now sure about now, but it was 5.1 in jan 2009.


This is what I like about redhat hands-on exam. Like the lengthy iptables discussion, we know there are a few ways to achieve the same result. As long as you can get it to work, you are fine.

In regards to the iptables configuration I wonder if you had it configured correctly. If I remember right the default config of iptables (during install) is to allow all localhost packets. Then, the last line will deny all packets if not specifically allowed. This is from the config file /etc/sysconfig/iptables. If the exam does not specifically ask to deny all packets then I'd remove that last line for sanity sake.

Also, I would not use tcp_wrappers at all. Just stick with iptables. It makes it so you only have one thing to learn and it is more secure since it is at the kernel level. You would need to know the ports (from /etc/services), but that shouldn't be too tough.

Michael

Interesting thought...I'm not sure if I would just ignore tcp_wrappers all together, although you can most certainly accomplish a lot with iptables without the use of tcp_wrappers.

Since I'm no guru in iptables, forgive the ignorance in my question. But can iptables do user based ACLs?

What would the syntax be if I wanted to restrict ssh to 192.168.13.0/24 AND also restrict it to user mary using iptables?

Yes, but...
AFAIK, this doesn't work for incoming (unrelated) tcp/udp packets, since they're not associated with any UID or GID on the local system. I'm sure someone has written an application-layer inspection module for iptables, but even in that case openssh encrypts the traffic anyway.

I think you will be stuck using e.g. AllowUsers in sshd_config.

Maybe Michael Jang book is not good for the RHCE part of the test.

I think it is good...

But I've learned in the past that you should never study from only one source...

-C

custangro, I see Anomie gave some insight, but you bring up an interresting question for me. From what you are asking it makes me wonder if tcp_wrappers can do what you ask. Is it true tcp_wrappers can do ACL down to user level? It would be nice.

Now, I'm feeling ignorant, but that's ok. It creates a learning opportunity.

Michael

I don't think you can use iptables for user level restriction. I would also use the SSH Configuration file in addition to the iptables firewall if it specified to allow ONLY mary.

vi sshd_config
AllowUsers mary

This will only allow mary to access the ssh

Would it screw up the system if I also used tcp-wrappers? My guess is not.

vi /etc/hosts.deny
sshd:ALL EXCEPT .whatever.com

You can use the user@host syntax...

/etc/hosts.allow
-C

Thanks custango, I didn't know that - or I forgot it. I guess I'll go back to using tcp_wrappers now that I have a good reason.

Good point rhel5. Either way we tighten things down.

Michael

Interested this thread have became a tcp_wrapper and iptables tutorial.

nice

You can be more granular in sshd_config, so

DenyUsers hacker@192.168.1.*
AllowUsers *@127.0.0.* *@192.168.1.* brad@192.168.2*

etc.

thanks billymayday

Didn't know that we can do so much with sshd_config file.

Also thanks Custangro

I didn't know that we can filter by user with tcp_wrappers. I always thought that tcp_wrappers were host-based security.

Have a scan through man sshd_config - you'll find all sorts of interesting stuff.

I don't deny tcp_wrappers can be handy. but as pointed out earlier, got to becareful though. apps that do not implement libwrap.so cannot be controlled by tcpwrappers. So you have to be familiar with it and not spend time troubleshooting problems that you create for yourself in the exams. say for eg,

oops httpd is running ant not in the list.

I got my rhce without using tcp_wrappers. I believe custango got his with tcp_wrappers. everyone works differently and it is the result that matters in the exam. But as a good sys admin and looking beyond the certificate, we have to know all possible methods of achieving certain result, or at least know how things work in the backend. I know sysadm who just keep using yum or apt-get. When dealing with extreme scenario like rescue environment, the rpm command line mastery becomes important.