|
|
196.
|
|
|
Tools
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
C/network-applications.xml:440(title)
|
|
|
197.
|
|
|
There are many tools available to help you construct a complete firewall without intimate knowledge of iptables. For the GUI-inclined, <application>Firestarter</application> is quite popular and easy to use, and <application>fwbuilder</application> is very powerful and will look familiar to an administrator who has used a commercial firewall utility such as Checkpoint FireWall-1. If you prefer a command-line tool with plain-text configuration files, <application>Shorewall</application> is a very powerful solution to help you configure an advanced firewall for any network. If your network is relatively simple, or if you don't have a network, <application>ipkungfu</application> should give you a working firewall "out of the box" with zero configuration, and will allow you to easily set up a more advanced firewall by editing simple, well-documented configuration files. Another interesting tool is <application>fireflier</application>, which is designed to be a desktop firewall application. It is made up of a server (fireflier-server) and your choice of GUI clients (GTK or QT), and behaves like many popular interactive firewall applications for Windows.
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
C/network-applications.xml:441(para)
|
|
|
198.
|
|
|
Logs
|
|
|
|
|
Protokolle
|
|
Translated and reviewed by
Jochen Skulj
|
|
|
|
Located in
serverguide/C/security.xml:787(title)
|
|
|
199.
|
|
|
Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT). For example: <screen>sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "</screen> A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
C/network-applications.xml:462(para)
|
|
|
200.
|
|
|
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
|
|
|
|
|
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
|
|
Translated and reviewed by
Jochen Skulj
|
|
|
|
Located in
serverguide/C/security.xml:815(programlisting)
|
|
|
201.
|
|
|
The above log will also appear in <filename>/var/log/messages</filename>, <filename>/var/log/syslog</filename>, and <filename>/var/log/kern.log</filename>. This behavior can be modified by editing <filename>/etc/syslog.conf</filename> appropriately or by installing and configuring <application>ulogd</application> and using the ULOG target instead of LOG. The <application>ulogd</application> daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a <application>PostgreSQL</application> or <application>MySQL</application> database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as <application>fwanalog</application>, <application> fwlogwatch</application>, or <application>lire</application>.
|
|
|
|
|
Der obige Protokolleintrag erscheint auch in <filename>/var/log/messages</filename>, <filename>/var/log/syslog</filename>, und <filename>/var/log/kern.log</filename>. Dieses Verhalten kann durch eine geeignete Bearbeitung der Datei <filename>/etc/syslog.conf</filename> oder durch die Installation und Konfiguration von <application>ulogd</application> und die Benutzung des »ULOG«-Ziels anstatt »LOG« verändert werden. Der <application>ulogd</application>-Dienst ist ein im Userspace laufender Server, der die Firewall-spezifischen Aufzeichnungsbefehle des Betriebssystemkerns abhört. Er kann diese dann in einer beliebigen von Ihnen bestimmten Datei, oder selbst in einer <application>PostgreSQL</application>- oder <application>MySQL</application>-Datenbank aufzeichnen. Das Verständnis der Firewallprotokolle kann durch Analysewerkzeuge, wie <application>fwanalog</application>, <application> fwlogwatch</application>, oder <application>lire</application> vereinfacht werden.
|
|
Translated and reviewed by
Jochen Skulj
|
|
|
|
Located in
serverguide/C/security.xml:817(para)
|
|
|
202.
|
|
|
OpenSSH Server
|
|
|
|
|
OpenSSH Server
|
|
Translated by
Steffen Eibicht
|
|
Reviewed by
Jochen Skulj
|
|
|
|
Located in
serverguide/C/virtualization.xml:834(para) serverguide/C/remote-administration.xml:20(title)
|
|
|
203.
|
|
|
This section of the <phrase>Ubuntu</phrase> Server Guide introduces a powerful collection of tools for the remote control of networked computers and transfer of data between networked computers, called <emphasis>OpenSSH</emphasis>. You will also learn about some of the configuration settings possible with the OpenSSH server application and how to change them on your Ubuntu system.
|
|
|
|
|
(no translation yet)
|
|
|
|
Located in
C/network-applications.xml:495(para)
|
|
|
204.
|
|
|
OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling a computer or transferring files between computers. Traditional tools used to accomplish these functions, such as <application>telnet</application> or <application>rcp</application>, are insecure and transmit the user's password in cleartext when used. OpenSSH provides a server daemon and client tools to facilitate secure, encrypted remote control and file transfer operations, effectively replacing the legacy tools.
|
|
|
|
|
OpenSSH ist eine frei erhältliche Version von Werkzeugen die das Secure Shell (SSH) Protokoll benutzen, um damit einen Rechner fernzusteuern oder Dateien zwischen Rechnern in einem Netzwerk zu übertragen. Früher verwendete Werkzeuge mit den gleichen Funktionen, wie zum Beispiel, <application>telnet</application> oder <application>rcp</application>, übertragen alle Daten - und damit auch Benutzernamen und Passwörter - im Klartext, weshalb sie ein großes Sicherheitsrisiko darstellen. OpenSSH verschlüsselt die gesamte Verbindung zwischen zwei Rechnern und ersetzt vor allem deshalb die früheren Werkzeuge.
|
|
Translated and reviewed by
Jochen Skulj
|
|
|
|
Located in
serverguide/C/remote-administration.xml:30(para)
|
|
|
205.
|
|
|
The OpenSSH server component, <application>sshd</application>, listens continuously for client connections from any of the client tools. When a connection request occurs, <application>sshd</application> sets up the correct connection depending on the type of client tool connecting. For example, if the remote computer is connecting with the <application>ssh</application> client application, the OpenSSH server sets up a remote control session after authentication. If a remote user connects to an OpenSSH server with <application>scp</application>, the OpenSSH server daemon initiates a secure copy of files between the server and client after authentication. OpenSSH can use many authentication methods, including plain password, public key, and <application>Kerberos</application> tickets.
|
|
|
|
|
Die OpenSSH Serverkomponente <application>sshd</application> wartet auf eingehende Verbindungen von anderen Rechnern im Netzwerk. Wenn eine Verbindungsanfrage über das Netzwerk eingeht, prüft <application>sshd</application> und die gewünschte Verbindungsart. Wenn beispielsweise der Client (also der anfragende Rechner) eine Verbindung mit <application>ssh</application> aufbaut, stellt <application>sshd</application> eine Shell-Umgebung mit Befehlszeile zur Verfügung, mit der alle auch lokal auf dem Server verwendbaren Befehle benutzt werden können. Wenn der Benutzer des Client-Rechners die Verbindung mit der <application>scp</application>-Anwendung aufbaut, startet <application>sshd</application> eine sichere Datenübertragung zwischen dem Server und dem Client. OpenSSH kann mehrere Verifizierungsmethoden zur Feststellung der Identität des Benutzers verwenden, unter anderem einfache Kennwörter, öffentliche Schlüssel, und <application>Kerberos</application>-Tickets.
|
|
Translated and reviewed by
Jochen Skulj
|
|
|
|
Located in
serverguide/C/remote-administration.xml:39(para)
|
