Chapter 18 ✦ Backups

After you create the image to put on the CD-ROM, you need to send the image to the CD writer. You must know the exact location of the CD writer, which the cdrecord program can determine (as shown here using the -scanbus option):

    # cdrecord -scanbus
    Cdrecord 1.8.1 (i586-mandrake-linux-gnu) Copyright (C) 1995-2000 Jörg Schilling
    Using libscg version 'schily-0.1'
    scsibus0:
            0,0,0     0) *
            0,1,0     1) *
            0,2,0     2) *
            0,3,0     3) *
            0,4,0     4) 'YAMAHA  ' 'CRW4416S        ' '1.0g' Removable CD-ROM
            0,5,0     5) *
            0,6,0     6) *
            0,7,0     7) *

You see from the output that the desired device (YAMAHA) resides on 0,4,0. You can now send the created image to the CD writer in confidence. The following command sends the image to the desired device:

    cdrecord -v speed=4 dev=0,4,0 -data /var/tmp/mydata.cd

The -v option indicates that the program should run in verbose mode, which prints a great deal of information to the screen about what is happening with this burn session. The speed=4 option sets the record speed to 4. For dev=, specify the device number you discovered before. Finally, -data indicates the location of the data to put on the CD.

When using CD-Rs or CD-RWs, the cdrecord program checks the media for the fastest speed the media can use. If the media can only write at 2x, then cdrecord reduces the speed option to match the speed of the media. This is especially important with today's burner speeds.

The following output resulting from the verbose mode gives an indication of what is going on during the writing process. Any problems during the process will show up in the verbose output to the screen.
    [root@drake win_d]# more /var/tmp/cdmessage.txt
    Cdrecord 1.8.1 (i586-mandrake-linux-gnu) Copyright (C) 1995-2000 Jörg Schilling
    TOC Type: 1 = CD-ROM
    scsidev: '0,4,0'
    scsibus: 0 target: 4 lun: 0
    Using libscg version 'schily-0.1'
    atapi: 0
    Device type    : Removable CD-ROM
    Version        : 2
    Response Format: 2
    Capabilities   : SYNC
    Vendor_info    : 'YAMAHA  '
    Identifikation : 'CRW4416S        '
    Revision       : '1.0g'
    Device seems to be: Generic mmc CD-RW.
    Using generic SCSI-3/mmc CD-R driver (mmc_cdr).
    Driver flags   : SWABAUDIO
    FIFO size      : 4194304 = 4096 KB
    Track 01: data   246 MB
    Total size:     283 MB (28:04.26) = 126320 sectors
    Lout start:     283 MB (28:06/20) = 126320 sectors
    Current Secsize: 2048
    ATIP info from disk:
      Indicated writing power: 5
      Is not unrestricted
      Is not erasable
      ATIP start of lead in:  -11689 (97:26/11)
      ATIP start of lead out: 336350 (74:46/50)
    Disk type:    Long strategy type (Cyanine, AZO or similar)
    Manuf. index: 19
    Manufacturer: POSTECH Corporation
    Blocks total: 336350 Blocks current: 336350 Blocks remaining: 210030
    Starting to write CD/DVD at speed 4 in write mode for single session.
    Last chance to quit, starting real write in 1 seconds.
    Waiting for reader process to fill input buffer
    input buffer ready.
    Performing OPC
    Starting new track at sector: 0
    Track 01: 246 of 246 MB written (fifo 100%).
    Track 01: Total bytes read/written: 258699264/258699264 (126318 sectors).
    Writing time:  437.780s
    Fixating
    Fixating time:   67.876s
    cdrecord: fifo had 7895 puts and 7895 gets.
    cdrecord: fifo was 0 times empty and 7734 times full, min fill was 96%.

After a successful creation of a CD-ROM, the prompt returns to the screen. You can test the CD by trying to read data from it. If you can read a couple of random files, the data is good. Now you can delete the image file you created for the CD to prevent anyone else from getting at the data.
Cross-Reference: To learn more about the CD writer hardware, turn to Chapter 17.

Recovering from a Crashed System

If your system ever crashes due to hardware failure, file corruption, or any other reason, you need to know how to recover your system. Often, the only boost needed to get a system back up and running is having access to that system. Now is the time for that boot disk you saved for this system.

To create a boot disk using your kernel (if you made changes to your kernel), insert a blank, formatted disk in the floppy drive. Issue the following three commands as root:

    dd if=/vmlinuz of=/dev/fd0
    rdev /dev/fd0
    rdev -R /dev/fd0 1

This is the same thing that happens when you first install Debian on your computer and you are asked to create a boot disk.

Slip the boot disk into the floppy drive and power on the computer. (Make sure that the BIOS is set to boot to the floppy first.) This disk bypasses the LILO boot information on the hard disk, but it still boots to your system. You can then fix any problems affecting LILO, the kernels, or any of the initial boot parameters.

Rescue disk boot options

When you boot your computer using either the installation CD-ROM that comes with this book or the rescue disk you create from the Debian floppy image, you have some options at the boot prompt. Pressing F1 lists the help keys. Pressing F3 shows the different ways you can start up: linux, ramdisk, floppy, or rescue. Loading linux starts the installation process; if you already have your system loaded, use this as a last resort. First try to use rescue and point it to the root partition, as shown here:

    boot: rescue root=/dev/hdxx

This starts the filesystem and establishes a shell where you can begin to repair any mistakes made. If this doesn't work, try booting using floppy instead. This should load a small Linux environment in which you have very limited, rudimentary access and control.
You can also start the system with a rescue disk and enter single. This takes you into single-user mode. You have root access to the basic system to check the hardware, make basic tests on the system, and determine what changes you need to make to get your system back up and running.

Fixing disk problems

If something does happen to the disk filesystem, you can check the filesystem for any errors. The e2fsck program performs this check on the disk. It scans the disk for physical errors, misplaced data, and any other problems. An equivalent program for DOS is chkdsk; for Windows, use scandisk. Here is the syntax for this command:

    e2fsck [options] filesystem

Tip: You should always use this program on filesystems that are unmounted or mounted in read-only mode, as is the case with the root filesystem. If not, you could possibly corrupt data on the filesystem. You can use a boot floppy to start the system in single-user mode, and then run this check on the filesystem disks.

Summary

Like any good Boy Scout or Girl Scout, you always want to be prepared. Being a good administrator is no different. Life can get hot in a hurry when the spotlight is on you to repair a failed disk, fix a defective system, or just find those lost fishing pictures for the boss. I hope that this chapter gives you every reason to create a backup plan for your system. From this chapter's examples, you should have an idea of what software to use to meet your environment's needs. Whether you are mirroring a disk on the same machine or across the network, using a single tape drive for the entire system of machines, or making a periodic CD of just the important files, you now have a sound place to start.

Sometimes you may run into trouble starting a system because of a simple mistake, a corrupt boot loader, or something a little more serious. Save reformatting and reinstalling for later.
Generally, you can recover a system before going to that extreme. At worst, you have a backup of your system from which you can recover.

Part V ✦ Linux Server

In This Part
✦ Chapter 19 Security
✦ Chapter 20 Firewall
✦ Chapter 21 Web Server
✦ Chapter 22 FTP Server
✦ Chapter 23 Network Information System
✦ Chapter 24 File Server
✦ Chapter 25 Mail

Chapter 19 ✦ Security

It has been said that the only truly secure computer is one that is not connected to anything. As more computers communicate with one another through local area networks, wide area networks, and the Internet, security becomes a requirement. Moreover, security is something that constantly needs to be improved; it's more of an ongoing project than a static state of being. This chapter covers some of the most common areas in which system integrity is compromised, explains how to lock down a system, and describes pertinent tools for protecting your system. Time now to turn on the paranoia switch concerning security.

Understanding the Need for Security

System security ensures that a system, or the data on a system, cannot be accessed by anyone without authorization. This means that if users accessed a system only in the way intended, security would not be an issue. However, that isn't how it works in reality.

Two terms are frequently used when talking about security: hacker and cracker. A hacker originally referred to a computer enthusiast who lacked formal training. Of late, however, the term hacker has become associated with individuals who compromise a computer system. In truth, this person is a cracker, a term coined by hackers in the mid-80s to differentiate themselves. The cracker's mission is to maliciously break into a computer system, whereas the hacker's goal is to gain knowledge.

With the growth of the Internet, more systems have access to one another.
In This Chapter
✦ Understanding the need for security
✦ Using the tools of the trade
✦ Locking down a system by limiting its services
✦ Considering viruses, permissions, and passwords
✦ Fixing a compromised system

Note: For example, Internet access was originally only available using dial-up modems. Once cable modems became available, people started hooking up to small networks through the cable company, leaving publicly shared file systems vulnerable.

The key to successfully securing your system is to acquire the same knowledge as the would-be attacker and to know your system. You must protect your system from two enemies: those who have legitimate access and those who don't. Those who have legitimate access may not intend to damage a system, but without appropriate precautions in place, they can still wreak havoc on a system. This is where permissions, disk quotas, and password encryption come into play. If the permissions on a file or directory are properly set, unauthorized users will not be able to gain access. Disk quotas limit the amount of disk space a user can take up, thus freeing the rest for the system. Using encrypted passwords prevents users from viewing one another's passwords.

Protecting yourself against outside intrusion requires a little more effort at the system level. This includes keeping software updated so that crackers don't use known vulnerabilities to gain access, limiting the services that run on a system, limiting the hosts that have access, and other similar tactics covered in this chapter.

Avoiding crackers

The basic goal of crackers is to gain root access to your system, after which they have complete control over it. But if they gain access as a normal user, they can still cause trouble for others. A common practice is to crack one system, and then use that system as a launching point for attacking other systems.
One attack method is to use a common service, such as e-mail, the Web, or a database. The cracker launches a Denial of Service (DoS) attack on a system by bombarding a service like e-mail with normal requests to the point where the service breaks or the system crashes. When something like this happens, the victim may not have any recourse other than waiting until the attack finishes or dropping requests from the offending host.

Note: A DoS attack might never happen to the casual user, small business, or low-profile corporation. After all, crackers are more interested in creating havoc with higher-profile sites such as Yahoo, Amazon, or CNN.

The best way to avoid becoming a target for attacks is to make it difficult enough for would-be crackers that they go elsewhere for an easier target. To accomplish this, you need to fill your tool chest with the appropriate tools.

Note: The security of a system is only as good as its weakest point. Knowing where those weak points are comes from experience and familiarity with the system.

Tools of the Trade

There are numerous tools that, when applied properly, can keep your system secure, as well as provide an avenue for tracking down the offender. This section covers tools for several areas to best protect a system. In most cases, these tools are used together for the best results in ensuring system integrity.

Authentication tools

As a first line of defense, you need to run certain tools, namely password protection and encryption. This prevents someone from easily accessing all of your data.

Shadow passwords

The first form of password protection is the shadow password. This removes passwords from the /etc/passwd file and stores them in an encrypted form in /etc/shadow. You are asked whether you want to use shadow passwords when setting up Debian — it's a good idea to do so.
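An added example (not from the book) that automates the /etc/passwd check this section describes: an x in the second field of an account record means the hash is kept in /etc/shadow. The sample records, user names and the hash-looking string are constructed.

```python
"""Audit /etc/passwd-style records for shadow-password use.

Added example, not from the book: it implements the check the chapter
describes (an x in the second field means the hash lives in /etc/shadow)
over a constructed sample, and also flags what an administrator most
wants to see: an empty password field, and a hash stored directly in the
world-readable /etc/passwd.
"""

from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of /etc/passwd lines; names, UIDs and the hash are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
# a comment line and a blank line should be ignored

alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$saltsalt$notarealhashjustasample:1001:1001:Bob:/home/bob:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
broken:x:1003
"""


@dataclass
class PasswdFinding:
    user: str
    status: str  # shadowed, locked, hash_in_passwd, empty_password, malformed


def classify_entry(line: str) -> PasswdFinding | None:
    """Classify one /etc/passwd record; returns None for comments and blank lines."""
    line = line.rstrip("\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 7:                      # passwd(5) records have exactly 7 fields
        return PasswdFinding(fields[0], "malformed")
    user, pw_field = fields[0], fields[1]
    if pw_field == "x":
        return PasswdFinding(user, "shadowed")
    if pw_field == "":
        return PasswdFinding(user, "empty_password")   # no password required at all
    if pw_field.startswith(("*", "!")):
        return PasswdFinding(user, "locked")           # cannot log in with a password
    # Anything else is a hash sitting in a world-readable file, which is
    # exactly what shadow passwords are meant to prevent.
    return PasswdFinding(user, "hash_in_passwd")


def audit_passwd(text: str) -> dict[str, list[str]]:
    """Group account names by status so a cron job can report them."""
    report: dict[str, list[str]] = {}
    for line in text.splitlines():
        finding = classify_entry(line)
        if finding is not None:
            report.setdefault(finding.status, []).append(finding.user)
    return report


def shadow_in_use(text: str) -> bool:
    """True when no account keeps a hash, or an empty password, in /etc/passwd."""
    report = audit_passwd(text)
    return not (report.get("hash_in_passwd") or report.get("empty_password"))


if __name__ == "__main__":
    for status, users in sorted(audit_passwd(SAMPLE_PASSWD).items()):
        print(f"{status:16s} {', '.join(users)}")
    print("shadow passwords fully in use:", shadow_in_use(SAMPLE_PASSWD))
```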
You can tell whether you are using shadow passwords by looking at the /etc/passwd file. If there is an x after the first colon (:) for each account listed, you are using shadow passwords.

Crack

This program uses a dictionary to try to deliberately crack the passwords for the accounts on the system. When this tool cracks a password, an e-mail message is sent to the account to notify the person. The Debian package is cracklib-run. You can set it up using cron to run regularly to notify users of their weak, crackable passwords. You can get more information about crack by going to /usr/doc/cracklib-runtime/index.html. The utilities that come with the run-time install are as follows:

✦ crack_mkdict — This takes one or more plain text files containing one word per line and creates the dictionary for cracking passwords. The utility lowercases all the words, removes any control characters, and sorts the list before sending the results to standard output.
✦ crack_packer — This takes the standard input and creates three database files that the test utilities understand. These files end in .hwm, .pwd, and .pwi.
✦ crack_unpacker — This utility sends to standard output the words making up the database files.
✦ crack_testlib — This tests the input to see whether it is a valid password.
✦ crack_testnum — Based on the index number, this checks the corresponding word in the database.
✦ crack_teststr — This checks for the word in the database and returns the index number if the word exists.

The ispell and wenglish packages provide word lists that can be used to create a dictionary database of words found in a dictionary.

MD5

The newest form of data authentication is the MD5 program. It accepts a message of any length as input and produces a 128-bit fingerprint or checksum as output. The idea is that no two messages will have the same checksum. This tool is an excellent method of verifying the integrity of data.
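An added example (not from the book, and not the MD5 distribution it points to) of the integrity check just described: it fingerprints a directory into a manifest, re-checks the tree later, and re-runs the chapter's test1/test2 experiment with Python's hashlib in place of the md5 program. The temporary files and the choice of algorithm parameter are this example's own; MD5 is kept as the default to match the chapter, but it is no longer collision resistant, so sha256 is the better choice for new manifests.

```python
"""Fingerprint files and verify them later, the way the chapter uses MD5.

Added example, not from the book or the MD5 distribution it points to.
It re-runs the chapter's experiment (appending one space changes the
digest) and builds a manifest of digests that a later run can check for
modified, missing or added files. hashlib replaces the standalone md5
program; the algorithm is a parameter because MD5 is no longer collision
resistant and sha256 is the better choice today.
"""

import hashlib
import os
import tempfile


def digest_bytes(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of an in-memory message (the chapter's 'message of any length')."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str = "md5") -> str:
    """Hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory: str, algorithm: str = "md5") -> dict:
    """Map every file under `directory` (by relative path) to its digest."""
    manifest = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, directory)] = file_digest(full, algorithm)
    return manifest


def verify_manifest(directory: str, manifest: dict, algorithm: str = "md5") -> dict:
    """Compare the tree with a saved manifest; three empty lists means intact."""
    current = build_manifest(directory, algorithm)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """The chapter's test1/test2 experiment, run in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        test1, test2 = os.path.join(tmp, "test1"), os.path.join(tmp, "test2")
        with open(test1, "w") as f:
            f.write("Hello, Reader!\n")   # echo 'Hello, Reader!' > test1
        with open(test2, "w") as f:
            f.write("Hello, Reader!\n")   # cp test1 test2
        baseline = build_manifest(tmp)
        assert baseline["test1"] == baseline["test2"]   # identical copies agree
        with open(test2, "a") as f:
            f.write(" \n")                # echo ' ' >> test2
        return verify_manifest(tmp, baseline)


if __name__ == "__main__":
    print(demo())
```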
If even the smallest change is made, the checksum changes. You can get the source from ftp.cerias.purdue.edu/pub/tools/unix/crypto/md5/MD5.tar.Z. Decompress the file once downloaded, unpack the tar file, and compile the source using the following:

    $ uncompress MD5.tar.Z
    $ tar xvf MD5.tar
    $ make

To see how a slight difference in a file will change the checksum, look at the following example. First, create a simple file and display its contents:

    $ echo 'Hello, Reader!' > test1
    $ cat test1
    Hello, Reader!

Next, use the MD5 program to generate a unique checksum for the file:

    $ md5 test1
    MD5 (test1) = 0c8e6a79de8cf4aec0e938d672b30eff

Then, make a copy of the first file, using the diff command to check for content differences between the first file and the copy. You can then verify that there are no differences by comparing the MD5 checksums for the two files:

    $ cp test1 test2
    $ diff test1 test2
    $ md5 test1 test2
    MD5 (test1) = 0c8e6a79de8cf4aec0e938d672b30eff
    MD5 (test2) = 0c8e6a79de8cf4aec0e938d672b30eff

Make a small change to the second file by adding a new line with a space in it. Notice that the MD5 checksum of the modified file changes considerably:

    $ echo ' ' >> test2
    $ md5 test1 test2
    MD5 (test1) = 0c8e6a79de8cf4aec0e938d672b30eff
    MD5 (test2) = 117506fd1c0222825dc5e93d657c5e80

This tool cleverly verifies the contents of all types of data.

Network monitoring tools

Because computers are accessible through networks, they are vulnerable to remote attacks. Another set of tools monitors the network traffic for various types of information to help detect these attacks.

Argus

This network-monitoring tool uses a client-server approach to capture data. It provides network auditing and can be adapted for intrusion detection, protocol analysis, and other security-related needs. You can find this tool at ftp.andrew.cmu.edu/pub/argus/.
Tcpdump

This Debian-packaged tool listens to the network traffic and reports what it finds. Each TCP packet is read, and the header information is sent to the screen. If you are suspicious of the traffic on a specific interface, you can set tcpdump to listen to that interface with the -l option. The listen option prints to the screen all traffic that passes on the selected device.

Swatch

This simple program monitors the log files for specific patterns you specify. It will filter out unwanted data and take action based on what you define. You can obtain the source files from ftp.cerias.purdue.edu/pub/tools/unix/logutils/swatch. Follow the instructions packaged with the source.

Logcheck

Logcheck is an included Debian package that monitors the log files and notifies the user via e-mail of any security violations and problems. This script is installed as /usr/sbin/logcheck.sh and is added to /etc/cron.d for routine checks. The configuration file is stored in /etc/logcheck and is already very thoroughly configured.

Caution: When picking up software source code, be careful when using beta versions of the code, which can contain bugs that make the program perform differently than expected. For peace of mind, use the tried-and-true version until the beta test completes and a final release is available.

[...]

You can also subscribe to the debian-security-announce mailing list. It includes the latest information about Debian-related issues, includes the Debian package names, and other security issues relating to Linux applications. You can find a complete list of these mailing lists at www.debian.org/MailingLists/subscribe.

Table 19-1 lists other sites that include resources, articles, how-tos, and other security information.

Table 19-1: Debian security-related sites

    Site                Features
    SecurityFocus.ORG   Includes articles focusing on security. This site covers Linux as well as other platforms.
    www.linuxdoc.org    How-tos on security for Linux as a part of the Linux Documentation Project.
    www.ugu.com         UNIX GURU Universe offers general information for UNIX [...]

[...] currently logged in — yours. Overall, the number of Linux viruses, Trojan horses, and such is relatively insignificant compared to those found on unprotected operating systems such as Windows, DOS, and Apple OS.

Setting secure permissions

When working with files, directories, and such, there may be a temptation to set the permissions on a file to 777, which gives full access to everyone. Although it may [...]

[...] network. Initially, to install the module for the second card, use the following:

    # insmod /lib/modules/2.2.17/net/rtl8139.o

Once the module is successfully added to the kernel, add the module name to /etc/modules so it gets loaded at boot time.

2. Then add the specifics about the new card to /etc/network/interfaces:

    iface eth1 inet static [...]

[...] do so. By default, the umask is set to 022, which masks the permissions on new files to rwxr-xr-x, or read/write for the user, read only for group, and other levels of access. You can restrict the permissions on new files even further by setting the umask to 026 (for no permission to the universe), or 066 (for no permissions to group [...]

[...] proxy server does. Here are the minimum requirements for a system destined for a firewall only:

✦ A computer with at least a 486 running at 100MHz
✦ 32MB of RAM
✦ A 500MB hard drive to hold the operating system
✦ Two network cards compatible with Linux (I stick with name-brand PCI cards.)

Looking over the preceding specs, this might be a good [...] setting up a firewall.

Viruses, worms, and other creepy things

In the computer world, there are three types of computer illnesses — viruses, worms, and Trojan horses. A virus is a tiny foreign program embedded in another legitimate program with the purpose of duplicating itself and causing mischief, if not destroying data. Linux is designed so [...]

[...] build a system that uses no moving parts to run. You can investigate the Linux Router Project (or LRP) at www.linuxrouter.org.

Masquerading a Private Network

In most cases, masquerading a private network is a great option. The purpose of the masquerade is to make numerous machines appear as one.

1. Install the ipmasq package using the Debian package-management system. There may be a recommended package that [...]

[...] a number of things to make a system secure. Some of these things may just mean a change in procedure. The following list of tips can help you create a more secure system:

✦ Create multiple root accounts. If more than one person needs root access, create a root account for each person. In doing so, you can track who is doing what. For [...]

[...] runs the program as root. The program is designed to create a hole in the system, allowing the cracker to easily gain access later. In short, be careful what you run as root.

Tip: Set up a firewall to protect the rest of the network from the Internet. Leave only those systems that require direct access to the Internet on the exposed side.
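The log-file pattern monitoring described above for Swatch and Logcheck, as an added example that is not code from either project: a small rule set is run over constructed syslog lines, known-benign entries are dropped the way Logcheck's ignore lists do, and repeated failures from one source are counted so they can trigger an action (here a report rather than an e-mail). The host names, addresses, rule names and threshold are this example's own.

```python
"""Swatch/Logcheck-style log monitoring over sample syslog lines.

Added example, not code from either project. It runs a small set of
regex rules over constructed log lines, ignores known-benign noise the
way Logcheck's ignore lists do, and groups matches by source host so a
burst of failures from one host can trigger an action. Rule names,
hosts and the threshold are this example's own.
"""

import re
from collections import Counter

# Constructed sample lines in syslog format; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Apr 10 11:26:01 drake sshd[812]: Failed password for invalid user admin from 10.0.0.9 port 4022 ssh2
Apr 10 11:26:03 drake sshd[812]: Failed password for invalid user admin from 10.0.0.9 port 4023 ssh2
Apr 10 11:26:05 drake sshd[813]: Failed password for root from 10.0.0.9 port 4024 ssh2
Apr 10 11:26:09 drake sshd[815]: Accepted password for alice from 10.0.0.5 port 4100 ssh2
Apr 10 11:27:00 drake su: (to root) alice on /dev/pts/1
Apr 10 11:27:30 drake cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Apr 10 11:28:00 drake kernel: rtl8139: eth1 link up
"""

# Patterns to alert on, in the spirit of a swatch configuration. The last
# capture group is the subject the report keys on (source host for ssh,
# user for su).
WATCH_RULES = {
    "ssh_failed_login": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)"),
    "su_to_root": re.compile(r" su: \(to root\) (\S+) on"),
}
# Lines matching these are known-benign and dropped before alerting.
IGNORE_RULES = [re.compile(r"cron\[\d+\]: \(root\) CMD ")]

FAILED_LOGIN_THRESHOLD = 3  # example value: this many failures from one host


def scan_log(text: str) -> list:
    """Return (rule, subject, line) for every non-ignored line that matches a rule."""
    hits = []
    for line in text.splitlines():
        if any(r.search(line) for r in IGNORE_RULES):
            continue
        for name, pattern in WATCH_RULES.items():
            m = pattern.search(line)
            if m:
                hits.append((name, m.groups()[-1], line))
    return hits


def failed_login_sources(hits) -> Counter:
    """Count ssh failures per source address so bursts stand out."""
    return Counter(subject for rule, subject, _ in hits if rule == "ssh_failed_login")


def report(text: str) -> dict:
    """What an administrator would receive by mail: the hits and hosts over threshold."""
    hits = scan_log(text)
    sources = failed_login_sources(hits)
    return {
        "hits": [(rule, subject) for rule, subject, _ in hits],
        "alert_hosts": sorted(h for h, n in sources.items() if n >= FAILED_LOGIN_THRESHOLD),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_LOG)
    for rule, subject in summary["hits"]:
        print(f"{rule:18s} {subject}")
    print("hosts over threshold:", summary["alert_hosts"])
```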