
/etc/hosts.allow, where specific services are listed, along with the specific host addresses allowed to
access these services. While hostnames can be used here, relying on them opens a limited possibility of
name spoofing, since the match then depends on DNS answers rather than on the peer's address alone.
Tcpwrappers is commonly used to protect services that are started via inetd (or xinetd), but any program
that has been compiled with libwrap support can also take advantage of it. Just don't assume that all programs
have built-in libwrap support: they do not, and in fact most probably don't. So we will only use it in our
examples here to protect services started via inetd, and then rely on our packet filtering firewall, or some
other mechanism, to protect non-(x)inetd services.
Below is a small snippet from a typical inetd.conf file:
# Pop and imap mail services et al
#
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
#
The second-to-last column is the tcpwrappers daemon, /usr/sbin/tcpd. Immediately after it is the daemon it
is protecting, in this case the POP and IMAP mail servers. Your distro has probably already done this part for
you. Note that the lines above are commented out with a leading "#", so those services stay disabled until
you remove it. For the few applications that have built-in support for tcpwrappers via the libwrap library,
specifying tcpd as above is not necessary; the daemon consults the same two files itself.
We will use the same principles here: default policy is to deny everything, then open holes to allow the
minimal amount of traffic necessary.
So now, with your text editor, su to root and open /etc/hosts.deny. If it does not exist, create it; it
is just a plain text file. We want the following line:
ALL: ALL
If it is there already, fine. If not, add it, then save and close the file. Easy enough. "ALL" is one of the
keywords that tcpwrappers understands. The format is $SERVICE_NAME : $WHO, so we are denying all
connections to all services here, or at least all services that are using tcpwrappers. Remember, this will
primarily be inetd services. The service name is the name of the daemon process (sshd, ipop3d, and so on).
Order matters: tcpwrappers consults /etc/hosts.allow first, then /etc/hosts.deny, and a connection that
matches neither file is let through. Without this line, anything you forget to list is allowed. See
man 5 hosts_access for details on the syntax of these files. Note the "5" there!
Now let's open up just the services we need, as restrictively as we can, with a brief example for /etc/hosts.allow:
ALL: 127.0.0.1
sshd,ipop3d: 192.168.1.
sshd: .myworkplace.com, hostess.mymomshouse.com
The first line allows all "localhost" connections. You will need this. The second allows connections to the
sshd and ipop3d services from IP addresses that start with 192.168.1., in this case the private address
range for our hypothetical home LAN. Note the trailing ".". It's important: a pattern ending in "." is matched
as an address prefix, while without it tcpwrappers treats the string as an exact host address, and
192.168.1 matches nothing. The third line allows connections
Security Quick−Start HOWTO for Red Hat Linux
5.3. Tcpwrappers (libwrap) 27
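To make the matching rules above concrete, here is a small evaluator of the hosts.allow / hosts.deny semantics. It is an added example, not code from this HOWTO or from the tcp_wrappers package: it re-implements only a subset of hosts_access(5) (ALL, exact names and addresses, leading-dot domain suffixes, trailing-dot address prefixes, and EXCEPT), takes the client's hostname as a parameter instead of performing the reverse lookup tcpd does, and matches the daemon name exactly. The two rule files are constructed inline from the example above; nothing is read from /etc.

```python
"""Simplified evaluator for tcpwrappers-style hosts.allow / hosts.deny rules.

Added example (not code from the HOWTO or from the tcp_wrappers package).
Covers a subset of hosts_access(5): ALL, exact names/addresses,
leading-dot domain suffixes, trailing-dot address prefixes, and EXCEPT.
Netmasks, LOCAL/KNOWN/UNKNOWN/PARANOID, shell commands and backslash
line continuation are not handled. Hostnames are passed in explicitly;
the real tcpd obtains them by reverse lookup.
"""
from typing import Callable, List, Optional, Tuple

# Constructed rule files mirroring the HOWTO's example; nothing is read from /etc.
HOSTS_DENY = """
# Default policy: refuse everything tcpwrappers sees.
ALL: ALL
"""

HOSTS_ALLOW = """
ALL: 127.0.0.1
sshd,ipop3d: 192.168.1.
sshd: .myworkplace.com, hostess.mymomshouse.com
"""

Rule = Tuple[List[str], List[str], str]   # (daemon_list, client_list, source line)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: shell_command]' lines; the command part is ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()   # lists may use commas or blanks
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, line))
    return rules


def _list_matches(tokens: List[str], match_one: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d' matches when a or b matches and neither c nor d does."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return (_list_matches(tokens[:i], match_one)
                and not _list_matches(tokens[i + 1:], match_one))
    return any(match_one(t) for t in tokens)


def _client_token_matches(pattern: str, address: str, hostname: Optional[str]) -> bool:
    p = pattern.lower()
    if p == "all":
        return True
    if p.endswith("."):            # "192.168.1." matches addresses starting with it
        return address.startswith(p)
    if p.startswith("."):          # ".myworkplace.com" matches names ending with it
        return hostname is not None and hostname.lower().endswith(p)
    return address == p or (hostname is not None and hostname.lower() == p)


def rule_matches(rule: Rule, daemon: str, address: str, hostname: Optional[str]) -> bool:
    daemons, clients, _ = rule
    daemon_ok = _list_matches(daemons, lambda t: t.upper() == "ALL" or t == daemon)
    client_ok = _list_matches(clients, lambda t: _client_token_matches(t, address, hostname))
    return daemon_ok and client_ok


def hosts_access(daemon: str, address: str, hostname: Optional[str] = None,
                 allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> Tuple[bool, str]:
    """Apply libwrap's search order: hosts.allow first, then hosts.deny, otherwise grant.

    Returns (granted, deciding_rule) so the caller can log which line decided.
    """
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, address, hostname):
            return True, "hosts.allow: " + rule[2]
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, address, hostname):
            return False, "hosts.deny: " + rule[2]
    return True, "no rule matched; tcpwrappers grants access by default"


if __name__ == "__main__":
    for daemon, addr, name in [("sshd", "192.168.1.20", None),
                               ("imapd", "192.168.1.20", None),
                               ("sshd", "192.168.10.5", None),
                               ("sshd", "203.0.113.8", "vpn.myworkplace.com")]:
        ok, why = hosts_access(daemon, addr, name)
        print(f"{daemon:6} from {name or addr:24} -> {'allow' if ok else 'deny':5} ({why})")
```

Two cases worth trying with it: an allow line written as "sshd: 192.168.1" (no trailing dot) lets nothing from the LAN in, because the string is then an exact address; and an empty hosts.deny grants every connection that hosts.allow does not mention, which is why the ALL: ALL line comes first. On a real system the equivalent check is tcpdmatch, which ships with tcp_wrappers: tcpdmatch sshd 192.168.1.20 reports which rule in the installed files decides that connection, and tcpdchk reports syntax errors in both files. To see whether a standalone daemon was linked against libwrap at all, run ldd on its binary and look for libwrap in the output.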