LibCat » Книги » Компьютеры и интернет » ОС и Сети » Andrew Hudson - Fedora™ Unleashed, 2008 edition

Andrew Hudson - Fedora™ Unleashed, 2008 edition

Здесь есть возможность читать онлайн «Andrew Hudson - Fedora™ Unleashed, 2008 edition» весь текст электронной книги совершенно бесплатно (целиком полную версию без сокращений). В некоторых случаях можно слушать аудио, скачать через торрент в формате fb2 и присутствует краткое содержание. Город: Indianapolis, Год выпуска: 2008, ISBN: 2008, Издательство: Sams Publishing, Жанр: ОС и Сети, на английском языке. Описание произведения, (предисловие) а так же отзывы посетителей доступны на портале библиотеки ЛибКат.

Читать книгу

Название:
Fedora™ Unleashed, 2008 edition
Автор:
Andrew Hudson
Издательство:
Sams Publishing
Жанр:
ОС и Сети / на английском языке
Год:
2008
Город:
Indianapolis
ISBN:
978-0-672-32977-7
Рейтинг книги:
5 / 5. Голосов: 1
Избранное:

Добавить в избранное
Отзывы:
Написать комментарий
Ваша оценка:
- 100
- 1
- 2
- 3
- 4
- 5

Fedora™ Unleashed, 2008 edition: краткое содержание, описание и аннотация

Предлагаем к чтению аннотацию, описание, краткое содержание или предисловие (зависит от того, что написал сам автор книги «Fedora™ Unleashed, 2008 edition»). Если вы не нашли необходимую информацию о книге — напишите в комментариях, мы постараемся отыскать её.

Quick Glance Guide
Finding information you need is not always easy. This short index provides a list of common tasks discussed inside this book. Browse the table of contents or index for detailed listings and consult the specified chapter for in-depth discussions about each subject.
left How Do I…?
See…
How Do I…?
See…
left Back up my system?
Chapter 13
Partition a hard drive?
Appendix B, Chapters 1, 35
left Build a new Linux kernel?
Chapter 36
Play MP3s and other music?
Chapter 7
left Burn a CD?
Chapter 7
Print a file?
Chapter 8
left Change a password?
Chapter 4
Read a text file?
Chapter 4
left Change the date and time?
Chapter 32
Read or send email?
Chapter 21
left Compress a file?
Chapter 13
Read or post to newsgroups?
Chapter 5
left Configure a modem?
Chapter 2
Reboot Fedora?
Chapter 1
left Configure a printer?
Chapter 8
Rescue my system?
Chapter 13
left Configure a scanner?
Chapter 7
Set up a DNS server?
Chapter 23
left Configure a sound card?
Chapter 7
Set up a firewall?
Chapter 14
left Configure my desktop settings?
Chapter 3
Set up a web server?
Chapter 15
left Connect to the Internet?
Chapter 5
Set up an FTP server?
Chapter 20
left Control a network interface?
Chapter 14
Set up Samba with SWAT?
Chapter 19
left Copy files or directories?
Chapters 13, 32
Set up wireless networking?
Chapter 14
left Create a boot disk to boot Fedora?
Chapter 1
Shut down Fedora?
Chapter 1
left Create a database?
Chapter 16
Use a spreadsheet?
Chapter 6
left Create a user?
Chapter 4
Use Instant Messaging?
Chapter 5
left Delete a file or directory?
Chapter 32
Watch television on my computer?
Chapter 7
left Get images from a digital camera?
Chapter 7
Edit a text file?
Chapter 4
left Install Fedora?
Chapter 1
Make Fedora more secure?
Chapter 14
left Log in to Fedora?
Chapter 1
Mount a CD-ROM or hard drive?
Chapter 35

Fedora™ Unleashed, 2008 edition — читать онлайн бесплатно полную книгу (весь текст) целиком

Ниже представлен текст книги, разбитый по страницам. Система сохранения места последней прочитанной страницы, позволяет с удобством читать онлайн бесплатно книгу «Fedora™ Unleashed, 2008 edition», без необходимости каждый раз заново искать на чём Вы остановились. Поставьте закладку, и сможете в любой момент перейти на страницу, на которой закончили чтение.

Тёмная тема

Шрифт:

↓

↑

Сбросить

Интервал:

↓

↑

Закладка:

Сделать

When your chrootenvironment is set up, you can start namedwith the -t /usr/local/ bindoption (combined with the -uand -goptions) to instruct it to chrootto the directory you have set up.

You might also want to check your logs and keep track of resource usage. namedmanages a cache of DNS data that can potentially grow very large; it happily hogs CPU and bandwidth also, making your server unusable. This is something that can be exploited by clever attackers, but you can configure BIND to set resource limits. Several such options in the named.conffile are available, including datasize, which limits the maximum size of the data segment and, therefore, the cache. One downside of this approach is that namedmight be killed by the kernel if it exceeds these limits, meaning that you have to run it in a loop that restarts it if it dies or run it from /etc/inittab.

