Red Hat Linux 6 security

 TCP Wrappers and Connection Banners

 Displaying a suitable banner when users connect to a service is a good way to let potential attackers know that the system administrator is being vigilant. You can also control what information about the system is presented to users. To implement a TCP Wrappers banner for a service, use the banner option.

 This example implements a banner for vsftpd. To begin, create a banner file. It can be anywhere on the system, but it must have the same name as the daemon (the name TCP Wrappers reports in the %d token). For this example, the file is called /etc/banners/vsftpd and contains the following lines:

220-Hello, %c 
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.

 The %c token expands to as much client information as TCP Wrappers can determine: user@host, user@address, a host name, or just an IP address. Echoing it back tells the connecting party exactly what was recorded about them.

 For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:

vsftpd : ALL : banners /etc/banners/

 TCP Wrappers and Attack Warnings

 If a particular host or network has been detected attacking the server, TCP Wrappers can be used to warn the administrator of subsequent attacks from that host or network using the spawn directive.

 In this example, assume that a cracker from the 206.182.68.0/24 network has been detected attempting to attack the server. Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file. Note that hosts_access(5) has no prefix-length syntax for IPv4 addresses: a network is written as a net/mask pair, so the /24 becomes 206.182.68.0/255.255.255.0 (a bare 206.182.68.0 would match only that single address):

ALL : 206.182.68.0/255.255.255.0 : spawn /bin/echo `date` %c %d >> /var/log/intruder_alert

 The %d token supplies the name of the service that the attacker was trying to access. Characters in % expansions that could be interpreted by the shell are replaced with underscores before substitution, so a client cannot inject commands into the spawned command line through a crafted hostname or username; the command still runs with the privileges of the wrapped daemon, so keep it minimal.

 To allow the connection and log it, place the spawn directive in the /etc/hosts.allow file.
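As an added example (not part of the Red Hat guide), the script below builds the hosts.deny warning rule for a network given in CIDR form, converting the prefix length to the net/mask notation hosts_access(5) expects, and then summarises a constructed /var/log/intruder_alert of the shape the spawn line produces (the output of `date`, then %c, then %d). The log lines and the 206.182.68.0/24 network are assumed sample values.

```shell
#!/bin/sh
# Added example: generate a hosts.deny warning rule and summarise the
# intruder_alert file that the spawned echo appends to.

# hosts_access(5) has no IPv4 prefix-length syntax; a network must be
# written as net/mask.  Convert a prefix length (0-32) to a dotted mask.
cidr_to_mask() {
  bits=$1
  m=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
                          $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# Emit the hosts.deny line for "network/prefix", e.g. 206.182.68.0/24.
# The %%c and %%d below survive printf as %c and %d for tcp_wrappers;
# the backticks inside single quotes are passed through literally.
deny_rule() {
  net=${1%/*}
  bits=${1#*/}
  printf 'ALL : %s/%s : spawn /bin/echo `date` %%c %%d >> /var/log/intruder_alert\n' \
    "$net" "$(cidr_to_mask "$bits")"
}

# Constructed sample of what the spawn line appends: `date`, %c, %d.
SAMPLE_LOG='Tue Mar  5 10:14:02 UTC 2024 206.182.68.17 in.telnetd
Tue Mar  5 10:14:09 UTC 2024 206.182.68.17 vsftpd
Tue Mar  5 10:15:44 UTC 2024 206.182.68.40 in.telnetd
Tue Mar  5 10:16:01 UTC 2024 206.182.68.17 sshd'

# Client (the %c field, second from last) with the most attempts.
# Reads the log on stdin and prints "client count".
top_offender() {
  awk 'BEGIN { best = 0 }
       { n[$(NF - 1)]++ }
       END {
         for (c in n) if (n[c] > best) { best = n[c]; who = c }
         print who, best
       }'
}

# Number of attempts against one service name (the %d field, last).
service_hits() {
  awk -v svc="$1" '$NF == svc { n++ } END { print n + 0 }'
}

deny_rule 206.182.68.0/24
printf '%s\n' "$SAMPLE_LOG" | top_offender
printf '%s\n' "$SAMPLE_LOG" | service_hits in.telnetd
```

Because `date` output contains spaces, the summary functions read the client and service from the end of each line rather than by fixed column; %c is one token whatever form it takes (user@host, host, or address).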

TCP Wrappers and Enhanced Logging

 If certain types of connections are of more concern than others, the log level can be elevated for that service using the severity option.

 For this example, assume that anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker. To denote this, log the attempt at the emerg priority instead of the default priority, info, and deny the connection.

To do this, place the following line in /etc/hosts.deny:

in.telnetd : ALL : severity emerg

 This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg. With the default Red Hat Enterprise Linux 6 rsyslog configuration (`*.emerg *`), emerg messages are broadcast to every logged-in user rather than only written to the log file. The severity option also accepts a facility.priority pair (for example, `severity mail.info`) if the message should go to a different facility. Because the line is in /etc/hosts.deny and /etc/hosts.allow is consulted first, make sure no hosts.allow entry already grants in.telnetd access, or the deny rule is never reached.

Protect portmap With iptables

 To further restrict access to the portmap service, it is a good idea to add iptables rules to the server and restrict access to specific networks.

 Below are two example iptables commands. The first allows TCP connections to port 111 (used by the portmap service) from the localhost, which the sgi_fam service used by Nautilus requires. The second drops TCP connections to the same port from any source outside the 192.168.0.0/24 network. The order matters: iptables evaluates INPUT rules top to bottom and stops at the first match, and 127.0.0.1 is not inside 192.168.0.0/24, so if the DROP rule were appended first it would discard the local connections before the ACCEPT rule was ever consulted. Only traffic to port 111 is affected; packets to other ports are not matched by these rules.

~]# iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
~]# iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP

 

To similarly limit UDP traffic, use the following command (if local RPC clients reach portmap over UDP, add a matching ACCEPT for 127.0.0.1 ahead of it, as above):

~]# iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP

Rules added with iptables -A apply only to the running kernel; run `service iptables save` to write them to /etc/sysconfig/iptables so they survive a reboot.
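As an added example (not part of the Red Hat guide), the script below emits the portmap rules for both protocols in the order that works, and includes a check that reads `iptables -S INPUT` output and confirms the localhost ACCEPT precedes the negated-source DROP for port 111. With IPTABLES left at its default of echo the commands are only printed for review; setting IPTABLES=iptables as root applies them. The 192.168.0.0/24 network and the two listings are assumed sample values constructed in the format `iptables -S` prints.

```shell
#!/bin/sh
# Added example: ordered portmap rules plus a rule-order check.
# iptables stops at the first matching rule, so the localhost ACCEPT has to
# come before the DROP that matches everything outside the allowed network.
IPTABLES=${IPTABLES:-echo}   # echo = dry run; set to iptables to apply

portmap_rules() {
  allowed=$1                 # e.g. 192.168.0.0/24
  for proto in tcp udp; do
    "$IPTABLES" -A INPUT -p "$proto" -s 127.0.0.1 --dport 111 -j ACCEPT
    "$IPTABLES" -A INPUT -p "$proto" ! -s "$allowed" --dport 111 -j DROP
  done
}

# Read "iptables -S INPUT" output on stdin; succeed (exit 0) only if, for the
# given protocol, the 127.0.0.1 ACCEPT on port 111 appears before the
# negated-source DROP on port 111.  Fails if either rule is missing.
localhost_before_drop() {
  awk -v proto="$1" '
    index($0, "-p " proto) && /--dport 111/ && /-s 127\.0\.0\.1/ && /-j ACCEPT/ && !acc { acc = NR }
    index($0, "-p " proto) && /--dport 111/ && /! -s/ && /-j DROP/ && !drop { drop = NR }
    END { exit !(acc && drop && acc < drop) }'
}

# Constructed listings in "iptables -S INPUT" format (not captured output).
GOOD_LISTING='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -p tcp -m tcp --dport 111 -j DROP'

# DROP appended first: local connections never reach the ACCEPT.
BAD_LISTING='-P INPUT ACCEPT
-A INPUT ! -s 192.168.0.0/24 -p tcp -m tcp --dport 111 -j DROP
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 111 -j ACCEPT'

portmap_rules 192.168.0.0/24
printf '%s\n' "$GOOD_LISTING" | localhost_before_drop tcp && echo "good listing: localhost reaches portmap"
printf '%s\n' "$BAD_LISTING" | localhost_before_drop tcp || echo "bad listing: localhost is dropped first"
```

On a live system the check is `iptables -S INPUT | localhost_before_drop tcp` (and again for udp); it is cheap enough to run from a configuration test before the rules are saved.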