Securing-Optimizing-RH-Linux-1_2_236
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 236

      status)
            /usr/sbin/ndc status
            exit $?
            ;;
      restart)
            $0 stop
            $0 start
            ;;
      reload)
            /usr/sbin/ndc reload
            exit $?
            ;;
      probe)
            # named knows how to reload intelligently; we don't want linuxconf
            # to offer to restart every time
            /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
            exit 0
            ;;
      *)
            echo "Usage: named {start|stop|status|restart}"
            exit 1
    esac
    exit $RETVAL

Now, make this script executable and change its default permission:

    [root@deep]# chmod 700 /etc/rc.d/init.d/named

Create the symbolic rc.d links for BIND/DNS with the command:

    [root@deep]# chkconfig --add named

The BIND/DNS script will not automatically start the named daemon when you reboot the server. You can change its default by executing the following command:

    [root@deep]# chkconfig --level 345 named on

Start your DNS Server manually with the following command:

    [root@deep]# /etc/rc.d/init.d/named start
    Starting named:                                            [  OK  ]

Securing BIND/DNS

Running BIND/DNS in a chroot jail

This part focuses on preventing BIND/DNS from being used as a point of break-in to the system hosting it. Since BIND/DNS performs a relatively large and complex function, the potential for bugs that affect security is rather high in this software. In fact, there have been exploitable bugs in the past that allowed a remote attacker to obtain root access to hosts running BIND/DNS. To minimize this risk, BIND/DNS can be run as a non-root user, which will limit any damage to what can be done as a normal user with a local shell. Of course, this is not enough for the security requirements of most DNS servers, so an additional step can be taken: running BIND in a chroot jail.
The main benefit of a chroot jail is that the jail limits the portion of the file system the DNS daemon can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the programs related to BIND/DNS available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.
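The two properties the paragraph above relies on (nothing setuid-root inside the jail, and nothing in the jail beyond what named needs) are easy to check mechanically. The following script is an added example, not code from the book: it builds a minimal jail skeleton and audits it for those two properties. The jail layout and the allow list of files are assumptions; adjust them to what your named.conf actually references.

```shell
#!/bin/sh
# Added example, not from the book: build the directory skeleton of a
# BIND chroot jail and check the two properties the text calls out:
# nothing setuid/setgid inside the jail, and no files beyond what
# named needs. The jail layout and the allow list are assumptions;
# adjust them to the files your named.conf actually references.
set -u

# Create the minimal tree named needs below the jail root $1.
make_jail_skeleton() {
    jail=$1
    for d in etc dev var/named var/run; do
        mkdir -p "$jail/$d" || return 1
    done
    # Only the daemon's working directories should ever be writable
    # by the unprivileged user named runs as; everything else is 0755.
    chmod 755 "$jail" "$jail/etc" "$jail/dev" "$jail/var"
    return 0
}

# Succeed (exit 0) only if no file in the jail has the setuid or setgid
# bit. A setuid-root binary inside the jail is exactly what would let a
# compromised named regain root and escape, so this set must stay empty.
jail_has_no_setuid() {
    jail=$1
    [ -z "$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print)" ]
}

# Succeed only if every regular file in the jail is on the allow list $2
# (space-separated paths relative to the jail root). Anything else is
# reported on stderr and makes the check fail.
jail_only_allowed_files() {
    jail=$1
    allowed=" $2 "
    find "$jail" -type f | while read -r f; do
        rel=${f#"$jail"/}
        case "$allowed" in
            *" $rel "*) ;;
            *) echo "unexpected file in jail: $rel" >&2; exit 1 ;;
        esac
    done
}

# Constructed allow list for a small jail: the config plus one zone file.
NAMED_JAIL_FILES="etc/named.conf var/named/db.127.0.0"
```

Run the two audit functions from cron or from the init script before starting named, so that a file dropped into the jail later (by an upgrade or by an intruder) is noticed rather than silently trusted.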