Paranoid Penguin: Using iptables for Local Security
As you can see, the uses of --uid-owner and --gid-owner are pretty straightforward. One thing I haven't mentioned yet is that both options accept names, as I've shown in the examples, or numeric IDs.
Another issue I've dodged is TCP Wrappers-style access controls. On any system that uses TCP Wrappers (or whose stunnel binary was compiled with support for libwrapper), you must add appropriate entries to /etc/hosts.allow for Stunnel to work properly, whether you run Stunnel in client mode or dæmon mode on that host. This is a good thing; rather than being one more thing capable of preventing Stunnel from working, you should think of it as another layer of your security onion.
Finally, I'm leaving it to you to tinker with --pid-owner and --sid-owner. I will give you a hint, though. Many dæmons write their parent PID in a predictable place on startup, that is, /var/run/sshd.pid. By reading such a PID file into a variable in your iptables startup script, you can match packets originating from a specific process. Good luck!
Mick Bauer (firstname.lastname@example.org) is a network security consultant for Upstream Solutions, Inc., based in Minneapolis, Minnesota. He is the author of the upcoming O'Reilly book Building Secure Servers With Linux, composer of the “Network Engineering Polka” and a proud parent (of children).
|SUSE Linux Enterprise High Availability Extension||Mar 29, 2017|
|Hybrid Cloud Storage Delivers Performance and Value||Mar 29, 2017|
|smbclient Security for Windows Printing and File Transfer||Mar 28, 2017|
|How to Calculate Flash Storage TCO||Mar 27, 2017|
|Non-Linux FOSS: Don't Drink the Apple Kool-Aid; Brew Your Own!||Mar 27, 2017|
|Three EU Industries That Need HPC Now||Mar 25, 2017|
- smbclient Security for Windows Printing and File Transfer
- SUSE Linux Enterprise High Availability Extension
- Non-Linux FOSS: Don't Drink the Apple Kool-Aid; Brew Your Own!
- Returning Values from Bash Functions
- Hybrid Cloud Storage Delivers Performance and Value
- How to Calculate Flash Storage TCO
- Preseeding Full Disk Encryption
- Two Ways GDPR Will Change Your Data Storage Solution
- Hodge Podge
- Chemistry on the Desktop