Title: Linux Security: OS & Service Level Security in Linux Part-2

Samba Server:
About Samba Server:
Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients.
Service:  smb (smbd), nmb (nmbd)
Port: 137/udp and 138/udp (NetBIOS name and datagram services, nmbd); 139/tcp (NetBIOS session service) and 445/tcp (SMB directly over TCP), both served by smbd
Config File: /etc/samba/smb.conf
Built-in security controls in smb.conf
Global parameters (in the [global] section)
interfaces  = lo eth0 eth1 192.168.0.0/24 <—Samba serves these interfaces/networks only. This restricts the listening sockets only together with bind interfaces only = yes; without it smbd still listens on every address
hosts allow = 127.  192.168.0. <—only clients from these address ranges may connect (a trailing dot matches the whole network). Once hosts allow is set, a client matching none of its entries is refused
Share parameters (in each [share] section)
valid users = vikas prabhat   <—only these users may access the share (prefix a name with @ to admit a group)
veto files  = /*.exe/*.pdf/  <—files matching these patterns are neither visible nor accessible through the share, so .exe and .pdf files cannot be saved, opened or deleted
public = no   <—synonym for guest ok = no; every connection must authenticate
writable = yes
browseable = yes   <—the share is listed when clients browse the server
create mask = 0765   <—the permission bits a newly created file may receive (the DOS-derived mode is ANDed with this mask). 0765 still grants group write and world read/execute; a share for one group is usually better served by 0660
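The settings above can be checked mechanically. The following is an added example (not part of the original post) that parses an smb.conf with Python's configparser, which copes with its [section] / key = value layout, and reports the weak spots this section warns about: an interfaces list without bind interfaces only, a missing hosts allow, guest access, a writable share with no valid users, and a create mask that grants world write. The two configurations embedded in it are constructed for illustration; the user names come from the post, the share names and paths are made up.

```python
"""Audit an smb.conf for the hardening parameters discussed in the Samba section.

Added example, not code from the original post. Sample configurations below are
constructed; 'vikas' and 'prabhat' are the users named in the post, everything
else (share names, paths) is made up.
"""
import configparser
import io

# Constructed example: the hardened configuration the post builds up.
HARDENED = """\
[global]
workgroup = WORKGROUP
interfaces = lo eth0 192.168.0.0/24
bind interfaces only = yes
hosts allow = 127. 192.168.0.
hosts deny = ALL

[projects]
path = /srv/samba/projects
valid users = vikas prabhat
veto files = /*.exe/*.pdf/
public = no
writable = yes
browseable = yes
create mask = 0660
"""

# Constructed example: a typical permissive drop-box share.
WEAK = """\
[global]
workgroup = WORKGROUP
interfaces = lo eth0 192.168.0.0/24

[dropbox]
path = /srv/samba/dropbox
guest ok = yes
writable = yes
create mask = 0777
"""


def load(text):
    """smb.conf is INI-like (# and ; comments, case-insensitive keys), so configparser will do."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp


def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def is_writable(section):
    """'writable'/'writeable' take precedence; otherwise 'read only' (default yes) decides."""
    if "writable" in section or "writeable" in section:
        return is_yes(section.get("writable", section.get("writeable")))
    return not is_yes(section.get("read only", "yes"))


def audit(text):
    """Return one finding string per weak or missing setting; empty list means clean."""
    cp = load(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}

    # 'interfaces' only restricts where smbd listens if 'bind interfaces only' is set.
    if g.get("interfaces") and not is_yes(g.get("bind interfaces only", "no")):
        findings.append("global: 'interfaces' set but 'bind interfaces only' is not, "
                        "smbd still listens on all addresses")
    if not g.get("hosts allow"):
        findings.append("global: no 'hosts allow', every client that can reach the port may connect")

    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        # 'public' is a synonym of 'guest ok'; a share-level value overrides the global one.
        if is_yes(s.get("guest ok", s.get("public", g.get("guest ok", "no")))):
            findings.append(f"{name}: guest access enabled")
        if is_writable(s) and not s.get("valid users"):
            findings.append(f"{name}: writable share with no 'valid users' restriction")
        mask = int(s.get("create mask", "0744"), 8)   # Samba's documented default is 0744
        if mask & 0o002:
            findings.append(f"{name}: create mask {mask:04o} allows world-writable files")
    return findings


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Run it against a real file with `audit(open("/etc/samba/smb.conf").read())`; `testparm -s` remains the authority on how Samba itself interprets the file, including include directives this parser does not follow.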

DNS Server Security

About DNS Server:
Domain Name Servers (DNS) are the Internet's equivalent of a phone book: they maintain a directory of domain names and translate them to Internet Protocol (IP) addresses.
This is necessary because, although domain names are easy for people to remember, computers reach each other by IP address.
Service:  named
Port: 53 UDP and TCP (TCP carries zone transfers and any answer too large for a UDP datagram)
Config File:  /etc/named.conf
———————————————————————————–
Basic Configuration  /etc/named.conf
A minimal options block for a server that listens on the loopback address and one LAN address (192.168.1.254) but, like the stock default, answers queries only from localhost; the following sections widen allow-query and add the transfer and recursion controls. Each statement may appear only once inside options:
options {
      listen-on port 53 { 127.0.0.1; 192.168.1.254; };
      listen-on-v6 port 53 { ::1; };
      directory "/var/named";
      dump-file "/var/named/data/cache_dump.db";
      statistics-file "/var/named/data/named_stats.txt";
      memstatistics-file "/var/named/data/named_mem_stats.txt";
      allow-query { localhost; };
};
Restricting zone transfers
For your slave (secondary) servers to answer queries about your domain, they must be able to transfer the zone from your primary server. Very few others have any need to do so, so restrict transfers with the allow-transfer option. Assuming 192.168.1.4 is the IP address of ns.linuxgateway.fake, and adding localhost so you can still test with dig AXFR from the server itself:
zone "linuxgateway.fake" {
      allow-transfer { 192.168.1.4; localhost; };
};
(The zone's type and file statements are unchanged and omitted here.) Putting allow-transfer { none; }; in the options block as well gives every zone a safe default that individual zones then override. An address-based ACL trusts the source address; where the secondary supports it, additionally require a TSIG key for transfers.
By restricting zone transfers you ensure that the only information available to outsiders is what they ask for record by record; no one can simply pull the whole zone and learn the layout of your network.
——————————————————————–

Protecting against spoofing

First, refuse queries for domains you do not own, except from your internal/local machines. This stops outsiders from using your server as a general-purpose resolver and cuts unnecessary load.
Second, allow recursive queries only from internal/local sources. An open recursive resolver can be abused for reflection/amplification attacks, and every lookup it performs on a stranger's behalf is an opportunity to poison its cache with forged answers. Authoritative answers for your own zones can still be served to anyone:
options {
      allow-query { 192.168.1.0/24; localhost; };
      allow-recursion { 192.168.2.0/24; localhost; };
};
zone "linuxgateway.fake" {
      allow-query { any; };
};
zone "2.168.192.in-addr.arpa" {   // reverse zone for 192.168.2.0/24
      allow-query { any; };
};
named.conf accepts only one options statement, so allow-recursion goes into the same block as allow-query. A zone-level allow-query overrides the global one, which is what keeps the two authoritative zones public while recursion stays internal. Run named-checkconf before reloading.
—————————————————–
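Both the transfer restriction and the query/recursion restriction above come down to which ACL is actually in effect for each zone. As an added example (not part of the original post), the following Python script walks the top-level options and zone blocks of a named.conf, applies BIND's documented fallback chain for allow-recursion (allow-recursion, then allow-query-cache, then allow-query, then localnets; localhost) and flags an open resolver, an open allow-transfer, and zones that inherit an open transfer ACL. The two configurations are constructed for illustration using the addresses from this section; named-checkconf remains the authority on whether a file parses at all.

```python
"""Check the ACLs that a named.conf puts in effect for recursion and zone transfers.

Added example, not code from the original post or from BIND. The two configurations
below are constructed; the addresses and zone name are those used in the DNS section.
"""
import re

OPEN_RESOLVER = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };          // anyone may ask anything
    allow-transfer { any; };       // and pull every zone
};
zone "linuxgateway.fake" {
    type master;
    file "linuxgateway.fake.zone";
};
"""

HARDENED = """
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.168.1.254; };
    allow-query { 192.168.1.0/24; localhost; };
    allow-recursion { 192.168.1.0/24; localhost; };
    allow-transfer { none; };
};
zone "linuxgateway.fake" {
    type master;
    file "linuxgateway.fake.zone";
    allow-query { any; };
    allow-transfer { 192.168.1.4; localhost; };
};
"""

ACL_RE = re.compile(r"\b(allow-(?:query-cache|query|transfer|recursion))\s*\{([^}]*)\}")


def strip_comments(text):
    """named.conf allows /* */, // and # comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level 'header { body };' statement, tracking nested braces."""
    i, n = 0, len(text)
    while i < n:
        j = text.find("{", i)
        if j < 0:
            return
        header = text[i:j].strip().lstrip(";").strip()
        depth, k = 1, j + 1
        while k < n and depth:
            depth += text[k] == "{"
            depth -= text[k] == "}"
            k += 1
        yield header, text[j + 1:k - 1]
        i = k


def acls(body):
    """Map each allow-* statement in a block to its list of ACL elements."""
    return {m.group(1): [e.strip() for e in m.group(2).split(";") if e.strip()]
            for m in ACL_RE.finditer(body)}


def effective_recursion_acl(opts):
    """BIND's documented fallback chain when allow-recursion is not given explicitly."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]
    return ["localnets", "localhost"]


def audit(conf):
    """Return a list of findings; an empty list means the ACLs look as intended."""
    conf = strip_comments(conf)
    findings = []
    blocks = list(top_level_blocks(conf))
    opt_body = next((b for h, b in blocks if h == "options"), "")
    opts = acls(opt_body)

    recursion_on = not re.search(r"\brecursion\s+no\s*;", opt_body)   # default is yes
    if recursion_on and "any" in effective_recursion_acl(opts):
        findings.append("options: recursion is available to any client (open resolver)")

    if "allow-transfer" not in opts:
        findings.append("options: no global allow-transfer; set one (e.g. none) so zones "
                        "do not rely on BIND's permissive default")
    elif "any" in opts["allow-transfer"]:
        findings.append("options: allow-transfer { any; } lets anyone AXFR every zone")

    for header, body in blocks:
        m = re.match(r'zone\s+"([^"]+)"', header)
        if not m:
            continue
        # A zone without its own allow-transfer inherits the global one.
        transfer = acls(body).get("allow-transfer", opts.get("allow-transfer", ["any"]))
        if "any" in transfer:
            findings.append(f"zone {m.group(1)}: zone transfers allowed from any host")
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_RESOLVER), ("hardened", HARDENED)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

The parser understands only top-level options and zone statements, which is enough for the ACLs this section discusses; named ACLs (acl "lan" { ... };) referenced by name are reported verbatim rather than expanded.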
chroot jail
A "jail" is a software mechanism for limiting a process's ability to reach resources outside a small, well-defined area, and it exists for security. A nameserver talks to the outside world constantly, and time has shown that the public Internet is a hostile environment. A flaw in BIND can be exploited from anywhere on the planet; isolating the process in a jail limits the damage a compromised named can do to the rest of the system.
A jail is created with the chroot() system call (named for "change root"), which takes a directory name as its parameter. Once the call is made, the root of the directory tree for that process changes from / to the given directory, and ordinary path lookups cannot reach anything outside it. We typically use /chroot/named to jail our nameservers, but the "chroot" in the name is only a convention; /usr/local/named would make an equally good jail location. Two caveats apply. chroot() does not confine a process that keeps running as root, which can break out of the jail, so named must also drop to an unprivileged user. And the jail must contain everything named needs at run time (its configuration, zone files, a writable directory for the pid file and slave zones, and the /dev/null, /dev/random and /dev/zero device nodes) while the rest of the tree stays owned by root and read-only to the named user. BIND does both steps itself when started as named -u named -t /chroot/named: it chroots to the directory and then switches to the named user. Red Hat-family distributions package this layout as bind-chroot.
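The jail described above has to be populated and entered in the right order. The following Python is an added example (not part of the original post or of BIND): it lays out a minimal /chroot/named-style skeleton, audits a jail for missing pieces and for setuid or world-writable files that have no business inside it, and shows the privilege-drop sequence chroot, chdir to the new root, then setgid/setuid. The directory list is an assumption about what a BIND jail needs, the device numbers are the standard Linux ones, and named_command builds the start line the section describes.

```python
"""Build, audit and enter a BIND chroot jail.

Added example, not code from the original post or from BIND. DIRS is an assumption
about the minimal tree named needs; device numbers are Linux's standard ones.
"""
import os
import stat
import tempfile

# Character devices named opens inside the jail: (relative path, major, minor).
DEVICES = (("dev/null", 1, 3), ("dev/zero", 1, 5), ("dev/random", 1, 8))
DIRS = ("dev", "etc", "var/named", "var/named/data", "var/run", "var/log")
REQUIRED = ("etc/named.conf",) + tuple(rel for rel, _, _ in DEVICES) + DIRS


def make_skeleton(jail):
    """Create the directory tree and an empty named.conf. Device nodes need root (mknod)."""
    for d in DIRS:
        os.makedirs(os.path.join(jail, d), exist_ok=True)
    conf = os.path.join(jail, "etc", "named.conf")
    if not os.path.exists(conf):
        open(conf, "w").close()
    os.chmod(conf, 0o640)            # readable by named's group, never world-writable
    if os.geteuid() == 0:
        for rel, major, minor in DEVICES:
            path = os.path.join(jail, rel)
            if not os.path.exists(path):
                try:
                    os.mknod(path, 0o666 | stat.S_IFCHR, os.makedev(major, minor))
                except OSError:
                    pass                 # e.g. a container without CAP_MKNOD; audit_jail reports it


def audit_jail(jail):
    """Report what named will miss, and files that weaken the jail if it is ever breached."""
    findings = []
    for rel in REQUIRED:
        if not os.path.exists(os.path.join(jail, rel)):
            findings.append(f"missing {rel}")
    for root, _dirs, files in os.walk(jail):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, jail)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(f"setuid/setgid file inside jail: {rel}")
            if st.st_mode & stat.S_IWOTH:
                findings.append(f"world-writable file inside jail: {rel}")
    return findings


def enter_jail(jail, uid, gid):
    """The order matters: chroot, then chdir('/') so the cwd is inside the new root,
    then drop supplementary groups, gid and uid. A process that stays root after
    chroot() can still walk out of the jail. Requires root; not called by demo()."""
    os.chroot(jail)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if os.geteuid() == 0:
        raise RuntimeError("still root after privilege drop")


def named_command(jail="/chroot/named", user="named"):
    """The equivalent of enter_jail done by BIND itself; -c is relative to the new root."""
    return ["named", "-u", user, "-t", jail, "-c", "/etc/named.conf"]


def demo():
    """Audit an empty directory, build the skeleton, audit again; returns both finding lists."""
    jail = tempfile.mkdtemp(prefix="named-jail-")
    before = audit_jail(jail)
    make_skeleton(jail)
    return before, audit_jail(jail)


if __name__ == "__main__":
    before, after = demo()
    print("empty jail:", before)
    print("after skeleton:", after or "complete")
    print(" ".join(named_command()))
```

As a non-root user the second audit still reports the three device nodes, which is exactly the gap the bind-chroot package or a root-run setup step closes; anything else it reports (a setuid binary copied in, a world-writable zone file) is a hardening defect rather than a missing prerequisite.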
