30.2 Starting Internet Services


Network services can be started in one of two ways. In the first case, a service daemon is started at boot time with the help of rc scripts. These scripts are stored in the /sbin/init.d directory and are linked to startup and shutdown scripts in the /sbin/rcn.d directories, where n is a system run level. Configuration files for these scripts are present in the /etc/rc.config.d directory. Management of startup and shutdown scripts has already been discussed in Chapter 14.

The second method of starting a service is through the inetd daemon. It is also called a TCP wrapper and listens on a number of network ports, depending on the network services enabled through it. When a connection request arrives at a particular port, it starts a server process, depending on the configuration file entry for that service.

Starting a Service as a Daemon

Server daemons are started with the help of the /sbin/rc script. This is executed during the system startup process. It scans the /sbin/rcn.d directories at each system run level, where n in the directory name represents a run level. Each of these directories contains link files associated with actual scripts in the /sbin/init.d directory. These link files start with either the letter S or the letter K. A link file name starting with S shows that the service is started at this run level, while a link file name starting with K shows that the service is stopped when the system moves into this run level. For example, the file S370named in directory /sbin/rc2.d is linked to the /sbin/init.d/named file. It shows that the script /sbin/init.d/named will be run when the system enters run level 2. This script starts the domain name server daemon used to resolve host names.

When a daemon is started, it binds itself to its designated port and starts listening to incoming connection requests on that port. Any client on the network can then send a request at that port and start communication with the server process.

Starting a Service through inetd

The inetd daemon is started at run level 2. It listens for incoming connection requests for many services. When a request arrives at a certain port, it invokes the server process corresponding to that port and starts listening on the port again. At startup time, the inetd daemon reads its configuration file, /etc/inetd.conf, which contains a list of the services to be served by inetd. This file contains one line for each service. A line starting with the # character is considered a comment line. A typical entry for the telnet service in this file is as follows.

 telnet   stream tcp nowait root /usr/lbin/telnetd  telnetd 

Each line contains seven fields, as listed next. These fields show how the service will behave and what server process will be invoked.

  • Service Name: This is the name of the service as mentioned in the /etc/services or /etc/rpc file. In the telnetd example above, the service name is telnet.

  • Socket Type: This is either stream or dgram. This shows the type of socket used for the service. In the above-mentioned example, the socket type is stream. The stream type socket is used with the TCP protocol and the dgram type socket is used with the UDP protocol.

  • Protocol: One of the protocols listed in /etc/protocols. This shows the protocol used for the service. The protocol used for the telnet service is TCP.

  • Wait/nowait: The wait keyword applies to dgram sockets only. For stream-based sockets, nowait is used. This field configures a service as single-threaded or multithreaded. The wait keyword causes inetd to wait until any previously started server process finishes. When the previous instance finishes, inetd starts listening on the port again, so the service is activated as single-threaded. With the nowait keyword, inetd starts the server process for an incoming request and immediately starts listening on the port again. If a second request arrives while the first server instance is still running, another instance of the server process is started. Usually UDP-based services use wait, whereas TCP services use nowait.

  • User: This is the name of the user who will be the owner of the server process.

  • Server Program: The complete path to the server program file.

  • Arguments: This last field contains the list of arguments to be passed to the server program. The first argument is the program name itself.

A sample /etc/inetd.conf file is shown next, where you can find a list of services invoked with the help of the inetd daemon. An entry can be continued on the next line by using a backslash character at the end of a line. Lines starting with the # character are comments.

 # @(#)inetd.conf $Revision: 1.24.214.3 $ $Date: 97/09/10 14:50:49 $
 #
 # See the inetd.conf(4) manual page for more information.
 #
 #       ARPA/Berkeley services
 #
 ftp          stream tcp nowait root /usr/lbin/ftpd      ftpd -l
 telnet       stream tcp nowait root /usr/lbin/telnetd  telnetd
 # Before uncommenting the "tftp" entry below, please make sure
 # that you have a "tftp" user in /etc/passwd. If you don't
 # have one, please consult the tftpd(1M) manual entry for
 # information about setting up this service.
 tftp        dgram  udp wait   root /usr/lbin/tftpd    tftpd\
         /opt/ignite\
         /var/opt/ignite
 #bootps      dgram  udp wait   root /usr/lbin/bootpd   bootpd
 #finger      stream tcp nowait bin  /usr/lbin/fingerd  fingerd
 login        stream tcp nowait root /usr/lbin/rlogind  rlogind
 shell        stream tcp nowait root /usr/lbin/remshd   remshd
 exec         stream tcp nowait root /usr/lbin/rexecd   rexecd
 #uucp        stream tcp nowait root /usr/sbin/uucpd    uucpd
 ntalk        dgram  udp wait   root /usr/lbin/ntalkd   ntalkd
 ident        stream tcp wait   bin  /usr/lbin/identd   identd
 printer      stream tcp nowait root /usr/sbin/rlpdaemon  rlpdaemon -i
 daytime      stream tcp nowait root internal
 daytime      dgram  udp nowait root internal
 time         stream tcp nowait root internal
 #time        dgram  udp nowait root internal
 echo         stream tcp nowait root internal
 echo         dgram  udp nowait root internal
 discard      stream tcp nowait root internal
 discard      dgram  udp nowait root internal
 chargen      stream tcp nowait root internal
 chargen      dgram  udp nowait root internal
 ##
 #       rpc services, registered by inetd with portmap
 #       Do not uncomment these unless your system is running portmap!
 ##
 # WARNING: The rpc.mountd should now be started from a startup script.
 #          Please enable the mountd startup script to start rpc.mountd.
 ##
 #rpc  stream tcp  nowait  root  /usr/sbin/rpc.rexd     100017  1   rpc.rexd
 #rpc  dgram  udp  wait    root  /usr/lib/netsvc/rstat/rpc.rstatd   100001    2-4 rpc.rstatd
 #rpc  dgram  udp  wait    root  /usr/lib/netsvc/rusers/rpc.rusersd  100002   1-2 rpc.rusersd
 #rpc  dgram  udp  wait    root  /usr/lib/netsvc/rwall/rpc.rwalld   100008   1 rpc.rwalld
 #rpc  dgram  udp  wait    root  /usr/sbin/rpc.rquotad  100011  1   rpc.rquotad
 #rpc  dgram  udp  wait    root  /usr/lib/netsvc/spray/rpc.sprayd   100012   1 rpc.sprayd
 ##
 #
 #  The standard remshd and rlogind do not include the Kerberized
 #  code. You must install the InternetSvcSec/INETSVCS-SEC fileset and
 #  configure Kerberos as described in the SIS(5) man page.
 #
 ##
 kshell stream tcp nowait root /usr/lbin/remshd remshd -K
 klogin stream tcp nowait root /usr/lbin/rlogind rlogind -K

The /etc/services file maps service names to corresponding port numbers and protocols used for that port. The services mentioned in this file are well known. When the inetd daemon reads its configuration file, /etc/inetd.conf , and decides which services to start, it consults the /etc/services file to determine ports for each of these services. A sample file is shown next. Following the port number and protocol, an alias may be specified for the service.

 # @(#)services $Revision: 1.32.214.7 $ $Date: 97/09/10 14:50:42 $
 # The form for each entry is:
 # <official service name>  <port number/protocol name>  <aliases>
 tcpmux         1/tcp                 # TCP port multiplexer (RFC 1078)
 echo           7/tcp                 # Echo
 echo           7/udp                 #
 discard        9/tcp  sink null      # Discard
 discard        9/udp  sink null      #
 systat        11/tcp  users          # Active Users
 daytime       13/tcp                 # Daytime
 daytime       13/udp                 #
 qotd          17/tcp  quote          # Quote of the Day
 chargen       19/tcp  ttytst source  # Character Generator
 chargen       19/udp  ttytst source  #
 ftp-data      20/tcp                 # File Transfer Protocol (Data)
 ftp           21/tcp                 # File Transfer Protocol (Control)
 telnet        23/tcp                 # Virtual Terminal Protocol
 smtp          25/tcp                 # Simple Mail Transfer Protocol
 time          37/tcp  timeserver     # Time
 time          37/udp  timeserver     #
 rlp           39/udp  resource       # Resource Location Protocol
 whois         43/tcp  nicname        # Who Is
 domain        53/tcp  nameserver     # Domain Name Service
 domain        53/udp  nameserver     #
 bootps        67/udp                 # Bootstrap Protocol Server
 bootpc        68/udp                 # Bootstrap Protocol Client
 tftp          69/udp                 # Trivial File Transfer Protocol
 rje           77/tcp  netrjs         # private RJE Service
 finger        79/tcp                 # Finger
 http          80/tcp  www            # World Wide Web HTTP
 http          80/udp  www            # World Wide Web HTTP
 link          87/tcp  ttylink        # private terminal link
 supdup        95/tcp                 #
 hostnames    101/tcp  hostname       # NIC Host Name Server
 tsap         102/tcp iso_tsap iso-tsap # ISO TSAP (part of ISODE)
 pop          109/tcp postoffice pop2 # Post Office Protocol - Version 2
 pop3         110/tcp  pop-3          # Post Office Protocol - Version 3
 portmap      111/tcp  sunrpc         # SUN Remote Procedure Call
 portmap      111/udp  sunrpc         #
 ident        113/tcp  authentication # RFC1413
 sftp         115/tcp                 # Simple File Transfer Protocol
 uucp-path    117/tcp                 # UUCP Path Service
 nntp         119/tcp  readnews untp  # Network News Transfer Protocol
 ntp          123/udp                 # Network Time Protocol
 netbios_ns   137/tcp                 # NetBIOS Name Service
 netbios_ns   137/udp                 #
 netbios_dgm  138/tcp                 # NetBIOS Datagram Service
 netbios_dgm  138/udp                 #
 netbios_ssn  139/tcp                 # NetBIOS Session Service
 netbios_ssn  139/udp                 #
 bftp         152/tcp                 # Background File Transfer Protocol
 snmp         161/udp  snmpd          # Simple Network Management Protocol Agent
 snmp-trap    162/udp  trapd          # Simple Network Management Protocol Traps
 bgp          179/tcp                 # Border Gateway Protocol
 biff         512/udp  comsat         # mail notification
 exec         512/tcp                 # remote execution, passwd required
 login        513/tcp                 # remote login
 who          513/udp  whod           # remote who and uptime
 shell        514/tcp  cmd            # remote command, no passwd used
 syslog       514/udp                 # remote system logging
 printer      515/tcp  spooler        # remote print spooling
 talk         517/udp                 # conversation
 ntalk        518/udp                 # new talk, conversation
 route        520/udp  router routed  # routing information protocol
 efs          520/tcp                 # Extended file name server
 timed        525/udp  timeserver     # remote clock synchronization
 tempo        526/tcp  newdate        #
 courier      530/tcp  rpc            #
 conference   531/tcp  chat           #
 netnews      532/tcp  readnews       #
 netwall      533/udp                 # Emergency broadcasting
 uucp         540/tcp  uucpd          # uucp daemon
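The seven-field layout, the backslash continuation rule and the /etc/services lookup described above can be exercised together. The following is an added example (not code from the book or from HP-UX): it parses constructed inetd.conf and /etc/services fragments modelled on the samples, lists the ports inetd would listen on, and reports the two things an auditor checks first, servers that run as root and service names that /etc/services cannot resolve.

```python
INETD_CONF = """\
# constructed sample modelled on the inetd.conf shown above (not the book's own)
ftp     stream tcp nowait root /usr/lbin/ftpd     ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd  telnetd
tftp    dgram  udp wait   root /usr/lbin/tftpd    tftpd\\
        /opt/ignite\\
        /var/opt/ignite
daytime stream tcp nowait root internal
"""
SERVICES = """\
ftp      21/tcp                 # File Transfer Protocol (Control)
telnet   23/tcp                 # Virtual Terminal Protocol
tftp     69/udp                 # Trivial File Transfer Protocol
daytime  13/tcp                 # Daytime
"""
def parse_inetd_conf(text):
    """One dict per active entry: joins '\\' continuations, skips '#' lines, splits 7 fields."""
    entries, buf = [], ""
    for line in map(str.rstrip, text.splitlines()):
        if line.endswith("\\"):               # entry continues on the next line
            buf += line[:-1] + " "
            continue
        line, buf = (buf + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        f = line.split(None, 6)               # 7th field keeps the whole argument list
        entries.append(dict(service=f[0], socket=f[1], proto=f[2], wait=f[3], user=f[4],
                            program=f[5], args=" ".join(f[6].split()) if len(f) > 6 else ""))
    return entries
def parse_services(text):
    """Map (name, protocol) -> port from /etc/services text; aliases and comments ignored."""
    ports = {}
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 2 and "/" in f[1]:
            ports[(f[0], f[1].split("/")[1])] = int(f[1].split("/")[0])
    return ports
def audit(conf, services):
    """Ports inetd would bind, as (port, proto, service, user, program), plus findings."""
    ports, listening, findings = parse_services(services), [], []
    for e in parse_inetd_conf(conf):
        port = ports.get((e["service"], e["proto"]))
        if port is None:                      # inetd cannot bind a name /etc/services lacks
            findings.append("%s/%s not in /etc/services" % (e["service"], e["proto"]))
            continue
        listening.append((port, e["proto"], e["service"], e["user"], e["program"]))
        if e["user"] == "root" and e["program"] != "internal":
            findings.append("%s runs %s as root" % (e["service"], e["program"]))
    return sorted(listening), findings
```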

<Some data deleted from here>

SECURING INETD

To add security to the inetd daemon, the /var/adm/inetd.sec file is used. This file provides an extra layer of security for services started with inetd . This is in addition to security implemented by a service itself. The inetd daemon can selectively allow or deny access to other hosts using the /var/adm/inetd.sec file. The following rules apply to this file.

  • If this file does not exist, all hosts are granted access to start an inetd service.

  • If this file exists but is empty, access to all inetd services is allowed.

  • If the file exists and contains some of the service names in the specified format, only access to listed services is allowed.

Each line in the file starts with a service name followed by the allow or deny keyword. After that, a host specifier is present that may contain a host name or an IP address. Multiple host names can be separated by spaces. Wildcards can be used in IP addresses. Consider the following line in this file as an example.

 ftp    allow   192.168.2.* hp0 

This line grants FTP access to all hosts in network 192.168.2 and to the host named hp0. A sample /var/adm/inetd.sec file is shown next.

 login         allow   10.3-5 192.34.56.5 ahost anetwork
 #
 # The above entry allows the following hosts to attempt to access your system
 # using rlogin:
 #               hosts in subnets 3 through 5 in network 10,
 #               the host with an Internet Address of 192.34.56.5,
 #               the host by the name of "ahost",
 #               all the hosts in the network "anetwork"
 #
 mountd      deny    192.23.4.3
 #
 # The mountd entry  denies host  192.23.4.3  access to the NFS  rpc.mountd
 # server.
 #
 # Hosts and network names must be official names, not aliases.
 # See the inetd.sec(4) manual page for more information.
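The host specifiers in the sample above (an octet range such as 10.3-5, an octet wildcard such as 192.168.2.*, a full address, a name) can be checked mechanically before a file is installed. The following added example is not code from the book or from HP-UX; it assumes that a specifier starting with a digit or "*" is an address pattern, that omitted trailing octets match anything, and that any other specifier is compared to the official host or network name as an exact string (no /etc/networks lookup). Services with no line in the file are left undecided by the function.

```python
import re

# Constructed sample modelled on the inetd.sec file shown above (not the book's own text).
INETD_SEC = """\
login   allow   10.3-5 192.34.56.5 ahost anetwork
mountd  deny    192.23.4.3
ftp     allow   192.168.2.* hp0
# comment lines are ignored
"""

def ip_matches(spec, addr):
    """Match a dotted-decimal address against an inetd.sec address spec: each octet may
    be a number, '*' or a range like 3-5; octets omitted at the end match anything."""
    parts, octets = spec.split("."), addr.split(".")
    if len(parts) > 4 or len(octets) != 4:
        return False
    for pat, val in zip(parts, octets):
        rng = re.fullmatch(r"(\d+)-(\d+)", pat)
        if rng:
            if not int(rng.group(1)) <= int(val) <= int(rng.group(2)):
                return False
        elif pat != "*" and pat != val:
            return False
    return True

def parse_inetd_sec(text):
    """Return {service: (action, [host specs])}; '#' starts a comment."""
    rules = {}
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if len(f) < 2 or f[1] not in ("allow", "deny"):
            raise ValueError("bad inetd.sec line: " + line)
        rules[f[0]] = (f[1], f[2:])
    return rules

def access_allowed(rules, service, addr, name=""):
    """Apply the service's allow/deny line to a client; None if the service has no line.
    Assumption: a spec not starting with a digit or '*' is compared to the official
    host or network name as an exact string (no /etc/networks lookup)."""
    if service not in rules:
        return None
    action, specs = rules[service]
    hit = any(ip_matches(s, addr) if s[0].isdigit() or s[0] == "*" else s == name
              for s in specs)
    return hit if action == "allow" else not hit
```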

Table 30-3 lists configuration and security files used for Internet services and a short description of each.

Table 30-3. Configuration Files for ARPA/Berkeley Services

File Name            Description
/etc/inetd.conf      Configuration file for the inetd daemon
/etc/services        Lists service names and ports/protocols used with these services
/var/adm/inetd.sec   Security file to add an extra layer of security for inetd
/etc/hosts.equiv     Host equivalency file used to allow or deny access for specific services
$HOME/.rhosts        User-defined file used to allow or deny incoming network requests

How a Connection Is Established

Before actual data communication starts, the client and server establish a communication session. If the server process is started as a daemon at boot time, it listens to its well-defined port for any incoming connection. If the server process is controlled by inetd , the inetd daemon reads its /etc/inetd.conf file configuration, gets the port number for all services from the /etc/services file, and starts listening to all of these ports. As soon as a connection request is received on a port, the inetd daemon starts the corresponding service daemon.

On the client side, when you start a client, for example telnet, it does not need to know the port number for the server process on the server host, as it is already defined. It opens a socket on an available port number, usually larger than 1024, on the client side and tries to connect to the server port (port number 23 in the case of telnet). After the incoming connection is accepted, a session is established between client and server and data communication starts, depending on the protocol used. A list of open network ports and established socket connections may be displayed using the netstat -a command.

HP Certified: HP-UX System Administration
ISBN: 0130183741
Year: 2000
Pages: 390
Authors: Rafeeq Rehman
