Three-layer security access control for CentOS


When a system is used as a public network server it becomes a target for attack, and controlling access to its network services is one of the most important security tasks a server administrator has. The Linux kernel's iptables-based firewall filters unwanted packets before they reach any service. For the services that remain reachable, TCP Wrappers adds a second layer of protection by defining which hosts are, or are not, allowed to connect to a "wrapped" network service. Finally, most classic network services such as SSH, Telnet and FTP can be managed by the xinetd process, the so-called super daemon, which has access control settings of its own. Together these give three layers of protection at the network level.

1. iptables network protection

You can add rules one at a time with the iptables command, or write them to a file and load the file. Edit the file:

vim /etc/iptables.firewall.rules

*filter

# Allow all loopback (lo) traffic and drop all traffic to 127/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls (rate-limited to 5 log lines per minute)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Load the rules so they take effect:

iptables-restore < /etc/iptables.firewall.rules

These rules allow the following services and ports: HTTP (80), HTTPS (443), SSH (22) and ping. All other inbound traffic is logged (rate-limited) and then dropped by the final INPUT rule.
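To see how first-match evaluation decides a packet's fate under the chain above, here is an added Python model (not part of the original article) that walks the INPUT rules for a few constructed packets; the rate limit on the LOG rule is ignored, and the packets are made up for illustration.

```python
"""First-match walk through the INPUT chain above for a few constructed packets."""
from ipaddress import ip_address, ip_network

# Constructed transcription of the page's INPUT rules, in order: (match, target).
# A match is a set of packet fields that must all hold for the rule to fire.
INPUT_RULES = [
    ({"iif": "lo"}, "ACCEPT"),
    ({"dst_net": "127.0.0.0/8"}, "REJECT"),
    ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"proto": "tcp", "dport": 443}, "ACCEPT"),
    ({"proto": "tcp", "state": {"NEW"}, "dport": 22}, "ACCEPT"),
    ({"proto": "icmp"}, "ACCEPT"),
    ({}, "LOG"),      # -m limit is ignored in this model: every miss is logged
    ({}, "DROP"),
]

def _matches(match, pkt):
    for key, want in match.items():
        if key == "dst_net":
            if ip_address(pkt["dst"]) not in ip_network(want):
                return False
        elif key == "state":
            if pkt.get("state") not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(pkt, rules=INPUT_RULES):
    """Return (verdict, logged): the first terminating target and whether LOG fired."""
    logged = False
    for match, target in rules:
        if _matches(match, pkt):
            if target == "LOG":       # LOG is non-terminating; keep walking the chain
                logged = True
                continue
            return target, logged
    return "ACCEPT", logged           # fell off the chain: built-in policy, ACCEPT by default

def packet(**fields):
    """Constructed packet with defaults for a new inbound TCP packet on eth0."""
    base = {"iif": "eth0", "dst": "203.0.113.10", "proto": "tcp", "state": "NEW"}
    base.update(fields)
    return base
```

On the server itself, `iptables -L INPUT -n -v --line-numbers` lists the loaded chain in the same order together with the packet counters each rule has matched.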

2. TCP Wrappers access control

TCP Wrappers (also known as tcpd) is a network resource access controller that works at the TCP layer, so in general it can only control services that run over TCP. It is implemented as a library, libwrap, that a daemon links against; the check runs in user space when the client's request arrives, before the service itself handles it.

Client -> iptables -> TCP Wrappers -> the service's own access control

Once a client IP address has passed the iptables firewall and wants to reach a service protected by TCP Wrappers, the following steps are taken:

1. The system first checks /etc/hosts.allow; if the client matches an entry there, access is granted.

2. Otherwise it checks /etc/hosts.deny; if the client matches an entry there, access is refused.

3. If neither file matches, access is allowed.

In practice the usual approach is to list the permitted addresses in /etc/hosts.allow and to deny everyone else in /etc/hosts.deny.

To check whether a service is controlled by TCP Wrappers, for example telnet:

# ldd `which in.telnetd` | grep libwrap.so

Some programs are linked statically against the library at compile time; for those, use:

# strings `which in.telnetd` | grep hosts

To control access, edit /etc/hosts.allow and /etc/hosts.deny. Each line has the form daemon: client list.

For example, to let telnet accept connections from the 192.168.1. network segment except host 192.168.1.100:

in.telnetd: 192.168.1. EXCEPT 192.168.1.100

Access can also be logged by running a command when a rule matches; this entry appends a timestamp to a log file:

in.telnetd: 192.168.1.: spawn echo "connect `date`" >> /var/log/tcpwrapper.log

Remember the order in which the rules are evaluated:

/etc/hosts.allow -> /etc/hosts.deny -> default rule (allow)
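The lookup order above, as an added Python model that is not part of the original article: it evaluates constructed hosts.allow and hosts.deny contents built around the telnet example, and supports a subset of the hosts_access(5) client patterns (ALL, exact address, dotted prefix, net/mask and EXCEPT); hostnames and LOCAL are not handled.

```python
"""Lookup order of TCP Wrappers: /etc/hosts.allow, then /etc/hosts.deny, then allow."""
from ipaddress import ip_address, ip_network

# Constructed file contents based on the telnet example in the text.
HOSTS_ALLOW = """
in.telnetd: 192.168.1. EXCEPT 192.168.1.100
sshd: 10.0.0.0/255.0.0.0
"""
HOSTS_DENY = "ALL: ALL\n"   # deny everything hosts.allow did not match

def _parse(text):
    """Return [(daemon_names, client_field)] for each 'daemons : clients [: cmd]' line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]    # a 3rd field (spawn ...) is ignored
        rules.append(([d.strip() for d in daemons.split(",")], clients.strip()))
    return rules

def _pattern_matches(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                        # 192.168.1. matches 192.168.1.x
        return client.startswith(pattern)
    if "/" in pattern:                               # net/mask form
        return ip_address(client) in ip_network(pattern, strict=False)
    return client == pattern

def _list_matches(field, client):
    """'A EXCEPT B' matches when A matches and B does not (B may itself contain EXCEPT)."""
    if " EXCEPT " in field:
        left, right = field.split(" EXCEPT ", 1)
        return _list_matches(left, client) and not _list_matches(right, client)
    return any(_pattern_matches(p, client) for p in field.replace(",", " ").split())

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' for a client address connecting to a wrapped daemon."""
    for names, clients in _parse(allow):             # 1. first match in hosts.allow grants
        if (daemon in names or "ALL" in names) and _list_matches(clients, client):
            return "allow"
    for names, clients in _parse(deny):              # 2. first match in hosts.deny refuses
        if (daemon in names or "ALL" in names) and _list_matches(clients, client):
            return "deny"
    return "allow"                                   # 3. no match anywhere: access granted
```

Calling hosts_access with an empty deny file shows why the ALL: ALL entry matters: an address outside 192.168.1. is then allowed by the default rule.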

3. xinetd super daemon access control

Linux has two kinds of server services: standalone daemons and transient (on-demand) daemons.

A standalone daemon manages itself, is not subject to the restrictions of another process, and responds quickly; httpd is an example.

A transient daemon, also called a non-standalone daemon, is started only when a request arrives and does not stay running otherwise, which saves resources; the services started by xinetd are examples.

When a client tries to connect to a network service controlled by xinetd, the super daemon receives the request and checks the TCP Wrappers and xinetd access control rules before starting the service.

Two configuration files are involved. Using telnet as the example:

/etc/xinetd.conf - global configuration file

defaults
{
        # maximum number of concurrent requests xinetd will handle
        instances       = 60
        # log through syslog, facility authpriv
        log_type        = SYSLOG authpriv
        # on a successful connection record the client host and the server's pid
        log_on_success  = HOST PID
        # on a failed connection record the client host
        log_on_failure  = HOST
        # any service may accept 25 connections per second; above that
        # the service is disabled for 30 seconds
        cps             = 25 30
}

includedir /etc/xinetd.d

/etc/xinetd.d/telnet - the per-service configuration file

service telnet
{
        # no = the service is enabled
        disable         = no
        # set SO_REUSEADDR on the listening socket
        flags           = REUSE
        socket_type     = stream
        # no = a new server process per connection (multithreaded);
        # yes = single-threaded, one connection at a time
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        # only clients in 172.16.0.0/16 may connect ...
        only_from       = 172.16.0.0/16
        # ... except the 172.16.45.0/24 block
        no_access       = 172.16.45.0/24
        # additionally record the client's user id (via identd) on failure
        log_on_failure  += USERID
        # additionally record pid, host and exit status on success
        log_on_success  += PID HOST EXIT
        # time-of-day window in which connections are accepted (format hh:mm-hh:mm)
        access_times    = -
        # listen only on the local address 172.16.100.1
        bind            = 172.16.100.1
        # at most one simultaneous connection per source address
        per_source      = 1
        # per-service rate limit: 10 connections per second, then disabled for
        # 60 seconds; tighter than the global default above
        cps             = 10 60
        # file whose contents are shown to the client before the service starts
        banner          = /etc/telnet.banner
}
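The only_from / no_access and cps settings from the service block above, as an added Python model that is not xinetd's own code: when an address falls in both lists the more specific (longer prefix) entry decides, as xinetd.conf(5) describes, and the CpsLimiter is a simplified one-second-window model of the cps attribute rather than xinetd's exact accounting.

```python
"""xinetd access decision for the telnet service above: only_from, no_access, cps."""
from ipaddress import ip_address, ip_network

# Constructed from the service block in the text.
ONLY_FROM = ["172.16.0.0/16"]
NO_ACCESS = ["172.16.45.0/24"]

def _longest_match(client, nets):
    """Prefix length of the most specific network containing client, or -1 if none."""
    addr = ip_address(client)
    lengths = [ip_network(n).prefixlen for n in nets if addr in ip_network(n)]
    return max(lengths, default=-1)

def xinetd_access(client, only_from=ONLY_FROM, no_access=NO_ACCESS):
    """Return 'allow' or 'deny'; the more specific of an overlapping
    only_from / no_access entry wins."""
    allow_len = _longest_match(client, only_from)
    deny_len = _longest_match(client, no_access)
    if only_from and allow_len < 0:
        return "deny"                  # only_from is set and the client is outside it
    if deny_len > allow_len:
        return "deny"                  # the no_access entry is the more specific match
    return "allow"

class CpsLimiter:
    """Model of 'cps = rate wait': more than `rate` connections within one
    second disables the service for `wait` seconds (simplified accounting)."""
    def __init__(self, rate, wait):
        self.rate, self.wait = rate, wait
        self.window_start, self.count, self.disabled_until = None, 0, 0.0

    def admit(self, now):
        """True if a connection arriving at time `now` (seconds) is accepted."""
        if now < self.disabled_until:
            return False
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start, self.count = now, 0
        self.count += 1
        if self.count > self.rate:
            self.disabled_until = now + self.wait   # trip the limiter
            return False
        return True
```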

Combining the firewall, TCP Wrappers and xinetd access filtering with the SELinux security mechanism and ordinary file permissions greatly improves the security of a Linux system.
