Chapter 10. Security Under GNU/Linux

Table of Contents

Preamble
Copyright Information
Introduction
Overview
Why Do we Need Security?
How Secure Is Secure?
What Are You Trying to Protect?
Developing a Security Policy
Means of Securing your Site
Organization of This Chapter
Physical Security
Computer Locks
BIOS Security
OpenBoot Security
Boot Loader Security
xlock and vlock
Security of Local Devices
Detecting Physical Security Compromises
Local Security
Creating New Accounts
Root Security
Files and File-System Security
umask Settings
File Permissions
Integrity Checking
Trojan Horses
Password Security and Encryption
PGP And Public-Key Cryptography
SSL, S-HTTP and S/MIME
IPSEC Implementations
ssh (Secure SHell) And stelnet
PAM - Pluggable Authentication Modules
Cryptographic IP Encapsulation (CIPE)
Kerberos
Crack and John the Ripper
CFS – Cryptographic File System And TCFS – Transparent Cryptographic File System
X11, SVGA And Display Security
Kernel Security
Kernel Compile Options
Kernel Devices
Network Security
Packet Sniffers
System Services and tcp_wrappers
Verify Your DNS Information
identd
Configuring And Securing The Postfix MTA
SATAN, ISS, And Other Network Scanners
Sendmail, qmail and MTAs
Denial of Service (DoS) Attacks
NFS (Network File System) Security
NIS (Network Information Service)
Firewalls
IP Chains – GNU/Linux Kernel 2.2.x Firewalling
Netfilter – Linux Kernel 2.4.x Firewalling
VPNs – Virtual Private Networks
Security Preparation (Before You Go On-Line)
Make a Full Backup of Your Computer
Choosing a Good Backup Schedule
Testing Your Backups
Backup Your RPM File Database
Keep Track of your System Accounting Data
Apply All New System Updates
What to Do During and After a Break-in
Security Compromise Underway
Security Compromise Has Already Happened
Security Sources
LinuxSecurity.com References
FTP Sites
Web Sites
Mailing Lists
Books – Printed Reading Material
Frequently Asked Questions
Conclusion
Security-Related Terms

This document is a general overview of security issues that face the administrator of GNU/Linux systems. It covers general security philosophy and a number of specific examples of how to better secure your GNU/Linux system from intruders. Also included are pointers to security-related material and programs.

Note

The original document (see below) has been adapted to the Mandrake Linux distribution: some parts have been removed, others changed, and so on.

Preamble

This chapter is based on a HOWTO by Kevin Fenzi and Dave Wreski, whose original is hosted by the Linux Documentation Project.

Copyright Information

This document is copyrighted (c) 1998 - 2002 Kevin Fenzi and Dave Wreski.

Modifications from v1.3.1, 11 February 2002, (C)opyright 2000-2002 MandrakeSoft

and distributed under the following terms:

  • Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium, physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the authors would like to be notified of any such distributions.

  • All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below.

  • If you have questions, please contact Tim Bynum, the Linux HOWTO coordinator, at tjbynum@metalab.unc.edu.

Introduction

This chapter covers some of the main issues that affect GNU/Linux security. General philosophy and net-born resources are discussed.

A number of other HOWTO documents overlap with security issues, and those documents have been pointed to wherever appropriate.

This chapter is not meant to be an up-to-date exploits document. Large numbers of new exploits happen all the time. This chapter will tell you where to look for such up-to-date information, and will give you some general methods to prevent such exploits from taking place.

Security-Related Terms

Abstract

Included below are several of the most frequently used terms in computer security. A comprehensive dictionary of computer security terms is available in the LinuxSecurity.com Dictionary.

authentication

The process of knowing that the data received is the same as the data that was sent, and that the claimed sender is in fact the actual sender.

bastion host

A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projections on the outer walls of medieval castles. Bastions overlook critical areas of defense, usually having strong walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers.

buffer overflow

A common coding mistake is to allocate buffers that are not large enough for their input and to never check for overflows. When such a buffer overflows, the executing program (a daemon or a set-uid program) can be tricked into doing something other than what it was written to do. Generally this works by overwriting a function's return address on the stack so that it points to another location.

denial of service

An attack that consumes the resources on your computer for things it was not intended to be doing, thus preventing normal use of your network resources for legitimate purposes.

dual-homed host

A general-purpose computer system that has at least two network interfaces.

firewall

A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.

host

A computer system attached to a network.

IP spoofing

IP spoofing is a complex technical attack that is made up of several components. It is a security exploit that works by tricking computers in a trust relationship into thinking that you are someone you really are not. There is an extensive paper written by daemon9, route, and infinity in Volume Seven, Issue Forty-Eight of Phrack Magazine.

non-repudiation

The property of a receiver being able to prove that the sender of some data did in fact send the data even though the sender might later deny ever having sent it.

packet

The fundamental unit of communication on the Internet.

packet filtering

The action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice-versa). To accomplish packet filtering, you set up rules that specify what types of packets (those to or from a particular IP address or port) are to be allowed and what types are to be blocked.

perimeter network

A network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ.

proxy server

A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests to real servers, and relay answers back to clients.

superuser

An informal name for root.
