HP UX Internet Express Software manual Network Security Administration, TCP Wrapper Administration

Page 167

9 Network Security Administration

This chapter describes how to manage the following network security components:

TCP Wrapper (Section : TCP Wrapper Administration)

FireScreen Firewall (Section : FireScreen Administration)

Snort Intrusion Detection System (Section : Snort Intrusion Detection System )

FreeRADIUS Server Administration (Section : FreeRADIUS Server Administration)

TCP Wrapper Administration

TCP Wrapper lets you control access to network services. TCP Wrapper intercepts an incoming network connection, and verifies whether the connection is allowed before passing the connection to the actual network daemon. For example, you can restrict access to a network service, such as telnet, to exclude all hosts outside of a local domain. After you modify the access to a service, you can use the Administration utility to test the modification.

Network Services Wrapped by Internet Express

During installation, the TCP service entries in the /etc/inetd.conf file that match the service entries specified in the /usr/internet/security/config.tcp file are modified to include the TCP Wrapper (tcpd) daemon. The syntax of service entries in the /etc/inetd.conf file is:

ServiceName SocketType ProtocolName Wait/NoWait UserName ServerPath ServerArgs

On Tru64 UNIX Version 5.1 or later, the ProtocolName field for TCP services can be tcp or tcp6, depending on the type of socket that the network service is using (that is, AF_INET or AF_INET6). For example, the following entry appears in the /etc/inetd.conf file for the telnetd service after installation:

telnet stream tcp6

nowait root

/usr/bin/tcpd /usr/sbin/telnetd

Notice the placement of the TCP Wrapper daemon, /usr/bin/tcpd, in this entry. Also notice that the ProtocolName field is tcp6. Services that specify tcp6 respond to both IPv4-enabled and IPv6-enabled clients over either network protocol. For more information, see the inetd.conf(4) reference page.

Table 26 lists the network services that are wrapped by the Internet Express installation and the default access setting for each service. (Section explains how to modify access settings.)

To see a list of the services that are wrapped on your system, select Display/Update Configuration from the TCP Wrapper Administration menu. The service name and description on this form are retrieved from the /usr/internet/security/config.tcp file. Depending on which services were installed on your system, you might not see all the services listed in this table.

Table 26 Network Services Wrapped by Internet Express

Network Service

Default Access Setting

bootpd

Allows you to boot a remote system

cfgmgr

Works with the kernel load server, kloadsrv, to manage subsystems that are

 

dynamically configured or loaded

fingerd

Displays information about users on a remote system

ftpd

Transfers files to and from a remote system

imapd

Allows you to run the IMAP (Internet Message Access Protocol Version 4) e-mail

 

server

ntalkd

Notifies a user, or callee, on a remote system that a client, or caller, wants to

 

