IPv6 Security: Pembatasan Akses: Difference between revisions
Onnowpurbo (talk | contribs) New page: 19.2. Access limitations Many services uses the tcp_wrapper library for access control. Below is described the use of tcp_wrapper. More to be filled... |
Onnowpurbo (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
Banyak layanan menggunakan library tcp_wrapper untuk kontrol akses. | |||
22.8. tcp_wrapper | |||
tcp_wrapper is a library which can help you to protect service against misuse. | |||
22.8.1. Filtering capabilities | |||
You can use tcp_wrapper for | |||
Filtering against source addresses (IPv4 or IPv6) | |||
Filtering against users (requires a running ident daemon on the client) | |||
22.8.2. Which program uses tcp_wrapper | |||
Following are known: | |||
Each service which is called by xinetd (if xinetd is compiled using tcp_wrapper library) | |||
sshd (if compiled using tcp_wrapper) | |||
22.8.3. Usage | |||
tcp_wrapper is controlled by two files name /etc/hosts.allow and /etc/hosts.deny. For more information see | |||
$ man hosts.allow | |||
22.8.3.1. Example for /etc/hosts.allow | |||
In this file, each service which should be positive filtered (means connects are accepted) need a line. | |||
sshd: 1.2.3. [2001:0db8:100:200::]/64 | |||
daytime-stream: 1.2.3. [2001:0db8:100:200::]/64 | |||
Note: there are broken implementations around, which uses following broken IPv6 network description: [2001:0db8:100:200::/64]. Hopefully, such versions will be fixed soon. | |||
22.8.3.2. Example for /etc/hosts.deny | |||
This file contains all negative filter entries and should normally deny the rest using | |||
ALL: ALL | |||
If this node is a more sensible one you can replace the standard line above with this one, but this can cause a DoS attack (load of mailer and spool directory), if too many connects were made in short time. Perhaps a logwatch is better for such issues. | |||
ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`" | |||
| tee -a /var/log/tcp.deny.log | mail root@localhost) | |||
22.8.4. Logging | |||
Depending on the entry in the syslog daemon configuration file /etc/syslog.conf the tcp_wrapper logs normally into /var/log/secure. | |||
22.8.4.1. Refused connection | |||
A refused connection via IPv4 to an xinetd covered daytime service produces a line like following example | |||
Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap | |||
¬ from=::ffff:1.2.3.4 | |||
Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap | |||
from=2001:0db8:100:200::212:34ff:fe12:3456 | |||
A refused connection via IPv4 to an dual-listen sshd produces a line like following example | |||
Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4 | |||
¬ (::ffff:1.2.3.4) | |||
Jan 2 20:39:33 gate sshd[12345]: refused connect | |||
from 2001:0db8:100:200::212:34ff:fe12:3456 | |||
¬ (2001:0db8:100:200::212:34ff:fe12:3456) | |||
22.8.4.2. Permitted connection | |||
A permitted connection via IPv4 to an xinetd covered daytime service produces a line like following example | |||
Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 | |||
¬ from=::ffff:1.2.3.4 | |||
Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 | |||
from=2001:0db8:100:200::212:34ff:fe12:3456 | |||
A permitted connection via IPv4 to an dual-listen sshd produces a line like following example | |||
Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4 | |||
¬ port 33381 ssh2 | |||
Jan 2 20:42:19 gate sshd[12345]: Accepted password for user | |||
from 2001:0db8:100:200::212:34ff:fe12:3456 port 33380 ssh2 | |||
==Referensi== | |||
* http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/hints-daemons-tcpwrapper.html | |||
Revision as of 23:57, 10 July 2013
Banyak layanan menggunakan library tcp_wrapper untuk kontrol akses.
22.8. tcp_wrapper
tcp_wrapper is a library which can help you to protect service against misuse. 22.8.1. Filtering capabilities
You can use tcp_wrapper for
Filtering against source addresses (IPv4 or IPv6)
Filtering against users (requires a running ident daemon on the client)
22.8.2. Which program uses tcp_wrapper
Following are known:
Each service which is called by xinetd (if xinetd is compiled using tcp_wrapper library)
sshd (if compiled using tcp_wrapper)
22.8.3. Usage
tcp_wrapper is controlled by two files name /etc/hosts.allow and /etc/hosts.deny. For more information see
$ man hosts.allow
22.8.3.1. Example for /etc/hosts.allow
In this file, each service which should be positive filtered (means connects are accepted) need a line.
sshd: 1.2.3. [2001:0db8:100:200::]/64 daytime-stream: 1.2.3. [2001:0db8:100:200::]/64
Note: there are broken implementations around, which uses following broken IPv6 network description: [2001:0db8:100:200::/64]. Hopefully, such versions will be fixed soon. 22.8.3.2. Example for /etc/hosts.deny
This file contains all negative filter entries and should normally deny the rest using
ALL: ALL
If this node is a more sensible one you can replace the standard line above with this one, but this can cause a DoS attack (load of mailer and spool directory), if too many connects were made in short time. Perhaps a logwatch is better for such issues.
ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`"
| tee -a /var/log/tcp.deny.log | mail root@localhost)
22.8.4. Logging
Depending on the entry in the syslog daemon configuration file /etc/syslog.conf the tcp_wrapper logs normally into /var/log/secure. 22.8.4.1. Refused connection
A refused connection via IPv4 to an xinetd covered daytime service produces a line like following example
Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap ¬ from=::ffff:1.2.3.4 Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap
from=2001:0db8:100:200::212:34ff:fe12:3456
A refused connection via IPv4 to an dual-listen sshd produces a line like following example
Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4 ¬ (::ffff:1.2.3.4) Jan 2 20:39:33 gate sshd[12345]: refused connect
from 2001:0db8:100:200::212:34ff:fe12:3456
¬ (2001:0db8:100:200::212:34ff:fe12:3456)
22.8.4.2. Permitted connection
A permitted connection via IPv4 to an xinetd covered daytime service produces a line like following example
Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 ¬ from=::ffff:1.2.3.4 Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0
from=2001:0db8:100:200::212:34ff:fe12:3456
A permitted connection via IPv4 to an dual-listen sshd produces a line like following example
Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4 ¬ port 33381 ssh2 Jan 2 20:42:19 gate sshd[12345]: Accepted password for user
from 2001:0db8:100:200::212:34ff:fe12:3456 port 33380 ssh2
