Module 11 - Set Up Host Security

This document discusses setting up host security on Linux systems. It describes how the super-server "inetd" was created to allow consolidating network services on one machine while controlling access. It also introduces "xinetd" which improved on "inetd" with increased logging and access controls. The document recommends using TCP Wrappers, configured via /etc/hosts.allow and /etc/hosts.deny files, to adopt an open or block everything approach for additional access control of network services.
Module 11

Set Up Host Security

Objectives

Objective 2: Set Up Host Security

The Super-Server
Years ago, when hardware was more limited, the amount of system resources, especially memory, that each process consumed was of great importance.
The problem was that administrators wanted to consolidate a lot of their network services on one Linux machine, but were running into memory limitations.
The solution was to come up with a listening service, or super server, that handled incoming connections and started the correct networking service to handle them. Thus the inetd service was born.

The inetd service has two important characteristics:
- It is a single process that can listen on multiple ports for incoming connections, starting the appropriate service when a connection comes in and connecting the inbound connection with the service.
- Also, inetd supports a sophisticated security scheme for allowing and disallowing access to these simpler networking services, many of which don't have advanced access controls built into them.
So the creation of inetd solved two problems: limited memory was conserved, and administrators gained a finer level of control over what systems or networks could access their services.
The main configuration file for inetd is /etc/inetd.conf.

Xinetd
The original inetd service is seldom seen in more recent Linux distributions. It has been replaced with xinetd, the Extended Internet Daemon.
xinetd improves upon the original goals of inetd by:
- Increasing the logging and access control ability around the managed services
- Adding defense mechanisms to protect against attacks, such as port scanners or denial of service
The xinetd configuration file is /etc/xinetd.conf.

Security with TCP_WRAPPERS
Like a firewall, it is usually good practice to adopt either a "block everything, only open what you need" mentality OR an "open everything, block only what you don't need" mentality when it comes to TCP_WRAPPERS.
TCP_WRAPPERS is configured in two files, /etc/hosts.allow and /etc/hosts.deny.
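The following Python sketch is an added example, not part of the original slides. It models the order in which TCP_WRAPPERS consults the two files, as documented in hosts_access(5) (hosts.allow first, then hosts.deny, otherwise access is granted), and applies it to both mentalities described above. The daemon names, addresses and the reduced pattern syntax (ALL, exact address, trailing-dot prefix) are assumptions for illustration.

```python
# Added example: simplified model of TCP Wrappers rule evaluation.
# Supports only "daemon_list: client_list" lines with ALL, exact addresses,
# and trailing-dot address prefixes (e.g. "192.168.1.").

def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def _match(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # address prefix match
        return value.startswith(pattern)
    return pattern == value

def matches(rules, daemon, client):
    """True if any rule names both this daemon and this client."""
    return any(any(_match(d, daemon) for d in ds) and
               any(_match(c, client) for c in cs)
               for ds, cs in rules)

def access_granted(allow_text, deny_text, daemon, client):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if matches(parse_rules(allow_text), daemon, client):
        return True
    if matches(parse_rules(deny_text), daemon, client):
        return False
    return True

# Constructed sample policies (daemon names and addresses are illustrative).
# "Block everything, only open what you need":
STRICT_ALLOW = "sshd: 192.168.1.\n"
STRICT_DENY = "ALL: ALL\n"
# "Open everything, block only what you don't need":
OPEN_ALLOW = ""
OPEN_DENY = "in.telnetd: ALL\n"

if __name__ == "__main__":
    for who in ("192.168.1.20", "203.0.113.9"):
        print("strict sshd", who,
              access_granted(STRICT_ALLOW, STRICT_DENY, "sshd", who))
    print("open in.telnetd",
          access_granted(OPEN_ALLOW, OPEN_DENY, "in.telnetd", "203.0.113.9"))
```

Because an empty or missing hosts.deny falls through to "granted", the strict policy depends on the `ALL: ALL` line being present in /etc/hosts.deny.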
