Archive for June, 2009

SBDavid

Protect portmap With iptables

The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.

Securing portmap only affects NFSv2 and NFSv3 implementations, since NFSv4 no longer requires it. If you plan to implement an NFSv2 or NFSv3 server, then portmap is required, and the following section applies.

Below are two example iptables commands. One accepts TCP connections to port 111 (the port used by the portmap service) from the localhost; the other drops TCP connections to that port from any source outside the 192.168.0.0/24 network, so only that network and the local host can reach portmap. The ACCEPT rule is appended first: iptables evaluates rules in order, and 127.0.0.1 lies outside 192.168.0.0/24, so if the DROP rule came first it would discard loopback traffic before the ACCEPT rule was ever consulted.

Example:

# Accept portmap (TCP/111) from the local host; this must precede the DROP rule
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
# Drop portmap (TCP/111) from every source outside 192.168.0.0/24
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP

To limit UDP traffic in the same way (portmap listens on UDP port 111 as well), use the following command. As with TCP, a matching ACCEPT rule for 127.0.0.1 must precede it if local clients use UDP.

# Drop portmap (UDP/111) from every source outside 192.168.0.0/24
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP

Shared Libraries

Shared libraries are units of code, such as glibc, that are used by a number of applications and services. An application using a shared library typically loads the shared code when it starts, so after a library is updated on disk every running application that uses it keeps executing the old copy until it is halted and relaunched.
To determine which running applications link against a particular library, use the lsof command as in the following example:

Example

$ lsof /lib/libnsl.so.1

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dbus-laun 3337 jyothis mem REG 8,2 79612 1882725 /lib/libnsl-2.9.so
dbus-daem 3338 jyothis mem REG 8,2 79612 1882725 /lib/libnsl-2.9.so
xscreensa 3343 jyothis mem REG 8,2 79612 1882725 /lib/libnsl-2.9.so
xfce4-ses 3347 jyothis mem REG 8,2 79612 1882725 /lib/libnsl-2.9.so
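
Added example, not code from the original post: a Python script that gathers the same information as the lsof command above by reading /proc/<pid>/maps directly, and additionally flags processes whose mapped copy of the library was replaced on disk (the kernel shows such mappings as "(deleted)"), which is exactly the case that needs a restart. The sample maps content and PIDs are constructed, not captured from a real system.

```python
import os
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$")

def libs_in_maps(maps_text):
    """Return {path: stale} for each file-backed mapping in one maps file; stale is True
    when the path is marked "(deleted)": the file was replaced on disk, old code still runs."""
    found = {}
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m or m.group("inode") == "0":
            continue  # anonymous mapping, [heap], [stack], [vdso] ...
        path = m.group("path").strip()
        stale = path.endswith(" (deleted)")
        path = path[:-len(" (deleted)")] if stale else path
        if path.startswith("/"):
            found[path] = found.get(path, False) or stale
    return found

def processes_using(lib_name, maps_by_pid):
    """(pid, path, stale) for every process mapping a library whose file name starts
    with lib_name: what `lsof /lib/libnsl.so.1` lists, plus the stale flag."""
    hits = []
    for pid, maps_text in sorted(maps_by_pid.items()):
        for path, stale in libs_in_maps(maps_text).items():
            if os.path.basename(path).startswith(lib_name):
                hits.append((pid, path, stale))
    return hits

def read_proc_maps(proc_root="/proc"):
    """Collect /proc/<pid>/maps for every readable process (run as root to see all)."""
    result = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "maps")) as fh:
                    result[int(entry)] = fh.read()
            except OSError:
                pass  # process exited, or its maps are not readable by this user
    return result

# Constructed sample (not from a real system): PID 3343 still maps a replaced libnsl.
SAMPLE_MAPS = {
    3337: "7f1c2a400000-7f1c2a413000 r-xp 00000000 08:02 1882725 /lib/libnsl-2.9.so\n"
          "7f1c2ab00000-7f1c2ab21000 rw-p 00000000 00:00 0 [heap]\n",
    3343: "7f0a10000000-7f0a10013000 r-xp 00000000 08:02 1882700 /lib/libnsl-2.9.so (deleted)\n",
}
```

On a live system, `processes_using("libnsl", read_proc_maps())` run as root lists every process to restart after the library update; a True third field means the process is still executing the pre-update copy.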

Verifying Signed Packages using GNU Privacy Guard

GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. The vendor signs a package with its private key (secret key), and the matching public key is used to verify that signature. If, during RPM verification, the signature does not verify against the public key distributed by the OS vendor, the package may have been altered and therefore cannot be trusted.
Assuming the installation disc is mounted at /mnt/cdrom, use the following command to import the vendor's public key into the RPM keyring (the database of trusted keys on the system):

rpm --import /mnt/cdrom/RPM-GPG-KEY

To verify all the downloaded packages at once, issue the following command:

rpm -K /tmp/updates/*.rpm

For each package whose signature verifies successfully, the output line ends in gpg OK; any other result means the package cannot be trusted.

Kernel Modules

In many cases the modinfo command will tell you what a particular driver or module does:

root@:~# modinfo -d i915
Intel Graphics

modinfo — program to show information about a Linux Kernel module

root@:~# modinfo -d soundcore
Core sound module

modinfo extracts information from the Linux Kernel modules given on the command line. If the module name is not a filename, then the /lib/modules/version directory is searched, as done by modprobe(8).

root@:~# modinfo -d ext3
Second Extended Filesystem with journaling extensions

To pass parameters to a module when it is loaded, add options entries to /etc/modprobe.conf on RHEL or /etc/modprobe.conf.local on SLES.

Retrieving Hardware Information

To retrieve information on the system's hardware (vendor, manufacturer, product, serial number, and so on), use the following command:

dmidecode

The dmidecode command reads this information from the system BIOS (the DMI/SMBIOS tables).

There are a few other commands you might want to check out which list installed hardware components:

dmesg
lsdev
lshal
lspci
lsusb
lsscsi
