Protection Mechanism
1) Packet filtering: a) iptables firewalls
                     b) squid
2) TCP wrapper
3) PAM
4) SELinux
5) service configuration files
6) other security measures
A basic illustration of how these tools
work together to protect network services.

Packet filtering firewalls
Firewalls are designed to inspect packets on their way into and out of the network. There are two types of
firewall: packet filters and proxies.
Packet filters are low-level filters that look at the headers of packets passing through the machine's kernel.
They check only header fields (source and destination IP address, protocol and port; on the local link also the MAC address).
Drawback: the payload is not inspected. Spam, viruses, worms and the like
pass through as long as the headers are permitted.
Squid proxy filter
A proxy such as squid works at the application layer: it terminates the client's connection, then inspects the request and the data it carries (for example HTTP URLs and content), so it can filter on what the packet contains and not only on its headers.
TCP wrapper
There are two types of network services:
Standalone services: httpd, vsftpd, named
-----------each runs as its own daemon and is controlled by that daemon
xinetd services: telnet, rlogin, tftp, swat
-----------started on demand and controlled by xinetd
IP / host based security
TCP wrappers apply only to services that are linked against libwrap.so, either directly or indirectly (services started by xinetd are covered because xinetd itself is linked against libwrap).
How to check whether a service is linked against libwrap.so:
#which sshd
/usr/sbin/sshd
[root@myserver ~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00655000)
If grep prints nothing, the daemon never reads hosts.allow or hosts.deny and the rules below have no effect on it. Upstream OpenSSH removed its libwrap support in version 6.7 (2014); some distributions carried a patch for a while afterwards, so check with ldd rather than assume, and on a modern sshd restrict hosts with sshd_config or the packet filter instead.
TCP wrapper configuration files:
#vim /etc/hosts.allow
#vim /etc/hosts.deny
Working of TCP wrapper
1) It checks /etc/hosts.allow and applies the first rule that matches the service and the client. If a matching rule is found, the connection is allowed and no further rules are consulted. If no rule matches, it moves on to step 2.
2) It checks /etc/hosts.deny and, if a matching rule is found, denies the connection.
3) If no rule in either file matches, the connection is allowed. The default is therefore to permit, which is why a restrictive setup ends /etc/hosts.deny with a catch-all "ALL : ALL" rule.
Syntax
daemon_list : client_list [: option1 : option2 : ...]
A list may hold several names or patterns separated by spaces or commas.
Wildcards
- ALL - Matches everything.
- LOCAL - Matches any host whose name does not contain a dot (.), such as localhost.
- KNOWN - Matches any host whose hostname and address are both known, or where the user is known.
- UNKNOWN - Matches any host whose hostname or address is unknown, or where the user is unknown. Use with care: a temporary DNS failure makes a host UNKNOWN.
- PARANOID - Matches any host whose hostname does not match its address (forward and reverse DNS disagree).
Patterns
You can also use patterns in the client section of the rule. Some examples are as follows:
ALL : .xyz.com
Matches all hosts in the xyz.com domain. Note the dot (.) at the beginning.
ALL : 123.12.
Matches all hosts whose address begins with 123.12. (the 123.12.0.0/16 network). Note the dot (.) at the end of the rule.
ALL : 192.168.0.1/255.255.255.0
An address/netmask pair can be used in the rule. The mask is applied to the address, so this matches the whole 192.168.0.0/24 network, 192.168.0.0 to 192.168.0.255.
ALL : *.xyz.com
The shell-style wildcards asterisk (*) and question mark (?) match groups of hostnames or IP addresses. They cannot be combined in one pattern with the net/mask, leading-dot or trailing-dot forms.
sshd : /etc/sshd.deny
If the client list begins with a slash (/), it is treated as a filename containing zero or more patterns separated by whitespace. In the above rule, TCP wrappers looks up the patterns in the file sshd.deny for every SSH connection.
sshd : ALL EXCEPT 192.168.0.15
If the above rule is placed in /etc/hosts.deny, it allows SSH connections only from the machine with the IP address 192.168.0.15 and blocks all others. Here EXCEPT is an operator: "list_1 EXCEPT list_2" matches anything that matches list_1 unless it also matches list_2.
Note: To restrict NFS and NIS, include a rule for portmap (rpcbind on newer systems), because NFS and NIS depend on
portmap to work at all. In addition, changes to portmap rules may
not take effect immediately.
Suppose I want to log all SSH connections
from the xyz.com domain with syslog priority emergency. See my
previous post to know more on logging. I could do the following:
sshd : .xyz.com : severity emerg
Note: The allow and deny options decide access on a per-client basis in whichever file they appear, so both decisions can be kept in one file (usually /etc/hosts.allow). The first matching rule still wins, so order matters:
in.telnetd : 192.168.5.5 : deny
in.telnetd : 192.168.5.6 : allow
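To make the search order and the client patterns above concrete, here is an added example that models how TCP wrappers evaluate the two files. It is a simplified re-implementation written for this page, not libwrap's own code: it handles the patterns described above (ALL, LOCAL, leading-dot domain, trailing-dot network, net/mask, shell wildcards, /file lists, EXCEPT) together with the allow/deny options, and leaves out KNOWN, UNKNOWN and PARANOID, which need DNS lookups. The rule files, the list file and the hosts tested are all constructed for the illustration.

```python
"""Model of how TCP wrappers evaluate /etc/hosts.allow and /etc/hosts.deny.

Added example: a simplified re-implementation of the hosts_access(5)
matching rules for illustration, not libwrap's own code. Hostnames and
IPv4 addresses are passed in directly instead of being looked up.
"""
import fnmatch
import ipaddress

# Constructed sample rule files (not taken from a real system).
HOSTS_ALLOW = """\
# comments and blank lines are ignored
sshd : 192.168.0.1/255.255.255.0 : allow
sshd : .xyz.com : severity emerg
in.telnetd : 192.168.5.5 : deny
in.telnetd : 192.168.5.6 : allow
ALL : LOCAL
"""

HOSTS_DENY = """\
sshd : ALL EXCEPT 192.168.0.15
in.telnetd : ALL
vsftpd : /etc/ftp.deny
"""

# Stand-in for the files a leading-slash client pattern refers to.
LIST_FILES = {"/etc/ftp.deny": "10.0.0.5 .bad.example\n"}


def parse_rules(text):
    """Turn rule text into (daemon_list, client_list, [options]) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0], fields[1], fields[2:]))
    return rules


def match_client(pattern, host, ip):
    """Match one client pattern against a lower-cased hostname and an IPv4 address."""
    if pattern.startswith("/"):                  # patterns read from a file
        return any(match_client(p, host, ip)
                   for p in LIST_FILES.get(pattern, "").split())
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern == "local":                       # hostname without a dot
        return "." not in host
    if pattern.startswith("."):                  # domain suffix, e.g. .xyz.com
        return host.endswith(pattern)
    if pattern.endswith("."):                    # network prefix, e.g. 123.12.
        return ip.startswith(pattern)
    if "/" in pattern:                           # net/mask pair; host bits are masked off
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(pattern, strict=False)
    if "*" in pattern or "?" in pattern:         # shell-style wildcards
        return fnmatch.fnmatchcase(host, pattern) or fnmatch.fnmatchcase(ip, pattern)
    return pattern in (host, ip)                 # exact hostname or address


def match_list(pattern_list, matcher):
    """Evaluate 'a b EXCEPT c' lists; EXCEPT nests to the right."""
    if " EXCEPT " in pattern_list:
        first, rest = pattern_list.split(" EXCEPT ", 1)
        return match_list(first, matcher) and not match_list(rest, matcher)
    return any(matcher(p) for p in pattern_list.replace(",", " ").split())


def check_access(daemon, host, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (verdict, options) for one connection, following tcpd's search order."""
    host = host.lower()
    for text, file_verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients, options in parse_rules(text):
            if (match_list(daemons, lambda p: p in ("ALL", daemon))
                    and match_list(clients, lambda p: match_client(p, host, ip))):
                verdict = file_verdict
                for opt in options:             # explicit allow/deny overrides the file's meaning
                    if opt in ("allow", "deny"):
                        verdict = opt
                return verdict, options         # first match wins; stop searching
    return "allow", []                          # no rule matched anywhere: access granted


if __name__ == "__main__":
    for daemon, host, ip in [("sshd", "client1.xyz.com", "192.168.0.15"),
                             ("sshd", "box.example.net", "10.1.2.3"),
                             ("in.telnetd", "pc5", "192.168.5.5"),
                             ("httpd", "www.example.org", "203.0.113.9")]:
        print(daemon, host, ip, "->", check_access(daemon, host, ip))
```

Two things the model makes visible: the telnet connection from 192.168.5.5 is refused even though "ALL : LOCAL" would have admitted the dot-less name pc5, because the earlier deny rule matched first; and httpd from www.example.org is admitted with no rule at all, which is the default-allow behaviour a catch-all "ALL : ALL" in hosts.deny exists to close. On a real system the same questions are answered by tcpdmatch(8), for example "tcpdmatch sshd 192.168.0.15".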
Shell Commands
Rules can be coupled to shell commands by using the following two options.
spawn - This option launches a shell
command as a child process while the connection is handled as usual. For example, look at the following rule:
sshd : 192.168.5.5 : spawn /bin/echo `/bin/date` from %h >> /var/log/ssh.log : deny
Each time the rule is satisfied, the
current date and the client's hostname %h are appended to the ssh.log
file, and the connection is then denied.
twist - This option replaces
the requested service with the specified command, so the client talks to that command instead of the daemon. For example, if you want to tell a
client trying to connect using ssh to your machine that it is prohibited
from accessing SSH, you can use this option. twist must be the last option in a rule, and no separate deny is needed because the real service is never started:
sshd : client1.xyz.com : twist /bin/echo "You are prohibited from accessing this service!!"
When using spawn and twist, you can use a set of expansions. Characters in the expanded values that could confuse the shell are replaced with underscores before the command runs. They are as follows:
%a — The client's IP address.
%A — The server's IP address.
%c — Supplies a variety of client
information, such as the username and hostname, or the username and IP address.
%d — The daemon process name.
%h — The client's hostname (or IP address, if the hostname is unavailable).
%H — The server's hostname (or IP address, if the hostname is unavailable).
%n — The client's hostname. If
unavailable, unknown is printed. If the client's hostname and host address do
not match, paranoid is printed.
%N — The server's hostname. If
unavailable, unknown is printed. If the server's hostname and host address do
not match, paranoid is printed.
%p — The daemon process ID.
%s — Various types of server
information, such as the daemon process and the host or IP address of the
server.
%u — The client's
username. If unavailable, unknown is printed.
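The following added example models how these letters are substituted into a spawn or twist command, and why the substitution has to be sanitized: the client's hostname in %h comes from reverse DNS, which the remote side controls. This is illustration code written for this page, not libwrap's implementation. The connection context is constructed, and the exact set of characters replaced with underscores is an assumption; the page only states that characters which may confuse the shell are replaced.

```python
"""Model of the %-expansions tcpd performs in spawn and twist commands.

Added example, not libwrap's code. The replaced-character set is an
assumption made for illustration.
"""

# Constructed connection context (not a real capture).
REQUEST = {
    "a": "192.168.5.5",        # %a client IP address
    "A": "192.168.5.1",        # %A server IP address
    "d": "sshd",               # %d daemon process name
    "h": "client1.xyz.com",    # %h client hostname (IP if unavailable)
    "H": "myserver.xyz.com",   # %H server hostname
    "n": "client1.xyz.com",    # %n client hostname, or "unknown"/"paranoid"
    "N": "myserver.xyz.com",   # %N server hostname, or "unknown"/"paranoid"
    "p": "4242",               # %p daemon process ID
    "u": "unknown",            # %u client username (needs identd), else "unknown"
}
REQUEST["c"] = REQUEST["u"] + "@" + REQUEST["h"]   # %c client info: user@host
REQUEST["s"] = REQUEST["d"] + "@" + REQUEST["H"]   # %s server info: daemon@host

# Characters swapped for "_" before the expanded command reaches /bin/sh
# (assumed set; tcpd's real list is not given on the page).
UNSAFE = set("`'\"\\$;|&<>(){}[]*? \t\n\r")


def sanitize(value):
    """Neutralise shell metacharacters and non-printables in an expanded value."""
    return "".join("_" if ch in UNSAFE or not ch.isprintable() else ch for ch in value)


def expand(template, request=REQUEST):
    """Replace %<letter> sequences in a spawn/twist command string."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            key = template[i + 1]
            if key == "%":
                out.append("%")                # %% yields a literal percent sign
            elif key in request:
                out.append(sanitize(request[key]))
            else:
                out.append("%" + key)          # unknown letter: left untouched
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    print(expand("/bin/echo `/bin/date` from %h >> /var/log/ssh.log"))
    # A hostile PTR record trying to smuggle a command through %h.
    hostile = dict(REQUEST, h="evil;rm -rf /.xyz.com")
    print(expand("/bin/echo %h >> /var/log/ssh.log", hostile))
```

The second print shows the point of the sanitizing step: the semicolon and spaces in the attacker-controlled name become underscores, so the logged line is harmless and the shell never sees a second command. Shell syntax written in the rule itself (the backticks, the redirection) is untouched, because only the expanded values are sanitized.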