initiate a conversation with talk

TCP Wrapper Administration 167

Page 166 Page 168
Image 167
Page 166 Page 168
Contents Abstract Internet Express for Tru64 Unix VersionPage Contents User Authentication Mail Delivery Administration Mail Access Administration 132 Network Security Administration 167 Web Services Administration 155XML Component Administration 164 Ldap Directory Server Administration 195 Proxy Services Administration 190Samba File and Print Server Administration 216 OpenSLP Administration 207FTP Server Administration 213 Internet Relay Chat Administration 248 InterNetNews Server Administration 225Twiki 266 PostgreSQL Database and MySQL Administration 249Bind Domain Name Server Administration 260 Jabber 265Document Organization About This DocumentIntended Audience User input CommandTypographic Conventions Computer outputReading the Documentation Reading Documentation Using the Administration UtilityReading Documentation Using the Public Web Server Related InformationOn a PC Reading Documentation from the Internet Express CD-ROMReading Reference Pages for Internet Express Components On a Tru64 Unix SystemInternet electronic mail readerscomment@zk3.dec.com Readers CommentsReading the Open Source Software Component Documentation # man -M /usr/news/man active.5Readers Comments Using the Administration Utility Using the Administration UtilityAdministration Utility Menu Options and Tasks Using the Administration Utility Main MenuRegister Online Registering Your Internet Express InstallationNavigating the Administration Utility Using Administration Utility FormsSample Administration Utility Form 8081 Internet Express Accessing Administration ServersInternet Express Accounts and Ports Port Number DescriptionManaging Internet Express in a TruCluster Environment Accessing the Internet Express Login AccountAccessing and Managing the Internet Monitor TruCluster Impact on Internet Express Administration Installing and Removing ComponentsUsing Internet Express Services in a Cluster Port number from the current Web server Installing and Removing ComponentsKeywords for URL Line Hostname of the local hostPerforming Web-Based System Management Accessing Web-Based System Management ToolsAccessing Web-Based System Management Tools Tuning Kernel Attribute ValuesUsing the Administration Utility Open Source Software Web Sites Where to Find More InformationInternet Express and AlphaServer Products Web Sites GnuPG ExpectFirefox FreeRADIUSMajordomo Automated Internet Mailing Lists Manager IRC ServerJabber Lynx Web BrowserPerl MySQLOpenLDAP OpenSLPSamba File and Print Server PostgreSQL Relational Database Management SystemProcmail Mail Filtering Language Pure-FTP ServerSystem Security Web Sites Microsoft Other Useful Web SitesApplications InterNICEncompass Manage Users Menu User AdministrationOverview of User Accounts User AdministrationOverview of User Accounts Assigning Passwords to User AccountsPurging Obsolete Passwords Specifying User NamesSearching for User Accounts Searching for User AccountsSelecting User Accounts Assigning Users to GroupsShows the Create Named User Account form Creating Captive Accounts for Named UsersCreating a Named User Account Creating Captive Accounts for Generic UsersCreating Generic User Accounts Creating a Noncaptive Account for a Unix System UserCreating a Noncaptive Account for a Unix System User To create a group, see Section Creating GroupsCreating a System User Account Creating GroupsCreating Groups Displaying User Account InformationDisplaying User Account Information Deleting User AccountsChanging Groups for User Accounts Changing Groups for User AccountsUser Administration Changing the Password for an Account Changing the Password for an AccountChanging Mail Services for Users Changing Mail Services for Users Assigning Regular Delivery Mail ServiceAssigning POP with Password Mail Service Assigning Cyrus Imap with Password Mail Service Assigning the Cyrus Imap Mail ServiceManaging the .users.list File Assigning Apop with Password Mail ServiceManaging the iass Account Changing the iass Account Forwarding AddressRemoving the .users.list File Managing the User Self-Administration FeatureListing User Accounts and Passwords Purging Passwords for User AccountsManaging