Linux Network Administratoramp;#039;s Guide (3rd Edition) [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Linux Network Administratoramp;#039;s Guide (3rd Edition) [Electronic resources] - نسخه متنی

Tony Bautts, Terry Dawson, Gregor N. Purdy

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Section 9.5. More About Network Address Translation

Chapter 10. Important Network Features

Section 10.1. The inetd Super Server

Section 10.2. The tcpd Access Control Facility

Section 10.3. The xinetd Alternative

Section 10.4. The Services and Protocols Files

Section 10.5. Remote Procedure Call

Section 10.6. Configuring Remote Login and Execution

Chapter 11. Administration Issues with Electronic Mail

Section 11.1. What Is a Mail Message?

Section 11.2. How Is Mail Delivered?

Section 11.3. Email Addresses

Section 11.4. How Does Mail Routing Work?

Section 11.5. Mail Routing on the Internet

Chapter 12. sendmail

Section 12.1. Installing the sendmail Distribution

Section 12.2. sendmail Configuration Files

Section 12.3. sendmail.cf Configuration Language

Section 12.4. Creating a sendmail Configuration

Section 12.5. sendmail Databases

Section 12.6. Testing Your Configuration

Section 12.7. Running sendmail

Section 12.8. Tips and Tricks

Section 12.9. More Information

Chapter 13. Configuring IPv6 Networks

Section 13.1. The IPv4 Problem and Patchwork Solutions

Section 13.2. IPv6 as a Solution

Chapter 14. Configuring the Apache Web Server

Section 14.1. Apache HTTPD ServerAn Introduction

Section 14.2. Configuring and Building Apache

Section 14.3. Configuration File Options

Section 14.4. VirtualHost Configuration Options

Section 14.5. Apache and OpenSSL

Section 14.6. Troubleshooting

Chapter 15. IMAP

Section 15.1. IMAPAn Introduction

Section 15.2. Cyrus IMAP

Chapter 16. Samba

Section 16.1. SambaAn Introduction

Chapter 17. OpenLDAP

Section 17.1. Understanding LDAP

Section 17.2. Obtaining OpenLDAP

Chapter 18. Wireless Networking

Section 18.1. History

Section 18.2. The Standards

Section 18.3. 802.11b Security Concerns

Appendix A. Example Network: The Virtual Brewery

Section A.1. Connecting the Virtual Subsidiary Network

Colophon

Index

SYMBOL

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Y

Z
توضیحات
افزودن یادداشت جدید







10.2. The tcpd Access Control Facility








Since opening a computer to network
access involves many security risks, applications are designed to
guard against several types of attacks. Some security features,
however, may be flawed (most drastically demonstrated by the RTM
Internet worm, which exploited a hole in a number of programs,
including old versions of the sendmail mail
daemon), or do not distinguish between secure hosts from which
requests for a particular service will be accepted and insecure hosts
whose requests should be rejected. We've already
briefly discussed the finger and
tftp services. A network administrator would
want to limit access to these services to "trusted
hosts" only, which is impossible with the usual
setup, for which inetd provides this service
either to all clients or not at all.

A
useful tool for managing host-specific access is
tcpd, often called the daemon
"wrapper." For TCP services you
want to monitor or protect, it is invoked instead of the server
program. tcpd checks whether the remote host is
allowed to use that service, and only if this succeeds will it
execute the real server program. tcpd also logs
the request to the syslog daemon. Note that this does not work with
UDP-based services.

For
example, to wrap the finger daemon, you have to
change the corresponding line in inetd.conf from
this:

# unwrapped finger daemon
finger    stream tcp nowait bin    /usr/sbin/fingerd in.fingerd

to this:

# wrap finger daemon
finger  stream  tcp     nowait  root    /usr/sbin/tcpd   in.fingerd

Without
adding any access control, this will appear to the client as the
usual finger setup, except that any requests are logged to
syslog's auth facility.


Two files
called .allow and
.deny implement access control. They
contain entries that allow and deny access to certain services and
hosts. When tcpd handles a request for a service
such as finger from a client host named
biff.foobar.com, it scans
hosts.allow and hosts.deny
(in this order) for an entry matching both the service and client
host. If a matching entry is found in
hosts.allow, access is granted and tcpd
doesn't consult the hosts.deny
file. If no match is found in the hosts.allow
file, but a match is found in hosts.deny, the
request is rejected by closing down the connection. The request is
accepted if no match is found at all.

Entries in the access files look like this:

servicelist: hostlist [:shellcmd]

servicelist
is a list of service names from /etc/services,
or the keyword ALL. To match all services except
finger and tftp, use
ALL EXCEPT
finger, tftp.

hostlist



is
a list of hostnames, IP addresses, or the keywords
ALL, LOCAL,
UNKNOWN, or PARANOID.
ALL matches any host, while
LOCAL matches hostnames that
don't contain a dot.[1] UNKNOWN matches any hosts whose name
or address lookup failed. PARANOID matches any
host whose hostname does not resolve back to its IP
address.[2] A
name starting with a dot matches all hosts whose domain is equal to
this name. For example, .foobar.com
matches biff.foobar.com, but not
nurks.fredsville.com. A pattern that
ends with a dot matches any host whose IP address begins with the
supplied pattern, so 172.16. matches
172.16.32.0, but not 172.15.9.1. A pattern of the form
n.n.n.n/m.m.m.m
is treated as an IP address and network mask, so we could specify our
previous example as 172.16.0.0/255.255.0.0 instead. Lastly, any
pattern beginning with a "/"
character allows you to specify a file that is presumed to contain a
list of hostname or IP address patterns, any of which are allowed to
match. So a pattern that looked like
/var/access/trustedhosts would cause the
tcpd daemon to read that file, testing if any of
the lines in it matched the connecting
host.

[1] Usually only
local hostnames obtained from lookups in [2] While its name suggests it is an extreme
measure, the PARANOID keyword is a good default,
as it protects you against mailicious hosts pretending to be someone
they are not. Not all tcpd are supplied with
PARANOID compiled in; if yours is not, you need to
recompile tcpd to use it.


To deny access to the
finger and tftp services to
all but the local hosts, put the following in
.deny and leave
.allow empty:

in.tftpd, in.fingerd: ALL EXCEPT LOCAL, .your.domain

The optional
shellcmd field may contain a shell command
to be invoked when the entry is matched. This is useful to set up
traps that may expose potential attackers. The following example
creates a logfile listing the user and host connecting, and if the
host is not vlager.vbrew.com, it
will append the output of a finger to that host:

in.ftpd: ALL EXCEPT LOCAL, .vbrew.com : echo "request from %d@%h: >> /var/log/finger.log; if [ %h != "vlager.vbrew.com:" ]; then \ 
finger -l @%h >> /var/log/finger.log fi

The %h and
%d arguments are expanded by
tcpd to the client hostname and service name,
respectively. Please refer to the
hosts_access(5) manpage for details.


/ 121