White space fix only. Translators can ignore.

Sponsored by:	iXsystems
Dru Lavigne 2014-04-17 20:33:55 +00:00
parent 2595184f26
commit 9f6c3b13b1
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44601


@ -51,8 +51,8 @@
</listitem>
<listitem>
<para>How to configure <application>TCP Wrapper</application> for use
with &man.inetd.8;.</para>
<para>How to configure <application>TCP Wrapper</application>
for use with &man.inetd.8;.</para>
</listitem>
<listitem>
@ -877,21 +877,20 @@ Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
<indexterm><primary>TCP Wrapper</primary></indexterm>
<para><application>TCP Wrapper</application> is a host-based
access control system which extends the abilities of
<xref linkend="network-inetd"/>. It can be configured
to provide logging support, return messages, and
connection restrictions for the
server daemons under the control of
access control system which extends the abilities of <xref
linkend="network-inetd"/>. It can be configured to provide
logging support, return messages, and connection restrictions
for the server daemons under the control of
<application>inetd</application>. Refer to &man.tcpd.8; for
more information about
<application>TCP Wrapper</application> and its features.</para>
<para><application>TCP Wrapper</application> should not be considered a
replacement for a properly configured firewall.
Instead, <application>TCP Wrapper</application> should be used in conjunction
with a firewall and other security enhancements in order to
provide another layer of protection in the implementation of a
security policy.</para>
<para><application>TCP Wrapper</application> should not be
considered a replacement for a properly configured firewall.
Instead, <application>TCP Wrapper</application> should be used
in conjunction with a firewall and other security enhancements
in order to provide another layer of protection in the
implementation of a security policy.</para>
<sect2>
<title>Initial Configuration</title>
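Review bot: style point on the reflowed first paragraph of this hunk: the new wrapping splits the start tag of `<xref linkend="network-inetd"/>` across two lines (`<xref` at the end of one line, `linkend="network-inetd"/>` at the start of the next). That is well-formed XML, but it defeats a plain `grep 'xref linkend="network-inetd"'` over the handbook sources and makes later diffs of that element noisier; suggest keeping the whole empty element on one line and breaking the line before `<xref` instead, as the rest of this hunk already does for `<application>` and `<filename>` elements.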
@ -903,33 +902,35 @@ Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
<programlisting>inetd_enable="YES"
inetd_flags="-Ww"</programlisting>
<para>Then, properly configure
<para>Then, properly configure
<filename>/etc/hosts.allow</filename>.</para>
<note>
<para>Unlike other implementations of
<application>TCP Wrapper</application>, the use of <filename>hosts.deny</filename> is
deprecated in &os;. All configuration options should be placed
in <filename>/etc/hosts.allow</filename>.</para>
<application>TCP Wrapper</application>, the use of
<filename>hosts.deny</filename> is deprecated in &os;. All
configuration options should be placed in
<filename>/etc/hosts.allow</filename>.</para>
</note>
<para>In the simplest configuration, daemon connection policies
are set to either permit or block, depending on the
options in <filename>/etc/hosts.allow</filename>. The default
configuration in &os; is to allow all connections to the daemons
started with <application>inetd</application>.</para>
are set to either permit or block, depending on the options in
<filename>/etc/hosts.allow</filename>. The default
configuration in &os; is to allow all connections to the
daemons started with <application>inetd</application>.</para>
<para>Basic configuration usually takes the form of
<literal>daemon : address : action</literal>, where
<literal>daemon</literal> is the daemon which <application>inetd</application>
started, <literal>address</literal> is a valid hostname,
<literal>daemon</literal> is the daemon which
<application>inetd</application> started,
<literal>address</literal> is a valid hostname,
<acronym>IP</acronym> address, or an IPv6 address enclosed in
brackets ([&nbsp;]), and <literal>action</literal> is either
<literal>allow</literal> or <literal>deny</literal>.
<application>TCP Wrapper</application> uses a first rule match
semantic, meaning that the configuration file is scanned
from the beginning for a matching rule. When a match is found,
the rule is applied and the search process stops.</para>
semantic, meaning that the configuration file is scanned from
the beginning for a matching rule. When a match is found, the
rule is applied and the search process stops.</para>
<para>For example, to allow <acronym>POP</acronym>3 connections
via the <package>mail/qpopper</package> daemon, the following
@ -942,102 +943,100 @@ qpopper : ALL : allow</programlisting>
<para>Whenever this file is edited, restart
<application>inetd</application>:</para>
<screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
<screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
</sect2>
<sect2>
<title>Advanced Configuration</title>
<para><application>TCP Wrapper</application> provides advanced options
to allow more control over the way connections are handled.
In some cases, it may be appropriate to return a comment to
certain hosts or daemon connections. In other cases, a log
entry should be recorded or an email sent to the
<para><application>TCP Wrapper</application> provides advanced
options to allow more control over the way connections are
handled. In some cases, it may be appropriate to return a
comment to certain hosts or daemon connections. In other
cases, a log entry should be recorded or an email sent to the
administrator. Other situations may require the use of a
service for local connections only. This is all possible
through the use of configuration options known as
wildcards, expansion characters, and
external command execution.</para>
through the use of configuration options known as wildcards,
expansion characters, and external command execution.</para>
<para>Suppose that a situation occurs where a connection
should be denied yet a reason should be sent to the
host who attempted to establish that connection. That
action is possible with <option>twist</option>. When a
connection attempt is made, <option>twist</option> executes
a shell command or script. An example exists in
<filename>hosts.allow</filename>:</para>
<para>Suppose that a situation occurs where a connection should
be denied yet a reason should be sent to the host who
attempted to establish that connection. That action is
possible with <option>twist</option>. When a connection
attempt is made, <option>twist</option> executes a shell
command or script. An example exists in
<filename>hosts.allow</filename>:</para>
<programlisting># The rest of the daemons are protected.
<programlisting># The rest of the daemons are protected.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."</programlisting>
<para>In this example, the message <quote>You are not allowed
to use <replaceable>daemon name</replaceable> from
<replaceable>hostname</replaceable>.</quote> will be returned for
any daemon not configured in <filename>hosts.allow</filename>.
This is useful for sending a reply back to the connection
initiator right after the established connection is dropped.
Any message returned <emphasis>must</emphasis> be wrapped in
quote (<literal>"</literal>) characters.</para>
<para>In this example, the message <quote>You are not allowed to
use <replaceable>daemon name</replaceable> from
<replaceable>hostname</replaceable>.</quote> will be returned
for any daemon not configured in
<filename>hosts.allow</filename>. This is useful for sending
a reply back to the connection initiator right after the
established connection is dropped. Any message returned
<emphasis>must</emphasis> be wrapped in quote
(<literal>"</literal>) characters.</para>
<warning>
<para>It may be possible to launch a denial of service
attack on the server if an attacker
floods these daemons with connection
requests.</para>
</warning>
<warning>
<para>It may be possible to launch a denial of service attack
on the server if an attacker floods these daemons with
connection requests.</para>
</warning>
<para>Another possibility is to use <option>spawn</option>.
Like <option>twist</option>, <option>spawn</option>
implicitly denies the connection and may be used to run
external shell commands or scripts. Unlike
<option>twist</option>, <option>spawn</option> will not send
a reply back to the host who established the
connection. For example, consider the following
configuration:</para>
<para>Another possibility is to use <option>spawn</option>.
Like <option>twist</option>, <option>spawn</option> implicitly
denies the connection and may be used to run external shell
commands or scripts. Unlike <option>twist</option>,
<option>spawn</option> will not send a reply back to the host
who established the connection. For example, consider the
following configuration:</para>
<programlisting># We do not allow connections from example.com:
<programlisting># We do not allow connections from example.com:
ALL : .example.com \
: spawn (/bin/echo %a from %h attempted to access %d &gt;&gt; \
/var/log/connections.log) \
: deny</programlisting>
<para>This will deny all connection attempts from <systemitem
class="fqdomainname">*.example.com</systemitem> and log
the hostname, <acronym>IP</acronym> address, and the daemon
to which access was attempted to
<filename>/var/log/connections.log</filename>. This example
uses the substitution characters
<literal>%a</literal> and <literal>%h</literal>. Refer to
&man.hosts.access.5; for the complete list.</para>
<para>This will deny all connection attempts from <systemitem
class="fqdomainname">*.example.com</systemitem> and log the
hostname, <acronym>IP</acronym> address, and the daemon to
which access was attempted to
<filename>/var/log/connections.log</filename>. This example
uses the substitution characters <literal>%a</literal> and
<literal>%h</literal>. Refer to &man.hosts.access.5; for the
complete list.</para>
<para>To match every instance of a daemon, domain, or
<acronym>IP</acronym> address, use <literal>ALL</literal>. Another wildcard is
<literal>PARANOID</literal> which may be used to match
any host which provides an <acronym>IP</acronym> address
that may be forged because the
<acronym>IP</acronym> address differs from its resolved
hostname. In this example, all connection requests to
<application>Sendmail</application> which have an <acronym>IP</acronym> address
that varies from its hostname will be denied:</para>
<para>To match every instance of a daemon, domain, or
<acronym>IP</acronym> address, use <literal>ALL</literal>.
Another wildcard is <literal>PARANOID</literal> which may be
used to match any host which provides an <acronym>IP</acronym>
address that may be forged because the <acronym>IP</acronym>
address differs from its resolved hostname. In this example,
all connection requests to <application>Sendmail</application>
which have an <acronym>IP</acronym> address that varies from
its hostname will be denied:</para>
<programlisting># Block possibly spoofed requests to sendmail:
<programlisting># Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny</programlisting>
<caution>
<para>Using the <literal>PARANOID</literal> wildcard will
result in denied connections if the client or server has a
broken <acronym>DNS</acronym> setup.</para>
</caution>
<caution>
<para>Using the <literal>PARANOID</literal> wildcard will
result in denied connections if the client or server has a
broken <acronym>DNS</acronym> setup.</para>
</caution>
<para>To learn more about wildcards and their associated
functionality, refer to &man.hosts.access.5;.</para>
<para>To learn more about wildcards and their associated
functionality, refer to &man.hosts.access.5;.</para>
<note>
<para>When adding new configuration lines, make sure that any
unneeded entries for that daemon are commented
out in <filename>hosts.allow</filename>.</para>
unneeded entries for that daemon are commented out in
<filename>hosts.allow</filename>.</para>
</note>
</sect2>
</sect1>
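Review bot: out of scope for a whitespace-only reflow, but worth a follow-up: the `spawn` paragraph in this hunk says that, like `twist`, `spawn` "implicitly denies the connection", while the listing right after it ends with an explicit `: deny`. The two disagree, and the explicit `: deny` is what rejects the connection in that example; a `spawn` option on its own only runs the command in a child process, and a rule in `hosts.allow` that carries no `deny` keyword permits the match. Suggest rewording the sentence so it does not claim an implicit deny and instead points at the trailing `: deny` as the part of the rule that blocks access, so that a reader who copies the `spawn` line without it does not end up logging and allowing. Smaller documentation mismatch in the same hunk: the `twist` listing echoes "You are not welcome to use %d from %h." but the following paragraph quotes the returned message as "You are not allowed to use daemon name from hostname."; make the prose match the listing.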
@ -1772,15 +1771,16 @@ kadmind5_server_enable="YES"</programlisting>
<para><application>OpenSSL</application> is an open source
implementation of the <acronym>SSL</acronym> and
<acronym>TLS</acronym> protocols.
It provides an encryption transport layer on top of the normal
communications layer, allowing it to be intertwined with many
network applications and services.</para>
<acronym>TLS</acronym> protocols. It provides an encryption
transport layer on top of the normal communications layer,
allowing it to be intertwined with many network applications and
services.</para>
<para>The version of <application>OpenSSL</application> included
in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and
Transport Layer Security v1 (TLSv1) network security protocols
and can be used as a general cryptographic library.</para>
in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3)
and Transport Layer Security v1 (TLSv1) network security
protocols and can be used as a general cryptographic
library.</para>
<!--
This patent expired in 2012, is the note still needed?
<note>
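Review bot: the XML comment that opens with `<!--` and the line "This patent expired in 2012, is the note still needed?" is passed through unchanged by this reflow, so the source still ships a reviewer question embedded in a commented-out `<note>`. Since this commit is deliberately whitespace-only, suggest a separate follow-up that either deletes the commented-out block or restores the note, rather than leaving the question open in the handbook sources.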
@ -1793,32 +1793,32 @@ This patent expired in 2012, is the note still needed?
</note>
-->
<para><application>OpenSSL</application> is often used to
encrypt authentication of mail clients and to secure web based
<para><application>OpenSSL</application> is often used to encrypt
authentication of mail clients and to secure web based
transactions such as credit card payments. Some ports, such as
<package>www/apache24</package> and
<package>databases/postgresql91-server</package>, include a compile option for
building with <application>OpenSSL</application>. If selected,
the port will add support using the
<package>security/openssl</package> port. To instead have the
port compile against the built in version of
<package>databases/postgresql91-server</package>, include a
compile option for building with
<application>OpenSSL</application>. If selected, the port will
add support using the <package>security/openssl</package> port.
To instead have the port compile against the built in version of
<application>OpenSSL</application>, include
<varname>WITH_OPENSSL_BASE</varname> when compiling
in <application>OpenSSL</application> support.</para>
<varname>WITH_OPENSSL_BASE</varname> when compiling in
<application>OpenSSL</application> support.</para>
<para>Another common use of
<application>OpenSSL</application> is to provide certificates
for use with software applications. Certificates can be used to verify
the credentials of a company or individual.
If a certificate has not
been signed by an external <firstterm>Certificate Authority</firstterm>
<para>Another common use of <application>OpenSSL</application> is
to provide certificates for use with software applications.
Certificates can be used to verify the credentials of a company
or individual. If a certificate has not been signed by an
external <firstterm>Certificate Authority</firstterm>
(<acronym>CA</acronym>), such as <link
xlink:href="http://www.verisign.com">http://www.verisign.com</link>,
the application that uses the certificate will produce a warning.
There is a cost associated with obtaining a signed certificate and using a
signed certificate is not mandatory as certificates can be
self-signed. However, using an external authority will prevent warnings and can put
users at ease.</para>
the application that uses the certificate will produce a
warning. There is a cost associated with obtaining a signed
certificate and using a signed certificate is not mandatory as
certificates can be self-signed. However, using an external
authority will prevent warnings and can put users at
ease.</para>
<para>This section demonstrates how to create and use certificates
on a &os; system. Refer to <xref linkend="ldap-config"/> for an