第 5 章 增强系统上运行服务的安全性

有两种方式来增强系统中运行的服务的安全性:

• 使其只能通过它们应当所在的访问点(接口)访问.

• 正确配置, 使其只能由合法的用户使用授权方式访问.

Restricting services so that they can only be accessed from a given place can be done by restricting access to them at the kernel (i.e. firewall) level, configure them to listen only on a given interface (some services might not provide this feature) or using some other methods, for example the Linux vserver patch (for 2.4.16) can be used to force processes to use only one interface.

Regarding the services running from inetd (telnet, ftp, finger, pop3…) it is worth noting that inetd can be configured so that services only listen on a given interface (using service@ip syntax) but that’s an undocumented feature. One of its substitutes, the xinetd meta-daemon includes a bind option just for this matter. See ixnetd.conf(5) manual page.

service nntp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = news
        group           = news
        server          = /usr/bin/env
        server_args     = POSTING_OK=1 PATH=/usr/sbin/:/usr/bin:/sbin/:/bin
+/usr/sbin/snntpd logger -p news.info
        bind            = 127.0.0.1
}

以下部分将详细介绍如何根据其用途正确的配置各项服务.