User guide

Chapter 2. Securing Your Network
2.2.1.1.2. TCP Wrappers and Attack Warnings
If a particular host or network has been detected attacking the server, TCP Wrappers can be used to
warn the administrator of subsequent attacks from that host or network using the spawn directive.
In this example, assume that a cracker from the 206.182.68.0/24 network has been detected
attempting to attack the server. Place the following line in the /etc/hosts.deny file to deny any
connection attempts from that network, and to log the attempts to a special file:
# net/mask form, so the whole 206.182.68.0/24 network matches rather than only the single address 206.182.68.0
ALL : 206.182.68.0/255.255.255.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert
The %d token supplies the name of the service that the attacker was trying to access.
To allow the connection and log it, place the spawn directive in the /etc/hosts.allow file.
Note
Because the spawn directive executes any shell command, it is a good idea to create a special
script to notify the administrator or execute a chain of commands in the event that a particular
client attempts to connect to the server.
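The following is an added example, not a script from the guide, of the kind of notification script the Note recommends. Its path, the log and stamp directories, and the throttle interval are assumptions; it takes the %c and %d tokens as its two arguments, records the attempt, and throttles repeat notifications so that a port scan from one client (which makes spawn run once per probed service) produces a single message rather than hundreds.

```shell
#!/bin/sh
# Added example, not from the guide: a script for the spawn directive.
# Assumed invocation from /etc/hosts.deny (the script path is an assumption):
#   ALL : 206.182.68.0/255.255.255.0 : spawn /usr/local/sbin/intruder_alert %c %d
# $1 = %c (client information), $2 = %d (daemon process name)

ALERT_LOG="${ALERT_LOG:-/var/log/intruder_alert}"   # assumed log path
STAMP_DIR="${STAMP_DIR:-/var/run/intruder_alert}"   # assumed per-client stamp directory
THROTTLE_SECS="${THROTTLE_SECS:-300}"               # assumed minimum gap between notifications

# record_attempt CLIENT DAEMON: append one timestamped line to ALERT_LOG.
record_attempt() {
    printf '%s refused %s from %s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$2" "$1" >> "$ALERT_LOG"
}

# should_notify CLIENT: succeed only if this client has not been reported
# within the last THROTTLE_SECS seconds. spawn runs once per connection,
# so without this a port scan would produce one message per probed port.
should_notify() {
    # Derive a safe file name from the client string (%c may contain user@host).
    stamp="$STAMP_DIR/$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')"
    now=$(date +%s)
    if [ -f "$stamp" ]; then
        last=$(cat "$stamp")
        if [ $((now - last)) -lt "$THROTTLE_SECS" ]; then
            return 1
        fi
    fi
    mkdir -p "$STAMP_DIR"
    printf '%s\n' "$now" > "$stamp"
    return 0
}

# notify_admin CLIENT DAEMON: hand the alert to syslog on the authpriv facility,
# where the other TCP Wrappers messages already go; mail could be used instead.
notify_admin() {
    logger -p authpriv.warning -t intruder_alert "refused $2 from $1"
}

# Only act when called by TCP Wrappers with both tokens.
if [ $# -eq 2 ]; then
    record_attempt "$1" "$2"
    if should_notify "$1"; then
        notify_admin "$1" "$2"
    fi
fi
```

Because the script runs with the privileges of the wrapped daemon, keep it owned by root, not writable by other users, and free of any use of the client string in a shell command without quoting.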
2.2.1.1.3. TCP Wrappers and Enhanced Logging
If certain types of connections are of more concern than others, the log level can be elevated for that
service using the severity option.
For this example, assume that anyone attempting to connect to port 23 (the Telnet port) on an FTP
server is a cracker. To denote this, log the attempt at the emerg priority instead of the default
priority, info, and deny the connection.
To do this, place the following line in /etc/hosts.deny:
in.telnetd : ALL : severity emerg
This uses the default authpriv logging facility, but elevates the priority from the default value of info
to emerg, which posts log messages directly to the console.
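Once refusals are being logged at the chosen severity, the syslog lines have to be read back to see who is being turned away. The following is an added example, not from the guide, that tallies the "refused connect from" messages TCP Wrappers writes for each denied connection, grouped by client and daemon. The sample log lines are constructed, and the log file location (/var/log/secure, where the authpriv facility is typically directed on Red Hat systems) is an assumption.

```shell
#!/bin/sh
# Added example, not from the guide: summarize TCP Wrappers refusals from syslog.
# Each denied connection is logged on the authpriv facility as
#   <date> <host> <daemon>[<pid>]: refused connect from <client>

# summarize_refusals LOGFILE: print "COUNT CLIENT DAEMON", most frequent first.
summarize_refusals() {
    awk '/refused connect from/ {
        daemon = $5
        sub(/\[.*/, "", daemon)          # strip "[pid]:" from the syslog tag
        client = $NF
        count[client " " daemon]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# make_sample_log FILE: write constructed log lines (addresses from RFC 5737 ranges).
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 12 10:21:03 ftp1 in.telnetd[2219]: refused connect from 192.0.2.10
Jan 12 10:21:04 ftp1 in.telnetd[2220]: refused connect from 192.0.2.10
Jan 12 10:21:05 ftp1 in.telnetd[2221]: refused connect from 192.0.2.10
Jan 12 10:22:40 ftp1 in.ftpd[2230]: refused connect from 192.0.2.55
Jan 12 10:23:01 ftp1 sshd[2240]: Accepted publickey for admin from 198.51.100.7 port 50022 ssh2
EOF
}

# Usage on a live system (assumed path): summarize_refusals /var/log/secure
# Run with --demo to use the constructed sample instead.
if [ "$1" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    summarize_refusals "$tmp"
    rm -f "$tmp"
fi
```

On the sample, the top line is `3 192.0.2.10 in.telnetd`: three refused Telnet connections from one client in as many seconds, which is the pattern the emerg severity in the rule above is meant to surface immediately.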
2.2.1.2. Enhancing Security With xinetd
This section focuses on using xinetd to set a trap service and using it to control resource levels
available to any given xinetd service. Setting resource limits for services can help thwart Denial of
Service (DoS) attacks. Refer to the man pages for xinetd and xinetd.conf for a list of available
options.
2.2.1.2.1. Setting a Trap
One important feature of xinetd is its ability to add hosts to a global no_access list. Hosts on this
list are denied subsequent connections to services managed by xinetd for a specified period or until
xinetd is restarted. You can do this using the SENSOR attribute. This is an easy way to block hosts
attempting to scan the ports on the server.
The first step in setting up a SENSOR is to choose a service you do not plan on using. For this
example, Telnet is used.