#This file was created by LinuxDoc-SGML #(conversion : Frank Pavageau and Jose' Matos) \lyxformat 2.15 \textclass linuxdoc \language default \inputencoding default \fontscheme default \papersize Default \paperfontsize default \spacing single \secnumdepth 3 \tocdepth 3 \paragraph_separation indent \defskip medskip \quotes_language default \quotes_times 2 \paperorientation portrait \papercolumns 1 \papersides 1 \paperpagestyle default \layout Title \added_space_top vfill \added_space_bottom vfill Linux Security HOWTO \layout Author Kevin Fenzi, \family typewriter kevin-securityhowto@tummy.com \family default & Dave Wreski, \family typewriter dave@linuxsecurity.com \family default \layout Date v1.3.1, 11 February 2002 \layout Abstract This document is a general overview of security issues that face the administrator of Linux systems. It covers general security philosophy and a number of specific examples of how to better secure your Linux system from intruders. Also included are pointers to security-related material and programs. Improvements, constructive criticism, additions and corrections are gratefully accepted. Please mail your feedback to both authors, with "Security HOWTO" in the subject. \layout Standard \begin_inset LatexCommand \tableofcontents \end_inset \layout Section Introduction \layout Standard This document covers some of the main issues that affect Linux security. General philosophy and net-born resources are discussed. \layout Standard A number of other HOWTO documents overlap with security issues, and those documents have been pointed to wherever appropriate. \layout Standard This document is \shape italic not \shape default meant to be a up-to-date exploits document. Large numbers of new exploits happen all the time. This document will tell you where to look for such up-to-date information, and will give some general methods to prevent such exploits from taking place. \layout Subsection New Versions of this Document \layout Standard New versions of this document will be periodically posted to comp.os.linux.answers. They will also be added to the various sites that archive such information, including: \layout Standard \family typewriter \begin_inset LatexDel \htmlurl{ \end_inset http://www.linuxdoc.org/ \begin_inset LatexDel }{ \end_inset http://www.linuxdoc.org/ \begin_inset LatexDel } \end_inset \family default \layout Standard The very latest version of this document should also be available in various formats from: \layout Itemize \family typewriter \begin_inset LatexDel \htmlurl{ \end_inset http://scrye.com/~kevin/lsh/ \begin_inset LatexDel }{ \end_inset http://scrye.com/~kevin/lsh/ \begin_inset LatexDel } \end_inset \family default \layout Itemize \family typewriter \begin_inset LatexDel \htmlurl{ \end_inset http://www.linuxsecurity.com/docs/Security-HOWTO \begin_inset LatexDel }{ \end_inset http://www.linuxsecurity.com/docs/Security-HOWTO \begin_inset LatexDel } \end_inset \family default \layout Itemize \family typewriter \begin_inset LatexDel \htmlurl{ \end_inset http://www.tummy.com/security-howto \begin_inset LatexDel }{ \end_inset http://www.tummy.com/security-howto \begin_inset LatexDel } \end_inset \family default \layout Subsection Feedback \layout Standard All comments, error reports, additional information and criticism of all sorts should be directed to: \layout Standard \family typewriter \begin_inset LatexDel \htmlurl{ \end_inset mailto:kevin-securityhowto@tummy.com \begin_inset LatexDel }{ \end_inset kevin-securityhowto@tummy.com \begin_inset LatexDel } \end_inset \family default \layout Standard and \layout Standard \family typewriter \begin_inset LatexDel \htmlurl{ \end_inset mailto:dave@linuxsecurity.com \begin_inset LatexDel }{ \end_inset dave@linuxsecurity.com \begin_inset LatexDel } \end_inset \family default \layout Standard \shape italic Note \shape default : Please send your feedback to \shape italic both \shape default authors. Also, be sure and include "Linux" "security", or "HOWTO" in your subject to avoid Kevin's spam filter. \layout Subsection Disclaimer \layout Standard No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. Additionally, this is an early version, possibly with many inaccuracies or errors. \layout Standard A number of the examples and descriptions use the RedHat(tm) package layout and system setup. Your mileage may vary. \layout Standard As far as we know, only programs that, under certain terms may be used or evaluated for personal purposes will be described. Most of the programs will be available, complete with source, under \begin_inset LatexDel \url{ \end_inset http://www.gnu.org/copyleft/gpl.html \begin_inset LatexDel }{ \end_inset GNU \begin_inset LatexDel } \end_inset terms. \layout Subsection Copyright Information \layout Standard This document is copyrighted (c)1998-2000 Kevin Fenzi and Dave Wreski, and distributed under the following terms: \layout Standard @itemize@ \layout Itemize Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium, physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the authors would like to be notified of any such distributions. \layout Itemize All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below. \layout Itemize If you have questions, please contact Tim Bynum, the Linux HOWTO coordinator, at \end_deeper \layout Standard \family typewriter \begin_inset LatexDel \htmlurl{ \end_inset mailto:tjbynum@metalab.unc.edu \begin_inset LatexDel }{ \end_inset tjbynum@metalab.unc.edu \begin_inset LatexDel } \end_inset \family default \layout Section Overview \layout Standard This document will attempt to explain some procedures and commonly-used software to help your Linux system be more secure. It is important to discuss some of the basic concepts first, and create a security foundation, before we get started. \layout Subsection Why Do We Need Security? \layout Standard In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, it. Even other users on your system may maliciously transform your data into something you did not intend. Unauthorized access to your system may be obtained by intruders, also known as "crackers", who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources. If you're wondering what the difference is between a "Hacker" and a "Cracker", see Eric Raymond's document, "How to Become A Hacker", available at \begin_inset LatexDel \htmlurl{ \end_inset http://www.tuxedo.org/~esr/faqs/hacker-howto.html \begin_inset LatexDel }{ \end_inset http://www.tuxedo.org/~esr/faqs/hacker-howto.html \begin_inset LatexDel } \end_inset . \layout Subsection How Secure Is Secure? \layout Standard First, keep in mind that no computer system can ever be completely secure. All you can do is make it increasingly difficult for someone to compromise your system. For the average home Linux user, not much is required to keep the casual cracker at bay. However, for high-profile Linux users (banks, telecommunications companies, etc), much more work is required. \layout Standard Another factor to take into account is that the more secure your system is, the more intrusive your security becomes. You need to decide where in this balancing act your system will still be usable, and yet secure for your purposes. For instance, you could require everyone dialing into your system to use a call-back modem to call them back at their home number. This is more secure, but if someone is not at home, it makes it difficult for them to login. You could also setup your Linux system with no network or connection to the Internet, but this limits its usefulness. \layout Standard If you are a medium to large-sized site, you should establish a security policy stating how much security is required by your site and what auditing is in place to check it. You can find a well-known security policy example at \begin_inset LatexDel \htmlurl{ \end_inset http://www.faqs.org/rfcs/rfc2196.html \begin_inset LatexDel }{ \end_inset http://www.faqs.org/rfcs/rfc2196.html \begin_inset LatexDel } \end_inset . It has been recently updated, and contains a great framework for establishing a security policy for your company. \layout Subsection What Are You Trying to Protect? \layout Standard Before you attempt to secure your system, you should determine what level of threat you have to protect against, what risks you should or should not take, and how vulnerable your system is as a result. You should analyze your system to know what you're protecting, why you're protecting it, what value it has, and who has responsibility for your data and other assets. \begin_deeper \layout Itemize \shape italic Risk \shape default is the possibility that an intruder may be successful in attempting to access your computer. Can an intruder read or write files, or execute programs that could cause damage? Can they delete critical data? Can they prevent you or your company from getting important work done? Don't forget: someone gaining access to your account, or your system, can also impersonate you. \layout Standard Additionally, having one insecure account on your system can result in your entire network being compromised. If you allow a single user to login using a \family typewriter .rhosts \family default file, or to use an insecure service such as \family typewriter tftp \family default , you risk an intruder getting 'his foot in the door'. Once the intruder has a user account on your system, or someone else's system, it can be used to gain access to another system, or another account. \layout Itemize \shape italic Threat \shape default is typically from someone with motivation to gain unauthorized access to your network or computer. You must decide whom you trust to have access to your system, and what threat they could pose. \layout Standard There are several types of intruders, and it is useful to keep their different characteristics in mind as you are securing your systems. \layout Itemize \series bold The Curious \series default - This type of intruder is basically interested in finding out what type of system and data you have. \layout Itemize \series bold The Malicious \series default - This type of intruder is out to either bring down your systems, or deface your web page, or otherwise force you to spend time and money recovering from the damage he has caused. \layout Itemize \series bold The High-Profile Intruder \series default - This type of intruder is trying to use your system to gain popularity and infamy. He might use your high-profile system to advertise his abilities. \layout Itemize \series bold The Competition \series default - This type of intruder is interested in what data you have on your system. It might be someone who thinks you have something that could benefit him, financially or otherwise. \layout Itemize \series bold The Borrowers \series default - This type of intruder is interested in setting up shop on your system and using its resources for their own purposes. He typically will run chat or irc servers, porn archive sites, or even DNS servers. \layout Itemize \series bold The Leapfrogger \series default - This type of intruder is only interested in your system to use it to get into other systems. If your system is well-connected or a gateway to a number of internal hosts, you may well see this type trying to compromise your system. \layout Itemize Vulnerability describes how well-protected your computer is from another network, and the potential for someone to gain unauthorized access. \layout Standard What's at stake if someone breaks into your system? Of course the concerns of a dynamic PPP home user will be different from those of a company connecting their machine to the Internet, or another large network. \layout Standard How much time would it take to retrieve/recreate any data that was lost? An initial time investment now can save ten times more time later if you have to recreate data that was lost. Have you checked your backup strategy, and verified your data lately? \end_deeper \layout Subsection Developing A Security Policy \layout Standard Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding as well as the privacy of the users. Some things to consider adding are: who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system. \layout Standard A generally-accepted security policy starts with the phrase \layout Quote \series bold That which is not permitted is prohibited \series default \layout Standard This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account. Saying, "Ah, I can't figure out this permissions problem, I'll just do it as root" can lead to security holes that are very obvious, and even ones that haven't been exploited yet. \layout Standard \begin_inset LatexDel \htmlurl{ \end_inset ftp://www.faqs.org/rfcs/rfc1244.html \begin_inset LatexDel }{ \end_inset rfc1244 \begin_inset LatexDel } \end_inset is a document that describes how to create your own network security policy. \layout Standard \begin_inset LatexDel \htmlurl{ \end_inset ftp://www.faqs.org/rfcs/rfc1281.html \begin_inset LatexDel }{ \end_inset rfc1281 \begin_inset LatexDel } \end_inset is a document that shows an example security policy with detailed descriptions of each step. \layout Standard Finally, you might want to look at the COAST policy archive at \begin_inset LatexDel \htmlurl{ \end_inset ftp://coast.cs.purdue.edu/pub/doc/policy \begin_inset LatexDel }{ \end_inset ftp://coast.cs.purdue.edu/pub/doc/policy \begin_inset LatexDel } \end_inset to see what some real-life security policies look like. \layout Subsection Means of Securing Your Site \layout Standard This document will discuss various means with which you can secure the assets you have worked hard for: your local machine, your data, your users, your network, even your reputation. What would happen to your reputation if an intruder deleted some of your users' data? Or defaced your web site? Or published your company's corporate project plan for next quarter? If you are planning a network installation, there are many factors you must take into account before adding a single machine to your network. \layout Standard Even if you have a single dial up PPP account, or just a small site, this does not mean intruders won't be interested in your systems. Large, high-profile sites are not the only targets -- many intruders simply want to exploit as many sites as possible, regardless of their size. Additionally, they may use a security hole in your site to gain access to other sites you're connected to. \layout Standard Intruders have a lot of time on their hands, and can avoid guessing how you've obscured your system just by trying all the possibilities. There are also a number of reasons an intruder may be interested in your systems, which we will discuss later. \layout Subsubsection Host Security \layout Standard Perhaps the area of security on which administrators concentrate most is host-based security. This typically involves making sure your own system is secure, and hoping everyone else on your network does the same. Choosing good passwords, securing your host's local network services, keeping good accounting records, and upgrading programs with known security exploits are among the things the local security administrator is responsible for doing. Although this is absolutely necessary, it can become a daunting task once your network becomes larger than a few machines. \layout Subsubsection Local Network Security \layout Standard Network security is as necessary as local host security. With hundreds, thousands, or more computers on the same network, you can't rely on each one of those systems being secure. Ensuring that only authorized users can use your network, building firewalls, using strong encryption, and ensuring there are no "rogue" (that is, unsecured) machines on your network are all part of the network security administrator's duties. \layout Standard This document will discuss some of the techniques used to secure your site, and hopefully show you some of the ways to prevent an intruder from gaining access to what you are trying to protect. \layout Subsubsection Security Through Obscurity \layout Standard One type of security that must be discussed is "security through obscurity". This means, for example, moving a service that has known security vulnerabilities to a non-standard port in hopes that attackers won't notice it's there and thus won't exploit it. Rest assured that they can determine that it's there and will exploit it. Security through obscurity is no security at all. Simply because you may have a small site, or a relatively low profile, does not mean an intruder won't be interested in what you have. We'll discuss what you're protecting in the next sections. \layout Subsection Organization of This Document \layout Standard This document has been divided into a number of sections. They cover several broad security issues. The first, \begin_inset LatexCommand \ref{ \end_inset physical-security \begin_inset LatexDel }{ \end_inset Physical Security \begin_inset LatexDel } \end_inset , covers how you need to protect your physical machine from tampering. The second, \begin_inset LatexCommand \ref{ \end_inset local-security \begin_inset LatexDel }{ \end_inset Local Security \begin_inset LatexDel } \end_inset , describes how to protect your system from tampering by local users. The third, \begin_inset LatexCommand \ref{ \end_inset file-security \begin_inset LatexDel }{ \end_inset Files and Filesystem Security \begin_inset LatexDel } \end_inset , shows you how to setup your file systems and permissions on your files. The next, \begin_inset LatexCommand \ref{ \end_inset password-security \begin_inset LatexDel }{ \end_inset Password Security and Encryption \begin_inset LatexDel } \end_inset , discusses how to use encryption to better secure your machine and network. \begin_inset LatexCommand \ref{ \end_inset kernel-security \begin_inset LatexDel }{ \end_inset Kernel Security \begin_inset LatexDel } \end_inset discusses what kernel options you should set or be aware of for a more secure system. \begin_inset LatexCommand \ref{ \end_inset network-security \begin_inset LatexDel }{ \end_inset Network Security \begin_inset LatexDel } \end_inset , describes how to better secure your Linux system from network attacks. \begin_inset LatexCommand \ref{ \end_inset secure-prep \begin_inset LatexDel }{ \end_inset Security Preparation \begin_inset LatexDel } \end_inset , discusses how to prepare your machine(s) before bringing them on-line. Next, \begin_inset LatexCommand \ref{ \end_inset after-breakin \begin_inset LatexDel }{ \end_inset What To Do During and After a Break-in \begin_inset LatexDel } \end_inset , discusses what to do when you detect a system compromise in progress or detect one that has recently happened. In \begin_inset LatexCommand \ref{ \end_inset sources \begin_inset LatexDel }{ \end_inset Security Resources \begin_inset LatexDel } \end_inset , some primary security resources are enumerated. The Q and A section \begin_inset LatexCommand \ref{ \end_inset q-and-a \begin_inset LatexDel }{ \end_inset Frequently Asked Questions \begin_inset LatexDel } \end_inset , answers some frequently-asked questions, and finally a conclusion in \begin_inset LatexCommand \ref{ \end_inset conclusion \begin_inset LatexDel }{ \end_inset Conclusion \begin_inset LatexDel } \end_inset . \layout Standard The two main points to realize when reading this document are: \begin_deeper \layout Itemize Be aware of your system. Check system logs such as \family typewriter /var/log/messages \family default and keep an eye on your system, and \layout Itemize Keep your system up-to-date by making sure you have installed the current versions of software and have upgraded per security alerts. Just doing this will help make your system markedly more secure. \end_deeper \layout Section Physical Security \begin_inset LatexCommand \label{physical-security} \end_inset \layout Standard The first layer of security you need to take into account is the physical security of your computer systems. Who has direct physical access to your machine? Should they? Can you protect your machine from their tampering? Should you? \layout Standard How much physical security you need on your system is very dependent on your situation, and/or budget. \layout Standard If you are a home user, you probably don't need a lot (although you might need to protect your machine from tampering by children or annoying relatives). If you are in a lab, you need considerably more, but users will still need to be able to get work done on the machines. Many of the following sections will help out. If you are in an office, you may or may not need to secure your machine off-hours or while you are away. At some companies, leaving your console unsecured is a termination offense. \layout Standard Obvious physical security methods such as locks on doors, cables, locked cabinets, and video surveillance are all good ideas, but beyond the scope of this document. :) \layout Subsection Computer locks \layout Standard Many modern PC cases include a "locking" feature. Usually this will be a socket on the front of the case that allows you to turn an included key to a locked or unlocked position. Case locks can help prevent someone from stealing your PC, or opening up the case and directly manipulating/stealing your hardware. They can also sometimes prevent someone from rebooting your computer from their own floppy or other hardware. \layout Standard These case locks do different things according to the support in the motherboard and how the case is constructed. On many PC's they make it so you have to break the case to get the case open. On some others, they will not let you plug in new keyboards or mice. Check your motherboard or case instructions for more information. This can sometimes be a very useful feature, even though the locks are usually very low-quality and can easily be defeated by attackers with locksmithing. \layout Standard Some machines (most notably SPARC's and macs) have a dongle on the back that, if you put a cable through, attackers would have to cut the cable or break the case to get into it. Just putting a padlock or combo lock through these can be a good deterrent to someone stealing your machine. \layout Subsection BIOS Security \layout Standard The BIOS is the lowest level of software that configures or manipulates your x86-based hardware. LILO and other Linux boot methods access the BIOS to determine how to boot up your Linux machine. Other hardware that Linux runs on has similar software (Open Firmware on Macs and new Suns, Sun boot PROM, etc...). You can use your BIOS to prevent attackers from rebooting your machine and manipulating your Linux system. \layout Standard Many PC BIOSs let you set a boot password. This doesn't provide all that much security (the BIOS can be reset, or removed if someone can get into the case), but might be a good deterrent (i.e. it will take time and leave traces of tampering). Similarly, on S/Linux (Linux for SPARC(tm) processor machines), your EEPROM can be set to require a boot-up password. This might slow attackers down. \layout Standard Another risk of trusting BIOS passwords to secure your system is the default password problem. Most BIOS makers don't expect people to open up their computer and disconnect batteries if they forget their password and have equipped their BIOSes with default passwords that work regardless of your chosen password. Some of the more common passwords include: \layout Standard j262 AWARD_SW AWARD_PW lkwpeter Biostar AMI Award bios BIOS setup cmos AMI!SW1 AMI?SW1 password hewittrand shift + s y x z \layout Standard I tested an Award BIOS and AWARD_PW worked. These passwords are quite easily available from manufacturers' websites and \begin_inset LatexDel \htmlurl{ \end_inset http://astalavista.box.sk \begin_inset LatexDel }{ \end_inset http://astalavista.box.sk \begin_inset LatexDel } \end_inset and as such a BIOS password cannot be considered adequate protection from a knowledgeable attacker. \layout Standard Many x86 BIOSs also allow you to specify various other good security settings. Check your BIOS manual or look at it the next time you boot up. For example, some BIOSs disallow booting from floppy drives and some require passwords to access some BIOS features. \layout Standard \shape italic Note \shape default : If you have a server machine, and you set up a boot password, your machine will not boot up unattended. Keep in mind that you will need to come in and supply the password in the event of a power failure. ;( \layout Subsection Boot Loader Security \layout Standard The various Linux boot loaders also can have a boot password set. LILO, for example, has \family typewriter password \family default and \family typewriter restricted \family default settings; \family typewriter password \family default requires password at boot time, whereas \family typewriter restricted \family default requires a boot-time password only if you specify options (such as \family typewriter single \family default ) at the \family typewriter LILO \family default prompt. \layout Standard >From the lilo.conf man page: \begin_deeper \layout Verbatim password=password \protected_separator \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator The \protected_separator per-image \protected_separator option \protected_separator `password=...' \protected_separator (see \protected_separator below) \protected_separator applies \protected_separator to \protected_separator all \protected_separator images. \protected_separator \newline \protected_separator \newline restricted \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator The \protected_separator per-image \protected_separator option \protected_separator `restricted' \protected_separator (see \protected_separator below) \protected_separator applies \protected_separator to \protected_separator all \protected_separator images. \protected_separator \newline \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator password=password \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator Protect \protected_separator the \protected_separator image \protected_separator by \protected_separator a \protected_separator password. \protected_separator \newline \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator restricted \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator A \protected_separator password \protected_separator is \protected_separator only \protected_separator required \protected_separator to \protected_separator boot \protected_separator the \protected_separator image \protected_separator if \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator parameters \protected_separator are \protected_separator specified \protected_separator \protected_separator on \protected_separator \protected_separator the \protected_separator \protected_separator command \protected_separator \protected_separator line \protected_separator \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (e.g. \protected_separator single). \protected_separator \end_deeper \layout Standard Keep in mind when setting all these passwords that you need to remember them. :) Also remember that these passwords will merely slow the determined attacker. They won't prevent someone from booting from a floppy, and mounting your root partition. If you are using security in conjunction with a boot loader, you might as well disable booting from a floppy in your computer's BIOS, and password-protect the BIOS. \layout Standard Also keep in mind that the /etc/lilo.conf will need to be mode "600" (readable and writing for root only), or others will be able to read your passwords! \layout Standard If anyone has security-related information from a different boot loader, we would love to hear it. ( \family typewriter grub \family default , \family typewriter silo \family default , \family typewriter milo \family default , \family typewriter linload \family default , etc). \layout Standard \shape italic Note \shape default : If you have a server machine, and you set up a boot password, your machine will \shape italic not \shape default boot up unattended. Keep in mind that you will need to come in and supply the password in the event of a power failure. ;( \layout Subsection xlock and vlock \layout Standard If you wander away from your machine from time to time, it is nice to be able to "lock" your console so that no one can tamper with, or look at, your work. Two programs that do this are: \family typewriter xlock \family default and \family typewriter vlock \family default . \layout Standard \family typewriter xlock \family default is a X display locker. It should be included in any Linux distributions that support X. Check out the man page for it for more options, but in general you can run \family typewriter xlock \family default from any xterm on your console and it will lock the display and require your password to unlock. \layout Standard \family typewriter vlock \family default is a simple little program that allows you to lock some or all of the virtual consoles on your Linux box. You can lock just the one you are working in or all of them. If you just lock one, others can come in and use the console; they will just not be able to use your virtual console until you unlock it. \family typewriter vlock \family default ships with RedHat Linux, but your mileage may vary. \layout Standard Of course locking your console will prevent someone from tampering with your work, but won't prevent them from rebooting your machine or otherwise disrupting your work. It also does not prevent them from accessing your machine from another machine on the network and causing problems. \layout Standard More importantly, it does not prevent someone from switching out of the X Window System entirely, and going to a normal virtual console login prompt, or to the VC that X11 was started from, and suspending it, thus obtaining your privileges. For this reason, you might consider only using it while under control of xdm. \layout Subsection Security of local devices \layout Standard If you have a webcam or a microphone attached to your system, you should consider if there is some danger of a attacker gaining access to those devices. When not in use, unplugging or removing such devices might be an option. Otherwise you should carefully read and look at any software with provides access to such devices. \layout Subsection Detecting Physical Security Compromises \layout Standard The first thing to always note is when your machine was rebooted. Since Linux is a robust and stable OS, the only times your machine should reboot is when \shape italic you \shape default take it down for OS upgrades, hardware swapping, or the like. If your machine has rebooted without you doing it, that may be a sign that an intruder has compromised it. Many of the ways that your machine can be compromised require the intruder to reboot or power off your machine. \layout Standard Check for signs of tampering on the case and computer area. Although many intruders clean traces of their presence out of logs, it's a good idea to check through them all and note any discrepancy. \layout Standard It is also a good idea to store log data at a secure location, such as a dedicated log server within your well-protected network. Once a machine has been compromised, log data becomes of little use as it most likely has also been modified by the intruder. \layout Standard The syslog daemon can be configured to automatically send log data to a central syslog server, but this is typically sent unencrypted, allowing an intruder to view data as it is being transferred. This may reveal information about your network that is not intended to be public. There are syslog daemons available that encrypt the data as it is being sent. \layout Standard Also be aware that faking syslog messages is easy -- with an exploit program having been published. Syslog even accepts net log entries claiming to come from the local host without indicating their true origin. \layout Standard Some things to check for in your logs: \begin_deeper \layout Itemize Short or incomplete logs. \layout Itemize Logs containing strange timestamps. \layout Itemize Logs with incorrect permissions or ownership. \layout Itemize Records of reboots or restarting of services. \layout Itemize missing logs. \layout Itemize \family typewriter su \family default entries or logins from strange places. \end_deeper \layout Standard We will discuss system log data \begin_inset LatexCommand \ref{ \end_inset logs \begin_inset LatexDel }{ \end_inset later \begin_inset LatexDel } \end_inset in the HOWTO. \layout Section Local Security \begin_inset LatexCommand \label{local-security} \end_inset \layout Standard The next thing to take a look at is the security in your system against attacks from local users. Did we just say \shape italic local \shape default users? Yes! \layout Standard Getting access to a local user account is one of the first things that system intruders attempt while on their way to exploiting the root account. With lax local security, they can then "upgrade" their normal user access to root access using a variety of bugs and poorly setup local services. If you make sure your local security is tight, then the intruder will have another hurdle to jump. \layout Standard Local users can also cause a lot of havoc with your system even (especially) if they really are who they say they are. Providing accounts to people you don't know or for whom you have no contact information is a very bad idea. \layout Subsection Creating New Accounts \layout Standard You should make sure you provide user accounts with only the minimal requirements for the task they need to do. If you provide your son (age 10) with an account, you might want him to only have access to a word processor or drawing program, but be unable to delete data that is not his. \layout Standard Several good rules of thumb when allowing other people legitimate access to your Linux machine: \begin_deeper \layout Itemize Give them the minimal amount of privileges they need. \layout Itemize Be aware when/where they login from, or should be logging in from. \layout Itemize Make sure you remove inactive accounts, which you can determine by using the 'last' command and/or checking log files for any activity by the user. \layout Itemize The use of the same userid on all computers and networks is advisable to ease account maintenance, and permits easier analysis of log data. \layout Itemize The creation of group user-id's should be absolutely prohibited. User accounts also provide accountability, and this is not possible with group accounts. \end_deeper \layout Standard Many local user accounts that are used in security compromises have not been used in months or years. Since no one is using them they, provide the ideal attack vehicle. \layout Subsection Root Security \begin_inset LatexCommand \label{root-security} \end_inset \layout Standard The most sought-after account on your machine is the root (superuser) account. This account has authority over the entire machine, which may also include authority over other machines on the network. Remember that you should only use the root account for very short, specific tasks, and should mostly run as a normal user. Even small mistakes made while logged in as the root user can cause problems. The less time you are on with root privileges, the safer you will be. \layout Standard Several tricks to avoid messing up your own box as root: \begin_deeper \layout Itemize When doing some complex command, try running it first in a non-destructive way...especially commands that use globing: e.g., if you want to do \family typewriter rm foo*.bak \family default , first do \family typewriter ls foo*.bak \family default and make sure you are going to delete the files you think you are. Using \family typewriter echo \family default in place of destructive commands also sometimes works. \layout Itemize Provide your users with a default alias to the \family typewriter rm \family default command to ask for confirmation for deletion of files. \layout Itemize Only become root to do single specific tasks. If you find yourself trying to figure out how to do something, go back to a normal user shell until you are \shape italic sure \shape default what needs to be done by root. \layout Itemize The command path for the root user is very important. The command path (that is, the \family typewriter PATH \family default environment variable) specifies the directories in which the shell searches for programs. Try to limit the command path for the root user as much as possible, and \shape italic never \shape default include \family typewriter . \family default (which means "the current directory") in your PATH. Additionally, never have writable directories in your search path, as this can allow attackers to modify or place new binaries in your search path, allowing them to run as root the next time you run that command. \layout Itemize Never use the rlogin/rsh/rexec suite of tools (called the r-utilities) as root. They are subject to many sorts of attacks, and are downright dangerous when run as root. Never create a \family typewriter .rhosts \family default file for root. \layout Itemize The \family typewriter /etc/securetty \family default file contains a list of terminals that root can login from. By default (on Red Hat Linux) this is set to only the local virtual consoles(vtys). Be very wary of adding anything else to this file. You should be able to login remotely as your regular user account and then \family typewriter su \family default if you need to (hopefully over \family typewriter \begin_inset LatexCommand \ref{ \end_inset ssh \begin_inset LatexDel }{ \end_inset ssh \begin_inset LatexDel } \end_inset \family default or other encrypted channel), so there is no need to be able to login directly as root. \layout Itemize Always be slow and deliberate running as root. Your actions could affect a lot of things. Think before you type! \end_deeper \layout Standard If you absolutely positively need to allow someone (hopefully very trusted) to have root access to your machine, there are a few tools that can help. \family typewriter sudo \family default allows users to use their password to access a limited set of commands as root. This would allow you to, for instance, let a user be able to eject and mount removable media on your Linux box, but have no other root privileges. \family typewriter sudo \family default also keeps a log of all successful and unsuccessful sudo attempts, allowing you to track down who used what command to do what. For this reason \family typewriter sudo \family default works well even in places where a number of people have root access, because it helps you keep track of changes made. \layout Standard Although \family typewriter sudo \family default can be used to give specific users specific privileges for specific tasks, it does have several shortcomings. It should be used only for a limited set of tasks, like restarting a server, or adding new users. Any program that offers a shell escape will give root access to a user invoking it via \family typewriter sudo \family default . This includes most editors, for example. Also, a program as innocuous as \family typewriter /bin/cat \family default can be used to overwrite files, which could allow root to be exploited. Consider \family typewriter sudo \family default as a means for accountability, and don't expect it to replace the root user and still be secure. \layout Section Files and File system Security \begin_inset LatexCommand \label{file-security} \end_inset \layout Standard A few minutes of preparation and planning ahead before putting your systems on-line can help to protect them and the data stored on them. \begin_deeper \layout Itemize There should never be a reason for users' home directories to allow SUID/SGID programs to be run from there. Use the \family typewriter nosuid \family default option in \family typewriter /etc/fstab \family default for partitions that are writable by others than root. You may also wish to use \family typewriter nodev \family default and \family typewriter noexec \family default on users' home partitions, as well as \family typewriter /var \family default , thus prohibiting execution of programs, and creation of character or block devices, which should never be necessary anyway. \layout Itemize If you are exporting file-systems using NFS, be sure to configure \family typewriter /etc/exports \family default with the most restrictive access possible. This means not using wild cards, not allowing root write access, and exporting read-only wherever possible. \layout Itemize Configure your users' file-creation \family typewriter umask \family default to be as restrictive as possible. See \begin_inset LatexCommand \ref{ \end_inset umask \begin_inset LatexDel }{ \end_inset umask settings \begin_inset LatexDel } \end_inset . \layout Itemize If you are mounting file systems using a network file system such as NFS, be sure to configure /etc/exports with suitable restrictions. Typically, using `nodev', `nosuid', and perhaps `noexec', are desirable. \layout Itemize Set file system limits instead of allowing \family typewriter unlimited \family default as is the default. You can control the per-user limits using the resource-limits PAM module and \family typewriter /etc/pam.d/limits.conf \family default . For example, limits for group \family typewriter users \family default might look like this: \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator @users \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator hard \protected_separator \protected_separator core \protected_separator \protected_separator \protected_separator \protected_separator 0 \protected_separator \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator @users \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator hard \protected_separator \protected_separator nproc \protected_separator \protected_separator \protected_separator 50 \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator @users \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator hard \protected_separator \protected_separator rss \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 5000 \end_deeper \layout Standard This says to prohibit the creation of core files, restrict the number of processes to 50, and restrict memory usage per user to 5M. \layout Standard You can also use the /etc/login.defs configuration file to set the same limits. \layout Itemize The \family typewriter /var/log/wtmp \family default and \family typewriter /var/run/utmp \family default files contain the login records for all users on your system. Their integrity must be maintained because they can be used to determine when and from where a user (or potential intruder) has entered your system. These files should also have \family typewriter 644 \family default permissions, without affecting normal system operation. \layout Itemize The immutable bit can be used to prevent accidentally deleting or overwriting a file that must be protected. It also prevents someone from creating a hard link to the file. See the \family typewriter chattr \family default (1) man page for information on the immutable bit. \layout Itemize SUID and SGID files on your system are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs are not installed. A favorite trick of crackers is to exploit SUID-root programs, then leave a SUID program as a back door to get in the next time, even if the original hole is plugged. \layout Standard Find all SUID/SGID programs on your system, and keep track of what they are, so you are aware of any changes which could indicate a potential intruder. Use the following command to find all SUID/SGID programs on your system: \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator root# \protected_separator \protected_separator find \protected_separator / \protected_separator -type \protected_separator f \protected_separator \backslash \protected_separator ( \protected_separator -perm \protected_separator -04000 \protected_separator -o \protected_separator -perm \protected_separator -02000 \protected_separator \backslash \protected_separator ) \protected_separator \protected_separator \end_deeper \layout Standard The Debian distribution runs a job each night to determine what SUID files exist. It then compares this to the previous night's run. You can look in \family typewriter /var/log/setuid* \family default for this log. \layout Standard You can remove the SUID or SGID permissions on a suspicious program with \family typewriter chmod \family default , then restore them back if you absolutely feel it is necessary. \layout Itemize World-writable files, particularly system files, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he wishes. To locate all world-writable files on your system, use the following command: \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator root# \protected_separator find \protected_separator / \protected_separator -perm \protected_separator -2 \protected_separator ! \protected_separator -type \protected_separator l \protected_separator -ls \protected_separator \protected_separator \end_deeper \layout Standard and be sure you know why those files are writable. In the normal course of operation, several files will be world-writable, including some from \family typewriter /dev \family default , and symbolic links, thus the \family typewriter ! -type l \family default which excludes these from the previous \family typewriter find \family default command. \layout Itemize \layout Standard Unowned files may also be an indication an intruder has accessed your system. You can locate files on your system that have no owner, or belong to no group with the command: \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator root# \protected_separator find \protected_separator / \protected_separator -nouser \protected_separator -o \protected_separator -nogroup \protected_separator -print \protected_separator \protected_separator \end_deeper \layout Itemize Finding \family typewriter .rhosts \family default files should be a part of your regular system administration duties, as these files should not be permitted on your system. Remember, a cracker only needs one insecure account to potentially gain access to your entire network. You can locate all \family typewriter .rhosts \family default files on your system with the following command: \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator root# \protected_separator find \protected_separator /home \protected_separator -name \protected_separator .rhosts \protected_separator -print \protected_separator \protected_separator \end_deeper \layout Itemize \layout Standard Finally, before changing permissions on any system files, make sure you understand what you are doing. Never change permissions on a file because it seems like the easy way to get things working. Always determine why the file has that permission before changing it. \end_deeper \layout Subsection Umask Settings \begin_inset LatexCommand \label{umask} \end_inset \layout Standard The \family typewriter umask \family default command can be used to determine the default file creation mode on your system. It is the octal complement of the desired file mode. If files are created without any regard to their permissions settings, the user could inadvertently give read or write permission to someone that should not have this permission. Typical \family typewriter umask \family default settings include \family typewriter 022 \family default , \family typewriter 027 \family default , and \family typewriter 077 \family default (which is the most restrictive). Normally the umask is set in \family typewriter /etc/profile \family default , so it applies to all users on the system. The file creation mask can be calculated by subtracting the desired value from 777. In other words, a umask of 777 would cause newly-created files to contain no read, write or execute permission for anyone. A mask of 666 would cause newly-created files to have a mask of 111. For example, you may have a line that looks like this: \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator # \protected_separator Set \protected_separator the \protected_separator user's \protected_separator default \protected_separator umask \protected_separator \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator umask \protected_separator 033 \protected_separator \end_deeper \layout Standard Be sure to make root's umask \family typewriter 077 \family default , which will disable read, write, and execute permission for other users, unless explicitly changed using \family typewriter chmod \family default . In this case, newly-created directories would have 744 permissions, obtained by subtracting 033 from 777. Newly-created files using the 033 umask would have permissions of 644. \layout Standard If you are using Red Hat, and adhere to their user and group ID creation scheme (User Private Groups), it is only necessary to use \family typewriter 002 \family default for a \family typewriter umask \family default . This is due to the fact that the default configuration is one user per group. \layout Subsection File Permissions \layout Standard It's important to ensure that your system files are not open for casual editing by users and groups who shouldn't be doing such system maintenance. \layout Standard Unix separates access control on files and directories according to three characteristics: owner, group, and other. There is always exactly one owner, any number of members of the group, and everyone else. \layout Standard A quick explanation of Unix permissions: \layout Standard Ownership - Which user(s) and group(s) retain(s) control of the permission settings of the node and parent of the node \layout Standard Permissions - Bits capable of being set or reset to allow certain types of access to it. Permissions for directories may have a different meaning than the same set of permissions on files. \layout Standard \series bold Read: \series default \begin_deeper \layout Itemize To be able to view contents of a file \layout Itemize To be able to read a directory \end_deeper \layout Standard \series bold Write: \series default \begin_deeper \layout Itemize To be able to add to or change a file \layout Itemize To be able to delete or move files in a directory \end_deeper \layout Standard \series bold Execute: \series default \begin_deeper \layout Itemize To be able to run a binary program or shell script \layout Itemize To be able to search in a directory, combined with read permission \end_deeper \begin_deeper \layout Description Save \protected_separator Text \protected_separator Attribute: \protected_separator (For \protected_separator directories) \protected_separator The "sticky bit" also has a different meaning when applied to directories than when applied to files. If the sticky bit is set on a directory, then a user may only delete files that the he owns or for which he has explicit write permission granted, even when he has write access to the directory. This is designed for directories like \family typewriter /tmp \family default , which are world-writable, but where it may not be desirable to allow any user to delete files at will. The sticky bit is seen as a \family typewriter t \family default in a long directory listing. \end_deeper \begin_deeper \layout Description SUID \protected_separator Attribute: \protected_separator (For \protected_separator Files) \protected_separator This describes set-user-id permissions on the file. When the set user ID access mode is set in the owner permissions, and the file is executable, processes which run it are granted access to system resources based on user who owns the file, as opposed to the user who created the process. This is the cause of many "buffer overflow" exploits. \end_deeper \begin_deeper \layout Description SGID \protected_separator Attribute: \protected_separator (For \protected_separator Files) \protected_separator If set in the group permissions, this bit controls the "set group id" status of a file. This behaves the same way as SUID, except the group is affected instead. The file must be executable for this to have any effect. \end_deeper \begin_deeper \layout Description SGID \protected_separator Attribute: \protected_separator (For \protected_separator directories) \protected_separator If you set the SGID bit on a directory (with \family typewriter chmod g+s directory \family default ), files created in that directory will have their group set to the directory's group. \end_deeper \layout Standard You - The owner of the file \layout Standard Group - The group you belong to \layout Standard Everyone - Anyone on the system that is not the owner or a member of the group \layout Standard \series bold File Example: \series default \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator -rw-r--r-- \protected_separator \protected_separator 1 \protected_separator kevin \protected_separator \protected_separator users \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 114 \protected_separator Aug \protected_separator 28 \protected_separator \protected_separator 1997 \protected_separator .zlogin \protected_separator \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 1st \protected_separator bit \protected_separator - \protected_separator directory? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (no) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 2nd \protected_separator bit \protected_separator - \protected_separator read \protected_separator by \protected_separator owner? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator kevin) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 3rd \protected_separator bit \protected_separator - \protected_separator write \protected_separator by \protected_separator owner? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator kevin) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 4th \protected_separator bit \protected_separator - \protected_separator execute \protected_separator by \protected_separator owner? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (no) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 5th \protected_separator bit \protected_separator - \protected_separator read \protected_separator by \protected_separator group? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator users) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 6th \protected_separator bit \protected_separator - \protected_separator write \protected_separator by \protected_separator group? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (no) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 7th \protected_separator bit \protected_separator - \protected_separator execute \protected_separator by \protected_separator group? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (no) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 8th \protected_separator bit \protected_separator - \protected_separator read \protected_separator by \protected_separator everyone? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator everyone) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 9th \protected_separator bit \protected_separator - \protected_separator write \protected_separator by \protected_separator everyone? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (no) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 10th \protected_separator bit \protected_separator - \protected_separator execute \protected_separator by \protected_separator everyone? \protected_separator \protected_separator (no) \protected_separator \newline \protected_separator \end_deeper \layout Standard The following lines are examples of the minimum sets of permissions that are required to perform the access described. You may want to give more permission than what's listed here, but this should describe what these minimum permissions on files do: \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \newline -r-------- \protected_separator \protected_separator Allow \protected_separator read \protected_separator access \protected_separator to \protected_separator the \protected_separator file \protected_separator by \protected_separator owner \protected_separator \newline --w------- \protected_separator \protected_separator Allows \protected_separator the \protected_separator owner \protected_separator to \protected_separator modify \protected_separator or \protected_separator delete \protected_separator the \protected_separator file \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (Note \protected_separator that \protected_separator anyone \protected_separator with \protected_separator write \protected_separator permission \protected_separator to \protected_separator the \protected_separator directory \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator the \protected_separator file \protected_separator is \protected_separator in \protected_separator can \protected_separator overwrite \protected_separator it \protected_separator and \protected_separator thus \protected_separator delete \protected_separator it) \protected_separator \newline ---x------ \protected_separator \protected_separator The \protected_separator owner \protected_separator can \protected_separator execute \protected_separator this \protected_separator program, \protected_separator but \protected_separator not \protected_separator shell \protected_separator scripts, \protected_separator \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator which \protected_separator still \protected_separator need \protected_separator read \protected_separator permission \protected_separator \newline ---s------ \protected_separator \protected_separator Will \protected_separator execute \protected_separator with \protected_separator effective \protected_separator User \protected_separator ID \protected_separator = \protected_separator to \protected_separator owner \protected_separator \newline --------s- \protected_separator \protected_separator Will \protected_separator execute \protected_separator with \protected_separator effective \protected_separator Group \protected_separator ID \protected_separator = \protected_separator to \protected_separator group \protected_separator \newline -rw------T \protected_separator \protected_separator No \protected_separator update \protected_separator of \protected_separator "last \protected_separator modified \protected_separator time". \protected_separator \protected_separator Usually \protected_separator used \protected_separator for \protected_separator swap \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator files \protected_separator \newline ---t------ \protected_separator \protected_separator No \protected_separator effect. \protected_separator \protected_separator (formerly \protected_separator sticky \protected_separator bit) \protected_separator \newline \protected_separator \end_deeper \layout Standard \series bold Directory Example: \series default \begin_deeper \layout Verbatim \protected_separator \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator drwxr-xr-x \protected_separator \protected_separator 3 \protected_separator kevin \protected_separator \protected_separator users \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 512 \protected_separator Sep \protected_separator 19 \protected_separator 13:47 \protected_separator .public_html/ \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 1st \protected_separator bit \protected_separator - \protected_separator directory? