Loading
Paranoid Penguin: Using iptables for Local Security
Mick explains how to use the owner match extension for iptables to prevent local users from violating your network's security protocols.
As you can see, the uses of --uid-owner and --gid-owner are pretty straightforward. One thing I haven't mentioned yet is that both options accept names, as I've shown in the examples, or numeric IDs.
Another issue I've dodged is TCP Wrappers-style access controls. On any system that uses TCP Wrappers (or whose stunnel binary was compiled with support for libwrapper), you must add appropriate entries to /etc/hosts.allow for Stunnel to work properly, whether you run Stunnel in client mode or dæmon mode on that host. This is a good thing; rather than being one more thing capable of preventing Stunnel from working, you should think of it as another layer of your security onion.
Finally, I'm leaving it to you to tinker with --pid-owner and --sid-owner. I will give you a hint, though. Many dæmons write their parent PID in a predictable place on startup, that is, /var/run/sshd.pid. By reading such a PID file into a variable in your iptables startup script, you can match packets originating from a specific process. Good luck!
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- Designing Electronics with Linux
- New Products
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Dynamic DNS—an Object Lesson in Problem Solving
- Using Salt Stack and Vagrant for Drupal Development
- Validate an E-Mail Address with PHP, the Right Way
- Why Python?
- Tech Tip: Really Simple HTTP Server with Python
- Build a Skype Server for Your Home Phone System
- Linux Systems Administrator
- Dynamic DNS
26 min 15 sec ago - Reply to comment | Linux Journal
1 hour 24 min ago - Reply to comment | Linux Journal
2 hours 15 min ago - Not free anymore
6 hours 16 min ago - Great
10 hours 4 min ago - Reply to comment | Linux Journal
10 hours 12 min ago - Understanding the Linux Kernel
12 hours 26 min ago - General
14 hours 56 min ago - Kernel Problem
1 day 59 min ago - BASH script to log IPs on public web server
1 day 5 hours ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Comments
A misteak
The code after Next, we need to allow Stunnel itself to connect to strudel: calls
stunnelinstead ofiptables.Also: should the very first rule for
-P DROPchains be-m state --state ESTABLISHED,NEWor should it be-m state --state ESTABLISHED,RELATED? Perhaps I am mistaken, but I believe--state NEWpermits all new connections.Thank you!
This is the first article I have read that ended up being a truly step-by-step tutorial on setting up iptables in relation to local host network/port restrictions. A while ago I noticed that iptables had started to support user/group based restrictions, but after my first attempt at setting it up, I threw it on a back burner.
Having read through your article today, I decided to try once again to implement user based restrictions. I found that by following your instructions I was able to get a similar example working on my own machine. This in turn gave me a good grasp of the commands and their usage, so my later attempt to create custom restrictions was a resounding success.
Thank you for making an easy to follow, well thought out, and well explained/summarized article.