Solaris安裝
一、相關信息: 1、 說明:
xinetd取代了inetd+tcp_wrappers,並且提供了訪問控制、加強的日志和資源管理功能,已經成了Internet標准超級守護進程。但是現在還沒有在solaris上的完整安裝配置手冊,我希望寫一個關於在solaris上的傻瓜安裝配置手冊。
2、 基本信息
服務器基本信息:Sun-Fire-280R
操作系統:SunOS 5.8 Generic_117350-02
3、 Xinetd軟件信息
軟件版本:2.3.10
下載地址:
ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/xinetd-2.3.10-sol8-sparc-local.gz
軟件包說明:該軟件包已經添加了--with-libwrap、--with-loadavg、--with-inet6編譯模塊選項。
4、 系統默認使用xinetd的服務可以分為如下幾類:
標准internet服務:telnet ftp
信息服務:finger netstat systat
郵件服務:imap imaps pop2 pop3 pops
RPC服務:rquotad rstatd rusersd sprayd walld
BSD服務:comsat exec login ntalk shell talk
內部服務:chargen daytime echo servers services time
安全服務:irc
其他服務:name tftp uucp
5、 更多支持信息:
http://www.xinetd.org/
二、安裝配置xinetd 1、安裝過程
1)#gzip –d xinetd-2.3.10-sol8-sparc-local.gz
2)#pkgadd –d xinetd-2.3.10-sol8-sparc-local
沒有報錯的話,安裝完畢。
2、xinetd軟件安裝後的基本信息
1)文檔位置:/usr/local/doc/xinetd
裡面有安裝說明和配置文件文檔。
2)命令位置:/usr/local/sbin/
Xinetd、xconv.pl、itox
3、配置過程:
說明:配置主要涉及倆個文件:/etc/init.d/inetsvc(需要修改)和/etc/xinetd.conf(需要生成)
1)生成/etc/xinetd.conf文件:
a) 說明:/etc/xinetd.conf這個文件是由/etc/inetd.conf文件轉換生成的!主要是xinetd替代inetd以後的配置文件
b) 生成命令:
# /usr/local/sbin/xconv.pl < /etc/inetd.conf > /etc/xinetd.conf
c) 注意:
在/etc/inetd.conf裡面可以事先去掉不必要的端口,如finger、login等,在/etc/xinetd.conf可以得到比較簡潔的配置文。(我在轉換前在/etc/inetd.conf文件裡只保留了telnet和ftp)需要別的服務如ssh等可以自己添加。
2)修改/etc/init.d/inetsvc文件:
主要有倆個地方需要修改:
a) 修改一:(建議注釋掉舊的配置,添加新的配置)
修改前:/usr/bin/pkill -x -u 0 'in.named|inetd'
修改後:/usr/bin/pkill -x -u 0 'in.named|xinetd'
b) 修改二:
修改前/usr/sbin/inetd -s &
修改後:/usr/local/sbin/xinetd -s &
3)測試:
停止原來的服務:# /etc/init.d/inetsvc stop
啟動新的服務:# /etc/init.d/inetsvc start
檢查進程:#ps –ef|grep inetd
殺掉得到的進程號:#kill -9 ***
查看xinetd的進程:#ps –ef|grep xinetd
顯示如下xinetd配置正常:
root 158 1 0 15:41:50 ? 0:00 /usr/local/sbin/xinetd –s
備注:
Xinetd啟動過程有問題,一般是/etc/xinetd.conf配置文件的原因。
三、用xinetd限制ssh登陸配置過程: 1、測試方法:
1)編輯/etc/xinetd.conf:
添加如下:
service ssh
{
socket_type = stream
wait = no
user = root
server = /usr/local/sbin/sshd
port = 22
server_args = -i
only_from = 192.0.0.109
}
2、測試過程:
重新啟動機器,查看xinetd加載是否正常。
從內網192.0.0.109 ssh登陸服務器可以登陸為正常。
別的IP ssh登陸服務器不可以登陸為正常。
3、注意:
SSH安裝以後,不用在/etc/rc2.d下面添加S99sshd,因為xinetd已經可以啟動ssh進程了。否則達不到限制ip的作用。
四、備注: 安裝完成以後服務器狀態:
#nmap -P0 127.0.0.1
22/tcp open ssh
只留了ssh端口,而且可以限制ssh登陸的IP地址為:內網的192.0.0.109
-----------------------------------------------------
完整的/etc/init.d/inetsvc文件:
