Changeset 0afcfa88
- Timestamp:
- 05/30/2005 09:58:46 PM (19 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- fb3dd289
- Parents:
- 99b1c520
- Location:
- postlfs/security
- Files:
- 4 edited
postlfs/security/cracklib.xml
r99b1c520 r0afcfa88 33 33 <title>Introduction to Cracklib</title> 34 34 35 <para>The <application>cracklib</application> package contains a 36 library used to enforce strong passwords by comparing user selected 35 <para>The <application>cracklib</application> package contains a 36 library used to enforce strong passwords by comparing user selected 37 37 passwords to words in a chosen wordlist.</para> 38 38 … … 74 74 </itemizedlist> 75 75 76 <para>You will also need to download a wordlist for use with 77 <application>cracklib</application>. There are two wordlists 78 to choose from at the following location. Use the 79 <filename>cracklib</filename> word list for good security, or 80 opt for the <filename>allwords</filename> word list for 81 lightweight machines short on RAM. You can of course choose 76 <para>You will also need to download a wordlist for use with 77 <application>cracklib</application>. There are two wordlists 78 to choose from at the following location. Use the 79 <filename>cracklib</filename> word list for good security, or 80 opt for the <filename>allwords</filename> word list for 81 lightweight machines short on RAM. 
You can of course choose 82 82 any other word list that you have at your disposal.</para> 83 83 84 84 <itemizedlist spacing='compact'> 85 85 <listitem> 86 <para>cracklib (&crackdict-size;) at <ulink 86 <para>cracklib (&crackdict-size;) at <ulink 87 87 url="http://www.cotse.com/tools/wordlists.htm"/></para> 88 88 </listitem> 89 89 <listitem> 90 <para>allwords (&alldict-size;) at <ulink 90 <para>allwords (&alldict-size;) at <ulink 91 91 url="http://www.cotse.com/tools/wordlists.htm"/></para> 92 92 </listitem> … … 99 99 100 100 <para>First, as the <systemitem class="username">root</systemitem> 101 user, install the chosen word list for 101 user, install the chosen word list for 102 102 <application>cracklib</application>:</para> 103 103 … … 108 108 109 109 <para>The wordlist is linked to <filename>/usr/share/dict/words</filename> 110 as historically, <filename>words</filename> is the primary wordlist in the 111 <filename class="directory">/usr/share/dict</filename> directory. 112 Additionally, the value of <command>hostname</command> is echoed to a file 113 called <filename>extra.words</filename>. This extra file is intended to be 114 a site specific list which includes easy to guess passwords such as company 115 or department names, user's names, product names, computer names, domain 110 as historically, <filename>words</filename> is the primary wordlist in the 111 <filename class="directory">/usr/share/dict</filename> directory. 112 Additionally, the value of <command>hostname</command> is echoed to a file 113 called <filename>extra.words</filename>. This extra file is intended to be 114 a site specific list which includes easy to guess passwords such as company 115 or department names, user's names, product names, computer names, domain 116 116 names, etc.</para> 117 117 … … 138 138 <title>Command Explanations</title> 139 139 140 <para><command>rm -v /lib/libcrack.so; ln -v -sf ... 
141 /usr/lib/libcrack.so</command>: These two commands move the 140 <para><command>rm -v /lib/libcrack.so; ln -v -sf ... 141 /usr/lib/libcrack.so</command>: These two commands move the 142 142 <filename class='symlink'>libcrack.so</filename> 143 symlink from <filename class='directory'>/lib</filename> to 143 symlink from <filename class='directory'>/lib</filename> to 144 144 <filename class='directory'>/usr/lib</filename>.</para> 145 145 … … 169 169 <term><filename class='libraryfile'>libcrack.so</filename></term> 170 170 <listitem> 171 <para>provide a fast dictionary lookup method for strong 171 <para>provide a fast dictionary lookup method for strong 172 172 password enforcement.</para> 173 173 <indexterm zone="cracklib libcrack"> -
postlfs/security/cyrus-sasl.xml
r99b1c520 r0afcfa88 30 30 <title>Introduction to Cyrus SASL</title> 31 31 32 <para>The <application>Cyrus SASL</application> package contains a Simple 33 Authentication and Security Layer, a method for adding authentication 34 support to connection-based protocols. To use SASL, a protocol includes a 35 command for identifying and authenticating a user to a server and for 36 optionally negotiating protection of subsequent protocol interactions. If 37 its use is negotiated, a security layer is inserted between the protocol 32 <para>The <application>Cyrus SASL</application> package contains a Simple 33 Authentication and Security Layer, a method for adding authentication 34 support to connection-based protocols. To use SASL, a protocol includes a 35 command for identifying and authenticating a user to a server and for 36 optionally negotiating protection of subsequent protocol interactions. If 37 its use is negotiated, a security layer is inserted between the protocol 38 38 and the connection.</para> 39 39 … … 66 66 67 67 <bridgehead renderas="sect4">Optional</bridgehead> 68 <para><xref linkend="Linux_PAM"/>, 69 <xref linkend="openldap"/>, 70 <xref linkend="heimdal"/> or <xref linkend="mitkrb"/>, 71 <xref linkend="jdk"/>, 72 <xref linkend="mysql"/>, 73 <xref linkend="postgresql"/>, 74 <xref linkend="db"/>, 75 <xref linkend="gdbm"/>, 76 <xref linkend="courier"/>, 77 <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>, 78 <ulink url="http://sqlite.org/">SQLite</ulink> and 68 <para><xref linkend="Linux_PAM"/>, 69 <xref linkend="openldap"/>, 70 <xref linkend="heimdal"/> or <xref linkend="mitkrb"/>, 71 <xref linkend="jdk"/>, 72 <xref linkend="mysql"/>, 73 <xref linkend="postgresql"/>, 74 <xref linkend="db"/>, 75 <xref linkend="gdbm"/>, 76 <xref linkend="courier"/>, 77 <ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>, 78 <ulink url="http://sqlite.org/">SQLite</ulink> and 79 79 <ulink url="http://dmalloc.com/">Dmalloc</ulink></para> 80 80 … … 84 84 
<title>Installation of Cyrus SASL</title> 85 85 86 <para>Install <application>Cyrus SASL</application> by 86 <para>Install <application>Cyrus SASL</application> by 87 87 running the following commands:</para> 88 88 … … 107 107 <title>Command Explanations</title> 108 108 109 <para><parameter>--with-dbpath=/var/lib/sasl/sasldb2</parameter>: This 109 <para><parameter>--with-dbpath=/var/lib/sasl/sasldb2</parameter>: This 110 110 parameter forces the <command>saslauthd</command> database to be created 111 in <filename class='directory'>/var/lib/sasl</filename> instead of 111 in <filename class='directory'>/var/lib/sasl</filename> instead of 112 112 <filename class='directory'>/etc</filename>.</para> 113 113 114 <para><parameter>--with-saslauthd=/var/run</parameter>: This parameter 115 forces <command>saslauthd</command> to use the FHS compliant 116 directory <filename class='directory'>/var/run</filename> for variable 114 <para><parameter>--with-saslauthd=/var/run</parameter>: This parameter 115 forces <command>saslauthd</command> to use the FHS compliant 116 directory <filename class='directory'>/var/run</filename> for variable 117 117 run-time data.</para> 118 118 … … 120 120 with <application>OpenLDAP</application>.</para> 121 121 122 <para><command>install -v -m644 ...</command>: These commands 123 install documentation which is not installed by the 122 <para><command>install -v -m644 ...</command>: These commands 123 install documentation which is not installed by the 124 124 <command>make install</command> command.</para> 125 125 126 <para><command>install -v -d -m700 /var/lib/sasl</command>: This directory 127 must exist when starting <command>saslauthd</command>. If you're not going 126 <para><command>install -v -d -m700 /var/lib/sasl</command>: This directory 127 must exist when starting <command>saslauthd</command>. 
If you're not going 128 128 to be running the daemon, you may omit the creation of this directory.</para> 129 129 … … 136 136 <title>Config Files</title> 137 137 138 <para><filename>/etc/saslauthd.conf</filename> (for LDAP configuration) 139 and <filename>/usr/lib/sasl2/Appname.conf</filename> (where "Appname" 138 <para><filename>/etc/saslauthd.conf</filename> (for LDAP configuration) 139 and <filename>/usr/lib/sasl2/Appname.conf</filename> (where "Appname" 140 140 is the application defined name of the application)</para> 141 141 … … 149 149 <title>Configuration Information</title> 150 150 151 <para>See <ulink 151 <para>See <ulink 152 152 url="file:///usr/share/doc/cyrus-sasl-&cyrus-sasl-version;/sysadmin.html"/> 153 for information on what to include in the application configuration files. 154 See <ulink 153 for information on what to include in the application configuration files. 154 See <ulink 155 155 url="file:///usr/share/doc/cyrus-sasl-&cyrus-sasl-version;/LDAP_SASLAUTHD"/> 156 156 for configuring <command>saslauthd</command> with LDAP.</para> … … 161 161 <title>Init Script</title> 162 162 163 <para>If you need to run the <command>saslauthd</command> daemon at system 163 <para>If you need to run the <command>saslauthd</command> daemon at system 164 164 startup, install the <filename>/etc/rc.d/init.d/cyrus-sasl</filename> 165 165 init script included in the <xref linkend="intro-important-bootscripts"/> … … 173 173 174 174 <note> 175 <para>You'll need to modify the init script and replace the 176 <option><replaceable>[authmech]</replaceable></option> parameter 177 to the <option>-a</option> switch with your desired authentication 175 <para>You'll need to modify the init script and replace the 176 <option><replaceable>[authmech]</replaceable></option> parameter 177 to the <option>-a</option> switch with your desired authentication 178 178 mechanism.</para> 179 179 </note> … … 193 193 <seglistitem> 194 194 <seg>saslauthd, sasldblistusers2, and saslpasswd2</seg> 
195 <seg>libjavasasl.so, libsasl2.so, and SASL plugins/Java 195 <seg>libjavasasl.so, libsasl2.so, and SASL plugins/Java 196 196 classes</seg> 197 <seg>/usr/include/sasl, /usr/lib/java, /usr/lib/sasl2, 197 <seg>/usr/include/sasl, /usr/lib/java, /usr/lib/sasl2, 198 198 /usr/share/doc/cyrus-sasl-&cyrus-sasl-version;, and /var/lib/sasl</seg> 199 199 </seglistitem> … … 228 228 <term><command>saslpasswd2</command></term> 229 229 <listitem> 230 <para>is used to set and delete a user's SASL password and 230 <para>is used to set and delete a user's SASL password and 231 231 mechanism specific secrets in the SASL password database.</para> 232 232 <indexterm zone="cyrus-sasl saslpasswd2"> … … 239 239 <term><filename class='libraryfile'>libsasl2.so</filename></term> 240 240 <listitem> 241 <para>is a general purpose authentication library for server and 241 <para>is a general purpose authentication library for server and 242 242 client applications.</para> 243 243 <indexterm zone="cyrus-sasl libsasl2"> -
postlfs/security/firewalling.xml
r99b1c520 r0afcfa88 16 16 <title>Setting Up a Network Firewall</title> 17 17 18 <para>Before you read this part of the chapter, you should have 18 <para>Before you read this part of the chapter, you should have 19 19 already installed iptables as described in the previous section.</para> 20 20 … … 22 22 <title>Introduction to Firewall Creation</title> 23 23 24 <para>The general purpose of a firewall is to protect a computer or 24 <para>The general purpose of a firewall is to protect a computer or 25 25 a network against malicious access.</para> 26 26 27 <para>In a perfect world, every daemon or service on every machine 28 is perfectly configured and immune to flaws such as buffer overflows 29 or other problems regarding its security. Furthermore, you trust 30 every user accessing your services. In this world, you do not need 27 <para>In a perfect world, every daemon or service on every machine 28 is perfectly configured and immune to flaws such as buffer overflows 29 or other problems regarding its security. Furthermore, you trust 30 every user accessing your services. In this world, you do not need 31 31 to have a firewall.</para> 32 32 33 <para>In the real world however, daemons may be misconfigured and 34 exploits against essential services are freely available. You may 35 wish to choose which services are accessible by certain machines or 36 you may wish to limit which machines or applications are allowed 37 external access. Alternatively, you may simply not trust some of 38 your applications or users. You are probably connected to the 33 <para>In the real world however, daemons may be misconfigured and 34 exploits against essential services are freely available. You may 35 wish to choose which services are accessible by certain machines or 36 you may wish to limit which machines or applications are allowed 37 external access. Alternatively, you may simply not trust some of 38 your applications or users. You are probably connected to the 39 39 Internet. 
In this world, a firewall is essential.</para> 40 40 41 <para>Don't assume however, that having a firewall makes careful 42 configuration redundant, or that it makes any negligent 43 misconfiguration harmless. It doesn't prevent anyone from exploiting 44 a service you intentionally offer but haven't recently updated or 45 patched after an exploit went public. Despite having a firewall, you 46 need to keep applications and daemons on your system properly 47 configured and up to date. A firewall is not a cure all, but should 41 <para>Don't assume however, that having a firewall makes careful 42 configuration redundant, or that it makes any negligent 43 misconfiguration harmless. It doesn't prevent anyone from exploiting 44 a service you intentionally offer but haven't recently updated or 45 patched after an exploit went public. Despite having a firewall, you 46 need to keep applications and daemons on your system properly 47 configured and up to date. A firewall is not a cure all, but should 48 48 be an essential part of your overall security startegy.</para> 49 49 … … 58 58 <title><xref linkend="fw-persFw"/></title> 59 59 60 <para>This is a hardware device or software program commercially 61 sold by companies such as Symantec which claims that it secures 62 a home or desktop computer with Internet access. This type of 63 firewall is highly relevant for users who do not know how their 64 computers might be accessed via the Internet or how to disable 65 that access, especially if they are always online and connected 60 <para>This is a hardware device or software program commercially 61 sold by companies such as Symantec which claims that it secures 62 a home or desktop computer with Internet access. 
This type of 63 firewall is highly relevant for users who do not know how their 64 computers might be accessed via the Internet or how to disable 65 that access, especially if they are always online and connected 66 66 via broadband links.</para> 67 67 … … 72 72 73 73 <para>This is a system placed between the Internet and an intranet. 74 To minimize the risk of compromising the firewall itself, it should 74 To minimize the risk of compromising the firewall itself, it should 75 75 generally have only one role—that of protecting the intranet. 76 76 Although not completely risk free, the tasks of doing the routing and 77 IP masquerading (rewriting IP headers of the packets it routes from 78 clients with private IP addresses onto the Internet so that they seem 79 to come from the firewall itself) are commonly considered relatively 77 IP masquerading (rewriting IP headers of the packets it routes from 78 clients with private IP addresses onto the Internet so that they seem 79 to come from the firewall itself) are commonly considered relatively 80 80 secure.</para> 81 81 … … 85 85 <title><xref linkend="fw-busybox"/></title> 86 86 87 <para>This is often an old computer you may have retired and nearly 88 forgotten, performing masquerading or routing functions, but offering 89 non-firewall services such as a web-cache or mail. This may be used 90 for home networks, but is not be considered as secure as a firewall 91 only machine because the combination of server and router/firewall on 87 <para>This is often an old computer you may have retired and nearly 88 forgotten, performing masquerading or routing functions, but offering 89 non-firewall services such as a web-cache or mail. 
This may be used 90 for home networks, but is not be considered as secure as a firewall 91 only machine because the combination of server and router/firewall on 92 92 one machine raises the complexity of the setup.</para> 93 93 … … 95 95 96 96 <sect3> 97 <title>Firewall with a Demilitarized Zone [Not Further 97 <title>Firewall with a Demilitarized Zone [Not Further 98 98 Described Here]</title> 99 99 100 <para>This box performs masquerading or routing, but grants public 101 access to some branch of your network which, because of public IP's 102 and a physically separated structure, is essentially a separate 103 network with direct Internet access. The servers on this network are 104 those which must be easily accessible from both the Internet and 105 intranet. The firewall protects both networks. This type of firewall 100 <para>This box performs masquerading or routing, but grants public 101 access to some branch of your network which, because of public IP's 102 and a physically separated structure, is essentially a separate 103 network with direct Internet access. The servers on this network are 104 those which must be easily accessible from both the Internet and 105 intranet. The firewall protects both networks. This type of firewall 106 106 has a minimum of three network interfaces.</para> 107 107 … … 111 111 <title>Packetfilter</title> 112 112 113 <para>This type of firewall does routing or masquerading, but does 114 not maintain a state table of ongoing communication streams. It is 115 fast, but quite limited in its ability to block inappropriate packets 113 <para>This type of firewall does routing or masquerading, but does 114 not maintain a state table of ongoing communication streams. It is 115 fast, but quite limited in its ability to block inappropriate packets 116 116 without blocking desired packets.</para> 117 117 … … 124 124 125 125 <caution> 126 <para>This introduction on how to setup a firewall is not a 127 complete guide to securing systems. 
Firewalling is a complex 128 issue that requires careful configuration. The scripts quoted 129 here are simply intended to give examples of how a firewall 130 works. They are not intended to fit into any particular 131 configuration and may not provide complete protection from 126 <para>This introduction on how to setup a firewall is not a 127 complete guide to securing systems. Firewalling is a complex 128 issue that requires careful configuration. The scripts quoted 129 here are simply intended to give examples of how a firewall 130 works. They are not intended to fit into any particular 131 configuration and may not provide complete protection from 132 132 an attack.</para> 133 133 134 <para>Customization of these scripts for your specific situation 135 will be necessary for an optimal configuration, but you should 136 make a serious study of the iptables documentation and creating 137 firewalls in general before hacking away. Have a look at the 138 list of <xref linkend="fw-library"/> at the end of this section for 139 more details. There you will find a list of URLs that contain quite 134 <para>Customization of these scripts for your specific situation 135 will be necessary for an optimal configuration, but you should 136 make a serious study of the iptables documentation and creating 137 firewalls in general before hacking away. Have a look at the 138 list of <xref linkend="fw-library"/> at the end of this section for 139 more details. There you will find a list of URLs that contain quite 140 140 comprehensive information about building your own firewall.</para> 141 141 </caution> 142 142 143 <para>The firewall configuration script installed in the last section 144 differs from the standard configuration script. It only has two of 145 the standard targets: start and status. The other targets are clear 143 <para>The firewall configuration script installed in the last section 144 differs from the standard configuration script. 
It only has two of 145 the standard targets: start and status. The other targets are clear 146 146 and lock. For instance when you run:</para> 147 147 148 148 <screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen> 149 149 150 <para>the firewall will be restarted just as it is upon system startup. 151 The status target will present a list of all currently implemented 152 rules. The clear target turns off all firewall rules and the lock 153 target will block all packets in and out of the computer with the 150 <para>the firewall will be restarted just as it is upon system startup. 151 The status target will present a list of all currently implemented 152 rules. The clear target turns off all firewall rules and the lock 153 target will block all packets in and out of the computer with the 154 154 exception of the loopback interface.</para> 155 155 156 <para>The main startup firewall is located in the file 157 <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide 156 <para>The main startup firewall is located in the file 157 <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide 158 158 three different approaches that can be used for a system.</para> 159 159 160 160 <note> 161 161 <para>You should always run your firewall rules from a script. 162 This ensures consistency and a record of what was done. It also 163 allows retention of comments that are essential for understanding 162 This ensures consistency and a record of what was done. 
It also 163 allows retention of comments that are essential for understanding 164 164 the rules long after they were written.</para> 165 165 </note> … … 168 168 <title>Personal Firewall</title> 169 169 170 <para>A Personal Firewall is designed to let you access all the 171 services offered on the Internet, but keep your box secure and 170 <para>A Personal Firewall is designed to let you access all the 171 services offered on the Internet, but keep your box secure and 172 172 your data private.</para> 173 173 174 <para>Below is a slightly modified version of Rusty Russell's 175 recommendation from the <ulink 174 <para>Below is a slightly modified version of Rusty Russell's 175 recommendation from the <ulink 176 176 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> 177 Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable 177 Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable 178 178 to the Linux 2.6 kernels.</para> 179 179 … … 183 183 # Begin $rc_base/rc.iptables 184 184 185 # Insert connection-tracking modules 185 # Insert connection-tracking modules 186 186 # (not needed if built into the kernel) 187 187 modprobe ip_tables … … 207 207 echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects 208 208 209 # Drop Spoofed Packets coming in on an interface, where responses 209 # Drop Spoofed Packets coming in on an interface, where responses 210 210 # would result in the reply going out a different interface. 
211 211 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter … … 217 217 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 218 218 219 # disable Explicit Congestion Notification 219 # disable Explicit Congestion Notification 220 220 # too many routers are still ignorant 221 221 echo 0 > /proc/sys/net/ipv4/tcp_ecn … … 238 238 iptables -A INPUT -i lo -j ACCEPT 239 239 240 # Free output on any interface to any ip for any service 240 # Free output on any interface to any ip for any service 241 241 # (equal to -P ACCEPT) 242 242 iptables -A OUTPUT -j ACCEPT 243 243 244 244 # Permit answers on already established connections 245 # and permit new connections related to established ones 245 # and permit new connections related to established ones 246 246 # (e.g. port mode ftp) 247 247 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT … … 253 253 EOF</userinput></screen> 254 254 255 <para>This script is quite simple, it drops all traffic coming 256 in into your computer that wasn't initiated from your box, but 257 as long as you are simply surfing the Internet you are unlikely 255 <para>This script is quite simple, it drops all traffic coming 256 in into your computer that wasn't initiated from your box, but 257 as long as you are simply surfing the Internet you are unlikely 258 258 to exceed its limits.</para> 259 259 260 <para>If you frequently encounter certain delays at accessing 260 <para>If you frequently encounter certain delays at accessing 261 261 ftp-servers, take a look at <xref linkend="fw-BB-4"/>.</para> 262 262 263 <para>Even if you have daemons or services running on your system, 264 these will be inaccessible everywhere but from your computer itself. 265 If you want to allow access to services on your machine, such as 266 <command>ssh</command> or <command>ping</command>, take a look at 263 <para>Even if you have daemons or services running on your system, 264 these will be inaccessible everywhere but from your computer itself. 
265 If you want to allow access to services on your machine, such as 266 <command>ssh</command> or <command>ping</command>, take a look at 267 267 <xref linkend="fw-busybox"/>.</para> 268 268 … … 272 272 <title>Masquerading Router</title> 273 273 274 <para>A true Firewall has two interfaces, one connected to an 275 intranet, in this example <emphasis role="strong">eth0</emphasis>, 276 and one connected to the Internet, here <emphasis 277 role="strong">ppp0</emphasis>. To provide the maximum security 278 for the firewall itself, make sure that there are no unnecessary 274 <para>A true Firewall has two interfaces, one connected to an 275 intranet, in this example <emphasis role="strong">eth0</emphasis>, 276 and one connected to the Internet, here <emphasis 277 role="strong">ppp0</emphasis>. To provide the maximum security 278 for the firewall itself, make sure that there are no unnecessary 279 279 servers running on it such as <application>X11</application> et 280 al. As a general principle, the firewall itself should not access 281 any untrusted service (Think of a remote server giving answers that 282 makes a daemon on your system crash, or, even worse, that implements 280 al. 
As a general principle, the firewall itself should not access 281 any untrusted service (Think of a remote server giving answers that 282 makes a daemon on your system crash, or, even worse, that implements 283 283 a worm via a buffer-overflow).</para> 284 284 … … 338 338 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 339 339 340 # Disable Explicit Congestion Notification 340 # Disable Explicit Congestion Notification 341 341 # Too many routers are still ignorant 342 342 echo 0 > /proc/sys/net/ipv4/tcp_ecn … … 368 368 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE 369 369 370 # Log everything for debugging 370 # Log everything for debugging 371 371 # (last of all rules, but before policy rules) 372 372 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " … … 374 374 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 375 375 376 # Enable IP Forwarding 376 # Enable IP Forwarding 377 377 echo 1 > /proc/sys/net/ipv4/ip_forward</literal> 378 378 EOF</userinput></screen> 379 379 380 <para>With this script your intranet should be reasonably secure 381 against external attacks. No one should be able to setup a new 382 connection to any internal service and, if it's masqueraded, 383 makes your intranet invisible to the Internet. Furthermore, your 384 firewall should be relatively safe because there are no services 380 <para>With this script your intranet should be reasonably secure 381 against external attacks. No one should be able to setup a new 382 connection to any internal service and, if it's masqueraded, 383 makes your intranet invisible to the Internet. Furthermore, your 384 firewall should be relatively safe because there are no services 385 385 running that a cracker could attack.</para> 386 386 387 387 <note> 388 <para>If the interface you're connecting to the Internet 389 doesn't connect via ppp, you will need to change 390 <replaceable>ppp+</replaceable> to the name of the interface, 391 e.g. 
<emphasis role="strong">eth1</emphasis>, which you are 388 <para>If the interface you're connecting to the Internet 389 doesn't connect via ppp, you will need to change 390 <replaceable>ppp+</replaceable> to the name of the interface, 391 e.g. <emphasis role="strong">eth1</emphasis>, which you are 392 392 using.</para> 393 393 </note> … … 398 398 <title>BusyBox</title> 399 399 400 <para>This scenario isn't too different from the <xref 401 linkend="fw-masqRouter"/>, but additionally offers some 402 services to your intranet. Examples of this can be when 403 you want to administer your firewall from another host on 400 <para>This scenario isn't too different from the <xref 401 linkend="fw-masqRouter"/>, but additionally offers some 402 services to your intranet. Examples of this can be when 403 you want to administer your firewall from another host on 404 404 your intranet or use it as a proxy or a name server.</para> 405 405 406 406 <note> 407 <para>Outlining a true concept of how to protect a server that 408 offers services on the Internet goes far beyond the scope of 409 this document. See the references at the end of this section 407 <para>Outlining a true concept of how to protect a server that 408 offers services on the Internet goes far beyond the scope of 409 this document. See the references at the end of this section 410 410 for more information.</para> 411 411 </note> 412 412 413 413 <para>Be cautious. Every service you have enabled makes your 414 setup more complex and your firewall less secure. You are 415 exposed to the risks of misconfigured services or running 416 a service with an exploitable bug. A firewall should generally 417 not run any extra services. See the introduction to the 414 setup more complex and your firewall less secure. You are 415 exposed to the risks of misconfigured services or running 416 a service with an exploitable bug. A firewall should generally 417 not run any extra services. 
See the introduction to the 418 418 <xref linkend="fw-masqRouter"/> for some more details.</para> 419 419 420 <para>If you want to add services such as internal samba or 420 <para>If you want to add services such as internal samba or 421 421 name servers that do not need to access the Internet themselves, 422 the additional statements are quite simple and should still be 422 the additional statements are quite simple and should still be 423 423 acceptable from a security standpoint. Just add the following lines 424 424 into the script <emphasis>before</emphasis> the logging rules.</para> … … 427 427 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</literal></screen> 428 428 429 <para>If daemons, such as squid, have to access the Internet 430 themselves, you could open OUTPUT generally and restrict 429 <para>If daemons, such as squid, have to access the Internet 430 themselves, you could open OUTPUT generally and restrict 431 431 INPUT.</para> 432 432 … … 434 434 iptables -A OUTPUT -j ACCEPT</literal></screen> 435 435 436 <para>However, it is generally not advisable to leave OUTPUT 437 unrestricted. You lose any control over trojans who would like 438 to "call home", and a bit of redundancy in case you've 439 (mis-)configured a service so that it broadcasts its existence 436 <para>However, it is generally not advisable to leave OUTPUT 437 unrestricted. You lose any control over trojans who would like 438 to "call home", and a bit of redundancy in case you've 439 (mis-)configured a service so that it broadcasts its existence 440 440 to the world.</para> 441 441 442 442 <para>To accomplish this, you should restrict INPUT and OUTPUT 443 on all ports except those that it's absolutely necessary to have 444 open. Which ports you have to open depends on your needs: mostly 445 you will find them by looking for failed accesses in your log 443 on all ports except those that it's absolutely necessary to have 444 open. 
Which ports you have to open depends on your needs: mostly 445 you will find them by looking for failed accesses in your log 446 446 files.</para> 447 447 … … 464 464 </listitem> 465 465 <listitem> 466 <para>You want to be able to ping your box to 466 <para>You want to be able to ping your box to 467 467 ensure it's still alive:</para> 468 468 … … 472 472 </listitem> 473 473 <listitem> 474 <para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If 475 you are frequently accessing ftp servers or enjoy chatting, you might 476 notice certain delays because some implementations of these daemons 477 have the feature of querying an identd on your system to obtain 478 usernames. Although there's really little harm in this, having an 479 identd running is not recommended because many security experts feel 474 <para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If 475 you are frequently accessing ftp servers or enjoy chatting, you might 476 notice certain delays because some implementations of these daemons 477 have the feature of querying an identd on your system to obtain 478 usernames. 
Although there's really little harm in this, having an 479 identd running is not recommended because many security experts feel 480 480 the service gives out too much additional information.</para> 481 481 482 <para>To avoid these delays you could reject the requests 482 <para>To avoid these delays you could reject the requests 483 483 with a 'tcp-reset':</para> 484 484 … … 488 488 <listitem> 489 489 <para>To log and drop invalid packets (packets 490 that came in after netfilter's timeout or some types of 490 that came in after netfilter's timeout or some types of 491 491 network scans):</para> 492 492 … … 504 504 iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen> 505 505 506 <para>There are other addresses that you may also want to 507 drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and 506 <para>There are other addresses that you may also want to 507 drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and 508 508 experimental), 169.254.0.0/16 (Link Local Networks), and 509 509 192.0.2.0/24 (IANA defined test network).</para> 510 510 </listitem> 511 511 <listitem> 512 <para>If your firewall is a DHCP client, you need to allow 512 <para>If your firewall is a DHCP client, you need to allow 513 513 those packets:</para> 514 514 … … 518 518 </listitem> 519 519 <listitem> 520 <para>To simplify debugging and be fair to anyone who'd like 521 to access a service you have disabled, purposely or by mistake, 520 <para>To simplify debugging and be fair to anyone who'd like 521 to access a service you have disabled, purposely or by mistake, 522 522 you could REJECT those packets that are dropped.</para> 523 523 … … 530 530 </itemizedlist> 531 531 532 <para>These are only examples to show you some of the capabilities 532 <para>These are only examples to show you some of the capabilities 533 533 of the firewall code in Linux. Have a look at the man page of iptables. 534 There you will find much more information. 
The port numbers needed for 535 this can be found in <filename>/etc/services</filename>, in case you 534 There you will find much more information. The port numbers needed for 535 this can be found in <filename>/etc/services</filename>, in case you 536 536 didn't find them by trial and error in your log file.</para> 537 537 … … 544 544 545 545 <para>Finally, there is one fact you must not forget: The effort spent 546 attacking a system corresponds to the value the cracker expects to gain 547 from it. If you are responsible for valuable information, you need to 546 attacking a system corresponds to the value the cracker expects to gain 547 from it. If you are responsible for valuable information, you need to 548 548 spend the time to protect it properly.</para> 549 549 -
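Review bot: every changed line in this file shows identical text on the old and new side, so this region is a trailing-whitespace cleanup with no change to the firewall rules or prose; while these lines are being touched, the rule `iptables -A OUTPUT -o ! ppp+ -j ACCEPT` uses intrapositioned negation (`-o ! ppp+`), which later iptables releases report as deprecated, and the portable spelling `iptables -A OUTPUT ! -o ppp+ -j ACCEPT` would be worth adopting in the same pass.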
postlfs/security/gnupg.xml
r99b1c520 r0afcfa88 30 30 <title>Introduction to GnuPG</title> 31 31 32 <para>The <application>GnuPG</application> package contains a 33 public/private key encryptor. This is becoming useful for signing 34 files or emails as proof of identity and preventing tampering with 32 <para>The <application>GnuPG</application> package contains a 33 public/private key encryptor. This is becoming useful for signing 34 files or emails as proof of identity and preventing tampering with 35 35 contents of the file or email.</para> 36 36 … … 61 61 <itemizedlist spacing='compact'> 62 62 <listitem> 63 <para>Required Patch: <ulink 63 <para>Required Patch: <ulink 64 64 url="&patch-root;/gnupg-&gnupg-version;-po_install_fix-1.patch"/> 65 65 </para> … … 71 71 72 72 <bridgehead renderas="sect4">Optional</bridgehead> 73 <para><xref linkend="openldap"/>, 74 <xref linkend="libusb"/>, 75 <xref linkend="curl"/>, 76 <ulink url="../server/mail.html">MTA</ulink>, 77 <xref linkend="docbook-utils"/> and <ulink 73 <para><xref linkend="openldap"/>, 74 <xref linkend="libusb"/>, 75 <xref linkend="curl"/>, 76 <ulink url="../server/mail.html">MTA</ulink>, 77 <xref linkend="docbook-utils"/> and <ulink 78 78 url="http://www.oasis-open.org/docbook/tools/dtm/">docbook-to-man</ulink></para> 79 79 … … 83 83 <title>Installation of GnuPG</title> 84 84 85 <para>Install <application>GnuPG</application> by running the following 85 <para>Install <application>GnuPG</application> by running the following 86 86 commands:</para> 87 87 … … 104 104 <filename class="directory">/usr/libexec</filename>.</para> 105 105 106 <para><command>chmod -v 4755 /usr/bin/gpg</command>: 107 <command>gpg</command> is installed setuid root to avoid swapping 106 <para><command>chmod -v 4755 /usr/bin/gpg</command>: 107 <command>gpg</command> is installed setuid root to avoid swapping 108 108 out sensitive data.</para> 109 109
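Review bot: the changed lines in this file also differ only in trailing whitespace, so there is no behaviour change; the explanation of `chmod -v 4755 /usr/bin/gpg` ("installed setuid root to avoid swapping out sensitive data") is terse for a step that installs a setuid-root binary, and would read better if it said that the bit lets gpg lock its secret-key memory so it is never paged to disk, and that gpg drops the root privileges as soon as that lock is in place.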