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator it \protected_separator contains \protected_separator many \protected_separator files) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 2nd \protected_separator bit \protected_separator - \protected_separator read \protected_separator by \protected_separator owner? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator kevin) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 3rd \protected_separator bit \protected_separator - \protected_separator write \protected_separator by \protected_separator owner? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator kevin) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 4th \protected_separator bit \protected_separator - \protected_separator execute \protected_separator by \protected_separator owner? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator kevin) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 5th \protected_separator bit \protected_separator - \protected_separator read \protected_separator by \protected_separator group? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator users \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 6th \protected_separator bit \protected_separator - \protected_separator write \protected_separator by \protected_separator group? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (no) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 7th \protected_separator bit \protected_separator - \protected_separator execute \protected_separator by \protected_separator group? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator users) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 8th \protected_separator bit \protected_separator - \protected_separator read \protected_separator by \protected_separator everyone? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (yes, \protected_separator by \protected_separator everyone) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 9th \protected_separator bit \protected_separator - \protected_separator write \protected_separator by \protected_separator everyone? \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator (no) \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 10th \protected_separator bit \protected_separator - \protected_separator execute \protected_separator by \protected_separator everyone? \protected_separator \protected_separator (yes, \protected_separator by \protected_separator everyone) \protected_separator \newline \protected_separator \end_deeper \layout Standard The following lines are examples of the minimum sets of permissions that are required to perform the access described. You may want to give more permission than what's listed, but this should describe what these minimum permissions on directories do: \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \newline dr-------- \protected_separator \protected_separator The \protected_separator contents \protected_separator can \protected_separator be \protected_separator listed, \protected_separator but \protected_separator file \protected_separator attributes \protected_separator can't \protected_separator be \protected_separator read \protected_separator \newline d--x------ \protected_separator \protected_separator The \protected_separator directory \protected_separator can \protected_separator be \protected_separator entered, \protected_separator and \protected_separator used \protected_separator in \protected_separator full \protected_separator execution \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator paths \protected_separator \newline dr-x------ \protected_separator \protected_separator File \protected_separator attributes \protected_separator can \protected_separator be \protected_separator read \protected_separator by \protected_separator owner \protected_separator \newline d-wx------ \protected_separator \protected_separator Files \protected_separator can \protected_separator be \protected_separator created/deleted, \protected_separator even \protected_separator if \protected_separator the \protected_separator directory \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator isn't \protected_separator the \protected_separator current \protected_separator one \protected_separator \newline d------x-t \protected_separator \protected_separator Prevents \protected_separator files \protected_separator from \protected_separator deletion \protected_separator by \protected_separator others \protected_separator with \protected_separator write \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator access. \protected_separator Used \protected_separator on \protected_separator /tmp \protected_separator \newline d---s--s-- \protected_separator \protected_separator No \protected_separator effect \protected_separator \newline \protected_separator \end_deeper \layout Standard System configuration files (usually in \family typewriter /etc \family default ) are usually mode \family typewriter 640 \family default ( \family typewriter -rw-r----- \family default ), and owned by root. Depending on your site's security requirements, you might adjust this. Never leave any system files writable by a group or everyone. Some configuration files, including \family typewriter /etc/shadow \family default , should only be readable by root, and directories in \family typewriter /etc \family default should at least not be accessible by others. \begin_deeper \layout Description SUID \protected_separator Shell \protected_separator Scripts \protected_separator SUID shell scripts are a serious security risk, and for this reason the kernel will not honor them. Regardless of how secure you think the shell script is, it can be exploited to give the cracker a root shell. \end_deeper \layout Subsection Integrity Checking \layout Standard Another very good way to detect local (and also network) attacks on your system is to run an integrity checker like \family typewriter Tripwire \family default , \family typewriter Aide \family default or \family typewriter Osiris \family default . These integrety checkers run a number of checksums on all your important binaries and config files and compares them against a database of former, known-good values as a reference. Thus, any changes in the files will be flagged. \layout Standard It's a good idea to install these sorts of programs onto a floppy, and then physically set the write protect on the floppy. This way intruders can't tamper with the integrety checker itself or change the database. Once you have something like this setup, it's a good idea to run it as part of your normal security administration duties to see if anything has changed. \layout Standard You can even add a \family typewriter crontab \family default entry to run the checker from your floppy every night and mail you the results in the morning. Something like: \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator # \protected_separator set \protected_separator mailto \protected_separator \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator MAILTO=kevin \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator # \protected_separator run \protected_separator Tripwire \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator 15 \protected_separator 05 \protected_separator * \protected_separator * \protected_separator * \protected_separator root \protected_separator /usr/local/adm/tcheck/tripwire \protected_separator \protected_separator \end_deeper \layout Standard will mail you a report each morning at 5:15am. \layout Standard Integrity checkers can be a godsend to detecting intruders before you would otherwise notice them. Since a lot of files change on the average system, you have to be careful what is cracker activity and what is your own doing. \layout Standard You can find the freely available unsusported version of \family typewriter Tripwire \family default at \begin_inset LatexDel \htmlurl{ \end_inset http://www.tripwire.org \begin_inset LatexDel }{ \end_inset http://www.tripwire.org \begin_inset LatexDel } \end_inset , free of charge. Manuals and support can be purchased. \layout Standard \family typewriter Aide \family default can be found at \begin_inset LatexDel \htmlurl{ \end_inset http://www.cs.tut.fi/~rammer/aide.html \begin_inset LatexDel }{ \end_inset http://www.cs.tut.fi/~rammer/aide.html \begin_inset LatexDel } \end_inset . \layout Standard \family typewriter Osiris \family default can be found at \begin_inset LatexDel \htmlurl{ \end_inset http://www.shmoo.com/osiris/ \begin_inset LatexDel }{ \end_inset http://www.shmoo.com/osiris/ \begin_inset LatexDel } \end_inset . \layout Subsection Trojan Horses \layout Standard "Trojan Horses" are named after the fabled ploy in Homer's "Iliad". The idea is that a cracker distributes a program or binary that sounds great, and encourages other people to download it and run it as root. Then the program can compromise their system while they are not paying attention. While they think the binary they just pulled down does one thing (and it might very well), it also compromises their security. \layout Standard You should take care of what programs you install on your machine. RedHat provides MD5 checksums and PGP signatures on its RPM files so you can verify you are installing the real thing. Other distributions have similar methods. You should never run any unfamiliar binary, for which you don't have the source, as root! Few attackers are willing to release source code to public scrutiny. \layout Standard Although it can be complex, make sure you are getting the source for a program from its real distribution site. If the program is going to run as root, make sure either you or someone you trust has looked over the source and verified it. \layout Section Password Security and Encryption \begin_inset LatexCommand \label{password-security} \end_inset \layout Standard One of the most important security features used today are passwords. It is important for both you and all your users to have secure, unguessable passwords. Most of the more recent Linux distributions include \family typewriter passwd \family default programs that do not allow you to set a easily guessable password. Make sure your \family typewriter passwd \family default program is up to date and has these features. \layout Standard In-depth discussion of encryption is beyond the scope of this document, but an introduction is in order. Encryption is very useful, possibly even necessary in this day and age. There are all sorts of methods of encrypting data, each with its own set of characteristics. \layout Standard Most Unicies (and Linux is no exception) primarily use a one-way encryption algorithm, called DES (Data Encryption Standard) to encrypt your passwords. This encrypted password is then stored in (typically) \family typewriter /etc/passwd \family default (or less commonly) \family typewriter /etc/shadow \family default . When you attempt to login, the password you type in is encrypted again and compared with the entry in the file that stores your passwords. If they match, it must be the same password, and you are allowed access. Although DES is a two-way encryption algorithm (you can code and then decode a message, given the right keys), the variant that most Unixes use is one-way. This means that it should not be possible to reverse the encryption to get the password from the contents of \family typewriter /etc/passwd \family default (or \family typewriter /etc/shadow \family default ). \layout Standard Brute force attacks, such as "Crack" or "John the Ripper" (see Section \begin_inset LatexCommand \ref{ \end_inset crack \begin_inset LatexDel }{ \end_inset {refnam} \begin_inset LatexDel } \end_inset ) can often guess passwords unless your password is sufficiently random. PAM modules (see below) allow you to use a different encryption routine with your passwords (MD5 or the like). You can use Crack to your advantage, as well. Consider periodically running Crack against your own password database, to find insecure passwords. Then contact the offending user, and instruct him to change his password. \layout Standard You can go to \begin_inset LatexDel \htmlurl{ \end_inset http://consult.cern.ch/writeup/security/security_3.html \begin_inset LatexDel }{ \end_inset http://consult.cern.ch/writeup/security/security_3.html \begin_inset LatexDel } \end_inset for information on how to choose a good password. \layout Subsection PGP and Public-Key Cryptography \layout Standard Public-key cryptography, such as that used for PGP, uses one key for encryption, and one key for decryption. Traditional cryptography, however, uses the same key for encryption and decryption; this key must be known to both parties, and thus somehow transferred from one to the other securely. \layout Standard To alleviate the need to securely transmit the encryption key, public-key encryption uses two separate keys: a public key and a private key. Each person's public key is available by anyone to do the encryption, while at the same time each person keeps his or her private key to decrypt messages encrypted with the correct public key. \layout Standard There are advantages to both public key and private key cryptography, and you can read about those differences in \begin_inset LatexDel \url{ \end_inset http://www.rsa.com/rsalabs/newfaq/ \begin_inset LatexDel }{ \end_inset the RSA Cryptography FAQ \begin_inset LatexDel } \end_inset , listed at the end of this section. \layout Standard PGP (Pretty Good Privacy) is well-supported on Linux. Versions 2.6.2 and 5.0 are known to work well. For a good primer on PGP and how to use it, take a look at the PGP FAQ: \begin_inset LatexDel \htmlurl{ \end_inset http://www.pgp.com/service/export/faq/55faq.cgi \begin_inset LatexDel }{ \end_inset http://www.pgp.com/service/export/faq/55faq.cgi \begin_inset LatexDel } \end_inset \layout Standard Be sure to use the version that is applicable to your country. Due to export restrictions by the US Government, strong-encryption is prohibited from being transferred in electronic form outside the country. \layout Standard US export controls are now managed by EAR (Export Administration Regulations). They are no longer governed by ITAR. \layout Standard There is also a step-by-step guide for configuring PGP on Linux available at \begin_inset LatexDel \htmlurl{ \end_inset http://mercury.chem.pitt.edu/~angel/LinuxFocus/English/November1997/article7.html \begin_inset LatexDel }{ \end_inset http://mercury.chem.pitt.edu/~angel/LinuxFocus/English/November1997/article7.html \begin_inset LatexDel } \end_inset . It was written for the international version of PGP, but is easily adaptable to the United States version. You may also need a patch for some of the latest versions of Linux; the patch is available at \begin_inset LatexDel \htmlurl{ \end_inset ftp://metalab.unc.edu/pub/Linux/apps/crypto \begin_inset LatexDel }{ \end_inset ftp://metalab.unc.edu/pub/Linux/apps/crypto \begin_inset LatexDel } \end_inset . \layout Standard There is a project maintaining a free re-implementation of pgp with open source. GnuPG is a complete and free replacement for PGP. Because it does not use IDEA or RSA it can be used without any restrictions. GnuPG is in compliance with \begin_inset LatexDel \htmlurl{ \end_inset http://www.faqs.org/rfcs/rfc2440.html \begin_inset LatexDel }{ \end_inset OpenPGP \begin_inset LatexDel } \end_inset . See the GNU Privacy Guard web page for more information: \begin_inset LatexDel \htmlurl{ \end_inset http://www.gnupg.org \begin_inset LatexDel }{ \end_inset http://www.gnupg.org/ \begin_inset LatexDel } \end_inset . \layout Standard More information on cryptography can be found in the RSA cryptography FAQ, available at \begin_inset LatexDel \htmlurl{ \end_inset http://www.rsa.com/rsalabs/newfaq/ \begin_inset LatexDel }{ \end_inset http://www.rsa.com/rsalabs/newfaq/ \begin_inset LatexDel } \end_inset . Here you will find information on such terms as "Diffie-Hellman", "public-key cryptography", "digital certificates", etc. \layout Subsection SSL, S-HTTP and S/MIME \layout Standard Often users ask about the differences between the various security and encryption protocols, and how to use them. While this isn't an encryption document, it is a good idea to explain briefly what each protocol is, and where to find more information. \begin_deeper \layout Itemize \series bold SSL: \series default - SSL, or Secure Sockets Layer, is an encryption method developed by Netscape to provide security over the Internet. It supports several different encryption protocols, and provides client and server authentication. SSL operates at the transport layer, creates a secure encrypted channel of data, and thus can seamlessly encrypt data of many types. This is most commonly seen when going to a secure site to view a secure online document with Communicator, and serves as the basis for secure communications with Communicator, as well as many other Netscape Communications data encryption. More information can be found at \begin_inset LatexDel \htmlurl{ \end_inset http://www.consensus.com/security/ssl-talk-faq.html \begin_inset LatexDel }{ \end_inset http://www.consensus.com/security/ssl-talk-faq.html \begin_inset LatexDel } \end_inset . Information on Netscape's other security implementations, and a good starting point for these protocols is available at \begin_inset LatexDel \htmlurl{ \end_inset http://home.netscape.com/info/security-doc.html \begin_inset LatexDel }{ \end_inset http://home.netscape.com/info/security-doc.html \begin_inset LatexDel } \end_inset . It's also worth noting that the SSL protocol can be used to pass many other common protocols, "wrapping" them for security. See \begin_inset LatexDel \htmlurl{ \end_inset http://www.quiltaholic.com/rickk/sslwrap/ \begin_inset LatexDel }{ \end_inset http://www.quiltaholic.com/rickk/sslwrap/ \begin_inset LatexDel } \end_inset \layout Itemize \series bold S-HTTP: \series default - S-HTTP is another protocol that provides security services across the Internet. It was designed to provide confidentiality, authentication, integrity, and non-repudiability [ cannot be mistaken for someone else] while supporting multiple key-management mechanisms and cryptographic algorithms via option negotiation between the parties involved in each transaction. S-HTTP is limited to the specific software that is implementing it, and encrypts each message individually. [ From RSA Cryptography FAQ, page 138] \layout Itemize \series bold S/MIME: \series default - S/MIME, or Secure Multipurpose Internet Mail Extension, is an encryption standard used to encrypt electronic mail and other types of messages on the Internet. It is an open standard developed by RSA, so it is likely we will see it on Linux one day soon. More information on S/MIME can be found at \begin_inset LatexDel \htmlurl{ \end_inset http://home.netscape.com/assist/security/smime/overview.html \begin_inset LatexDel }{ \end_inset http://home.netscape.com/assist/security/smime/overview.html \begin_inset LatexDel } \end_inset . \end_deeper \layout Subsection Linux IPSEC Implementations \layout Standard Along with CIPE, and other forms of data encryption, there are also several other implementations of IPSEC for Linux. IPSEC is an effort by the IETF to create cryptographically-secure communications at the IP network level, and to provide authentication, integrity, access control, and confidentiality. Information on IPSEC and Internet draft can be found at \begin_inset LatexDel \htmlurl{ \end_inset http://www.ietf.org/html.charters/ipsec-charter.html \begin_inset LatexDel }{ \end_inset http://www.ietf.org/html.charters/ipsec-charter.html \begin_inset LatexDel } \end_inset . You can also find links to other protocols involving key management, and an IPSEC mailing list and archives. \layout Standard The x-kernel Linux implementation, which is being developed at the University of Arizona, uses an object-based framework for implementing network protocols called x-kernel, and can be found at \begin_inset LatexDel \htmlurl{ \end_inset http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html \begin_inset LatexDel }{ \end_inset http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html \begin_inset LatexDel } \end_inset . Most simply, the x-kernel is a method of passing messages at the kernel level, which makes for an easier implementation. \layout Standard Another freely-available IPSEC implementation is the Linux FreeS/WAN IPSEC. Their web page states, \layout Quote "These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPSEC gateway machine and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet." \layout Standard It's available for download from \begin_inset LatexDel \htmlurl{ \end_inset http://www.xs4all.nl/~freeswan/ \begin_inset LatexDel }{ \end_inset http://www.xs4all.nl/~freeswan/ \begin_inset LatexDel } \end_inset , and has just reached 1.0 at the time of this writing. \layout Standard As with other forms of cryptography, it is not distributed with the kernel by default due to export restrictions. \layout Subsection \family typewriter ssh \family default (Secure Shell) and \family typewriter stelnet \family default \begin_inset LatexCommand \label{ssh} \end_inset \layout Standard \family typewriter ssh \family default and \family typewriter stelnet \family default are suites of programs that allow you to login to remote systems and have a encrypted connection. \layout Standard \family typewriter openssh \family default is a suite of programs used as a secure replacement for \family typewriter rlogin \family default , \family typewriter rsh \family default and \family typewriter rcp \family default . It uses public-key cryptography to encrypt communications between two hosts, as well as to authenticate users. It can be used to securely login to a remote host or copy data between hosts, while preventing man-in-the-middle attacks (session hijacking) and DNS spoofing. It will perform data compression on your connections, and secure X11 communications between hosts. \layout Standard There are several ssh implementiations now. The original commercial implementation by Data Fellows can be found at The \family typewriter ssh \family default home page can be found at \begin_inset LatexDel \htmlurl{ \end_inset http://www.datafellows.com \begin_inset LatexDel }{ \end_inset http://www.datafellows.com \begin_inset LatexDel } \end_inset . \layout Standard The excellent Openssh implementation is based on a early version of the datafellows ssh and has been totally reworked to not include any patented or proprietary pieces. It is free and under a BSD license. It can be found at: \begin_inset LatexDel \htmlurl{ \end_inset http://www.openssh.com \begin_inset LatexDel }{ \end_inset http://www.openssh.com \begin_inset LatexDel } \end_inset . \layout Standard There is also a open source project to re-implement ssh from the ground up called "psst...". For more information see: \begin_inset LatexDel \htmlurl{ \end_inset http://www.net.lut.ac.uk/psst/ \begin_inset LatexDel }{ \end_inset http://www.net.lut.ac.uk/psst/ \begin_inset LatexDel } \end_inset \layout Standard You can also use \family typewriter ssh \family default from your Windows workstation to your Linux \family typewriter ssh \family default server. There are several freely available Windows client implementations, including the one at \begin_inset LatexDel \htmlurl{ \end_inset http://guardian.htu.tuwien.ac.at/therapy/ssh/ \begin_inset LatexDel }{ \end_inset http://guardian.htu.tuwien.ac.at/therapy/ssh/ \begin_inset LatexDel } \end_inset as well as a commercial implementation from DataFellows, at \begin_inset LatexDel \htmlurl{ \end_inset http://www.datafellows.com \begin_inset LatexDel }{ \end_inset http://www.datafellows.com \begin_inset LatexDel } \end_inset . \layout Standard SSLeay is a free implementation of Netscape's Secure Sockets Layer protocol, developed by Eric Young. It includes several applications, such as Secure telnet, a module for Apache, several databases, as well as several algorithms including DES, IDEA and Blowfish. \layout Standard Using this library, a secure telnet replacement has been created that does encryption over a telnet connection. Unlike SSH, stelnet uses SSL, the Secure Sockets Layer protocol developed by Netscape. You can find Secure telnet and Secure FTP by starting with the SSLeay FAQ, available at \begin_inset LatexDel \htmlurl{ \end_inset http://www.psy.uq.oz.au/~ftp/Crypto/ \begin_inset LatexDel }{ \end_inset http://www.psy.uq.oz.au/~ftp/Crypto/ \begin_inset LatexDel } \end_inset . \layout Standard SRP is another secure telnet/ftp implementation. From their web page: \layout Quote "The SRP project is developing secure Internet software for free worldwide use. Starting with a fully-secure Telnet and FTP distribution, we hope to supplant weak networked authentication systems with strong replacements that do not sacrifice user-friendliness for security. Security should be the default, not an option!" \layout Standard For more information, go to \begin_inset LatexDel \htmlurl{ \end_inset http://www-cs-students.stanford.edu/~tjw/srp/ \begin_inset LatexDel }{ \end_inset http://www-cs-students.stanford.edu/~tjw/srp/ \begin_inset LatexDel } \end_inset \layout Subsection PAM - Pluggable Authentication Modules \layout Standard Newer versions of the Red Hat Linux and Debian Linux distributions ship with a unified authentication scheme called "PAM". PAM allows you to change your authentication methods and requirements on the fly, and encapsulate all local authentication methods without recompiling any of your binaries. Configuration of PAM is beyond the scope of this document, but be sure to take a look at the PAM web site for more information. \begin_inset LatexDel \htmlurl{ \end_inset http://www.kernel.org/pub/linux/libs/pam/index.html \begin_inset LatexDel }{ \end_inset http://www.kernel.org/pub/linux/libs/pam/index.html \begin_inset LatexDel } \end_inset . \layout Standard Just a few of the things you can do with PAM: \begin_deeper \layout Itemize Use encryption other than DES for your passwords. (Making them harder to brute-force decode) \layout Itemize Set resource limits on all your users so they can't perform denial-of-service attacks (number of processes, amount of memory, etc) \layout Itemize Enable shadow passwords (see below) on the fly \layout Itemize allow specific users to login only at specific times from specific places \end_deeper \layout Standard Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of \family typewriter .rhosts \family default files in user's home directories by adding these lines to \family typewriter /etc/pam.d/rlogin \family default : \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator # \protected_separator \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator # \protected_separator Disable \protected_separator rsh/rlogin/rexec \protected_separator for \protected_separator users \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator # \protected_separator \newline \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator login \protected_separator auth \protected_separator required \protected_separator pam_rhosts_auth.so \protected_separator no_rhosts \protected_separator \end_deeper \layout Subsection Cryptographic IP Encapsulation (CIPE) \layout Standard The primary goal of this software is to provide a facility for secure (against eavesdropping, including traffic analysis, and faked message injection) subnetwork interconnection across an insecure packet network such as the Internet. \layout Standard CIPE encrypts the data at the network level. Packets traveling between hosts on the network are encrypted. The encryption engine is placed near the driver which sends and receives packets. \layout Standard This is unlike SSH, which encrypts the data by connection, at the socket level. A logical connection between programs running on different hosts is encrypted. \layout Standard CIPE can be used in tunnelling, in order to create a Virtual Private Network. Low-level encryption has the advantage that it can be made to work transparently between the two networks connected in the VPN, without any change to application software. \layout Standard Summarized from the CIPE documentation: \layout Quote The IPSEC standards define a set of protocols which can be used (among other things) to build encrypted VPNs. However, IPSEC is a rather heavyweight and complicated protocol set with a lot of options, implementations of the full protocol set are still rarely used and some issues (such as key management) are still not fully resolved. CIPE uses a simpler approach, in which many things which can be parameterized (such as the choice of the actual encryption algorithm used) are an install-time fixed choice. This limits flexibility, but allows for a simple (and therefore efficient, easy to debug...) implementation. \layout Standard Further information can be found at \begin_inset LatexDel \htmlurl{ \end_inset http://www.inka.de/~bigred/devel/cipe.html \begin_inset LatexDel }{ \end_inset http://www.inka.de/~bigred/devel/cipe.html \begin_inset LatexDel } \end_inset \layout Standard As with other forms of cryptography, it is not distributed with the kernel by default due to export restrictions. \layout Subsection Kerberos \layout Standard Kerberos is an authentication system developed by the Athena Project at MIT. When a user logs in, Kerberos authenticates that user (using a password), and provides the user with a way to prove her identity to other servers and hosts scattered around the network. \layout Standard This authentication is then used by programs such as \family typewriter rlogin \family default to allow the user to login to other hosts without a password (in place of the \family typewriter .rhosts \family default file). This authentication method can also used by the mail system in order to guarantee that mail is delivered to the correct person, as well as to guarantee that the sender is who he claims to be. \layout Standard Kerberos and the other programs that come with it, prevent users from "spoofing" the system into believing they are someone else. Unfortunately, installing Kerberos is very intrusive, requiring the modification or replacement of numerous standard programs. \layout Standard You can find more information about kerberos by looking at \begin_inset LatexDel \htmlurl{ \end_inset http://www.cis.ohio-state.edu/hypertext/faq/usenet/kerberos-faq/general/faq.html \begin_inset LatexDel }{ \end_inset the kerberos FAQ \begin_inset LatexDel } \end_inset , and the code can be found at \begin_inset LatexDel \htmlurl{ \end_inset http://nii.isi.edu/info/kerberos/ \begin_inset LatexDel }{ \end_inset http://nii.isi.edu/info/kerberos/ \begin_inset LatexDel } \end_inset . \layout Standard [From: Stein, Jennifer G., Clifford Neuman, and Jeffrey L. Schiller. "Kerberos: An Authentication Service for Open Network Systems." USENIX Conference Proceedings, Dallas, Texas, Winter 1998.] \layout Standard Kerberos should not be your first step in improving security of your host. It is quite involved, and not as widely used as, say, SSH. \layout Subsection Shadow Passwords. \layout Standard Shadow passwords are a means of keeping your encrypted password information secret from normal users. Recent versions of both Red Hat and Debian Linux use shadow passwords by default, but on other systems, encrypted passwords are stored in \family typewriter /etc/passwd \family default file for all to read. Anyone can then run password-guesser programs on them and attempt to determine what they are. Shadow passwords, by contrast, are saved in \family typewriter /etc/shadow \family default , which only privileged users can read. In order to use shadow passwords, you need to make sure all your utilities that need access to password information are recompiled to support them. PAM (above) also allows you to just plug in a shadow module; it doesn't require re-compilation of executables. You can refer to the Shadow-Password HOWTO for further information if necessary. It is available at \begin_inset LatexDel \htmlurl{ \end_inset http://metalab.unc.edu/LDP/HOWTO/Shadow-Password-HOWTO.html \begin_inset LatexDel }{ \end_inset http://metalab.unc.edu/LDP/HOWTO/Shadow-Password-HOWTO.html \begin_inset LatexDel } \end_inset It is rather dated now, and will not be required for distributions supporting PAM. \layout Subsection "Crack" and "John the Ripper" \begin_inset LatexCommand \label{crack} \end_inset \layout Standard If for some reason your \family typewriter passwd \family default program is not enforcing hard-to-guess passwords, you might want to run a password-cracking program and make sure your users' passwords are secure. \layout Standard Password cracking programs work on a simple idea: they try every word in the dictionary, and then variations on those words, encrypting each one and checking it against your encrypted password. If they get a match they know what your password is. \layout Standard There are a number of programs out there...the two most notable of which are "Crack" and "John the Ripper" (\begin_inset LatexDel \htmlurl{ \end_inset http://www.openwall.com/john/ \begin_inset LatexDel }{ \end_inset http://www.openwall.com/john/ \begin_inset LatexDel } \end_inset ) . They will take up a lot of your CPU time, but you should be able to tell if an attacker could get in using them by running them first yourself and notifying users with weak passwords. Note that an attacker would have to use some other hole first in order to read your \family typewriter /etc/passwd \family default file, but such holes are more common than you might think. \layout Standard Because security is only as strong as the most insecure host, it is worth mentioning that if you have any Windows machines on your network, you should check out L0phtCrack, a Crack implementation for Windows. It's available from \begin_inset LatexDel \htmlurl{ \end_inset http://www.l0pht.com \begin_inset LatexDel }{ \end_inset http://www.l0pht.com \begin_inset LatexDel } \end_inset \layout Subsection CFS - Cryptographic File System and TCFS - Transparent Cryptographic File System \layout Standard CFS is a way of encrypting entire directory trees and allowing users to store encrypted files on them. It uses an NFS server running on the local machine. RPMS are available at \begin_inset LatexDel \htmlurl{ \end_inset http://www.zedz.net/redhat/ \begin_inset LatexDel }{ \end_inset http://www.zedz.net/redhat/ \begin_inset LatexDel } \end_inset , and more information on how it all works is at \begin_inset LatexDel \htmlurl{ \end_inset ftp://ftp.research.att.com/dist/mab/ \begin_inset LatexDel }{ \end_inset ftp://ftp.research.att.com/dist/mab/ \begin_inset LatexDel } \end_inset . \layout Standard TCFS improves on CFS by adding more integration with the file system, so that it's transparent to users that the file system that is encrypted. More information at: \begin_inset LatexDel \htmlurl{ \end_inset http://www.tcfs.it/ \begin_inset LatexDel }{ \end_inset http://www.tcfs.it/ \begin_inset LatexDel } \end_inset . \layout Standard It also need not be used on entire file systems. It works on directory trees as well. \layout Subsection X11, SVGA and display security \layout Subsubsection X11 \layout Standard It's important for you to secure your graphical display to prevent attackers from grabbing your passwords as you type them, reading documents or information you are reading on your screen, or even using a hole to gain root access. Running remote X applications over a network also can be fraught with peril, allowing sniffers to see all your interaction with the remote system. \layout Standard X has a number of access-control mechanisms. The simplest of them is host-based: you use \family typewriter xhost \family default to specify the hosts that are allowed access to your display. This is not very secure at all, because if someone has access to your machine, they can \family typewriter xhost + their machine \family default and get in easily. Also, if you have to allow access from an untrusted machine, anyone there can compromise your display. \layout Standard When using \family typewriter xdm \family default (X Display Manager) to log in, you get a much better access method: MIT-MAGIC-COOKIE-1. A 128-bit "cookie" is generated and stored in your \family typewriter .Xauthority \family default file. If you need to allow a remote machine access to your display, you can use the \family typewriter xauth \family default command and the information in your \family typewriter .Xauthority \family default file to provide access to only that connection. See the Remote-X-Apps mini-howto, available at \begin_inset LatexDel \htmlurl{ \end_inset http://metalab.unc.edu/LDP/HOWTO/mini/Remote-X-Apps.html \begin_inset LatexDel }{ \end_inset http://metalab.unc.edu/LDP/HOWTO/mini/Remote-X-Apps.html \begin_inset LatexDel } \end_inset . \layout Standard You can also use \family typewriter ssh \family default (see \begin_inset LatexCommand \ref{ \end_inset ssh \begin_inset LatexDel }{ \end_inset {refnam} \begin_inset LatexDel } \end_inset , above) to allow secure X connections. This has the advantage of also being transparent to the end user, and means that no unencrypted data flows across the network. \layout Standard You can also disable any remote connections to your X server by using the '-nolisten tcp' options to your X server. This will prevent any network connections to your server over tcp sockets. \layout Standard Take a look at the \family typewriter Xsecurity \family default man page for more information on X security. The safe bet is to use \family typewriter xdm \family default to login to your console and then use \family typewriter ssh \family default to go to remote sites on which you wish to run X programs. \layout Subsubsection SVGA \layout Standard SVGAlib programs are typically SUID-root in order to access all your Linux machine's video hardware. This makes them very dangerous. If they crash, you typically need to reboot your machine to get a usable console back. Make sure any SVGA programs you are running are authentic, and can at least be somewhat trusted. Even better, don't run them at all. \layout Subsubsection GGI (Generic Graphics Interface project) \layout Standard The Linux GGI project is trying to solve several of the problems with video interfaces on Linux. GGI will move a small piece of the video code into the Linux kernel, and then control access to the video system. This means GGI will be able to restore your console at any time to a known good state. They will also allow a secure attention key, so you can be sure that there is no Trojan horse \family typewriter login \family default program running on your console. \begin_inset LatexDel \htmlurl{ \end_inset http://synergy.caltech.edu/~ggi/ \begin_inset LatexDel }{ \end_inset http://synergy.caltech.edu/~ggi/ \begin_inset LatexDel } \end_inset \layout Section Kernel Security \begin_inset LatexCommand \label{kernel-security} \end_inset \layout Standard This is a description of the kernel configuration options that relate to security, and an explanation of what they do, and how to use them. \layout Standard As the kernel controls your computer's networking, it is important that it be very secure, and not be compromised. To prevent some of the latest networking attacks, you should try to keep your kernel version current. You can find new kernels at \begin_inset LatexDel \url{ \end_inset ftp://ftp.kernel.org \begin_inset LatexDel }{ \end_inset {urlnam} \begin_inset LatexDel } \end_inset or from your distribution vendor. \layout Standard There is also a international group providing a single unified crypto patch to the mainstream Linux kernel. This patch provides support for a number of cryptographic subsystems and things that cannot be included in the mainstream kernel due to export restrictions. For more information, visit their web page at: \begin_inset LatexDel \htmlurl{ \end_inset http://www.kerneli.org \begin_inset LatexDel }{ \end_inset http://www.kerneli.org \begin_inset LatexDel } \end_inset \layout Subsection 2.0 Kernel Compile Options \layout Standard For 2.0.x kernels, the following options apply. You should see these options during the kernel configuration process. Many of the comments here are from \family typewriter ./linux/Documentation/Configure.help \family default , which is the same document that is referenced while using the Help facility during the \family typewriter make config \family default stage of compiling the kernel. \begin_deeper \layout Itemize Network Firewalls (CONFIG_FIREWALL) \layout Standard This option should be on if you intend to run any firewalling or masquerading on your Linux machine. If it's just going to be a regular client machine, it's safe to say no. \layout Itemize IP: forwarding/gatewaying (CONFIG_IP_FORWARD) \layout Standard If you enable IP forwarding, your Linux box essentially becomes a router. If your machine is on a network, you could be forwarding data from one network to another, and perhaps subverting a firewall that was put there to prevent this from happening. Normal dial-up users will want to disable this, and other users should concentrate on the security implications of doing this. Firewall machines will want this enabled, and used in conjunction with firewall software. \layout Standard You can enable IP forwarding dynamically using the following command: \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator root# \protected_separator \protected_separator echo \protected_separator 1 \protected_separator > \protected_separator /proc/sys/net/ipv4/ip_forward \protected_separator \protected_separator \end_deeper \layout Standard and disable it with the command: \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator root# \protected_separator \protected_separator echo \protected_separator 0 \protected_separator > \protected_separator /proc/sys/net/ipv4/ip_forward \protected_separator \protected_separator \end_deeper \layout Standard Keep in mind the files in /proc are "virtual" files and the shown size of the file might not reflect the data output from it. \layout Itemize IP: syn cookies (CONFIG_SYN_COOKIES) \layout Standard a "SYN Attack" is a denial of service (DoS) attack that consumes all the resources on your machine, forcing you to reboot. We can't think of a reason you wouldn't normally enable this. In the 2.2.x kernel series this config option merely allows syn cookies, but does not enable them. To enable them, you have to do: \layout Standard \begin_deeper \layout Verbatim \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator \protected_separator root# \protected_separator echo \protected_separator 1 \protected_separator > \protected_separator /proc/sys/net/ipv4/tcp_syncookies \protected_separator
\protected_separator
\protected_separator
\end_deeper
\layout Itemize
IP: Firewalling
(CONFIG_IP_FIREWALL)
\layout Standard
This option is necessary if you are going to configure your machine as
a firewall, do masquerading, or wish to protect your dial-up
workstation from someone entering via your PPP dial-up interface.
\layout Itemize
IP: firewall packet logging
(CONFIG_IP_FIREWALL_VERBOSE)
\layout Standard
This option gives you information about packets your firewall
received, like sender, recipient, port, etc.
\layout Itemize
IP: Drop source routed frames
(CONFIG_IP_NOSR)
\layout Standard
This option should be enabled. Source routed frames contain the
entire path to their destination inside of the packet. This means
that routers through which the packet goes do not need to inspect it,
and just forward it on. This could lead to data entering your system
that may be a potential exploit.
\layout Itemize
IP: masquerading
(CONFIG_IP_MASQUERADE)
If one of the computers on your local network for which your Linux
box acts as a firewall wants to send something to the outside, your
box can "masquerade" as that host, i.e., it forewords the traffic
to the intended destination, but makes it look like it came from the
firewall box itself. See \begin_inset LatexDel \htmlurl{
\end_inset
http://www.indyramp.com/masq
\begin_inset LatexDel }{
\end_inset
http://www.indyramp.com/masq
\begin_inset LatexDel }
\end_inset
for more information.
\layout Itemize
IP: ICMP masquerading
(CONFIG_IP_MASQUERADE_ICMP)
This option adds ICMP masquerading to the previous option of only
masquerading TCP or UDP traffic.
\layout Itemize
IP: transparent proxy support
(CONFIG_IP_TRANSPARENT_PROXY)
This enables your Linux firewall to transparently redirect any
network traffic originating from the local network and
destined for a remote host to a local server, called a "transparent
proxy server". This makes the local computers think they are talking
to the remote end, while in fact they are connected to the local proxy.
See the IP-Masquerading HOWTO and \begin_inset LatexDel \htmlurl{
\end_inset
http://www.indyramp.com/masq
\begin_inset LatexDel }{
\end_inset
http://www.indyramp.com/masq
\begin_inset LatexDel }
\end_inset
for more information.
\layout Itemize
IP: always defragment
(CONFIG_IP_ALWAYS_DEFRAG)
\layout Standard
Generally this option is disabled, but if you are building a firewall
or a masquerading host, you will want to enable it. When data is sent
from one host to another, it does not always get sent as a single
packet of data, but rather it is fragmented into several pieces. The
problem with this is that the port numbers are only stored in the
first fragment. This means that someone can insert information into
the remaining packets that isn't supposed to be there.
It could also prevent a teardrop attack against an internal
host that is not yet itself patched against it.
\layout Itemize
Packet Signatures
(CONFIG_NCPFS_PACKET_SIGNING)
\layout Standard
This is an option that is available in the 2.2.x kernel series that will
sign NCP packets for stronger security. Normally you can leave it
off, but it is there if you do need it.
\layout Itemize
IP: Firewall packet netlink device
(CONFIG_IP_FIREWALL_NETLINK)
\layout Standard
This is a really neat option that allows you to analyze the first 128
bytes of the packets in a user-space program, to determine if you would
like to accept or deny the packet, based on its validity.
\end_deeper
\layout Subsection
2.2 Kernel Compile Options
\layout Standard
For 2.2.x kernels, many of the options are the same, but a few new
ones have been developed. Many of the comments here are from
\family typewriter ./linux/Documentation/Configure.help
\family default , which is the same
document that is referenced while using the Help facility during
the
\family typewriter make config
\family default stage of compiling the kernel. Only the newly-
added options are listed below. Consult the 2.0 description for a
list of other necessary options. The most significant change in the
2.2 kernel series is the IP firewalling code. The
\family typewriter ipchains
\family default
program is now used to install IP firewalling, instead of the
\family typewriter ipfwadm
\family default program used in the 2.0 kernel.
\begin_deeper
\layout Itemize
Socket Filtering
(CONFIG_FILTER)
\layout Standard
For most people, it's safe to say no to this option. This option
allows you to connect a user-space filter to any socket and determine
if packets should be allowed or denied. Unless you have a very
specific need and are capable of programming such a filter, you should
say no. Also note that as of this writing, all protocols were
supported except TCP.
\layout Itemize
Port Forwarding
\layout Standard
Port Forwarding is an addition to IP Masquerading which allows some
forwarding of packets from outside to inside a firewall on given
ports. This could be useful if, for example, you want to run a web
server behind the firewall or masquerading host and that web server
should be accessible from the outside world. An external client
sends a request to port 80 of the firewall, the firewall forwards
this request to the web server, the web server handles the request
and the results are sent through the firewall to the original
client. The client thinks that the firewall machine itself is
running the web server. This can also be used for load balancing if
you have a farm of identical web servers behind the firewall.
\layout Standard
Information about this feature is available from
http://www.monmouth.demon.co.uk/ipsubs/portforwarding.html (to
browse the WWW, you need to have access to a machine on the Internet
that has a program like lynx or Netscape). For general info, please
see ftp://ftp.compsoc.net/users/steve/ipportfw/linux21/
\layout Itemize
Socket Filtering
(CONFIG_FILTER)
\layout Standard
Using this option, user-space programs can attach a filter to any
socket and thereby tell the kernel that it should allow or disallow
certain types of data to get through the socket. Linux socket
filtering works on all socket types except TCP for now. See the
text file
\family typewriter ./linux/Documentation/networking/filter.txt
\family default for
more information.
\layout Itemize
IP: Masquerading
\layout Standard
The 2.2 kernel masquerading has been improved. It provides additional
support for masquerading special protocols, etc. Be sure to read
the IP Chains HOWTO for more information.
\end_deeper
\layout Subsection
Kernel Devices
\layout Standard
There are a few block and character devices available on Linux that
will also help you with security.
\layout Standard
The two devices
\family typewriter /dev/random
\family default and
\family typewriter /dev/urandom
\family default are provided by the
kernel to provide random data at any time.
\layout Standard
Both
\family typewriter /dev/random
\family default and
\family typewriter /dev/urandom
\family default should be secure enough to use in
generating PGP keys,
\family typewriter ssh
\family default challenges, and other applications where
secure random numbers are required. Attackers should be unable to
predict the next number given any initial sequence of numbers from these
sources. There has been a lot of effort put in to ensuring that the
numbers you get from these sources are random in every sense of the word.
\layout Standard
The only difference between the two devices, is that
\family typewriter /dev/random
\family default runs out of random bytes
and it makes you wait for more to be accumulated. Note that on some
systems, it can block for a long time waiting for new user-generated
entropy to be entered into the system. So you have to use care before
using
\family typewriter /dev/random
\family default . (Perhaps the best thing to do is to use it when
you're generating sensitive keying information, and you tell the user to
pound on the keyboard repeatedly until you print out "OK, enough".)
\layout Standard
\family typewriter /dev/random
\family default is high quality entropy, generated from measuring the
inter-interrupt times etc. It blocks until enough bits of random data
are available.
\layout Standard
\family typewriter /dev/urandom
\family default is similar, but when the store of entropy is running low,
it'll return a cryptographically strong hash of what there is. This
isn't as secure, but it's enough for most applications.
\layout Standard
You might read from the devices using something like:
\layout Standard
\begin_deeper
\layout Verbatim
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
root#
\protected_separator
\protected_separator
head
\protected_separator
-c
\protected_separator
6
\protected_separator
/dev/urandom
\protected_separator
|
\protected_separator
mimencode
\protected_separator
\protected_separator
\end_deeper
\layout Standard
This will print six random characters on the console, suitable for
password generation. You can find
\family typewriter mimencode
\family default in the
\family typewriter metamail
\family default
package.
\layout Standard
See
\family typewriter /usr/src/linux/drivers/char/random.c
\family default for a description of the
algorithm.
\layout Standard
Thanks to Theodore Y. Ts'o, Jon Lewis, and others from Linux-kernel
for helping me (Dave) with this.
\layout Section
Network Security
\begin_inset LatexCommand \label{network-security}
\end_inset
\layout Standard
Network security is becoming more and more important as people spend
more and more time connected. Compromising network security is often
much easier than compromising physical or local security, and is much more common.
\layout Standard
There are a number of good tools to assist with network security, and
more and more of them are shipping with Linux distributions.
\layout Subsection
Packet Sniffers
\layout Standard
One of the most common ways intruders gain access to more systems on
your network is by employing a packet sniffer on a already compromised
host. This "sniffer" just listens on the Ethernet port for things like
\family typewriter passwd
\family default and
\family typewriter login
\family default and
\family typewriter su
\family default in the packet stream
and then logs the traffic after that. This way, attackers gain passwords
for systems they are not even attempting to break into. Clear-text
passwords are very vulnerable to this attack.
\layout Standard
Example: Host A has been compromised. Attacker installs a
sniffer. Sniffer picks up admin logging into Host B from Host C. It
gets the admins personal password as they login to B. Then, the admin
does a
\family typewriter su
\family default to fix a problem. They now have the root password for Host
B. Later the admin lets someone
\family typewriter telnet
\family default from his account to Host Z on
another site. Now the attacker has a password/login on Host Z.
\layout Standard
In this day and age, the attacker doesn't even need to compromise a
system to do this: they could also bring a laptop or pc into a
building and tap into your net.
\layout Standard
Using
\family typewriter ssh
\family default or other encrypted password methods thwarts this
attack. Things like APOP for POP accounts also prevents this
attack. (Normal POP logins are very vulnerable to this, as is anything
that sends clear-text passwords over the network.)
\layout Subsection
System services and tcp_wrappers
\layout Standard
Before you put your Linux system on
\shape italic ANY
\shape default network the first thing to
look at is what services you need to offer. Services that you do not
need to offer should be disabled so that you have one less thing to
worry about and attackers have one less place to look for a hole.
\layout Standard
There are a number of ways to disable services under Linux. You can
look at your
\family typewriter /etc/inetd.conf
\family default file and see what services are being
offered by your
\family typewriter inetd
\family default . Disable any that you do not need by commenting
them out (
\family typewriter #
\family default at the beginning of the line), and then sending
your inetd process a SIGHUP.
\layout Standard
You can also remove (or comment out) services in your
\family typewriter /etc/services
\family default
file. This will mean that local clients will also be unable to find
the service (i.e., if you remove
\family typewriter ftp
\family default , and try and ftp to a remote site
from that machine it will fail with an "unknown service" message). It's
usually not worth the trouble to remove services from
\family typewriter /etc/services
\family default , since it provides no
additional security. If a local person wanted to use
\family typewriter ftp
\family default even though
you had commented it out, they would make their own client that used
the common FTP port and would still work fine.
\layout Standard
Some of the services you might want to leave enabled are:
\begin_deeper
\layout Itemize
\family typewriter ftp
\family default
\layout Itemize
\family typewriter telnet
\family default (or
\family typewriter ssh
\family default )
\layout Itemize
mail, such as
\family typewriter pop-3
\family default or
\family typewriter imap
\family default
\layout Itemize
\family typewriter identd
\family default
\end_deeper
\layout Standard
If you know you are not going to use some particular package, you can
also delete it entirely.
\family typewriter rpm -e packagename
\family default under
the Red Hat distribution will erase an entire package. Under Debian
\family typewriter dpkg --remove
\family default does the same thing.
\layout Standard
Additionally, you really want to disable the rsh/rlogin/rcp utilities,
including login (used by
\family typewriter rlogin
\family default ), shell (used by
\family typewriter rcp
\family default ),
and exec (used
by
\family typewriter rsh
\family default ) from being started in
\family typewriter /etc/inetd.conf
\family default .
These protocols are extremely insecure and have been the cause of exploits
in the past.
\layout Standard
You should check
\family typewriter /etc/rc.d/rc[0-9].d
\family default (on Red Hat;
\family typewriter /etc/rc[0-9].d
\family default on Debian), and see if any of the servers started in those
directories are not needed. The files in those directories are
actually symbolic links to files in the directory
\family typewriter /etc/rc.d/init.d
\family default (on Red Hat;
\family typewriter /etc/init.d
\family default on Debian).
Renaming the files in the
\family typewriter init.d
\family default directory
disables all the symbolic links that point to that file. If you
only wish to disable a service for a particular run level, rename the
appropriate symbolic link by replacing the upper-case
\family typewriter S
\family default with a lower-case
\family typewriter s
\family default , like this:
\layout Standard
\begin_deeper
\layout Verbatim
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
root#
\protected_separator
\protected_separator
cd
\protected_separator
/etc/rc6.d
\protected_separator
\protected_separator
\newline
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
root#
\protected_separator
\protected_separator
mv
\protected_separator
S45dhcpd
\protected_separator
s45dhcpd
\protected_separator
\end_deeper
\layout Standard
If you have BSD-style
\family typewriter rc
\family default files, you will want to check
\family typewriter /etc/rc*
\family default for programs you don't need.
\layout Standard
Most Linux distributions ship with tcp_wrappers "wrapping" all your
TCP services. A tcp_wrapper (
\family typewriter tcpd
\family default ) is invoked from
\family typewriter inetd
\family default instead of
the real server.
\family typewriter tcpd
\family default then checks the host that is requesting the
service, and either executes the real server, or denies access from that
host.
