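<!doctype html>
<html lang="en">
<!--
  Title page and table of contents of the Linux Security HOWTO
  (DocBook-generated). Every link target, fragment identifier, class name and
  text string is kept as generated, so the chapter pages it links to
  (x21.html, x82.html, ...) still resolve.

  Changes from the generated markup:
    - added a doctype, a lang attribute and a charset declaration;
    - the angle brackets around the authors' e-mail addresses are written as
      &lt; / &gt; entities, because a raw "<" directly before "<a" is
      malformed markup;
    - the empty footer cells carry &nbsp; so they do not collapse;
    - empty <a name="..."> anchors became id attributes on the element they
      preceded (fragment navigation is unchanged);
    - tags are no longer split across lines.
  The presentational attributes (bgcolor, align, width, ...) are retained
  because no stylesheet is visible for this page.

  NOTE(review): this edition is dated 22 January 2004 and its contents list
  targets 2.0/2.2/2.4-era kernels (kernel compile options, IP Chains,
  Netfilter). Check the tool-specific sections against current distribution
  documentation before applying them.
-->
<head>
  <meta charset="utf-8">
  <title>Linux Security HOWTO</title>
  <meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7">
  <link rel="NEXT" title="Introduction" href="x21.html">
</head>
<body class="article" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" alink="#0000FF">
  <div class="ARTICLE">
    <div class="TITLEPAGE">
      <h1 class="title" id="AEN2">Linux Security HOWTO</h1>

      <h3 class="author" id="AEN4">Kevin Fenzi</h3>
      <div class="affiliation">
        <span class="orgname">tummy.com, ltd.<br></span>
        <div class="address">
          <p class="address">
            <code class="email">&lt;<a href="mailto:kevin-securityhowto@tummy.com">kevin-securityhowto@tummy.com</a>&gt;</code>
          </p>
        </div>
      </div>

      <h3 class="author" id="AEN11">Dave Wreski</h3>
      <div class="affiliation">
        <span class="orgname">linuxsecurity.com<br></span>
        <div class="address">
          <p class="address">
            <code class="email">&lt;<a href="mailto:dave@linuxsecurity.com">dave@linuxsecurity.com</a>&gt;</code>
          </p>
        </div>
      </div>

      <p class="pubdate">v2.3, 22 January 2004<br></p>

      <div>
        <div class="abstract" id="AEN19">
          <p>
            This document is a general overview of security issues that face the
            administrator of Linux systems. It covers general security philosophy
            and a number of specific examples of how to better secure your Linux
            system from intruders. Also included are pointers to security-related
            material and programs. Improvements, constructive criticism, additions and corrections are
            gratefully accepted. Please mail your feedback to both authors,
            with "Security HOWTO" in the subject.
          </p>
        </div>
      </div>
      <hr>
    </div>

    <div class="TOC">
      <dl>
        <dt><b>Table of Contents</b></dt>

        <dt>1. <a href="x21.html">Introduction</a></dt>
        <dd>
          <dl>
            <dt>1.1. <a href="x21.html#AEN27">New Versions of this Document</a></dt>
            <dt>1.2. <a href="x21.html#AEN49">Feedback</a></dt>
            <dt>1.3. <a href="x21.html#AEN62">Disclaimer</a></dt>
            <dt>1.4. <a href="x21.html#AEN68">Copyright Information</a></dt>
          </dl>
        </dd>

        <dt>2. <a href="x82.html">Overview</a></dt>
        <dd>
          <dl>
            <dt>2.1. <a href="x82.html#AEN85">Why Do We Need Security?</a></dt>
            <dt>2.2. <a href="x82.html#AEN89">How Secure Is Secure?</a></dt>
            <dt>2.3. <a href="x82.html#AEN95">What Are You Trying to Protect?</a></dt>
            <dt>2.4. <a href="x82.html#AEN133">Developing A Security Policy</a></dt>
            <dt>2.5. <a href="x82.html#AEN147">Means of Securing Your Site</a></dt>
            <dt>2.6. <a href="x82.html#AEN162">Organization of This Document</a></dt>
          </dl>
        </dd>

        <dt>3. <a href="physical-security.html">Physical Security</a></dt>
        <dd>
          <dl>
            <dt>3.1. <a href="physical-security.html#AEN190">Computer locks</a></dt>
            <dt>3.2. <a href="physical-security.html#AEN195">BIOS Security</a></dt>
            <dt>3.3. <a href="physical-security.html#AEN206">Boot Loader Security</a></dt>
            <dt>3.4. <a href="physical-security.html#AEN234">xlock and vlock</a></dt>
            <dt>3.5. <a href="physical-security.html#AEN247">Security of local devices</a></dt>
            <dt>3.6. <a href="physical-security.html#AEN250">Detecting Physical Security Compromises</a></dt>
          </dl>
        </dd>

        <dt>4. <a href="local-security.html">Local Security</a></dt>
        <dd>
          <dl>
            <dt>4.1. <a href="local-security.html#AEN281">Creating New Accounts</a></dt>
            <dt>4.2. <a href="local-security.html#root-security">Root Security</a></dt>
          </dl>
        </dd>

        <dt>5. <a href="file-security.html">Files and File system Security</a></dt>
        <dd>
          <dl>
            <dt>5.1. <a href="file-security.html#umask">Umask Settings</a></dt>
            <dt>5.2. <a href="file-security.html#AEN432">File Permissions</a></dt>
            <dt>5.3. <a href="file-security.html#AEN513">Integrity Checking</a></dt>
            <dt>5.4. <a href="file-security.html#AEN533">Trojan Horses</a></dt>
          </dl>
        </dd>

        <dt>6. <a href="password-security.html">Password Security and Encryption</a></dt>
        <dd>
          <dl>
            <dt>6.1. <a href="password-security.html#AEN553">PGP and Public-Key Cryptography</a></dt>
            <dt>6.2. <a href="password-security.html#AEN571">SSL, S-HTTP and S/MIME</a></dt>
            <dt>6.3. <a href="password-security.html#AEN588">Linux IPSEC Implementations</a></dt>
            <dt>6.4. <a href="password-security.html#ssh"><code class="literal">ssh</code> (Secure Shell) and <code class="literal">stelnet</code></a></dt>
            <dt>6.5. <a href="password-security.html#AEN631">PAM - Pluggable Authentication Modules</a></dt>
            <dt>6.6. <a href="password-security.html#AEN650">Cryptographic IP Encapsulation (CIPE)</a></dt>
            <dt>6.7. <a href="password-security.html#AEN662">Kerberos</a></dt>
            <dt>6.8. <a href="password-security.html#AEN674">Shadow Passwords.</a></dt>
            <dt>6.9. <a href="password-security.html#crack">"Crack" and "John the Ripper"</a></dt>
            <dt>6.10. <a href="password-security.html#AEN690">CFS - Cryptographic File System and TCFS - Transparent Cryptographic File System</a></dt>
            <dt>6.11. <a href="password-security.html#AEN698">X11, SVGA and display security</a></dt>
          </dl>
        </dd>

        <dt>7. <a href="kernel-security.html">Kernel Security</a></dt>
        <dd>
          <dl>
            <dt>7.1. <a href="kernel-security.html#AEN735">2.0 Kernel Compile Options</a></dt>
            <dt>7.2. <a href="kernel-security.html#AEN783">2.2 Kernel Compile Options</a></dt>
            <dt>7.3. <a href="kernel-security.html#AEN806">Kernel Devices</a></dt>
          </dl>
        </dd>

        <dt>8. <a href="network-security.html">Network Security</a></dt>
        <dd>
          <dl>
            <dt>8.1. <a href="network-security.html#AEN835">Packet Sniffers</a></dt>
            <dt>8.2. <a href="network-security.html#AEN847">System services and tcp_wrappers</a></dt>
            <dt>8.3. <a href="network-security.html#AEN914">Verify Your DNS Information</a></dt>
            <dt>8.4. <a href="network-security.html#AEN917">identd</a></dt>
            <dt>8.5. <a href="network-security.html#AEN935">Configuring and Securing the Postfix MTA</a></dt>
            <dt>8.6. <a href="network-security.html#AEN941">SATAN, ISS, and Other Network Scanners</a></dt>
            <dt>8.7. <a href="network-security.html#AEN961">sendmail, qmail and MTA's</a></dt>
            <dt>8.8. <a href="network-security.html#AEN976">Denial of Service Attacks</a></dt>
            <dt>8.9. <a href="network-security.html#AEN1003">NFS (Network File System) Security.</a></dt>
            <dt>8.10. <a href="network-security.html#AEN1019">NIS (Network Information Service) (formerly YP).</a></dt>
            <dt>8.11. <a href="network-security.html#AEN1026">Firewalls</a></dt>
            <dt>8.12. <a href="network-security.html#AEN1054">IP Chains - Linux Kernel 2.2.x Firewalling</a></dt>
            <dt>8.13. <a href="network-security.html#AEN1076">Netfilter - Linux Kernel 2.4.x Firewalling</a></dt>
            <dt>8.14. <a href="network-security.html#AEN1104">VPNs - Virtual Private Networks</a></dt>
          </dl>
        </dd>

        <dt>9. <a href="secure-prep.html">Security Preparation (before you go on-line)</a></dt>
        <dd>
          <dl>
            <dt>9.1. <a href="secure-prep.html#AEN1129">Make a Full Backup of Your Machine</a></dt>
            <dt>9.2. <a href="secure-prep.html#AEN1133">Choosing a Good Backup Schedule</a></dt>
            <dt>9.3. <a href="secure-prep.html#AEN1136">Testing your backups</a></dt>
            <dt>9.4. <a href="secure-prep.html#AEN1139">Backup Your RPM or Debian File Database</a></dt>
            <dt>9.5. <a href="secure-prep.html#logs">Keep Track of Your System Accounting Data</a></dt>
            <dt>9.6. <a href="secure-prep.html#AEN1183">Apply All New System Updates.</a></dt>
          </dl>
        </dd>

        <dt>10. <a href="after-breakin.html">What To Do During and After a Breakin</a></dt>
        <dd>
          <dl>
            <dt>10.1. <a href="after-breakin.html#AEN1189">Security Compromise Underway.</a></dt>
            <dt>10.2. <a href="after-breakin.html#AEN1202">Security Compromise has already happened</a></dt>
          </dl>
        </dd>

        <dt>11. <a href="sources.html">Security Sources</a></dt>
        <dd>
          <dl>
            <dt>11.1. <a href="sources.html#linuxsecurity">LinuxSecurity.com References</a></dt>
            <dt>11.2. <a href="sources.html#ftpsites">FTP Sites</a></dt>
            <dt>11.3. <a href="sources.html#websites">Web Sites</a></dt>
            <dt>11.4. <a href="sources.html#AEN1324">Mailing Lists</a></dt>
            <dt>11.5. <a href="sources.html#AEN1332">Books - Printed Reading Material</a></dt>
          </dl>
        </dd>

        <dt>12. <a href="x1357.html">Glossary</a></dt>
        <dt>13. <a href="q-and-a.html">Frequently Asked Questions</a></dt>
        <dt>14. <a href="conclusion.html">Conclusion</a></dt>
        <dt>15. <a href="x1505.html">Acknowledgments</a></dt>
      </dl>
    </div>
  </div>

  <!-- Footer navigation: the first page of the document has only a "Next" link. -->
  <div class="NAVFOOTER">
    <hr align="LEFT" width="100%">
    <table summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
      <tr>
        <td width="33%" align="left" valign="top">&nbsp;</td>
        <td width="34%" align="center" valign="top">&nbsp;</td>
        <td width="33%" align="right" valign="top"><a href="x21.html" accesskey="N">Next</a></td>
      </tr>
      <tr>
        <td width="33%" align="left" valign="top">&nbsp;</td>
        <td width="34%" align="center" valign="top">&nbsp;</td>
        <td width="33%" align="right" valign="top">Introduction</td>
      </tr>
    </table>
  </div>
</body>
</html>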