Xinetd在solaris8安装配置过程
一、相关信息:
1、 说明:
xinetd取代了inetd+tcp_wrappers,并且提供了访问控制、加强的日志和资源管理功能,已经成了Internet标准超级守护进程。但是现在还没有在solaris上的完整安装配置手册,我希望写一个关于在solaris上的傻瓜安装配置手册。
2、 基本信息
服务器基本信息:Sun-Fire-280R
操作系统:SunOS 5.8 Generic_117350-02
3、 Xinetd软件信息
软件版本:2.3.10
下载地址:
ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/xinetd-2.3.10-sol8-sparc-local.gz
软件包说明:该软件包已经添加了--with-libwrap、--with-loadavg、--with-inet6编译模块选项。
4、 系统默认使用xinetd的服务可以分为如下几类:
标准internet服务:telnet ftp
信息服务:finger netstat systat
邮件服务:imap imaps pop2 pop3 pops
RPC服务:rquotad rstatd rusersd sprayd walld
BSD服务:comsat exec login ntalk shell talk
内部服务:chargen daytime echo servers services time
安全服务:irc
其他服务:name tftp uucp
5、 更多支持信息:
http://www.xinetd.org/
二、安装配置xinetd
1、安装过程
1)#gzip ?d xinetd-2.3.10-sol8-sparc-local.gz
2)#pkgadd ?d xinetd-2.3.10-sol8-sparc-local
没有报错的话,安装完毕。
2、xinetd软件安装后的基本信息
1)文档位置:/usr/local/doc/xinetd
里面有安装说明和配置文件文档。
2)命令位置:/usr/local/sbin/
Xinetd、xconv.pl、itox
3、配置过程:
说明:配置主要涉及俩个文件:/etc/init.d/inetsvc(需要修改)和/etc/xinetd.conf(需要生成)
1)生成/etc/xinetd.conf文件:
a) 说明:/etc/xinetd.conf这个文件是由/etc/inetd.conf文件转换生成的!主要是xinetd替代inetd以后的配置文件
b) 生成命令:
# /usr/local/sbin/xconv.pl /etc/xinetd.conf
c) 注意:
在/etc/inetd.conf里面可以事先去掉不必要的端口,如finger、login等,在/etc/xinetd.conf可以得到比较简洁的配置文。(我在转换前在/etc/inetd.conf文件里只保留了telnet和ftp)需要别的服务如ssh等可以自己添加。
2)修改/etc/init.d/inetsvc文件:
主要有俩个地方需要修改:
a) 修改一:(建议注释掉旧的配置,添加新的配置)
修改前:/usr/bin/pkill -x -u 0 'in.named|inetd'
修改后:/usr/bin/pkill -x -u 0 'in.named|xinetd'
b) 修改二:
修改前/usr/sbin/inetd -s &
修改后:/usr/local/sbin/xinetd -s &
3)测试:
停止原来的服务:# /etc/init.d/inetsvc stop
启动新的服务:# /etc/init.d/inetsvc start
检查进程:#ps ?ef|grep inetd
杀掉得到的进程号:#kill -9 ***
查看xinetd的进程:#ps ?ef|grep xinetd
显示如下xinetd配置正常:
root 158 1 0 15:41:50 ? 0:00 /usr/local/sbin/xinetd ?s
备注:
Xinetd启动过程有问题,一般是/etc/xinetd.conf配置文件的原因。
三、用xinetd限制ssh登陆配置过程:
1、测试方法:
1)编辑/etc/xinetd.conf:
添加如下:
service ssh
{
socket_type = stream
wait = no
user = root
server = /usr/local/sbin/sshd
port = 22
server_args = -i
only_from = 192.0.0.109
}
2、测试过程:
重新启动机器,查看xinetd加载是否正常。
从内网192.0.0.109 ssh登陆服务器可以登陆为正常。
别的IP ssh登陆服务器不可以登陆为正常。
3、注意:
SSH安装以后,不用在/etc/rc2.d下面添加S99sshd,因为xinetd已经可以启动ssh进程了。否则达不到限制ip的作用。
四、备注:
安装完成以后服务器状态:
#nmap -P0 127.0.0.1
22/tcp open ssh
只留了ssh端口,而且可以限制ssh登陆的IP地址为:内网的192.0.0.109
-----------------------------------------------------
完整的/etc/init.d/inetsvc文件:
