Changeset 1ea79a1 for postlfs/security
- Timestamp:
- 05/30/2004 05:30:47 AM (20 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 1dad4a4
- Parents:
- 4ea49a31
- Location:
- postlfs/security
- Files:
- 12 edited
postlfs/security/cracklib/cracklib-intro.xml
r4ea49a31 r1ea79a1 2 2 <title>Introduction to <application>cracklib</application></title> 3 3 4 <para>The cracklib package contains a library used to enforce strong 5 passwords by comparing user selected passwords to words in a 6 chosen wordlist.</para> 4 <para>The cracklib package contains a library used to enforce strong passwords 5 by comparing user selected passwords to words in a chosen wordlist.</para> 7 6 8 7 <sect3><title>Package information</title> … … 27 26 </itemizedlist> 28 27 29 <para>You will also need to download a wordlist for use with cracklib. 30 There are two wordlists to choose from at the following location. 31 Use the <filename>cracklib</filename> word list for good security, 32 or opt for the <filename>allwords</filename> word list for 33 lightweight machines short on <acronym>RAM</acronym>. You can of course choose any other 34 word list that youhave at your disposal.</para>28 <para>You will also need to download a wordlist for use with cracklib. There 29 are two wordlists to choose from at the following location. Use the 30 <filename>cracklib</filename> word list for good security, or opt for the 31 <filename>allwords</filename> word list for lightweight machines short on 32 <acronym>RAM</acronym>. You can of course choose any other word list that you 33 have at your disposal.</para> 35 34 36 35 <para>cracklib (&crackdict-size;): <ulink url="http://www.cotse.com/wordlists/cracklib"/></para> -
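Review bot: the rewrapped paragraph (lines 28-33 new) still gives the reader no basis for the advice to use the cracklib list "for good security" and the allwords list "for lightweight machines short on RAM"; the page already carries the size of the cracklib list through the &crackdict-size; entity, so add the size of the allwords list too so the two can actually be compared. The only wording change in this hunk is "youhave" to "you have"; the rest is a reflow, which is fine.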
postlfs/security/firewalling/busybox.xml
r4ea49a31 r1ea79a1 11 11 12 12 <para>Be cautious. Every service you offer and have enabled makes your 13 setup more complex and your box less secure :You induce the risks of14 misconfigured services or running a service with an exploitable bug , both risks15 that a firewall principally should be immune of.See the introduction to13 setup more complex and your box less secure. You induce the risks of 14 misconfigured services or running a service with an exploitable bug. A firewall 15 should generally not run any extra services. See the introduction to 16 16 <xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para> 17 17 … … 31 31 iptables -A OUTPUT -j ACCEPT</screen> 32 32 33 <para>However, it is generally not advisable to leave OUTPUT unrestricted : you lose34 any control o ntrojans who'd like to "call home", and a bit of redundancy in case33 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose 34 any control over trojans who'd like to "call home", and a bit of redundancy in case 35 35 you've (mis-)configured a service so that it does broadcast its existence to the 36 36 world.</para> … … 59 59 60 60 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are 61 frequently accessing ftp-servers or enjoy chatting you might notice certain61 frequently accessing ftp-servers or enjoy chatting, you might notice certain 62 62 delays because some implementations of these daemons have the feature of 63 querying an identd on your box for your username for logging.63 querying an identd on your box for logging usernames. 
64 64 Although there's really no harm in this, having an identd running is not 65 65 recommended because some implementations are known to be vulnerable.</para> … … 71 71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem> 72 72 73 <listitem><para>To log and drop invalid packets , mostlyharmless packets74 that came in after netfilter's timeout , sometimes scans:</para>73 <listitem><para>To log and drop invalid packets (harmless packets 74 that came in after netfilter's timeout or some types of network scans):</para> 75 75 76 76 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ -
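Review bot: the reworded parenthetical at lines 73-74 (new) now labels every invalid packet harmless, scans included: "(harmless packets that came in after netfilter's timeout or some types of network scans)". The old text hedged with "mostly harmless" and "sometimes scans", and scans are the reason the rule logs at all; suggest keeping the hedge, e.g. "(mostly harmless packets that arrived after netfilter's timeout, but sometimes scans)". The other changes in this hunk (dropping "immune of", "for logging usernames", the comma after "chatting") read correctly.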
postlfs/security/firewalling/disclaimer.xml
r4ea49a31 r1ea79a1 6 6 DOCUMENT.</emphasis></para> --> 7 7 8 <para>This document is meant as an introduction to how to setup a 9 firewall - it is not a complete guide to securing systems. Firewalling 10 is a complex issue that requires careful configuration. 11 The scripts quoted here are simply intended to give examples as to how 12 a firewall works, they are not intended to fit into any imaginable 13 configuration and may not prevent any imaginableattack.</para>8 <para>This document is meant as an introduction to how to setup a firewall. It 9 is not a complete guide to securing systems. Firewalling is a complex issue 10 that requires careful configuration. The scripts quoted here are simply 11 intended to give examples as to how a firewall works, they are not intended to 12 fit into any imaginable configuration and may not prevent any imaginable 13 attack.</para> 14 14 15 15 <para>The purpose of this text is simply to give you a hint on how to get -
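Review bot: the comma splice survives the rewrap at lines 10-11 (new): "intended to give examples as to how a firewall works, they are not intended to fit into any imaginable configuration". Since this hunk is already splitting long sentences ("how to setup a firewall. It is not a complete guide"), split this one as well or use a semicolon. "setup" as a verb at line 8 should also be "set up".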
postlfs/security/firewalling/intro.xml
r4ea49a31 r1ea79a1 5 5 against malicious access by using a single machine as a firewall. 6 6 This does imply that the firewall is to be considered a single point 7 of failure, but it can make the administrator s life a lot easier.</para>7 of failure, but it can make the administrator's life a lot easier.</para> 8 8 9 9 <para>In a perfect world where you knew that every daemon or service … … 11 11 buffer-overflows and any other imaginable problem regarding its 12 12 security, and where you trusted every user accessing your services 13 to aim no harm, you wouldn't need to dohave a firewall!13 to aim no harm, you wouldn't need to have a firewall! 14 14 In the real world however, daemons may be misconfigured, 15 15 exploits against essential services are freely available, you … … 21 21 22 22 <para>Don't assume however, that having a firewall makes careful 23 configuration redundant, nor that it makes any negligent24 misconfiguration harmless , nor that it preventsanyone from exploiting a23 configuration redundant, or that it makes any negligent 24 misconfiguration harmless. It also doesn't prevent anyone from exploiting a 25 25 service you intentionally offer but haven't recently updated or patched 26 26 after an exploit went public. Despite having a firewall, you need to … … 40 40 companies such as Symantec, of which they claim or pretend that it 41 41 secures a home or desktop-pc with Internet access. This topic is 42 highly relevant for users who do not know the ways their computers43 might be accessed via the Internet and how to disable these,44 especially if they are always online and if they areconnected via42 highly relevant for users who do not know the methods their computers 43 might be accessed via the Internet or how to disable them, 44 especially if they are always online and connected via 45 45 broadband links.</para></sect3> 46 46 … … 59 59 performing masquerading or routing functions, but offering a bunch of 60 60 services, e.g., web-cache, mail, etc. 
This may be very commonly used 61 for home networks, but can definitely not tobe considered as secure61 for home networks, but can definitely not be considered as secure 62 62 anymore because the combining of server and router on one machine raises 63 63 the complexity of the setup.</para></sect3> -
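Review bot: "the methods their computers might be accessed via the Internet" at lines 42-43 (new) drops the preposition and reads worse than the "ways ... might be accessed" it replaces; suggest "the methods by which their computers might be accessed via the Internet, or how to disable them". The apostrophe fix at line 7, "dohave" at line 13, "not tobe" at line 61 and the "nor ... nor" rework at lines 23-24 are all correct.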
postlfs/security/firewalling/kernel.xml
r4ea49a31 r1ea79a1 3 3 4 4 <para>If you want your Linux-Box to have a firewall, you must first ensure 5 that your kernel has been compiled with the relevant options turned on 5 that your kernel has been compiled with the relevant options turned on. 6 6 <!-- <footnote><para>If you needed assistance how to configure, compile and install 7 7 a new kernel, refer back to chapter VIII of the LinuxFromScratch book, … … 10 10 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink> 11 11 ; note, that you'll need to reboot 12 to actually run your new kernel.</para></footnote>-->.</para> 12 to actually run your new kernel.</para></footnote>--> 13 </para> 13 14 14 15 <para>How to configure your kernel, with enabling the options to be -
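Review bot: moving the full stop and the closing </para> so the paragraph no longer ends in "-->." is right, but the hunk keeps a commented-out footnote that points at chapter VIII of LFS 3.1 (http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html). Dead text referencing an old book version is better deleted than reflowed; if it is kept for a later rewrite, a short XML comment saying why would help the next editor.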
postlfs/security/firewalling/masqrouter.xml
r4ea49a31 r1ea79a1 82 82 <command>EOF</command></userinput></screen> 83 83 84 <para>With this script your intranet should be sufficiently 85 secure against external attacks: no one should be able to setup a 86 new connection to any internal service and, if it's masqueraded, 87 it s even invisible; furthermore, your firewall should be nearly immune 88 because there are no services runningthat a cracker could attack.</para>84 <para>With this script your intranet should be sufficiently secure against 85 external attacks. No one should be able to setup a new connection to any 86 internal service and, if it's masqueraded, it's even invisible. Furthermore, 87 your firewall should be nearly immune because there are no services running 88 that a cracker could attack.</para> 89 89 90 90 <para>Note: if the interface you're connecting to the Internet … … 97 97 98 98 <para>If you need stronger security (e.g., against DOS, connection 99 highjacking, spoofing, etc.) have a look at the list of99 highjacking, spoofing, etc.), have a look at the list of 100 100 <xref linkend="postlfs-security-fw-library"/> at the end of this section.</para> 101 101 -
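Review bot: the rewrite at lines 84-88 (new) keeps the claim that the firewall "should be nearly immune because there are no services running that a cracker could attack", which sits badly with the disclaimer edited in this same changeset ("may not prevent any imaginable attack") and with lines 98-99 of this very file, which say stronger measures are needed against DoS, hijacking and spoofing. Suggest "much harder to attack" rather than "nearly immune", and "its internal addresses are hidden" rather than "it's even invisible", since masquerading hides addresses, not the existence of the network. Also, since line 99 is touched anyway, "highjacking" should be "hijacking" and "DOS" should be "DoS".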
postlfs/security/firewalling/persfw.xml
r4ea49a31 r1ea79a1 2 2 <title>Personal Firewall</title> 3 3 4 <para>A Personal Firewall is supposed to let you access the allservices4 <para>A Personal Firewall is supposed to let you access all the services 5 5 offered on the Internet, but keep your box secure and your data private.</para> 6 6 7 <para>Below is a slightly modified version of Rusty Russell's 8 recommendation from the <ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux 7 <para>Below is a slightly modified version of Rusty Russell's recommendation 8 from the <ulink 9 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux 9 10 2.4 Packet Filtering HOWTO</ulink>:</para> 10 11 … … 56 57 <xref linkend="postlfs-security-fw-BB-4"/>.</para> 57 58 58 <para>Even if you have daemons /services running on your box, these59 <para>Even if you have daemons or services running on your box, these 59 60 should be inaccessible everywhere but from your box itself. 60 61 If you want to allow access to services on your machine, such as ssh or pinging, -
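Review bot: nit on the <ulink> rewrap at lines 8-10 (new): the tag now opens with "<ulink" at the end of one line and its url attribute on the next, which is valid XML but differs from the cracklib-intro hunk in this changeset, which keeps '<ulink url="..."/>' on a single line; keeping the tag and its attribute together makes the link easier to grep for. The "all the services" and "daemons or services" fixes are correct.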
postlfs/security/pam/linux_pam-config.xml
r4ea49a31 r1ea79a1 9 9 <sect3><title>Configuration Information</title> 10 10 11 <para>Configuration information is placed in <filename>/etc/pam.d</filename> or 12 <filename>/etc/pam.conf</filename> depending on the application that is using 13 <application><acronym>PAM</acronym></application>. Below are example files of 14 each type:</para> 11 <para>Configuration information is placed in <filename>/etc/pam.d</filename> or 12 <filename>/etc/pam.conf</filename> depending on user preference. Below are 13 example files of each type:</para> 15 14 16 15 <screen># Begin /etc/pam.d/other -
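Review bot: "depending on user preference" at line 12 (new) replaces a wrong explanation with a vague one: it does not say what makes Linux-PAM read /etc/pam.d rather than /etc/pam.conf. The linux_pam-exp.xml hunk in this changeset says the --enable-read-both-confs switch "lets the local administrator choose which configuration file setup to use", so say that here (or xref that explanation) so the reader knows the choice is tied to how the package was built.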
postlfs/security/pam/linux_pam-exp.xml
r4ea49a31 r1ea79a1 12 12 the mailspool directory <acronym>FHS</acronym> compliant.</para> 13 13 14 <para><option>--enable-read-both-confs</option>: This switch lets the local administrator choose which configuration file setup to use.</para> 14 <para><option>--enable-read-both-confs</option>: This switch lets the local 15 administrator choose which configuration file setup to use.</para> 15 16 16 17 <para><command>mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a -
postlfs/security/security.xml
r4ea49a31 r1ea79a1 16 16 <para>Prevention of breaches, like a trojan, are assisted by applications like 17 17 <application>GnuPG</application>, specifically the ability to confirm signed 18 packages, which prevents modificationof the <acronym>TAR</acronym> ball after18 packages, which recognizes modifications of the <acronym>TAR</acronym> ball after 19 19 the packager creates it.</para> 20 20 -
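Review bot: "prevents modification" to "recognizes modifications" at line 18 (new) is the right correction: verifying a signature detects tampering with the tarball after the packager signed it, it cannot stop the tampering. "detects" would say that more plainly than "recognizes". The unchanged first line of the paragraph still has a number disagreement ("Prevention of breaches ... are assisted", line 16) worth fixing while the paragraph is being edited.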
postlfs/security/shadow/shadow-config.xml
r4ea49a31 r1ea79a1 7 7 <filename>/etc/pam.d/passwd</filename>, 8 8 <filename>/etc/pam.d/su</filename>, 9 <filename>/etc/pam.d/shadow</filename>, 9 <filename>/etc/pam.d/shadow</filename>, and 10 10 <filename>/etc/pam.d/useradd</filename></para> 11 11 </sect3> -
postlfs/security/tripwire/tripwire-config.xml
r4ea49a31 r1ea79a1 38 38 tripwire -m i</command></userinput></screen> 39 39 40 <para>During configuration <application>Tripwire</application> will create two (2) keys: a site key and41 a local key which will be stored in <filename class="directory">/etc/tripwire/ 42 </filename>.</para>40 <para>During installation <application>Tripwire</application> will create two 41 (2) keys: a site key and a local key which will be stored in <filename 42 class="directory">/etc/tripwire/</filename>.</para> 43 43 44 44 </sect3> … … 59 59 on your system so that <application>Tripwire</application> will not continually notify you that 60 60 files you intentionally changed are a security violation. To do this you 61 must first <command>ls /var/lib/tripwire/report/</command> and note61 must first <command>ls -l /var/lib/tripwire/report/</command> and note 62 62 the name of the newest file which starts with <filename>linux-</filename> and 63 63 ends in <filename>.twr</filename>. This encrypted file was created during the
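Review bot: two points. First, "During installation" at line 40 (new) sits in a file named tripwire-config.xml and directly follows the "tripwire -m i" command at line 38, so it is still not clear which step actually generates the site and local keys; name the command or section that creates them rather than swapping "configuration" for "installation". Second, "ls -l /var/lib/tripwire/report/" at line 61 shows timestamps but still leaves the reader to pick out "the newest file" by eye; "ls -lt" (or "ls -t") sorts newest first and makes that step unambiguous.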