From owner-svn-doc-all@FreeBSD.ORG Fri Jan 31 17:03:24 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A21D9AF2; Fri, 31 Jan 2014 17:03:24 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 8CA3013B6; Fri, 31 Jan 2014 17:03:24 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id s0VH3OCC006955; Fri, 31 Jan 2014 17:03:24 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id s0VH3OG4006953; Fri, 31 Jan 2014 17:03:24 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201401311703.s0VH3OG4006953@svn.freebsd.org> 
From: Dru Lavigne Date: Fri, 31 Jan 2014 17:03:24 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r43707 - in head/en_US.ISO8859-1/books/handbook: install network-servers X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Jan 2014 17:03:24 -0000 Author: dru Date: Fri Jan 31 17:03:23 2014 New Revision: 43707 URL: http://svnweb.freebsd.org/changeset/doc/43707 Log: Finish up this section. Some additional shuffling to improve the flow. Fix reference in another chapter. This section should be much clearer now. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/install/chapter.xml head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/install/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/install/chapter.xml Fri Jan 31 15:30:54 2014 (r43706) +++ head/en_US.ISO8859-1/books/handbook/install/chapter.xml Fri Jan 31 17:03:23 2014 (r43707) 
@@ -2604,7 +2604,7 @@ Do you want to configure inetd and the n will not be enabled. These services can be enabled after installation by editing /etc/inetd.conf with a text editor. - See for more information. + See for more information. Otherwise, select &gui.yes; to configure these services during install. An additional Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 15:30:54 2014 (r43706) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Fri Jan 31 17:03:23 2014 (r43707) @@ -113,6 +113,9 @@ + The <application>inetd</application> + Super-Server + - - The <application>inetd</application> - Super-Server - - - + The &man.inetd.8; daemon is sometimes referred to as a Super-Server because it manages connections for many services. Instead of starting multiple @@ -151,13 +149,15 @@ Primarily, inetd is used to spawn other daemons, but several trivial protocols are handled - directly, such as chargen, - auth, and + internally, such as chargen, + auth, + time, + echo, + discard, and daytime. This section covers the basics of configuring inetd. - Configuration File @@ -182,13 +182,24 @@ the service you configured, type: &prompt.root; service inetd start - + + Once inetd is started, it needs + to be notified whenever a modification is made to + /etc/inetd.conf: + + + Reloading the <application>inetd</application> + Configuration File + + &prompt.root; service inetd reload + + Typically, the default entry for an application does not need to be edited beyond removing the #. In some situations, it may be appropriate to edit the default entry. - As an example, this is the default entry for &man.ftpd.8; using IPv4: + As an example, this is the default entry for &man.ftpd.8; over IPv4: ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l 
@@ -209,13 +220,13 @@ server-program-argumentsservice-name - This is the service name of the particular daemon. + The service name of the daemon to start. It must correspond to a service listed in /etc/services. This determines - which port inetd must listen - to. If a new service is being created, it must be - placed in /etc/services - first. + which port inetd listens on + for incoming connections to that service. + When using a custom service, it must first be + added to /etc/services. @@ -225,10 +236,10 @@ server-program-arguments Either stream, dgram, raw, or - seqpacket. stream - must be used for connection-based, TCP daemons, while - dgram is used for daemons utilizing - the UDP transport protocol. + seqpacket. Use stream + for TCP connections and + dgram for + UDP services. @@ -236,25 +247,25 @@ server-program-argumentsprotocol - One of the following: + Use one of the following protocol names: - Protocol + Protocol Name Explanation - tcp, tcp4 + tcp or tcp4 TCP IPv4 - udp, udp4 + udp or udp4 UDP IPv4 @@ -270,12 +281,12 @@ server-program-arguments tcp46 - Both TCP IPv4 and v6 + Both TCP IPv4 and IPv6 udp46 - Both UDP IPv4 and v6 + Both UDP IPv4 and IPv6 @@ -287,11 +298,17 @@ server-program-arguments{wait|nowait}[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]] - indicates whether the - daemon invoked from inetd is - able to handle its own socket or not. + In this field, or + must be specified. + , + and + are optional. + + indicates whether or not the + service is + able to handle its own socket. socket types must use the - option, while stream socket + option while daemons, which are usually multi-threaded, should use . usually hands off multiple sockets to a single daemon, while 
@@ -299,60 +316,32 @@ server-program-arguments The maximum number of child daemons - inetd may spawn can be set - using the option. If a limit - of ten instances of a particular daemon is needed, a - /10 would be placed after + inetd may spawn is set by + . For example, to limit + ten instances of the daemon, place a + /10 after . Specifying /0 allows an unlimited number of - children + children. - In addition to , two other - options which limit the maximum connections from a - single place to a particular daemon can be enabled. - + limits the number of connections from any particular - IP address per minutes, e.g., a value - of ten would limit any particular IP - address connecting to a particular service to ten - attempts per minute. - limits the number of children that can be started on + IP address per minute. Once the limit + is reached, further connections from this IP address + will be dropped until the end of the minute. For example, a value + of /10 would limit any particular IP + address to ten + connection attempts per minute. + limits the number of child processes that can be started on behalf on any single IP address at - any moment. These options are useful to prevent - intentional or unintentional excessive resource - consumption and Denial of Service (DoS) attacks to a - machine. + any moment. These options can limit + excessive resource + consumption and help to prevent Denial of Service attacks. - In this field, either of or - is mandatory. - , - and - are optional. + An example can be seen in the default + settings for &man.fingerd.8;: - A stream-type multi-threaded daemon without any - , - or - limits would simply - be: nowait. - - The same daemon with a maximum limit of ten daemons - would read: nowait/10. - - The same setup with a limit of twenty connections - per IP address per minute and a - maximum total limit of ten child daemons would read: - nowait/10/20. 
- - These options are utilized by the default - settings of the &man.fingerd.8; daemon, - as seen here: - - finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s - - Finally, an example of this field with a maximum of - 100 children in total, with a maximum of 5 for any one - IP address would read: - nowait/100/0/5. + finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -k -s @@ -360,12 +349,11 @@ server-program-argumentsuser - This is the username that the particular daemon - should run as. Most commonly, daemons run as the - root user. For security purposes, - it is common to find some servers running as the - daemon user, or the least - privileged nobody user. + The username the daemon + will run as. Daemons typically run as + root, + daemon, or + nobody. @@ -373,11 +361,10 @@ server-program-argumentsserver-program - The full path of the daemon to be executed when a - connection is received. If the daemon is a service + The full path to the daemon. + If the daemon is a service provided by inetd internally, - then should be - used. + use . 
@@ -385,58 +372,36 @@ server-program-argumentsserver-program-arguments - This works in conjunction with - by specifying the - arguments, starting with argv[0], + Used to + specify any command + arguments to be passed to the daemon on invocation. If - mydaemon -d is the command line, - mydaemon -d would be the value of - . Again, if the daemon is an internal service, use - here. + . - - When a modification is made to - /etc/inetd.conf, - inetd can be forced to re-read its - configuration file by running the command: - - - Reloading the <application>inetd</application> - Configuration File - - &prompt.root; service inetd reload - Command-Line Options - Additionally, different command-line options can be passed - to inetd via the - inetd_flags option. Like most server daemons, inetd - has a number of options that it can be passed in order to - modify its behaviour. Refer to &man.inetd.8; for - the full list of options. + has a number of options that can be used to + modify its behaviour. By default, + inetd is started with + -wW -C 60. These options enable TCP wrappers for + all services, including internal services, and prevent any + IP address from requesting any + service more than 60 times per minute. + + To change the default options which are passed to inetd, + add an entry for inetd_flags in + /etc/rc.conf. If + inetd is already running, restart + it with service inetd restart. - Options can be passed to inetd - using the inetd_flags option in - /etc/rc.conf. By default, - inetd_flags is set to - -wW -C 60, which turns on TCP wrapping for - inetd's services, and prevents any - single IP address from requesting any - service more than 60 times in any given minute. - - Although we mention rate-limiting options below, novice - users may be pleased to note that these parameters usually do - not need to be modified. These options may be useful if - an excessive amount of connections are being established. - A full list of options can be found in - &man.inetd.8;. 
+ The available rate limiting options are: @@ -444,9 +409,9 @@ server-program-arguments Specify the default maximum number of simultaneous - invocations of each service; the default is unlimited. - May be overridden on a per-service basis with the - parameter. + invocations of each service, where the default is unlimited. + May be overridden on a per-service basis by using + in /etc/inetd.conf. @@ -456,11 +421,10 @@ server-program-arguments Specify the default maximum number of times a service can be invoked from a single - IP address in one minute; the default - is unlimited. May be overridden on a per-service basis - with the - - parameter. + IP address per minute. May be overridden on a per-service basis + by using + in + /etc/inetd.conf. @@ -469,8 +433,8 @@ server-program-arguments Specify the maximum number of times a service can be - invoked in one minute; the default is 256. A rate of 0 - allows an unlimited number of invocations. + invoked in one minute, where the default is 256. A rate of 0 + allows an unlimited number. 
@@ -480,63 +444,37 @@ server-program-arguments Specify the maximum number of times a service can be invoked from a single IP address at - any one time; the default is unlimited. May be - overridden on a per-service basis with the - parameter. + any one time, where the default is unlimited. May be + overridden on a per-service basis by using + in /etc/inetd.conf. + + Additional options are available. Refer to &man.inetd.8; for + the full list of options. - Security + Security Considerations - Depending on the choices made at install time, many - of inetd's services may be enabled - by default. If there is no apparent need for a particular - daemon, consider disabling it. Place a # in - front of the daemon in question in - /etc/inetd.conf, and then - reload the - inetd configuration. Some daemons, such as - fingerd, may not be desired at all - because they provide information that may be useful to an - attacker. - - Some daemons are not security-conscious and have long or - non-existent timeouts for connection attempts. An attacker - can send connections to a particular daemon, eventually - consuming available resources and resulting in a Denial of - Service (DoS). + Many of the daemons which can be managed by + inetd are not security-conscious. + Some daemons, such as + fingerd, can + provide information that may be useful to an + attacker. Only enable the services which are needed and + monitor the system for excessive connection attempts. max-connections-per-ip-per-minute, max-child and max-child-per-ip can be used to limit such attacks. - By default, TCP wrapping is turned on. Consult + By default, TCP wrappers is enabled. Consult &man.hosts.access.5; for more information on placing TCP restrictions on various inetd invoked daemons. - - - Miscellaneous - - daytime, - time, - echo, - discard, - chargen, and - auth are all internally provided - services of inetd. 
- - The auth service provides - identity network services, and is configurable to a certain - degree, whilst the others are simply on or off. - - Consult &man.inetd.8; for more in-depth - information. -
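Review bot: In the @@ -299,60 +316,32 @@ hunk the replacement fingerd example changes the command from `fingerd -s` to `fingerd -k -s` while the surrounding text only uses the line to illustrate the `/3/10` limits; since readers copy these entries verbatim, the line should match what is shipped in /etc/inetd.conf and the text should say in one sentence what `-k` and `-s` do, or point to fingerd(8). The same hunk drops the `nowait/100/0/5` example, which was the only illustration of putting `/0` in the max-connections-per-ip-per-minute position to leave it unlimited while still setting max-child-per-ip; the fingerd line sets only two of the three limits, so one such example is worth keeping. Also, "behalf on any single IP address" should read "behalf of any single IP address", and "to limit ten instances of the daemon" reads better as "to limit a daemon to ten instances".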
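Review bot: The @@ -360,12 +349,11 @@ hunk reduces the user field description to "Daemons typically run as root, daemon, or nobody" and loses the reason the old text gave for choosing daemon or nobody. A line such as "For security, run a daemon as the least privileged user it can function with, such as nobody" keeps the guidance this field exists for, because the user given here is the account that a compromised service runs as.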
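Review bot: The @@ -385,58 +372,36 @@ hunk tells the reader to "add an entry for inetd_flags in /etc/rc.conf" to change the defaults, but does not say that an inetd_flags line in /etc/rc.conf replaces the default `-wW -C 60` rather than adding to it. A reader who sets, say, `inetd_flags="-R 512"` silently turns off TCP wrappers and the per-IP rate limit the hunk has just described. Suggest stating that the existing flags must be repeated alongside any new ones, for example `inetd_flags="-wW -C 60 -R 512"`.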
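Review bot: In the @@ -480,63 +444,37 @@ hunk the retained sentence "max-connections-per-ip-per-minute, max-child and max-child-per-ip can be used to limit such attacks" now has no antecedent, because the paragraph describing connection-exhaustion Denial of Service that "such attacks" referred to is removed in the same hunk. Either name the risk again ("resource exhaustion from excessive connection attempts") or keep one sentence of the removed DoS paragraph. The hunk also deletes the Miscellaneous section, and with it the note that auth is the one internal service that takes configuration; that fact is not carried over to the new list of internal services in the @@ -151 hunk and should go somewhere.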