
6.5.3 Restricting Host Access
The primary way crackers force access to a machine is by exploiting known bugs in commonly run server software. Many servers permit universal access without authentication, making it easy for a cracker to exploit those bugs. It is possible to restrict these attacks by limiting the hosts that can access your servers. You can do this with the TCP wrappers package, which is distributed as standard Linux software.

The TCP wrappers package requires that a daemon be able to treat its standard input and output as a socket connection. Given this, the TCP wrappers daemon, tcpd, can accept connections on behalf of another daemon, check for authorization, and then invoke the other daemon, turning the socket file descriptor into that daemon's standard input and output. The tcpd daemon is normally invoked by inetd and listed in /etc/inetd.conf in front of each daemon. This is because all daemons that support inetd launching are TCP wrappers compatible.

The TCP wrappers package uses the /etc/hosts.deny and /etc/hosts.allow files (see Chapter 4) to decide whether or not to allow a server connection to proceed. You will usually want all Beowulf nodes to trust each other and only restrict outside access to the system. Unless you are providing public services from your cluster, such as web and database access, you will probably want to deny outside access to all services except login facilities.
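The order in which tcpd consults the two files can be checked with a small model. This is an added example, not code from the book or from the TCP wrappers package: it is a simplified Python evaluator that handles only ALL, trailing-dot network prefixes, net/mask pairs and exact addresses. The 192.168.1.0/24 cluster network, the sshd login daemon name and the client addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample policy (assumptions: cluster nodes are on 192.168.1.0/24
# and the only login service offered to outside hosts is named sshd).
HOSTS_ALLOW = """\
# nodes trust each other for every wrapped service
ALL: 192.168.1.
# outside hosts may reach the login daemon only
sshd: ALL
"""
HOSTS_DENY = "ALL: ALL\n"

def parse(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")          # simplified: ignores option fields
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):             # network prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    if "/" in pattern:                    # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)
    return pattern == ip

def decide(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is searched first, then hosts.deny; first match wins."""
    for verdict, text in (("allow", allow), ("deny", deny)):
        for daemons, clients in parse(text):
            if (daemon in daemons or "ALL" in daemons) and \
               any(client_matches(c, ip) for c in clients):
                return verdict
    return "allow"   # nothing matched in either file: access is granted

if __name__ == "__main__":
    for d, ip in [("sshd", "203.0.113.7"), ("in.ftpd", "203.0.113.7"),
                  ("in.ftpd", "192.168.1.12"), ("in.ftpd", "192.168.10.12")]:
        print(f"{d:8s} from {ip:15s} -> {decide(d, ip)}")
```

The last line of `decide` is the case to watch: with an empty hosts.deny, any service not named in hosts.allow is open to every host.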
Rather than protecting every single one of your daemons with TCP wrappers, you can shield your entire system behind a firewall, where you can regulate network access at both the packet and protocol levels. This is becoming an increasingly necessary measure as security attacks become more common. Even though an IP-masquerading worldly node already has the necessary support to be used as a firewall, you should not configure it as a firewall. Instead, you should place the worldly node directly behind a firewall. Firewalls come in many shapes and sizes, including dedicated hardware running custom ROMs. But the easiest way to set up a firewall is to use the Linux operating system and a spare PC equipped with two network interface cards. The Linux Documentation Project [9] provides information on how to do this in its Firewall HOWTO document. The benefit of securing your Beowulf behind a firewall is that you can implement security policies at a single administrative point and restrict access of arbitrary network packets rather than on a connection attempt basis.

[9] The Linux Documentation Project pages are mirrored at several different web sites, but the master page is located at: http://metalab.unc.edu/LDP/

 



How to Build a Beowulf: A Guide to the Implementation and Application of PC Clusters (Scientific and Engineering Computation)
ISBN: 026269218X
EAN: 2147483647
Year: 1999
Pages: 134
