Changeset b4b71892


Timestamp:
06/10/2004 05:47:11 AM (17 years ago)
Author:
Bruce Dubbs <bdubbs@…>
Branches:
10.0, 10.1, 11.0, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, ken/refactor-virt, krejzi/svn, lazarus, nosym, perl-modules, qt5new, systemd-11177, systemd-13485, trunk, xry111/git-date, xry111/git-date-for-trunk, xry111/git-date-test
Children:
cf43c83
Parents:
f8d632a
Message:

New XML Chapter 4

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2288 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:
12 edited

  • general.ent

    rf8d632a rb4b71892  
    1919<!ENTITY blfs-bootscripts-download "&downloads-root;/blfs-bootscripts-&blfs-bootscripts-version;.tar.bz2">
    2020
    21 <!ENTITY reiser-version "3.6.14">
    22 <!ENTITY xfsprogs-version "2.6.13">
     21<!-- Chapter 4 -->
     22<!ENTITY cracklib-version  "2.7">   
     23<!ENTITY Linux_PAM-version "0.77"> 
     24<!ENTITY shadow-version    "4.0.4.1"> 
     25<!ENTITY iptables-version  "1.2.9">
     26<!ENTITY gnupg-version     "1.2.4"> 
     27<!ENTITY tripwire-version  "2.3.1-2">   
     28<!ENTITY heimdal-version   "0.6.2">   
     29<!ENTITY mitkrb-version    "1.3.3">
    2330
    24 <!ENTITY gnome-version   "2.6">
     31
     32<!-- Chapter 5 -->
     33<!ENTITY reiser-version    "3.6.14">
     34<!ENTITY xfsprogs-version  "2.6.13">
     35
     36
     37
     38
     39<!ENTITY gnome-version     "2.6">
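Review bot: the added entity lines for cracklib-version, Linux_PAM-version, shadow-version, gnupg-version, tripwire-version and heimdal-version carry trailing whitespace, and the Chapter 5 block leaves four empty lines between xfsprogs-version and gnome-version; trim both so the file stays consistent with the surrounding entries. The per-chapter comment markers are a good addition, so give gnome-version its own chapter comment instead of leaving it stranded after the blank run.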
  • postlfs/postlfs.xml

    rf8d632a rb4b71892  
    33<title>Post <acronym>LFS</acronym> Configuration and Extra Software</title>
    44
     5<!-- &postlfs-config; -->
    56<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/config/config.xml"/>
    6 <!-- &postlfs-config; -->
    7 &postlfs-security;
     7
     8<!-- &postlfs-security; -->
     9<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/security/security.xml"/>
     10
    811<!-- &postlfs-filesystems; -->
    912<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="postlfs/filesystems/filesystems.xml"/>
     13
    1014&postlfs-editors;
    1115&postlfs-shells;
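Review bot: the chapter file now mixes two inclusion mechanisms: config, security and filesystems are pulled in with xi:include while &postlfs-editors; and &postlfs-shells; remain entity references, and the old reference survives only as a comment (<!-- &postlfs-security; -->). If the remaining sections are to be converted the same way, say so in the commit message or a TODO comment; if not, the commented-out entity references become clutter once their definitions are removed.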
  • postlfs/security/cracklib.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6
     7  <!ENTITY cracklib-download-http "http://www.crypticide.com/users/alecm/security/cracklib,&cracklib-version;.tar.gz">
     8  <!ENTITY cracklib-download-ftp "ftp://ftp.cerias.purdue.edu/pub/tools/unix/libs/cracklib/cracklib.&cracklib-version;.tar.gz">
     9  <!ENTITY cracklib-size      "21 KB">
     10  <!ENTITY cracklib-buildsize "17 MB">
     11  <!ENTITY cracklib-time      "0.10 SBU">
     12  <!ENTITY crackdict-size     "15.6MB">
     13  <!ENTITY alldict-size       "466KB">
     14]>
     15
    116<sect1 id="cracklib" xreflabel="cracklib-&cracklib-version;">
    217<?dbhtml filename="cracklib.html"?>
    318<title>cracklib-&cracklib-version;</title>
    419
    5 &cracklib-intro;
    6 &cracklib-inst;
    7 &cracklib-desc;
     20
     21<sect2>
     22<title>Introduction to <application>cracklib</application></title>
     23
     24<para>The cracklib package contains a library used to enforce strong passwords
     25by comparing user selected passwords to words in a chosen wordlist.</para>
     26
     27<sect3><title>Package information</title>
     28<itemizedlist spacing='compact'>
     29<listitem><para>Download (HTTP): <ulink
     30url="&cracklib-download-http;"/></para></listitem>
     31<listitem><para>Download (FTP): <ulink
     32url="&cracklib-download-ftp;"/></para></listitem>
     33<listitem><para>Download size: &cracklib-size;</para></listitem>
     34<listitem><para>Estimated Disk space required (with cracklib wordlist):
     35&cracklib-buildsize;</para></listitem>
     36<listitem><para>Estimated build time:
     37&cracklib-time;</para></listitem></itemizedlist>
     38</sect3>
     39
     40<sect3><title>Additional downloads</title>
     41<itemizedlist spacing='compact'>
     42<listitem><para>Required patch: <ulink
     43url="&patch-root;/cracklib,&cracklib-version;-blfs-1.patch"/></para></listitem>
     44<listitem><para>Recommended patch: <ulink
     45url="&patch-root;/cracklib,&cracklib-version;-heimdal-1.patch"/></para></listitem>
     46</itemizedlist>
     47
     48<para>You will also need to download a wordlist for use with cracklib.  There
     49are two wordlists to choose from at the following location.  Use the
     50<filename>cracklib</filename> word list for good security, or opt for the
     51<filename>allwords</filename> word list for lightweight machines short on
     52<acronym>RAM</acronym>.  You can of course choose any other word list that you
     53have at your disposal.</para>
     54
     55<para>cracklib (&crackdict-size;): <ulink url="http://www.cotse.com/wordlists/cracklib"/></para>
     56<para>allwords (&alldict-size;): <ulink url="http://www.cotse.com/wordlists/allwords"/></para>
     57
     58</sect3>
     59
     60</sect2>
     61
     62<sect2>
     63<title>Installation of <application>cracklib</application></title>
     64
     65<para>First, we need to install the chosen word list for cracklib:</para>
     66
     67<screen><userinput><command>install -d -m755 /usr/share/dict &amp;&amp;
     68install -m644 <replaceable>[wordlist]</replaceable> /usr/share/dict &amp;&amp;
     69ln -sf <replaceable>[wordlist]</replaceable> /usr/share/dict/words &amp;&amp;
     70echo $(hostname) >> /usr/share/dict/extra.words</command></userinput></screen>
     71
     72<para>Our wordlist is linked to <filename>/usr/share/dict/words</filename> as
     73historically, <filename>words</filename> is the primary wordlist in the
     74<filename class="directory">/usr/share/dict</filename> directory.  We also echo
     75the value of hostname to a file called extra.words.  This extra file is intened
     76to be a site specific list which includes easy to guess passwords such as
     77company or department name, user's names, product names, computer name, domain
     78name, etc.</para>
     79
     80<para>Now apply BLFS patch:</para>
     81
     82<screen><userinput><command>patch -Np1 -i ../cracklib,&cracklib-version;-blfs-1.patch</command></userinput></screen>
     83
     84<para>If necessary, apply the heimdal patch:</para>
     85
     86<screen><userinput><command>cp -R cracklib cracklib_krb5 &amp;&amp;
     87patch -Np1 -i ../cracklib,&cracklib-version;-heimdal-1.patch</command></userinput></screen>
     88
     89<para>Finally install the package:</para>
     90<screen><userinput><command>make install</command></userinput></screen>
     91
     92</sect2>
     93
     94<sect2>
     95<title>Contents</title>
     96
     97<para>The <application>cracklib</application> package
     98contains the <filename class="libraryfile">libcrack</filename>
     99library.</para>
     100
     101</sect2>
     102
     103<sect2><title>Description</title>
     104
     105<sect3><title>libcrack library</title>
     106<para>The <filename class="libraryfile">libcrack</filename> library
     107provides a fast dictionary lookup method for strong password
     108enforcement.</para></sect3>
     109
     110</sect2>
    8111
    9112</sect1>
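Review bot: the installation section is missing a build step: `make install` is the only command after the patches, with no `make` (or configure) and no `cd` into the unpacked tree, and the Heimdal variant runs `cp -R cracklib cracklib_krb5 &&` followed by `patch -Np1 -i ../cracklib,&cracklib-version;-heimdal-1.patch` without changing into cracklib_krb5, so the patch is applied to the same directory the BLFS patch was applied to. Spell out the directory and build commands as the other package pages do. Two smaller points: `ln -sf [wordlist] /usr/share/dict/words` reuses the same [wordlist] token as the preceding `install`, so if the reader supplies a path rather than a bare filename the symlink target (resolved relative to /usr/share/dict) will dangle; and "intened" in the extra.words paragraph should read "intended".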
  • postlfs/security/firewalling.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6]>
     7
    18<sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
    29<?dbhtml filename="firewall.html"?>
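Review bot: the dbhtml PI names the output page firewall.html while the source file is firewalling.xml and the sect1 id is postlfs-security-fw-firewall; cracklib.xml in this same changeset writes cracklib.html after its source name. Either rename to firewalling.html for consistency or confirm that existing links depend on firewall.html.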
     
    613have already installed iptables as described in the previous section.</para>
    714
    8 &postlfs-security-fw-intro;
    9 &postlfs-security-fw-disclaimer;
    10 &postlfs-security-fw-kernel;
    11 &postlfs-security-fw-writing;
    12 &postlfs-security-fw-finale;
    13 &postlfs-security-fw-extrainfo;
    14 
     15
     16<sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction">
     17<title>Introduction to Firewall Creation</title>
     18
     19<para>The general purpose of a firewall is to protect a network
     20against malicious access by using a single machine as a firewall.
     21This does imply that the firewall is to be considered a single point
     22of failure, but it can make the administrator's life a lot easier.</para>
     23
     24<para>In a perfect world where you knew that every daemon or service
     25on every machine was perfectly configured and was immune to, e.g.,
     26buffer-overflows and any other imaginable problem regarding its
     27security, and where you trusted every user accessing your services
     28to aim no harm, you wouldn't need to have a firewall! 
     29In the real world however, daemons may be misconfigured,
     30exploits against essential services are freely available, you
     31may wish to choose which services are accessible by certain machines,
     32you may wish to limit which machines or applications are allowed
     33to have Internet access, or you may simply  not trust some of your
     34apps or users.
     35In these situations you might  benefit by using a firewall.</para>
     36
     37<para>Don't assume however, that having a firewall makes careful
     38configuration redundant, or that it makes any negligent
     39misconfiguration harmless. It also doesn't prevent anyone from exploiting a
     40service you intentionally offer but haven't recently updated or patched
     41after an exploit went public.  Despite having a firewall, you need to
     42keep applications and daemons on your system well-configured and
     43up-to-date; a firewall is not a cure-all!</para>
     44
     45</sect2>
     46
     47<sect2>
     48<title>Meaning of the word firewall.</title>
     49
     50<para>The word firewall can have several different meanings.</para>
     51
     52<sect3><title><xref linkend="postlfs-security-fw-persFw"/></title>
     53
     54<para>This is a setup or program, for Windows commercially sold by
     55companies such as Symantec, of which they claim or pretend that it
     56secures a home or desktop-pc with Internet access. This topic is
     57highly relevant for users who do not know the methods their computers
     58might be accessed via the Internet or how to disable them,
     59especially if they are always online and connected via
     60broadband links.</para></sect3>
     61
     62<sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title>
     63<para>This is a box placed between the Internet and an intranet.
     64To minimize the risk of compromising the firewall itself it
     65should generally have only one role, that of protecting the intranet.
     66Although not completely risk free, the tasks of doing the routing
     67and eventually IP masquerading (rewriting IP-headers
     68of the packets it routes from clients with private IP-addresses onto
     69the Internet so that they seem to come from the firewall
     70itself) are commonly considered harmless.</para></sect3>
     71
     72<sect3><title><xref linkend="postlfs-security-fw-busybox"/></title>
     73<para>This is often an old box you may have retired and nearly forgotten,
     74performing masquerading or routing functions, but offering a bunch of
     75services, e.g., web-cache, mail, etc.  This may be very commonly used
     76for home networks, but can definitely not be considered as secure
     77anymore because the combining of server and router on one machine raises
     78the complexity of the setup.</para></sect3>
     79
     80<sect3><title>Firewall with a demilitarized zone [not further described
     81here]</title>
     82<para>This box performs masquerading or routing, but grants public access to
     83some branch of your network which, because of public IP's and a physically
     84separated structure, is neither considered to be part of the inter- nor
     85intranet.  These servers are those which must be easily accessible
     86from both the inter- and intranet. The firewall protects
     87them all.</para></sect3>
     88
     89<sect3><title>Packetfilter / partly accessible net [partly described
     90here, see <xref linkend="postlfs-security-fw-busybox"/>]</title>
     91<para>Doing routing or masquerading, but permitting only selected
     92services to be accessible, sometimes only by selected internal users or boxes;
     93mostly used in highly secure business contexts, sometimes by distrusting
     94employers.  This was the common configuration of a firewall at the time of
     95the Linux 2.2 kernel.  It's still possible to configure a firewall this way,
     96but it makes the rules quite complex and lengthy.</para></sect3>
     97
     98</sect2>
     99
     100<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
     101<title>Disclaimer</title>
     102
     103<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
     104ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
     105DOCUMENT.</emphasis></para> -->
     106
     107<para>This document is meant as an introduction to how to setup a firewall.  It
     108is not a complete guide to securing systems.  Firewalling is a complex issue
     109that requires careful configuration.  The scripts quoted here are simply
     110intended to give examples as to how a firewall works, they are not intended to
     111fit into any imaginable configuration and may not prevent any imaginable
     112attack.</para>
     113
     114<para>The purpose of this text is simply to give you a hint on how to get
     115started with a firewall.</para>
     116
     117<para>Customization of these scripts for your specific situation will
     118be necessary for an optimal configuration, but you should make a serious
     119study of the iptables documentation and creating firewalls in general before hacking
     120away.  Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end
     121of this section for more details.  Here you will find a list of URLs that
     122contain quite comprehensive information about building your own firewall.</para>
     123
     124</sect2>
     125
     126
     127<sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
     128<title>Getting a firewall enabled Kernel</title>
     129
     130<para>If you want your Linux-Box to have a firewall, you must first ensure
     131that your kernel has been compiled with the relevant options turned on.
     132<!-- <footnote><para>If you needed assistance how to configure, compile and install
     133a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
     134<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink>
     135 and eventually
     136<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink>
     137; note, that you'll need to reboot
     138to actually run your new kernel.</para></footnote>-->
     139</para>
     140
     141<para>How to configure your kernel, with enabling the options to be
     142either compiled into the kernel or as modules, depends on your personal
     143preferences and experience. Note, that for the quoted scripts it is assumed
     144that the modules need to be loaded at first.</para>
     145
     146<screen>Network options menu
     147  Network packet filtering:                         Y
     148  Unix domain sockets:                         Y or M
     149  TCP/IP networking:                                Y
     150  IP: advanced router:                              Y
     151  IP: verbose route monitoring:                     Y
     152  IP: TCP Explicit Congestion Notification support: Y
     153  IP: TCP syncookie support:                        Y
     154  IP: Netfilter Configuration menu
     155    Every option except:                       Y or M
     156      ipchains (2.2-style) support                  N
     157      ipfwadm (2.0-style) support                   N
     158  Fast switching:                                   N</screen>
     159
     160<!--
     161<table frame='none'>
     162<title>Essential config-options for a firewall enabled Kernel</title>
     163
     164<tgroup cols='5'>
     165<colspec colnum='1' colwidth='8*'  align='center'/>
     166<colspec colnum='2' colwidth='19*' align='left'/>
     167<colspec colnum='3' colwidth='11*' align='center'/>
     168<colspec colnum='4' colwidth='1*'  align='center'/>
     169<colspec colnum='5' colwidth='14*' align='left'/>
     170
     171<tbody>
     172
     173<row>
     174<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
     175<entry><userinput>Network packet filtering</userinput></entry>
     176<entry></entry>
     177<entry>=</entry>
     178<entry>CONFIG_NETFILTER</entry>
     179</row>
     180
     181<row>
     182<entry></entry>
     183<entry><userinput>Unix domain sockets</userinput></entry>
     184<entry></entry>
     185<entry>=</entry>
     186<entry>CONFIG_UNIX</entry>
     187</row>
     188
     189<row>
     190<entry></entry>
     191<entry><userinput>IP: TCP/IP networking</userinput></entry>
     192<entry></entry>
     193<entry>=</entry>
     194<entry>CONFIG_INET</entry>
     195</row>
     196
     197<row>
     198<entry></entry>
     199<entry><userinput>IP: advanced router</userinput></entry>
     200<entry></entry>
     201<entry>=</entry>
     202<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
     203</row>
     204
     205<row>
     206<entry></entry>
     207<entry><userinput>IP: verbose route monitoring</userinput></entry>
     208<entry></entry>
     209<entry>=</entry>
     210<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
     211</row>
     212
     213<row>
     214<entry></entry>
     215<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
     216<entry></entry>
     217<entry>=</entry>
     218<entry>CONFIG_INET_ECN</entry>
     219</row>
     220
     221<row>
     222<entry></entry>
     223<entry><userinput>IP: TCP syncookie support</userinput></entry>
     224<entry></entry>
     225<entry>=</entry>
     226<entry>CONFIG_SYN_COOKIES</entry>
     227</row>
     228
     229<row>
     230<entry></entry>
     231<entry align='center'>
     232<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
     233<entry align='left'><userinput>every option</userinput></entry>
     234<entry>=</entry>
     235<entry>CONFIG_IP_NF_*</entry>
     236</row>
     237
     238<row>
     239<entry></entry>
     240<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
     241<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
     242ipfw-adm (2.0-style) support</userinput></literallayout></entry>
     243<entry>w\</entry>
     244<entry>CONFIG_IP_NF_COMPAT_*</entry>
     245</row>
     246
     247<row>
     248<entry></entry>
     249<entry><userinput>Fast switching</userinput></entry>
     250<entry>Make sure to disable it because it would setup a bypass around
     251your firewall rules.</entry>
     252<entry>w\</entry>
     253<entry>CONFIG_NET_FASTROUTE</entry>
     254</row>
     255
     256</tbody>
     257
     258</tgroup>
     259
     260</table> -->
     261
     262</sect2>
     263
     264
     265<sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts">
     266<title>Now you can start to build your Firewall</title>
     267
     268
     269<sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall">
     270<title>Personal Firewall</title>
     271
     272<para>A Personal Firewall is supposed to let you access all the services
     273offered on the Internet, but keep your box secure and your data private.</para>
     274
     275<para>Below is a slightly modified version of Rusty Russell's recommendation
     276from the <ulink
     277url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux
     2782.4 Packet Filtering HOWTO</ulink>:</para>
     279
     280<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
     281#!/bin/sh
     282
     283# Begin $rc_base/init.d/firewall
     284
     285# Insert connection-tracking modules (not needed if built into the kernel).
     286modprobe ip_tables
     287modprobe iptable_filter
     288modprobe ip_conntrack
     289modprobe ip_conntrack_ftp
     290modprobe ipt_state
     291modprobe ipt_LOG
     292
     293# allow local-only connections
     294iptables -A INPUT  -i lo -j ACCEPT
     295# free output on any interface to any ip for any service (equal to -P ACCEPT)
     296iptables -A OUTPUT -j ACCEPT
     297
     298# permit answers on already established connections
     299# and permit new connections related to established ones (eg active-ftp)
     300iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     301
     302# Log everything else:  What's Windows' latest exploitable vulnerability?
     303iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
     304
     305# set a sane policy:    everything not accepted &gt; /dev/null
     306iptables -P INPUT    DROP
     307iptables -P FORWARD  DROP
     308iptables -P OUTPUT   DROP
     309
     310# be verbose on dynamic ip-addresses     (not needed in case of static IP)
     311echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     312
     313# disable ExplicitCongestionNotification - too many routers are still ignorant
     314echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     315
     316# End $rc_base/init.d/firewall
     317<command>EOF</command></userinput></screen>
     318
     319<para>His script is quite simple, it drops all traffic coming in into your
     320computer that wasn't initiated from your box, but as long as you are simply
     321surfing the Internet you are unlikely to exceed its limits.</para>
     322
     323<para>If you frequently encounter certain delays at accessing ftp-servers,
     324please have a look at <xref linkend="postlfs-security-fw-busybox"/> -
     325<xref linkend="postlfs-security-fw-BB-4"/>.</para>
     326
     327<para>Even if you have daemons or services running on your box, these
     328should be inaccessible everywhere but from your box itself.
     329If you want to allow access to services on your machine, such as ssh or pinging,
     330take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para>
     331
     332</sect3>
     333
     334
     335<sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router">
     336<title>Masquerading Router</title>
     337
     338<para>A true Firewall has two interfaces, one connected to an intranet,
     339in this example, <emphasis role="strong">eth0</emphasis>, and one
     340connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
     341To provide the maximum security against the box itself being broken into,
     342make sure that there are no servers running on it, especially not
     343<application>X11</application> et
     344al.  And, as a general principle, the box itself should not access any untrusted
     345service (Think of a name server giving answers that make your
     346bind crash, or, even worse, that implement a worm via a
     347buffer-overflow).</para>
     348
     349<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
     350#!/bin/sh
     351
     352# Begin $rc_base/init.d/firewall
     353
     354echo
     355echo "You're using the example-config for a setup of a firewall"
     356echo "from the firewalling-hint written for LinuxFromScratch."
     357echo "This example is far from being complete, it is only meant"
     358echo "to be a reference."
     359echo "Firewall security is a complex issue, that exceeds the scope"
     360echo "of the quoted configuration rules."
     361echo "You can find some quite comprehensive information"
     362echo "about firewalls in Chapter 4 of the BLFS book."
     363echo "http://www.linuxfromscratch.org/blfs"
     364echo
     365
     366# Insert iptables modules (not needed if built into the kernel).
     367
     368modprobe ip_tables
     369modprobe iptable_filter
     370modprobe ip_conntrack
     371modprobe ip_conntrack_ftp
     372modprobe ipt_state
     373modprobe iptable_nat
     374modprobe ip_nat_ftp
     375modprobe ipt_MASQUERADE
     376modprobe ipt_LOG
     377modprobe ipt_REJECT
     378
     379# allow local-only connections
     380iptables -A INPUT  -i lo -j ACCEPT
     381iptables -A OUTPUT -o lo -j ACCEPT
     382
     383# allow forwarding
     384iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     385iptables -A FORWARD -m state --state NEW -i ! ppp+       -j ACCEPT
     386
     387# do masquerading    (not needed if intranet is not using private ip-addresses)
     388iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
     389
     390# Log everything for debugging (last of all rules, but before DROP/REJECT)
     391iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
     392iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
     393iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
     394
     395# set a sane policy
     396iptables -P INPUT   DROP
     397iptables -P FORWARD DROP
     398iptables -P OUTPUT  DROP
     399
     400# be verbose on dynamic ip-addresses (not needed in case of static IP)
     401echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     402
     403# disable ExplicitCongestionNotification
     404echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     405
     406# activate TCPsyncookies
     407echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
     408
     409# activate Route-Verification = IP-Spoofing_protection
     410for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
     411        echo 1 &gt; $f
     412done
     413
     414# activate IP-Forwarding
     415echo 1 &gt; /proc/sys/net/ipv4/ip_forward
     416<command>EOF</command></userinput></screen>
     417
     418<para>With this script your intranet should be sufficiently secure against
     419external attacks. No one should be able to setup a new connection to any
     420internal service and, if it's masqueraded, it's even invisible. Furthermore,
     421your firewall should be nearly immune because there are no services running
     422that a cracker could attack.</para>
     423
     424<para>Note: if the interface you're connecting to the Internet
     425doesn't connect via ppp, you will need to change
     426<replaceable>ppp+</replaceable> to the name of the interface which you are
     427using.  If you are using the same interface type to connect to both your
     428intranet and the Internet, you need to use the actual name of the
     429interface such as <emphasis role="strong">eth0</emphasis>,
     430on both interfaces.</para>
     431
     432<para>If you need stronger security (e.g., against DOS, connection
     433highjacking, spoofing, etc.), have a look at the list of
     434<xref linkend="postlfs-security-fw-library"/> at the end of this section.</para>
     435
     436</sect3>
     437
     438<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
     439<title>BusyBox</title>
     440
     441<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>),
     442but in this case you want to offer some services to your intranet.
     443Examples of this can be when you want to admin your box from another host
     444on your intranet or use it as a proxy or a name server. Note: Outlining a true
     445concept of how to protect a server that offers services on the Internet
     446goes far beyond the scope of this document,
     447see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
     448
     449<para>Be cautious.  Every service you offer and have enabled makes your
     450setup more complex and your box less secure. You induce the risks of
     451misconfigured services or running a service with an exploitable bug.  A firewall
     452should generally not run any extra services.  See the introduction to
     453<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>
     454
     455<para>If the services you'd like to offer do not need to access the Internet
     456themselves, like internal-only samba- or name-servers, it's quite
     457simple and should still be acceptable from a security standpoint.
     458Just add the following lines <emphasis>before</emphasis> the logging-rules
     459into the script.</para>
     460
     461<screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
     462iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen>
     463
     464<para>If your daemons have to access the web themselves, like squid would need
     465to, you could open OUTPUT generally and restrict INPUT.</para>
     466
     467<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
     468iptables -A OUTPUT                                      -j ACCEPT</screen>
     469
     470<para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose
     471any control over trojans who'd like to "call home", and a bit of redundancy in case
     472you've (mis-)configured a service so that it does broadcast its existence to the
     473world.</para>
     474
     475<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
     476on all ports except those that it's absolutely necessary to have open.
     477Which ports you have to open depends on your needs: mostly you will find them
     478by looking for failed accesses in your log-files.</para>
     479<itemizedlist spacing="compact">
     480<!-- <orderedlist numeration="arabic" spacing="compact"> -->
     481<title>Have a look at the following examples:</title>
     482
     483<listitem><para>Squid is caching the web:</para>
     484<screen>iptables -A OUTPUT -p tcp --dport 80                              -j ACCEPT
     485iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
     486
     487<listitem><para>Your caching name server (e.g., dnscache) does its
     488lookups via udp:</para>
     489<screen>iptables -A OUTPUT -p udp --dport 53                              -j ACCEPT
     490iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>
     491
     492<listitem><para>Alternatively, if you want to be able to ping your box to ensure
     493it's still alive:</para>
     494<screen>iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
     495iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT</screen></listitem>
     496
     497<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
     498frequently accessing ftp-servers or enjoy chatting, you might notice certain
     499delays because some implementations of these daemons have the feature of
     500querying an identd on your box for logging usernames.
     501Although there's really no harm in this, having an identd running is not
     502recommended because some implementations are known to be vulnerable.</para>
     503
     504<para>To avoid these delays you could reject the requests
     505with a 'tcp-reset':</para>
     506
     507<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
     508iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>
     509
     510<listitem><para>To log and drop invalid packets (harmless packets
     511that came in after netfilter's timeout or some types of network scans):</para>
     512
     513<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
     514"FIREWALL:INVALID"
     515iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
     516
     517<listitem><para>Anything coming from the outside should not have a
     518private address, this is a common attack called IP-spoofing:</para>
     519
     520<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
     521iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
     522iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>
     523
     524<listitem><para>To simplify debugging and be fair to anyone who'd like to
     525access a service you have disabled, purposely or by mistake, you should REJECT
     526those packets that are dropped.</para>
     527
     528<para>Obviously this must be done directly after logging as the very
     529last lines before the packets are dropped by policy:</para>
     530
     531<screen>iptables -A INPUT                        -j REJECT
     532iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
     533</itemizedlist>
     534<!--</orderedlist>-->
     535
     536<para>These are only examples to show you some of the capabilities of the new
     537firewall code in Linux-Kernel 2.4. Have a look at the man page of
     538iptables.
     539There you will find more of them. The port-numbers you'll need for this
     540can be found in <filename>/etc/services</filename>, in case you didn't
     541find them by trial and error in your log file.</para>
     542
     543<para>If you add any of your offered or accessed services such as the above,
     544maybe even in FORWARD and for intranet-communication, and delete the
     545general clauses, you get an old fashioned packet filter.</para>
     546
     547
     548</sect3>
     549
     550</sect2>
     551
     552
     553<sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion">
     554<title>Conclusion</title>
     555
     556<para>Finally, I'd like to remind you of one fact we must not forget:
     557The effort spent attacking a system corresponds to the value the cracker
     558expects to gain from it.
     559If you are responsible for such valuable assets that you expect great
     560effort to be made by potential crackers, you hopefully won't be in the
     561need of this hint!</para>
     562
     563<!-- <para><literallayout>Be cautious!
     564
     565    Henning Rohde
     566<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>
     567
     568<para>PS: And always do remember:
     569SecureIT is not a matter of a status-quo but one of never stopping
     570to take care!</para>
     571
     572<para>PPS: If any of these scripts fail, please tell me. I will try to trace
     573any faults.</para> -->
     574
     575</sect2>
     576
     577
     578<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
     579<title>Extra Information</title>
     580
     581<sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading">
     582<title>Where to start with further reading on firewalls.</title>
     583
     584<para><blockquote><literallayout>
     585<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
     586<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
     587<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
     588<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
     589<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
     590<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
     591<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
     592<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
     593<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
     594<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
     595<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
     596<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
     597<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
     598<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
     599<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
     600<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
     601<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
     602<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
     603<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
     604<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
     605<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
     606<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
     607<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
     608</literallayout></blockquote></para>
     609
     610<!-- <para>If a link proves to be dead or if you think I missed one,
     611please mail!</para> -->
     612
     613</sect3>
     614
     615<sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
     616<title>firewall.status</title>
     617
     618<para>If you'd like to have a look at the chains your firewall consists of and
     619the order in which the rules take effect:</para>
     620
     621<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
     622#!/bin/sh
     623
     624# Begin $rc_base/init.d/firewall.status
     625
     626echo "iptables.mangling:"
     627iptables -t mangle  -v -L -n --line-numbers
     628
     629echo
     630echo "iptables.nat:"
     631iptables -t nat     -v -L -n --line-numbers
     632
     633echo
     634echo "iptables.filter:"
     635iptables            -v -L -n --line-numbers
     636<command>EOF</command></userinput></screen>
     637</sect3>
     638
     639<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
     640<title>firewall.stop</title>
     641
     642<para>If you need to turn the firewall off, this script will do it:</para>
     643
     644<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
     645#!/bin/sh
     646
     647# Being $rc_base/init.d/firewall.stop
     648
     649# deactivate IP-Forwarding
     650echo 0 > /proc/sys/net/ipv4/ip_forward
     651
     652iptables -Z
     653iptables -F
     654iptables -t nat         -F PREROUTING
     655iptables -t nat         -F OUTPUT
     656iptables -t nat         -F POSTROUTING
     657iptables -t mangle      -F PREROUTING
     658iptables -t mangle      -F OUTPUT
     659iptables -X
     660iptables -P INPUT       ACCEPT
     661iptables -P FORWARD     ACCEPT
     662iptables -P OUTPUT      ACCEPT
     663<command>EOF</command></userinput></screen>
     664
     665</sect3>
     666
     667</sect2>
    15668</sect1>
    16669
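Review bot: The anti-spoofing example filters in the wrong table: "iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP" and the two lines after it put DROP rules into the nat table, which netfilter consults only for the first packet of a connection and which is not intended for filtering; these rules belong in the filter table (INPUT, plus FORWARD if the box routes) or in mangle PREROUTING, and the prose should say that "ppp+" stands for whatever the outside interface is. The log-and-drop example restricts itself to "-p tcp", although the text describes INVALID packets in general (timed-out connections, scans), which also occur for udp and icmp; dropping the protocol match covers all of them. In firewall.stop, "-Z", "-F" and "-X" act on the filter table only and just five nat/mangle chains are flushed by name, so user-defined chains and counters in nat and mangle survive a "stop"; "iptables -t nat -F", "iptables -t nat -X" and the same two for mangle would cover every chain regardless of kernel version. Its header comment reads "# Being $rc_base/init.d/firewall.stop" where firewall.status says "# Begin". Finally, the file still carries commented-out markup that should not ship: the disabled orderedlist wrapper around the example list, the author signature and PS/PPS paragraphs after the Conclusion, and the "please mail" paragraph under the link list.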
  • postlfs/security/gnupg.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6
     7  <!ENTITY gnupg-download-http "http://public.ftp.planetmirror.com/pub/gnupg/gnupg-&gnupg-version;.tar.bz2">
     8  <!ENTITY gnupg-download-ftp  "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-&gnupg-version;.tar.bz2">
     9  <!ENTITY gnupg-size          "2.3 MB">
     10  <!ENTITY gnupg-buildsize     "26 MB">
     11  <!ENTITY gnupg-time          "0.44 SBU">
     12]>
     13
    114<sect1 id="gnupg" xreflabel="GnuPG-&gnupg-version;">
    215<?dbhtml filename="gnupg.html"?>
    316<title>GnuPG-&gnupg-version;</title>
    417
    5 &gnupg-intro;
    6 &gnupg-inst;
    7 &gnupg-exp;
    8 &gnupg-desc;
     18<sect2>
     19<title>Introduction to <application>GnuPG</application></title>
     20
     21<para>The <application>GnuPG</application> package contains a public/private
     22key encryptor. This is
     23becoming useful for signing files or emails as proof of identity and
     24preventing tampering with contents of the file or email.</para>
     25
     26<sect3><title>Package information</title>
     27<itemizedlist spacing='compact'>
     28<listitem><para>Download (HTTP): <ulink
     29url="&gnupg-download-http;"/></para></listitem>
     30<listitem><para>Download (FTP): <ulink
     31url="&gnupg-download-ftp;"/></para></listitem>
     32<listitem><para>Download size: &gnupg-size;</para></listitem>
     33<listitem><para>Estimated Disk space required:
     34&gnupg-buildsize;</para></listitem>
     35<listitem><para>Estimated build time:
     36&gnupg-time;</para></listitem></itemizedlist>
     37</sect3>
     38
     39<sect3><title><application>GnuPG</application> dependencies</title>
     40<sect4><title>Optional</title>
     41<para><xref linkend="openldap"/></para></sect4>
     42</sect3>
     43
     44</sect2>
     45
     46<sect2>
     47<title>Installation of <application>GnuPG</application></title>
     48
     49<para>Install <application>GnuPG</application> by running the following commands:</para>
     50
     51<screen><userinput><command>./configure --prefix=/usr --libexecdir=/usr/lib &amp;&amp;
     52make &amp;&amp;
     53make install &amp;&amp;
     54chmod 4755 /usr/bin/gpg</command></userinput></screen>
     55
     56</sect2>
     57
     58<sect2>
     59<title>Command explanations</title>
     60
     61<para><parameter>--libexecdir=/usr/lib</parameter>: This command
     62creates a <filename class="directory">gnupg</filename> directory in
     63<filename class="directory">/usr/lib</filename> instead of
     64<filename class="directory">/usr/libexec</filename>.</para>
     65
     66<para><command>chmod 4755 /usr/bin/gpg</command>: We install
     67<command>gpg</command> setuid root to avoid swapping out of
     68sensitive data.</para>
     69
     70</sect2>
     71
     72<sect2>
     73<title>Contents</title>
     74
     75<para>The <application>GnuPG</application> package contains <command>gpg</command>,
     76<command>gpgsplit</command> and <command>gpgv</command>.</para>
     77
     78</sect2>
     79
     80<sect2><title>Description</title>
     81
     82<sect3><title>gpg</title>
     83<para><command>gpg</command> is the backend (command-line interface) for
     84this Open<acronym>PGP</acronym>
     85implementation.</para></sect3>
     86
     87<sect3><title>gpgsplit</title>
     88<para><command>gpgsplit</command> separates key rings.</para></sect3>
     89
     90<sect3><title>gpgv</title>
     91<para><command>gpgv</command> is a verify only version of
     92<command>gpg</command>.</para></sect3>
     93
     94</sect2>
    995
    1096</sect1>
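Review bot: The explanation of "chmod 4755 /usr/bin/gpg" ("to avoid swapping out of sensitive data") should spell out the trade-off of installing a setuid-root binary: gpg needs root only for the mlock() call that pins its secure-memory pool, it drops that privilege immediately after locking, and a non-setuid gpg still works and merely prints an "insecure memory" warning, so readers who would rather not add a setuid binary should be told they can omit that line. The "--libexecdir=/usr/lib" explanation opens with "This command creates a gnupg directory"; it is a configure switch, not a command, and the parallel text in heimdal.xml already says "This switch". Minor: "separates key rings" undersells gpgsplit, which splits an OpenPGP message into its individual packets.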
  • postlfs/security/heimdal.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6
     7  <!ENTITY heimdal-download-http "http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-&heimdal-version;.tar.gz">
     8  <!ENTITY heimdal-download-ftp  "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
     9  <!ENTITY heimdal-size          "3.2 MB">
     10  <!ENTITY heimdal-buildsize     "142 MB">
     11  <!ENTITY heimdal-time          "2.55 SBU">
     12]>
     13
    114<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
    215<?dbhtml filename="heimdal.html"?>
    316<title>Heimdal-&heimdal-version;</title>
    417
    5 &heimdal-intro;
    6 &heimdal-inst;
    7 &heimdal-exp;
    8 &heimdal-config;
    9 &heimdal-desc;
     18<sect2>
     19<title>Introduction to <application>Heimdal</application></title>
     20
     21<para> <application>Heimdal</application> is a free implementation of Kerberos
     225, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
     23compatible with krb4. Kerberos is a network authentication protocol. Basically
     24it preserves the integrity of passwords in any untrusted network (like the
     25Internet). Kerberized applications work hand-in-hand with sites that support
     26Kerberos to ensure that passwords cannot be stolen. A Kerberos installation
     27will make changes to the authentication mechanisms on your network and will
     28overwrite several programs and daemons from the Coreutils, Inetutils, Qpopper
     29and Shadow packages.  </para>
     30
     31<sect3><title>Package information</title>
     32<itemizedlist spacing='compact'>
     33<listitem><para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para></listitem>
     34<listitem><para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para></listitem>
     35<listitem><para>Download size: &heimdal-size;</para></listitem>
     36<listitem><para>Estimated Disk space required: &heimdal-buildsize;</para></listitem>
     37<listitem><para>Estimated build time: &heimdal-time;</para></listitem></itemizedlist>
     38</sect3>
     39
     40<sect3><title>Additional downloads</title>
     41<itemizedlist spacing='compact'>
     42<listitem><para>Required patch: <ulink
     43url="&patch-root;/heimdal-&heimdal-version;-fhs-compliance-1.patch"/></para>
     44</listitem>
     45<listitem><para>Required patch for cracklib: <ulink
     46url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
     47</listitem>
     48</itemizedlist>
     49
     50</sect3>
     51
     52<sect3><title><application>Heimdal</application> dependencies</title>
     53<sect4><title>Required</title>
     54<para>
     55<xref linkend="openssl"/> and
     56<xref linkend="db"/>
     57</para></sect4>
     58<sect4><title>Optional</title>
     59<para>
     60<xref linkend="readline"/>,
     61<xref linkend="Linux_PAM"/>,
     62<xref linkend="openldap"/>,
     63X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>),
     64<xref linkend="cracklib"/> and
     65<ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink>
     66</para>
     67
     68<note><para>
     69Some sort of time synchronization facility on your system (like <xref
     70linkend="ntp"/>) is required since Kerberos won't authenticate if the
     71time differential between a kerberized client and the
     72<acronym>KDC</acronym> server is more than 5 minutes.</para></note>
     73</sect4>
     74
     75</sect3>
     76
     77</sect2>
     78
     79<sect2>
     80<title>Installation of <application>Heimdal</application></title>
     81
     82<para>
     83Before installing the package, you may want to preserve the
     84<command>ftp</command> program from the Inetutils package. This is
     85because using the Heimdal <command>ftp</command> program to connect to
     86non kerberized ftp servers may not work properly. It will allow you to
     87connect (letting you know that transmission of the password is clear
     88text) but will have problems doing puts and gets.
     89</para>
     90
     91<screen><userinput><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>
     92
     93<para>
     94If you wish the Heimdal package to link against the cracklib library,
     95you must apply a patch:
     96</para>
     97
     98<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen>
     99
     100<para>Install <application>Heimdal</application> by running the following commands:</para>
     101
     102<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs-compliance-1.patch &amp;&amp;
     103./configure --prefix=/usr --sysconfdir=/etc/heimdal \
     104    --datadir=/var/lib/heimdal --libexecdir=/usr/sbin \
     105    --sharedstatedir=/usr/share --localstatedir=/var/lib/heimdal \
     106    --enable-shared --with-openssl=/usr &amp;&amp;
     107make &amp;&amp;
     108make install &amp;&amp;
     109mv /bin/login /bin/login.shadow &amp;&amp;
     110mv /bin/su /bin/su.coreutils &amp;&amp;
     111mv /usr/bin/{login,su} /bin &amp;&amp;
     112ln -sf ../../bin/login /usr/bin &amp;&amp;
     113mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib &amp;&amp;
     114mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib &amp;&amp;
     115mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib &amp;&amp;
     116mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib &amp;&amp;
     117ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib &amp;&amp;
     118ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib &amp;&amp;
     119ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib &amp;&amp;
     120ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib &amp;&amp;
     121ldconfig</command></userinput></screen>
     122
     123</sect2>
     124
     125<sect2>
     126<title>Command explanations</title>
     127
     128<para><parameter>--libexecdir=/usr/sbin</parameter>:
     129This switch puts the daemon programs into <filename
     130class="directory">/usr/sbin</filename>.
     131</para>
     132
     133<note><para>
     134If you want to preserve all your existing Inetutils package daemons,
     135install the Heimdal daemons into <filename
     136class="directory">/usr/sbin/heimdal</filename> (or wherever you want).
     137Since these programs will be called from <command>(x)inetd</command> or
     138<command>rc</command> scripts, it really doesn't matter where they live,
     139as long as they are correctly specified in the
     140<filename>/etc/(x)inetd.conf</filename> file and <command>rc</command>
     141scripts. If you choose something other than <filename
     142class="directory">/usr/sbin</filename>, you may want to move some of the
     143user programs (such as <command>kadmin</command>) to <filename
     144class="directory">/usr/sbin</filename> manually.
     145</para></note>
     146
     147<para>
     148<screen><command>mv /bin/login /bin/login.shadow
     149mv /bin/su /bin/su.coreutils
     150mv /usr/bin/{login,su} /bin
     151ln -sf ../../bin/login /usr/bin</command></screen>
     152The <command>login</command> and <command>su</command> programs
     153installed by Heimdal belong in the <filename
     154class="directory">/bin</filename> directory. The
     155<command>login</command> program is symlinked because Heimdal is expecting
     156to find it in <filename class="directory">/usr/bin</filename>. We
     157preserve the old executables before the move to keep things sane should
     158breaks occur.
     159</para>
     160
     161<para>
     162<screen><command>mv /usr/lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /lib
     163mv /usr/lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /lib
     164mv /usr/lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /lib
     165mv /usr/lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /lib
     166ln -sf ../../lib/lib{otp.so.0,otp.so.0.1.4,kafs.so.0,kafs.so.0.4.0} /usr/lib
     167ln -sf ../../lib/lib{krb5.so.17,krb5.so.17.3.0,asn1.so.6,asn1.so.6.0.2} /usr/lib
     168ln -sf ../../lib/lib{roken.so.16,roken.so.16.0.3,crypto.so.0.9.7} /usr/lib
     169ln -sf ../../lib/lib{com_err.so.2,com_err.so.2.1,db-4.1.so} /usr/lib</command></screen>
     170The <command>login</command> and <command>su</command> programs
     171installed by Heimdal link against Heimdal libraries as well as crypto
     172and db libraries. We move these libraries to <filename
     173class="directory">/lib</filename> to be <acronym>FHS</acronym>
     174compliant and in case when <filename
     175class="directory">/usr</filename> is located on a separate partition which
     176may not always be mounted.
     177</para>
     178
     179</sect2>
     180
     181<sect2>
     182<title>Configuring Heimdal</title>
     183
     184<sect3><title>Config files</title>
     185<para><filename>/etc/heimdal/*</filename></para>
     186</sect3>
     187
     188<sect3><title>Configuration Information</title>
     189
     190<sect4><title>Master KDC Server Configuration</title>
     191
     192<para>
     193Create the Kerberos configuration file with the following command:
     194</para>
     195
     196<screen><userinput><command>install -d /etc/heimdal &amp;&amp;
     197cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
     198# Begin /etc/heimdal/krb5.conf
     199       
     200[libdefaults]
     201    default_realm = <replaceable>[LFS.ORG]</replaceable>
     202    encrypt = true
     203
     204[realms]
     205    <replaceable>[LFS.ORG]</replaceable> = {
     206        kdc = <replaceable>[belgarath.lfs.org]</replaceable>
     207        admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
     208        kpasswd_server = <replaceable>[belgarath.lfs.org]</replaceable>
     209    }
     210
     211[domain_realm]
     212    .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
     213
     214[logging]
     215    kdc = FILE:/var/log/kdc.log
     216    admin_server = FILE:/var/log/kadmin.log
     217    default = FILE:/var/log/krb.log
     218
     219# End /etc/heimdal/krb5.conf
     220<command>EOF</command></userinput></screen>
     221
     222<para>
     223You will need to substitute your domain and proper hostname for the
     224occurances of the belgarath and lfs.org names.
     225</para>
     226
     227<para>
     228<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
     229This isn't required, but both Heimdal and <acronym>MIT</acronym>
     230recommend it.
     231</para>
     232
     233<para>
     234<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
     235clients and servers. It's not necessary and can be left off. If you
     236leave it off, you can encrypt all traffic from the client to the server
     237using a switch on the client program instead.
     238</para>
     239
     240<para>
     241The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
     242<acronym>KDC</acronym> authentication services.
     243</para>
     244
     245<para>
     246The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
     247</para>
     248
     249<para>
     250Store the master password in a key file using the following commands:
     251</para>
     252
     253<screen><userinput><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
     254kstash</command></userinput></screen>
     255
     256<para>
     257Create the <acronym>KDC</acronym> database:
     258</para>
     259
     260<screen><userinput><command>kadmin -l</command></userinput></screen>
     261
     262<para>
     263Choose the defaults for now. You can go in later and change the
     264defaults, should you feel the need. At the
     265<userinput>kadmin&gt;</userinput> prompt, issue the following statement:
     266</para>
     267
     268<screen><userinput><command>init <replaceable>[LFS.ORG]</replaceable></command></userinput></screen>
     269
     270<para>
     271Now we need to populate the database with principles (users). For now,
     272just use your regular login name or root.
     273</para>
     274
     275<screen><userinput><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
     276
     277<para>
     278The <acronym>KDC</acronym> server and any machine running kerberized
     279server daemons must have a host key installed:
     280</para>
     281
     282<screen><userinput><command>add --random-key host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
     283
     284<para>
     285After choosing the defaults when prompted, you will have to export the
     286data to a keytab file:
     287</para>
     288
     289<screen><userinput><command>ext host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
     290
     291<para>
     292This should have created two files in
     293<filename class="directory">/etc/heimdal</filename>;
     294<filename>krb5.keytab</filename> (Kerberos 5) and
     295<filename>srvtab</filename> (Kerberos 4). Both files should have 600
     296(root rw only) permissions. Keeping the keytab files from public access
     297is crucial to the overall security of the Kerberos installation.
     298</para>
     299
     300<para>
     301Eventually, you'll want to add server daemon principles to the database
     302and extract them to the keytab file. You do this in the same way you
     303created the host principles. Below is an example:
     304</para>
     305
     306<screen><userinput><command>add --random-key ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
     307
     308<para>
     309(choose the defaults)
     310</para>
     311
     312<screen><userinput><command>ext ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
     313
     314<para>
     315Exit the <command>kadmin</command> program (use <command>quit</command>
     316or <command>exit</command>) and return back to the shell prompt. Start
     317the <acronym>KDC</acronym> daemon manually, just to test out the
     318installation:
     319</para>
     320
     321<screen><userinput><command>/usr/sbin/kdc &amp;</command></userinput></screen>
     322
     323<para>
     324Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with the
     325following command:
     326</para>
     327
     328<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
     329
     330<para>
     331You will be prompted for the password you created. After you get your
     332ticket, you should list it with the following command:
     333</para>
     334
     335<screen><userinput><command>klist</command></userinput></screen>
     336
     337<para>
     338Information about the ticket should be displayed on the screen.
     339</para>
     340
     341<para>
     342To test the functionality of the keytab file, issue the following
     343command:
     344</para>
     345
     346<screen><userinput><command>ktutil list</command></userinput></screen>
     347
     348<para>
     349This should dump a list of the host principals, along with the encryption
     350methods used to access the principals.
     351</para>
     352
     353<para>
     354At this point, if everything has been successful so far, you can feel
     355fairly confident in the installation and configuration of the package.
     356</para>
     357
     358<para>Install the <filename>/etc/rc.d/init.d/heimdal</filename> init script
     359included in the <xref linkend="intro-important-bootscripts"/>
     360package.</para>
     361
     362<screen><userinput><command>make install-heimdal</command></userinput></screen>
     363
     364</sect4>
     365
     366<sect4><title>Using Kerberized Client Programs</title>
     367
     368<para>
     369To use the kerberized client programs (<command>telnet</command>,
     370<command>ftp</command>, <command>rsh</command>,
     371<command>rxterm</command>, <command>rxtelnet</command>,
     372<command>rcp</command>, <command>xnlock</command>), you first must get
     373a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
     374get the ticket. After you've acquired the ticket, you can use the
     375kerberized programs to connect to any kerberized server on the network.
     376You will not be prompted for authentication until your ticket expires
     377(default is one day), unless you specify a different user as a command
     378line argument to the program.
     379</para>
     380
     381<para>
     382The kerberized programs will connect to non kerberized daemons, warning
     383you that authentication is not encrypted. As mentioned earlier, only the
     384<command>ftp</command> program gives any trouble connecting to non
     385kerberized daemons.
     386</para>
     387
     388<para>
     389For additional information consult <ulink
     390url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
     391Heimdal hint</ulink> on which the above instructions are based.
     392</para>
     393
     394</sect4>
     395
     396</sect3>
     397
     398</sect2>
     399
     400<sect2>
     401<title>Contents</title>
     402
     403<para>The <application>Heimdal</application> package contains
     404<command>afslog</command>,
     405<command>dump_log</command>,
     406<command>ftp</command>,
     407<command>ftpd</command>,
     408<command>hprop</command>,
     409<command>hpropd</command>,
     410<command>ipropd-master</command>,
     411<command>ipropd-slave</command>,
     412<command>kadmin</command>,
     413<command>kadmind</command>,
     414<command>kauth</command>,
     415<command>kdc</command>,
     416<command>kdestroy</command>,
     417<command>kf</command>,
     418<command>kfd</command>,
     419<command>kgetcred</command>,
     420<command>kinit</command>,
     421<command>klist</command>,
     422<command>kpasswd</command>,
     423<command>kpasswdd</command>,
     424<command>krb5-config</command>,
     425<command>kstash</command>,
     426<command>ktutil</command>,
     427<command>kx</command>,
     428<command>kxd</command>,
     429<command>login</command>,
     430<command>mk_cmds</command>,
     431<command>otp</command>,
     432<command>otpprint</command>,
     433<command>pagsh</command>,
     434<command>pfrom</command>,
     435<command>popper</command>,
     436<command>push</command>,
     437<command>rcp</command>,
     438<command>replay_log</command>,
     439<command>rsh</command>,
     440<command>rshd</command>,
     441<command>rxtelnet</command>,
     442<command>rxterm</command>,
     443<command>string2key</command>,
     444<command>su</command>,
     445<command>telnet</command>,
     446<command>telnetd</command>,
     447<command>tenletxr</command>,
     448<command>truncate_log</command>,
     449<command>verify_krb5_conf</command>,
     450<command>xnlock</command>,
     451<filename class="libraryfile">libasn1</filename>,
     452<filename class="libraryfile">libeditline</filename>,
     453<filename class="libraryfile">libgssapi</filename>,
     454<filename class="libraryfile">libhdb</filename>,
     455<filename class="libraryfile">libkadm5clnt</filename>,
     456<filename class="libraryfile">libkadm5srv</filename>,
     457<filename class="libraryfile">libkafs</filename>,
     458<filename class="libraryfile">libkrb5</filename>,
     459<filename class="libraryfile">libotp</filename>,
     460<filename class="libraryfile">libroken</filename>,
     461<filename class="libraryfile">libsl</filename> and
     462<filename class="libraryfile">libss</filename>.
     463
     464</para>
     465
     466</sect2>
     467
     468<sect2><title>Description</title>
     469
     470<sect3><title>afslog</title>
     471<para><command>afslog</command> obtains AFS tokens for a number of
     472cells.</para></sect3>
     473
     474<sect3><title>hprop</title>
     475<para><command>hprop</command> takes a principal database in a specified
     476format and converts it into a stream of Heimdal database
     477records.</para></sect3>
     478
     479<sect3><title>hpropd</title>
     480<para><command>hpropd</command> receives a database sent by
     481<command>hprop</command> and writes it as a local
     482database.</para></sect3>
     483
     484<sect3><title>kadmin</title>
     485<para><command>kadmin</command> is an utility used to make modifications
     486to the Kerberos database.</para></sect3>
     487
     488<sect3><title>kadmind</title>
     489<para><command>kadmind</command> is a server for administrative access
     490to Kerberos database.</para></sect3>
     491
     492<sect3><title>kauth, kinit</title>
     493<para><command>kauth</command> and <command>kinit</command> are used to
     494authenticate to the Kerberos server as principal and acquire a ticket
     495granting ticket that can later be used to obtain tickets for other
     496services.</para></sect3>
     497
     498<sect3><title>kdc</title>
     499<para><command>kdc</command> is a Kerberos 5 server.</para></sect3>
     500
     501<sect3><title>kdestroy</title>
     502<para><command>kdestroy</command> removes the current set of
     503tickets.</para></sect3>
     504
     505<sect3><title>kf</title>
     506<para><command>kf</command> is a program which forwards tickets to a
     507remote host through an authenticated and encrypted
     508stream.</para></sect3>
     509
     510<sect3><title>kfd</title>
     511<para><command>kfd</command> receives forwarded tickets.</para></sect3>
     512
     513<sect3><title>kgetcred</title>
     514<para><command>kgetcred</command> obtains a ticket for a
     515service.</para></sect3>
     516
     517<sect3><title>klist</title>
     518<para><command>klist</command> reads and displays the current tickets in
     519the credential cache.</para></sect3>
     520
     521<sect3><title>kpasswd</title>
     522<para><command>kpasswd</command> is a program for changing Kerberos 5
     523passwords.</para></sect3>
     524
     525<sect3><title>kpasswdd</title>
     526<para><command>kpasswdd</command> is a Kerberos 5 password changing
     527server.</para></sect3>
     528
     529<sect3><title>krb5-config</title>
     530<para><command>krb5-config</command> gives information on how to link
     531programs against Heimdal libraries.</para></sect3>
     532
     533<sect3><title>kstash</title>
     534<para><command>kstash</command> stores the <acronym>KDC</acronym> master
     535password in a file.</para></sect3>
     536
     537<sect3><title>ktutil</title>
     538<para><command>ktutil</command> is a program for managing Kerberos
     539keytabs.</para></sect3>
     540
     541<sect3><title>kx</title>
     542<para><command>kx</command> is a program which securely forwards X
     543connections.</para></sect3>
     544
     545<sect3><title>kxd</title>
     546<para><command>kxd</command> is the daemon for
     547<command>kx</command>.</para></sect3>
     548
     549<sect3><title>otp</title>
     550<para><command>otp</command> manages one-time passwords.</para></sect3>
     551
     552<sect3><title>otpprint</title>
     553<para><command>otpprint</command> prints lists of one-time
     554passwords.</para></sect3>
     555
     556<sect3><title>rxtelnet</title>
     557<para><command>rxtelnet</command> program starts an
     558<command>xterm</command> window with a telnet to given host and forwards
     559X connections.</para></sect3>
     560
     561<sect3><title>rxterm</title>
     562<para><command>rxterm</command> starts a secure remote
     563<command>xterm</command>.</para></sect3>
     564
     565<sect3><title>string2key</title>
     566<para><command>string2key</command> maps a password into a
     567key.</para></sect3>
     568
     569<sect3><title>tenletxr</title>
     570<para><command>tenletxr</command> forwards X connections
     571backwards.</para></sect3>
     572
     573<sect3><title>verify_krb5_conf</title>
     574<para><command>verify_krb5_conf</command> checks
     575<filename>krb5.conf</filename> file for obvious errors.</para></sect3>
     576
     577<sect3><title>xnlock</title>
     578<para><command>xnlock</command> is a program that acts as a secure screen
     579saver for workstations running X.</para></sect3>
     580
     581</sect2>
    10582
    11583</sect1>
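Review bot: The Description sect2 of this file documents only 28 of the 47 programs listed under Contents; dump_log, ftp, ftpd, ipropd-master, ipropd-slave, login, mk_cmds, pagsh, pfrom, popper, push, rcp, replay_log, rsh, rshd, su, telnet, telnetd and truncate_log have no sect3 at all. The gaps that matter are login, su, ftpd, rshd and telnetd: they are Kerberized replacements for a setuid system binary and for network daemons, and a reader installing Heimdal for a client may not expect them to be installed. A one-line sect3 for each, in the style of the existing entries, saying that they are the Kerberos-aware versions, would let readers decide what to keep. Two smaller points in the same section: the kstash entry says it "stores the KDC master password in a file" but not that the resulting file must be readable by root only, which is the whole point of that command; and "an utility" in the kadmin entry should read "a utility".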
  • postlfs/security/iptables.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6
     7  <!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2">
     8  <!ENTITY iptables-download-ftp  "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
     9  <!ENTITY iptables-size          "183 KB">
     10  <!ENTITY iptables-buildsize     "3.4 MB">
     11  <!ENTITY iptables-time          "0.13 SBU">
     12]>
     13
    114<sect1 id="postlfs-security-iptables">
    215<?dbhtml filename="iptables.html"?>
    316<title>iptables-&iptables-version;</title>
    417
    5 <para>The next part of this chapter deals with firewalls.  The
    6 principle firewall tool for Linux, as of the 2.4 kernel series, is
     18<para>The next part of this chapter deals with firewalls.  The principle
     19firewall tool for Linux, as of the 2.4 kernel series, is
    720<application>iptables</application>.  It replaces
    821<application>ipchains</application> from the 2.2 series and
    9 <application>ipfwadm</application> from the
    10 2.0 series. You will need to install <application>iptables</application> if
    11 you intend on using any form of a firewall.</para>
     22<application>ipfwadm</application> from the 2.0 series. You will need to
     23install <application>iptables</application> if you intend on using any form of
     24a firewall.</para>
    1225
    13 &iptables-intro;
    14 &iptables-inst;
    15 &iptables-exp;
    16 &iptables-desc;
     26<sect2>
     27<title>Introduction to <application>iptables</application></title>
     28
     29<para>To use a firewall, as well as installing
     30<application>iptables</application>, you will need
     31to configure the relevant options into your kernel.  This is discussed
     32in the next part of this chapter - <xref linkend="postlfs-security-fw-kernel"/>.</para>
     33
     34<para>If you intend to use <acronym>IP</acronym>v6 you might consider extending
     35the kernel by running <command>make patch-o-matic</command> in the top-level
     36directory of the sources of <application>iptables</application>.  If you are
     37going to do this, on a freshly untarred kernel, you need to run
     38<command>yes "" | make config &amp;&amp; make dep</command> first because
     39otherwise the patch-o-matic command is likely to fail while setting up
     40some dependencies.</para>
     41
     42<para>If you are going to patch the kernel, you need to do it before you
     43compile <application>iptables</application>, because during the compilation,
     44the kernel source tree is checked (if it is available at <filename
     45class="directory">/usr/src/linux-<replaceable>[version]</replaceable>
     46</filename>) to see which features are available.  Support will only be compiled
     47into <application>iptables</application> for the features recognized at
     48compile-time.  Applying a kernel patch may result in errors, often because the
     49hooks for the patches have changed or because the runme script doesn't
     50recognize that a patch has already been incorporated.</para>
     51
     52<para>Note that for most people, patching the kernel is unnecessary.
     53With the later 2.4.x kernels, most functionality is already available
     54and those who need to patch it are generally those who need a specific
     55feature; if you don't know why you need to patch the kernel, you're
     56unlikely to need to!</para>
     57
     58<sect3><title>Package information</title>
     59<itemizedlist spacing='compact'>
     60<listitem><para>Download (HTTP): <ulink
     61url="&iptables-download-http;"/></para></listitem>
     62<listitem><para>Download (FTP): <ulink
     63url="&iptables-download-ftp;"/></para></listitem>
     64<listitem><para>Download size: &iptables-size;</para></listitem>
     65<listitem><para>Estimated Disk space required:
     66&iptables-buildsize;</para></listitem>
     67<listitem><para>Estimated build time:
     68&iptables-time;</para></listitem></itemizedlist>
     69</sect3>
     70
     71</sect2>
     72
     73
     74<sect2>
     75<title>Installation of <application>iptables</application></title>
     76
     77<para>Install <application>iptables</application> by running the following commands:</para>
     78
     79<screen><userinput><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin &amp;&amp;
     80make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</command></userinput></screen>
     81
     82</sect2>
     83
     84
     85<sect2>
     86<title>Command explanations</title>
     87
     88<para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles and installs
     89<application>iptables</application> libraries into <filename
     90class="directory">/lib</filename>, binaries into <filename
     91class="directory">/sbin</filename> and the remainder into the
     92<filename class="directory">/usr</filename> hierarchy instead of
     93<filename class="directory">/usr/local</filename>. Firewalls are
     94generally set during the boot process and <filename
     95class="directory">/usr</filename> may not be mounted at that time.</para>
     96
     97</sect2>
     98
     99<sect2>
     100<title>Contents</title>
     101
     102<para>The <application>iptables</application> package contains <command>iptables</command>,
     103<command>iptables-restore</command>, <command>iptables-save</command>,
     104<command>ip6tables</command> and some libraries.</para>
     105
     106</sect2>
     107
     108<sect2><title>Description</title>
     109
     110<sect3><title>iptables</title>
     111<para><command>iptables</command> is used to set up, maintain, and inspect the
     112tables of <acronym>IP</acronym> packet filter rules in the Linux kernel.</para>
     113</sect3>
     114
     115<sect3><title>iptables-restore, iptables-save</title>
     116<para>These are used to save and to restore your elaborated set of chains and
     117rules. Until <application>iptables</application>-1.2.5, they were declared
     118experimental.</para>
     119</sect3>
     120
     121<sect3 id="ip6tables" xreflabel="ip6tables"><title>ip6tables</title>
     122<para>This is the same as <command>iptables</command> but for use with
     123<acronym>IP</acronym>v6.  As of v1.2.5, it is not as complete as the standard
     124<acronym>IP</acronym>v4 version, especially with regard to some of the modules.</para>
     125</sect3>
     126
     127<sect3><title>libip*.so</title>
     128<para>These are various modules (implemented as dynamic libraries) which
     129extend the core functionality of <command>iptables</command>.</para>
     130</sect3>
     131
     132</sect2>
    17133
    18134</sect1>
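Review bot: The Introduction paragraph beginning "If you intend to use IPv6 you might consider extending the kernel by running make patch-o-matic" ties kernel patching to IPv6, yet the Contents and Description sections of the same file list ip6tables as a standard part of the package and the next paragraph says most people do not need to patch the kernel at all. Suggest rewording so that patch-o-matic is described as the way to pull in netfilter matches and targets that are not yet in the stock 2.4 kernel, and so that IPv6 users are pointed at ip6tables rather than at a kernel patch. Two smaller points: the Description entries still say "Until iptables-1.2.5, they were declared experimental" and "As of v1.2.5, it is not as complete", which is stale against the &iptables-version; entity used in the title and should be updated or dropped; and "principle firewall tool" should be "principal firewall tool".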
  • postlfs/security/linux_pam.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6
     7
     8  <!ENTITY Linux_PAM-download-http "http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2">
     9  <!ENTITY Linux_PAM-download-ftp "ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2">
     10  <!ENTITY Linux_PAM-size      "332 KB">
     11  <!ENTITY Linux_PAM-buildsize "4.1 MB">
     12  <!ENTITY Linux_PAM-time      "0.07 SBU">
     13]>
     14
    115<sect1 id="Linux_PAM" xreflabel="Linux-PAM-&Linux_PAM-version;">
    216<?dbhtml filename="linux_pam.html"?>
    317<title>Linux-PAM-&Linux_PAM-version;</title>
    418
    5 &Linux_PAM-intro;
    6 &Linux_PAM-inst;
    7 &Linux_PAM-exp;
    8 &Linux_PAM-config;
    9 &Linux_PAM-desc;
     19<sect2>
     20<title>Introduction to <application>Linux-<acronym>PAM</acronym></application>
     21</title>
     22
     23<para>The <application>Linux-<acronym>PAM</acronym></application> package
     24contains Pluggable Authentication Modules. This is useful to enable the local
     25system administrator to choose how applications authenticate users.</para>
     26
     27<sect3><title>Package information</title>
     28<itemizedlist spacing='compact'>
     29<listitem><para>Download (HTTP): <ulink
     30url="&Linux_PAM-download-http;"/></para></listitem>
     31<listitem><para>Download (FTP): <ulink
     32url="&Linux_PAM-download-ftp;"/></para></listitem>
     33<listitem><para>Download size: &Linux_PAM-size;</para></listitem>
     34<listitem><para>Estimated Disk space required:
     35&Linux_PAM-buildsize;</para></listitem>
     36<listitem><para>Estimated build time:
     37&Linux_PAM-time;</para></listitem></itemizedlist>
     38</sect3>
     39
     40<sect3><title>Additional download</title>
     41<itemizedlist spacing='compact'>
     42<listitem><para>Required patch:
     43<ulink url="&patch-root;/Linux-PAM-0.77-linkage-3.patch"/></para></listitem></itemizedlist>
     44</sect3>
     45
     46<sect3><title><application>Linux-<acronym>PAM</acronym></application> dependencies</title>
     47<sect4><title>Optional</title>
     48<para><xref linkend="cracklib"/></para></sect4>
     49</sect3>
     50
     51</sect2>
     52
     53<sect2>
     54<title>Installation of <application>Linux-<acronym>PAM</acronym></application>
     55</title>
     56
     57<para>Install <application>Linux-<acronym>PAM</acronym></application> by
     58running the following commands:</para>
     59
     60<screen><userinput><command>patch -Np1 -i ../Linux-PAM-0.77-linkage-3.patch &amp;&amp;
     61autoconf &amp;&amp;
     62./configure --enable-static-libpam --with-mailspool=/var/mail \
     63    --enable-read-both-confs --sysconfdir=/etc &amp;&amp;
     64make &amp;&amp;
     65make install &amp;&amp;
     66mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a /usr/lib &amp;&amp;
     67ln -sf ../../lib/libpam.so.&Linux_PAM-version; /usr/lib/libpam.so &amp;&amp;
     68ln -sf ../../lib/libpam_misc.so.&Linux_PAM-version; /usr/lib/libpam_misc.so &amp;&amp;
     69ln -sf ../../lib/libpamc.so.&Linux_PAM-version; /usr/lib/libpamc.so</command></userinput></screen>
     70
     71</sect2>
     72
     73
     74<sect2>
     75<title>Command explanations</title>
     76
     77<para><command>autoconf</command>:  This is necessary as in the patch, we
     78change where <acronym>PAM</acronym> looks for the cracklib libs.  This
     79requires that the configure script be recreated.</para>
     80
     81<para><option>--enable-static-libpam</option>: This switch builds
     82static <acronym>PAM</acronym> libraries as well as the dynamic libraries.</para>
     83
     84<para><parameter>--with-mailspool=/var/mail</parameter>: This switch makes
     85the mailspool directory <acronym>FHS</acronym> compliant.</para>
     86
     87<para><option>--enable-read-both-confs</option>: This switch lets the local
     88administrator choose which configuration file setup to use.</para>
     89
     90<para><command>mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a
     91/usr/lib</command>: This command moves the static libraries to
     92<filename>/usr/lib</filename> to comply with <acronym>FHS</acronym>.</para>
     93
     94</sect2>
     95
     96
     97<sect2>
     98<title>Configuring <application>Linux-<acronym>PAM</acronym></application>
     99</title>
     100
     101<sect3><title>Config files</title>
     102<para><filename>/etc/pam.d</filename> or <filename>/etc/pam.conf</filename>
     103</para></sect3>
     104
     105<sect3><title>Configuration Information</title>
     106
     107<para>Configuration information is placed in <filename>/etc/pam.d</filename> or
     108<filename>/etc/pam.conf</filename> depending on user preference.  Below are
     109example files of each type:</para>
     110
     111<screen># Begin /etc/pam.d/other
     112
     113auth            required        pam_unix.so     nullok
     114account         required        pam_unix.so
     115session         required        pam_unix.so
     116password        required        pam_unix.so     nullok
     117
     118# End /etc/pam.d/other
     119
     120# Begin /etc/pam.conf
     121
     122other           auth            required        pam_unix.so     nullok
     123other           account         required        pam_unix.so
     124other           session         required        pam_unix.so
     125other           password        required        pam_unix.so     nullok
     126
     127# End /etc/pam.conf</screen>
     128
     129<para>The <application><acronym>PAM</acronym></application> man page
     130(<command>man pam</command>) provides a good starting point for descriptions
     131of fields and allowable entries.  The
     132<ulink url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html">
     133Linux-PAM guide for system administrators</ulink>
     134is recommended for further reading.</para>
     135
     136<para>Refer to <ulink url="http://www.kernel.org/pub/linux/libs/pam/modules.html"/>
     137for a list of various modules available.</para>
     138
     139</sect3>
     140
     141</sect2>
     142
     143<sect2>
     144<title>Contents</title>
     145
     146<para>The <application>Linux-<acronym>PAM</acronym></application> package
     147contains <command>unix-chkpwd</command> and <filename
     148class="libraryfile">libpam</filename>
     149libraries.</para>
     150
     151</sect2>
     152
     153<sect2><title>Description</title>
     154
     155<sect3><title>unix-chkpwd</title>
     156<para>No description available.</para></sect3>
     157
     158<sect3><title>libpam libraries</title>
     159<para><filename class="libraryfile">libpam</filename> libraries provide the interfaces between
     160applications and the modules included with <acronym>PAM</acronym>.</para></sect3>
     161
     162</sect2>
     163
    10164
    11165</sect1>
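Review bot: The example /etc/pam.d/other and /etc/pam.conf in the Configuration Information section use "auth required pam_unix.so nullok" and "password required pam_unix.so nullok" for the other service. Because other is the fallback stack for every PAM-aware application without a file of its own, nullok there lets any account whose password field is empty authenticate to every such service, and the password line lets users set an empty password. A conservative default for other is pam_deny.so on all four stacks, with nullok reserved for the per-service files where it is actually wanted; at minimum the text should say what nullok does so readers do not copy it unchanged. Separately, the Description entry for unix-chkpwd reads "No description available": the helper of that name in the Linux-PAM sources (spelled unix_chkpwd there, so the hyphenated spelling in Contents should be checked) is installed setuid root so that pam_unix can verify passwords against /etc/shadow on behalf of unprivileged callers, which is precisely the kind of binary a reader wants described.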
  • postlfs/security/mitkrb.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6
     7  <!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.3/krb5-&mitkrb-version;.tar">
     8  <!ENTITY mitkrb-download-ftp " ">
     9  <!ENTITY mitkrb-size "6.2 MB">
     10  <!ENTITY mitkrb-buildsize "137.4 MB">
     11  <!ENTITY mitkrb-time "2.55 SBU">
     12]>
     13
     14
    115<sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
    216<?dbhtml filename="mitkrb.html"?>
    317<title>MIT krb5-&mitkrb-version;</title>
    418
    5 &mitkrb-intro;
    6 &mitkrb-inst;
    7 &mitkrb-exp;
    8 &mitkrb-config;
    9 &mitkrb-desc;
     19<sect2>
     20<title>Introduction to <application><acronym>MIT</acronym> krb5</application></title>
     21
     22<para>
     23<application>MIT krb5</application> is a free implementation of Kerberos
     245. Kerberos is a network authentication protocol. It centralizes the
     25authentication database and uses kerberized applications to work with
     26servers or services that support Kerberos allowing single logins and
     27encrypted communication over internal networks or the Internet.</para>
     28
     29<sect3><title>Package information</title>
     30<itemizedlist spacing='compact'>
     31<listitem><para>Download (HTTP): <ulink url="&mitkrb-download-http;"/></para></listitem>
     32<listitem><para>Download (FTP): <ulink url="&mitkrb-download-ftp;"/></para></listitem>
     33<listitem><para>Download size: &mitkrb-size;</para></listitem>
     34<listitem><para>Estimated Disk space required: &mitkrb-buildsize;</para></listitem>
     35<listitem><para>Estimated build time: &mitkrb-time;</para></listitem></itemizedlist>
     36</sect3>
     37
     38<sect3><title><application><acronym>MIT</acronym> krb5</application> dependencies</title>
     39<sect4><title>Optional</title>
     40<para>
     41<xref linkend="xinetd"/> (services servers only),
     42<xref linkend="Linux_PAM"/> (for xdm based logins) and
     43<xref linkend="openldap"/> (alternative for krb5kdc password database)
     44</para>
     45
     46<note><para>
     47Some sort of time synchronization facility on your system (like <xref
     48linkend="ntp"/>) is required since Kerberos won't authenticate if there
     49is a time difference between a kerberized client and the
     50<acronym>KDC</acronym> server.</para></note>
     51</sect4>
     52
     53</sect3>
     54
     55</sect2>
     56
     57<sect2>
     58<title>Installation of <application>MIT krb5</application></title>
     59
     60<para>Install <application>MIT krb5</application> by running the following commands:</para>
     61
     62<screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc \
     63    --localstatedir=/var/lib --enable-dns --enable-shared --mandir=/usr/share/man &amp;&amp;
     64make &amp;&amp;
     65make install &amp;&amp;
     66mv /bin/login /bin/login.shadow &amp;&amp;
     67cp /usr/sbin/login.krb5 /bin/login &amp;&amp;
     68mv /usr/bin/ksu /bin &amp;&amp;
     69mv /usr/lib/libkrb5.so.3* /lib &amp;&amp;
     70mv /usr/lib/libkrb4.so.2* /lib &amp;&amp;
     71mv /usr/lib/libdes425.so.3* /lib &amp;&amp;
     72mv /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
     73mv /usr/lib/libcom_err.so.3* /lib &amp;&amp;
     74ln -sf ../../lib/libkrb5.so /usr/lib &amp;&amp;
     75ln -sf ../../lib/libkrb4.so /usr/lib &amp;&amp;
     76ln -sf ../../lib/libdes425.so /usr/lib &amp;&amp;
     77ln -sf ../../lib/libk5crypto.so /usr/lib &amp;&amp;
     78ln -sf ../../lib/libcom_err.so /usr/lib &amp;&amp;
     79ldconfig</command></userinput></screen>
     80
     81</sect2>
     82
     83<sect2>
     84<title>Command explanations</title>
     85
     86<para><parameter>--enable-dns</parameter>: This switch allows realms to
     87be resolved using the <acronym>DNS</acronym> server.</para>
     88
     89<para><screen><command>mv /bin/login /bin/login.shadow
     90cp /usr/sbin/login.krb5 /bin/login
     91mv /usr/bin/ksu /bin</command></screen>
     92Preserves <application>Shadow</application>'s <command>login</command>
     93command, moves <command>ksu</command> and <command>login</command> to
     94the <filename class="directory">/bin</filename> directory.</para>
     95
     96<para><screen><command>mv /usr/lib/libkrb5.so.3* /lib
     97mv /usr/lib/libkrb4.so.2* /lib
     98mv /usr/lib/libdes425.so.3* /lib
     99mv /usr/lib/libk5crypto.so.3* /lib
     100mv /usr/lib/libcom_err.so.3* /lib
     101ln -sf ../../lib/libkrb5.so /usr/lib
     102ln -sf ../../lib/libkrb4.so /usr/lib
     103ln -sf ../../lib/libdes425.so /usr/lib
     104ln -sf ../../lib/libk5crypto.so /usr/lib
     105ln -sf ../../lib/libcom_err.so /usr/lib</command></screen>
     106The <command>login</command> and <command>ksu</command> programs
     107are linked against these libraries, therefore we move these libraries to
     108<filename class="directory">/lib</filename> to allow logins without mounting <filename class="directory">/usr</filename>.</para>
     109
     110</sect2>
     111
     112<sect2>
     113<title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
     114
     115<sect3><title>Config files</title>
     116<para><filename>/etc/krb5.conf</filename> and
     117<filename>/var/lib/krb5kdc/kdc.conf</filename></para>
     118</sect3>
     119
     120<sect3><title>Configuration Information</title>
     121
     122<sect4><title>Kerberos Configuration</title>
     123
     124<para>
     125Create the Kerberos configuration file with the following command:
     126</para>
     127
     128<screen><userinput><command>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"</command>
     129# Begin /etc/krb5.conf
     130       
     131[libdefaults]
     132    default_realm = <replaceable>[LFS.ORG]</replaceable>
     133    encrypt = true
     134
     135[realms]
     136    <replaceable>[LFS.ORG]</replaceable> = {
     137        kdc = <replaceable>[belgarath.lfs.org]</replaceable>
     138        admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
     139    }
     140
     141[domain_realm]
     142    .<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
     143
     144[logging]
     145    kdc = SYSLOG[:INFO[:AUTH]]
     146    admin_server = SYSLOG[INFO[:AUTH]]
     147    default = SYSLOG[[:SYS]]
     148
     149# End /etc/krb5.conf
     150<command>EOF</command></userinput></screen>
     151
     152<para>
     153You will need to substitute your domain and proper hostname for the
     154occurances of the belgarath and lfs.org names.
     155</para>
     156
     157<para>
     158<userinput>default_realm</userinput> should be the name of your domain changed to ALL CAPS.
     159This isn't required, but both Heimdal and <acronym>MIT</acronym>
     160recommend it.
     161</para>
     162
     163<para>
     164<userinput>encrypt = true</userinput> provides encryption of all traffic between kerberized
     165clients and servers. It's not necessary and can be left off. If you
     166leave it off, you can encrypt all traffic from the client to the server
     167using a switch on the client program instead.
     168</para>
     169
     170<para>
     171The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
     172<acronym>KDC</acronym> authentication services.
     173</para>
     174
     175<para>
     176The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
     177</para>
     178
     179<para>
     180Create the <acronym>KDC</acronym> database:
     181</para>
     182
     183<screen><userinput><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
     184
     185<para>
     186Now we need to populate the database with principles (users). For now,
     187just use your regular login name or root.
     188</para>
     189
     190<screen><userinput><command>kadmin.local</command></userinput>
     191<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
     192
     193<para>
     194The <acronym>KDC</acronym> server and any machine running kerberized
     195server daemons must have a host key installed:
     196</para>
     197
     198<screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
     199
     200<para>
     201After choosing the defaults when prompted, you will have to export the
     202data to a keytab file:
     203</para>
     204
     205<screen><prompt>kadmin:</prompt><userinput><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
     206
     207<para>
     208This should have created a file in
     209<filename class="directory">/etc</filename> named
     210<filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
     211(root rw only) permissions. Keeping the keytab files from public access
     212is crucial to the overall security of the Kerberos installation.
     213</para>
     214
     215<para>
     216Eventually, you'll want to add server daemon principles to the database
     217and extract them to the keytab file. You do this in the same way you
     218created the host principles. Below is an example:
     219</para>
     220
     221<screen><prompt>kadmin:</prompt><userinput><command>addprinc --randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
     222<prompt>kadmin:</prompt><userinput><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
     223
     224<para>
     225Exit the <command>kadmin</command> program (use <command>quit</command>
     226or <command>exit</command>) and return back to the shell prompt. Start
     227the <acronym>KDC</acronym> daemon manually, just to test out the
     228installation:
     229</para>
     230
     231<screen><userinput><command>/usr/sbin/krb5kdc &amp;</command></userinput></screen>
     232
     233<para>
     234Attempt to get a ticket with the following command:
     235</para>
     236
     237<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
     238
     239<para>
     240You will be prompted for the password you created. After you get your
     241ticket, you can list it with the following command:
     242</para>
     243
     244<screen><userinput><command>klist</command></userinput></screen>
     245
     246<para>
     247Information about the ticket should be displayed on the screen.
     248</para>
     249
     250<para>
     251To test the functionality of the keytab file, issue the following
     252command:
     253</para>
     254
     255<screen><userinput><command>ktutil</command></userinput>
     256<prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
     257<prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
     258
     259<para>
     260This should dump a list of the host principal, along with the encryption
     261methods used to access the principal.
     262</para>
     263
     264<para>
     265At this point, if everything has been successful so far, you can feel
     266fairly confident in the installation and configuration of the package.
     267</para>
     268
     269<para>Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
     270included in the <xref linkend="intro-important-bootscripts"/>
     271package.</para>
     272
     273<screen><userinput><command>make install-kerberos</command></userinput></screen>
     274
     275</sect4>
     276
     277<sect4><title>Using Kerberized Client Programs</title>
     278
     279<para>
     280To use the kerberized client programs (<command>telnet</command>,
     281<command>ftp</command>, <command>rsh</command>,
     282<command>rcp</command>, <command>rlogin</command>), you first must get
     283an authentication ticket. Use the <command>kinit</command> program to
     284get the ticket. After you've acquired the ticket, you can use the
     285kerberized programs to connect to any kerberized server on the network.
     286You will not be prompted for authentication until your ticket expires
     287(default is one day), unless you specify a different user as a command
     288line argument to the program.
     289</para>
     290
     291<para>
     292The kerberized programs will connect to non kerberized daemons, warning
     293you that authentication is not encrypted.</para></sect4>
     294
     295
     296<sect4><title>Using Kerberized Server Programs</title>
     297
     298<para>Using kerberized server programs (<command>telnetd</command>,
     299<command>kpropd</command>,
     300<command>klogind</command> and <command>kshd</command>) requires two additional configuration steps.
     301First the <filename>/etc/services</filename> file must be updated to
     302include  eklogin and krb5_prop. Second, the
     303<filename>inetd.conf</filename> or <filename>xinetd.conf</filename> must
     304be modified for each server that will be activated, usually replacing
     305the server from <application>inetutils</application>.</para></sect4>
     306
     307<sect4><title>Additional Information</title>
     308<para>
     309For additional information consult <ulink
     310url="http://web.mit.edu/kerberos/www/krb5-1.3/#documentation">Documentation
     311for krb-&mitkrb-version;</ulink> on which the above instructions are based.
     312</para>
     313
     314</sect4>
     315
     316</sect3>
     317
     318</sect2>
     319
     320<sect2>
     321<title>Contents</title>
     322
     323<para>The <application>MIT krb5</application> package contains
     324<command>compile-et</command>,
     325<command>ftp</command>,
     326<command>ftpd</command>,
     327<command>gss-client</command>,
     328<command>gss-server</command>,
     329<command>k5srvutil</command>,
     330<command>kadmin</command>,
     331<command>kadmin.local</command>,
     332<command>kadmind</command>,
     333<command>kadmind4</command>,
     334<command>kdb5_util</command>
     335<command>kdestroy</command>,
     336<command>kinit</command>,
     337<command>klist</command>,
     338<command>klogind</command>,
     339<command>kpasswd</command>,
     340<command>kprop</command>,
     341<command>kpropd</command>,
     342<command>krb5-send-pr</command>,
     343<command>krb5-config</command>,
     344<command>krb524d</command>,
     345<command>krb524init</command>,
     346<command>krb5kdc</command>,
     347<command>kshd</command>,
     348<command>ksu</command>,
     349<command>ktutil</command>,
     350<command>kvno</command>,
     351<command>login.krb5</command>,
     352<command>rcp</command>,
     353<command>rlogin</command>,
     354<command>rsh</command>,
     355<command>rshd</command>,
     356<command>rxtelnet</command>,
     357<command>rxterm</command>,
     358<command>sclient</command>,
     359<command>sim_client</command>,
     360<command>sim_server</command>,
     361<command>sserver</command>,
     362<command>telnet</command>,
     363<command>telnetd</command>,
     364<command>uuclient</command>,
     365<command>uuserver</command>,
     366<command>v5passwd</command>,
     367<command>v5passwdd</command>,
     368<filename class="libraryfile">libcom_err</filename>,
     369<filename class="libraryfile">libdes425</filename>,
     370<filename class="libraryfile">libgssapi</filename>,
     371<filename class="libraryfile">libgssrpc</filename>,
     372<filename class="libraryfile">lib5crypto</filename>,
     373<filename class="libraryfile">libkadm5clnt</filename>,
     374<filename class="libraryfile">libkadm5srv</filename>,
     375<filename class="libraryfile">libkdb5</filename>,
     376<filename class="libraryfile">libkrb4</filename>,
     377<filename class="libraryfile">libkrb5</filename>.</para>
     378
     379</sect2>
     380
     381<sect2><title>Description</title>
     382
     383<sect3><title>compile_et</title>
     384<para><command>compile_et</command> converts the table listing
     385error-code names into a <application>C</application> source file.</para></sect3>
     386
     387<sect3><title>k5srvutil</title>
     388<para><command>k5srvutil</command> is a host keytable manipulation
     389utility.</para></sect3>
     390
     391<sect3><title>kadmin</title>
     392<para><command>kadmin</command> is an utility used to make modifications
     393to the Kerberos database.</para></sect3>
     394
     395<sect3><title>kadmind</title>
     396<para><command>kadmind</command> is a server for administrative access
     397to Kerberos database.</para></sect3>
     398
     399<sect3><title>kinit</title>
     400<para><command>kinit</command> is used to
     401authenticate to the Kerberos server as principal and acquire a ticket
     402granting ticket that can later be used to obtain tickets for other
     403services.</para></sect3>
     404
     405<sect3><title>krb5kdc</title>
     406<para><command>kdc</command> is a Kerberos 5 server.</para></sect3>
     407
     408<sect3><title>kdestroy</title>
     409<para><command>kdestroy</command> removes the current set of
     410tickets.</para></sect3>
     411
     412<sect3><title>kdb5_util</title>
     413<para><command>kdb5_util</command> is the <acronym>KDC</acronym>
     414database utility.</para></sect3>
     415
     416<sect3><title>klist</title>
     417<para><command>klist</command> reads and displays the current tickets in
     418the credential cache.</para></sect3>
     419
     420<sect3><title>klogind</title>
     421<para><command>klogind</command> is the server that responds to rlogin
     422requests.</para></sect3>
     423
     424<sect3><title>kpasswd</title>
     425<para><command>kpasswd</command> is a program for changing Kerberos 5
     426passwords.</para></sect3>
     427
     428<sect3><title>kprop</title>
     429<para><command>kprop</command> takes a principal database in a specified
     430format and converts it into a stream of database
     431records.</para></sect3>
     432
     433<sect3><title>kpropd</title>
     434<para><command>kpropd</command> receives a database sent by
     435<command>hprop</command> and writes it as a local
     436database.</para></sect3>
     437
     438<sect3><title>krb5-config</title>
     439<para><command>krb5-config</command> gives information on how to link
     440programs against libraries.</para></sect3>
     441
     442<sect3><title>ksu</title>
     443<para><command>ksu</command> is the super user program using Kerberos
     444protocol. Requires a properly configured
     445<filename>/etc/shells</filename> and <filename>~/.k5login</filename>
     446containing principals authorized to become super users.</para></sect3>
     447
     448<sect3><title>ktutil</title>
     449<para><command>ktutil</command> is a program for managing Kerberos
     450keytabs.</para></sect3>
     451
     452<sect3><title>kvno</title>
     453<para><command>kvno</command> prints keyversion numbers of Kerberos
     454principals.</para></sect3>
     455
     456
     457</sect2>
    10458
    11459</sect1>
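Review bot: the Description entries disagree with the Contents list and with the package in several places. The section title is `compile_et` while the Contents list says `compile-et` (the MIT binary is `compile_et`, so fix the list); the `krb5kdc` section describes `<command>kdc</command>`, which should read `krb5kdc`; the `kpropd` entry says it receives a database "sent by hprop", but `hprop` is the Heimdal tool and not part of this package, the sender here is `kprop`; and the `kprop` entry ("takes a principal database in a specified format and converts it into a stream of database records") reads like Heimdal's hprop description rather than the MIT propagation client. In the Contents list, `<command>kdb5_util</command>` lacks its trailing comma and `lib5crypto` looks like a typo for `libk5crypto`. Wording: "is an utility" should be "is a utility", and "non kerberized" should be hyphenated. In the server-programs paragraph, `eklogin` and `krb5_prop` are named as `/etc/services` entries but no port or protocol is given, so the reader cannot add the lines; either list them or say where they come from.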
  • postlfs/security/security.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6]>
     7
    18<chapter id="postlfs-security">
    29<?dbhtml filename="security.html"?>
     
    2330"signatures" and compares for files that have been changed.</para>
    2431
    25 &cracklib;
    26 &Linux_PAM;
    27 &shadow;
    28 &iptables;
    29 &postlfs-security-fw;
    30 &gnupg;
    31 &tripwire;
    32 &heimdal;
    33 &mitkrb;
    34 <!--&postlfs-security-syslog;-->
     32<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="cracklib.xml"/>
     33<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="linux_pam.xml"/>
     34<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="shadow.xml"/>
     35<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="iptables.xml"/>
     36<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="firewalling.xml"/>
     37<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="gnupg.xml"/>
     38<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="tripwire.xml"/>
     39<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="heimdal.xml"/>
     40<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="mitkrb.xml"/>
    3541
    3642</chapter>
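Review bot: the commented-out `&postlfs-security-syslog;` placeholder is dropped without an equivalent commented `<xi:include>` for a syslog page, so the intent to add it later is lost; if it is still planned, keep a commented `<!-- <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="syslog.xml"/> -->` in the same position. Style: `xmlns:xi` is re-declared on all nine includes; declaring it once on the `<chapter>` element is enough and keeps the namespace URI in a single place should it ever need changing.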
  • postlfs/security/shadow.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6]>
     7
    18<sect1 id="shadow">
    29<?dbhtml filename="shadow.html"?>
     
    2431</sect2>
    2532-->
    26 &shadow-intro;
    27 &shadow-inst;
    28 &shadow-exp;
    29 &shadow-config;
     33
     34
     35<sect2>
     36<title>Introduction to <application>Shadow</application></title>
     37
     38<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
     39no reason to reinstall it unless you installed
     40<application>Linux-<acronym>PAM</acronym></application>.  If you did,
     41this will allow programs like <command>login</command> and
     42<command>su</command> to utilize
     43<acronym>PAM</acronym>.</para>
     44
     45<sect3><title>Additional downloads</title>
     46<itemizedlist spacing='compact'>
     47<listitem><para>Patch to fix linking against PAM:
     48<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para></listitem>
     49</itemizedlist>
     50</sect3>
     51
     52<sect3><title><application>Shadow</application> dependencies</title>
     53<sect4><title>Required</title>
     54<para><xref linkend="Linux_PAM"/></para></sect4>
     55</sect3>
     56</sect2>
     57
     58
     59<sect2>
     60<title>Installation of <application>shadow</application></title>
     61
     62<para>Reinstall shadow by running the following commands:</para>
     63
     64<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
     65LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
     66    --enable-shared --with-libpam --without-libcrack &amp;&amp;
     67echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
     68make &amp;&amp;
     69make install &amp;&amp;
     70mv /bin/sg /usr/bin &amp;&amp;
     71mv /bin/vigr /usr/sbin &amp;&amp;
     72rm /bin/groups &amp;&amp;
     73mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
     74ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
     75ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
     76
     77</sect2>
     78
     79
     80<sect2>
     81<title>Command explanations</title>
     82
     83<para><parameter>--without-libcrack</parameter>: This switch tells shadow
     84not to use libcrack. This is desired as
     85<application>Linux-<acronym>PAM</acronym></application> already
     86contains libcrack.</para>
     87
     88<!--  Leftover from older instructions????
     89<para><command>cp debian/securetty /etc/securetty</command>: This
     90command sets the tty's that allow logins through <acronym>PAM</acronym>.</para>
     91-->
     92
     93</sect2>
     94
     95
     96<sect2>
     97<title>Configuring <application><acronym>PAM</acronym></application> to work
     98with <application>shadow</application></title>
     99
     100<sect3><title>Config files</title>
     101<para><filename>/etc/pam.d/login</filename>,
     102<filename>/etc/pam.d/passwd</filename>,
     103<filename>/etc/pam.d/su</filename>,
     104<filename>/etc/pam.d/shadow</filename>, and
     105<filename>/etc/pam.d/useradd</filename></para>
     106</sect3>
     107
     108<sect3><title>Configuration Information</title>
     109
     110<para>Add the following <application><acronym>PAM</acronym></application>
     111configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to
     112<filename>/etc/pam.conf</filename> with the additional field for the program).
     113</para>
     114<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
     115# Begin /etc/pam.d/login
     116
     117auth        requisite      pam_securetty.so
     118auth        requisite      pam_nologin.so
     119auth        required       pam_env.so
     120auth        required       pam_unix.so
     121account     required       pam_access.so
     122account     required       pam_unix.so
     123session     required       pam_motd.so
     124session     required       pam_limits.so
     125session     optional       pam_mail.so     dir=/var/mail standard
     126session     optional       pam_lastlog.so
     127session     required       pam_unix.so
     128
     129# End /etc/pam.d/login
     130<command>EOF
     131cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
     132# Begin /etc/pam.d/passwd
     133
     134password    required       pam_unix.so     md5 shadow
     135
     136# End /etc/pam.d/passwd
     137<command>EOF
     138cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
     139# Begin /etc/pam.d/shadow
     140
     141auth        sufficient      pam_rootok.so
     142auth        required        pam_unix.so
     143account     required        pam_unix.so
     144session     required        pam_unix.so
     145password    required        pam_permit.so
     146
     147# End /etc/pam.d/shadow
     148<command>EOF
     149cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
     150# Begin /etc/pam.d/su
     151
     152auth        sufficient      pam_rootok.so
     153auth        required        pam_unix.so
     154account     required        pam_unix.so
     155session     required        pam_unix.so
     156
     157# End /etc/pam.d/su
     158<command>EOF
     159cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
     160# Begin /etc/pam.d/useradd
     161
     162auth        sufficient      pam_rootok.so
     163auth        required        pam_unix.so
     164account     required        pam_unix.so
     165session     required        pam_unix.so
     166password    required        pam_permit.so
     167
     168# End /etc/pam.d/useradd
     169<command>EOF
     170cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
     171# Begin /etc/pam.d/chage
     172
     173auth        sufficient      pam_rootok.so
     174auth        required        pam_unix.so
     175account     required        pam_unix.so
     176session     required        pam_unix.so
     177password    required        pam_permit.so
     178
     179# End /etc/pam.d/chage
     180<command>EOF</command></userinput></screen>
     181
     182<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
     183allow anyone with an account on the machine to use programs
     184that do not specifically have a configuration file of their own. After
     185testing <application><acronym>PAM</acronym></application> for proper
     186configuration, it can be changed to the following:</para>
     187
     188<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
     189# Begin /etc/pam.d/other
     190
     191auth        required        pam_deny.so
     192auth        required        pam_warn.so
     193account     required        pam_deny.so
     194session     required        pam_deny.so
     195password    required        pam_deny.so
     196password    required        pam_warn.so
     197
     198# End /etc/pam.d/other
     199<command>EOF</command></userinput></screen>
     200
     201<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
     202to the beginning of the following lines:</para>
     203<screen>LASTLOG_ENAB
     204MAIL_CHECK_ENAB
     205PORTTIME_CHECKS_ENAB
     206CONSOLE
     207MOTD_FILE
     208NOLOGINS_FILE
     209PASS_MIN_LEN
     210SU_WHEEL_ONLY
     211MD5_CRYPT_ENAB
     212CONSOLE_GROUPS
     213ENVIRON_FILE</screen>
     214
     215<para>This stops <command>login</command> from performing these functions, as
     216they will now be performed by <acronym>PAM</acronym> modules.</para>
     217
     218</sect3>
     219
     220</sect2>
    30221
    31222</sect1>
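Review bot: the login.defs step and the PAM stacks are out of sync. SU_WHEEL_ONLY, PASS_MIN_LEN, PORTTIME_CHECKS_ENAB and CONSOLE_GROUPS are commented out "as they will now be performed by PAM modules", but none of the stacks above supplies the replacement: `/etc/pam.d/su` has no `pam_wheel.so` line, `/etc/pam.d/passwd` has no `pam_cracklib.so` line (even though the stated reason for `--without-libcrack` is that PAM provides cracklib), and nothing corresponds to porttime or console groups (`pam_time.so`, `pam_group.so`). As written, the wheel-only restriction on `su` and the minimum password length check are removed without a replacement; either add lines such as `auth required pam_wheel.so use_uid` to the su stack and `password required pam_cracklib.so` before `pam_unix.so` (with `use_authtok` on the latter) in the passwd stack, or leave the corresponding login.defs lines untouched. Also: the "Config files" list omits `/etc/pam.d/chage`, which the commands create; the `--without-libcrack` explanation says Linux-PAM "already contains libcrack", when what it ships is the `pam_cracklib` module that links against cracklib; and the `Leftover from older instructions????` comment should be resolved or removed before commit.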
  • postlfs/security/tripwire.xml

    rf8d632a rb4b71892  
     1<?xml version="1.0" encoding="ISO-8859-1"?>
     2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
     3   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
     4  <!ENTITY % general-entities SYSTEM "../../general.ent">
     5  %general-entities;
     6
     7  <!ENTITY tripwire-download-http "http://prdownloads.sourceforge.net/tripwire/tripwire-&tripwire-version;.tar.gz">
     8  <!ENTITY tripwire-download-ftp  "ftp://ftp.fu-berlin.de/unix/security/tripwire/tripwire-&tripwire-version;.tar.gz">
     9  <!ENTITY tripwire-size          "1.4 MB">
     10  <!ENTITY tripwire-buildsize     "63 MB">
     11  <!ENTITY tripwire-time          "2.35 SBU">
     12]>
     13
    114<sect1 id="tripwire" xreflabel="Tripwire-&tripwire-version;">
    215<?dbhtml filename="tripwire.html"?>
    316<title>Tripwire-&tripwire-version;</title>
    417
    5 &tripwire-intro;
    6 &tripwire-inst;
    7 &tripwire-exp;
    8 &tripwire-config;
    9 &tripwire-desc;
     18<sect2>
     19<title>Introduction to <application>Tripwire</application></title>
     20
     21<para>The <application>Tripwire</application> package contains the programs
     22used by <application>Tripwire</application> to verify the integrity of the
     23files on a given system.</para>
     24
     25<sect3><title>Package information</title>
     26<itemizedlist spacing='compact'>
     27<listitem><para>Download (HTTP): <ulink
     28url="&tripwire-download-http;"/></para></listitem>
     29<listitem><para>Download (FTP): <ulink
     30url="&tripwire-download-ftp;"/></para></listitem>
     31<listitem><para>Download size: &tripwire-size;</para></listitem>
     32<listitem><para>Estimated Disk space required:
     33&tripwire-buildsize;</para></listitem>
     34<listitem><para>Estimated build time:
     35&tripwire-time;</para></listitem></itemizedlist>
     36</sect3>
     37
     38<sect3><title>Additional downloads</title>
     39<itemizedlist spacing='compact'>
     40<listitem><para>Required patch to fix multiple build issues (see patch for more information):
     41<ulink url="&patch-root;/tripwire-&tripwire-version;-gcc3-build-fixes.patch"/></para></listitem>
     42</itemizedlist>
     43</sect3>
     44
     45<sect3><title><application>Shadow</application> dependencies</title>
     46<sect4><title>Optional</title>
     47<para>MTA (See <xref linkend="server-mail"/>)</para></sect4>
     48</sect3>
     49
     50</sect2>
     51
     52
     53<sect2>
     54<title>Installation of <application>Tripwire</application></title>
     55
     56<para>Compile <application>Tripwire</application> by running the following
     57commands:</para>
     58
     59<screen><userinput><command>patch -Np1 -i ../tripwire-&tripwire-version;-gcc3-build-fixes.patch &amp;&amp;
     60make -C src release &amp;&amp;
     61cp install/install.{sh,cfg} .</command></userinput></screen>
     62
     63<para>The default configuration is to use a local MTA. If you don't have
     64a MTA installed and have no wish to install one, modify the
     65<filename>install.cfg</filename> to use an SMTP server instead.
     66Install <application>Tripwire</application> by running the following
     67commands:</para>
     68
     69<screen><userinput><command>./install.sh &amp;&amp;
     70cp /etc/tripwire/tw.cfg /usr/sbin &amp;&amp;
     71cp policy/*.txt /usr/share/doc/tripwire</command></userinput></screen>
     72
     73</sect2>
     74
     75<sect2>
     76<title>Command explanations</title>
     77
     78<para><command>make release</command>: This command creates the
     79<application>Tripwire</application> binaries.</para>
     80
     81<para><command>cp install.{sh,cfg} .</command>: These are copied to the main
     82<application>Tripwire</application> directory so that the script can be used to
     83install the package.</para>
     84
     85<para><command>cp policy/*.txt /usr/share/doc/tripwire</command>: This command
     86installs the documentation.</para>
     87
     88</sect2>
     89
     90<sect2>
     91<title>Configuring <application>Tripwire</application></title>
     92
     93<sect3><title>Config files</title>
     94<para><filename class="directory">/etc/tripwire</filename></para>
     95</sect3>
     96
     97<sect3><title>Configuration Information</title>
     98
     99<para><application>Tripwire</application> uses a policy file to determine which
     100files integrity are checked. The default policy file (<filename>twpol.txt
     101</filename> found in <filename class="directory">/etc/tripwire/</filename>) is for a default
     102installation of Redhat 7.0 and is woefully outdated.</para>
     103
     104<para>Policy files are also a custom thing and should be tailored to each
     105individual distribution and/or installation. Some custom policy files can be
     106found below: </para>
     107<screen><ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt</ulink>
     108Checks integrity of all files
     109<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt</ulink>
     110Custom policy file for Base LFS 3.0 system
     111<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt">http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt</ulink>
     112Custom policy file for SuSE 7.2 system</screen>
     113
     114<para>Download the custom policy file you'd like to try, copy it into
     115<filename class="directory">/etc/tripwire/</filename>, and use it instead of
     116<filename>twpol.txt</filename>. It is, however, recommended that you make your own policy file.
     117Get ideas from the examples above and read <filename>
     118/usr/share/doc/tripwire/policyguide.txt</filename>. <filename>twpol.txt
     119</filename> is a good policy file for beginners as it will note any changes to
     120the file system and can even be used as an annoying way of keeping track of
     121changes for uninstallation of software.</para>
     122
     123<para>After your policy file has been transferred to <filename
     124class="directory">/etc/tripwire/</filename> you may begin the configuration steps:</para>
     125
     126<screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &amp;&amp;
     127tripwire -m i</command></userinput></screen>
     128
     129<para>During installation <application>Tripwire</application> will create two
     130(2) keys: a site key and a local key which will be stored in <filename
     131class="directory">/etc/tripwire/</filename>.</para>
     132
     133</sect3>
     134
     135<sect3><title>Usage Information</title>
     136<para>To use <application>Tripwire</application> after this and run a report,
     137use the following command:</para>
     138
     139<screen><userinput><command>tripwire -m c &gt; /etc/tripwire/report.txt</command></userinput></screen>
     140
     141<para>View the output to check the integrity of your files. An automatic
     142integrity report can be produced by using a cron facility to schedule
     143the runs. </para>
     144
     145<para>Please note that after you run an integrity check, you must check
     146the report or email and then modify the
     147<application>Tripwire</application> database of the files
     148on your system so that <application>Tripwire</application> will not continually notify you that
     149files you intentionally changed are a security violation. To do this you
     150must first <command>ls -l /var/lib/tripwire/report/</command> and note
     151the name of the newest file which starts with <filename>linux-</filename> and
     152ends in <filename>.twr</filename>. This encrypted file was created during the
     153last report creation and is needed to update the
     154<application>Tripwire</application> database of your
     155system. Then, type in the following command making the appropriate
     156substitutions for '?':</para>
     157<screen><userinput><command>tripwire -m u -r /var/lib/tripwire/report/linux-???????-??????.twr </command></userinput></screen>
     158
     159<para>You will be placed into vim with a copy of the report in front of you. If
     160all the changes were good, then just type <command>:x</command> and after
     161entering your local key, the database will be updated. If there are files which
     162you still want to be warned about, please remove the x before the filename in
     163the report and type <command>:x</command>. </para>
     164
     165</sect3>
     166
     167<sect3><title>Changing the Policy File</title>
     168
     169<para>If you are unhappy with your policy file and would like to modify it or
     170use a new one, modify the policy file and then execute the following
     171commands:</para>
     172<screen><userinput><command>twadmin -m P /etc/tripwire/twpol.txt &amp;&amp;
     173tripwire -m i</command></userinput></screen>
     174
     175</sect3>
     176
     177</sect2>
     178
     179<sect2>
     180<title>Contents</title>
     181
     182<para>The <application>Tripwire</application> package contains <command>siggen
     183</command>,
     184<command>tripwire</command>, <command>twadmin</command>
     185and <command>twprint</command>.</para>
     186
     187</sect2>
    10188
    11189</sect1>
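Review bot: the dependencies heading `<sect3><title><application>Shadow</application> dependencies</title>` is copied from shadow.xml and should read `Tripwire`. In Usage Information, `tripwire -m c &gt; /etc/tripwire/report.txt` redirects the printed report into the configuration directory, although the next paragraph explains that the encrypted report is already written to `/var/lib/tripwire/report/`; dropping the redirect, or sending it somewhere outside /etc, avoids confusing the two. The sentence saying the site and local keys are created "During installation" comes after the `twadmin -m P` and `tripwire -m i` commands that need those keys; move it to the installation section or reword it. Several elements wrap their content across lines (`<command>siggen\n</command>`, `<filename>twpol.txt\n</filename>`, `<filename>\n/usr/share/doc/tripwire/policyguide.txt</filename>`), which renders stray spaces; keep the text on one line. Wording: "which files integrity are checked" should be "the integrity of which files is checked", "a MTA" should be "an MTA", and "two (2) keys" should be "two keys".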