Getting Started with Linux Network Server Configuration (II)

Source: Internet
Author: User
Tags auth ftp imap wrapper

*/etc/inetd.conf File
As everyone knows, the more ports a server leaves open, the harder it is to keep the system secure and stable. A server that provides a specific service should therefore open only the ports its own services require and shut down everything unrelated to it; for example, a machine acting as a WWW and FTP server should open only ports 80 and 25 and switch off unrelated services such as finger and auth, to reduce the system's exposure.

inetd, also known as the "super server", is a daemon that listens for network requests and, when one arrives, starts the corresponding service process to handle the connection. inetd.conf is inetd's configuration file: it tells inetd which network ports to listen on and which service to start for each port. The first thing to do with a Linux machine in any network environment is to find out which services the server is offering. Services that are not needed should be disabled, preferably uninstalled, so that attackers have less to work with. Look through "/etc/inetd.conf" to see which services inetd offers; disable each unwanted one by commenting out its line (a # at the start of the line), then send a SIGHUP to the inetd process.

First step: change the file's permissions to 600.

[root@deep]# chmod 600 /etc/inetd.conf

Step two: make sure the file's owner is root.

[root@deep]# stat /etc/inetd.conf

Step three: edit "inetd.conf" (vi /etc/inetd.conf) and disable every service you do not need, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. If some of these are useful to you, you need not disable them, but every service you do disable is one less that the system can be attacked through. After the edit, "inetd.conf" looks like this:

# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo     stream  tcp  nowait  root    internal
#echo     dgram   udp  wait    root    internal
#discard  stream  tcp  nowait  root    internal
#discard  dgram   udp  wait    root    internal
#daytime  stream  tcp  nowait  root    internal
#daytime  dgram   udp  wait    root    internal
#chargen  stream  tcp  nowait  root    internal
#chargen  dgram   udp  wait    root    internal
#time     stream  tcp  nowait  root    internal
#time     dgram   udp  wait    root    internal
#
# These are standard services.
#
#ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#exec     stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat   dgram   udp  wait    root    /usr/sbin/tcpd  in.comsat
#talk     dgram   udp  wait    root    /usr/sbin/tcpd  in.talkd
#ntalk    dgram   udp  wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk    stream  tcp  wait    nobody  /usr/sbin/tcpd  in.dtalkd
#
# POP and IMAP mail services et al
#
#pop-2    stream  tcp  nowait  root    /usr/sbin/tcpd  ipop2d
#pop-3    stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
#imap     stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp     stream  tcp  nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers."  Do not uncomment
# this unless you *need* it.
#
#tftp     dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
#bootps   dgram   udp  wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
#finger   stream  tcp  nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger  stream  tcp  nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat   stream  tcp  nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat  stream  tcp  nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
#
# Authentication
#
#auth     stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
#
# End of inetd.conf

Note: after changing "inetd.conf", don't forget to send a SIGHUP to the inetd process (killall -HUP inetd).

[root@deep /root]# killall -HUP inetd

Fourth step: to protect "inetd.conf" further, you can use the chattr command to make the file immutable:

[root@deep]# chattr +i /etc/inetd.conf

This prevents any change to "inetd.conf", accidental or otherwise. A file with the "i" attribute cannot be modified: it cannot be deleted or renamed, no link can be created to it, and no data can be written to it. Only the system administrator can set or clear this attribute. To change inetd.conf later, first clear the immutable flag:

[root@deep]# chattr -i /etc/inetd.conf
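As an added example (not code from the original article), the following POSIX shell functions put steps one to three into checkable form: list the services still enabled in an inetd.conf-style file, verify the 0600 mode and root ownership, and comment out a chosen set of services non-interactively. The function names are mine, and the sample configuration the script writes is constructed for this example; it assumes only sh, grep, awk, sed, find and mktemp.

```shell
#!/bin/sh
# Added example, not from the original article: audit helpers for an
# inetd.conf-style file. Assumes POSIX sh plus grep, awk, sed, find and
# mktemp. The configuration written by make_sample_inetd_conf is a
# constructed sample, not a real system file.

# Print the service name (first field) of every active line, i.e. every
# line that is neither blank nor commented out, one name per line.
inetd_enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF > 0 { print $1 }'
}

# Succeed only when FILE has mode 0600 exactly (-perm 600 is an exact
# match; -prune keeps find from descending if FILE were a directory).
inetd_mode_is_600() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Succeed only when FILE is owned by root.
inetd_owner_is_root() {
    [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]
}

# Write a copy of FILE to stdout in which every service named in the
# remaining arguments is commented out; already-commented lines are kept.
# This is the non-interactive form of step three.
inetd_disable_services() {
    f=$1; shift
    pattern=$(printf '%s|' "$@" | sed 's/|$//')      # e.g. telnet|pop-3
    awk -v pat="^($pattern)\$" \
        '$1 ~ pat && $0 !~ /^[ \t]*#/ { print "#" $0; next } { print }' "$f"
}

# Constructed sample: a stripped-down inetd.conf with three live services.
# Prints the path of the temporary file it creates.
make_sample_inetd_conf() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
# constructed sample inetd.conf for this example
#echo    stream  tcp  nowait  root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#finger  stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
pop-3    stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
EOF
    printf '%s\n' "$tmp"
}

# Usage: sh audit_inetd.sh demo
if [ "${1-}" = demo ]; then
    f=$(make_sample_inetd_conf)
    echo "enabled services:"; inetd_enabled_services "$f"
    inetd_mode_is_600 "$f" && echo "mode ok" || echo "mode is not 0600"
    inetd_owner_is_root "$f" && echo "owner ok" || echo "owner is not root"
    echo "still enabled after disabling telnet and pop-3:"
    inetd_disable_services "$f" telnet pop-3 | grep -v '^#'
    rm -f "$f"
fi
```

Run against the real file as `inetd_enabled_services /etc/inetd.conf` to get the list a review should start from; `inetd_disable_services` writes to stdout on purpose so the result can be inspected before it replaces the original (and before the immutable flag goes back on).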

Services such as sendmail, named and WWW, however, are not like finger or telnet, where inetd starts the corresponding process when a request arrives; they run as standalone daemons started at boot. On Red Hat Linux the linuxconf command lets you set interactively, through a menu interface, whether a given service runs at startup. You can also set this from the command line, for example:

[root@deep]# chkconfig --level <runlevels> named off

where <runlevels> stands for the runlevels to change (the original gives the command without them). See man chkconfig for the full description.
*/etc/hosts.allow File
Shutting down services such as telnet and FTP outright, however, makes remote administration inconvenient. Linux provides another, more flexible and efficient way to restrict who may request a service, so that trusted users can use a range of services on a secure basis: a program called the TCP wrapper. It is installed by default in most distributions. With the TCP wrapper you can restrict access to the services mentioned above, and its log file records every attempt to access your system; by viewing that log with the last command, the administrator can learn who has connected, or tried to connect, to the system.

In the /etc directory there are two files, hosts.deny and hosts.allow. By configuring them you specify which machines may use these services and which may not.

When a service request reaches the server, the TCP wrapper consults the two files in the following order, stopping at the first match:

1. If an entry in /etc/hosts.allow matches the requesting host, the host is allowed to use the service.

2. Otherwise, if an entry in /etc/hosts.deny matches the requesting host, the host is refused the service.

3. If neither file matches, access is granted. A configuration file that does not exist is treated by the access control software as empty, so deleting the files clears all settings. Within a file, blank lines and lines beginning with # are ignored, so a rule can be commented out by putting # at the start of its line.

Both files are written in a simple access control language; an access control statement has the basic form:

list of program names : list of host names/IP addresses

The list of program names gives the name of one or more programs that provide the service, separated by commas or spaces. The program name is the one that appears in inetd.conf: in the file shown earlier, the last item on the telnet line, in.telnetd, is the name you want.

The host name/IP address list identifies one or more hosts that are allowed, or forbidden, to use the service; host names are separated by commas or spaces.

Linux offers the following flexible ways to specify a program or host list:

1. A string beginning with ".", such as .amms.ac.cn, is a domain suffix: www.amms.ac.cn matches this entry.

2. A string ending with ".", such as 202.37.152., is an address prefix: any host whose IP address begins with 202.37.152. matches this entry.

3. The form N.N.N.N/M.M.M.M is a network/netmask pair: if the bitwise AND of the requesting host's IP address and the mask equals N.N.N.N, the host matches.

4. ALL matches every possibility.

5. EXCEPT removes the hosts named after it. For example, list_1 EXCEPT list_2 means the hosts in list_1 with those in list_2 taken out.

6. LOCAL matches every host whose name does not contain a ".".

The above are only some of the forms Linux offers, but they are enough for common use. A few examples illustrate the point:

We want to allow only machines on the same LAN to use the server's FTP service and refuse FTP requests from the WAN. The local LAN consists of three network segments: 202.39.154., 202.39.153. and 202.39.152.

In hosts.deny we forbid all machines from requesting all services:

ALL: ALL

In hosts.allow we allow only the LAN to use FTP (the daemon field is the program name alone, without the -l -a arguments it is given in inetd.conf):

in.ftpd: 202.39.154. 202.39.153. 202.39.152.

Now an FTP request from a machine outside the LAN is rejected, while LAN machines can use FTP. In addition, the log files under /var/log should be checked regularly for login events that threaten system security; the last command is an effective way to review login events and spot problems.
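The following is an added example, not part of the original article and not the tcp_wrappers code itself: a small POSIX shell re-implementation of the six pattern forms and of the hosts.allow-then-hosts.deny lookup order described above, so the LAN-only FTP rule can be tested offline. The function names, the IPv4-only assumption and the sample rule files (which add a telnet rule using a domain suffix with EXCEPT to the article's FTP rule) are mine; real tcpd obtains the client's name and address itself from the socket and DNS, whereas here both are passed in.

```shell
#!/bin/sh
# Added example, not from the original article or the tcp_wrappers sources.
# Assumes POSIX sh, IPv4 only, and a caller that supplies the client's host
# name and dotted-quad address. The rule files are constructed samples.

# Convert a dotted quad to a 32-bit integer (202.39.154.7 -> 3391592967).
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# wrapper_match PATTERN NAME IP: succeed when one pattern matches the client.
wrapper_match() {
    pat=$1; name=$2; ip=$3
    case $pat in
        ALL)   return 0 ;;
        LOCAL) case $name in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot in name
        .*)    case $name in *"$pat") return 0 ;; esac; return 1 ;;    # domain suffix
        */*)   net=${pat%/*}; mask=${pat#*/}                            # net/mask pair
               [ $(( $(ip_to_int "$ip") & $(ip_to_int "$mask") )) -eq "$(ip_to_int "$net")" ] ;;
        *.)    case $ip in "$pat"*) return 0 ;; esac; return 1 ;;      # address prefix
        *)     [ "$pat" = "$name" ] || [ "$pat" = "$ip" ] ;;           # exact name or address
    esac
}

# wrapper_list_match "LIST" NAME IP: succeed when the client matches a
# comma- or space-separated list, honouring one "list_1 EXCEPT list_2".
wrapper_list_match() {
    _list=$(printf '%s' "$1" | tr ',' ' ')
    case " $_list " in
        *" EXCEPT "*)
            _inc=${_list%% EXCEPT *}; _exc=${_list#* EXCEPT }
            if wrapper_list_match "$_exc" "$2" "$3"; then return 1; fi   # excluded wins
            wrapper_list_match "$_inc" "$2" "$3"; return ;;
    esac
    for _p in $_list; do
        wrapper_match "$_p" "$2" "$3" && return 0
    done
    return 1
}

# wrapper_file_match FILE DAEMON NAME IP: succeed when some rule in FILE,
# written "daemon_list : client_list", matches both the daemon and the
# client. A missing file counts as empty, as the article describes.
wrapper_file_match() {
    [ -f "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | (
        while IFS= read -r rule; do
            daemons=${rule%%:*}; clients=${rule#*:}
            if wrapper_list_match "$daemons" "$2" "" &&
               wrapper_list_match "$clients" "$3" "$4"; then
                exit 0      # exits only this subshell
            fi
        done
        exit 1
    )
}

# wrapper_decision ALLOW_FILE DENY_FILE DAEMON NAME IP: print "allow" or
# "deny" using the lookup order above: an allow-file match grants, else a
# deny-file match refuses, else access is granted.
wrapper_decision() {
    if wrapper_file_match "$1" "$3" "$4" "$5"; then echo allow
    elif wrapper_file_match "$2" "$3" "$4" "$5"; then echo deny
    else echo allow
    fi
}

# Constructed sample rule files: the article's LAN-only FTP rule plus a
# telnet rule exercising a domain suffix with EXCEPT. Prints the directory.
make_sample_wrapper_files() {
    dir=$(mktemp -d) || return 1
    printf 'ALL: ALL\n' >"$dir/hosts.deny"
    cat >"$dir/hosts.allow" <<'EOF'
# constructed sample hosts.allow
in.ftpd: 202.39.154. 202.39.153. 202.39.152.
in.telnetd: .amms.ac.cn EXCEPT guest.amms.ac.cn
EOF
    printf '%s\n' "$dir"
}

# Usage: sh wrapper_check.sh demo
if [ "${1-}" = demo ]; then
    d=$(make_sample_wrapper_files)
    for client in "lanbox 202.39.154.7" "outside 10.0.0.7"; do
        set -- $client
        echo "in.ftpd from $1 ($2): $(wrapper_decision "$d/hosts.allow" "$d/hosts.deny" in.ftpd "$1" "$2")"
    done
    rm -rf "$d"
fi
```

The EXCEPT branch checks the excluded list first, so an address that appears on both sides is refused; the LAN example also shows why the trailing dot on 202.39.154. matters, since without it the entry is an exact-address match rather than a prefix. For the real configuration, tcpdchk (below) remains the authoritative check.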

Finally, tcpdchk is the program that checks the tcp_wrappers configuration. It examines the tcp_wrappers setup and reports the problems, actual or potential, that it can find. After all configuration is complete, run tcpdchk:

[root@deep]# tcpdchk