Network Daemons
A daemon is a program that waits for another program to ask it to do something. Network daemons in particular are similar to the jacks in an operator's switchboard. They create one or more sockets and listen on those sockets, waiting for another process to connect. In Linux, as with most variants of UNIX, network services can be provided in one of two ways: as standalone daemons that handle each session themselves, or as services run under a super-server (such as inetd) that accepts the connections and disconnections on their behalf.
Standalone TCP/IP Daemons
Originally, all UNIX network servers were standalone daemons. When you wanted to start a server, you ran a program that created the socket and listened on it. Many UNIX server programs still run in this manner. Examples are Squid, the Web cache/proxy server; Samba, the SMB file/print server; Apache, the Web server; and many others (see Chapter 12, "Apache Server," and Chapter 17, "Samba").
Even though they have many functions, most network daemons usually share a few characteristics:
- Their names end with a d (for daemon).
- They respond to the HUP signal (HANG UP signal; read man 7 signal for more information) by rereading their configuration files. The HUP signal is sent by the kill -HUP command.
- They are usually started at boot time by scripts in the /etc/init.d directory. These scripts minimally accept the start and stop parameters to start and end the daemons. Most of them accept the restart parameter to tell the daemon to reread its configuration files.
- When they receive a request, they create another copy of themselves to service it. Thus, there may be several copies of each daemon running simultaneously at any given time.
Networking Service Control
In the standalone daemon model, each service you run on a server has a corresponding daemon. This poses several problems:
- If you have many services on a server, you need to have many daemons running, even if they are idle. Although inactive daemons will probably be swapped out to disk, they still take up valuable resources, such as virtual memory and process table entries.
- There is no centralized way of modifying the daemons to provide services such as encryption or access control. Each daemon program must be modified to provide these services.
- If a daemon dies because of user or programmer error, the service will not be available until it is restarted. The restart procedure can be automated, but then the program that restarts the daemon can also die.
- Programming a network daemon isn't easy, especially because most daemons must be multithreaded. Being multithreaded enables them to manage several requests at once.
Eventually someone came up with a solution. How about a single daemon that could be configured to listen to any number of sockets and transfer control to different programs when it was needed? This daemon would also take care of multithreading and of managing the sockets. Thus was born inetd, the original so-called "Internet super-server." This is the time we should mention a relatively new addition to Red Hat Linux: xinetd. This program is meant to be a secure replacement for inetd. Though not completely secure, it is much more secure than inetd.
Configuring xinetd
xinetd has built-in access control features for refusing connections from undesired clients or allowing only desired connections. It can limit the number of incoming connections, the number of incoming connections from specific hosts, or the total number of connections for a service. This feature is particularly useful for helping to thwart what are known as DDoS (Distributed Denial of Service) attacks. It can also limit access to services based on the time of day. xinetd can have services bind to specific IP addresses, which lets you provide different services to internal clients than to external clients. xinetd is installed at installation time with Red Hat Linux if you select the Everything option for your installation.
When xinetd is installed, a Perl script is supplied in the same directory as the xinetd binary that conveniently converts an inetd.conf into an xinetd.conf. It may be run when you are logged in as root by typing /usr/sbin/xconv.pl < /etc/inetd.conf > /tmp/xinetd.conf, where /usr/sbin is the directory that holds your xinetd executable. The xinetd.conf looks much like a legacy inetd.conf file and may be edited in much the same way. As with most subjects regarding Red Hat Linux, an entire chapter could be written on xinetd. You may read more in depth about xinetd at http://www.synack.org/xinetd/. Here are some of the keywords most commonly used when configuring this new "Super Server":
| Keyword | Meaning |
|---|---|
| wait | This attribute determines if the service is single-threaded or multithreaded. If its value is yes, the service is single-threaded; this means that xinetd will start the server and then stop handling requests for the service until the server dies. If the attribute value is no, the service is multithreaded and xinetd will keep handling new service requests. |
| user | Determines the uid for the server process. The user name must exist in /etc/passwd. This attribute is ineffective if the effective user ID of xinetd is not superuser. |
| group | Determines the gid for the server process. The group name must exist in /etc/group. If a group is not specified, the group of user will be used (from /etc/passwd). This attribute is ineffective if the effective user ID of xinetd is not superuser. |
| EXIT | Logs the fact that a server exited, along with the exit status or the termination signal (the process id is also logged if the PID option is used). |
| DURATION | Logs the duration of a service session. |
You can (as root) control which services are or are not started during bootup by using the ntsysv command. However, you should know that if you turn off xinetd there, you shut off every networking service it manages at once. A much better approach is to edit its configuration files, found under the /etc directory and the /etc/xinetd.d directory. For example, here is the default telnet control file under xinetd's /etc/xinetd.d directory:
```
# default: on
# description: The telnet server serves telnet sessions; it uses \
#	unencrypted username/password pairs for authentication.
service telnet
{
	disable		= no
	flags		= REUSE
	socket_type	= stream
	wait		= no
	user		= root
	server		= /usr/sbin/in.telnetd
	log_on_failure	+= USERID
}
```
As you can see, the default state for telnet access is enabled with Red Hat Linux. Your job as a system administrator will be to decide what services to provide on your system.
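As an added example (not code from the book or from xinetd itself), the script below parses xinetd service stanzas like the telnet file above and reports why each enabled service deserves a second look before you leave it on. The sample input is constructed: a trimmed copy of the default telnet stanza beside a variant restricted with only_from, access_times, per_source and bind, which are real xinetd attributes behind the access-control features described earlier.

```python
# Added example, not from the book: parse xinetd "service name { key = value }"
# stanzas and audit the parsed attributes from an administrator's point of view.
import re

# Constructed sample: the default telnet stanza beside a restricted variant.
SAMPLE = """\
service telnet
{
    disable        = no
    user           = root
    server         = /usr/sbin/in.telnetd
    log_on_failure += USERID
}
service telnet-internal
{
    user           = root
    server         = /usr/sbin/in.telnetd
    bind           = 10.0.0.1          # internal address only
    only_from      = 10.0.0.0/8
    access_times   = 08:00-18:00
    per_source     = 2
    log_on_success += DURATION EXIT
}
"""
STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR = re.compile(r"(\w+)\s*(\+?=)\s*(.*)")

def parse_xinetd(text):
    """Return {service: {attribute: value}}; '+=' appends to an earlier value."""
    services = {}
    for name, body in STANZA.findall(text):
        attrs = {}
        for raw in body.splitlines():
            m = ATTR.match(raw.split("#", 1)[0].strip())  # drop comments/blanks
            if not m:
                continue
            key, op, value = m.groups()
            attrs[key] = (attrs.get(key, "") + " " + value).strip() if op == "+=" else value
        services[name] = attrs
    return services

def audit(services):
    """For every enabled service, list the settings an admin should reconsider."""
    findings = {}
    for name, a in services.items():
        if a.get("disable", "no") == "yes":            # xinetd enables by default
            continue
        findings[name] = [msg for cond, msg in (
            (a.get("user") == "root", "runs as root"),
            ("only_from" not in a and "no_access" not in a, "no host restriction"),
            ("bind" not in a, "bound to every interface")) if cond]
    return findings
```

Run it over the files in /etc/xinetd.d by concatenating them into the parser's input; a service whose finding list is empty still runs, but with the restrictions the text describes in place.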