Linux Patch Management: Keeping Linux Systems Up To Date
The following are some of the key points from the certification objectives in Chapter 15.
Using tcp_wrappers to Secure Services
❑ Red Hat Enterprise Linux comes with a package known as tcp_wrappers. This package, which is enabled by default, allows you to limit access to various services.
❑ You configure the access rules for tcp_wrappers through the /etc/hosts.allow and /etc/hosts.deny configuration files.
❑ Clients listed in /etc/hosts.allow are allowed access; clients listed in /etc/hosts.deny are denied access.
❑ Services can also be configured in /etc/hosts.allow and /etc/hosts.deny. Remember to use the actual executable name of the daemon, normally in /usr/sbin, such as in.tftpd.
Firewalls and Packet Filtering Using netfilter
❑ Firewalls can secure an internal network as a packet filter that controls the information that comes in, goes out, and is forwarded through the internal network.
❑ The current firewall configuration utility is iptables.
❑ The iptables directives are sets of rules, chained together, that are compared against and then applied to each network packet.
❑ Each rule sets the conditions a packet must match and then specifies the action taken if the packet matches.
❑ Use the service iptables save command to save any chains you configure to the /etc/sysconfig/iptables configuration file.
Network Address Translation
❑ NAT modifies the header of packets coming from a LAN. It replaces the source address with the public address of the firewall computer and a randomly chosen port number.
❑ Linux supports a variation of NAT called IP masquerading.
❑ IP masquerading allows you to provide Internet access to multiple computers with a single officially assigned IP address.
❑ To enable IP forwarding immediately, type the echo 1 > /proc/sys/net/ipv4/ip_forward command. To enable it upon reboot, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
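The two preceding sections come together on a masquerading gateway: a nat-table POSTROUTING rule rewrites the LAN's source addresses, filter-table rules decide what is forwarded, and IP forwarding must be on in the kernel or nothing is routed at all. The following added example (not the book's code) builds such a ruleset in the iptables-save format that `service iptables save` writes to /etc/sysconfig/iptables, and audits an /etc/sysctl.conf-style text for the net.ipv4.ip_forward setting, treating a value of 0 as disabled. The interface names and LAN network are assumptions, and the two sysctl.conf texts are constructed samples.

```python
"""Masquerading ruleset generator and sysctl.conf audit (added example, not the book's code)."""
import ipaddress
import re

# Constructed sysctl.conf samples: the first leaves forwarding off, the second turns it on
SYSCTL_CONF_DISABLED = "# Controls IP packet forwarding\nnet.ipv4.ip_forward = 0\n"
SYSCTL_CONF_ENABLED = "# Controls IP packet forwarding\nnet.ipv4.ip_forward = 1\n"


def masquerade_ruleset(wan_if, lan_if, lan_net):
    """Return an iptables-save style ruleset for a NAT gateway.

    wan_if / lan_if are assumed interface names (e.g. eth0 / eth1); lan_net is the
    private network in CIDR form. ip_network() is strict, so a host address such as
    192.168.1.5/24 is rejected instead of silently masquerading the wrong network."""
    for name in (wan_if, lan_if):
        if not re.fullmatch(r"[A-Za-z0-9_.:-]{1,15}", name):
            raise ValueError(f"bad interface name: {name!r}")
    net = ipaddress.ip_network(lan_net)
    lines = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        # source NAT: LAN traffic leaving on the WAN side gets the firewall's address
        f"-A POSTROUTING -s {net} -o {wan_if} -j MASQUERADE",
        "COMMIT",
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -i {lan_if} -s {net} -j ACCEPT",
        # forward only LAN-originated sessions and their replies, nothing inbound from WAN
        f"-A FORWARD -i {lan_if} -o {wan_if} -s {net} -j ACCEPT",
        f"-A FORWARD -i {wan_if} -o {lan_if} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


def ip_forward_enabled(sysctl_conf_text):
    """True only if the last effective net.ipv4.ip_forward assignment is 1.

    Handles '#' and ';' comments and the slash form of the key (net/ipv4/ip_forward)
    that sysctl also accepts; a later assignment overrides an earlier one."""
    value = None
    for raw in sysctl_conf_text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().replace("/", ".") == "net.ipv4.ip_forward":
            value = val.strip()
    return value == "1"


if __name__ == "__main__":
    print(masquerade_ruleset("eth0", "eth1", "192.168.1.0/24"))
    for text in (SYSCTL_CONF_DISABLED, SYSCTL_CONF_ENABLED):
        print("forwarding persists across reboot:", ip_forward_enabled(text))
```

The FORWARD policy of DROP plus the two explicit FORWARD rules is the part the NAT bullet leaves implicit: MASQUERADE only rewrites addresses, and the filter table still decides which packets the gateway is willing to route.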
Security Enhanced Linux
❑ Security Enhanced Linux (SELinux) provides a different level of security. Basic settings are shown in the /etc/sysconfig/selinux file.
❑ If you're just experimenting with SELinux, configure it in permissive mode.
❑ SELinux is relatively easy to configure with the SELinux Management Tool.
❑ Any changes you make with the SELinux Management Tool are reflected in boolean settings in the /selinux/booleans/ directory.
❑ The Setroubleshoot Browser can help you decipher related errors.