Access control is one of the most prevalent themes I found reading through sample RHCE questions: “Set up an NFS server that exports /home/directory, but only to …”.

Setting the service up is never particularly difficult, but the restriction can be the sticking point: do you enforce it in the application, at the network layer, or somewhere in between?

I’ve run through a few scenarios here for my own benefit, but you may find them useful too:

SSH Access: Restrict access to a domain

Sample question I found: “Natasha should have remote “SSH” access to your machine within example.com. clients within remote.test should not “SSH” your system.”

So firstly I thought about network restriction, but obviously a domain can traverse many subnets, so that would be cumbersome.

Next, I looked at the application itself – sshd_config – but I couldn’t find any specific lines in there either. So we need to say “Allow anyone in example.com access, and deny anyone in remote.test”.

The one I found that would work here is TCP Wrappers. We can edit the files “/etc/hosts.allow” and “/etc/hosts.deny” appropriately:

/etc/hosts.allow
sshd : .example.com EXCEPT .remote.test

/etc/hosts.deny
# without a matching deny entry the allow line refuses nobody: unmatched pairs are granted
sshd : ALL

This allows hosts in .example.com through to sshd, but the allow line on its own refuses nobody: TCP Wrappers checks hosts.allow first, then hosts.deny, and grants access when neither file matches, so the EXCEPT clause only ever applies to a client that already matched .example.com. A .remote.test client matches nothing and is simply let in, which is why hosts.deny needs an `sshd : ALL` entry (or `sshd : .remote.test` if only that one domain should be blocked). Two further checks before relying on this: the match is made against the name obtained by reverse-resolving the client address (confirmed with a forward lookup), so a client with no PTR record never matches a domain pattern; and sshd must be linked against libwrap (`ldd $(which sshd) | grep libwrap`), which RHEL 8 dropped together with tcp_wrappers.

SSH Access: Restrict access to a subnet

This is fairly simple; we just use iptables:

iptables -I INPUT 4 -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 5 -p tcp --dport 22 -j REJECT

This allows only hosts in 192.168.0.0/24 to reach SSH and rejects inbound connections on port 22 from everywhere else. The position numbers assume the stock RHEL 6 INPUT chain (established/related, ICMP and loopback rules come first); confirm with `iptables -L INPUT -n --line-numbers` that the ACCEPT sits above both the REJECT and the default port-22 rule, then `service iptables save` so it survives a reboot.

FTP Access: Restrict access to a domain

Sample question: “Clients within the example.com domain should have anonymous download access. Clients outside example.com domain should not have any access to ftp service.”

Similar to SSH, but this time first check in vsftpd.conf [/etc/vsftpd/vsftpd.conf] that the line tcp_wrappers=YES is present, so that we can use TCP Wrappers again to restrict access.

What we need to do in this question, is allow anyone in example.com anonymous download access, and restrict FTP access for everybody else.

First, ensure SELinux is not granting the FTP daemon anything beyond what anonymous download needs:

[root@Server1 ec2-user]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> on
tftp_anon_write --> off

These look sane for read-only anonymous access: allow_ftpd_anon_write and allow_ftpd_full_access are off, so the anonymous user cannot write anything. Next, we need to ensure that anonymous access is enabled in vsftpd.conf:

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES

Again, all looks good here. Next, we need an iptables rule for the FTP control channel:

iptables -I INPUT 5 -p tcp --dport 21 -j ACCEPT

Port 21 only carries the control connection. For anonymous downloads to actually work through the firewall, either load the nf_conntrack_ftp helper (add it to IPTABLES_MODULES in /etc/sysconfig/iptables-config) so passive data connections count as RELATED, or set pasv_min_port/pasv_max_port in vsftpd.conf and open that range as well. Finally, we need to enter our TCP Wrappers information for vsftpd:

/etc/hosts.deny
vsftpd : ALL EXCEPT .example.com

This denies FTP to every client except those whose reverse-resolved name ends in .example.com. As with sshd, the match is by hostname, so a client whose address has no PTR record (or whose forward and reverse lookups disagree) does not match the domain and is refused.

NFS Exports: Restrict to a single domain

Sample question: “Export your “/common” (created Default) directory via NFS to the example.com domain.”

So basically what we need to do here is create the /common folder, export it via /etc/exports to *.example.com, open the firewall for port 2049, and then add a TCP Wrappers entry for mountd as a second layer:

mkdir /common
yum install nfs-utils
man nfsd_selinux # looking for the SELinux commands for NFS!
semanage fcontext -a -t nfsd_rw_t /common
restorecon -RFvv /common
ls -dZ /common
# the export itself lives in /etc/exports; "ro" is an assumption, the question gives no mode
echo "/common *.example.com(ro,sync)" >> /etc/exports
chkconfig nfs on
service nfs start
exportfs -rv
# 2049 alone is enough for NFSv4; NFSv3 clients also need rpcbind (111) and a fixed mountd port set in /etc/sysconfig/nfs
iptables -I INPUT 3 -p tcp --dport 2049 -j ACCEPT
echo "mountd : ALL EXCEPT .example.com" >> /etc/hosts.deny

Here we have installed the NFS tools, labelled the folder for SELinux (rw), opened the firewall, and used TCP Wrappers to let nobody except .example.com hosts talk to mountd. Keep in mind that the client pattern in /etc/exports (`/common *.example.com(...)`) is the primary control over who may mount the export; the wrappers entry matches on reverse-resolved names and is belt and braces, not a replacement for it.

SMB Shares: Restrict to a single domain and user/workgroup

Sample question: “Share the directory “/common1” via samba. Your Samba server must be a member of “SAMBAGRP” workgroup. The share name must be “common” The shared must be available to example.com clients only. The user “natasha” should have read access to the share with samba password “redhat””.

So we need to configure Samba, restrict access to .example.com clients, and give the user natasha access to the directory with the password redhat.

First, let’s edit smb.conf as below (change the workgroup under [global] and create a share):

[global]
workgroup = SAMBAGRP
[common]
comment = Share here
path = /common1
valid users = natasha
browseable = no

Next, the rest:

yum install samba
chkconfig smb on
iptables -I INPUT 2 -p tcp --dport 445 -j ACCEPT
# NetBIOS session service is TCP 139; name service and datagram service are UDP 137 and 138
iptables -I INPUT 3 -p tcp --dport 139 -j ACCEPT
iptables -I INPUT 4 -p udp --dport 137:138 -j ACCEPT
# record the label persistently, then apply it (chcon alone is lost on a relabel)
semanage fcontext -a -t samba_share_t "/common1(/.*)?"
restorecon -Rv /common1
smbpasswd -a natasha
echo "smbd : ALL EXCEPT .example.com" >> /etc/hosts.deny
service smb start

So, we first configured smb.conf (the file is owned by samba-common, which is installed by default, so it is present before the samba package itself), changed the workgroup name and then set the path and valid users.

Then we installed Samba, set it to start on boot, added iptables rules for CIFS and NetBIOS, did the SELinux bits, set a Samba password for natasha, and then added a TCP Wrappers entry denying smbd to everything except .example.com hosts.

[In testing, TCP Wrappers isn’t working for smbd / xinetd – so at the moment I’m unsure as to how to satisfy the “only .example.com clients” element.]

Update: I cracked it – you do it inside the smb.conf file, using the line:

# under [global]: hosts allow is a whitelist, so name the permitted domain itself;
# "ALL EXCEPT .example.com" would do the opposite and admit every host outside example.com
hosts allow = .example.com

Huzzah!
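The mechanisms used above (TCP Wrappers for sshd, vsftpd and mountd; Samba’s own hosts allow) share one pattern language but not one decision rule, which is exactly where a hosts.allow-only sshd entry and an `ALL EXCEPT` whitelist for smbd go wrong. The following is an added example, not code from this post: a small Python model of the hosts_access(5) decision and of smbd’s allow/deny logic, run against the entries from this page with constructed clients (natasha.example.com, box.remote.test, host.other.net and a PTR-less 10.0.0.6 are all invented). It models only the pattern forms used here (ALL, leading-dot domain suffixes, trailing-dot address prefixes, exact names or addresses, EXCEPT).

```python
"""Model of the hosts_access(5) decision used by TCP Wrappers and of smbd's
hosts allow / hosts deny logic, so entries like the ones on this page can be
checked offline.  Added for this page: rules and clients are constructed
strings, nothing is read from /etc."""

from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Client:
    addr: str
    name: Optional[str]  # None models a client whose address has no usable PTR record


def _match_token(tok: str, client: Client) -> bool:
    if tok == "ALL":
        return True
    if tok.startswith("."):  # domain suffix such as ".example.com"; needs a resolved name
        return client.name is not None and client.name.endswith(tok)
    if tok.endswith("."):  # address prefix such as "192.168.0."
        return client.addr.startswith(tok)
    return tok == client.addr or tok == client.name


def _match_list(list_str: str, token_matches: Callable[[str], bool]) -> bool:
    # "a EXCEPT b EXCEPT c" parses as a EXCEPT (b EXCEPT c): split on the first EXCEPT
    head, _, tail = list_str.partition(" EXCEPT ")
    if not any(token_matches(t) for t in head.replace(",", " ").split()):
        return False
    return not (tail and _match_list(tail, token_matches))


def _file_matches(rules: List[str], daemon: str, client: Client) -> bool:
    """True if any 'daemon_list : client_list' line in the file matches the pair."""
    for line in rules:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = [f.strip() for f in line.split(":")][:2]
        if _match_list(daemons, lambda t: t in ("ALL", daemon)) and _match_list(
            clients, lambda t: _match_token(t, client)
        ):
            return True
    return False


def tcpd_decide(hosts_allow: List[str], hosts_deny: List[str], daemon: str, client: Client) -> str:
    """hosts.allow is consulted first, then hosts.deny; a pair matching neither is granted."""
    if _file_matches(hosts_allow, daemon, client):
        return "allow"
    if _file_matches(hosts_deny, daemon, client):
        return "deny"
    return "allow"


def smbd_decide(hosts_allow: str, hosts_deny: str, client: Client) -> str:
    """smbd: loopback always passes; an allow list alone is a strict whitelist; a deny list
    alone blocks only its matches; with both, allow wins, then deny, then the rest is admitted."""
    if client.addr.startswith("127."):
        return "allow"
    on_allow = _match_list(hosts_allow, lambda t: _match_token(t, client)) if hosts_allow else None
    on_deny = _match_list(hosts_deny, lambda t: _match_token(t, client)) if hosts_deny else None
    if on_allow is None and on_deny is None:
        return "allow"
    if on_deny is None:
        return "allow" if on_allow else "deny"
    if on_allow is None:
        return "deny" if on_deny else "allow"
    return "allow" if on_allow or not on_deny else "deny"


# Constructed sample clients (invented for this example, not from the page)
NATASHA = Client("10.0.0.5", "natasha.example.com")
REMOTE = Client("10.0.1.9", "box.remote.test")
OTHER = Client("10.0.2.7", "host.other.net")
NO_PTR = Client("10.0.0.6", None)  # an example.com machine whose IP has no PTR record

PAGE_SSH_ALLOW = ["sshd : .example.com EXCEPT .remote.test"]  # the hosts.allow entry from the page
SSH_DENY = ["sshd : ALL"]  # the hosts.deny entry it needs before anything is refused
FTP_DENY = ["vsftpd : ALL EXCEPT .example.com"]  # the page's vsftpd hosts.deny entry


def _run(decide, clients):
    return {c.name or c.addr: decide(c) for c in clients}


def ssh_allow_only():
    """The page's hosts.allow entry with an empty hosts.deny: nobody at all is refused."""
    return _run(lambda c: tcpd_decide(PAGE_SSH_ALLOW, [], "sshd", c), (NATASHA, REMOTE, OTHER))


def ssh_allow_and_deny():
    """Same entry plus 'sshd : ALL' in hosts.deny; the PTR-less host is refused as well."""
    return _run(lambda c: tcpd_decide(PAGE_SSH_ALLOW, SSH_DENY, "sshd", c), (NATASHA, REMOTE, OTHER, NO_PTR))


def ftp_deny_except():
    return _run(lambda c: tcpd_decide([], FTP_DENY, "vsftpd", c), (NATASHA, OTHER, NO_PTR))


def smb_all_except():
    """hosts allow = ALL EXCEPT .example.com: a whitelist that excludes the wanted domain."""
    return _run(lambda c: smbd_decide("ALL EXCEPT .example.com", "", c), (NATASHA, OTHER))


def smb_domain_only():
    """hosts allow = .example.com"""
    return _run(lambda c: smbd_decide(".example.com", "", c), (NATASHA, OTHER, NO_PTR))


if __name__ == "__main__":
    for fn in (ssh_allow_only, ssh_allow_and_deny, ftp_deny_except, smb_all_except, smb_domain_only):
        print(f"{fn.__name__:19} {fn()}")
```

Running it prints one dict per scenario: ssh_allow_only shows every client admitted to sshd when only hosts.allow is populated, and smb_all_except shows `hosts allow = ALL EXCEPT .example.com` refusing natasha while admitting the outsider. The model deliberately treats a client without a PTR record as matching no name pattern, which is what tcpd and smbd do, so keep reverse DNS working (or use address patterns) wherever a domain suffix is the control.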