# more /etc/init.d/inetsvc
#!/sbin/sh
#
# Copyright (c) 1995, 1997-1999 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)inetsvc 1.24 99/03/21 SMI"
#
# This is third phase of TCP/IP startup/configuration. This script
# runs after the NIS/NIS+ startup script. We run things here that may
# depend on NIS/NIS+ maps.
#
case "$1" in
'start')
;; # Fall through -- rest of script is the initialization code
'stop')
# /usr/bin/pkill -x -u 0 'in.named|inetd'
/usr/bin/pkill -x -u 0 'in.named|xinetd'
exit 0
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
# If boot variables are not set, set variables we use
[ -z "$_INIT_UTS_NODENAME" ] && _INIT_UTS_NODENAME=`/usr/bin/uname -n`
if [ -z "$_INIT_PREV_LEVEL" ]; then
set -- `/usr/bin/who -r`
_INIT_PREV_LEVEL="$9"
fi
#
# wait_nis
# Wait up to 5 seconds for ypbind to obtain a binding.
#
wait_nis ()
{
for i in 1 2 3 4 5; do
server=`/usr/bin/ypwhich 2/dev/null`
[ $? -eq 0 -a -n "$server" ] && return 0 || sleep 1
done
return 1
}
#
# We now need to reset the netmask and broadcast address for our network
# interfaces. Since this may result in a name service lookup, we want to
# now wait for NIS to come up if we previously started it.
#
domain=`/usr/bin/domainname 2/dev/null`
[ -z "$domain" ] || [ ! -d /var/yp/binding/$domain ] || wait_nis || echo "WARNING: Timed out waiting for NIS to come up" & 2
#
# Re-set the netmask and broadcast addr for all IP interfaces. This ifconfig
# is run here, after waiting for name services, so that "netmask +" will find
# the netmask if it lives in a NIS map. The 'D' in -auD tells ifconfig NOT to
# mess with the interface if it is under DHCP control
#
/usr/sbin/ifconfig -auD4 netmask + broadcast +
# Uncomment these lines to print complete network interface configuration
# echo "network interface configuration:"
# /usr/sbin/ifconfig -a
#
# If this machine is configured to be an Internet Domain Name System (DNS)
# server, run the name daemon. Start named prior to: route add net host,
# to avoid dns gethostbyname timout delay for nameserver during boot.
#
if [ -f /usr/sbin/in.named -a -f /etc/named.conf ]; then
echo 'starting internet domain name server.'
/usr/sbin/in.named &
fi
if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
dnsdomain=`/sbin/dhcpinfo DNSdmain`
else
dnsdomain=
fi
if [ -n "$dnsdomain" ]; then
dnsservers=`/sbin/dhcpinfo DNSserv`
if [ -n "$dnsservers" ]; then
if [ -f /etc/resolv.conf ]; then
/usr/bin/rm -f /tmp/resolv.conf.$$
/usr/bin/sed -e '/^domain/d' -e '/^nameserver/d' /etc/resolv.conf /tmp/resolv.conf.$$
fi
echo "domain $dnsdomain" /tmp/resolv.conf.$$
for name in $dnsservers; do
echo nameserver $name /tmp/resolv.conf.$$
done
else
if [ -f /etc/resolv.conf ]; then
/usr/bin/rm -f /tmp/resolv.conf.$$
/usr/bin/sed -e '/^domain/d' /etc/resolv.conf /tmp/resolv.conf.$$
fi
echo "domain $dnsdomain" /tmp/resolv.conf.$$
fi
#
# Warning: The umask is 000 during boot, which requires explicit
# setting of file permission modes when we create files.
#
/usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
/usr/bin/chmod 644 /etc/resolv.conf
# Add dns to the nsswitch file, if it isn't already there.
/usr/bin/rm -f /tmp/nsswitch.conf.$$
/usr/bin/awk ' $1 ~ /^hosts:/ {
n = split($0, a);
newl = a[1];
if ($0 !~ /dns/) {
printf("#%s # Commented out by DHCP\n", $0);
updated = 0;
for (i = 2; i
if (updated == 0 && ind
