Controlling other services
Some programs, like the Apache web server, do not use TCP Wrappers, and so the HTTP protocol is not listed in /etc/inetd.conf. Other server programs, notably Exim (a mail server), can be compiled to use TCP Wrappers or not. These programs use built-in security measures that make using TCP Wrappers redundant. However, you need to know what you are installing, what it does, how it does it, and what changes you need to make in the configuration or compilation to make the software secure. If you don't know what a software package does, DO NOT INSTALL IT. Do your research first. Find out if other people are using the software and what their experiences were. Find out if there are any outstanding security advisories for the software (this applies to any piece of software, not just server programs).
Again, watch web sites for updates and other information about security problems and fixes. This is time well spent. Remember, it's your job to know about each program that runs on your computer(s).
One area often overlooked in security is the use of access control files. Two main files, /etc/hosts.deny and /etc/hosts.allow, control who can access a given system, how they can access it, and from where they can access it. These two files are set up as an access pair with hosts.deny being read and used first and then hosts.allow. Simply put, /etc/hosts.deny should be set up to deny everyone from accessing your computer. Then, add the specific hosts that can access your system to hosts.allow. Generally, you only want your internal network to be able to access your system and nothing else.
Here is a typical /etc/hosts.deny file:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
ALL:ALL
ALL:ALL means that all services from all hosts are denied access. Now, look at /etc/hosts.allow:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL:LOCAL
The use of LOCAL refers to the loopback interface and to unqualified hostnames, that is, hosts without a dot in their name or hostnames without a domain name. For better security, however, it's best to address your internal network specifically, like this:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL:10.0.0.0/24
Once again, if this is a server machine, you might want to allow access to specific services such as SSH or POP3 from specific machines on your network, like this:
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 10.0.0.5
ipop3d: 10.0.0.5
In this example, only the machine with IP address 10.0.0.5 can access SSH and POP3.
You can set up rules that are considerably more complicated and restrictive, but the above examples should give you a general idea. Take a look at hosts_access(5) for more details, as well as a good book on system security, such as one of these:
Maximum Linux Security (SAMS) ISBN: 0-672-31670-6
Linux Network Administrator's Guide, 2nd Edition (O'Reilly) ISBN: 1-56592-400-2
Practical Unix and Internet Security (O'Reilly) ISBN: 1-56592-148-8
Running Linux, 3rd Edition (O'Reilly) ISBN: 1-56592-469-X
Linux System Security (Prentice Hall) ISBN: 0-13-015897-0
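To check what a given hosts.allow/hosts.deny pair will actually do before relying on it, here is an added Python simulation (not code from this article or from the TCP Wrappers package) that parses the two files and applies them in the order hosts_access(5) documents: a hosts.allow match grants, then a hosts.deny match refuses, and no match in either file grants. The sample files are constructed from the last example above; the portmap line is an assumed extra, and the matcher also accepts the net/mask and trailing-dot prefix client forms from the man page in addition to the CIDR form used above.

```python
import ipaddress

# Constructed sample files mirroring the article's last hosts.allow example;
# the portmap line is an assumed extra to exercise the network form.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "sshd: 10.0.0.5\nipop3d: 10.0.0.5\nportmap: 10.0.0.0/24\n"

def parse_rules(text):
    """Return (daemons, clients) pairs; comments, blank lines and any
    optional shell-command field are ignored."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:
            continue
        rules.append(([d.strip() for d in fields[0].split(",")],
                      [c.strip() for c in fields[1].split(",")]))
    return rules

def client_matches(pattern, ip):
    """Match one client pattern against an IPv4 address. Hostnames are not
    resolved here, so LOCAL matches only the loopback address in this model."""
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return addr.is_loopback
    if "/" in pattern:  # CIDR as in the article, or net/mask as in hosts_access(5)
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # prefix form such as "10.0.0."
        return ip.startswith(pattern)
    return ip == pattern

def rule_matches(rules, daemon, ip):
    return any((daemon in ds or "ALL" in ds) and any(client_matches(c, ip) for c in cs)
               for ds, cs in rules)

def hosts_access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: a hosts.allow match grants access, then a
    hosts.deny match refuses it, and no match in either file grants access."""
    if rule_matches(parse_rules(allow), daemon, ip):
        return True
    if rule_matches(parse_rules(deny), daemon, ip):
        return False
    return True  # fail-open: this is why hosts.deny needs ALL: ALL
```

Calling hosts_access("sshd", "10.0.0.6", deny="") returns True, which shows the fail-open default an empty hosts.deny leaves you with.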
OK, so you've done everything I've talked about here. You've got a firewall up and you've plugged some common security holes. You're finished with your security checks for all your systems, right? WRONG! There is still much more that can be done. Install Tripwire on your firewall and servers to monitor if anyone tries to break in. Set up a good VPN system such as FreeS/WAN to secure traffic between remote sites or even between two different subnets of your existing network. Upgrade from your existing IPCHAINS firewall to the newer IPTABLES and Netfilter that's part of the 2.4 kernel. Maybe set up a proxy server for all your regular Internet traffic.
I'll explore each of these options in upcoming articles. As to which one is next, you'll just have to stay tuned and watch for them here.
Carl Constantine works for Open Source Solutions, Inc. (www.os-s.com) as a Linux Trainer and Programmer.