\family typewriter tcpd
\family default allows you to restrict access to your TCP services. You
should make a
\family typewriter /etc/hosts.allow
\family default and add in only those hosts that need
to have access to your machine's services.
\layout Standard
If you are a home dial up user, we suggest you deny ALL.
\family typewriter tcpd
\family default also logs
failed attempts to access services, so this can alert you if
you are under attack. If you add new services, you should be sure to
configure them to use tcp_wrappers if they are TCP-based. For example, a normal
dial-up user can prevent outsiders from connecting to his machine,
yet still have the ability to retrieve mail, and make network
connections to the Internet. To do this, you might add the following
to your
\family typewriter /etc/hosts.allow
\family default :
\layout Standard
ALL: 127.
\layout Standard
And of course /etc/hosts.deny would contain:
\layout Standard
ALL: ALL
\layout Standard
which will prevent external connections to your machine, yet still
allow you from the inside to connect to servers on the Internet.
\layout Standard
Keep in mind that tcp_wrappers only protects services executed from
\family typewriter inetd
\family default , and a select few others. There very well may be other
services running on your machine. You can use
\family typewriter netstat -ta
\family default to
find a list of all the services your machine is offering.
\layout Subsection
Verify Your DNS Information
\layout Standard
Keeping up-to-date DNS information about all hosts on your network can
help to increase security. If an unauthorized host
becomes connected to your network, you can recognize it by its lack of
a DNS entry. Many services can be configured to not accept
connections from hosts that do not have valid DNS entries.
\layout Subsection
identd
\layout Standard
\family typewriter identd
\family default is a small program that typically runs out of your
\family typewriter inetd
\family default server. It keeps track of what user is running what TCP
service, and then reports this to whoever requests it.
\layout Standard
Many people misunderstand the usefulness of
\family typewriter identd
\family default , and so disable it
or block all off site requests for it.
\family typewriter identd
\family default is not there to help out
remote sites. There is no way of knowing if the data you get from the
remote
\family typewriter identd
\family default is correct or not. There is no authentication in
\family typewriter identd
\family default
requests.
\layout Standard
Why would you want to run it then? Because it helps
\shape italic you
\shape default out, and is
another data-point in tracking. If your
\family typewriter identd
\family default is un compromised, then
you know it's telling remote sites the user-name or uid of people using
TCP services. If the admin at a remote site comes back to you and
tells you user so-and-so was trying to hack into their site, you can
easily take action against that user. If you are not running
\family typewriter identd
\family default ,
you will have to look at lots and lots of logs, figure out who was on
at the time, and in general take a lot more time to track down the
user.
\layout Standard
The
\family typewriter identd
\family default that ships with most distributions is more configurable
than many people think. You can disable it for specific users
(they can make a
\family typewriter .noident
\family default file), you can log all
\family typewriter identd
\family default requests (We recommend it), you can even have identd
return a uid instead of a user name or even NO-USER.
\layout Subsection
Configuring and Securing the Postfix MTA
\layout Standard
The Postfix mail server was written by Wietse Venema, author of
Postfix and several other staple Internet security products, as an "attempt to
provide an alternative to the widely-used Sendmail program. Postfix attempts
to be fast, easy to administer, and hopefully secure, while at the same time
being sendmail compatible enough to not upset your users."
\layout Standard
Further information on postfix can be found at the
\begin_inset LatexDel \htmlurl{
\end_inset
http://www.postfix.org
\begin_inset LatexDel }{
\end_inset
Postfix home
\begin_inset LatexDel }
\end_inset
and in the
\begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/feature_stories/feature_story-91.html
\begin_inset LatexDel }{
\end_inset
Configuring and Securing Postfix
\begin_inset LatexDel }
\end_inset
.
\layout Subsection
SATAN, ISS, and Other Network Scanners
\layout Standard
There are a number of different software packages out there that do
port and service-based scanning of machines or networks. SATAN, ISS,
SAINT, and Nessus are some of the more well-known ones. This software
connects to the target machine (or all the target machines on a
network) on all the ports they can, and try to determine what service
is running there. Based on this information, you can tell if the
machine is vulnerable to a specific exploit on that server.
\layout Standard
SATAN (Security Administrator's Tool for Analyzing Networks) is a port
scanner with a web interface. It can be configured to do light,
medium, or strong checks on a machine or a network of machines. It's a
good idea to get SATAN and scan your machine or network, and fix the
problems it finds. Make sure you get the copy of SATAN from \begin_inset LatexDel \htmlurl{
\end_inset
http://metalab.unc.edu/pub/packages/security/Satan-for-Linux/
\begin_inset LatexDel }{
\end_inset
metalab
\begin_inset LatexDel }
\end_inset
or a reputable FTP or web site. There was a Trojan
copy of SATAN that was distributed out on the net. \begin_inset LatexDel \htmlurl{
\end_inset
http://www.trouble.org/~zen/satan/satan.html
\begin_inset LatexDel }{
\end_inset
http://www.trouble.org/~zen/satan/satan.html
\begin_inset LatexDel }
\end_inset
. Note that SATAN
has not been updated in quite a while, and some of the other tools
below might do a better job.
\layout Standard
ISS (Internet Security Scanner) is another port-based scanner. It is
faster than Satan, and thus might be better for large
networks. However, SATAN tends to provide more information.
\layout Standard
Abacus is a suite of tools to provide host-based security and
intrusion detection. Look at it's home page on the web for more
information. \begin_inset LatexDel \htmlurl{
\end_inset
http://www.psionic.com/abacus
\begin_inset LatexDel }{
\end_inset
http://www.psionic.com/abacus/
\begin_inset LatexDel }
\end_inset
\layout Standard
SAINT is a updated version of SATAN. It is web-based and has many more
up-to-date tests than SATAN. You can find out more about it at:
\begin_inset LatexDel \htmlurl{
\end_inset
http://www.wwdsi.com/saint
\begin_inset LatexDel }{
\end_inset
http://www.wwdsi.com/~saint
\begin_inset LatexDel }
\end_inset
\layout Standard
Nessus is a free security scanner. It has a GTK graphical interface
for ease of use. It is also designed with a very nice plug in setup for
new port-scanning tests. For more information, take a look at: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.nessus.org/
\begin_inset LatexDel }{
\end_inset
http://www.nessus.org
\begin_inset LatexDel }
\end_inset
\layout Subsubsection
Detecting Port Scans
\layout Standard
There are some tools designed to alert you to probes by SATAN and ISS
and other scanning software. However, if you liberally use tcp_wrappers, and
look over your log files regularly, you should be able
to notice such probes. Even on the lowest setting, SATAN still leaves
traces in the logs on a stock Red Hat system.
\layout Standard
There are also "stealth" port scanners. A packet with the TCP ACK bit
set (as is done with established connections) will likely get through
a packet-filtering firewall. The returned RST packet from a port that
\shape italic _had no established session_
\shape default can be taken as proof of life on
that port. I don't think TCP wrappers will detect this.
\layout Standard
You might also look at SNORT, which is a free IDS (Intrusion Detection
System), which can detect other network intrusions. \begin_inset LatexDel \htmlurl{
\end_inset
http://www.snort.org
\begin_inset LatexDel }{
\end_inset
http://www.snort.org
\begin_inset LatexDel }
\end_inset
\layout Subsection
sendmail, qmail and MTA's
\layout Standard
One of the most important services you can provide is a mail
server. Unfortunately, it is also one of the most vulnerable to attack,
simply due to the number of tasks it must perform and the privileges it
typically needs.
\layout Standard
If you are using
\family typewriter sendmail
\family default it is very important to keep up on current
versions.
\family typewriter sendmail
\family default has a long long history of security
exploits. Always make sure you are running the most recent version from
\begin_inset LatexDel \htmlurl{
\end_inset
http://www.sendmail.org/
\begin_inset LatexDel }{
\end_inset
http://www.sendmail.org
\begin_inset LatexDel }
\end_inset
.
\layout Standard
Keep in mind that sendmail does not have to be running in order for you
to send mail. If you are a home user, you can disable sendmail entirely,
and simply use your mail client to send mail. You might also choose to
remove the "-bd" flag from the sendmail startup file, thereby disabling
incoming requests for mail. In other words, you can execute sendmail
from your startup script using the following instead:
\begin_deeper
\layout Verbatim
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
#
\protected_separator
/usr/lib/sendmail
\protected_separator
-q15m
\protected_separator
\protected_separator
\end_deeper
\layout Standard
This will cause sendmail to flush the mail queue every fifteen minutes
for any messages that could not be successfully delivered on the first
attempt.
\layout Standard
Many administrators choose not to use sendmail, and instead choose one
of the other mail transport agents. You might consider switching over
to
\family typewriter qmail
\family default .
\family typewriter qmail
\family default was designed with security in mind
from the ground up. It's fast, stable, and secure. Qmail can be found at
\begin_inset LatexDel \htmlurl{
\end_inset
http://www.qmail.org
\begin_inset LatexDel }{
\end_inset
http://www.qmail.org
\begin_inset LatexDel }
\end_inset
\layout Standard
In direct competition to qmail is "postfix", written by Wietse Venema,
the author of tcp_wrappers and other security tools. Formerly called
vmailer, and sponsored by IBM, this is also a mail transport agent
written from the ground up with security in mind. You can find more
information about postfix at \begin_inset LatexDel \htmlurl{
\end_inset
http:/www.postfix.org
\begin_inset LatexDel }{
\end_inset
http://www.postfix.org
\begin_inset LatexDel }
\end_inset
\layout Subsection
Denial of Service Attacks
\layout Standard
A "Denial of Service" (DoS) attack is one where the attacker tries to make
some resource too busy to answer legitimate requests, or to deny
legitimate users access to your machine.
\layout Standard
Denial of service attacks have increased greatly in recent years. Some
of the more popular and recent ones are listed below. Note that new
ones show up all the time, so this is just a few examples. Read the
Linux security lists and the bugtraq list and archives for more
current information.
\begin_deeper
\layout Itemize
\series bold SYN Flooding
\series default - SYN flooding is a network
denial of service attack. It takes advantage of a "loophole" in the
way TCP connections are created. The newer Linux kernels (2.0.30 and
up) have several configurable options to prevent SYN flood attacks
from denying people access to your machine or services. See
\begin_inset LatexCommand \ref{
\end_inset
kernel-security
\begin_inset LatexDel }{
\end_inset
Kernel Security
\begin_inset LatexDel }
\end_inset
for proper kernel
protection options.
\layout Itemize
\series bold Pentium "F00F" Bug
\series default - It was recently discovered that a series of
assembly codes sent to a genuine Intel Pentium processor would reboot
the machine. This affects every machine with a Pentium processor (not
clones, not Pentium Pro or PII), no matter what operating system it's
running. Linux kernels 2.0.32 and up contain a work around for this
bug, preventing it from locking your machine. Kernel 2.0.33 has an
improved version of the kernel fix, and is suggested over 2.0.32. If
you are running on a Pentium, you should upgrade now!
\layout Itemize
\series bold Ping Flooding
\series default - Ping flooding is a simple brute-force denial
of service attack. The attacker sends a "flood" of ICMP packets to
your machine. If they are doing this from a host with better bandwidth
than yours, your machine will be unable to send anything on the
network. A variation on this attack, called "smurfing", sends ICMP
packets to a host with
\shape italic your
\shape default machine's return IP, allowing them to
flood you less detectably. You can find more information about the
"smurf" attack at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.quadrunner.com/~chuegen/smurf.txt
\begin_inset LatexDel }{
\end_inset
http://www.quadrunner.com/~chuegen/smurf.txt
\begin_inset LatexDel }
\end_inset
\layout Standard
If you are ever under a ping flood attack, use a tool like
\family typewriter tcpdump
\family default to
determine where the packets are coming from (or appear to be coming
from), then contact your provider with this information. Ping floods
can most easily be stopped at the router level or by using a firewall.
\layout Itemize
\series bold Ping o' Death
\series default - The Ping o' Death attack sends
ICMP ECHO REQUEST packets that are too large to fit in the kernel data
structures intended to store them. Because sending a
single, large (65,510 bytes) "ping" packet to many systems will cause
them to hang or even crash, this problem was quickly dubbed the "Ping
o' Death." This one has long been fixed, and is no longer anything to
worry about.
\layout Itemize
\series bold Teardrop / New Tear
\series default - One of the most recent exploits
involves a bug present in the IP fragmentation code on Linux and
Windows platforms. It is fixed in kernel version 2.0.33, and does not
require selecting any kernel compile-time options to utilize the fix.
Linux is apparently not vulnerable to the "newtear" exploit.
\end_deeper
You can find code for most exploits, and a more in-depth description of how
they work, at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.rootshell.com
\begin_inset LatexDel }{
\end_inset
http://www.rootshell.com
\begin_inset LatexDel }
\end_inset
using their search engine.
\layout Subsection
NFS (Network File System) Security.
\layout Standard
NFS is a very widely-used file sharing protocol. It allows servers
running
\family typewriter nfsd
\family default and
\family typewriter mountd
\family default to "export" entire file systems
to other machines using NFS filesystem support built in to their kernels
(or some other client support if they are not Linux machines).
\family typewriter mountd
\family default keeps track of mounted file systems in
\family typewriter /etc/mtab
\family default ,
and can display them with
\family typewriter showmount
\family default .
\layout Standard
Many sites use NFS to serve home directories to users, so that
no matter what machine in the cluster they login to, they will have
all their home files.
\layout Standard
There is some small amount of security allowed in exporting
file systems. You can make your
\family typewriter nfsd
\family default map the remote root user (uid=0)
to the
\family typewriter nobody
\family default user, denying them total access to the files
exported. However, since individual users have access to their own (or
at least the same uid) files, the remote root user can login or
\family typewriter su
\family default to
their account and have total access to their files. This is only a
small hindrance to an attacker that has access to mount your remote
file systems.
\layout Standard
If you must use NFS, make sure you export to only those machines that
you really need to. Never export your entire root
directory; export only directories you need to export.
\layout Standard
See the NFS HOWTO for more information on NFS, available at \begin_inset LatexDel \htmlurl{
\end_inset
http://metalab.unc.edu/mdw/HOWTO/NFS-HOWTO.html
\begin_inset LatexDel }{
\end_inset
http://metalab.unc.edu/mdw/HOWTO/NFS-HOWTO.html
\begin_inset LatexDel }
\end_inset
\layout Subsection
NIS (Network Information Service) (formerly YP).
\layout Standard
Network Information service (formerly YP) is a means of distributing
information to a group of machines. The NIS master holds the
information tables and converts them into NIS map files. These maps
are then served over the network, allowing NIS client machines to get
login, password, home directory and shell information (all the
information in a standard
\family typewriter /etc/passwd
\family default file). This allows users to
change their password once and have it take effect on all the machines
in the NIS domain.
\layout Standard
NIS is not at all secure. It was never meant to be. It was meant to be
handy and useful. Anyone that can guess the name of your NIS domain
(anywhere on the net) can get a copy of your passwd file, and use
"crack" and "John the Ripper" against your users' passwords. Also, it is
possible to spoof NIS and do all sorts of nasty tricks. If you must
use NIS, make sure you are aware of the dangers.
\layout Standard
There is a much more secure replacement for NIS, called NIS+.
Check out the NIS HOWTO for more information: \begin_inset LatexDel \htmlurl{
\end_inset
http://metalab.unc.edu/mdw/HOWTO/NIS-HOWTO.html
\begin_inset LatexDel }{
\end_inset
http://metalab.unc.edu/mdw/HOWTO/NIS-HOWTO.html
\begin_inset LatexDel }
\end_inset
\layout Subsection
Firewalls
\layout Standard
Firewalls are a means of controlling what information is allowed into
and out of your local network. Typically the firewall host is
connected to the Internet and your local LAN, and the only access from
your LAN to the Internet is through the firewall. This way the
firewall can control what passes back and forth from the Internet and
your LAN.
\layout Standard
There are a number of types of firewalls and methods of setting them up. Linux
machines make pretty good firewalls. Firewall code can be
built right into 2.0 and higher kernels. The user-space tools
\family typewriter ipfwadm
\family default for 2.0
kernels and
\family typewriter ipchains
\family default for 2.2 kernels,
allows you to change, on the fly, the types of network traffic you allow.
You can also log particular types of network traffic.
\layout Standard
Firewalls are a very useful and important technique in securing your
network. However, never think that because you have a firewall, you don't
need to secure the machines behind it. This is a fatal mistake. Check
out the very good
\family typewriter Firewall-HOWTO
\family default at your latest metalab archive for
more information on firewalls and Linux. \begin_inset LatexDel \htmlurl{
\end_inset
http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html
\begin_inset LatexDel }{
\end_inset
http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html
\begin_inset LatexDel }
\end_inset
\layout Standard
More information can also be found in the IP-Masquerade
mini-howto: \begin_inset LatexDel \htmlurl{
\end_inset
http://metalab.unc.edu/mdw/HOWTO/mini/IP-Masquerade.html
\begin_inset LatexDel }{
\end_inset
http://metalab.unc.edu/mdw/HOWTO/mini/IP-Masquerade.html
\begin_inset LatexDel }
\end_inset
\layout Standard
More information on
\family typewriter ipfwadm
\family default (the tool that lets you change settings on
your firewall, can be found at it's home page: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.xos.nl/linux/ipfwadm/
\begin_inset LatexDel }{
\end_inset
http://www.xos.nl/linux/ipfwadm/
\begin_inset LatexDel }
\end_inset
\layout Standard
If you have no experience with firewalls, and plan to set up one for
more than just a simple security policy, the Firewalls book by O'Reilly
and Associates or other online firewall document is mandatory reading.
Check out \begin_inset LatexDel \htmlurl{
\end_inset
http://www.ora.com
\begin_inset LatexDel }{
\end_inset
http://www.ora.com
\begin_inset LatexDel }
\end_inset
for more information. The National Institute of Standards and Technology
have put together an excellent document on firewalls. Although dated 1995,
it is still quite good. You can find it at
\begin_inset LatexDel \htmlurl{
\end_inset
http://csrc.nist.gov/nistpubs/800-10/main.html
\begin_inset LatexDel }{
\end_inset
http://csrc.nist.gov/nistpubs/800-10/main.html
\begin_inset LatexDel }
\end_inset
. Also of interest:
\begin_deeper
\layout Itemize
The Freefire Project -- a list of freely-available firewall tools,
available at \begin_inset LatexDel \htmlurl{
\end_inset
http://sites.inka.de/sites/lina/freefire-l/index_en.html
\begin_inset LatexDel }{
\end_inset
http://sites.inka.de/sites/lina/freefire-l/index_en.html
\begin_inset LatexDel }
\end_inset
\layout Itemize
SunWorld Firewall Design -- written by the authors of the O'Reilly
book, this provides a rough introduction to the different firewall types.
It's available at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.sunworld.com/swol-01-1996/swol-01-firewall.html
\begin_inset LatexDel }{
\end_inset
http://www.sunworld.com/swol-01-1996/swol-01-firewall.html
\begin_inset LatexDel }
\end_inset
\layout Itemize
Mason - the automated firewall builder for Linux. This is a
firewall script that learns as you do the things you need to do on
your network! More info at: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.pobox.com/~wstearns/mason/
\begin_inset LatexDel }{
\end_inset
http://www.pobox.com/~wstearns/mason/
\begin_inset LatexDel }
\end_inset
\end_deeper
\layout Subsection
IP Chains - Linux Kernel 2.2.x Firewalling
\layout Standard
Linux IP Firewalling Chains is an update to the 2.0 Linux firewalling
code for the 2.2 kernel. It has many more features than
previous implementations, including:
\begin_deeper
\layout Itemize
More flexible packet manipulations
\layout Itemize
More complex accounting
\layout Itemize
Simple policy changes possible atomically
\layout Itemize
Fragments can be explicitly blocked, denied, etc.
\layout Itemize
Logs suspicious packets.
\layout Itemize
Can handle protocols other than ICMP/TCP/UDP.
\end_deeper
\layout Standard
If you are currently using
\family typewriter ipfwadm
\family default on your 2.0 kernel, there are scripts
available to convert the
\family typewriter ipfwadm
\family default command format to the format
\family typewriter ipchains
\family default uses.
\layout Standard
Be sure to read the IP Chains HOWTO for further information. It is
available at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html
\begin_inset LatexDel }{
\end_inset
http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html
\begin_inset LatexDel }
\end_inset
\layout Subsection
Netfilter - Linux Kernel 2.4.x Firewalling
\layout Standard
In yet another set of advancements to the kernel IP packet filtering code,
netfilter allows users to set up, maintain, and inspect the packet filtering
rules in the new 2.4 kernel.
\layout Standard
The netfilter subsystem is a complete rewrite of previous packet filtering
implementations including ipchains and ipfwadm. Netfilter provides a large
number of improvements, and it has now become an even more mature and robust
solution for protecting corporate networks.
\layout Code
iptables is the command-line interface used to manipulate
the firewall tables within the kernel.
\layout Standard
Netfilter provides a raw framework for manipulating packets as they traverse
through various parts of the kernel. Part of this framework includes support for
masquerading, standard packet filtering, and now more complete network
address translation. It even includes improved support for load balancing
requests for a particular service among a group of servers behind the
firewall.
\layout Standard
The stateful inspection features are especially powerful. Stateful inspection
provides the ability to track and control the flow of communication passing
through the filter. The ability to keep track of state and context information
about a session makes rules simpler and tries to interpret higher-level protocols.
\layout Standard
Additionally, small modules can be developed to perform additional specific
functions, such as passing packets to programs in userspace for processing
then reinjecting back into the normal packet flow. The ability to develop these
programs in userspace reduces the level of complexity that was previously
associated with having to make changes directly at the kernel level.
\layout Standard
Other IP Tables references include:
\begin_deeper
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/feature_stories/feature_story-94.html
\begin_inset LatexDel }{
\end_inset
Oskar Andreasson IP Tables Tutorial
\begin_inset LatexDel }
\end_inset
\shape default -- Oskar Andreasson speaks
with LinuxSecurity.com about his comprehensive IP Tables tutorial and
how this document can be used to build a robust firewall for your organization.
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/feature_stories/feature_story-93.html
\begin_inset LatexDel }{
\end_inset
Hal Burgiss Introduces Linux Security Quick-Start Guides
\begin_inset LatexDel }
\end_inset
\shape default -- Hal Burgiss has written two authoritative guides on securing Linux,
including managing firewalling.
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://netfilter.samba.org
\begin_inset LatexDel }{
\end_inset
Netfilter Homepage
\begin_inset LatexDel }
\end_inset
\shape default -- The netfilter/iptables homepage.
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/feature_stories/kernel-netfilter.html
\begin_inset LatexDel }{
\end_inset
Linux Kernel 2.4 Firewalling Matures: netfilter
\begin_inset LatexDel }
\end_inset
\shape default -- This
LinuxSecurity.com article describes the basics of packet filtering, how to
get started using iptables, and a list of the new features available in
the latest generation of firewalling for Linux.
