Published: 06.08.2012 | Access: free | Students: 1328 / 46 | Rating: 5.00 / 5.00 | Duration: 53:41:00
Lecture 25:

Basic network access: servers

Abstract: Running servers from inetd; Configuring ftpd; Running sshd; rsyncd; Setting up a web server; NFS server; Samba.

In the previous chapter, we saw how to use clients to access other systems. This is only half the picture, of course. At the other end of the link, we need servers to provide this service. For each client, there is a server (a daemon) whose name is usually derived from the client name by adding a d to it:

Table 25.1. Server daemons for basic services

Client      Server
ssh         sshd
telnet      telnetd
sftp        sftp-server
ftp         ftpd
rsync       rsyncd
(browser)   httpd
(NFS)       nfsd

In addition to these servers, we look at a few others in other chapters:

Some servers don’t need any configuration, and about all you need to do is to start them. Others, like web servers, can be very complicated. None of the complication is related to FreeBSD. For example, the issues involved in configuring apache are the same whether you run it with FreeBSD, NetBSD, Linux or Solaris. There are several good books, each at least the size of this one, on the detailed setup of some of these servers. In this chapter we'll look at how to get the servers up and running in a basic configuration, and where to turn for more information.

Running servers from inetd

If you look at /etc/services, you'll find that there are over 800 services available, most of which are only supported on a small number of machines. It's not always the best idea to start up a daemon for every possible service you may want to offer. IP supplies an alternative: inetd, the Internet daemon, sometimes called a super-server, which listens on multiple ports. When a request arrives on a specific port, inetd starts a daemon specific to the port. For example, FreeBSD supports anonymous ftp, but most people don't receive enough requests to warrant having the ftp daemon, ftpd, running all the time. Instead, inetd starts an ftpd when a request comes in on port 21.

At startup, inetd reads a configuration file /etc/inetd.conf to determine which ports to monitor and what to do when a message comes in. Here's an excerpt:

# $FreeBSD: src/etc/inetd.conf,v 1.58 2002/08/09 17:34:13 gordon Exp $
#
# Internet server configuration database
#
#ftp     stream  tcp   nowait  root  /usr/libexec/lukemftpd  ftpd -l -r
#ftp     stream  tcp   nowait  root  /usr/libexec/ftpd       ftpd -l
#ftp     stream  tcp6  nowait  root  /usr/libexec/ftpd       ftpd -l
#telnet  stream  tcp   nowait  root  /usr/libexec/telnetd    telnetd
#telnet  stream  tcp6  nowait  root  /usr/libexec/telnetd    telnetd
#shell   stream  tcp   nowait  root  /usr/libexec/rshd       rshd
#shell   stream  tcp6  nowait  root  /usr/libexec/rshd       rshd
#login   stream  tcp   nowait  root  /usr/libexec/rlogind    rlogind
#login   stream  tcp6  nowait  root  /usr/libexec/rlogind    rlogind
#exec    stream  tcp   nowait  root  /usr/libexec/rexecd     rexecd

This file has the following format:

  • The first column is the service on which inetd should listen. If it starts with a # sign, it's a comment, and inetd ignores it. You'll note in this example that all the listed services have been commented out. Unless you run the daemon independently of inetd, a request for one of these services will be rejected with the message:

    Unable to connect to remote host: Connection refused

  • The next three columns determine the nature of the connection, the protocol to use, and whether inetd should wait for the process to complete before listening for new connections. In the example, all the services are TCP, but there are entries both for tcp (the normal TCP protocol for IP Version 4) and tcp6 (the same service for IP Version 6).
  • The next column specifies the user as which the function should be performed.
  • The next column is the full pathname of the program (almost always a daemon) to start when a message comes in. Alternatively, it might be the keyword internal, which specifies that inetd should perform the function itself.
  • All remaining columns are the parameters to be passed to the daemon.
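The column layout just described is easy to check mechanically. The script below is an added example (it is not from the book): it reads a file in inetd.conf format, lists the entries that are actually enabled, and flags those whose daemon is started as root, which is the first thing to look at when reviewing what a host exposes. The sample file is constructed here; on a real system you would pass /etc/inetd.conf instead. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the book: a small audit of an inetd.conf in the
# format described above. It lists the entries that are actually enabled
# (first column not starting with '#') and flags those whose daemon is
# started as root. The file below is a constructed sample; on a real
# system you would pass /etc/inetd.conf instead.

SAMPLE_INETD_CONF='# constructed sample inetd.conf (not a real system file)
#ftp     stream  tcp   nowait  root    /usr/libexec/ftpd       ftpd -l
ftp      stream  tcp6  nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet  stream  tcp   nowait  root    /usr/libexec/telnetd    telnetd
rsync    stream  tcp   nowait  nobody  /usr/local/bin/rsync    rsync --daemon
daytime  stream  tcp   nowait  root    internal
'

# inetd_enabled FILE
# Prints one line per enabled entry: service protocol wait-flag user program.
# Comment lines, blank lines and entries with fewer than the six mandatory
# columns are skipped.
inetd_enabled() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        NF < 6 { next }                                 # malformed entry
        { print $1, $3, $4, $5, $6 }
    ' "$1"
}

# inetd_root_services FILE
# Names of the enabled services whose daemon runs as root (fifth column).
inetd_root_services() {
    inetd_enabled "$1" | awk '$4 == "root" { print $1 }'
}

# inetd_count_enabled FILE
# Number of enabled entries.
inetd_count_enabled() {
    inetd_enabled "$1" | awk 'END { print NR }'
}

# Demonstration on the constructed sample.
demo_file=$(mktemp)
printf '%s' "$SAMPLE_INETD_CONF" > "$demo_file"
echo "Enabled inetd services ($(inetd_count_enabled "$demo_file")):"
inetd_enabled "$demo_file"
echo "Started as root: $(inetd_root_services "$demo_file" | tr '\n' ' ')"
rm -f "$demo_file"
```

On the sample, three entries are enabled (ftp over tcp6, rsync, and the internal daytime service), and two of them run as root. Entries for tcp and tcp6 are reported separately, so a service that was only commented out for one of the two protocols still shows up.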

Older versions of UNIX ran inetd as part of the startup procedure. That isn't always necessary, of course, and for security reasons the default installation of FreeBSD no longer starts it. You can change that by adding the following line to your /etc/rc.conf:

inetd_enable="YES"  # Run the network daemon dispatcher (YES/NO).

To enable services in /etc/inetd.conf, it may be enough to remove the comment from the corresponding line. This applies for most of the services in the example above. In some cases, though, you may have to perform additional steps. For example, lukemftpd, an alternative ftpd, and nntpd, the Network News Transfer Protocol daemon, are not part of FreeBSD: they're in the Ports Collection. Also, nntpd is intended to run as user usenet, which is not in the base system.

The other daemons are not mentioned in /etc/inetd.conf:

The preferred way to run sshd is at system startup. As we'll see, the startup is quite slow, so it's not a good idea to run it from /etc/inetd.conf though it is possible—see the man page if you really want to.

sftp-server is the server for sftp. It gets started from sshd.

httpd, the Apache Web Server, also has quite a long startup phase that makes it impractical to start it from /etc/inetd.conf. Note also that httpd requires a configuration file. We'll look at that on page 455.

By contrast, it's perfectly possible to start rsyncd from inetd. It's not included in the standard /etc/inetd.conf file because it's a port. Yes, so are lukemftpd and nntpd. It's just a little inconsistent. This is the line you need to put in /etc/inetd.conf to start rsyncd.

rsync stream tcp nowait root /usr/local/bin/rsync rsync --daemon

The name rsync is not a typo. rsync and rsyncd are the same thing; it's the --daemon option that makes rsync run as a daemon.

inetd doesn't notice alterations to /etc/inetd.conf automatically. After modifying the file, you must send it a SIGHUP signal:

# killall -HUP inetd

You can write -1 instead of -HUP. This causes inetd to re-read /etc/inetd.conf.

Instead of starting daemons via inetd, you can start them at boot time. inetd is convenient for servers that don't get run very often, but if you make frequent connections, you can save overhead by running the servers continuously. On the other hand, it's not practical to start rshd, rlogind, rexecd or telnetd at boot time: they're designed to be started once for each session, and they exit after the first connection closes. We'll look at starting the other daemons in the following sections, along with their configuration.

Configuring ftpd

Normally you'll run ftpd from inetd, as we saw above. If you want to run it directly, perform the following steps:

  • Add the following to /etc/rc.local:

    echo -n 'starting local daemons:'
    # put your local stuff here
    echo " ftpd" && ftpd -D

    The option -D tells ftpd to run as a daemon. You will possibly want other options as well; see the discussion below.

  • Comment out the ftp line in /etc/inetd.conf by adding a hash mark (#) in front of it:
    #  ftp  stream   tcp  nowait  root  /usr/libexec/ftpd  ftpd -l
    
  • Either reboot, or cause inetd to re-read its configuration file:
    #  killall -1 inetd  send a SIGHUP
    

    If you don't perform this step, inetd keeps the ftp port open, and ftpd can't run.
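The comment-out-and-reload steps above, and the earlier note that inetd only re-reads /etc/inetd.conf on SIGHUP, are the kind of thing that is worth scripting so the two steps cannot be done in the wrong order or half-way. The script below is an added example, not from the book: inetd_set adds or removes the leading # on every entry whose first column is the given service, matching the whole column so that "ftp" does not touch "tftp" and so that the tcp and tcp6 lines change together; inetd_reload sends the SIGHUP from the text. The sample file is constructed, the function names are the example's own, and it assumes pgrep and killall are available; on a real system you would pass /etc/inetd.conf and run as root.

```shell
#!/bin/sh
# Added example, not from the book: the enable/disable-and-reload steps
# above as shell functions. inetd_set adds or removes the leading '#' on
# every entry whose first column is the given service (so "ftp" leaves
# "tftp" alone, and the tcp and tcp6 lines change together); inetd_reload
# sends the SIGHUP from the text. The sample file is constructed; on a
# real system you would pass /etc/inetd.conf and run as root.

SAMPLE_INETD_CONF='#ftp     stream  tcp   nowait  root  /usr/libexec/ftpd     ftpd -l
#ftp     stream  tcp6  nowait  root  /usr/libexec/ftpd     ftpd -l
tftp     dgram   udp   wait    root  /usr/libexec/tftpd    tftpd -l -s /tftpboot
#telnet  stream  tcp   nowait  root  /usr/libexec/telnetd  telnetd
'

# inetd_set FILE SERVICE enable|disable
# Rewrites FILE in place; lines for other services are copied unchanged.
inetd_set() {
    file=$1 svc=$2 mode=$3
    tmp=$(mktemp) || return 1
    awk -v svc="$svc" -v mode="$mode" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # drop any leading "#"
            split(line, f, /[[:space:]]+/)
            if (f[1] == svc) {
                if (mode == "disable") print "#" line
                else print line
            } else {
                print $0
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE mode and owner
    status=$?
    rm -f "$tmp"
    return $status
}

# inetd_is_enabled FILE SERVICE: succeeds if any uncommented entry matches.
inetd_is_enabled() {
    awk -v svc="$2" '
        BEGIN { rc = 1 }
        !/^[[:space:]]*#/ && $1 == svc { rc = 0 }
        END { exit rc }
    ' "$1"
}

# inetd_reload: make a running inetd re-read its configuration.
# killall -1 is the same signal as -HUP. Assumes pgrep and killall exist.
inetd_reload() {
    if pgrep -x inetd >/dev/null 2>&1; then
        killall -HUP inetd
    else
        echo "inetd is not running; nothing to reload" >&2
        return 1
    fi
}

# Demonstration on a scratch copy of the constructed sample.
demo=$(mktemp)
printf '%s' "$SAMPLE_INETD_CONF" > "$demo"
inetd_set "$demo" ftp enable
echo "After enabling ftp:"; cat "$demo"
inetd_set "$demo" ftp disable
echo "After disabling ftp again:"; cat "$demo"
rm -f "$demo"
```

For the procedure in the text you would run, as root, inetd_set /etc/inetd.conf ftp disable && inetd_reload, and only then start ftpd -D; until inetd has re-read the file it still holds port 21, which is exactly the failure the last step above warns about.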

For security reasons, you will probably want to add options such as logging and anonymous ftp. We'll look at how to do that in the next two sections.

anonymous ftp