Quick HOWTO : Ch16 : Telnet, TFTP, and xinetd/zh

From Ubuntu Chinese

Revision as of 13:17, 18 December 2008 (Thu) by Ranfow (talk | contribs): Controlling xinetd-managed applications


Introduction

Many Linux network applications don't provide access restrictions on, or binding to, a particular TCP port by themselves; instead they frequently hand much of this work to a program suite built specifically for the purpose. That suite is xinetd.

Managing the xinetd Program

Fedora Linux installs xinetd by default and uses /etc/xinetd.conf as its main configuration file. Fortunately you will rarely need to edit this file, so the day-to-day work with xinetd consists of starting and stopping the programs that xinetd manages.

Controlling xinetd

Starting and stopping the xinetd daemon is controlled by scripts in the /etc/init.d directory. Its behaviour at boot time is controlled by chkconfig.

Once the system has booted, you can start, stop or restart the xinetd process with the following commands:

[root@bigboy tmp]# service xinetd start
[root@bigboy tmp]# service xinetd stop
[root@bigboy tmp]# service xinetd restart

To have xinetd run when the machine boots, use the chkconfig command:

[root@bigboy tmp]# chkconfig xinetd on

Controlling xinetd-Managed Applications

Applications managed by xinetd keep all their configuration files in the /etc/xinetd.d directory. You tell xinetd whether it may start an application by setting the disable value in that application's configuration file to yes or no.

You don't have to edit these files to activate or deactivate an application; the chkconfig command starts or stops it for you automatically! Here is an example of activating and deactivating the Samba SWAT web GUI management application.

[root@bigboy tmp]# chkconfig swat on
[root@bigboy tmp]# chkconfig swat off

Telnet

Telnet is a program that allows users to log into your server and get a command prompt just as if they were logged into the VGA console. The Telnet server RPM is installed and disabled by default on Fedora Linux.

One of the disadvantages of Telnet is that the data is sent as clear text. This means that it is possible for someone to use a network analyzer to peek into your data packets and see your username and password. A more secure method for remote logins would be via Secure Shell (SSH) which uses varying degrees of encryption.

In spite of this, the older Telnet application remains popular. Many network devices don't have SSH clients, making telnet the only means of accessing other devices and servers from them. Ways to limit your exposure to Telnet's insecurities are covered later in this chapter.

Using The Telnet Client

The command to do remote logins via telnet from the command line is simple. You enter the word telnet and then the IP address or server name to which you want to connect.

Here is an example of someone logging into a remote server named smallfry from server bigboy. The user looks at the routing table and then logs out.

[root@bigboy tmp]# telnet 192.168.1.105
Trying 192.168.1.105...
Connected to 192.168.1.105.
Escape character is '^]'.

Linux 2.4.18-14 (smallfry.my-site.com) (10:35 on Sunday, 05 January 2003)

Login: peter
Password:
Last login: Fri Nov 22 23:29:44 on ttyS0
You have new mail.
[peter@smallfry peter]$
[peter@smallfry peter]$ netstat -nr
Kernel IP routing table
Destination     Gateway       Genmask         Flags  MSS Window irtt Iface
255.255.255.255 0.0.0.0       255.255.255.255 UH     40  0      0    wlan0
192.168.1.0     0.0.0.0       255.255.255.0   U      40  0      0    wlan0
127.0.0.0       0.0.0.0       255.0.0.0       U      40  0      0    lo
0.0.0.0         192.168.1.1   0.0.0.0         UG     40  0      0    wlan0
[peter@smallfry peter]$ exit
logout

Connection closed by foreign host.
[root@bigboy tmp]#

Installing The Telnet Server Software

Older versions of RedHat had the Telnet server installed by default. Fedora Linux doesn't do this and you will have to install it yourself.

Most Linux software products are available in a precompiled package format. Downloading and installing packages isn't hard. If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail.

When searching for the file, remember that the Telnet server RPM's filename usually starts with the word "telnet-server" followed by a version number as in telnet-server-0.17-28.i386.rpm.

With Debian / Ubuntu, the Telnet server package would have a "telnetd" prefix like this: telnetd_0.17-32_i386.deb.

Setting Up A Telnet Server

Setting up the telnet server is easy to do, but the procedure differs between Linux distributions.

Redhat / Fedora

To set up a Telnet server use the chkconfig command to activate Telnet.

[root@bigboy tmp]# chkconfig telnet on

You can also use the chkconfig --list command to verify that telnet will be started on the next reboot.

[root@bigboy tmp]# chkconfig --list | grep telnet
       telnet: on
[root@bigboy tmp]#

Use the chkconfig command to deactivate telnet; the change also persists across the next reboot.

[root@bigboy tmp]# chkconfig telnet off

Debian / Ubuntu

In Debian / Ubuntu, the Telnet server runs under the inetd daemon, not xinetd, and inetd uses a single /etc/inetd.conf configuration file to manage the activation of the daemons it controls.

To stop Telnet you need only to edit the configuration file, comment out the Telnet server line, and restart inetd as seen in this example:

root@u-bigboy:~# vi /etc/inetd.conf 
...
...
...

#
# File: /etc/inetd.conf 
#

#telnet         stream  tcp     nowait  telnetd.telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd

...
...
...

root@u-bigboy:~# /etc/init.d/inetd restart
 * Restarting internet superserver...
   ...done.
root@u-bigboy:~# netstat -a | grep telnet
root@u-bigboy:~#

Note: The xinetd package provides much more flexibility than its inetd equivalent. xinetd allows you to restrict connections to specific source IP addresses and allows you to specify the TCP port and server IP address on which to listen. You may want to convert your system to use the xinetd package for Telnet by installing xinetd and creating your own custom /etc/xinetd.d/telnet configuration file. The rest of the examples in this chapter assume that the more versatile xinetd is being used.

Note: You can test whether the Telnet process is running with the following command, which lists the TCP/UDP ports on which your server is listening. If Telnet isn't running, the command produces no output.

[root@bigboy tmp]# netstat -a | grep telnet
tcp        0        0        *:telnet        *:*        LISTEN 
[root@bigboy tmp]#

Basic Telnet Security

There are a number of things you can do to improve the security of telnet. For example, you should try to ensure that telnet sessions run only over secure internal networks or across VPNs, to reduce the risk of exposing sensitive data to unauthorized eyes. Some other options follow.

Let Telnet Listen On Another TCP Port

Letting telnet run on an alternate TCP port doesn't encrypt the traffic, but it makes it less likely to be detected as telnet traffic. Remember that this isn't a foolproof strategy; good port scanning programs can detect telnet and other applications running on alternative ports.

1) Edit your /etc/services file and add an entry for a new service. Call it stelnet.

# Local services
stelnet         7777/tcp                        # "secure" telnet

2) Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:

[root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

3) Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 7777.

# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service stelnet
{
       flags          = REUSE
       socket_type    = stream
       wait           = no
       user           = root
       server         = /usr/sbin/in.telnetd
       log_on_failure += USERID
       disable        = no
       port           = 7777
}

4) Use chkconfig to activate stelnet.

[root@bigboy tmp]# chkconfig stelnet on

5) Check to make sure your server is now listening on port 7777 with the netstat command.

[root@bigboy tmp]# netstat -an | grep 777
tcp   0  0 0.0.0.0:7777       0.0.0.0:*          LISTEN
[root@bigboy tmp]#

You should now be able to log in to the new stelnet server on port 7777. This is done using the telnet command with the TCP port as the second argument.

[root@smallfry tmp]# telnet 192.168.1.100 7777
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
Fedora Core release 2 (Tettnang)
Kernel 2.6.8-1.521 on an i686
login:

Let Telnet Allow Connections From Trusted Addresses

You can restrict telnet login access to individual remote servers by using the only_from keyword in the telnet configuration file. Here's how.

1) Add a list of trusted servers to the /etc/xinetd.d/telnet file separated by spaces:

# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service telnet
{
       flags          = REUSE
       socket_type    = stream
       wait           = no
       user           = root
       server         = /usr/sbin/in.telnetd
       log_on_failure += USERID
       disable        = no
       only_from      = 192.168.1.100 127.0.0.1 192.168.1.200
}

2) Restart telnet.

[root@bigboy tmp]# chkconfig telnet off
[root@bigboy tmp]# chkconfig telnet on

3) Test the telnet session. Servers that are not on the trusted list get the message Connection closed by foreign host.

[root@smallfry tmp]# telnet 192.168.1.100
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
Connection closed by foreign host.
[root@smallfry tmp]#
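As an added example (not part of the original HOWTO), the following Python script parses service stanzas in the /etc/xinetd.d format used in this chapter, reports enabled services (the disable attribute from the xinetd section) that carry no only_from list, and evaluates an only_from list against a client address using the address forms documented in xinetd.conf(5): an exact IPv4 address, a CIDR block a.b.c.d/bits, and a dotted address whose trailing zero octets are wildcards (192.168.1.0 matches the whole 192.168.1 net). The two stanzas are constructed samples modelled on the telnet and stelnet files above; hostnames and factorized addresses such as 192.168.1.{100,200} are not handled.

```python
"""Audit xinetd stanzas: flag enabled services lacking only_from, and test whether a client
address passes an only_from list (xinetd.conf(5) forms: exact IPv4, CIDR, trailing-zero wildcards)."""
import ipaddress
import re

# Constructed sample stanzas in the format shown on this page (not real files).
SAMPLE_XINETD_D = {
    "telnet": """service telnet
{
       server         = /usr/sbin/in.telnetd
       disable        = no
       only_from      = 192.168.1.100 127.0.0.1 192.168.1.200
}""",
    "stelnet": """service stelnet
{
       server         = /usr/sbin/in.telnetd
       disable        = no
       port           = 7777
}""",
}

def parse_service(text):
    """Return {attribute: [values]} for the first 'service name { ... }' stanza."""
    body = re.search(r"service\s+\S+\s*\{(.*?)\}", text, re.S).group(1)
    attrs = {}
    for line in body.splitlines():
        m = re.match(r"\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$", line)
        if m:  # '=' and '+=' both add values; '-=' is rare and ignored here
            attrs.setdefault(m.group(1), []).extend(m.group(3).split())
    return attrs

def only_from_allows(patterns, client):
    """True if client (dotted IPv4 string) matches any only_from pattern."""
    ip = ipaddress.IPv4Address(client)
    for p in patterns:
        if "/" in p:  # CIDR form, e.g. 192.168.1.0/24
            if ip in ipaddress.IPv4Network(p, strict=False):
                return True
            continue
        octets = p.split(".")
        while octets and octets[-1] == "0":  # trailing zeros are wildcards; 0.0.0.0 matches all
            octets.pop()
        if client.split(".")[:len(octets)] == octets:
            return True
    return False

def unrestricted_services(files):
    """Enabled services (disable defaults to no) that have no only_from list."""
    parsed = {n: parse_service(t) for n, t in files.items()}
    return [n for n, a in parsed.items() if a.get("disable", ["no"])[0] == "no" and "only_from" not in a]
```

Run against the samples, unrestricted_services returns ['stelnet']: moving Telnet to port 7777 restricts no one, while the only_from list on the telnet service is an actual access control that rejects 192.168.1.50 and admits 192.168.1.200.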