\end_deeper
\layout Subsection
VPNs - Virtual Private Networks
\layout Standard
VPN's are a way to establish a "virtual" network on top of some
already-existing network. This virtual network often is encrypted and
passes traffic only to and from some known entities that have joined
the network. VPNs are often used to connect someone working at home
over the public Internet to an internal company network.
\layout Standard
If you are running a Linux masquerading firewall and need to pass MS
PPTP (Microsoft's VPN point-to-point product) packets, there is a
Linux kernel patch out to do just that. See: \begin_inset LatexDel \htmlurl{
\end_inset
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html
\begin_inset LatexDel }{
\end_inset
ip-masq-vpn
\begin_inset LatexDel }
\end_inset
.
\layout Standard
There are several Linux VPN solutions available:
\begin_deeper
\layout Itemize
vpnd. See the \begin_inset LatexDel \htmlurl{
\end_inset
http://sunsite.auc.dk/vpnd/
\begin_inset LatexDel }{
\end_inset
http://sunsite.auc.dk/vpnd/
\begin_inset LatexDel }
\end_inset
.
\layout Itemize
Free S/Wan, available at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.xs4all.nl/~freeswan/
\begin_inset LatexDel }{
\end_inset
http://www.xs4all.nl/~freeswan/
\begin_inset LatexDel }
\end_inset
\layout Itemize
ssh can be used to construct a VPN. See the VPN mini-howto
for more information.
\layout Itemize
vps (virtual private server) at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.strongcrypto.com
\begin_inset LatexDel }{
\end_inset
http://www.strongcrypto.com
\begin_inset LatexDel }
\end_inset
.
\layout Itemize
yawipin at \begin_inset LatexDel \htmlurl{
\end_inset
mailto:http://yavipin.sourceforge.net
\begin_inset LatexDel }{
\end_inset
http://yavipin.sourceforge.net
\begin_inset LatexDel }
\end_inset
\end_deeper
\layout Standard
See also the section on IPSEC for pointers and more information.
\layout Section
Security Preparation (before you go on-line)
\begin_inset LatexCommand \label{secure-prep}
\end_inset
\layout Standard
Ok, so you have checked over your system, and determined it's as secure
as feasible, and you're ready to put it online. There are a few things
you should now do in order to prepare for an intrusion,
so you can quickly disable the intruder, and get
back up and running.
\layout Subsection
Make a Full Backup of Your Machine
\layout Standard
Discussion of backup methods and storage is beyond the scope of this
document, but here are a few words relating to backups and security:
\layout Standard
If you have less than 650mb of data to store on a partition, a CD-R
copy of your data is a good way to go (as it's hard to tamper with
later, and if stored properly can last a long time), you will of
course need at least 650MB of space to make the image. Tapes and other
re-writable media should be write-protected as soon as your backup is
complete, and then verified to prevent tampering. Make sure you store your
backups in a secure off-line area. A good backup will ensure that you
have a known good point to restore your system from.
\layout Subsection
Choosing a Good Backup Schedule
\layout Standard
A six-tape cycle is easy to maintain. This includes four tapes
for during the week, one tape for even Fridays, and one tape for odd
Fridays. Perform an incremental backup every day, and a full backup
on the appropriate Friday tape. If you make some particularly important
changes or add some important data to your system, a full backup might
well be in order.
\layout Subsection
Testing your backups
\layout Standard
You should do periodic tests of your backups to make sure they are
working as you might expect them to. Restores of files and checking
against the real data, sizes and listings of backups, and reading old
backups should be done on a regular basis.
\layout Subsection
Backup Your RPM or Debian File Database
\layout Standard
In the event of an intrusion, you can use your RPM database like you
would use
\family typewriter tripwire
\family default , but only if you can be sure it too hasn't been
modified. You should copy the RPM database to a floppy, and keep this
copy off-line at all times. The Debian distribution likely has
something similar.
\layout Standard
The files
\family typewriter /var/lib/rpm/fileindex.rpm
\family default and
\family typewriter /var/lib/rpm/packages.rpm
\family default most likely won't fit on a single floppy.
But if compressed, each should fit on a seperate floppy.
\layout Standard
Now, when your system is compromised, you can use the command:
\layout Standard
\begin_deeper
\layout Verbatim
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
\protected_separator
root#
\protected_separator
\protected_separator
rpm
\protected_separator
-Va
\protected_separator
\protected_separator
\end_deeper
\layout Standard
to verify each file on the system. See the
\family typewriter rpm
\family default man page, as there are
a few other options that can be included to make it less verbose.
Keep in mind you must also be sure your RPM binary has not been
compromised.
\layout Standard
This means that every time a new RPM is added to the system, the RPM
database will need to be rearchived. You will have to decide the
advantages versus drawbacks.
\layout Subsection
Keep Track of Your System Accounting Data
\begin_inset LatexCommand \label{logs}
\end_inset
\layout Standard
It is very important that the information that comes from
\family typewriter syslog
\family default
not be compromised. Making the files in
\family typewriter /var/log
\family default readable and
writable by only a limited number of users is a good start.
\layout Standard
Be sure to keep an eye on what gets written there, especially under
the
\family typewriter auth
\family default facility. Multiple login failures, for example, can
indicate an attempted break-in.
\layout Standard
Where to look for your log file will depend on your distribution. In a
Linux system that conforms to the "Linux Filesystem Standard", such as
Red Hat, you will want to look in
\family typewriter /var/log
\family default and check
\family typewriter messages
\family default ,
\family typewriter mail.log
\family default , and others.
\layout Standard
You can find out where your distribution is logging to by looking at
your
\family typewriter /etc/syslog.conf
\family default file. This is the file that tells
\family typewriter syslogd
\family default (the system logging daemon) where to log various messages.
\layout Standard
You might also want to configure your log-rotating script or daemon to
keep logs around longer so you have time to examine them. Take a look
at the
\family typewriter logrotate
\family default package on recent Red Hat distributions. Other
distributions likely have a similar process.
\layout Standard
If your log files have been tampered with, see if you can determine
when the tampering started, and what sort of things appeared to be
tampered with. Are there large periods of time that cannot be accounted
for? Checking backup tapes (if you have any) for untampered log files
is a good idea.
\layout Standard
Intruders typically modify log files in order to cover their
tracks, but they should still be checked for strange happenings. You
may notice the intruder attempting to gain entrance, or exploit a
program in order to obtain the root account. You might see log entries
before the intruder has time to modify them.
\layout Standard
You should also be sure to separate the
\family typewriter auth
\family default facility from other log
data, including attempts to switch users using
\family typewriter su
\family default , login attempts,
and other user accounting information.
\layout Standard
If possible, configure
\family typewriter syslog
\family default to send a copy of the most important
data to a secure system. This will prevent an intruder from covering
his tracks by deleting his login/su/ftp/etc attempts. See the
\family typewriter syslog.conf
\family default man page, and refer to the
\family typewriter @
\family default option.
\layout Standard
There are several more advanced
\family typewriter syslogd
\family default programs out
there. Take a look at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.core-sdi.com/ssyslog/
\begin_inset LatexDel }{
\end_inset
http://www.core-sdi.com/ssyslog/
\begin_inset LatexDel }
\end_inset
for Secure Syslog. Secure
Syslog allows you to encrypt your syslog entries and make sure no one
has tampered with them.
\layout Standard
Another
\family typewriter syslogd
\family default with more features is \begin_inset LatexDel \htmlurl{
\end_inset
http://www.balabit.hu/products/syslog-ng.html
\begin_inset LatexDel }{
\end_inset
syslog-ng
\begin_inset LatexDel }
\end_inset
. It allows you a lot more flexibility in your
logging and also can has your remote syslog streams to prevent
tampering.
\layout Standard
Finally, log files are much less useful when no one is reading
them. Take some time out every once in a while to look over your log
files, and get a feeling for what they look like on a normal
day. Knowing this can help make unusual things stand out.
\layout Subsection
Apply All New System Updates.
\layout Standard
Most Linux users install from a CD-ROM. Due to the fast-paced nature of
security fixes, new (fixed) programs are always being released. Before
you connect your machine to the network, it's a good idea to check with your
distribution's ftp site and get all the updated packages since you
received your distribution CD-ROM. Many times these packages contain
important security fixes, so it's a good idea to get them installed.
\layout Section
What To Do During and After a Breakin
\begin_inset LatexCommand \label{after-breakin}
\end_inset
\layout Standard
So you have followed some of the advice here (or elsewhere) and have
detected a break-in? The first thing to do is to remain calm. Hasty
actions can cause more harm than the attacker would have.
\layout Subsection
Security Compromise Underway.
\layout Standard
Spotting a security compromise under way can be a tense
undertaking. How you react can have large consequences.
\layout Standard
If the compromise you are seeing is a physical one, odds are you have
spotted someone who has broken into your home, office or lab. You
should notify your local authorities. In a lab, you might have
spotted someone trying to open a case or reboot a machine. Depending
on your authority and procedures, you might ask them to stop, or
contact your local security people.
\layout Standard
If you have detected a local user trying to compromise your security,
the first thing to do is confirm they are in fact who you think they
are. Check the site they are logging in from. Is it the site they
normally log in from? No? Then use a non-electronic means of getting in
touch. For instance, call them on the phone or walk over to their
office/house and talk to them. If they agree that they are on, you can
ask them to explain what they were doing or tell them to cease doing
it. If they are not on, and have no idea what you are talking about,
odds are this incident requires further investigation. Look into such
incidents , and have lots of information before making any
accusations.
\layout Standard
If you have detected a network compromise, the first thing to do (if
you are able) is to disconnect your network. If they are connected via
modem, unplug the modem cable; if they are connected via Ethernet,
unplug the Ethernet cable. This will prevent them from doing any
further damage, and they will probably see it as a network problem
rather than detection.
\layout Standard
If you are unable to disconnect the network (if you have a busy site,
or you do not have physical control of your machines), the next best
step is to use something like
\family typewriter tcp_wrappers
\family default or
\family typewriter ipfwadm
\family default
to deny access from the intruder's site.
\layout Standard
If you can't deny all people from the same site as the intruder,
locking the user's account will have to do. Note that locking an
account is not an easy thing. You have to keep in mind
\family typewriter .rhosts
\family default files,
FTP access, and a host of possible backdoors.
\layout Standard
After you have done one of the above (disconnected the network, denied
access from their site, and/or disabled their account), you need to
kill all their user processes and log them off.
\layout Standard
You should monitor your site well for the next few minutes, as the
attacker will try to get back in. Perhaps using a different account,
and/or from a different network address.
\layout Subsection
Security Compromise has already happened
\layout Standard
So you have either detected a compromise that has already happened or
you have detected it and locked (hopefully) the offending attacker out
of your system. Now what?
\layout Subsubsection
Closing the Hole
\layout Standard
If you are able to determine what means the attacker used to get into
your system, you should try to close that hole. For instance, perhaps
you see several FTP entries just before the user logged in. Disable
the FTP service and check and see if there is an updated version, or
if any of the lists know of a fix.
\layout Standard
Check all your log files, and make a visit to your security lists and
pages and see if there are any new common exploits you can fix. You
can find Caldera security fixes at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.caldera.com/tech-ref/security/
\begin_inset LatexDel }{
\end_inset
http://www.caldera.com/tech-ref/security/
\begin_inset LatexDel }
\end_inset
. Red Hat has not
yet separated their security fixes from bug fixes, but their
distribution errata is available at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.redhat.com/errata
\begin_inset LatexDel }{
\end_inset
http://www.redhat.com/errata
\begin_inset LatexDel }
\end_inset
\layout Standard
Debian now has a security mailing list and web page. See: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.debian.org/security/
\begin_inset LatexDel }{
\end_inset
http://www.debian.org/security/
\begin_inset LatexDel }
\end_inset
for more information.
\layout Standard
It is very likely that if one vendor has released a security update,
that most other Linux vendors will as well.
\layout Standard
There is now a Linux security auditing project. They are methodically
going through all the user-space utilities and looking for possible
security exploits and overflows. From their announcement:
\layout Quote
"We are attempting a systematic audit of Linux sources with a view to
being as secure as OpenBSD. We have already uncovered (and fixed) some
problems, but more help is welcome. The list is unmoderated and also a
useful resource for general security discussions. The list address
is: security-audit@ferret.lmh.ox.ac.uk To subscribe, send a mail to:
security-audit-subscribe@ferret.lmh.ox.ac.uk"
\layout Standard
If you don't lock the attacker out, they will likely be back. Not just
back on your machine, but back somewhere on your network. If they were
running a packet sniffer, odds are good they have access to other
local machines.
\layout Subsubsection
Assessing the Damage
\layout Standard
The first thing is to assess the damage. What has been compromised?
If you are running an integrity checker like
\family typewriter Tripwire
\family default , you
can use it to perform an integrity check; it should help to tell you
what has been compromised.
If not, you will have to look around at all your important data.
\layout Standard
Since Linux systems are getting easier and easier to install, you
might consider saving your config files, wiping your disk(s),
reinstalling, then restoring your user files and your
config files from backups. This will ensure that you have a new, clean system. If
you have to restore files from the compromised system, be especially
cautious of any binaries that you restore, as they may be Trojan horses
placed there by the intruder.
\layout Standard
Re-installation should be considered mandatory upon an intruder
obtaining root access. Additionally, you'd like to keep any evidence
there is, so having a spare disk in the safe may make sense.
\layout Standard
Then you have to worry about how long ago the compromise happened, and
whether the backups hold any damaged work. More on backups later.
\layout Subsubsection
Backups, Backups, Backups!
\layout Standard
Having regular backups is a godsend for security matters. If your
system is compromised, you can restore the data you need from
backups. Of course, some data is valuable to the attacker too, and they
will not only destroy it, they will steal it and have their own
copies; but at least you will still have the data.
\layout Standard
You should check several backups back into the past before restoring a
file that has been tampered with. The intruder could have compromised
your files long ago, and you could have made many successful backups
of the compromised file!
\layout Standard
Of course, there are also a raft of security concerns with
backups. Make sure you are storing them in a secure place. Know who
has access to them. (If an attacker can get your backups, they can
have access to all your data without you ever knowing it.)
\layout Subsubsection
Tracking Down the Intruder.
\layout Standard
Ok, you have locked the intruder out, and recovered your system, but
you're not quite done yet. While it is unlikely that most intruders
will ever be caught, you should report the attack.
\layout Standard
You should report the attack to the admin contact at
the site from which the attacker attacked your system. You can look up this
contact with
\family typewriter whois
\family default or the Internic database. You might send them an
email with all applicable log entries and dates and times. If you
spotted anything else distinctive about your intruder, you might
mention that too. After sending the email, you should (if you are so
inclined) follow up with a phone call. If that admin in turn spots
your attacker, they might be able to talk to the admin of the site
where they are coming from and so on.
\layout Standard
Good crackers often use many intermediate systems, some (or many) of
which may not even know they have been compromised. Trying to track a
cracker back to their home system can be difficult. Being polite to
the admins you talk to can go a long way to getting help from them.
\layout Standard
You should also notify any security organizations you are a part of
(\begin_inset LatexDel \url{
\end_inset
http://www.cert.org/
\begin_inset LatexDel }{
\end_inset
CERT
\begin_inset LatexDel }
\end_inset
or similar), as well as your Linux system vendor.
\layout Section
Security Sources
\begin_inset LatexCommand \label{sources}
\end_inset
\layout Standard
There are a LOT of good sites out there for Unix security in general
and Linux security specifically. It's very important to subscribe to
one (or more) of the security mailing lists and keep current on
security fixes. Most of these lists are very low volume, and very
informative.
\layout Subsection
LinuxSecurity.com References
\begin_inset LatexCommand \label{linuxsecurity}
\end_inset
\layout Standard
The LinuxSecurity.com web site has numerous Linux and open source security
references written by the LinuxSecurity staff and people collectively around
the world.
\begin_deeper
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/vuln-newsletter.html
\begin_inset LatexDel }{
\end_inset
Linux Advisory Watch
\begin_inset LatexDel }
\end_inset
\shape default -- A comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It includes
pointers to updated packages and descriptions of each vulnerability.
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/newsletter.html
\begin_inset LatexDel }{
\end_inset
Linux Security Week
\begin_inset LatexDel }
\end_inset
\shape default --
The purpose of this document is to provide our readers with a quick summary
of each week's most relevant Linux security headlines.
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/general/mailinglists.html
\begin_inset LatexDel }{
\end_inset
Linux Security Discussion List
\begin_inset LatexDel }
\end_inset
\shape default -- This mailing list is for general security-related questions and comments.
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/general/mailinglists.html
\begin_inset LatexDel }{
\end_inset
Linux Security Newsletters
\begin_inset LatexDel }
\end_inset
\shape default -- Subscription information for all newsletters.
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/docs/colsfaq.html
\begin_inset LatexDel }{
\end_inset
comp.os.linux.security FAQ
\begin_inset LatexDel }
\end_inset
\shape default -- Frequently Asked Questions with answers for the comp.os.linux.security newsgroup.
\layout Itemize
\shape italic \begin_inset LatexDel \htmlurl{
\end_inset
http://www.linuxsecurity.com/docs/
\begin_inset LatexDel }{
\end_inset
Linux Security Documentation
\begin_inset LatexDel }
\end_inset
\shape default -- A great starting point for information pertaining to Linux and Open Source security.
\end_deeper
\layout Subsection
FTP Sites
\begin_inset LatexCommand \label{ftpsites}
\end_inset
\layout Standard
CERT is the Computer Emergency Response Team. They often send out
alerts of current attacks and fixes. See \begin_inset LatexDel \htmlurl{
\end_inset
ftp://ftp.cert.org
\begin_inset LatexDel }{
\end_inset
ftp://ftp.cert.org
\begin_inset LatexDel }
\end_inset
for more information.
\layout Standard
ZEDZ (formerly Replay) (\begin_inset LatexDel \htmlurl{
\end_inset
http://www.zedz.net
\begin_inset LatexDel }{
\end_inset
http://www.zedz.net
\begin_inset LatexDel }
\end_inset
)
has archives of many security programs. Since they are outside
the US, they don't need to obey US crypto restrictions.
\layout Standard
Matt Blaze is the author of CFS and a great security advocate. Matt's
archive is available at \begin_inset LatexDel \url{
\end_inset
ftp://ftp.research.att.com/pub/mab
\begin_inset LatexDel }{
\end_inset
ftp://ftp.research.att.com/pub/mab
\begin_inset LatexDel }
\end_inset
\layout Standard
\family typewriter tue.nl
\family default is a great security FTP site in the Netherlands.
\begin_inset LatexDel \htmlurl{
\end_inset
ftp://ftp.win.tue.nl/pub/security/
\begin_inset LatexDel }{
\end_inset
ftp.win.tue.nl
\begin_inset LatexDel }
\end_inset
\layout Subsection
Web Sites
\begin_inset LatexCommand \label{websites}
\end_inset
\begin_deeper
\layout Itemize
The Hacker FAQ is a FAQ about hackers: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.solon.com/~seebs/faqs/hacker.html
\begin_inset LatexDel }{
\end_inset
The Hacker FAQ
\begin_inset LatexDel }
\end_inset
\layout Itemize
The COAST archive has a large number of Unix security programs and
information: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.cs.purdue.edu/coast/
\begin_inset LatexDel }{
\end_inset
COAST
\begin_inset LatexDel }
\end_inset
\layout Itemize
SuSe Security Page: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.suse.de/security/
\begin_inset LatexDel }{
\end_inset
http://www.suse.de/security/
\begin_inset LatexDel }
\end_inset
\layout Itemize
Rootshell.com is a great site for seeing what exploits are currently
being used by crackers: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.rootshell.com/
\begin_inset LatexDel }{
\end_inset
http://www.rootshell.com/
\begin_inset LatexDel }
\end_inset
\layout Itemize
BUGTRAQ puts out advisories on security issues: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.netspace.org/lsv-archive/bugtraq.html
\begin_inset LatexDel }{
\end_inset
BUGTRAQ archives
\begin_inset LatexDel }
\end_inset
\layout Itemize
CERT, the Computer Emergency Response Team, puts out advisories on
common attacks on Unix platforms: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.cert.org/
\begin_inset LatexDel }{
\end_inset
CERT home
\begin_inset LatexDel }
\end_inset
\layout Itemize
Dan Farmer is the author of SATAN and many other security tools. His
home site has some interesting security survey information, as well as
security tools: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.trouble.org
\begin_inset LatexDel }{
\end_inset
http://www.trouble.org
\begin_inset LatexDel }
\end_inset
\layout Itemize
The Linux security WWW is a good site for Linux security information:
\begin_inset LatexDel \htmlurl{
\end_inset
http://www.aoy.com/Linux/Security/
\begin_inset LatexDel }{
\end_inset
Linux Security WWW
\begin_inset LatexDel }
\end_inset
\layout Itemize
Infilsec has a vulnerability engine that can tell you what
vulnerabilities affect a specific platform: \begin_inset LatexDel \htmlurl{
\end_inset
http://www.infilsec.com/vulnerabilities/
\begin_inset LatexDel }{
\end_inset
http://www.infilsec.com/vulnerabilities/
\begin_inset LatexDel }
\end_inset
\layout Itemize
CIAC sends out periodic security bulletins on common exploits: \begin_inset LatexDel \htmlurl{
\end_inset
http://ciac.llnl.gov/cgi-bin/index/bulletins
\begin_inset LatexDel }{
\end_inset
http://ciac.llnl.gov/cgi-bin/index/bulletins
\begin_inset LatexDel }
\end_inset
\layout Itemize
A good starting point for Linux Pluggable Authentication modules can
be found at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.kernel.org/pub/linux/libs/pam/
\begin_inset LatexDel }{
\end_inset
http://www.kernel.org/pub/linux/libs/pam/
\begin_inset LatexDel }
\end_inset
.
\layout Itemize
The Debian project has a web page for their security fixes and
information. It is at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.debian.com/security/
\begin_inset LatexDel }{
\end_inset
http://www.debian.com/security/
\begin_inset LatexDel }
\end_inset
.
\layout Itemize
WWW Security FAQ, written by Lincoln Stein, is a great web
security reference. Find it at \begin_inset LatexDel \htmlurl{
\end_inset
http://www.w3.org/Security/Faq/www-security-faq.html
\begin_inset LatexDel }{
\end_inset
http://www.w3.org/Security/Faq/www-security-faq.html
\begin_inset LatexDel }
\end_inset
\end_deeper
\layout Subsection
Mailing Lists
\layout Standard
Bugtraq: To subscribe to bugtraq, send mail to listserv@netspace.org
containing the message body subscribe bugtraq. (see links above for
archives).
