Attackers attempting to connect for a specific service, such as telnet or FTP, via the Internet connection may be blocked from connecting to the service, while internal users may connect to the service via the NIC connected to the internal network.

The redirect option, which accepts an IP address or hostname followed by a port number, tells the service to redirect any requests for this service to the specified location. This feature can be used to point to another port number on the same system, redirect the request to a different IP address on the same machine, shift the request to a totally different system and port number, or any combination of these options. In this way, a user connecting to a certain service on a system may be rerouted to another system with no disruption.

The xinetd daemon is able to accomplish this redirection by spawning a process that stays alive for the duration of the connection between the requesting client machine and the host actually providing the service, transferring data between the two systems.

The real strength of the bind and redirect options can be seen when they are used together. By binding a service to a particular IP address on a system and then redirecting requests for this service to a second machine that only the first machine can see, you can use an internal system to provide services for a totally different network. Alternatively, these options can be used to limit the exposure of a particular service on a multihomed machine to a known IP address, as well as redirect any requests for that service to another machine specially configured for that purpose.

For example, consider a system that is used as a firewall with this setting for its telnet service:

    service telnet
    {
        socket_type     = stream
        wait            = no
        server          = /usr/sbin/in.telnetd
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        bind            = 123.123.123.123
        redirect        = 10.1.13 21 23
    }

The bind and redirect options in this file ensure that the telnet service on the machine is bound to the external IP address (123.123.123.123), the one facing the Internet. In addition, any requests for telnet service sent to 123.123.123.123 will be redirected via a second network adapter to an internal IP address (10.1.13) that only the firewall and internal systems can access. The firewall then passes the communication between the two systems, and the connecting system thinks it is connected to 123.123.123.123 when it is actually connected to a different machine.

Chapter 9. TCP Wrappers and xinetd 133

This feature is particularly useful for users with broadband connections and only one fixed IP address. When using Network Address Translation (NAT), the systems behind the gateway machine, which are using internal-only IP addresses, are not available from outside the gateway system. However, when certain services controlled by xinetd are configured with the bind and redirect options, the gateway machine can act as a type of proxy between outside systems and a particular internal machine configured to provide the service. In addition, the various xinetd access control and logging options are also available for additional protection, such as limiting the number of simultaneous connections for the redirected service.

9.4. Additional Resources

Additional information concerning TCP wrappers and xinetd is available in the system documentation and on the Web.

9.4.1. Installed Documentation

The bundled documentation on your system is a good place to start looking for additional TCP Wrappers, xinetd, and access control configuration options.

- /usr/share/doc/tcp_wrappers-<version>: Contains a README file that discusses how TCP wrappers work and the various hostname and host address spoofing risks that exist.
- /usr/share/doc/xinetd-<version>: Includes a README file that discusses aspects of access control and a sample.conf file with various ideas for modifying /etc/xinetd.d service configurations.
- For detailed information concerning the creation of TCP wrapper access control rules, read the hosts_access(5) and hosts_options(5) man pages.
- The xinetd(8) and xinetd.conf(5) man pages contain additional information for creating xinetd configuration files and a description of how xinetd works.

9.4.2. Useful Websites

- http://www.xinetd.org: The home of xinetd, containing sample configuration files, a full listing of features, and an informative FAQ.
- http://www.macsecurity.org/resources/xinetd/tutorial.shtml: A thorough tutorial that discusses many different ways to tweak default xinetd configuration files to meet specific security goals.

Chapter 10. SSH Protocol

SSH™ allows users to log into host systems remotely. Unlike rlogin or telnet, SSH encrypts the login session, making it impossible for intruders to collect clear-text passwords.

SSH is designed to replace common methods for remotely logging into another system through a command shell. A related program called scp replaces older programs designed to copy files between hosts, such as ftp or rcp. Because these older applications do not encrypt passwords between the client and the server, you should avoid them whenever possible. Using secure methods to remotely log in to other systems decreases the security risks for both your system and the remote system.

10.1. Introduction

SSH (or Secure SHell) is a protocol for creating a secure connection between two systems. In the SSH protocol, the client machine initiates a connection with a server machine.

The following safeguards are provided by SSH:

- After an initial connection, the client verifies it is connecting to the same server during subsequent sessions.
- The client transmits its authentication information to the server, such as a username and password, in an encrypted format.
- All data sent and received during the connection is transferred using strong, 128-bit encryption, making it extremely difficult to decrypt and read.
- The client has the ability to use X11 applications launched from the shell prompt. [1] This technique, called X11 forwarding, provides a secure means to use graphical applications over a network.

Because the SSH protocol encrypts everything it sends and receives, it can be used to secure otherwise insecure protocols. Using a technique called port forwarding, an SSH server can become a conduit to secure insecure protocols, like POP, increasing overall system and data security.

Red Hat Linux 7.3 includes the general OpenSSH package (openssh) and the OpenSSH server (openssh-server) and client (openssh-clients) packages. Please see the chapter titled OpenSSH in the Official Red Hat Linux Customization Guide for instructions on installing and deploying OpenSSH. Also note that the OpenSSH packages require the OpenSSL package (openssl). OpenSSL installs several important cryptographic libraries that help OpenSSH provide encrypted communications.

A large number of client and server programs can use the SSH protocol. Several different SSH client versions are available for almost every major operating system in use today. Even if the users connecting to your system are not running Red Hat Linux, they can still find and use an SSH client native to their operating system.

1. X11 refers to the X11R6 windowing display system, traditionally referred to as X.
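Returning to the xinetd bind and redirect options from Chapter 9: the following Python script is an added example, not code from the Red Hat guide. It parses xinetd service stanzas (honouring the =, += and -= operators), validates the "host port" form of redirect, and flags a redirected service that has no bind, since without bind the service is reachable on every interface of the gateway. The two stanzas and the internal addresses 10.0.0.13 and 10.0.0.14 are constructed samples.

```python
# Added example (not from the Red Hat guide): parse xinetd service stanzas and
# audit their bind/redirect settings. The stanzas below are constructed samples.
import re

SAMPLE = """
service telnet
{
    # bind: external address from the guide's example; redirect: constructed internal target
    socket_type    = stream
    wait           = no
    log_on_success += DURATION USERID
    bind           = 123.123.123.123
    redirect       = 10.0.0.13 23
}
service pop3
{
    # no bind: the redirected service would be reachable on every interface
    socket_type = stream
    redirect    = 10.0.0.14 110
}
"""
STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")

def parse_xinetd(text):
    """Return {service: {attribute: [values]}}, honouring =, += and -=."""
    services = {}
    for name, body in STANZA_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            m = ATTR_RE.match(line.split("#", 1)[0])  # drop comments before matching
            if not m:
                continue
            key, op, vals = m.group(1), m.group(2), m.group(3).split()
            if op == "+=":
                vals = attrs.get(key, []) + vals
            elif op == "-=":
                vals = [v for v in attrs.get(key, []) if v not in vals]
            attrs[key] = vals
        services[name] = attrs
    return services

def audit(services):
    """Return (service, finding) pairs for redirect stanzas worth a second look."""
    out = []
    for name, a in services.items():
        vals = a.get("redirect")
        if vals is None:
            continue
        if len(vals) != 2 or not vals[1].isdigit() or not 0 < int(vals[1]) < 65536:
            out.append((name, "redirect must be '<host> <port>' with a valid port"))
        elif "bind" not in a and "interface" not in a:  # interface is a synonym for bind
            out.append((name, "redirect without bind: reachable on every interface"))
    return out
```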