the User Self-Administration Feature Enabling and Disabling the User Self-Administration FeatureManage User Self-Administration Menu Configure Web Server for Self-Administration Form Modifying the Web Server ConfigurationModify Web Server Configuration Enabling and Disabling Login DelaysAdding Groups Managing User Self-Administration GroupsAdding Groups Deleting and Modifying GroupsEnabling and Disabling Groups Customizing the User Self-Administration FeatureUser Administration Managing the Ldap Module for System Authentication User AuthenticationManaging the Ldap Module for System Authentication User Authentication Example 1 Security Matrix Enabled for LdapLdap Caching Daemon Example 2 Ldap Caching Daemon Configuration File Value of searchbase Value of machinedn Value of machinepass Creating BranchesUserbranch ou=accounts,searchbase Extended Ldap Schema for Unix Account InformationIndexing Attributes for the Directory Servers Ldap Database Index Types Configuring the Ldap Module for System AuthenticationAdding Indices for OpenLDAP Defining Ldap System Parameters Modifying the Ldap Module ConfigurationConfiguring the Ldap Module for System Authentication Configuring Ldap Password Attributes Configuring Ldap Group Attributes Enabling and Disabling the Ldap Module Testing the Ldap Module ConfigurationImporting and Exporting Users from /etc/passwd Adding an Ldap User in a C2 Environment Importing Users into the Directory ServerImporting Users from NIS Exporting Users from the Directory ServerAccess Control Ldap Database Utilities Authentication mechanism Remove login names from specified groupRemove login names from all groups File in which to store search results the default isAdding a User Entry Checking the Ldap Server ConfigurationExtracting Users from the /etc/passwd File Retrieving a User Entry Deleting a User EntryLdapsyncuser -b branch filename Synchronizing with a Password FileAdding a Group Entry Deleting a Group Entry Maintaining Group MembershipLdapgetgroup -b branch -f input-file Setting a Users Password in the Ldap Directory ServerRetrieving a Group Entry Starting the ldapcd DaemonModifying Entries in an Ldap Database Maintaining the Ldap Directory Server Using Ldap CommandsStopping the ldapcd Daemon Adding Entries to an Ldap DatabaseActions Performed by the Ldap Client Authentication Actions PerformedFiles Modified by theLDAP Module for System Authentication Overview of the Ldap ClientEtc/ldapusers.allow Operation of login/suBehavior of the the ldapdc Daemon Debugging ldapdc# su user1 Bogofilter to filter spam Section Bogofilter Spam Filter Mail Delivery AdministrationSendmail Server Administration Mail Delivery AdministrationLdap see Section Configuring Ldap Configuring the System as a Standalone Mail SystemConfiguring the System as a Mail Client Configuring the System as a Mail ServerCreating and Deleting Host Aliases for a Mail Server Sendmail Server Administration Changing the Sendmail Server ConfigurationCreating and Deleting Pseudo Domain Aliases Configuring Mail ProtocolsPSInet see Section Configuring the X.25 Protocol Through Section Configuring the X.25 ProtocolConfiguring the DECnet Phase IV Protocol Configuring the MTS ProtocolConfiguring the DECnet/OSI Protocol Configuring the X.25 Protocol Configuring the Uucp ProtocolAccessing the Configure Masquerading Form Configuring MasqueradingRoot Postmaster News Uucp Mailer-daemon Rdist Nobody Daemon Pop Imap Configuring Your System for MasqueradingExample 4 Sample Virtual Domain Table Configuring Virtual Domains# makemap btree virtusertable virtusertable Enabling Anti-Virus Enabling Procmail as a Local MailerConfiguring Relaying Configuring Anti-SpamExample 5 Sample Access Database for the Sendmail Server Configuring the Access DatabaseConfiguring an Access Database Configuring Checking on Senders Information Configuring LdapShows the Configure Ldap form Configuring Mail Filters MilterSocket inet1066@myhost.com,T=C5mS10sR10sE5m Socket local/var/run/f1.sockSocket inet1099@remotehost.com Socket inet61066@myhost.comSample -p local/var/run/example1.sock Adding a Queue Configuring QueuesDeleting a Queue Group # sendmail -bt -q queue-nameModifying a Queue Group General Queue Properties Configuring Queue PerformanceQueue