inetd(8) 有時候又被稱做 “Internet Super-Server”,因為它管理很多網路服務的連線。 當 inetd 收到一個連線,它會判斷此連線 該由哪個程式負責處理,spawns the particular process and delegates the socket to it (the program is invoked with the service socket as its standard input, output and error descriptors). Running inetd for servers that are not heavily used can reduce the overall system load, when compared to running each daemon individually in stand-alone mode.
Primarily, inetd is used to spawn other daemons, but several trivial protocols are handled directly, such as chargen, auth, and daytime.
This section will cover the basics in configuring inetd through its command-line options and its configuration file, /etc/inetd.conf.
inetd 藉由 rc(8) 來初始。 inetd_enable 選項預設為 NO, 但是或許在安裝過程中被 sysinstall 開啟, 這取決於使用者選擇何種設定。 在 /etc/rc.conf 加上:
inetd_enable="YES"
或者
inetd_enable="NO"
將會在開機時開啟或關閉 inetd。 下面的指令:
# /etc/rc.d/inetd rcvar
可以用來顯示目前的設定值。
另外,不同的命令列選項可以透過inetd_flags 選項 傳遞給 inetd。
就像大多數的 server daemons,inetd 有許多選項可以用來改變其行為。這些選項如下:
inetd [-d] [-l] [-w] [-W] [-c maximum]
[-C rate] [-a address | hostname] [-p filename] [-R rate] [-s maximum] [configuration
file]
選項可在 /etc/rc.conf 透過 inetd_flags 來傳遞給 inetd。 inetd_flags 預設值是 -wW -C 60,用來開啟 inetd 的 TCP wrapping, 並提供每分鐘超過六十次來自任何 IP 要求的任何服務。
Novice users may be pleased to note that these parameters usually do not need to be modified, although we mention the rate-limiting options below as they be useful should you find that you are receiving an excessive amount of connections. A full list of options can be found in the inetd(8) manual.
Specify the default maximum number of simultaneous invocations of each service; the
default is unlimited. May be overridden on a per-service basis with the max-child
parameter.
Specify the default maximum number of times a service can be invoked from a single IP
address in one minute; the default is unlimited. May be overridden on a per-service basis
with the max-connections-per-ip-per-minute
parameter.
Specify the maximum number of times a service can be invoked in one minute; the default is 256. A rate of 0 allows an unlimited number of invocations.
Specify the maximum number of times a service can be invoked from a single IP address
at any one time; the default is unlimited. May be overridden on a per-service basis with
the max-child-per-ip
parameter.
Configuration of inetd is done via the file /etc/inetd.conf.
When a modification is made to /etc/inetd.conf, inetd can be forced to re-read its configuration file by running the command:
Each line of the configuration file specifies an individual daemon. Comments in the file are preceded by a “#”. The format of each entry in /etc/inetd.conf is as follows:
service-name socket-type protocol {wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]] user[:group][/login-class] server-program server-program-arguments
An example entry for the ftpd(8) daemon using IPv4 might read:
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
This is the service name of the particular daemon. It must correspond to a service listed in /etc/services. This determines which port inetd must listen to. If a new service is being created, it must be placed in /etc/services first.
Either stream, dgram, raw, or seqpacket. stream must be used for connection-based, TCP daemons, while dgram is used for daemons utilizing the UDP transport protocol.
One of the following:
wait|nowait
indicates whether the daemon invoked from inetd is able to handle its own socket or not. dgram
socket types must use the wait
option, while stream socket daemons, which are usually multi-threaded, should use nowait
. wait
usually hands off multiple
sockets to a single daemon, while nowait
spawns a child
daemon for each new socket.
The maximum number of child daemons inetd may spawn can be
set using the max-child
option. If a limit of ten instances
of a particular daemon is needed, a /10 would be placed after
nowait
. Specifying /0 allows an
unlimited number of children
In addition to max-child
, two other options which limit
the maximum connections from a single place to a particular daemon can be enabled. max-connections-per-ip-per-minute
limits the number of connections
from any particular IP address per minutes, e.g. a value of ten would limit any
particular IP address connecting to a particular service to ten attempts per minute.
max-child-per-ip
limits the number of children that can be
started on behalf on any single IP address at any moment. These options are useful to
prevent intentional or unintentional excessive resource consumption and Denial of Service
(DoS) attacks to a machine.
In this field, either of wait
or nowait
is mandatory. max-child
, max-connections-per-ip-per-minute
and max-child-per-ip
are optional.
A stream-type multi-threaded daemon without any max-child
,
max-connections-per-ip-per-minute
or max-child-per-ip
limits would simply be: nowait.
The same daemon with a maximum limit of ten daemons would read: nowait/10.
The same setup with a limit of twenty connections per IP address per minute and a maximum total limit of ten child daemons would read: nowait/10/20.
These options are utilized by the default settings of the fingerd(8) daemon, as seen here:
finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
Finally, an example of this field with a maximum of 100 children in total, with a maximum of 5 for any one IP address would read: nowait/100/0/5.
This is the username that the particular daemon should run as. Most commonly, daemons run as the root user. For security purposes, it is common to find some servers running as the daemon user, or the least privileged nobody user.
The full path of the daemon to be executed when a connection is received. If the
daemon is a service provided by inetd internally, then internal
should be used.
This works in conjunction with server-program
by
specifying the arguments, starting with argv[0], passed to the
daemon on invocation. If mydaemon -d is the command line, mydaemon -d would be the value of server-program-arguments
. Again, if the daemon is an internal
service, use internal
here.
依照安裝時的選擇,大部分 inetd 的服務 預設是啟動的。如果有什麼很明顯是不需要的服務,請考慮關閉它。在 /etc/inetd.conf 中 服務的前面加個 “#”,然後重新載入 inetd 設定。 某些服務,例如 fingerd, 可能就不想開啟,因為它有可能會讓駭客取得一些有用的資訊。
Some daemons are not security-conscious and have long, or non-existent, timeouts for
connection attempts. This allows an attacker to slowly send connections to a particular
daemon, thus saturating available resources. It may be a good idea to place max-connections-per-ip-per-minute
, max-child
or max-child-per-ip
limitations on certain daemons if you find that you have too many connections.
TCP wrapping 預設是開啟的。您可以參閱 hosts_access(5) manual page 取得更多 變更 inetd 提供的服務的 TCP 連線限制相關說明。
daytime、 time、 echo、 discard、 chargen 及 auth 都是由 inetd 提供的內部服務。
The auth service provides identity network services, and is configurable to a certain degree, whilst the others are simply on or off.
Consult the inetd(8) manual page for more in-depth information.
本文及其他文件,可由此下載:ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/。
若有 FreeBSD 方面疑問,請先閱讀 FreeBSD 相關文件,如不能解決的話,再洽詢
<questions@FreeBSD.org>。
關於本文件的問題,請洽詢 <doc@FreeBSD.org>。