This book is dedicated to OpenNA staff. Thanks, guys (no-gender)!!
Gerhard Mourani

Copyright © 2001 by Gerhard Mourani and Open Network Architecture, Inc.

This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (http://www.opencontent.org/openpub/). Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.

Please note that even if I, Gerhard Mourani, have the copyright, I don't control commercial printing of the book. Please contact OpenNA @ http://www.openna.com/ if you have questions concerning such matters.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that some grammatical mistakes could have occurred, but this won’t jeopardize the content or the issues raised herewith.

Title: Securing and Optimizing Linux: The Ultimate Solution
Page Count: 855
Version: 2.0
Last Revised: 2001-06-10
Publisher: Open Network Architecture, Inc.
Editor: Ted Nackad
Text Design & Drawings (Graphics): Bruno Mourani
Printing History: June 2000: First Publication
Author: Gerhard Mourani
Mail: gmourani@openna.com
Website: http://www.openna.com/

National Library Act, R.S., c. N-11, s.
Legal Deposit, 2001

Securing and Optimizing Linux: The Ultimate Solution / Open Network Architecture
Published by Open Network Architecture, Inc., 11090 Drouart, Montreal, H3M 2S3, Canada
Includes Index
ISBN 0-9688793-0-6

Latest version of this book
A new version of this book (version 3.0, titled “Securing & Optimizing Linux: The Hacking Solution”) is available on our website, but not as a free document. If you like this book and are interested in getting the latest version, go to http://www.openna.com/.

Overview

Part I    Installation Related Reference
  Chapter 1    Introduction
  Chapter 2    Installing a Linux Server

Part II   Security and Optimization Related Reference
  Chapter 3    General System Security
  Chapter 4    Linux Pluggable Authentication Modules
  Chapter 5    General System Optimization
  Chapter 6    Kernel Security & Optimization

Part III  Networking Related Reference
  Chapter 7    TCP/IP Network Management
  Chapter 8    Firewall IPTABLES Packet Filter
  Chapter 9    Firewall IPTABLES Masquerading & Forwarding

Part IV   Cryptography & Authentication Related Reference
  Chapter 10   GnuPG
  Chapter 11   OpenSSL
  Chapter 12   OpenSSH

Part V    Monitoring & System Integrity Related Reference
  Chapter 13   sXid
  Chapter 14   Logcheck
  Chapter 15   PortSentry
  Chapter 16   Tripwire
  Chapter 17   Xinetd

Part VI   Management & Limitation Related Reference
  Chapter 18   Quota

Part VII  Domain Name System Related Reference
  Chapter 19   ISC BIND/DNS

Part VIII Mail Transfer Agent Related Reference
  Chapter 20   Sendmail
  Chapter 21   qmail

Part IX   Internet Message Access Protocol Related Reference
  Chapter 22   UW IMAP

Part X    Database Server Related Reference
  Chapter 23   MySQL
  Chapter 24   PostgreSQL
  Chapter 25   OpenLDAP

Part XI   Gateway Server Related Reference
  Chapter 26   Squid
  Chapter 27   FreeS/WAN VPN

Part XII  Other Server Related Reference
  Chapter 28   Wu-ftpd
  Chapter 29   Apache
  Chapter 30   Samba

Part XIII Backup Related Reference
  Chapter 31   Backup & restore procedures

Part XIV  APPENDIXES
  APPENDIX A   Tweaks, Tips and Administration Tasks
  APPENDIX B   Contributor Users
  APPENDIX C   Obtaining Requests for Comments (RFCs)
  APPENDIX D   Port list

Contents

Organization of the Book  11
Steps of installation  12
Author note  13
Audience  14
These installation instructions assume  14
About products mentioned in this book  14
Obtaining the example configuration files  14
Problem with Securing & Optimizing Linux  15
Acknowledgments  15

Part I  Installation Related Reference  16

1  Installation - Introduction  17
  What is Linux?  18
  Some good reasons to use Linux  18
  Let's dispel some of the fear, uncertainty, and doubt about Linux  18
  Why choose Pristine source?  19
  Compiling software on your system  19
  Build & install software on your system  20
  Editing files with the vi editor tool  21
  Recommended software to include in each type of servers  22
  Some last comments  24

