The following are some of the key points from the certification objectives in Chapter 10.
NIS allows you to configure one centrally managed username and password database that is shared with the other Linux and Unix systems on your LAN.
With NIS, you maintain one password database on an NIS server and configure the other systems on the network to be NIS clients.
You can configure NIS to share other configuration files, including many of those in the /etc directory.
The NIS server stores the centralized NIS database files, which are also known as maps.
You can have only one NIS master server per NIS domain.
Password security requires good passwords from your users.
You can check for suspicious login activity with the utmpdump /var/log/wtmp command.
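The utmpdump check above is easier to apply to a long wtmp file with a small script. The following is an added example, not code from the book: it parses the classic utmpdump layout (eight bracketed fields per record: type, pid, id, user, line, host, addr, time) and flags two things a reviewer would want to see, root logins that arrive over the network and any login outside a working-hours window. Both policies, the sample records and the field layout assumption are this example's own.

```python
"""Flag suspicious login records in the output of utmpdump /var/log/wtmp.

Added example, not code from the book. It assumes the classic utmpdump
layout of eight bracketed fields per record:
[type] [pid] [id] [user] [line] [host] [addr] [time].
"""
import re
from datetime import datetime

FIELD_RE = re.compile(r"\[([^\]]*)\]")
USER_PROCESS = 7                      # utmp record type written for an interactive login
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Mar 15 09:12:01 2004"

# Constructed sample output: an ordinary user login, a root login over the
# network at 03:41, the user's logout record, and a root login on the console.
SAMPLE_WTMP = """\
[7] [01234] [ts/0] [mike    ] [pts/0       ] [192.168.1.20        ] [192.168.1.20   ] [Mon Mar 15 09:12:01 2004    ]
[7] [01301] [ts/1] [root    ] [pts/1       ] [10.11.12.13         ] [10.11.12.13    ] [Mon Mar 15 03:41:17 2004    ]
[8] [01234] [ts/0] [        ] [pts/0       ] [                    ] [0.0.0.0        ] [Mon Mar 15 17:02:45 2004    ]
[7] [01410] [1   ] [root    ] [tty1        ] [                    ] [0.0.0.0        ] [Mon Mar 15 10:00:00 2004    ]
"""


def parse_utmpdump(text):
    """Turn utmpdump lines into dicts; lines without eight fields are skipped."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in FIELD_RE.findall(line)]
        if len(fields) != 8:
            continue
        try:
            when = datetime.strptime(fields[7], TIME_FORMAT)
        except ValueError:
            when = None               # unknown time layout: keep the record, skip time checks
        records.append({
            "type": int(fields[0]), "pid": int(fields[1]), "id": fields[2],
            "user": fields[3], "line": fields[4], "host": fields[5],
            "addr": fields[6], "time": when,
        })
    return records


def suspicious_logins(records, work_hours=(8, 18)):
    """Return (record, reason) pairs worth a closer look.

    Two policies, both choices made for this example: root may log in only on
    a local console (tty*), and nobody logs in outside work_hours
    (start hour inclusive, end hour exclusive).
    """
    findings = []
    for rec in records:
        if rec["type"] != USER_PROCESS:
            continue
        remote = bool(rec["host"]) and not rec["line"].startswith("tty")
        if rec["user"] == "root" and remote:
            findings.append((rec, "root login from remote host %s" % rec["host"]))
        if rec["time"] is not None and not (work_hours[0] <= rec["time"].hour < work_hours[1]):
            findings.append((rec, "login at %s outside work hours" % rec["time"].strftime("%H:%M")))
    return findings


if __name__ == "__main__":
    for rec, reason in suspicious_logins(parse_utmpdump(SAMPLE_WTMP)):
        print("%-8s %-6s %-15s %s" % (rec["user"], rec["line"], rec["host"], reason))
```

On a real system, pipe `utmpdump /var/log/wtmp` into the script instead of using the constructed sample; logout records (type 8) and reboot markers are skipped, so only interactive logins are judged.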
Many security updates are available through Red Hat errata releases.
The best way to promote security is to delete the packages associated with services that you do not need.
Red Hat Enterprise Linux uses the Pluggable Authentication Modules (PAM) system to check for authorized users.
PAM modules are called by configuration files in the /etc/pam.d directory. These configuration files are usually named after the service or command that they control.
There are four types of PAM modules: authentication, account, password, and session management.
PAM configuration files include lines that list the module_type, the control_flag, and the path to the actual module, followed by any arguments to the module (for example, a reference to the system-auth stack).
PAM modules are well documented in the /usr/share/doc/pam-0.75/txts directory.
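To make the four-column layout concrete, the following added example (not the book's code) parses a PAM service file into its module_type, control_flag, module and argument fields, reports lines that do not fit that grammar, and then audits the result: it warns when one of the four module types has no rules at all, or when a type's stack consists only of optional rules and therefore cannot deny anything. The sample file is constructed, modelled on a classic /etc/pam.d/login stack that references system-auth through pam_stack.so.

```python
"""Parse and sanity-check a PAM service file from /etc/pam.d.

Added example, not code from the book. It reads the four-column layout
described in the summary: module_type  control_flag  module_path  [arguments].
"""
import re
from collections import namedtuple

MODULE_TYPES = ("auth", "account", "password", "session")
# required/requisite/sufficient/optional are the classic flags; include and
# substack appear in newer Linux-PAM releases.
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional", "include", "substack")

PamRule = namedtuple("PamRule", "module_type control_flag module args")

# A leading '-' marks a module whose absence should not be logged; '[...]' is
# the long form of a control flag (for example [success=ok default=bad]).
LINE_RE = re.compile(
    r"^-?(?P<type>\w+)\s+(?P<flag>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)

# Constructed sample modelled on a classic /etc/pam.d/login stack.
SAMPLE_LOGIN = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
"""


def parse_pam_config(text):
    """Return (rules, errors). Comments and blank lines are skipped."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append("line %d: cannot parse %r" % (lineno, raw))
            continue
        mtype, flag = m.group("type").lower(), m.group("flag").lower()
        if mtype not in MODULE_TYPES:
            errors.append("line %d: unknown module type %r" % (lineno, mtype))
        if not flag.startswith("[") and flag not in CONTROL_FLAGS:
            errors.append("line %d: unknown control flag %r" % (lineno, flag))
        rules.append(PamRule(mtype, flag, m.group("module"), (m.group("args") or "").split()))
    return rules, errors


def audit_pam_stack(rules):
    """Warn about module types that are absent or that cannot refuse access."""
    warnings = []
    for mtype in MODULE_TYPES:
        stack = [r for r in rules if r.module_type == mtype]
        if not stack:
            warnings.append("no %s rules: nothing is configured for that phase" % mtype)
        elif all(r.control_flag == "optional" for r in stack):
            warnings.append("%s stack is entirely optional, so no module failure can deny access" % mtype)
    return warnings


if __name__ == "__main__":
    rules, errors = parse_pam_config(SAMPLE_LOGIN)
    for r in rules:
        print("%-9s %-11s %-18s %s" % (r.module_type, r.control_flag, r.module, " ".join(r.args)))
    for msg in errors + audit_pam_stack(rules):
        print("WARNING:", msg)
```

Run it against a real file with `parse_pam_config(open("/etc/pam.d/login").read())`; a typo in a control flag (which PAM would otherwise treat as a configuration error) shows up in the errors list rather than being silently accepted.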
Red Hat Enterprise Linux includes two logging daemons: klogd for kernel messages and syslogd for all other process activity. Both are activated by the syslog service script.
You can use log files generated by the syslogd daemon to track activities on your system.
Most log files are stored in /var/log.
You can configure what is logged through the syslog configuration file, /etc/syslog.conf.
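Which file a given message ends up in depends on how the selectors in /etc/syslog.conf combine. The following added example (not the book's code) implements the classic sysklogd selector rules: `facility.priority` matches that priority and every higher one, `=` matches one priority exactly, `!` excludes, `none` drops a facility, and within one line later selectors override earlier ones. The configuration is a constructed sample modelled on a typical Red Hat syslog.conf; the behaviour of `mail.none` and `authpriv.none` on the `/var/log/messages` line is the part most people get wrong.

```python
"""Resolve where syslogd would write a message, given an /etc/syslog.conf.

Added example, not code from the book. Implements the selector grammar of
the classic sysklogd syslog.conf (facility.priority, '=', '!', 'none', '*').
"""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed sample modelled on a typical Red Hat syslog.conf.
SAMPLE_CONF = """\
# Log anything of level info or higher, except mail, authpriv and cron.
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
authpriv.*                                      /var/log/secure
mail.*                                          -/var/log/maillog
cron.*                                          /var/log/cron
*.emerg                                         *
"""


def _level(name):
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_matches(selector, facility, priority):
    """Evaluate one 'fac1,fac2.prio' selector.

    Returns True or False when the selector covers the facility, None when it
    does not mention the facility at all (so it has no say on this line).
    """
    facs, _, prio = selector.rpartition(".")
    fac_list = facs.split(",")
    if facility not in fac_list and "*" not in fac_list:
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    if prio.startswith("!="):
        return _level(priority) != _level(prio[2:])
    if prio.startswith("!"):
        return _level(priority) < _level(prio[1:])
    if prio.startswith("="):
        return _level(priority) == _level(prio[1:])
    return _level(priority) >= _level(prio)


def route(conf_text, facility, priority):
    """Return the actions (log files, or '*' for every logged-in user) that receive the message."""
    actions = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, action = line.split(None, 1)
        decision = False
        for sel in selectors.split(";"):
            verdict = selector_matches(sel, facility, priority)
            if verdict is not None:
                decision = verdict        # later selectors on the line override earlier ones
        if decision:
            actions.append(action.lstrip("-"))   # a leading '-' only disables syncing after each write
    return actions


if __name__ == "__main__":
    for fac, pri in [("kern", "err"), ("authpriv", "info"), ("mail", "debug"), ("kern", "emerg")]:
        print("%-9s %-6s -> %s" % (fac, pri, ", ".join(route(SAMPLE_CONF, fac, pri))))
```

Reading the real file is `route(open("/etc/syslog.conf").read(), "authpriv", "info")`; the answer `/var/log/secure` alone, not `/var/log/messages`, is exactly the effect of `authpriv.none` on the first line.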
xinetd is the Extended Internet Services Daemon, which acts as a 'super-server' for a number of other network services, such as IMAP, POP, and Telnet.
Individual services have their own management scripts in the /etc/xinetd.d directory.
Most xinetd services are disabled by default.
You can activate an xinetd service with the appropriate chkconfig command, or by directly editing its xinetd script.
xinetd listens for connection requests from client applications.
When xinetd receives a connection request, it starts the server associated with the TCP/IP port, then waits for other connection requests.
Red Hat Enterprise Linux comes with a package known as libwrap or tcp_wrappers. This package, which is enabled by default, allows you to limit access to various xinetd services.
You configure the access rules for tcp_wrappers through the /etc/hosts.allow and /etc/hosts.deny configuration files.
Clients listed in /etc/hosts.allow are allowed access; clients listed in /etc/hosts.deny are denied access.
Services can also be configured in /etc/hosts.allow and /etc/hosts.deny. Remember to use the actual name of the daemon, such as telnetd.
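The order in which libwrap consults the two files decides the outcome: a match in /etc/hosts.allow grants access, otherwise a match in /etc/hosts.deny refuses it, and a client matched by neither file is allowed in. The following added example (not code from the book or from tcp_wrappers) models that decision for a daemon name and a client, including the ALL and LOCAL wildcards, domain-suffix and network-prefix patterns, address/netmask pairs and the EXCEPT operator. The two configuration files are constructed samples; the telnet daemon is named in.telnetd, the process name on Red Hat systems, and the option field after a second colon is ignored.

```python
"""Model the tcp_wrappers (libwrap) access decision for a daemon and client.

Added example, not code from the book or from tcp_wrappers. Lookup order:
a match in hosts.allow grants access; otherwise a match in hosts.deny
refuses it; otherwise access is granted.
"""
import ipaddress

# Constructed sample files. hosts.deny closes everything; hosts.allow then
# opens sshd to the LAN (minus one host) and in.telnetd to one admin host
# plus any unqualified (LOCAL) host name.
HOSTS_ALLOW = """\
sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.250
in.telnetd : admin.example.com, LOCAL
"""
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list) pairs; a third 'option' field is ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        # list items may be separated by blanks and/or commas
        rules.append((parts[0].replace(",", " ").split(), parts[1].replace(",", " ").split()))
    return rules


def match_client(pattern, host, addr):
    """Apply one client pattern to a (hostname, address) pair."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host                       # unqualified name = local host
    if pattern.startswith("."):
        return host.endswith(pattern)                # domain suffix, e.g. .example.com
    if pattern.endswith("."):
        return addr.startswith(pattern)              # network prefix, e.g. 192.168.1.
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == host or pattern == addr


def match_list(patterns, matcher):
    """Handle 'a b EXCEPT c d': match the left side but none of the right side."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return match_list(patterns[:i], matcher) and not match_list(patterns[i + 1:], matcher)
    return any(matcher(p) for p in patterns)


def hosts_access(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return True if libwrap would let `daemon` serve the client (host, addr)."""
    def matches(rules):
        for daemons, clients in rules:
            if match_list(daemons, lambda p: p in ("ALL", daemon)) and \
               match_list(clients, lambda p: match_client(p, host, addr)):
                return True
        return False

    if matches(parse_rules(allow_text)):
        return True
    if matches(parse_rules(deny_text)):
        return False
    return True                                      # matched by neither file: allowed


if __name__ == "__main__":
    for args in [("sshd", "ws1.example.com", "192.168.1.20"),
                 ("sshd", "ws250.example.com", "192.168.1.250"),
                 ("in.telnetd", "admin.example.com", "10.0.0.9"),
                 ("in.ftpd", "ws1.example.com", "192.168.1.20")]:
        print("%-11s %-18s %-14s %s" % (args + ("allow" if hosts_access(*args) else "deny",)))
```

The default-allow fallthrough at the end is the reason a hosts.deny containing `ALL : ALL` is the usual starting point: without it, every service not mentioned in either file is open to everyone.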
Firewalls can secure an internal network as a packet filter that controls the information that comes in, goes out, and is forwarded through the internal network.
The current firewall configuration utility is iptables, which has replaced ipchains.
The iptables utility retains a number of elements of ipchains. iptables directives are sets of rules, chained together; each network packet is compared against the rules in a chain in turn, and the action of the matching rule is applied.
Each rule sets conditions required to match the rule, and then specifies the action taken if the packet matches the rule.
Use the service iptables save command to save the chains you have configured to the /etc/sysconfig/iptables configuration file.
NAT modifies the header of packets coming from a LAN. It replaces the source address with the public address of the firewall computer, and the source port with a randomly chosen port number.
Linux supports a variation of NAT called IP masquerading.
IP masquerading allows you to provide Internet access to multiple computers with a single officially assigned IP address.
With IP masquerading, replies coming back to the network are sorted by that random port number. The original source address is taken from the cache and written back into the packet, so the message gets to the right computer.
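The port-number bookkeeping that makes masquerading work is easiest to see in a small simulation. The following added example (not the book's code) models the firewall's translation table: an outbound packet from a LAN host has its source address replaced by the public address and its source port by a port taken from a pool, the mapping is cached, and a reply arriving at that public port is rewritten back to the LAN host. It also shows the two failure modes a real implementation has to handle, an unsolicited inbound packet with no table entry and an exhausted port pool. Packets are plain dicts, the addresses are constructed documentation addresses, and the sequential port pool stands in for the kernel's random choice so the result is predictable.

```python
"""Simulate the address and port rewriting performed by IP masquerading.

Added example, not code from the book. Packets are dicts with src/sport/
dst/dport keys; the firewall keeps a table keyed by the public port it hands
out, which is how a reply is matched back to the LAN host that sent the
original request. Ports are taken sequentially from a small constructed pool.
"""


class Masquerader:
    def __init__(self, public_ip, ports=range(61000, 61010)):
        self.public_ip = public_ip
        self.free_ports = list(ports)   # constructed small pool; a kernel uses a large range
        self.table = {}                 # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.flows = {}                 # (lan_ip, lan_port, remote_ip, remote_port) -> public port

    def outbound(self, pkt):
        """Rewrite a LAN->Internet packet; returns None if no public port is free."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.flows.get(key)      # an existing flow keeps its port
        if port is None:
            if not self.free_ports:
                return None             # pool exhausted: the packet cannot be translated
            port = self.free_ports.pop(0)
            self.flows[key] = port
            self.table[port] = key
        return dict(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Rewrite an Internet->firewall reply back to the LAN host; None means drop it."""
        entry = self.table.get(pkt["dport"])
        if pkt["dst"] != self.public_ip or entry is None:
            return None                 # nothing in the table asked for this: unsolicited
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (pkt["src"], pkt["sport"]) != (remote_ip, remote_port):
            return None                 # right port, wrong remote endpoint: not this flow
        return dict(pkt, dst=lan_ip, dport=lan_port)

    def close(self, public_port):
        """Tear down a mapping and return its port to the pool."""
        key = self.table.pop(public_port, None)
        if key is not None:
            del self.flows[key]
            self.free_ports.append(public_port)


def demo():
    """Two LAN hosts using the same source port talk to the same web server."""
    fw = Masquerader("203.0.113.7")
    a = fw.outbound({"src": "192.168.1.10", "sport": 40000, "dst": "198.51.100.5", "dport": 80})
    b = fw.outbound({"src": "192.168.1.11", "sport": 40000, "dst": "198.51.100.5", "dport": 80})
    reply = fw.inbound({"src": "198.51.100.5", "sport": 80, "dst": "203.0.113.7", "dport": b["sport"]})
    return fw, a, b, reply


if __name__ == "__main__":
    fw, a, b, reply = demo()
    print("host A leaves as  %s:%d" % (a["src"], a["sport"]))
    print("host B leaves as  %s:%d" % (b["src"], b["sport"]))
    print("reply to B lands  %s:%d" % (reply["dst"], reply["dport"]))
```

The demo deliberately gives both LAN hosts the same source port: only the firewall-assigned public port distinguishes their flows, which is why the table is keyed by it rather than by address alone.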
A firewall computer needs at least two network cards: one on the LAN, and the other on an external network such as the Internet.
IP forwarding is more commonly known as routing.
Routing is critical to the operation of the Internet or any IP network.
To enable IP forwarding, edit /etc/sysctl.conf and change the net.ipv4.ip_forward line to read net.ipv4.ip_forward = 1.
To enable IP forwarding immediately, type the echo 1 > /proc/sys/net/ipv4/ip_forward command.