Thursday, September 3, 2015

TCP Wrappers

To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two files, which are commonly referred to as hosts access files:
/etc/hosts.allow
/etc/hosts.deny

Sequence

When a TCP-wrapped service receives a request:
It references /etc/hosts.allow first, parsing its entries sequentially and applying the first rule specified for that service. If it finds a matching rule, it allows the connection; if not, it moves on to the next step.
Next step: it references /etc/hosts.deny. The TCP-wrapped service sequentially parses the entries in /etc/hosts.deny; if it finds a matching rule, it denies the connection. If not, it grants access to the service.

Points to Consider

When using TCP Wrappers to protect network services:
Access rules in hosts.allow are applied first, so they take precedence over rules specified in hosts.deny. Therefore, if a service is allowed in hosts.allow and denied in hosts.deny, the entry in hosts.deny is ignored.
The rules in each file are read from the top, and only the first matching rule is applied.
If no rule for the service is found in either file, access to the service is granted.
If neither hosts.allow nor hosts.deny exists, access to the service is granted.
TCP-wrapped services do not cache the rules from the hosts access files, so any change to hosts.allow or hosts.deny takes effect immediately, without restarting the network services.

Formatting Access Rules

The format of /etc/hosts.allow and /etc/hosts.deny is identical. Each rule must be on its own line. Blank lines and lines that start with a hash (#) are ignored.
Each rule uses the following basic format to control access to network services:
<daemon list>: <client list> [: <option>: <option>: ...]
<daemon list>: a comma-separated list of process names (not service names) or the ALL wildcard. The daemon list also accepts the operator described in the Operator section below, for greater flexibility.
<client list>: a comma-separated list of hostnames, host IP addresses, special patterns, or wildcards that identify the hosts affected by the rule. The client list also accepts the operator described in the Operator section below.

<option>: an optional action, or colon-separated list of actions, performed when the rule is triggered. Option fields support expansions, can launch shell commands, allow or deny access, and alter logging behavior.

Wildcards

Wildcards allow TCP Wrappers to match groups of daemons or hosts more easily:
ALL matches everything; it can be used in the daemon list and in the client list.
LOCAL matches any host whose name doesn't contain a period (.), such as localhost.
KNOWN, UNKNOWN and PARANOID are rarely used and depend on DNS resolution (KNOWN matches a host or user whose name is known).

Example of Entries in hosts.allow

ALL : 192.168.128.0/255.255.254.0
Allows access to all daemons for requests coming from the network 192.168.128.0/23.
ALL : ALL
Allows access to all daemons for requests coming from anywhere.
sshd : 172.18.
Allows access to the sshd process for requests coming from IP addresses that start with 172.18.
ALL : .test.com
Allows access to all daemons from hosts whose fully qualified domain name ends with .test.com.

Tips: To get the IP address of a specific PC in Linux, you can use the command "ifconfig". In later versions such as CentOS 7, ifconfig is not available by default; use the command "ip addr" instead.
To get the IP address of a specific PC in Windows, use the command "ipconfig".
If you need to allow access to your server for a specific Internet user, you need to know that user's public IP address. Someone who needs to know their public (real) IP address can find it by visiting http://www.myip.services

Referring to a file

If we want to permit many IP addresses or names, instead of writing them in the rule we can reference a file. The filename must start with a / so that TCP Wrappers can recognise it as a file and look up the entries inside it:
in.telnetd : /etc/telnet/hosts
It is more secure to use IP addresses than DNS names.

Operator

Access control rules accept one operator, EXCEPT, which excludes specific matches:
ALL : .test.com EXCEPT abc.test.com
This matches all computers whose fully qualified domain name ends with .test.com, except the PC abc.test.com.
ALL EXCEPT vsftpd : 192.168.0.
In hosts.allow, this allows PCs whose IP address starts with 192.168.0. to access all daemons except the vsftpd daemon.
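The decision sequence, rule format, wildcards and EXCEPT operator described in the sections above, as an added example that is not part of the original post. It is a simplified model of the hosts access check (no reverse lookups, no KNOWN/PARANOID, rule options ignored); the sample hosts.allow and hosts.deny contents and the client names and addresses are constructed here from the entries discussed in this post.

```python
import ipaddress

def match_client(pattern, host, addr):
    """One client-list token against the connecting host, using the pattern kinds in this
    post: ALL, LOCAL, net/mask, address prefix, domain suffix, exact name or address."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p == "LOCAL":                       # a name without a period, e.g. localhost
        return "." not in host
    if "/" in p:                           # 192.168.128.0/255.255.254.0 style
        net, mask = p.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if p.endswith("."):                    # address prefix, e.g. 172.18.
        return addr.startswith(p)
    if p.startswith("."):                  # domain suffix, e.g. .test.com
        return host.endswith(p)
    return p in (host, addr)

def match_list(token_list, match_one):
    """'a, b EXCEPT c, d': matched by the part before EXCEPT and not by the part after."""
    if " EXCEPT " in token_list:
        left, right = token_list.split(" EXCEPT ", 1)
        return match_list(left, match_one) and not match_list(right, match_one)
    return any(match_one(tok) for tok in token_list.split(",") if tok.strip())

def rule_matches(rule, daemon, host, addr):
    """<daemon list> : <client list> [: options]; the options are ignored in this model."""
    daemons, clients = rule.split(":", 2)[:2]
    return (match_list(daemons.strip(), lambda d: d.strip() in ("ALL", daemon))
            and match_list(clients.strip(), lambda c: match_client(c, host, addr)))

def first_match(lines, daemon, host, addr):
    """First matching rule in one hosts access file; blank and # lines are skipped."""
    for line in map(str.strip, lines):
        if line and not line.startswith("#") and rule_matches(line, daemon, host, addr):
            return line
    return None

def hosts_access(allow_lines, deny_lines, daemon, host, addr):
    """hosts.allow match grants, else hosts.deny match refuses, else access is granted."""
    if first_match(allow_lines, daemon, host, addr):
        return True
    return first_match(deny_lines, daemon, host, addr) is None

# Constructed hosts.allow and hosts.deny built from the entries discussed in this post.
HOSTS_ALLOW = ["# allow rules", "sshd : 172.18.", "ALL : .test.com EXCEPT abc.test.com",
               "ALL EXCEPT vsftpd : 192.168.0."]
HOSTS_DENY = ["ALL : ALL"]
```

With an empty hosts.deny the last line of hosts_access grants everything not matched in hosts.allow, which is the default behaviour the Points to Consider section warns about.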

Portmap and TCP Wrappers

Portmap's implementation of TCP Wrappers doesn't support host look-ups, which means portmap cannot use hostnames to identify hosts. Consequently, access control rules for portmap in hosts.allow or hosts.deny must use IP addresses or the keyword ALL.
Changes to portmap access control rules may not take effect immediately; you may need to restart the portmap service.




I hope this was helpful, and I would like to thank you for reading



Wednesday, September 2, 2015

How to allow or deny ssh access

To block or permit remote access to a service in Linux, we can use "hosts.deny" and "hosts.allow".
To allow or deny specific IPs from connecting to the server over ssh:
Edit the "hosts.deny" file:
sshd:all
Edit the "hosts.allow" file:
sshd:192.168.0.102
(where 192.168.0.102 is the address that will be permitted to ssh to the server)
You can also add a whole network to hosts.allow:

sshd:192.168.0.0/255.255.255.0



How to Map network drives in Linux

Map Samba Drive (SMB drive or CIFS)

First, create a directory on Linux. It is better to create it under /mnt if that directory exists, because /mnt is intended for mounting drives. You must not write anything in this directory before creating the mount.
Second, prepare your share on the Windows server: make sure that you add the appropriate permissions on the shared directory (both in the Security tab and in the Sharing tab). For example, if the user jdoe is the user who will be used to map the drive, the user jdoe must exist on your Windows server (or in Active Directory) and must be added to the list of users in the Security tab and in the sharing permissions.
To mount the drive, execute the following command (where winserver is the name of your Windows server, linuxshare is the share name of your Windows folder, and jdoe is the Windows username).
cifs is the filesystem type; it should be used when we map drives from Windows:
mount -t cifs -o username=jdoe //winserver/linuxshare /mnt/linuxshare


To unmount: umount /mnt/linuxshare

Map NFS Drive

How to mount NFS:
mount testa.domain.com:/myshare /mnt/testnfs/
The name of the server should be exactly the same as the name in the exports file of the destination server (and it should be the same in the hosts file).
Depending on the release, you might need to specify the filesystem type.


Thursday, August 27, 2015

BIND Configuration - named.conf

Elements of the named.conf configuration file:

"acl" is an access-control list: a group of networks and/or IP addresses. ACLs are created to be applied in statements such as "allow-recursion". If an ACL is created but not applied, it is useless.
Options in "named.conf":
"listen-on port 53 { listenon; };": the name server will listen for requests arriving on the interfaces whose IP address is listed in the "listenon" access list, and the request must have port 53 as its destination port. Instead of an ACL name, you can type the IP addresses of the interfaces, separated by ";".
"directory "/var/named"": the directory that contains the cache and zone files.
"recursion": allows or disallows recursive lookups.
"forward only": forwards DNS lookups and does not perform recursion itself; "forward first": tries to forward first and, if it gets no reply, performs a recursive lookup.
"forwarders": a list of DNS servers dedicated to act as forwarders; the server will send requests to them.
"blackhole": specifies which networks/IPs are not allowed to query the server.
"allow-query": specifies the clients that are allowed to request information about this zone. The default is to allow all queries.
"allow-transfer": specifies the slave DNS servers that are allowed to request a transfer of the zone. The default is to allow all transfer requests.
"allow-update": specifies the hosts that are allowed to dynamically update their information in the zone file. The default is to deny dynamic updates.

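The pitfalls the option list above points out, checked mechanically: an ACL that is defined but never applied, a missing allow-transfer (which defaults to allowing transfers to anyone), and recursion enabled while allow-query is open to any. This is an added example, not part of the original post or of BIND; the two named.conf fragments are constructed here (zone name example.test, documentation-range addresses, a deliberately unused acl "stale"), and the parser is a regex over brace-delimited statements, sufficient for fragments like these rather than a full named.conf grammar.

```python
import re

# Constructed named.conf fragments (not from this post): a weak one and a corrected one.
# Addresses are from the RFC 5737 documentation ranges; the acl "trusted" is defined in the
# weak version but, like "stale", never applied anywhere.
WEAK_CONF = """
acl "trusted"  { 192.168.10.0/24; 127.0.0.1; };
acl "listenon" { 192.168.10.1; 127.0.0.1; };
acl "stale"    { 10.99.0.0/16; };            # created but never applied
options {
    listen-on port 53 { listenon; };
    directory "/var/named";
    recursion yes;
    allow-query { any; };                    # everyone may query, and recursion is on
    forward first;
    forwarders { 192.0.2.53; };
    blackhole { 203.0.113.0/24; };
};
zone "example.test" IN { type master; file "example.test.zone"; };
"""
HARDENED_CONF = (WEAK_CONF
    .replace('acl "stale"', '# acl "stale"')                       # comment out the unused ACL
    .replace("allow-query { any; };", "allow-query { trusted; }; allow-transfer { none; };")
    .replace('file "example.test.zone";', 'file "example.test.zone"; allow-update { none; };'))

def check_named_conf(text):
    """Return a list of findings for the three pitfalls described in this post."""
    conf = re.sub(r"(#|//).*", "", text)                           # drop end-of-line comments
    defined = set(re.findall(r'\bacl\s+"?([\w-]+)"?\s*\{', conf))
    # statement { items; } pairs without nested braces: listen-on, allow-query, forwarders ...
    statements = re.findall(r"([\w-]+)(?:\s+port\s+\d+)?\s*\{([^{}]*)\}", conf)
    applied = {tok for name, body in statements if name != "acl"
               for tok in re.findall(r"[\w-]+", body)}
    findings = [f"acl '{name}' is defined but never applied" for name in sorted(defined - applied)]
    bodies = {name: re.findall(r"[\w-]+", body) for name, body in statements}
    if "allow-transfer" not in bodies:
        findings.append("no allow-transfer: default allows zone transfers to anyone")
    if re.search(r"\brecursion\s+yes\s*;", conf) and bodies.get("allow-query", ["any"]) == ["any"]:
        findings.append("recursion yes with allow-query any: open recursive resolver")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_named_conf(conf) or "no findings")
```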

Monday, August 24, 2015

DNS Queries

Queries:
Recursive lookup: If a PC needs to access www.http-cloud.com, it asks its DNS server (the DNS server configured statically or received from the DHCP server with the DHCP lease). If the DNS server is authoritative for the zone "http-cloud.com", it fetches the IP address of the record "www" and returns it to the client PC. The client PC caches this resolution and uses the IP address received to communicate with the www.http-cloud.com server.
Forward query:
If a user has an address at hotmail, the client PC needs to access www.hotmail.com and asks its DNS server for the IP address of this hostname. If the DNS server is not authoritative for the zone "hotmail.com" but has the IP address of a forwarder (for example an ISP server), it forwards the query to the IP address of the ISP DNS server. The ISP DNS server is responsible for finding the record for www.hotmail.com and sending it to the client's DNS server. The client's DNS server caches this record and returns it to the client PC.
Recursive query:
If a client PC queries its DNS server for the IP of www.centos.org, and the DNS server is neither authoritative for the zone "centos.org" nor has the IP of a forwarder, the DNS server performs a recursive query:
The DNS server asks the root name servers for the NS records (name server records) of the "org" zone.
Once the DNS server has the IP address of a name server of the "org" zone, it queries it for the NS records of the zone "centos.org".
Once the DNS server has the IP address of a name server of the "centos.org" zone, it queries that name server for the hostname "www".
Once the DNS server gets the reply, it caches it and sends it back to the client.

Since the root zone is the parent zone of the "org" zone, the root zone holds the NS records for the "org" zone; likewise, as the "org" zone is the parent of "centos.org", the "org" zone holds the NS records for the "centos.org" zone.
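The recursive walk just described (root, then the "org" servers, then the "centos.org" servers, then caching the answer), as an added example that is not part of the original post. The delegation tree is a constructed stand-in: the server names and the RFC 5737 documentation-range addresses are made up for this model and are not the real root, org or centos.org servers; the resolver has no forwarder, so it follows referrals itself.

```python
# Constructed delegation tree standing in for the real root, org and centos.org servers.
# Each parent zone holds the NS records of its child zones, as described in this post.
ZONES = {
    ".":          {"NS": {"a.root-servers.test": "192.0.2.1"},   "A": {}},
    "org":        {"NS": {"a0.org-servers.test": "192.0.2.10"},  "A": {}},
    "centos.org": {"NS": {"ns1.centos.org": "198.51.100.5"},
                   "A": {"www.centos.org": "198.51.100.80"}},
}

def parent_of(zone):
    """'centos.org' -> 'org', 'org' -> '.', '.' -> None."""
    if zone == ".":
        return None
    return zone.split(".", 1)[1] if "." in zone else "."

def query_server(zone, qname):
    """What the authoritative server of `zone` answers: the A record if it holds it,
    otherwise a referral carrying the NS records of the child zone the name falls under."""
    data = ZONES[zone]
    if qname in data["A"]:
        return "answer", data["A"][qname]
    for child, child_data in ZONES.items():
        if parent_of(child) == zone and (qname == child or qname.endswith("." + child)):
            return "referral", (child, child_data["NS"])
    return "nxdomain", None

class Resolver:
    """A caching DNS server with no forwarder: it walks down from the root itself."""
    def __init__(self):
        self.cache = {}

    def resolve(self, qname):
        """Return (address, list of zones asked); the list is ['cache'] on a cache hit."""
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        zone, asked = ".", []
        while True:
            kind, payload = query_server(zone, qname)
            asked.append(zone)
            if kind == "answer":
                self.cache[qname] = payload       # cache before replying to the client
                return payload, asked
            if kind == "nxdomain":
                return None, asked
            zone = payload[0]                     # follow the referral to the child zone's servers

if __name__ == "__main__":
    r = Resolver()
    for name in ("www.centos.org", "www.centos.org", "www.example.net"):
        print(name, *r.resolve(name))
```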
Using the dig utility:
dig is a command-line tool that performs DNS lookups and helps debug a name server configuration.
To look up the name servers for a particular domain name (i.e. the DNS servers responsible for that domain):
dig name NS
  Example: dig http-cloud.com NS
To get the root servers: dig . NS
To get the com servers: dig com NS
To look up the IP address of a specific A record:
dig name A
  Example: dig www.http-cloud.com A
PTR lookup, to find a hostname when we have the IP address:
dig -x address
  Example: dig -x 192.168.10.10
If you want a short answer:
dig www.http-cloud.com +short
dig get1get.com mx +short
Another DNS client tool, "nslookup", is used on Windows and Linux. dig is the more recent utility.



I hope this was helpful, and I would like to thank you for reading

DNS or BIND in Linux - 1

DNS (Domain Name System) is a hierarchical, distributed naming system for computers, services, or any resource connected to the Internet or to a private network. Mostly, it associates domain names with IP addresses. Domain name systems are also used to find the email servers of a specific domain.
Domain Name Space:
A domain name space consists of a tree of domain names. Each node in the tree has zero or more resource records associated with its domain name. The tree is subdivided into zones, beginning at the root zone.
The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Internet's DNS. The root zone is managed by IANA and ICANN.
NS records are the records of the DNS servers (name servers) for a zone.
The root zone "." is the root of the DNS tree on the Internet. It is the zone that contains the zones com, net, gov, org, in, nl, and so on.
The root name servers are the DNS servers that are authoritative for the root zone.
DNS Records:
DNS servers are used to resolve names to IP addresses. There are different types of records that can be resolved:
An A record is the record for a host name; it is used to resolve the IP address from the name.
An NS record is a record for a domain name; it is used to get the list of DNS servers that are authoritative for this domain.
An MX record is a record for the email servers of a specific domain name; it maps your domain name to one or more FQDNs of email servers. These records have different metrics (preferences). The one with the lowest metric is the preferred one.

Follow us in our next Blog for more about DNS.
I hope this was helpful, and I would like to thank you for reading