From owner-svn-doc-head@FreeBSD.ORG Thu Apr 17 20:33:55 2014
Return-Path:
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A47DA9FD; Thu, 17 Apr 2014 20:33:55 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9050210B2; Thu, 17 Apr 2014 20:33:55 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s3HKXtVc036126; Thu, 17 Apr 2014 20:33:55 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s3HKXt6T036125; Thu, 17 Apr 2014 20:33:55 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201404172033.s3HKXt6T036125@svn.freebsd.org>
From: Dru Lavigne Date: Thu, 17 Apr 2014 20:33:55 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44601 - head/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the doc tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Apr 2014 20:33:55 -0000 Author: dru Date: Thu Apr 17 20:33:55 2014 New Revision: 44601 URL: http://svnweb.freebsd.org/changeset/doc/44601 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 17 20:16:19 2014 (r44600) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 17 20:33:55 2014 (r44601) @@ -51,8 +51,8 @@ - How to configure TCP Wrapper for use - with &man.inetd.8;. + How to configure TCP Wrapper + for use with &man.inetd.8;. 
@@ -877,21 +877,20 @@ Enter secret pass phrase: < TCP Wrapper TCP Wrapper is a host-based - access control system which extends the abilities of - . It can be configured - to provide logging support, return messages, and - connection restrictions for the - server daemons under the control of + access control system which extends the abilities of . It can be configured to provide + logging support, return messages, and connection restrictions + for the server daemons under the control of inetd. Refer to &man.tcpd.8; for more information about TCP Wrapper and its features. - TCP Wrapper should not be considered a - replacement for a properly configured firewall. - Instead, TCP Wrapper should be used in conjunction - with a firewall and other security enhancements in order to - provide another layer of protection in the implementation of a - security policy. + TCP Wrapper should not be + considered a replacement for a properly configured firewall. + Instead, TCP Wrapper should be used + in conjunction with a firewall and other security enhancements + in order to provide another layer of protection in the + implementation of a security policy. Initial Configuration 
@@ -903,33 +902,35 @@ Enter secret pass phrase: < inetd_enable="YES" inetd_flags="-Ww" - Then, properly configure + Then, properly configure /etc/hosts.allow. Unlike other implementations of - TCP Wrapper, the use of hosts.deny is - deprecated in &os;. All configuration options should be placed - in /etc/hosts.allow. + TCP Wrapper, the use of + hosts.deny is deprecated in &os;. All + configuration options should be placed in + /etc/hosts.allow. In the simplest configuration, daemon connection policies - are set to either permit or block, depending on the - options in /etc/hosts.allow. The default - configuration in &os; is to allow all connections to the daemons - started with inetd. + are set to either permit or block, depending on the options in + /etc/hosts.allow. The default + configuration in &os; is to allow all connections to the + daemons started with inetd. Basic configuration usually takes the form of daemon : address : action, where - daemon is the daemon which inetd - started, address is a valid hostname, + daemon is the daemon which + inetd started, + address is a valid hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and action is either allow or deny. TCP Wrapper uses a first rule match - semantic, meaning that the configuration file is scanned - from the beginning for a matching rule. When a match is found, - the rule is applied and the search process stops. + semantic, meaning that the configuration file is scanned from + the beginning for a matching rule. When a match is found, the + rule is applied and the search process stops. For example, to allow POP3 connections via the mail/qpopper daemon, the following 
@@ -942,102 +943,100 @@ qpopper : ALL : allow Whenever this file is edited, restart inetd: - &prompt.root; service inetd restart + &prompt.root; service inetd restart Advanced Configuration - TCP Wrapper provides advanced options - to allow more control over the way connections are handled. - In some cases, it may be appropriate to return a comment to - certain hosts or daemon connections. In other cases, a log - entry should be recorded or an email sent to the + TCP Wrapper provides advanced + options to allow more control over the way connections are + handled. In some cases, it may be appropriate to return a + comment to certain hosts or daemon connections. In other + cases, a log entry should be recorded or an email sent to the administrator. Other situations may require the use of a service for local connections only. This is all possible - through the use of configuration options known as - wildcards, expansion characters, and - external command execution. - - Suppose that a situation occurs where a connection - should be denied yet a reason should be sent to the - host who attempted to establish that connection. That - action is possible with . When a - connection attempt is made, executes - a shell command or script. An example exists in - hosts.allow: + through the use of configuration options known as wildcards, + expansion characters, and external command execution. - # The rest of the daemons are protected. + Suppose that a situation occurs where a connection should + be denied yet a reason should be sent to the host who + attempted to establish that connection. That action is + possible with . When a connection + attempt is made, executes a shell + command or script. An example exists in + hosts.allow: + + # The rest of the daemons are protected. ALL : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h." - In this example, the message You are not allowed - to use daemon name from - hostname. 
will be returned for - any daemon not configured in hosts.allow. - This is useful for sending a reply back to the connection - initiator right after the established connection is dropped. - Any message returned must be wrapped in - quote (") characters. + In this example, the message You are not allowed to + use daemon name from + hostname. will be returned + for any daemon not configured in + hosts.allow. This is useful for sending + a reply back to the connection initiator right after the + established connection is dropped. Any message returned + must be wrapped in quote + (") characters. - - It may be possible to launch a denial of service - attack on the server if an attacker - floods these daemons with connection - requests. - + + It may be possible to launch a denial of service attack + on the server if an attacker floods these daemons with + connection requests. + - Another possibility is to use . - Like , - implicitly denies the connection and may be used to run - external shell commands or scripts. Unlike - , will not send - a reply back to the host who established the - connection. For example, consider the following - configuration: + Another possibility is to use . + Like , implicitly + denies the connection and may be used to run external shell + commands or scripts. Unlike , + will not send a reply back to the host + who established the connection. For example, consider the + following configuration: - # We do not allow connections from example.com: + # We do not allow connections from example.com: ALL : .example.com \ : spawn (/bin/echo %a from %h attempted to access %d >> \ /var/log/connections.log) \ : deny - This will deny all connection attempts from *.example.com and log - the hostname, IP address, and the daemon - to which access was attempted to - /var/log/connections.log. This example - uses the substitution characters - %a and %h. Refer to - &man.hosts.access.5; for the complete list. 
- - To match every instance of a daemon, domain, or - IP address, use ALL. Another wildcard is - PARANOID which may be used to match - any host which provides an IP address - that may be forged because the - IP address differs from its resolved - hostname. In this example, all connection requests to - Sendmail which have an IP address - that varies from its hostname will be denied: + This will deny all connection attempts from *.example.com and log the + hostname, IP address, and the daemon to + which access was attempted to + /var/log/connections.log. This example + uses the substitution characters %a and + %h. Refer to &man.hosts.access.5; for the + complete list. + + To match every instance of a daemon, domain, or + IP address, use ALL. + Another wildcard is PARANOID which may be + used to match any host which provides an IP + address that may be forged because the IP + address differs from its resolved hostname. In this example, + all connection requests to Sendmail + which have an IP address that varies from + its hostname will be denied: - # Block possibly spoofed requests to sendmail: + # Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny - - Using the PARANOID wildcard will - result in denied connections if the client or server has a - broken DNS setup. - + + Using the PARANOID wildcard will + result in denied connections if the client or server has a + broken DNS setup. + - To learn more about wildcards and their associated - functionality, refer to &man.hosts.access.5;. + To learn more about wildcards and their associated + functionality, refer to &man.hosts.access.5;. When adding new configuration lines, make sure that any - unneeded entries for that daemon are commented - out in hosts.allow. + unneeded entries for that daemon are commented out in + hosts.allow. 
@@ -1772,15 +1771,16 @@ kadmind5_server_enable="YES"OpenSSL is an open source implementation of the SSL and - TLS protocols. - It provides an encryption transport layer on top of the normal - communications layer, allowing it to be intertwined with many - network applications and services. + TLS protocols. It provides an encryption + transport layer on top of the normal communications layer, + allowing it to be intertwined with many network applications and + services. The version of OpenSSL included - in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and - Transport Layer Security v1 (TLSv1) network security protocols - and can be used as a general cryptographic library. + in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) + and Transport Layer Security v1 (TLSv1) network security + protocols and can be used as a general cryptographic + library. - OpenSSL is often used to - encrypt authentication of mail clients and to secure web based + OpenSSL is often used to encrypt + authentication of mail clients and to secure web based transactions such as credit card payments. Some ports, such as www/apache24 and - databases/postgresql91-server, include a compile option for - building with OpenSSL. If selected, - the port will add support using the - security/openssl port. To instead have the - port compile against the built in version of + databases/postgresql91-server, include a + compile option for building with + OpenSSL. If selected, the port will + add support using the security/openssl port. + To instead have the port compile against the built in version of OpenSSL, include - WITH_OPENSSL_BASE when compiling - in OpenSSL support. + WITH_OPENSSL_BASE when compiling in + OpenSSL support. - Another common use of - OpenSSL is to provide certificates - for use with software applications. Certificates can be used to verify - the credentials of a company or individual. 
- If a certificate has not - been signed by an external Certificate Authority + Another common use of OpenSSL is + to provide certificates for use with software applications. + Certificates can be used to verify the credentials of a company + or individual. If a certificate has not been signed by an + external Certificate Authority (CA), such as http://www.verisign.com, - the application that uses the certificate will produce a warning. - There is a cost associated with obtaining a signed certificate and using a - signed certificate is not mandatory as certificates can be - self-signed. However, using an external authority will prevent warnings and can put - users at ease. + the application that uses the certificate will produce a + warning. There is a cost associated with obtaining a signed + certificate and using a signed certificate is not mandatory as + certificates can be self-signed. However, using an external + authority will prevent warnings and can put users at + ease. This section demonstrates how to create and use certificates on a &os; system. Refer to for an
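Review bot: in the @@ -942 hunk (Advanced Configuration), the reflowed prose describes the twist reply as "You are not allowed to use daemon name from hostname" while the example command echoes "You are not welcome to use %d from %h."; the wording was carried over unchanged, so this does not affect a whitespace-only commit, but a follow-up content commit should align the description with the actual echo text so readers can match the two. The same hunk's sentence "Any message returned must be wrapped in quote (") characters" sits after the example rather than before it; moving it ahead of the hosts.allow listing would let the reader see the rule before the example that depends on it.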
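Review bot: in the @@ -1772 hunk (OpenSSL), the sentence "There is a cost associated with obtaining a signed certificate and using a signed certificate is not mandatory as certificates can be self-signed" is a run-on that the reflow preserved; splitting it into two sentences (the cost, then that self-signed certificates are an alternative) would read more cleanly. The reflowed list "Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1)" pins specific protocol versions and is the kind of statement that goes stale, so it is worth re-verifying against the base OpenSSL version in the next content pass on this chapter.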