Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing
1
Securing and Optimizing Linux:
RedHat Edition
A hands on guide for Linux professionals.
Title: Securing and Optimizing Linux:
RedHat Edition
ISBN: 0-9700330-0-1
Author: Gerhard Mourani
Mail: gmourani@openna.com
Page Count: 486
Version: 1.3
Last Revised: June 07, 2000
Overview
Introduction
Part I Installation-Related Reference
Chapter 1 Introduction to Linux
Chapter 2 Installation of your Linux Server
Part II Security and Optimization-Related Reference
Chapter 3 General System Security
Chapter 4 General System Optimization
Chapter 5 Configuring and Building a secure, optimized Kernel
Part III Networking-Related Reference
Chapter 6 TCP/IP Network Management
Chapter 7 Networking Firewall
Chapter 8 Networking Firewall with Masquerading and Forwarding support
Part IV Software-Related Reference
Chapter 9 Compiler Functionality
Chapter 10 Securities Software (Monitoring Tools)
Chapter 11 Securities Software (Network Services)
Chapter 12 Securities Software (System Integrity)
Chapter 13 Securities Software (Management & Limitation)
Chapter 14 Server Software (BIND/DNS Network Services)
Chapter 15 Server Software (Mail Network Services)
Chapter 16 Server Software (Encrypting Network Services)
Chapter 17 Server Software (Database Network Services)
Chapter 18 Server Software (Proxy Network Services)
Chapter 19 Server Software (Web Network Services)
Chapter 20 Optional component to install with Apache
Chapter 21 Server Software (File Sharing Network Services)
Part V Backup-Related Reference
Chapter 22 Backup and restore procedures
Part VI Appendixes
Appendix A Tweaks, Tips and Administration Tasks
Appendix B Obtaining Requests for Comments (RFCs)
Contents
Introduction 8
Audience 8
These installation instructions assume 8
About products mentioned in this book 8
Obtaining the book and example configuration files 8
A note about the copyright 9
Acknowledgments 10
GPG Public Key for Gerhard Mourani 10
Part I Installation-Related Reference 11
Chapter 1 Introduction to Linux 12
What is Linux? 13
Some good reasons to use Linux 13
Let's dispel some of the fear, uncertainty, and doubt about Linux 13
Chapter 2 Installation of your Linux Server 15
Linux Installation 16
Know your Hardware! 16
Creating the Boot Disk and Booting 17
Installation Class and Method (Install Type) 17
Disk Setup (Disk Druid) 18
Components to Install (Package Group Selection) 22
Individual Package Selection 23
Descriptions of program packages we must uninstall for security reasons 24
How to use RPM Commands 28
Starting and stopping daemon services 29
Software that must be uninstalled after installation of the Server 29
Descriptions of programs that must be uninstalled after installation of the server 31
Software that must be installed after installation of the Server 32
Installed programs on your Server 35
Put some colors on your terminal 38
Update of the latest software 39
Part II Security and optimization-Related Reference 40
Chapter 3 General System Security 41
Linux General Security 42
Chapter 4 General System Optimization 69
Linux General Optimization 70
Chapter 5 Configuring and Building a secure, optimized Kernel 85
Linux Kernel 86
Making an emergency boot floppy 87
Securing the kernel 89
Kernel configuration 91
Installing the new kernel 96
Delete programs, files and lines related to modules 99
Making a new rescue floppy 100
Making an emergency boot floppy disk 100
Update your “/dev” entries 101
Part III Networking-Related Reference 103
Chapter 6 TCP/IP Network Management 104
Linux TCP/IP Network Management 105
Install more than one Ethernet Card per Machine 105
Files related to networking functionality 106
Configuring TCP/IP Networking manually with the command line 109
Chapter 7 Networking Firewall 114
Linux IPCHAINS 115
Build a kernel with IPCHAINS Firewall support 118
Some explanation of rules used in the firewall script files 118
The firewall scripts files 120
Configuration of the “/etc/rc.d/init.d/firewall” script file for the Web Server 120
Configuration of the “/etc/rc.d/init.d/firewall” script file for the Mail Server 130
Chapter 8 Networking Firewall with Masquerading and Forwarding support 139
Linux Masquerading and Forwarding 140
Build a kernel with Firewall Masquerading and Forwarding support 140
Configuration of the “/etc/rc.d/init.d/firewall” script file for the Gateway Server 142
Deny access to some address 155
IPCHAINS Administrative Tools 155
Part IV Software-Related Reference 157
Chapter 9 Compiler Functionality 158
Linux Compiler functionality 159
The necessary packages 159
Why would we choose to use tarballs? 160
Compiling software on your system 160
Build and Install software on your system 161
Editing files with the vi editor tool 162
Some last comments 163
Chapter 10 Securities Software (Monitoring Tools) 164
Linux sXid 165
Configurations 166
sXid Administrative Tools 167
Linux Logcheck 169
Configurations 171
Linux PortSentry 173
Configurations 175
Start up PortSentry 179
Chapter 11 Securities Software (Network Services) 181
Linux OpenSSH Client/Server 182
Configurations 184
Configure OpenSSH to use TCP-Wrappers inetd super server 188
OpenSSH Per-User Configuration 189
