.cache file for your DNS Server or pick one from your Red Hat Linux CD-ROM source distribution:

Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing
Server Software (BIND/DNS Network Services) 1
CHAPTER 4

To query a new db.cache file for your DNS Server, use the following command:

[root@deep /]# dig @a.root-servers.net . ns > db.cache

Don't forget to copy the db.cache file to the /var/named/ directory on the server where you're installing the DNS server after retrieving it over the Internet.

Secondary slave name server
The purpose of a slave name server is to share the load with the master server, or handle the entire load if the master server is down. A slave name server loads its data over the network from another name server (usually the master name server, but it can load from another slave name server too). This process is called a zone transfer.

Necessary files to set up a secondary slave name server are:
named.conf
db.127.0
db.cache
named script

Configuration of the /etc/named.conf file for a slave name server
Use this configuration for the server on your network that acts as a slave name server. You must modify the named.conf file on the slave name server host. Change every occurrence of primary to secondary except for 0.127.in-addr.arpa and add a masters line with the IP address of the master server as shown below.

Create the named.conf file (touch /etc/named.conf) and add:

options {
    directory "/var/named";
    fetch-glue no;
    recursion no;
    allow-query { 208.164.186/24; 127.0/8; };
    allow-transfer { 208.164.186.1; };
    transfer-format many-answers;
};

// These files are not specific to any zone
zone "." in {
    type hint;
    file "db.cache";
};

zone "0.127.in-addr.arpa" in {
    type master;
    file "db.127.0";
};

// These are our slave zone files
zone "openna.com" in {
    type slave;
    file "db.openna";
    masters { 208.164.186.1; };
};

zone "186.164.208.in-addr.arpa" in {
    type slave;
    file "db.208.164.186";
    masters { 208.164.186.1; };
};

This tells the name server that it is a slave for the zone openna.com and should track the version of this zone that is being kept on the host 208.164.186.1.

A slave name server doesn't need to retrieve all of its database (db) files over the network, because the db files db.127.0 and db.cache are the same as on a primary master, so you can keep a local copy of these files on the slave name server.

Copy the db.127.0 file from the master name server to the slave name server.
Copy the db.cache file from the master name server to the slave name server.

Configuration of the /etc/rc.d/init.d/named script file for all types of name server
Configure your /etc/rc.d/init.d/named script file to start and stop the BIND/DNS daemon on your server. This configuration script file can be used for all types of name server (caching, master or slave).

Create the named script file (touch /etc/rc.d/init.d/named) and add:

#!/bin/sh
#
# named         This shell script takes care of starting and stopping
#               named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting named: "
        daemon named
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
        echo
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        /usr/sbin/ndc status
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        /usr/sbin/ndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload|probe}"
        exit 1
esac

exit $RETVAL

Now, make this script executable and change its default permissions:

[root@deep]# chmod 700 /etc/rc.d/init.d/named

Create the symbolic rc.d links for BIND/DNS with the command:

[root@deep]# chkconfig --add named

The BIND/DNS script will not automatically start the named daemon when you reboot the server. You can change its default by executing the following command:

[root@deep]# chkconfig --level 345 named on

Start your DNS Server manually with the following command:

[root@deep]# /etc/rc.d/init.d/named start
Starting named: [ OK ]

Securing ISC BIND/DNS

Running ISC BIND/DNS in a chroot jail
This part focuses on preventing ISC BIND/DNS from being used as a point of break-in to the system hosting it. Since ISC BIND/DNS performs a relatively large and complex function, the potential for bugs that affect security is rather high with this software. In fact, there have been exploitable bugs in the past that allowed a remote attacker to obtain root access to hosts running ISC BIND/DNS.

To minimize this risk, ISC BIND/DNS can be run as a non-root user, which will limit any damage to what can be done as a normal user with a local shell. Of course, this is not enough for the security requirements of most DNS servers, so an additional step can be taken - that is, running ISC BIND in a chroot jail.

The main benefit of a chroot jail is that the jail will limit the portion of the file system the DNS daemon program can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the programs related to ISC BIND/DNS available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.

NOTE: The named binary program must be in a directory listed within your PATH environment variable for this to work. For the rest of the documentation, I'll assume the path of your original named program is /usr/sbin/named.

The following are the necessary steps to run ISC BIND/DNS software in a chroot jail:

Step 1
We must find the shared library dependencies of named (named is the DNS daemon). These will need to be copied into the chroot jail later
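Returning to the slave server's named.conf shown earlier in this section: the following script is an added example, not from the book, that parses such a file and flags the settings whose loss would weaken that configuration (recursion left on, allow-query or allow-transfer missing or opened to any, a slave zone with no masters). The tokenizer, parser and checks are my own; the embedded sample is the chapter's slave configuration.

```python
import re
# Constructed input: the slave-server named.conf from this chapter (comments omitted).
SLAVE_CONF = """options {
    directory "/var/named"; fetch-glue no; recursion no;
    allow-query { 208.164.186/24; 127.0/8; };
    allow-transfer { 208.164.186.1; }; transfer-format many-answers;
};
zone "." in { type hint; file "db.cache"; };
zone "0.127.in-addr.arpa" in { type master; file "db.127.0"; };
zone "openna.com" in { type slave; file "db.openna"; masters { 208.164.186.1; }; };
zone "186.164.208.in-addr.arpa" in { type slave; file "db.208.164.186"; masters { 208.164.186.1; }; };
"""
def tokenize(text):
    """Drop // comments, then split into quoted strings, braces, semicolons and words."""
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r"//.*", "", text))

def parse(tokens, i=0):
    """Recursive descent over BIND's brace syntax; returns (statements, next index).
    A statement is a list of words, with a nested statement list for each { } block."""
    stmts, cur = [], []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "{":
            body, i = parse(tokens, i)
            cur.append(body)
        elif tok == "}":
            break                       # end of this block; the caller continues after it
        elif tok == ";":
            if cur: stmts.append(cur)
            cur = []
        else:
            cur.append(tok.strip('"'))
    return stmts, i

def audit(text):
    """Return findings; an empty list means the config keeps the chapter's restrictions."""
    stmts, findings = parse(tokenize(text))[0], []
    options = {s[0]: s[1:] for s in next((s[1] for s in stmts if s[0] == "options"), [])}
    if options.get("recursion") != ["no"]:
        findings.append("options: recursion is not 'no' (an authoritative-only server should not resolve for clients)")
    for acl in ("allow-query", "allow-transfer"):
        nets = [n[0] for n in options.get(acl, [[]])[0]]   # each entry inside { } is a one-word statement
        if not nets or "any" in nets:
            findings.append(f"options: {acl} is missing or open to any")
    for s in stmts:
        if s[0] == "zone" and isinstance(s[-1], list):
            zone = {z[0]: z[1:] for z in s[-1]}
            if zone.get("type") == ["slave"] and not zone.get("masters", [[]])[0]:
                findings.append(f"zone {s[1]}: slave zone has no masters to transfer from")
    return findings
```

Run audit() on the text of a real named.conf; the chapter's configuration produces no findings, while widening allow-transfer to any or re-enabling recursion is reported.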