Summoning Daemons
4 Summoning daemons
Network services are run by daemons. Having done the deed of configuring a
network service, see section 9.3, by editing textfiles and ritually sacrificing a
few doughnuts, we reach the point where we have to actually start the
daemon in order to see the fruits of those labors. There are two ways to start
network daemons:
On demand: that is, only when a network request arrives. We use the inetd
daemon to monitor requests for a new service. It starts the daemon to handle
requests on a one-off basis. Not all services should be started in this way. One
should normally follow the guidelines in the documentation for the service
concerned.
The SVR4 version of the init program is growing in popularity and is used by
several GNU/Linux distributions. The idea with this program is to start the
system in one of a number of run-levels. Run-levels decide how many
services will be started when the system boots. The minimum level of
operation is single-user mode, or run-level s. Full operation is usually run-level 2 or 3, depending on the type of system. (NB: be sure to check this!)
When entering a run-level, init looks in a directory called /etc/rc?.d and
executes scripts in this directory. For instance, if we are entering run-level 2,
init would look in the directory /etc/rc2.d and execute scripts lying there in
order to start necessary services for this run-level. All one has to do to add a
new service is to make a new file here which conforms to init's simple rules.
The files in these directories are usually labelled according to the following
pattern:
S number-function
K number-function
Files beginning with S are for starting services and files beginning with K are
for killing them again when the system is halted. The number is used to
determine the order in which the scripts are read. It does not matter if two
scripts have the same number, as long as it does not matter what order they
are executed. Finally the function tells us what the script does.
1. Determine the correct run-level for the service. Let us suppose that it is
run-level 2.
2. Choose an unused filename, say S99http.
3. Create a script accepting a single argument:
#!/bin/sh
# init calls this script with "start" when entering the run-level
# and with "stop" when leaving it.
case $1 in
start) /usr/local/bin/httpd -d /usr/local/lib/httpd ;;
stop)  kill `cat /usr/local/lib/httpd/logs/httpd.pid` ;;   # pid recorded by httpd at start
*)     echo "Syntax error starting http" ;;
esac
The advantage of this system is that software packages can be added and
removed transparently just by adding or removing a file. No special editing is
required as is the case for BSD Unix.
The BSD style is rather simple. It starts executing a shell script called /etc/rc
which then generally calls other child-scripts. These scripts start important
dae-mons and configure the system. To add our own local modifications, we
have to edit the file /etc/rc.local. This is a Bourne shell script. The BSD
approach has a simpler structure than the system 5 inittab directories, but it is
harder to manipulate package-wise.
#
# NB wu-ftpd needs -a now
#
ftp      /usr/sbin/in.ftpd       in.ftpd -a
telnet   /usr/sbin/in.telnetd    in.telnetd
finger   /local/etc/in.fingerd   in.fingerd
The first column is the name of the service from /etc/services. The next
column is the type of connection (stream or dgram or tli), then comes the
protocol type (tcp/udp etc). The wait column indicates whether the service is
to be single or multi-transaction, i.e. whether new requests should wait for an
existing request to complete or whether a new daemon should be started in
parallel. The last two columns contain the location of the program which
should handle the request and the actual command line (including options)
which should be executed. Notice that the finger daemon runs as a special
user with no privileges. To add a new service, we edit the file /etc/inetd.conf
and then send the inetd process the HUP signal. To do this, we find the
process id:
Then we type:
...to start another daemon, we will often see the error message
This means that another daemon is already running. This error can occur if
two copies of inetd are started, or if we try to start a daemon twice, or indeed
if we try to place a service in inetd and start a daemon at the same time. The
error can also occur within a finite time-window after a service has crashed,
but the problem should right itself within a few minutes.1
9.4.5
One of the problems with inetd is that it accepts connections from any host
and passes them to services registered in its configuration file without
question. In today's network climate this is a dangerous step and it is usually
desirable to limit the availability of certain services. For instance, services
which are purely local (like RPC) should never be left open so that outside
users could try to exploit them. In short, services should only be made
available to those who need them. If they are left open to those who do not
need them, we invite attacks on the system.
TCP wrappers is a solution to this problem for IPv4 connections only. In
short, it gives us the possibility of adding Access Control Lists (ACLs) to
network services. TCP wrappers exists in two forms: as the tcpd daemon, and
as a library which stand-alone programs can link to, called libwrap.a.
Services which are not explicitly compiled with the library can use the
daemon as a wrapper, if the services can be started from inetd. TCP wrapper
expects to find the daemons it proxies for in a special directory. It requires
two configuration files, one which grants access to services and one which denies
access. If services are not listed explicitly, TCP wrappers does nothing to
prevent connection.
The file to allow access to a service overrides the file to deny access, thus one
normally denies access to all services as a default measure and opens specific
services one by one (see below). The hosts.allow file contains the names of
daemons followed by a list of hosts or IP addresses, or domains or network
series. The word LOCAL matches any host which has an unqualified host
name. If we are opening a service to our local domain, it is often necessary to
have both the domain suffix and the word LOCAL, since different operating
systems employ different name services in different ways. (LOCAL matches
hostnames without any domain ending.)
# hosts.allow
Note how IPv6 addresses must be bracketed. Be warned that not all programs
understand IPv6 addressing, so these entries might cause services to crash
(especially RPC). (See section 2.9.)
The TCP wrapper service works mainly for plain TCP streams, but in
some operating systems (notably GNU/Linux) RPC services can also be
placed under its umbrella. The portmapper and NFS mount daemons are also
subject to TCP wrapper access controls. Note that we have to use IP
addresses here. Hostnames are not accepted.
Apart from those explicitly mentioned above, all other services are
denied access like this in /etc/hosts.deny:
ALL: ALL
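The two facts above (hosts.allow overrides hosts.deny; a daemon no rule names is not restricted at all) and the inetd.conf column layout described earlier can be checked mechanically. The following script is an added example, not from the book: it reads constructed copies of inetd.conf, hosts.allow and hosts.deny and reports, per inetd service, the wrapper verdict, whether inetd actually routes the daemon through tcpd, and whether it runs as root. The tcpd path, daemon names and rules are assumed sample values.

```shell
#!/bin/sh
# Added example, not from the book: audit inetd.conf entries against the
# TCP wrappers files. All three files are constructed sample input.
WORK=$(mktemp -d)
cat > "$WORK/inetd.conf" <<'EOF'
# service  type    proto  wait    user    server                command
ftp        stream  tcp    nowait  root    /usr/sbin/tcpd        in.ftpd -a
telnet     stream  tcp    nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger     stream  tcp    nowait  nobody  /usr/sbin/tcpd        in.fingerd
EOF
cat > "$WORK/hosts.allow" <<'EOF'
in.ftpd: LOCAL, .example.org
EOF
cat > "$WORK/hosts.deny" <<'EOF'
ALL: ALL
EOF

# Does file $2 carry a rule naming daemon $1? The daemon list is everything
# before the first colon; the keyword ALL matches every daemon.
has_rule() {
    awk -F: -v d="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { n = split($1, names, /[ \t,]+/)
          for (i = 1; i <= n; i++) if (names[i] == d || names[i] == "ALL") { found = 1; exit } }
        END { exit !found }' "$2"
}

# Verdict for one daemon: "allow" if hosts.allow names it (allow wins over
# deny), "deny" if only hosts.deny does, "open" if neither file mentions it.
verdict() {
    if has_rule "$1" "$2"; then echo allow
    elif has_rule "$1" "$3"; then echo deny
    else echo open; fi
}

# One line per active inetd.conf entry: service, daemon, verdict, and whether
# the rule can take effect at all (only when inetd starts the daemon via tcpd;
# a daemon started directly is wrapped only if it was linked with libwrap).
audit_inetd() {
    awk '!/^[ \t]*#/ && NF >= 7 { n = split($6, p, "/"); print $1, $7, p[n], $5 }' "$1" |
    while read -r svc daemon server user; do
        v=$(verdict "$daemon" "$2" "$3")
        [ "$server" = tcpd ] && via=wrapped || via=unwrapped-unless-libwrap
        [ "$user" = root ] && via="$via,root"
        echo "$svc $daemon $v $via"
    done
}

audit_inetd "$WORK/inetd.conf" "$WORK/hosts.allow" "$WORK/hosts.deny"
```

With the sample files, finger is denied to everyone because only the catch-all deny names it, and telnet is reported as unwrapped because inetd runs in.telnetd directly rather than through tcpd.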