Chapter 21 Security. Computer Center, CS, NCTU 2 Firewall (1)  Using ipfw 1.Add these options in kernel configuration file and recompile the kernel 2.Edit.

Slides:



Advertisements
Similar presentations
DMZ (De-Militarized Zone)
Advertisements

153 Configuring and Securing ARPA/Berkeley Services Version A.01 H3065S Module 13 Slides.
Linux Security An overview notes from Linux Network Security HowTO.
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
Homework 5b: Samba. Computer Center, CS, NCTU 2 Network-based File Sharing (1)  NFS (UNIX-based) mountd is responsible for mount request nfsd and nfsiod.
Chapter 3 Unix Overview. Figure 3.1 Unix file system.
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Chapter 10 Networking and the Internet ITSC 1458.
system hardening Act of modifying a system to make it more secure Protecting against internal and external threats Usually a balance between security.
Firewall Dave Grizzanti Steve Curti. What is an Internet Firewall? An Internet firewall is most often installed at the point where your protected internal.
Network Services CSCI N321 – System and Network Administration Copyright © 2000, 2007 by Scott Orr and the Trustees of Indiana University.
The Saigon CTT Chapter 16 Remote Connectivity. The Saigon CTT  Objectives  Explain : telnet rsh ssh  Configure FTP.
SCSC 455 Computer Security Network Security. Control access to system Access control mechanisms in specific network programs  e.g. 1, wu-FTP server support.
Secure Shell for Computer Science Nick Czebiniak Sung-Ho Maeung.
Daemon issue 14 SSH Port Forwarding Yannis Tsopokis Wednesday, April 26 th 2006.
ITI-481: Unix Administration Meeting 3. Today’s Agenda Hands-on exercises with booting and software installation. Account Management Basic Network Configuration.
Chapter 21 Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories 
Inetd...Server of Servers Looks at a number of ports Determines when a service is needed on any of those ports Calls the appropriate server Restarts new.
Hour 7 The Application Layer 1. What Is the Application Layer? The Application layer is the top layer in TCP/IP's protocol suite Some of the components.
Linux Services Muhammad Amer. 2 xinetd Programs  In computer networking, xinetd, the eXtended InterNET Daemon, is an open-source super-server daemon.
Linux Networking Security Sunil Manhapra & Ling Wang Project Report for CS691X July 15, 1998.
Linux Security. See who's logged in 1) w (more information) 2) who (less information)
 FreeBSD firewalls › ipfw -- IP firewall and traffic shaper control program  ipfw(8) › ipf (IP Filter) - alters packet filtering lists for IP packet.
Berkeley R Utilities & the new S Utilities The Unix (or Berkeley) r utilities provide an alternative to IP facilities telnet and ftp. Three programs: rlogin.
System Administration HW2 Shell Script xclin. Computer Center, CS, NCTU 2 Requirements  Xferlog statistics (15%) use one-line command to show FTP transfer.
CIS 192B – Lesson 3 Network Information Services.
REMOTE LOGIN. TEAM MEMBERS AMULYA GURURAJ 1MS07IS006 AMULYA GURURAJ 1MS07IS006 BHARGAVI C.S 1MS07IS013 BHARGAVI C.S 1MS07IS013 MEGHANA N. 1MS07IS050 MEGHANA.
Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories 
Homework 02 NAT 、 DHCP 、 Firewall 、 Proxy. Computer Center, CS, NCTU 2 Basic Knowledge  DHCP Dynamically assigning IPs to clients  NAT Translating addresses.
1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.
Internet Services.  Basically, an Internet Service can be defined as any service that can be accessed through TCP/IP based networks, whether an internal.
Phil Hurvitz Securing UNIX Servers with the Secure.
1 Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise your system.
Protocols COM211 Communications and Networks CDA College Olga Pelekanou
How to do NAT + DHCP + IPFW in FreeBSD. Firewalls.
Security. Computer Center, CS, NCTU 2 FreeBSD Security Advisories – (1) 
Daemons Ying Zhang CMSC691X, Summer02. Outline  Introduction  Init and Cron  System daemons  Print daemons and NFS daemons  Time synchronization.
Department of Computer Science Southern Illinois University Edwardsville Spring, 2008 Dr. Hiroshi Fujinoki FTP Protocol Programming.
Unix network Services. Configuring a network interface In Unix there are essentially two commands that are used to enable TCP/IP. ifconfig route.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Application Layer Functionality and Protocols.
Agenda Networking with Linux & UNIX OS –Overview –Setup –Common Utilities.
Integrity Check As You Well Know, It Is A Violation Of Academic Integrity To Fake The Results On Any.
CCNA4 Perrine / Brierley Page 12/20/2016 Chapter 05 Access Control Non e0e1 s server.
Unix System Administration Chapter 31 Daemons. Out of the Goo, the Primordial Process l Init l Always the first process to run after system boot l Always.
Integrity Check As You Well Know, It Is A Violation Of Academic Integrity To Fake The Results On Any.
Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.
NAT、DHCP、Firewall、FTP、Proxy
FIREWALL configuration in linux
Chapter 9 Router Configuration (Ospf, Rip) Webmin, usermin Team viewer
LINUX ADMINISTRATION
SECURE SHELL MONIKA GUPTA COT 4810.
LINUX ADMINISTRATION 1
Security.
Overview of Unix Jagdish S. Gangolly School of Business
IS3440 Linux Security Unit 6 Using Layered Security for Access Control
Network Services CSCI N321 – System and Network Administration
IIS.
Chapter 27: System Security
Access Control Lists CCNA 2 v3 – Module 11
Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH
Network Services.
Security.
Daemons & inetd Refs: Chapter 12.
Security.
Security.
Security.
Chapter 7 Network Applications
Computer Networks Protocols
Presentation transcript:

