Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Installation Guide Page 33

using a web proxy like "squid" (http://www.squid-cache.org/), every time we browse to a web site, we would
actually be connecting to our locally running squid server. Squid, in turn, would relay our request to the
ultimate, real destination, and then relay the web pages back to us. It is a go-between. As with
"firewalls", a "proxy" can refer to either a specific application, or a dedicated server which runs a proxy
application.
Proxies can perform various duties, not all of which have much to do with security. But the fact that they are
an intermediary makes them a good place to enforce access control policies, limit direct connections through
a firewall, and control how the network behind the proxy looks to the Internet. This makes them strong
candidates to be part of an overall firewall strategy, and in fact they are sometimes used instead of packet
filtering firewalls. Proxy based firewalls probably make more sense where many users are behind the same
firewall; a proxy is probably not high on the list of components necessary for home based systems.
Configuring and administering proxies can be complex, and is beyond the scope of this document. The
Firewall and Proxy Server HOWTO, http://tldp.org/HOWTO/Firewall-HOWTO.html, has examples of
setting up proxy firewalls. Squid usage is discussed at
http://squid-docs.sourceforge.net/latest/html/book1.htm
5.6. Individual Applications
Some servers may have their own access control features. You should check this for each server application
you run. We'll only look at a few of the common ones in this section. Man pages, and other application
specific documentation, are your friends here. This should be done whether you have confidence in your
firewall or not. Again, layers of protection are always best.
BIND - a very common package that provides name server functionality. The daemon itself is
"named". This only requires full exposure to the Internet if you are providing DNS lookups for one
or more domains to the rest of the world. If you are not sure what this means, you do not need, or
want, it exposed. For the overwhelming majority of us this is the case. It is a very common crack
target.
But it may be installed, and can be useful in a caching only mode. This does not require full exposure
to the Internet. Limit the interfaces on which it "listens" by editing /etc/named.conf (random
example shown):
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.1.1; };
    version "N/A";
};
The "listen-on" statement is what limits where named listens for DNS queries. In this example it listens
only on localhost and on bigcat's LAN interface. There is no port open for the rest of the world. It just is not
there. Restart named after making changes.
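The way to confirm that a "listen-on" change actually took effect is to look at which local addresses port 53 is bound to after the restart. The script below is an added example, not part of the HOWTO: it reads socket listings in the format printed by `ss -Hltnu` (one line per socket: netid, state, queues, local address:port, peer address:port) and reports any socket on the given port whose local address is not in your allowed list. The two listings embedded in it are constructed samples, not output captured from a real host; the first matches the named.conf above, the second shows what you get when listen-on was never set and named binds the wildcard address. The same check works for any daemon you want confined to particular interfaces.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit which local addresses a daemon's
# port is bound to and flag anything outside the addresses you intended.
# Input is in the shape of `ss -Hltnu` output, but the two listings below are
# CONSTRUCTED samples, not captured from a real system.

# Constructed sample 1: named bound to loopback and the LAN address only
# (matching the listen-on statement above); sshd on all interfaces is
# unrelated to port 53 and is ignored by the check.
SAMPLE_SS_GOOD='udp   UNCONN 0 0     127.0.0.1:53   0.0.0.0:*
udp   UNCONN 0 0   192.168.1.1:53   0.0.0.0:*
tcp   LISTEN 0 10    127.0.0.1:53   0.0.0.0:*
tcp   LISTEN 0 10  192.168.1.1:53   0.0.0.0:*
tcp   LISTEN 0 128      0.0.0.0:22   0.0.0.0:*'

# Constructed sample 2: no listen-on statement, so named binds the wildcard.
SAMPLE_SS_WILDCARD='udp   UNCONN 0 0       0.0.0.0:53   0.0.0.0:*
tcp   LISTEN 0 10      0.0.0.0:53   0.0.0.0:*'

# check_port_bindings PORT "ADDR1 ADDR2 ..." < ss-style listing
# Prints every socket on PORT whose local address is not in the allowed list.
# Returns 0 if all bindings on PORT are allowed, 1 if any is unexpected.
check_port_bindings() {
    port="$1"
    allowed="$2"
    bad=0
    while read -r netid state rq sq local peer; do
        [ -n "$netid" ] || continue
        # Split "addr:port" on the LAST colon so IPv6 literals like [::1]:53 work.
        lport="${local##*:}"
        laddr="${local%:*}"
        [ "$lport" = "$port" ] || continue
        ok=0
        for a in $allowed; do
            [ "$laddr" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "UNEXPECTED: $netid $local bound on port $port (allowed: $allowed)"
            bad=1
        fi
    done
    return "$bad"
}

# Wrappers over the constructed samples so the result can be checked directly.
audit_named_good() {
    printf '%s\n' "$SAMPLE_SS_GOOD" | check_port_bindings 53 "127.0.0.1 192.168.1.1"
}
audit_named_wildcard() {
    printf '%s\n' "$SAMPLE_SS_WILDCARD" | check_port_bindings 53 "127.0.0.1 192.168.1.1"
}

# Stand-alone demonstration on the constructed samples.
audit_named_good && echo "sample 1: named is bound only to the allowed addresses"
audit_named_wildcard || echo "sample 2: add listen-on to /etc/named.conf and restart named"

# On a real host, after restarting named:
#   ss -Hltnu | check_port_bindings 53 "127.0.0.1 192.168.1.1"
```

The allowed list is deliberately the same addresses as the listen-on statement, so a mismatch between the two means either the config was not reloaded or another process is also answering on port 53.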
X11 can be told not to allow TCP connections by using the -nolisten tcp command line option.
If using startx, you can make this automatic by placing alias startx="startx -- -nolisten tcp"
in your ~/.bashrc, or the system-wide file, /etc/bashrc, with your text
Security Quick-Start HOWTO for Red Hat Linux
5.6. Individual Applications 30