While running services on a server, you should consider binding services to the loopback interface. Loopback interfaces have following specific:s
- Loopback interfaces are always up
- Loopback is a Virtual interface
- Active as long as the IP/TCP stack active
As long as the TCP/IP stack is alive the bound daemon will be running even if a physical interface has been shut down. Some daemons run on 0.0.0.0 which is "all interfaces" in IPv4. The loopback interface is a bit differenth it has a IP address 127/8 or just 127.0.0.1
The gentoo OpenRC scripts use a concept of provide, need in the init scripts.
Init scripts can provide a service that other init scripts need. The OpenRC default is that net.lo does not provide net. This can be changed if editing the /etc/conf.d/net.lo file and addint rc_provide="net" to that file.
Below a example for a OpenRC script showing a dependency need net
...
depend() {
need net
}
...
This setting can be changed to:
...
depend() {
need net.lo
}
.
The information is emitted when you emerge OpenRC, and should be in the ebuild for you. The general process on servers is to minimise if not eliminate interface changes altogether. They are set up during boot and run for as long as the kernel does, months if not years.
For daemons that need outbound connectivity, like say a DNS server, you want that interface to be configured before the service comes up or it will not bootstrap correctly.
Additionally a gentoo developer "flameeyes" has written a article about that particular issue in the year 2012. At this year a major default setting in gentoo or OpenRC has been changed.
Flameeyes - May I have a connection please
At the end you might say "it is more complicted than you think" that is what once can conclude judging the OpenRC "need net" setting. While talking about "reinventing the wheel" the same problem occured while implementing systemd. Apparently it depends how the "need net" might be understood.
Some daemons need outbound connectivity to start properly f.e. DNS, sometimes DHCP. Some damons need only a working IP interface without the need to connect an outbound peer f.e. privoxy
Securing linux hosts,
while Windows host have mostly some kind of virus scanners for malicious software. UNIX hosts mostly do not have such a software at default.
There are 3 software packages that scan UNIX hosts for rootkits and malicious software
[I] app-forensics/chkrootkit
Available versions: [M]0.49 0.50{tbz2} {+cron}
Homepage: http://www.chkrootkit.org/
Description: Tool to locally check for signs of a rootkit
[I] app-forensics/rkhunter
Available versions: 1.4.2{tbz2}
Homepage: http://rkhunter.sf.net/
Description: Rootkit Hunter scans for known and unknown rootkits, backdoors, and sniffers
[I] app-forensics/lynis
Available versions: 1.6.4{tbz2} (~)2.1.0 (~)2.1.1{tbz2}
Homepage: http://cisofy.com/lynis/
Description: Security and system auditing tool
While the chkrootkit only scans for rootkits on localhost. The 2nd software in list (rkhunter) additionally is verifying the consistency of configuration, malicious symlinks in the file system, open TCP sockets on localhost, also installed crypto-software like OpenSSH, GnuPG or OpenSSL.
The report after a scan is stored in the local file system and looks like here:
...
Checking application versions...
Checking version of GnuPG [ OK ]
Checking version of OpenSSL [ OK ]
Checking version of OpenSSH [ OK ]
System checks summary
=====================
File properties checks...
Files checked: 149
Suspect files: 5
Rootkit checks...
Rootkits checked : 379
Possible rootkits: 0
Applications checks...
Applications checked: 3
Suspect applications: 0
The system checks took: 5 minutes and 26 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
The 3-rd application in the list (lynis) is a security auditing tool, that scans the local host for available * system tools * boot managers * kernel configuration * processes running at the moment * users, groups * shells, filesystems, * services running (daemons) * installed packages, etc.
There are around 30 modules in lynis that verify the configuration of localhost Lynis is available for: - BSD - OSX - UNIX - Linux The final report with suggestions is stored in the local filessystem and might look like this:
================================================================================
-[ Lynis 2.1.1 Results ]-
Warnings:
----------------------------
- None found
Follow-up:
----------------------------
- Check the logfile for more details (less /var/log/lynis.log)
- Read security controls texts (https://cisofy.com)
- Use --upload to upload data (Lynis Enterprise users)
================================================================================
Lynis security scan details:
Hardening index : 100 [####################]
Tests performed : 174
Plugins enabled : 0
Quick overview:
- Firewall [X] - Malware scanner [V]
Lynis Modules:
- Heuristics Check [NA] - Security Audit [V]
- Compliance Tests [X] - Vulnerability Scan [V]
Files:
- Test and debug information : /var/log/lynis.log
- Report data : /var/log/lynis-report.dat
================================================================================
Exceptions found
None exceptional events or information was found!
What to do:
You can help improving Lynis by providing your report file.
Go to https://cisofy.com/contact/ and send your file to the e-mail address listed
================================================================================
Tip: Disable all tests which are not relevant or are too strict for the
purpose of this particular machine. This will remove unwanted suggestions
and also boost the hardening index. Each test should be properly analyzed
to see if the related risks can be accepted, before disabling the test.
================================================================================
Lynis 2.1.1
Auditing, hardening and compliance for BSD, Linux, Mac OS and Unix
Copyright 2007-2015 - CISOfy, https://cisofy.com
Enterprise support and plugins available via CISOfy
================================================================================
lynis -c 10.62s user 2.77s system 6% cpu 3:14.07 total
This 3 tools might improve the security of the scanned linux box. However nothing can replace a sane configuration and a sharp eye. They will point out where to look or which service configuration could be made more robust, or easier.
At the end nothing can replace a sane configuration of a *NIX host that can be only verified by yourself. Continous improvement of the configuration, using best current practices where it applies, patching security holes, keeping things easy, automating configuration tasks, these are only a few examples howto minimise security risks.
Enabling MPLS on IOS routers is quite forward. Assuming here LDP is the preferred protocol. On directly connected hosts this should be enough to enable MPLS:
conf t
!
mpls ip
mpls label protocol ldp
!
interface Gi0/0
ip 192.0.2.10 255.255.255.0
mpls ip
!
end
On not directly connected hosts following configuration is needed, if they should establish a neighborship.
conf t
!
mpls ldp discovery targeted-hello accept
!
exit
Verifying mpls ldp neighbourship
sh mpls ldp discovery
The output will reveal something like this:
Local LDP Identifier: 192.0.2.101:0 Discovery Sources: Interfaces: FastEthernet3/0 (ldp): xmit/recv LDP Id: 192.0.2.102:0 FastEthernet3/2 (ldp): xmit/recv LDP Id: 192.0.2.4:0; no route FastEthernet3/3 (ldp): xmit/recv LDP Id: 192.0.2.3:0; no route
This is all one need to know about enabling MPLS on IOS routers. Funny fact is MPLS is enabled per interface, and globally for functionality.
While working with linux kernel sometimes it happens the only stable kernel is the currently running kernel, and this configuration is needed.
To exctract the current running kernel configuration use following command:
or a bit shorter, here using zcat: