Document information
This book is dedicated to OpenNA staff. Thanks, guys (no-gender)!!
Gerhard Mourani
This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste.
Open Network Architecture is committed to using paper with the highest recycled content
available consistent with high quality.
Copyright © 2002 by Gerhard Mourani and Open Network Architecture, Inc.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or
transmitted in any form or by any means, electronic, mechanical, photocopying, recording,
scanning or otherwise, except as permitted by the Canada Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy
fee to the copyright holders Gerhard Mourani and Open Network Architecture, Inc., 11090
Drouart, Montreal, PQ H3M 2S3, (514) 978-6183, fax (514) 333-0236. Requests to the Publisher
for permission should be addressed to the Publishing Manager, at Open Network Architecture,
Inc., E-mail: books@openna.com
This publication is designed to provide accurate and authoritative information in regard to the
subject matter covered. It is sold with the understanding that some grammatical mistakes may
have occurred, but these do not jeopardize the content or the issues raised herein.
Title: Securing and Optimizing Linux: The Hacking Solution
Page Count: 1100
Version: 3.0
Last Revised: 2002-06-26
Publisher: Open Network Architecture, Inc.
Editor: Ted Nackad
Text Design & Drawings (Graphics): Bruno Mourani
Printing History: June 2000: First Publication.
Author: Gerhard Mourani
Mail: gmourani@openna.com
Website: http://www.openna.com/
National Library Act. R.S., c. N-11, s. 1.
Legal Deposit, 2002
Securing and Optimizing Linux: The Hacking Solution / Open Network Architecture, Inc.
Published by Open Network Architecture, Inc., 11090 Drouart, Montreal, H3M 2S3, Canada.
Includes Index.
ISBN 0-9688793-1-4
Printed in Canada
Overview
Part I Installation Security
Chapter 1 Introduction
Chapter 2 Installation Issues
Part II System Security & Optimization
Chapter 3 General Security
Chapter 4 Pluggable Authentication Modules
Chapter 5 General Optimization
Chapter 6 Kernel Security & Optimization
Chapter 7 Process File System Management
Part III Network Security
Chapter 8 TCP/IP Network Management
Chapter 9 Firewall Basic Concept
Chapter 10 GIPTables Firewall
Chapter 11 Squid Proxy Server
Chapter 12 SquidGuard Filter
Chapter 13 FreeS/WAN VPN
Part IV Cryptography & Authentication
Chapter 14 GnuPG
Chapter 15 OpenSSL
Chapter 16 OpenSSH
Chapter 17 Sudo
Part V Monitoring & System Integrity
Chapter 18 sXid
Chapter 19 LogSentry
Chapter 20 HostSentry
Chapter 21 PortSentry
Chapter 22 Snort
Chapter 23 Tripwire
Part VI Super-Server
Chapter 24 UCSPI-TCP
Chapter 25 Xinetd
Part VII Management & Limitation
Chapter 26 NTP
Chapter 27 Quota
Part VIII Domain Name System & Dynamic Host Protocol
Chapter 28 ISC BIND & DNS
Chapter 29 ISC DHCP
Part IX Mail Transfer Agent Protocol
Chapter 30 Exim
Chapter 31 Qmail
Part X Internet Message Access Protocol
Chapter 32 tpop3d
Chapter 33 UW IMAP
Chapter 34 Qpopper
Part XI Anti-Spam & Anti-Virus
Chapter 35 SpamAssassin
Chapter 36 Sophos
Chapter 37 AMaViS
Part XII Database Server
Chapter 38 MySQL
Chapter 39 PostgreSQL
Chapter 40 OpenLDAP
Part XIII File Transfer Protocol
Chapter 41 ProFTPD
Chapter 42 vsFTPD
Part XIV Hypertext Transfer Protocol
Chapter 43 Apache
Chapter 44 PHP
Chapter 45 Mod_Perl
Part XV NetBios Protocol
Chapter 46 Samba
Part XVI Backup
Chapter 47 Tar & Dump
Part XVII Appendixes
Appendix A Tweaks, Tips and Administration Tasks
Appendix B Port list
Contents
Steps of installation 13
Author note 13
Audience 14
These installation instructions assume 15
Obtaining the example configuration files 15
Problem with Securing & Optimizing Linux 15
Acknowledgments 15
Introduction 16
What is Linux? 17
Some good reasons to use Linux 17
Let's dispel some of the fear, uncertainty, and doubt about Linux 17
Why choose pristine source? 18
Compiling software on your system 18
Build & install software on your system 19
Editing files with the vi editor tool 20
Recommended software to include in each type of servers 21
Installation Issues 24
Know your Hardware! 25
Creating the Linux Boot Disk 25
Beginning the installation of Linux 27
Installation Class and Method (Install Options) 28
Partition your system for Linux 29
Disk Partition (Manual Partitioning) 33
Selecting Package Groups 44
Boot Disk Creation 47
How to use RPM Commands 47
Starting and stopping daemon services 50
Software that must be uninstalled after installation of the server 51
Remove unnecessary documentation files 59
Remove unnecessary/empty files and directories 60
Software that must be installed after installation of the server 60
General Security 64
BIOS 65
Unplug your server from the network 65
Security as a policy 66
Choose a right password 66
The root account 67
Set login time out for the root account 67
Shell logging 68
The single-user login mode of Linux 69
Disabling Ctrl-Alt-Delete keyboard shutdown command 69
Limiting the default number of started ttys on the server 70
The LILO and /etc/lilo.conf file 70
The GRUB and /boot/grub/grub.conf file 72
The /etc/services file 74
The /etc/securetty file 75
Special accounts 75
Control mounting a file system 78
Mounting the /usr directory of Linux as read-only 79
Tighten scripts under /etc/init.d 81
Tighten scripts under /etc/cron.daily/ 81
Bits from root-owned programs 81
Don’t let internal machines tell the server what their MAC address is 83
Unusual or hidden files 84
Finding Group and World Writable files and directories 85
Unowned files 86
Finding .rhosts files 86
Physical hard copies of all-important logs 87
Getting some more security by removing manual pages 89
System is compromised! 90
Pluggable Authentication Modules 91
The password length 92
Disabling console program access 94
Disabling all console access 94
The Login access control table 95
Tighten console permissions for privileged users 96
Putting limits on resources 98
Controlling access time to services 100
Blocking; su to root, by one and sundry 101
Using sudo instead of su for logging in as super-user 102
General Optimization 104
Static vs. shared libraries 105
The Glibc 2.2 library of Linux 106
Why Linux programs are distributed as source 107
Some misunderstanding in the compiler flags options 108
The gcc specs file 109
Stripping all binaries and library files 114
Tuning IDE Hard Disk Performance 115
Kernel Security & Optimization 121
Difference between a Modularized Kernel and a Monolithic Kernel 122
Making an emergency boot floppy 125
Preparing the Kernel for the installation 126
Applying the Grsecurity kernel patch 128
Obtaining and Installing Grsecurity 128
Tuning the Kernel 129
Cleaning up the Kernel 130
Configuring the Kernel 132
Compiling the Kernel 177
Installing the Kernel 177
Verifying or upgrading your boot loader 179
Reconfiguring /etc/modules.conf file 181
Rebooting your system to load the new kernel 182
Delete programs, edit files pertaining to modules 182
Making a new rescue floppy for Modularized Kernel 183
Making an emergency boot floppy disk for Monolithic Kernel 183
Process file system management 185
What is sysctl? 187
/proc/sys/vm: The virtual memory subsystem of Linux 187
/proc/sys/fs: The file system data of Linux 194
/proc/sys/net/ipv4: IPV4 settings of Linux 196
Other possible optimization of the system 204
TCP/IP Network Management 208
TCP/IP security problem overview 210
Installing more than one Ethernet Card per Machine 214
Files-Networking Functionality 215
Testing TCP/IP Networking 219
The last checkup 222
Firewall Basic Concept 223
What is the IANA? 224
The ports numbers 224
What is a Firewall? 226
Packet Filter vs. Application Gateway 226
What is a Network Firewall Security Policy? 228
The Demilitarized Zone 229
Linux IPTables Firewall Packet Filter 230
The Netfilter Architecture 230
GIPTables Firewall 236
Building a kernel with IPTables support 239
Compiling - Optimizing & Installing GIPTables 242
Configuring GIPTables 243
/etc/giptables.conf: The GIPTables Configuration File 243
/etc/rc.d/rc.giptables.blocked: The GIPTables Blocked File 254
/etc/init.d/giptables: The GIPTables Initialization File 255
The GIPTables Firewall Module Files 256
How GIPTables parameters work 257
Running the type of GIPTables firewall that you need 263
The GIPTables configuration file for a Gateway/Proxy Server 264
GIPTables-Firewall Administrative Tools 282
Squid Proxy Server 284
Compiling - Optimizing & Installing Squid 287
Configuring Squid 291
Running Squid with Users Authentication Support 304
Securing Squid 308
Optimizing Squid 311
Squid Administrative Tools 311
The cachemgr.cgi program utility of Squid 313
SquidGuard Filter 315
Compiling - Optimizing & Installing SquidGuard 317
Configuring SquidGuard 319
Testing SquidGuard 327
Optimizing SquidGuard 328
FreeS/WAN VPN 331
Compiling - Optimizing & Installing FreeS/WAN 335
Configuring FreeS/WAN 338
Configuring RSA private keys secrets 342
Requiring network setup for IPSec 347
Testing the FreeS/WAN installation 349
GnuPG 352
Compiling - Optimizing & Installing GnuPG 354
Using GnuPG under Linux terminal 356
OpenSSL 362
Compiling - Optimizing & Installing OpenSSL 366
Configuring OpenSSL 368
OpenSSL Administrative Tools 374
Securing OpenSSL 379
OpenSSH 380
Compiling - Optimizing & Installing OpenSSH 382
Configuring OpenSSH 385
