Once you've spotted servers, one approach to making them less of a risk is to hide them from most of the Internet. You can do this in several different ways:

Using External Firewalls
If your main concern is with outside access to a server, a separate firewall computer may be the best answer. Using such a firewall can permit local users to access the server while blocking outside access. Chapter 20, "Controlling Network Access," describes firewalls in more detail.

Using Local Firewalls
In addition to or instead of running a firewall on a separate computer, you can set up firewall rules on the same computer that runs the server. These rules can block access from any but specified computers. Again, Chapter 20 describes firewall configuration in more detail.

Using TCP Wrappers or xinetd
The TCP Wrappers package provides a screening service for incoming connections to servers that can use TCP Wrappers. One important TCP Wrappers-enabled program is inetd, so you can filter connections to any server run through inetd. The xinetd super server provides a similar set of access controls without using TCP Wrappers. Both of these tools are described in more detail in Chapter 20.

Using Server-Specific Controls
Some servers provide controls similar to those enabled by TCP Wrappers or xinetd. You should consult your server's documentation to learn what options it provides.

However you do it, hiding servers from view can greatly enhance security if servers should be accessible to some users but not to the world at large. As a general rule, firewalls do a better job of hiding servers than do TCP Wrappers, xinetd, or server-specific rules, but there are exceptions. For instance, if the computer has two network interfaces, xinetd can respond to queries on only one interface; it doesn't even listen for connections on the non-served interface.
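To make the TCP Wrappers screening step concrete, here is an added Python model of the hosts_access(5) decision procedure. It is example code written for this page, not part of the TCP Wrappers package or of the book's text. The two control files are constructed inline (no real /etc/hosts.allow or /etc/hosts.deny is read), the daemon names and addresses are hypothetical, and the matcher covers only the common pattern forms: ALL, a trailing-dot address prefix, net/mask or net/bits networks, literal addresses, and a single EXCEPT clause.

```python
import ipaddress
import re

# Constructed sample control files (inline text, not the real /etc files).
HOSTS_ALLOW = """\
# sshd: the LAN plus the 10/8 range, except the hypothetical 10.0.99.x guest segment
sshd: 192.168.1.0/255.255.255.0, 10.0.0.0/8 EXCEPT 10.0.99.
in.ftpd: 192.168.1.
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_list(text):
    """Split a comma/whitespace-separated list into (include, exclude) token lists.

    Only one EXCEPT clause is honoured; hosts_access(5) also allows them to nest.
    """
    parts = re.split(r"\s+EXCEPT\s+", text.strip(), maxsplit=1)

    def tokens(s):
        return [t for t in re.split(r"[,\s]+", s.strip()) if t]

    return tokens(parts[0]), (tokens(parts[1]) if len(parts) == 2 else [])


def parse_rules(text):
    """Turn 'daemon_list : client_list [: shell_command]' lines into rule tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":")                  # IPv4 only: ':' is the field separator
        if len(fields) < 2:
            continue                              # malformed line; tcpd would log it
        rules.append((parse_list(fields[0]), parse_list(fields[1])))
    return rules


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # '192.168.1.' prefix form
        return addr.startswith(pattern)
    if "/" in pattern:                            # 'net/mask' or 'net/bits' form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr                        # literal address


def list_matches(include_exclude, value, match_fn):
    include, exclude = include_exclude
    return any(match_fn(p, value) for p in include) and not any(
        match_fn(p, value) for p in exclude)


def rules_match(rules, daemon, addr):
    return any(list_matches(d, daemon, daemon_matches) and list_matches(c, addr, client_matches)
               for d, c in rules)


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Reproduce the hosts_access(5) evaluation order."""
    if rules_match(parse_rules(allow_text), daemon, addr):
        return True     # a hosts.allow match grants access; hosts.deny is never consulted
    if rules_match(parse_rules(deny_text), daemon, addr):
        return False    # a hosts.deny match refuses access
    return True         # no match in either file: TCP Wrappers lets the connection through


if __name__ == "__main__":
    checks = [("sshd", "192.168.1.42"), ("sshd", "10.0.5.7"), ("sshd", "10.0.99.7"),
              ("in.ftpd", "192.168.1.9"), ("in.telnetd", "192.168.1.9")]
    for daemon, addr in checks:
        print(f"{daemon:<12} {addr:<15} {'allow' if access_allowed(daemon, addr) else 'deny'}")
    # With an empty hosts.deny the fall-through default is to allow: one missing file
    # opens every wrapped service, which is why redundant restrictions matter.
    verdict = access_allowed("in.telnetd", "203.0.113.5", deny_text="")
    print(f"{'in.telnetd':<12} {'203.0.113.5':<15} {'allow' if verdict else 'deny'} (empty hosts.deny)")
```

The final case is the one worth remembering: if hosts.deny is missing or empty, every wrapped service that has no hosts.allow entry is reachable from anywhere, because the fall-through default grants access. A local firewall rule or a server-specific restriction would still catch that connection, which is the argument for layering the methods listed above rather than relying on any one of them.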

Tip If you have a choice of ways to implement a restriction, use them all! A misconfiguration or bug in one method might let an intruder through, so using redundant restrictions improves your system's security.

