2.2. Server Security
- Keep all services current, to protect against the latest threats.
- Use secure protocols whenever possible.
- Serve only one type of network service per machine whenever possible.
- Monitor all servers carefully for suspicious activity.
2.2.1. Securing Services With TCP Wrappers and xinetd
xinetd is a super server that provides additional access, logging, binding, redirection, and resource utilization control for the services it manages.
Use iptables firewall rules together with TCP Wrappers and xinetd to create redundancy within service access controls. Refer to Section 2.8, “Firewalls” for more information about implementing firewalls with iptables commands.
2.2.1.1. Enhancing Security With TCP Wrappers
Refer to the hosts_options man page for information about the TCP Wrapper functionality and control language. Refer to the xinetd.conf man page, available online at http://linux.die.net/man/5/xinetd.conf, for available flags, which act as options you can apply to a service.
2.2.1.1.1. TCP Wrappers and Connection Banners
This example implements a banner for vsftpd. To begin, create a banner file. It can be anywhere on the system, but it must have the same name as the daemon. For this example, the file is called /etc/banners/vsftpd and contains the following lines:
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.
The %c token supplies a variety of client information, such as the user name and hostname, or the user name and IP address, to make the connection even more intimidating.
For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:
vsftpd : ALL : banners /etc/banners/
2.2.1.1.2. TCP Wrappers and Attack Warnings
To deny any connection attempts from a host or network that has been seen attacking the server, and to log the attempts to a special file, add a line like the following to the /etc/hosts.deny file:
ALL : 184.108.40.206 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
The %d token supplies the name of the service that the attacker was trying to access.
To allow the denial and logging of the attack, place the spawn directive in the /etc/hosts.deny file. Because the spawn directive executes any shell command, it is a good idea to create a special script to notify the administrator or execute a chain of commands in the event that a particular client attempts to connect to the server.
2.2.1.1.3. TCP Wrappers and Enhanced Logging
For connection attempts of particular concern, the severity option can place an emerg flag in the log files instead of the default flag, info, while the connection is denied. To do this, place the following line in the /etc/hosts.deny file:
in.telnetd : ALL : severity emerg
This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.
2.2.1.2. Enhancing Security With xinetd
This section focuses on using xinetd to set a trap service and to control the resource levels available to any given xinetd service. Setting resource limits for services can help thwart Denial of Service (DoS) attacks. Refer to the xinetd.conf man page for a list of available options.
2.2.1.2.1. Setting a Trap
An important feature of xinetd is its ability to add hosts to a global no_access list. Hosts on this list are denied subsequent connections to services managed by xinetd for a specified period or until xinetd is restarted. You can do this using the SENSOR attribute. This is an easy way to block hosts attempting to scan the ports on the server.
The first step in setting up a SENSOR is to choose a service you do not plan on using. For this example, Telnet is used. Edit the file /etc/xinetd.d/telnet and change the flags line to read:
flags = SENSOR
Then add the following line to set how long a host that triggers the sensor is denied:
deny_time = 30
Other acceptable values for the deny_time attribute are FOREVER, which keeps the ban in effect until xinetd is restarted, and NEVER, which allows the connection and logs it.
Finally, the last line should read as follows, which enables the trap itself:
disable = no
While using SENSOR is a good way to detect and stop connections from undesirable hosts, it has two drawbacks:
- It does not work against stealth scans.
- An attacker who knows that a SENSOR is running can mount a Denial of Service attack against particular hosts by forging their IP addresses and connecting to the forbidden port.
2.2.1.2.2. Controlling Server Resources
Another important feature of xinetd is its ability to set resource limits for services under its control. It does this through the following directives:
- cps = <number_of_connections> <wait_period> — Limits the rate of incoming connections. This directive takes two arguments:
  - <number_of_connections> — The number of connections per second to handle. If the rate of incoming connections is higher than this, the service is temporarily disabled. The default value is fifty (50).
  - <wait_period> — The number of seconds to wait before re-enabling the service after it has been disabled. The default interval is ten (10) seconds.
- instances = <number_of_connections> — Specifies the total number of connections allowed to a service. This directive accepts either an integer value or
- per_source = <number_of_connections> — Specifies the number of connections allowed to a service by each host. This directive accepts either an integer value or
- rlimit_as = <number[K|M]> — Specifies the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or
- rlimit_cpu = <number_of_seconds> — Specifies the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or
Using these directives can help prevent any one xinetd service from overwhelming the system, resulting in a denial of service.
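To check the trap settings and resource limits described in this section against actual service stanzas, here is an added audit script; it is not part of the Red Hat guide or of xinetd. It parses the "service name { attribute = value }" stanza format used by the files in /etc/xinetd.d, runs over a constructed sample configuration (the telnet and rsync stanzas are made up), and reports enabled services that lack the limits listed above, or a SENSOR trap whose deny_time is NEVER.

```python
"""Audit xinetd stanzas for missing resource limits or a toothless SENSOR trap.
Added example, not from the Red Hat guide or xinetd. SAMPLE_CONF is constructed,
not a real file; assumes no defaults {} stanza sets disable (unset = enabled)."""
import re

SAMPLE_CONF = """service telnet
{
    flags       = SENSOR
    deny_time   = 30
    disable     = no
}
service rsync
{
    disable     = no
    server      = /usr/bin/rsync
    per_source  = 5
}
"""
LIMIT_KEYS = ("cps", "instances", "per_source", "rlimit_as", "rlimit_cpu")
STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*[+-]?=\s*(.*?)\s*$")  # also accepts += / -=

def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for every stanza in text."""
    services = {}
    for name, body in STANZA_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            match = ATTR_RE.match(line.split("#", 1)[0])  # drop trailing comments
            if match:
                attrs[match.group(1)] = match.group(2)
        services[name] = attrs
    return services

def audit(text):
    """Return {service_name: [findings]} for enabled services only."""
    findings = {}
    for name, attrs in parse_xinetd(text).items():
        if attrs.get("disable", "no").lower() == "yes":
            continue  # not reachable, nothing to limit
        issues = []
        if "SENSOR" in attrs.get("flags", "").split():
            if attrs.get("deny_time", "").upper() == "NEVER":  # logs, never bans
                issues.append("SENSOR trap with deny_time = NEVER only logs")
        elif missing := [key for key in LIMIT_KEYS if key not in attrs]:
            issues.append("no resource limits: " + ", ".join(missing))
        if issues:
            findings[name] = issues
    return findings
```

Run audit() over the concatenated contents of /etc/xinetd.d/* to see which enabled services have no cps, instances, per_source or rlimit_* ceiling at all.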