Running OpenSSH in a chroot jail 395
Creating OpenSSH private & public keys 400
OpenSSH Users Tools 402
Sudo 404
Compiling - Optimizing & Installing Sudo 406
Configuring Sudo 408
A more complex sudoers configuration file 410
Securing Sudo 413
Sudo Users Tools 413
sXid 415
Compiling - Optimizing & Installing sXid 417
Configuring sXid 418
sXid Administrative Tools 420
LogSentry 421
Compiling - Optimizing & Installing LogSentry 423
Configuring LogSentry 427
HostSentry 428
Compiling - Optimizing & Installing HostSentry 430
Configuring HostSentry 434
PortSentry 440
Compiling - Optimizing & Installing PortSentry 442
Configuring PortSentry 445
Removing hosts that have been blocked by PortSentry 452
Snort 453
Compiling - Optimizing & Installing Snort 456
Configuring Snort 458
Running Snort in a chroot jail 464
Tripwire 468
Compiling - Optimizing & Installing Tripwire 470
Configuring Tripwire 473
Running Tripwire for the first time 482
Securing Tripwire 484
Tripwire Administrative Tools 484
ucspi-tcp 486
Compiling - Optimizing & Installing ucspi-tcp 488
Using ucspi-tcp 490
Xinetd 492
Compiling - Optimizing & Installing Xinetd 494
Configuring Xinetd 496
The /etc/xinetd.d directory 497
NTP 507
Compiling - Optimizing & Installing NTP 511
Configuring NTP 513
Running NTP in Client Mode 513
Running NTP in Server Mode 519
Running NTP in a chroot jail 521
NTP Administrative Tools 525
Quota 527
Build a kernel with Quota support enabled 529
Compiling - Optimizing & Installing Quota 529
Modifying the /etc/fstab file 531
Creating the aquota.user and aquota.group files 532
Assigning Quota for Users and Groups 532
Quota Administrative Tools 535
ISC BIND & DNS 536
Compiling - Optimizing & Installing ISC BIND & DNS 540
Configuring ISC BIND & DNS 542
Running ISC BIND & DNS as Caching-Only Name Server 543
Running ISC BIND & DNS as Primary Master Name Server 552
Running ISC BIND & DNS as Secondary Slave Name Server 557
Running ISC BIND & DNS in a chroot jail 559
Securing ISC BIND & DNS 563
Optimizing ISC BIND & DNS 580
ISC BIND & DNS Administrative Tools 583
ISC BIND & DNS Users Tools 585
ISC DHCP 587
Building a kernel with ISC DHCP support 590
Compiling - Optimizing & Installing ISC DHCP 591
Configuring ISC DHCP 595
Testing the DHCP server 603
Running ISC DHCP in a chroot jail 605
Securing ISC DHCP 616
Running the DHCP client for Linux 617
Exim 622
Compiling - Optimizing & Installing Exim 626
Configuring Exim 631
Testing Exim 654
Allowing Users to authenticate with Exim before relaying 657
Running Exim with SSL support 660
Running Exim with Virtual Hosts support 667
Running Exim with Maildir support 670
Running Exim with mail quota support 672
Running Exim as a Null Client Mail Server 673
Exim Administrative Tools 676
Qmail 678
Compiling, Optimizing & Installing Qmail 681
Configuring Qmail 687
Testing Qmail 691
Allowing Users to authenticate with Qmail before relaying 692
Running Qmail with SSL support 696
Running Qmail with Virtual Hosts support 701
Running Qmail as a Null Client Mail Server 705
Running Qmail as a Mini-Qmail Mail Server 709
Running qmail-pop3d with SSL support 713
Qmail Administrative Tools 716
Qmail Users Tools 717
tpop3d 719
Compiling - Optimizing & Installing tpop3d 723
Configuring tpop3d 724
Securing tpop3d 728
UW IMAP 730
Compiling - Optimizing & Installing UW IMAP 733
Configuring UW IMAP 737
Enable IMAP or POP services via UCSPI-TCP 739
Enable IMAP or POP services via Xinetd 740
Securing UW IMAP 742
Running UW IMAP with SSL support 743
Qpopper 747
Compiling - Optimizing & Installing Qpopper 750
Configuring Qpopper 752
Securing Qpopper 756
Running Qpopper with SSL support 758
SpamAssassin 763
Compiling - Optimizing & Installing SpamAssassin 766
Configuring SpamAssassin 767
Testing SpamAssassin 769
Running SpamAssassin with Exim 770
Running SpamAssassin with Qmail 771
Sophos 775
Compiling & Installing Sophos 778
Configuring Sophos 779
Testing Sophos 780
AMaViS 781
Verifying & installing all the additional prerequisites to run AMaViS 783
Compiling - Optimizing & Installing AMaViS 795
Running AMaViS with Exim 798
Running AMaViS with Qmail 800
Testing AMaViS 801
MySQL 802
Compiling - Optimizing & Installing MySQL 806
Configuring MySQL 808
Securing MySQL 813
Optimizing MySQL 814
... Preface. These installation instructions assume: You have a CD-ROM drive on your computer and the Official Red Hat Linux or OpenNA Linux CD-ROM. Installations were tested on the Official Red Hat Linux version 7.3 and OpenNA Linux. You should familiarize yourself with the hardware on which the operating system will be installed. After examining the hardware, the rest of this document guides you, step-by-step, ...