# more /etc/init.d/inetsvc
#!/sbin/sh
#
# Copyright (c) 1995, 1997-1999 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)inetsvc 1.24 99/03/21 SMI"
#
# This is third phase of TCP/IP startup/configuration. This script
# runs after the NIS/NIS+ startup script. We run things here that may
# depend on NIS/NIS+ maps.
#
case "$1" in
'start')
;; # Fall through -- rest of script is the initialization code
'stop')
# /usr/bin/pkill -x -u 0 'in.named|inetd'
/usr/bin/pkill -x -u 0 'in.named|xinetd'
exit 0
;;
*)
echo "Usage: $0 { start | stop }"
exit 1
;;
esac
# If boot variables are not set, set variables we use
[ -z "$_INIT_UTS_NODENAME" ] && _INIT_UTS_NODENAME=`/usr/bin/uname -n`
if [ -z "$_INIT_PREV_LEVEL" ]; then
set -- `/usr/bin/who -r`
_INIT_PREV_LEVEL="$9"
fi
#
# wait_nis
# Wait up to 5 seconds for ypbind to obtain a binding.
#
wait_nis ()
{
for i in 1 2 3 4 5; do
server=`/usr/bin/ypwhich 2>/dev/null`
[ $? -eq 0 -a -n "$server" ] && return 0 || sleep 1
done
return 1
}
#
# We now need to reset the netmask and broadcast address for our network
# interfaces. Since this may result in a name service lookup, we want to
# now wait for NIS to come up if we previously started it.
#
domain=`/usr/bin/domainname 2>/dev/null`
[ -z "$domain" ] || [ ! -d /var/yp/binding/$domain ] || wait_nis || echo "WARNING: Timed out waiting for NIS to come up" >& 2
#
# Re-set the netmask and broadcast addr for all IP interfaces. This ifconfig
# is run here, after waiting for name services, so that "netmask +" will find
# the netmask if it lives in a NIS map. The 'D' in -auD tells ifconfig NOT to
# mess with the interface if it is under DHCP control
#
/usr/sbin/ifconfig -auD4 netmask + broadcast +
# Uncomment these lines to print complete network interface configuration
# echo "network interface configuration:"
# /usr/sbin/ifconfig -a
#
# If this machine is configured to be an Internet Domain Name System (DNS)
# server, run the name daemon. Start named prior to: route add net host,
# to avoid dns gethostbyname timout delay for nameserver during boot.
#
if [ -f /usr/sbin/in.named -a -f /etc/named.conf ]; then
echo 'starting internet domain name server.'
/usr/sbin/in.named &
fi
if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
dnsdomain=`/sbin/dhcpinfo DNSdmain`
else
dnsdomain=
fi
if [ -n "$dnsdomain" ]; then
dnsservers=`/sbin/dhcpinfo DNSserv`
if [ -n "$dnsservers" ]; then
if [ -f /etc/resolv.conf ]; then
/usr/bin/rm -f /tmp/resolv.conf.$$
/usr/bin/sed -e '/^domain/d' -e '/^nameserver/d' /etc/resolv.conf >/tmp/resolv.conf.$$
fi
echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
for name in $dnsservers; do
echo nameserver $name >>/tmp/resolv.conf.$$
done
else
if [ -f /etc/resolv.conf ]; then
/usr/bin/rm -f /tmp/resolv.conf.$$
/usr/bin/sed -e '/^domain/d' /etc/resolv.conf >/tmp/resolv.conf.$$
fi
echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
fi
#
# Warning: The umask is 000 during boot, which requires explicit
# setting of file permission modes when we create files.
#
/usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
/usr/bin/chmod 644 /etc/resolv.conf
# Add dns to the nsswitch file, if it isn't already there.
/usr/bin/rm -f /tmp/nsswitch.conf.$$
/usr/bin/awk ' $1 ~ /^hosts:/ {
n = split($0, a);
newl = a[1];
if ($0 !~ /dns/) {
printf("#%s # Commented out by DHCP\n", $0);
updated = 0;
for (i = 2; i <= n; i++) {
if (updated == 0 && ind