Linux Lab 18 Securing Hosts
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Linux Lab 18 Securing Hosts as PDF for free.
More details
- Words: 366
- Pages: 1
Linux Workshop
Lab 18 Securing hosts (wrapper,xinetd,logging) Requirements
Quick Reference Objectives to learn
➢ Modern Linux distribution ➢ finger package installed
TCP wrapper
#Check order and examples:
vi /etc/hosts.allow
#See: man 5 hosts_access
in.telnetd : ALL : spawn echo “login from %c to %s ¦ mail -s warn root vi /etc/hosts.deny sshd : ALL EXCEPT 172.28.24.
To Do 1. When your neighbor is finished with ssh, block your neighbor's IP address from using ssh with the /etc/hosts.allow and/or hosts.deny. Test the results. You may also block a Windows host from using putty.exe (the ssh-client). 2. Create your own fake finger daemon:
Super daemon xinetd
#Tip: Use snippetname from /etc/services
vi /etc/xinetd.conf
#Edit general settings
vi /etc/xinetd.d/snippet
#Change settings per snippet
only_from
= 172.28.0.0/16 172.27.200.1
no_access
= 172.28.24.1
access_times
= 9:00-18:00
per_source
=2
/etc/init.d/xinetd restart
#Activate changes
Logging vi /etc/syslog.conf
#Edit syslog logger configuration
#See: man syslog.conf for facilities and priorities vi /etc/sysconfig/syslog
#Edit syslogdaemon -r for remote logging
SYSLOGD_PARAMS=”-r -s my.domain” SYSLOGD_OPTIONS=”-r -m 0”
- Checkout the finger command: finger [email protected] - Create a script file called /usr/local/sbin/fingerd with the following content:
#Generate message for syslogger: logger -i -p kern.emerg -t yourname “Text” vi /etc/logrotate.conf
#Edit maxlog files, logrotate is in crontab
#!/bin/bash echo “Finger is disabled for privacy reasons ...” - Make the new file executable: chmod +x fingerd - Copy an existing snippet to a file called finger and use the following options in the file: wait = no user = nobody protocol = tcp server = /usr/local/sbin/fingerd
Theory Modules LPIC 1 Certification Bible, isbn 0-7645-4772-0 ➢ p. 413-420 System Logging ➢ p. 602-604 Using the Internet Super Server ➢ p. 697-701 Configuring TCP wrappers
- Activate the changes by restarting the super daemon or by using: killall -SIGHUP xinetd - Checkout the finger command again. 3. Make your syslogger available for remote logging (add -r in /etc/sysconfig/syslog). Others may redirect to your host by addressing you with @hostname in the syslog.conf file.
Extra References ➢ www.tldp.org
4. Create a group called loggroup. Add your user as a member. Change the default group owner of the /var/log/messages file to loggroup in the /etc/logrotate.conf.
© October 2, 2005, wiki.novell.com/index.php/Roberts_Quick_References, author of Foundations of Linux networking
Lab 18 Securing hosts (wrapper,xinetd,logging) Requirements
Quick Reference Objectives to learn
➢ Modern Linux distribution ➢ finger package installed
TCP wrapper
#Check order and examples:
vi /etc/hosts.allow
#See: man 5 hosts_access
in.telnetd : ALL : spawn echo “login from %c to %s ¦ mail -s warn root vi /etc/hosts.deny sshd : ALL EXCEPT 172.28.24.
To Do 1. When your neighbor is finished with ssh, block your neighbor's IP address from using ssh with the /etc/hosts.allow and/or hosts.deny. Test the results. You may also block a Windows host from using putty.exe (the ssh-client). 2. Create your own fake finger daemon:
Super daemon xinetd
#Tip: Use snippetname from /etc/services
vi /etc/xinetd.conf
#Edit general settings
vi /etc/xinetd.d/snippet
#Change settings per snippet
only_from
= 172.28.0.0/16 172.27.200.1
no_access
= 172.28.24.1
access_times
= 9:00-18:00
per_source
=2
/etc/init.d/xinetd restart
#Activate changes
Logging vi /etc/syslog.conf
#Edit syslog logger configuration
#See: man syslog.conf for facilities and priorities vi /etc/sysconfig/syslog
#Edit syslogdaemon -r for remote logging
SYSLOGD_PARAMS=”-r -s my.domain” SYSLOGD_OPTIONS=”-r -m 0”
- Checkout the finger command: finger [email protected] - Create a script file called /usr/local/sbin/fingerd with the following content:
#Generate message for syslogger: logger -i -p kern.emerg -t yourname “Text” vi /etc/logrotate.conf
#Edit maxlog files, logrotate is in crontab
#!/bin/bash echo “Finger is disabled for privacy reasons ...” - Make the new file executable: chmod +x fingerd - Copy an existing snippet to a file called finger and use the following options in the file: wait = no user = nobody protocol = tcp server = /usr/local/sbin/fingerd
Theory Modules LPIC 1 Certification Bible, isbn 0-7645-4772-0 ➢ p. 413-420 System Logging ➢ p. 602-604 Using the Internet Super Server ➢ p. 697-701 Configuring TCP wrappers
- Activate the changes by restarting the super daemon or by using: killall -SIGHUP xinetd - Checkout the finger command again. 3. Make your syslogger available for remote logging (add -r in /etc/sysconfig/syslog). Others may redirect to your host by addressing you with @hostname in the syslog.conf file.
Extra References ➢ www.tldp.org
4. Create a group called loggroup. Add your user as a member. Change the default group owner of the /var/log/messages file to loggroup in the /etc/logrotate.conf.
© October 2, 2005, wiki.novell.com/index.php/Roberts_Quick_References, author of Foundations of Linux networking
Related Documents
Linux Lab 18 Securing Hosts
December 2019 9
Hosts
May 2020 12
Installation Securing Voip With Linux
June 2020 0
Linux Lab 21 Firewall
December 2019 21
Securing Optimizing Linux Dns Bind Rc1.0
May 2020 4