1 This book is dedicated to OpenNA staff. Thanks, guys (no-gender)!! Gerhard Mourani This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste. Open Network Architecture is commited to using paper with the highest recycled content available consistent with high quality. Copyright © 2002 by Gerhard Mourani and Open Network Architecture, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted by Canada Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the copyright holders Gerhard Mourani and Open Network Architecture, Inc. 11090 Drouart, Montreal, PQ H3M 2S3, (514) 978-6183, fax (514) 333-0236. Requests to the Publisher for permission should be addressed to the Publishing Manager, at Open Network Architecture, Inc., E-mail: books@openna.com This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that some grammatical mistakes could have occurred but this won’t jeopardize the content or the issue raised herewith. Title: Securing and Optimizing Linux: The Hacking Solution Page Count: 1100 Version: 3.0 Last Revised: 2002-06-26 Publisher: Open Network Architecture, Inc. Editor: Ted Nackad Text Design & Drawings (Graphics): Bruno Mourani Printing History: June 2000: First Publication. Author's: Gerhard Mourani Mail: gmourani@openna.com Website: http://www.openna.com/ National Library Act. R.S., c. N-11, s. 1. Legal Deposit, 2002 Securing and Optimizing Linux: The Hacking Solution / Open Network Architecture, Inc. Published by Open Network Architecture, Inc., 11090 Drouart, Montreal, H3M 2S3, Canada. Includes Index. ISBN 0-9688793-1-4 Printed in Canada 2 Overview Part I Installation Security Chapter 1 Introduction Chapter 2 Installation Issues Part II System Security & Optimization Chapter 3 General Security Chapter 4 Pluggable Authentication Modules Chapter 5 General Optimization Chapter 6 Kernel Security & Optimization Chapter 7 Process File System Management Part III Network Security Chapter 8 TCP/IP Network Management Chapter 9 Firewall Basic Concept Chapter 10 GIPTables Firewall Chapter 11 Squid Proxy Server Chapter 12 SquidGuard Filter Chapter 13 FreeS/WAN VPN Part IV Cryptography & Authentication Chapter 14 GnuPG Chapter 15 OpenSSL Chapter 16 OpenSSH Chapter 17 Sudo Part V Monitoring & System Integrity Chapter 18 sXid Chapter 19 LogSentry Chapter 20 HostSentry Chapter 21 PortSentry Chapter 22 Snort Chapter 23 Tripwire Part VI Super-Server Chapter 24 UCSPI-TCP Chapter 25 Xinetd Part VII Management & Limitation Chapter 26 NTP Chapter 27 Quota Part VIII Domain Name System & Dynamic Host Protocol Chapter 28 ISC BIND & DNS Chapter 29 ISC DHCP Part IX Mail Transfer Agent Protocol Chapter 30 Exim Chapter 31 Qmail 3 Part X Internet Message Access Protocol Chapter 32 tpop3d Chapter 33 UW IMAP Chapter 34 Qpopper Part XI Anti-Spam & Anti-Virus Chapter 35 SpamAssassin Chapter 36 Sophos Chapter 37 AMaViS Part XII Database Server Chapter 38 MySQL Chapter 39 PostgreSQL Chapter 40 OpenLDAP Part XIII File Transfer Protocol Chapter 41 ProFTPD Chapter 42 vsFTPD Part XIV Hypertext Transfer Protocol Chapter 43 Apache Chapter 44 PHP Chapter 45 Mod_Perl Part XV NetBios Protocol Chapter 46 Samba Part XVI Backup Chapter 47 Tar & Dump Part XVII Appendixes Appendix A Tweaks, Tips and Administration Tasks Appendix B Port list 4 Contents Steps of installation 13 Author note 13 Audience 14 These installation instructions assume 15 Obtaining the example configuration files 15 Problem with Securing & Optimizing Linux 15 Acknowledgments 15 Introduction 16 What is Linux? 17 Some good reasons to use Linux 17 Let's dispel some of the fear, uncertainty, and doubt about Linux 17 Why choose pristine source? 18 Compiling software on your system 18 Build & install software on your system 19 Editing files with the vi editor tool 20 Recommended software to include in each type of servers 21 Installation Issues 24 Know your Hardware! 