\layout Standard
CIAC: Send e-mail to majordomo@tholia.llnl.gov. In the BODY (not
subject) of the message put (either or both):
\layout Verbatim
@/verb@
\protected_separator
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\protected_separator
\newline
Red
\protected_separator
Hat
\protected_separator
has
\protected_separator
a
\protected_separator
number
\protected_separator
of
\protected_separator
mailing
\protected_separator
lists,
\protected_separator
the
\protected_separator
most
\protected_separator
important
\protected_separator
of
\protected_separator
which
\protected_separator
is
\protected_separator
\newline
the
\protected_separator
redhat-announce
\protected_separator
list.
\protected_separator
You
\protected_separator
can
\protected_separator
read
\protected_separator
about
\protected_separator
security
\protected_separator
(and
\protected_separator
other)
\protected_separator
\newline
fixes
\protected_separator
as
\protected_separator
soon
\protected_separator
as
\protected_separator
they
\protected_separator
come
\protected_separator
out.
\protected_separator
\protected_separator
Send
\protected_separator
email
\protected_separator
to
\protected_separator
\newline
\layout Verbatim
@/verb@
\protected_separator
\newline
\protected_separator
\newline
See
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
https://listman.redhat.com/mailman/listinfo/
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
https://listman.redhat.com/mailman/listinfo/
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
for
\protected_separator
\newline
more
\protected_separator
info
\protected_separator
and
\protected_separator
archives.
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
The
\protected_separator
Debian
\protected_separator
project
\protected_separator
has
\protected_separator
a
\protected_separator
security
\protected_separator
mailing
\protected_separator
list
\protected_separator
that
\protected_separator
covers
\protected_separator
their
\protected_separator
\newline
security
\protected_separator
fixes.
\protected_separator
See
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
http://www.debian.com/security/
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
http://www.debian.com/security/
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
for
\protected_separator
more
\protected_separator
information.
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Subsection
\newline
Books
\protected_separator
-
\protected_separator
Printed
\protected_separator
Reading
\protected_separator
Material
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
There
\protected_separator
are
\protected_separator
a
\protected_separator
number
\protected_separator
of
\protected_separator
good
\protected_separator
security
\protected_separator
books
\protected_separator
out
\protected_separator
there.
\protected_separator
This
\protected_separator
section
\protected_separator
\newline
lists
\protected_separator
a
\protected_separator
few
\protected_separator
of
\protected_separator
them.
\protected_separator
In
\protected_separator
addition
\protected_separator
to
\protected_separator
the
\protected_separator
security
\protected_separator
specific
\protected_separator
books,
\protected_separator
\newline
security
\protected_separator
is
\protected_separator
covered
\protected_separator
in
\protected_separator
a
\protected_separator
number
\protected_separator
of
\protected_separator
other
\protected_separator
books
\protected_separator
on
\protected_separator
system
\protected_separator
\newline
administration.
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\begin_deeper
\layout Itemize
\protected_separator
\newline
Building
\protected_separator
Internet
\protected_separator
Firewalls
\protected_separator
By
\protected_separator
D.
\protected_separator
Brent
\protected_separator
Chapman
\protected_separator
&
\protected_separator
Elizabeth
\protected_separator
D.
\protected_separator
Zwicky,
\protected_separator
\newline
1st
\protected_separator
Edition
\protected_separator
September
\protected_separator
1995,
\protected_separator
\newline
ISBN:
\protected_separator
1-56592-124-0
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
Practical
\protected_separator
UNIX
\protected_separator
&
\protected_separator
Internet
\protected_separator
Security,
\protected_separator
2nd
\protected_separator
Edition
\protected_separator
By
\protected_separator
Simson
\protected_separator
Garfinkel
\protected_separator
&
\protected_separator
Gene
\protected_separator
Spafford,
\protected_separator
2nd
\protected_separator
Edition
\protected_separator
April
\protected_separator
1996,
\protected_separator
ISBN:
\protected_separator
1-56592-148-8
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
Computer
\protected_separator
Security
\protected_separator
Basics
\protected_separator
By
\protected_separator
Deborah
\protected_separator
Russell
\protected_separator
&
\protected_separator
G.T.
\protected_separator
Gangemi,
\protected_separator
Sr.,
\protected_separator
1st
\protected_separator
\protected_separator
\newline
Edition
\protected_separator
July
\protected_separator
1991,
\protected_separator
ISBN:
\protected_separator
0-937175-71-4
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
Linux
\protected_separator
Network
\protected_separator
Administrator's
\protected_separator
Guide
\protected_separator
By
\protected_separator
Olaf
\protected_separator
Kirch,
\protected_separator
1st
\protected_separator
Edition
\protected_separator
January
\protected_separator
\protected_separator
\newline
1995,
\protected_separator
ISBN:
\protected_separator
1-56592-087-2
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
PGP:
\protected_separator
Pretty
\protected_separator
Good
\protected_separator
Privacy
\protected_separator
By
\protected_separator
Simson
\protected_separator
Garfinkel,
\protected_separator
1st
\protected_separator
Edition
\protected_separator
December
\protected_separator
1994,
\protected_separator
\protected_separator
\newline
ISBN:
\protected_separator
1-56592-098-8
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
Computer
\protected_separator
Crime
\protected_separator
A
\protected_separator
Crimefighter's
\protected_separator
Handbook
\protected_separator
By
\protected_separator
David
\protected_separator
Icove,
\protected_separator
Karl
\protected_separator
\protected_separator
\newline
Seger
\protected_separator
&
\protected_separator
William
\protected_separator
VonStorch
\protected_separator
(Consulting
\protected_separator
Editor
\protected_separator
Eugene
\protected_separator
H.
\protected_separator
Spafford),
\protected_separator
\newline
1st
\protected_separator
Edition
\protected_separator
August
\protected_separator
1995,
\protected_separator
ISBN:
\protected_separator
1-56592-086-4
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
Linux
\protected_separator
Security
\protected_separator
By
\protected_separator
John
\protected_separator
S.
\protected_separator
Flowers,
\protected_separator
New
\protected_separator
Riders;
\protected_separator
ISBN:
\protected_separator
0735700354,
\protected_separator
March
\protected_separator
1999
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
Maximum
\protected_separator
Linux
\protected_separator
Security
\protected_separator
:
\protected_separator
A
\protected_separator
Hacker's
\protected_separator
Guide
\protected_separator
to
\protected_separator
Protecting
\protected_separator
Your
\protected_separator
Linux
\protected_separator
Server
\protected_separator
\protected_separator
\newline
and
\protected_separator
Network,
\protected_separator
Anonymous,
\protected_separator
Paperback
\protected_separator
-
\protected_separator
829
\protected_separator
pages,
\protected_separator
Sams;
\protected_separator
ISBN:
\protected_separator
0672313413,
\protected_separator
July
\protected_separator
\protected_separator
\newline
1999
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
Intrusion
\protected_separator
Detection
\protected_separator
By
\protected_separator
Terry
\protected_separator
Escamilla,
\protected_separator
Paperback
\protected_separator
-
\protected_separator
416
\protected_separator
pages
\protected_separator
\protected_separator
\newline
(September
\protected_separator
1998),
\protected_separator
John
\protected_separator
Wiley
\protected_separator
and
\protected_separator
Sons;
\protected_separator
ISBN:
\protected_separator
0471290009
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
Fighting
\protected_separator
Computer
\protected_separator
Crime,
\protected_separator
Donn
\protected_separator
Parker,
\protected_separator
Paperback
\protected_separator
-
\protected_separator
526
\protected_separator
pages
\protected_separator
(September
\protected_separator
\protected_separator
\newline
1998),
\protected_separator
John
\protected_separator
Wiley
\protected_separator
and
\protected_separator
Sons;
\protected_separator
ISBN:
\protected_separator
0471163783
\protected_separator
\newline
\end_deeper
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Section
\newline
Glossary
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Included
\protected_separator
below
\protected_separator
are
\protected_separator
several
\protected_separator
of
\protected_separator
the
\protected_separator
most
\protected_separator
frequently
\protected_separator
used
\protected_separator
terms
\protected_separator
in
\protected_separator
computer
\protected_separator
\newline
security.
\protected_separator
A
\protected_separator
comprehensive
\protected_separator
dictionary
\protected_separator
of
\protected_separator
computer
\protected_separator
security
\protected_separator
terms
\protected_separator
is
\protected_separator
available
\protected_separator
\newline
in
\protected_separator
the
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
http://www.linuxsecurity.com/dictionary/
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
LinuxSecurity.com
\protected_separator
Dictionary
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\begin_deeper
\layout Itemize
\layout
\protected_separator
Standard
\newline
\series
\protected_separator
bold
\protected_separator
authentication:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
The
\protected_separator
process
\protected_separator
of
\protected_separator
knowing
\protected_separator
that
\protected_separator
the
\protected_separator
data
\protected_separator
\newline
received
\protected_separator
is
\protected_separator
the
\protected_separator
same
\protected_separator
as
\protected_separator
the
\protected_separator
data
\protected_separator
that
\protected_separator
was
\protected_separator
sent,
\protected_separator
and
\protected_separator
that
\protected_separator
the
\protected_separator
claimed
\protected_separator
\newline
sender
\protected_separator
is
\protected_separator
in
\protected_separator
fact
\protected_separator
the
\protected_separator
actual
\protected_separator
sender.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
bastion
\protected_separator
Host:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
A
\protected_separator
computer
\protected_separator
system
\protected_separator
that
\protected_separator
must
\protected_separator
be
\protected_separator
highly
\protected_separator
\newline
secured
\protected_separator
because
\protected_separator
it
\protected_separator
is
\protected_separator
vulnerable
\protected_separator
to
\protected_separator
attack,
\protected_separator
usually
\protected_separator
because
\protected_separator
it
\protected_separator
is
\protected_separator
\newline
exposed
\protected_separator
to
\protected_separator
the
\protected_separator
Internet
\protected_separator
and
\protected_separator
is
\protected_separator
a
\protected_separator
main
\protected_separator
point
\protected_separator
of
\protected_separator
contact
\protected_separator
for
\protected_separator
users
\protected_separator
of
\protected_separator
\newline
internal
\protected_separator
networks.
\protected_separator
\protected_separator
It
\protected_separator
gets
\protected_separator
its
\protected_separator
name
\protected_separator
from
\protected_separator
the
\protected_separator
highly
\protected_separator
fortified
\protected_separator
\newline
projects
\protected_separator
on
\protected_separator
the
\protected_separator
outer
\protected_separator
walls
\protected_separator
of
\protected_separator
medieval
\protected_separator
castles.
\protected_separator
\protected_separator
Bastions
\protected_separator
overlook
\protected_separator
\newline
critical
\protected_separator
areas
\protected_separator
of
\protected_separator
defense,
\protected_separator
usually
\protected_separator
having
\protected_separator
strong
\protected_separator
walls,
\protected_separator
room
\protected_separator
for
\protected_separator
\newline
extra
\protected_separator
troops,
\protected_separator
and
\protected_separator
the
\protected_separator
occasional
\protected_separator
useful
\protected_separator
tub
\protected_separator
of
\protected_separator
boiling
\protected_separator
hot
\protected_separator
oil
\protected_separator
for
\protected_separator
\newline
discouraging
\protected_separator
attackers.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
buffer
\protected_separator
overflow:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
Common
\protected_separator
coding
\protected_separator
style
\protected_separator
is
\protected_separator
to
\protected_separator
never
\protected_separator
\newline
allocate
\protected_separator
large
\protected_separator
enough
\protected_separator
buffers,
\protected_separator
and
\protected_separator
to
\protected_separator
not
\protected_separator
check
\protected_separator
for
\protected_separator
overflows.
\protected_separator
\protected_separator
When
\protected_separator
\newline
such
\protected_separator
buffers
\protected_separator
overflow,
\protected_separator
the
\protected_separator
executing
\protected_separator
program
\protected_separator
(daemon
\protected_separator
or
\protected_separator
set-uid
\protected_separator
\newline
program)
\protected_separator
can
\protected_separator
be
\protected_separator
tricked
\protected_separator
in
\protected_separator
doing
\protected_separator
some
\protected_separator
other
\protected_separator
things.
\protected_separator
\protected_separator
Generally
\protected_separator
this
\protected_separator
\newline
works
\protected_separator
by
\protected_separator
overwriting
\protected_separator
a
\protected_separator
function's
\protected_separator
return
\protected_separator
address
\protected_separator
on
\protected_separator
the
\protected_separator
stack
\protected_separator
to
\protected_separator
point
\protected_separator
\newline
to
\protected_separator
another
\protected_separator
location.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
denial
\protected_separator
of
\protected_separator
service:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
An
\protected_separator
attack
\protected_separator
that
\protected_separator
consumes
\protected_separator
the
\protected_separator
\newline
resources
\protected_separator
on
\protected_separator
your
\protected_separator
computer
\protected_separator
for
\protected_separator
things
\protected_separator
it
\protected_separator
was
\protected_separator
\protected_separator
\newline
not
\protected_separator
intended
\protected_separator
to
\protected_separator
be
\protected_separator
doing,
\protected_separator
thus
\protected_separator
preventing
\protected_separator
normal
\protected_separator
use
\protected_separator
of
\protected_separator
your
\protected_separator
network
\protected_separator
\newline
resources
\protected_separator
for
\protected_separator
legitimate
\protected_separator
purposes.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
dual-homed
\protected_separator
Host:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
A
\protected_separator
general-purpose
\protected_separator
computer
\protected_separator
system
\protected_separator
that
\protected_separator
\newline
has
\protected_separator
at
\protected_separator
least
\protected_separator
two
\protected_separator
network
\protected_separator
interfaces.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
firewall:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
A
\protected_separator
component
\protected_separator
or
\protected_separator
set
\protected_separator
of
\protected_separator
components
\protected_separator
that
\protected_separator
restricts
\protected_separator
\newline
access
\protected_separator
between
\protected_separator
a
\protected_separator
protected
\protected_separator
network
\protected_separator
and
\protected_separator
the
\protected_separator
Internet,
\protected_separator
or
\protected_separator
between
\protected_separator
other
\protected_separator
\newline
sets
\protected_separator
of
\protected_separator
networks.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
host:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
A
\protected_separator
computer
\protected_separator
system
\protected_separator
attached
\protected_separator
to
\protected_separator
a
\protected_separator
network.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
IP
\protected_separator
spoofing:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
IP
\protected_separator
Spoofing
\protected_separator
is
\protected_separator
a
\protected_separator
complex
\protected_separator
technical
\protected_separator
attack
\protected_separator
\newline
that
\protected_separator
is
\protected_separator
made
\protected_separator
up
\protected_separator
of
\protected_separator
several
\protected_separator
components.
\protected_separator
\protected_separator
It
\protected_separator
is
\protected_separator
a
\protected_separator
security
\protected_separator
exploit
\protected_separator
that
\protected_separator
\newline
works
\protected_separator
by
\protected_separator
tricking
\protected_separator
computers
\protected_separator
in
\protected_separator
a
\protected_separator
trust
\protected_separator
relationship
\protected_separator
into
\protected_separator
thinking
\protected_separator
that
\protected_separator
\newline
you
\protected_separator
are
\protected_separator
someone
\protected_separator
that
\protected_separator
you
\protected_separator
really
\protected_separator
aren't.
\protected_separator
\protected_separator
There
\protected_separator
is
\protected_separator
an
\protected_separator
extensive
\protected_separator
paper
\protected_separator
\newline
written
\protected_separator
by
\protected_separator
daemon9,
\protected_separator
route,
\protected_separator
and
\protected_separator
infinity
\protected_separator
in
\protected_separator
the
\protected_separator
Volume
\protected_separator
Seven,
\protected_separator
Issue
\protected_separator
\newline
Forty-Eight
\protected_separator
issue
\protected_separator
of
\protected_separator
Phrack
\protected_separator
Magazine.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
non-repudiation:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
The
\protected_separator
property
\protected_separator
of
\protected_separator
a
\protected_separator
receiver
\protected_separator
being
\protected_separator
able
\protected_separator
\newline
to
\protected_separator
prove
\protected_separator
that
\protected_separator
the
\protected_separator
sender
\protected_separator
of
\protected_separator
some
\protected_separator
data
\protected_separator
did
\protected_separator
in
\protected_separator
fact
\protected_separator
send
\protected_separator
the
\protected_separator
data
\protected_separator
even
\protected_separator
\newline
though
\protected_separator
the
\protected_separator
sender
\protected_separator
might
\protected_separator
later
\protected_separator
deny
\protected_separator
ever
\protected_separator
having
\protected_separator
sent
\protected_separator
it.
\protected_separator
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
packet:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
The
\protected_separator
fundamental
\protected_separator
unit
\protected_separator
of
\protected_separator
communication
\protected_separator
on
\protected_separator
the
\protected_separator
\newline
Internet.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
packet
\protected_separator
filtering:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
The
\protected_separator
action
\protected_separator
a
\protected_separator
device
\protected_separator
takes
\protected_separator
to
\protected_separator
\newline
selectively
\protected_separator
control
\protected_separator
the
\protected_separator
flow
\protected_separator
of
\protected_separator
data
\protected_separator
to
\protected_separator
and
\protected_separator
from
\protected_separator
a
\protected_separator
network.
\protected_separator
\protected_separator
Packet
\protected_separator
\newline
filters
\protected_separator
allow
\protected_separator
or
\protected_separator
block
\protected_separator
packets,
\protected_separator
usually
\protected_separator
while
\protected_separator
routing
\protected_separator
them
\protected_separator
from
\protected_separator
one
\protected_separator
\newline
network
\protected_separator
to
\protected_separator
another
\protected_separator
(most
\protected_separator
often
\protected_separator
from
\protected_separator
the
\protected_separator
Internet
\protected_separator
to
\protected_separator
an
\protected_separator
internal
\protected_separator
\newline
network,
\protected_separator
and
\protected_separator
vice-versa).
\protected_separator
To
\protected_separator
accomplish
\protected_separator
packet
\protected_separator
filtering,
\protected_separator
you
\protected_separator
set
\protected_separator
up
\protected_separator
\newline
rules
\protected_separator
that
\protected_separator
specify
\protected_separator
what
\protected_separator
types
\protected_separator
of
\protected_separator
packets
\protected_separator
(those
\protected_separator
to
\protected_separator
or
\protected_separator
from
\protected_separator
a
\protected_separator
\newline
particular
\protected_separator
IP
\protected_separator
address
\protected_separator
or
\protected_separator
port)
\protected_separator
are
\protected_separator
to
\protected_separator
be
\protected_separator
allowed
\protected_separator
and
\protected_separator
what
\protected_separator
types
\protected_separator
are
\protected_separator
to
\protected_separator
\newline
be
\protected_separator
blocked.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
perimeter
\protected_separator
network:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
A
\protected_separator
network
\protected_separator
added
\protected_separator
between
\protected_separator
a
\protected_separator
protected
\protected_separator
\newline
network
\protected_separator
and
\protected_separator
an
\protected_separator
external
\protected_separator
network,
\protected_separator
in
\protected_separator
order
\protected_separator
to
\protected_separator
provide
\protected_separator
an
\protected_separator
additional
\protected_separator
\newline
layer
\protected_separator
of
\protected_separator
security.
\protected_separator
\protected_separator
A
\protected_separator
perimeter
\protected_separator
network
\protected_separator
is
\protected_separator
sometimes
\protected_separator
called
\protected_separator
a
\protected_separator
DMZ.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
proxy
\protected_separator
server:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
A
\protected_separator
program
\protected_separator
that
\protected_separator
deals
\protected_separator
with
\protected_separator
external
\protected_separator
\newline
servers
\protected_separator
on
\protected_separator
behalf
\protected_separator
of
\protected_separator
internal
\protected_separator
clients.
\protected_separator
\protected_separator
Proxy
\protected_separator
clients
\protected_separator
talk
\protected_separator
to
\protected_separator
proxy
\protected_separator
\newline
servers,
\protected_separator
which
\protected_separator
relay
\protected_separator
approved
\protected_separator
client
\protected_separator
requests
\protected_separator
to
\protected_separator
real
\protected_separator
servers,
\protected_separator
and
\protected_separator
\newline
relay
\protected_separator
answers
\protected_separator
back
\protected_separator
to
\protected_separator
clients.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\series
\protected_separator
bold
\protected_separator
superuser:
\newline
\series
\protected_separator
default
\protected_separator
\protected_separator
An
\protected_separator
informal
\protected_separator
name
\protected_separator
for
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
root
\newline
\family
\protected_separator
default
\protected_separator
.
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\end_deeper
\newline
\protected_separator
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Section
\newline
Frequently
\protected_separator
Asked
\protected_separator
Questions
\newline
\begin_inset
\protected_separator
LatexCommand
\protected_separator
\label{q-and-a}
\newline
\end_inset
\protected_separator
\newline
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\begin_deeper
\layout Enumerate
\protected_separator
\newline
\protected_separator
Is
\protected_separator
it
\protected_separator
more
\protected_separator
secure
\protected_separator
to
\protected_separator
compile
\protected_separator
driver
\protected_separator
support
\protected_separator
directly
\protected_separator
into
\protected_separator
the
\protected_separator
\newline
kernel,
\protected_separator
instead
\protected_separator
of
\protected_separator
making
\protected_separator
it
\protected_separator
a
\protected_separator
module?
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Answer:
\protected_separator
Some
\protected_separator
people
\protected_separator
think
\protected_separator
it
\protected_separator
is
\protected_separator
better
\protected_separator
to
\protected_separator
disable
\protected_separator
the
\protected_separator
ability
\protected_separator
to
\protected_separator
load
\protected_separator
\newline
device
\protected_separator
drivers
\protected_separator
using
\protected_separator
modules,
\protected_separator
because
\protected_separator
an
\protected_separator
intruder
\protected_separator
could
\protected_separator
load
\protected_separator
a
\protected_separator
Trojan
\protected_separator
\newline
module
\protected_separator
or
\protected_separator
a
\protected_separator
module
\protected_separator
that
\protected_separator
could
\protected_separator
affect
\protected_separator
system
\protected_separator
security.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
However,
\protected_separator
in
\protected_separator
order
\protected_separator
to
\protected_separator
load
\protected_separator
modules,
\protected_separator
you
\protected_separator
must
\protected_separator
be
\protected_separator
root.
\protected_separator
\protected_separator
The
\protected_separator
module
\protected_separator
\newline
object
\protected_separator
files
\protected_separator
are
\protected_separator
also
\protected_separator
only
\protected_separator
writable
\protected_separator
by
\protected_separator
root.
\protected_separator
\protected_separator
This
\protected_separator
means
\protected_separator
the
\protected_separator
intruder
\protected_separator
\newline
would
\protected_separator
need
\protected_separator
root
\protected_separator
access
\protected_separator
to
\protected_separator
insert
\protected_separator
a
\protected_separator
module.
