Linux Server Security (2nd Edition( [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Linux Server Security (2nd Edition( [Electronic resources] - نسخه متنی

Michael D. Bauer

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Section 6.1. DNS Basics

Section 6.2. DNS Security Principles

Section 6.3. Selecting a DNS Software Package

Section 6.4. Securing BIND

Section 6.5. djbdns

Section 6.6. Resources

Chapter 7. Using LDAP for Authentication

Section 7.1. LDAP Basics

Section 7.2. Setting Up the Server

Section 7.3. LDAP Database Management

Section 7.4. Conclusions

Section 7.5. Resources

Chapter 8. Database Security

Section 8.1. Types of Security Problems

Section 8.2. Server Location

Section 8.3. Server Installation

Section 8.4. Database Operation

Section 8.5. Resources

Chapter 9. Securing Internet Email

Section 9.1. Background: MTA and SMTP Security

Section 9.2. Using SMTP Commands to Troubleshootand Test SMTP Servers

Section 9.3. Securing Your MTA

Section 9.4. Sendmail

Section 9.5. Postfix

Section 9.6. Mail Delivery Agents

Section 9.7. A Brief Introduction to Email Encryption

Section 9.8. Resources

Chapter 10. Securing Web Servers

Section 10.1. Web Security

Section 10.2. The Web Server

Section 10.3. Web Content

Section 10.4. Web Applications

Section 10.5. Layers of Defense

Section 10.6. Resources

Chapter 11. Securing File Services

Section 11.1. FTP Security

Section 11.2. Other File-Sharing Methods

Section 11.3. Resources

Chapter 12. System Log Management and Monitoring

Section 12.1. syslog

Section 12.2. Syslog-ng

Section 12.3. Testing System Logging with logger

Section 12.4. Managing System Logfiles with logrotate

Section 12.5. Using Swatch for Automated Log Monitoring

Section 12.6. Some Simple Log-Reporting Tools

Section 12.7. Resources

Chapter 13. Simple Intrusion Detection Techniques

Section 13.1. Principles of Intrusion Detection Systems

Section 13.2. Using Tripwire

Section 13.3. Other Integrity Checkers

Section 13.4. Snort

Section 13.5. Resources

Colophon
توضیحات
افزودن یادداشت جدید







6.2. DNS Security Principles


DNS security can be distilled into
two maxims: always run the latest version of your chosen DNS software
package, and never provide unnecessary information or services to
strangers. Put another way, keep current and be stingy!

This translates into a number of specific techniques. The first is to
limit or even disable
recursion,
since recursion is easily abused in DNS attacks such as
cache poisoning. Limiting recursion is
easy to do using configuration-file parameters; disabling recursion
altogether may or may not be possible, depending on the
nameserver's role.

If, for example, the server is an external DNS
server whose sole purpose is to answer queries regarding its
organization's public servers, there is no reason
for it to perform lookups of nonlocal hostnames (which is the very
definition of recursion). On the other hand, if a server provides DNS
resolution to end users on a local area network (LAN), it definitely
needs to recurse queries from local hosts but can probably be
configured to refuse recursion requests, if not all requests, from
nonlocal addresses.

Another way to limit DNS activity is to use split DNS services
(Figure 6-2). Split DNS, an example of the
split services concept I introduced in Chapter 2 in the section "Deciding
What Should Reside on the DMZ," refers to the
practice of maintaining both public and
private databases of each local name domain
(zone). The public-zone database contains as little as possible: it
should have NS
records for publicly accessible nameservers, MX records of external SMTP (email)
gateways, A records (aliases) of
public web servers, and entries pertinent to any other hosts that one
wishes the outside world to know about.


Figure 6-2. Split DNS

The private-zone database may be a superset of the public one, or it
may contain entirely different entries for certain categories or
hosts.

The other aspect to DNS
"stinginess" is the content of zone
files themselves. Even public-zone databases often contain more
information than they need to. Hosts may have needlessly descriptive
names (e.g., you may be telling the wrong people which server does
what), or too granular contact information may be given. Some
organizations even list the names and versions of the hardware and
software of individual systems! Such information is almost invariably
more useful to prospective crackers than to its intended audience.

Maintaining current software and keeping abreast of known DNS
exposures is at least as important as protecting actual DNS data.
Furthermore, it's easier: the latest version of BIND
can always be downloaded for free from djbdns
from http://cr.yp.to. Information
about general DNS security issues and specific BIND and djbdns
vulnerabilities is disseminated via a number of mailing lists and
newsgroups (some of which are listed at the end of this chapter).

There are actually third and fourth maxims for DNS security, but
they're hardly unique to DNS: take the time to
understand and use the security features of your software, and,
similarly, know and use security services provided by your
DNS-registration
provider. Network Solutions and other top-level
domain registrars all offer several change-request security options,
including PGP. Make sure that your provider requires at least email
verification of all change requests for your name domains!


/ 94