
Installing and configuring xinetd on Solaris 8


http://www.sina.com.cn 2006-10-12 22:17 ChinaByte

  xinetd replaces inetd + tcp_wrappers, adds access control, richer logging and resource limits, and has become the de facto standard Internet super-server. There is still no complete install-and-configure guide for it on Solaris, so this is a step-by-step guide to installing and configuring it on Solaris.

  2. Basic information

  Server: Sun Fire 280R

  Operating system: SunOS 5.8 Generic_117350-02

  3. xinetd package information

  Version: 2.3.10

  Download:

  ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/xinetd-2.3.10-sol8-sparc-local.gz

  Package notes: this build was configured with --with-libwrap, --with-loadavg and --with-inet6. Because of --with-libwrap, xinetd also consults /etc/hosts.allow and /etc/hosts.deny for every connection, on top of its own only_from/no_access rules, so keep those two files in mind when a connection is refused unexpectedly.

  4. Services commonly run under xinetd fall into the following groups:

  Standard Internet services: telnet ftp

  Information services: finger netstat systat

  Mail services: imap imaps pop2 pop3 pops

  RPC services: rquotad rstatd rusersd sprayd walld

  BSD services: comsat exec login ntalk shell talk

  Internal services: chargen daytime echo servers services time

  Security services: irc

  Other services: name tftp uucp

  5. More information:

  http://www.xinetd.org/

  II. Installing and configuring xinetd

  1. Installation

  1) # gzip -d xinetd-2.3.10-sol8-sparc-local.gz

  2) # pkgadd -d xinetd-2.3.10-sol8-sparc-local

  If pkgadd reports no errors, the installation is complete.

  2. Where things land after installation

  1) Documentation: /usr/local/doc/xinetd

  It contains the installation notes and the configuration-file documentation.

  2) Commands: /usr/local/sbin/

  xinetd, xconv.pl, itox

  3. Configuration:

  Two files are involved: /etc/init.d/inetsvc (to be modified) and /etc/xinetd.conf (to be generated).

  1) Generating /etc/xinetd.conf:

  a) /etc/xinetd.conf is produced by converting /etc/inetd.conf; it is the configuration file xinetd reads in place of inetd.conf.

  b) Conversion command:

  # /usr/local/sbin/xconv.pl < /etc/inetd.conf > /etc/xinetd.conf

  c) Notes:

  Remove unneeded services (finger, login and so on) from /etc/inetd.conf before converting, and the resulting /etc/xinetd.conf stays short. (Before converting I kept only telnet and ftp in /etc/inetd.conf.) Services that were never in inetd.conf, such as ssh, can be added by hand afterwards. The conversion is purely mechanical, so read the generated file before using it: it carries no only_from or no_access rules of its own, and every stanza it produces is enabled.

  2) Modifying /etc/init.d/inetsvc:

  Two places need changing (comment out the old line and add the new one beneath it, rather than editing in place, so the original can be restored):

  a) Change 1, in the stop branch:

  Before: /usr/bin/pkill -x -u 0 'in.named|inetd'

  After:  /usr/bin/pkill -x -u 0 'in.named|xinetd'

  b) Change 2, the start-up line at the end of the script:

  Before: /usr/sbin/inetd -s &

  After:  /usr/local/sbin/xinetd -s &

  3) Testing:

  Stop the old service: # /etc/init.d/inetsvc stop

  Start the new service: # /etc/init.d/inetsvc start

  Look for the old daemon: # ps -ef | grep inetd

  The stop branch now kills xinetd rather than inetd, so the original inetd is still running at this point and still holds whatever ports inetd.conf gave it. Kill the PID that ps reported: # kill -9 ***

  (A cleaner order is to kill inetd before running start: xinetd cannot bind any port that inetd still holds.)

  Check the xinetd process: # ps -ef | grep xinetd

  If the output looks like this, xinetd is configured correctly:

  root 158 1 0 15:41:50 ? 0:00 /usr/local/sbin/xinetd -s

  Note:

  When xinetd fails to start, the cause is usually /etc/xinetd.conf. xinetd reports configuration errors through syslog (the daemon facility by default), so look there first.
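The inetsvc edit and the checks above, scripted as an added example (this is not code from the article): the two line substitutions are the article's, while the backup, the refuse-to-run-twice guard, the verification and the constructed inetsvc excerpt used when no file is given are this example's own. Run it as `sh patch-inetsvc.sh /etc/init.d/inetsvc` on the target; with no argument it exercises a constructed copy instead.

```sh
#!/bin/sh
# Switch /etc/init.d/inetsvc from inetd to xinetd the way the article
# describes (comment out the two inetd lines, add xinetd lines beneath),
# with a backup, a refuse-to-run-twice guard and a verification step.
# Added example, not from the article. Assumes xinetd is installed at
# /usr/local/sbin/xinetd (override with XINETD=...); on Solaris 8 use
# AWK=nawk and /usr/xpg4/bin/grep, the old /usr/bin tools lack [[:space:]].

XINETD=${XINETD:-/usr/local/sbin/xinetd}
AWK=${AWK:-awk}

# patch_inetsvc FILE: apply both edits, keeping FILE.pre-xinetd as backup.
# The result is written through a redirection so FILE keeps its mode/owner.
patch_inetsvc() {
    f=$1
    if grep -q "$XINETD" "$f"; then
        echo "patch_inetsvc: $f already references $XINETD, nothing done" >&2
        return 1
    fi
    [ -x "$XINETD" ] || echo "patch_inetsvc: warning: $XINETD is not executable here" >&2
    cp -p "$f" "$f.pre-xinetd" || return 1
    "$AWK" -v x="$XINETD" '
    # stop branch: the first "inetd" in the line is the one after the bar
    # ("in.named" does not contain the string "inetd")
    /^[ \t]*\/usr\/bin\/pkill -x -u 0 .in\.named.inetd.[ \t]*$/ {
        ind = substr($0, 1, match($0, /[^ \t]/) - 1)
        print ind "#" substr($0, length(ind) + 1)
        line = $0; sub(/inetd/, "xinetd", line)
        print line
        next
    }
    # start-up line at the end of the script
    /^[ \t]*\/usr\/sbin\/inetd -s &[ \t]*$/ {
        ind = substr($0, 1, match($0, /[^ \t]/) - 1)
        print ind "#" substr($0, length(ind) + 1)
        print ind x " -s &"
        next
    }
    { print }' "$f.pre-xinetd" > "$f"
}

# check_inetsvc FILE: succeed only if inetd is no longer started, xinetd is
# started exactly once, and the stop branch kills xinetd. Comment lines are
# ignored so the commented-out originals do not count.
check_inetsvc() {
    f=$1; rc=0
    live=$(grep -v '^[[:space:]]*#' "$f")
    [ "$(echo "$live" | grep -c '/usr/sbin/inetd -s')" -eq 0 ] ||
        { echo "$f still starts /usr/sbin/inetd"; rc=1; }
    [ "$(echo "$live" | grep -c "$XINETD -s")" -eq 1 ] ||
        { echo "$f does not start $XINETD exactly once"; rc=1; }
    [ "$(echo "$live" | grep -c 'in.named|xinetd')" -eq 1 ] ||
        { echo "$f stop branch does not kill xinetd"; rc=1; }
    return $rc
}

# make_sample_inetsvc: constructed excerpt of the Solaris 8 inetsvc script
# holding just the two lines that matter (not the real file).
make_sample_inetsvc() {
    s=${TMPDIR:-/tmp}/inetsvc.sample.$$
    cat > "$s" <<'EOF'
case "$1" in
'stop')
    /usr/bin/pkill -x -u 0 'in.named|inetd'
    exit 0
    ;;
esac
/usr/sbin/inetd -s &
EOF
    echo "$s"
}

if [ $# -gt 0 ]; then
    patch_inetsvc "$1" && check_inetsvc "$1" && echo "$1: patched and verified"
else
    sample=$(make_sample_inetsvc)
    patch_inetsvc "$sample" && check_inetsvc "$sample" && cat "$sample"
    rm -f "$sample" "$sample.pre-xinetd"
fi
```

Run check_inetsvc again after every later edit of inetsvc; it is cheap and catches the two failure modes that bite at the next reboot (inetd started alongside xinetd, or a stop branch that leaves xinetd running).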

  III. Restricting ssh logins with xinetd:

  1. Configuration:

  1) Edit /etc/xinetd.conf and add:

service ssh
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/local/sbin/sshd
    port        = 22
    server_args = -i
    only_from   = 192.0.0.109
}

  server_args = -i runs sshd in inetd mode: xinetd accepts the connection and hands the socket to a fresh sshd for each login, which is what makes only_from effective. If "ssh" is not listed in /etc/services on the host, xinetd rejects the stanza unless it also carries type = UNLISTED; the explicit port = 22 alone does not satisfy it.

  2. Test:

  Reboot the machine and check that xinetd comes up.

  An ssh login from 192.0.0.109 on the internal network succeeds: correct.

  An ssh login from any other address is refused: correct.

  3. Note:

  After installing SSH, do not add S99sshd under /etc/rc2.d: xinetd now starts sshd on demand. A standalone sshd would bind port 22 itself and accept connections from any address, so the only_from restriction would never be applied (and xinetd would fail to bind port 22 at all).

  IV. Notes:

  Server state after the installation:

  # nmap -P0 127.0.0.1

  22/tcp open ssh

  Only the ssh port is left, and ssh logins are limited to 192.0.0.109 on the internal network. Note that nmap reports the port as open even from an address that only_from rejects: xinetd completes the TCP handshake before it evaluates access control, then closes the connection and records a FAIL line in its log. "Open" in a scan therefore means xinetd is listening, not that the scanner's address would be admitted; test access with a real ssh connection from an allowed and from a disallowed address.
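What those FAIL records look like and how to make use of them, as an added example that is not part of the article: two shell/awk functions that summarise the service log the article configures with log_type = FILE /var/log/servicelog. The log lines are constructed here in the shape of xinetd's START/EXIT/FAIL records ("yy/mm/dd@hh:mm:ss: RESULT: service ... from=ADDRESS"); the address 192.0.0.109 is the article's, the other addresses, times and sshd PIDs are made up. The format is an assumption about xinetd's FILE log and should be checked against a real line from the host before the functions are used on it.

```sh
#!/bin/sh
# Read xinetd's service log and report who got in and who was refused.
# Added example, not from the article. Assumes the record shape xinetd
# writes with log_type = FILE: "yy/mm/dd@hh:mm:ss: RESULT: service ... from=ADDR"
# where RESULT is START, EXIT or FAIL and HOST logging adds "from=ADDR".
# On Solaris 8 run with AWK=nawk.

AWK=${AWK:-awk}

# xinetd_log_summary LOGFILE
# One line per (result, service, source address) with a count, busiest
# first. Only START and FAIL records carry a source; EXIT lines are skipped.
xinetd_log_summary() {
    "$AWK" '
    $2 == "START:" || $2 == "FAIL:" {
        src = ""
        for (i = 4; i <= NF; i++) if ($i ~ /^from=/) src = substr($i, 6)
        if (src == "") next
        result = substr($2, 1, length($2) - 1)
        n[result " " $3 " " src]++
    }
    END { for (k in n) printf("%6d %s\n", n[k], k) }' "$1" | sort -rn
}

# xinetd_refused_sources LOGFILE [MIN]
# Addresses xinetd rejected at least MIN times (default 3) on any service:
# the repeated "FAIL: ssh address from=..." pattern an only_from rule leaves
# behind when something outside the allowed address keeps trying.
xinetd_refused_sources() {
    "$AWK" -v min="${2:-3}" '
    $2 == "FAIL:" {
        for (i = 4; i <= NF; i++) if ($i ~ /^from=/) fail[substr($i, 6)]++
    }
    END { for (a in fail) if (fail[a] >= min) printf("%s %d\n", a, fail[a]) }' "$1" | sort
}

# make_sample_log: constructed /var/log/servicelog excerpt, not real data.
make_sample_log() {
    l=${TMPDIR:-/tmp}/servicelog.sample.$$
    cat > "$l" <<'EOF'
06/10/12@15:42:03: START: ssh pid=201 from=192.0.0.109
06/10/12@15:42:09: EXIT: ssh status=0 pid=201 duration=6(sec)
06/10/12@15:43:11: FAIL: ssh address from=192.0.0.55
06/10/12@15:43:12: FAIL: ssh address from=192.0.0.55
06/10/12@15:43:14: FAIL: ssh address from=192.0.0.55
06/10/12@15:50:30: FAIL: ssh address from=10.9.8.7
06/10/12@16:01:00: START: ssh pid=233 from=192.0.0.109
06/10/12@16:05:41: EXIT: ssh status=0 pid=233 duration=281(sec)
EOF
    echo "$l"
}

log=${1:-$(make_sample_log)}
echo "== connections per result, service and source"; xinetd_log_summary "$log"
echo "== sources refused 3 or more times"; xinetd_refused_sources "$log" 3
[ $# -gt 0 ] || rm -f "$log"
```

Pass the real file as the first argument (`sh servicelog-summary.sh /var/log/servicelog`). The threshold in xinetd_refused_sources is the kind of number that belongs in a cron job that mails root: with only_from in place, a source that keeps being refused is either a misconfigured client or someone probing.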

  -----------------------------------------------------

  The complete /etc/init.d/inetsvc file, with the two changes applied:

# more /etc/init.d/inetsvc

#!/sbin/sh
#
# Copyright (c) 1995, 1997-1999 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)inetsvc 1.24 99/03/21 SMI"
#
# This is third phase of TCP/IP startup/configuration. This script
# runs after the NIS/NIS+ startup script. We run things here that may
# depend on NIS/NIS+ maps.
#

case "$1" in
'start')
    ;; # Fall through -- rest of script is the initialization code

'stop')
    # /usr/bin/pkill -x -u 0 'in.named|inetd'
    /usr/bin/pkill -x -u 0 'in.named|xinetd'
    exit 0
    ;;

*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac

# If boot variables are not set, set variables we use
[ -z "$_INIT_UTS_NODENAME" ] && _INIT_UTS_NODENAME=`/usr/bin/uname -n`
if [ -z "$_INIT_PREV_LEVEL" ]; then
    set -- `/usr/bin/who -r`
    _INIT_PREV_LEVEL="$9"
fi

#
# wait_nis
# Wait up to 5 seconds for ypbind to obtain a binding.
#
wait_nis ()
{
    for i in 1 2 3 4 5; do
        server=`/usr/bin/ypwhich 2>/dev/null`
        [ $? -eq 0 -a -n "$server" ] && return 0 || sleep 1
    done
    return 1
}

#
# We now need to reset the netmask and broadcast address for our network
# interfaces. Since this may result in a name service lookup, we want to
# now wait for NIS to come up if we previously started it.
#
domain=`/usr/bin/domainname 2>/dev/null`
[ -z "$domain" ] || [ ! -d /var/yp/binding/$domain ] || wait_nis || \
    echo "WARNING: Timed out waiting for NIS to come up" >& 2

#
# Re-set the netmask and broadcast addr for all IP interfaces. This ifconfig
# is run here, after waiting for name services, so that "netmask +" will find
# the netmask if it lives in a NIS map. The 'D' in -auD tells ifconfig NOT to
# mess with the interface if it is under DHCP control
#
/usr/sbin/ifconfig -auD4 netmask + broadcast +

# Uncomment these lines to print complete network interface configuration
# echo "network interface configuration:"
# /usr/sbin/ifconfig -a

#
# If this machine is configured to be an Internet Domain Name System (DNS)
# server, run the name daemon. Start named prior to: route add net host,
# to avoid dns gethostbyname timout delay for nameserver during boot.
#
if [ -f /usr/sbin/in.named -a -f /etc/named.conf ]; then
    echo 'starting internet domain name server.'
    /usr/sbin/in.named &
fi

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
    dnsdomain=`/sbin/dhcpinfo DNSdmain`
else
    dnsdomain=
fi

if [ -n "$dnsdomain" ]; then
    dnsservers=`/sbin/dhcpinfo DNSserv`
    if [ -n "$dnsservers" ]; then
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' -e '/^nameserver/d' \
                /etc/resolv.conf >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
        for name in $dnsservers; do
            echo nameserver $name >>/tmp/resolv.conf.$$
        done
    else
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' /etc/resolv.conf \
                >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
    fi

    #
    # Warning: The umask is 000 during boot, which requires explicit
    # setting of file permission modes when we create files.
    #
    /usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
    /usr/bin/chmod 644 /etc/resolv.conf

    # Add dns to the nsswitch file, if it isn't already there.
    /usr/bin/rm -f /tmp/nsswitch.conf.$$
    /usr/bin/awk ' $1 ~ /^hosts:/ {
        n = split($0, a);
        newl = a[1];
        if ($0 !~ /dns/) {
            printf("#%s # Commented out by DHCP\n", $0);
            updated = 0;
            for (i = 2; i <= n; i++) {
                if (updated == 0 && index(a[i], "[") == 1) {
                    newl = newl" dns";
                    updated++;
                }
                newl = newl" "a[i];
            }
            if (updated == 0) {
                newl = newl" dns";
                updated++;
            }
            if (updated != 0)
                newl = newl" # Added by DHCP";
            else
                newl = $0;
            printf("%s\n", newl);
        } else
            printf("%s\n", $0);
    } $1 !~ /^hosts:/ { printf("%s\n", $0); }' /etc/nsswitch.conf \
        >/tmp/nsswitch.conf.$$
    /usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
    /usr/bin/chmod 644 /etc/nsswitch.conf
elif grep '# Added by DHCP$' /etc/nsswitch.conf >/dev/null 2>&1; then
    # If we added DNS to a hosts line in the nsswitch, remove it.
    /usr/bin/rm -f /tmp/nsswitch.conf.$$
    /usr/bin/sed \
        -e '/# Added by DHCP$/d' \
        -e 's/^\(#hosts:\)\(.*[^#]\)\(#.*\)$/hosts: \2/' \
        /etc/nsswitch.conf >/tmp/nsswitch.conf.$$
    /usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
    /usr/bin/chmod 644 /etc/nsswitch.conf
fi

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
    #
    # if DHCP doesn't return a hostname, use "unknown" so
    # client can resolve IP address into a local hostname.
    #
    hostname=`/sbin/dhcpinfo Hostname`
    if [ -z "$hostname" ]; then
        hostname="unknown"
    fi
    ipaddr=`/sbin/dhcpinfo Yiaddr`
    /usr/bin/rm -f /tmp/hosts.$$ /tmp/hosts_clear.$$

    # Delete any old lines added by dhcp.
    /usr/bin/sed -e '/# Added by DHCP$/d' /etc/inet/hosts \
        > /tmp/hosts_clear.$$

    shift $# # Clear $0-9 first in case grep fails
    set -- `/usr/bin/grep "^[ ]*$ipaddr[ ]" \
        /tmp/hosts_clear.$$ 2>/dev/null`
    if [ $# -gt 0 ]; then
        #
        # IP address is already in the hosts file. Ensure the
        # associated hostname is the same as the Hostname
        # property returned by the DHCP server.
        #
        /usr/bin/sed -e "/^[ ]*${ipaddr}[ ]/s/${2}/${hostname}/" \
            /tmp/hosts_clear.$$ >/tmp/hosts.$$
    else
        #
        # IP address is missing from the hosts file. Now check
        # to see if the hostname is present with a different IP.
        #
        shift $# # Clear $0-9 in case grep fails
        set -- `/usr/bin/grep -s -v '^#' /tmp/hosts_clear.$$ | \
            /usr/bin/egrep "[ ]${hostname}([ ]|$)"`
        if [ $# -gt 0 ]; then
            #
            # Hostname is present in the hosts file. Rewrite this
            # line to have the new IP address and the DHCP comment.
            #
            /usr/bin/sed -e "/^[ ]*${1}[ ]/d" \
                /tmp/hosts_clear.$$ >/tmp/hosts.$$
            shift # Shift off $1 (the old IP)
            echo "$ipaddr $*\c" | /usr/bin/tr ' ' '\t' \
                >>/tmp/hosts.$$
            echo "\t# Added by DHCP" >>/tmp/hosts.$$
        else
            #
            # Hostname is not present in the hosts file.
            # Add a new line for the host at the end of
            # the new hosts file.
            #
            /usr/bin/mv /tmp/hosts_clear.$$ /tmp/hosts.$$
            echo "${ipaddr}\t${hostname}\t# Added by DHCP" \
                >>/tmp/hosts.$$
        fi
    fi

    # Update loopback transport hosts files
    for inet in /etc/net/*/hosts; do
        echo "# RPC hosts" > $inet
        echo "$hostname\t$hostname" >> $inet
        /usr/bin/chmod 644 $inet
    done

    /usr/bin/rm -f /tmp/hosts_clear.$$
    /usr/bin/mv /tmp/hosts.$$ /etc/inet/hosts
    /usr/bin/chmod 644 /etc/inet/hosts
fi

#
# Add a static route for multicast packets out our default interface.
# The default interface is the interface that corresponds to the node name.
# Run in background subshell to avoid waiting for name service.
#
(
    if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
        mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
    else
        mcastif=$_INIT_UTS_NODENAME
    fi
    echo "Setting default IPv4 interface for multicast:" \
        "add net 224.0/4: gateway $mcastif"
    /usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
) &

#
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF. Why did we ever let them change inetd?
#
#/usr/sbin/inetd -s &
/usr/local/sbin/xinetd -s &

  The complete /etc/xinetd.conf file:

# more /etc/xinetd.conf

# This file generated by xconv.pl, included with the xinetd
# package. xconv.pl was written by Rob Braun (bbraun@synack.net)
#
# The file is merely a translation of your inetd.conf file into
# the equivalent in xinetd.conf syntax. xinetd has many
# features that may not be taken advantage of with this translation.
# Please refer to the xinetd.conf man page for more information
# on how to properly configure xinetd.

# The defaults section sets some information for all services
defaults
{
    # The maximum number of requests a particular service may handle
    # at once.
    instances      = 25

    # The type of logging. This logs to a file that is specified.
    # Another option is: SYSLOG syslog_facility [syslog_level]
    log_type       = FILE /var/log/servicelog

    # What to log when the connection succeeds.
    # PID logs the pid of the server processing the request.
    # HOST logs the remote host's ip address.
    # USERID logs the remote user (using RFC 1413)
    # EXIT logs the exit status of the server.
    # DURATION logs the duration of the session.
    log_on_success = HOST PID

    # What to log when the connection fails. Same options as above
    log_on_failure = HOST RECORD

    # The maximum number of connections a specific IP address can
    # have to a specific service.
    per_source     = 5
}

# ftp and telnet are switched off by commenting out every line of the
# stanza. Commenting out only the "service" line would leave a bare
# "{ ... }" body that xinetd does not read as a service; the other
# option is to keep the stanza and put "disable = yes" inside it.
#service ftp
#{
#    flags       = NAMEINARGS
#    socket_type = stream
#    protocol    = tcp
#    wait        = no
#    user        = root
#    server      = /usr/local/bin/tcpd
#    server_args = in.ftpd
#}

#service telnet
#{
#    flags       = NAMEINARGS
#    socket_type = stream
#    protocol    = tcp
#    wait        = no
#    user        = root
#    server      = /usr/local/bin/tcpd
#    server_args = in.telnetd
#}

service ssh
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/local/sbin/sshd
    port        = 22
    server_args = -i
    only_from   = 192.0.0.109
}

#
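As an added example, not part of the article or of the xinetd package, a shell/awk check that lists what a given xinetd.conf actually enables, so the generated file can be reviewed before the restart in section II. It resolves only_from/no_access from the defaults section when a service sets none, honours disable = yes and the defaults disabled list, and counts attribute lines that sit outside any stanza, which is what a stanza with only its "service" line commented out turns into. The sample configuration it builds when run without an argument is constructed: the defaults and the ssh stanza follow the article, while the only_from in defaults, the type = UNLISTED, the telnet and finger stanzas and the deliberately half-commented daytime stanza are this example's additions. "-=" is treated as plain assignment, and one-line "service x {" forms are not handled.

```sh
#!/bin/sh
# Audit an xinetd.conf before trusting it: which services are live, what
# each one runs, and which access rules (own or inherited from defaults)
# apply. Added example, not from the article or the xinetd package.
# Assumes the layout seen on the page: braces on their own lines,
# "attr = value" / "attr += value", whole-line "#" comments.
# On Solaris 8 set AWK=nawk; /usr/bin/awk there is the old awk.

AWK=${AWK:-awk}

# xinetd_audit FILE: one line per service, plus a warning if attribute
# lines were found outside any stanza (a half-commented-out stanza).
xinetd_audit() {
    "$AWK" '
    /^[ \t]*#/ { next }
    { gsub(/^[ \t]+/, ""); gsub(/[ \t]+$/, "") }
    $0 == "" { next }
    $1 == "defaults" { block = "defaults"; next }
    $1 == "service" {
        block = $2
        if (!(block in seen)) { seen[block] = 1; order[++n] = block }
        next
    }
    $1 == "{" { inblock = 1; next }
    $1 == "}" { inblock = 0; block = ""; next }
    $1 ~ /^[A-Za-z_]+$/ && ($2 == "=" || $2 == "+=" || $2 == "-=") {
        if (!inblock || block == "") { stray++; next }
        key = $1; op = $2; val = ""
        for (i = 3; i <= NF; i++) val = val (i > 3 ? " " : "") $i
        if (block == "defaults") { def[key] = val; next }
        if (op == "+=" && (key in def)) val = def[key] " " val
        svc[block, key] = val
        next
    }
    END {
        m = split(def["disabled"], dl, " ")
        for (i = 1; i <= m; i++) off[dl[i]] = 1
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (off[s] || svc[s, "disable"] == "yes") { printf("%s: disabled\n", s); continue }
            srv  = ((s, "server") in svc) ? svc[s, "server"] : "INTERNAL"
            from = ((s, "only_from") in svc) ? svc[s, "only_from"] : def["only_from"]
            deny = ((s, "no_access") in svc) ? svc[s, "no_access"] : def["no_access"]
            if (from == "" && deny == "")
                ctl = "UNRESTRICTED"
            else
                ctl = "only_from=" (from == "" ? "-" : from) " no_access=" (deny == "" ? "-" : deny)
            printf("%s: server=%s %s\n", s, srv, ctl)
        }
        if (stray > 0)
            printf("WARNING: %d attribute line(s) outside any stanza (half-commented service?)\n", stray)
    }' "$1"
}

# make_sample_conf: constructed xinetd.conf, not the article's file; the
# defaults and ssh stanza follow the article, the rest exercises the checks.
make_sample_conf() {
    c=${TMPDIR:-/tmp}/xinetd.conf.sample.$$
    cat > "$c" <<'EOF'
defaults
{
    instances      = 25
    log_type       = FILE /var/log/servicelog
    per_source     = 5
    only_from      = 127.0.0.1
    disabled       = finger
}
#service ftp
#{
#    server      = /usr/local/bin/tcpd
#}
service ssh
{
    type        = UNLISTED
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/local/sbin/sshd
    port        = 22
    server_args = -i
    only_from   = 192.0.0.109
}
service telnet
{
    socket_type = stream
    wait        = no
    server      = /usr/sbin/in.telnetd
    only_from   += 10.0.0.0/8
}
service finger
{
    socket_type = stream
    server      = /usr/sbin/in.fingerd
}
#service daytime
{
    type        = INTERNAL
    socket_type = stream
}
EOF
    echo "$c"
}

conf=${1:-$(make_sample_conf)}
xinetd_audit "$conf"
[ $# -gt 0 ] || rm -f "$conf"
```

Run it as `sh xinetd-audit.sh /etc/xinetd.conf` after every xconv.pl conversion or hand edit. Any line reporting UNRESTRICTED is a service reachable from every address; any WARNING means the file contains a stanza that is neither a service nor a comment, so fix it before restarting xinetd rather than relying on the parser to skip it.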
