Chapter 12
Basic network services

In this chapter:

Configuring basic services that are initialized by inetd
Configuring inetd to run recurring services: echo, daytime, chargen, and time
Enabling other services: shell, login, telnet, talk, ntalk, finger, systat, netstat, pop, and ident

Before looking at services that involve more complex configurations,
we look at the ones that are easy to set up. Basic doesn't mean that
the service is not useful or less complex. On the contrary, these are
rather important services that are frequently used. Basic is meant in
terms of the setup of the service.
The services listed in this chapter need very little maintenance. They
are started by inetd and most of them receive their configuration on
the command line entry without the need of a somewhat complex
configuration file. SuSE provides a working example of
/etc/inetd.conf. In this section, we discuss what these
services are rather than how to start them. Providing these services
is an easy task -- you simply remove the comment sign (a hash:
#) from the line in /etc/inetd.conf. Most
of the services are active by default, and no action needs to be
taken.

12.1 Services provided by inetd

We start with the services handled solely by the superserver,
inetd. These are as follows.

12.1.1 echo

The echo service simply "echoes" everything that is sent to this port. You can enable
this service and try it by simply connecting to the echo port using
telnet and typing something. It will be echoed to you as soon as you press Enter:

> telnet localhost echo
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hi echo service
Hi echo service
please repeat this line
please repeat this line
^]
telnet> q
Connection closed.

12.1.2 daytime

This service gives you the local time in "human-readable form." Again,
you can test it by using telnet:

> telnet localhost daytime
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Sun Feb 14 00:10:51 1999
Connection closed by foreign host.

12.1.3 chargen

The character generation service. Connecting to this service will give
you an endless stream of ASCII characters:

> telnet localhost chargen
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklm
'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmn
()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno
)*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnop
*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq
+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqr
,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrs
-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrst
[...]

12.1.4 time

Nearly the same as the daytime service, but this service returns the
time in machine-readable format, which is equal to the number of
seconds that have elapsed since midnight, January 1, 1900. This
service is used by utilities such as netdate to set the local time
from a remote source used as a reference.
These four services (echo, daytime, chargen, and time) need no special
application to activate them. Their beauty lies in the fact that
they are handled by inetd.
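The following Python program is an added example, not code from the book and not the code inside inetd. It implements the four built-in services (echo, RFC 862; daytime, RFC 867; chargen, RFC 864; time, RFC 868) the way inetd hands a connection to an external "nowait" stream service: the connection is stdin and stdout. The daytime format follows the transcript above; the 1900-to-1970 offset of 2208988800 seconds and the 72-character chargen pattern come from the RFCs, and the 32-bit rollover handling in 2036 is a caveat the protocol itself imposes.

```python
#!/usr/bin/env python3
"""Reference implementations of inetd's four internal stream services.
Added example: run as `python3 inetd_builtins.py <echo|daytime|chargen|time>`
and it speaks the protocol on stdin/stdout, like an inetd 'nowait' service."""
import sys
from datetime import datetime, timezone

# RFC 868 counts seconds from 1900-01-01 00:00 UTC, Unix time from 1970-01-01.
# The gap is 70 years including 17 leap days: 2208988800 seconds.
SECONDS_1900_TO_1970 = 2_208_988_800

# RFC 864: the 95 printable ASCII characters, space (0x20) through tilde (0x7E).
CHARGEN_RING = bytes(range(0x20, 0x7F))
CHARGEN_LINE = 72


def echo_reply(data: bytes) -> bytes:
    """RFC 862: send back exactly what was received, byte for byte."""
    return data


def daytime_line(now: datetime) -> str:
    """RFC 867 leaves the format to the server; this is the ctime-style line
    seen in the chapter's transcript, e.g. 'Sun Feb 14 00:10:51 1999'."""
    return now.strftime("%a %b %d %H:%M:%S %Y")


def chargen_line(index: int) -> str:
    """RFC 864 pattern: line n is 72 characters starting at ring position
    n mod 95; the ring wraps from '~' back to ' '."""
    start = index % len(CHARGEN_RING)
    doubled = CHARGEN_RING + CHARGEN_RING      # avoids wrap-around arithmetic
    return doubled[start:start + CHARGEN_LINE].decode("ascii")


def time_bytes(unix_seconds: int) -> bytes:
    """RFC 868 reply: unsigned 32-bit big-endian seconds since 1900.
    The field rolls over in February 2036, hence the mask."""
    since_1900 = unix_seconds + SECONDS_1900_TO_1970
    return (since_1900 & 0xFFFFFFFF).to_bytes(4, "big")


def parse_time_reply(reply: bytes) -> int:
    """Inverse of time_bytes: what a client such as netdate does with the reply."""
    return int.from_bytes(reply, "big") - SECONDS_1900_TO_1970


def serve(service: str, inp, out) -> None:
    """Dispatch one connection (inetd gives us stdin/stdout) to a service."""
    if service == "echo":
        for chunk in iter(inp.readline, b""):
            out.write(echo_reply(chunk))
            out.flush()
    elif service == "daytime":
        out.write((daytime_line(datetime.now()) + "\r\n").encode("ascii"))
        out.flush()
    elif service == "chargen":
        n = 0
        try:
            while True:                      # endless by design; client hangs up
                out.write((chargen_line(n) + "\r\n").encode("ascii"))
                out.flush()
                n += 1
        except BrokenPipeError:
            pass
    elif service == "time":
        now = int(datetime.now(timezone.utc).timestamp())
        out.write(time_bytes(now))
        out.flush()
    else:
        raise SystemExit(f"unknown service {service!r}")


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "daytime"
    serve(name, sys.stdin.buffer, sys.stdout.buffer)
```

To try it without inetd, pipe a line into `python3 inetd_builtins.py echo`, or run the `time` variant and feed the four bytes to `parse_time_reply`; the same functions are what you would place behind an inetd.conf entry for a service that is not marked `internal`.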

12.2 Standard Services

There are more easy-to-configure and useful services. Brief explanations
follow.

12.2.1 shell

Provides remote shell access. This service allows the execution of
single commands, where the output is returned to the requester. This
service is provided by the /usr/sbin/in.rshd
daemon. Please refer to the rshd(8) and
rsh(1) man pages for more details on this service. We
recommend that you not enable this service because it has proven to be
insecure. If you want or need to have this functionality, a far
better choice is the secure shell, which is provided by sshd and is
discussed in Chapter 13.

12.2.2 login

Almost the same as the telnet service, but uses the same
kind of (weak) authentication features found in the shell
service. The daemon for this service is
/usr/sbin/in.rlogind. You should not enable this service,
for the same reasons given for shell: it too is insecure. As in the
previous example, sshd provides the same functionality,
but with greater security.

12.2.3 telnet

The DARPA telnet interactive communication protocol. This service
allows remote login sessions on the machine providing the service. The
daemon providing this service is /usr/sbin/in.telnetd. Connecting to
the telnet port will give you a login: and
password: prompt just as you log in on the local
console:

> telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Welcome to SuSE Linux 6.0 (i386) - Kernel 2.2.1 (ttyp5).
Tosh login: bb
Password:
Have a lot of fun...
Last login: Sat Feb 13 19:19:21 on ttyp0 from Netwinder.suse.com.
You have mail.
Directory: /home/bb
Sun Feb 14 00:31:27 PST 1999
[tcshrc]
bb has logged on ttyp0 from netwinder.
bb has logged on ttyp5 from localhost.
[bb@Tosh:1] ~ >

This service has one special feature you should know about. It uses
the login program to actually log onto the machine. This means that it
is influenced by the settings in /etc/login.defs. SuSE
configures this file in a way that root logins over the telnet port
are prohibited when the variable ROOT_LOGIN_REMOTE in
/etc/rc.config is set to no. This is done for security
reasons. It doesn't mean that you can't log in remotely and perform
administrative work that requires root permissions. You can still do
this by logging in on a regular user account and using the utility
su (set user) to become root. The difference is that when
you use su, this will be logged in
/var/log/messages with the user name of the person who identified
himself or herself as root. The advantage of this method is obvious:
you can trace who logged in over a network connection, became root,
and exercised privileges not assigned to that user.
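The tracing the paragraph describes can be automated. The script below is an added example, not from the book: it reads syslog-style lines of the kind /var/log/messages holds and pairs every su to root with the most recent login on the same terminal, so that the remote host behind a root escalation can be recovered. The log lines are constructed, and the exact message formats (login's "LOGIN ON ... BY ... FROM ..." and su's "(to root) user on /dev/tty") are assumptions modelled on the shadow-utils messages, not text from the book; adapt the two regular expressions to what your login and su actually write.

```python
#!/usr/bin/env python3
"""Pair su-to-root records with the network login on the same tty.
Added example; the sample log and the message formats are constructed."""
import re

# Constructed sample in syslog style (host 'Tosh', user 'bb' as in the chapter).
SAMPLE_MESSAGES = """\
Feb 14 00:31:27 Tosh login[1234]: LOGIN ON ttyp5 BY bb FROM localhost
Feb 14 00:35:02 Tosh su: (to root) bb on /dev/ttyp5
Feb 14 00:40:11 Tosh login[1300]: LOGIN ON ttyp0 BY alice FROM netwinder
Feb 14 00:41:00 Tosh su: (to root) alice on /dev/ttyp0
Feb 14 00:42:00 Tosh su: FAILED SU (to root) mallory on /dev/ttyp1
Feb 14 00:43:00 Tosh su: (to postgres) bb on /dev/ttyp5
"""

# Assumed formats; the timestamp prefix is the classic "Mon DD HH:MM:SS".
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ login\[\d+\]: "
    r"LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<host>\S+)$")
SU_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ su: (?P<failed>FAILED SU )?"
    r"\(to (?P<target>\S+)\) (?P<user>\S+) on /dev/(?P<tty>\S+)$")


def trace_root_escalations(messages: str) -> list:
    """Return one record per su to root (successful or failed), joined with
    the last login seen on the same tty so the originating host is known."""
    last_login = {}          # tty -> (user, host) of the most recent login
    events = []
    for line in messages.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            last_login[m["tty"]] = (m["user"], m["host"])
            continue
        m = SU_RE.match(line)
        if not m or m["target"] != "root":
            continue         # su to a non-root account is not what we trace here
        login_user, host = last_login.get(m["tty"], (None, "unknown"))
        events.append({
            "time": m["ts"],
            "user": m["user"],
            "tty": m["tty"],
            "from": host,
            "success": m["failed"] is None,
            # A mismatch means the su was typed by someone other than the
            # account that logged in on that terminal.
            "login_user_matches": login_user == m["user"],
        })
    return events


def format_report(events: list) -> list:
    """Human-readable line per event, suitable for a daily review mail."""
    lines = []
    for e in events:
        outcome = "became root" if e["success"] else "FAILED to become root"
        lines.append(f'{e["time"]}: {e["user"]} {outcome} on {e["tty"]} '
                     f'(logged in from {e["from"]})')
    return lines


if __name__ == "__main__":
    for line in format_report(trace_root_escalations(SAMPLE_MESSAGES)):
        print(line)
```

Feed it the real file with `trace_root_escalations(open("/var/log/messages").read())`; an su record whose tty has no preceding login (the "unknown" case) or whose user differs from the login user is exactly the entry worth a second look.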

Even if telnet doesn't have the same (weak) authentication method
as the r-utilities have, it's still far from being secure. User name,
password, and the ongoing interactive session are transmitted
unencrypted over the Internet. This makes it possible to sniff for
passwords and even hijack the telnet session. We can't overemphasize
that ssh is a better choice than telnet and
should be used if possible.

12.2.4 talk

This service is used to notify a user that someone else wants to
initiate a conversation. It acts as a repository of invitations and
responds to requests from clients who wish to rendezvous for
conversation. The caller usually uses the command talk to initiate the
conversation. The daemon handling this is /usr/sbin/in.talkd.

12.2.5 ntalk

Same as the talk service, but it listens on another port, which
is usually used by ntalk(1).

12.2.6 finger

The daemon providing this service is
/usr/sbin/in.fingerd. This is a simple daemon based on
RFC 1196 that provides an interface to the finger program at most
network sites. The program is supposed to return either a friendly,
human-oriented status report on the state of the system at the moment
or provide in-depth information on a particular person. If this person
created the file ~/.plan, it will be displayed by
finger.

> finger bb
Login: bb Name: Bodo Bauer
Directory: /home/bb Shell: /bin/tcsh
Last login Sat Mar 20 15:03 (PDT) on :0 from console
No mail.
No Plan.

12.2.7 systat

Connecting to this service will return a status report of the system
to which you connect. On SuSE Linux systems, this is the output of
/bin/ps -auwwx.

> telnet localhost systat
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
warning: `-' deprecated; use `ps auwwx', not `ps -auwwx'
USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
at 161 0.0 0.0 892 112 ? S Aug 30 0:00 /usr/sbin/atd
bb 479 0.0 0.9 3884 1176 ? S Aug 30 0:04 Eterm
bb 548 0.0 0.0 2104 0 a0 SW Aug 30 0:00 (tcsh)
bb 573 79.5 0.2 628 320 a0 R N Aug 30 7185:50 (rc5des)
bb 617 0.0 0.3 3928 508 ? S Aug 30 0:06 Eterm
bb 626 0.0 0.0 2056 0 p0 SW Aug 30 0:01 (tcsh)
[...]
root 547 0.0 0.0 1632 124 ? S Aug 30 0:09 SCREEN -R
root 13898 0.0 0.6 1388 776 ? S 17:55 0:00 /usr/sbin/nmbd -D
root 13901 0.0 0.5 1760 752 ? S 17:55 0:00 /usr/sbin/smbd -D
root 14318 0.2 0.9 1908 1268 p6 S 20:34 0:00 -bash
root 31829 0.0 0.0 1912 0 p3 SW Sep 3 0:00 (bash)
root 31863 0.0 0.0 960 52 ? S Sep 3 0:00 /usr/sbin/lpd
root 32670 1.1 0.3 1520 424 p3 S Sep 3 39:40 top
wwwrun 214 0.0 0.0 5572 0 ? SW Aug 30 0:00 (httpd)
wwwrun 215 0.0 0.0 5572 0 ? SW Aug 30 0:00 (httpd)
wwwrun 218 0.0 0.0 5572 0 ? SW Aug 30 0:00 (httpd)
Connection closed by foreign host.

12.2.8 netstat

Similar to systat, but network focused. Requests to this service will
return the output of /bin/netstat -a.

> telnet localhost netstat
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:auth localhost:2086 TIME_WAIT
tcp 1 0 localhost:2086 localhost:auth CLOSE
tcp 0 0 localhost:netstat localhost:2085 ESTABLISHED
tcp 0 0 localhost:2085 localhost:netstat ESTABLISHED
tcp 0 0 localhost:auth localhost:2084 TIME_WAIT
tcp 0 0 localhost:netstat localhost:2083 TIME_WAIT
tcp 0 0 *:netstat *:* LISTEN
tcp 0 0 *:systat *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 localhost:4552 localhost:5001 CLOSE
tcp 0 0 *:1025 *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:mysql *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
[...]
unix 1 [ N ] STREAM CONNECTED 266 /tmp/.X11-unix/X0
unix 1 [ ] STREAM CONNECTED 255 /tmp/.X11-unix/X0
unix 1 [ ] STREAM CONNECTED 244 /tmp/.X11-unix/X0
unix 1 [ ] STREAM CONNECTED 239 /tmp/.X11-unix/X0
unix 1 [ ] STREAM CONNECTED 164 /tmp/.X11-unix/X0
unix 1 [ ] STREAM CONNECTED 144 /dev/log
unix 1 [ ] STREAM CONNECTED 142 /dev/log
unix 1 [ ] STREAM CONNECTED 134 /dev/log
unix 1 [ ] STREAM CONNECTED 80 /dev/log
unix 1 [ ] STREAM CONNECTED 61 /dev/log
unix 1 [ ] STREAM CONNECTED 57 /dev/log
Connection closed by foreign host.

12.2.9 POP

The Post Office Protocol. It is used to manage electronic mail for
Macintosh and MS-DOS computers. SuSE uses
/usr/sbin/popper to provide this service. There is not
very much to configure. You can turn logging on with the
-d flag, which makes popper write debug messages into
/var/log/messages. Statistical messages are turned on by
default (the -s flag is given in the default SuSE
configuration). This results in one-line log entries in
/var/log/messages for each POP request processed by the
server.

12.2.10 ident

The Identification Protocol (also called "ident" or sometimes "the
Ident Protocol") provides a means to determine the identity of a user
of a particular TCP connection. Given a TCP port number pair, it
returns a character string that identifies the owner of that
connection on the server's system. The daemon responsible for this
service is /usr/sbin/in.identd. Please look up the man page
ident(8) for more details on this service.
When you install SuSE Linux, not all of these services are enabled by
default. Some of them are not needed on every system, and some deal
with sensitive information, which you probably don't want to broadcast
to the world. By default, only the services telnet,
shell, login, talk,
ntalk, finger, and ident are
enabled.
As pointed out in the introduction to this section, working
configurations for all these services can be found in
/etc/inetd.conf, and all you have to do is to remove the
comment character # from the relevant line to enable the
service. Don't forget to force inetd to reread its configuration
after every change you make by sending it a SIGHUP; otherwise,
your changes will have no effect.
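The enable/disable procedure just described, as an added example in Python that is not part of the book or of SuSE's tooling: it toggles the comment sign on a service's inetd.conf line, lists what inetd would still start, flags the services this chapter advises against (shell, login, telnet), and sends inetd the SIGHUP it needs. The sample configuration is constructed in the inetd.conf field order (service, socket type, protocol, wait flag, user, server, arguments) using the daemon paths named in the chapter; the real file is /etc/inetd.conf.

```python
#!/usr/bin/env python3
"""Toggle inetd services by commenting their /etc/inetd.conf lines.
Added example; SAMPLE_INETD_CONF is constructed, not SuSE's shipped file."""
import os
import re
import signal
import subprocess

SAMPLE_INETD_CONF = """\
# constructed sample: service socket proto wait user server args
echo    stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal
time    stream  tcp     nowait  root    internal
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd     in.rshd -L
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind  in.rlogind
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd -w
"""

# Services the chapter recommends replacing with sshd.
RISKY_SERVICES = ("shell", "login", "telnet")


def set_service(conf_text: str, service: str, enabled: bool) -> str:
    """Return conf_text with the entry for `service` uncommented (enabled=True)
    or commented out (enabled=False). Only the first field is matched, and a
    line that is already in the requested state is left unchanged."""
    pattern = re.compile(rf"^(#\s*)?({re.escape(service)}\s)", re.MULTILINE)

    def repl(m):
        return m.group(2) if enabled else "#" + m.group(2)

    return pattern.sub(repl, conf_text)


def active_services(conf_text: str) -> list:
    """Service names (first field) of the lines inetd would actually start."""
    names = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line.split()[0])
    return names


def audit(conf_text: str) -> list:
    """Active services from RISKY_SERVICES, i.e. what should still be disabled."""
    return [s for s in active_services(conf_text) if s in RISKY_SERVICES]


def reload_inetd() -> bool:
    """inetd rereads its configuration on SIGHUP; without it edits are inert.
    Looks the process up with pidof (Linux); returns True if it was signalled."""
    try:
        result = subprocess.run(["pidof", "inetd"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return False
    pids = result.stdout.split()
    for pid in pids:
        os.kill(int(pid), signal.SIGHUP)
    return bool(pids)


if __name__ == "__main__":
    conf = SAMPLE_INETD_CONF
    print("risky and active:", audit(conf))
    for svc in RISKY_SERVICES:
        conf = set_service(conf, svc, enabled=False)
    print("still active:", active_services(conf))
    # On a real system: write conf back to /etc/inetd.conf, then reload_inetd().
```

Running `audit()` on the live file before and after an edit is the check that the comment sign actually landed on the intended line; `reload_inetd()` returning False means no inetd was found to signal, so the edit is not yet in effect.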

Summary:

Some basic services don't need large configuration files. Their focus
is limited and the command line covers all features.
Some of these services -- especially the login-related ones -- are
possible security risks and should be disabled. The secure shell
daemon sshd is a good and secure replacement for these
services.