LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/nag2/x7037.html

272 lines
4.7 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>General Security Considerations</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"><LINK
REL="HOME"
TITLE="Linux Network Administrators Guide"
HREF="index.html"><LINK
REL="UP"
TITLE="The Point-to-Point Protocol"
HREF="x-087-2-ppp.html"><LINK
REL="PREVIOUS"
TITLE="Link Control Options"
HREF="x6968.html"><LINK
REL="NEXT"
TITLE="Authentication with PPP"
HREF="x-087-2-ppp.authentication.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux Network Administrators Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x6968.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 8. The Point-to-Point Protocol</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x-087-2-ppp.authentication.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="AEN7037"
>8.7. General Security Considerations</A
></H1
><P
>&#13;
A misconfigured PPP daemon can be a devastating security breach. It can be as
bad as letting anyone plug their machine into your Ethernet (and that can be
very bad). In this section, we discuss a few measures that should make
your PPP configuration safe.</P
><DIV
CLASS="NOTE"
><BLOCKQUOTE
CLASS="NOTE"
><P
><B
>Note: </B
>Root privilege is required to configure the network
device and routing table. You will usually solve this by running
<B
CLASS="COMMAND"
>pppd</B
> setuid <SPAN
CLASS="SYSTEMITEM"
>root</SPAN
>. However, <B
CLASS="COMMAND"
>pppd</B
>
allows users to set various security-relevant options. </P
></BLOCKQUOTE
></DIV
><P
>&#13;To protect against any attacks a user may launch by manipulating
<B
CLASS="COMMAND"
>pppd</B
> options, you should set a couple of
default values in the global <TT
CLASS="FILENAME"
>/etc/ppp/options</TT
>
file, like those shown in the sample file in <A
HREF="x-087-2-ppp.options.html"
>Section 8.3</A
>,&#8221; earlier in this chapter. Some of them, such as the
authentication options, cannot be overridden by the user, and thus
provide reasonable protection against manipulations. An important
option to protect is the <SPAN
CLASS="SYSTEMITEM"
>connect</SPAN
> option. If you intend to allow
non-root users to invoke <B
CLASS="COMMAND"
>pppd</B
> to connect to the
Internet, you should always add the <TT
CLASS="LITERAL"
>connect</TT
> and
<TT
CLASS="LITERAL"
>noauth</TT
> options to the global options file
<TT
CLASS="FILENAME"
>/etc/ppp/options</TT
>. If you fail to do this, users
will be able to execute arbitrary commands with
<TT
CLASS="LITERAL"
>root</TT
> privileges by specifying the command as their
<SPAN
CLASS="SYSTEMITEM"
>connect</SPAN
> command on the
<B
CLASS="COMMAND"
>pppd</B
> line or in their personal options file.</P
><P
>Another good idea is to restrict which users may execute
<B
CLASS="COMMAND"
>pppd</B
> by creating a group in <TT
CLASS="FILENAME"
>/etc/group</TT
>
and adding only those users who you wish to have the ability to execute
the PPP daemon. You should then change group ownership of the
<B
CLASS="COMMAND"
>pppd</B
> daemon to that group and remove the world execute
privileges. To do this, assuming you've called your group
<SPAN
CLASS="SYSTEMITEM"
>dialout</SPAN
>, you could use something like:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
># <TT
CLASS="USERINPUT"
><B
>chown root /usr/sbin/pppd</B
></TT
>
# <TT
CLASS="USERINPUT"
><B
>chgrp dialout /usr/sbin/pppd</B
></TT
>
# <TT
CLASS="USERINPUT"
><B
>chmod 4750 /usr/sbin/pppd</B
></TT
></PRE
></TD
></TR
></TABLE
></P
><P
>Of course, you have to protect yourself from the systems you speak PPP
with, too. To fend off hosts posing as someone else, you should
always require some sort of authentication from your peer. Additionally, you
should not allow foreign hosts to use any IP address they choose, but
restrict them to at most a few. The following section will deal with
these topics in detail.</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x6968.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="x-087-2-ppp.authentication.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Link Control Options</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="x-087-2-ppp.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Authentication with PPP</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink