Limiting Outside Access to the Server

Much of this chapter is devoted to a specific class of access restrictions based on the calling system's IP address or related information, such as the hostname or the port number used to initiate the connection. The theory behind these restrictions is that the IP address belongs to a known computer that can be trusted, at least to a limited extent. For instance, to prevent abuse, you might want to keep anybody but computers on your local area network (LAN) from accessing a VNC login server. You'd still implement password protections on this server; however, nobody from outside your LAN has any business even trying to access it, so you block any such attempts before they can even get the chance to enter a password. You can use similar restrictions to block only known troublemaker IP addresses or to grant access to specific systems outside of your LAN—for instance, to enable employees to use the VNC server to work from home if they have broadband Internet connections with static IP addresses. Several methods of implementing IP address restrictions are common:

Firewalls Traditionally, a firewall has been a router that blocks access to a network based on IP addresses and similar criteria. Recently, the term has come to apply to certain programs that can run on a single computer to protect that computer alone. One common type of firewall tool is a packet-filter firewall, which blocks individual TCP/IP packets at a low level in the network stack. The upcoming section, "Blocking IP Addresses with a Firewall," is devoted largely to implementing packet-filter firewall rules.

TCP Wrappers This program provides a means for programs to accept or reject connections based on the calling system's IP address or other criteria. It's frequently used in conjunction with the inetd super server, which mediates connections for many servers. The upcoming section, "Blocking IP Addresses with TCP Wrappers," covers TCP Wrappers in more detail.

xinetd This program can be thought of as roughly equivalent to a combination of inetd and TCP Wrappers, although it's a unique package with its own strengths and weaknesses. Using xinetd can be particularly helpful on computers with multiple network interfaces, because it can listen to one interface but not another on a server-by-server basis. The upcoming section, "Enhanced xinetd Access Restrictions," covers xinetd security features. Chapter 22, "Running Servers," covers xinetd's nonsecurity configuration.

Server-Specific Restrictions Many servers contain their own unique IP-based access restrictions. For many, these restrictions work much like TCP Wrappers restrictions; in fact, some use TCP Wrappers to implement these restrictions. A few servers, such as Network File System (NFS) servers, use IP-based restrictions as their primary security measure, so configuring these systems correctly is critically important.

Note Most of these access restriction tools enable you to specify computers by hostname instead of or in addition to using IP addresses. Some of these tools do a single lookup on the hostname when the program starts, though, making the lookup ineffective at tracking systems whose hostnames remain constant but whose IP addresses change. Using hostnames also opens these tools up to possible compromise of DNS servers. If a miscreant breaks into a network's DNS server and changes its entries, servers that use hostnames for security can be compromised.
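As an added illustration (not from the book), the following Python models the decision such tools make: rules are checked in order, known troublemakers are blocked first, the LAN and two employees' static home addresses are admitted, and anything else is denied; a second function models the once-at-startup hostname lookup the note warns about. All addresses and the hostname are constructed sample values.

```python
"""Access decisions based on the caller's IP address, as sketched above.

Rules are checked in order and the first match wins; a caller that matches
nothing is denied, so an outsider is turned away before ever seeing a
password prompt. All addresses and hostnames are constructed sample values.
"""
import ipaddress

# Constructed policy: block a known troublemaker range first, then admit
# the office LAN and two employees' static home addresses; default deny.
RULES = [
    ("deny", "203.0.113.0/24"),
    ("allow", "192.168.1.0/24"),
    ("allow", "198.51.100.17/32"),
    ("allow", "198.51.100.42/32"),
]


def decide(client_ip, rules=RULES):
    """Return 'allow' or 'deny' for one connecting address."""
    addr = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        # An IPv4 client never matches an IPv6 network and vice versa.
        if addr.version == net.version and addr in net:
            return action
    return "deny"


def rule_from_hostname(action, hostname, resolve):
    """Turn a hostname rule into an address rule by resolving it ONCE.

    This models tools that look the name up when they start. `resolve`
    stands in for DNS (a dict lookup in the test). Because the result is
    frozen, the rule keeps pointing at the old address after the host's IP
    changes, which is the weakness the chapter's note describes.
    """
    return (action, resolve(hostname) + "/32")


if __name__ == "__main__":
    for ip in ("192.168.1.20", "198.51.100.42", "203.0.113.7", "192.0.2.5"):
        print(ip, "->", decide(ip))
```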