2  Installation - Installing a Linux Server  25
  Know your Hardware!  26
  Creating the Linux Boot Disk  26
  Beginning the installation of Linux  28
  Installation Class and Method (Install Options)  30
  Partition your system for Linux  31
  Disk Partition (Manual Partitioning)  34
  Selecting Package Groups  46
  How to use RPM Commands  49
  Starting and stopping daemon services  51
  Software that must be uninstalled after installation of the server  52
  Remove unnecessary documentation files  57
  Remove unnecessary/empty files and directories  57
  Software that must be installed after installation of the server  58
  Verifying installed programs on your Server  61
  Update of the latest software  63

Part II  Security and Optimization Related Reference  65

3  Security and Optimization - General System Security  66
  BIOS  67
  Unplug your server from the network  67
  Security as a policy  67
  Choose a right password  68
  The root account  69
  Set login time out for the root account  69
  The /etc/exports file  69
  The single-user login mode of Linux  70
  The LILO and /etc/lilo.conf file  70
  Disabling Ctrl-Alt-Delete keyboard shutdown command  72
  The /etc/services file  73
  The /etc/securetty file  73
  Special accounts  74
  Control mounting a file system  76
  Mounting the /boot directory of Linux as read-only  78
  Conceal binary RPM  79
  Shell logging  79
  Physical hard copies of all-important logs  80
  Tighten scripts under /etc/rc.d/init.d/  83
  The /etc/rc.local file  83
  Bits from root-owned programs  84
  Finding all files with the SUID/SGID bit enabled  85
  Don’t let internal machines tell the server what their MAC address is  86
  Unusual or hidden files  87
  Finding Group and World Writable files and directories  87
  Unowned files  88
  Finding rhosts files  88
  System is compromised!  89

4  Security and Optimization - Pluggable Authentication Modules  90
  The password length  91
  Disabling console program access  93
  Disabling all console access  94
  The Login access control table  94
  Tighten console permissions for privileged users  96
  Putting limits on resource  97
  Controlling access time to services  99
  Blocking; su to root, by one and sundry  100

5  Security and Optimization - General System Optimization  102
  Static vs shared libraries  103
  The Glibc 2.2 library of Linux  104
  Why Linux programs are distributed as source  105
  Some misunderstanding in the compiler flags options  105
  The gcc 2.96 specs file  106
  Tuning IDE Hard Disk Performance  112

6  Security and Optimization - Kernel Security & Optimization  116
  Making an emergency boot floppy  119
  Checking the /boot partition of Linux  119
  Tuning the Kernel  120
  Applying the Openwall kernel patch  123
  Cleaning up the Kernel  125
  Configuring the Kernel  126
  Compiling the Kernel  142
  Installing the Kernel  143
  Reconfiguring /etc/modules.conf file  146
  Delete programs, edit files pertaining to modules  147
  Remounting the /boot partition of Linux as read-only  148
  Rebooting your system to load the new kernel  148
  Making a new rescue floppy for Modularized Kernel  149
  Making an emergency boot floppy disk for Monolithic Kernel  149
  Optimizing Kernel  150

Part III  Networking Related Reference  163

7  Networking - TCP/IP Network Management  164
  TCP/IP security problem overview  166
  Installing more than one Ethernet Card per Machine  170
  Files-Networking Functionality  171
  Securing TCP/IP Networking  175
  Optimizing TCP/IP Networking  183
  Testing TCP/IP Networking  189
  The last checkup  193

8  Networking - Firewall IPTABLES Packet Filter  194
  What is a Network Firewall Security Policy?  196
  The Demilitarized Zone  197
  What is Packet Filtering?  198
  The topology  198
  Building a kernel with IPTABLES Firewall support  200
  Rules used in the firewall script files  200
  /etc/rc.d/init.d/iptables: The Web Server File  203
  /etc/rc.d/init.d/iptables: The Mail Server File  212
  /etc/rc.d/init.d/iptables: The Primary Domain Name Server File  220
  /etc/rc.d/init.d/iptables: The Secondary Domain Name Server File  228

