Books - Printed Reading Material
================================

There are a number of good security books out there. This section lists a few of them. In addition to the security-specific books, security is covered in a number of other books on system administration.

   * Building Internet Firewalls, by D. Brent Chapman & Elizabeth D. Zwicky, 1st Edition September 1995, ISBN: 1-56592-124-0

   * Practical UNIX & Internet Security, 2nd Edition, by Simson Garfinkel & Gene Spafford, 2nd Edition April 1996, ISBN: 1-56592-148-8

   * Computer Security Basics, by Deborah Russell & G.T. Gangemi, Sr., 1st Edition July 1991, ISBN: 0-937175-71-4

   * Linux Network Administrator's Guide, by Olaf Kirch, 1st Edition January 1995, ISBN: 1-56592-087-2

   * PGP: Pretty Good Privacy, by Simson Garfinkel, 1st Edition December 1994, ISBN: 1-56592-098-8

   * Computer Crime: A Crimefighter's Handbook, by David Icove, Karl Seger & William VonStorch (Consulting Editor Eugene H. Spafford), 1st Edition August 1995, ISBN: 1-56592-086-4

   * Linux Security, by John S. Flowers, New Riders; ISBN: 0735700354, March 1999

   * Maximum Linux Security: A Hacker's Guide to Protecting Your Linux Server and Network, Anonymous, Paperback - 829 pages, Sams; ISBN: 0672313413, July 1999

   * Intrusion Detection, by Terry Escamilla, Paperback - 416 pages (September 1998), John Wiley and Sons; ISBN: 0471290009

   * Fighting Computer Crime, by Donn Parker, Paperback - 526 pages (September 1998), John Wiley and Sons; ISBN: 0471163783

Glossary
********

Included below are several of the most frequently used terms in computer security.
A comprehensive dictionary of computer security terms is available in the LinuxSecurity.com Dictionary.

   * `authentication:' The process of knowing that the data received is the same as the data that was sent, and that the claimed sender is in fact the actual sender.

   * `bastion host:' A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projections on the outer walls of medieval castles. Bastions overlook critical areas of defense, usually having strong walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers.

   * `buffer overflow:' A common coding style is to never allocate large enough buffers and to not check for overflows. When such a buffer overflows, the executing program (a daemon or set-uid program) can be tricked into doing something else. Generally this works by overwriting a function's return address on the stack so that it points to another location.

   * `denial of service:' An attack that consumes the resources of your computer on things it was not intended to be doing, thus preventing normal use of your network resources for legitimate purposes.

   * `dual-homed host:' A general-purpose computer system that has at least two network interfaces.

   * `firewall:' A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.

   * `host:' A computer system attached to a network.

   * `IP spoofing:' IP spoofing is a complex technical attack that is made up of several components. It is a security exploit that works by tricking computers in a trust relationship into thinking that you are someone you really aren't. There is an extensive paper on it, written by daemon9, route and infinity, in Volume Seven, Issue Forty-Eight of Phrack Magazine.
   * `non-repudiation:' The property of a receiver being able to prove that the sender of some data did in fact send the data, even though the sender might later deny ever having sent it.

   * `packet:' The fundamental unit of communication on the Internet.

   * `packet filtering:' The action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice versa). To accomplish packet filtering, you set up rules that specify what types of packets (those to or from a particular IP address or port) are to be allowed and what types are to be blocked.

   * `perimeter network:' A network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ.

   * `proxy server:' A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests to real servers, and relay answers back to clients.

   * `superuser:' An informal name for `root'.

Frequently Asked Questions
**************************

1. Is it more secure to compile driver support directly into the kernel, instead of making it a module?

Answer: Some people think it is better to disable the ability to load device drivers as modules, because an intruder could load a Trojan module or a module that could affect system security. However, in order to load modules, you must be root. The module object files are also only writable by root. This means the intruder would need root access to insert a module. If the intruder gains root access, there are more serious things to worry about than whether he will load a module.
Modules are for dynamically loading support for a particular device that may be infrequently used. On server machines, or firewalls for instance, this is very unlikely to happen. For this reason, it makes more sense to compile support directly into the kernel for machines acting as a server. Modules are also slower than support compiled directly into the kernel.

2. Why does logging in as root from a remote machine always fail?

Answer: See *Note Root Security::. This is done intentionally to prevent remote users from attempting to connect via `telnet' to your machine as `root', which is a serious security vulnerability, because the root password would then be transmitted, in clear text, across the network. Don't forget: potential intruders have time on their side, and can run automated programs to find your password. Additionally, this is done to keep a clear record of who logged in, not just that root did.

3. How do I enable shadow passwords on my Linux box?

Answer: To enable shadow passwords, run `pwconv' as root; `/etc/shadow' should now exist and be used by applications. If you are using RH 4.2 or above, the PAM modules will automatically adapt to the change from the normal `/etc/passwd' to shadow passwords without any other change.

Some background: shadow passwords are a mechanism for storing your password in a file other than the normal `/etc/passwd' file. This has several advantages. The first is that the shadow file, `/etc/shadow', is only readable by root, unlike `/etc/passwd', which must remain readable by everyone. The other advantage is that, as the administrator, you can enable or disable accounts without everyone knowing the status of other users' accounts. The `/etc/passwd' file is then used to store user and group names, used by programs like `/bin/ls' to map the user ID to the proper user name in a directory listing.
The `/etc/shadow' file then only contains the user name and his/her password, and perhaps accounting information, like when the account expires.

Since you're interested in securing your passwords, perhaps you would also be interested in generating good passwords to begin with. For this you can use the `pam_cracklib' module, which is part of PAM. It runs your password against the Crack libraries to help you decide if it is too easily guessable by password-cracking programs.

4. How can I enable the Apache SSL extensions?

Answer:

  1. Get SSLeay 0.8.0 or later from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL
  2. Build, test and install it!
  3. Get the Apache source.
  4. Get the Apache SSLeay extensions from ftp://ftp.ox.ac.uk/pub/crypto/SSL/
  5. Unpack it in the Apache source directory and patch Apache as per the README.
  6. Configure and build it.

You might also try ZEDZ net, which has many pre-built packages and is located outside of the United States.

5. How can I manipulate user accounts, and still retain security?

Answer: Most distributions contain a great number of tools to change the properties of user accounts.

   * The `pwconv' and `pwunconv' programs can be used to convert between shadowed and non-shadowed passwords.

   * The `pwck' and `grpck' programs can be used to verify proper organization of the `passwd' and `group' files.

   * The `useradd', `usermod', and `userdel' programs can be used to add, delete and modify user accounts. The `groupadd', `groupmod', and `groupdel' programs do the same for groups.

   * Group passwords can be created using `gpasswd'.
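As an added example (not from the HOWTO), here is a small POSIX shell audit in the spirit of `pwck' that ties together questions 3 and 5: it reports accounts whose password field in a passwd-format file is not the shadow marker `x' (a hash still sitting in the world-readable file, or no password at all), and checks that a shadow file carries the owner-only read mode the HOWTO describes. The passwd entries below are constructed sample data and the hash is not a real one.

```shell
#!/bin/sh
# Added example, not part of the Security HOWTO. Audits a passwd file after a
# pwconv run: every password field should be the shadow marker "x".

# Constructed sample: root and daemon are shadowed, alice still carries a
# (fake) hash in the world-readable file, guest has no password at all.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:$1$saltsalt$ConstructedNotARealHash:1000:1000:Alice:/home/alice:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh'

# Read passwd-format lines on stdin; print "user reason" for each account
# whose password is not kept in /etc/shadow. Prints nothing when all is well.
unshadowed_accounts() {
    awk -F: '
        NF < 7    { next }                                   # skip malformed lines
        $2 == "x" { next }                                   # shadowed: fine
        $2 == ""  { printf "%s empty-password\n", $1; next } # login needs no password
                  { printf "%s hash-in-passwd\n", $1 }       # hash is world-readable
    '
}

# Return 0 when the file is readable by neither group nor other (the
# root-only mode the HOWTO describes for /etc/shadow), 1 otherwise.
# The mode string comes from ls -l so this stays POSIX (no GNU stat needed).
shadow_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????-??-??) return 0 ;;   # group read (col 5) and other read (col 8) both clear
        *)          return 1 ;;
    esac
}

# Demonstration on the constructed sample, then on the live shadow file if present.
printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_accounts
if [ -e /etc/shadow ]; then
    shadow_perms_ok /etc/shadow && echo "/etc/shadow: not readable by group or other" \
                                || echo "/etc/shadow: WARNING readable by group or other"
fi
```

Distributions that give a dedicated `shadow' group read access use mode 640; if that is your policy, relax the pattern to `???????-??' so only the other-read bit is checked.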
All these programs are "shadow-aware" - that is, if you enable shadow passwords they will use `/etc/shadow' for password information, otherwise they won't. See the respective man pages for further information.

6. How can I password-protect specific HTML documents using Apache?

I bet you didn't know about http://www.apacheweek.org, did you? You can find information on user authentication at http://www.apacheweek.com/features/userauth, as well as other web server security tips at http://www.apache.org/docs/misc/security_tips.html

Conclusion
**********

By subscribing to the security alert mailing lists and keeping current, you can do a lot towards securing your machine. If you pay attention to your log files and run something like `tripwire' regularly, you can do even more.

A reasonable level of computer security is not difficult to maintain on a home machine. More effort is required on business machines, but Linux can indeed be a secure platform. Due to the nature of Linux development, security fixes often come out much faster than they do on commercial operating systems, making Linux an ideal platform when security is a requirement.

Acknowledgments
***************

Information here is collected from many sources. Thanks to the following, who either indirectly or directly have contributed:

   Rob Riggs rob@DevilsThumb.com
   S. Coffin scoffin@netcom.com
   Viktor Przebinda viktor@CRYSTAL.MATH.ou.edu
   Roelof Osinga roelof@eboa.com
   Kyle Hasselbacher kyle@carefree.quux.soltc.net
   David S. Jackson dsj@dsj.net
   Todd G. Ruskell ruskell@boulder.nist.gov
   Rogier Wolff R.E.Wolff@BitWizard.nl
   Antonomasia ant@notatla.demon.co.uk
   Nic Bellamy sky@wibble.net
   Eric Hanchrow offby1@blarg.net
   Robert J. Berger rberger@ibd.com
   Ulrich Alpers lurchi@cdrom.uni-stuttgart.de
   David Noha dave@c-c-s.com
   Pavel Epifanov epv@ibm.net
   Joe Germuska joe@germuska.com
   Franklin S. Werren fswerren@bagpipes.net
   Paul Rusty Russell
   Christine Gaunt
   lin bhewitt@refmntutl01.afsc.noaa.gov
   A. Steinmetz astmail@yahoo.com
   Jun Morimoto morimoto@xantia.citroen.org
   Xiaotian Sun sunx@newton.me.berkeley.edu
   Camille Begnis camille@mandrakesoft.com
   Neil D neild@sympatico.ca
   Michael Tandy Michael.Tandy@BTInternet.com
   Tony Foiani tkil@scrye.com
   Matt Johnston
   Geoff Billin gbillin@turbonet.com
   Hal Burgiss hburgiss@bellsouth.net
   Ian Macdonald
   M.Kiesel
   Mario Kratzer kratzer@mathematik.uni-marburg.de
   Othmar Pasteka pasteka@kabsi.at
   Robert M rom@romab.com
   Cinnamon Lowe clowe@cinci.rr.com

The following have translated this HOWTO into various other languages! A special thank you to all of them for helping spread the Linux word...

   Polish: Ziemek Borowski ziembor@FAQ-bot.ZiemBor.Waw.PL
   Japanese: FUJIWARA Teruyoshi fjwr@mtj.biglobe.ne.jp
   Indonesian: Tedi Heriyanto 22941219@students.ukdw.ac.id
   Korean: Bume Chang Boxcar0001@aol.com
   Spanish: Juan Carlos Fernandez piwiman@visionnetware.com
   Dutch: "Nine Matthijssen" nine@matthijssen.nl
   Norwegian: ketil@vestby.com
   Turkish: tufan karadere tufank@metu.edu.tr