Chapter 21 Security

Computer Center, CS, NCTU 2 Firewall (1)  Using ipfw 1.Add these options in kernel configuration file and recompile the kernel 2.Edit /etc/rc.conf to start firewall  % man rc.conf and search firewall keyword options IPFIREWALL options IPFIREWALL_VERBOSE options IPFIREWALL_FORWARD options IPFIREWALL_DEFAULT_TO_ACCEPT # firewall firewall_enable="YES" firewall_script="etc/firewalls/rules" firewall_quiet="YES"

Computer Center, CS, NCTU 3 Firewall (2) 3.Edit ipfw command script that you specify in rc.conf  Ex: /etc/firewall/rules ipfw command  % sudo ipfw list(show current firewall rules)  % sudo ipfw flush(delete all firewall rules)  % ipfw add {pass|deny} {udp|tcp|all} from where to where

Computer Center, CS, NCTU 4 Firewall (3)  Example (Head part) #!/bin/sh fwcmd="/sbin/ipfw -q“ myip=“ ” ${fwcmd} -f flush ${fwcmd} add pass all from ${myip} to any # Allow TCP through if setup succeeded ${fwcmd} add pass tcp from any to any established ${fwcmd} add deny log all from any to any frag echo -n "Established “ # Allow icmp (ping only) ${fwcmd} add pass icmp from any to any icmptypes 0,3,8,11

Computer Center, CS, NCTU 5 Firewall (4)  Example (service part) # Allow SMB ${fwcmd} add pass tcp from /24 to ${myip} setup # Allow HTTP/HTTPS ${fwcmd} add pass tcp from any to ${myip} 80 setup ${fwcmd} add pass tcp from any to ${myip} 443 setup echo -n "HTTP/HTTPS " # SSH access control ${fwcmd} add pass tcp from any to any 22 setup echo -n "SSH " # open any system port that your system provide

Computer Center, CS, NCTU 6 Firewall (5)  Example (Tail part) # Default to deny ${fwcmd} add reset log tcp from any to any ${fwcmd} add reject udp from any to any ${fwcmd} add reject log icmp from any to any ${fwcmd} add deny log all from any to any

Computer Center, CS, NCTU 7 Firewall (6)  Manual reset firewall rules Edit the script and % sudo sh /etc/firewall/rules  When you install new service and wondering why it can not use … % sudo ipfw flush Delete all firewall rules to remove problems caused by firewall