OpenSSH Users Tools 190
Linux SSH2 Client/Server 193
Configurations 194
Configure sshd2 to use tcp-wrappers inetd super server 199
Ssh2 Per-User Configuration 200
SSH2 Users Tools 201
Chapter 12 Securities Software (System Integrity) 203
Linux Tripwire 2.2.1 204
Configurations 207
Securing Tripwire for Linux 212
Commands 213
Linux Tripwire ASR 1.3.1 216
Configurations 218
Securing Tripwire 220
Commands 220
Chapter 13 Securities Software (Management & Limitation) 223
Linux GnuPG 224
Commands 225
Set Quota on your Linux system 230
Build a kernel with Quota support 230
Modify the “/etc/fstab” file 230
Creation of the "quota.user" and "quota.group" files 231
Assigning Quota for Users and Groups 232
Commands 234
Chapter 14 Server Software (BIND/DNS Network Services) 236
Linux DNS and BIND Server 237
Configurations 239
Caching-only name Server 240
Primary master name Server 242
Secondary slave name Server 245
Securing ISC BIND/DNS 247
DNS Administrative Tools 253
DNS Users Tools 254
Chapter 15 Server Software (Mail Network Services) 258
Linux Sendmail Server 259
Configurations 263
Securing Sendmail 274
Sendmail Administrative Tools 278
Sendmail Users Tools 279
Linux IMAP & POP Server 281
Configurations 284
Enable IMAP or POP via the tcp-wrappers inetd super server 285
Securing IMAP/POP 285
Chapter 16 Server Software (Encrypting Network Services) 288
Linux OPENSSL Server 289
Configurations 293
Commands 298
Securing OpenSSL 301
Linux FreeS/WAN VPN 304
Configure RSA private keys secrets 313
Requiring network setup for IPSec 318
Testing the installation 321
Chapter 17 Server Software (Database Network Services) 326
Linux OpenLDAP Server 327
Configurations 330
Securing OpenLDAP 333
OpenLDAP Creation and Maintenance Tools 334
OpenLDAP Users Tools 336
The Netscape Address Book client for LDAP 337
Linux PostgreSQL Database Server 340
Create the database installation from your Postgres superuser account 343
Configurations 344
Commands 346
Chapter 18 Server Software (Proxy Network Services) 350
Linux Squid Proxy Server 351
Using GNU malloc library to improve cache performance of Squid 353
Configurations 355
Securing Squid 363
Optimizing Squid 363
The cachemgr.cgi program utility of Squid 364
The Netscape Proxies Configuration for Squid 366
Chapter 19 Server Software (Web Network Services) 369
Linux MM – Shared Memory Library for Apache 370
Linux Apache Web Server 372
Configurations 378
PHP4 server-side scripting language 385
Perl module Devel::Symdump 387
CGI.pm Perl library 389
Securing Apache 390
Running Apache in a chroot jail 392
Optimizing Apache 399
Chapter 20 Optional component to install with Apache 406
Linux Webalizer 407
Configurations 408
Inform Apache about the output directory of Webalizer 410
Running Webalizer manually for the first time 410
Running Webalizer automatically with a cron job 411
Linux FAQ-O-Matic 413
Inform Apache about the location of Faq-O-Matic files 414
Configure your FAQ-O-Matic software 415
Linux Webmail IMP 419
Setting up PHPLib, which is required by the Horde program of Webmail IMP 420
Configure and create Webmail IMP SQL database 421
Configure your “php.ini” configuration file of PHP4 423
Configure Apache to recognize Webmail IMP 424
Configure Webmail IMP via your web browser 424
Chapter 21 Server Software (File Sharing Network Services) 427
Linux Samba Server 428
Configurations 431
Create an encrypted Samba password file for your clients 436
Securing Samba 439
Optimizing Samba 439
Samba Administrative Tools 441
Samba Users Tools 442
Linux FTP Server 444
Set up an FTP user account for each user without shells 446
Set up a chroot user environment 447
Configurations 450
Configure ftpd to use tcp-wrappers inetd super server 455
FTP Administrative Tools 455
Securing FTP 456
Part V Backup-Related reference 459
Chapter 22 Backup and restore procedures 460
Linux Backup and Restore 461
The tar backup program 461
Making backups with tar 462
Automating tasks of backups made with tar 463
Restoring files with tar 465
The dump backup program 466
Making backups with dump 468
Restoring files with dump 470
Backing up and restoring over the network 472
Part VI Appendixes 474
Appendix A 475
Tweaks, Tips and Administration tasks 476
Appendix B 479
Obtaining Requests for Comments (RFCs) 480
INTRODUCTION
Introduction
When I began writing this book, the first question I asked myself was how to install Linux on a server and be sure that no one from the outside, or inside, could access it without authorization. Then I wondered whether any method similar to the ones on Windows exists to improve the computer's performance. Subsequently, I began a search on the Internet and read several books to get the most information on security and performance for my server. After many years of research and study I had finally found the answer to my questions. Those answers were found throughout different documents, books, articles, and Internet sites. I created documentation based on my research that could help me through my daily activities. Through the years, my documentation grew and started to look more like a book and less like simple, scattered notes. I decided to publish it on the Internet so that anyone could take advantage of it.
