Sams Maximum Linux Security


MAXIMUM LINUX SECURITY
SECOND EDITION

Anonymous
with revisions by John Ray

201 West 103rd Street, Indianapolis, Indiana, 46290

Maximum Linux Security, Second Edition

Copyright 2001 by Sams Publishing

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

International Standard Book Number: 0-672-32134-3
Library of Congress Catalog Card Number: 00-111262
Printed in the United States of America
First Printing: June 2001
04 03 02 01    4 3 2 1

Trademarks

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Sams cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The author(s) and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.

ACQUISITIONS EDITOR: Shelley Johnston Markanday
DEVELOPMENT EDITOR: Scott D. Meyers
MANAGING EDITOR: Charlotte Clapp
PROJECT EDITOR: Leah Kirkpatrick
COPY EDITOR: Michael Henry
INDEXER: Rebecca Salerno
PROOFREADER: Daniel Ponder
TECHNICAL EDITORS: Jason Byars, Steve Epstein
TEAM COORDINATOR: Amy Patton
MEDIA DEVELOPER: Dan Scherf
INTERIOR DESIGNER: Gary Adair
COVER DESIGNER: Aren Howell
Contents at a Glance Introduction 1Part ILinux Security Basics 71Introducing Linux Security 92Physical Security 293Installation Issues 594Basic Linux System Administration 95Part II Linux User Security 1375Password Attacks 1396Data Attacks 191 Part III Linux Network Security2197Malicious Code 2218Sniffers and Electronic Eavesdropping 2519Scanners 281 10Spoofing 325 Part IVLinux Internet Security 345 11FTP Security 347 12Mail Security 367 13Telnet and SSH Security 399 14Web Server Security 435 15Secure Web Protocols 479 16Secure Web Development 503 17File Sharing Security 531 18Denial-of-Service Attacks 549 19Linux and Firewalls 583 20Intrusion Detection 611 21Logs and Audit Trails 633 22Disaster Recovery 663 4. Part V Appendixes685 ALinux Security Command Reference 687 BLinux Security IndexPast Linux Security Issues 723 COther Useful Linux Security Utilities/Applications 741 DLinux/Unix Security Tools 767 EGlossary 797Index 837 5. ContentsIntroduction 1PART I Linux Security Basics 7 1Introducing Linux Security 9 What Is Linux? 
......................................................................................10Linux Is Free ....................................................................................10Linux Closely Resembles Unix........................................................13Where Did Linux Come From?........................................................15Why Linux Isnt for Everyone ........................................................15 Linux as a Standalone System ..............................................................16 Linux as an Intranet/Internet Server ......................................................18 A Linux Security Overview ..................................................................19User Accounts ..................................................................................19Discretionary Access Control (DAC) ..............................................21Network Access Control ..................................................................23Encryption ........................................................................................24Built-in Logging, Auditing, and Network Monitoring ....................26Intrusion Detection ..........................................................................27 Summary ................................................................................................282Physical Security 29Server Location and Physical Access ....................................................31 The Network Operations Center (NOC) ..........................................32 Public Computing Facilities ............................................................32 Computer Use Policies ....................................................................33Network Topology ................................................................................34 Assorted Network Topologies ..........................................................34 Summary of Topology Security 
......................................................40Network Hardware ................................................................................41 Common Network Hardware Security Measures ............................42 Summary of Network Hardware ......................................................44Workstations and Security ....................................................................44 BIOS and Console Passwords ..........................................................45 Biometric Access Controls ..............................................................46 Modem Security ..............................................................................51 Anti-Theft Devices ..........................................................................53 Unique Numbers, Marking, and Other Techniques ........................55Summary ................................................................................................58 6. Maximum Linux Security vi3 Installation Issues 59 About Various Linux Distributions, Security, and Installation..............60All Distributions Are Not Created Equal ....................................63 Partitions and Security ..........................................................................65What Are Partitions, Exactly? 
..........................................................65Lumping Linux into a Single Partition ............................................70Other Advantages of Multiple Partitions..........................................73Sizing Out Partitions ........................................................................73Creating the Swap and Root Partitions ............................................76Creating the Extended Partition ......................................................78Creating Logical Partitions Within the Extended Partition..............79Other Partitioning Tools ..................................................................81Summary of Partitions and Security ................................................83 Choosing Network Services During Installation ..................................85Five Minutes to a More Secure System ..........................................87chkconfig ........................................................................................90 Boot Loaders..........................................................................................91/etc/lilo.conf: The LILO Configuration File ..............................91Summary of Boot Loaders ..............................................................93 Summary ................................................................................................94 4 Basic Linux System Administration 95The Basic Idea ......................................................................................96Your Very Own Account ..................................................................97Creating and Managing Accounts..........................................................98Account Policy ................................................................................98Account Structure ............................................................................99Adding Users 
..................................................................................103Using Your Own Tools to Add Users ............................................110Deleting Users ................................................................................111Performing Administrative Tasks with su............................................112suThe Substitute User ................................................................112Access Control ....................................................................................115Permissions and Ownership ................................................................115chmod: Changing File Permissions ................................................117A Closer Look at Groups ....................................................................127Creating Groups..............................................................................129chown: Assigning User Owner and Group Permissions ................132Removing Groups ..........................................................................134Bringing Down Your System ..............................................................135shutdown: Shutting Down Your Linux System ..............................135Summary ..............................................................................................136 7. vii CONTENTS PART II Linux User Security 1375Password Attacks 139 What Is a Password Attack? 
................................................................140 How Linux Generates and Stores Passwords ......................................141 Passwords Down Through the Ages ..............................................142 The Data Encryption Standard (DES) ................................................144 Dictionary Attacks ..........................................................................146 Case Study: Cracking Linux Passwords via Dictionary Attack ..........147 Crack ..............................................................................................147 Dictionary Attacks: A Historical Perspective ................................155 Password Shadowing and the shadow Suite ........................................157 /etc/shadow: The Password shadow Database ..............................158 Beyond Creating and Deleting Users and Groups ........................170 Possible Attacks Against Your Shadowed System ........................172 After Installing the shadow Suite ........................................................174 Human Password Choices and System Security............................174 Proactive Password Checking ........................................................179 Other Password Security Issues ..........................................................182 Password Proliferation and Security ..............................................182 Pluggable Authentication Modules......................................................185 Still Other Password Security Solutions..............................................187 Regarding Network Information Service and Password Security........................................................................187 Summary ..............................................................................................189 6Data Attacks 191 When Is Data Security Necessary?......................................................192Real-life Attacks 
............................................................................193 Forms of Data Security........................................................................194Private Keys....................................................................................194Public Keys ....................................................................................196 Common Encryption Algorithms ........................................................197 mcrypt: Installation and Usage ............................................................199Using mcrypt ..................................................................................201 GnuPG: Installing and Using a Public Key Encryption Utility ............205Generating a Keypair......................................................................206Using Your Keychain......................................................................208Encrypting and Decrypting Documents ........................................210Adding a GUI to GnuPG ..................................................................210 SteganographyTime for Something Completely Different..............214Installing and Using JPHIDE/JPSEEK ..........................................215 Additional Resources ..........................................................................217 Summary ..............................................................................................218 8. Maximum Linux Security viii PART III Linux Network Security 2197 Malicious Code 221What Is Malicious Code? ....................................................................222 What Is a Trojan? 
..........................................................................222 Viruses ............................................................................................226Detecting Malicious Code ..................................................................229 Tripwire ..........................................................................................232 Availability of Tripwire ..................................................................234 Installing Tripwire ..........................................................................234 Configuring and Running Tripwire ................................................241 Checking File Integrity with Tripwire............................................242 Summary on Tripwire ....................................................................245Other File Integrity Checking Software ..............................................245 Aide ................................................................................................246 Distributed L6 ................................................................................247 Hobgoblin ......................................................................................247 sXid ................................................................................................248 trojan.pl ......................................................................................248 Additional Resources......................................................................248Summary ..............................................................................................249 8 Sniffers and Electronic Eavesdropping 251 How Sniffers Work ..............................................................................252 Case Studies: Performing a Few Simple Sniffer Attacks ....................254linsniffer ....................................................................................254linux_sniffer 
................................................................................258hunt ................................................................................................264sniffit ..........................................................................................268 Other Sniffers and Network Monitoring Tools....................................272 Risks Posed by Sniffers ......................................................................274 Defending Against Sniffer Attacks ......................................................276ifconfig ........................................................................................277NEPED: Network Promiscuous Ethernet Detector........................277Other, More Generic Defenses Against Sniffers ............................278 Further Reading ..................................................................................279 Summary ..............................................................................................280 9 Scanners 281What Is a Scanner? ..............................................................................282 Anatomy of a System Scanner ......................................................283 Anatomy of a Network Scanner ....................................................286Scanner Building Blocks and Scanner Evolution................................290How Scanners Fit into Your Security Regimen ..................................299 9. ix CONTENTSVarious Scanner Tools ........................................................................300SAINT (Security Administrators Integrated Network Tool) ........300Nessus ............................................................................................301nmapThe Network Mapper..........................................................306CGI scanner v1.0............................................................................309Are Scanners Legal? 
......................................................................314Defending Against Scanner Attacks ....................................................315courtney (SATAN and SAINT Detector) ......................................315IcmpInfo (ICMP Scan/Bomb Detector) ........................................317scan-detector (Generic UDP Scan Detector) ..............................319klaxon ............................................................................................320Psionic PortSentry ........................................................................321Interesting Resources ..........................................................................322Summary ..............................................................................................32310Spoofing 325 What Is Spoofing All About? ..............................................................326 TCP and IP Spoofing ..........................................................................326 Case Study: A Simple Spoofing Attack ..............................................329A Sample Attack ............................................................................329TCP and IP Spoofing Tools............................................................331What Services Are Vulnerable to IP Spoofing? 
............................332 Preventing IP Spoofing Attacks ..........................................................334 ARP Spoofing ......................................................................................335Defending Against ARP Spoofing Attacks ....................................337 DNS Spoofing......................................................................................338 Other Strange Spoofing Attacks ..........................................................340 Couic ....................................................................................................342 Further Reading ..................................................................................343 Summary ..............................................................................................344PART IV Linux Internet Security 345 11FTP Security 347 File Transfer Protocol ..........................................................................348FTP Security History......................................................................348 FTPs Default Security Features..........................................................352/etc/ftpusers: The Restricted Users Access File ........................352/etc/ftpaccess: The ftpd Configuration File ..............................354 SSH File Transfers ..............................................................................360scp ..................................................................................................360sftp ................................................................................................361Alternative Solutions: SSLftp and sftp ........................................363 10. 
Maximum Linux Security xSpecific FTP Application Security ......................................................363 ncftp ..............................................................................................363 filerunner ....................................................................................364 ftpwatch ........................................................................................364 wu-ftpd ..........................................................................................364Summary ..............................................................................................365 12 Mail Security 367 SMTP Servers and Clients ..................................................................368A Simple SMTP Client ..................................................................370 sendmail Security Basics ....................................................................374sendmail Service Protection ..........................................................381Other sendmail Resources ............................................................391 Replacing sendmail with Qmail..........................................................392Qmail Installation ..........................................................................392Other Qmail Resources ..................................................................396 Summary ..............................................................................................397 13 Telnet and SSH Security 399 Telnets Security History ....................................................................400 Secure Telnet Systems ........................................................................402 deslogin ..............................................................................................402 Installing the deslogin Distribution ..............................................403 STEL (Secure Telnet) 
......................................................................409 SRA Telnet from Texas A&M University ..........................................410 The Stanford SRP Telnet/FTP Package ..............................................410 Important Documents ....................................................................411 Secure Shell (ssh) ................................................................................411 The ssh Core Utilities ....................................................................413 Quick Start: Installing the ssh Distribution ..................................413 ssh Server Configuration................................................................415 sshd Startup Command-Line Options............................................418 Starting sshd ..................................................................................421 Using the ssh Client ......................................................................423 scp: The Secure Copy Remote File Copy Program ............................425 Providing ssh Services in a Heterogeneous Network..........................425 PuTTY ............................................................................................425 Tera Term........................................................................................426 ssh Support for Macintosh..............................................................426 Examples of ssh in Action ............................................................426 ssh Security Issues ..............................................................................432 Additional Resources ..........................................................................432 Summary ..............................................................................................433 11. 
xiCONTENTS 14 Web Server Security 435 Eliminating Nonessential Services ......................................................436File Transfer Protocol (FTP) ..........................................................437finger ............................................................................................437Network File System (NFS) ..........................................................439Other RPC Services........................................................................440rwalld (The rwall Server) ............................................................441The R Services................................................................................441Other Services ................................................................................443Applying Access Control to Running Services..............................446 Web Server Security ............................................................................446httpd ..............................................................................................446Controlling Outside Access: httpd.conf ......................................447Configuration Options That Can Affect Security ..........................453The ExecCGI Option: Enabling CGI Program Execution ..............454The FollowSymLinks Option: Allowing Users toFollow Symbolic Links................................................................455The Includes Option: Enabling Server-Side Includes (SSI) ........455The Indexes Option: Enabling Directory Indexing ......................458 Adding Directory Access Control with Basic HTTP Authentication ..................................................................................459htpasswd ........................................................................................460 Weaknesses in Basic HTTP Authentication ........................................465 HTTP and Cryptographic Authentication............................................466Adding MD5 Digest 
Authentication ..............................................467 Running a chroot Web Environment ..................................................468 WebDAV ..............................................................................................469Installing and Configuring WebDAV ............................................470Using WebDAV on Mac OS X ......................................................471Using WebDAV on Windows ........................................................473 Accreditation and Certification............................................................475PricewaterhouseCoopers, Resource ProtectionServices (USA) ..........................................................................475The American Institute of Certified PublicAccountants (AICPA) ................................................................475International Computer Security Association(Previously NCSA) ......................................................................476Troy Systems ..................................................................................477 Summary ..............................................................................................477 12. 
Maximum Linux Security xii15 Secure Web Protocols 479 The Problem ........................................................................................480 Secure Sockets Layer (SSL) from Netscape Communications Corporation ..........................................................480SSLs Security History ..................................................................481 Installing mod_ssl ................................................................................485Unpacking, Compiling, and Installing OpenSSL ..........................485Unpacking, Compiling, and Installing mod_ssl ............................487Testing the Server ..........................................................................494About Certificates and Certificate Authorities ..............................500Summary of Apache-SSL ..............................................................501Further Reading on SSL ................................................................502 Summary ..............................................................................................502 16 Secure Web Development 503 Development Risk Factors: A Wide Overview....................................504 Spawning Shells ..................................................................................504Executing Shell Commands with system() ..................................505popen() in C and C++ ....................................................................509open() in Perl ................................................................................511eval (Perl and shell) ......................................................................513exec() in Perl ................................................................................513 Buffer Overruns ..................................................................................513About User Input in General ..........................................................516 Paths, Directories, and Files 
................................................................517chdir() ..........................................................................................519Files ................................................................................................519 Embedded Programming Languages ..................................................519Installing PHP ................................................................................522Other Embedded Languages ..........................................................525 Automated CGI Testing Tools ............................................................526Other Interesting Security Programming and Testing Tools..........527 Other Online Resources ......................................................................529 Summary ..............................................................................................529 17 File Sharing Security 531Linux as a File Server..........................................................................532Samba ..................................................................................................533 Global Directives ............................................................................534 Share-Level Directives ..................................................................537 SWAT..............................................................................................540 Other Resources..............................................................................541 13. 
  Netatalk ..... 542
    Basic Netatalk Configuration ..... 543
    Additional Information ..... 544
  NFS Security ..... 545
    exports ..... 546
    Other References ..... 546
  Virtual Private Networks ..... 547
    IPSEC ..... 547
  Summary ..... 548

18 Denial-of-Service Attacks ..... 549
  What Is a Denial-of-Service Attack? ..... 551
  Risks Posed by Denial-of-Service Attacks ..... 552
    Distributed Denial-of-Service Attacks (DDoS) ..... 553
  How This Chapter Is Laid Out ..... 554
  Network Hardware DoS Attacks ..... 554
  Attacks on Linux Networking ..... 558
    knfsd Attack ..... 559
    ICMP Fragmentation Attack ..... 560
    sesquipedalian.c ..... 560
    inetd and NMAP ..... 562
    lpd Bogus Print Requests ..... 563
    mimeflood.pl ..... 563
    portmap (and Other RPC Services) ..... 564
    Unix Socket Garbage Collection DoS ..... 564
    time and daytime DoS ..... 565
    teardrop.c ..... 566
    identd Open Socket Flood ..... 568
    Lynx/chargen Browser Attack ..... 568
    nestea.c ..... 569
    pong.c and ICMP Floods ..... 569
    The Ping of Death ..... 570
    octopus.c ..... 571
  Attacks on Linux Applications ..... 573
    Netscape Communicator Content Type (1) ..... 573
    Netscape Communicator Content Type (2) ..... 573
    passwd Resource Starvation ..... 574
    xdm ..... 575
    wtmp Lock ..... 575
  Other DoS Attacks ..... 576
  Defending Against Denial-of-Service Attacks ..... 579
  Online Resources ..... 580
  Summary ..... 581
19 Linux and Firewalls ..... 583
  What Is a Firewall? ..... 584
    Network-Level Firewalls: Packet Filters ..... 585
    Application-Proxy Firewalls/Application Gateways ..... 586
  Assessing Whether You Really Need a Firewall ..... 588
  Internet Gateway/Firewalls ..... 589
  tcpd: TCP Wrappers ..... 592
    TCP Wrappers and Network Access Control ..... 595
    Summary of TCP Wrappers ..... 598
  ipfwadm ..... 598
    ipfwadm Basics ..... 599
    Configuring ipfwadm ..... 602
  ipchains ..... 603
    ipchains Security History ..... 604
  iptables ..... 604
  Free Firewall Tools and Add-ons for Linux ..... 605
  Commercial Firewalls ..... 606
    CSM Proxy/Enterprise Edition ..... 607
    GNAT Box Firewall ..... 607
    NetScreen ..... 607
    Sun Cobalt Adaptive Firewall ..... 608
    PIX Firewall ..... 608
  Additional Resources ..... 608
  Summary ..... 610

20 Intrusion Detection ..... 611
  What Is Intrusion Detection? ..... 612
  Basic Intrusion Detection Concepts ..... 613
  Some Interesting Intrusion Detection Tools ..... 615
    chkwtmp ..... 615
    tcplogd ..... 616
    Snort ..... 617
    HostSentry ..... 618
    Shadow ..... 619
    MOM ..... 620
    The HummingBird System ..... 621
    AAFID (Autonomous Agents for Intrusion Detection) ..... 622
  Practical Intrusion Detection ..... 623
    PortSentry ..... 624
    Installing and Configuring PortSentry ..... 625
    Automating Startup ..... 628
    Documents on Intrusion Detection ..... 629
  Summary ..... 631

21 Logs and Audit Trails ..... 633
  What Is Logging, Exactly? ..... 634
  Logging in Linux ..... 635
    lastlog ..... 636
    last ..... 637
    xferlog ..... 640
    httpd Logs ..... 641
    Samba ..... 645
    System and Kernel Messages ..... 647
    /var/log/messages: Recording System and Kernel Messages ..... 647
    Writing to syslog from Your Own Programs ..... 651
    Backing and Handling Logs ..... 654
  Other Interesting Logging and Audit Tools ..... 657
    SWATCH (The System Watcher) ..... 658
    SNORT ..... 659
    Watcher ..... 659
    NOCOL/NetConsole v4.0 ..... 660
    PingLogger ..... 660
    LogSurfer ..... 660
    Analog ..... 661
  Summary ..... 661

22 Disaster Recovery ..... 663
  What Is Disaster Recovery? ..... 664
    Why You Need a Disaster Recovery-Contingency Plan ..... 664
  Steps to Take Before Building Your Linux Network ..... 664
    Hardware Standardization ..... 664
    Software Standardization: Your Basic Config ..... 666
  Choosing Your Backup Tools ..... 669
  Simple Archiving: tarring and Zipping Your Files and Directories ..... 670
    Creating a tar Archive ..... 670
    Compressing Your tar Archive with gzip ..... 671
    kArchiver ..... 672
    cpio: Another File Archive Tool ..... 673
    Creating a Hot Archive Site ..... 674
  Types of Backups and Backup Strategies ..... 675
  Backup Packages ..... 679
    KDat ..... 679
    KBackup (from Karsten) ..... 680
    Enhanced Software Technologies BRU ..... 680
    AMANDA (the Advanced Maryland Automatic Network Disk Archiver) ..... 681
  Odds and Ends ..... 682
  Summary ..... 683
PART V Appendixes ..... 685

A Linux Security Command Reference ..... 687
  .htaccess ..... 688
  .htpasswd ..... 688
  ACUA (An Add-On) ..... 689
  amadmin ..... 689
  amanda ..... 689
  amcheck ..... 689
  amcleanup ..... 689
  amdump ..... 690
  amrestore ..... 690
  Angel Network Monitor (An Add-On) ..... 690
  AppleVolumes.default ..... 690
  APS (An Add-On) ..... 690
  arp ..... 691
  bootpd ..... 691
  cfdisk ..... 691
  chmod ..... 692
  chown ..... 692
  chroot ..... 692
  CIPE Crypto IP Encapsulation (An Add-On) ..... 693
  crypt ..... 693
  ctrlaltdel ..... 693
  Dante (An Add-On) ..... 693
  Deception Toolkit (An Add-On) ..... 694
  DOC (Domain Obscenity Control, an Add-On) ..... 694
  dns_lint (An Add-On) ..... 694
  dnswalk (An Add-On) ..... 694
  Ethereal (An Add-On) ..... 694
  exports ..... 694
  exscan (An Add-On) ..... 695
  FakeBO (An Add-On) ..... 695
  fdisk ..... 695
  finger ..... 695
  fingerd ..... 696
  ftphosts ..... 696
  ftpaccess ..... 696
  ftpd ..... 697
  ftpshut ..... 697
  ftpwho ..... 697
  GNU Privacy Guard (An Add-On) ..... 697
  halt ..... 698
  hosts_access ..... 698
  hosts.allow ..... 698
  hosts.deny ..... 698
  hosts_options ..... 698
  hosts.equiv ..... 699
  HostSentry from the Abacus Project ..... 699
  htpasswd ..... 699
  httpd ..... 700
  identd ..... 700
  IdentTCPscan (An Add-On) ..... 700
  inetd.conf ..... 700
  ip_filter (An Add-On) ..... 701
  IPAC (An Add-On) ..... 701
  IPchains ..... 702
  ipfwadm ..... 702
  IPTables ..... 702
  IPv4 & IPv6 Sniffer ..... 702
  ISS (An Add-On) ..... 702
  KSniffer (An Add-On) ..... 703
  last ..... 703
  Logcheck from the Abacus Project (An Add-On) ..... 703
  lsof (An Add-On) ..... 703
  MAT (Monitoring and Administration Tool, an Add-On) ..... 704
  WebDAV (mod_dav, an Apache Add-On) ..... 704
  mod_ssl (An Apache Add-On) ..... 704
  MOM (An Add-On) ..... 704
  msystem (An Add-On That's Made for Unix but Can Work with Linux) ..... 704
  NEPED (Network Promiscuous Ethernet Detector, an Add-On) ..... 705
  Nessus (An Add-On) ..... 705
  netstat ..... 705
  NMAP (The Network Mapper, an Add-On) ..... 705
  npasswd (An Add-On) ..... 706
  ntop (An Add-On) ..... 706
  OpenSSL ..... 706
  passwd ..... 706
  passwd+ (An Add-On) ..... 707
  pgp4pine ..... 707
  ping ..... 707
  ps ..... 708
  qmail (An Add-On) ..... 708
  QueSo (An Add-On) ..... 708
  rcmd ..... 708
  rcp ..... 709
  reboot ..... 709
  rlogin ..... 709
  rhosts ..... 709
  rhosts.dodgy (An Add-On) ..... 710
  rsh ..... 710
  scp ..... 710
  PortSentry from the Abacus Project ..... 710
  services ..... 711
  shadow ..... 711
  Shadow in a Box (An Add-On) ..... 711
  showmount ..... 711
  shutdown ..... 712
  SINUS (An Add-On) ..... 712
  smb.conf ..... 712
  Snort (An Add-On) ..... 712
  SocketScript (An Add-On) ..... 712
  ssh ..... 713
  ssh-add ..... 713
  ssh-agent ..... 713
  ssh-keygen ..... 713
  sshd ..... 713
  Strobe (An Add-On) ..... 714
  sudo ..... 714
  Swan (An Add-On) ..... 714
  sXid Secure (An Add-On) ..... 714
  sysklogd ..... 714
  System Administrator's Tool for Analyzing Networks (SATAN, an Add-On) ..... 715
  tcpd (TCP Wrappers) ..... 715
  tcpdchk ..... 715
  tcpdmatch ..... 715
  tcpdump ..... 716
  tftp ..... 716
  The Linux Shadow Password Suite (An Add-On) ..... 716
  traceroute ..... 716
  traffic-vis (An Add-On) ..... 718
  Trinux (An Add-On) ..... 718
  TripWire (An Add-On) ..... 718
  trafgraf ..... 718
  trojan.pl ..... 718
  ttysnoop ..... 719
  vipw ..... 719
  visudo ..... 719
  w ..... 719
  who ..... 720
  whois ..... 720
  xinetd.conf ..... 721
  Xlogmaster (An Add-On) ..... 721

B Linux Security Index: Older Linux Security Issues ..... 723
  Summary ..... 739

C Other Useful Linux Security Tools ..... 741

D Sources for More Information ..... 767
  Linux Security Patches, Updates, and Advisories ..... 768
  Mailing Lists ..... 768
  Usenet Newsgroups ..... 771
  Secure Programming ..... 773
  General Web Security ..... 776
  General Security Resources ..... 777
  RFCs of Interest ..... 787

E Glossary ..... 797

Index ..... 837
About the Authors

Anonymous is a self-described Unix and Perl fanatic who lives in southern California with his wife Michelle and a half-dozen computers. He currently runs an Internet security consulting company and is at work building one of the world's largest computer security archives. He also moonlights doing contract programming for several Fortune 500 firms.

John Ray is an award-winning developer and security consultant with more than 16 years of programming and administration experience. He has worked on projects for the FCC, The Ohio State University, Xerox, and the state of Florida, as well as serving as IT Director for Blue Cosmos Design, Inc. Ray has written/contributed to more than 10 titles currently in print, ranging from Using TCP/IP: Special Edition to Sams Teach Yourself Dreamweaver UltraDev 4 in 21 Days.

Dedications

For Harlie, my sister. For you, I stopped the clocks. I wound down the money machine. I bade the planets come to rest and commanded that all the winds fall silent, merely so that I could hear you. I still hear you now, laughing, as you rush through the trees in our garden.

Anonymous

In memory of Carol Neuschwander and William C. Ray, I

John Ray

Acknowledgments

The following persons were indispensable: Harry Reginald Hammond, Michael Michaleczko, Scott Lobel, David Fugate, Andrew Marsh, Tonie Villeneuve, and John Sale. Additionally, my deepest thanks to a superb editing team: Mark Taber, Scott Meyers, Shelley Johnston Markanday, Randi Roger, Jason Byars, Steve Epstein, Dan Scherf, Mike Henry, and Ben Berg.

Anonymous

Many thanks to the wonderful people at Sams, including Shelley Johnston Markanday, Scott Meyers, and Leah Kirkpatrick. I'd also like to express my gratitude to Jason and Steve, the tech editors, for checking and double-checking each example and URL, and to the original author (who shall continue to remain nameless) for creating a work that was a delight to update, yet comprehensive in scope.
Finally, a very special thanks to Amtrak security and Chicago police for not shooting me or my companion during our recent train ride.

John Ray

Tell Us What You Think!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way.

You can e-mail or write me directly to let me know what you did or didn't like about this book, as well as what we can do to make our books stronger.

Please note that I cannot help you with technical problems related to the topic of this book, and that due to the high volume of mail I receive, I might not be able to reply to every message.

When you write, please be sure to include this book's title and author as well as your name and phone or e-mail address. I will carefully review your comments and share them with the author and editors who worked on the book.

E-mail: [email protected]

Mail: Mark Taber
      Associate Publisher
      Sams Publishing
      201 West 103rd Street
      Indianapolis, IN 46290 USA

Introduction

As little as four years ago, Linux books were a rarity on the bookstand. The fledgling operating system was considered a dead-end by some, and a hobby operating system by others. The marketplace for a Linux security book was, as you might guess, remarkably small.

Today, Linux growth in the server marketplace easily outpaces commercial operating systems such as Windows NT. Expansion into the consumer arena has also started, with the maturation of the KDE and GNOME environments and the strong support of innovative companies such as Eazel.

No matter how you use Linux, you need to understand its security model. The advent of widespread broadband service has suddenly turned each connected computer into the potential tool of a hacker.
Without the proper security provisions, you risk the loss of data, theft of information, perhaps even criminal prosecution for negligence. To make matters worse, Linux distributions are not created equal. Depending on the version of Linux you're installing, you might be getting a system more secure than traditional desktop operating systems, or a computer more open and exposed than Windows NT on its worst day.

With this revision, Maximum Linux Security continues its tradition of providing the most comprehensive and up-to-date information available. Those new to Linux will enjoy the depth of coverage, and seasoned pros will appreciate the unbiased look at new and upcoming technologies. Linux security is no longer just useful to a select few, and Maximum Linux Security will continue to bring the latest tools and developments to you, the reader.

This Book's Organization

Over the course of writing several books, I've learned much about structure and organization. Armed with this knowledge, I've examined my earlier works and found serious shortcomings that might have prevented readers from quickly locating important information. To prevent that from happening again, I wrote this book with a new approach.

In particular, Maximum Linux Security is cross-referenced exceptionally well, and is therefore a more cohesive resource. Such cross-referencing inevitably leads to better indexing, too, a critical point that's often overlooked in otherwise superb books. This book's most valuable facet, in fact, might be how I cross-referenced it. Let's briefly cover that issue now.

How This Book Is Cross-Referenced

Authors of books like this one generally enjoy certain advantages. For example, imagine if this book's title were Maximum NT Security. I could write it swiftly, cover to cover, secure in the knowledge that Windows NT users have years of experience (if not with NT, with Windows 3, 3.1, 3.11, 95, and 98).
Indeed, my readers would quickly understand and implement every suggestion and tip.

But this book is a special case. Although Linux users now number more than 10 million, the majority of them have used Linux for less than one year. In fact, many are just now getting their bearings. Additionally, although excellent Linux security documentation is available online, there are few hardcopy books on the subject. Again, this is in contrast to Windows NT.

A big problem that is being addressed (albeit slowly) is the availability of GUI software for configuring much of Linux's server functionality. Unlike Windows NT, Linux was built with command-line tools and has been adding graphic interfaces to these tools over time. In the Windows world, much of the configuration is handled by centralized management software, with preferences being stored in a proprietary binary database, also known as the Registry.

Linux developers, on the other hand, often break up essential functions into separate commands, or files, or both. A good example is the tcpd system, which allows you to accept or deny network connections from specified hosts or host hierarchies. To skillfully employ tcpd, you must be familiar with several commands and files:

  /etc/hosts.allow   A table of host access rules
  /etc/hosts.deny    A table of host denial rules
  hosts_access       A system and language for establishing access rules
  hosts_options      An extension to hosts_access
  tcpd               The TCP daemon
  tcpdchk            A tool that verifies your tcpd-centric configuration
  tcpdmatch          A tool that interactively demonstrates your rules

These arrangements can be frustrating and confusing for first-time Linux users. They might become discouraged, believing that they'll never properly configure all those commands and files. This understandably contributes to Linux's reputation as a difficult-to-configure operating system.

Finally, Linux conforms to the axiom most commonly attributed to Perl programmers: "There's more than one way to do it."
Linux often has several commands that perform the same (or substantially the same) function.

My chief aim in writing Maximum Linux Security was to impart a holistic understanding of Linux security, especially to new users. To do that, I needed a way to clearly identify and cross-reference

  Groups of commands and files that must be used in concert
  Groups of commands that perform similar tasks

I settled on something that I call clusters. These are maps that point to required commands and files and related or similar tools. This has resulted in a level of context-sensitive cross-referencing rarely seen in retail technical books. Let's look at an example.

Chapter 4, "Basic Linux System Administration," will cover basic system administration tasks such as adding and deleting users. One tool you can use for this purpose is linuxconf. Linuxconf's cluster provides a basic summary about the tool:

  linuxconf
  Application: linuxconf
  Required: linuxconf+support modules
  Config Files: self-maintained
  Similar Utilities: useradd, adduser
  Security History: Version 1.11r11, as shipped with Red Hat 5.1, was SUID root (you'll learn more about SUID and its implications later in this chapter). Because linuxconf can alter many of the configuration files on a machine, this presented a very serious problem. The quick fix is to remove the inappropriate permission by typing chmod -s /bin/linuxconf. There have been other minor bugs with the program itself. These are documented in depth at http://www.solucorp.qc.ca/linuxconf/.

New users will benefit from this approach because they can quickly see the relationships between different commands or files. This is especially important when the main tool is associated with many separate configuration files, as in the case of tcpd.

But that's not all. This sort of bi-directional, context-sensitive cross-referencing (even without cluster maps) occurs throughout the book.
Wherever possible, when discussing one tool, I cross-reference similar or associated tools that are discussed elsewhere. These associative trails lead not simply to relevant chapters, sections, and man pages, but to supplementary information online.

Here's an example from Appendix A, "Linux Security Command Reference":

amadmin
  Description: Administrative interface to control amanda backups.
  Security Relevance: Use amadmin to configure the amanda backup system. For more information, please see Chapter 22, "Disaster Recovery"; amanda, amcheck, and amcleanup in this appendix; the amadmin manual page; or http://www.cs.umd.edu/projects/amanda/amanda.html.

This double-barreled approach has led to a tight book that you can use to instantly find the information you want in great detail and depth.

Using This Book

To implement the examples in this book, you'll need the following:

  Linux (Craftworks, Debian, Delix DLD, Eagle Group, Eurielec, Kheops, Linux Universe, MNIS, OpenLinux, Red Hat, SuSE, SlackWare, Stampede Linux, TransAmeritech, TurboLinux, Yggdrasil, and so on)
  A full installation, including standard TCP/IP clients and servers, GCC/EGCS, and Perl

NOTE
Examples are often dependent on either the Linux version or an application version. For instance, some tools demand recent versions of Perl, some demand gtk, some demand a.out support, and many demand ELF (Executable and Linking Format) support. Ideally, you'll have a recent Linux distribution that satisfies these requirements (examples were generated with Red Hat and Caldera Systems).

Internet connectivity is not strictly required, although extensive online resource listings are provided. Most examples can be replicated with a local Web server on a single networked machine. However, I strongly recommend that you use an intranet at the very least. Certain examples, such as testing firewall rules, require multiple machines.
With few exceptions, examples focus on achieving security without using the proprietary tools sometimes included in commercial Linux distributions. I took this approach to ensure that the material would be relevant to all versions of Linux. At the same time, I do realize that many people want to use graphical administration tools, so I've included information on the latest tools that are available for a wide variety of Linux distributions.

Finally, I wrote this book to be useful to more than just advanced administrators. If you're new to Linux, the sheer volume of commands and options might be overwhelming. This text helps weed through the unnecessary information and get to what actually works.

Odds and Ends

Finally, a few notes:

  Links and home pages: Between revisions of Maximum Linux Security, many of the resource links have changed or disappeared altogether. Such is the way of the Web. I've made every attempt to provide links to large and reliable security sites. If, for any reason, a link fails to work, try a search engine such as http://www.google.com/ to locate an archive or cached copy of the original material.

  About products mentioned in Maximum Linux Security: I mention many products in this book (some commercial, some not), but I'm not affiliated with any of them. If I mention a tool, I do so purely because it's useful or because an example was generated with it. That said, I'd like to thank those developers who provided technical support on their products. Their help was greatly appreciated.

  Software versions: One of the great things about Linux is that the available software is always undergoing constant improvement. Unfortunately, this also makes it very difficult to document a particular version of an application and expect it to remain current through the lifetime of the book. Although a conscious effort is made to provide the most up-to-date information, don't be surprised if a version number doesn't match what you see or a screenshot has changed slightly.
  Mistakes and such: If you find that your product has been mentioned and the information was incorrect, please contact Sams Publishing.

Summary

So, that covers it. I hope you enjoy Maximum Linux Security and find it useful. Although the book is not exhaustive, it does cover essential Linux security tasks. Also, the accompanying CD-ROM and many online references will provide you with indispensable tools and additional information sources. These combined elements should put you well on your way to securing your Linux system. Please mail your comments and criticisms to [email protected].

PART I
Linux Security Basics

IN THIS PART
  1 Introducing Linux Security  9
  2 Physical Security  29
  3 Installation Issues  59
  4 Basic Linux System Administration  95

CHAPTER 1
Introducing Linux Security

It's an unbroken rule in the computer publishing industry: Books like this one must begin with a tour of the featured operating system. If you're sick to death of introductory Linux chapters, please feel free to skip ahead to Chapter 2, "Physical Security."

Here, I'll address the following questions:

  What is Linux?
  Where did Linux come from?
  Can you use Linux as a standalone system?
  Is Linux suitable as an intranet/Internet server?
  What security features does Linux offer?

What Is Linux?

What is Linux? That depends on who you ask. The short answer is this:

  Linux is a free, Unix-like, open-source, Internet-optimized, 32- or 64-bit network operating system (often used by hackers) that runs on widely disparate hardware, including Intel (X86) and RISC processors.

Let's break this down one step at a time.

Linux Is Free

Linux's best-known characteristic is that it's free. However, free in this context has a dual meaning.

In one sense, Linux is free because you can obtain it for no cost. For example, although many folks do, you needn't buy a Linux book and CD-ROM just to get Linux.
Instead, if you have fast online access, you can download Linux from the Internet and install it for nothing.

Compare this to other operating systems. Most commercial vendors demand that you pay on a per-installation basis. That means each time you install an operating system, you must pay additional fees. Hence, if you have 10 workstations, you'll pay 10 license fees. In contrast, you can install Linux on multiple workstations (hundreds, if you like) and never pay a cent.

CAUTION
A few third-party Linux applications are commercial, and their vendors do impose licensing restrictions. Check your Linux documentation to ensure that you don't inadvertently copy and distribute commercial tools. Typically, Linux distributions that contain commercial software are packaged and sold commercially. Although you can download Red Hat 7.x from Red Hat software, for example, you will not get everything that comes with the boxed version.

Linux is also free in other, more important ways. One is that Linux offers you overwhelming technical freedom. When you purchase Linux, you get more than just the operating system; you also get the source code. Thus, if you don't like how Linux works out-of-the-box, you can change it. (And not just a little bit, either. You can mold the entire operating system to suit your needs.)

Additionally, Linux offers many free programming languages, compilers, and associated development tools. Here are just a few:

  ADA
  BASIC
  C
  C++
  Expect, a scripting language for automating network sessions
  FORTRAN
  Gawk, an implementation of awk, a pattern scanning and matching language
  GTK, a toolkit for building Linux GUI applications. Used extensively in the GNOME environment.
  PASCAL
  PHP, an embedded programming language, much like Active Server Pages in Windows; used to add dynamic functionality to Web sites
  Python, an object-oriented scripting language
  Qt, a cross-platform toolkit, similar to GTK, that is used for building GUI KDE applications
  Shell languages (csh, bash)
  SQL, Structured Query Language, the industry-standard relational database query language; used in developing sophisticated database server applications
  TCL/Tk, a scripting language and GUI toolkit, respectively
  The Practical Extraction and Report Language (Perl)

Under the GNU General Public License, you can use these tools to develop and resell Linux applications without paying royalty fees. However, if you make changes to GPL libraries, you must also make these free under the GPL. For more information about the GNU GPL, please see the accompanying CD-ROM, or visit the online reference: http://www.gnu.org/copyleft/gpl.html.

The greatest freedom that Linux offers, though, is still its open source, which provides substantial security benefits. When you use commercial operating systems, you place your destiny in the vendor's hands. If their code is fundamentally flawed, you'll never know it. (Or if you do, you might discover the truth too late. Your system might already be compromised.)

With Linux, you can examine the code yourself to see how system security is implemented.

This raises a hotly debated issue. Linux critics insist that to reap the full benefits of Linux's technical freedom, you must cultivate a higher level of technical expertise than you would need when using consumer-oriented operating systems. Is this true? Absolutely.

In fact, you'll find that some Linux security tools are actually toolkits consisting of many independent security modules. When properly used in concert, these toolkits grant you wide latitude to conceive and implement custom security solutions.
In exchange for this power, you give up some of the ease of point-and-click computing. So, establishing a secure Linux host will admittedly take time and effort. But I have good news and a rebuttal to this. Linux software development is increasing at an exponential rate, and, growing along with it, is the software to administer Linux machines. Figure 1.1 shows one of the more popular administration tools, Solucorp's Linuxconf (http://www.solucorp.qc.ca/linuxconf/), which allows centralized administration from an easy-to-use interface. This book will show you the best of both worlds: the command line and the maturing GNOME/KDE tools.

FIGURE 1.1
Linuxconf provides a centralized point for many administration tasks.

NOTE
In all fairness to Linux, it should be mentioned that the best NT/2000 administrators also use the command line. The difference between administering Linux/Unix and Windows is mainly one of perception. The assumption is made that you can point and click your way to everything you'd ever want to do in Windows, but experienced administrators will tell you otherwise. Linux's GUI administration tools are often as good as or even surpass their Windows counterparts, but you'll still need the command line to fine-tune your settings.

Linux Closely Resembles Unix

Linux is often called Unix-like, a Unix clone, or an operating system based on Unix. Such descriptions are accurate but not very illuminating if you've never used Unix. Let me remedy that.

Unix has ancient roots. In 1964, MIT, General Electric, and Bell Labs (then a division of AT&T) collaborated on an operating system called the Multiplexed Information and Computing System, or MULTICS. The MULTICS project, I'm sorry to say, was a disaster. It was large, unwieldy, and buggy.

Despite that early failure, good things emerged from the MULTICS project. Ken Thompson, a programmer from Bell Labs, felt that he could do better.
In 1969, with assistance from fellow programmers Dennis Ritchie and Joseph Ossanna, Thompson did just that. Some signs of the times: America was at war in Vietnam, the number-one hit single was Marvin Gaye's "I Heard It Through the Grapevine," and if you were cool, you were driving a Dodge Charger. It was against this backdrop that Thompson did his work.

Thompson's early Unix was shaky, but that quickly changed. He rewrote Unix in the C programming language a year later. The result was a quicker, more stable operating system that was both portable and easily maintained.

What happened next was critical. In the early 1970s, Unix was distributed to universities. There, students and educators alike found Unix to be practical, versatile, and relatively easy to use. Unix was therefore incorporated into the computer science curriculum at many universities. As a result, a generation of computer science graduates acquired Unix experience. When they later took that experience to the marketplace, they brought Unix to the mainstream.

However, the events that would ultimately make Unix an immensely popular network operating system occurred elsewhere. Around the same time, the U.S. government was working on an internetwork for wartime communication. This network was designed to be impervious to a Soviet nuclear first strike. The problem was this: Although the government had a suitable transmission medium, the telephone system, it had no operating system to match. Enter Unix.

Internetwork engineers chose Unix based on several factors. By then, roughly 1974, Unix already had powerful networking capabilities. For example, thanks to Ray Tomlinson of Bolt, Beranek, and Newman, Unix had electronic mail. Other network protocols would follow, and by 1978, Unix was jam-packed with networking software. The U.S.
government got its internetwork after all, which we now call the Internet, and Unix became a phenomenon.

So, Unix is the operating system of yore that was used to create the Internet. Linux shares a common lineage and many characteristics with Unix. For example:

  Much of Linux is also written in C.
  Linux supports preemptive multitasking, or the capability to handle multiple processes simultaneously. Using Linux, you can simultaneously compile a program, download e-mail, and play solitaire. The system divides up the processor time automatically, so each program can continue to run in the background.
  Linux supports multiuser sessions. Multiple users can log in to Linux simultaneously (and during these sessions, they can also multitask).
  Linux offers a hierarchical file system. Its top-level directory holds subdirectories that branch out to even further subdirectories. Together, these subdirectories form a tree structure. Multiple drives show up within the same tree, rather than as separate entities, as in Windows and Mac OS.
  Linux's graphical user interface (GUI) is MIT's X Window System, or X.
  Linux offers extensive network functionality, supporting most internetworking protocols and services.

Finally, many Unix applications have been ported to Linux, or require no porting at all. Thus, Linux has a pronounced Unix-like look and feel.

In these respects, Linux is very much like Unix. Indeed, Linux so closely resembles Unix that casual users could confuse the two. They shouldn't. Beyond these similarities, Linux and Unix part ways when it comes to the philosophy behind their development.

For example, Unix evolved into a mostly academic variation (BSD) and a commercial operating system (System V) that, for many years, ran on expensive proprietary hardware. Linux runs on almost anything, including

  Advanced Micro Devices and Cyrix processors
  Digital Alpha processors
  Intel 80386, 80486, and Pentium family of processors
  Motorola/IBM PowerPC processors
  Sparc processors
Also, Unix licensing can be quite restrictive. Developers must often pay hefty fees for industry-standard programming libraries (nearly $17,000 for a full Motif ensemble). As discussed above, Linux imposes no such restrictions.

Finally, there is one major difference between Unix and Linux. Unix vendors provide technical support, but unless you purchase a commercial boxed distribution, Linux vendors don't (although that's rapidly changing). Linux was developed by freelance and independent programmers, and in large part continues to be. This brings us to the next issue: Where did Linux come from?

Note to the Unix Administrators
Before you whack your head against the wall thinking you're going to have to learn Unix all over again, stop worrying. Linux's main difference from commercial Unix distributions is in the philosophy of its development. If you're familiar with Unix, 99% of your knowledge will be applicable under Linux. Many of the security techniques and tools used under Unix are also applicable to Linux.

Where Did Linux Come From?

To examine Linux's origins, we must fast forward to 1991, to Suomen Tasavalta in the Republic of Finland. There, a student named Linus Torvalds was attending university, studying Unix and the C programming language.

Torvalds had been working with a small Unix-like operating system called Minix, which is sometimes used in academic settings for training and experimentation. Torvalds found that Minix had several shortcomings, and he felt that he could do better. So, at the age of 23, he began hacking his own Unix-like operating system for X86 machines.

In October 1991, after rigorous testing, Torvalds posted an Internet message announcing that his new system was stable. He offered to post the source code and invited other developers to contribute. From that moment on, Linux was alive and kicking.
Linux has since grown into a full-featured operating system that is often used in enterprise environments. A project that started as a sideline for Linus Torvalds has changed the face of computing.

Why Linux Isn't for Everyone

With all the good that comes with running a Linux system, there also come problems. Linux, because of its open nature and wildly growing popularity, is experiencing extremely rapid development. Blink your eyes and Linux has a new kernel upgrade or other significant update.

Many people are used to installing an operating system, getting it into a stable state, and then just letting it go. Every year or so, the operating system vendor releases an incremental update. Linux, on the other hand, requires far more frequent attention. In fact, updating frequently alters some very specific and fundamental operating characteristics, such as

  Stability: Kernel updates increase functionality, sometimes at the cost of stability. As Linux tries to support more hardware and technology, it does so at a loss of stability. Without standardized quality control on the components, all updates should be tested before being put into production.

  Compatibility: System libraries, such as glibc, are under constant revision. Some older compiled software might not work with newer systems and vice versa.

  Configuration Files: There is no standardized system for storing preferences (such as the registry on Windows and XML/NetInfo on Mac OS X). Although updates try to maintain your system settings, sometimes this is not possible and you must reconfigure portions of your system. Additionally, because Linux development is open, there is also the problem of duplication of effort. You might love a particular program or utility, only to find that it is no longer in fashion.

  Competing GUI Standards: Sadly, there are two excellent desktop environments for Linux (KDE and GNOME). Each has its merits, but they are markedly different from one another.
  Because of this, there is no standard desktop for Linux. Multiple administration tools garnish each environment. Until the developers join forces or one environment prevails, the best you can do is choose your favorite desktop system and hope it comes out on top.

  Multiple Administration Tools: There are many ways to do the same thing. Even though this can be considered a good thing from a support standpoint, it can also be a headache. If you're left with the charge of administering and securing a network of multiple different Linux versions and distributions, don't expect to find your favorite administration tools on each machine.

That said, I highly recommend Linux to anyone who wants a modern, stable, and extremely exciting operating system. It is, however, an operating system that does not hold your hand and requires attention in keeping it up-to-date. Be patient; to reach the future of computing, you need to get your hands a little dirty.

Linux as a Standalone System

Great emphasis has been placed on Linux's networking capabilities, leading newcomers to wonder: Can Linux be used as a standalone system? The answer is an emphatic yes. Linux is a superb standalone system, suitable for

  Accounting, database, and general record keeping
  Advanced math and science
  Development
  High-performance media
  Research
  Word processing

However, some words of caution: Linux differs from popular desktop operating systems like Windows 98, ME, 2000, and XP. If you use Linux as a standalone system and go online, you must implement network security measures. Coming from an academic environment, I'm used to setting up Linux systems and configuring security. As Linux's popularity increases, so does the attack rate. Typically, a machine set up in the morning will be subjected to port scans and preliminary attacks by mid-afternoon.
Although Linux is well suited to personal use (even in non-networked environments), it is still inherently a network operating system. Default Linux installations run many Internet services, and unless you take proper precautions, attackers can target these services remotely throughout the duration of your online session. The advent of cable modems has made attacks even more prevalent. Now attackers potentially have access to thousands of high-speed connections put in place by people with little to no training in network security. For example, take a look at the security logs of my home machine over the past two days. As you can see, even a computer in your own home isn't safe from intrusion anymore!

  Dec 28 01:29:29 pointy portsentry[1029]: attackalert: SYN/Normal scan from host: 210.124.110.251/210.124.110.251 to TCP port: 111
  Dec 28 02:59:52 pointy portsentry[1029]: attackalert: SYN/Normal scan from host: 194.179.89.35/194.179.89.35 to TCP port: 23
  ftpd[7283]: refused connect from usr3043-cro.cableinet.co.uk
  Dec 28 20:23:56 pointy portsentry[1029]: attackalert: SYN/Normal scan from host: dsl-pool-46-35.vermontel.net/63.167.46.35 to TCP port: 23
  Dec 29 11:18:18 pointy portsentry[1029]: attackalert: SYN/Normal scan from host: async201-wol-isp-2.nas.one.net.au/203.101.35.202 to TCP port:23

To find out more about disabling nonessential network services (a good idea on a standalone box), please see Chapter 3, "Installation Issues."

Linux as an Intranet/Internet Server

If you chose Linux as an intranet or Internet server platform, you did the right thing.
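Before turning to Linux's server role, here is the portsentry excerpt from the previous section read by a small parser, an added example that is not the book's own code: it extracts the source and targeted port from each attackalert line and the tcp_wrappers refusal, then tallies them, which is the first step toward deciding which services to disable or which hosts to list in hosts.deny. The sample input is the five log lines quoted above; the summary functions and their names are this example's own.

```python
# Added example (not from the book): a parser and summary for portsentry
# "attackalert" lines and tcp_wrappers "refused connect" lines, run over the
# log excerpt quoted above. It answers the two questions an administrator
# asks before tightening hosts.deny or disabling a service: which sources
# probe repeatedly, and which ports draw attention.
import re
from collections import Counter

# The five log lines quoted above, embedded as the sample input.
SAMPLE_LOG = """\
Dec 28 01:29:29 pointy portsentry[1029]: attackalert: SYN/Normal scan from host: 210.124.110.251/210.124.110.251 to TCP port: 111
Dec 28 02:59:52 pointy portsentry[1029]: attackalert: SYN/Normal scan from host: 194.179.89.35/194.179.89.35 to TCP port: 23
ftpd[7283]: refused connect from usr3043-cro.cableinet.co.uk
Dec 28 20:23:56 pointy portsentry[1029]: attackalert: SYN/Normal scan from host: dsl-pool-46-35.vermontel.net/63.167.46.35 to TCP port: 23
Dec 29 11:18:18 pointy portsentry[1029]: attackalert: SYN/Normal scan from host: async201-wol-isp-2.nas.one.net.au/203.101.35.202 to TCP port:23
"""

# portsentry: "... attackalert: KIND from host: NAME/ADDR to PROTO port: N".
# The space after "port:" is optional; the last line of the excerpt has none.
ATTACK_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: (?P<kind>.+?) from host: "
    r"(?P<name>\S+)/(?P<addr>\d{1,3}(?:\.\d{1,3}){3}) to (?P<proto>TCP|UDP) "
    r"port:\s*(?P<port>\d+)"
)
# tcp_wrappers refusal: "DAEMON[PID]: refused connect from HOST".
REFUSED_RE = re.compile(r"(?P<daemon>[\w.]+)\[\d+\]: refused connect from (?P<host>\S+)")


def parse_line(line):
    """Return a dict describing one event, or None for an unrelated line."""
    m = ATTACK_RE.search(line)
    if m:
        return {"type": "scan", "source": m.group("addr"), "name": m.group("name"),
                "proto": m.group("proto"), "port": int(m.group("port")),
                "kind": m.group("kind")}
    m = REFUSED_RE.search(line)
    if m:
        return {"type": "refused", "source": m.group("host"),
                "daemon": m.group("daemon")}
    return None


def summarise(log_text):
    """Parse every line; count events per source and scans per target port."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_source = Counter(e["source"] for e in events)
    by_port = Counter(e["port"] for e in events if e["type"] == "scan")
    return events, by_source, by_port


def most_probed_port(log_text):
    """Port that attracted the most scans, or None when nothing was parsed."""
    _, _, by_port = summarise(log_text)
    return by_port.most_common(1)[0][0] if by_port else None


if __name__ == "__main__":
    events, by_source, by_port = summarise(SAMPLE_LOG)
    print("%d events from %d sources" % (len(events), len(by_source)))
    for port, count in by_port.most_common():
        print("  port %-5d scanned %d time(s)" % (port, count))
```

On this excerpt the telnet port (23) draws three of the four scans, which is the kind of evidence that justifies disabling a service you do not use rather than merely watching it.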
Linux offers optimal internetworking power and provides clients and servers for every essential protocol, including but not limited to

  File Transfer Protocol (FTP)
  Gopher Protocol
  Hypertext Transfer Protocol (HTTP)
  Internet Protocol (IP)
  Internet Message Access Protocol (IMAP)
  Network News Transfer Protocol (NNTP)
  Post Office Protocol (POP)
  Point-to-Point Protocol (PPP)
  Serial Line Internet Protocol (SLIP)
  Simple Mail Transfer Protocol (SMTP)
  Telnet Protocol
  Transmission Control Protocol (TCP)

Linux also offers many indispensable Web development tools, including

  Expect, a scripting language for automating interactive network sessions. Using Expect, you can perform system administration tasks not simply on one host, but on all Linux servers on your network. For example, suppose that you wanted to collect statistics on all machines arbitrarily. You could create an Expect script that telnets to a server, grabs statistics, logs out, and connects to another server (and another, and so on).

  Perl and mod_perl, all-purpose scripting languages often used for Common Gateway Interface (CGI) development. Using Perl, you can create online search engines, Web stores, and statistics-tracking programs. Moreover, Perl is a system administrator's language, useful for automating many repetitive security tasks. mod_perl attaches a Perl processor to each Apache process, giving extremely high performance on Perl scripts.

  PHP, PHP Hypertext Preprocessor (the nam