9  Networking - Firewall Masquerading & Forwarding  236
  Recommended RPM packages to be installed for a Gateway Server  237
  Building a kernel with Firewall Masquerading & Forwarding support  239
  /etc/rc.d/init.d/iptables: The Gateway Server File  242
  Deny access to some address  254
  IPTABLES Administrative Tools  255

Part IV  Cryptography & Authentication Related Reference  257

10  Cryptography & Authentication - GnuPG  258
  Compiling - Optimizing & Installing GnuPG  260
  GnuPG Administrative Tools  262

11  Cryptography & Authentication - OPENSSL  267
  Compiling - Optimizing & Installing OpenSSL  270
  Configuring OpenSSL  272
  OpenSSL Administrative Tools  279
  Securing OpenSSL  283

12  Cryptography & Authentication - OpenSSH  286
  Compiling - Optimizing & Installing OpenSSH  288
  Configuring OpenSSH  290
  OpenSSH Per-User Configuration  298
  OpenSSH Users Tools  300

Part V  Monitoring & System Integrity Related Reference  303

13  Monitoring & System Integrity - sXid  304
  Compiling - Optimizing & Installing sXid  306
  Configuring sXid  307
  sXid Administrative Tools  309

14  Monitoring & System Integrity - Logcheck  310
  Compiling - Optimizing & Installing Logcheck  312
  Configuring Logcheck  317

15  Monitoring & System Integrity - PortSentry  319
  Compiling - Optimizing & Installing PortSentry  321
  Configuring PortSentry  324

16  Monitoring & System Integrity - Tripwire  334
  Compiling - Optimizing & Installing Tripwire  336
  Configuring Tripwire  339
  Securing Tripwire  342
  Tripwire Administrative Tools  342

17  Monitoring & System Integrity - Xinetd  345
  Compiling - Optimizing & Installing Xinetd  347
  Configuring Xinetd  349
  Securing Xinetd  361

Part VI  Management & Limitation Related Reference  363

18  Management & Limitation - Quota  364
  Build a kernel with Quota support enabled  365
  Modifying the /etc/fstab file  365
  Creating the quota.user and quota.group files  367
  Assigning Quota for Users and Groups  367
  Quota Administrative Tools  370

Part VII  Domain Name System Related Reference  371

19  Domain Name System - ISC BIND/DNS  372
  Recommended RPM packages to be installed for a DNS Server  374
  Compiling - Optimizing & Installing ISC BIND & DNS  378
  Configuring ISC BIND & DNS  381
  Caching-Only Name Server  382
  Primary Master Name Server  385
  Secondary Slave Name Server  390
  Running ISC BIND & DNS in a chroot jail  396
  Securing ISC BIND & DNS  400
  Optimizing ISC BIND & DNS  415
  ISC BIND & DNS Administrative Tools  418
  ISC BIND & DNS Users Tools  419

Part VIII  Mail Transfer Agent Related Reference  423

20  Mail Transfer Agent - Sendmail  424
  Recommended RPM packages to be installed for a Mail Server  426
  Compiling - Optimizing & Installing Sendmail  431
  Configuring Sendmail  436
  Running Sendmail with SSL support  452
  Securing Sendmail  460
  Sendmail Administrative Tools  465
  Sendmail Users Tools  466

21  Mail Transfer Agent - qmail  468
  Recommended RPM packages to be installed for a Mail Server  470
  Verifying & installing all the prerequisites to run qmail  472
  Compiling, Optimizing & Installing ucspi-tcp  473
  Compiling, Optimizing & Installing checkpassword  474
  Compiling, Optimizing & Installing qmail  476
  Configuring qmail  483
  Running qmail as a standalone null client  492
  Running qmail with SSL support  493
  Securing qmail  493
  qmail Administrative Tools  497
  qmail Users Tools  498

Part IX  Internet Message Access Protocol Related Reference  500

22  Internet Message Access Protocol - UW IMAP  501
  Compiling - Optimizing & Installing UW IMAP  505
  Configuring UW IMAP  509
  Enable IMAP or POP services via Xinetd  509
  Securing UW IMAP  512
  Running UW IMAP with SSL support  514