Computer Center, CS, NCTU 8 Firewall (7)  Debug your system via log file /var/log/security Dec 25 11:25:36 sabsd last message repeated 2 times Dec 25 11:45:06 sabsd kernel: ipfw: Reset TCP : :5554 in via fxp0 Dec 25 11:45:07 sabsd kernel: ipfw: Reset TCP : :5554 in via fxp0 Dec 25 11:45:07 sabsd kernel: ipfw: Reset TCP : :1023 in via fxp0 Dec 25 11:45:08 sabsd kernel: ipfw: Reset TCP : :1023 in via fxp0 Dec 25 11:45:09 sabsd kernel: ipfw: Reset TCP : :9898 in via fxp0 Dec 25 12:05:44 sabsd kernel: ipfw: Reset TCP : :445 in via fxp0 Dec 25 12:05:45 sabsd last message repeated 2 times

Computer Center, CS, NCTU 9 /etc/hosts.equiv and ~/.rhosts  Trusted remote host and user name DB Allow user to login (via rlogin) and copy files (rcp) between machines without passwords Format:  Simple: hostname [username]  Complex: Example  bar.com foo(trust user “ foo ” from host “ bar.com ” )  all from amd_cs_cc group)   Do not use this

Computer Center, CS, NCTU 10 /etc/hosts.allow (1)  TCP Wrapper Provide support for every server daemon under its control

Computer Center, CS, NCTU 11 /etc/hosts.allow (2) To see what daemons are controlled by inetd, see /etc/inetd.conf TCP wrapper should not be considered a replacement of a good firewall. Instead, it should be used in conjunction with a firewall or other security tools #ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l #ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l #telnet stream tcp nowait root /usr/libexec/telnetd telnetd #telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd shell stream tcp nowait root /usr/libexec/rshd rshd #shell stream tcp6 nowait root /usr/libexec/rshd rshd login stream tcp nowait root /usr/libexec/rlogind rlogind #login stream tcp6 nowait root /usr/libexec/rlogind rlogind

Computer Center, CS, NCTU 12 /etc/hosts.allow (3)  To use TCP wrapper 1.inetd daemon must start up with “-Ww” option (default) Or edit /etc/rc.conf Edit /etc/hosts.allow  Format:daemon:address:action –daemon is the daemon name which inetd started –address can be hostname, IPv4 addr, IPv6 addr –action can be “ allow ” or “ deny ” –Keyword “ ALL ” can be used in daemon and address fields to means everything inetd_enable="YES" inetd_flags="-wW"

Computer Center, CS, NCTU 13 /etc/hosts.allow (4) First rule match semantic  Meaning that the configuration file is scanned in ascending order for a matching rule  When a match is found, the rule is applied and the search process will stop  example ALL : localhost, : allow ptelnetd @linux_cc_cs : allow ptelnetd pftpd sshd: zeiss, chbsd, sabsd : allow identd : ALL : allow portmap : ALL : allow sendmail : ALL : allow rpc.rstatd : allow rpc.rusersd : allow ALL : ALL : deny

Computer Center, CS, NCTU 14 /etc/hosts.allow (5)  Advance configuration External commands (twist option)  twist will be called to execute a shell command or script External commands (spawn option)  spawn is like twist, but it will not send a reply back to the client # The rest of the daemons are protected. telnet : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h." # We do not allow connections from example.com: ALL :.example.com \ : spawn (/bin/echo %a from %h attempted to access %d >> \ /var/log/connections.log) \ : deny

Computer Center, CS, NCTU 15 /etc/hosts.allow (6) Wildcard (PARANOID option)  Match any connection that is made from an IP address that differs from its hostname  See man 5 hosts_access man 5 hosts_options # Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny

Computer Center, CS, NCTU 16 FreeBSD Security Advisories (1)  Advisory Security information  Where to find it freebsd-security-notifications Mailing list  Web page (Security Advisories Channel) 

Computer Center, CS, NCTU 17 FreeBSD Security Advisories (2)  Advisory content core  core OS contrib  Software for FreeBSD project Ports  Add on software Solution  Workaround  Solution

Computer Center, CS, NCTU 18 FreeBSD Security Advisories (3)  Example proc filesystem advisory

Computer Center, CS, NCTU 19 FreeBSD Security Advisories (4)  Example workaround

Computer Center, CS, NCTU 20 FreeBSD Security Advisories (5)  Example solution

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.