tailieunhanh - Designing Security Architecture Solutions, part 7

Application and OS Security 259

Server processes called daemons use specific protocols to communicate on specific network ports with clients to provide UNIX network services. Daemons must be owned by root to handle traffic on privileged ports (numbered lower than 1024). Higher port numbers are available for non-privileged user processes. Some operating systems (Solaris, for example) allow the redefinition of the range of privileged and non-privileged port numbers to protect additional services or to restrict the range of port numbers available to user processes.

Servers can be started automatically or can be awakened by the UNIX inetd daemon, which listens on multiple ports and launches the appropriate server when a request arrives. The inetd daemon represents a chokepoint for network service access, and tools such as tcpwrapper exploit this single point of entry to add authorization checks on incoming service requests.

Vulnerabilities in server programs that run as root can allow access to the host and therefore require more care in configuration. The future might bring to light flaws in either the server or the protocol that it uses, and unless promptly patched the host is vulnerable to attack. Applications should run the absolute minimum set of services required for operations. Many services are available in a secure mode where the connection itself is encrypted and protected against tampering, and stronger modes of user authentication are allowed. For example, solutions that use secure shell (ssh) exist for FTP, Telnet, and rlogin services.

Examples of popular services include the following.

FTP. FTP enables hosts to exchange files. FTP uses port 21 for sending commands and port 20 (sometimes) for sending data. The server requires a login and a password unless anonymous FTP is enabled, but as the password is sent in the clear we recommend using a version of FTP that uses encryption. Applications should disable anonymous access.

Telnet. The Telnet service on port 23 using TCP.
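The points the excerpt makes about inetd-launched services can be turned into a configuration check: flag cleartext services (FTP, Telnet, rlogin) that should move to ssh, servers that run as root, and servers not passed through tcpwrapper's tcpd at the inetd chokepoint, while treating the privileged-port boundary as a parameter because some systems (Solaris, per the text) redefine it. This is an added example, not code from the book; the /etc/services subset and the inetd.conf sample are constructed.

```python
"""Audit an inetd.conf-style table for the points the excerpt raises: cleartext
services to replace with ssh, servers running as root, and servers not wrapped by
tcpd. Added example, not the book's code; port map and sample config are constructed."""
from dataclasses import dataclass
from typing import List
# Constructed subset of /etc/services (service name -> TCP port).
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "login": 513, "shell": 514, "finger": 79, "ssh": 22}
# Services the excerpt names as sending passwords in the clear -> ssh-based replacement.
CLEARTEXT = {"ftp": "sftp/scp over ssh", "telnet": "ssh", "login": "ssh (for rlogin)",
             "shell": "ssh (for rsh)"}
# Constructed inetd.conf: service, socket type, protocol, wait/nowait, user,
# server program, arguments. A leading '#' disables the entry.
SAMPLE_CONF = """\
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
login   stream tcp nowait root   /usr/sbin/tcpd in.rlogind
ssh     stream tcp nowait root   /usr/sbin/sshd sshd -i
"""

@dataclass
class Finding:
    service: str
    port: int         # -1 when the service is not in SERVICE_PORTS
    privileged: bool  # port below privileged_max (1024 unless the OS redefines it)
    issue: str

def parse_entries(conf: str) -> List[List[str]]:
    """Whitespace-split fields of every enabled entry (comments stripped)."""
    lines = (raw.split("#", 1)[0].strip() for raw in conf.splitlines())
    return [line.split() for line in lines if line]

def audit_inetd(conf: str, privileged_max: int = 1024) -> List[Finding]:
    """One Finding per problem; fewer enabled entries means a smaller attack surface."""
    findings = []
    for fields in parse_entries(conf):
        if len(fields) < 6:
            findings.append(Finding(fields[0], -1, False, "malformed entry"))
            continue
        service, user, server = fields[0], fields[4], fields[5]
        port = SERVICE_PORTS.get(service, -1)
        base = (service, port, 0 <= port < privileged_max)
        if service in CLEARTEXT:
            findings.append(Finding(*base, f"password sent in the clear; use {CLEARTEXT[service]}"))
        if user == "root":
            findings.append(Finding(*base, "runs as root; a flaw in this server exposes the host"))
        if not server.endswith("/tcpd"):
            findings.append(Finding(*base, "not wrapped by tcpd; no tcpwrapper authorization check"))
    return findings
```

Running `audit_inetd(SAMPLE_CONF)` reports eight findings across the four enabled entries; the commented-out finger line is ignored, which is the "minimum set of services" practice in action.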