25 Creating the Linux Boot Disk 25 Beginning the installation of Linux 27 Installation Class and Method (Install Options) 28 Partition your system for Linux 29 Disk Partition (Manual Partitioning) 33 Selecting Package Groups 44 Boot Disk Creation 47 How to use RPM Commands 47 Starting and stopping daemon services 50 Software that must be uninstalled after installation of the server 51 Remove unnecessary documentation files 59 Remove unnecessary/empty files and directories 60 Software that must be installed after installation of the server 60 General Security 64 BIOS 65 Unplug your server from the network 65 Security as a policy 66 Choose a right password 66 The root account 67 Set login time out for the root account 67 Shell logging 68 The single-user login mode of Linux 69 Disabling Ctrl-Alt-Delete keyboard shutdown command 69 Limiting the default number of started ttys on the server 70 The LILO and /etc/lilo.conf file 70 The GRUB and /boot/grub/grub.conf file 72 The /etc/services file 74 5 The /etc/securetty file 75 Special accounts 75 Control mounting a file system 78 Mounting the /usr directory of Linux as read-only 79 Tighten scripts under /etc/init.d 81 Tighten scripts under /etc/cron.daily/ 81 Bits from root-owned programs 81 Don’t let internal machines tell the server what their MAC address is 83 Unusual or hidden files 84 Finding Group and World Writable files and directories 85 Unowned files 86 Finding .rhosts files 86 Physical hard copies of all-important logs 87 Getting some more security by removing manual pages 89 System is compromised! 90 Pluggable Authentication Modules 91 The password length 92 Disabling console program access 94 Disabling all console access 94 The Login access control table 95 Tighten console permissions for privileged users 96 Putting limits on resource 98 Controlling access time to services 100 Blocking; su to root, by one and sundry 101 Using sudo instead of su for logging as super-user 102 General Optimization 104 Static vs. shared libraries 105 The Glibc 2.2 library of Linux 106 Why Linux programs are distributed as source 107 Some misunderstanding in the compiler flags options 108 The gcc specs file 109 Striping all binaries and libraries files 114 Tuning IDE Hard Disk Performance 115 Kernel Security & Optimization 121 Difference between a Modularized Kernel and a Monolithic Kernel 122 Making an emergency boot floppy 125 Preparing the Kernel for the installation 126 Applying the Grsecurity kernel patch 128 Obtaining and Installing Grsecurity 128 Tuning the Kernel 129 Cleaning up the Kernel 130 Configuring the Kernel 132 Compiling the Kernel 177 Installing the Kernel 177 Verifying or upgrading your boot loader 179 Reconfiguring /etc/modules.conf file 181 Rebooting your system to load the new kernel 182 Delete programs, edit files pertaining to modules 182 6 Making a new rescue floppy for Modularized Kernel 183 Making a emergency boot floppy disk for Monolithic Kernel 183 Process file system management 185 What is sysctl? 187 /proc/sys/vm: The virtual memory subsystem of Linux 187 /proc/sys/fs: The file system data of Linux 194 /proc/sys/net/ipv4: IPV4 settings of Linux 196 Other possible optimization of the system 204 TCP/IP Network Management 208 TCP/IP security problem overview 210 Installing more than one Ethernet Card per Machine 214 Files-Networking Functionality 215 Testing TCP/IP Networking 219 The last checkup 222 Firewall Basic Concept 223 What is the IANA? 224 The ports numbers 224 What is a Firewall? 226 Packet Filter vs. Application Gateway 226 What is a Network Firewall Security Policy? 228 The Demilitarized Zone 229 Linux IPTables Firewall Packet Filter 230 The Netfilter Architecture 230 GIPTables Firewall 236 Building a kernel with IPTables support 239 Compiling - Optimizing & Installing GIPTables 242 Configuring GIPTables 243 /etc/giptables.conf: The GIPTables Configuration File 243 /etc/rc.d/rc.giptables.blocked: The GIPTables Blocked File 254 /etc/init.d/giptables: The GIPTables Initialization File 255 The GIPTables Firewall Module Files 256 How GIPTables parameters work? 257 Running the type of GIPTables firewall that you need 263 The GIPTables configuration file for a Gateway/Proxy Server 264 GIPTables-Firewall Administrative Tools 282 Squid Proxy Server 284 Compiling - Optimizing & Installing Squid 287 Configuring Squid 291 Running Squid with Users Authentication Support 304 Securing Squid 308 Optimizing Squid 311 Squid Administrative Tools 311 The cachemgr.cgi program utility of Squid 313 7 SquidGuard Filter 315 Compiling - Optimizing & Installing SquidGuard 317 Configuring SquidGuard 319 Testing SquidGuard 327 Optimizing SquidGuard 328 FreeS/WAN VPN 331 Compiling - Optimizing & Installing FreeS/WAN 335 Configuring FreeS/WAN 338 Configuring RSA private keys secrets 342 Requiring network setup for IPSec 347 Testing the FreeS/WAN installation 349 GnuPG 352 Compiling - Optimizing & Installing GnuPG 354 Using GnuPG under Linux terminal 356 OpenSSL 362 Compiling - Optimizing & Installing OpenSSL 366 Configuring OpenSSL 368 OpenSSL Administrative Tools 374 Securing OpenSSL 379 OpenSSH 