nsswitch.conf >/tmp/nsswitch.conf.$$
	/usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
	/usr/bin/chmod 644 /etc/nsswitch.conf
fi

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
	#
	# if DHCP doesn't return a hostname, use "unknown" so
	# client can resolve IP address into a local hostname.
	#
	hostname=`/sbin/dhcpinfo Hostname`
	if [ -z "$hostname" ]; then
		hostname="unknown"
	fi
	ipaddr=`/sbin/dhcpinfo Yiaddr`

	/usr/bin/rm -f /tmp/hosts.$$ /tmp/hosts_clear.$$

	# Delete any old lines added by dhcp.
	/usr/bin/sed -e '/# Added by DHCP$/d' /etc/inet/hosts \
	    > /tmp/hosts_clear.$$

	shift $#	# Clear $0-9 first in case grep fails
	set -- `/usr/bin/grep "^[	 ]*$ipaddr[	 ]" \
	    /tmp/hosts_clear.$$ 2>/dev/null`
	if [ $# -gt 0 ]; then
		#
		# IP address is already in the hosts file.  Ensure the
		# associated hostname is the same as the Hostname
		# property returned by the DHCP server.
		#
		/usr/bin/sed -e "/^[	 ]*${ipaddr}[	 ]/s/${2}/${hostname}/" \
		    /tmp/hosts_clear.$$ >/tmp/hosts.$$
	else
		#
		# IP address is missing from the hosts file.  Now check
		# to see if the hostname is present with a different IP.
		#
		shift $#	# Clear $0-9 in case grep fails
		set -- `/usr/bin/grep -s -v '^#' /tmp/hosts_clear.$$ | \
		    /usr/bin/egrep "[	 ]${hostname}([	 ]|$)"`
		if [ $# -gt 0 ]; then
			#
			# Hostname is present in the hosts file.  Rewrite this
			# line to have the new IP address and the DHCP comment.
			#
			/usr/bin/sed -e "/^[	 ]*${1}[	 ]/d" \
			    /tmp/hosts_clear.$$ >/tmp/hosts.$$
			shift	# Shift off $1 (the old IP)
			echo "$ipaddr $*\c" | /usr/bin/tr ' ' '\t' \
			    >>/tmp/hosts.$$
			echo "\t# Added by DHCP" >>/tmp/hosts.$$
		else
			#
			# Hostname is not present in the hosts file.
			# Add a new line for the host at the end of
			# the new hosts file.
			#
			/usr/bin/mv /tmp/hosts_clear.$$ /tmp/hosts.$$
			echo "${ipaddr}\t${hostname}\t# Added by DHCP" \
			    >>/tmp/hosts.$$
		fi
	fi

	# Update loopback transport hosts files
	for inet in /etc/net/*/hosts; do
		echo "# RPC hosts" > $inet
		echo "$hostname\t$hostname" >> $inet
		/usr/bin/chmod 644 $inet
	done

	/usr/bin/rm -f /tmp/hosts_clear.$$
	/usr/bin/mv /tmp/hosts.$$ /etc/inet/hosts
	/usr/bin/chmod 644 /etc/inet/hosts
fi

#
# Add a static route for multicast packets out our default interface.
# The default interface is the interface that corresponds to the node name.
# Run in background subshell to avoid waiting for name service.
#
(
	if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
		mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
	else
		mcastif=$_INIT_UTS_NODENAME
	fi

	echo "Setting default IPv4 interface for multicast:" \
	    "add net 224.0/4: gateway $mcastif"
	/usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
) &

#
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF.  Why did we ever let them change inetd?
#
#/usr/sbin/inetd -s &
/usr/local/sbin/xinetd -s &
```

Complete /etc/xinetd.conf file:

# more /etc/xinetd.conf

```
# This file generated by xconv.pl, included with the xinetd
# package.  xconv.pl was written by Rob Braun (bbraun@synack.net)
#
# The file is merely a translation of your inetd.conf file into
# the equivalent in xinetd.conf syntax.  xinetd has many
# features that may not be taken advantage of with this translation.
# Please refer to the xinetd.conf man page for more information
# on how to properly configure xinetd.

# The defaults section sets some information for all services
defaults
{
	#The maximum number of requests a particular service may handle
	# at once.
	instances	= 25

	# The type of logging.  This logs to a file that is specified.
	# Another option is: SYSLOG syslog_facility [syslog_level]
	log_type	= FILE /var/log/servicelog

	# What to log when the connection succeeds.
	# PID logs the pid of the server processing the request.
	# HOST logs the remote host's ip address.
	# USERID logs the remote user (using RFC 1413)
	# EXIT logs the exit status of the server.
	# DURATION logs the duration of the session.
	log_on_success	= HOST PID

	# What to log when the connection fails.  Same options as above
	log_on_failure	= HOST RECORD

	# The maximum number of connections a specific IP address can
	# have to a specific service.
	per_source	= 5
}

#service ftp
{
	flags		= NAMEINARGS
	socket_type	= stream
	protocol	= tcp
	wait		= no
	user		= root
	server		= /usr/local/bin/tcpd
	server_args	= in.ftpd
}

#service telnet
{
	flags		= NAMEINARGS
	socket_type	= stream
	protocol	= tcp
	wait		= no
	user		= root
	server		= /usr/local/bin/tcpd
	server_args	= in.telnetd
}

service ssh
{
	socket_type	= stream
	wait		= no
	user		= root
	server		= /usr/local/sbin/sshd
	port		= 22
	server_args	= -i
	only_from	= 192.0.0.109
}
```