Difference between revisions of "IPv6 Security: Pembatasan Akses"
Onnowpurbo (talk | contribs)
Revision as of 07:13, 11 July 2013
Many services use the tcp_wrapper library for access control. The tcp_wrapper library can help us protect services from misuse.
Filtering capabilities
We can use tcp_wrapper for:
- Filtering by source address (IPv4 or IPv6)
- Filtering by user (requires an inet daemon on the client)
Which programs use tcp_wrapper
The following are known:
- Each service that is called by xinetd (if xinetd is compiled with the tcp_wrapper library)
- sshd (if compiled with tcp_wrapper)
Usage
tcp_wrapper is controlled by two files named /etc/hosts.allow and /etc/hosts.deny. For more information see
$ man hosts.allow
22.8.3.1. Example for /etc/hosts.allow
In this file, each service that should be positively filtered (meaning connections are accepted) needs a line.
sshd: 1.2.3. [2001:0db8:100:200::]/64
daytime-stream: 1.2.3. [2001:0db8:100:200::]/64
Note: there are broken implementations around which use the following broken IPv6 network description: [2001:0db8:100:200::/64]. Hopefully, such versions will be fixed soon.
22.8.3.2. Example for /etc/hosts.deny
This file contains all negative filter entries and should normally deny the rest using
ALL: ALL
If this node is a more sensitive one, you can replace the standard line above with this one, but this can cause a DoS (load on the mailer and spool directory) if too many connections are made in a short time. Perhaps a logwatch is better for such issues.
ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`" | tee -a /var/log/tcp.deny.log | mail root@localhost)
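As an added example (not part of this page or of the tcp_wrapper project), the following Python script emulates how tcp_wrapper evaluates the two files above: hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is granted access. It handles the IPv4 dotted-prefix form "1.2.3.", the standard "[addr]/len" IPv6 form, the IPv4-mapped addresses (::ffff:a.b.c.d) that a dual-stack listener reports for IPv4 peers, and it flags the "[addr/len]" form that the note above calls broken. The file contents are constructed copies of the page's examples, the client address 2001:db8:100:200:212:34ff:fe12:3456 is a constructed host inside the example /64, and nothing is read from /etc, so the script can be used offline to sanity-check a rule set before deploying it.

```python
import ipaddress
import re

# Constructed copies of the page's example files (nothing is read from /etc here).
HOSTS_ALLOW = """
# daemon_list : client_list
sshd: 1.2.3. [2001:0db8:100:200::]/64
daytime-stream: 1.2.3. [2001:0db8:100:200::]/64
"""
HOSTS_DENY = "ALL: ALL\n"
# The page's alternative deny line, which additionally runs a shell command per refused connect.
HOSTS_DENY_SPAWN = ('ALL: ALL: spawn (echo "Attempt from %h %a to %d at `date`"'
                    ' | tee -a /var/log/tcp.deny.log | mail root@localhost)\n')


def split_fields(line):
    """Split a rule on ':' that lie outside [...]. IPv6 literals contain ':'
    themselves, which is why tcp_wrapper requires them in brackets."""
    fields, current, depth = [], [], 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    fields.append("".join(current).strip())
    return fields


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns, shell_command_or_None), ...].
    Blank lines and lines starting with '#' are ignored, as in hosts_access(5)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = re.split(r"[\s,]+", fields[0])
        clients = re.split(r"[\s,]+", fields[1])
        command = fields[2] if len(fields) > 2 else None
        rules.append((daemons, clients, command))
    return rules


def normalize_client(addr):
    """A dual-stack listener sees IPv4 peers as ::ffff:a.b.c.d; unmap them so
    IPv4 patterns such as '1.2.3.' apply to them."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def client_matches(pattern, ip):
    """Does one client pattern from hosts.allow/hosts.deny match the peer address?"""
    if pattern == "ALL":
        return True
    if pattern.startswith("["):
        inner, closed, rest = pattern[1:].partition("]")
        if not closed:
            raise ValueError(f"unterminated IPv6 literal: {pattern!r}")
        if "/" in inner:
            # [addr/len] is the form the page calls broken; the standard form is [addr]/len.
            raise ValueError(f"prefix length inside brackets: {pattern!r}; use [addr]/len")
        network = ipaddress.IPv6Network(inner + (rest or "/128"), strict=False)
        return isinstance(ip, ipaddress.IPv6Address) and ip in network
    if pattern.endswith("."):
        # Trailing dot: IPv4 dotted prefix, e.g. '1.2.3.' covers 1.2.3.0 - 1.2.3.255.
        return isinstance(ip, ipaddress.IPv4Address) and str(ip).startswith(pattern)
    network = ipaddress.ip_network(pattern, strict=False)
    return ip.version == network.version and ip in network


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def first_match(rules, daemon, ip):
    """First matching rule as (True, shell_command) or (False, None) if none matches."""
    for daemons, clients, command in rules:
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, ip) for c in clients):
            return True, command
    return False, None


def check_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrapper's decision order: hosts.allow first, then hosts.deny,
    and access is granted when neither file matches. Returns (decision, shell_command)."""
    ip = normalize_client(client)
    matched, command = first_match(parse_rules(allow_text), daemon, ip)
    if matched:
        return "allow", command
    matched, command = first_match(parse_rules(deny_text), daemon, ip)
    if matched:
        return "deny", command
    return "allow", None


def lint_patterns(text):
    """Report client patterns that would not be accepted; useful before deploying a file."""
    problems = []
    probe = ipaddress.ip_address("::1")
    for _, clients, _ in parse_rules(text):
        for pattern in clients:
            try:
                client_matches(pattern, probe)
            except ValueError as exc:
                problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed peers: an IPv4-mapped client, a host in the allowed /64, and two outsiders.
    for daemon, client in [("sshd", "::ffff:1.2.3.4"),
                           ("daytime-stream", "2001:db8:100:200:212:34ff:fe12:3456"),
                           ("sshd", "2001:db8:100:201::1"),
                           ("daytime-stream", "5.6.7.8")]:
        print(daemon, client, check_access(daemon, client))
    print("lint:", lint_patterns("sshd: [2001:0db8:100:200::/64]\n"))
```

The last line of the demo shows the lint rejecting the bracketed-prefix form; which of the two forms your installed libwrap accepts depends on its version, as the note above says, so lint the file against the notation your version expects.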
22.8.4. Logging
Depending on the entry in the syslog daemon configuration file /etc/syslog.conf, tcp_wrapper normally logs to /var/log/secure.
22.8.4.1. Refused connection
A refused connection to an xinetd-covered daytime service produces a line like the following examples (first via IPv4, logged as an IPv4-mapped IPv6 address, then via IPv6):
Jan 2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap from=::ffff:1.2.3.4
Jan 2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap from=2001:0db8:100:200::212:34ff:fe12:3456
A refused connection to a dual-listen sshd produces a line like the following examples (IPv4 first, then IPv6):
Jan 2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4 (::ffff:1.2.3.4)
Jan 2 20:39:33 gate sshd[12345]: refused connect from 2001:0db8:100:200::212:34ff:fe12:3456 (2001:0db8:100:200::212:34ff:fe12:3456)
22.8.4.2. Permitted connection
A permitted connection to an xinetd-covered daytime service produces a line like the following examples (IPv4 first, then IPv6):
Jan 2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 from=::ffff:1.2.3.4
Jan 2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 from=2001:0db8:100:200::212:34ff:fe12:3456
A permitted connection to a dual-listen sshd produces a line like the following examples (IPv4 first, then IPv6):
Jan 2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4 port 33381 ssh2
Jan 2 20:42:19 gate sshd[12345]: Accepted password for user from 2001:0db8:100:200::212:34ff:fe12:3456 port 33380 ssh2
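Added example, not from this page or the tcp_wrapper project: a Python parser for the xinetd and sshd lines shown above. It classifies each line as refused or permitted, normalizes IPv4-mapped sources (::ffff:1.2.3.4) back to plain IPv4 so that one host is counted once, and reports sources that exceed a refusal threshold. That is the kind of periodic logwatch-style report the hosts.deny section prefers over mailing root on every refused connect. The sample log is constructed from the page's lines (continuation marks joined) plus three constructed refusals from 5.6.7.8 and one unrelated cron line. One caveat worth knowing: the page's example IPv6 address has eight hextets plus a "::", which strict parsers such as Python's ipaddress module reject, so the parser keeps unparseable addresses as logged instead of dropping the event.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log: the page's xinetd/sshd lines (continuation marks joined), then
# three constructed refusals from 5.6.7.8 and one unrelated cron line that must be skipped.
SAMPLE_LOG = """\
Jan  2 20:40:44 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap from=::ffff:1.2.3.4
Jan  2 20:32:06 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap from=2001:0db8:100:200::212:34ff:fe12:3456
Jan  2 20:24:17 gate sshd[12345]: refused connect from ::ffff:1.2.3.4 (::ffff:1.2.3.4)
Jan  2 20:39:33 gate sshd[12345]: refused connect from 2001:0db8:100:200::212:34ff:fe12:3456 (2001:0db8:100:200::212:34ff:fe12:3456)
Jan  2 20:37:50 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 from=::ffff:1.2.3.4
Jan  2 20:37:56 gate xinetd-ipv6[12346]: START: daytime-stream pid=0 from=2001:0db8:100:200::212:34ff:fe12:3456
Jan  2 20:43:10 gate sshd[21975]: Accepted password for user from ::ffff:1.2.3.4 port 33381 ssh2
Jan  2 20:42:19 gate sshd[12345]: Accepted password for user from 2001:0db8:100:200::212:34ff:fe12:3456 port 33380 ssh2
Jan  2 20:44:01 gate sshd[12347]: refused connect from ::ffff:5.6.7.8 (::ffff:5.6.7.8)
Jan  2 20:44:02 gate xinetd-ipv6[12346]: FAIL: daytime-stream libwrap from=::ffff:5.6.7.8
Jan  2 20:44:03 gate sshd[12348]: refused connect from ::ffff:5.6.7.8 (::ffff:5.6.7.8)
Jan  2 20:45:00 gate CRON[12349]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Patterns for the three line shapes the page shows; xinetd may log as xinetd or xinetd-ipv6.
XINETD_RE = re.compile(
    r"xinetd(?:-ipv6)?\[\d+\]: (?P<outcome>FAIL|START): (?P<service>\S+) .*?from=(?P<src>\S+)")
SSHD_REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (?P<src>\S+)")
SSHD_ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (?P<src>\S+) port \d+")


def normalize_source(addr):
    """Canonical string for a logged peer: IPv4-mapped -> IPv4, IPv6 compressed/lowercased.
    Addresses that do not parse are kept as logged (lowercased) rather than dropped."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr.lower()
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_line(line):
    """Return {"service", "outcome", "source"} for a tcp_wrapper-related line, else None."""
    m = XINETD_RE.search(line)
    if m:
        outcome = "refused" if m.group("outcome") == "FAIL" else "permitted"
        return {"service": m.group("service"), "outcome": outcome,
                "source": normalize_source(m.group("src"))}
    m = SSHD_REFUSED_RE.search(line)
    if m:
        return {"service": "sshd", "outcome": "refused",
                "source": normalize_source(m.group("src"))}
    m = SSHD_ACCEPTED_RE.search(line)
    if m:
        return {"service": "sshd", "outcome": "permitted",
                "source": normalize_source(m.group("src"))}
    return None


def parse_log(text):
    """All recognised events in the log text, in file order; unrelated lines are skipped."""
    return [event for event in (parse_line(line) for line in text.splitlines()) if event]


def refusals_by_source(events):
    """Number of refused connects per (normalized) source address."""
    return Counter(event["source"] for event in events if event["outcome"] == "refused")


def noisy_sources(events, threshold=3):
    """Sources with at least `threshold` refusals, sorted, for a periodic report."""
    return sorted(src for src, n in refusals_by_source(events).items() if n >= threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events, {sum(e['outcome'] == 'refused' for e in events)} refused")
    for src, n in refusals_by_source(events).most_common():
        print(f"  {src}: {n} refused")
    print("over threshold:", noisy_sources(events))
```

Feed it the real file with `parse_log(open("/var/log/secure").read())` from a cron job; because counting happens after the fact, a burst of refused connects costs a few regex matches per line rather than a mail delivery and spool write per connect.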