By sharing this information, I felt that I did my part for the community that answered so many of my computing needs with one magical, reliable, strong, powerful, fast and free operating system named Linux. I received a lot of feedback and comments about my documentation, which helped to improve it over time. I also found that a lot of people wanted to see it published for its contents, to get the advantages out of it and see the power of this beautiful Linux system in action.
A lot of time and effort went into the making of this book, and into ensuring that the results were as accurate as possible. If you find any abnormalities, inconsistent results, errors, omissions or anything else that doesn't look right, please let me know so that I can investigate the problem or correct the error. Suggestions for future versions are also welcome and appreciated.
Audience
This book is intended for a technical audience and system administrators who manage Linux servers, but it also includes material for home users and others. It discusses how to install and set up a Red Hat Linux server with all the necessary security and optimization for a high-performance, Linux-specific machine. Since we speak of optimization and security configuration, we will use source distributions (tar.gz), the most widely available form of critical server software like Apache, BIND/DNS, Samba, Squid, OpenSSL etc. Source packages give us fast upgrades, security updates when necessary, and better compilation, customization, and optimization for our specific machines, which we often can't have with RPM packages.
These installation instructions assume
You have a CD-ROM drive on your computer and the Official Red Hat Linux CD-ROM.
Installations were tested on the Official Red Hat Linux version 6.1 and 6.2.
You should understand the hardware system on which the operating system will be installed. After examining the hardware, the rest of this document guides you, step by step, through the installation process.
About products mentioned in this book
Many products will be mentioned in this book; some are commercial, but most are not, cost nothing and can be freely used or distributed. It is also important to say that I'm not affiliated with any of them, and if I mention a tool, it's because it is useful. You will find that a lot of big companies use most of them in their daily work.
Obtaining the book and example configuration files
Securing and Optimizing Linux: RedHat Edition is now also available for download from the most popular Linux web sites. Free formatted versions of this book can be found on the Internet at the addresses listed below.
From the original web site (Open Network Architecture): http://www.openna.com
The Linux Documentation Project homepage: http://www.linuxdoc.org/guides.html
O'Reilly Network: http://oreilly.linux.com/pub/d/25
TuneLinux.COM: http://tunelinux.com/bin/page?general/optimization/
Other related web sites may exist without my knowledge. If you host this book (Securing and Optimizing Linux: RedHat Edition) and want to be included in the list in the next release, please send me a message with your intentions.
If you receive this as part of a printed distribution or on a CD-ROM, please check the Linux Documentation home page http://www.linuxdoc.org/ or the original web site at http://www.openna.com/ to see if there is a more recent version. This could potentially save you a lot of trouble. If you want to translate this book, please notify me so I can keep track of what languages I have been published in.
The example configuration files in this book are available electronically via http from this URL:
http://www.openna.com/books/floppy.tgz
In either case, extract the files from the archive by typing:
[root@deep tmp]# tar xzpf floppy.tgz
If you cannot get the examples directly over the Internet, please contact the author at these email addresses:
gmourani@openna.com
gmourani@netscape.net
A note about the copyright
It’s important to note that the copyright of this book has been changed from the Open Content to
the Open Publication License.
Copyright 2000 by Gerhard Mourani and OpenDocs, LLC. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).
Distribution of substantively modified versions of this document is prohibited without the explicit
permission of the copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for
commercial purposes is prohibited unless prior permission is obtained from the copyright holder.
Please note that even if I, Gerhard Mourani, have the copyright, I don't control commercial printing of the book. Please contact OpenDocs at http://www.opendocspublishing.com/ if you have questions concerning such matters.
Acknowledgments
I would like to thank Michel Méral, who has drawn all the beautiful animal drawings in my book, Robert L. Ziegler for allowing me to include his firewall software, and all Linux users around the world for their comments and suggestions.
GPG Public Key for Gerhard Mourani