DNS Security Considerations

Several configuration options exist for namedthat can make it more resistant to various potential attacks. The most common ones are briefly described next. For more detailed discussions of the syntax and use of these options, refer to the BIND 9 documentation.

TIP

The Security Level Configuration Tool ( system-config-securitylevel) has been updated to make implementation of the firewall simpler. The new on/off choice (rather than levels as used before) allows you to employ a firewall without requiring any special configuration for your DNS server.

Defining Access Control Lists

Specifying network and IP addresses multiple times in a configuration file is tedious and error prone. BIND allows you to define access control lists (ACLs) , which are named collections of network and IP addresses. You use these collections to ease the task of assigning permissions. Four predefined ACLs exist:

► any — Matches anything

► none — Matches nothing

► localhost — Matches all the network interfaces local to your nameserver

► localnets — Matches any network directly attached to a local interface

In addition, you can define your own lists in named.conf, containing as many network and IP addresses as you prefer, using the aclcommand as shown:

----------

acl trusted {

192.0.2.0/29; // Our own network is OK.

localhost; // And so is localhost.

!192.0.2.33/29; // But not this range.

};

----------

Here you see that you can use an exclamation point ( !) to negate members in an ACL. After they are defined, you can use these ACLs in allow-query, allow-transfer, allow-recursion, and similar options, as discussed next.

Controlling Queries

As mentioned before, most nameservers perform recursive resolution for any queries they receive unless specifically configured not to do so. (We suppressed this behavior by using dig +norec.) By repeatedly fetching data from a number of unknown and untrusted nameservers, recursion makes your installation vulnerable to DNS poisoning. (In other words, you get deliberately or inadvertently incorrect lists.) You can avoid this problem by explicitly denying recursion.

You can disable recursive queries by adding a recursion nostatement to the options section of named.conf. It might still be desirable to allow recursive queries from some trusted hosts, however, and this can be accomplished by the use of an allow-recursionstatement. This excerpt would configure namedto disallow recursion for all but the listed hosts:

----------

options {

...

recursion no;

allow-recursion {

192.0.2.0/29;

localnets; // Trust our local networks.

localhost; // And ourselves.

};

----------

You can choose to be still more restrictive and allow only selected hosts to query your nameserver by using the allow-query statement (with syntax similar to allow-recursion, as described previously). Of course, this solution does not work if your server is authoritative for a zone. In that case, you have to explicitly allow-query { all; }in the configuration section of each zone for which you want to serve authoritative data.

Controlling Zone Transfers

You also can use queries to enable only known slave servers to perform zone transfers from your server. Not only do zone transfers consume a lot of resources (they require a named-xferprocess to be forked each time) and provide an avenue for denial-of-service attacks, but also there have been remote exploits via buffer overflows in named-xferthat allow attackers to gain root privileges on the compromised system. To prevent this, add a section such as the following to all your zone definitions:

----------

zone "example.com" {

...

allow-transfer {

192.0.2.96; // Known slave.

localhost; // Often required for testing.

};

----------

Alert namedto Potential Problem Hosts

Despite all this, it might be necessary to single out a few troublesome hosts for special treatment. The serverand blackholestatements in named.confcan be used to tell namedabout known sources of poisoned information or attack attempts. For instance, if the host 203.122.154.1is repeatedly trying to attack the server, the following addition to the options section of named.confcauses the server to ignore traffic from that address. Of course, you can specify multiple addresses and networks in the black-hole list:

----------

options { ...

blackhole { 203.122.154.1; };};

----------

For a known source of bad data, you can do something such as the following to cause your nameserver to stop asking the listed server any questions. This is different from adding a host to the black-hole list. A server marked as bogus is never sent queries, but it can still ask questions. A black-holed host is simply ignored altogether:

----------

server bogus.info.example.com { bogus yes;};

----------

The AUS-CERT advisory AL-1999.004, which discusses denial-of-service attacks against DNS servers, also discusses various ways of restricting access to nameservers and is a highly recommended read. A copy is located at ftp://ftp.auscert.org.au/pub/auscert/_advisory/AL-1999.004.dns_dos. Among other things, it recommends the most restrictive configuration possible and the permanent black-holing of some addresses known to be popular sources of spoofed requests and answers. It is a good idea to add the following ACL to the black-hole list of all your servers:

----------

/* These are known fake source addresses. */

acl "bogon" {

0.0.0.0/8; # Null address

1.0.0.0/8; # IANA reserved, popular fakes

2.0.0.0/8; 192.0.2.0/24; # Test address