Sonoma User Manual
CHAPTER FIVE
SECURITY
• Direct root logins are only permitted on the local RS-232 console or via SSH.
• The secure copy utility, scp, eliminates the need to use the insecure FTP protocol for transferring
program updates to the Sonoma.
• HTTP access, for system monitoring only, is allowed only via SSL, so passwords and session data
are encrypted on the wire. Access via HTTPS may be restricted or completely disabled. See Restrict
Access - HTTPS and Disable SNMP, SSH and HTTPS below.
• SNMP access, for system monitoring only, is configurable to provide the security of the latest
version 3 Internet standard, which supports both view-based access control and user-based security
using modern encryption techniques. Previous versions v1 and v2c supported access control essentially
via passwords transmitted over the network in plain text. Refer to Chapter 6 - SNMP and Restrict
Access - Telnet, SSH and SNMP (below) for details. SNMP may also be completely disabled. See
Disable SNMP, SSH and HTTPS below.
• Individual host access to the protocol server daemons in.telnetd, snmpd and sshd is controlled by
directives contained in the files /etc/hosts.allow and /etc/hosts.deny, which are configured using the
interactive script accessconfig. See Restrict Access - Telnet, SSH and SNMP below.
• Insecure protocols like Time, Daytime and Telnet may be completely disabled by configuration of
the inetd super-server daemon using the interactive script inetdconfig. See Disable Telnet, Time
and Daytime below.
Restrict Access
The following paragraphs describe how to restrict SNMP, SSH, Telnet and HTTPS access to specific
hosts. Also described is how to restrict NTP query access.
Restrict Access - Telnet, SSH and SNMP
By default, the Sonoma is configured to allow access by all users via Telnet, SSH and SNMP. To
ensure security and to protect against denial-of-service attacks, you should restrict access by using the
accessconfig command.
accessconfig modifies two files, /etc/hosts.allow and /etc/hosts.deny, which are used by tcpd and
the standalone daemons, snmpd and sshd, to determine whether or not to grant access to a requesting
host. These two files may contain configuration information for a number of protocol servers, but
in the Sonoma only access control to the protocol server daemons in.telnetd, sshd and snmpd is
configured.
As shipped from the factory, these two files are empty. When you run accessconfig, these lines
are added to the /etc/hosts.deny file:
in.telnetd: ALL
sshd: ALL
snmpd: ALL
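As an added illustration (not code from the manual or the Sonoma itself), the following Python evaluates a daemon/client pair against constructed hosts.allow and hosts.deny contents using the standard tcp_wrappers order: first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted. The deny lines are those the manual says accessconfig writes; the hosts.allow entries and client addresses are assumed examples.

```python
import ipaddress

# Constructed sample files. The hosts.deny lines are the ones accessconfig adds;
# the hosts.allow entries are assumed examples of per-host exceptions.
HOSTS_DENY = """\
in.telnetd: ALL
sshd: ALL
snmpd: ALL
"""
HOSTS_ALLOW = """\
sshd: 192.168.1.10
snmpd: 192.168.1.
in.telnetd: 10.0.0.0/255.255.0.0
"""

def parse_rules(text):
    """Return a list of (daemon_list, client_list) from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, client_ip):
    """Match one client pattern: ALL, exact IP, trailing-dot prefix, or net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # e.g. 192.168.1. matches 192.168.1.x
        return client_ip.startswith(pattern)
    if "/" in pattern:                            # e.g. 10.0.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern == client_ip

def access_granted(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is searched first; a match grants. Then hosts.deny; a match refuses.
    No match in either file means the connection is accepted (the factory default)."""
    for daemons, clients in parse_rules(allow_text):
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, client_ip) for c in clients):
                return True
    for daemons, clients in parse_rules(deny_text):
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, client_ip) for c in clients):
                return False
    return True
```

Note that a daemon with no entry in either file (anything other than in.telnetd, sshd and snmpd on the Sonoma) is not restricted by these files at all.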