Linux security: using SELinux, tcp_wrappers and iptables

Source: Internet
Author: User

I. Linux security

Hardening a Linux host is mostly a matter of controlling which ports and services are reachable, and from where.

1.1 Linux security is mainly reinforced by the following three mechanisms

    • SELinux: mandatory access control enforced by the kernel
    • tcp_wrappers: restricts access to individual services (those linked against libwrap) by client address
    • iptables: the kernel packet filter, used to build a host firewall

1.2 Forbidding ping

The kernel answers ICMP echo requests unless net.ipv4.icmp_echo_ignore_all is set to 1 (1 = ignore pings, 0 = answer them).

    • Temporarily forbid ping (lost at reboot): #echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
      Temporarily allow ping again: #echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all
    • Permanently forbid ping
Add a line to /etc/sysctl.conf (apply it with sysctl -p):            net.ipv4.icmp_echo_ignore_all=1
    • Or add the command to /etc/rc.d/rc.local so it runs at every boot:
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
    • Setting for iptables (drops echo requests before the kernel answers them; note that this only covers type 8, not other ICMP)
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
II. Introduction to SELinux
    • Mandatory access control enforced by the kernel: even processes running as root are confined by the loaded policy
    • getenforce prints the current mode (Enforcing, Permissive or Disabled); setenforce 1/0 switches between Enforcing and Permissive at runtime
    • vi /etc/sysconfig/selinux sets the mode persistently (SELINUX=enforcing|permissive|disabled); switching to or from disabled takes effect only after a reboot
III. Introduction to tcp_wrappers

Not every service is controlled by tcp_wrappers: only services that are linked against the libwrap library (directly, or indirectly by being started through xinetd) consult /etc/hosts.allow and /etc/hosts.deny.

3.1 Checking whether a service is wrapped

(1) Check whether the daemon binary links libwrap

ldd $(which daemon) | grep libwrap
where daemon is sshd, httpd, smbd, xinetd, ...

If the output contains a libwrap.so line, the service accepts tcp_wrappers control.

(2) Services that are controlled

      • Every service started through xinetd (xinetd itself links libwrap)
      • A number of standalone daemons, for example:
sendmail slapd sshd stunnel xinetd gdm gnome-session vsftpd portmap

(3) Some daemons are not controlled by tcp_wrappers

httpd, smb, squid, etc. Whether a given build links libwrap depends on the distribution, so the ldd check above is the authoritative test; daemons that are not wrapped must be restricted with their own access directives or with iptables.
3.2 Configuration files

/etc/hosts.allow
/etc/hosts.deny

3.3 How it works

A. When a request from a remote host reaches the local machine

/etc/hosts.allow is checked first
If a line matches, access is allowed and /etc/hosts.deny is not consulted
If nothing matches, /etc/hosts.deny is checked; if a line matches there, access is denied

B. If neither file matches, access is allowed by default (so a restrictive setup ends hosts.deny with ALL: ALL)

C. Format of both files

service list : client address list [: options]

a. Service list: the daemon name (sshd, vsftpd, in.telnetd, ...) or ALL; separate multiple services with commas
b. Client address list:
1. Plain IP addresses, for example 192.168.0.254, 192.168.0.56; separate multiple addresses with commas. An address ending in a dot (192.168.0.) matches every address with that prefix
2. Host names, for example www.baidu.com; a name starting with a dot (.example.com) matches the whole domain
3. Network with mask: 192.168.0.0/255.255.255.0 selects the whole subnet
Note: classic tcp_wrappers accepts only the dotted-quad mask form here; 192.168.0.0/24 is not understood
4. NIS netgroup name, for example @mynetwork
Within one file the first matching line wins, so put specific entries before general ones.

D. Example

/etc/hosts.allow:    sshd: 192.168.0.1 : allow
/etc/hosts.deny:
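The lookup procedure in A and B above, as an added example that is not part of the original article: a small shell simulator of the hosts.allow/hosts.deny decision, run against constructed files in a temporary directory so no real /etc file is touched. The service names and the addresses (192.168.0.13, 172.16.0.0/16, 10.0.0.1 and the probes) are assumptions for the example. It goes slightly beyond the text by also honouring the optional ": allow" / ": deny" third field and first-match-wins within a file; host names, netgroups and EXCEPT are not handled.

```shell
#!/bin/sh
# Added example, not from the original article: simulate the tcp_wrappers
# decision of section 3.3 against constructed hosts.allow / hosts.deny files.
# Supported client forms: exact IP, trailing-dot prefix, net/mask, ALL.

TW_DIR=$(mktemp -d)
trap 'rm -rf "$TW_DIR"' EXIT
ALLOW="$TW_DIR/hosts.allow"
DENY="$TW_DIR/hosts.deny"

# Constructed sample policy (assumed addresses): sshd from 192.168.0.0/24 and
# 172.16.0.0/16 except one workstation; vsftpd from the LAN and one host;
# telnet and all other sshd clients refused.
cat > "$ALLOW" <<'EOF'
# service list : client list [: option]
sshd: 192.168.0.13 : deny
sshd, vsftpd: 192.168.0.
sshd: 172.16.0.0/255.255.0.0
vsftpd: 10.0.0.1
EOF
cat > "$DENY" <<'EOF'
sshd, in.telnetd: ALL
EOF

# ip2int A.B.C.D -> 32-bit integer, used for the net/mask form
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# addr_match PATTERN CLIENT_IP -> exit 0 if the client matches the pattern
addr_match() {
    case $1 in
        ALL)  return 0 ;;
        */*)  net=${1%/*}; mask=${1#*/}
              [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
                $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)   case $2 in "$1"*) return 0 ;; esac; return 1 ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# file_match FILE SERVICE CLIENT_IP -> exit 0 on the first matching line;
# MATCH_OPT receives that line's optional third field (allow/deny)
file_match() {
    MATCH_OPT=""
    while IFS= read -r line; do
        line=${line%%#*}                          # drop comments
        case $line in *:*) ;; *) continue ;; esac  # skip blank lines
        services=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        case $rest in *:*) opt=$(echo "${rest#*:}" | tr -d ' ') ;; *) opt="" ;; esac
        hit=1
        for s in $(echo "$services" | tr ',' ' '); do
            if [ "$s" = "$2" ] || [ "$s" = ALL ]; then hit=0; fi
        done
        [ $hit -eq 0 ] || continue
        for c in $(echo "$clients" | tr ',' ' '); do
            if addr_match "$c" "$3"; then MATCH_OPT=$opt; return 0; fi
        done
    done < "$1"
    return 1
}

# tcpw_decide SERVICE CLIENT_IP -> prints ALLOW or DENY, following 3.3 A/B
tcpw_decide() {
    if file_match "$ALLOW" "$1" "$2"; then
        # matched in hosts.allow: hosts.deny is never consulted, but an
        # explicit ": deny" option overrides the meaning of the file
        if [ "$MATCH_OPT" = deny ]; then echo DENY; else echo ALLOW; fi
    elif file_match "$DENY" "$1" "$2"; then
        if [ "$MATCH_OPT" = allow ]; then echo ALLOW; else echo DENY; fi
    else
        echo ALLOW    # no match in either file: allowed by default
    fi
}

for probe in "sshd 192.168.0.37" "sshd 192.168.0.13" "sshd 172.16.9.9" \
             "sshd 10.0.0.1" "vsftpd 10.0.0.1" "vsftpd 10.0.0.2" \
             "in.telnetd 192.168.0.5"; do
    set -- $probe
    echo "$1 from $2: $(tcpw_decide "$1" "$2")"
done
```

The vsftpd probe from 10.0.0.2 is the case from B: it matches neither file and is therefore allowed, which is why a hardened host needs an explicit ALL: ALL at the end of hosts.deny.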
IV. Introduction to iptables

4.1 Overview

iptables is "ip" plus "tables": the firewall consists of several tables, each with its own purpose; each table consists of chains (chain), and the rules and default policies are set on the chains.

4.2 Tables and chains

(1) Three tables are normally used

      • filter: decides which packets may reach, leave or pass through the host (the default table)
      • nat: network address translation
      • mangle: alters packet headers and marks packets for advanced routing (policy routing, QoS)

(2) filter

filter table
Chain      Description
INPUT      packets addressed to the local host: filters what comes in from outside
OUTPUT     packets generated by the local host: filters what goes out
FORWARD    packets routed through the host to another machine (for example from the outside to an internal server); they traverse neither INPUT nor OUTPUT

(3) nat

nat table
Chain          Description
PREROUTING     rewrites the destination of incoming packets before routing (DNAT), e.g. to publish an internal host through the firewall
POSTROUTING    rewrites the source of outgoing packets after routing (SNAT / MASQUERADE), hiding the LAN hosts' addresses from the outside
OUTPUT         rewrites the destination of packets generated by the host itself (DNAT for local traffic)

(4) mangle is not used in this article

4.3 Internal structure of iptables

Rules (rule) together with the chain's default policy (policy) make up a chain (chain); several chains make up a table, and the tables together make up the firewall. The filter table is the one used most; the nat table is used for address mapping.

4.4 How iptables evaluates rules

Each chain is a list of rules walked from top to bottom. The first rule whose conditions match decides the packet's fate (ACCEPT, DROP, ...) and no later rule is examined; if no rule matches, the chain's default policy applies.

The order of rules therefore matters: a DROP placed before an ACCEPT for the same traffic blocks it, and an ACCEPT for established connections must come before any catch-all DROP or the administrator's own session is cut off.

4.5 Using iptables

(1) iptables [-t table] command [chain] [match conditions] [-j target]

The options are case-sensitive (-P is not -p, -D is not -d, -I is not -i):

-P chain ACCEPT|DROP    set the chain's default policy, e.g. iptables -P INPUT DROP
-F [chain]              flush (empty) the rule chain
-L [chain]              list the rules
-A chain                append a new rule at the end of the chain
-I chain [num]          insert a new rule at the head of the chain, or at position num
-D chain num            delete rule number num
-s address[/mask]       match the source address; a leading "!" matches everything except that address
-d address[/mask]       match the destination address
-i interface            match packets arriving on that NIC
-o interface            match packets leaving through that NIC
-p protocol             match the protocol, e.g. tcp, udp, icmp
--dport num             match the destination port (requires -p tcp or -p udp)
--sport num             match the source port

(2) Default policy

iptables [-t table] -P INPUT|OUTPUT|FORWARD ACCEPT|DROP

(3) Filtering by network and network interface

iptables [-t table] -A|-I chain [-i|-o interface] [-p tcp|udp|icmp] [-s source network] [-d destination network] -j ACCEPT|DROP

(4) Filtering TCP and UDP ports

iptables [-t table] -A|-I chain [-i|-o interface] -p tcp|udp [-s source network] [--sport port range] [-d destination network] [--dport port range] -j ACCEPT|DROP

A port range is written low:high, for example --dport 1024:65535.
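An added example, not from the original article, that puts sections 1.2, 4.4 and 4.5 together: a lockout-safe INPUT chain built with the options above, in the order that the evaluation rules of 4.4 require. The admin network 192.168.0.0/24, the SSH port 22 and the DRY_RUN/IPT variables are assumptions of the example. With DRY_RUN=1 (the default here) the script only prints the iptables commands, so it can be reviewed on any host; run it with DRY_RUN=0 as root to apply it.

```shell
#!/bin/sh
# Added example, not from the original article: build a host firewall on the
# INPUT chain in an order that never locks out the SSH session running it.
# DRY_RUN=1 prints the commands; DRY_RUN=0 executes them (needs root).

DRY_RUN=${DRY_RUN:-1}
IPT=${IPT:-iptables}
ADMIN_NET=192.168.0.0/24    # assumed administration network
SSH_PORT=22                 # assumed sshd port

# run: print or execute one iptables command depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_input_chain() {
    # 1. Start from a known state. -F empties the chain but leaves the
    #    policy (still ACCEPT at this point), so nothing is cut off yet.
    run "$IPT" -F INPUT
    # 2. Loopback: local services talk to each other over lo.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    # 3. Replies to connections that already exist. This must precede every
    #    DROP rule and the DROP policy, otherwise the SSH session used to run
    #    this script dies as soon as the policy flips (section 4.4).
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. New SSH connections only from the admin network.
    run "$IPT" -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # 5. Refuse ping (ICMP echo-request, type 8) from anywhere (section 1.2).
    run "$IPT" -A INPUT -p icmp --icmp-type 8 -j DROP
    # 6. Everything that matched no rule hits the policy. Setting DROP last
    #    means the ACCEPT rules are already in place when it takes effect.
    run "$IPT" -P INPUT DROP
}

# rule_index PATTERN: 1-based position of the first generated command
# matching PATTERN; lets the ordering above be checked mechanically.
rule_index() {
    ( DRY_RUN=1; build_input_chain ) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

build_input_chain
```

On RHEL-style systems the running rules are persisted with iptables-save > /etc/sysconfig/iptables, which is what the iptables init script reloads at boot; without that step a reboot restores the empty ACCEPT-all configuration.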

  