Timers Sendmail Tunable Parameters Configuring Trusted Layer SecuritySendmail Timers Certicate Authority Abbreviation Certificate Authority Certificate DefaultsCertificate Issuer One that issues certificates a CA TLS Certificate ValuesEnabling Support Using the Access Database Side VERIFYbits CIname Sendmail Server AdministrationMarked as permanent Failure marked as temporaryRelay or Subject Configuring Mailbox AccessControlling the Sendmail Server Creating a Majordomo Mailing List Majordomo Mailing List AdministrationMajordomo Mailing List Administration Viewing the Sendmail Server LogChanging List Owner or Charter Changing a Majordomo Mailing List ConfigurationChanging Subscription Parameters Changing Administration ParametersChanging Message Content Parameters Changing Digest Parameters Changing Command Access ParametersChanging List Restriction Parameters Changing Moderated List ParametersMailman MailmanDeleting a Majordomo List Changing Address Processing ParametersManaging Mailman Creating the Initial Mailman List Using a ScriptCreate a Mailing List Deleting a Mailing ListMailman Mailing List Administration Menu Training Bogofilter Bogofilter Spam FilterMailman Scripts Mailman Log FilesBogofilter/wordlist.db Using Bogofilter with procmailFiltering with Bogofilter Filter Integration with Other ToolsMail Transport Agent MTA Integration with Bogofilter Mutt Integration with BogofilterPine Integration with Bogofilter Bogofilter Spam Filter Controlling the POP2 Server Mail Access AdministrationPOP Mail Server Administration Controlling the POP3 ServerViewing the POP Mail Server Log Imap Mail Server AdministrationImap Mail Server Administration Converting Imap Mail Folders Setting Up a Unix User Account for UW ImapSetting Up a Unix User Account for Cyrus Imap Usr/dt/bin/mailcv -I -t -f ./bar duke Controlling the Cyrus Imap ServerControlling the UW Imap Server Usr/dt/bin/mailcv -evdt -I -f foldername directoryname userViewing the Imap Server Log Configuring SSL for UW-IMAPIMP Webmail Administration IMP Webmail AdministrationEnabling and Disabling IMP Webmail Accessing the IMP Webmail Administration MenuEnable/Disable IMP Webmail Managing Mail Server SettingsAdding a Mail Server IMP Mail Server SettingsModifying the Mail Server List IMP Mail Server List Settings Deleting a Mail Server Managing Mailbox SettingsModifying a Mail Server IMP Mailbox Settings Managing Compose SettingsPreference settings Managing Message SettingsIMP Compose Settings IMP Message Settings Managing Logging SettingsIMP Logging Settings Preference Driver Settings Managing Preference Driver SettingsSetting Description Allow usage of folders Managing Miscellaneous IMP SettingsManaging Horde Settings Miscellaneous IMP SettingsHorde Settings Managing Turba Settings Have access to their addressbook Using IMP Upgrade ToolsIMP Turba Settings Setting Description EnabledUpgrading IMP Databases Upgrading IMP ConfigurationsIMP Database Upgrade Settings New Preference Table Accessing IMP WebmailAdditional Webmail Documentation Secure Web Server Administration Web Services AdministrationSecure Web Server Administration Internet Express Ports and URLs Accessing the Secure Web ServersServer Changing Configuration ParametersConfiguration Files for Secure Web Servers Web Server ManagementHttpd.conf Srm.conf Access.conf Changing the Password for the Administration Web ServerCreating the Search Index Ht//Dig Search Tool AdministrationHt//Dig Search Tool Administration Ht//Dig Indexing and Search Administration Link to Ht//Dig Search Index Updated Ht//Dig Configuration File Message Http//hostname/htdig/search.html Searching the IndexDocumentation Directories and Subsets for XML Components XML Component AdministrationDirectories and Subsets for XML Components Managing the Apache Axis Server Apache Axis Server AdministrationApache Cocoon Servlet Administration Apache Axis Server AdministrationViewing the Cocoon Log Files Managing the Apache Cocoon ServletEnabling and Disabling the Cocoon Servlet Network Services Wrapped by Internet Express Network Security AdministrationTCP Wrapper Administration Network Services Wrapped by Internet ExpressModifying Access to a Wrapped Network Service Controlling Access to Other Network ServicesNetwork