Chapter 3. Network Access Control

One of your most vital security tasks is to maintain control over incoming network connections. As system administrator, you have many layers of control over these connections. At the lowest level—hardware—you can unplug network cables, but this is rarely necessary unless your computer has been badly cracked beyond all trust. More practically, you have the following levels of control in software, from general to service-specific:

Network interface

The interface can be brought entirely down and up.

Firewall

By setting firewall rules in the Linux kernel, you control the handling of incoming (and outgoing and forwarded) packets. This topic is covered in Chapter 2.

A superdaemon or Internet services daemon

A superdaemon controls the invocation (or not) of specific network services, based on various criteria. Suppose your system receives an incoming request for a Telnet connection. Your superdaemon could accept or reject it based on the source address, the time of day, the count of other Telnet connections open... or it could simply forbid all Telnet access. Superdaemons typically have a set of configuration files for controlling your many services conveniently in one place.

Individual network services

Any network service, such as sshd or ftpd, may have built-in access control facilities of its own. For example, sshd has its AllowUsers configuration keyword, ftpd has /etc/ftpaccess, and various services require user authentication.
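The superdaemon decision described above, as an added example that is not code from the book or from any real superdaemon: it models the criteria the text names (source address, time of day, count of open connections, or a blanket refusal) using the names of the corresponding xinetd attributes (only_from, access_times, instances, disable), with a constructed policy for ftp and telnet and constructed connection requests.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import time
from typing import List, Tuple


@dataclass
class ServicePolicy:
    """Per-service access rules, named after xinetd's attributes (model only)."""
    name: str
    disable: bool = False                              # refuse the service outright
    only_from: List[str] = field(default_factory=list) # CIDR strings; empty = any source
    access_times: Tuple[time, time] = (time(0, 0), time(23, 59))  # inclusive window
    instances: int = 10                                # max concurrent connections


def decide(policy: ServicePolicy, src: str, now: time, open_conns: int) -> Tuple[bool, str]:
    """Return (accept, reason). The first failing criterion rejects the request."""
    if policy.disable:
        return False, f"{policy.name}: service disabled"
    if policy.only_from:
        addr = ipaddress.ip_address(src)
        if not any(addr in ipaddress.ip_network(net) for net in policy.only_from):
            return False, f"{policy.name}: {src} not in only_from"
    start, end = policy.access_times
    if not start <= now <= end:
        return False, f"{policy.name}: outside access_times"
    if open_conns >= policy.instances:
        return False, f"{policy.name}: instances limit {policy.instances} reached"
    return True, f"{policy.name}: accepted"


# Constructed policies: telnet forbidden entirely; ftp only from 10.0.0.0/8,
# during working hours, with at most three simultaneous sessions.
TELNET = ServicePolicy("telnet", disable=True)
FTP = ServicePolicy("ftp", only_from=["10.0.0.0/8"],
                    access_times=(time(8, 0), time(18, 0)), instances=3)


def run_requests() -> List[str]:
    """Evaluate a constructed batch of requests and return one log line each."""
    requests = [
        (TELNET, "10.1.2.3", time(12, 0), 0),    # blanket telnet refusal
        (FTP, "10.1.2.3", time(12, 0), 0),       # allowed
        (FTP, "192.168.1.5", time(12, 0), 0),    # wrong source network
        (FTP, "10.1.2.3", time(22, 0), 0),       # outside the time window
        (FTP, "10.1.2.3", time(12, 0), 3),       # too many open ftp sessions
    ]
    return [f"{src} -> {reason}" for pol, src, now, n in requests
            for _, reason in [decide(pol, src, now, n)]]


if __name__ == "__main__":
    print("\n".join(run_requests()))
```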

These levels all play ...
