
110.2 Setup host security

Weight: 3

Description: Candidates should know how to set up a basic level of host security.

Key Knowledge Areas:

Awareness of shadow passwords and how they work
Turn off network services not in use
Understand the role of TCP wrappers

Terms and Utilities:

/etc/nologin
/etc/passwd
/etc/shadow
/etc/xinetd.d/
/etc/xinetd.conf
/etc/inetd.d/
/etc/inetd.conf
/etc/inittab
/etc/init.d/
/etc/hosts.allow
/etc/hosts.deny

+++ inetd/xinetd
Linux super servers (super daemons) apply security checks on behalf of the network servers they manage, so a server started this way never sees a client that failed the check. There are two primary super daemons:
inetd – relies on TCP wrappers (tcpd with /etc/hosts.allow and /etc/hosts.deny) for access control; legacy and deprecated
xinetd – access control (only_from, no_access, access_times) is built into xinetd itself, and most builds also honour the TCP wrappers files via libwrap

root@dclab:/etc/init.d# ll /etc/xinetd.conf
-rw-r--r-- 1 root root 289 Oct 26 2013 /etc/xinetd.conf

root@dclab:/etc/init.d# /etc/init.d/xinetd restart
Restarting xinetd (via systemctl): xinetd.service.

systemctl status xinetd

● xinetd.service - LSB: Starts or stops the xinetd daemon.
   Loaded: loaded (/etc/init.d/xinetd)
   Active: active (running) since Sun 2016-03-13 18:12:49 EDT; 21min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3989 ExecStop=/etc/init.d/xinetd stop (code=exited, status=0/SUCCESS)
  Process: 3998 ExecStart=/etc/init.d/xinetd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/xinetd.service
           └─4010 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6

Note the -inetd_compat flag: this xinetd also reads /etc/inetd.conf, so any entry left there is still a live listening service even though inetd itself is not installed.
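Knowing which xinetd services are really enabled, and which of them carry xinetd's own access control, is the practical side of the two bullets above. The script below is an added example written for these notes, not a command from the page or from the xinetd project. It walks an /etc/xinetd.d-style directory (a constructed sample is created under a temporary directory, so nothing on the host is read) and reports, per service file, the disable state and the only_from list. It deliberately reads only the per-service disable and only_from attributes; the defaults {} block of /etc/xinetd.conf and the enabled/disabled lists are ignored, so treat its output as a first pass to confirm against xinetd's own logs.

```bash
#!/bin/bash
# Added example: report which xinetd services would start and whether they
# are restricted by xinetd's built-in only_from control. Constructed sample
# files only; the defaults {} block and enabled/disabled lists are ignored.

# xinetd_report DIR : one line per service file: "<name> <enabled|disabled> <only_from|->"
xinetd_report() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*#/ { next }                                  # comment line
            $1 == "service"                  { name = $2 }
            $1 == "disable"   && $2 == "="   { disable = $3 }
            $1 == "only_from" && ($2 == "=" || $2 == "+=") {
                $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); only = $0  # keep the address list
            }
            END {
                if (name == "") exit                             # not a service file
                print name, (disable == "yes" ? "disabled" : "enabled"), (only == "" ? "-" : only)
            }' "$f"
    done
}

# xinetd_open_services DIR : enabled services with no only_from restriction,
# i.e. the ones to disable or restrict first
xinetd_open_services() {
    xinetd_report "$1" | awk '$2 == "enabled" && $3 == "-" { print $1 }'
}

# Constructed sample /etc/xinetd.d (hypothetical contents, not from a real host)
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
XINETD_D=$DEMO_DIR/xinetd.d
mkdir -p "$XINETD_D"

cat > "$XINETD_D/telnet" <<'EOF'
# default: off
service telnet
{
    disable     = yes
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}
EOF

cat > "$XINETD_D/tftp" <<'EOF'
service tftp
{
    disable     = no
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = nobody
    server      = /usr/sbin/in.tftpd
    server_args = -s /srv/tftp
    only_from   = 192.168.7.0/24 127.0.0.1
}
EOF

cat > "$XINETD_D/echo" <<'EOF'
service echo
{
    disable     = no
    type        = INTERNAL
    id          = echo-stream
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
}
EOF

xinetd_report "$XINETD_D"
echo "--- enabled and unrestricted:"
xinetd_open_services "$XINETD_D"
```

Run it against the real directory with xinetd_report /etc/xinetd.d. Anything listed as enabled with "-" is reachable from every address xinetd binds to; either set disable = yes and restart xinetd, or add an only_from line, which is the xinetd-native equivalent of a hosts.allow entry.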

+++ inetd config

Services launched via inetd are configured in /etc/inetd.conf (or, on Debian-derived systems, in files under /etc/inetd.d/). Every enabled line is a socket inetd listens on; a service is turned off by commenting out or removing its line and restarting inetd.

ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd -l

Service Name – must match an entry in /etc/services, which maps the name to a port and protocol:
grep -w '^ftp' /etc/services
ftp 21/tcp

Socket Type
stream – reliable two-way connection (TCP)
dgram – connectionless datagrams, less reliable but lower overhead (UDP)
raw – low-level access to the network

Protocol – tcp/udp

Wait/No Wait – whether inetd waits for the server to exit before listening on the socket again
nowait – inetd starts a new server for every request and keeps listening; for dgram sockets this is the "multi-threaded" case, where the server connects to its client and frees the original socket
wait – inetd hands the socket to a single server and waits for it to exit; for dgram sockets this is the "single-threaded" case, where the server processes all pending datagrams and then times out
Stream servers almost always use nowait; most dgram servers (tftp, for example) use wait

User – the account the server runs as; use an unprivileged user (e.g. nobody) unless the server genuinely needs root

Server Name – the program inetd executes, by full path; with TCP wrappers this is /usr/sbin/tcpd, and the real server is named in the parameters

Parameters – everything after the server name; in the example tcpd receives the real daemon (in.ftpd) and its option (-l) and execs it only once the client has passed the /etc/hosts.allow and /etc/hosts.deny check

Changes take effect after a restart (or a SIGHUP to inetd):
# /etc/init.d/inetd restart
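The field layout just described is easy to audit mechanically, and that is exactly what "turn off network services not in use" means on an inetd host: every uncommented line is a listening socket. The script below is an added example written for these notes, not code from the page. It parses an inetd.conf in that format (a constructed sample is written to a temporary file, so the host's real configuration is untouched), prints each enabled entry, and flags the properties a reviewer cares about: the server runs as root, it is started directly rather than through tcpd (so hosts.allow/hosts.deny do not apply), or it is one of inetd's internal services.

```bash
#!/bin/bash
# Added example for this page (not the page's own code): audit an inetd.conf
# for the services that are actually enabled. Field order per inetd.conf(5):
#   service socket protocol wait/nowait user server [args...]
# A service is disabled by commenting its line out, so every non-comment line
# is a socket inetd will listen on.

# audit_inetd FILE : one line per enabled entry:  service/proto user server [flags]
# flags: ROOT       runs with root privileges
#        UNWRAPPED  started directly, not via tcpd, so hosts.allow/deny do not apply
#        INTERNAL   served by inetd itself (echo, chargen, ...), rarely needed
audit_inetd() {
    local file line service socket proto mode user server flags
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                                     # split into fields
        [ $# -gt 0 ] || continue                         # blank line
        case "$1" in \#*) continue ;; esac               # commented out = disabled
        if [ $# -lt 6 ]; then printf 'MALFORMED: %s\n' "$line"; continue; fi
        service=$1; socket=$2; proto=$3; mode=$4; user=$5; server=$6
        flags=
        case "$user" in root|root.*|root:*) flags="$flags ROOT" ;; esac   # user[.group]
        case "$server" in
            internal)     flags="$flags INTERNAL" ;;
            */tcpd|tcpd)  ;;                                # wrapped: hosts.allow/deny apply
            *)            flags="$flags UNWRAPPED" ;;
        esac
        printf '%s/%s %s %s%s\n' "$service" "$proto" "$user" "$server" "$flags"
    done < "$file"
}

# count_enabled FILE : number of well-formed enabled entries, i.e. the listening footprint
count_enabled() {
    audit_inetd "$1" | grep -vc '^MALFORMED'
}

# Constructed sample inetd.conf (hypothetical, not from a real host)
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# <service> <socket> <proto> <wait> <user> <server> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
tftp    dgram   udp  wait    nobody  /usr/sbin/tcpd  in.tftpd -s /srv/tftp
echo    stream  tcp  nowait  root    internal
ident   stream  tcp  wait    identd  /usr/sbin/identd identd
EOF

audit_inetd "$SAMPLE_CONF"
printf 'enabled services: %s\n' "$(count_enabled "$SAMPLE_CONF")"
```

On a real system run audit_inetd /etc/inetd.conf (and the files under /etc/inetd.d/ if present). Entries flagged UNWRAPPED are reachable regardless of what /etc/hosts.deny says, and entries flagged ROOT should be questioned one by one; the commented-out finger line shows what a disabled service looks like in this format.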

+++ control access

root@dclab:~# ll /etc/hosts*
-rw-r--r-- 1 root root 411 Apr 22 2015 /etc/hosts.allow
-rw-r--r-- 1 root root 711 Apr 22 2015 /etc/hosts.deny

TCP wrappers (tcpd, or any daemon linked against libwrap) consults both files on every connection, in this order: /etc/hosts.allow first, then /etc/hosts.deny. The first matching line decides, and if no line in either file matches, access is granted. Each line has the form daemon_list : client_list [: options]. Because the default is permit, a hardened host normally ends /etc/hosts.deny with ALL: ALL and lists the explicit exceptions in /etc/hosts.allow. Only services started through tcpd or built with libwrap are covered; a daemon listening on its own ignores both files, and several current distributions have dropped TCP wrappers altogether, so a host firewall is the more reliable control.

hosts.deny sample

[…]: 192.168.7. EXCEPT 192.168.7.105
deny the listed daemon(s) to every host in 192.168.7.0/24 except 192.168.7.105: a trailing dot matches an address prefix, and EXCEPT carves out an exception. A rule can be checked without connecting: tcpdmatch in.ftpd 192.168.7.105
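The allow-first, deny-second, default-permit order is where most hosts.allow/hosts.deny mistakes come from, so it helps to see the decision as code. The script below is an added example written for these notes; it is not libwrap and not the page's own material. It re-implements the hosts_access(5) decision for a small subset of the pattern language (ALL, exact daemon names, exact IPv4 addresses, trailing-dot prefixes such as 192.168.7., and EXCEPT), writes a constructed hosts.allow and hosts.deny pair to a temporary directory, and evaluates the page's EXCEPT rule alongside a few others. Hostnames, netmasks, @netgroups and the spawn/twist options are not handled.

```bash
#!/bin/bash
# Added example for this page: a simplified re-implementation of the
# hosts_access(5) decision applied by TCP wrappers (tcpd/libwrap). NOT libwrap;
# understands only ALL, exact daemon names, exact IPv4 addresses,
# "192.168.7."-style prefixes and EXCEPT. Constructed sample files only.

# match_list LIST ITEM : exit 0 if ITEM matches a comma/space separated LIST,
# honouring "A EXCEPT B" (matches A but not B).
match_list() {
    local list item head tail pat old_ifs
    list=$1; item=$2
    case "$list" in
        *" EXCEPT "*)
            head=${list%% EXCEPT *}
            tail=${list#* EXCEPT }
            match_list "$head" "$item" && ! match_list "$tail" "$item"
            return
            ;;
    esac
    old_ifs=$IFS
    IFS=', '
    set -- $list                      # split on commas and blanks
    IFS=$old_ifs
    for pat in "$@"; do
        case "$pat" in
            ALL) return 0 ;;
            *.)  case "$item" in "$pat"*) return 0 ;; esac ;;   # prefix such as 192.168.7.
            *)   [ "$pat" = "$item" ] && return 0 ;;
        esac
    done
    return 1
}

# file_matches FILE DAEMON CLIENT : exit 0 if any rule line in FILE matches.
# Rule syntax: daemon_list : client_list [ : option ... ]   (first match wins)
file_matches() {
    local file daemon client line daemons rest clients
    file=$1; daemon=$2; client=$3
    [ -r "$file" ] || return 1        # a missing file simply matches nothing
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        if match_list "$daemons" "$daemon" && match_list "$clients" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# hosts_access ALLOW_FILE DENY_FILE DAEMON CLIENT : prints ALLOW or DENY using
# the libwrap order: hosts.allow first, then hosts.deny, otherwise access granted.
hosts_access() {
    if file_matches "$1" "$3" "$4"; then
        echo ALLOW
    elif file_matches "$2" "$3" "$4"; then
        echo DENY
    else
        echo ALLOW                    # no rule anywhere: permitted (the classic gotcha)
    fi
}

# Constructed sample files (hypothetical, not copied from any real host)
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
HOSTS_ALLOW=$DEMO_DIR/hosts.allow
HOSTS_DENY=$DEMO_DIR/hosts.deny

cat > "$HOSTS_ALLOW" <<'EOF'
# the management host and the jump network may reach sshd
sshd : 192.168.7.105, 10.0.0.
EOF

cat > "$HOSTS_DENY" <<'EOF'
# the page's rule: the whole /24 is denied FTP, except one host
in.ftpd : 192.168.7. EXCEPT 192.168.7.105
sshd : ALL
EOF

for probe in "in.ftpd 192.168.7.50" "in.ftpd 192.168.7.105" \
             "sshd 10.0.0.9" "sshd 203.0.113.7" "in.telnetd 203.0.113.7"; do
    set -- $probe
    printf '%-11s from %-14s -> %s\n' "$1" "$2" "$(hosts_access "$HOSTS_ALLOW" "$HOSTS_DENY" "$1" "$2")"
done
```

Two results are worth pausing on: sshd from 10.0.0.9 is allowed even though hosts.deny says sshd : ALL, because hosts.allow is consulted first; and in.telnetd from 203.0.113.7 is allowed although nobody intended that, because no rule matched. The second case is why ALL: ALL belongs at the end of /etc/hosts.deny. For the real files, tcpdmatch gives the authoritative answer, including the hostname and netmask forms this script ignores.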