TCPD and Firewalls using IPFWADM

In this article we take a rough look at configuring the services offered by inetd and at using the ipfwadm tool to enhance the security of our system.

Well, for starters, we must be clear about what inetd is: it is basically a daemon that controls the services a host connected to the Internet can offer. It cannot control everything by default either, so have a look at the file /etc/inetd.conf and see which services your host offers through the inetd daemon (the active lines, i.e. those without the "

For example, the line:

    ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a

     * First the service name (in this case "ftp"); it is looked up in /etc/services to get its port.
     * The second field is the type of socket that is opened, which can be one of several types: stream (as in the example), dgram, raw, rdm and seqpacket.
     * The third field is the protocol used, which must be defined in /etc/protocols (in this case tcp).
     * The fourth field is wait or nowait. It must always be nowait except for datagram sockets (dgram). If the datagram server is multi-threaded, nowait is given, because when the server receives a request it launches the handler in a separate thread of execution (which is what multi-thread means :)) and frees the socket so that inetd can continue receiving messages on it. If the datagram server is single-threaded, wait is given: the server handles requests on the same socket and cannot launch separate processes. You can also add a number to this field, for example nowait.50 (wait/nowait, a dot, then the number). This number is the maximum number of daemons that may be launched (or requests accepted, as a check) in one minute. The default is 40.
     * The fifth field is the user name the daemon should run as; in this case it runs as the super-user (root).
     * The sixth field and those after it are the program to launch followed by the parameters passed to it. Here the instruction is to launch the daemon tcpd, with the daemon in.ftpd and its parameters -l -a as arguments. Now comes the most interesting part of this first piece of the article, which is tcpd.

Well, tcpd is a daemon that filters requests and does one thing or another depending on the daemon to be launched and the IP address requesting the service. It does this through /etc/hosts.allow and /etc/hosts.deny.

In principle, /etc/hosts.deny is used to say who is not allowed access, and /etc/hosts.allow to say who is.

The format of both files is:

    DAEMON: IP[: OPTION1[: OPTION2]]

where DAEMON is the daemon to be launched, as in the example given, in.ftpd, or ALL to refer to all daemons.

IP can be an IP address or a host name, a range of IP addresses (or a domain), or one of the wildcards given later.

To indicate a range of IP addresses, for example, you write `123.32.`, which covers all IPs 123.32.XXX.XXX. The same goes for host names: `.ml.org` represents all the hosts in the ml.org domain.

You can also indicate a range of IPs in the traditional IP/MASK form. So, for example, to indicate the range 127.0.0.0 to 127.0.255.255 you write 127.0.0.0/255.255.0.0. The wildcards are:

     * ALL matches any incoming address.
     * LOCAL matches any host name that does not contain a dot.
     * UNKNOWN matches those hosts whose name or IP is not known.
     * KNOWN matches those hosts whose name and IP are both known.
     * PARANOID matches those hosts whose name does not match their IP.

The options are:

     * allow accepts the connection of whatever matched the line, regardless of whether it is in hosts.allow or hosts.deny. It must be the last option on the line.
     * deny, like the above, but denying the connection.
     * spawn runs a shell command (if you want to run something every time a connection matching the line is established). For example, whenever I get any connection, I play a sound so I can hear that someone is trying to connect to my machine.
     * twist is like the spawn command, but it cuts the connection after running the command. It must also be the last option on the line.

For the latter two options, you can use the expansions tcpd allows. These are:

     * %a the client host address
     * %c client information (may be user@host, or whatever, depending on the client)
     * %d the daemon name
     * %h the client host name or address, whichever is available
     * %n the client host name
     * %p the daemon PID
     * %s server information (daemon@host or just daemon, depending)
     * %u the client user name
     * %% a single % character

With these expansions and those two options you can do many things; for example, I know of someone who, whenever anyone tried to get in by telnet, automatically sent a "teardrop" to the lucky intruder :)

NOTE: A teardrop is a DoS (Denial of Service: an attack on a host that makes it hang or restart) that takes advantage of a bug in the reassembly of fragmented TCP packets that much of the OSes had (now "had", since many have already been patched). Information is sent over the Internet via TCP/IP (which is also used in other networks besides the Internet, such as intranets): TCP is in charge of fragmenting the information into packets that the IP protocol then delivers to their destination, and once there the TCP protocol checks that all the packets arrived and reassembles them to recover the original information. What this attack (and many based on it) does is take advantage of the fact that many operating systems did not check whether the size of a packet before reassembly was very small, and if so the host made a mess when putting the pieces together. I am not sure that it is exactly like this, so obviously I accept any kind of input and criticism, both positive and negative. After this short explanation, let's go on...

Examples:

    # cat /etc/hosts.allow

    ALL: 127.0.0.1 localhost          # let me in

    in.ftpd: ALL: spawn (wavplay /usr/share/sounds/intruder.wav &)
    # let anyone in via ftp, but play a
    # wav sound (so that I know)

    in.telnetd: ALL: twist (teardrop %h %h)
    # send a teardrop to whoever tries
    # to get in by telnet

    # cat /etc/hosts.deny

    ALL: .bsa.org                     # let nobody in from the bsa.org domain

    in.fingerd: ALL                   # finger service closed to everyone :)

    # end
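As an added example (not code from the article), here is a small simulator of the decision tcpd makes for a (daemon, client) pair according to host_access(5): a match in hosts.allow grants, then a match in hosts.deny denies, otherwise access is granted. It runs over constructed copies of the article's two files (the telnet/twist line left out); only a trailing allow/deny option changes the verdict, spawn does not.

```python
import ipaddress

# Constructed copies of the article's files (telnet/twist line left out).
HOSTS_ALLOW = """\
ALL: 127.0.0.1 localhost
in.ftpd: ALL: spawn (wavplay /usr/share/sounds/intruder.wav &)
"""
HOSTS_DENY = """\
ALL: .bsa.org
in.fingerd: ALL
"""

def parse_rules(text):
    """Return [(daemons, clients, options)] for 'daemon: client [: options]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, fields[2] if len(fields) > 2 else ""))
    return rules

def client_matches(pattern, name, addr):
    """host_access(5) patterns: wildcards, leading/trailing dot, net/mask, exact."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in name
    if pattern in ("KNOWN", "UNKNOWN"):
        return (name != "unknown") == (pattern == "KNOWN")
    if pattern.startswith("."):   # .bsa.org matches every host under bsa.org
        return name.endswith(pattern)
    if pattern.endswith("."):     # 123.32. matches 123.32.x.x
        return addr.startswith(pattern)
    if "/" in pattern:            # 127.0.0.0/255.255.0.0 net/mask form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (name, addr)

def access(daemon, name, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: a match in hosts.allow grants, then a match in hosts.deny denies, else grant."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and any(client_matches(p, name, addr) for p in clients):
                last = options.split(":")[-1].strip().lower()  # a trailing allow/deny option overrides
                return last if last in ("allow", "deny") else verdict
    return "allow"
```

On a real system the tcpdmatch(8) tool shipped with tcp_wrappers gives the same kind of answer against the live files.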

Well, this is all I have to say about tcpd; I already told you that my knowledge was not great. Test, test, and read the manual pages (tcpd and host_access(5)). Surely you will learn more that way than I can teach you. Let us now use the ipfwadm tool.

The first thing is to have IP firewalling support in the kernel (Networking -> Network firewalls + IP: firewalling). Then, after recompiling the kernel and rebooting the machine, we are ready to use this tool.

Among other things (the only ones I will focus on), this tool lets you manage incoming and outgoing TCP, UDP and ICMP packets. In short, you can specify which packets are allowed in, whether they come from a group of IPs or a specific IP, to a particular port, with a specific protocol, and every mix of those options, and likewise for packets going out.

ipfwadm has several main categories:

     * -A specifies the accounting rules.
     * -I specifies the rules for incoming packets.
     * -O specifies the rules for outgoing packets.
     * -F specifies the rules for forwarded packets.
     * -M is for the administration of IP masquerading.

In this article I will only discuss the -I and -O categories. Both follow the same syntax. The commands for these categories are:

     * -a appends one or more rules at the end of the list.
     * -i inserts one or more rules at the top of the list.
     * -d deletes one or more rules from the list.
     * -l lists the rules.
     * -f flushes (deletes) all rules from the list.
     * -p sets the default policy: whether packets are accepted (a), denied (d) or rejected (r).
     * -c checks which rule a given packet would match.
     * -h help.

The 'important' parameters are:

     * -P specifies the protocol the rule applies to; this may be tcp, udp, icmp or all (to indicate any protocol).
     * -S specifies the source address of the packet. The format is:

    ADDRESS[/MASK] [PORT]

For example, a valid address is:

    123.32.34.0/255.255.255.250 25

to indicate the range of IP addresses from 123.32.34.0 to 123.32.34.5, with port 25.

-D specifies the destination address. It has the same format as -S.

Basically these are the basic parameters. To allow packets from my own machine to reach my machine, I add the rule:

    ipfwadm -I -i accept -S 127.0.0.1

and to discard packets coming from 123.34.22.XXX:

    ipfwadm -I -a deny -S 123.34.22.0/255.255.255.0

and if I then want to deny everyone access to the netbios port except the IP 111.222.123.221:

    ipfwadm -I -a accept -P tcp -S 111.222.123.221 -D 0.0.0.0/0 139
    ipfwadm -I -a deny -P tcp -D 0.0.0.0/0 139
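As an added example (not the article's own code), the following models how the -I chain evaluates the four rules above: ipfwadm walks the list top-down, the first matching rule decides, and an unmatched packet gets the chain's -p default policy (assumed accept here). The chain, the sample packets and the Rule fields are constructed for the example; the netbios exception only works because the accept rule sits above the deny rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    policy: str                      # accept / deny / reject
    proto: str = "all"               # -P tcp|udp|icmp|all
    src: str = "0.0.0.0/0"           # -S address[/mask]
    sport: Optional[int] = None      # port given after -S (None = any)
    dst: str = "0.0.0.0/0"           # -D address[/mask]
    dport: Optional[int] = None      # port given after -D (None = any)

def in_net(addr, spec):
    """spec is 'a.b.c.d', 'a.b.c.d/255.255.255.0' or 'a.b.c.d/24'."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, proto, saddr, sport, daddr, dport):
    return (rule.proto in ("all", proto)
            and in_net(saddr, rule.src) and rule.sport in (None, sport)
            and in_net(daddr, rule.dst) and rule.dport in (None, dport))

def verdict(chain, default, proto, saddr, sport, daddr, dport):
    """Walk the chain top-down; the first matching rule decides, else the -p default policy."""
    for rule in chain:
        if matches(rule, proto, saddr, sport, daddr, dport):
            return rule.policy
    return default

# The article's input rules, in the order the ipfwadm commands leave them:
#   ipfwadm -I -i accept -S 127.0.0.1
#   ipfwadm -I -a deny   -S 123.34.22.0/255.255.255.0
#   ipfwadm -I -a accept -P tcp -S 111.222.123.221 -D 0.0.0.0/0 139
#   ipfwadm -I -a deny   -P tcp -D 0.0.0.0/0 139
INPUT_CHAIN = [
    Rule("accept", src="127.0.0.1"),
    Rule("deny", src="123.34.22.0/255.255.255.0"),
    Rule("accept", proto="tcp", src="111.222.123.221", dport=139),
    Rule("deny", proto="tcp", dport=139),
]

def check(proto, saddr, sport, daddr, dport, chain=INPUT_CHAIN, default="accept"):
    return verdict(chain, default, proto, saddr, sport, daddr, dport)
```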

Well, I think my article is a bit thin, but my knowledge does not go any further :)