FOSS security features
While there are many distros available, each with various built-in features, I will concentrate on those features that are found in almost all of them. Some of the features mentioned below started as independent open source projects and became integral parts of distros over time.
Iptables: All Linux distros support iptables, which is essentially a truth-table sort of database containing the information that lets the netfilter code decide how to treat a packet. It is implemented as a kernel module and requires elevated privileges to configure. The way iptables works is very simple: each packet is split into its fields, and the rules in the table are applied to decide whether to let it go ahead, block it, or drop it. For a given server role, the iptables rules can be written once, taking into account every packet-acceptance and rejection scenario, and will rarely need to change. While many production farms use iptables to add a further layer of security, it is important to note that it places an additional burden on the server's resources: since every packet is held temporarily and checked against the set of rules, it needs a considerable amount of computational power. Hence, iptables rules should not be overly elaborate, but just adequate for the given network or application scenario. You can learn how to set up iptables on Ubuntu Linux at https://help.ubuntu.com/community/IptablesHowTo
ConnTrack: This is another kernel-based module that falls under the netfilter framework. As an extension to iptables, ConnTrack tracks the connection state of all network sessions and relates the packets that together form a sensible and successful connection. ConnTrack operates at Layers 3 and 4 and derives useful information about each packet by reading its various fields. This information can optionally be used by iptables to improve its effectiveness. For example, if the high-level protocol is HTTP, the packets will contain HTTP headers as well as the session's source and destination IP addresses and service ports. If this data is made available by ConnTrack, iptables can allow those packets without delving deep into them, saving precious (server) computational resources. The right approach is to use iptables and ConnTrack together.
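The following POSIX shell script is an added example, not code from the article: it emits a minimal stateful iptables ruleset for a single server role, with the conntrack state match placed ahead of the per-service rules so that packets belonging to sessions already accepted leave the INPUT chain early instead of being compared against every rule. The role name, the port list and the helper function names are assumptions; the script prints the rules for review rather than applying them (applying them requires root on a real host).

```shell
#!/bin/sh
# Added example: generate (not apply) a stateful iptables ruleset for one server role.
# Rule order implements the resource-saving point from the text: the conntrack
# shortcut is the first real rule, so established sessions never walk the chain.

# gen_rules <role-name> "<space-separated TCP ports to expose>"
gen_rules() {
    role="$1"
    ports="$2"
    cat <<EOF
# iptables ruleset for role: $role (constructed example, review before use)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
# conntrack shortcut: packets of sessions ConnTrack already knows are accepted at once
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that fit no known session and do not open one are dropped early
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # only the first packet (NEW) of each exposed service needs a per-port rule
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT"
}

# count_input_rules: number of 'iptables -A INPUT' lines read from stdin
# (policies and comments are ignored); a rough size check for "just adequate" rulesets
count_input_rules() {
    grep -c '^iptables -A INPUT'
}

# check_order <ruleset-text>: succeeds only if the ESTABLISHED,RELATED shortcut
# precedes the first per-port rule, i.e. known sessions exit before the port checks
check_order() {
    est=$(printf '%s\n' "$1" | grep -n 'ctstate ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    first_port=$(printf '%s\n' "$1" | grep -n -- '--dport' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$first_port" ] && [ "$est" -lt "$first_port" ]
}

# Example for a web server role exposing HTTP and HTTPS
ruleset=$(gen_rules web "80 443")
printf '%s\n' "$ruleset"
check_order "$ruleset" && echo "# ok: conntrack shortcut precedes per-service rules"
```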
Source address verification: One of the serious security attacks is packet spoofing, whereby attackers forge the source IP address of their packets to fool the destination host. Because the address cannot be trusted, such a spoofing attack is rather difficult to detect and stop.