Archive for July, 2007

Chapter 6. Securing Linux 207

Sunday, July 22nd, 2007

... matches the address of nearly every host on the Eindhoven University of Technology network (131.155.x.x).

- A string that begins with an at sign (@) is treated as an NIS (formerly YP) netgroup name. A host name is matched if it is a host member of the specified netgroup. Netgroup matches are not supported for daemon process names or for client user names.

- An expression of the form n.n.n.n/m.m.m.m is interpreted as a net/mask pair. A host address is matched if net is equal to the bitwise AND of the address and the mask. For example, the net/mask pattern 131.155.72.0/255.255.254.0 matches every address in the range 131.155.72.0 through 131.155.73.255.

The example hosts.allow contains the first two types of client specification. The entry 199.170.177. will match any IP address that begins with that string, such as 199.170.177.25. The client entry .linuxtoys.net will match host names such as jukebox.linuxtoys.net or picframe.linuxtoys.net.

Take a look at what happens when a host named jukebox.linuxtoys.net (with IP address 199.170.179.18) connects to your Linux system using the Telnet protocol:

1. Xinetd receives the connection request.

2. Xinetd begins comparing the address and name of jukebox.linuxtoys.net to the rules listed in /etc/hosts.allow. It starts at the top of the file and works its way down until it finds a match. Both the daemon (the program handling the network service on your Linux box) and the connecting client's IP address or name must match the information in the hosts.allow file. In this case, the second rule that is encountered matches the request:

    in.telnetd: 199.170.177., .linuxtoys.net

3. The jukebox host is not in the 199.170.177 subnet, but it is in the linuxtoys.net domain. Xinetd stops searching the file as soon as it finds this match.

What if jukebox connects to your box using the IMAP protocol? Requests from jukebox for the IMAP service match none of the rules in hosts.allow; the only line that refers to the imapd daemon does not refer to the 199.170.179 subnet or to the linuxtoys.net domain. Xinetd continues on to the hosts.deny file. The entry ALL: ALL matches anything, so tcpd denies the connection.

The ALL wildcard was also used in the hosts.allow file, telling xinetd to permit absolutely any host to connect to the FTP service on the Linux box. This is appropriate for running an anonymous FTP server that anyone on the Internet can access. If you are not running an anonymous FTP site, you probably should not use the ALL flag. A good rule of thumb is to make your hosts.allow and hosts.deny files as restrictive as possible and to explicitly enable only those services that you really need. Also, grant access only to those systems that really need access.

Using the ALL flag

206 Part II. Running the Show

Saturday, July 21st, 2007

It is not necessary (or even possible) to list every single address that may connect to your computer. The hosts.allow and hosts.deny files enable you to specify entire subnets and groups of addresses. You can even use the keyword ALL to specify all possible addresses. You can also restrict specific entries in these files so they apply only to specific network services.

Take a look at an example of a typical pair of hosts.allow and hosts.deny files. Here's the /etc/hosts.allow file:

    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the /usr/sbin/tcpd server.
    #
    cups-lpd: 199.170.177.
    in.telnetd: 199.170.177., .linuxtoys.net
    vsftpd: ALL

Here's the /etc/hosts.deny file:

    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as
    #               decided by the /usr/sbin/tcpd server.
    #
    ALL: ALL

This example is a rather restrictive configuration. It allows connections to the cups-lpd and telnet services from certain hosts, but then denies all other connections. It also allows connections to the FTP service (vsftpd) from all hosts.

Let's examine the files in detail. As usual, lines beginning with a # character are comments and are ignored by xinetd when it parses the file. Each noncomment line consists of a comma-separated list of daemons followed by a colon (:) character and then a comma-separated list of client addresses to check (for example, tftpd,fingerd: .linuxtoys.net, .fedoratrouble.com). In this context, a client is any computer that attempts to access a network service on your system. A client entry can be a numeric IP address (such as 199.170.177.25) or a host name (such as jukebox.linuxtoys.net), but it is more often a wildcard variation that specifies an entire range of addresses.

A client entry can take four different forms. The online manual page for the hosts.allow file describes them as follows:

- A string that begins with a dot character (.). A host name is matched if the last components of its name match the specified pattern. For example, the pattern .tue.nl matches the host name wzv.win.tue.nl.

- A string that ends with a dot character (.). A host address is matched if its first numeric fields match the given string. For example, the pattern 131.155.

Chapter 6. Securing Linux 205

Saturday, July 21st, 2007

The rsync service is a nice one to turn on if your machine is an FTP server. It enables people to use an rsync client (which includes a checksum-search algorithm) to download files from your server. With that feature, users can restart a disrupted download without having to start from the beginning.

Because most services are disabled by default, your computer is only as insecure as you make it. You can double-check that insecure services, such as rlogin and rsh (which are included in the rsh-server package), are also disabled by making sure that disable = yes is set in the /etc/xinetd.d/rlogin and rsh files.

You can make the remote login service active but disable the use of the /etc/hosts.equiv and .rhosts files, requiring rlogin to always prompt for a password. Rather than disabling the service, locate the server line in the rsh file (server = /usr/sbin/in.rshd) and add a space followed by -L at the end.

You now need to send a signal to the xinetd process to tell it to reload its configuration file. The quickest way to do that is to restart the service. As the root user, type the following from a shell:

    # service xinetd restart
    Stopping xinetd:                                           [  OK  ]
    Starting xinetd:                                           [  OK  ]

That's it; you have enabled the ipop3 service. Provided that you have properly configured your mail server, clients should now be able to get their mail from your computer.

Using TCP Wrappers

Completely disabling an unused service is fine, but what about the services that you really need? How can you selectively grant and deny access to these services? With most current Linux distributions, TCP wrapper support has been integrated into the xinetd daemon. Xinetd will look at the /etc/hosts.allow and /etc/hosts.deny files to determine when a particular connection should be granted or refused for services such as rlogin, rsh, telnet, finger, and talk.

When a service that relies on TCP wrappers is requested, the hosts.allow and hosts.deny files are scanned and checked for an entry that matches the IP address of the connecting machine. The following checks are made when connection attempts occur:

- If the address is listed in the hosts.allow file, the connection is allowed, and hosts.deny is not checked.
- Otherwise, if the address is in hosts.deny, the connection is denied.
- Finally, if the address is in neither file, the connection is allowed.
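As an added example (Python written for this page, not code from the book), the access-control logic spread over pages 205 to 207 in one place: the client patterns from hosts_access(5), the top-down first-match scan of each file, and the allow, then deny, then default-allow decision. The two files are constructed copies of the hosts.allow and hosts.deny quoted above; netgroup (@) patterns are treated as no match because they need an NIS lookup, and the jukebox.linuxtoys.net calls reproduce the telnet and IMAP walkthrough.

```python
import ipaddress

# Constructed copies of the /etc/hosts.allow and /etc/hosts.deny files quoted in the text.
HOSTS_ALLOW = """\
# hosts.allow   hosts allowed to use the local INET services
cups-lpd: 199.170.177.
in.telnetd: 199.170.177., .linuxtoys.net
vsftpd: ALL
"""
HOSTS_DENY = """\
# hosts.deny    everything not matched in hosts.allow is refused
ALL: ALL
"""


def parse_access_file(text):
    """Return (daemon_list, client_list) pairs; '#' starts a comment, blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr, hostname):
    """The client forms from hosts_access(5) that the text lists, plus the ALL wildcard."""
    if pattern == "ALL":
        return True
    if pattern.startswith("@"):
        # NIS netgroup: needs a ypserv lookup, so this stand-alone example never matches it.
        return False
    if pattern.startswith("."):
        # Leading dot: the last components of the host name must match (.tue.nl ~ wzv.win.tue.nl).
        return hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        # Trailing dot: the first numeric fields of the address must match (199.170.177.).
        return addr.startswith(pattern)
    if "/" in pattern:
        # net/mask: match when (address AND mask) == net, as hosts_access(5) defines it.
        net, mask = pattern.split("/", 1)
        a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
        return (a & m) == n
    return pattern == addr or pattern.lower() == hostname.lower()


def rule_matches(rules, daemon, addr, hostname):
    """Scan top to bottom; the first rule whose daemon list AND client list both match wins."""
    for daemons, clients in rules:
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(client_matches(c, addr, hostname) for c in clients):
            return True
    return False


def access_decision(daemon, addr, hostname, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the three checks in the order the text gives them."""
    if rule_matches(parse_access_file(allow_text), daemon, addr, hostname):
        return "allow"   # listed in hosts.allow: hosts.deny is never consulted
    if rule_matches(parse_access_file(deny_text), daemon, addr, hostname):
        return "deny"    # not explicitly allowed, but matched in hosts.deny
    return "allow"       # in neither file: the default is to permit


if __name__ == "__main__":
    # jukebox.linuxtoys.net (199.170.179.18) from the walkthrough: telnet allowed, IMAP refused.
    for daemon in ("in.telnetd", "imapd", "vsftpd", "cups-lpd"):
        print(daemon, access_decision(daemon, "199.170.179.18", "jukebox.linuxtoys.net"))
```

Passing an empty string as deny_text shows the third rule at work: with nothing in hosts.deny, the IMAP request from jukebox is permitted by default.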

204 Part II. Running the Show

Saturday, July 21st, 2007

Disabling Network Services

Although there are hundreds of services potentially available and subject to attack on your Linux system, in reality only a few dozen services are installed, and only a handful of those are on by default. Most network services are started either by the xinetd process (named inetd on some Linux distributions) or by a startup script in the /etc/init.d directory.

Xinetd is a daemon that listens on a great number of network port numbers. When a connection is made to a particular port number, xinetd automatically starts the appropriate program for that service and hands the connection to it. The configuration file /etc/xinetd.conf is used to provide default settings for the xinetd server. (If the daemon is called inetd, look for an /etc/inetd.conf file instead.) The directory /etc/xinetd.d contains files telling xinetd what ports to listen on and what programs to start. Each file contains configuration information for a single service, and the file is usually named after the service it configures.

For example, to enable the rsync service, edit the rsync file in the /etc/xinetd.d directory and look for a section similar to the following:

    service rsync
    {
            disable         = yes
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/bin/rsync
            server_args     = --daemon
            log_on_failure  += USERID
    }

The first line of this example identifies the service as rsync, which exactly matches the service name listed in the /etc/services file, causing the service to listen on port 873 for the TCP and UDP protocols. You can see that the service is off by default (disable = yes). To enable the rsync service, change the line to read disable = no:

    service rsync
    {
            disable         = no
            socket_type     = stream
            wait            = no
            user            = root
            server          = /usr/bin/rsync
            server_args     = --daemon
            log_on_failure  += USERID
    }

Chapter 6. Securing Linux 203

Friday, July 20th, 2007

    # /etc/services:
    # service-name  port/protocol  [aliases ...]   [# comment]
    chargen         19/tcp          ttytst source
    chargen         19/udp          ttytst source
    ftp-data        20/tcp
    ftp-data        20/udp
    # 21 is registered to ftp, but also used by fsp
    ftp             21/tcp
    ftp             21/udp          fsp fspd
    ssh             22/tcp                          # SSH Remote Login Protocol
    ssh             22/udp                          # SSH Remote Login Protocol
    telnet          23/tcp
    telnet          23/udp
    # 24 - private mail system
    smtp            25/tcp          mail

There are three columns of information after the comment lines. The left column contains the name of each service, the middle column defines the port number and protocol type used for that service, and the right column contains an optional alias or list of aliases for the service. The last entry in this example, for instance, describes the SMTP (Simple Mail Transfer Protocol) service, which is the service used for delivering e-mail over the Internet. The middle column tells you that the SMTP protocol uses port 25 and uses the Transmission Control Protocol (TCP) as its protocol type.

What exactly is a port number? It is a unique number that's been set aside for a particular network service. It allows network connections to be properly routed to the software that handles that service. For example, when an e-mail message is delivered from some other computer to your Linux box, the remote system must first establish a network connection with your system. Your computer receives the connection request, examines it, sees it labeled for port 25, and knows that the connection should be handed to the program that handles e-mail (which happens to be sendmail).

A program that runs quietly in the background handling service requests (such as sendmail) is called a daemon. Daemons are usually started automatically when your system boots up, and they keep running until your system is shut down. Daemons may also be started on an as-needed basis by xinetd, a special daemon that listens on a large number of port numbers and then launches the service that is registered with that port number.

SMTP uses the TCP protocol; some other services use UDP, the User Datagram Protocol. For this security discussion, all you really need to know about TCP and UDP is that they provide different ways of packaging the information sent over a network connection. A TCP connection provides error detection and retransmission of lost data. UDP doesn't check to ensure that the data arrived complete and intact; it is meant as a fast way to send noncritical information.
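As an added example (Python written for this page, not the book's code), a small audit that ties pages 204 and 203 together: it parses xinetd service stanzas, including the += operator, and the three-column /etc/services format, then lists which services are enabled and which ports /etc/services binds to their names. The /etc/services excerpt and the two xinetd.d files are constructed samples, not copied from a live system, and no /etc/xinetd.conf defaults are read.

```python
import re

# Constructed excerpt of /etc/services in the three-column format quoted in the text.
SERVICES = """\
ftp             21/tcp
ftp             21/udp          fsp fspd
smtp            25/tcp          mail
rsync           873/tcp
rsync           873/udp
"""
# Constructed contents of two files under /etc/xinetd.d, in the stanza format quoted in the text.
XINETD_FILES = {
    "rsync": """\
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}
""",
    "telnet": """\
service telnet
{
        disable         = yes
        server          = /usr/sbin/in.telnetd
}
""",
}
STANZA = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR = re.compile(r"(\w+)\s*(\+?=)\s*(.*)")


def parse_services(text):
    """Map (name, protocol) -> port from /etc/services lines, registering aliases as well."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table


def parse_xinetd(text):
    """Parse 'service name { attribute op value }' stanzas into {name: {attribute: value}}.
    '+=' appends to the value inherited from xinetd.conf (here: assigned earlier in the stanza)."""
    services = {}
    for name, body in STANZA.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            key, op, value = ATTR.match(line).groups()
            if op == "+=":
                value = (attrs.get(key, "") + " " + value).strip()
            attrs[key] = value.strip()
        services[name] = attrs
    return services


def enabled_services(xinetd_files, services_text):
    """List every service whose stanza lacks 'disable = yes', with the ports bound to its name."""
    ports = parse_services(services_text)
    report = []
    for text in xinetd_files.values():
        for name, attrs in parse_xinetd(text).items():
            if attrs.get("disable", "no").lower() == "yes":
                continue
            bound = sorted((ports[(name, p)], p) for p in ("tcp", "udp") if (name, p) in ports)
            report.append((name, attrs.get("server", ""), bound))
    return sorted(report)
```

Run against a real /etc/xinetd.d, the report is the list of listeners xinetd will actually start, which is the thing to compare against the services you meant to leave on.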

202 Part II. Running the Show

Friday, July 20th, 2007

Table 6-2 (continued)

    State        Description
    LAST_ACK     The remote end has shut down, and the socket is closed, waiting for acknowledgment.
    LISTEN       Socket is waiting for an incoming connection.
    CLOSING      Both sides of the connection are shut down, but not all of your data has been sent.
    UNKNOWN      The state of the socket is unknown.

During a DoS attack, the foreign address is usually the same for each connection, in which case it's a simple matter of typing the foreign IP address into the search form at www.arin.net/whois/ so you can alert your ISP. During a DDoS attack, the foreign address is likely to be different for each connection, which makes it impossible to track down all the offenders because there are probably thousands of them. The best way to defend yourself is to contact your ISP to see if it can filter the traffic at its border routers.

Protecting Against Intrusion Attacks

Crackers have a wide variety of tools and techniques to assist them in breaking into your computer. Intrusion attacks focus on exploiting weaknesses in your security, so crackers can take more control of your system (and potentially do more damage) than they could from the outside. Fortunately, there are many tools and techniques for combating intrusion attacks. Let's explore some of the most common break-in methods and the tools available to protect your system.

Evaluating Access to Network Services

Linux systems provide many network services and therefore many avenues for cracker attacks. You should know these services and how to limit access to them. What is a network service? Basically, it's any task that the computer performs that requires it to send and receive information over the network using some predefined set of rules. Routing e-mail is a network service. So is serving Web pages. Your Linux box has the potential to provide thousands of services. Many of them are listed in the /etc/services file. Look at a snippet of that file:

Chapter 6. Securing Linux 201

Friday, July 20th, 2007

The following is an example of what the output might look like:

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 65.213.7.96:22          13.29.132.19:12545      ESTABLISHED 32376/sshd
    tcp        0    224 65.213.7.96:22          13.29.210.13:29250      ESTABLISHED 13858/sshd
    tcp        0      0 65.213.7.96:6667        13.29.194.190:33452     ESTABLISHED 1870/ircd
    tcp        0      0 65.213.7.96:6667        216.39.144.152:42709    ESTABLISHED 1870/ircd
    tcp        0      0 65.213.7.96:42352       67.113.1.99:53          TIME_WAIT   -
    tcp        0      0 65.213.7.96:42354       83.152.6.9:113          TIME_WAIT   -
    tcp        0      0 65.213.7.96:42351       83.152.6.9:113          TIME_WAIT   -
    tcp        0      0 127.0.0.1:42355         127.0.0.1:783           TIME_WAIT   -
    tcp        0      0 127.0.0.1:783           127.0.0.1:42353         TIME_WAIT   -
    tcp        0      0 65.213.7.96:42348       19.15.11.1:25           TIME_WAIT   -

The output is organized into columns defined as follows:

- Proto: Protocol used by the socket.
- Recv-Q: The number of bytes not yet copied by the user program attached to this socket.
- Send-Q: The number of bytes not acknowledged by the host.
- Local Address: Address and port number of the local end of the socket.
- Foreign Address: Address and port number of the remote end of the socket.
- State: Current state of the socket. Table 6-2 provides a list of socket states.
- PID/Program name: Process ID and program name of the process that owns the socket.

Table 6-2 Socket States

    State        Description
    ESTABLISHED  Socket has an established connection.
    SYN_SENT     Socket actively trying to establish a connection.
    SYN_RECV     Connection request received from the network.
    FIN_WAIT1    Socket is closed and the connection is shutting down.
    FIN_WAIT2    Socket is waiting for remote end to shut down.
    TIME_WAIT    Socket is waiting after closing to handle packets still in the network.
    CLOSED       Socket is not being used.
    CLOSE_WAIT   The remote end has shut down, waiting for the socket to close.

200 Part II. Running the Show

Friday, July 20th, 2007

The r flag denotes that the server machine will be the receiver. The s flag, in conjunction with the r flag, tells ttcp to ignore any received data. Have someone outside your data link, with a network link close to the same speed as yours, set up a ttcp sending process:

    # ttcp -ts server.example.com
    ttcp-t: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp -> server.example.com
    ttcp-t: socket
    ttcp-t: connect

Let the process run for a few minutes and then press Ctrl+C on the transmitting side to stop the testing. The receiving side will then take a moment to calculate and present the results:

    # ttcp -rs
    ttcp-r: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp
    ttcp-r: socket
    ttcp-r: accept from 64.223.17.21
    ttcp-r: 2102496 bytes in 70.02 real seconds = 29.32 KB/sec +++
    ttcp-r: 1226 I/O calls, msec/call = 58.49, calls/sec = 17.51
    ttcp-r: 0.0user 0.0sys 1:10real 0% 0i+0d 0maxrss 0+2pf 0+0csw

In this example, the average bandwidth between the two hosts was 29.32 kilobytes per second. On a link suffering from a DDoS, this number would be a fraction of the actual bandwidth for which the data link is rated.

If the data link is indeed saturated, the next step is to determine where the connections are coming from. A very effective way of doing this is with the netstat command. Type the following to see connection information:

    # netstat -tupn

Table 6-1 describes each of the netstat parameters used here.

Table 6-1 netstat Parameters

    Parameter       Description
    -t, --tcp       Shows TCP socket connections.
    -u, --udp       Shows UDP socket connections.
    -p, --program   Shows the PID and name of the program to which each socket belongs.
    -n, --numeric   Shows numerical addresses instead of trying to determine symbolic host, port, or user names.
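The netstat walkthrough on pages 202 to 200, as an added Python example rather than code from the book: parse netstat -tupn output, count connections per socket state (Table 6-2) and per foreign address, and apply the chapter's rule of thumb that one address behind most connections points at a single-source DoS while a large total spread over many addresses points at a DDoS. The listing is constructed from the output quoted above plus a burst of half-open connections from 198.51.100.7, a documentation address used as a stand-in; the thresholds are assumptions.

```python
from collections import Counter

# Constructed `netstat -tupn` output modelled on the listing above, followed by a burst of
# half-open connections from one constructed source address (198.51.100.7) to show a flood.
NETSTAT_OUTPUT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 65.213.7.96:22          13.29.132.19:12545      ESTABLISHED 32376/sshd
tcp        0    224 65.213.7.96:22          13.29.210.13:29250      ESTABLISHED 13858/sshd
tcp        0      0 65.213.7.96:6667        13.29.194.190:33452     ESTABLISHED 1870/ircd
tcp        0      0 65.213.7.96:6667        216.39.144.152:42709    ESTABLISHED 1870/ircd
tcp        0      0 65.213.7.96:42352       67.113.1.99:53          TIME_WAIT   -
tcp        0      0 127.0.0.1:42355         127.0.0.1:783           TIME_WAIT   -
udp        0      0 0.0.0.0:123             0.0.0.0:*                           912/ntpd
""" + "".join(
    f"tcp        0      0 65.213.7.96:80          198.51.100.7:{40000 + i}      SYN_RECV    -\n"
    for i in range(8)
)


def parse_netstat(text):
    """Split connection rows into fields; UDP rows have no State column and PID may be '-'."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner and header lines
        proto, _recvq, _sendq, local, foreign = f[:5]
        rest = f[5:]
        state = rest.pop(0) if rest and rest[0].isupper() else ""
        conns.append({"proto": proto, "local": local, "state": state,
                      "foreign_host": foreign.rsplit(":", 1)[0],
                      "program": rest[0] if rest else "-"})
    return conns


def connection_summary(conns):
    """Connections per socket state (Table 6-2) and per foreign host, loopback and wildcard excluded."""
    by_state = Counter(c["state"] for c in conns if c["state"])
    by_host = Counter(c["foreign_host"] for c in conns
                      if not c["foreign_host"].startswith("127.") and c["foreign_host"] != "0.0.0.0")
    return by_state, by_host


def flag_flood(conns, per_host_threshold=5, total_threshold=100):
    """The chapter's heuristic: one foreign address behind many connections looks like a
    single-source DoS (look it up at whois and tell the ISP); a huge total spread over many
    addresses looks like a DDoS (ask the ISP to filter at its border). Thresholds are assumptions."""
    _by_state, by_host = connection_summary(conns)
    suspects = [host for host, n in by_host.most_common() if n >= per_host_threshold]
    if suspects:
        return "dos", suspects
    if sum(by_host.values()) >= total_threshold:
        return "ddos", [host for host, _ in by_host.most_common(10)]
    return "normal", []
```

A jump in the SYN_RECV count from connection_summary is the half-open-connection pattern worth watching even before any single source crosses the per-host threshold.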

Chapter 6. Securing Linux 199

Thursday, July 19th, 2007

    # ping www.example.com
    PING www.example.com (192.0.34.166) from 10.0.0.11: 56(84) bytes of data
    64 bytes from 192.0.34.166: icmp_seq=1 ttl=62 time=1252 ms
    64 bytes from 192.0.34.166: icmp_seq=2 ttl=62 time=1218 ms
    64 bytes from 192.0.34.166: icmp_seq=3 ttl=62 time=1290 ms
    64 bytes from 192.0.34.166: icmp_seq=4 ttl=62 time=1288 ms
    64 bytes from 192.0.34.166: icmp_seq=5 ttl=62 time=1241 ms

    --- www.example.com ping statistics ---
    6 packets transmitted, 5 received, 0% loss, time 5032ms
    rtt min/avg/max/mdev = 1218.059/1258.384/1290.861/28.000 ms

In this example, a ping packet took, on average, 1.3 seconds to make the round trip. From the first example to the second example, latency increased by a factor of 31! A data link that goes from working normally to slowing down by a factor of 31 is a clear sign that link utilization should be investigated.

For a more accurate measure of data throughput, a tool such as ttcp can be used. To test your connection with ttcp, you must have installed the ttcp package on machines inside and outside your network. If you are not sure whether the package is installed, simply type ttcp at a command prompt. You should see something like the following:

    # ttcp
    Usage: ttcp -t [-options] host [ < in ]
           ttcp -r [-options > out]
    Common options:
            -l ##   length of bufs read from or written to network (default 8192)
            -u      use UDP instead of TCP
            -p ##   port number to send to or listen at (default 5001)
            -s      -t: source a pattern to network
                    -r: sink (discard) all data from network
            -A      align the start of buffers to this modulus (default 16384)
            -O      start buffers at this offset from the modulus (default 0)
            -v      verbose: print more statistics
            -d      set SO_DEBUG socket option
            -b ##   set socket buffer size (if supported)
            -f X    format for rate: k,K = kilo{bit,byte}; m,M = mega; g,G = giga
    Options specific to -t:
            -n##    number of source bufs written to network (default 2048)
            -D      don't buffer TCP writes (sets TCP_NODELAY socket option)
    Options specific to -r:
            -B      for -s, only output full blocks as specified by -l (for TAR)
            -T      "touch": access each byte as it's read

The first step is to start up a receiver process on the server machine:

    # ttcp -rs
    ttcp-r: buflen=8192, nbuf=2048, align=16384/0, port=5001 tcp
    ttcp-r: socket

198 Part II. Running the Show

Thursday, July 19th, 2007

With the advent of DSL and cable modems, millions of people are enjoying Internet access with virtually no speed restrictions. In their rush to get online, many of those people neglect even the most basic security. Because the vast majority of these people run Microsoft operating systems, they tend to get hit with worms and viruses rather quickly. Until very recently, it was common practice for Microsoft systems to have many services open to the network of which users were unaware, and very little emphasis was placed on using firewall features to block intruders.

After a machine has been infiltrated, quite often the worm or virus installs a program on the victim's machine that instructs it to quietly call home and announce that it is now ready to do the master's bidding. At the whim of the master, the infected machines can now be used to focus a concentrated stream of garbage data at a selected host. In concert with thousands of other infected machines, an attacker now has the power to take down nearly any site on the Internet.

Detecting a DDoS is similar to detecting a DoS attack. One or more of the following signs are likely to be present:

- Sustained saturated data link
- No reduction in link saturation during off-peak hours
- Hundreds or even thousands of simultaneous network connections
- Extremely slow system performance

Pinging an outside host can tell you a lot about your data link saturation: much higher than usual latency is a dead giveaway. Normal ping latency (that is, the time it takes for a ping response to come back from a remote host) looks like the following:

    # ping www.example.com
    PING www.example.com (192.0.34.166) from 10.0.0.11: 56(84) bytes of data
    64 bytes from 192.0.34.166: icmp_seq=1 ttl=49 time=40.1 ms
    64 bytes from 192.0.34.166: icmp_seq=2 ttl=49 time=42.5 ms
    64 bytes from 192.0.34.166: icmp_seq=3 ttl=49 time=39.5 ms
    64 bytes from 192.0.34.166: icmp_seq=4 ttl=49 time=38.4 ms
    64 bytes from 192.0.34.166: icmp_seq=5 ttl=49 time=39.0 ms

    --- www.example.com ping statistics ---
    5 packets transmitted, 5 received, 0% loss, time 4035ms
    rtt min/avg/max/mdev = 38.472/39.971/42.584/1.432 ms

In this example, the average time for a ping packet to make the round trip was about 39 thousandths of a second. A ping to a nearly saturated link will look like the following:
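As an added Python example (not from the book), the saturation check that the ping and ttcp pages (198 to 200) describe, carried out programmatically: parse the two ping summaries, compute the latency ratio against the known-good baseline (about 31 here), recompute packet loss from the transmitted/received counts, and turn the ttcp result line into KB/s to compare with the rated link speed. The transcripts are constructed from the listings quoted on these pages; the 1500 KB/s rated speed and the alert thresholds are assumptions.

```python
import re

# Constructed transcripts modelled on the ping and ttcp listings quoted in the text.
PING_NORMAL = """\
PING www.example.com (192.0.34.166) from 10.0.0.11: 56(84) bytes of data
64 bytes from 192.0.34.166: icmp_seq=1 ttl=49 time=40.1 ms
64 bytes from 192.0.34.166: icmp_seq=2 ttl=49 time=42.5 ms
--- www.example.com ping statistics ---
5 packets transmitted, 5 received, 0% loss, time 4035ms
rtt min/avg/max/mdev = 38.472/39.971/42.584/1.432 ms
"""
PING_SATURATED = """\
PING www.example.com (192.0.34.166) from 10.0.0.11: 56(84) bytes of data
64 bytes from 192.0.34.166: icmp_seq=1 ttl=62 time=1252 ms
64 bytes from 192.0.34.166: icmp_seq=2 ttl=62 time=1218 ms
--- www.example.com ping statistics ---
6 packets transmitted, 5 received, 0% loss, time 5032ms
rtt min/avg/max/mdev = 1218.059/1258.384/1290.861/28.000 ms
"""
TTCP_RESULT = "ttcp-r: 2102496 bytes in 70.02 real seconds = 29.32 KB/sec +++"

PACKETS = re.compile(r"(\d+) packets transmitted, (\d+) received")
RTT = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")
TTCP = re.compile(r"(\d+) bytes in ([\d.]+) real seconds")


def parse_ping(text):
    """Read the summary lines; loss is recomputed from the counts instead of trusting the
    printed percentage (the saturated listing says 0% while one of six packets never came back)."""
    sent, received = map(int, PACKETS.search(text).groups())
    rtt_min, rtt_avg, rtt_max, mdev = map(float, RTT.search(text).groups())
    return {"sent": sent, "received": received, "loss": 1 - received / sent,
            "min_ms": rtt_min, "avg_ms": rtt_avg, "max_ms": rtt_max, "mdev_ms": mdev}


def ttcp_kbytes_per_sec(line):
    """Throughput from the ttcp-r result line: bytes / seconds / 1024, as ttcp itself reports."""
    nbytes, seconds = TTCP.search(line).groups()
    return int(nbytes) / float(seconds) / 1024


def assess_link(baseline_ping, current_ping, ttcp_line, rated_kbytes_per_sec,
                latency_factor=5.0, loss_threshold=0.05, throughput_fraction=0.25):
    """Combine the two measurements the text describes: latency growth against a known-good
    baseline, and the share of the rated link that ttcp could actually use. Thresholds are assumptions."""
    base, now = parse_ping(baseline_ping), parse_ping(current_ping)
    factor = now["avg_ms"] / base["avg_ms"]
    kbs = ttcp_kbytes_per_sec(ttcp_line)
    reasons = []
    if factor >= latency_factor:
        reasons.append(f"latency up {factor:.0f}x over baseline")
    if now["loss"] >= loss_threshold:
        reasons.append(f"{now['loss']:.0%} packet loss")
    if kbs / rated_kbytes_per_sec <= throughput_fraction:
        reasons.append(f"ttcp moved {kbs:.1f} KB/s on a link rated {rated_kbytes_per_sec:.0f} KB/s")
    return {"latency_factor": factor, "loss": now["loss"], "throughput_kbs": kbs,
            "saturated": bool(reasons), "reasons": reasons}
```

The baseline transcript is the part worth keeping on disk: a single slow ping says little, but the same host answering 31 times slower than it did last week is the signal the chapter describes.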