Date: Thu, 17 Apr 2014 20:33:55 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44601 - head/en_US.ISO8859-1/books/handbook/security
Message-ID: <201404172033.s3HKXt6T036125@svn.freebsd.org>
Author: dru Date: Thu Apr 17 20:33:55 2014 New Revision: 44601 URL: http://svnweb.freebsd.org/changeset/doc/44601 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 17 20:16:19 2014 (r44600) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 17 20:33:55 2014 (r44601) @@ -51,8 +51,8 @@ </listitem> <listitem> - <para>How to configure <application>TCP Wrapper</application> for use - with &man.inetd.8;.</para> + <para>How to configure <application>TCP Wrapper</application> + for use with &man.inetd.8;.</para> </listitem> <listitem> 
@@ -877,21 +877,20 @@ Enter secret pass phrase: <userinput>< <indexterm><primary>TCP Wrapper</primary></indexterm> <para><application>TCP Wrapper</application> is a host-based - access control system which extends the abilities of - <xref linkend="network-inetd"/>. It can be configured - to provide logging support, return messages, and - connection restrictions for the - server daemons under the control of + access control system which extends the abilities of <xref + linkend="network-inetd"/>. It can be configured to provide + logging support, return messages, and connection restrictions + for the server daemons under the control of <application>inetd</application>. Refer to &man.tcpd.8; for more information about <application>TCP Wrapper</application> and its features.</para> - <para><application>TCP Wrapper</application> should not be considered a - replacement for a properly configured firewall. - Instead, <application>TCP Wrapper</application> should be used in conjunction - with a firewall and other security enhancements in order to - provide another layer of protection in the implementation of a - security policy.</para> + <para><application>TCP Wrapper</application> should not be + considered a replacement for a properly configured firewall. + Instead, <application>TCP Wrapper</application> should be used + in conjunction with a firewall and other security enhancements + in order to provide another layer of protection in the + implementation of a security policy.</para> <sect2> <title>Initial Configuration</title> 
@@ -903,33 +902,35 @@ Enter secret pass phrase: <userinput>< <programlisting>inetd_enable="YES" inetd_flags="-Ww"</programlisting> - <para>Then, properly configure + <para>Then, properly configure <filename>/etc/hosts.allow</filename>.</para> <note> <para>Unlike other implementations of - <application>TCP Wrapper</application>, the use of <filename>hosts.deny</filename> is - deprecated in &os;. All configuration options should be placed - in <filename>/etc/hosts.allow</filename>.</para> + <application>TCP Wrapper</application>, the use of + <filename>hosts.deny</filename> is deprecated in &os;. All + configuration options should be placed in + <filename>/etc/hosts.allow</filename>.</para> </note> <para>In the simplest configuration, daemon connection policies - are set to either permit or block, depending on the - options in <filename>/etc/hosts.allow</filename>. The default - configuration in &os; is to allow all connections to the daemons - started with <application>inetd</application>.</para> + are set to either permit or block, depending on the options in + <filename>/etc/hosts.allow</filename>. The default + configuration in &os; is to allow all connections to the + daemons started with <application>inetd</application>.</para> <para>Basic configuration usually takes the form of <literal>daemon : address : action</literal>, where - <literal>daemon</literal> is the daemon which <application>inetd</application> - started, <literal>address</literal> is a valid hostname, + <literal>daemon</literal> is the daemon which + <application>inetd</application> started, + <literal>address</literal> is a valid hostname, <acronym>IP</acronym> address, or an IPv6 address enclosed in brackets ([ ]), and <literal>action</literal> is either <literal>allow</literal> or <literal>deny</literal>. <application>TCP Wrapper</application> uses a first rule match - semantic, meaning that the configuration file is scanned - from the beginning for a matching rule. 
