OS and Security: PAM, IPTABLES, TCP Wrappers, Kerberos, SSH protocol, Tripwire



OS and Security: PAM, IPTABLES, TCP Wrappers, Kerberos, SSH protocol, Tripwire

Pluggable Authentication Modules (PAM)

The Pluggable Authentication Modules (PAM) is a software library , which is a general programming interface (API) for authentication services provide. PAM was founded in 1995 by Vipin Samar and Charlie Lai at Sun Microsystems developed and has not significantly changed. 1997 published the Open Group a preliminary specification, called X / Open Single Sign-on Service (XSSO). PAM is now on AIX , HP-UX , Solaris , Linux , FreeBSD , NetBSD , Mac OS X and DragonFly BSD available.

Instead of formulating the details of authentication in each new application, the PAM API offers a standardized service in the form of modules to. In a configuration file , the system administrator authentication modules individual services assign without having the software that implements these services, new compile to have (William, 2010).

PAM is in practice often used for connecting a variety of services such as SSH and FTP server with only one authentication service. This allows for the central storage of credentials of these services. If the password is changed at the central location, you can register directly for all services with the new, centrally stored, password. Separate password databases for individual services are not necessary.

TCP Wrapper

TCP Wrapper ("TCP Wrapper") is a set of network ACL working in terminals and used to filter network access to services of Internet protocols that run on operating systems (such UNIX ), such as Linux or BSD . Allows IP addresses , the names of terminals and / or query responses ident terminal or subnets are used as tokens on which to filter for purposes of access control (Claudia, 2006). The original code was written by Wietse Venema of Eindhoven University of Technology , The Netherlands , between 1990 and 1995. From 1 June 2001, the program is released under its own BSD-style license .

The tarball includes a library called libwrap that implements the functionality itself. Initially, only those services that were created from each connection to a super server (as inetd ) were involved (hence its name) using the program 'tcpd'. However, the demons of common network services today can be linked against libwrap directly. The demons that operate without creating a super server descendants use this, or a single process that handles multiple connections. Otherwise, only the first connection attempt would check against their ACLs (Jason, 2003).

Compared with the access control policies of a terminal, commonly found in the configuration files of demons, TCP Wrappers have the benefit of a reconfiguration of ACL in runtime (ie, services need not be loaded or restarted again) and a generic approach to network management. This facilitates its use in anti-worm scripts such as DenyHosts or Fail2ban , to add and remove clients blocking rules, when they produce excessive connection attempts or more errors in the process itself. Although it was written to protect acceptance services TCP and UDP , ...