Service Access Options Testing TCP Security ModificationsFireScreen Administration Menu FireScreen AdministrationFireScreen Administration Installing FireScreenEtc/rc.config file Checking FireScreen Installation PrerequisitesFireScreen Administration Install FireScreen Page with Gateway Screening Enabled Configuring FireScreen Configure FireScreen Menu Setting Command-Line OptionsSet Options Confirmation Adding a Screening Rule Setting the Screening ModeAdd New Screening Rule Form Deleting a Screening Rule Checking Syntax of Screening RulesStarting FireScreen Starting and Stopping FireScreenStopping FireScreen Start/Stop FireScreen Form with Restart Option EnabledViewing the FireScreen Log Viewing FireScreen StatusViewing FireScreen Screening Rules Usr/internet/docs/snort Snort documentation Snort Intrusion Detection SystemViewing FireScreen Statistics Snort -vd -l ./log Configuring Snort DecoderConfiguring Snort Preprocessor Option Disable Decode AlertViewing Alert Messages FreeRADIUS Server AdministrationRunning Snort Users File Considerations While Installing FreeRADIUSUnderstanding FreeRADIUS Configuration Files Starting and Stopping the FreeRADIUS ServerRadiusd.conf file Configure --disable-shared make make installClients.conf file Viewing FreeRADIUS Log File Controlling the Dante Socks Server Proxy Services AdministrationDante Socks Server Administration Proxy Services AdministrationSquid Proxy/Caching Server Administration Squid Proxy/Caching Server AdministrationConfiguring the Dante Socks Server Accessing Dante Socks InformationManaging the Squid Proxy/Caching Server Configuring the Squid Proxy/Caching ServerReinitializing the Disk Cache Rotating Log Files Displaying Access StatisticsControlling the Squid Proxy/Caching Server Understanding the Ldap Directory Schema Ldap Directory Server AdministrationUnderstanding the Ldap Directory Schema Example 6 Ldap Standard Object Class Definition for Person Using the Ldap BrowserLdap Directory Server Administration Creating or Editing Frequently Used Connections Installing and Running the Ldap BrowserConnecting to an Ldap Server Managing Frequently Used ConnectionsConnecting to an Ldap Server using SSL Reconnecting to an Ldap Server Using the Main Browsing WindowDisconnecting from an Ldap Server Viewing a Directory Entry in a Separate Window Controlling Client-Side Schema CheckingOpening a New Main Window Closing a Main WindowCopying a Directory Entry Adding a New Directory EntryModifying a Directory Entry Deleting a Directory EntryModifying Attributes Renaming a Directory EntryMoving a Directory Entry Adding AttributesModifying Entry Templates Deleting AttributesManaging Directory Entry Templates Creating Entry TemplatesSearching the Directory Viewing the Object Class SchemaViewing the Attribute Schema Managing the OpenLDAP Directory Server Managing and Using the OpenLDAP Directory ServerUser Configuration File Configuring the OpenLDAP Directory ServerLdap Directory Server Administration OpenSLP Overview OpenSLP AdministrationConfiguration Files and Examples Configuring Optional Security Configuring OpenSLPUsing the OpenSLP Configuration and Registration Files Configuring OpenSLP Running the ServicesConsiderations for Using SLP APIs Running the Example ConfigurationDocumentation DocumentationOpenSLP Administration Creating or Modifying an Anonymous Pure-FTP User Account FTP Server AdministrationAdministering Pure-FTP Server Administering Pure-FTP ServerUpload /data/ftp /pub yes ftp daemon Enabling or Disabling Anonymous Pure-FTP AccessFTP Server Administration Enabling or Disabling chrootEnabling or Disabling Pure-FTP server Displaying Active Pure-FTP UsersSamba File and Print Server Administration Samba File and Print Server AdministrationOptions for Modifying the smb.conf Configuration File Understanding the smb.conf Configuration FileWorkgroup Understanding the smb.conf Configuration FileAdd the following value Administering the Samba Server Using the Swat Program Administering the Samba Server Using the Swat ProgramConfiguring the Samba Server Using the Swat Program Samba File and Print Server Administration Configure the Samba Server Menu Manage passwords see Section Administering Passwords Configuring Global VariablesConfiguring