Date: Fri, 31 Jan 2014 17:03:24 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r43707 - in head/en_US.ISO8859-1/books/handbook: install network-servers
Message-ID: <201401311703.s0VH3OG4006953@svn.freebsd.org>
Author: dru Date: Fri Jan 31 17:03:23 2014 New Revision: 43707 URL: http://svnweb.freebsd.org/changeset/doc/43707 Log: Finish up this section. Some additional shuffling to improve the flow. Fix reference in another chapter. This section should be much clearer now. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/install/chapter.xml head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/install/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/install/chapter.xml Fri Jan 31 15:30:54 2014 (r43706) +++ head/en_US.ISO8859-1/books/handbook/install/chapter.xml Fri Jan 31 17:03:23 2014 (r43707) @@ -2604,7 +2604,7 @@ Do you want to configure inetd and the n will not be enabled. These services can be enabled after installation by editing <filename>/etc/inetd.conf</filename> with a text editor. - See <xref linkend="network-inetd-overview"/> for more information.</para> + See <xref linkend="network-inetd-conf"/> for more information.</para> <para>Otherwise, select &gui.yes; to configure these services during install. An additional Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 15:30:54 2014 (r43706) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 17:03:23 2014 (r43707) @@ -113,6 +113,9 @@ </sect1> <sect1 xml:id="network-inetd"> + <title>The <application>inetd</application> + Super-Server</title> + <!-- <sect1info> <authorgroup> 
@@ -130,12 +133,7 @@ </authorgroup> </sect1info> --> - - <title>The <application>inetd</application> - Super-Server</title> - - <sect2 xml:id="network-inetd-overview"> - + <para>The &man.inetd.8; daemon is sometimes referred to as a Super-Server because it manages connections for many services. Instead of starting multiple @@ -151,13 +149,15 @@ <para>Primarily, <application>inetd</application> is used to spawn other daemons, but several trivial protocols are handled - directly, such as <application>chargen</application>, - <application>auth</application>, and + internally, such as <application>chargen</application>, + <application>auth</application>, + <application>time</application>, + <application>echo</application>, + <application>discard</application>, and <application>daytime</application>.</para> <para>This section covers the basics of configuring <application>inetd</application>.</para> - </sect2> <sect2 xml:id="network-inetd-conf"> <title>Configuration File</title> @@ -182,13 +182,24 @@ the service you configured, type:</para> <screen>&prompt.root; <userinput>service inetd start</userinput></screen> - + + <para>Once <application>inetd</application> is started, it needs + to be notified whenever a modification is made to + <filename>/etc/inetd.conf</filename>:</para> + + <example xml:id="network-inetd-reread"> + <title>Reloading the <application>inetd</application> + Configuration File</title> + + <screen>&prompt.root; <userinput>service inetd reload</userinput></screen> + </example> + <para>Typically, the default entry for an application does not need to be edited beyond removing the <literal>#</literal>. In some situations, it may be appropriate to edit the default entry.</para> - <para>As an example, this is the default entry for &man.ftpd.8; using IPv4:</para> + <para>As an example, this is the default entry for &man.ftpd.8; over IPv4:</para> <programlisting>ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l</programlisting> 
@@ -209,13 +220,13 @@ server-program-arguments</programlisting <term>service-name</term> <listitem> - <para>This is the service name of the particular daemon. + <para>The service name of the daemon to start. It must correspond to a service listed in <filename>/etc/services</filename>. This determines - which port <application>inetd</application> must listen - to. If a new service is being created, it must be - placed in <filename>/etc/services</filename> - first.</para> + which port <application>inetd</application> listens on + for incoming connections to that service. + When using a custom service, it must first be + added to <filename>/etc/services</filename>.</para> </listitem> </varlistentry> @@ -225,10 +236,10 @@ server-program-arguments</programlisting <listitem> <para>Either <literal>stream</literal>, <literal>dgram</literal>, <literal>raw</literal>, or - <literal>seqpacket</literal>. <literal>stream</literal> - must be used for connection-based, TCP daemons, while - <literal>dgram</literal> is used for daemons utilizing - the <acronym>UDP</acronym> transport protocol.</para> + <literal>seqpacket</literal>. Use <literal>stream</literal> + for TCP connections and + <literal>dgram</literal> for + <acronym>UDP</acronym> services.</para> </listitem> </varlistentry> @@ -236,25 +247,25 @@ server-program-arguments</programlisting <term>protocol</term> <listitem> - <para>One of the following:</para> + <para>Use one of the following protocol names:</para> <informaltable frame="none" pgwide="1"> <tgroup cols="2"> <thead> <row> - <entry>Protocol</entry> + <entry>Protocol Name</entry> <entry>Explanation</entry> </row> </thead> <tbody> <row> - <entry>tcp, tcp4</entry> + <entry>tcp or tcp4</entry> <entry>TCP IPv4</entry> </row> <row> - <entry>udp, udp4</entry> + <entry>udp or udp4</entry> <entry><acronym>UDP</acronym> IPv4</entry> </row> 
@@ -270,12 +281,12 @@ server-program-arguments</programlisting <row> <entry>tcp46</entry> - <entry>Both TCP IPv4 and v6</entry> + <entry>Both TCP IPv4 and IPv6</entry> </row> <row> <entry>udp46</entry> - <entry>Both <acronym>UDP</acronym> IPv4 and v6</entry> + <entry>Both <acronym>UDP</acronym> IPv4 and IPv6</entry> </row> </tbody> </tgroup> @@ -287,11 +298,17 @@ server-program-arguments</programlisting <term>{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]</term> <listitem> - <para><option>wait|nowait</option> indicates whether the - daemon invoked from <application>inetd</application> is - able to handle its own socket or not. + <para>In this field, <option>wait</option> or + <option>nowait</option> must be specified. + <option>max-child</option>, + <option>max-connections-per-ip-per-minute</option> and + <option>max-child-per-ip</option> are optional.</para> + + <para><option>wait|nowait</option> indicates whether or not the + service is + able to handle its own socket. <option>dgram</option> socket types must use the - <option>wait</option> option, while stream socket + <option>wait</option> option while <option>stream</option> daemons, which are usually multi-threaded, should use <option>nowait</option>. <option>wait</option> usually hands off multiple sockets to a single daemon, while 
@@ -299,60 +316,32 @@ server-program-arguments</programlisting new socket.</para> <para>The maximum number of child daemons - <application>inetd</application> may spawn can be set - using the <option>max-child</option> option. If a limit - of ten instances of a particular daemon is needed, a - <literal>/10</literal> would be placed after + <application>inetd</application> may spawn is set by + <option>max-child</option>. For example, to limit + ten instances of the daemon, place a + <literal>/10</literal> after <option>nowait</option>. Specifying <literal>/0</literal> allows an unlimited number of - children</para> + children.</para> - <para>In addition to <option>max-child</option>, two other - options which limit the maximum connections from a - single place to a particular daemon can be enabled. - <option>max-connections-per-ip-per-minute</option> + <para><option>max-connections-per-ip-per-minute</option> limits the number of connections from any particular - <acronym>IP</acronym> address per minutes, e.g., a value - of ten would limit any particular <acronym>IP</acronym> - address connecting to a particular service to ten - attempts per minute. <option>max-child-per-ip</option> - limits the number of children that can be started on + <acronym>IP</acronym> address per minute. Once the limit + is reached, further connections from this IP address + will be dropped until the end of the minute. For example, a value + of <literal>/10</literal> would limit any particular <acronym>IP</acronym> + address to ten + connection attempts per minute. <option>max-child-per-ip</option> + limits the number of child processes that can be started on behalf on any single <acronym>IP</acronym> address at - any moment. These options are useful to prevent - intentional or unintentional excessive resource - consumption and Denial of Service (DoS) attacks to a - machine.</para> + any moment. 
These options can limit + excessive resource + consumption and help to prevent Denial of Service attacks.</para> - <para>In this field, either of <option>wait</option> or - <option>nowait</option> is mandatory. - <option>max-child</option>, - <option>max-connections-per-ip-per-minute</option> and - <option>max-child-per-ip</option> are optional.</para> + <para>An example can be seen in the default + settings for &man.fingerd.8;:</para> - <para>A stream-type multi-threaded daemon without any - <option>max-child</option>, - <option>max-connections-per-ip-per-minute</option> or - <option>max-child-per-ip</option> limits would simply - be: <literal>nowait</literal>.</para> - - <para>The same daemon with a maximum limit of ten daemons - would read: <literal>nowait/10</literal>.</para> - - <para>The same setup with a limit of twenty connections - per <acronym>IP</acronym> address per minute and a - maximum total limit of ten child daemons would read: - <literal>nowait/10/20</literal>.</para> - - <para>These options are utilized by the default - settings of the &man.fingerd.8; daemon, - as seen here:</para> - - <programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s</programlisting> - - <para>Finally, an example of this field with a maximum of - 100 children in total, with a maximum of 5 for any one - <acronym>IP</acronym> address would read: - <literal>nowait/100/0/5</literal>.</para> + <programlisting>finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s</programlisting> </listitem> </varlistentry> 
@@ -360,12 +349,11 @@ server-program-arguments</programlisting <term>user</term> <listitem> - <para>This is the username that the particular daemon - should run as. Most commonly, daemons run as the - <systemitem class="username">root</systemitem> user. For security purposes, - it is common to find some servers running as the - <systemitem class="username">daemon</systemitem> user, or the least - privileged <systemitem class="username">nobody</systemitem> user.</para> + <para>The username the daemon + will run as. Daemons typically run as + <systemitem class="username">root</systemitem>, + <systemitem class="username">daemon</systemitem>, or + <systemitem class="username">nobody</systemitem>.</para> </listitem> </varlistentry> @@ -373,11 +361,10 @@ server-program-arguments</programlisting <term>server-program</term> <listitem> - <para>The full path of the daemon to be executed when a - connection is received. If the daemon is a service + <para>The full path to the daemon. + If the daemon is a service provided by <application>inetd</application> internally, - then <option>internal</option> should be - used.</para> + use <option>internal</option>.</para> </listitem> </varlistentry> 
@@ -385,58 +372,36 @@ server-program-arguments</programlisting <term>server-program-arguments</term> <listitem> - <para>This works in conjunction with - <option>server-program</option> by specifying the - arguments, starting with <literal>argv[0]</literal>, + <para>Used to + specify any command + arguments to be passed to the daemon on invocation. If - <command>mydaemon -d</command> is the command line, - <literal>mydaemon -d</literal> would be the value of - <option>server-program-arguments</option>. Again, if the daemon is an internal service, use - <option>internal</option> here.</para> + <option>internal</option>.</para> </listitem> </varlistentry> </variablelist> - - <para>When a modification is made to - <filename>/etc/inetd.conf</filename>, - <application>inetd</application> can be forced to re-read its - configuration file by running the command:</para> - - <example xml:id="network-inetd-reread"> - <title>Reloading the <application>inetd</application> - Configuration File</title> - - <screen>&prompt.root; <userinput>service inetd reload</userinput></screen> - </example> </sect2> <sect2 xml:id="network-inetd-cmdline"> <title>Command-Line Options</title> - <para>Additionally, different command-line options can be passed - to <application>inetd</application> via the - <literal>inetd_flags</literal> option.</para> <para>Like most server daemons, <application>inetd</application> - has a number of options that it can be passed in order to - modify its behaviour. Refer to &man.inetd.8; for - the full list of options.</para> + has a number of options that can be used to + modify its behaviour. By default, + <application>inetd</application> is started with + <literal>-wW -C 60</literal>. 
These options enable TCP wrappers for + all services, including internal services, and prevent any + <acronym>IP</acronym> address from requesting any + service more than 60 times per minute.</para> + + <para>To change the default options which are passed to <application>inetd</application>, + add an entry for <literal>inetd_flags</literal> in + <filename>/etc/rc.conf</filename>. If + <application>inetd</application> is already running, restart + it with <command>service inetd restart</command>.</para> - <para>Options can be passed to <application>inetd</application> - using the <literal>inetd_flags</literal> option in - <filename>/etc/rc.conf</filename>. By default, - <literal>inetd_flags</literal> is set to - <literal>-wW -C 60</literal>, which turns on TCP wrapping for - <application>inetd</application>'s services, and prevents any - single <acronym>IP</acronym> address from requesting any - service more than 60 times in any given minute.</para> - - <para>Although we mention rate-limiting options below, novice - users may be pleased to note that these parameters usually do - not need to be modified. These options may be useful if - an excessive amount of connections are being established. - A full list of options can be found in - &man.inetd.8;.</para> + <para>The available rate limiting options are:</para> <variablelist> <varlistentry> @@ -444,9 +409,9 @@ server-program-arguments</programlisting <listitem> <para>Specify the default maximum number of simultaneous - invocations of each service; the default is unlimited. - May be overridden on a per-service basis with the - <option>max-child</option> parameter.</para> + invocations of each service, where the default is unlimited. + May be overridden on a per-service basis by using + <option>max-child</option> in <filename>/etc/inetd.conf</filename>.</para> </listitem> </varlistentry> 
@@ -456,11 +421,10 @@ server-program-arguments</programlisting <listitem> <para>Specify the default maximum number of times a service can be invoked from a single - <acronym>IP</acronym> address in one minute; the default - is unlimited. May be overridden on a per-service basis - with the - <option>max-connections-per-ip-per-minute</option> - parameter.</para> + <acronym>IP</acronym> address per minute. May be overridden on a per-service basis + by using + <option>max-connections-per-ip-per-minute</option> in + <filename>/etc/inetd.conf</filename>.</para> </listitem> </varlistentry> @@ -469,8 +433,8 @@ server-program-arguments</programlisting <listitem> <para>Specify the maximum number of times a service can be - invoked in one minute; the default is 256. A rate of 0 - allows an unlimited number of invocations.</para> + invoked in one minute, where the default is <literal>256</literal>. A rate of <literal>0</literal> + allows an unlimited number.</para> </listitem> </varlistentry> 
@@ -480,63 +444,37 @@ server-program-arguments</programlisting <listitem> <para>Specify the maximum number of times a service can be invoked from a single <acronym>IP</acronym> address at - any one time; the default is unlimited. May be - overridden on a per-service basis with the - <option>max-child-per-ip</option> parameter.</para> + any one time, where the default is unlimited. May be + overridden on a per-service basis by using + <option>max-child-per-ip</option> in <filename>/etc/inetd.conf</filename>.</para> </listitem> </varlistentry> </variablelist> + + <para>Additional options are available. Refer to &man.inetd.8; for + the full list of options.</para> </sect2> <sect2 xml:id="network-inetd-security"> - <title>Security</title> + <title>Security Considerations</title> - <para>Depending on the choices made at install time, many - of <application>inetd</application>'s services may be enabled - by default. If there is no apparent need for a particular - daemon, consider disabling it. Place a <quote>#</quote> in - front of the daemon in question in - <filename>/etc/inetd.conf</filename>, and then - <link linkend="network-inetd-reread">reload the - inetd configuration</link>. Some daemons, such as - <application>fingerd</application>, may not be desired at all - because they provide information that may be useful to an - attacker.</para> - - <para>Some daemons are not security-conscious and have long or - non-existent timeouts for connection attempts. An attacker - can send connections to a particular daemon, eventually - consuming available resources and resulting in a Denial of - Service (<acronym>DoS</acronym>). + <para>Many of the daemons which can be managed by + <application>inetd</application> are not security-conscious. + Some daemons, such as + <application>fingerd</application>, can + provide information that may be useful to an + attacker. Only enable the services which are needed and + monitor the system for excessive connection attempts. 
<literal>max-connections-per-ip-per-minute</literal>, <literal>max-child</literal> and <literal>max-child-per-ip</literal> can be used to limit such attacks.</para> - <para>By default, TCP wrapping is turned on. Consult + <para>By default, TCP wrappers is enabled. Consult &man.hosts.access.5; for more information on placing TCP restrictions on various <application>inetd</application> invoked daemons.</para> </sect2> - - <sect2 xml:id="network-inetd-misc"> - <title>Miscellaneous</title> - - <para><application>daytime</application>, - <application>time</application>, - <application>echo</application>, - <application>discard</application>, - <application>chargen</application>, and - <application>auth</application> are all internally provided - services of <application>inetd</application>.</para> - - <para>The <application>auth</application> service provides - identity network services, and is configurable to a certain - degree, whilst the others are simply on or off.</para> - - <para>Consult &man.inetd.8; for more in-depth - information.</para> - </sect2> </sect1> <sect1 xml:id="network-nfs">
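Review bot: in the hunk @@ -130,12 +133,7 @@ of network-servers/chapter.xml, the <sect2 xml:id="network-inetd-overview"> wrapper is removed together with its xml:id. The one xref in install/chapter.xml is repointed to network-inetd-conf in this same commit, but any other linkend="network-inetd-overview" elsewhere in the handbook tree would now break the build, so grep the whole tree for that id before this goes in.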
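Review bot: in the rate-limit hunk @@ -299,60 +316,32 @@, the deleted `nowait/100/0/5` example was the only place showing that a field can be skipped with `0` to set max-child-per-ip while leaving max-connections-per-ip-per-minute unlimited; the surviving `nowait/3/10` example never shows the third field at all. Suggest keeping one sentence, e.g. "To set max-child-per-ip without a per-minute limit, use 0 for the middle field, as in nowait/100/0/5." Also, the fingerd line now carries `-k` and is presented as the default entry, so please confirm it matches the shipped /etc/inetd.conf, and confirm against inetd(8) the newly added statement that further connections "will be dropped until the end of the minute".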
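Review bot: in the user hunk @@ -360,12 +349,11 @@, the rewrite lists root, daemon and nobody as equal choices and drops the sentence explaining that daemon and nobody are used for security purposes as the least privileged users. That rationale is the security-relevant content of this field; suggest keeping one clause such as "Run the daemon as the least privileged user it supports, such as <systemitem class="username">daemon</systemitem> or <systemitem class="username">nobody</systemitem>, and use <systemitem class="username">root</systemitem> only when the daemon requires it."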
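Review bot: in the server-program-arguments hunk @@ -385,58 +372,36 @@, the removed text was the only place that explained the arguments begin with argv[0], which is why the daemon name appears twice in entries such as `ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l` and the fingerd line `... /usr/libexec/fingerd fingerd -k -s`. The new wording "any command arguments to be passed to the daemon on invocation" reads as if `-l` alone were the value of this field; suggest keeping the sentence that the value starts with argv[0], i.e. the program name, followed by its options.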
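Review bot: in the hunk @@ -456,11 +421,10 @@ for the per-IP-per-minute option, the phrase "the default is unlimited" is removed, while the neighbouring options in @@ -444 and @@ -469 still state their defaults (unlimited and 256). Since the command-line text earlier in this patch says inetd is started with `-wW -C 60` from /etc/rc.conf, suggest stating both so the option does not appear to have no default, e.g. "The built-in default is unlimited, but the default <literal>inetd_flags</literal> in <filename>/etc/rc.conf</filename> set this to 60."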
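Review bot: in the Security Considerations hunk @@ -480,63 +444,37 @@, the rewrite keeps the advice "Only enable the services which are needed" but removes the instructions for doing so (prefix the line in /etc/inetd.conf with # and then reload) together with the <link linkend="network-inetd-reread"> to the reload example, which this commit moves but keeps under the same xml:id. Suggest restoring one sentence with that link so the advice is actionable. Minor: "TCP wrappers is enabled" reads awkwardly; consider "TCP wrapping is enabled", as in the removed line.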