Part X  Database Server Related Reference  521

23  Database Server - MySQL  522
  Recommended RPM packages to be installed for a SQL Server  525
  Compiling - Optimizing & Installing MySQL  529
  Configuring MySQL  532
  Securing MySQL  536
  Optimizing MySQL  537
  MySQL Administrative Tools  542

24  Database Server - PostgreSQL  550
  Recommended RPM packages to be installed for a SQL Server  551
  Compiling - Optimizing & Installing PostgreSQL  555
  Configuring PostgreSQL  557
  Running PostgreSQL with SSL support  563
  Securing PostgreSQL  566
  Optimizing PostgreSQL  570
  PostgreSQL Administrative Tools  572

25  Database Server - OpenLDAP  577
  Recommended RPM packages to be installed for a LDAP Server  579
  Compiling - Optimizing & Installing OpenLDAP  584
  Configuring OpenLDAP  587
  Running OpenLDAP in a chroot jail  593
  Running OpenLDAP with TLS/SSL support  600
  Securing OpenLDAP  605
  Optimizing OpenLDAP  606
  OpenLDAP Administrative Tools  608
  OpenLDAP Users Tools  613

Part XI  Gateway Server Related Reference  616

26  Gateway Server - Squid Proxy Server  617
  Recommended RPM packages to be installed for a Proxy Server  619
  Compiling - Optimizing & Installing Squid  622
  Using GNU malloc library to improve cache performance of Squid  624
  Configuring Squid  627
  Securing Squid  640
  Optimizing Squid  641
  The cachemgr.cgi program utility of Squid  641

27  Gateway Server - FreeS/WAN VPN Server  644
  Recommended RPM packages to be installed for a VPN Server  646
  Compiling - Optimizing & Installing FreeS/WAN  650
  Configuring RSA private keys secrets  660
  Requiring network setup for IPSec  665
  Testing the FreeS/WAN installation  668

Part XII  Other Server Related Reference  673

28  Other Server - Wu-ftpd FTP Server  674
  Recommended RPM packages to be installed for a FTP Server  676
  Compiling - Optimizing & Installing Wu-ftpd  680
  Running Wu-ftpd in a chroot jail  683
  Configuring Wu-ftpd  687
  Securing Wu-ftpd  695
  Setup an Anonymous FTP server  697
  Wu-ftpd Administrative Tools  702

29  Other Server - Apache Web Server  704
  Compiling - Optimizing & Installing MM  706
  Some statistics about Apache and Linux  710
  Recommended RPM packages to be installed for a Web Server  712
  Compiling - Optimizing & Installing Apache  719
  Configuring Apache  726
  Enable PHP4 server-side scripting language with the Web Server  734
  Securing Apache  735
  Optimizing Apache  739
  Running Apache in a chroot jail  742

30  Other Server - Samba File Sharing Server  755
  Recommended RPM packages to be installed for a Samba Server  757
  Compiling - Optimizing & Installing Samba  762
  Configuring Samba  765
  Running Samba with SSL support  775
  Securing Samba  780
  Optimizing Samba  782
  Samba Administrative Tools  784
  Samba Users Tools  785

Part XIII  Backup Related Reference  787

31  Backup - Tar & Dump  788
  Recommended RPM packages to be installed for a Backup Server  789
  The tar backup program  792
  Making backups with tar  793
  Automating tasks of backups made with tar  795
  Restoring files with tar  797
  The dump backup program  798
  Making backups with dump  800
  Restoring files with dump  802
  Backing up and restoring over the network  804

Part XIV  APPENDIXES  809
  APPENDIX A  810
  APPENDIX B  815
  APPENDIX C  817
  APPENDIX D  825

... documentation. Commercial Linux distributions such as Red Hat Linux, Caldera, SuSE, Mandrake, Turbo Linux and OpenLinux offer initial support for registered users, and small business and corporate accounts ...

... answers fundamental questions about network devices, network configuration files, and network security as well as essential networking commands. The second and third chapters provide information ...

... author at this email address: gmourani@openna.com

Preface

Problem with Securing & Optimizing Linux

When you encounter a problem in "Securing & Optimizing Linux" we want to hear about it. Your ...