svn commit: r44601 - head/en_US.ISO8859-1/books/handbook/security
Dru Lavigne
dru at FreeBSD.org
Thu Apr 17 20:33:55 UTC 2014
Author: dru
Date: Thu Apr 17 20:33:55 2014
New Revision: 44601
URL: http://svnweb.freebsd.org/changeset/doc/44601
Log:
White space fix only. Translators can ignore.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 17 20:16:19 2014 (r44600)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 17 20:33:55 2014 (r44601)
@@ -51,8 +51,8 @@
</listitem>
<listitem>
- <para>How to configure <application>TCP Wrapper</application> for use
- with &man.inetd.8;.</para>
+ <para>How to configure <application>TCP Wrapper</application>
+ for use with &man.inetd.8;.</para>
</listitem>
<listitem>
@@ -877,21 +877,20 @@ Enter secret pass phrase: <userinput><
<indexterm><primary>TCP Wrapper</primary></indexterm>
<para><application>TCP Wrapper</application> is a host-based
- access control system which extends the abilities of
- <xref linkend="network-inetd"/>. It can be configured
- to provide logging support, return messages, and
- connection restrictions for the
- server daemons under the control of
+ access control system which extends the abilities of <xref
+ linkend="network-inetd"/>. It can be configured to provide
+ logging support, return messages, and connection restrictions
+ for the server daemons under the control of
<application>inetd</application>. Refer to &man.tcpd.8; for
more information about
<application>TCP Wrapper</application> and its features.</para>
- <para><application>TCP Wrapper</application> should not be considered a
- replacement for a properly configured firewall.
- Instead, <application>TCP Wrapper</application> should be used in conjunction
- with a firewall and other security enhancements in order to
- provide another layer of protection in the implementation of a
- security policy.</para>
+ <para><application>TCP Wrapper</application> should not be
+ considered a replacement for a properly configured firewall.
+ Instead, <application>TCP Wrapper</application> should be used
+ in conjunction with a firewall and other security enhancements
+ in order to provide another layer of protection in the
+ implementation of a security policy.</para>
<sect2>
<title>Initial Configuration</title>
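Review bot: Style only: the reflow splits the `<xref` start tag across two lines (`... of <xref` / `linkend="network-inetd"/>.`), which is well-formed XML but slightly harder to grep for; if the doc style guide prefers unsplit element tags, wrapping before `<xref linkend="network-inetd"/>` keeps the same column width with the tag whole. The removed and added lines are otherwise textually identical, consistent with the "white space fix only" log message.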
@@ -903,33 +902,35 @@ Enter secret pass phrase: <userinput><
<programlisting>inetd_enable="YES"
inetd_flags="-Ww"</programlisting>
- <para>Then, properly configure
+ <para>Then, properly configure
<filename>/etc/hosts.allow</filename>.</para>
<note>
<para>Unlike other implementations of
- <application>TCP Wrapper</application>, the use of <filename>hosts.deny</filename> is
- deprecated in &os;. All configuration options should be placed
- in <filename>/etc/hosts.allow</filename>.</para>
+ <application>TCP Wrapper</application>, the use of
+ <filename>hosts.deny</filename> is deprecated in &os;. All
+ configuration options should be placed in
+ <filename>/etc/hosts.allow</filename>.</para>
</note>
<para>In the simplest configuration, daemon connection policies
- are set to either permit or block, depending on the
- options in <filename>/etc/hosts.allow</filename>. The default
- configuration in &os; is to allow all connections to the daemons
- started with <application>inetd</application>.</para>
+ are set to either permit or block, depending on the options in
+ <filename>/etc/hosts.allow</filename>. The default
+ configuration in &os; is to allow all connections to the
+ daemons started with <application>inetd</application>.</para>
<para>Basic configuration usually takes the form of
<literal>daemon : address : action</literal>, where
- <literal>daemon</literal> is the daemon which <application>inetd</application>
- started, <literal>address</literal> is a valid hostname,
+ <literal>daemon</literal> is the daemon which
+ <application>inetd</application> started,
+ <literal>address</literal> is a valid hostname,
<acronym>IP</acronym> address, or an IPv6 address enclosed in
brackets ([ ]), and <literal>action</literal> is either
<literal>allow</literal> or <literal>deny</literal>.
<application>TCP Wrapper</application> uses a first rule match
- semantic, meaning that the configuration file is scanned
- from the beginning for a matching rule. When a match is found,
- the rule is applied and the search process stops.</para>
+ semantic, meaning that the configuration file is scanned from
+ the beginning for a matching rule. When a match is found, the
+ rule is applied and the search process stops.</para>
<para>For example, to allow <acronym>POP</acronym>3 connections
via the <package>mail/qpopper</package> daemon, the following
@@ -942,102 +943,100 @@ qpopper : ALL : allow</programlisting>
<para>Whenever this file is edited, restart
<application>inetd</application>:</para>
- <screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
+ <screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
</sect2>
<sect2>
<title>Advanced Configuration</title>
- <para><application>TCP Wrapper</application> provides advanced options
- to allow more control over the way connections are handled.
- In some cases, it may be appropriate to return a comment to
- certain hosts or daemon connections. In other cases, a log
- entry should be recorded or an email sent to the
+ <para><application>TCP Wrapper</application> provides advanced
+ options to allow more control over the way connections are
+ handled. In some cases, it may be appropriate to return a
+ comment to certain hosts or daemon connections. In other
+ cases, a log entry should be recorded or an email sent to the
administrator. Other situations may require the use of a
service for local connections only. This is all possible
- through the use of configuration options known as
- wildcards, expansion characters, and
- external command execution.</para>
-
- <para>Suppose that a situation occurs where a connection
- should be denied yet a reason should be sent to the
- host who attempted to establish that connection. That
- action is possible with <option>twist</option>. When a
- connection attempt is made, <option>twist</option> executes
- a shell command or script. An example exists in
- <filename>hosts.allow</filename>:</para>
+ through the use of configuration options known as wildcards,
+ expansion characters, and external command execution.</para>
- <programlisting># The rest of the daemons are protected.
+ <para>Suppose that a situation occurs where a connection should
+ be denied yet a reason should be sent to the host who
+ attempted to establish that connection. That action is
+ possible with <option>twist</option>. When a connection
+ attempt is made, <option>twist</option> executes a shell
+ command or script. An example exists in
+ <filename>hosts.allow</filename>:</para>
+
+ <programlisting># The rest of the daemons are protected.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."</programlisting>
- <para>In this example, the message <quote>You are not allowed
- to use <replaceable>daemon name</replaceable> from
- <replaceable>hostname</replaceable>.</quote> will be returned for
- any daemon not configured in <filename>hosts.allow</filename>.
- This is useful for sending a reply back to the connection
- initiator right after the established connection is dropped.
- Any message returned <emphasis>must</emphasis> be wrapped in
- quote (<literal>"</literal>) characters.</para>
+ <para>In this example, the message <quote>You are not allowed to
+ use <replaceable>daemon name</replaceable> from
+ <replaceable>hostname</replaceable>.</quote> will be returned
+ for any daemon not configured in
+ <filename>hosts.allow</filename>. This is useful for sending
+ a reply back to the connection initiator right after the
+ established connection is dropped. Any message returned
+ <emphasis>must</emphasis> be wrapped in quote
+ (<literal>"</literal>) characters.</para>
- <warning>
- <para>It may be possible to launch a denial of service
- attack on the server if an attacker
- floods these daemons with connection
- requests.</para>
- </warning>
+ <warning>
+ <para>It may be possible to launch a denial of service attack
+ on the server if an attacker floods these daemons with
+ connection requests.</para>
+ </warning>
- <para>Another possibility is to use <option>spawn</option>.
- Like <option>twist</option>, <option>spawn</option>
- implicitly denies the connection and may be used to run
- external shell commands or scripts. Unlike
- <option>twist</option>, <option>spawn</option> will not send
- a reply back to the host who established the
- connection. For example, consider the following
- configuration:</para>
+ <para>Another possibility is to use <option>spawn</option>.
+ Like <option>twist</option>, <option>spawn</option> implicitly
+ denies the connection and may be used to run external shell
+ commands or scripts. Unlike <option>twist</option>,
+ <option>spawn</option> will not send a reply back to the host
+ who established the connection. For example, consider the
+ following configuration:</para>
- <programlisting># We do not allow connections from example.com:
+ <programlisting># We do not allow connections from example.com:
ALL : .example.com \
: spawn (/bin/echo %a from %h attempted to access %d >> \
/var/log/connections.log) \
: deny</programlisting>
- <para>This will deny all connection attempts from <systemitem
- class="fqdomainname">*.example.com</systemitem> and log
- the hostname, <acronym>IP</acronym> address, and the daemon
- to which access was attempted to
- <filename>/var/log/connections.log</filename>. This example
- uses the substitution characters
- <literal>%a</literal> and <literal>%h</literal>. Refer to
- &man.hosts.access.5; for the complete list.</para>
-
- <para>To match every instance of a daemon, domain, or
- <acronym>IP</acronym> address, use <literal>ALL</literal>. Another wildcard is
- <literal>PARANOID</literal> which may be used to match
- any host which provides an <acronym>IP</acronym> address
- that may be forged because the
- <acronym>IP</acronym> address differs from its resolved
- hostname. In this example, all connection requests to
- <application>Sendmail</application> which have an <acronym>IP</acronym> address
- that varies from its hostname will be denied:</para>
+ <para>This will deny all connection attempts from <systemitem
+ class="fqdomainname">*.example.com</systemitem> and log the
+ hostname, <acronym>IP</acronym> address, and the daemon to
+ which access was attempted to
+ <filename>/var/log/connections.log</filename>. This example
+ uses the substitution characters <literal>%a</literal> and
+ <literal>%h</literal>. Refer to &man.hosts.access.5; for the
+ complete list.</para>
+
+ <para>To match every instance of a daemon, domain, or
+ <acronym>IP</acronym> address, use <literal>ALL</literal>.
+ Another wildcard is <literal>PARANOID</literal> which may be
+ used to match any host which provides an <acronym>IP</acronym>
+ address that may be forged because the <acronym>IP</acronym>
+ address differs from its resolved hostname. In this example,
+ all connection requests to <application>Sendmail</application>
+ which have an <acronym>IP</acronym> address that varies from
+ its hostname will be denied:</para>
- <programlisting># Block possibly spoofed requests to sendmail:
+ <programlisting># Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny</programlisting>
- <caution>
- <para>Using the <literal>PARANOID</literal> wildcard will
- result in denied connections if the client or server has a
- broken <acronym>DNS</acronym> setup.</para>
- </caution>
+ <caution>
+ <para>Using the <literal>PARANOID</literal> wildcard will
+ result in denied connections if the client or server has a
+ broken <acronym>DNS</acronym> setup.</para>
+ </caution>
- <para>To learn more about wildcards and their associated
- functionality, refer to &man.hosts.access.5;.</para>
+ <para>To learn more about wildcards and their associated
+ functionality, refer to &man.hosts.access.5;.</para>
<note>
<para>When adding new configuration lines, make sure that any
- unneeded entries for that daemon are commented
- out in <filename>hosts.allow</filename>.</para>
+ unneeded entries for that daemon are commented out in
+ <filename>hosts.allow</filename>.</para>
</note>
</sect2>
</sect1>
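Review bot: Pre-existing mismatch carried through unchanged in this hunk: the twist listing returns "You are not welcome to use %d from %h." while the following paragraph says the message <quote>You are not allowed to use <replaceable>daemon name</replaceable> from <replaceable>hostname</replaceable>.</quote> will be returned; one of the two should be aligned in a follow-up commit (out of scope for a whitespace-only change). Also worth a follow-up: the spawn paragraph states that spawn "implicitly denies the connection" like twist, yet the example that follows ends with an explicit `: deny`, which reads as if the deny is not implicit; the text and the example should agree on which one it is.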
@@ -1772,15 +1771,16 @@ kadmind5_server_enable="YES"</programlis
<para><application>OpenSSL</application> is an open source
implementation of the <acronym>SSL</acronym> and
- <acronym>TLS</acronym> protocols.
- It provides an encryption transport layer on top of the normal
- communications layer, allowing it to be intertwined with many
- network applications and services.</para>
+ <acronym>TLS</acronym> protocols. It provides an encryption
+ transport layer on top of the normal communications layer,
+ allowing it to be intertwined with many network applications and
+ services.</para>
<para>The version of <application>OpenSSL</application> included
- in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and
- Transport Layer Security v1 (TLSv1) network security protocols
- and can be used as a general cryptographic library.</para>
+ in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3)
+ and Transport Layer Security v1 (TLSv1) network security
+ protocols and can be used as a general cryptographic
+ library.</para>
<!--
This patent expired in 2012, is the note still needed?
<note>
@@ -1793,32 +1793,32 @@ This patent expired in 2012, is the note
</note>
-->
- <para><application>OpenSSL</application> is often used to
- encrypt authentication of mail clients and to secure web based
+ <para><application>OpenSSL</application> is often used to encrypt
+ authentication of mail clients and to secure web based
transactions such as credit card payments. Some ports, such as
<package>www/apache24</package> and
- <package>databases/postgresql91-server</package>, include a compile option for
- building with <application>OpenSSL</application>. If selected,
- the port will add support using the
- <package>security/openssl</package> port. To instead have the
- port compile against the built in version of
+ <package>databases/postgresql91-server</package>, include a
+ compile option for building with
+ <application>OpenSSL</application>. If selected, the port will
+ add support using the <package>security/openssl</package> port.
+ To instead have the port compile against the built in version of
<application>OpenSSL</application>, include
- <varname>WITH_OPENSSL_BASE</varname> when compiling
- in <application>OpenSSL</application> support.</para>
+ <varname>WITH_OPENSSL_BASE</varname> when compiling in
+ <application>OpenSSL</application> support.</para>
- <para>Another common use of
- <application>OpenSSL</application> is to provide certificates
- for use with software applications. Certificates can be used to verify
- the credentials of a company or individual.
- If a certificate has not
- been signed by an external <firstterm>Certificate Authority</firstterm>
+ <para>Another common use of <application>OpenSSL</application> is
+ to provide certificates for use with software applications.
+ Certificates can be used to verify the credentials of a company
+ or individual. If a certificate has not been signed by an
+ external <firstterm>Certificate Authority</firstterm>
(<acronym>CA</acronym>), such as <link
xlink:href="http://www.verisign.com">http://www.verisign.com</link>,
- the application that uses the certificate will produce a warning.
- There is a cost associated with obtaining a signed certificate and using a
- signed certificate is not mandatory as certificates can be
- self-signed. However, using an external authority will prevent warnings and can put
- users at ease.</para>
+ the application that uses the certificate will produce a
+ warning. There is a cost associated with obtaining a signed
+ certificate and using a signed certificate is not mandatory as
+ certificates can be self-signed. However, using an external
+ authority will prevent warnings and can put users at
+ ease.</para>
<para>This section demonstrates how to create and use certificates
on a &os; system. Refer to <xref linkend="ldap-config"/> for an
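Review bot: Minor wording points carried unchanged by the reflow, for a later non-whitespace commit: "web based transactions" and "the built in version of OpenSSL" read better hyphenated ("web-based", "built-in"), and the sentence "There is a cost associated with obtaining a signed certificate and using a signed certificate is not mandatory as certificates can be self-signed" would be clearer split into two sentences. The reflowed lines are otherwise identical to the removed ones, as the log message states.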