When a match is found, - the rule is applied and the search process stops.</para> + semantic, meaning that the configuration file is scanned from + the beginning for a matching rule. When a match is found, the + rule is applied and the search process stops.</para> <para>For example, to allow <acronym>POP</acronym>3 connections via the <package>mail/qpopper</package> daemon, the following 
@@ -942,102 +943,100 @@ qpopper : ALL : allow</programlisting> <para>Whenever this file is edited, restart <application>inetd</application>:</para> - <screen>&prompt.root; <userinput>service inetd restart</userinput></screen> + <screen>&prompt.root; <userinput>service inetd restart</userinput></screen> </sect2> <sect2> <title>Advanced Configuration</title> - <para><application>TCP Wrapper</application> provides advanced options - to allow more control over the way connections are handled. - In some cases, it may be appropriate to return a comment to - certain hosts or daemon connections. In other cases, a log - entry should be recorded or an email sent to the + <para><application>TCP Wrapper</application> provides advanced + options to allow more control over the way connections are + handled. In some cases, it may be appropriate to return a + comment to certain hosts or daemon connections. In other + cases, a log entry should be recorded or an email sent to the administrator. Other situations may require the use of a service for local connections only. This is all possible - through the use of configuration options known as - wildcards, expansion characters, and - external command execution.</para> - - <para>Suppose that a situation occurs where a connection - should be denied yet a reason should be sent to the - host who attempted to establish that connection. That - action is possible with <option>twist</option>. When a - connection attempt is made, <option>twist</option> executes - a shell command or script. An example exists in - <filename>hosts.allow</filename>:</para> + through the use of configuration options known as wildcards, + expansion characters, and external command execution.</para> - <programlisting># The rest of the daemons are protected. + <para>Suppose that a situation occurs where a connection should + be denied yet a reason should be sent to the host who + attempted to establish that connection. 
That action is + possible with <option>twist</option>. When a connection + attempt is made, <option>twist</option> executes a shell + command or script. An example exists in + <filename>hosts.allow</filename>:</para> + + <programlisting># The rest of the daemons are protected. ALL : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h."</programlisting> - <para>In this example, the message <quote>You are not allowed - to use <replaceable>daemon name</replaceable> from - <replaceable>hostname</replaceable>.</quote> will be returned for - any daemon not configured in <filename>hosts.allow</filename>. - This is useful for sending a reply back to the connection - initiator right after the established connection is dropped. - Any message returned <emphasis>must</emphasis> be wrapped in - quote (<literal>"</literal>) characters.</para> + <para>In this example, the message <quote>You are not allowed to + use <replaceable>daemon name</replaceable> from + <replaceable>hostname</replaceable>.</quote> will be returned + for any daemon not configured in + <filename>hosts.allow</filename>. This is useful for sending + a reply back to the connection initiator right after the + established connection is dropped. Any message returned + <emphasis>must</emphasis> be wrapped in quote + (<literal>"</literal>) characters.</para> - <warning> - <para>It may be possible to launch a denial of service - attack on the server if an attacker - floods these daemons with connection - requests.</para> - </warning> + <warning> + <para>It may be possible to launch a denial of service attack + on the server if an attacker floods these daemons with + connection requests.</para> + </warning> - <para>Another possibility is to use <option>spawn</option>. - Like <option>twist</option>, <option>spawn</option> - implicitly denies the connection and may be used to run - external shell commands or scripts. 
Unlike - <option>twist</option>, <option>spawn</option> will not send - a reply back to the host who established the - connection. For example, consider the following - configuration:</para> + <para>Another possibility is to use <option>spawn</option>. + Like <option>twist</option>, <option>spawn</option> implicitly + denies the connection and may be used to run external shell + commands or scripts. Unlike <option>twist</option>, + <option>spawn</option> will not send a reply back to the host + who established the connection. For example, consider the + following configuration:</para> - <programlisting># We do not allow connections from example.com: + <programlisting># We do not allow connections from example.com: ALL : .example.com \ : spawn (/bin/echo %a from %h attempted to access %d >> \ /var/log/connections.log) \ : deny</programlisting> - <para>This will deny all connection attempts from <systemitem - class="fqdomainname">*.example.com</systemitem> and log - the hostname, <acronym>IP</acronym> address, and the daemon - to which access was attempted to - <filename>/var/log/connections.log</filename>. This example - uses the substitution characters - <literal>%a</literal> and <literal>%h</literal>. Refer to - &man.hosts.access.5; for the complete list.</para> - - <para>To match every instance of a daemon, domain, or - <acronym>IP</acronym> address, use <literal>ALL</literal>. Another wildcard is - <literal>PARANOID</literal> which may be used to match - any host which provides an <acronym>IP</acronym> address - that may be forged because the - <acronym>IP</acronym> address differs from its resolved - hostname. 
