How to protect one Yum repo’s packages from being replaced by packages from another source?
If we use two different repositories, each holding a different version of the same package, only the latest of the two will be installed if you use yum to update that package. This can lead to problems if the third party repository contains a newer version of a core system package than the Red Hat repository.
The yum-protectbase plugin will protect files of the base repository from being replaced by packages from a third party repository.
To install the plugin, use this command:
yum install yum-protectbase
This will install the plugin and its basic configuration file, /etc/yum/pluginconf.d/protectbase.conf
Setting are stored under /etc/yum/pluginconf.d/rhnplugin.conf with a section name matching the repo.id of the channel. You need to add :
To protect a different repository, go to its configuration file in /etc/yum.repos.d/repository.repo and add this line to its configuration
/etc/yum.repos.d/repository.repo
Add
[repository]
…
protect = 1
You will need to add this for each repository which needs to be protected.
Protect Server Files by Default
One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.
For instance, consider the following example:
1. # cd /; ln -s / public_html
2. Accessing http://localhost/~root/
This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server’s configuration:
Order Deny,Allow
Deny from all
Protect a server within a network by using a TCP Wrapper.
The Xinetd super server that comes with most Linux distributions includes a built-in TCP wrapper.
It can be used to explicitly define network services to accept incoming connections from specified servers and networks.
The TCP wrappers implements access control through the use of two files, /etc/hosts.allow and /etc/hosts.deny
A recommended security-strategy is to block all incoming requests by default, but allow specific hosts or networks to connect.
To deny everything by default, add the following line to /etc/hosts.deny:
To accept incoming SSH connections from e.g. nodes lab1, lab2 and lab3, add the following line to /etc/hosts.allow
To accept incoming SSH connections from all servers from a specific network, add the name of the subnet to /etc/hosts.allow.
For example:
sshd: lab1 lab2 lab3 .subnet.lab.com
To accept incoming ssh connections from IP address 192.168.0.1 and subnet 192.168.5, add the following line to /etc/hosts.allow:
sshd: 192.168.0.1 192.168.5.
You can even tell xinetd to limit the rate of incoming connections. The TCP wrapper is quite flexible. And xinetd provides its own set of host-based and time-based access control functions.
