
Installing and configuring xinetd on Solaris 8

I. Background

1. Overview:
xinetd replaces inetd + tcp_wrappers and adds access control, improved logging and resource management; it has become the standard Internet super-server. There is still no complete installation and configuration guide for it on Solaris, so I want to write a simple step-by-step guide for Solaris.

2. Basic information
Server: Sun-Fire-280R
Operating system: SunOS 5.8 Generic_117350-02

3. xinetd package information
Version: 2.3.10
Download: ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/xinetd-2.3.10-sol8-sparc-local.gz
Package note: this package was built with the --with-libwrap, --with-loadavg and --with-inet6 configure options.

4. The services the system runs through xinetd by default fall into the following groups:
Standard Internet services: telnet ftp
Information services: finger netstat systat
Mail services: imap imaps pop2 pop3 pops
RPC services: rquotad rstatd rusersd sprayd walld
BSD services: comsat exec login ntalk shell talk
Internal services: chargen daytime echo servers services time
Security services: irc
Other services: name tftp uucp

5. More information:
http://www.xinetd.org/

II. Installing and configuring xinetd

1. Installation
1) # gzip -d xinetd-2.3.10-sol8-sparc-local.gz
2) # pkgadd -d xinetd-2.3.10-sol8-sparc-local
If no errors are reported, the installation is complete.

2. What the package installs
1) Documentation: /usr/local/doc/xinetd
Contains the installation notes and the configuration file documentation.
2) Commands: /usr/local/sbin/
xinetd, xconv.pl, itox

3. Configuration:
Note: the configuration involves two files: /etc/init.d/inetsvc (must be modified) and /etc/xinetd.conf (must be generated).
1) Generate /etc/xinetd.conf:
a) Note: /etc/xinetd.conf is generated by converting /etc/inetd.conf; it is the configuration file xinetd uses in place of inetd's.
b) Command:
# /usr/local/sbin/xconv.pl < /etc/inetd.conf > /etc/xinetd.conf
c) Caution:
Remove unnecessary services such as finger and login from /etc/inetd.conf beforehand, and the generated /etc/xinetd.conf will be much leaner. (Before converting, I kept only telnet and ftp in /etc/inetd.conf.) Other services such as ssh can be added by hand.
2) Modify /etc/init.d/inetsvc:
Two places need to change:
a) Change one (comment out the old line and add the new one):
Before: /usr/bin/pkill -x -u 0 'in.named|inetd'
After:  /usr/bin/pkill -x -u 0 'in.named|xinetd'
b) Change two:
Before: /usr/sbin/inetd -s &
After:  /usr/local/sbin/xinetd -s &
3) Test:
Stop the old service: # /etc/init.d/inetsvc stop
Start the new service: # /etc/init.d/inetsvc start
Check for a leftover inetd process (the modified stop action no longer matches inetd, so a running inetd has to be killed by hand): # ps -ef | grep inetd
Kill the process id found: # kill -9 ***
Check the xinetd process: # ps -ef | grep xinetd
If the following is shown, xinetd is configured correctly:
root 158 1 0 15:41:50 ? 0:00 /usr/local/sbin/xinetd -s
Note:
If xinetd fails to start, the cause is usually the /etc/xinetd.conf configuration file.
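As an added example (it is not from the article, and it is not the xconv.pl shipped with xinetd), the following POSIX shell function shows what the conversion in step 3.1 does: every active line of an inetd.conf becomes one xinetd service stanza, commented-out lines such as finger are dropped (which is why trimming /etc/inetd.conf first yields a leaner result), "internal" servers become type = INTERNAL entries, and RPC entries are reported and skipped (the real xconv.pl converts those too). The sample inetd.conf is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a simplified inetd.conf -> xinetd.conf converter (hypothetical
# helper, not xconv.pl).  Reads inetd.conf lines on stdin and writes one xinetd
# "service" stanza per active line on stdout.  RPC entries are skipped.

inetd_to_xinetd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines are not converted
        NF < 6 { next }                            # malformed line: too few fields
        $3 ~ /^rpc\// { printf("# skipped RPC service %s\n", $1); next }
        {
            # inetd fields: name socket_type proto wait/nowait user server [args...]
            wait = ($4 == "wait") ? "yes" : "no"
            printf("service %s\n{\n", $1)
            printf("\tsocket_type\t= %s\n", $2)
            printf("\tprotocol\t= %s\n", $3)
            printf("\twait\t\t= %s\n", wait)
            printf("\tuser\t\t= %s\n", $5)
            if ($6 == "internal") {
                # built-in services (echo, daytime, ...) have no server binary
                printf("\ttype\t\t= INTERNAL\n")
                printf("\tid\t\t= %s-%s\n", $1, $2)
            } else {
                printf("\tserver\t\t= %s\n", $6)
                # field 7 is argv[0]; only the remaining words become server_args
                if (NF > 7) {
                    args = $8
                    for (i = 9; i <= NF; i++) args = args " " $i
                    printf("\tserver_args\t= %s\n", args)
                }
            }
            printf("}\n\n")
        }'
}

# Constructed sample, modelled on a trimmed Solaris 8 /etc/inetd.conf.
SAMPLE_INETD_CONF='# constructed sample inetd.conf
ftp       stream  tcp      nowait  root    /usr/sbin/in.ftpd       in.ftpd -l
telnet    stream  tcp      nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger   stream  tcp      nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo      stream  tcp      nowait  root    internal
100232/10 tli     rpc/udp  wait    root    /usr/sbin/sadmind       sadmind'

# Demonstration run; on a real host: inetd_to_xinetd < /etc/inetd.conf > /etc/xinetd.conf
printf '%s\n' "$SAMPLE_INETD_CONF" | inetd_to_xinetd
```

Only the three active non-RPC lines (ftp, telnet, echo) produce stanzas; the commented finger line never reaches the output, and the sadmind entry is flagged so it can be added by hand.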

III. Restricting ssh logins with xinetd

1. Method:
1) Edit /etc/xinetd.conf and add the following:
service ssh
{
    socket_type = stream
    wait = no
    user = root
    server = /usr/local/sbin/sshd
    port = 22
    server_args = -i
    only_from = 192.0.0.109
}
2. Test:
Reboot the machine and check that xinetd started normally.
An ssh login from 192.0.0.109 on the internal network succeeding is the expected result.
An ssh login from any other IP being refused is the expected result.
3. Caution:
After installing SSH, do not add S99sshd under /etc/rc2.d, because xinetd now starts the sshd process. Otherwise a standalone sshd listens on port 22 itself and the IP restriction is not enforced.

IV. Notes:
Server state after the installation:
# nmap -P0 127.0.0.1
22/tcp open ssh
Only the ssh port is left open, and ssh logins are limited to the internal address 192.0.0.109.

-----------------------------------------------------
The complete /etc/init.d/inetsvc file:
# more /etc/init.d/inetsvc
#!/sbin/sh
#
# Copyright (c) 1995, 1997-1999 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)inetsvc 1.24 99/03/21 SMI"

#
# This is third phase of TCP/IP startup/configuration. This script
# runs after the NIS/NIS+ startup script. We run things here that may
# depend on NIS/NIS+ maps.
#

case "$1" in
'start')
    ;;  # Fall through -- rest of script is the initialization code

'stop')
    # /usr/bin/pkill -x -u 0 'in.named|inetd'
    /usr/bin/pkill -x -u 0 'in.named|xinetd'
    exit 0
    ;;

*)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
esac

# If boot variables are not set, set variables we use
[ -z "$_INIT_UTS_NODENAME" ] && _INIT_UTS_NODENAME=`/usr/bin/uname -n`

if [ -z "$_INIT_PREV_LEVEL" ]; then
    set -- `/usr/bin/who -r`
    _INIT_PREV_LEVEL="$9"
fi

#
# wait_nis
# Wait up to 5 seconds for ypbind to obtain a binding.
#
wait_nis ()
{
    for i in 1 2 3 4 5; do
        server=`/usr/bin/ypwhich 2>/dev/null`
        [ $? -eq 0 -a -n "$server" ] && return 0
        sleep 1
    done
    return 1
}

#
# We now need to reset the netmask and broadcast address for our network
# interfaces. Since this may result in a name service lookup, we want to
# now wait for NIS to come up if we previously started it.
#
domain=`/usr/bin/domainname 2>/dev/null`

[ -z "$domain" ] || [ ! -d /var/yp/binding/$domain ] || wait_nis || \
    echo "WARNING: Timed out waiting for NIS to come up" >& 2

#
# Re-set the netmask and broadcast addr for all IP interfaces. This ifconfig
# is run here, after waiting for name services, so that "netmask +" will find
# the netmask if it lives in a NIS map. The 'D' in -auD tells ifconfig NOT to
# mess with the interface if it is under DHCP control
#
/usr/sbin/ifconfig -auD4 netmask + broadcast +

# Uncomment these lines to print complete network interface configuration
# echo "network interface configuration:"
# /usr/sbin/ifconfig -a

#
# If this machine is configured to be an Internet Domain Name System (DNS)
# server, run the name daemon. Start named prior to: route add net host,
# to avoid dns gethostbyname timeout delay for nameserver during boot.
#
if [ -f /usr/sbin/in.named -a -f /etc/named.conf ]; then
    echo 'starting internet domain name server.'
    /usr/sbin/in.named &
fi

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
    dnsdomain=`/sbin/dhcpinfo DNSdmain`
else
    dnsdomain=
fi

if [ -n "$dnsdomain" ]; then
    dnsservers=`/sbin/dhcpinfo DNSserv`
    if [ -n "$dnsservers" ]; then
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' -e '/^nameserver/d' /etc/resolv.conf >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
        for name in $dnsservers; do
            echo nameserver $name >>/tmp/resolv.conf.$$
        done
    else
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' /etc/resolv.conf >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
    fi

    #
    # Warning: The umask is 000 during boot, which requires explicit
    # setting of file permission modes when we create files.
    #
    /usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
    /usr/bin/chmod 644 /etc/resolv.conf

    # Add dns to the nsswitch file, if it isn't already there.
    /usr/bin/rm -f /tmp/nsswitch.conf.$$
    /usr/bin/awk ' $1 ~ /^hosts:/ {
        n = split($0, a);
        newl = a[1];
        if ($0 !~ /dns/) {
            printf("#%s # Commented out by DHCP\n", $0);
            updated = 0;
            for (i = 2; i
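As an added example that is not part of the article, the following shell functions review an xinetd.conf like the one in section III. xinetd_audit reports, per service, whether it is disabled, limited by only_from, configured with an empty only_from (which xinetd treats as deny-all), or open to every source; xinetd_allows models how xinetd matches a client address against dotted-quad only_from entries, where trailing zero components are wildcards, so 192.0.0.0 would admit every 192.x.x.x host while the article's 192.0.0.109 admits exactly one address. The sample configuration is constructed; hostnames, netmask and CIDR forms and no_access are not modelled.

```shell
#!/bin/sh
# Added example (not from the article): review the access control in an
# xinetd.conf and model xinetd's only_from matching for dotted-quad entries.

# Constructed sample configuration, in the style of the article's ssh stanza.
SAMPLE_XINETD_CONF='service ssh
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/local/sbin/sshd
    server_args = -i
    only_from   = 192.0.0.109
}

service telnet
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}

service finger
{
    disable     = yes
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
}
'

# Print one line per service: disabled, UNRESTRICTED, deny-all, or the only_from list.
xinetd_audit() {
    awk '
        /^[ \t]*service[ \t]+/ { svc = $2; order[++n] = svc; seen[svc] = 0; value[svc] = ""; off[svc] = 0; next }
        svc != "" && /^[ \t]*only_from[ \t]*[+]?=/ {
            line = $0; sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            seen[svc] = 1
            value[svc] = (value[svc] == "") ? line : value[svc] " " line
        }
        svc != "" && /^[ \t]*disable[ \t]*=[ \t]*yes/ { off[svc] = 1 }
        /^[ \t]*}/ { svc = "" }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (off[s])                state = "disabled"
                else if (!seen[s])         state = "UNRESTRICTED (no only_from)"
                else if (value[s] == "")   state = "deny-all (empty only_from)"
                else                       state = "restricted to " value[s]
                printf("%s: %s\n", s, state)
            }
        }'
}

# Model of xinetd only_from matching for %d.%d.%d.%d entries: an address with
# no trailing zero components matches only itself; trailing zero components are
# wildcards (192.0.0.0 matches every 192.x.x.x host, 0.0.0.0 matches everything).
# Arguments: only_from list (space separated), client IPv4 address.  Prints
# "allow" or "deny".  Hostname, netmask and CIDR entries are ignored here.
xinetd_allows() {
    awk -v list="$1" -v ip="$2" 'BEGIN {
        verdict = "deny"
        split(ip, c, ".")
        n = split(list, ent, /[ \t]+/)
        for (k = 1; k <= n; k++) {
            if (split(ent[k], e, ".") != 4) continue
            p = 4
            while (p > 0 && e[p] == "0") p--      # drop wildcard tail
            hit = 1
            for (j = 1; j <= p; j++) if (c[j] != e[j]) { hit = 0; break }
            if (hit) { verdict = "allow"; break }
        }
        print verdict
    }'
}

# Demonstration run; on a real host: xinetd_audit < /etc/xinetd.conf
printf '%s' "$SAMPLE_XINETD_CONF" | xinetd_audit
xinetd_allows "192.0.0.109" 192.0.0.109   # the article's rule admits this host
xinetd_allows "192.0.0.109" 192.0.0.110   # and refuses its neighbour
```

The audit makes the gap in this sample obvious: ssh is pinned to one address, finger is off, but telnet has no only_from and accepts every source, which is exactly the kind of stanza to remove or restrict before trusting the nmap result in section IV.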