380 Compiling - Optimizing & Installing OpenSSH 382 Configuring OpenSSH 385 Running OpenSSH in a chroot jail 395 Creating OpenSSH private & public keys 400 OpenSSH Users Tools 402 Sudo 404 Compiling - Optimizing & Installing Sudo 406 Configuring Sudo 408 A more complex sudoers configuration file 410 Securing Sudo 413 Sudo Users Tools 413 sXid 415 Compiling - Optimizing & Installing sXid 417 Configuring sXid 418 sXid Administrative Tools 420 LogSentry 421 Compiling - Optimizing & Installing LogSentry 423 8 Configuring LogSentry 427 HostSentry 428 Compiling - Optimizing & Installing HostSentry 430 Configuring HostSentry 434 PortSentry 440 Compiling - Optimizing & Installing PortSentry 442 Configuring PortSentry 445 Removing hosts that have been blocked by PortSentry 452 Snort 453 Compiling - Optimizing & Installing Snort 456 Configuring Snort 458 Running Snort in a chroot jail 464 Tripwire 468 Compiling - Optimizing & Installing Tripwire 470 Configuring Tripwire 473 Running Tripwire for the first time 482 Securing Tripwire 484 Tripwire Administrative Tools 484 ucspi-tcp 486 Compiling - Optimizing & Installing ucsip-tcp 488 Using ucsip-tcp 490 Xinetd 492 Compiling - Optimizing & Installing Xinetd 494 Configuring Xinetd 496 The /etc/xinetd.d directory 497 NTP 507 Compiling - Optimizing & Installing NTP 511 Configuring NTP 513 Running NTP in Client Mode 513 Running NTP in Server Mode 519 Running NTP in a chroot jail 521 NTP Administrative Tools 525 Quota 527 Build a kernel with Quota support enable 529 Compiling - Optimizing & Installing Quota 529 Modifying the /etc/fstab file 531 9 Creating the aquota.user and aquota.group files 532 Assigning Quota for Users and Groups 532 Quota Administrative Tools 535 ISC BIND & DNS 536 Compiling - Optimizing & Installing ISC BIND & DNS 540 Configuring ISC BIND & DNS 542 Running ISC BIND & DNS as Caching-Only Name Server 543 Running ISC BIND & DNS as Primary Master Name Server 552 Running ISC BIND & DNS as Secondary Slave Name Server 557 Running ISC BIND & DNS in a chroot jail 559 Securing ISC BIND & DNS 563 Optimizing ISC BIND & DNS 580 ISC BIND & DNS Administrative Tools 583 ISC BIND & DNS Users Tools 585 ISC DHCP 587 Building a kernel with ISC DHCP support 590 Compiling - Optimizing & Installing ISC DHCP 591 Configuring ISC DHCP 595 Testing the DHCP server 603 Running ISC DHCP in a chroot jail 605 Securing ISC DHCP 616 Running the DHCP client for Linux 617 Exim 622 Compiling - Optimizing & Installing Exim 626 Configuring Exim 631 Testing Exim 654 Allowing Users to authenticate with Exim before relaying 657 Running Exim with SSL support 660 Running Exim with Virtual Hosts support 667 Running Exim with Maildir support 670 Running Exim with mail quota support 672 Running Exim as a Null Client Mail Server 673 Exim Administrative Tools 676 Qmail 678 Compiling, Optimizing & Installing Qmail 681 Configuring Qmail 687 Testing Qmail 691 Allowing Users to authenticate with Qmail before relaying 692 Running Qmail with SSL support 696 Running Qmail with Virtual Hosts support 701 Running Qmail as a Null Client Mail Server 705 Running Qmail as a Mini-Qmail Mail Server 709 Running qmail-pop3d with SSL support 713 Qmail Administrative Tools 716 10 Qmail Users Tools 717 tpop3d 719 Compiling - Optimizing & Installing tpop3d 723 Configuring tpop3d 724 Securing tpop3d 728 UW IMAP 730 Compiling - Optimizing & Installing UW IMAP 733 Configuring UW IMAP 737 Enable IMAP or POP services via UCSPI-TCP 739 Enable IMAP or POP services via Xinetd 740 Securing UW IMAP 742 Running UW IMAP with SSL support 743 Qpopper 747 Compiling - Optimizing & Installing Qpopper 750 Configuring Qpopper 752 Securing Qpopper 756 Running Qpopper with SSL support 758 SpamAssassin 763 Compiling - Optimizing & Installing SpamAssassin 766 Configuring SpamAssassin 767 Testing SpamAssassin 769 Running SpamAssassin with Exim 770 Running SpamAssassin with Qmail 771 Sophos 775 Compiling & Installing Sophos 778 Configuring Sophos 779 Testing Sophos 780 AMaViS 781 Verifying & installing all the additional prerequisites to run AMaViS 783 Compiling - Optimizing & Installing AMaViS 795 Running AMaViS with Exim 798 Running AMaViS with Qmail 800 Testing AMaViS 801 MySQL 802 Compiling - Optimizing & Installing MySQL 806 Configuring MySQL 808 Securing MySQL 813 Optimizing MySQL 814 [...]