646 Part VIII: Local Services

used for the link name is 91. The link name will be S91apache. Be sure to include the sudo command.

sudo update-rc.d apache start 91 5 .

The stop number is always 100 minus the start number. So the stop number for a service with a start number of 91 would be 09:

sudo update-rc.d apache stop 09 6 .

The start and stop options can be combined, like so:

update-rc.d apache start 99 5 . stop 09 6 .

A defaults option will start and stop the service at predetermined runlevels. This option can be used to set standard start and stop links for all runlevels. Startup links will be set in runlevels 2, 3, 4, and 5. Stop entries are set in runlevels 0, 1, and 6.

update-rc.d apache defaults

The following command performs the same operation using the stop and start options:

update-rc.d apache start 99 2 3 4 5 . stop 09 0 1 6 .

The multiuser option will start entries at 2, 3, 4, and 5 and stop them at 1:

update-rc.d apache multiuser

To remove a service, you use the remove option. The links will not be removed if the service script is still present in the init.d directory. Use the -f option to force removal of the links without having to remove the service script. The following removes all web service startup and shutdown entries from all runlevels:

update-rc.d -f apache remove

To turn off a service at a given runlevel where it is already turned on, you first have to remove all its runlevel links and then add in the links you want. So, to turn off the Apache server at runlevel 3, but still have it turned on at runlevels 2, 4, and 5, you would use the following commands:

update-rc.d -f apache remove
update-rc.d apache start 99 2 4 5 . stop 09 0 1 3 6 .

Keep in mind that the remove option removes all stop links as well as start ones, so you have to restore the stop links for 0, 1, and 6.

TIP On Debian and Ubuntu you can use file-rc instead of sysv-rc. The file-rc tool uses a single configuration file instead of links in separate runlevel directories.
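The link rules just described (S links in the start runlevels, K links everywhere else, K number equal to 100 minus the S number) can be checked mechanically before and after running update-rc.d. The script below is an added example, not part of the book: it audits the rcN.d links of a service under a root directory and composes the update-rc.d line for a wanted set of start runlevels. The directory tree it inspects is constructed in a temporary directory, so it never touches the real /etc; the apache and cups link names in that tree are illustrative.

```shell
#!/bin/sh
# Added example (not from the book): audit the SysV runlevel links of a service
# under a given root, and build the update-rc.d command that would produce a
# wanted set of start runlevels. The root is a constructed directory tree, so
# nothing here touches the real /etc or runs update-rc.d.
set -eu

# Build a throwaway tree equivalent to
#   update-rc.d apache start 91 2 4 5 . stop 09 0 1 3 6 .
# plus a deliberately inconsistent cups pair (S70 in rc2.d, K20 in rc6.d).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d"
    : > "$root/etc/init.d/apache"
    for rl in 0 1 2 3 4 5 6; do mkdir -p "$root/etc/rc$rl.d"; done
    for rl in 2 4 5;   do ln -s ../init.d/apache "$root/etc/rc$rl.d/S91apache"; done
    for rl in 0 1 3 6; do ln -s ../init.d/apache "$root/etc/rc$rl.d/K09apache"; done
    ln -s ../init.d/cups "$root/etc/rc2.d/S70cups"
    ln -s ../init.d/cups "$root/etc/rc6.d/K20cups"
    printf '%s\n' "$root"
}

# Print "runlevel kind number" for every S or K link of a service.
service_links() {   # $1 = root, $2 = service name
    for rl in 0 1 2 3 4 5 6; do
        for link in "$1/etc/rc$rl.d/S"??"$2" "$1/etc/rc$rl.d/K"??"$2"; do
            [ -L "$link" ] || continue        # an unmatched glob pattern is skipped
            name=${link##*/}
            rest=${name#?}                    # drop the leading S or K
            printf '%s %s %s\n' "$rl" "${name%"$rest"}" "${rest%"$2"}"
        done
    done
}

# Space-separated runlevels that hold a link of the given kind (S or K).
runlevels_with() {   # $1 = root, $2 = service, $3 = S or K
    service_links "$1" "$2" | awk -v k="$3" '
        $2 == k { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

# Exit 0 if every K number equals 100 minus the S number; otherwise report and exit 1.
check_stop_numbers() {   # $1 = root, $2 = service
    service_links "$1" "$2" | awk '
        $2 == "S" { start = $3 + 0 }
        $2 == "K" { stop[$1] = $3 + 0 }
        END {
            bad = 0
            for (rl in stop)
                if (stop[rl] != 100 - start) {
                    printf "runlevel %s: K%02d is not 100 - S%02d\n", rl, stop[rl], start
                    bad = 1
                }
            exit bad
        }'
}

# Compose the update-rc.d line for a start number and the runlevels that should
# start the service; every other runlevel 0-6 gets a stop link numbered 100 - start.
update_rc_command() {   # $1 = service, $2 = start number, $3 = start runlevels, e.g. "2 4 5"
    stop=$(printf '%02d' $((100 - $2)))
    stops=""
    for rl in 0 1 2 3 4 5 6; do
        case " $3 " in *" $rl "*) ;; *) stops="$stops $rl" ;; esac
    done
    printf 'update-rc.d %s start %s %s . stop %s%s .\n' "$1" "$2" "$3" "$stop" "$stops"
}

# Run with the argument "demo" to see the audit on the constructed tree.
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    for svc in apache cups; do
        printf '%s starts in: %s\n' "$svc" "$(runlevels_with "$root" "$svc" S)"
        check_stop_numbers "$root" "$svc" || true
    done
    update_rc_command apache 91 "2 4 5"
fi
```

Pointing `service_links` at `/` instead of the constructed root audits a real system; the cups pair in the sample shows what a mismatch report looks like.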
PART VIII Chapter 28: Managing Services 647

Extended Internet Services Daemon (xinetd)

If your system averages only a few requests for a specific service, you don’t need the server for that service to run all the time. You need it only when a remote user is accessing its service. The extended Internet services daemon (xinetd) manages Internet servers, invoking them only when your system receives a request for their services. xinetd checks continuously for any requests by remote users for a particular Internet service; when it receives a request, it starts the appropriate server daemon.

The xinetd program is designed to be a replacement for inetd, providing security enhancements, logging support, and even user notifications. For example, with xinetd you can send banner notices to users when they are not able to access a service, telling them why. xinetd’s security capabilities can be used to prevent denial-of-service attacks by limiting the simultaneous connections from remote hosts or restricting the rate of incoming connections. xinetd also incorporates TCP wrappers, providing TCP wrapper security without the need to invoke the tcpd daemon. Furthermore, you do not have to have a service listed in the /etc/services file: xinetd can be set up to start any kind of special-purpose server.

Some services on Ubuntu are still configured to use inetd, such as the SWAT configuration tool for CUPS print servers. These will use the openbsd-inetd package. The xinetd and openbsd-inetd packages are incompatible, so you must use one or the other. The inetd daemon uses the /etc/inetd.conf configuration file; its init script is /etc/init.d/openbsd-inetd.

xinetd and inetd Servers

To start a server only when a request for its services is received, you configure it using the xinetd or the older inetd daemon. If you add, change, or delete server entries in the /etc/xinetd files, you will have to restart the xinetd daemon before these changes can take effect.
On distributions that support System V init scripts, you can restart the xinetd daemon using the /etc/init.d/xinetd script with the restart argument, as shown here:

sudo /etc/init.d/xinetd restart

You can also use the xinetd script to start and stop the xinetd daemon. Stopping effectively shuts down all the servers that the xinetd daemon manages (those listed in the /etc/xinetd.conf file or the xinetd.d directory):

sudo /etc/init.d/xinetd stop
sudo /etc/init.d/xinetd start

For inetd, you would use the openbsd-inetd script:

sudo /etc/init.d/openbsd-inetd restart

You can also restart xinetd directly by signaling its process. To do this, you use the killall command with the -HUP signal and the name xinetd:

killall -HUP xinetd

xinetd Configuration: xinetd.conf

The xinetd.conf file contains settings for your xinetd server, such as logging and security attributes (see Table 28-4 later in this chapter for a listing of attributes). This file can also contain server configuration entries, or they may be placed into separate configuration files located in the /etc/xinetd.d directory. The includedir attribute specifies this directory:

includedir /etc/xinetd.d

Logging xinetd Services

You can add a variety of other attributes, such as logging information about connections and server priority (nice). In the following example, the log_on_success attribute logs the duration (DURATION) and the user ID (USERID) for connections to a service.
log_on_failure logs the users that failed to connect, and nice sets the priority of the service to 10:

log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10

The attributes defined in the defaults block often set global attributes such as default logging activity and security restrictions: log_type specifies where logging information is to be sent, such as to a specific file (FILE) or to the system logger (SYSLOG); log_on_failure specifies the information to be logged when connections fail; and log_on_success specifies the information to be logged when connections are made:

log_type = SYSLOG daemon info
log_on_failure = HOST
log_on_success = PID HOST EXIT

xinetd Network Security

For security restrictions, you can use only_from to restrict access to certain remote hosts. The no_access attribute denies access from the listed hosts, but no others. These controls take IP addresses as their values. You can list individual IP addresses, a range of IP addresses, or a network, using the network address. The instances attribute limits the number of server processes that can be active at once for a particular service. The following examples restrict access to the local network 192.168.1.0 and the localhost, deny access from 192.168.1.15, and use the instances attribute to limit the number of server processes at one time to 60:

only_from = 192.168.1.0
only_from = localhost
no_access = 192.168.1.15
instances = 60

The xinetd program also provides several internal services, including services, servers, and xadmin. services provides a list of currently active services, and servers provides information about servers; xadmin provides xinetd administrative support.

xinetd Service Configuration Files: /etc/xinetd.d Directory

Instead of having one large xinetd.conf file for all services, the service configurations are split into several configuration files, one for each service.
The directory is specified in the xinetd.conf file with an includedir option. The xinetd.d directory holds xinetd configuration files for services such as SWAT. This approach has the advantage of letting you add services by creating a new configuration file for them. Modifying a service involves editing only its configuration file, not the entire xinetd.conf file.

Configuring Services: xinetd Attributes

Entries in an xinetd service file define the server to be activated when requested, along with any options and security precautions. An entry consists of a block of attributes defined for different features, such as the name of the server program, the protocol used, and security restrictions. Each block for an Internet service such as a server is preceded by the keyword service and the name by which you want to identify the service. A pair of braces encloses the block of attributes. Each attribute entry begins with the attribute name, followed by an assignment operator, such as =, and then the value or values assigned. A special block specified by the keyword defaults contains default attributes for services. The syntax is shown here:

service <service_name>
{
    <attribute> <assign_op> <value> <value>
}

Most attributes take a single value, for which you use the standard assignment operator, =. Some attributes can take a list of values. You can assign values with the = operator, but you can also add or remove items from these lists with the += and -= operators. Use += to add values and -= to remove values. You often use the += and -= operators to add values to attributes that may have an initial value assigned in the defaults block. Certain attributes are required for a service. These include socket_type and wait. For a standard Internet service, you also need to provide the user (user ID for the service), the server (name of the server program), and the protocol (protocol used by the server).
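The block syntax, the defaults block, and the =, += and -= operators described above, together with the only_from and no_access restrictions from the preceding section, are enough to write a small audit of an xinetd configuration. The script below is an added example, not part of the book or of xinetd: it parses a constructed xinetd.conf plus xinetd.d directory (created in a temporary directory, with illustrative service names and addresses), computes each service's effective attribute values, and lists the enabled services that carry no only_from or no_access restriction at all.

```shell
#!/bin/sh
# Added example (not from the book): parse xinetd service files using the block
# syntax from the text, apply the defaults block and the =, += and -= operators,
# and report enabled services with neither only_from nor no_access set.
# The configuration is constructed here in a temporary directory.
set -eu

make_sample_config() {
    dir=$(mktemp -d)
    mkdir "$dir/xinetd.d"
    cat > "$dir/xinetd.conf" <<'EOF'
defaults
{
    log_type        = SYSLOG daemon info
    log_on_failure  = HOST
    log_on_success  = PID HOST EXIT
    instances       = 60
}
EOF
    cat > "$dir/xinetd.d/tftp" <<'EOF'
# default: off
service tftp
{
    socket_type     = dgram
    protocol        = udp
    wait            = yes
    user            = root
    server          = /usr/sbin/in.tftpd
    log_on_success  += DURATION USERID
    disable         = yes
}
EOF
    cat > "$dir/xinetd.d/swat" <<'EOF'
service swat
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/swat
    only_from       = 192.168.1.0 localhost
    no_access       = 192.168.1.15
    disable         = no
}
EOF
    cat > "$dir/xinetd.d/ftp" <<'EOF'
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    log_on_success  -= EXIT
    disable         = no
}
EOF
    printf '%s\n' "$dir"
}

# One tab-separated "service attribute value" line per effective attribute,
# reading xinetd.conf first and then every file in xinetd.d (as includedir would).
effective_attrs() {   # $1 = config directory
    cat "$1/xinetd.conf" "$1/xinetd.d"/* | awk '
        # Remove every word of "items" from the space-separated "list" (the -= operator).
        function drop_items(list, items,    a, b, n, m, i, j, keep, out) {
            n = split(list, a, " "); m = split(items, b, " "); out = ""
            for (i = 1; i <= n; i++) {
                keep = 1
                for (j = 1; j <= m; j++) if (a[i] == b[j]) keep = 0
                if (keep) out = out (out == "" ? "" : " ") a[i]
            }
            return out
        }
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "defaults" { block = "defaults"; next }
        $1 == "service"  { block = $2; svc[$2] = 1; next }
        $1 == "{" || $1 == "}" { if ($1 == "}") block = ""; next }
        block != "" && $2 ~ /^(=|\+=|-=)$/ {
            attr = $1; op = $2; val = ""
            for (i = 3; i <= NF; i++) val = val (val == "" ? "" : " ") $i
            if (block == "defaults") { def[attr] = val; next }
            # a service starts from the default value, if any, then applies its operator
            if (!((block, attr) in cur)) cur[block, attr] = (attr in def) ? def[attr] : ""
            if (op == "=")       cur[block, attr] = val
            else if (op == "+=") cur[block, attr] = (cur[block, attr] == "" ? val : cur[block, attr] " " val)
            else                 cur[block, attr] = drop_items(cur[block, attr], val)
        }
        END {
            for (s in svc) {
                for (attr in def) if (!((s, attr) in cur)) cur[s, attr] = def[attr]
                for (key in cur) { split(key, p, SUBSEP); if (p[1] == s) print s "\t" p[2] "\t" cur[key] }
            }
        }' | sort
}

# Effective value of one attribute for one service (empty if unset).
attr_of() {   # $1 = config directory, $2 = service, $3 = attribute
    effective_attrs "$1" | awk -F '\t' -v s="$2" -v a="$3" '$1 == s && $2 == a { print $3; exit }'
}

# Enabled services (disable is not yes) that define neither only_from nor no_access.
unrestricted_services() {   # $1 = config directory
    effective_attrs "$1" | awk -F '\t' '
        { seen[$1] = 1; v[$1, $2] = $3 }
        END {
            for (s in seen) {
                if (v[s, "disable"] == "yes") continue
                if ((s, "only_from") in v || (s, "no_access") in v) continue
                print s
            }
        }' | sort
}
```

On the constructed configuration, `unrestricted_services` names only ftp: tftp is disabled and swat is limited by only_from and no_access. Pointing the functions at a directory holding a real xinetd.conf and xinetd.d gives the same report for a live system.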
With server_args, you can also list any arguments you want passed to the server program (this does not include the server name). If protocol is not defined, the default protocol for the service is used. Attributes are listed in Table 28-4.

Disabling and Enabling xinetd Services

You can turn services on or off manually by editing their xinetd configuration file. Services are turned on and off with the disable attribute in their configuration file. To enable a service, you set the disable attribute to no, as shown here:

disable = no

You then have to restart xinetd to start the service:

# /etc/init.d/xinetd restart

Attribute        Description
id               Identifies a service. By default, the service ID is the same as the service name.
type             Type of service: RPC, INTERNAL (provided by xinetd), or UNLISTED (not listed in a standard system file).
flags            Possible flags include REUSE, INTERCEPT, NORETRY, IDONLY, NAMEINARGS (allows use of tcpd), NODELAY, and DISABLE (disables the service). See the xinetd.conf man page for more details.
disable          Specify yes to disable the service.
socket_type      Specify stream for a stream-based service, dgram for a datagram-based service, raw for a service that requires direct access to IP, and seqpacket for reliable sequential datagram transmission.
protocol         Specifies a protocol for the service. The protocol must exist in /etc/protocols. If this attribute is not defined, the default protocol employed by the service will be used.
wait             Specifies whether the service is single-threaded or multithreaded (yes or no). If yes, the service is single-threaded, which means that xinetd will start the server and then stop handling requests for the service until the server stops. If no, the service is multithreaded and xinetd will continue to handle new requests for it.
user             Specifies the user ID (UID) for the server process. The username must exist in /etc/passwd.
group            Specifies the group ID (GID) for the server process.
                 The group name must exist in /etc/group.
instances        Specifies the number of server processes that can be simultaneously active for a service.
nice             Specifies the server priority.
server           Specifies the program to execute for this service.
server_args      Lists the arguments passed to the server. This does not include the server name.
only_from        Controls the remote hosts to which the particular service is available. Its value is a list of IP addresses. With no value, service is denied to all remote hosts.
no_access        Controls the remote hosts to which the particular service is unavailable.
access_times     Specifies the time intervals when the service is available. An interval has the form hour:min-hour:min.
log_type         Specifies where the output of the service log is sent, either the syslog facility (SYSLOG) or a file (FILE).
log_on_success   Specifies the information that is logged when a server starts and stops. Information you can specify includes PID (server process ID), HOST (the remote host address), USERID (the remote user), EXIT (exit status and termination signal), and DURATION (duration of a service session).
log_on_failure   Specifies the information that is logged when a server cannot be started. Information you can specify includes HOST (the remote host address), USERID (user ID of the remote user), ATTEMPT (logs a failed attempt), and RECORD (records information from the remote host to allow monitoring of attempts to access the server).
TABLE 28-4 Attributes for xinetd

If you want to turn on a service that is off by default, you can set its disable attribute to no and restart xinetd. The entry for the TFTP server, tftpd, is shown here.
An initial comment tells you that it is off by default, but then the disable attribute turns it on:

service tftp
{
    socket_type  = dgram
    protocol     = udp
    wait         = yes
    user         = root
    server       = /usr/sbin/in.tftpd
    server_args  = -s /tftpboot
    disable      = yes
    per_source   = 11
    cps          = 100 2
    flags        = IPv4
}

Attribute        Description
rpc_version      Specifies the RPC version for an RPC service.
rpc_number       Specifies the number for an UNLISTED RPC service.
env              Defines environment variables for a service.
passenv          The list of environment variables from xinetd’s environment that will be passed to the server.
port             Specifies the service port.
redirect         Allows a TCP service to be redirected to another host.
bind             Allows a service to be bound to a specific interface on the machine.
interface        Synonym for bind.
banner           The name of a file to be displayed for a remote host when a connection to that service is established.
banner_success   The name of a file to be displayed at the remote host when a connection to that service is granted.
banner_fail      The name of a file to be displayed at the remote host when a connection to that service is denied.
groups           Allows access to groups the service has access to (yes or no).
enabled          Specifies the list of service names to enable.
include          Inserts the contents of a specified file as part of the configuration file.
includedir       Takes a directory name in the form includedir /etc/xinetd.d. Every file inside that directory is read sequentially as an xinetd configuration file, combining to form the xinetd configuration.
TABLE 28-4 Attributes for xinetd (continued)

NOTE You can also use xinetd to implement SSH port forwarding, should your system be used to tunnel connections between hosts or services.

TCP Wrappers

TCP wrappers add another level of security to xinetd-managed servers. In effect, the server is wrapped with an intervening level of security, monitoring connections and controlling access.
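The access decision a TCP wrapper makes for each connection can be reproduced offline, which is a convenient way to test a hosts.allow and hosts.deny pair before deploying it. The script below is an added example, not part of the book or of the tcp_wrappers package: it evaluates the service:host entries that this section goes on to describe, in the order documented in hosts_access(5) (hosts.allow is searched first and a match grants access; otherwise hosts.deny is searched and a match denies; otherwise access is granted). The two files are constructed in a temporary directory from the entries used in this section; fox.trek.com and owl.trek.com are made-up hosts, and the third, optional field of an entry is ignored.

```shell
#!/bin/sh
# Added example (not from the book): emulate the decision TCP wrappers make
# from hosts.allow and hosts.deny for one service and one client, following
# the search order documented in hosts_access(5). The two files are
# constructed here; hosts other than those named in the text are made up.
set -eu

make_sample_wrappers() {
    dir=$(mktemp -d)
    cat > "$dir/hosts.allow" <<'EOF'
# service : client list   (a third field, if present, is ignored here)
http:ALL
ALL:pango1.train.com
ftp:rabbit.trek.com
ftp:sparrow.com
ftp:.trek.com EXCEPT fox.trek.com
EOF
    cat > "$dir/hosts.deny" <<'EOF'
ftp:ALL
ALL:192.168.1.15
EOF
    printf '%s\n' "$dir"
}

# Exit 0 if some line of the file matches both the service and the client.
match_in_file() {   # $1 = file, $2 = service, $3 = client host name or address
    awk -F: -v svc="$2" -v client="$3" '
        # One pattern against one name: ALL, LOCAL (no dot in the name),
        # a leading-dot domain suffix, a trailing-dot address prefix, or an exact match.
        function item_matches(pat, name) {
            if (pat == "ALL") return 1
            if (pat == "LOCAL") return index(name, ".") == 0
            if (pat ~ /^\./) return substr(name, length(name) - length(pat) + 1) == pat
            if (pat ~ /\.$/) return index(name, pat) == 1
            return pat == name
        }
        # "a b EXCEPT c d" matches when any of a, b matches and none of c, d does.
        function list_matches(list, name,    parts, n, i, inexcept, hit) {
            gsub(/,/, " ", list)
            n = split(list, parts, /[ \t]+/); inexcept = 0; hit = 0
            for (i = 1; i <= n; i++) {
                if (parts[i] == "") continue
                if (parts[i] == "EXCEPT") { inexcept = 1; continue }
                if (inexcept) { if (item_matches(parts[i], name)) return 0 }
                else if (item_matches(parts[i], name)) hit = 1
            }
            return hit
        }
        /^[ \t]*#/ || NF < 2 { next }
        list_matches($1, svc) && list_matches($2, client) { found = NR; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the decision and where it came from; exit 0 to allow, 1 to deny.
tcpwrap_decide() {   # $1 = hosts.allow, $2 = hosts.deny, $3 = service, $4 = client
    if match_in_file "$1" "$3" "$4"; then echo "allow (hosts.allow)"; return 0; fi
    if match_in_file "$2" "$3" "$4"; then echo "deny (hosts.deny)"; return 1; fi
    echo "allow (no match in either file)"; return 0
}

# Run with the argument "demo" to see a few decisions on the constructed files.
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_wrappers)
    for pair in "http 192.168.1.15" "ftp fox.trek.com" "ftp owl.trek.com" "tftp 192.168.1.20"; do
        set -- $pair
        printf '%-5s from %-15s -> ' "$1" "$2"
        tcpwrap_decide "$d/hosts.allow" "$d/hosts.deny" "$1" "$2" || true
    done
fi
```

Two results are worth noticing. Because hosts.allow is searched first, the entry http:ALL lets 192.168.1.15 reach the web service even though hosts.deny lists ALL:192.168.1.15; to admit every host but a few, the exception belongs in the hosts.allow entry itself (http: ALL EXCEPT 192.168.1.15) rather than in hosts.deny. And the EXCEPT entry in hosts.allow shows how a domain-wide grant can carve out a single host, which then falls through to the ftp:ALL line in hosts.deny.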
A server connection made through xinetd is monitored, verifying remote user identities and checking to make sure they are making valid requests. Connections are logged with the syslogd daemon (see Chapter 21) and may be found in syslogd files such as /var/log/secure.

With TCP wrappers, you can also restrict access to your system by remote hosts. Lists of hosts are kept in the hosts.allow and hosts.deny files. Entries in these files have the format service:hostname:domain. The domain is optional. For the service, you can specify a particular service, such as FTP, or you can enter ALL for all services. For the hostname, you can specify a particular host or use a wildcard to match several hosts. For example, ALL will match all hosts. Table 28-5 lists the available wildcards. In the following example, the first entry allows access by all hosts to the web service http. The second entry allows access to all services by the pango1.train.com host. The third and fourth entries allow FTP access to rabbit.trek.com and sparrow.com:

http:ALL
ALL:pango1.train.com
ftp:rabbit.trek.com
ftp:sparrow.com

The hosts.allow file holds hosts to which you allow access. If you want to allow access to all but a few specific hosts, you can specify ALL for a service in the hosts.allow file but list the hosts to which you are denying access in the hosts.deny file. Using IP addresses instead of hostnames is more secure, because hostnames can be compromised through DNS records by spoofing attacks, where an attacker pretends to be another host.

Wildcard    Description
ALL         Matches all hosts or services.
LOCAL       Matches any host specified with just a hostname without a domain name. Used to match hosts in the local domain.
UNKNOWN     Matches any user or host whose name or address is unknown.
KNOWN       Matches any user or host whose name or address is known.
PARANOID    Matches any host whose hostname does not match its IP address.
EXCEPT      An operator that lets you provide exceptions to matches.
            It takes the form list1 EXCEPT list2, where those hosts matched in list1 that are also matched in list2 are excluded.
TABLE 28-5 TCP Wrapper Wildcards

When xinetd receives a request for an FTP service, a TCP wrapper monitors the connection and starts up the in.ftpd server program. By default, all requests are allowed. To allow all requests specifically for the FTP service, you enter the following in your /etc/hosts.allow file:

ftp:ALL

The entry ALL:ALL opens your system to all hosts for all services.

TIP Originally, TCP wrappers were managed by the tcpd daemon. However, xinetd has since integrated support for TCP wrappers into its own program. You can explicitly invoke the tcpd daemon to handle services if you wish. The tcpd man pages (man tcpd) provide more detailed information about tcpd.

Chapter 29: Print, News, and Database Services

Print services are now integrated into every Linux system and allow you to use any printer on your system or network. Newsgroup servers are rarer and are used for setting up newsgroups for local networks or for supporting the Internet’s Usenet News Service. Database servers are becoming more common for managing large collections of data on local networks as well as for Internet services.

Printer Services: CUPS

Once treated as devices attached directly to a system, printers are now treated as network resources managed by print servers. In the case of a single printer attached directly to a system, the networking features become transparent and the printer appears as just one more device. On the other hand, you could easily use a print server’s networking capability to let several systems access the same printer. Although printer installation is almost automatic on most Linux distributions, understanding the underlying process can be helpful. Printing sites and resources are listed in Table 29-1.
The Common Unix Printing System (CUPS) provides printing services and is freely available under the GNU Public License. Although CUPS is now included with most distributions, you can also download the most recent source-code version from http://cups.org, which provides detailed documentation on installing and managing printers. CUPS is based on the Internet Printing Protocol (IPP), which was designed to establish a printing standard for the Internet. Whereas the older line printer (LPD)–based printing systems focused primarily on line printers, an IPP-based system provides networking, PostScript, and web support. CUPS works like an Internet server and employs a configuration setup much like that of the Apache web server. Its network support lets clients directly access printers on remote servers, without having to configure the printers themselves. Configuration needs to be maintained only on the print servers. CUPS is the primary print server for most Linux distributions. With libgnomecups, GNOME now provides integrated support for CUPS, allowing GNOME-based applications to directly access CUPS printers.

Copyright © 2009 by The McGraw-Hill Companies.