Boot Loader
Boot loader security means setting a password in GRUB or LILO, so that nobody at the console can edit the kernel command line (for example to append "single" or "init=/bin/sh"), and requiring a password for single-user mode (on Red Hat, the "~~:S:wait:/sbin/sulogin" line in /etc/inittab). Without both, physical access to the console is root access, and a BIOS password is still needed to stop booting from other media.
TCP Wrappers
Services linked against libwrap (and those started by xinetd) consult two files in /etc: "hosts.allow" and "hosts.deny". The lookup order is: hosts.allow is searched first and a match grants access; otherwise hosts.deny is searched and a match denies access; if neither file matches, access is granted. So hosts.allow takes precedence over hosts.deny, and a missing or empty hosts.deny blocks nothing. Each line is "daemon_list : client_list", where the daemon is the process name (in.telnetd, sshd, vsftpd) and the clients are addresses, host names, ".domain" suffixes or "a.b.c." network prefixes. The file format is shown below with examples (the "<>" entries are placeholders to be filled in):
[root@localhost root]# vi /etc/hosts.allow
in.telnetd : 192.168.10.3 192.168.10.20
vsftpd : .com yahoo.com
sshd : <>
pop3d : <>
portmap: <>
...
[root@localhost root]# vi /etc/hosts.deny
in.telnetd : 192.168.10.3 192.168.10.20
vsftpd : .com yahoo.com
sshd : <>
pop3d : <>
portmap: <>
...
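The lookup order described above, as an added example that is not code from the page or from the tcp_wrappers package: a small shell emulation of how tcpd decides a (daemon, client) pair against constructed hosts.allow and hosts.deny files. It understands only ALL, exact names or addresses, ".domain" suffixes and "a.b.c." network prefixes (no EXCEPT, netmasks or option fields); the file contents and the address 192.168.10.0/24 are assumptions for the example. On a real host, tcpdmatch(8) performs the same check against the live /etc files.

```shell
#!/bin/sh
# Added example (not the page's or tcp_wrappers' code): emulate the lookup
# order tcpd applies to a (daemon, client) pair, using constructed
# hosts.allow/hosts.deny files. Assumptions: only ALL, exact names or
# addresses, ".domain" suffixes and "a.b.c." network prefixes are
# understood; no EXCEPT, netmasks or shell-command option fields.

match_token() {               # $1 pattern, $2 daemon name or client address/name
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;    # domain suffix, e.g. .yahoo.com
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;    # network prefix, e.g. 192.168.10.
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

match_list() {                # $1 space-separated pattern list, $2 value to match
    for tok in $1; do
        match_token "$tok" "$2" && return 0
    done
    return 1
}

file_matches() {              # $1 file, $2 daemon, $3 client: 0 if some line matches
    [ -f "$1" ] || return 1
    while IFS=: read -r dlist clist _rest; do
        case "$dlist" in '#'*|'') continue ;; esac          # skip comments and blank lines
        if match_list "$dlist" "$2" && match_list "$clist" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# The order tcpd uses: a match in hosts.allow grants access, otherwise a
# match in hosts.deny refuses it, otherwise the connection is accepted.
wrap_decision() {             # $1 daemon, $2 client, $3 hosts.allow, $4 hosts.deny
    if file_matches "$3" "$1" "$2"; then echo ALLOW
    elif file_matches "$4" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

# Constructed sample files standing in for /etc/hosts.allow and /etc/hosts.deny.
WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$WRAP_DIR"' EXIT
ALLOW=$WRAP_DIR/hosts.allow
DENY=$WRAP_DIR/hosts.deny
cat > "$ALLOW" <<'EOF'
# telnet only from two admin stations, ssh from the whole LAN
in.telnetd : 192.168.10.3 192.168.10.20
sshd : 192.168.10.
EOF
cat > "$DENY" <<'EOF'
ALL : ALL
EOF

for pair in "in.telnetd 192.168.10.3" "in.telnetd 192.168.10.99" "sshd 192.168.10.99" "sshd 10.0.0.5"; do
    set -- $pair
    printf '%-12s %-16s %s\n' "$1" "$2" "$(wrap_decision "$1" "$2" "$ALLOW" "$DENY")"
done
```

The "ALL : ALL" line in hosts.deny is the usual closing rule: with it, anything not explicitly listed in hosts.allow is refused, which is the only configuration in which hosts.deny actually matters.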
SSH - Secure Shell
Note: see the network page for ssh configuration.
Security for telnet and pop3
For services started by xinetd you can add two attributes to the service file (/etc/xinetd.d/telnet or /etc/xinetd.d/ipop3) to restrict which clients may connect: only_from lists the addresses or networks that are allowed, no_access lists those that are refused, and when both match the more specific entry wins. Reload xinetd afterwards (service xinetd reload). Note that telnet and pop3 both send the password in clear text over the network; these lists limit who can reach the service, they do not protect the credentials. Prefer ssh and pop3s where possible.
[root@localhost root]# vi /etc/xinetd.d/telnet
Or
[root@localhost root]# vi /etc/xinetd.d/ipop3
only_from = <>
no_access = <>
TRIPWIRE
The necessary rpm is,
[root@localhost root]# rpm -ivh tripwire.rpm
Now run the installation script:
[root@localhost root]# sh /etc/tripwire/twinstall.sh
-> It asks you to set two passphrases:
1. Site keyfile passphrase (protects the configuration and policy files).
2. Local keyfile passphrase (protects the database and reports of this host).
It prompts for these passphrases again while it signs the configuration and policy files.
[root@localhost root]# vi /etc/tripwire/twpol.txt
-> This is the policy file: it lists which files and directories tripwire monitors and which attributes (permissions, owner, size, hashes) it checks. Edit it to match the system; after editing, the signed policy file must be regenerated (twadmin --create-polfile /etc/tripwire/twpol.txt, which asks for the site passphrase).
[root@localhost root]# tripwire --init
-> This builds the baseline database from the policy. It is written to /var/lib/tripwire; the database file is named after the host (hostname.twd) and reports go into the "report" subdirectory.
[root@localhost root]# cd /var/lib/tripwire
[root@localhost tripwire]# ls
report sys3.iiht.com.twd
[root@localhost tripwire]# twprint -m d | less
-> The database is signed and stored in a binary format, so it cannot be read with vi; twprint prints it in readable form, showing the recorded attributes of every monitored file.
[root@localhost tripwire]# cd /etc/tripwire
[root@localhost tripwire]# tripwire --check > file1
-> This compares the current filesystem against the baseline and lists every monitored file that was added, removed or modified. The same report is also written, signed, to /var/lib/tripwire/report/ as hostname-date-time.twr, which is the copy to keep for later review.
[root@localhost tripwire]# vi file1
-> To print a stored report, give twprint the report file name,
[root@localhost tripwire]# twprint -m r --twrfile <>
-> If the changes are legitimate (a package upgrade, an edited configuration file), accept them into the baseline with tripwire --update --twrfile <>; if they are not, you have an intrusion to investigate. Run --check from cron so the comparison actually happens, and keep a copy of the database on read-only media, since an intruder with root can otherwise regenerate it.
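The baseline-then-compare cycle behind --init and --check, as an added example that is not code from the page or from tripwire: a shell script that records sha256 hashes of a directory tree and later reports added, removed and modified files, so the mechanism can be tried without tripwire or root. The directory layout and file names in the demo are constructed. What this lacks is exactly what tripwire adds on top: a policy file choosing what to watch and which attributes to compare, and a database and reports signed with the local key so that an intruder cannot rewrite the baseline to hide changes.

```shell
#!/bin/sh
# Added example (not the page's or tripwire's code): the baseline-then-compare
# cycle behind "tripwire --init" and "tripwire --check", reduced to sha256sum
# over a directory tree so it runs without tripwire or root.

integrity_init() {            # $1 directory to baseline, $2 database file to write
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

integrity_check() {           # $1 directory, $2 database file; prints one line per change
    cur=$(mktemp)
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$cur"
    # sha256sum lines are "<hash>  <path>"; paths containing spaces are not handled here
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }     # first file: the baseline
        { now[$2] = $1 }                                 # second file: current state
        END {
            for (p in now)  if (!(p in base))                      print "Added:    " p
            for (p in base) if (!(p in now))                       print "Removed:  " p
            for (p in now)  if ((p in base) && base[p] != now[p])  print "Modified: " p
        }' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

demo_integrity() {            # constructed scenario: baseline, then modify, remove and add a file
    d=$(mktemp -d); db=$(mktemp)
    mkdir -p "$d/etc" "$d/bin"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    printf '#!/bin/sh\necho tool\n' > "$d/bin/tool"
    integrity_init "$d" "$db"
    printf 'toor:x:0:0::/:/bin/sh\n' >> "$d/etc/passwd"   # second uid-0 account appended
    rm "$d/bin/tool"                                       # a binary removed
    printf 'x\n' > "$d/bin/ld.so.preload"                  # a new file dropped in
    integrity_check "$d" "$db"
    rm -rf "$d" "$db"
}

demo_integrity
```

The awk step keys on the path, so an unchanged file produces no output at all; only the three kinds of difference that a tripwire report lists are printed, sorted for stable comparison.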
TERMINAL SECURITY
/etc/securetty lists the terminals on which root is allowed to log in directly; pam_securetty refuses a root login from any terminal not in the list. The file is,
[root@localhost root]# vi /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
-> Remove a line to forbid direct root login on that terminal. The check applies only to PAM services that use pam_securetty (login on the virtual consoles and serial lines); sshd does not consult it, so remote root login is disabled with "PermitRootLogin no" in /etc/ssh/sshd_config instead. Administrators can still log in as a normal user and su to root, which also leaves an audit trail of who became root.
Another file, /etc/security/access.conf, is read by pam_access and controls which users or groups may log in from which terminals or hosts. It is only enforced for services whose PAM configuration includes "account required pam_access.so". Each line is "permission : users : origins" and the first matching line wins, so specific entries go before general ones. The two uncommented lines below allow root on tty1 and tty7 and refuse it on tty2, tty3 and tty4; the rest of the file is its own documentation.
[root@localhost root]# vi /etc/security/access.conf
# Login access control table.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
# module, you can change the field separation character to be
# '|'. This is useful for configurations where you are trying to use
# pam_access with X applications that provide PAM_TTY values that are
# the display variable like "host:0".]
#
# permission : users : origins
+:root:tty1,tty7
-:root:tty2,tty3,tty4
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches) or LOCAL (matches any string that does not contain a "."
# character).
#
# If you run NIS you can use @netgroupname in host or user patterns; this
# even works for @usergroup@@hostgroup patterns. Weird.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Both the user's primary group is matched, as well as
# groups in which users are explicitly listed.
#
##############################################################################
#
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:LOCAL
#
# Disallow non-local logins to privileged accounts (group wheel).
#
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
#
# All other accounts are allowed to login from anywhere.
#
Another file, /etc/security/time.conf, is read by pam_time and restricts when a user may log in, by day of the week and time of day, per PAM service and terminal. Like access.conf it only takes effect for services whose PAM file includes "account required pam_time.so". The file and its own documentation:
[root@localhost root]# vi /etc/security/time.conf
# this is an example configuration file for the pam_time module. Its syntax
# was initially based heavily on that of the shadow package (shadow-960129).
#
# the syntax of the lines is as follows:
#
# services;ttys;users;times
#
# white space is ignored and lines maybe extended with '\\n' (escaped
# newlines). As should be clear from reading these comments,
# text following a '#' is ignored to the end of the line.
#
# the combination of individual users/terminals etc is a logic list
# namely individual tokens that are optionally prefixed with '!' (logical
# not) and separated with '&' (logical and) and '|' (logical or).
#
# services
# is a logic list of PAM service names that the rule applies to.
#
# ttys
# is a logic list of terminal names that this rule applies to.
#
# users
# is a logic list of users to whom this rule applies.
#
# NB. For these items the simple wildcard '*' may be used only once.
#
# times
# the format here is a logic list of day/time-range
# entries the days are specified by a sequence of two character
# entries, MoTuSa for example is Monday Tuesday and Saturday. Note
# that repeated days are unset MoMo = no day, and MoWk = all weekdays
# bar Monday. The two character combinations accepted are
#
# Mo Tu We Th Fr Sa Su Wk Wd Al
#
# the last two being week-end days and all 7 days of the week
# respectively. As a final example, AlFr means all days except Friday.
#
# each day/time-range can be prefixed with a '!' to indicate "anything
# but"
#
# The time-range part is two 24-hour times HHMM separated by a hyphen
# indicating the start and finish time (if the finish time is smaller
# than the start time it is deemed to apply on the following day).
#
# for a rule to be active, ALL of service+ttys+users must be satisfied
# by the applying process.
#
#
# Here is a simple example: running blank on tty* (any ttyXXX device),
# the users 'you' and 'me' are denied service all of the time
#
#blank;tty* & !ttyp*;you|me;!Al0000-2400
# Another silly example, user 'root' is denied xsh access
# from pseudo terminals at the weekend and on mondays.
#xsh;ttyp*;root;!WdMo0000-2400
#
# End of example file.
#
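The day and time-range syntax the file documents above is easy to get wrong (MoMo selects no day, MoWk is every weekday except Monday, a finish time before the start time runs into the next day). As an added example, not code from the page or from Linux-PAM, the following shell function evaluates one day/time-range entry for a given day and HHMM time, so a rule can be checked before it locks someone out. Assumptions: a single entry (optionally prefixed with "!") rather than a "&"/"|" logic list, and a range that includes its start minute and excludes its finish minute.

```shell
#!/bin/sh
# Added example (not the page's or pam_time's code): evaluate one time.conf
# day/time-range entry, with the toggling day tokens and midnight wrap that
# the file's comments describe. Assumes a single entry, not a '&'/'|' list,
# and treats the range as [start, finish).

to_int() {                    # "0800" -> 800, "0000" -> 0 (avoids octal parsing in $(( )))
    v=$(printf '%s' "$1" | sed 's/^0*//')
    echo "${v:-0}"
}

day_selected() {              # $1 day tokens such as "MoWk", $2 day "Mo".."Su"; 0 if selected
    toggles=""
    rest=$1
    while [ -n "$rest" ]; do
        tok=$(printf '%.2s' "$rest"); rest=${rest#??}
        case "$tok" in
            Mo|Tu|We|Th|Fr|Sa|Su) toggles="$toggles $tok" ;;
            Wk) toggles="$toggles Mo Tu We Th Fr" ;;
            Wd) toggles="$toggles Sa Su" ;;
            Al) toggles="$toggles Mo Tu We Th Fr Sa Su" ;;
            *)  echo "bad day token: $tok" >&2; return 2 ;;
        esac
    done
    # a day named an even number of times is unset: MoMo = no day, MoWk = weekdays bar Monday
    n=0
    for t in $toggles; do [ "$t" = "$2" ] && n=$((n + 1)); done
    [ $((n % 2)) -eq 1 ]
}

time_entry_permits() {        # $1 entry e.g. "!WdMo0000-2400", $2 day, $3 time HHMM; 0 = permitted
    entry=$1; negate=0
    case "$entry" in '!'*) negate=1; entry=${entry#!} ;; esac
    days=${entry%%[0-9]*}                 # leading day tokens
    range=${entry#"$days"}                # HHMM-HHMM
    start=$(to_int "${range%-*}"); end=$(to_int "${range#*-}"); now=$(to_int "$3")
    hit=1
    if day_selected "$days" "$2"; then
        if [ "$end" -ge "$start" ]; then
            [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ] && hit=0
        else                              # finish before start: the range runs into the next day
            { [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]; } && hit=0
        fi
    fi
    if [ "$negate" -eq 1 ]; then hit=$((1 - hit)); fi
    return "$hit"
}

# Constructed probes against a "weekdays except Monday, office hours" entry.
for probe in "Tu 1000" "Mo 1000" "Sa 1200"; do
    set -- $probe
    if time_entry_permits "MoWk0900-1800" "$1" "$2"; then r=permitted; else r=denied; fi
    printf 'MoWk0900-1800 on %s at %s: %s\n' "$1" "$2" "$r"
done
```

A return of 0 means the entry's times are satisfied, which in pam_time terms means the login is permitted at that moment; "!Al0000-2400", the file's own "denied all of the time" example, therefore never returns 0.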
There is another file, "login", in the "/etc/pam.d" directory; it is the PAM configuration for the login service. Each line has three fields, optionally followed by arguments for the module.
First Field: Module type
a. auth- Authenticates the user, i.e. establishes who is logging in; for login this is pam_unix checking the password against /etc/shadow. Auth modules also set credentials such as group memberships.
b. account- Decides whether the authenticated account may be used right now: not expired or locked, and allowed by pam_access, pam_time and similar restrictions.
c. session- Does the setup and teardown around a session: logging the login, mounting the home directory, applying resource limits (pam_limits).
d. password- Runs when the authentication token is changed (passwd), enforcing password quality and history. Minimum and maximum password age come from /etc/shadow (set with chage), not from this module type.
Second Field: Control Flag
a required- Failure makes the whole stack fail, but the remaining modules are still run, so the user (or an attacker) cannot tell which module rejected them.
b requisite- Like required, but a failure returns immediately without running the remaining modules.
c sufficient- Success ends the stack with success, unless an earlier required module has already failed; a failure is ignored.
d optional- The result is ignored unless it is the only module in the stack.
Third Field: Module path
The path of the module (for example /lib/security/pam_unix.so), followed by any arguments the module accepts.
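The difference between the control flags is easiest to see by walking a stack. As an added example, not code from the page or from Linux-PAM, the shell function below takes a stack as "flag:result" words, applies the rules listed above, and reports the outcome together with how many modules actually ran. Simplification: a stack consisting only of optional or failed sufficient modules succeeds only when a lone optional module succeeded; the [value=action] syntax of newer PAM is not modelled.

```shell
#!/bin/sh
# Added example (not the page's or Linux-PAM's code): walk a module stack given
# as "flag:result" words and report "<success|failure> <modules run>".

pam_stack_result() {          # args: required:ok requisite:fail sufficient:ok optional:ok ...
    req_failed=0; decisive=0; ran=0; total=$#; last_optional=""
    for entry in "$@"; do
        flag=${entry%%:*}; res=${entry#*:}
        ran=$((ran + 1))
        case "$flag:$res" in
            required:ok)     decisive=1 ;;
            required:fail)   decisive=1; req_failed=1 ;;         # remember, but keep running
            requisite:ok)    decisive=1 ;;
            requisite:fail)  echo "failure $ran"; return 1 ;;    # stop at once
            sufficient:ok)   if [ "$req_failed" -eq 0 ]; then echo "success $ran"; return 0; fi ;;
            sufficient:fail) ;;                                  # ignored
            optional:ok|optional:fail) last_optional=$res ;;
            *) echo "bad entry: $entry" >&2; return 2 ;;
        esac
    done
    if [ "$req_failed" -eq 1 ]; then echo "failure $ran"; return 1; fi
    if [ "$decisive" -eq 1 ];   then echo "success $ran"; return 0; fi
    if [ "$total" -eq 1 ] && [ "$last_optional" = ok ]; then echo "success $ran"; return 0; fi
    echo "failure $ran"; return 1
}

# Two stacks that both reject a bad password, but differ in what the user can observe:
# with "required" every module still runs; with "requisite" the stack stops at the first.
printf 'required stack:  %s\n' "$(pam_stack_result required:fail required:ok required:ok)"   # failure 3
printf 'requisite stack: %s\n' "$(pam_stack_result requisite:fail required:ok required:ok)"  # failure 1
```

The "sufficient:ok required:fail" case shows why module order matters: a sufficient module that succeeds before any required failure ends the stack with success and the later required module never runs.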
IP TABLES
The filter table has three built-in chains:
1 INPUT CHAIN- packets addressed to this host.
2 OUTPUT CHAIN- packets sent by this host.
3 FORWARD CHAIN- packets routed through this host to another.
Each rule ends in a target; the three basic ones are:
a ACCEPT- let the packet through.
b REJECT- discard it and send an error (ICMP port-unreachable by default) back to the sender.
c DROP- discard it silently; the sender sees a timeout.
Each chain also has a default policy (ACCEPT or DROP) that applies when no rule matches.
[root@localhost root]# iptables -L -n -v
-> Lists the rules in every chain of the filter table, with packet counters and without reverse DNS lookups.
[root@localhost root]# iptables -A INPUT -p icmp -j REJECT
-> Appends a rule to INPUT that rejects all ICMP. Rules are checked in order and the first match decides, so a rule added with -A goes after all existing ones; use -I to insert at the top.
[root@localhost root]# iptables -A INPUT -p icmp -d
-> (incomplete as written: -d takes a destination address, and the rule still needs a -j target)
[root@localhost root]# iptables-save
-> Prints the current rule set to standard output. Rules live only in the kernel and are lost at reboot unless saved; on Red Hat, "service iptables save" writes them to /etc/sysconfig/iptables for the init script to reload.
[root@localhost root]# iptables -F
-> Flushes all rules in all chains of the filter table but does not change the chain policies. If the INPUT policy is DROP, flushing cuts off every remote session, so set the policy to ACCEPT first when working over the network.
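The chains, targets and ordering rules above come together in a host firewall. As an added example, not code from the page, the following shell function builds an INPUT chain for a host that should accept ssh from the LAN and nothing else unsolicited, in the order that avoids locking yourself out when the script is run over ssh. The iptables command and the LAN range are parameters so the rules can be printed (with echo) and reviewed before being loaded, which needs root and the iptables binary; 192.168.10.0/24 is an assumed value.

```shell
#!/bin/sh
# Added example (not the page's code): a minimal INPUT chain, built so that an
# existing ssh session survives the reload. $1 is the command to run the rules
# through (iptables to load them, echo to print them), $2 the trusted LAN.

apply_input_policy() {
    IPT=$1
    LAN=${2:-192.168.10.0/24}
    $IPT -P INPUT ACCEPT                                          # open the policy before flushing,
    $IPT -F INPUT                                                 # so nothing is dropped meanwhile
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies to our own traffic first
    $IPT -A INPUT -p tcp -s "$LAN" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -s "$LAN" -j ACCEPT
    $IPT -A INPUT -p icmp -j REJECT --reject-with icmp-admin-prohibited
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $IPT -P INPUT DROP                                            # close the policy only once the rules are in
}

# Dry run: print the commands instead of loading them. As root: apply_input_policy iptables
apply_input_policy echo
```

Putting the ESTABLISHED,RELATED rule near the top is what makes the DROP policy workable: outbound connections the host itself opens get their replies accepted, while anything new from outside the LAN falls through to the rate-limited LOG rule and then the policy. Follow the load with "service iptables save" so the rules survive a reboot.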