A Linux User Reference

NETWORK APPLICATIONS

Internet daemon

  • Internet superdaemon
    inetd (superseded)

    Largely superseded by 'xinetd'. Neither superdaemon is installed by default on Ubuntu-based distributions (13.x onwards at least), as more and more server daemons are designed to run securely as standalone programs rather than being invoked by a superdaemon.

    If you want to use one it is recommended that you use 'xinetd':

    • xinetd - replacement for inetd with many enhancements
    • inetutils-inetd - internet super server

    Sample configurations - /etc/inetd.conf

    # Internet superdaemon, being replaced by 'xinetd'.  A single service that 
    # listens to all desired ports and starts appropriate service daemon upon
    # inbound request.
    
    # Format: 
    # <service> <socket_type> <proto> <flags> <user> <server_path> <args>
    #
    # <flags>
    # wait|nowait[.max]    wait: inetd hands the socket to one server and accepts no further
    #                      requests for that service until the server exits (single-threaded,
    #                      the norm for dgram/udp services). nowait: a new server instance is
    #                      started for every inbound request (the norm for stream/tcp services)
    #            [.max]    Limits the number of server instances spawned by inetd within any 
    #                      60 second interval; once exceeded inetd logs the problem and stops
    #                      serving that service for a period
    # <user[.group]>       Under which user and optionally which group the service should run
    # <args>               Arguments for the server program, starting with its own name (argv[0])
    
    ftp       stream        tcp     nowait   root     /usr/sbin/tcpd     /usr/sbin/in.ftpd
    telnet    stream        tcp     nowait   root     /usr/sbin/tcpd     /usr/sbin/in.telnetd
    imap      stream        tcp     nowait   root     /usr/sbin/tcpd     imapd
    ident     stream        tcp     nowait   nobody   /usr/sbin/identd   identd -I
    tftp      dgram         udp     wait     nobody   /usr/sbin/tcpd     /usr/sbin/in.tftpd /boot
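
    As an added example (not the page's own code), here is a small parser for entries in the format just described, with an audit pass over a constructed copy of the sample above. It flags the three things a reviewer looks for first in an inetd.conf: servers that run as root, servers started directly rather than through the tcpd wrapper (so hosts.allow and hosts.deny never apply to them), and services whose protocol carries credentials in clear text. The CLEARTEXT_AUTH set, the rate-limited ident line and the built-in 'daytime' entry are assumptions made for the example.

```python
# Added example, not from the page: parse /etc/inetd.conf entries in the format
# described above and report what a reviewer checks first: servers that run as
# root, servers started without the tcpd wrapper (so hosts.allow/hosts.deny are
# never consulted) and services whose protocol sends credentials in clear text.
CLEARTEXT_AUTH = {"telnet", "ftp", "imap", "pop3", "rlogin", "rsh", "rexec"}  # assumed list


def parse_inetd_conf(text):
    """One dict per entry; fields as on the page: service socket_type proto
    wait|nowait[.max] user[.group] server_path [args...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        f = line.split(None, 6)                      # the 7th field keeps every server arg
        if len(f) < 6:
            raise ValueError(f"malformed inetd.conf entry: {raw!r}")
        wait, _, rate = f[3].partition(".")          # wait|nowait[.max]
        user, _, group = f[4].partition(".")         # user[.group]
        entries.append({
            "service": f[0], "socket_type": f[1], "proto": f[2],
            "wait": wait, "max_per_minute": int(rate) if rate else None,
            "user": user, "group": group or None,
            "server": f[5], "args": f[6] if len(f) > 6 else "",
        })
    return entries


def audit(entries):
    """Service name -> list of findings (an empty list means nothing flagged)."""
    report = {}
    for e in entries:
        issues = []
        if e["user"] == "root":
            issues.append("runs as root")
        # 'internal' services are handled by inetd itself, so no wrapper applies.
        if e["server"] != "internal" and not e["server"].endswith("/tcpd"):
            issues.append("not wrapped by tcpd")
        if e["service"] in CLEARTEXT_AUTH:
            issues.append("cleartext credentials")
        report[e["service"]] = issues
    return report


# Constructed sample mirroring the entries above, plus a rate-limited identd
# and an inetd built-in service (assumptions for the example).
SAMPLE_INETD_CONF = """\
# service  type    proto  flags      user    server             args
ftp        stream  tcp    nowait     root    /usr/sbin/tcpd     /usr/sbin/in.ftpd
telnet     stream  tcp    nowait     root    /usr/sbin/tcpd     /usr/sbin/in.telnetd
imap       stream  tcp    nowait     root    /usr/sbin/tcpd     imapd
ident      stream  tcp    nowait.20  nobody  /usr/sbin/identd   identd -I
tftp       dgram   udp    wait       nobody  /usr/sbin/tcpd     /usr/sbin/in.tftpd /boot
daytime    stream  tcp    nowait     root    internal
"""

if __name__ == "__main__":
    for name, issues in audit(parse_inetd_conf(SAMPLE_INETD_CONF)).items():
        print(f"{name:8} {'; '.join(issues) or 'ok'}")
```

The audit deliberately treats "not wrapped by tcpd" as a finding only for external servers: a service whose server field is 'internal' is answered by inetd itself and cannot be wrapped, while every other entry can be put behind /usr/sbin/tcpd by moving the real program into the args field, as the ftp, telnet, imap and tftp lines do.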
    
  • TCP Wrappers
    • TCP wrappers are provided by 'tcpd'.
    • It provides detailed syslog logging via the authpriv facility.
    • 'tcpd' does not listen on any port itself: inetd accepts the connection and runs 'tcpd' in place of the real server. 'tcpd' logs the request, checks the client's host name and address against its access rules and, if access is granted, executes the real daemon (named in its arguments) with the connection still attached.
    • The wrappers allow restrictions on the origin of inbound requests to be defined by consulting the /etc/hosts.allow and /etc/hosts.deny files.
    /etc/hosts.allow

    Access is granted when a (daemon, client) pair matches an entry in this file.

    /etc/hosts.deny

    Access is denied when a (daemon, client) pair matches an entry in this file.

    Neither file

    Access is granted.

    • The search stops at the first match, starting with hosts.allow. If access is granted by an entry in hosts.allow, hosts.deny is not consulted at all.
    • A missing file is treated as empty. With both files missing (or empty) all access is permitted, so access control can be switched off by removing both files.
    • Because access is granted by default, the allow file can be omitted and only non-authorised hosts listed in the deny file. The safer posture is the reverse: 'ALL: ALL' in hosts.deny and an explicit list of permitted (daemon, client) pairs in hosts.allow, so that a forgotten or newly added service is closed rather than open.
    • Only hosts that match an entry in /etc/hosts.deny (and no entry in hosts.allow) are refused access.
    • Once access is approved, 'tcpd' hands the connection over to the requested service; otherwise it closes the connection without starting the server.

    Sample configurations - /etc/hosts.allow

    # Format: 
    # <daemon list> : <client list> [: <shell command>]
    # (both lists may use the patterns, wildcards and the EXCEPT operator described below)
    
    ALL: LOCAL @a_grp                       # Permits access from hosts in the local 
                                            # domain and members of the a_grp net group.
    ALL: .bar.edu EXCEPT tserver.bar.edu    # Permits access from all hosts in bar.edu
                                            # domain except tserver.bar.edu.
    

    Sample configurations - /etc/hosts.deny

    # Format: 
    # <daemon list> : <client list> [: <shell command>]
    # (both lists may use the patterns, wildcards and the EXCEPT operator described below)
    
    ALL: ALL                                                 # Denies all services to all hosts, unless
                                                             # allowed access by hosts.allow
    ALL: some.host.name, .some.domain                        # Denies some hosts and domains all services
    ALL EXCEPT in.fingerd: other.host.name, .other.domain    # Denies those hosts and domains every service
                                                             # except finger, which falls through to the
                                                             # default (access granted)
    
  • TCP Wrappers - patterns, wildcards and operators

    These can be used to tune the selection criteria in the hosts.allow and hosts.deny files more finely.

    Pattern               Example                       Action
    Starts with .         .tue.nl                       Matches the host name wzv.win.tue.nl (any host in that domain)
    Ends with .           131.155.                      Matches the address of every host 131.155.x.x
    Starts with @         @netgroup                     Treated as an NIS (formerly YP) netgroup name
    Starts with /         /file_name                    Matches any host name or address pattern listed in file_name
    n.n.n.n/m.m.m.m       131.155.72.0/255.255.254.0    Matches every address 131.155.72.0 - 131.155.73.255
    [n:n:n:n:n:n:n:n]/m   [3ffe:505:2:1::]/64           Matches every address 3ffe:505:2:1:: - 3ffe:505:2:1:ffff:ffff:ffff:ffff

    Operator              Example                       Action
    EXCEPT                list_1 EXCEPT list_2          Matches list_1 unless it also matches list_2

    Wildcard              Explanation
    *                     Matches any sequence of characters within a host name or address (shell style)
    ?                     Matches any single character within a host name or address
                          Neither * nor ? can be combined with the starts/ends with . forms or with network/mask
    ALL                   Universal wildcard, always matches
    LOCAL                 Matches any host whose name does not contain a dot . character
    UNKNOWN               Matches any user whose name is unknown and any host whose name or address is unknown
    KNOWN                 Matches any user whose name is known, and any host whose name and address are both known
    PARANOID              Matches any host whose name does not match its address; when tcpd is built with -DPARANOID
                          (the default) such requests are dropped before the access tables are even consulted
                          Note: KNOWN, UNKNOWN and PARANOID depend on DNS; a temporary lookup failure makes a host
                          UNKNOWN, so rules built on them behave differently while DNS is in trouble
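
    The decision order described above and the pattern forms in the table can be exercised offline with the following simulator. It is an added example written for this page, not part of tcp_wrappers or of the original reference; the two rule sets (HOSTS_ALLOW, HOSTS_DENY) and the client names and addresses it is run against are constructed here. @netgroup, /file and PARANOID patterns need NIS, a file on disk or DNS and are treated as non-matching in the simulator.

```python
# Added example, not from the page: a simulator of tcpd's hosts_access(5)
# decision so the allow/deny rules and the pattern table can be tested offline.
# Handled: ALL, LOCAL, KNOWN, UNKNOWN, leading-dot domains, trailing-dot address
# prefixes, n.n.n.n/m.m.m.m, CIDR, [ipv6]/prefixlen, '*'/'?' wildcards, EXCEPT.
# Not simulated (they need NIS, DNS or file access): @netgroup, /file, PARANOID.
import fnmatch
import ipaddress

ALLOW, DENY = "ALLOW", "DENY"


def _split_fields(line):
    """Split on ':' but not inside [...] so IPv6 patterns survive."""
    fields, cur, depth = [], [], 0
    for ch in line:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur).strip())
    return fields


def parse_rules(text):
    """(daemon_list, client_list) pairs; '#' comments, blank lines and the
    optional third field (shell command) are dropped."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = _split_fields(line)
            if len(fields) >= 2:
                rules.append((fields[0], fields[1]))
    return rules


def _in_list(spec, matcher):
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 also matches;
    a second EXCEPT binds to the right: a EXCEPT (b EXCEPT c)."""
    head, _, rest = spec.partition(" EXCEPT ")
    if not any(matcher(tok) for tok in head.replace(",", " ").split()):
        return False
    return not _in_list(rest, matcher) if rest.strip() else True


def _client_match(tok, host, addr):
    """One client pattern against (host name, address); '' host = unknown."""
    key, ip = tok.upper(), ipaddress.ip_address(addr)
    if key == "ALL":
        return True
    if key == "LOCAL":
        return bool(host) and "." not in host
    if key in ("KNOWN", "UNKNOWN"):
        return bool(host) == (key == "KNOWN")
    if key == "PARANOID" or tok[0] in "@/":
        return False                                   # not simulated
    if tok.startswith("["):                            # [ipv6]/prefixlen
        tok = tok.replace("[", "").replace("]", "")
    if "/" in tok:                                     # net/mask or CIDR
        return ip in ipaddress.ip_network(tok, strict=False)
    if "*" in tok or "?" in tok:                       # shell-style wildcards
        return fnmatch.fnmatchcase(host.lower(), tok.lower()) or fnmatch.fnmatchcase(addr, tok)
    if tok.startswith("."):                            # domain suffix
        return host.lower().endswith(tok.lower())
    if tok.endswith("."):                              # address prefix
        return addr.startswith(tok)
    return tok.lower() == host.lower() or tok == addr  # exact host or address


def hosts_access(allow_text, deny_text, daemon, host, addr):
    """tcpd order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, otherwise access is granted (a missing file == '')."""
    def matches(rules):
        return any(_in_list(d, lambda t: t.upper() == "ALL" or t == daemon)
                   and _in_list(c, lambda t: _client_match(t, host, addr))
                   for d, c in rules)
    if matches(parse_rules(allow_text)):
        return ALLOW
    return DENY if matches(parse_rules(deny_text)) else ALLOW


# Constructed sample files (not from any real system).
HOSTS_ALLOW = """\
sshd: 192.168.1.0/255.255.255.0, [fd00:1::]/64      # net/mask and IPv6 prefix
ALL: LOCAL, .bar.edu EXCEPT tserver.bar.edu        # LOCAL, domain suffix, EXCEPT
in.telnetd: ws?.lab.example.com                    # single-character wildcard
"""
HOSTS_DENY = """\
ALL EXCEPT in.fingerd: ALL     # default deny; finger is left at tcpd's default (allow)
"""


def demo():
    """Map (daemon, client address) to the simulated decision."""
    cases = [
        ("sshd", "ws1.corp.example", "192.168.1.20"),       # ALLOW: net/mask
        ("sshd", "ws2.corp.example", "fd00:1::10"),         # ALLOW: [ipv6]/64
        ("sshd", "scanner.example.net", "203.0.113.7"),     # DENY: hosts.deny ALL
        ("in.telnetd", "host1.bar.edu", "131.155.72.5"),    # ALLOW: .bar.edu
        ("in.telnetd", "tserver.bar.edu", "131.155.72.9"),  # DENY: EXCEPT, then deny
        ("in.telnetd", "ws3.lab.example.com", "10.9.8.7"),  # ALLOW: '?' wildcard
        ("in.fingerd", "tserver.bar.edu", "131.155.72.9"),  # ALLOW: matches neither file
        ("imapd", "printer", "10.1.1.4"),                   # ALLOW: LOCAL (no dot)
    ]
    return {(d, a): hosts_access(HOSTS_ALLOW, HOSTS_DENY, d, h, a) for d, h, a in cases}


if __name__ == "__main__":
    for (daemon, addr), verdict in demo().items():
        print(f"{verdict:5} {daemon:11} from {addr}")
```

    The in.fingerd case is the one worth staring at: it matches nothing in hosts.allow (the only ALL rule excludes tserver.bar.edu) and is excepted from the deny rule, so it lands on tcpd's built-in default, which is to allow. On a real host the same question is answered by the tcpdmatch tool that ships with tcp_wrappers (e.g. 'tcpdmatch in.telnetd tserver.bar.edu'), and tcpdchk reports syntax errors and rules that can never fire; run both after editing either file.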
  • Start, stop inetd services

    Usually started/stopped via the boot/shutdown scripts. There are a number of ways, some of which are distribution specific; on systemd based distributions the superdaemon has a unit of its own, so 'systemctl start|stop|restart|status <unit>' is the usual route.

    If there is /etc/init.d/inetd

    # /etc/init.d/inetd [start|stop|status|restart|reload]
    

    If you have killproc

    # killproc inetd
    

    To reread /etc/inetd.conf after changes have been made

    # killall -HUP inetd
    # kill -SIGHUP <PID of inetd>
    

    Other ways to stop

    # killall -SIGTERM inetd
    # kill <PID of inetd>               (Defaults to sending TERM, SIGTERM, 15)
    # kill -s TERM <PID of inetd>
    # kill -TERM <PID of inetd>
    # kill -15 <PID of inetd>
    # kill -9 <PID of inetd>            (SIGKILL cannot be caught, so inetd gets no chance to
                                         clean up; only if it ignores TERM)
    

    There are several ways to send the same signal using 'kill'. Note that 'kill -l' only lists signal names and numbers ('kill -l TERM' prints 15); it does not send anything.

  • Xinetd

    inetd replacement.

    • the inetd.conf format only allows for a single configuration file
    • xinetd can use either a single configuration file or multiple files
    • with multiple files each service has its own 'xinetd section' in a separate file whose file name is the service name
    • xinetd.conf still exists, though it then holds only a 'defaults' section and an 'includedir' directive
    • the default 'includedir' is /etc/xinetd.d/

    Default configuration - /etc/xinetd.conf

    # Default file example when using multiple config 
    # files in /etc/xinetd.d/<service>
    defaults
    {
    
    # The next two items are intended to be a quick access
    # place to temporarily enable or disable services.
    #       enabled   =
    #       disabled  =
    
    # Define general logging characteristics.
            log_type  = SYSLOG daemon info
    .....
    .....
    }
    includedir /etc/xinetd.d
    

    Sample service file for xinetd - /etc/xinetd.d/telnet

    # default: on
    # description: The telnet server serves telnet sessions; it uses
    # unencrypted username/password pairs for authentication.
    service telnet
    {
      disable         = no
      flags           = REUSE
      socket_type     = stream
      wait            = no
      user            = root
      # To run the server through the tcpd wrapper instead, use
      #   server = /usr/sbin/tcpd   and   server_args = /usr/sbin/in.telnetd
      # (an xinetd built with libwrap also consults hosts.allow/hosts.deny itself)
      server          = /usr/sbin/in.telnetd
      # In addition to the defaults, log the remote user id ('USERID') when a
      # start fails; 'HOST' would add the remote host address
      log_on_failure += USERID
      # Access is granted to everyone except the 10.0.x.x network ...
      no_access       = 10.0.0.0/16
      # ... but 10.0.0.x does get access: the /24 is the better match
      only_from       = 0.0.0.0/0, 10.0.0.0/24
    }
    

    Frequently used 'xinetd' options

     bind = <interface>                                  Listen/bind to a specific interface only
     disable = yes                                       Disable a service (in that service's own section)
     enabled = <service list>                            'defaults' section only: the services to enable
     disabled = <service list>                           'defaults' section only: the services to disable
     id = name                                           Uniquely identify a service
     instances = <int|UNLIMITED>                         Number of active servers for a service, default=UNLIMITED
     port = <int>                                        Port number if service is not listed in /etc/services
     no_access = <IP|CIDR|hostname|domain names>         Lists remote hosts to which the service is unavailable
     only_from = <IP|CIDR|hostname|domain names>         Lists remote hosts to which the service is available
     log_on_success =                                    Information is logged when a server starts/exits
        +=                                               Adds the option below to the existing defaults
                                                         any combination of the following in a space separated list
        PID                                              Logs the server process id
        HOST                                             Logs the remote host address
        USERID                                           Logs the user id of the remote user
        EXIT                                             Logs a server's exit along with the exit status
        DURATION                                         Logs the duration of a service session
        TRAFFIC                                          Logs the total bytes in and out for a redirected service
     log_on_failure =                                    Information to be logged when a server cannot be started
        +=
        HOST                                             Logs the remote host address.
        USERID                                           Logs the user id of the remote user
        ATTEMPT                                          Logs the fact that a failed attempt was made
     protocol = prot                                     Any protocol listed in /etc/protocols
     redirect = <IP> <port>                              Redirects connections to another host
     server = program                                    The program to run as the server e.g. /usr/sbin/tcpd
     server_args = <args>                                Args to use for server program e.g. /usr/sbin/in.telnetd
     user = user                                         User the server will run as (must be a valid entry in /etc/passwd)
     wait = <yes | no>                                   Wait for a connection to end before starting another
                                                         (yes for UDP, no for TCP)
    

    If both 'only_from' and 'no_access' are specified, the best (most specific) match for the client address determines access. For example, in /etc/xinetd.conf (or a service specific file):

    .....
    only_from = 128.138.209.0
    no_access =  128.138.209.10
    

    128.138.209.0 (a trailing zero octet, so the whole 128.138.209.x network) matches in 'only_from', but the single host 128.138.209.10 is the more specific match in 'no_access', so 128.138.209.10 is denied access while the rest of the network is allowed.
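
    The best-match rule, applied to both the telnet service file above and the 'only_from'/'no_access' pair just shown, as an added example that is not part of the page or of xinetd itself. The simulator handles the numeric address forms used on this page (CIDR, and a.b.c.d where trailing zero octets act as wildcards, so 0.0.0.0 matches everyone); host and domain names are not handled. Scoring by prefix length and the tie-break (a tie counts as 'no_access') are this example's assumptions, not a description of xinetd's internals.

```python
# Added example, not from the page or the xinetd project: a simulator of how
# xinetd combines 'only_from' and 'no_access'.  Assumptions: specificity is the
# prefix length of the matching entry, and a tie goes to no_access.
import ipaddress


def to_network(spec):
    """xinetd IPv4 address spec -> ipaddress network.  CIDR is taken as-is;
    in a.b.c.d every trailing zero octet widens the match by eight bits
    (128.138.209.0 == 128.138.209.0/24, 0.0.0.0 == 0.0.0.0/0)."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported address form: {spec!r}")
    bits = 32
    while octets and octets[-1] == "0":
        octets.pop()
        bits -= 8
    return ipaddress.ip_network(f"{spec}/{bits}", strict=False)


def best_match(addr, specs):
    """Prefix length of the most specific entry containing addr, -1 if none."""
    ip = ipaddress.ip_address(addr)
    levels = (to_network(s).prefixlen for s in specs if ip in to_network(s))
    return max(levels, default=-1)


def xinetd_allows(addr, only_from=None, no_access=None):
    """Neither set: allow.  only_from alone: the address must match.
    no_access alone: it must not match.  Both: the more specific match wins."""
    allow_level = best_match(addr, only_from) if only_from else -1
    deny_level = best_match(addr, no_access) if no_access else -1
    if only_from is None:
        return deny_level < 0
    return allow_level > deny_level        # a tie is treated as denied (assumption)


def demo():
    """The two cases on this page: the telnet service file and the text's pair."""
    telnet = dict(only_from=["0.0.0.0/0", "10.0.0.0/24"], no_access=["10.0.0.0/16"])
    pair = dict(only_from=["128.138.209.0"], no_access=["128.138.209.10"])
    return {
        "telnet 10.0.0.5": xinetd_allows("10.0.0.5", **telnet),        # /24 beats /16
        "telnet 10.0.3.5": xinetd_allows("10.0.3.5", **telnet),        # /16 beats /0
        "telnet 192.0.2.1": xinetd_allows("192.0.2.1", **telnet),      # only /0 matches
        "pair 128.138.209.10": xinetd_allows("128.138.209.10", **pair),  # host beats net
        "pair 128.138.209.11": xinetd_allows("128.138.209.11", **pair),  # net matches
        "pair 128.138.210.1": xinetd_allows("128.138.210.1", **pair),    # nothing matches
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny ':5} {case}")
```

    The last case is the one that catches people: with 'only_from' present, an address that matches neither list is denied, because 'only_from' turns the service into allow-listed access. Without 'only_from' the same address would be allowed, since 'no_access' alone only subtracts from the default of everyone.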