\protected_separator
\protected_separator
If
\protected_separator
the
\protected_separator
intruder
\protected_separator
gains
\protected_separator
root
\protected_separator
\newline
access,
\protected_separator
there
\protected_separator
are
\protected_separator
more
\protected_separator
serious
\protected_separator
things
\protected_separator
to
\protected_separator
worry
\protected_separator
about
\protected_separator
than
\protected_separator
whether
\protected_separator
he
\protected_separator
\newline
will
\protected_separator
load
\protected_separator
a
\protected_separator
module.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Modules
\protected_separator
are
\protected_separator
for
\protected_separator
dynamically
\protected_separator
loading
\protected_separator
support
\protected_separator
for
\protected_separator
a
\protected_separator
particular
\protected_separator
device
\protected_separator
\newline
that
\protected_separator
may
\protected_separator
be
\protected_separator
infrequently
\protected_separator
used.
\protected_separator
\protected_separator
On
\protected_separator
server
\protected_separator
machines,
\protected_separator
or
\protected_separator
firewalls
\protected_separator
for
\protected_separator
\newline
instance,
\protected_separator
this
\protected_separator
is
\protected_separator
very
\protected_separator
unlikely
\protected_separator
to
\protected_separator
happen.
\protected_separator
\protected_separator
For
\protected_separator
this
\protected_separator
reason,
\protected_separator
it
\protected_separator
would
\protected_separator
\newline
make
\protected_separator
more
\protected_separator
sense
\protected_separator
to
\protected_separator
compile
\protected_separator
support
\protected_separator
directly
\protected_separator
into
\protected_separator
the
\protected_separator
kernel
\protected_separator
for
\protected_separator
\newline
machines
\protected_separator
acting
\protected_separator
as
\protected_separator
a
\protected_separator
server.
\protected_separator
\protected_separator
Modules
\protected_separator
are
\protected_separator
also
\protected_separator
slower
\protected_separator
than
\protected_separator
support
\protected_separator
\newline
compiled
\protected_separator
directly
\protected_separator
in
\protected_separator
the
\protected_separator
kernel.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Enumerate
\newline
\protected_separator
Why
\protected_separator
does
\protected_separator
logging
\protected_separator
in
\protected_separator
as
\protected_separator
root
\protected_separator
from
\protected_separator
a
\protected_separator
remote
\protected_separator
machine
\protected_separator
always
\protected_separator
fail?
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Answer:
\protected_separator
See
\protected_separator
\newline
\begin_inset
\protected_separator
LatexCommand
\protected_separator
\ref{
\newline
\end_inset
\newline
root-security
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
Root
\protected_separator
Security
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
.
\protected_separator
\protected_separator
This
\protected_separator
is
\protected_separator
done
\protected_separator
\newline
intentionally
\protected_separator
to
\protected_separator
prevent
\protected_separator
remote
\protected_separator
users
\protected_separator
from
\protected_separator
attempting
\protected_separator
to
\protected_separator
connect
\protected_separator
via
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
telnet
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
to
\protected_separator
your
\protected_separator
machine
\protected_separator
as
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
root
\newline
\family
\protected_separator
default
\protected_separator
,
\protected_separator
which
\protected_separator
is
\protected_separator
a
\protected_separator
serious
\protected_separator
\newline
security
\protected_separator
\newline
vulnerability,
\protected_separator
because
\protected_separator
then
\protected_separator
the
\protected_separator
root
\protected_separator
password
\protected_separator
would
\protected_separator
be
\protected_separator
transmitted,
\protected_separator
in
\protected_separator
\newline
clear
\protected_separator
text,
\protected_separator
across
\protected_separator
the
\protected_separator
network.
\protected_separator
\protected_separator
Don't
\protected_separator
forget:
\protected_separator
potential
\protected_separator
intruders
\protected_separator
have
\protected_separator
time
\protected_separator
on
\protected_separator
their
\protected_separator
\newline
side,
\protected_separator
and
\protected_separator
can
\protected_separator
run
\protected_separator
automated
\protected_separator
programs
\protected_separator
to
\protected_separator
find
\protected_separator
your
\protected_separator
\newline
password.
\protected_separator
Additionally,
\protected_separator
this
\protected_separator
is
\protected_separator
done
\protected_separator
to
\protected_separator
keep
\protected_separator
a
\protected_separator
clear
\protected_separator
record
\protected_separator
of
\protected_separator
who
\protected_separator
\newline
logged
\protected_separator
in,
\protected_separator
not
\protected_separator
just
\protected_separator
root.
\protected_separator
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Enumerate
\newline
\protected_separator
How
\protected_separator
do
\protected_separator
I
\protected_separator
enable
\protected_separator
shadow
\protected_separator
passwords
\protected_separator
on
\protected_separator
my
\protected_separator
Linux
\protected_separator
box?
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Answer:
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
To
\protected_separator
enable
\protected_separator
shadow
\protected_separator
passwords,
\protected_separator
run
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
pwconv
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
as
\protected_separator
root,
\protected_separator
and
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/shadow
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
should
\protected_separator
now
\protected_separator
exist,
\protected_separator
and
\protected_separator
be
\protected_separator
used
\protected_separator
by
\protected_separator
applications.
\protected_separator
\newline
If
\protected_separator
you
\protected_separator
are
\protected_separator
using
\protected_separator
RH
\protected_separator
4.2
\protected_separator
or
\protected_separator
above,
\protected_separator
the
\protected_separator
PAM
\protected_separator
modules
\protected_separator
will
\protected_separator
automatically
\protected_separator
\newline
adapt
\protected_separator
to
\protected_separator
the
\protected_separator
change
\protected_separator
from
\protected_separator
using
\protected_separator
normal
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/passwd
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
to
\protected_separator
shadow
\protected_separator
\newline
passwords
\protected_separator
without
\protected_separator
any
\protected_separator
other
\protected_separator
change.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Some
\protected_separator
background:
\protected_separator
shadow
\protected_separator
passwords
\protected_separator
is
\protected_separator
a
\protected_separator
mechanism
\protected_separator
for
\protected_separator
storing
\protected_separator
your
\protected_separator
\newline
password
\protected_separator
in
\protected_separator
a
\protected_separator
file
\protected_separator
other
\protected_separator
than
\protected_separator
the
\protected_separator
normal
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/passwd
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
file.
\protected_separator
\protected_separator
This
\protected_separator
has
\protected_separator
\newline
several
\protected_separator
advantages.
\protected_separator
\protected_separator
The
\protected_separator
first
\protected_separator
one
\protected_separator
is
\protected_separator
that
\protected_separator
the
\protected_separator
shadow
\protected_separator
file,
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/shadow
\newline
\family
\protected_separator
default
\protected_separator
,
\protected_separator
is
\protected_separator
only
\protected_separator
readable
\protected_separator
by
\protected_separator
root,
\protected_separator
unlike
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/passwd
\newline
\family
\protected_separator
default
\protected_separator
,
\protected_separator
\newline
which
\protected_separator
must
\protected_separator
remain
\protected_separator
readable
\protected_separator
by
\protected_separator
everyone.
\protected_separator
\protected_separator
The
\protected_separator
other
\protected_separator
advantage
\protected_separator
is
\protected_separator
that
\protected_separator
as
\protected_separator
the
\protected_separator
\newline
administrator,
\protected_separator
you
\protected_separator
can
\protected_separator
enable
\protected_separator
or
\protected_separator
disable
\protected_separator
accounts
\protected_separator
without
\protected_separator
everyone
\protected_separator
\newline
knowing
\protected_separator
the
\protected_separator
status
\protected_separator
of
\protected_separator
other
\protected_separator
users'
\protected_separator
accounts.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
The
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/passwd
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
file
\protected_separator
is
\protected_separator
then
\protected_separator
used
\protected_separator
to
\protected_separator
store
\protected_separator
user
\protected_separator
and
\protected_separator
group
\protected_separator
names,
\protected_separator
used
\protected_separator
\newline
by
\protected_separator
programs
\protected_separator
like
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/bin/ls
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
to
\protected_separator
map
\protected_separator
the
\protected_separator
user
\protected_separator
ID
\protected_separator
to
\protected_separator
the
\protected_separator
proper
\protected_separator
user
\protected_separator
name
\protected_separator
\newline
in
\protected_separator
a
\protected_separator
directory
\protected_separator
listing.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
The
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/shadow
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
file
\protected_separator
then
\protected_separator
only
\protected_separator
contains
\protected_separator
the
\protected_separator
user
\protected_separator
name
\protected_separator
and
\protected_separator
his/her
\protected_separator
\newline
password,
\protected_separator
and
\protected_separator
perhaps
\protected_separator
accounting
\protected_separator
information,
\protected_separator
like
\protected_separator
when
\protected_separator
the
\protected_separator
account
\protected_separator
\newline
expires,
\protected_separator
etc.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
To
\protected_separator
enable
\protected_separator
shadow
\protected_separator
passwords,
\protected_separator
run
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
pwconv
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
as
\protected_separator
root,
\protected_separator
and
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/shadow
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
should
\protected_separator
now
\protected_separator
exist,
\protected_separator
and
\protected_separator
be
\protected_separator
used
\protected_separator
by
\protected_separator
applications.
\protected_separator
\newline
Since
\protected_separator
you
\protected_separator
are
\protected_separator
using
\protected_separator
RH
\protected_separator
4.2
\protected_separator
or
\protected_separator
above,
\protected_separator
the
\protected_separator
PAM
\protected_separator
modules
\protected_separator
will
\protected_separator
automatically
\protected_separator
\newline
adapt
\protected_separator
to
\protected_separator
the
\protected_separator
change
\protected_separator
from
\protected_separator
using
\protected_separator
normal
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/passwd
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
to
\protected_separator
shadow
\protected_separator
\newline
passwords
\protected_separator
without
\protected_separator
any
\protected_separator
other
\protected_separator
change.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Since
\protected_separator
you're
\protected_separator
interested
\protected_separator
in
\protected_separator
securing
\protected_separator
your
\protected_separator
passwords,
\protected_separator
perhaps
\protected_separator
you
\protected_separator
would
\protected_separator
\newline
also
\protected_separator
be
\protected_separator
interested
\protected_separator
in
\protected_separator
generating
\protected_separator
good
\protected_separator
passwords
\protected_separator
to
\protected_separator
begin
\protected_separator
with.
\protected_separator
\protected_separator
For
\protected_separator
\newline
this
\protected_separator
you
\protected_separator
can
\protected_separator
use
\protected_separator
the
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
pam_cracklib
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
module,
\protected_separator
which
\protected_separator
is
\protected_separator
part
\protected_separator
of
\protected_separator
PAM.
\protected_separator
\protected_separator
It
\protected_separator
\newline
runs
\protected_separator
your
\protected_separator
password
\protected_separator
against
\protected_separator
the
\protected_separator
Crack
\protected_separator
libraries
\protected_separator
to
\protected_separator
help
\protected_separator
you
\protected_separator
decide
\protected_separator
if
\protected_separator
\newline
it
\protected_separator
is
\protected_separator
too-easily
\protected_separator
guessable
\protected_separator
by
\protected_separator
password-cracking
\protected_separator
programs.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Enumerate
\newline
\protected_separator
How
\protected_separator
can
\protected_separator
I
\protected_separator
enable
\protected_separator
the
\protected_separator
Apache
\protected_separator
SSL
\protected_separator
extensions?
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Answer:
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\layout Enumerate
\protected_separator
\newline
Get
\protected_separator
SSLeay
\protected_separator
0.8.0
\protected_separator
or
\protected_separator
later
\protected_separator
from
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\url{
\newline
\end_inset
\newline
ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
{urlnam}
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Enumerate
\newline
Build
\protected_separator
and
\protected_separator
test
\protected_separator
and
\protected_separator
install
\protected_separator
it!
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Enumerate
\newline
Get
\protected_separator
Apache
\protected_separator
source
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Enumerate
\newline
Get
\protected_separator
Apache
\protected_separator
SSLeay
\protected_separator
extensions
\protected_separator
from
\protected_separator
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
\url{
\newline
\end_inset
\newline
ftp://ftp.ox.ac.uk/pub/crypto/SSL/
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
here
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Enumerate
\newline
Unpack
\protected_separator
it
\protected_separator
in
\protected_separator
the
\protected_separator
apache
\protected_separator
source
\protected_separator
directory
\protected_separator
and
\protected_separator
patch
\protected_separator
Apache
\protected_separator
as
\protected_separator
\newline
per
\protected_separator
the
\protected_separator
README.
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Enumerate
\newline
Configure
\protected_separator
and
\protected_separator
build
\protected_separator
it.
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
You
\protected_separator
might
\protected_separator
also
\protected_separator
try
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
http://www.zedz.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
ZEDZ
\protected_separator
net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
which
\protected_separator
has
\protected_separator
many
\protected_separator
pre-built
\protected_separator
packages,
\protected_separator
and
\protected_separator
is
\protected_separator
located
\protected_separator
outside
\protected_separator
of
\protected_separator
the
\protected_separator
United
\protected_separator
States.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Enumerate
\newline
\protected_separator
How
\protected_separator
can
\protected_separator
I
\protected_separator
manipulate
\protected_separator
user
\protected_separator
accounts,
\protected_separator
and
\protected_separator
still
\protected_separator
retain
\protected_separator
security?
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Answer:
\protected_separator
\protected_separator
most
\protected_separator
distributions
\protected_separator
contain
\protected_separator
a
\protected_separator
great
\protected_separator
number
\protected_separator
of
\protected_separator
tools
\protected_separator
to
\protected_separator
change
\protected_separator
\newline
the
\protected_separator
properties
\protected_separator
of
\protected_separator
user
\protected_separator
accounts.
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\layout Itemize
\protected_separator
\newline
The
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
pwconv
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
and
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
unpwconv
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
programs
\protected_separator
can
\protected_separator
be
\protected_separator
used
\protected_separator
to
\protected_separator
convert
\protected_separator
\protected_separator
\newline
between
\protected_separator
shadow
\protected_separator
and
\protected_separator
non-shadowed
\protected_separator
passwords.
\protected_separator
\newline
\layout Itemize
\newline
The
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
pwck
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
and
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
grpck
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
programs
\protected_separator
can
\protected_separator
be
\protected_separator
used
\protected_separator
to
\protected_separator
verify
\protected_separator
proper
\protected_separator
\newline
organization
\protected_separator
of
\protected_separator
the
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
passwd
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
and
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
group
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
files.
\protected_separator
\newline
\layout Itemize
\newline
The
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
useradd
\newline
\family
\protected_separator
default
\protected_separator
,
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
usermod
\newline
\family
\protected_separator
default
\protected_separator
,
\protected_separator
and
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
userdel
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
programs
\protected_separator
can
\protected_separator
be
\protected_separator
used
\protected_separator
to
\protected_separator
\newline
add,
\protected_separator
delete
\protected_separator
and
\protected_separator
modify
\protected_separator
user
\protected_separator
accounts.
\protected_separator
\protected_separator
The
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
groupadd
\newline
\family
\protected_separator
default
\protected_separator
,
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
groupmod
\newline
\family
\protected_separator
default
\protected_separator
,
\protected_separator
and
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
groupdel
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
programs
\protected_separator
will
\protected_separator
do
\protected_separator
the
\protected_separator
same
\protected_separator
for
\protected_separator
groups.
\protected_separator
\newline
\layout Itemize
\newline
Group
\protected_separator
passwords
\protected_separator
can
\protected_separator
be
\protected_separator
created
\protected_separator
using
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
gpasswd
\newline
\family
\protected_separator
default
\protected_separator
.
\protected_separator
\newline
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
All
\protected_separator
these
\protected_separator
programs
\protected_separator
are
\protected_separator
"shadow-aware"
\protected_separator
--
\protected_separator
that
\protected_separator
is,
\protected_separator
if
\protected_separator
you
\protected_separator
enable
\protected_separator
shadow
\protected_separator
\newline
they
\protected_separator
will
\protected_separator
use
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
/etc/shadow
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
for
\protected_separator
password
\protected_separator
information,
\protected_separator
otherwise
\protected_separator
they
\protected_separator
won't.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
See
\protected_separator
the
\protected_separator
respective
\protected_separator
man
\protected_separator
pages
\protected_separator
for
\protected_separator
further
\protected_separator
information.
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout Itemize
\newline
\protected_separator
How
\protected_separator
can
\protected_separator
I
\protected_separator
password-protect
\protected_separator
specific
\protected_separator
HTML
\protected_separator
documents
\protected_separator
using
\protected_separator
\newline
Apache?
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
I
\protected_separator
bet
\protected_separator
you
\protected_separator
didn't
\protected_separator
know
\protected_separator
about
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
http://www.apacheweek.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
http://www.apacheweek.org
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
,
\protected_separator
did
\protected_separator
you?
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
You
\protected_separator
can
\protected_separator
find
\protected_separator
information
\protected_separator
on
\protected_separator
user
\protected_separator
authentication
\protected_separator
at
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
http://www.apacheweek.com/features/userauth
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
http://www.apacheweek.com/features/userauth
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
as
\protected_separator
well
\protected_separator
as
\protected_separator
other
\protected_separator
\newline
web
\protected_separator
server
\protected_separator
security
\protected_separator
tips
\protected_separator
from
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
http://www.apache.org/docs/misc/security_tips.html
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
http://www.apache.org/docs/misc/security_tips.html
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
\newline
\end_deeper
\newline
\protected_separator
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Section
\newline
Conclusion
\newline
\begin_inset
\protected_separator
LatexCommand
\protected_separator
\label{conclusion}
\newline
\end_inset
\protected_separator
\newline
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
By
\protected_separator
subscribing
\protected_separator
to
\protected_separator
the
\protected_separator
security
\protected_separator
alert
\protected_separator
mailing
\protected_separator
lists,
\protected_separator
and
\protected_separator
keeping
\protected_separator
\newline
current,
\protected_separator
you
\protected_separator
can
\protected_separator
do
\protected_separator
a
\protected_separator
lot
\protected_separator
towards
\protected_separator
securing
\protected_separator
your
\protected_separator
machine.
\protected_separator
If
\protected_separator
you
\protected_separator
pay
\protected_separator
\newline
attention
\protected_separator
to
\protected_separator
your
\protected_separator
log
\protected_separator
files
\protected_separator
and
\protected_separator
run
\protected_separator
something
\protected_separator
like
\protected_separator
\newline
\family
\protected_separator
typewriter
\protected_separator
tripwire
\newline
\family
\protected_separator
default
\protected_separator
\protected_separator
regularly,
\protected_separator
\newline
you
\protected_separator
can
\protected_separator
do
\protected_separator
even
\protected_separator
more.
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
A
\protected_separator
reasonable
\protected_separator
level
\protected_separator
of
\protected_separator
computer
\protected_separator
security
\protected_separator
is
\protected_separator
not
\protected_separator
difficult
\protected_separator
to
\protected_separator
maintain
\protected_separator
\newline
on
\protected_separator
a
\protected_separator
home
\protected_separator
machine.
\protected_separator
More
\protected_separator
effort
\protected_separator
is
\protected_separator
required
\protected_separator
on
\protected_separator
business
\protected_separator
machines,
\protected_separator
but
\protected_separator
\newline
Linux
\protected_separator
can
\protected_separator
indeed
\protected_separator
be
\protected_separator
a
\protected_separator
secure
\protected_separator
platform.
\protected_separator
Due
\protected_separator
to
\protected_separator
the
\protected_separator
nature
\protected_separator
of
\protected_separator
Linux
\protected_separator
\newline
development,
\protected_separator
security
\protected_separator
fixes
\protected_separator
often
\protected_separator
come
\protected_separator
out
\protected_separator
much
\protected_separator
faster
\protected_separator
than
\protected_separator
they
\protected_separator
do
\protected_separator
on
\protected_separator
\newline
commercial
\protected_separator
operating
\protected_separator
systems,
\protected_separator
making
\protected_separator
Linux
\protected_separator
an
\protected_separator
ideal
\protected_separator
platform
\protected_separator
when
\protected_separator
\newline
security
\protected_separator
is
\protected_separator
a
\protected_separator
requirement.
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Section
\newline
Acknowledgments
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Information
\protected_separator
here
\protected_separator
is
\protected_separator
collected
\protected_separator
from
\protected_separator
many
\protected_separator
sources.
\protected_separator
Thanks
\protected_separator
to
\protected_separator
the
\protected_separator
\newline
following
\protected_separator
who
\protected_separator
either
\protected_separator
indirectly
\protected_separator
or
\protected_separator
directly
\protected_separator
have
\protected_separator
contributed:
\protected_separator
\newline
\begin_deeper
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Rob
\protected_separator
Riggs
\protected_separator
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:rob@DevilsThumb.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
rob@DevilsThumb.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
S.
\protected_separator
Coffin
\protected_separator
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:scoffin@netcom.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
scoffin@netcom.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Viktor
\protected_separator
Przebinda
\protected_separator
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:viktor@CRYSTAL.MATH.ou.edu
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
viktor@CRYSTAL.MATH.ou.edu
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Roelof
\protected_separator
Osinga
\protected_separator
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:roelof@eboa.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
roelof@eboa.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Kyle
\protected_separator
Hasselbacher
\protected_separator
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:kyle@carefree.quux.soltec.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
kyle@carefree.quux.soltc.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
David
\protected_separator
S.
\protected_separator
Jackson
\protected_separator
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:dsj@dsj.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
dsj@dsj.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Todd
\protected_separator
G.
\protected_separator
Ruskell
\protected_separator
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:ruskell@boulder.nist.gov
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
ruskell@boulder.nist.gov
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Rogier
\protected_separator
Wolff
\protected_separator
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:R.E.Wolff@BitWizard.nl
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
R.E.Wolff@BitWizard.nl
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Antonomasia
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:ant@notatla.demon.co.uk
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
ant@notatla.demon.co.uk
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Nic
\protected_separator
Bellamy
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:sky@wibble.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
sky@wibble.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Eric
\protected_separator
Hanchrow
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:offby1@blarg.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
offby1@blarg.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Robert
\protected_separator
J.
\protected_separator
Berger\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:rberger@ibd.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
rberger@ibd.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Ulrich
\protected_separator
Alpers
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:lurchi@cdrom.uni-stuttgart.de
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
lurchi@cdrom.uni-stuttgart.de
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
David
\protected_separator
Noha
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:dave@c-c-s.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
dave@c-c-s.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Pavel
\protected_separator
Epifanov.
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:epv@ibm.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
epv@ibm.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Joe
\protected_separator
Germuska.
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:joe@germuska.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
joe@germuska.com
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Franklin
\protected_separator
S.
\protected_separator
Werren
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:fswerren@bagpipes.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline
fswerren@bagpipes.net
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}
\newline
\end_inset
\newline
\protected_separator
\protected_separator
\newline
\newline
\layout
\protected_separator
Standard
\newline
\protected_separator
\newline
Paul
\protected_separator
Rusty
\protected_separator
Russell
\protected_separator
\begin_inset
\protected_separator
LatexDel
\protected_separator
\htmlurl{
\newline
\end_inset
\newline
mailto:Paul.Russell@rustcorp.com.au
\newline
\begin_inset
\protected_separator
LatexDel
\protected_separator
}{
\newline
\end_inset
\newline