10 April 2003, 06:13:07 The Complete FreeBSD (netserver.mm), page 447
25 Basic network access: servers
In this chapter:
• Running servers from inetd
• Configuring ftpd
• Running sshd
• rsyncd
• Setting up a web server
• NFS server
• Samba
In the previous chapter, we saw how to use clients to access other systems. This is only half the picture, of course. At the other end of the link, we need servers to provide this service. For each client, there is a server (a daemon) whose name is usually derived from the client name by adding a d to it:
Table 25-1: Server daemons for basic services
Client      Server
ssh         sshd
telnet      telnetd
sftp        sftp-server
ftp         ftpd
rsync       rsyncd
(browser)   httpd
(NFS)       nfsd
In addition to these servers, we look at a few others in other chapters:
• We’ve already looked at X servers briefly in Chapter 8, Taking control, and we’ll see more in Chapter 28, XFree86 in depth.
• Chapter 21 discussed DNS name servers.
• Chapter 27 discusses Mail Transport Agents or MTAs, also referred to as mail servers.
Some servers don’t need any configuration, and about all you need to do is to start them. Others, like web servers, can be very complicated. None of the complication is related to FreeBSD. For example, the issues involved in configuring apache are the same whether you run it with FreeBSD, NetBSD, Linux or Solaris. There are several good books, each at least the size of this one, on the detailed setup of some of these servers. In this chapter we’ll look at how to get the servers up and running in a basic configuration, and where to turn for more information.
Running servers from inetd
If you look at /etc/services, you’ll find that there are over 800 services available, most of which are only supported on a small number of machines. It’s not always the best idea to start up a daemon for every possible service you may want to offer. IP supplies an alternative: inetd, the Internet daemon, sometimes called a super-server, which listens on multiple ports. When a request arrives on a specific port, inetd starts a daemon specific to the port. For example, FreeBSD supports anonymous ftp, but most people don’t receive enough requests to warrant having the ftp daemon, ftpd, running all the time. Instead, inetd starts an ftpd when a request comes in on port 21.
At startup, inetd reads a configuration file /etc/inetd.conf to determine which ports to monitor and what to do when a message comes in. Here’s an excerpt:
# $FreeBSD: src/etc/inetd.conf,v 1.58 2002/08/09 17:34:13 gordon Exp $
#
# Internet server configuration database
#
#ftp     stream  tcp     nowait  root    /usr/libexec/lukemftpd  ftpd -l -r
#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#shell   stream  tcp6    nowait  root    /usr/libexec/rshd       rshd
#login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#login   stream  tcp6    nowait  root    /usr/libexec/rlogind    rlogind
#exec    stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
#shell   stream  tcp6    nowait  root    /usr/libexec/rshd       rshd
This file has the following format:
• The first column is the service on which inetd should listen. If it starts with a # sign, it’s a comment, and inetd ignores it. You’ll note in this example that all the listed services have been commented out. Unless you run the daemon independently of inetd, a request for one of these services will be rejected with the message:
Unable to connect to remote host: Connection refused
• The next three columns determine the nature of the connection, the protocol to use, and whether inetd should wait for the process to complete before listening for new connections. In the example, all the services are TCP, but there are entries both for tcp (the normal TCP protocol for IP Version 4) and tcp6 (the same service for IP Version 6).
• The next column specifies the user as which the function should be performed.
• The next column is the full pathname of the program (almost always a daemon) to start when a message comes in. Alternatively, it might be the keyword internal, which specifies that inetd should perform the function itself.
• All remaining columns are the parameters to be passed to the daemon.
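As an added illustration (not code from the book), the following Python parses lines in this format and reports which services are active, which run as root, and which of the enabled ones belong to the cleartext r-command and telnet family; the sample file is constructed from the excerpt above with two lines uncommented.

```python
"""Audit an /etc/inetd.conf: which services are live, as whom, and which
speak legacy cleartext protocols. Added example, not from the book."""
from dataclasses import dataclass
from typing import List, Optional

# Services that send credentials in the clear or trust the peer's claimed
# identity (the r-commands and telnet); flagged if enabled.
CLEARTEXT_SERVICES = {"shell", "login", "exec", "telnet"}

@dataclass
class InetdEntry:
    service: str     # first column: service name from /etc/services
    socktype: str    # stream or dgram
    proto: str       # tcp, udp, tcp6, udp6, ...
    wait: str        # wait or nowait
    user: str        # user the daemon runs as
    program: str     # full pathname, or the keyword "internal"
    args: List[str]  # remaining columns: argv passed to the daemon

def parse_inetd_line(line: str) -> Optional[InetdEntry]:
    """Return an entry for an active line; None for comments and blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:
        raise ValueError(f"malformed inetd.conf line: {line!r}")
    return InetdEntry(fields[0], fields[1], fields[2], fields[3],
                      fields[4], fields[5], fields[6:])

def audit_inetd_conf(text: str) -> dict:
    """Summarise the active services and flag the ones worth a second look."""
    entries = [e for e in map(parse_inetd_line, text.splitlines()) if e]
    return {
        "active": [e.service for e in entries],
        "as_root": [e.service for e in entries if e.user == "root"],
        "cleartext": sorted({e.service for e in entries
                             if e.service in CLEARTEXT_SERVICES}),
    }

# Constructed sample: the excerpt above with ftp and login uncommented.
SAMPLE_INETD_CONF = """\
#
# Internet server configuration database
#
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
"""

if __name__ == "__main__":
    print(audit_inetd_conf(SAMPLE_INETD_CONF))
```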
Older versions of UNIX ran inetd as part of the startup procedure. That isn’t always necessary, of course, and for security reasons the default installation of FreeBSD no longer starts it. You can change that by adding the following line to your /etc/rc.conf:
inetd_enable="YES" # Run the network daemon dispatcher (YES/NO).
To enable services in /etc/inetd.conf, it may be enough to remove the comment from the corresponding line. This applies for most of the services in the example above. In some cases, though, you may have to perform additional steps. For example, lukemftpd, an alternative ftpd, and nntpd, the Network News Transfer Protocol daemon, are not part of FreeBSD: they’re in the Ports Collection. Also, nntpd is intended to run as user usenet, which is not in the base system.
The other daemons are not mentioned in /etc/inetd.conf:
• The preferred way to run sshd is at system startup. As we’ll see, the startup is quite slow, so it’s not a good idea to run it from /etc/inetd.conf, though it is possible—see the man page if you really want to.
• sftp-server is the server for sftp. It gets started from sshd.
• httpd, the Apache Web Server, also has quite a long startup phase that makes it impractical to start it from /etc/inetd.conf. Note also that httpd requires a configuration file. We’ll look at that on page 455.
• By contrast, it’s perfectly possible to start rsyncd from inetd. It’s not included in the standard /etc/inetd.conf file because it’s a port. Yes, so are lukemftpd and nntpd. It’s just a little inconsistent. This is the line you need to put in /etc/inetd.conf to start rsyncd:
rsync stream tcp nowait root /usr/local/bin/rsync rsync --daemon
The name rsync is not a typo. rsync and rsyncd are the same thing; it’s the --daemon option that makes rsync run as a daemon.
inetd doesn’t notice alterations to /etc/inetd.conf automatically. After modifying the file, you must send it a SIGHUP signal:
# killall -HUP inetd
You can write -1 instead of -HUP. This causes inetd to re-read /etc/inetd.conf.
Instead of starting daemons via inetd, you can start them at boot time. inetd is convenient for servers that don’t get run very often, but if you make frequent connections, you can save overhead by running the servers continuously. On the other hand, it’s not practical to start rshd, rlogind, rexecd or telnetd at boot time: they’re designed to be started once for each session, and they exit after the first connection closes. We’ll look at starting the other daemons in the following sections, along with their configuration.
Configuring ftpd
Normally you’ll run ftpd from inetd, as we saw above. If you want to run it directly, perform the following steps:
• Add the following line in /etc/rc.local:
echo -n 'starting local daemons:'
# put your local stuff here
echo " ftpd" && ftpd -D
The option -D tells ftpd to run as a daemon. You will possibly want other options as well; see the discussion below.
• Comment out the ftp line in /etc/inetd.conf by adding a hash mark (#) in front of it:
# ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
• Either reboot, or cause inetd to re-read its configuration file:
# killall -1 inetd          (send a SIGHUP)
If you don’t perform this step, inetd keeps the ftp port open, and ftpd can’t run.
For security reasons, you will probably want to add options such as logging and anonymous ftp. We’ll look at how to do that in the next two sections.
anonymous ftp
Anonymous ftp gives you a couple of security options:
• It restricts access to the home directory of user ftp. From the point of view of the remote user, ftp’s home directory is the root directory, and he cannot access any files outside this directory. Note that this means that you can’t use symbolic links outside the ftp directory, either.
• It restricts access to the machine generally: the user doesn’t learn any passwords, so he has no other access to the machine.
In addition, you can start ftpd in such a manner that it will allow only anonymous ftp connections.
There are a number of preparations for anonymous ftp:
• Decide on a directory for storing anonymous ftp files. The location will depend on the amount of data you propose to store there. By default, it’s /var/spool/ftp.
• Create a user ftp, with the anonymous ftp directory as the home directory and the shell /dev/null. Using /dev/null as the shell makes it impossible to log in as user ftp, but does not interfere with the use of anonymous ftp. ftp can be a member of group bin or you can create a new group ftp by adding the group to /etc/group. See page 145 for more details of adding users, and the man page group(5) for adding groups.
• Create subdirectories ~ftp/bin and ~ftp/pub. It is also possible to create a directory for incoming data. By convention its name is ~ftp/incoming. This is a very bad idea if you’re connected to the global Internet: it won’t be long before people start using your system as a server for illicit data. Only use this option if you have some other method of stopping unauthorized access.
Set the ownership of the directories like this:
dr-xr-xr-x   2 ftp  ftp   512 Feb 28 12:57 bin
drwxrwxrwx   2 ftp  ftp   512 Oct  7 05:55 incoming
drwxrwxr-x  20 ftp  ftp   512 Jun  3 14:03 pub
This enables read access to the pub directory and read-write access to the incoming subdirectory.
• If you have a lot of files that are accessed relatively infrequently, it’s possible you will find people on the Net who copy all the files that they see in the directory. Sometimes you’ll find multiple connections from one system copying all the files in parallel, which can cause bandwidth problems. In some cases, you might find it more appropriate to distribute the names individually, and to limit access to reading the directories. You can do this by setting the permissions of pub and its subdirectories like this:
d--x--x--x  20 ftp  ftp   512 Jun  3 14:03 pub
This allows access to the files, but not to the directory, so the remote user can’t find the names of the files in the directory.
• Copy the following files to ~ftp/bin: /usr/bin/compress, /usr/bin/gzip, /usr/bin/gunzip, /bin/ls, /usr/bin/tar and /usr/bin/uncompress. The view of anonymous ftp users is restricted to the home directory, so all programs that are to be executed must also be in this directory. You can (“hard”) link the files if you want (and if the directory is on the same file system), but symbolic links will fail, since they contain path names that do not point to the correct place when running in the anonymous ftp environment.
Restricting access and logging
A number of ftpd options make it easier to control and monitor ftp access:
• The -l option logs each session, whether successful or not, to syslogd with the facility LOG_FTP. To enable this logging, your /etc/syslog.conf should contain a line like
ftp.* /var/log/ftpd
In addition, the file /var/log/ftpd must exist. If it doesn’t, create it with:
# touch /var/log/ftpd
The -l option has two levels: if you specify it once, it logs connections only. If you specify it twice, it also lists the files that are transferred.
• The -S option logs all anonymous transfers to the file /var/log/ftpd.
• You can restrict access to only anonymous ftp with the -A option.
There are a number of other options; see the man page ftpd(8) for further details.
In addition to these options, when a real user establishes a connection, ftpd checks the user’s shell. If it is not listed in /etc/shells, ftpd will deny the connection. This can be useful if you don’t want specific users to access the system: give them a different shell, such as /usr/bin/sh instead of /bin/sh, and ensure that /usr/bin/sh is not in /etc/shells.
Log file format
The format of the log files is a little unusual. You’ll see things like:
Oct 12 16:32:04 freebie ftpd[8691]: ANONYMOUS FTP LOGIN FROM adam.adonai.net, leec@adonainet
Oct 12 18:33:32 freebie ftpd[9007]: connection from gateway.smith.net.au
Oct 12 18:33:37 freebie ftpd[9007]: ANONYMOUS FTP LOGIN FROM gateway.smith.net.au, mike
Oct 12 21:36:28 freebie ftpd[9369]: connection from grisu.bik-gmbh.de
Oct 12 21:36:29 freebie ftpd[9369]: ANONYMOUS FTP LOGIN FROM grisu.bik-gmbh.de, harvest@
Oct 12 21:36:37 1997!harvest@!grisu.bik-gmbh.de!/pub/cfbsd/README!9228!1
Oct 12 21:37:05 freebie ftpd[9371]: connection from grisu.bik-gmbh.de
Oct 12 21:37:06 freebie ftpd[9371]: ANONYMOUS FTP LOGIN FROM grisu.bik-gmbh.de, harvest@
Oct 13 09:38:19 freebie ftpd[13514]: connection from 151.197.101.46
Oct 13 09:38:21 freebie ftpd[13514]: ANONYMOUS FTP LOGIN FROM 151.197.101.46, bmc@hovercraft.willscreek.com
Oct 13 09:38:58 1997!!151.197.101.46!/pub/cfbsd/dear-reviewer!8890!1
Oct 13 09:41:42 1997!!151.197.101.46!/pub/cfbsd/txt/26-netdebug.txt.gz!12188!1
Oct 13 09:42:05 1997!!151.197.101.46!/pub/cfbsd/txt/C-packages.txt.gz!37951!1
Oct 13 09:59:07 freebie ftpd[14117]: connection from 151.197.101.46
Oct 13 09:59:08 freebie ftpd[14117]: ANONYMOUS FTP LOGIN FROM 151.197.101.46, bmc@hovercraft.willscreek.com
Oct 13 09:59:24 1997!!151.197.101.46!/pub/cfbsd/txt/D-biblio.txt.gz!1815!1
This log excerpt shows three kinds of message:
• The messages starting with the text connection from occur when an ftp connection is made. They don’t mean that any permission to access has been given. These messages are logged by the -l option.
• The ANONYMOUS FTP LOGIN messages show that somebody has logged in anonymously. The name follows, not always in the required username format. The standard ftpd does not enforce this requirement; you may find something that does in the Ports Collection. These messages are logged by the -S option.
• The lines full of ! marks show files being transferred. The ! marks delimit the fields, which are:
  • The year, as an extension of the timestamp.
  • The user ID.
  • The IP address of the system to which the data is transferred.
  • The name of the file transferred.
  • The number of bytes transferred.
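An added example, not from the book: a small parser for the three message kinds and a per-host tally of connections, anonymous logins and bytes transferred, run over lines taken from the excerpt above. The final numeric field of the transfer lines is not described here, so the parser keeps it verbatim as trailer.

```python
"""Parse ftpd log lines (the -l and -S output shown above) and summarise
them per client. Added example, not from the book; the trailing numeric
field of the transfer lines is not described there and is kept verbatim."""
import re
from collections import defaultdict

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
CONN_RE = re.compile(TS + r" \S+ ftpd\[(\d+)\]: connection from (\S+)$")
ANON_RE = re.compile(TS + r" \S+ ftpd\[(\d+)\]: ANONYMOUS FTP LOGIN FROM ([^,]+), ?(.*)$")
XFER_RE = re.compile(TS + r" (\d{4}(?:![^!]*){5})$")  # year + five !-fields

def parse_ftpd_line(line: str) -> dict:
    """Classify one log line into connection, anon_login or transfer."""
    m = CONN_RE.match(line)
    if m:
        return {"kind": "connection", "time": m.group(1),
                "pid": int(m.group(2)), "host": m.group(3)}
    m = ANON_RE.match(line)
    if m:
        return {"kind": "anon_login", "time": m.group(1),
                "pid": int(m.group(2)), "host": m.group(3), "name": m.group(4)}
    m = XFER_RE.match(line)
    if m:
        year, user, host, path, size, trailer = m.group(2).split("!")
        return {"kind": "transfer", "time": f"{m.group(1)} {year}",
                "user": user, "host": host, "path": path,
                "bytes": int(size), "trailer": trailer}
    raise ValueError(f"unrecognised ftpd log line: {line!r}")

def summarise(lines) -> dict:
    """Per-host totals: connections, anonymous logins, files and bytes sent."""
    stats = defaultdict(lambda: {"connections": 0, "anon_logins": 0,
                                 "files": 0, "bytes": 0})
    for ev in map(parse_ftpd_line, lines):
        host = stats[ev["host"]]
        if ev["kind"] == "connection":
            host["connections"] += 1
        elif ev["kind"] == "anon_login":
            host["anon_logins"] += 1
        else:
            host["files"] += 1
            host["bytes"] += ev["bytes"]
    return dict(stats)

# Sample lines taken from the log excerpt above.
SAMPLE_LOG = [
    "Oct 12 21:36:28 freebie ftpd[9369]: connection from grisu.bik-gmbh.de",
    "Oct 12 21:36:29 freebie ftpd[9369]: ANONYMOUS FTP LOGIN FROM grisu.bik-gmbh.de, harvest@",
    "Oct 12 21:36:37 1997!harvest@!grisu.bik-gmbh.de!/pub/cfbsd/README!9228!1",
    "Oct 13 09:38:19 freebie ftpd[13514]: connection from 151.197.101.46",
    "Oct 13 09:38:21 freebie ftpd[13514]: ANONYMOUS FTP LOGIN FROM 151.197.101.46, bmc@hovercraft.willscreek.com",
    "Oct 13 09:38:58 1997!!151.197.101.46!/pub/cfbsd/dear-reviewer!8890!1",
    "Oct 13 09:41:42 1997!!151.197.101.46!/pub/cfbsd/txt/26-netdebug.txt.gz!12188!1",
]

if __name__ == "__main__":
    for host, totals in summarise(SAMPLE_LOG).items():
        print(host, totals)
```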
Running sshd
Normally you start sshd from the system configuration file /etc/rc.conf:
sshd_enable="YES" # Enable sshd
That’s all you need to do for sshd. You can also start it simply with:
# sshd
sshd reads a configuration file /etc/ssh/sshd_config. Like its companion /etc/ssh/ssh_config, it contains mainly commented-out lines showing the default values. Most of them don’t require change, but the following entries may be of interest:
• Protocol states which ssh protocols to use, and in which order. By default, sshd tries protocol 2 first, and falls back to protocol 1 if protocol 2 fails. You might consider setting it to use only protocol 2.
• When PermitRootLogin is set to yes, you can log in as root via ssh. Normally it’s disabled.
• Set PasswordAuthentication to no if you want all access to be via key exchange (see page 420 for more details).
• If you want to run sftp-server, add the following line to /etc/ssh/sshd_config:
Subsystem sftp /usr/libexec/sftp-server
It should be present by default.
rsyncd
As we’ve seen, rsyncd is just another name for rsync. You don’t need to do any specific configuration to start it: it gets started from sshd, so all you need to do is to ensure that sshd gets started.
Starting rsyncd isn’t enough, though: it needs configuration. Create a file /usr/local/etc/rsyncd.conf with contents something like this:
motd file = /usr/local/etc/rsyncd.txt
log file = /var/log/rsyncd.log
transfer logging = true
[groggy]
path = /home/grog/public_html
uid = grog
read only = yes
list = yes
comment = Greg's web pages
hosts allow = 223.147.37.0/24
[tivo]
path = /var/tivo
uid = grog
read only = no
list = yes
comment = TiVo staging area
hosts allow = tivo.example.org
This is the configuration file used in the server examples in Chapter 24. It consists of two parts: a global part at the beginning, with settings that apply to all modules, and one or more module parts describing files that the server will supply.
The global options here specify the motd file, a file whose contents are printed when you list modules (the “be gentle” message in the examples), and that transfers should be logged to /var/log/rsyncd.log. The log output looks something like this:
2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () slashdot/topicscience.gif 1083
2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () slashdot/topicsecurity.gif 3034
2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () slashdot/topictv.jpg 951
2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () slide.pdf 40470
2002/10/24 13:31:49 [16398] send presto.example.org [192.109.197.74] groggy () stockwhip.html 1602
The next part of the configuration file describes modules, directory hierarchies that rsyncd makes available. If you’re used to Microsoft-style configuration files, this will seem relatively familiar. The module names are enclosed in square brackets ([]), and they don’t have to have any relationship with the name of the directory. In this case we have two modules. Both have a comment, a descriptive text printed out when you list the modules, and both allow listing the name of the module (list = yes). In addition:
• Module groggy makes available the directory /home/grog/public_html, my web pages, for read-only access. rsyncd accesses the module as user grog. Any host on the 256 address block starting with 223.147.37.0 can access the data.
• Module tivo makes available the directory /var/tivo for read-write access, but only to the host tivo.example.org. Again rsyncd accesses the data as user grog.
There are a large number of other options for rsyncd, but this example shows the most important ones. See the man page rsyncd.conf(5) for more information.
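To show how a module's hosts allow and read only settings combine, here is an added Python example (not from the book or from rsync) that parses a file in this format, decides whether a given client may reach a module, and lists writable modules that no hosts allow line restricts. The sample adds a constructed [upload] module to the configuration above, and the matching handles only IP addresses, CIDR prefixes and exact hostnames.

```python
"""Parse an rsyncd.conf and audit its modules. Added example, not from the book or
rsync; 'hosts allow' matching covers only IPs, CIDR prefixes and exact hostnames."""
import ipaddress

TRUE_VALUES = {"yes", "true", "1"}

def parse_rsyncd_conf(text: str) -> dict:
    """Return {"": global options, module name: module options, ...}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
        else:
            raise ValueError(f"unparseable rsyncd.conf line: {raw!r}")
    return sections

def host_allowed(module: dict, client_ip: str, client_name: str = "") -> bool:
    """Apply a module's 'hosts allow' list; no list means everyone is allowed."""
    allow = module.get("hosts allow")
    if allow is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    for pattern in allow.replace(",", " ").split():
        if pattern == client_name:
            return True
        try:
            if addr in ipaddress.ip_network(pattern, strict=False):
                return True
        except ValueError:
            pass  # a hostname pattern that did not match the client's name
    return False

def writable_modules_open_to_all(conf: dict) -> list:
    """Modules that accept writes but carry no 'hosts allow' restriction."""
    return sorted(name for name, opts in conf.items() if name
                  and opts.get("read only", "yes").lower() not in TRUE_VALUES
                  and "hosts allow" not in opts)

# The configuration shown above plus a constructed [upload] module.
SAMPLE_CONF = """\
log file = /var/log/rsyncd.log
[groggy]
path = /home/grog/public_html
read only = yes
hosts allow = 223.147.37.0/24
[tivo]
path = /var/tivo
read only = no
hosts allow = tivo.example.org
[upload]
path = /var/upload
read only = no
"""
```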
Setting up a web server
FreeBSD is a system of choice for running web servers, so it’s not surprising that a large number are available. Probably the most popular is apache, which is available in the Ports Collection. Install with:
# cd /usr/ports/www/apache13
# make install
In future versions, the name apache13 will change. Apache comes with a lot of documentation in HTML format (of course), which is installed in /usr/local/share/doc/apache/manual. You might find it useful to put a symbolic link to it in your web home directory:
# cd /usr/local/www/data
# ln -s /usr/local/share/doc/apache/manual apachedoc
After this, you can access the documentation at (for example) mple.org/apachedoc/.
Configuring apache
The Apache port uses the following directories:
• The configuration files are in the directory hierarchy /usr/local/etc/apache. The port installs prototype configuration files, but they need to be modified.
• By default, the web pages are in /usr/local/www/data. This is the “root” directory for the web pages: the file /usr/local/www/data/foo.html on www.example.org will have the URL may find it a good idea to change the directory to the /var file system in a location such as /var/www/data. We’ll look at how to do that with the DocumentRoot entry in the configuration file.