Share Parameters Viewing the Status of the Server Viewing the Current ConfigurationAdministering Passwords Controlling PrintersSamba File and Print Server Administration 225 InterNetNews Server AdministrationINN Daemons Specifying INN Configuration DataInterNetNews Server Administration Configuring an External Newsfeed Configuring an External NewsfeedDays 12 GB Displaying an External NewsfeedRecommended Spool Space for News Articles Article Retention PeriodAdding an External Newsfeed Typically, a newsfeed has the following flags set Removing an External Newsfeed Modifying Newsfeed DefaultsModifying an External Newsfeed Updating the Local Active File Managing Client AccessAccess Groups Form Fields Displaying Client Access GroupsAdding a Client Access Group Removing a Client Access Group Modifying an Existing Client Access GroupClient Authentication Groups Menu Fields Displaying Client Authentication GroupsManaging Client Authentication Groups Adding Client Authentication GroupsUsr/bin/news/auth/passwd Modifying Client Authentication GroupsConfiguring Storage Options Configuring Storage OptionsConfiguring Storage Method Entries Deleting Client Authentication GroupsModifying a Storage Method Class Options on the Configure Storage MenuAdding a New Storage Method Class Adding New Cnfs Entries Configuring the Cnfs Storage MethodDeleting a Storage Method Class Displaying Cnfs EntriesModifying Cnfs Entries Managing Article Expiration Managing Article ExpirationDisplaying Article Expiration Definitions Deleting Cnfs EntriesSpecific newsgroup for example, rec.photo Adding an Article Expiration DefinitionManaging Article Expiration Specifying an Article Expiration Definition Modifying an Article Expiration DefinitionManaging Local Newsgroups Managing Local NewsgroupsDeleting an Article Expiration Definition Modifying the Retention Period for Expired ArticlesDeleting Local Newsgroups Viewing INN Log FilesCreating Local Newsgroups Controlling the INN Server Controlling the INN ServerControlling the IRC Server Internet Relay Chat AdministrationConfiguring IRC Internet Relay Chat AdministrationStarting and Stopping PostgreSQL Server PostgreSQL Database and MySQL AdministrationInstalling PostgreSQL Installing PostgreSQLViewing the PostgreSQL Log File PostgreSQL Database and MySQL AdministrationImportant Files and Directories Administering PostgreSQL AccountsAdministering PostgreSQL Accounts PostgreSQL Files and Directories Setting up a Crontab Entry for Vacuuming DatabasesUsing Existing PostgreSQL Accounts Running the Postmaster Startup ScriptSetting up a Crontab Entry for Vacuuming Databases PostgreSQL Database and MySQL Administration Setup Vacuum Crontab Form #/sbin/init.d/postgres start Scaling PostgreSQL#/sbin/init.d/postgres stop Scaling PostgreSQL #/sbin/sysconfig -q ipc#ps -ef grep postmaster MySQL Directories Administering MySQLDirectories and Files Established by MySQL Installation Starting and Stopping MySQLMySQL Log Files Starting and Stopping the MySQL Server Using a Command LineMySQL Configuration Files Viewing the MySQL Error LogBind Files and Directories Bind Domain Name Server AdministrationBind Overview Important Bind Files and DirectoriesBind Binary File Directories Enabling Bind Running the Bind Startup Script Running the Bind Startup ScriptBind Documentation Enter /sbin/init.d/named start Enter /sbin/rcinet startHttp//ops.ietf.org/dns/dynupd/secure-ddns-howto.html Controlling the Jabber Server JabberControlling the Jabber Server Twiki TwikiStarting TWiki Stunnel Sample client server configurationSample client server configuration Sample mail filter Section Mail Filter Example Sendmail Supplemental InformationCreating a Certificate of Authority Background OpenSSL Certificate CreationMail Filter Example Mail Filter ExampleSendmail Supplemental Information Smfiversion Glossary Glossary273 FTPSee also Https 275 See TCP/IPIndex SymbolsIndex 277 Decus see Encompass deinstall.sh scriptWeb site, 30 external newsfeed adding Index 279 Ldap client, 87 Ldap commandsLog file FireScreen viewing, 183 login account Index 281 OpenLDAP Project Web sitePoppassd server controlling Screening mode, 178 screening rule FireScreen 283 TIN
Related manuals
Manual 34 pages 37.15 Kb
Top Page Image Contents