  • RH253 Study Notes (2) - Lab 2 System Resource Access Controls

    Lab 2 System Resource Access Controls

    Goal: To become familiar with system resource access controls.

    Sequence 1: Controlling access to certain hosts

    Scenario: For security reasons, you have chosen to restrict your system so that it allows interactive logins only from machines on your local subnet. Some of the systems are only configured with telnet clients, and the decision has been made that they will be allowed to use telnet for now. Access to certain xinetd-managed services must also have access controls configured.

    Deliverable: Use TCP wrappers and xinetd to control access to certain services.

    Instructions:

    1. Configure your system to fulfill the following criteria (you will need to work with a couple of other partners for testing). Note: you will need to install the telnet-server and openssh-server packages if you have not already done so, and start each of those services.

    a. localhost.localdomain (127.0.0.1) should be allowed access to all TCP-wrapped services.

    • Add the following line to /etc/hosts.allow:

    ALL: 127.0.0.1

    • Add the following line to /etc/hosts.deny:

    ALL: ALL

    b. ssh should be available to every host in the local subnet, but no other networks.

    • Add the following line to /etc/hosts.allow (it doesn't matter where):

    in.telnetd, sshd: 192.168.0.

    c. telnet should be available to exactly three of your neighbors, but no one else.

    • Install and enable the telnet server:

    # yum -y install telnet-server
    # chkconfig telnet on

    • Add the following line to /etc/xinetd.d/telnet. Use the station numbers of three of your classmates for A, B and C:

    only_from = 192.168.0.A 192.168.0.B 192.168.0.C

    d. No xinetd-managed services are accessible from the IP address range for the domain cracker.org. (How might you find the appropriate IP address range?)

    • Try doing a DNS lookup on a couple of cracker.org hostnames:

    # host server1.cracker.org
    server1.cracker.org has address 192.168.1.254
    # host station5.cracker.org
    station5.cracker.org has address 192.168.1.5

    It looks like cracker.org uses the 192.168.1.0/24 network. If you wanted to be even more sure, you could run host -l cracker.org to list every IP in the domain, but keep in mind that this will not work with most real-world domains: host -l requests a zone transfer, and most DNS servers will not allow it.

    • Add the following line to /etc/xinetd.conf:

    no_access = 192.168.1.0/24
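
The combined effect of the rules above, as an added example that is not part of the original lab notes: a simplified Python model of the hosts.allow/hosts.deny lookup order and of xinetd's only_from/no_access checks. Station numbers 2, 3 and 4 stand in for A, B and C, and only the pattern forms used in this lab are handled.

```python
import ipaddress

# Rules from the lab; station numbers 2, 3, 4 stand in for A, B, C (constructed).
HOSTS_ALLOW = ["ALL: 127.0.0.1", "in.telnetd, sshd: 192.168.0."]
HOSTS_DENY = ["ALL: ALL"]
XINETD_NO_ACCESS = ["192.168.1.0/24"]                            # /etc/xinetd.conf
TELNET_ONLY_FROM = ["192.168.0.2", "192.168.0.3", "192.168.0.4"]  # /etc/xinetd.d/telnet


def _client_matches(pattern, ip):
    """Match the client patterns this lab uses: ALL, exact IP, 'a.b.c.' prefix."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def _rule_matches(rule, daemon, ip):
    """True if a 'daemon_list: client_list' line applies to this daemon and client."""
    daemons, clients = (part.strip() for part in rule.split(":", 1))
    daemon_list = [d.strip() for d in daemons.split(",")]
    daemon_ok = "ALL" in daemon_list or daemon in daemon_list
    client_list = clients.replace(",", " ").split()
    return daemon_ok and any(_client_matches(c, ip) for c in client_list)


def tcp_wrappers_allows(daemon, ip):
    """hosts.allow is searched first, then hosts.deny; no match at all means allow."""
    if any(_rule_matches(r, daemon, ip) for r in HOSTS_ALLOW):
        return True
    if any(_rule_matches(r, daemon, ip) for r in HOSTS_DENY):
        return False
    return True


def xinetd_allows(ip, only_from=None):
    """Simplified: deny if in no_access, or if only_from is set and ip is outside it."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in XINETD_NO_ACCESS):
        return False
    if only_from is None:
        return True
    return any(addr in ipaddress.ip_network(n) for n in only_from)


def telnet_allowed(ip):
    """telnet runs under xinetd here, so both layers must permit the client."""
    return tcp_wrappers_allows("in.telnetd", ip) and xinetd_allows(ip, TELNET_ONLY_FROM)
```

A host such as 192.168.0.7 passes the hosts.allow line for in.telnetd but is still refused telnet, because it is not listed in only_from.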

  • Original article: https://www.cnblogs.com/thlzhf/p/3477234.html