Beyond Firewalls

Controlling other services

Some programs, like the Apache web server, do not use TCP Wrappers, so the HTTP protocol is not listed in /etc/inetd.conf. Other server programs, notably Exim (a mail server), can be compiled to use TCP Wrappers or not. These programs have built-in security measures that make using TCP Wrappers redundant. However, you need to know what you are installing, what it does, how it does it, and what changes you need to make in the configuration or compilation to make the software secure. If you don't know what a software package does, DO NOT INSTALL IT. Do your research first. Find out whether other people are using the software and what their experiences were. Find out whether there are any outstanding security advisories for the software (this applies to any piece of software, not just server programs).

Again, watch web sites for updates and other information about security problems and fixes. This is time well spent. Remember, it's your job to know about each program that runs on your computer(s).

Access control

One area often overlooked in security is the use of access control files. Two main files, /etc/hosts.deny and /etc/hosts.allow, control who can access a given system, how they can access it, and from where. These two files are set up as an access pair, with hosts.deny being read and used first and then hosts.allow. Simply put, /etc/hosts.deny should be set up to deny everyone access to your computer. Then add the specific hosts that may access your system to hosts.allow. Generally, you only want your internal network to be able to access your system and nothing else.

Here is a typical hosts.deny file:

#
# hosts.deny	This file describes the names 
#       of the hosts which are *not* allowed to 
#       use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to 
# remind you that the new secure portmap uses hosts.deny 
# and hosts.allow.  In particular you should know that 
# NFS uses portmap!

ALL:ALL

The line ALL:ALL means that all services from all hosts are denied access. Now, look at hosts.allow:

#
# hosts.allow	This file describes the names 
# of the hosts which are allowed to use the 
# local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

ALL:LOCAL

The LOCAL pattern matches the loopback interface and unqualified hostnames, that is, hosts whose name contains no dot (a hostname without a domain part). For better security, however, it's best to address your internal network specifically, like this:

#
# hosts.allow	This file describes the names 
# of the hosts which are allowed to use the 
# local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

ALL:10.0.0.0/24

Once again, if this is a server machine, you might want to allow access to specific services such as SSH or POP3 from specific machines on your network, like this:

#
# hosts.allow	This file describes the names 
# of the hosts which are allowed to use the 
# local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

sshd: 10.0.0.5
ipop3d: 10.0.0.5
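
To check how tcpd actually resolves a connection against these two files, here is an added Python model of the decision (example code written for this edit, not code from the article or from the tcp_wrappers project). It follows the order documented in hosts_access(5): hosts.allow is consulted first, then hosts.deny, and a request that matches neither file is granted. That default is why an empty or missing hosts.deny leaves every wrapped service reachable from anywhere, and why the ALL:ALL line matters. The sample files, hostnames and addresses are constructed; the in.ftpd line with EXCEPT goes beyond the article's own example to show that operator, and option fields after the second colon (spawn, twist) are accepted but ignored.

```python
"""Simulate TCP Wrappers (tcpd/libwrap) access decisions for hosts.allow/hosts.deny.

Added example; this is not code from the article or from the tcp_wrappers
project. It models the evaluation order documented in hosts_access(5):
hosts.allow is consulted first, then hosts.deny, and a request matching
neither file is granted. Pattern support is a subset of the real syntax:
ALL, LOCAL, exact host or address, leading-dot domain suffix, trailing-dot
address prefix, net/mask and CIDR networks, and the EXCEPT operator.
Option fields after the second colon (spawn, twist, ...) are ignored.
"""
import ipaddress


def parse_rules(text):
    """Return a list of (daemon_list, client_list) pairs from a file body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))         # option fields ignored
    return rules


def _daemon_matches(tok, daemon):
    return tok == "ALL" or tok == daemon


def _client_matches(tok, host, addr):
    """Match one client pattern against the client's hostname and address.

    host is the reverse-resolved name (None if lookup failed); addr is an
    ipaddress object. An unresolvable client never matches LOCAL here.
    """
    if tok == "ALL":
        return True
    if tok == "LOCAL":                 # any name without a dot, e.g. "localhost"
        return host is not None and "." not in host
    if tok.startswith("."):            # ".example.com": hosts in that domain
        return host is not None and host.endswith(tok)
    if tok.endswith("."):              # "10.0.0.": addresses with that prefix
        return str(addr).startswith(tok)
    if "/" in tok:                     # 10.0.0.0/24 or 10.0.0.0/255.255.255.0
        return addr in ipaddress.ip_network(tok, strict=False)
    return tok == host or tok == str(addr)


def _list_matches(pattern_list, matches_one):
    """Evaluate 'a b EXCEPT c d': a member before EXCEPT must match and no
    member after it may; EXCEPT nests to the right as in hosts_access(5)."""
    parts = pattern_list.split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        return (_list_matches(" ".join(parts[:i]), matches_one)
                and not _list_matches(" ".join(parts[i + 1:]), matches_one))
    return any(matches_one(tok) for tok in parts)


def hosts_access(daemon, host, addr, allow_text, deny_text):
    """Return True if tcpd would grant daemon access to client (host, addr)."""
    addr = ipaddress.ip_address(addr)
    for rules, verdict in ((parse_rules(allow_text), True),
                           (parse_rules(deny_text), False)):
        for daemon_list, client_list in rules:
            if (_list_matches(daemon_list, lambda t: _daemon_matches(t, daemon))
                    and _list_matches(client_list,
                                      lambda t: _client_matches(t, host, addr))):
                return verdict
    return True                        # nothing matched in either file: granted


# Constructed sample files, modelled on the article's server example.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """
sshd: 10.0.0.5
ipop3d: 10.0.0.5
in.ftpd: 10.0.0.0/24 EXCEPT 10.0.0.200
ALL: LOCAL
"""

if __name__ == "__main__":
    checks = [                         # (daemon, reverse-resolved name, address)
        ("sshd", "ws5.example.com", "10.0.0.5"),
        ("sshd", "ws9.example.com", "10.0.0.9"),
        ("in.ftpd", "ws9.example.com", "10.0.0.9"),
        ("in.ftpd", "kiosk.example.com", "10.0.0.200"),
        ("in.telnetd", "localhost", "127.0.0.1"),
        ("sshd", None, "203.0.113.7"),
    ]
    for daemon, host, addr in checks:
        with_deny = hosts_access(daemon, host, addr, HOSTS_ALLOW, HOSTS_DENY)
        no_deny = hosts_access(daemon, host, addr, HOSTS_ALLOW, "")
        print(f"{daemon:11} {addr:14} with hosts.deny: {with_deny!s:5} "
              f"without hosts.deny: {no_deny}")
```

Running the module prints each verdict twice, once against the ALL:ALL hosts.deny and once against an empty deny file; the second column is the quick way to see which services would be reachable from anywhere if hosts.deny were ever removed. Where this model and the real library disagree, hosts_access(5) wins, and tcpdmatch(8), which ships with the tcp_wrappers package, answers the same question for the live configuration on the machine itself.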

In the sshd and ipop3d example, only the machine with IP address 10.0.0.5 can access SSH and POP3.

You can set up rules that are considerably more complicated and restrictive, but the above examples should give you a general idea. Take a look at hosts_access(5) for more details, as well as a good book on system security.

Summary

OK, so you've done everything I've talked about here. You've got a firewall up and you've plugged some common security holes. You're finished with your security checks for all your systems, right? WRONG! There is still much more that can be done. Install Tripwire on your firewall and servers to detect whether anyone tries to break in. Set up a good VPN system such as FreeS/WAN to secure traffic between remote sites or even between two different subnets of your existing network. Upgrade from your existing ipchains firewall to the newer iptables and Netfilter that are part of the 2.4 kernel. Maybe set up a proxy server for all your regular Internet traffic.

I'll explore each of these options in upcoming articles. As to which one is next, you'll just have to stay tuned and watch for them here.

Resources

Web sites:

Security Portal
Linux Administrator's Security Guide
Root Prompt
Linux System Administrator's Guide

Books:

Maximum Linux Security (SAMS), ISBN 0-672-31670-6
Linux Network Administrator's Guide, 2nd Edition (O'Reilly), ISBN 1-56592-400-2
Practical Unix and Internet Security (O'Reilly), ISBN 1-56592-148-8
Running Linux, 3rd Edition (O'Reilly), ISBN 1-56592-469-X
Linux System Security (Prentice Hall), ISBN 0-13-015897-0

Carl Constantine works for Open Source Solutions, Inc. (www.os-s.com) as a Linux Trainer and Programmer.
