Using tcpd and ipfwadm to set up a firewall

xiaoxiao2021-03-06  44

Summary: This article briefly introduces ways of configuring the services run by inetd so as to improve the security of a system. The emphasis is on the ipfwadm administration tool and on the configuration of inetd services.

First we must clarify what inetd is. Simply put, inetd is a daemon that controls the services offered when the host is connected to the Internet. You may come across a machine on which inetd has not been set up to control every service, so the first thing to do is to locate and check the /etc/inetd.conf file and see which services it currently controls (that is, every line that does not begin with a "#"). The first piece of advice is: unless you really need a service, do not start it. Server programs that are never used may still contain bugs, and the best way to avoid having such bugs exploited is simply not to run them.

Assuming the reader has the contents of inetd.conf in front of them, I will now explain what each field means, taking this line as an example:

    ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a

The first field is the name of the service provided (here "ftp"; the port number it is bound to is looked up in the /etc/services file). The second field is the socket type, which can be stream (as in this example), dgram, raw, rdm or seqpacket. The next field is the protocol used, which must first be declared in /etc/protocols; in this example we assume that the tcp protocol has been declared there. After the protocol comes the wait/nowait field. For every socket type other than datagram (dgram) this should be nowait. For a datagram socket, set nowait if the server is multi-threaded and wait if it is single-threaded.

The reason is that a multi-threaded server, on receiving a connection request, starts a new process and then releases the original socket so that inetd can go on listening for further connection requests; hence nowait. A single-threaded server keeps using the same socket instead of spawning an additional process for each connection, so it needs wait. There is also a variant of this field: writing nowait.50 means that at most 50 instances of the server may be started within a short period (or, looked at the other way, that at most that many connection requests are served in that period). The default value is 40. The fifth field states the user name under which the server runs; in this example ftp runs as root. The sixth and following fields are the program to execute and the arguments passed to it.
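As an added example (not code from the original article), the following Python script parses inetd.conf lines of the format just described and applies the article's advice: it lists which services are actually enabled, whether each one is started through tcpd (so that hosts.allow/hosts.deny apply to it) and whether it runs as root. The inetd.conf contents are constructed for this example; the check names and the InetdEntry/audit_inetd functions are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample /etc/inetd.conf for this example (not a real host's file).
INETD_CONF = """\
# <service> <socket type> <protocol> <wait/nowait[.max]> <user> <program> <args>
ftp      stream  tcp   nowait    root    /usr/sbin/tcpd        in.ftpd -l -a
telnet   stream  tcp   nowait    root    /usr/sbin/tcpd        in.telnetd
#shell   stream  tcp   nowait    root    /usr/sbin/tcpd        in.rshd
finger   stream  tcp   nowait    nobody  /usr/sbin/in.fingerd  in.fingerd
talk     dgram   udp   wait      nobody  /usr/sbin/tcpd        in.talkd
tftp     dgram   udp   wait.50   root    /usr/sbin/in.tftpd    in.tftpd /tftpboot
"""

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}
DEFAULT_MAX_RATE = 40   # inetd's default limit on server starts per interval


@dataclass
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    wait: bool              # True for "wait", False for "nowait"
    max_rate: int           # the ".N" suffix of the wait field, or the default
    user: str
    program: str
    args: List[str] = field(default_factory=list)

    @property
    def wrapped(self) -> bool:
        """True when the program inetd starts is tcpd, so hosts.allow/deny apply."""
        return self.program.rsplit("/", 1)[-1] == "tcpd"


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse the enabled (non-comment) lines of an inetd.conf file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                        # blank or commented out: service disabled
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields")
        service, stype, proto, waitflag, user, program, *args = fields
        if stype not in SOCKET_TYPES:
            raise ValueError(f"line {lineno}: unknown socket type {stype}")
        base, _, rate = waitflag.partition(".")
        if base not in ("wait", "nowait"):
            raise ValueError(f"line {lineno}: expected wait or nowait, got {waitflag}")
        entries.append(InetdEntry(service, stype, proto, base == "wait",
                                  int(rate) if rate else DEFAULT_MAX_RATE,
                                  user, program, args))
    return entries


def audit_inetd(entries: List[InetdEntry]) -> Dict[str, List[str]]:
    """Return, per service, the points a reviewer of this file would flag."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        issues = []
        if not e.wrapped:
            issues.append("not wrapped by tcpd")
        if e.user == "root":
            issues.append("runs as root")
        if e.wait and e.socket_type != "dgram":
            issues.append("non-datagram service uses wait")
        if issues:
            findings[e.service] = issues
    return findings


if __name__ == "__main__":
    enabled = parse_inetd_conf(INETD_CONF)
    for e in enabled:
        print(f"{e.service:8} {e.socket_type:6} {e.protocol:4} wait={e.wait} "
              f"max={e.max_rate} user={e.user} program={e.program} args={e.args}")
    for service, issues in audit_inetd(enabled).items():
        print(f"{service}: {'; '.join(issues)}")
```

Run against a real /etc/inetd.conf, the list of enabled services is the starting point the article recommends: anything listed that you do not need should be commented out, and anything kept should preferably be started through tcpd.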

In our example the program started is tcpd, which in turn starts the server in.ftpd with the arguments -l -a. Now we come to the most interesting part: configuring tcpd. tcpd is a daemon used to filter connection requests. Based on the IP address a request comes from, it decides whether the corresponding server is started to answer it. How it decides depends on how the two files /etc/hosts.allow and /etc/hosts.deny are set up. In principle, /etc/hosts.deny specifies which hosts are refused service, and /etc/hosts.allow specifies which hosts are allowed service. Both files use the following format:

    daemon: client [: option1 [: option2 ...]]

Here daemon can be a server program to be started, as in the previous example, or the word ALL, which stands for every server. client can be a particular IP address, a host name, a range of IP addresses (or of host names), or one of the wildcards explained below. To specify a range of IP addresses we can, for example, write 123.32. (with a trailing dot), which stands for every address of the form 123.32.xxx.xxx; in the same way .ml.org (with a leading dot) specifies a range of host names, namely every host under the ml.org domain. A range of IP addresses can also be given in the more traditional IP/mask form: for example, the range from 127.0.0.0 to 127.0.255.255 is written 127.0.0.0/255.255.0.0.

The wildcards mentioned above are:

    ALL        matches every host
    UNKNOWN    matches every host whose name or address is unknown
    KNOWN      matches every host whose name and address are both known
    PARANOID   matches every host whose name does not match its address

The options mentioned in the format above are:

    allow   No matter whether the rule appears in hosts.allow or in hosts.deny, a connection matching it is accepted. This option must be placed at the end of the line.
    deny    Like the option above, but specifies the conditions under which a connection is refused.
    spawn   When a connection request is received, spawn runs a shell command. For example, you can have the machine beep to notify you whenever someone enters it.
    twist   Like spawn, except that the connection itself is handed over to the shell command instead of to the requested server. This option must also be placed at the end of the line.

The last two options can also be used with the expansion characters that tcpd understands, which are:

    %a   the client's address
    %c   client information (something like user@host, or whatever other information about the client is available)
    %d   the daemon process name
    %h   the client's host name, or its address when the name is not available
    %n   the client's host name
    %p   the daemon's process ID
    %s   server information (daemon@host, or only the daemon name, depending on the situation)
    %u   the client's user name
    %%   a literal % character

With these expansion characters you can do a great deal. For example, I know of someone whose configuration, as soon as anyone tried to connect to his host by telnet, automatically sent them a teardrop attack :)

Note: teardrop is a DoS (Denial of Service) attack which causes the target system to reboot or to stop responding. It exploits a bug in the reassembly of TCP packets, which most operating systems had (or rather used to have, since many kernels have since been patched). Information on the Internet is transmitted using the TCP/IP protocols (this pair of protocols is also found on other kinds of networks, such as intranets). These are really two protocols: TCP is responsible for splitting the information into a series of packets, which are handed to the IP protocol and sent to their destination; once the data reaches the destination host, TCP checks whether all the packets are complete and, if so, reassembles them into the original information. However, most operating systems did not check for fragments that are too small before reassembling them, so such a machine ends up in a mess after reassembling the packets. Obviously this is not a complete explanation, so all kinds of criticism and advice are welcome. Alright, after this brief explanation, let us continue...

Example:

    # hosts.allow
    # localhost may do anything
    ALL: 127.0.0.1
    # everyone may enter, but a sound file is played (so it warns me)
    in.ftpd: ALL: spawn (wavplay /usr/share/sounds/intruder.wav &)
    # whoever connects by telnet is sent a teardrop
    in.telnetd: ALL: twist (teardrop %h %h)
    # FIN

    # hosts.deny
    # refuse every connection from .bsa.org
    ALL: .bsa.org
    # disable the finger service :)
    in.fingerd: ALL
    # FIN

That is all I want to say about tcpd; my knowledge is limited, so it may not be good enough. My suggestion is to experiment with some of the settings yourself and to read the manual pages (tcpd(8), hosts_access(5)); I believe the reader can learn more from them than from what I have explained. Next, let's move on to ipfwadm.
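To make the hosts.allow/hosts.deny decision order concrete, here is an added Python model of how tcpd evaluates the two files (example code written for this article, not tcpd's own): hosts.allow is searched first and the first matching rule grants access, then hosts.deny is searched and the first matching rule refuses it, and a client matching neither file is granted access. It implements the client patterns from the text (ALL, KNOWN, UNKNOWN, PARANOID, leading-dot domain, trailing-dot network, address/mask) plus LOCAL from hosts_access(5), the allow/deny overrides, and the % expansions; spawn and twist commands are expanded and reported, never executed. The two rule files, the client objects and the /bin/echo twist are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample access-control files for this example.
ALLOW = """\
# constructed /etc/hosts.allow
ALL: 127.0.0.1
in.ftpd: ALL: spawn (echo ftp from %h >> /var/log/ftp-wrap.log &)
in.telnetd: 10.0.0.0/255.255.255.0, 10.1.
in.telnetd: .example.org: twist /bin/echo telnet is closed for %h
"""
DENY = """\
# constructed /etc/hosts.deny
ALL: .bad.example
in.fingerd: ALL
ALL: PARANOID
"""


@dataclass
class Client:
    address: str
    name: Optional[str] = None         # None: reverse lookup failed (matches UNKNOWN)
    name_matches_address: bool = True  # False: forward lookup disagrees (matches PARANOID)


@dataclass
class Decision:
    granted: bool
    source: str                        # "hosts.allow", "hosts.deny" or "default"
    options: List[str] = field(default_factory=list)  # expanded, not executed


def _split_list(text: str) -> List[str]:
    return [x for x in re.split(r"[,\s]+", text.strip()) if x]


def match_client(pattern: str, c: Client) -> bool:
    """Client-pattern matching as described for hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return c.name is not None and "." not in c.name
    if pattern == "UNKNOWN":
        return c.name is None
    if pattern == "KNOWN":
        return c.name is not None and c.name_matches_address
    if pattern == "PARANOID":
        return c.name is not None and not c.name_matches_address
    if pattern.startswith("."):        # domain suffix, e.g. .example.org
        return c.name is not None and c.name.lower().endswith(pattern.lower())
    if pattern.endswith("."):          # network prefix, e.g. 10.1.
        return c.address.startswith(pattern)
    if "/" in pattern:                 # address/mask form
        return ipaddress.ip_address(c.address) in ipaddress.ip_network(pattern, strict=False)
    return pattern == c.address or (c.name is not None and pattern.lower() == c.name.lower())


def expand(template: str, daemon: str, c: Client) -> str:
    """Substitute tcpd's % expansion characters (%p and %u are placeholders here)."""
    values = {"a": c.address, "h": c.name or c.address, "n": c.name or "unknown",
              "d": daemon, "c": c.name or c.address, "s": daemon,
              "u": "unknown", "p": "<pid>", "%": "%"}
    return re.sub(r"%(.)", lambda m: values.get(m.group(1), m.group(0)), template)


def parse_rules(text: str):
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients, *options = [f.strip() for f in line.split(":")]
        rules.append((_split_list(daemons), _split_list(clients), options))
    return rules


def hosts_access(daemon: str, c: Client, allow_text: str, deny_text: str) -> Decision:
    """hosts.allow first, then hosts.deny, then grant by default."""
    for source, text in (("hosts.allow", allow_text), ("hosts.deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and any(match_client(p, c) for p in clients):
                granted = source == "hosts.allow"
                expanded = []
                for opt in options:
                    if opt == "allow":
                        granted = True
                    elif opt == "deny":
                        granted = False
                    else:
                        expanded.append(expand(opt, daemon, c))
                return Decision(granted, source, expanded)
    return Decision(True, "default")


if __name__ == "__main__":
    for daemon, client in (("in.ftpd", Client("198.51.100.9", "h.bad.example")),
                           ("in.rlogind", Client("203.0.113.4"))):
        print(daemon, client.address, hosts_access(daemon, client, ALLOW, DENY))
```

Two results are worth noticing when running this: a host under .bad.example is still granted ftp, because the "in.ftpd: ALL" line in hosts.allow is consulted before hosts.deny ever is; and a service not mentioned in either file is granted to everyone, because tcpd's default is to allow. Both are reasons to keep hosts.allow narrow and to end hosts.deny with a catch-all line.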

First, and indispensable, is kernel support for IP firewalling (Networking options -> Network firewalls, IP: firewalling). After recompiling the kernel and rebooting the system, we are ready to use the tool. ipfwadm lets us manage the TCP, UDP and ICMP packets of particular programs (and its uses are not limited to what I introduce here). Simply put, the administrator can specify which packets are allowed in; the criteria can include: coming from a particular host or from a range of IP addresses, a particular port number, a particular protocol, or a combination of these conditions... Similarly, packets about to be sent out of the host can be controlled to the same degree.

ipfwadm has several main categories of operation:

    -A  accounting rules
    -I  rules for packets coming into the host (input)
    -O  rules for packets going out of the host (output)
    -F  rules for packet forwarding, also used to manage IP masquerading

In this article I only intend to introduce -I and -O, both of which have the same syntax. The commands that go with them are:

    -a  append one or more rules to the end of the list
    -d  delete one or more rules from the list
    -l  list the rules in the list
    -f  flush (delete) all rules in the list
    -p  set the default policy applied to packets that match no rule: accept (a), deny (d) or reject (r)
    -c  check how a given packet would be handled
    -h  help

The important parameters are:

    -P  the protocol the rule applies to: tcp, udp, icmp or all (meaning every protocol)
    -S  the source address of the packet, in the format address[/mask] [port]
    -D  the destination address of the packet, in the same format (a range of addresses beginning at 123.32.34.0, for example, is written with the address/mask notation described above)

In principle these are the most basic parameters. So, if you want every packet sent by your own machine to be able to reach your own machine, you can set:

    ipfwadm -I -a accept -S 127.0.0.1

If I also want to block packets from 123.34.22.xxx, I can set:

    ipfwadm -I -a deny -S 123.34.22.0/255.255.255.0

Next, if apart from the IP address 111.222.123.221 I want to block all other NetBIOS connection requests, I can set:

    ipfwadm -I -a accept -P tcp -S 111.222.123.221 139
    ipfwadm -I -a deny -P tcp -D 0.0.0.0/0 139
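As an added example (not part of the original article and not ipfwadm's own code), the following Python model of the ipfwadm input list shows how the rules above behave: rules are tried in the order they were appended, the first matching rule decides the packet's fate, and the default policy set with -p applies when nothing matches. The parser accepts the subset of ipfwadm syntax used in the text (-I, -a, -p, -f, -P, -S, -D). The sample packets are constructed, and the NetBIOS accept rule is written with the destination port (-D 0.0.0.0/0 139) so that it does what the text intends, letting that one host reach port 139 on this machine.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import List


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    policy: str                     # accept, deny or reject
    proto: str = "all"
    src: ipaddress.IPv4Network = ipaddress.ip_network("0.0.0.0/0")
    sports: List[int] = field(default_factory=list)   # empty list: any port
    dst: ipaddress.IPv4Network = ipaddress.ip_network("0.0.0.0/0")
    dports: List[int] = field(default_factory=list)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "all" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (not self.sports or p.sport in self.sports)
                and (not self.dports or p.dport in self.dports))


class InputChain:
    """Model of the ipfwadm -I list: first matching rule wins, else the default policy."""

    def __init__(self):
        self.rules: List[Rule] = []
        self.default = "accept"     # ipfwadm's initial default policy

    def ipfwadm(self, cmdline: str) -> None:
        """Apply one ipfwadm command line (only the options used in the article)."""
        t = shlex.split(cmdline)
        if t[:2] != ["ipfwadm", "-I"]:
            raise ValueError("this model only handles the input list (-I)")
        i, rule, action = 2, Rule("accept"), None
        while i < len(t):
            flag = t[i]
            if flag == "-a":                       # append a rule with the given policy
                action, rule.policy, i = "append", t[i + 1], i + 2
            elif flag == "-p":                     # default policy
                self.default, i = t[i + 1], i + 2
            elif flag == "-f":                     # flush the list
                self.rules.clear(); i += 1
            elif flag == "-P":
                rule.proto, i = t[i + 1], i + 2
            elif flag in ("-S", "-D"):             # address[/mask] followed by optional ports
                net = ipaddress.ip_network(t[i + 1], strict=False)
                ports, i = [], i + 2
                while i < len(t) and not t[i].startswith("-"):
                    ports.append(int(t[i])); i += 1
                if flag == "-S":
                    rule.src, rule.sports = net, ports
                else:
                    rule.dst, rule.dports = net, ports
            else:
                raise ValueError(f"unsupported option {flag}")
        if action == "append":
            self.rules.append(rule)

    def check(self, packet: Packet) -> str:
        for rule in self.rules:
            if rule.matches(packet):
                return rule.policy
        return self.default


# The article's rules, plus an explicit flush and default policy (constructed).
EXAMPLE_COMMANDS = [
    "ipfwadm -I -f",
    "ipfwadm -I -p accept",
    "ipfwadm -I -a accept -S 127.0.0.1",
    "ipfwadm -I -a deny -S 123.34.22.0/255.255.255.0",
    "ipfwadm -I -a accept -P tcp -S 111.222.123.221 -D 0.0.0.0/0 139",
    "ipfwadm -I -a deny -P tcp -D 0.0.0.0/0 139",
]


def build_chain(commands: List[str]) -> InputChain:
    chain = InputChain()
    for cmd in commands:
        chain.ipfwadm(cmd)
    return chain


if __name__ == "__main__":
    chain = build_chain(EXAMPLE_COMMANDS)
    for pkt in (Packet("tcp", "111.222.123.221", 4000, "10.0.0.1", 139),
                Packet("tcp", "198.51.100.2", 4000, "10.0.0.1", 139),
                Packet("udp", "198.51.100.2", 4000, "10.0.0.1", 139)):
        print(pkt.proto, pkt.src, "->", pkt.dport, chain.check(pkt))
```

Two things the model makes visible: appending the deny-all-139 rule before the accept rule would make the trusted host's packets hit the deny first, so rule order matters with -a; and because the deny rule names -P tcp, UDP datagrams to port 139 still fall through to the accept default, so blocking NetBIOS completely needs rules for the UDP ports as well.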

Please credit the original URL when reposting: https://www.9cbs.com/read-55665.html
