
Beyond Firewalls
Pages: 1, 2

Controlling other services

Some programs, like the Apache web server, do not use TCP Wrappers, and so the HTTP protocol is not listed in /etc/inetd.conf. Other server programs, notably Exim (a mail server), can be compiled with or without TCP Wrappers support. These programs use built-in security measures that make TCP Wrappers redundant. However, you need to know what you are installing, what it does, how it does it, and what changes you need to make in the configuration or compilation to make the software secure. If you don't know what a software package does, DO NOT INSTALL IT. Do your research first. Find out if other people are using the software and what their experiences were. Find out if there are any outstanding security advisories for the software (this applies to any piece of software, not just server programs).



Again, watch web sites for updates and other information about security problems and fixes. This is time well spent. Remember, it's your job to know about each program that runs on your computer(s).

Access control

One area often overlooked in security is the use of access control files. Two main files, /etc/hosts.deny and /etc/hosts.allow, control who can access a given system, how they can access it, and from where they can access it. These two files are set up as an access pair, with hosts.deny being read and used first and then hosts.allow. Simply put, /etc/hosts.deny should be set up to deny everyone access to your computer. Then, add the specific hosts that may access your system to hosts.allow. Generally, you only want your internal network to be able to access your system and nothing else.

Here is a typical hosts.deny file:

#
# hosts.deny	This file describes the names 
#       of the hosts which are *not* allowed to 
#       use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to 
# remind you that the new secure portmap uses hosts.deny 
# and hosts.allow.  In particular you should know that 
# NFS uses portmap!

ALL:ALL

The line ALL:ALL means that all services from all hosts are denied access. Now, look at hosts.allow:

#
# hosts.allow	This file describes the names 
# of the hosts which are allowed to use the 
# local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

ALL:LOCAL

The use of LOCAL refers to the loopback interface and to unqualified hostnames: hosts without a dot in their name, that is, hostnames without a domain name. For better security, however, it's best to address your internal network specifically, like this:

#
# hosts.allow	This file describes the names 
# of the hosts which are allowed to use the 
# local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

ALL:10.0.0.0/24

Once again, if this is a server machine, you might want to allow access to specific services such as SSH or POP3 from specific machines on your network, like this:

#
# hosts.allow	This file describes the names
# of the hosts which are allowed to use the
# local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

sshd: 10.0.0.5
ipop3d: 10.0.0.5
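The three hosts.allow variants above (ALL:LOCAL, ALL:10.0.0.0/24, and the per-service sshd/ipop3d rules) are easy to get subtly wrong, so it helps to check what a given (daemon, client) pair would resolve to before deploying the files. The following script is an added example, not code from the article or from the tcp_wrappers project. It implements the subset of hosts_access(5) syntax used above (daemon lists, ALL, LOCAL, exact names or addresses, dotted prefixes such as "10.0.0.", and net/mask patterns in either n.n.n.n/m.m.m.m or CIDR form) and follows the search order documented in hosts_access(5): a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted. The sample files and client names (pc5, evil.example.net, and so on) are constructed for the example. The optional third field (shell_command), EXCEPT, and daemon@host patterns are not handled.

```python
"""Evaluate TCP Wrappers hosts.allow / hosts.deny pairs.

Added example (hypothetical code, not from the article or tcp_wrappers).
Search order per hosts_access(5): hosts.allow match -> grant,
hosts.deny match -> refuse, no match -> grant.
"""
import ipaddress

# Constructed sample files, mirroring the configurations discussed above.
HOSTS_DENY = "# deny everything not listed in hosts.allow\nALL:ALL\n"
ALLOW_LOCAL = "ALL:LOCAL\n"
ALLOW_NET = "ALL:10.0.0.0/24\n"
ALLOW_SERVICES = "sshd: 10.0.0.5\nipop3d: 10.0.0.5\n"


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns), ...] for one access file."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the connecting host name and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # any host name without a dot
        return "." not in host
    if pattern.startswith("."):                 # ".example.com": domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                   # "10.0.0.": address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                          # 10.0.0.0/255.255.255.0 or 10.0.0.0/24
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern in (host, addr)              # exact host name or address


def rule_matches(rule, daemon, host, addr):
    """A rule matches when both its daemon list and its client list match."""
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(c, host, addr) for c in clients)


def decide(daemon, host, addr, allow_text, deny_text):
    """Return 'allow' or 'deny' for one (daemon, client) pair."""
    for rule in parse_access_file(allow_text):
        if rule_matches(rule, daemon, host, addr):
            return "allow"
    for rule in parse_access_file(deny_text):
        if rule_matches(rule, daemon, host, addr):
            return "deny"
    return "allow"                              # nothing matched: tcpd grants access


def audit(allow_text, deny_text, cases):
    """Evaluate a list of (daemon, host, addr) tuples; return {case: verdict}."""
    return {case: decide(*case, allow_text, deny_text) for case in cases}


if __name__ == "__main__":
    cases = [("sshd", "pc5", "10.0.0.5"), ("ipop3d", "pc6", "10.0.0.6"),
             ("in.telnetd", "pc5", "10.0.0.5"),
             ("sshd", "evil.example.net", "203.0.113.9")]
    for name, allow in (("ALL:LOCAL", ALLOW_LOCAL), ("ALL:10.0.0.0/24", ALLOW_NET),
                        ("per-service", ALLOW_SERVICES)):
        print(name, audit(allow, HOSTS_DENY, cases))
    # Failure mode worth checking: without ALL:ALL in hosts.deny, hosts.allow
    # restricts nothing, because an unmatched pair is granted access.
    print("no hosts.deny:", audit(ALLOW_SERVICES, "", cases))
```

The last print is the check a practitioner most needs: an empty or missing hosts.deny turns even a strict hosts.allow into a no-op, which is why the article's ALL:ALL line in hosts.deny is the foundation of the whole scheme. The LOCAL cases also show the weakness the article points at: any client whose name happens to resolve without a dot matches LOCAL, so a network or mask rule is the safer choice.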

In the last hosts.allow above, only the machine with IP address 10.0.0.5 can access SSH and POP3.

You can set up rules that are considerably more complicated and restrictive, but the above examples should give you a general idea. Take a look at hosts_access(5) for more details, as well as a good book on system security.

Resources

Web sites:

Security Portal

Linux Administrator's Security Guide

Root Prompt

Linux System Administrator's Guide

Books:

Maximum Linux Security (SAMS) ISBN: 0-672-31670-6

Linux Network Administrator's Guide, 2nd Edition (O'Reilly) ISBN: 1-56592-400-2

Practical Unix and Internet Security (O'Reilly) ISBN: 1-56592-148-8

Running Linux, 3rd Edition (O'Reilly) ISBN: 1-56592-469-X

Linux System Security (Prentice Hall) ISBN: 0-13-015897-0

Summary

OK, so you've done everything I've talked about here. You've got a firewall up and you've plugged some common security holes. You're finished with your security checks for all your systems, right? WRONG! There is still much more that can be done. Install Tripwire on your firewall and servers to monitor if anyone tries to break in. Set up a good VPN system such as FreeS/WAN to secure traffic between remote sites or even between two different subnets of your existing network. Upgrade from your existing IPCHAINS firewall to the newer IPTABLES and Netfilter that's part of the 2.4 kernel. Maybe set up a proxy server for all your regular Internet traffic.

I'll explore each of these options in upcoming articles. As to which one is next, you'll just have to stay tuned and watch for them here.

Carl Constantine works for Open Source Solutions, Inc. (www.os-s.com) as a Linux Trainer and Programmer.

©2009, O'Reilly Media, Inc.