Thursday, September 3, 2015

TCP Wrappers

To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two files, which are commonly referred to as hosts access files:
/etc/hosts.allow
/etc/hosts.deny

Sequence

When a TCP-wrapped service receives a request:
It references /etc/hosts.allow, it parses sequentially the entries in /etc/hosts.allow and applies the first rule speicified for that service. If it finds a matching rule, it allows the connection, if not it moves the next step.
Next step: it references /etc/hosts.deny. The TCP-warpped service sequentially parses the entries in /etc/hosts.deny, if it finds a matching rule, it denies the connection. If not, it grants access to the service.

Points to Consider

When using TCP Wrappers to protect network servies:
Access rules in hosts.allow are applied first, so they take precedence over rules specified in hosts.deny. Therefore if a service is allowed in hosts.allow and is denied in hosts.deny, the entry in hosts.deny will be igonred
The rules from  each file are read from top, and the first matching rule is  the only applied.
If no rules for the service are found in either files, access to the service is granted.
If both files « hosts.allow » and « hosts.deny » do not exist, then access to the service is granted.
TCP-Wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immeediately without restarting network services.

Formatting Access Rules

The format for both /etc/hosts.allow and /etc/hosts.deny is identical. Each rule must be on its own line. Blank lines or lines that start with a hash (#) are ignored.
Each rule uses the following basic format to control access to network services:
<daemon list>: <client list> [: <option>: <option>: ...]
<daemon list> — A comma-separated list of process names (not service names) or the ALL wildcard. The daemon list also accepts operators (refer to Operator Slide”) to allow greater flexibility.
<client list> — A comma-separated list of hostnames, host IP addresses, special patterns, or wildcards which identify the hosts affected by the rule. The client list also accepts operators listed in Operator Slide to allow greater flexibility.

<option> — An optional action or colon-separated list of actions performed when the rule is triggered. Option fields support expansions, launch shell commands, allow or deny access, and alter logging behavior

Wildcards

Allows TCP wrappers to more easily match groups of daemons or hosts:
ALL matches everything, it can be used for daemon list and host list
LOCAL matches any host that doesn`t contain a period (.) such as localhost
KNOW , UNKNOWN AND PARANOID rarely used and should be used with DNS (known is a known host or user)

Example of Entries in hosts.allow

ALL : 192.168.128.0/255.255.254.0  Allows access to all daemons for requests that are coming from the network 192.168.128.0/23
ALL : ALL Allows access to all daemons fror requests coming from anywhere
sshd : 172.18. Allows access to sshd process from requests coming from IP addresses that start with 172.18.
ALL : .test.com  Allows access to all daemons from hosts that that have at the end of their fully qualidified domain name .test.com

Tips: To get an ip address for a specific PC in Linux, you can use the command "ifconfig". But for later version like "CentOS 7", ifconfig is not available by default, you can use the command "ip addr"
to get an IP address for a specific PC in windows, you can use the command "ipconfig"
What if you need to allow specific access to your server from an Internet user. Then you need to know his public IP address. If someone needs to know his public/Real IP address, all what he needs is to click on this link http://www.myip.services

Refering to a file

If we want to permit many IP addresses or names, instead of writing them, we reference to a file, but the filename should start from the / so that TCP wrappers file can identify that it is a file and it should find the entries inside that file
In.telnetd : /etc/telnet/hosts
It is more secure to use IP addresses than DNS names

Operator

Access control rules accept one operator EXCEPT which allows exception from a specific matches:
ALL :  .test.com EXCEPT abc.test.com
So it matches all computers that they have their fully qualified domain name ending with test.com except the  PC « abc.example.com »
ALL EXCEPT vsftpd: 192.168.0.
So if it is in hosts.allow it allows the PCs that have ip address starts with 192.168.0 to access all daemons except the vsftpd daemon

Portmap and TCP Wrappers

Portmap`s implementation of TCP wrappers doesn`t support host look-ups, which means portmap cannot use hostnames to identify hosts. Consequently  access contorl rules for portmap in hosts.allow or hosts.deny must use IP addresses or the keyword All ,
Changes to portmap access control rules may not take effect immediately. You may need to restart the portmap service


For more information about our IT Serviceshttps://http-cloud.com/it-services/


Are you looking for a part-time job ? 

Create your CV by going tohttps://cv-cloud.com/

You can also follow our other blog:

http://https-cloud.blogspot.com


I hope this was helpful, and I would like to thank you for reading



Wednesday, September 2, 2015

How to allow or deny ssh access

To block or permit remote access to any service in Linux, we can use "hosts.deny" and "hosts.allow"
To allow or deny specific IPs from ssh to the server:
Edit “hosts.deny” File:
sshd:all
Edit “hosts.allow” File:
sshd:192.168.0.102 (where 192.168.0.102 is the address that will be permitted to ssh to the server)
You can also add a network to hosts.allow

sshd:192.168.0.0/255.255.255.0

Are you looking to find a flexible job ? 

check this website


You can also follow our other blogs:


How to Map network drives in Linux

Map Samba Drive (SMB drive or CIFS)

First create a directory on linux, better to create it under /mnt if /mnt directory exists, because /mnt directory is for mapping drives. you must not write anything in this directory before creating the map.
Second, prepare your share on the windows server:Make sure that you add the appropriate permissions on the shared directory ( in the directory tab and the sharing tab). example the user (jdoe) is the user who must be used to map the drive. So you must have the user jdoe in your windows server (or in Active directory) and you must add this user to the list of users in the security tab and the sharing permissions tab.
To mount the drive you have to execute the command (where winserver is the name of your windows server , linuxshare is the share name of your windows folder, jdoe is windows username)
cifs is the filesystem type, and it should be used when we map drives from windows
mount -t cifs -o username=jdoe //winserver/linuxshare /mnt/linuxshare


To umount: umount /mnt/linuxshare

Map NFS Drive

How to mount nfs
mount testa.domain.com:/myshare /mnt/testnfs/
the name of the server should be exactly the same as the name in exportfs file of the destination server(and it should be the same in hosts)
Depending on the release, you might need to specify the filesystem type

are you looking for a flexible job ? A job that can be done remotely ? Post your CV in this website:
https://www.security-architecture.com/add-cv/

We invite you also to read our other blogs:
https://www.ftp.services
https://dhcpservices.blogspot.com