Editor's note: TCP Wrappers and xinetd are one way of implementing access restrictions on Linux. The first article in this series covered the basic principles and how to compile and install them; the second walked through the configuration in detail. Readers who missed those can find them among the related articles at the bottom of the page. This article works through a number of examples to make the configuration easier to understand and master, and finishes with a note on log management.
Configuration examples
1. The defaults section
[Example 1] /etc/xinetd.conf
# Simple configuration file for xinetd
# Some defaults, and include /etc/xinetd.d/
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.d
Interpretation: the layout recommended on Red Hat 7.x does not put every service into a single file. /etc/xinetd.conf serves as the default configuration file, and each file under the /etc/xinetd.d directory describes one service. As explained earlier, settings in the defaults section apply to every service, so the block above gives every service 60 instances, logs through SYSLOG with the authpriv facility, records HOST and PID on a successful connection and only HOST on a failed one, and accepts at most 25 connections per second; when that rate is exceeded, xinetd waits 30 seconds before accepting connections again. The includedir directive names /etc/xinetd.d as the directory holding the per-service configuration files.
2. telnet configuration
[Example 2] /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
instances = 10
server = /usr/sbin/in.telnetd
log_on_failure += USERID
rlimit_as = 8M
rlimit_cpu = 20
}
Interpretation:
1. The instances setting overrides the value from the defaults section.
2. The log_on_failure attribute adds USERID on top of the value from the defaults section.
3. Resource limits are set for the telnet service: rlimit_as caps its memory at 8M and rlimit_cpu caps its CPU time at 20 seconds.
3. echo configuration
[Example 3.1] /etc/xinetd.d/echo
# default: off
# description: An echo server. This is the tcp
# version.
service echo
{
disable = yes
type = INTERNAL
id = echo-stream
socket_type = stream
protocol = tcp
user = root
wait = no
}
[Example 3.2] /etc/xinetd.d/echo-udp
# default: off
# description: An echo server. This is the udp
# version.
service echo
{
disable = yes
type = INTERNAL UNLISTED
id = echo-dgram
socket_type = dgram
protocol = udp
user = root
wait = yes
port = 7
}
Interpretation: the two entries share the same service name and differ only in socket type, so the id attribute is used to tell them apart.
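The three interpretations above (defaults applying to every service, a service attribute overriding or extending a default with = and +=, and the id attribute separating two entries with the same service name) can all be checked mechanically. The following parser is an added example and not code from the article or from xinetd itself; its sample configuration is constructed from the article's defaults, telnet and echo entries, and the audit at the end flags enabled services that run as root with no only_from restriction, which is what a reviewer of such a configuration would look for first.

```python
"""Added example (not from the article): parse the xinetd configuration format
used above, compute each service's effective attributes from the defaults block
plus its own block (=, += and -= operators), and flag risky entries."""
import re
# Constructed sample, condensed from the article's defaults/telnet/echo examples.
SAMPLE_CONF = """\
defaults
{
    instances      = 60
    log_type       = SYSLOG authpriv
    log_on_failure = HOST
}
service telnet
{
    disable        = no
    user           = root
    instances      = 10
    log_on_failure += USERID
    rlimit_cpu=20
}
service echo
{
    disable        = yes
    id             = echo-stream
    socket_type    = stream
    user           = root
}
service echo
{
    disable        = yes
    id             = echo-dgram
    socket_type    = dgram
    user           = root
    port           = 7
}
"""
# Attributes xinetd inherits from the defaults block (a subset of the full list).
DEFAULTABLE = {"instances", "log_type", "log_on_success", "log_on_failure", "only_from", "no_access", "cps"}
_ASSIGN = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")

def parse_blocks(text):
    """Return [(kind, name, [(attr, op, tokens), ...])], one per defaults/service block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line or line == "{":
            continue
        if line == "}":
            blocks.append(current)
            current = None
        elif current is None:
            parts = line.rstrip("{").split()       # also accepts 'service name {'
            if parts == ["defaults"]:
                current = ("defaults", None, [])
            elif len(parts) == 2 and parts[0] == "service":
                current = ("service", parts[1], [])
            elif parts[0] != "includedir":         # directory inclusion not modelled
                raise ValueError(f"unexpected text outside a block: {raw!r}")
        else:
            m = _ASSIGN.match(line)
            if not m:
                raise ValueError(f"cannot parse attribute line: {raw!r}")
            current[2].append((m.group(1), m.group(2), m.group(3).split()))
    return blocks

def _apply(attrs, attr, op, tokens):
    """xinetd operators: '=' replaces, '+=' appends new tokens, '-=' removes them."""
    have = attrs.get(attr, [])
    if op == "=":
        attrs[attr] = list(tokens)
    elif op == "+=":
        attrs[attr] = have + [t for t in tokens if t not in have]
    else:
        attrs[attr] = [t for t in have if t not in tokens]

def effective_services(text):
    """Map service key (its id if given, else its name) -> effective attributes."""
    blocks = parse_blocks(text)
    defaults = {}
    for kind, _, items in blocks:
        if kind == "defaults":
            for attr, op, tokens in items:
                if attr in DEFAULTABLE:
                    _apply(defaults, attr, op, tokens)
    services = {}
    for kind, name, items in (b for b in blocks if b[0] == "service"):
        attrs = {k: list(v) for k, v in defaults.items()}   # inherit defaults
        for attr, op, tokens in items:
            _apply(attrs, attr, op, tokens)                  # override or extend
        key = attrs.get("id", [name])[0]
        if key in services:
            raise ValueError(f"two entries share the key {key!r}; give each an id")
        services[key] = attrs
    return services

def audit(services):
    """Keys of enabled services that run as root with no only_from restriction."""
    return sorted(k for k, a in services.items() if a.get("disable", ["no"]) == ["no"]
                  and a.get("user") == ["root"] and "only_from" not in a)
```

Running effective_services(SAMPLE_CONF) gives telnet 10 instances and log_on_failure = HOST USERID while both echo entries inherit the 60 instances and SYSLOG authpriv log type; dropping the id lines from the two echo entries makes the parser refuse the file, which is exactly the ambiguity the article's id attribute resolves.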
4. An RPC service example
[Example 4] /etc/xinetd.d/rstatd
service rstatd
{
type = RPC
socket_type = dgram
protocol = udp
server = /usr/etc/rpc.rstatd
wait = yes
user = root
rpc_version = 2-4
env = LD_LIBRARY_PATH=/etc/securelib
}
5. A custom service example
[Example 5] /etc/xinetd.d/sample
service sample
{
type = UNLISTED
socket_type = stream
protocol = tcp
server = /usr/bin/sample
port = 20020
}
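The article does not show what /usr/bin/sample does. As an added example (not the article's code, and not any real xinetd component), the following Python program is the kind of server xinetd starts for a socket_type = stream service run with wait = no (the usual setting for TCP services, as in the telnet entry): xinetd accepts the TCP connection itself and starts the server with that connection as its standard input and output, so the program only reads requests from stdin and writes replies to stdout. The PING/UPPER/QUIT protocol, the line-length limit and the session timeout are assumptions made for the example.

```python
"""Added example (not from the article): a minimal line-oriented server of the
kind xinetd starts for a socket_type = stream, wait = no service such as the
'sample' entry.  xinetd accepts the TCP connection and hands it to the program
as stdin/stdout, so the server only reads and writes those streams.
The PING/UPPER/QUIT protocol and the limits below are assumptions for the example."""
import signal
import sys

MAX_LINE = 512        # reject oversized requests instead of buffering them
SESSION_SECONDS = 30  # xinetd's rlimit_cpu caps CPU seconds, not idle wall-clock time


def handle_request(line):
    """One request -> one reply.  Unknown commands get an error, never an exception."""
    cmd, _, arg = line.strip().partition(" ")
    if cmd == "PING":
        return "PONG"
    if cmd == "UPPER" and arg:
        return arg.upper()
    return "ERR unknown command"


def serve(inp, out, max_line=MAX_LINE):
    """Serve one connection on (inp, out); returns the number of requests answered."""
    answered = 0
    while True:
        line = inp.readline(max_line + 1)
        if not line:                       # peer closed the connection
            return answered
        if len(line) > max_line or not line.endswith("\n"):
            out.write("ERR line too long or unterminated\n")
            out.flush()
            return answered
        if line.strip() == "QUIT":
            return answered
        out.write(handle_request(line) + "\n")
        out.flush()
        answered += 1


if __name__ == "__main__":
    # Bound the whole session so a silent peer cannot hold a server slot forever.
    signal.signal(signal.SIGALRM, lambda *_: sys.exit(0))
    signal.alarm(SESSION_SECONDS)
    serve(sys.stdin, sys.stdout)
```

Installed as /usr/bin/sample with the entry above, each connection to port 20020 gets its own copy of this process; the instances, per_source and rlimit_* attributes from the earlier examples are what keep the number and cost of those copies under control, while the session timeout covers the idle time those limits do not.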
The xinetd process
1. Starting and stopping:
If you are using the default installation on 7.x:
/etc/rc.d/init.d/xinetd start
/etc/rc.d/init.d/xinetd stop
/etc/rc.d/init.d/xinetd restart
/etc/rc.d/init.d/xinetd reload
or
/sbin/service xinetd start
/sbin/service xinetd stop
/sbin/service xinetd restart
/sbin/service xinetd reload
If you compiled and installed it yourself on 6.x:
You need to create the xinetd startup script yourself:
touch /var/run/xinetd.pid
touch /var/lock/subsys/xinetd
chmod 755 /etc/rc.d/init.d/xinetd
You can then control the process with the following commands:
/etc/rc.d/init.d/xinetd start
/etc/rc.d/init.d/xinetd stop
/etc/rc.d/init.d/xinetd restart
/etc/rc.d/init.d/xinetd reload
vi /etc/rc.d/init.d/xinetd
## Contents of /etc/rc.d/init.d/xinetd:
#!/bin/bash
#
# xinetd This starts and stops xinetd.
#
# chkconfig: 345 56 50
# description: xinetd is a powerful replacement for inetd.
# xinetd has access control mechanisms, extensive
# logging capabilities, the ability to make services
# available based on time, and can place
# limits on the number of servers that can be started,
# among other things.
#
# processname: /usr/sbin/xinetd
# config: /etc/sysconfig/network
# config: /etc/xinetd.conf
# pidfile: /var/run/xinetd.pid
prog="xinetd"
PATH=/sbin:/bin:/usr/bin:/usr/sbin
# Source function library.
. /etc/rc.d/init.d/functions
# Get config.
test -f /etc/sysconfig/network && . /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "yes" ] || exit 0
[ -f /usr/sbin/xinetd ] || exit 1
[ -f /etc/xinetd.conf ] || exit 1
RETVAL=0
start(){
echo -n $"Starting $prog: "
# Need to get rid of localization for external services -
# it doesn't make much sense to have i18n on the server side here
LANG=en_US
LC_TIME=en_US
LC_ALL=en_US
LC_MESSAGES=en_US
LC_NUMERIC=en_US
LC_MONETARY=en_US
LC_COLLATE=en_US