Archive for the tag 'service'

Allowing connections to the SSH service from one IP using APF

You want to deny all IPs from connecting to the shell/SSH service on your server and allow only a select one or a few to connect, using the APF firewall.

The APF firewall can deny all SSH connections and allow only a single IP, or a select few, to connect to your server.

Login to your server as the root user.

cd /etc/apf
vi /etc/apf/allow_hosts.rules

Add the following in:

tcp:in:d=22:s=IP-ADDRESS
out:d=22:d=IP-ADDRESS

The d=22 part is the destination port, so you can repeat these lines with other port numbers to limit connections to other services as well.

Save the changes.

vi /etc/apf/deny_hosts.rules

Add the following:

tcp:in:d=22:s=0/0
out:d=22:d=0/0

Save the changes.

Restart APF firewall

apf -r
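The allow/deny pairs above follow a fixed pattern, so as an added example (not code from the original post or from the APF project) here is a small POSIX shell helper that generates them for any port and any list of trusted IPs, refuses an allow entry of 0/0 (which would reopen the port to everyone), and appends the result to allow_hosts.rules and deny_hosts.rules under a directory you choose. The directory argument is an assumption for previewing: pass a temporary directory to review the lines, and /etc/apf on the real host before running `apf -r`.

```shell
#!/bin/sh
# Added example, not part of the original post or of APF itself.
# Generates APF allow_hosts.rules / deny_hosts.rules entries for one port.

# apf_allow_rules PORT IP...  -> one allow pair (in + out) per trusted IP
apf_allow_rules() {
    port=$1; shift
    for ip in "$@"; do
        case $ip in
            ""|0/0)
                # an allow entry of 0/0 would cancel the deny rule below
                echo "refusing to allow '$ip' on port $port" >&2
                return 1 ;;
        esac
        printf 'tcp:in:d=%s:s=%s\n' "$port" "$ip"
        printf 'out:d=%s:d=%s\n' "$port" "$ip"
    done
}

# apf_deny_rules PORT -> the catch-all deny pair for the port
apf_deny_rules() {
    printf 'tcp:in:d=%s:s=0/0\n' "$1"
    printf 'out:d=%s:d=0/0\n' "$1"
}

# apf_write_rules DIR PORT IP... -> append the rules to DIR/allow_hosts.rules
# and DIR/deny_hosts.rules (DIR is /etc/apf on a real host; use mktemp -d
# to preview what would be written)
apf_write_rules() {
    dir=$1; port=$2; shift 2
    apf_allow_rules "$port" "$@" >> "$dir/allow_hosts.rules" || return 1
    apf_deny_rules "$port" >> "$dir/deny_hosts.rules"
}

# Preview for port 22 with two constructed (documentation-range) addresses:
#   d=$(mktemp -d); apf_write_rules "$d" 22 203.0.113.5 198.51.100.7; cat "$d"/*.rules
```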
SBDavid

Securing Network Information Service

An NIS server has several applications. They include the following:

/usr/sbin/rpc.yppasswdd
Also called the yppasswdd service, this daemon allows users to change their NIS passwords.

/usr/sbin/rpc.ypxfrd
Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.

/usr/sbin/yppush
This application propagates changed NIS databases to multiple NIS servers.

/usr/sbin/ypserv
This is the NIS server daemon.

To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as fdfdfdfdfdfg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.

NIS listens to all networks if the /var/yp/securenets file is blank or does not exist (as is the case after a default installation). One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the proper network.

Below is a sample entry from a /var/yp/securenets file:

255.255.255.0 192.168.0.0

This technique does not provide protection from an IP spoofing attack, but it does at least place limits on which networks the NIS server serves.
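To see what a securenets entry actually does, here is an added example (not from the original post or from ypserv) that evaluates a client address against a /var/yp/securenets file the way the netmask/network pairs are meant to be read: each line is a netmask followed by a network, and the client is accepted when client AND netmask equals network AND netmask. It also accepts the `host ADDRESS` form that the stock file uses for 127.0.0.1, and it mirrors the default-open failure mode described above: a file with no entries answers every client, so the helper reports that case on stderr instead of silently passing. The bitwise AND is written as a loop so the script runs under mawk and busybox awk as well as gawk; the file path and client address are the only inputs.

```shell
#!/bin/sh
# Added example, not part of the original post or of ypserv.
# securenets_allows FILE CLIENT_IP
#   exit 0 if a netmask/network pair in FILE covers CLIENT_IP, 1 otherwise,
#   2 if CLIENT_IP is not a valid dotted quad.
securenets_allows() {
    awk -v client="$2" '
        # dotted quad -> 32-bit integer, or -1 when malformed
        function to_int(ip,   o, n, i, v) {
            n = split(ip, o, ".")
            if (n != 4) return -1
            v = 0
            for (i = 1; i <= 4; i++) {
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) return -1
                v = v * 256 + o[i]
            }
            return v
        }
        # portable bitwise AND (gawk has and(), mawk does not)
        function band(a, b,   r, bit) {
            r = 0; bit = 1
            while (a > 0 && b > 0) {
                if (a % 2 == 1 && b % 2 == 1) r += bit
                a = int(a / 2); b = int(b / 2); bit *= 2
            }
            return r
        }
        BEGIN { c = to_int(client); hit = 0; entries = 0; if (c < 0) { bad = 1; exit } }
        /^[[:space:]]*(#|$)/ { next }           # comments and blank lines
        {
            if ($1 == "host") { mask = to_int("255.255.255.255"); net = to_int($2) }
            else              { mask = to_int($1);                net = to_int($2) }
            if (mask < 0 || net < 0) next         # skip malformed lines
            entries++
            if (band(c, mask) == band(net, mask)) hit = 1
        }
        END {
            if (bad) exit 2
            if (entries == 0) {
                # same behaviour as a blank or missing securenets: wide open
                print "warning: no securenets entries, ypserv would answer any network" > "/dev/stderr"
                exit 0
            }
            exit hit ? 0 : 1
        }
    ' "$1"
}

# Usage with a constructed sample file:
#   f=$(mktemp); printf "host 127.0.0.1\n255.255.255.0 192.168.0.0\n" > "$f"
#   securenets_allows "$f" 192.168.0.42 && echo allowed
#   securenets_allows "$f" 10.0.0.5 || echo denied
```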

SBDavid

Securing Portmap service

The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.

NFSv4 no longer requires it. If you plan to implement an NFSv2 or NFSv3 server, then portmap is required.

It is important to use TCP wrappers to limit which networks or hosts have access to the portmap service since it has no built-in form of authentication.

Further, use only IP addresses when limiting access to the service. Avoid using hostnames, as they can be forged via DNS poisoning and other methods.

Below are two example IPTables commands that allow TCP connections to the portmap service (listening on port 111) from the 192.168.0.0/24 network and from the localhost. All other packets are dropped.

iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP
iptables -A INPUT -p tcp -s

To similarly limit UDP traffic, use the following command.

iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP

Controlling Server Resources from denial of service using Xinetd

Another important feature of xinetd is its ability to control the amount of resources which services under its control can utilize.

It does this by way of the following directives:

cps = [number_of_connections] [wait_period] — Dictates the connections allowed to the service per second. This directive accepts only integer values.

instances = [number_of_connections] — Dictates the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED.

per_source = [number_of_connections] — Dictates the connections allowed to a service by each host. This directive accepts either an integer value or UNLIMITED.

rlimit_as = [number[K|M]] — Dictates the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.

rlimit_cpu = [number_of_seconds] — Dictates the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or UNLIMITED.

Using these directives can help prevent any one xinetd service from overwhelming the system and causing a denial of service.
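A quick way to find services that still have no such limits is to audit each file under /etc/xinetd.d for the five directives. The following is an added example, not code from the original post or from xinetd: it reports every directive that is either absent or explicitly set to UNLIMITED, and returns non-zero when anything is unbounded, so it can be dropped into a hardening check. The `write_sample_xinetd_conf` helper writes a constructed telnet stanza used only to exercise the audit.

```shell
#!/bin/sh
# Added example, not part of the original post or of xinetd.
# audit_xinetd_limits FILE -> one finding per line on stdout;
#   returns 0 only when every resource limit is present and bounded.

LIMIT_DIRECTIVES="cps instances per_source rlimit_as rlimit_cpu"

audit_xinetd_limits() {
    findings=0
    for directive in $LIMIT_DIRECTIVES; do
        # a directive line looks like "    cps = 25 30" inside service { ... }
        value=$(sed -n "s/^[[:space:]]*$directive[[:space:]]*=[[:space:]]*//p" "$1" \
                | head -n1 | sed 's/[[:space:]]*$//')
        if [ -z "$value" ]; then
            echo "$1: $directive not set (no limit)"
            findings=$((findings + 1))
        elif [ "$value" = "UNLIMITED" ]; then
            echo "$1: $directive = UNLIMITED (no limit)"
            findings=$((findings + 1))
        fi
    done
    if [ "$findings" -eq 0 ]; then return 0; else return 1; fi
}

# write_sample_xinetd_conf FILE -> constructed stanza: per_source and rlimit_as
# are missing and rlimit_cpu is UNLIMITED, so the audit should report three items
write_sample_xinetd_conf() {
    cat > "$1" <<'EOF'
service telnet
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    cps         = 25 30
    instances   = 50
    rlimit_cpu  = UNLIMITED
}
EOF
}

# Usage on a real host (loop over every service file):
#   for f in /etc/xinetd.d/*; do audit_xinetd_limits "$f"; done
```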

Enable service at boot time on debian server

To enable a service on a Debian server at boot time you can use the following command:

update-rc.d service_name start NN runlevel . stop NN runlevel .

where NN decides the order in which the scripts in the /etc/init.d folder are run.

Example

update-rc.d httpd start 20 2 3 4 5 . stop 20 0 1 6 .
update-rc.d httpd defaults

Both commands will start the httpd service in run-levels 2, 3, 4, and 5, and stop the service in run-levels 0, 1, and 6.

To stop a service from starting on bootup, execute the command:

update-rc.d -f service_name remove
Example: update-rc.d -f httpd remove

This command will stop the service httpd from starting when the server is booted.

To manually start or restart a service you can use either of these commands:

/etc/init.d/httpd restart
invoke-rc.d httpd restart
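What `update-rc.d` actually does with the `start NN levels . stop NN levels .` arguments is create S and K symlinks in the /etc/rcN.d directories, which is how the sequence number NN sets the run order. The helper below is an added example, not part of the original post or of Debian's sysv-rc: it parses the same argument list (and expands `defaults` to the start 20 / stop 20 values the post describes, an assumption that holds for classic sysv-rc but not for insserv- or systemd-managed systems) and prints the symlink paths that would be created, so you can review the boot order without touching the system.

```shell
#!/bin/sh
# Added example, not part of the original post or of sysv-rc.
# rc_symlinks SERVICE start NN LEVEL... . stop NN LEVEL... .
# rc_symlinks SERVICE defaults
#   -> prints /etc/rcLEVEL.d/SNNservice for start levels and
#      /etc/rcLEVEL.d/KNNservice for stop levels (one path per line)
rc_symlinks() {
    svc=$1; shift
    [ -n "$svc" ] || { echo "usage: rc_symlinks SERVICE args..." >&2; return 1; }
    # assumption: classic sysv-rc meaning of "defaults"
    if [ "$1" = "defaults" ]; then
        set -- start 20 2 3 4 5 . stop 20 0 1 6 .
    fi
    prefix=""; seq=""
    while [ $# -gt 0 ]; do
        case $1 in
            start) prefix=S; seq=$2; shift 2 ;;    # S links run the script with "start"
            stop)  prefix=K; seq=$2; shift 2 ;;    # K links run the script with "stop"
            .)     shift ;;                        # "." terminates a level list
            *)
                [ -n "$prefix" ] || { echo "run level '$1' before start/stop" >&2; return 1; }
                printf '/etc/rc%s.d/%s%s%s\n' "$1" "$prefix" "$seq" "$svc"
                shift ;;
        esac
    done
}

# Usage:
#   rc_symlinks httpd defaults
#   rc_symlinks httpd start 20 2 3 4 5 . stop 20 0 1 6 .
```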