... Preface These installation instructions assume You have a CD-ROM drive on your computer and the Official Red Hat Linux or OpenNA Linux CD-ROM Installations were tested on the Official Red Hat Linux version 7.3 and OpenNA Linux You should familiarize yourself with the hardware on which the operating system will be installed After examining the hardware, the rest of this document guides you, step-by-step,... label the diskette “Red Hat boot disk”, for example 26 Installation Issues 0 CHAPTER 2 Beginning the installation of Linux Now that we have made the boot disk, it is time to begin the installation of Linux Since we’d start the installation directly off the CD-ROM, boot with the boot disk Insert the boot diskette you create into the drive A: on the computer where you want to install Linux and reboot the. .. you cannot get the examples from the Internet, please contact the author at this email address: gmourani@openna.com Problem with Securing & Optimizing Linux When you encounter a problem in "Securing & Optimizing Linux" we want to hear about it Your reports are an important part in making the book more reliable, because even with the utmost care we cannot guarantee that every part of the book will work... drive A: and press -ENTER- : D:\dosutils>exit The rawrite.exe program asks for the filename of the disk image: Enter boot.img and insert a blank floppy into drive A It will then ask for a disk to write to: Enter a:, and when complete, label the disk “Red Hat boot disk”, for example Making a Diskette under a Linux- Like OS: To make a diskette under Linux or any other variant of Linux- Like operating system,... completing the installation Below, we will show you two methods to create the installation Boot Disk, the first method is to use an existing Microsoft Windows computer and the second using an existing Linux computer Making a Diskette under MS-DOS: Before you make the boot disk, insert the Official Red Hat Linux CD-ROM Disk 1 in your computer that runs the Windows operating system When the program asks for the. .. swap partition on the server The 2.4 kernel of Linux is more aggressive than the 2.2 kernels in its use of swap space and the optimal sizing of swap space remains dependent on the following: 1 2 3 4 The amount of RAM installed The amount of disk space available for swap The applications being run The mix of applications that are run concurrently No rule-of-thumb can possibly take all these points into... to use the n key for a new partition Choose logical; tell it where the first cylinder should be (2) Tell fdisk how big you want your swap partition You then need to change the partition type to Linux swap Enter the t key to change the type and enter the partition number of your swap partition Enter the number 82 for the hex code for the Linux swap partition 35 Now that you have created your Linux boot... command The “x” option tells tar to extract all files from the archive The “z” option tells tar that the archive is compressed with gzip utility The “p” option maintains the original permissions the files had when the archive was created The “f” option tells tar that the very next argument is the file name 19 Once the tarball has been decompressed into the appropriate directory, you will almost certainly... to write to the device representing the floppy drive (known as /dev/fd0H1440 under Linux) This permission is granted when you log in to the system as the super-user “root” Once you have logged as “root”, insert a blank formatted diskette into the diskette drive of your computer without issuing a mount command on it Now it’s time to mount the Red Hat Linux CD-ROM on Linux and change to the directory... thing of the past You only need to buy good hardware; it is worth spending money on the hardware and gets the software from the Internet The important point is that it is the computer hardware that is doing the bulk of the work The hardware is the real workhorse and the software is just driving it It is for this reason that we believe in working with and using Open source software Much of the software . with Securing & Optimizing Linux When you encounter a problem in " ;Securing & Optimizing Linux& quot; we want to hear about it. Your reports are an important part in making the book. ucspi-tcp 486 Compiling - Optimizing & Installing ucsip-tcp 488 Using ucsip-tcp 490 Xinetd 492 Compiling - Optimizing & Installing Xinetd 494 Configuring Xinetd 496 The /etc/xinetd.d. Title: Securing and Optimizing Linux: The Hacking Solution Page Count: 1100 Version: 3.0 Last Revised: 200 2-0 6-2 6 Publisher: Open Network Architecture, Inc. Editor: Ted Nackad Text Design &