第 5 章 增强系统上运行服务的安全性
有两种方式来增强系统中运行的服务的安全性:
使其只能通过它们应当所在的访问点(接口)访问.
正确配置, 使其只能由合法的用户使用授权方式访问.
Restricting services so that they can only be accessed from a given place can be done by restricting access to them at the kernel (i.e. firewall) level, configure them to listen only on a given interface (some services might not provide this feature) or using some other methods, for example the Linux vserver patch (for 2.4.16) can be used to force processes to use only one interface.
Regarding the services running from inetd
(telnet
, ftp
, finger
, pop3
…) it is worth noting that inetd
can be configured so that services only listen on a given interface (using service@ip
syntax) but that’s an undocumented feature. One of its substitutes, the xinetd
meta-daemon includes a bind
option just for this matter. See ixnetd.conf(5) manual page.
- service nntp
- {
- socket_type = stream
- protocol = tcp
- wait = no
- user = news
- group = news
- server = /usr/bin/env
- server_args = POSTING_OK=1 PATH=/usr/sbin/:/usr/bin:/sbin/:/bin
- +/usr/sbin/snntpd logger -p news.info
- bind = 127.0.0.1
- }
以下部分将详细介绍如何根据其用途正确的配置各项服务.