IPv6 Security: Pembatasan Akses: Difference between revisions

From OnnoCenterWiki
Jump to navigationJump to search
← Older editNewer edit →
Onnowpurbo (talk | contribs)
69,477 edits
Onnowpurbo (talk | contribs)
69,477 edits
No edit summary
Onnowpurbo (talk | contribs)
69,477 edits
No edit summary
Line 1: Line 1:
Banyak layanan menggunakan library tcp_wrapper untuk kontrol akses.  
Banyak layanan menggunakan library tcp_wrapper untuk kontrol akses.  
Library tcp_wrapper dapat menolong kita untuk memproteksi layanan dari penggunaan yang salah.


22.8. tcp_wrapper
==Kemampuan Filtering==


tcp_wrapper is a library which can help you to protect service against misuse.
Kita dapat menggunakan tcp_wrapper untuk
22.8.1. Filtering capabilities


You can use tcp_wrapper for
* Filtering terhadap source address (IPv4 atau IPv6)
* Filtering terhadap pengguna (memerlukan inet daemon di client)


    Filtering against source addresses (IPv4 or IPv6)
==Program mana yang mengunakan tcp_wrapper==
 
    Filtering against users (requires a running ident daemon on the client)
 
22.8.2. Which program uses tcp_wrapper


Following are known:
Following are known:


    Each service which is called by xinetd (if xinetd is compiled using tcp_wrapper library)
* Each service which is called by xinetd (if xinetd is compiled using tcp_wrapper library) sshd (if compiled using tcp_wrapper)
 
    sshd (if compiled using tcp_wrapper)


22.8.3. Usage
==Penggunaan==


tcp_wrapper is controlled by two files name /etc/hosts.allow and /etc/hosts.deny. For more information see
tcp_wrapper is controlled by two files name /etc/hosts.allow and /etc/hosts.deny. For more information see


$ man hosts.allow
$ man hosts.allow


22.8.3.1. Example for /etc/hosts.allow
===22.8.3.1. Example for /etc/hosts.allow===


In this file, each service which should be positive filtered (means connects are accepted) need a line.
In this file, each service which should be positive filtered (means connects are accepted) need a line.


sshd:          1.2.3. [2001:0db8:100:200::]/64
sshd:          1.2.3. [2001:0db8:100:200::]/64
daytime-stream: 1.2.3. [2001:0db8:100:200::]/64
daytime-stream: 1.2.3. [2001:0db8:100:200::]/64


Note: there are broken implementations around, which uses following broken IPv6 network description: [2001:0db8:100:200::/64]. Hopefully, such versions will be fixed soon.
Note: there are broken implementations around, which uses following broken IPv6 network description: [2001:0db8:100:200::/64]. Hopefully, such versions will be fixed soon.
22.8.3.2. Example for /etc/hosts.deny
 
===22.8.3.2. Example for /etc/hosts.deny===


This file contains all negative filter entries and should normally deny the rest using
This file contains all negative filter entries and should normally deny the rest using


ALL: ALL
ALL: ALL


If this node is a more sensible one you can replace the standard line above with this one, but this can cause a DoS attack (load of mailer and spool directory), if too many connects were made in short time. Perhaps a logwatch is better for such issues.
If this node is a more sensible one you can replace the standard line above with this one, but this can cause a DoS attack (load of mailer and spool directory), if too many connects were made in short time. Perhaps a logwatch is better for such issues.


ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`"  
ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`"  
| tee -a /var/log/tcp.deny.log | mail root@localhost)
  | tee -a /var/log/tcp.deny.log | mail root@localhost)


22.8.4. Logging
==22.8.4. Logging==


Depending on the entry in the syslog daemon configuration file /etc/syslog.conf the tcp_wrapper logs normally into /var/log/secure.
Depending on the entry in the syslog daemon configuration file /etc/syslog.conf the tcp_wrapper logs normally into /var/log/secure.
22.8.4.1. Refused connection
 
===22.8.4.1. Refused connection===


A refused connection via IPv4 to an xinetd covered daytime service produces a line like following example
A refused connection via IPv4 to an xinetd covered daytime service produces a line like following example


Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap
Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap
¬ from=::ffff:1.2.3.4
¬ from=::ffff:1.2.3.4
Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap  
Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap  
from=2001:0db8:100:200::212:34ff:fe12:3456
  from=2001:0db8:100:200::212:34ff:fe12:3456


A refused connection via IPv4 to an dual-listen sshd produces a line like following example
A refused connection via IPv4 to an dual-listen sshd produces a line like following example


Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4
Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4
¬ (::ffff:1.2.3.4)
¬ (::ffff:1.2.3.4)
Jan 2 20:39:33 gate sshd[12345]: refused connect  
Jan 2 20:39:33 gate sshd[12345]: refused connect  
from 2001:0db8:100:200::212:34ff:fe12:3456
  from 2001:0db8:100:200::212:34ff:fe12:3456
¬ (2001:0db8:100:200::212:34ff:fe12:3456)
¬ (2001:0db8:100:200::212:34ff:fe12:3456)


22.8.4.2. Permitted connection
===22.8.4.2. Permitted connection===


A permitted connection via IPv4 to an xinetd covered daytime service produces a line like following example
A permitted connection via IPv4 to an xinetd covered daytime service produces a line like following example


Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0
Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0
¬ from=::ffff:1.2.3.4  
¬ from=::ffff:1.2.3.4  
Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0  
Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0  
from=2001:0db8:100:200::212:34ff:fe12:3456
  from=2001:0db8:100:200::212:34ff:fe12:3456


A permitted connection via IPv4 to an dual-listen sshd produces a line like following example
A permitted connection via IPv4 to an dual-listen sshd produces a line like following example


Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4
Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4
¬ port 33381 ssh2
¬ port 33381 ssh2
Jan 2 20:42:19 gate sshd[12345]: Accepted password for user  
Jan 2 20:42:19 gate sshd[12345]: Accepted password for user  
from 2001:0db8:100:200::212:34ff:fe12:3456 port 33380 ssh2
  from 2001:0db8:100:200::212:34ff:fe12:3456 port 33380 ssh2
 
 
 




Revision as of 00:13, 11 July 2013

Banyak layanan menggunakan library tcp_wrapper untuk kontrol akses. Library tcp_wrapper dapat menolong kita untuk memproteksi layanan dari penggunaan yang salah.

Kemampuan Filtering

Kita dapat menggunakan tcp_wrapper untuk

  • Filtering terhadap source address (IPv4 atau IPv6)
  • Filtering terhadap pengguna (memerlukan inet daemon di client)

Program mana yang mengunakan tcp_wrapper

Following are known:

  • Each service which is called by xinetd (if xinetd is compiled using tcp_wrapper library) sshd (if compiled using tcp_wrapper)

Penggunaan

tcp_wrapper is controlled by two files name /etc/hosts.allow and /etc/hosts.deny. For more information see 

$ man hosts.allow

22.8.3.1. Example for /etc/hosts.allow

In this file, each service which should be positive filtered (means connects are accepted) need a line. 

sshd:           1.2.3. [2001:0db8:100:200::]/64
daytime-stream: 1.2.3. [2001:0db8:100:200::]/64

Note: there are broken implementations around, which uses following broken IPv6 network description: [2001:0db8:100:200::/64]. Hopefully, such versions will be fixed soon.

22.8.3.2. Example for /etc/hosts.deny

This file contains all negative filter entries and should normally deny the rest using 

ALL: ALL

If this node is a more sensible one you can replace the standard line above with this one, but this can cause a DoS attack (load of mailer and spool directory), if too many connects were made in short time. Perhaps a logwatch is better for such issues. 

ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`" 
 | tee -a /var/log/tcp.deny.log | mail root@localhost)

22.8.4. Logging

Depending on the entry in the syslog daemon configuration file /etc/syslog.conf the tcp_wrapper logs normally into /var/log/secure.

22.8.4.1. Refused connection

A refused connection via IPv4 to an xinetd covered daytime service produces a line like following example 

Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap
¬ from=::ffff:1.2.3.4
Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap 
 from=2001:0db8:100:200::212:34ff:fe12:3456

A refused connection via IPv4 to an dual-listen sshd produces a line like following example 

Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4
¬ (::ffff:1.2.3.4)
Jan 2 20:39:33 gate sshd[12345]: refused connect 
 from 2001:0db8:100:200::212:34ff:fe12:3456
¬ (2001:0db8:100:200::212:34ff:fe12:3456)

22.8.4.2. Permitted connection

A permitted connection via IPv4 to an xinetd covered daytime service produces a line like following example 

Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0
¬ from=::ffff:1.2.3.4 
Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 
 from=2001:0db8:100:200::212:34ff:fe12:3456

A permitted connection via IPv4 to an dual-listen sshd produces a line like following example 

Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4
¬ port 33381 ssh2
Jan 2 20:42:19 gate sshd[12345]: Accepted password for user 
 from 2001:0db8:100:200::212:34ff:fe12:3456 port 33380 ssh2


Referensi

Retrieved from "https://lms.onnocenter.or.id/wiki/index.php?title=IPv6_Security:_Pembatasan_Akses&oldid=37753"