Wiley Publishing SUSE Linux 9 Bible, part 9 (ppt)


482 Part IV ✦ Implementing Network Services in SUSE Linux

The Linux firewalling, as we said, is packet filter–based. A packet filter will act upon a network packet, dealing with the parameters that can be queried in the TCP/IP headers. For example, you can produce a rule that takes into consideration the source of the packet (the source IP address), the destination (destination IP address), the protocol (for example, TCP), the port (SSH), and the TCP options (SYN).

Taking all of these into consideration, you can define a rule that describes a very specific scenario for a network connection. Putting numerous rules together, you can produce a very powerful firewall.

With the introduction of iptables, we were given the godsend that was stateful firewalls. iptables is something that most Linux administrators should know, especially when you need to secure your network or individual machines from a network attack. They are relatively simple to use and extremely powerful when done correctly. All kudos to Rusty Russell (the lead iptables developer) for implementing this feature as it allowed us to produce tight firewalls with fewer rules. We will talk about stateful firewalls and what they do in this chapter, as well as a few scenario-based iptables rules.

Why Use a Firewall?

A firewall, whether Linux-based or not, should always be used to protect machines connected to the Internet. A firewall, by its very nature, is designed to control what can be accomplished over the network, and it is very unlikely you want your 200 Windows machines to be connected to the Internet in full view of any malicious person that comes along (and bare Windows machines on the Internet are like drops of blood in a 10-mile radius of a pack of sharks!). Most people think that a firewall is there to stop crackers from the Internet, but the fact of the matter is that your users are untrusted, too. It is all well and good to trust your users when you have security checked them and have run psychoanalytical tests to see if they have a predisposition for breaking the rules you have imposed on them. However, internal situations aren’t always so simple. Take the following example.

We had a customer whose firewall was very tight at deterring Internet-based attacks and didn’t let in anything that did not need to be there. For their internal users, there were no restrictions on connections to the Internet. All users were trusted and all good guys. Their email and operating system on the other hand were not, and they started receiving emails with viruses that arbitrarily scanned thousands of hosts on the Internet to carry on propagating throughout the ether. The customer found this out only because their Internet service provider (ISP) called them to say their connection would be closed if the scanning did not stop.

This virus came through email to the user, and because Simple Mail Transport Protocol (SMTP) traffic was allowed through to the mail server, there was nothing to stop it. This is an important point. A packet filtering firewall does not stop viruses that are transported using HTTP, SMTP, and so on. It stops TCP/IP traffic only on certain ports.

We used the logging facilities of iptables to track the source of these problems, and we proceeded to remove the virus (the customer subsequently installed virus scanners on all machines).

To combat these internal problems in the future, we tightened the security of the organization from a network standpoint. We restricted what could be accessed on the Internet from the internal network apart from the essentials. This stopped port scans from exiting the network and stopped most incarnations of virus transmission over Internet protocols.


Chapter 23 ✦ Implementing Firewalls in SUSE Linux

Port scanning is when a machine automatically tries to connect to a range of TCP/IP ports on a machine to see if there are any services listening. It is used not only by crackers, but also by legitimate users who wish to see what services are available on a server. You should port scan only hosts that you have been allowed to interrogate. Port scanning a machine usually triggers alarms on a system, and you may get into trouble depending what the administrator is feeling like that day.

This example fully illustrates that network security must be considered as a whole, not just as a threat from the Internet.

Configuring a Firewall with iptables

To configure a firewall on Linux, you need to get used to the iptables command, which is used to manipulate the kernel packet filtering settings from user space. (Refer to Chapter 6 for more information on TCP/IP, because an understanding of TCP/IP is needed.)

The terms user space and kernel space are used a lot in the Unix community. When something runs in kernel space, it is under the control and the constraints of the kernel. Something running in kernel space could be a kernel module or the packet filtering code. When something is in user space, it uses the system libraries and is not under the strict control of the kernel. We use iptables (user space) to tell the kernel space filtering code (netfilter) what it needs to do with the TCP/IP packets it receives. When a TCP/IP packet is received by the kernel, it is passed and acted upon in kernel space by the netfilter code.

The kernel filtering code uses chains to signify where a packet is in the kernel. Figure 23-1 gives an overview of how the kernel sees a TCP/IP packet. This also helps us to see how iptables interacts with these packets later in the chapter.

Figure 23-1: Overview of the kernel chains (the Input, Forward, and Output chains around the kernel/processes; the figure itself is not reproduced here)


The filtering chains are extremely important to the operation of the filtering code because they determine whether or not a packet should be interpreted by the kernel.

The chains themselves represent the final destination of the packet:

✦ INPUT — The packet is destined for the firewall itself.

✦ OUTPUT — The packet originated from the firewall.

✦ FORWARD — The packet is passing through the firewall (neither originates from nor is destined for the firewall).

Consider these examples to show how the chains work in a normal firewall:

✦ My firewall at home is Linux based, and it does a few things that most small firewalls do: It provides my non-routable addresses with a public Internet address via Network Address Translation (NAT), and runs an SSH server for me to log in remotely to my network. When a TCP/IP packet leaves my laptop, it is sent to the default route, which is my iptables firewall on my router. When the firewall receives the packet, it analyzes it to find its destination. As it sees that the packet is not destined for the machine itself, it is sent to the FORWARD chain. When in the FORWARD chain, the packet will traverse all firewall rules until it is either dropped or is sent to the outbound network interface (my ADSL router) for further processing. The important part of the scenario is that any non-local packets (neither destined for nor originating from the machine) are passed to the forward chain (for forwarding!).

✦ When I SSH into my firewall from the Internet, a TCP/IP packet attempts to open an SSH connection for me. In the same way that the packet will reach the firewall as in the forwarding example, the kernel analyzes the packet to see where it is destined. As my machine is the final destination for the packet, it is inserted into the INPUT chain for further processing. If the packet is allowed through, it is passed over to the kernel to be handed over to user space (which is normal when no firewalling is used).

✦ The OUTPUT chain is slightly different because it does not deal with traffic from the network. An OUTPUT chain is triggered only when a packet originates from the machine itself. For example, if you are logged into the machine and initiate an FTP connection to the outside world, this is considered a packet that traverses the OUTPUT chain.

When setting up a firewall appliance, you need to enable IP forwarding. IP forwarding allows packets to be routed from one network interface to another in the Linux machine. This is integral to the whole process of routing packets and the Linux machine’s acting as a router. Most iptables firewalls that protect a network run on low-cost, low CPU–powered hardware.

Implementing an iptables firewall

As a general rule of thumb when talking about network security, you should deny all and allow some. This means that by default you should not allow any network traffic at all to a machine, and then enable only what is needed for the operation of your firewall/network/server.


In the rest of the examples in this chapter, you must be logged in as root because you are changing memory belonging to the kernel through the iptables command, and that requires a privileged user.

To make this easier, netfilter provides a default policy for each chain (INPUT, OUTPUT, FORWARD). You can set this policy to drop all packets that do not trigger a rule (that is, are not explicitly allowed).

The Linux filtering code is always running, but by default, the policy for the chains is ACCEPT (see Listing 23-1).

Listing 23-1: The Default Filtering Rules

    bible:~ # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

For each chain, the output of iptables -L (list rules) contains information on the target (ACCEPT, DROP, and REJECT are the most common targets), the TCP/IP protocol, and the packet source and destination.

iptables targets

When a TCP/IP packet is analyzed, a decision is made about what to do if that packet matches a rule. If the packet matches a rule, it is sent to a netfilter target, most likely ACCEPT, DROP, or REJECT.

We’ll use an incoming SSH connection to a firewall as an example. It will be a TCP connection on port 22 on the INPUT rule at a bare minimum. If you have a rule that describes this packet, you need to tell the netfilter system to ACCEPT this packet into the TCP/IP stack for further processing by the kernel.

However, you could tell netfilter to DROP or REJECT the packet:

✦ When a packet is sent to the DROP target, it simply disappears and the sending machine does not know this has happened until it times out.

✦ When a packet is subject to the REJECT target, the sending machine is notified via an Internet Control Message Protocol (ICMP) message that the port was not reachable (that is, it was stopped).

If you configure the default policy of all chains to DROP/REJECT all non-triggered packets, it is unlikely you need to use these as targets because any packets that have not been explicitly ACCEPTed will be subject to the DROP/REJECT target.


Stateful firewall

The netfilter firewalling code provides a stateful firewall, and this is a great new feature of the netfilter code. In the past, it was up to the administrator to track all connections through the firewall, which produced a lot of rules that were difficult to manage. With a stateful firewall, netfilter keeps a record of connection states. With this information, netfilter can track a connection initiation and match up related network traffic.

For example, previously, if you wanted to allow an incoming connection to SSH on the firewall, you had to first allow the incoming connection and also the return traffic from the SSH server to the client. With stateful firewalls, you can tell the firewall to manage the subsequent outgoing connection automatically because it is aware that an incoming connection to the machine will produce traffic in the opposite direction. It does this by storing the state of a connection and acting upon it with connection tracking.

To enable the stateful connection tracking, you need to enable states in the firewall. We discuss this in a small firewall script later in the chapter.

Setting your first rules

Before you touch upon setting more specific rules, you need to set the default policy for the firewall and enable some state rules (see Listing 23-2).

Listing 23-2: Setting Initial Firewall Rules

    bible:~ # iptables -P INPUT DROP
    bible:~ # iptables -P OUTPUT DROP
    bible:~ # iptables -P FORWARD DROP
    bible:~ # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    bible:~ # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    bible:~ # iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Here, you have set the default policy for all chains to DROP the packets. At this moment in time, all network connections, regardless of their originating address, will be dropped.

To set or change the policy of a chain, you need to specify that this is a policy edit (-P), the chain (INPUT, OUTPUT, or FORWARD), and also what to do with the packet.

It’s a secure feeling knowing that any connection from the Internet that you do not need is dropped and the sender has to wait for a timeout before being notified. Imagine someone running a port scan of all 64,000 available ports on a TCP/IP machine. If they have to wait for a timeout on each port, it will take them quite a few hours to complete the full scan. It provides a kind of tar pit for any malicious users.

This is also true for internal connections, too. If your users are interested in what they can and cannot connect to, without reading the network rules, then making them wait will, one hopes, deter them from pushing the network too hard.

You have also configured the stateful firewall with the -m state declaration. This tells the firewall that you will allow any established or related connections on the INPUT chain.

This may seem like quite a big security hole, but bear in mind that it will allow only a connection that has been established, not a new connection. For the stateful rules to kick in, you would have already had to allow a new connection through the chain.


Depending on how paranoid you are about security, you may not want to allow all new connections from the firewall itself. However, when you wish to use the firewall machine as a server, or want to be able to “bounce” from the machine to other hosts without the burden of setting up new rules for every protocol or TCP port you wish to connect to, it is quite useful.

At this point, your firewall is locked down with the exception of allowing outgoing connections.

The connection states that the -m state match recognizes are:

✦ NEW — This is a new connection; no other traffic is associated with this packet.

✦ ESTABLISHED — This packet is from a machine you already have a connection to (remember, you both send and receive data when a connection exists).

✦ RELATED — This packet is related to an existing connection. The FTP protocol, for example, makes a connection to the FTP server, and the FTP server actually makes a separate connection to the client. This separate connection from the server to the client is a RELATED connection.

Now, suppose you want to allow an incoming SSH connection to the firewall:

    iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT

In this example, you have told netfilter that you want to append (-A) a rule to the INPUT chain, specifying the TCP protocol (-p tcp), with a destination port (--dport) of ssh (port 22), incoming (-i) on the eth0 interface, and finally that you want to ACCEPT the packet (-j ACCEPT). The -j parameter means “jump to a target.” Remember that netfilter rules are in a chain, so you are saying, “Stop processing this chain because you have a match and jump to the target.” In this case, ACCEPT.

The --dport parameter can take either a numerical port number or a service name that is specified in /etc/services.

When setting up a rule for connections, you really need to know how the protocol works. In the case of SSH, it is well known that it is a TCP protocol, running on port 22. With this in mind, it is relatively easy to write a rule for it.

It is up to you as to how you want to write the rule regarding the state of the connection, but because the initial INPUT state rule has allowed all ESTABLISHED and RELATED connections, you do not need to explicitly set the state to NEW because you have effectively allowed all connection types for SSH by not explicitly setting them.

When you do not specify something explicitly with an iptables rule, it is assumed that you want the default setting. For example, if you did not set the interface for the incoming connection, netfilter would have allowed an SSH connection on all network interfaces. This is indeed the same for the protocol type and the destination port. Be very careful how you write your rules, and make sure you explicitly set everything you wish to control; otherwise you will probably let in more than you think.


For any incoming connections you wish to have on a firewall, you can append a rule in the same way you did with the SSH connection.

The order of rules

You must be very conscious of the order you set rules in a chain because netfilter passes the TCP/IP packet through the rules in the order they are inserted into the kernel. If you wish to insert a rule at the top of the list (that is, making it the first rule that is executed), you can use the -I (insert) parameter to iptables.

For example, if you are allowing SSH into your firewall from the Internet, but you know that you do not want a certain IP address to have access to SSH, you have to insert the REJECT/DROP rule before the general SSH rule:

    iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT
    iptables -I INPUT -p tcp --dport ssh -i eth0 -s 10.32.1.4 -j DROP

In this example, using the -s option to specify a source IP address, we have inserted the DROP rule before the general SSH acceptance rule.

When a TCP/IP packet has been inserted into a chain, it is checked in order with each rule. If one of the rules matches the TCP/IP packet, it is then sent to the target specified (ACCEPT, DROP, REJECT) immediately. In the case of our inserted SSH DROP rule, it fires off packets destined for the SSH port to the DROP target before it gets to the ACCEPT SSH rule.

In essence, all the TCP/IP packets sequentially go through every rule in the chain until they are directed to a target. If none of the rules fires off a packet to a target, that packet is dealt with by the default policy, which is to kill the packet in this case.

Network Address Translation

While one of the main uses of netfilter is its packet filtering functions, another very important aspect of netfilter is its NAT functions.

Network Address Translation (NAT) is the process whereby the source or destination IP address of a packet is seamlessly changed when it passes through the firewall.

Chapter 6 contains some more information about NAT.

Source NAT

Source NAT (SNAT) works on packets forwarded through the firewall before a packet leaves for the outbound network. For this to work, you must deal with the packets before any routing decisions have been made, and the POSTROUTING chain must be used to implement Source NAT.

The main purpose of SNAT is to hide private networks behind a firewall with a public IP address. This drastically reduces the cost of acquiring public IP addresses and allows you to use non-routable addresses in your internal network.

The POSTROUTING chain deals with any packets that are about to be sent out to the network card. This includes any packets that are routed onto other destinations. In the case of SNAT, this is the only chain that you want to use because, for example, it makes no sense to source NAT traffic coming into the firewall INPUT chain.


Figure 23-2 details a home network that uses netfilter to SNAT our internal network.

Figure 23-2: Network using a netfilter firewall

In this scenario, all of the machines are behind a netfilter firewall that not only protects the machines, but also provides SNAT for outgoing connections. For SNAT to work, IP forwarding must be enabled. To do this, enter a “1” into /proc/sys/net/ipv4/ip_forward:

    bible:~ # echo 1 > /proc/sys/net/ipv4/ip_forward

This will immediately enable IP forwarding on your Linux machine. This is a volatile operation, and once your machine has been rebooted, IP forwarding will be turned off by default.

To set IP forwarding on by default, edit the file /etc/sysconfig/sysctl and change IP_FORWARD from no to yes and re-run SuSEconfig. While editing the sysctl file, make sure that DISABLE_ECN is set to yes.

ECN is Enhanced Congestion Notification. This is a new feature of TCP/IP that allows machines to notify you that a network route is congested. It is a great feature, but unfortunately is not in widespread circulation and can stop your network traffic from traversing the Internet correctly if it goes through a router that does not support ECN. We have been on customer sites where their network just stopped working for certain sites for no reason. Turning off ECN fixed this.

When IP forwarding has been enabled, you can insert the SNAT rule into the POSTROUTING chain.

In the home network, you need to source NAT all the internal traffic (192.168.1.0/24) to the firewall public address of 217.41.132.74. To do this, you need to insert a SNAT rule into the NAT table.

[Figure 23-2 shows: the Internet reached through eth1 (217.41.132.74) on the Linux firewall; eth0 (192.168.1.1) on the internal 192.168.1.0/24 DHCP network, with a SUSE 9.1 machine at 192.168.1.3 and an OS X machine attached via AirPort.]


The NAT table is used specifically for address translation rules. This includes source and destination address translation.

    bible:~ # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to 217.41.132.74

Here, we have told iptables to edit the nat table (-t nat) by appending a rule to the POSTROUTING chain. We have stated that any traffic from the 192.168.1.0/24 network (-s) and destined to leave the firewall through eth1 (-o) should be source address NAT’d to 217.41.132.74.

In the example, note that we have tried to be as descriptive as possible concerning what traffic should be subject to the SNAT, detailing the source IP address (specifying the network address with netmask) and the network adaptor that the traffic will leave on.

You know that the traffic you need to be SNAT’d will leave the eth1 interface because you want to SNAT only traffic that is heading out to the Internet. This can be through the eth1 interface only.

Any traffic that is sent back to the machines behind the firewall (for example, during the three-way handshake) will be translated back by the firewall (it remembers connection states) and the destination address will automatically be set to the address of the machine on the private network that initiated the connection.

Allowing the packets to be forwarded

It is all well and good setting up SNAT, but the astute of you will probably realize that you have already told netfilter not to allow any forwarded traffic through the firewall (the default FORWARD policy is DROP). To correct this, you need to allow the firewall to forward these packets before they can be manipulated by the SNAT rule.

To do this, you need to enable forwarding for traffic from the private network to the Internet:

    bible:~ # iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT

Here, iptables is being used to append (-A) to the FORWARD chain (any traffic that enters and then leaves the firewall on separate interfaces). Any traffic from the 192.168.1.0/24 network entering the firewall on interface eth0 and leaving on interface eth1 will be allowed through.

So, in this example, we have told netfilter that any traffic from the 192.168.1.0/24 network coming in on eth0 and leaving the firewall on eth1 should be allowed through. Again, we are relying on the fact that any traffic coming in on eth0 and leaving on eth1 that is from 192.168.1.0/24 will be traffic we want to be allowed out to the Internet.

In this example, we have been quite liberal in what we are allowing our users to access on the Internet. It is usually the policy of most companies that IM clients, P2P, and IRC should not be allowed from the corporate network. As it stands, users can access anything on the Internet as if they were directly connected. For the home network example, this is fine because the users are trusted. However, if you are implementing a corporate firewall, you will probably need to have quite a few DROP rules in the FORWARD chain, or do the right thing and deny everything and allow only essential traffic (maybe only HTTP).


Imagine in the example in Figure 23-2 that you had a mail server on your desktop machine. If you want to give access to that machine to Internet users, you can’t just tell the firewall that you want everyone to access the IP 192.168.1.3 over port 25; because this is a non-routable address, Internet users would never be able to reach it. To combat this, you can tell netfilter that any traffic destined for port 25 on the public firewall address should be redirected to the machine 192.168.1.3. Any return traffic to the initiating machine will have the source address of the firewall, making the connection routable. And as far as the initiating machine is concerned, it has no idea that the machine it is actually talking to is hidden behind a firewall and

In this case, all traffic for port 25 (SMTP) on the public network interface of the firewall will have its destination address changed to 192.168.1.3. The port destination of 25 will be untouched (we will come to this later).

When enabling DNAT, you have to insert the rules into the PREROUTING chain because a routing decision has to be made on the final destination of the packet. At this point in the netfilter processing in the PREROUTING chain, the final destination address has not been inserted into the packet, so the routing decision is still yet to be made after this for successful delivery.

In the same regard as SNAT, you still need to allow traffic destined on port 25 to 192.168.1.3 to be forwarded through the firewall:

    bible:~ # iptables -A FORWARD -p tcp --dport 25 -d 192.168.1.3 -i eth1 -o eth0 -j ACCEPT

Here, iptables will append to the FORWARD chain, allowing through any TCP traffic that is destined for the SMTP port on 192.168.1.3 entering the firewall on eth1 and leaving on eth0.

Once set, all traffic destined for port 25 on the firewall public interface is successfully forwarded to 192.168.1.3.

Redirecting Traffic

What if you want to redirect traffic to a different port on the firewall? This is very common when you are setting up a transparent HTTP proxy with something like Squid or another content proxy.


A redirection rule does not redirect to an IP, only a port. This makes it a local rule to the firewall only. With this in mind, any redirect rules must have a matching INPUT rule allowing the traffic to be accepted on the redirected port.

    bible:~ # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -s 192.168.1.0/24 -j REDIRECT --to-port=3128
    bible:~ # iptables -A INPUT -p tcp --dport 3128 -s 192.168.1.0/24 -j ACCEPT

In the first instance, we have told iptables to append to the PREROUTING chain in the NAT table. Any traffic that is TCP-based, destined for port 80 (HTTP), entering the firewall in eth0 from 192.168.1.0/24 should be redirected to port 3128 on the firewall itself.

In the second instance, we have appended to the INPUT chain (traffic destined for the firewall itself), allowing TCP traffic destined for port 3128 (the standard Squid proxy port number) from the 192.168.1.0/24 network.

So, any outbound traffic (to the Internet) that is for port 80 (HTTP) will be redirected to port 3128. Assuming that you have Squid running and properly configured as a transparent proxy, all of your web traffic will be automatically cached.

For more information on Squid, see Chapter 25.

Allowing ICMP Traffic

It is all well and good having a secure firewall, but you still need to be able to receive ICMP traffic so that your users, you, and other Internet users are aware if there is a problem. Internet Control Message Protocol (ICMP) is integral to the working of the Internet. ICMP is used to send status and error messages about the state of the network to interested parties. For example, when you ping a machine, the ping packet and its echo are sent over ICMP. If you cannot access a machine because its network connectivity is not working, you are told this over ICMP, which your application interprets and tells you “Destination Unreachable.” One traditional cracker attempt to subvert your network is by issuing an ICMP redirect message. This tells a server that a route is unavailable and traffic for that destination should be routed through another destination.

As a minimum, you should allow destination unreachable, source quench (when you need to send smaller packets), and Time to Live (TTL) errors, which is when the packet has traveled through too many routers without reaching its destination. It is up to you if you want to allow ping requests or not. Traditionally, you do not enable these as it gives malicious users another tool during initial investigation for an attack.

To allow these types of ICMP traffic, you need to allow inbound ICMP and some outbound ICMP packets:

    bible:~ # iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    bible:~ # iptables -I INPUT -p icmp --icmp-type source-quench -j ACCEPT
    bible:~ # iptables -I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

For each ICMP protocol type you have allowed, you are accepting incoming (that is, destined for the firewall) ICMP traffic that reports destination unreachable, source quench, and TTL exceeded.


    bible:~ # iptables -A INPUT -i lo -j ACCEPT
    bible:~ # iptables -A OUTPUT -o lo -j ACCEPT

In this example, by appending to the INPUT chain you accept any type of traffic that is destined for (-i) or sent out (-o) of the loopback (lo) device.

As the loopback device is not capable of forwarding packets, you do not need to enable traffic through the FORWARD chain.

Logging Dropped Packets

When your firewall has been configured to your liking, you will want to log any traffic that has not been explicitly sanctioned by you. To do this, you need a final rule before the packet hits the default policy for the chain that uses a target of LOG.

The LOG target interprets the TCP/IP packet and logs it via the syslog facility for you to monitor unauthorized traffic.

Just logging raw, unauthorized traffic is quite difficult to manage, and thankfully the LOG target allows you to specify a log prefix to distinguish the entry based on the chain it originated from:

    bible:~ # iptables -A INPUT -j LOG --log-prefix=INPUT:
    bible:~ # iptables -A OUTPUT -j LOG --log-prefix=OUTPUT:
    bible:~ # iptables -A FORWARD -j LOG --log-prefix=FORWARD:

In this example, for each chain that a packet traverses, you have appended a rule that will send all packets to the LOG target (-j LOG). The --log-prefix parameter will make sure each packet that is logged is prefixed by INPUT:, OUTPUT:, or FORWARD: (depending on the chain the rule has been appended to).

Any traffic that does not get triggered by a rule will be logged using the LOG target before hitting the default policy. For each chain, you are logging the packet details, with a prefix relating to the chain it originated from.
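To make sense of what these LOG rules write to syslog, here is an added shell example (ours, not the book's) that summarizes prefixed LOG entries by chain, source address and destination port over constructed sample lines in the kernel's LOG format; the sample addresses, the function names summarize_fw_log and noisy_sources, and the hit threshold are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the book): summarize netfilter LOG entries by chain
# prefix, source address and destination port so repeated probes stand out.
# The sample lines are constructed to look like the kernel's LOG output with
# the prefixes INPUT:, OUTPUT: and FORWARD:; addresses are documentation
# ranges, not real hosts.

# Constructed sample: three probes of port 23 from one host, one probe of
# port 445 and one ping from another, and one outbound IRC attempt from the
# internal network that the FORWARD chain did not accept.
SAMPLE_LOG='Mar  1 10:00:01 bible kernel: INPUT:IN=eth1 OUT= SRC=198.51.100.7 DST=217.41.132.74 PROTO=TCP SPT=40001 DPT=23 SYN
Mar  1 10:00:02 bible kernel: INPUT:IN=eth1 OUT= SRC=198.51.100.7 DST=217.41.132.74 PROTO=TCP SPT=40002 DPT=23 SYN
Mar  1 10:00:05 bible kernel: INPUT:IN=eth1 OUT= SRC=203.0.113.9 DST=217.41.132.74 PROTO=TCP SPT=51000 DPT=445 SYN
Mar  1 10:00:09 bible kernel: FORWARD:IN=eth0 OUT=eth1 SRC=192.168.1.3 DST=203.0.113.20 PROTO=TCP SPT=33000 DPT=6667 SYN
Mar  1 10:00:12 bible kernel: INPUT:IN=eth1 OUT= SRC=198.51.100.7 DST=217.41.132.74 PROTO=TCP SPT=40003 DPT=23 SYN
Mar  1 10:00:15 bible kernel: INPUT: IN=eth1 OUT= SRC=203.0.113.9 DST=217.41.132.74 PROTO=ICMP TYPE=8 CODE=0'

# summarize_fw_log reads log lines on stdin and prints "count chain src dpt",
# busiest first. With --log-prefix=INPUT: (no trailing space) the kernel
# glues the prefix to the IN= field, so the chain is taken from the start of
# that token; a prefix written with a trailing space is handled as well.
# Packets without a DPT= field (ICMP, for instance) are reported with "-".
summarize_fw_log() {
  awk '
    {
      chain = "?"; src = "?"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if (match($i, /^(INPUT|OUTPUT|FORWARD):/)) chain = substr($i, 1, RLENGTH - 1)
        else if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      count[chain " " src " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# noisy_sources prints, sorted, every source address with at least $1
# logged packets, whatever chain or port they hit.
noisy_sources() {
  awk -v min="$1" '
    { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++ }
    END { for (s in hits) if (hits[s] >= min) print s }
  ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 2
```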

The location of the LOG rules is of paramount importance If the LOG target were “inserted”

at the beginning of the chain, all traffic, whether it is allowed or not, would be logged Youwill find your logs filling up very quickly if you make this mistake
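As an added example (not code from the book), the following Python script parses the kernel's netfilter LOG lines that carry the INPUT:, OUTPUT:, and FORWARD: prefixes set above and tallies what reached the default policy; the syslog lines it runs over are constructed, and the regular expression and helper names are this example's own.

```python
"""Summarize packets written by the chain-specific LOG rules above.

Added example, not from the book: it parses the KEY=VALUE lines the LOG
target hands to syslog, keeps only those carrying the INPUT:, OUTPUT: or
FORWARD: prefix, and counts them by chain, protocol and destination port
(ICMP type for ICMP), which is the quickest way to see what is reaching
the default policy. SAMPLE_LOG is constructed to look like such a syslog.
"""
import re
from collections import Counter

# The prefix is glued to the first field because --log-prefix=INPUT: has no trailing space.
LOG_RE = re.compile(r"kernel: (?P<prefix>INPUT|OUTPUT|FORWARD):(?P<body>.*)$")

# Constructed sample /var/log/messages lines (addresses are documentation ranges).
SAMPLE_LOG = """\
Mar 10 10:01:02 bible kernel: INPUT:IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4471 DF PROTO=TCP SPT=45122 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 10:01:05 bible kernel: INPUT:IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4472 DF PROTO=TCP SPT=45123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 10:02:11 bible kernel: FORWARD:IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9001 DF PROTO=UDP SPT=1025 DPT=137 LEN=32
Mar 10 10:03:40 bible kernel: INPUT:IN=eth1 OUT= SRC=198.51.100.44 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar 10 10:04:00 bible kernel: OUTPUT:IN= OUT=eth1 SRC=192.0.2.10 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=33000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 10:04:01 bible sshd[1234]: Accepted publickey for root from 192.168.1.5 port 40122 ssh2
"""


def parse_log_line(line):
    """Return (chain, fields) for a netfilter LOG line, or None for any other line.

    fields maps KEY -> value; bare flags such as DF or SYN map to True.
    The first occurrence of a repeated key (the IP-header LEN/ID) is kept.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("body").split():
        key, sep, value = token.partition("=")
        fields.setdefault(key, value if sep else True)
    return m.group("prefix"), fields


def summarize(log_text):
    """Count logged packets per (chain, protocol, destination port or ICMP type)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        chain, f = parsed
        proto = f.get("PROTO", "?")
        target = "type " + f.get("TYPE", "?") if proto == "ICMP" else f.get("DPT", "?")
        counts[(chain, proto, target)] += 1
    return counts


def top_sources(log_text, chain):
    """Count source addresses that hit one chain's LOG rule."""
    sources = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed and parsed[0] == chain:
            sources[parsed[1].get("SRC", "?")] += 1
    return sources


if __name__ == "__main__":
    for (chain, proto, target), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{chain:8} {proto:5} {target:8} {n}")
    print("INPUT sources:", top_sources(SAMPLE_LOG, "INPUT").most_common(3))
```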

Using SuSEfirewall2

SUSE includes its own sysconfig-based firewall script called SuSEfirewall2. The SuSEfirewall script has come a long way since its conception many years ago and provides a robust feature set that can be configured through YaST.


For new users who need to set up a quick firewall, this is the perfect option. We would have suggested in years gone by that you should write your own firewall script, but if you do not feel the need to be able to control your rules explicitly, SuSEfirewall produces a robust, secure firewall for most environments.

To configure a small firewall for use at home using the YaST management system, follow these steps:

1. In YaST, select Users and Security ➪ Firewall (see Figure 23-3). When the module is loaded, you can continue with the firewall configuration.

Figure 23-3: Loading the Firewall YaST module


Chapter 23 ✦ Implementing Firewalls in SUSE Linux

2. You are asked to select the interfaces that you wish to protect. It is very important that you get this right; otherwise, your configuration will be the wrong way round and will not work as you expect. In the sample network configuration previously in the chapter, you had eth0 as the internal network interface and eth1 as the external public interface, so set that here as well (see Figure 23-4).

Figure 23-4: Selecting the protected interfaces


3. You need to select what services are allowed into the firewall (see Figure 23-5). This is the same as defining an INPUT chain rule. Be very careful what you want to allow into the firewall because if any of these services are compromised, a cracker will have access to your first line of defense.

Figure 23-5: Selecting available firewall services


4. You need to enable certain security features of the firewall itself (see Figure 23-6):

• Because this is going to be a NAT box for your internal network, you need to enable Forward Traffic and Do Masquerading.

• As you have explicitly stated that you want access to the SSH protocol, and nothing else, you want to protect all other running services, so you need to select Protect All Running Services.

• If you like to run traceroutes when you want to test network connectivity, turn on Allow Traceroute as well.

Figure 23-6: Enabling firewall features


5. It is always a good idea to log any malicious packets that hit the firewall, and you can choose how verbose you want to be. In Figure 23-7, you can see that we’ve chosen to see all traffic that we have not explicitly allowed onto our network.

Figure 23-7: Enabling logging

6. When you are happy with the configuration, click Next to save and continue to commit your firewall (see Figure 23-8).

Figure 23-8: Saving your configuration

Once saved, your firewall configuration will be implemented. If you notice any strange behavior on your network after this, check the logs on your firewall for dropped packets.


✦ The first and most important rule of firewall building is to design it first! Sit down with the relevant departments in your organization to see what is needed and then come up with a conceptual diagram that describes what you need to do before typing a single rule.

✦ And remember, deny all, and then enable specific services that are needed. Better that than leave a massive backdoor in your firewall.

iptables is a huge topic, and we’ve given you the best bits to help you move forward. However, the best way to learn is to set up a small network and test out some rules to see how it works. For more information, the iptables man page is excellently written, and the iptables team has some great documentation on the iptables web site at www.netfilter.org/


Working with LDAP in SUSE

Back in the day, the only way to centrally manage your users and services was to use NIS (Network Information System). NIS was an endeavor by Sun to help Unix administrators manage their users without having to locally create user accounts on all machines.

NIS is capable of maintaining user account information, user groups, services, hosts, and many more pieces of information that, historically, needed to be managed on a local level.

NIS was great for what it did at the time, but it had a few shortcomings; one problem, in particular, was that it wasn’t great at dealing with very large amounts of data. We don’t mean the physical size of the data, but the management of that data. NIS uses flat files as input to the NIS database, which does not bode well in large infrastructures. One other major drawback of NIS was that it could not store any other information apart from account and systems data.

One way around this management problem is to use a tree to organize data in a manageable fashion. This is where LDAP comes to the rescue.

Lightweight Directory Access Protocol (LDAP) organizes data in a hierarchical structure, allowing you to organize information based on departments, or any other distinguishing method.

When introducing people to LDAP, we have always found that it is not an easy concept to explain because it is not easily compared to any existing technology. In this chapter, we give you an overview of what LDAP is, its uses, how to populate an LDAP server with information, and also a scenario that is common to the use of LDAP, including configuration.

What Is LDAP?

LDAP is not a specific server. Much in the same way that Domain Name System (DNS) and Simple Mail Transport Protocol (SMTP) are conceptual protocols, LDAP describes organization of data, access to the data, and the protocol used to talk to an LDAP server.

The Linux LDAP implementation is the extremely popular OpenLDAP server. It has been around for a very long time and uses the LDAP specification as a base to implement new features.


LDAP is a part of many organizations although many people in those organizations aren’t even aware of its use. The Active Directory service from Microsoft is heavily based on the LDAP protocol, as is Novell’s eDirectory implementation.

The main distinguishing factor of LDAP is in the way it “stores” its information. All data in an LDAP database is stored in a tree. LDAP is an inverse tree in the same way that your filesystem is. At the top of the LDAP tree, you have the base object, usually the organization. Below this, you then have objects that are part of the LDAP tree, or you can also have a further split using subtrees.

Figure 24-1 puts this structure into a diagram.

Figure 24-1: Conceptual overview of LDAP

When thinking about LDAP, try to think not on a technology level, but on an organizational level. LDAP design should follow the organization of what you are storing data about. For our example, we will take the organization of a fictional company called Acme Technology. Acme, like many organizations, has departments that deal with certain parts of the business (Sales, Marketing, HR, IT, the Board, and so on), and we will model this in our LDAP server.

We have taken the IT department and expanded it slightly to include job title and also some people in the organization. You may be thinking that this looks a lot like a standard Org chart that you see when you start a company, and this is how you should view it.

All the people in the organization belong to a department, which belongs to the organization, and this methodology is how you should see LDAP. You can see that the tree structure lends itself very well to organizational data, whether it is just for an address book or user accounts.

LDAP objects

LDAP uses objects to store data. Take the user object as an example. You can store a lot of information about a user: first and last name, location, telephone, fax, pager, mobile, and maybe a picture of that person. LDAP uses classes to define what information can be stored about that object, commonly known as object attributes.

Objects can be a business, a car, a person, a stock item, or a desk. Any data about these objects can be defined and stored in an LDAP server.

[Figure 24-1 shows Acme Technology at the top of the tree, with Helpdesk, Architects, and Administrators beneath it, and the people Michael Armstrong, Aimee Davies, James Farnsworth, and Jane Dadswell beneath those.]


Chapter 24 ✦ Working with LDAP in SUSE

LDAP is very particular about what information you store in the LDAP server because it needs to maintain the integrity of all data. To do this, an object is specifically defined so that it must include certain data, may contain other data about an object, and will include nothing else. This may seem restrictive, but it stops any data that does not concern the object being stored.

For example, take the employee Jane Dadswell; the record must contain her first, middle, and last name; employee ID; Social Security number; telephone number; email address; date of birth; and her location (the list is not exhaustive, and we expect you can come up with more). On the other hand, her record may contain information about her car (if she has one), pager number (if she has one), picture, and home telephone number.

Any other data will not be allowed because the object is strictly defined to store only certain information. The object definitions are in the LDAP schema, which we talk about later in the chapter. At this stage, you just need to be aware that there are very tight restrictions on what data is associated with an object, and that many object definitions exist for many situations.

LDAP works the same way. If a person called John Doe joins Acme as an HR assistant and another John Doe (it is a popular name!) joins IT as an architect, their locations in the tree mean that their information is uniquely identified by the path to that data. See Figure 24-2 for another diagram of Acme with some LDAP thrown in to explain how LDAP uses the tree design.

Figure 24-2: Acme organization in LDAP

[Figure 24-2 shows the tree with o=Acme, c=UK at the root; ou=Sales, ou=Marketing, ou=IT, ou=HR, and ou=Services beneath it; ou=Helpdesk, ou=Architects, and ou=Administrators under ou=IT; and cn=Michael Armstrong, cn=Aimee Davies, cn=James Farnsworth, and cn=Jane Dadswell beneath those.]


We have replaced the Org chart with an LDAP structure. Reading back from Jane Dadswell, much like you read back from the finances_2004.xml file, you can uniquely identify this person in the organization. In the case of Jane Dadswell, her unique entry is cn="Jane Dadswell", ou=Helpdesk, ou=IT, o=Acme,c=UK.

Notice the quotes around Jane Dadswell in the entry above. This is to make sure the space is included in the cn for Jane.

From this information, you see that Jane Dadswell is in the organization Acme (in the UK), the department of IT, and the subdepartment of Helpdesk.

The person Jane Dadswell is unique in the organization, working on the Helpdesk, and is unique in the LDAP directory. This unique identifier is called the Distinguished Name (dn), and we will refer to this throughout the rest of the chapter.

This is a quick introduction to how LDAP stores its data, and throughout the rest of the chapter, you will learn by example about using LDAP in the Acme organization, taking the Org chart as a basis for its design.

Designing an LDAP directory is something that has to be done correctly. If you have an up-to-date Org chart that effectively represents your organization, your life will be a lot easier.

Implementing the LDAP Server

When you have installed the OpenLDAP server using YaST, you need to do some initial configuration. The LDAP server is configured in the file /etc/openldap/slapd.conf and is heavily commented. The two very important parts you need to configure before even starting to populate the server are the basedn and the administrator account.

Configuring the administrator

The basedn is the very top of the LDAP tree. In the case of Acme, the basedn will be o=Acme,c=uk. The o component means Organization, whereas the c component refers to the country. As with everything in LDAP, there are strict rules on naming the basedn. The most common elements are the o= and c= definitions, but also the general domain component (dc) is used to refer to the fully qualified domain name (FQDN) of the organization. In the case of Acme, you could use a basedn of dc=Acme,dc=co,dc=uk. However, as we are designing the LDAP structure from an Org chart, we will use the organizational terms.

To edit the LDAP configuration files, you must be root. When you have set the username and password for the administrator, you can be any user as long as you can authenticate as the administrator when connecting to OpenLDAP.

1. In the slapd.conf file, find the entry for the suffix and the rootdn (the administrator user) and change it to reflect your organization.

suffix "o=Acme,c=UK"
rootdn "cn=admin,o=Acme,c=UK"

The rootdn should reflect your basedn with a user component. In this case, we have used the cn definition for the user (Common Name).

2. When the suffix and the rootdn have been defined, you need to configure the administrator password. There are a few ways to do this — insecure and secure. Obviously, you want to securely set up the password.


The rootdn is not an entry in the LDAP directory but the account information for the LDAP administrator.

To produce an encrypted password, you need to use the slappasswd command:

bible:/etc/openldap # slappasswd
New password:
Re-enter new password:
{SSHA}F13k4cAbh0IAxbpKNhH7uVcTL4HGzsJ+
bible:/etc/openldap #

You can define the password using cleartext (the password is just entered into the slapd.conf) if you wish to do a quick and dirty implementation, but it is highly advisable to insert the encrypted form of the password.

3. After you enter the password you wish to use twice, the slappasswd command returns an encrypted password that can be used in slapd.conf.

4. When you have the encrypted password, you need to find the rootpw entry in slapd.conf and enter it there.

rootpw {SSHA}F13k4cAbh0IAxbpKNhH7uVcTL4HGzsJ+
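As an added example (not the book's or OpenLDAP's code), the following Python reproduces the {SSHA} scheme that slappasswd uses by default and verifies a candidate password against such a value using only the standard library; the helper names are this example's own, and the value it inspects is the hash shown above.

```python
"""Produce and verify OpenLDAP {SSHA} password hashes.

Added example, not from the book: it reproduces what slappasswd does by
default, so you can see what the rootpw line actually stores. An {SSHA}
value is the literal "{SSHA}" followed by the base64 encoding of
SHA-1(password + salt) with the 4-byte random salt appended. Only the
Python standard library is used; BOOK_ROOTPW is the hash shown above.
"""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
BOOK_ROOTPW = "{SSHA}F13k4cAbh0IAxbpKNhH7uVcTL4HGzsJ+"   # value from the slappasswd run above


def make_ssha(password, salt=None):
    """Return an {SSHA} hash; a fresh 4-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(value):
    """Split an {SSHA} value into (digest, salt); raise ValueError if malformed."""
    if not value.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)   # binascii.Error is a ValueError
    if len(raw) <= 20:                      # a SHA-1 digest is 20 bytes; the salt must follow it
        raise ValueError("too short to contain a digest and a salt")
    return raw[:20], raw[20:]


def verify_ssha(stored, candidate):
    """Check a candidate password against a stored {SSHA} value in constant time."""
    digest, salt = ssha_parts(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def rootpw_is_hashed(line):
    """True when a slapd.conf 'rootpw' line carries a well-formed {SSHA} hash, not cleartext."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "rootpw":
        return False
    try:
        ssha_parts(parts[1].strip())
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    h = make_ssha("example-password")
    print(h, verify_ssha(h, "example-password"), rootpw_is_hashed("rootpw " + h))
```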

Testing the LDAP server

When the initial slapd.conf configuration has taken place, you need to start the LDAP server with rcldap:

bible:/etc/openldap # rcldap start
Starting ldap-server                done

Once started, you can use the ldapsearch command to bind (connect to) the LDAP server with the administrator account (see Listing 24-1). Unlike an anonymous bind, we are authenticating to the LDAP server.

To automatically start OpenLDAP when the system boots, use chkconfig: chkconfig -a ldap

You can connect to the LDAP server with an anonymous bind, which means you have not presented authentication credentials to the LDAP server, and you are limited in what you can read and write to the server based on the default access control list (ACL) settings.

Listing 24-1: Authenticating to the LDAP Server

bible:/etc/openldap # ldapsearch -x -D "cn=admin,o=Acme,c=UK" -W
Enter LDAP Password:


# numResponses: 1

As you do not have anything in the LDAP server, you will not receive any responses back. The ldapsearch command is extremely powerful, not only for diagnostic purposes but also for viewing data in the LDAP server. In Listing 24-1, we used the -D option to specify the bindDN to connect to the LDAP server with, as well as the -W option to tell ldapsearch to ask us for the bind password.

We also used the -x option to tell ldapsearch to do a simple bind to the LDAP server. If you do not specify -x, you need to bind using a Simple Authentication and Security Layer (SASL) mechanism. We will not discuss SASL authentication in this chapter because this is just an introduction to LDAP. For more information on configuring OpenLDAP with SASL, refer to the OpenLDAP documentation in /usr/share/doc/packages/openldap2.

Adding information

When the LDAP server is up and running, you can populate the server with your information. Some tools available for LDAP help with the initial population of LDAP data, as well as migrating existing users on the system to the LDAP directory. Here, we will populate the server with information using an LDIF (LDAP Data Interchange Format) file.

PADL (the reverse of LDAP) provides some infrastructure tools that integrate into LDAP, providing a much easier environment for an administrator to work in. They have also designed the Pluggable Authentication Modules (PAM) LDAP and NSS (name switch service) LDAP modules that allow a Unix machine to query the LDAP server for user information. We discuss PAM/NSS LDAP integration later in the chapter. Download the PADL migration tools from www.padl.com/download/MigrationTools.tgz

LDIF

An LDIF file is a text file containing LDAP data in a protocol-defined fashion. You need to create an LDIF file that defines not only the data to be stored, but also the structure of the LDAP server. Use your favorite text editor to create the LDIF file. In Listing 24-2, we have created one you can work from that reflects the Acme organization.


Listing 24-2: LDIF File for Acme

dn: o=Acme,c=UK
o: Acme
objectClass: top
objectClass: organization

dn: ou=Sales,o=Acme,c=UK
ou: Sales
objectClass: top
objectClass: organizationalUnit

dn: ou=Marketing,o=Acme,c=UK
ou: Marketing
objectClass: top
objectClass: organizationalUnit

dn: ou=IT,o=Acme,c=UK
ou: IT
objectClass: top
objectClass: organizationalUnit

dn: ou=HR,o=Acme,c=UK
ou: HR
objectClass: top
objectClass: organizationalUnit

dn: ou=Services,o=Acme,c=UK
ou: Services
objectClass: top
objectClass: organizationalUnit

dn: ou=Helpdesk,ou=IT,o=Acme,c=UK
ou: Helpdesk
objectClass: top
objectClass: organizationalUnit

dn: ou=Architects,ou=IT,o=Acme,c=UK
ou: Architects
objectClass: top
objectClass: organizationalUnit

dn: ou=Administrators,ou=IT,o=Acme,c=UK
ou: Administrators
objectClass: top
objectClass: organizationalUnit


It is of paramount importance when constructing an LDIF file that there are no trailing spaces after any data in a record. It is a common mistake when people create an LDIF entry that there is a trailing space, and in the case of an LDIF entry, this will create havoc with data when it is inserted into the LDAP server. Data that looks correct in the LDIF file will not be the same once it is in the LDAP server. Also, the order of the LDIF entries is important.

Most of the entries are identical apart from the ou (Organizational Unit) they are defining. We will go through the file to help you understand what the entries mean.

Each entry has a specific DN that is unique across the tree. For example, the Architects’ ou tells us that the Architects are in the ou of IT, in the Acme organization. Referring back to the Org chart of Acme, we can see this is reflected correctly. (We hope you see how easy it is to compile the initial population of the LDAP server when you have access to the Org chart!) Each entry defines the structure of the LDAP server and does not actually enter information that you are interested in at this point. Apart from the first entry, you are creating an ou that will hold data about people in that department.
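As an added example (not from the book), here is a Python checker for the two LDIF pitfalls just described, whitespace trailing a value and an entry listed before its parent, run over a constructed LDIF fragment shaped like Listing 24-2; the function names, the sample data, and the parsing rules it applies (including the "attr:: value" base64 form) are this example's own.

```python
"""Check an LDIF file before feeding it to ldapadd.

Added example, not from the book: it parses LDIF as laid out in Listing
24-2 and reports the two mistakes the text warns about, whitespace
trailing a value and an entry listed before its parent, and confirms each
DN sits under the expected suffix. Base64 values ("attr:: value", the form
ldapsearch later shows for userPassword) are decoded as the format requires.
SAMPLE_LDIF is constructed here and deliberately contains both mistakes.
"""
import base64

SUFFIX = "o=Acme,c=UK"


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...] in file order.

    Entries are separated by blank lines, a line starting with a space
    continues the previous one, and "attr:: value" is base64. Trailing
    whitespace is kept so the checker can report it.
    """
    lines = []
    for raw in text.split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:             # the extra "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _sep, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith(" "):
            value = value[1:]
        current.append((attr, value))
    return [(next((v for a, v in e if a == "dn"), None), e) for e in entries]


def parent_dn(dn):
    """Drop the leftmost RDN: 'ou=IT,o=Acme,c=UK' -> 'o=Acme,c=UK'."""
    return dn.partition(",")[2]


def normalize(dn):
    """Canonical form for comparing DNs: no stray spaces, case-insensitive."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_ldif(text, suffix=SUFFIX):
    """Return a list of problems; an empty list means the file is safe to add in order."""
    problems, seen = [], set()
    for dn, attrs in parse_ldif(text):
        if dn is None:
            problems.append("entry without a dn")
            continue
        label = dn.strip()
        for attr, value in attrs:
            if value != value.rstrip():
                problems.append(f"{label}: trailing whitespace after '{attr}'")
        ndn = normalize(dn)
        if not ndn.endswith(normalize(suffix)):
            problems.append(f"{label}: not under suffix {suffix}")
        elif ndn != normalize(suffix) and normalize(parent_dn(dn)) not in seen:
            problems.append(f"{label}: parent {parent_dn(dn).strip()} not defined yet")
        seen.add(ndn)
    return problems


# Constructed sample: Helpdesk appears before its parent ou=IT, and the
# Sales dn carries a trailing space.
SAMPLE_LDIF = "\n".join([
    "dn: o=Acme,c=UK",
    "o: Acme",
    "objectClass: top",
    "objectClass: organization",
    "",
    "dn: ou=Helpdesk,ou=IT,o=Acme,c=UK",
    "ou: Helpdesk",
    "objectClass: top",
    "objectClass: organizationalUnit",
    "",
    "dn: ou=IT,o=Acme,c=UK",
    "ou: IT",
    "objectClass: top",
    "objectClass: organizationalUnit",
    "",
    "dn: ou=Sales,o=Acme,c=UK ",           # note the trailing space
    "ou: Sales",
    "description:: U2FsZXMgdGVhbQ==",      # base64 for "Sales team"
    "objectClass: top",
    "objectClass: organizationalUnit",
    "",
])

if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF):
        print(problem)
```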

Dissecting an object

An entry is composed of the DN, the object being created (in this case, the ou), and two object class definitions. We talked about objects and restrictions on what can be stored in each object, and the objectClass entry is what defines this.

The top objectClass is very special as it says that all objects should be defined by an objectClass. It may seem bizarre that there is an object class that defines that an object must have a class, but it means that the LDAP structure is totally modular and not hard-coded.

The organizationalUnit objectClass defines the object to be an Organizational Unit (an ou). There are many other objectClasses that define a massive set of objects that can be used to describe anything that would traditionally fit into an LDAP server. We will come across more throughout the chapter.

An object may be defined by multiple object classes to be able to provide a large breadth of information. We will see this in practice when dealing with people, but for now, understand that it is not just one object class, one object.

Inserting the LDIF file

When the LDIF file that contains an organizational structure has been created, you need to enter that information into the LDAP server. First, make sure your LDAP server is running:

bible:~ # rcldap status
Checking for service ldap: running

When the LDAP server is running, you need to add the entries (see Listing 24-3).


Listing 24-3: Inserting LDIF Entries into LDAP

bible:~ # ldapadd -D "cn=admin,o=Acme,c=UK" -x -W -f /tmp/top.ldif
Enter LDAP Password:
adding new entry "o=Acme,c=UK"
adding new entry "ou=Sales,o=Acme,c=UK"
adding new entry "ou=Marketing,o=Acme,c=UK"
adding new entry "ou=IT,o=Acme,c=UK"
adding new entry "ou=HR,o=Acme,c=UK"
adding new entry "ou=Services,o=Acme,c=UK"
adding new entry "ou=Helpdesk,ou=IT,o=Acme,c=UK"
adding new entry "ou=Architects,ou=IT,o=Acme,c=UK"
adding new entry "ou=Administrators,ou=IT,o=Acme,c=UK"

The ldapadd command is similar in use to the ldapsearch command. You need to bind (-D) as the administrator, with a simple bind (-x) and get ldapadd to ask you for the password (-W). The only difference is the -f parameter to specify the location of the LDIF file we have created. All being well, the entries defined in the LDIF file will be added to the LDAP server.

Now that you have the organizational structure in the LDAP server, you need to populate it with some objects.

Adding user data to the LDAP server

You need to define what information you will hold about users before you create the LDIF files. As you are going to use this information to hold user accounts as well as information about users, you will use the inetOrgPerson, person, posixAccount, shadowAccount, and organizationalPerson object classes.

You can find more information about the data you can use in an LDIF file and also in an LDAP server in the OpenLDAP schemas. These are located in /etc/openldap/schema.

Referring to the schema in /etc/openldap/schema, you can see that the person object class can contain the information shown in Table 24-1.


Table 24-1: person Object Class

Element            Description
userPassword       Password
telephoneNumber    Contact number
seeAlso            Freeform referral entry
description        Description of the user

*Must be in the object data

Each object class defines what each object can contain, and this information is defined in the LDAP schema files. For more information on what is included in an object class, view the schema files in /etc/openldap/schema.

You now need to construct an LDIF file for the users. In Listing 24-4, we detail one of the users so that you can see how her profile would look in this organization.

Listing 24-4: LDIF Listing for Aimee Davies

dn: uid=aimee,ou=Administrators,ou=IT,o=Acme,c=UK
uid: aimee
cn: Aimee Davies
givenName: Aimee
sn: Davies
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}ESLp8vFJWpVEE
shadowLastChange: 12572
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/aimee
telephoneNumber: 555-1027
o: Acme UK
gecos: Aimee Davies


We have constructed an LDIF file for the administrator Aimee Davies, including account information allowing her to use the LDAP data as a Unix authentication source.

To construct the initial LDIF file, we used the PADL migration tools to transfer a standard user account from /etc/passwd to an LDIF format file, editing this file to add the extra information about the organization and also her telephone number.

You can add each user in the organization to the specific ou that reflects the Org chart. Using the ldapsearch command, you can now view the data in the LDAP server (see Listing 24-5).

You use the -b option to tell ldapsearch that it should search from the o=Acme,c=UK base of the LDAP tree. This allows you to search a certain portion of the LDAP tree, not the whole tree.

Listing 24-5: Output of ldapsearch for the Entire LDAP Database

bible:/etc/openldap/schema # ldapsearch -x -b "o=Acme,c=UK"

objectClass: top
objectClass: organization

# Sales, Acme, UK
dn: ou=Sales,o=Acme,c=UK
ou: Sales
objectClass: top
objectClass: organizationalUnit

# Marketing, Acme, UK
dn: ou=Marketing,o=Acme,c=UK
ou: Marketing
objectClass: top
objectClass: organizationalUnit

# IT, Acme, UK
dn: ou=IT,o=Acme,c=UK
ou: IT
objectClass: top
objectClass: organizationalUnit

# HR, Acme, UK
dn: ou=HR,o=Acme,c=UK
ou: HR
objectClass: top
objectClass: organizationalUnit

# Services, Acme, UK
dn: ou=Services,o=Acme,c=UK
ou: Services
objectClass: top
objectClass: organizationalUnit

# Helpdesk, IT, Acme, UK
dn: ou=Helpdesk,ou=IT,o=Acme,c=UK
ou: Helpdesk
objectClass: top
objectClass: organizationalUnit

# Architects, IT, Acme, UK
dn: ou=Architects,ou=IT,o=Acme,c=UK
ou: Architects
objectClass: top
objectClass: organizationalUnit

# Administrators, IT, Acme, UK
dn: ou=Administrators,ou=IT,o=Acme,c=UK
ou: Administrators
objectClass: top
objectClass: organizationalUnit

# aimee, Administrators, IT, Acme, UK
dn: uid=aimee,ou=Administrators,ou=IT,o=Acme,c=UK
uid: aimee
cn: Aimee Davies
givenName: Aimee
sn: Davies
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fUVTTHA4dkZKV3BWRUU=
shadowLastChange: 12572
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/aimee
telephoneNumber: 555-1027
o: Acme UK
gecos: Aimee Davies

# search result
search: 2
result: 0 Success

Listing 24-6: Searching for a Specific User and Filtering

bible:/etc/openldap/schema # ldapsearch -x -b "o=Acme,c=UK" "uid=aimee"

# search result
search: 2
result: 0 Success


Pluggable Authentication Modules

Before Pluggable Authentication Modules (PAM) came along, any application that needed to authenticate a user had to read the /etc/passwd and /etc/shadow files directly. This restricted how data about users was stored because the data always had to be in a text file. PAM provides authentication modules that can obtain user accounts from numerous sources, an LDAP server, an SQL database, or a Windows Active Directory, for example.

PAM works by having a configuration file for each service that needs to authenticate users. For example, the login process has a separate PAM configuration file, as does the imap service. These service configuration files are stored in /etc/pam.d and contain information about how the process gets information about the user, their account data, and passwords. Each file can contain four types of entries, discussed in Table 24-2.

Table 24-2: PAM Configuration Entries

Entry      Description
account    Used to check if the user is allowed to log in, what the account expiry is, and so on.
password   Used to change the user’s password.
auth       Used to check the user’s password.
session    Used to enable or disable features of the user’s session once he or she has authenticated. This can be used to mount the user’s home directory automatically.

PAM is not just used for usernames and passwords; it is a general authentication library and can be used to check a smart card owned by the user to authenticate or maybe in the future to read biometric data from the user, such as facial recognition.

For each entry type, you can specify a PAM module to handle the account, password, auth, orsession data related to a user account

For example, if you just want to allow the imap service to authenticate user data to the system /etc/passwd and /etc/shadow, you need at minimum an account and auth entry. This allows the user to log in if their account is active and to also check if the password provided by the user is correct.

auth required /lib/security/pam-unix.so nullok
account required /lib/security/pam-unix.so

This file has quite a bit of information in it, and you can see an entry for auth and account. The second, third, and fourth fields are also very important when configuring PAM for your service.

The second field determines how the data received back from the PAM module (specified in field three) is acted upon. When a PAM module is used, it returns either a success or a failure back to the process (in this case imap) that tried to authenticate the user. It is this failure that will stop you from logging in for one reason or another if there is a problem with your account (expiry, for example) or your authentication credentials (incorrect username or password).


The second field can be one of the following:

✦ required — If a failure is encountered by the module, it results in an overall failure of the PAM system for the service (imap). Even if the authentication fails, execution of the remaining definitions in the service configuration continues.

✦ requisite — If a failure occurs, PAM returns a failure immediately and stops executing the rest of the modules in the configuration file.

✦ sufficient — If this PAM module returns a success from the system, it returns an overall success even if a previous PAM module returned a failure (useful to use with the required action).

✦ optional — If authentication succeeds or fails, it is enforced only if this is the only entry for this type of service (account, password, auth, or session).

The third and fourth fields are the location of the PAM module on the filesystem and also any parameters you need to pass to the module. For example, if you want to authenticate users against a MySQL database (using pam_mysql), you need to pass the database name, table name, the user and password column, and also the username and password of the MySQL user that can connect to the database.

In the example we have for the imap service, we have said that for the auth and account authentication methods, the authentication must succeed in both entries (which makes sense because if the user and password are incorrect or the account has been disabled, we do not want the user to log in). Both of these entries use the pam-unix.so module, which queries the standard Unix authentication database (/etc/passwd and /etc/shadow). And finally for the auth entry, we have told the pam-unix module that it is okay if the user provides us with an empty password (if the user has a blank password for example — bad idea!)
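As an added example (not from the book), the following Python models how Linux-PAM walks a stack built from lines like the imap entries above; it applies Linux-PAM's actual rules, in which a successful sufficient module ends the stack with success only if no earlier required module has already failed, and a stack in which nothing succeeds is a failure. The configuration text, the module outcomes, and the function names are constructed for this example.

```python
"""Evaluate a PAM module stack the way Linux-PAM does.

Added example, not from the book: it parses /etc/pam.d-style lines like
the imap example above and walks each type's stack with Linux-PAM's
control-flag rules: a failed 'requisite' stops at once; a failed
'required' is remembered while the rest still run; a successful
'sufficient' ends the stack with success only if no earlier 'required'
has failed; 'optional' sets the result only when nothing else has.
The configuration text and module outcomes are constructed here.
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")


def parse_pam_config(text):
    """Group 'type control module [args...]' lines by type, in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] not in CONTROLS:
            raise ValueError(f"cannot parse PAM line: {raw!r}")
        mtype, control, module, args = parts[0], parts[1], parts[2], parts[3:]
        stacks.setdefault(mtype, []).append((control, module, args))
    return stacks


def evaluate_stack(stack, outcomes):
    """Run one type's stack (a list of (control, module, args)).

    outcomes maps a module path to True (success) or False (failure).
    Returns (overall_success, modules_consulted). An empty stack fails.
    """
    consulted = []
    impression = None          # None: undecided, True: passing, False: a required module failed
    for control, module, _args in stack:
        ok = outcomes[module]
        consulted.append(module)
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            elif control == "requisite":
                return False, consulted          # stop immediately
            else:
                impression = False               # remembered, but keep going
        elif control == "sufficient":
            if ok and impression is not False:
                return True, consulted           # short-circuit success
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return impression is True, consulted


def service_allows_login(config_text, outcomes):
    """Apply the auth and account stacks in turn, as a login path does."""
    stacks = parse_pam_config(config_text)
    for mtype in ("auth", "account"):
        ok, _ = evaluate_stack(stacks.get(mtype, []), outcomes)
        if not ok:
            return False
    return True


# Constructed: the book's imap service with an LDAP module placed before pam-unix.
IMAP_LDAP_CONFIG = """\
auth    sufficient /lib/security/pam_ldap.so
auth    required   /lib/security/pam-unix.so nullok
account required   /lib/security/pam-unix.so
"""

if __name__ == "__main__":
    stacks = parse_pam_config(IMAP_LDAP_CONFIG)
    local_user = {"/lib/security/pam_ldap.so": False, "/lib/security/pam-unix.so": True}
    ldap_user = {"/lib/security/pam_ldap.so": True, "/lib/security/pam-unix.so": False}
    print("local user auth:", evaluate_stack(stacks["auth"], local_user))
    print("ldap user login:", service_allows_login(IMAP_LDAP_CONFIG, ldap_user))
```

Note that the LDAP-only user is refused because the account stack consults only pam-unix, which is exactly the situation the pam_unix2.conf changes later in the chapter address.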

Integrating LDAP into Linux

When you have user accounts stored in LDAP, you can authenticate your users against them. Three things need to take place to make this happen:

1. When the system needs to find information about a user (UID, home directory, or so on), it queries the name switch service. The NSS is a core component that allows glibc to find information from the system. This includes user, group, and host data.

The NSS is controlled via the /etc/nsswitch.conf file, and you need to change its default lookup of files (explicitly checking /etc/passwd and so on) to query the LDAP server defined in /etc/ldap.conf.

passwd: files ldap
group: files ldap

Once set, restart the Name Service Cache Daemon (NSCD) with rcnscd restart.

NSCD is the bane of an LDAP user’s life. NSCD caches NSS lookups on the system so that subsequent lookups do not need to query the original NSS source. If bizarre things are happening when you use LDAP to authenticate users, try restarting the NSCD cache and see if that fixes the problem.

Tip

Trang 35

516 Part IV ✦ Implementing Network Services in SUSE Linux

2. Tell your system to use a specific LDAP server to source its data. To do this, you need to edit the file /etc/ldap.conf. This file defines certain LDAP client information, most importantly the LDAP server and the default search base (as we used previously with the -b command-line option). In this environment, the ldap.conf file contains a server specification of localhost because this is where the LDAP data is, and also a base of o=Acme,c=UK:

   host 127.0.0.1
   base o=Acme,c=UK

3. Configure PAM to use the LDAP server. This has been greatly simplified in recent times with the use of the /etc/security/pam_unix2.conf file. Edit the pam_unix2.conf file and edit the auth, password, and account entries:

   auth: use_ldap nullok
   account: use_ldap
   password: use_ldap nullok

   This instructs any PAM entries using pam_unix2 to try the LDAP server for information.

When PAM and NSS have been configured, run SuSEconfig to commit your configuration changes. You should now be able to log into the system as a user stored in LDAP. Because you have told NSS to use files and then LDAP for information, the root account that is stored in /etc/passwd is safe.

If you are having a problem authenticating as a normal user, check what /var/log/messages says about it. You will usually see a good description of the problem.
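The point of the "files ldap" ordering in step 1 and the use_ldap entries in step 3 is easy to get wrong by hand, so here is a small audit script that checks both. It is an added example, not code from the book or from SUSE: it parses nsswitch.conf-style and pam_unix2.conf-style text (the sample contents below are constructed) and reports any database where LDAP would be consulted before local files, which would let an LDAP entry shadow a local account such as root, and any PAM section missing use_ldap. The nullok check reflects the "bad idea!" caveat given earlier for empty passwords.

```python
"""Audit NSS and pam_unix2 settings for LDAP integration (added example)."""

# Constructed sample of /etc/nsswitch.conf after step 1 (files first, then LDAP).
NSSWITCH_OK = """\
# /etc/nsswitch.conf (constructed sample)
passwd: files ldap
group:  files ldap
hosts:  files dns
"""

# Constructed sample where LDAP is consulted before local files for passwd.
NSSWITCH_BAD = """\
passwd: ldap files
group:  files ldap
"""

# Constructed sample of /etc/security/pam_unix2.conf after step 3.
PAM_UNIX2 = """\
auth:     use_ldap nullok
account:  use_ldap
password: use_ldap nullok
"""


def parse_keyed(text):
    """Parse 'key: value value ...' lines into {key: [values]}, ignoring comments."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, rest = line.partition(":")
        result[key.strip()] = rest.split()
    return result


def check_nss_order(text, databases=("passwd", "group", "shadow")):
    """Return problems for databases where 'files' does not precede 'ldap'."""
    nss = parse_keyed(text)
    problems = []
    for db in databases:
        sources = nss.get(db)
        if sources is None or "ldap" not in sources:
            continue  # database not configured here, or LDAP not used for it
        if "files" not in sources or sources.index("ldap") < sources.index("files"):
            problems.append(
                f"{db}: LDAP is consulted before local files ({' '.join(sources)})"
            )
    return problems


def check_pam_unix2(text):
    """Return problems with pam_unix2.conf: missing use_ldap, or nullok on auth."""
    pam = parse_keyed(text)
    problems = []
    for section in ("auth", "account", "password"):
        opts = pam.get(section, [])
        if "use_ldap" not in opts:
            problems.append(f"{section}: use_ldap not set; LDAP users cannot authenticate")
        if section == "auth" and "nullok" in opts:
            problems.append("auth: nullok permits empty passwords")
    return problems


if __name__ == "__main__":
    for name, text in (("nsswitch OK", NSSWITCH_OK), ("nsswitch BAD", NSSWITCH_BAD)):
        print(name, check_nss_order(text) or "no problems")
    print("pam_unix2", check_pam_unix2(PAM_UNIX2) or "no problems")
```

On a real system you would feed the script the contents of /etc/nsswitch.conf and /etc/security/pam_unix2.conf; the shadow database is included in the default check because it is the one that decides where password hashes come from.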

Setting the ACL on the LDAP Server

You finally need to configure the access controls for the LDAP server so that users can change their password using the passwd command.

The default access control list (ACL) in SUSE 9.1 allows all people (authenticated and anonymous) to read all data in the LDAP server. When storing passwords, even encrypted ones, this is not a good security model. You need to tell OpenLDAP to allow only authenticated users to view their encrypted password (both read and write), as well as the administrator, but not any other user.

To do this, set a specific ACL on the userPassword entry in an object in the /etc/

As you are not using the default ACL (because you have defined your own), you also need to give users access to all other data in the LDAP server.


Chapter 24 ✦ Working with LDAP in SUSE

As with the design of the LDAP server, you should also take great care when designing your ACL scheme. We have only a small ACL scheme here to keep the amount of information you have to manage to a minimum, but on a corporate system, there is a lot of data that should not be viewable by all users. For example, you do not want your coworker to see what your salary is, do you?

When setting an ACL for all users to read the rest of the information in an object, it is customary to set the ACL for the administrator user to clarify the desired outcome of the ACL. By default, the administrator has full control over all data in the LDAP server.

access to *
        by dn="cn=admin,o=Acme,c=UK" write
        by * read
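Because slapd evaluates access directives in order and stops at the first one whose target matches, the userPassword rule must come before the "access to *" rule above, and it is worth being able to check what a given requester ends up with. The following evaluator is an added example, not code from the book or from OpenLDAP: it implements that first-match rule for the subset of ACL syntax used here (targets of * or attrs=..., and by clauses of self, anonymous, users, dn="..." and *). The userPassword directive in RESTRICTED_ACL is a constructed assumption consistent with the text above (self and the admin may write, everyone else may only use the attribute to authenticate); the book's own directive is not reproduced on this page.

```python
"""First-match evaluator for a subset of slapd.conf access directives (added example)."""
import re

# OpenLDAP access levels, least to most privileged.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ADMIN = 'cn=admin,o=Acme,c=UK'

# Constructed: the permissive default that lets anyone read every attribute.
DEFAULT_ACL = """\
access to *
        by * read
"""

# Constructed: userPassword restricted first, then the admin/read-all directive
# from the text. Order matters: the first matching 'access to' wins.
RESTRICTED_ACL = """\
access to attrs=userPassword
        by self write
        by dn="cn=admin,o=Acme,c=UK" write
        by * auth
access to *
        by dn="cn=admin,o=Acme,c=UK" write
        by * read
"""


def parse_acl(text):
    """Return a list of (target, [(who, level), ...]) directives."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            directives.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and directives:
            m = re.match(r'by\s+(\S+)\s+(\w+)$', line)
            if not m or m.group(2) not in LEVELS:
                raise ValueError(f"unsupported by clause: {line}")
            directives[-1][1].append((m.group(1), m.group(2)))
    return directives


def _target_matches(target, attr):
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr in target[len("attrs="):].split(",")
    return False


def _who_matches(who, requester, entry_dn):
    """requester is None for an anonymous bind, otherwise the bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == entry_dn
    if who.startswith('dn="') and who.endswith('"'):
        return requester == who[4:-1]
    return False


def access_level(acl_text, attr, requester, entry_dn):
    """Level the requester gets on attr of entry_dn: first directive whose target
    matches decides; within it the first matching 'by' wins; otherwise none."""
    for target, bys in parse_acl(acl_text):
        if not _target_matches(target, attr):
            continue
        for who, level in bys:
            if _who_matches(who, requester, entry_dn):
                return level
        return "none"  # implicit 'by * none' at the end of every directive
    return "none"      # no directive matched


def can_read(acl_text, attr, requester, entry_dn):
    return LEVELS.index(access_level(acl_text, attr, requester, entry_dn)) >= LEVELS.index("read")


if __name__ == "__main__":
    bob = "uid=bob,o=Acme,c=UK"
    for label, acl in (("default", DEFAULT_ACL), ("restricted", RESTRICTED_ACL)):
        print(label, "anonymous on userPassword:", access_level(acl, "userPassword", None, bob))
```

The "by * auth" clause is what keeps logins working after the restriction: a bind still needs to compare the supplied password against the stored hash, and auth grants exactly that without allowing the hash to be read or searched.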

How Can LDAP Help You?

In this chapter, we have just scratched the surface of what you can do with LDAP, but you can see it provides a good structure to mirror an organization. Let's face it — the better your systems mirror the organizational structure of the company, the better they will work with your workflow.

LDAP is extremely good at storing and retrieving data; it can search through extremely large data sets in a very short amount of time. LDAP should not be used as an online transaction processing (OLTP) database because it is not great at writing data to the directory. Given that 95 percent of transactions taking place on an LDAP server are retrievals of stored information (How often will your salary be updated? Likely not as often as you would like!), this is to be expected.

We are great fans of LDAP since working with it, and if designed correctly, it will save you a lot of time in the long run.