In this example, all connection requests to - <application>Sendmail</application> which have an <acronym>IP</acronym> address - that varies from its hostname will be denied:</para> + <para>This will deny all connection attempts from <systemitem + class="fqdomainname">*.example.com</systemitem> and log the + hostname, <acronym>IP</acronym> address, and the daemon to + which access was attempted to + <filename>/var/log/connections.log</filename>. This example + uses the substitution characters <literal>%a</literal> and + <literal>%h</literal>. Refer to &man.hosts.access.5; for the + complete list.</para> + + <para>To match every instance of a daemon, domain, or + <acronym>IP</acronym> address, use <literal>ALL</literal>. + Another wildcard is <literal>PARANOID</literal> which may be + used to match any host which provides an <acronym>IP</acronym> + address that may be forged because the <acronym>IP</acronym> + address differs from its resolved hostname. In this example, + all connection requests to <application>Sendmail</application> + which have an <acronym>IP</acronym> address that varies from + its hostname will be denied:</para> - <programlisting># Block possibly spoofed requests to sendmail: + <programlisting># Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny</programlisting> - <caution> - <para>Using the <literal>PARANOID</literal> wildcard will - result in denied connections if the client or server has a - broken <acronym>DNS</acronym> setup.</para> - </caution> + <caution> + <para>Using the <literal>PARANOID</literal> wildcard will + result in denied connections if the client or server has a + broken <acronym>DNS</acronym> setup.</para> + </caution> - <para>To learn more about wildcards and their associated - functionality, refer to &man.hosts.access.5;.</para> + <para>To learn more about wildcards and their associated + functionality, refer to &man.hosts.access.5;.</para> <note> <para>When adding new configuration lines, make sure that 
any - unneeded entries for that daemon are commented - out in <filename>hosts.allow</filename>.</para> + unneeded entries for that daemon are commented out in + <filename>hosts.allow</filename>.</para> </note> </sect2> </sect1> @@ -1772,15 +1771,16 @@ kadmind5_server_enable="YES"</programlis <para><application>OpenSSL</application> is an open source implementation of the <acronym>SSL</acronym> and - <acronym>TLS</acronym> protocols. - It provides an encryption transport layer on top of the normal - communications layer, allowing it to be intertwined with many - network applications and services.</para> + <acronym>TLS</acronym> protocols. It provides an encryption + transport layer on top of the normal communications layer, + allowing it to be intertwined with many network applications and + services.</para> <para>The version of <application>OpenSSL</application> included - in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and - Transport Layer Security v1 (TLSv1) network security protocols - and can be used as a general cryptographic library.</para> + in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) + and Transport Layer Security v1 (TLSv1) network security + protocols and can be used as a general cryptographic + library.</para> <!-- This patent expired in 2012, is the note still needed? <note> 
@@ -1793,32 +1793,32 @@ This patent expired in 2012, is the note </note> --> - <para><application>OpenSSL</application> is often used to - encrypt authentication of mail clients and to secure web based + <para><application>OpenSSL</application> is often used to encrypt + authentication of mail clients and to secure web based transactions such as credit card payments. Some ports, such as <package>www/apache24</package> and - <package>databases/postgresql91-server</package>, include a compile option for - building with <application>OpenSSL</application>. If selected, - the port will add support using the - <package>security/openssl</package> port. To instead have the - port compile against the built in version of + <package>databases/postgresql91-server</package>, include a + compile option for building with + <application>OpenSSL</application>. If selected, the port will + add support using the <package>security/openssl</package> port. + To instead have the port compile against the built in version of <application>OpenSSL</application>, include - <varname>WITH_OPENSSL_BASE</varname> when compiling - in <application>OpenSSL</application> support.</para> + <varname>WITH_OPENSSL_BASE</varname> when compiling in + <application>OpenSSL</application> support.</para> - <para>Another common use of - <application>OpenSSL</application> is to provide certificates - for use with software applications. Certificates can be used to verify - the credentials of a company or individual. - If a certificate has not - been signed by an external <firstterm>Certificate Authority</firstterm> + <para>Another common use of <application>OpenSSL</application> is + to provide certificates for use with software applications. + Certificates can be used to verify the credentials of a company + or individual. 
If a certificate has not been signed by an + external <firstterm>Certificate Authority</firstterm> (<acronym>CA</acronym>), such as <link xlink:href="http://www.verisign.com">http://www.verisign.com</link>, - the application that uses the certificate will produce a warning. - There is a cost associated with obtaining a signed certificate and using a - signed certificate is not mandatory as certificates can be - self-signed. However, using an external authority will prevent warnings and can put - users at ease.</para> + the application that uses the certificate will produce a + warning. There is a cost associated with obtaining a signed + certificate and using a signed certificate is not mandatory as + certificates can be self-signed. However, using an external + authority will prevent warnings and can put users at + ease.</para> <para>This section demonstrates how to create and use certificates on a &os; system. Refer to <xref linkend="ldap-config"/> for an