
NETWORK CONSOLIDATION 2020-2021

a. TCP Wrappers (the tcpd program) is a network security tool whose two main functions are to log connections made to inetd services and to restrict which remote hosts may connect to which services on the wrapped machine, according to the rules in /etc/hosts.allow and /etc/hosts.deny.

b. tcpd can only wrap programs that inetd starts, because inetd launches tcpd in place of the server and tcpd execs the real server only after checking the rules. Standalone daemons such as sshd, apache and sendmail are therefore not covered by the tcpd wrapper itself; a daemon of that kind honours hosts.allow and hosts.deny only if it was built against the libwrap library, as some sshd and sendmail builds have been (apache has not).
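The access decision that tcpd makes for an inetd-spawned service, as an added example in Python (not code from the original notes or from the tcp_wrappers package): it re-implements the hosts.allow / hosts.deny evaluation order from hosts_access(5) over constructed rule text, so the rules, daemon names, hostnames and addresses below are assumptions made for the example.

```python
"""Model of the TCP Wrappers (tcpd) access decision for inetd-spawned services.

Added example, not code from the original notes or from the tcp_wrappers
package: it re-implements the evaluation order documented in hosts_access(5)
over constructed rule text so the logic can be run and checked offline. Only
the common client patterns are modelled (ALL, LOCAL, exact host or address,
'.domain' suffix, '192.168.1.' prefix, 'net/mask' and EXCEPT); option fields
such as spawn commands are skipped, never executed."""
import ipaddress

# Constructed rule text standing in for /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = """
# daemon list : client list [: options]
in.telnetd in.ftpd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.99
in.fingerd         : LOCAL .example.com
"""
HOSTS_DENY = """
# Refuse everything that hosts.allow did not explicitly grant.
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens)] for each non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(":")           # daemons : clients [: options]
        if len(fields) >= 2:
            rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern the way hosts_access(5) describes it."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # any name without a dot (local domain)
        return "." not in host
    if pattern.startswith("."):            # '.example.com' matches its subdomains
        return host.endswith(pattern)
    if pattern.endswith("."):              # '192.168.1.' matches that address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                     # 'net/mask' or 'net/prefixlen'
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)


def list_matches(tokens, matches):
    """Evaluate 'a b EXCEPT c d': one of a, b matches and none of c, d does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], matches) and not list_matches(tokens[i + 1:], matches)
    return any(matches(t) for t in tokens)


def hosts_access(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if tcpd would let `daemon` serve the client known as (host, addr).

    Order, as in hosts_access(5): the first match in hosts.allow grants; else
    the first match in hosts.deny refuses; else access is GRANTED. That final
    default is why an empty hosts.deny leaves every wrapped service open.
    """
    def daemon_ok(token):                  # ALL or the server's process name
        return token in ("ALL", daemon)

    def client_ok(token):
        return client_matches(token, host, addr)

    for daemons, clients in parse_rules(allow_text):
        if list_matches(daemons, daemon_ok) and list_matches(clients, client_ok):
            return True
    for daemons, clients in parse_rules(deny_text):
        if list_matches(daemons, daemon_ok) and list_matches(clients, client_ok):
            return False
    return True


if __name__ == "__main__":
    for d, h, a in [("in.telnetd", "ws12", "192.168.1.12"),
                    ("in.telnetd", "ws99", "192.168.1.99"),
                    ("in.fingerd", "dev.example.com", "10.2.3.4"),
                    ("in.rshd", "ws12", "192.168.1.12")]:
        print(f"{d:11} {h:16} {a:13} -> {'ALLOW' if hosts_access(d, h, a) else 'DENY'}")
```

The point to take from it is the third step: when neither file matches, access is granted, so a hosts.deny without a final ALL : ALL line protects nothing that hosts.allow forgot to mention. Calling hosts_access for in.rshd with deny_text="" shows the same request flipping from DENY to ALLOW.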

2. ipchains

a. ipchains is the administration tool for the IP firewall built into Linux 2.2 kernels. Using ipchains enables you to run a personal firewall to protect your Linux machine. It was superseded by iptables in Linux 2.4 and later by nftables, so on a current system expect one of those tools instead; the ideas below carry over.

b. If the Linux machine is the routing gateway for other machines on your network and has more than one network interface, it can also act as a packet-filtering network firewall for them.

www.myitweb.weebly.com

Configuring the xinetd Server

What is the xinetd Server?

1. xinetd starts at boot time and then listens on the ports assigned to each of its services in their configuration files; the server program for a service is only started when a connection for it arrives.

2. One notable improvement of xinetd over inetd is that xinetd can be run by an unprivileged user to manage services on unprivileged ports, whereas with inetd only root can start a network service.

3. xinetd can add encryption to plaintext services such as the ftp command channel by wrapping them in stunnel.

4. xinetd also lets you apply access control to every service based on criteria such as the remote host's address, the time of access, the remote hostname and the remote host's domain.

5. As an extra security step, xinetd kills the servers of services that are no longer in its configuration file when it is reconfigured, and it refuses connections that violate the configuration's access criteria, logging the attempt.

Configuration of xinetd Server:

1. The xinetd.conf file is easier to read through and customize than inetd's single configuration file: the main file holds the defaults, and every file in the /etc/xinetd.d directory is read into the configuration as well.

2. Each service started by xinetd gets its own dedicated file in the /etc/xinetd.d directory.

3. This way you can tell at a glance at the /etc/xinetd.d file listing which services are being started by xinetd.

4. xinetd configuration file (/etc/xinetd.conf):

    #
    # Simple configuration file for xinetd
    #
    # Some defaults, and include /etc/xinetd.d/

    defaults
    {
            instances               = 60
            log_type                = SYSLOG authpriv
            log_on_success          = HOST PID
            log_on_failure          = HOST
            cps                     = 25 30
    }

    includedir /etc/xinetd.d

Comparing xinetd and Standalone

1. Which services are stand-alone, and which are started from inetd or xinetd? Sometimes it can get confusing keeping track of how to start a certain service, or keep it from running in the first place.

2. In order to control a service, you need to know what spawns it.

3. inetd/xinetd services are spawned by inetd or, on newer systems, by xinetd. Each of these services should have its own file in the /etc/xinetd.d directory, so that is where you look to enable or disable them (the disable attribute in a service's file turns it off).

4. Example of an xinetd service:

rlogin — service similar to telnet, but enables trust relationships between machines


5. Standalone services are started from the rc scripts written specifically for them in the rc directories (/etc/rc.d/init.d and the runlevel directories on the systems these notes describe), and you enable or disable them there. On a systemd-based distribution the equivalent control is the service's unit file, managed with systemctl.

6. Examples of standalone services:

apache — Web server

sshd — ssh server
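To put the two preceding sections together (the layout of xinetd.conf and /etc/xinetd.d, and the question of which services xinetd actually starts), here is an added example in Python; it is not code from the original notes or from the xinetd project. It parses a constructed configuration (the paths and stanza contents are made up for the example) and reports every enabled service, flagging the plaintext protocols discussed later in these notes and any service that has no only_from or no_access restriction in either its own stanza or the defaults.

```python
"""Audit of which services an xinetd configuration will actually start.

Added example, not code from the original notes or from the xinetd project.
It reads a constructed /etc/xinetd.conf plus the /etc/xinetd.d files it
includes (an in-memory dict stands in for the filesystem), lists every
enabled service, and flags the plaintext ones named in these notes and any
service with no only_from/no_access restriction. All paths and stanzas are
constructed."""
import re

# Plaintext services from the notes and the ports they conventionally use
# (xinetd calls rlogin 'login' and rsh 'shell', after /etc/services).
PLAINTEXT_SERVICES = {"telnet": 23, "ftp": 21, "login": 513, "shell": 514,
                      "finger": 79, "rsync": 873}

XINETD_FILES = {
    "/etc/xinetd.conf": """defaults
{
        log_type       = SYSLOG authpriv
        log_on_failure = HOST
}
includedir /etc/xinetd.d
""",
    "/etc/xinetd.d/telnet": """service telnet
{
        server         = /usr/sbin/in.telnetd
        log_on_failure += USERID
        disable        = no
}
""",
    "/etc/xinetd.d/finger": """service finger
{
        server         = /usr/sbin/in.fingerd
        only_from      = 192.168.1.0/24
        disable        = no
}
""",
    "/etc/xinetd.d/rsync": """service rsync
{
        server         = /usr/bin/rsync
        server_args    = --daemon
        disable        = yes
}
""",
    # xinetd ignores includedir entries whose name contains a dot or ends in
    # '~', so this stale backup is never loaded even though 'ls' shows it.
    "/etc/xinetd.d/rlogin.rpmsave": """service login
{
        server         = /usr/sbin/in.rlogind
        disable        = no
}
""",
}


def parse_xinetd(files, main="/etc/xinetd.conf"):
    """Return {service: {attribute: [values]}}; the defaults stanza is '_defaults'."""
    services = {}

    def load(text):
        block = None
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or line in ("{", "}"):
                continue
            if line.startswith("includedir "):
                directory = line.split(None, 1)[1].rstrip("/")
                for path in sorted(files):
                    folder, _, name = path.rpartition("/")
                    if folder == directory and "." not in name and not name.endswith("~"):
                        load(files[path])
            elif line == "defaults":
                block = services.setdefault("_defaults", {})
            elif line.startswith("service "):
                block = services.setdefault(line.split(None, 1)[1], {})
            elif block is not None:
                m = re.match(r"(\w+)\s*(\+=|-=|=)\s*(.*)$", line)
                if m:  # =, += and -= as xinetd.conf(5) defines them, per stanza
                    key, op, values = m.group(1), m.group(2), m.group(3).split()
                    old = block.get(key, [])
                    block[key] = (values if op == "=" else old + values if op == "+="
                                  else [v for v in old if v not in values])

    load(files[main])
    return services


def audit(services):
    """Enabled services, flagging plaintext protocols and unrestricted access."""
    defaults = services.get("_defaults", {})
    findings = []
    for name, attrs in services.items():
        if name == "_defaults" or (attrs.get("disable") or ["no"])[0].lower() == "yes":
            continue
        restricted = any(k in attrs or k in defaults for k in ("only_from", "no_access"))
        findings.append({"service": name, "server": (attrs.get("server") or ["(internal)"])[0],
                         "plaintext": name in PLAINTEXT_SERVICES,
                         "port": PLAINTEXT_SERVICES.get(name), "unrestricted": not restricted})
    return sorted(findings, key=lambda f: f["service"])
```

Run it with audit(parse_xinetd(XINETD_FILES)); on a real host you would build the files dict by reading /etc/xinetd.conf and the contents of /etc/xinetd.d. Two details are worth noticing: the rlogin.rpmsave file is skipped because xinetd ignores includedir entries whose names contain a dot or end in a tilde, so a stale backup does not silently re-enable rlogin, and a service only counts as restricted here if xinetd itself limits its clients; tcpd or a packet filter may still stand in front of it.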

Note:

Stunnel is an open-source, multi-platform program that provides a general-purpose TLS/SSL tunnelling service, so that a plaintext client and server can talk over an encrypted connection without being modified themselves.

TLS/SSL: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.


Less Secure Services

 These are insecure services that should not be used, because they assume the network itself is completely trustworthy. Their secure equivalents should be used instead.

 Using these services should be discouraged, because all of their traffic is sent over the network in plain text. This means that anyone with a common sniffer such as tcpdump on the network path can see every keystroke typed in the session, including your users' passwords.

 Some of these services are:

1) telnet

i) telnet is a protocol and application that gives a user access to a virtual terminal on a remote host. It resembles text-based console access on a Unix machine.

ii) All telnet traffic, including passwords, is sent in plain text, so the Secure Shell (ssh) command should be used instead wherever possible: ssh provides an equivalent interface to telnet with more features and, most importantly, encrypted traffic and passwords.

iii) Example:

    [terry@terry ~]$ telnet xena
    Trying 127.0.0.1...
    Connected to xena
    Welcome
    login:

2) ftp

i) ftp is a ubiquitous (present everywhere) file transfer protocol that runs over ports 20 (data) and 21 (control). For transferring software packages from anonymous ftp repositories, such as ftp.redhat.com, ftp is still the standard application to use; even then, verify what you download against the vendor's published signatures or checksums, because ftp provides no integrity protection of its own.

ii) For personal file transfers, however, you should use scp (or sftp), which run over ssh and encrypt the traffic, including passwords.

iii) Once you have successfully logged on to an ftp server, you can type help for a list of available commands. Two important commands to remember are put, to move a file from your machine to the remote machine, and get, to pull a file from the remote server to your machine. To send multiple files use mput, and to retrieve multiple files use mget. ls or dir give you a listing of the files available for download on the remote side.

3) rsync

i) rsync is an unencrypted file transfer program similar to rcp.

ii) It adds the ability to transfer only the differences between two sets of files on two machines across the network.

iii) Because the native rsync protocol sends traffic unencrypted, run it over ssh as its transport (rsync's -e ssh option, which current versions use by default) rather than against a stand-alone rsync daemon. Otherwise don't use it. The rsync daemon listens on port 873.

4) rlogin

i) rlogin is a remote login program that connects your terminal to a terminal on a remote machine.

ii) rlogin is an insecure protocol: it sends all information, including passwords, in plain text, and the host trust relationships it supports (~/.rhosts and /etc/hosts.equiv) rest on the client's claimed username and source address, both of which an attacker can forge.

5) rsh

i) rsh is an unencrypted mechanism to execute commands on remote hosts.


ii) Normally you specify a command to be run on the remote host on rsh’s command line, but if no command is given, you are logged into the remote host using rlogin.

iii) rsh's syntax:

    rsh remotehostname remotecommand

6) finger

i) finger lets users on one system look up information about users on another system.

ii) Generally finger displays a user's login name, real name, terminal name, idle time, login time, office location, and phone number.

iii) You should block finger from outside your local network, or disable it entirely, because the information it gives away (valid login names, who is idle or away, contact details) helps an attacker target the system. The finger daemon listens on port 79.
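To make concrete the warning above that a sniffer sees every keystroke, passwords included, here is an added example in Python (not code from the original notes or from tcpdump): it reassembles what an observer on the network path recovers from the telnet, ftp and rsh exchanges described in this section. The packet capture is constructed for the example; a real one would come from tcpdump or a pcap library, and the telnet session mirrors the login: prompt shown earlier.

```python
"""What a sniffer recovers from the plaintext services described above.

Added example, not code from the original notes or from tcpdump. It
reassembles credentials from a constructed capture of telnet, ftp and rsh
traffic: (src_port, dst_port, payload) tuples in arrival order, one flow per
protocol, with the server port identifying the protocol. The byte strings
are made up; a real capture would come from tcpdump -X or a pcap reader."""

IAC, SB, SE = 255, 250, 240            # telnet command bytes (RFC 854)

# Constructed capture: telnet sends keystrokes one or a few per segment and
# the server echoes the login name but not the password.
CAPTURE = [
    (23, 51000, b"\xff\xfd\x18\xff\xfd\x20Welcome\r\nlogin: "),  # IAC DO <opt> x2
    (51000, 23, b"\xff\xfb\x18\xff\xfa\x18\x00XTERM\xff\xf0"),      # IAC WILL, IAC SB..SE
    (51000, 23, b"t"), (51000, 23, b"e"), (51000, 23, b"rr"), (51000, 23, b"y\r\n"),
    (23, 51000, b"terry\r\nPassword: "),
    (51000, 23, b"s3"), (51000, 23, b"cret!"), (51000, 23, b"\r\x00"),
    (23, 51000, b"\r\nLast login: Mon Mar 1\r\n$ "),
    (21, 51001, b"220 FTP server ready\r\n"),
    (51001, 21, b"USER terry\r\n"),
    (21, 51001, b"331 Password required for terry\r\n"),
    (51001, 21, b"PASS hunter2\r\n"),
    # rsh sends no password: stderr port, local user, remote user, command
    (51002, 514, b"0\x00terry\x00root\x00ls -l /root\x00"),
]


def strip_telnet_iac(data):
    """Drop telnet option negotiation, keeping only user data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):
            break
        elif data[i + 1] == IAC:            # IAC IAC is an escaped 0xFF data byte
            out.append(IAC); i += 2
        elif data[i + 1] == SB:             # IAC SB ... IAC SE subnegotiation
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 251 <= data[i + 1] <= 254:     # WILL/WONT/DO/DONT <option>
            i += 3
        else:                               # other two-byte commands
            i += 2
    return bytes(out)


def telnet_credentials(packets):
    """Pair the server's login:/Password: prompts with the client's keystrokes."""
    field, buf, creds = None, "", {}
    for src, dst, data in packets:
        text = strip_telnet_iac(data).decode("latin-1")
        if src == 23:                       # server side: remember the last prompt
            low = text.lower()
            field = "password" if "password:" in low else "login" if "login:" in low else field
            continue
        for ch in text:                     # client side: accumulate until CR
            if ch == "\r":
                if field:
                    creds[field] = buf
                buf, field = "", None
            elif ch not in "\n\x00":        # telnet ends lines with CR LF or CR NUL
                buf += ch
    return creds


def ftp_credentials(packets):
    """USER and PASS travel as plain command lines on port 21."""
    creds = {}
    for src, dst, data in packets:
        if dst == 21:
            for line in data.decode("latin-1").split("\r\n"):
                verb, _, arg = line.partition(" ")
                if verb.upper() == "USER":
                    creds["login"] = arg
                elif verb.upper() == "PASS":
                    creds["password"] = arg
    return creds


def rsh_request(packets):
    """rsh's request is NUL-separated fields; identity is asserted, not proven."""
    for src, dst, data in packets:
        if dst == 514:
            stderr_port, local_user, remote_user, command = data.split(b"\x00")[:4]
            return {"local_user": local_user.decode(), "remote_user": remote_user.decode(),
                    "command": command.decode(), "stderr_port": stderr_port.decode()}
    return {}


def extract_credentials(capture=CAPTURE):
    """Split the capture by server port and run each protocol's extractor."""
    flows = {port: [p for p in capture if port in p[:2]] for port in (23, 21, 514)}
    return {"telnet": telnet_credentials(flows[23]),
            "ftp": ftp_credentials(flows[21]),
            "rsh": rsh_request(flows[514])}
```

Telnet's option negotiation (the 0xFF IAC sequences) has to be stripped before the keystrokes read as text, and that is all the obscurity the protocol offers. The rsh request is the more instructive case: there is no password to steal because none is sent; the client simply asserts a local and a remote username, and the server trusts that on the strength of .rhosts and the source address, both of which are under the attacker's control.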