... label the diskette "Red Hat boot disk", for example.

Chapter 2, Beginning the installation of Linux: Now that we have made the boot disk, it is time to begin the installation of Linux. Since we'd start the installation directly off the CD-ROM, boot with the boot disk. Insert the boot diskette you created into drive A: on the computer where you want to install Linux and reboot the ...

... you cannot get the examples from the Internet, please contact the author at this email address: gmourani@openna.com

Problem with Securing & Optimizing Linux: When you encounter a problem in "Securing & Optimizing Linux" we want to hear about it. Your reports are an important part in making the book more reliable, because even with the utmost care we cannot guarantee that every part of the book will work ...

... drive A: and press -ENTER-:
D:\dosutils>exit
The rawrite.exe program asks for the filename of the disk image: Enter boot.img and insert a blank floppy into drive A. It will then ask for a disk to write to: Enter a:, and when complete, label the disk "Red Hat boot disk", for example.

Making a Diskette under a Linux-Like OS: To make a diskette under Linux or any other variant of Linux-Like operating system, ...

... completing the installation. Below, we will show you two methods to create the installation Boot Disk: the first method is to use an existing Microsoft Windows computer and the second an existing Linux computer.

Making a Diskette under MS-DOS: Before you make the boot disk, insert the Official Red Hat Linux CD-ROM Disk 1 in your computer that runs the Windows operating system. When the program asks for the ...

... swap partition on the server. The 2.4 kernel of Linux is more aggressive than the 2.2 kernels in its use of swap space and the optimal sizing of swap space remains dependent on the following:
1. The amount of RAM installed
2. The amount of disk space available for swap
3. The applications being run
4. The mix of applications that are run concurrently
No rule-of-thumb can possibly take all these points into ...

... to use the n key for a new partition. Choose logical; tell it where the first cylinder should be (2). Tell fdisk how big you want your swap partition. You then need to change the partition type to Linux swap. Enter the t key to change the type and enter the partition number of your swap partition. Enter the number 82 for the hex code for the Linux swap partition. Now that you have created your Linux boot ...

... command. The "x" option tells tar to extract all files from the archive. The "z" option tells tar that the archive is compressed with the gzip utility. The "p" option maintains the original permissions the files had when the archive was created. The "f" option tells tar that the very next argument is the file name. Once the tarball has been decompressed into the appropriate directory, you will almost certainly ...

... to write to the device representing the floppy drive (known as /dev/fd0H1440 under Linux). This permission is granted when you log in to the system as the super-user "root". Once you have logged in as "root", insert a blank formatted diskette into the diskette drive of your computer without issuing a mount command on it. Now it's time to mount the Red Hat Linux CD-ROM on Linux and change to the directory ...

... thing of the past. You only need to buy good hardware; it is worth spending money on the hardware and getting the software from the Internet. The important point is that it is the computer hardware that is doing the bulk of the work. The hardware is the real workhorse and the software is just driving it. It is for this reason that we believe in working with and using Open Source software. Much of the software ...
Posted: 25/03/2014, 12:06