You may be lucky. You may be administering a network that isn't connected to any other network, especially the Internet. Your servers and network components could be secure in locked rooms. And you may be able to trust your users. In this case, you might not need to secure your Linux network.
However, most LANs are connected to other networks. Many users need Internet connections to be productive. Unfortunately, any Internet access can expose your LAN to crackers who want to break into your systems.
There are best practices associated with network security, such as providing various levels of physical security for your computers and network components; configuring different levels of firewalls for your web server and internal LAN; encrypting communications with tools and protocols such as Kerberos and GPG; hashing your passwords with MD5 and storing them in the shadow password file; and providing different levels of password security on your BIOS and Linux bootloader.
Pluggable Authentication Modules (PAM) let you limit access to specific applications, as defined in the /etc/pam.d directory. The files in this directory are associated with different applications. The four types of PAM modules are password, session, account, and auth. Each module is associated with one of four control flags: optional, required, requisite, and sufficient. These control flags drive the response to the module.
The main Red Hat Linux firewall utility is iptables. Firewall rules are organized into chains, and packets are checked against the built-in chains for three directions of traffic: INPUT, OUTPUT, and FORWARD. You can configure iptables to match different patterns: IP addresses, TCP/IP ports, even patterns that can prevent the ping of death. When a firewall rule matches a pattern, you can set iptables to ACCEPT, DROP, REJECT, or LOG the occurrence.
You can also configure iptables for IP Masquerading. This is a form of Network Address Translation that hides the address of the computers on your LAN requesting access to an outside network such as the Internet. Each outgoing packet is associated with an unused port number; when the LAN gets an answer, that number is used to identify the requesting computer.
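As an added example (not code from the book), a shell script that prints the iptables rules for a small LAN gateway with the pieces described above: default policies on the INPUT and FORWARD chains, a rate limit on ICMP echo requests, a LOG rule ahead of the final DROP, and IP Masquerading on the external interface. The interface names and LAN address range are assumptions; the script only prints the commands so you can review them before running them as root.

```shell
#!/bin/sh
# Assumed (hypothetical) layout: eth0 faces the Internet, eth1 faces the LAN.
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset instead of applying it; pipe into 'sh' as root to load.
firewall_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
iptables -A INPUT -j DROP
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Count how many rules jump to a given target, e.g. "MASQUERADE" or "LOG".
count_target() {
    firewall_rules | grep -c -- "-j $1"
}

firewall_rules
```

The ICMP limit and the LOG rule are the pattern-matching and logging features the chapter mentions; the MASQUERADE rule in the nat table's POSTROUTING chain is what rewrites the LAN addresses for outbound traffic.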
There are a number of ways to detect attempted break-ins to your Linux computer. One is to check the login records in /var/log/wtmp (for example, with the last command). Another is to use the Tripwire RPM package. It's also useful to check your traffic with Ethereal; it tells you if users are sending their passwords over the network in clear text.
Of course, it is possible to have too much security. Any measure that keeps your users from needed services may be too strong. The way you configure iptables can confuse your users.
In the next chapter, we'll examine other ways to access computers through the network. Some, such as the Remote Shell and Telnet, are not secure. On the other hand, the Secure Shell is quite secure, because it encrypts the communication and can authenticate users with passphrase-protected keys and more. You can also help protect even insecure services using the tcp_wrappers access control files.