This is very powerful and reacts exceedingly quickly to port scanners. It also uses very little CPU time.

For UDP mode I choose:

-sudp - "Stealth" UDP scan detection mode

With the "Stealth" UDP scan detection mode (-sudp protocol mode type), the UDP ports will be listed and then monitored.

- To start PortSentry in the two modes selected above, use the commands:

[root@deep /]# /usr/psionic/portsentry/portsentry -atcp
[root@deep /]# /usr/psionic/portsentry/portsentry -sudp

NOTE: You can add the above lines to your /etc/rc.d/rc.local script file and the PortSentry software will be started automatically if you reboot your system.

Installed files

> /usr/psionic
> /usr/psionic/portsentry
> /usr/psionic/portsentry/portsentry.conf
> /usr/psionic/portsentry/portsentry.ignore
> /usr/psionic/portsentry/portsentry

180 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing

Chapter 11 Securities Software (Network Services)

In this Chapter

Linux OpenSSH Client/Server
Configurations
Configure OpenSSH to use TCP-Wrappers inetd super server
OpenSSH Per-User Configuration
OpenSSH Users Tools
Linux SSH2 Client/Server
Configurations
Configure sshd2 to use tcp-wrappers inetd super server
Ssh2 Per-User Configuration
SSH2 Users Tools

Securities Software (Network Services) 1 CHAPTER 1

Linux OpenSSH Client/Server

Overview

As illustrated in Chapter 2, Installation of your Linux Server, many network services including, but not limited to, telnet, rsh, rlogin, or rexec are vulnerable to electronic eavesdropping. As a consequence, anyone who has access to any machine connected to the network can listen in on their communication and get your password, as well as any other private information that goes over the network in plain text. Currently the Telnet program is indispensable for daily administration tasks, but it is insecure since it transmits your password in plain text over the network and allows any listener to thereby use your account to do any evil he likes. To solve this problem we must find another way, or program, to replace it. Fortunately OpenSSH is a truly seamless and secure replacement for old, insecure and obsolete remote login programs such as telnet, rlogin, rsh, rdist, or rcp.

According to the official OpenSSH README file:

Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, rcp, and rdist.

In our configuration we have configured OpenSSH to support tcp-wrappers (the inetd super server) to improve the security of this already secure program and to avoid always running its daemon in the background of the server. In this way, the program will run only when client connections arrive, and those connections are passed through the TCP-WRAPPERS daemon for authentication and authorization before the connection to the server is allowed. OpenSSH is a free replacement for and improvement of SSH1, with all patent-encumbered algorithms removed (to external libraries), all known security bugs fixed, new features reintroduced and many other clean-ups. It is recommended that you use OpenSSH (free, with security bugs fixed) instead of SSH1 (free, buggy, and old) or SSH2, which was originally free but is now under a commercial license. For people that use SSH2 from the Datafellows Company, we'll provide both versions in this book, beginning with OpenSSH, as it is the new SSH program which everyone must move to in the future.

These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (other paths are possible).
Installations were tested on Red Hat Linux 6.1 and 6.2.
All steps in the installation will happen in the super-user account root.
OpenSSH version number is 1.2.3

Packages

OpenSSH Homepage: http://violet.ibs.com.au/openssh/
You must be sure to download: openssh-1.2.3.tar.gz

Prerequisites

OpenSSH requires that the zlib-devel package, which contains the header files and libraries needed to develop programs that use the zlib compression and decompression library, be already installed on your system. If this is not the case, you must install it from your Red Hat Linux 6.1 or 6.2 CD-ROM.

- To verify that the zlib-devel package is installed on your Linux system, use the following command:

[root@deep /]# rpm -qi zlib-devel
package zlib-devel is not installed

- To install the zlib-devel package on your Linux system, use the following commands:

[root@deep /]# mount /dev/cdrom /mnt/cdrom/
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh zlib-devel-version.i386.rpm
zlib-devel ##################################################
[root@deep RPMS]# cd /; umount /mnt/cdrom/

OpenSSL, which enables support for SSL functionality, must already be installed on your system to be able to use the OpenSSH software.

NOTE: For more information on the OpenSSL server, see its related chapter in this book. Even if you don't need to use the OpenSSL software to create or hold encrypted key files, it's important to note that the OpenSSH program requires its library files to be able to work properly on your system.

Tarballs

It is a good idea to make a list of files on the system before you install OpenSSH, and one afterwards, and then compare them using diff to find out what files it placed where. Simply run find /* > OpenSSH1 before and find /* > OpenSSH2 after you install the software, and use diff OpenSSH1 OpenSSH2 > OpenSSH-Installed to get a list of what changed.

Compilation

Decompress the tarball (tar.gz).

[root@deep /]# cp openssh-version.tar.gz /var/tmp
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf openssh-version.tar.gz

Compile and Optimize

Step 1
Move into the new OpenSSH directory and type the following commands on your terminal:

CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--with-tcp-wrappers \
--with-ipv4-default \
--with-ssl-dir=/usr/include/openssl

This tells OpenSSH to set itself up for this particular hardware setup with:

- Compiled-in libwrap and enabled TCP Wrappers (/etc/hosts.allow|deny) support.
- Disabled long delays in name resolution under Linux/glibc-2.1.2 to improve connection time.
- Specified locations of the OpenSSL libraries required by the OpenSSH program to work.
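The "find before, find after, diff" bookkeeping from the Tarballs section, written out as an added shell example (not code from the book): it snapshots a tree with find, sorts the listings so the comparison is stable, prunes /proc and /sys so kernel-generated entries are not mistaken for installed files, and uses comm to report added and removed paths separately. The demo at the bottom runs on a constructed temporary directory standing in for /, and the paths it creates are hypothetical; on a real system you would call snapshot / before.txt before the install and snapshot / after.txt afterwards.

```shell
#!/bin/sh
# Added example, not code from the book: the "find before, find after,
# diff" technique from the Tarballs section, with sorted listings and
# /proc and /sys pruned so that kernel-generated entries do not show up
# as "installed" files.
set -u
LC_ALL=C
export LC_ALL

# snapshot ROOT OUTFILE: write a sorted list of every path under ROOT,
# skipping ROOT/proc and ROOT/sys (their contents change on their own).
snapshot() {
    root=$1
    out=$2
    find "$root" \( -path "$root/proc" -o -path "$root/sys" \) -prune \
        -o -print 2>/dev/null | sort > "$out"
}

# added_files BEFORE AFTER: paths present in AFTER but not in BEFORE.
added_files() {
    comm -13 "$1" "$2"
}

# removed_files BEFORE AFTER: paths present in BEFORE but not in AFTER.
removed_files() {
    comm -23 "$1" "$2"
}

# count_added BEFORE AFTER: number of new paths, as a quick sanity check
# that the install touched roughly what you expected.
count_added() {
    added_files "$1" "$2" | wc -l | tr -d ' '
}

# Demonstration on a constructed temporary tree standing in for "/".
# The paths created below are hypothetical, not OpenSSH's real file list.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/etc" "$tmp/proc"
    : > "$tmp/usr/bin/ls"
    : > "$tmp/proc/cpuinfo"
    snapshot "$tmp" "$tmp.before"

    # what a pretend install places
    mkdir -p "$tmp/etc/ssh"
    : > "$tmp/usr/bin/ssh"
    : > "$tmp/etc/ssh/sshd_config"
    : > "$tmp/proc/noise"            # must not be reported: /proc is pruned
    rm "$tmp/usr/bin/ls"             # a removed file, reported separately
    snapshot "$tmp" "$tmp.after"

    echo "added:"
    added_files "$tmp.before" "$tmp.after" | sed "s|^$tmp||"
    echo "removed:"
    removed_files "$tmp.before" "$tmp.after" | sed "s|^$tmp||"
    rm -rf "$tmp" "$tmp.before" "$tmp.after"
}

demo
```

comm requires both inputs sorted in the same collation, which is why the script pins LC_ALL=C before sorting; a plain diff of two unsorted find listings, as in the book, works too but mixes reordered lines in with real changes.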