Red Hat Linux Security and Optimization
9780764547546, 0764547542
Red Hat Linux Security and Optimization is a reference for power-users and administrators covering all security issues,
274
36
4MB
English
Pages 721
Year 2002
Report DMCA / Copyright
DOWNLOAD PDF FILE
Table of contents :
Red Hat® Linux® Security and Optimization......Page 1
Table of Contents......Page 14
Front of Book Information......Page 2
About the Author......Page 4
Part IV: Network Service Security......Page 7
Conventions of This Book......Page 8
Tell Us What You Think of This Book......Page 9
Acknowledgments......Page 10
Contents at a Glance......Page 12
Part I: System Performance......Page 24
Performance Basics......Page 26
Monitoring system performance with ps......Page 27
Tracking system activity with top......Page 29
Checking memory and I/O with vmstat......Page 31
Running Vtad to analyze your system......Page 32
Summary......Page 33
Downloading kernel source code ( latest distribution)......Page 34
Creating the /usr/src/linux symbolic link......Page 35
Selecting a kernel-configuration method......Page 36
Using menuconfig......Page 37
Compiling the kernel......Page 54
Booting the new kernel......Page 55
Running Demanding Applications......Page 58
Summary......Page 60
Tuning your hard disks......Page 62
Changing the block size of the ext2 filesystem......Page 67
Using e2fsprogs to tune ext2 filesystem......Page 68
Using a Journaling Filesystem......Page 71
Compiling and installing ReiserFS......Page 73
Benchmarking ReiserFS......Page 74
Compiling and installing the LVM module for kernel......Page 77
Creating a logical volume......Page 79
Adding a new disk or partition to a logical volume......Page 85
Removing a disk or partition from a volume group......Page 88
Using Linux Software RAID......Page 89
Using Storage Appliances......Page 90
Using a RAM-Based Filesystem......Page 91
Summary......Page 94
Part II: Network and Service Performance......Page 96
Tuning an Ethernet LAN or WAN......Page 98
Using network segmentation technique for performance......Page 100
Using switches in place of hubs......Page 103
Using fast Ethernet......Page 104
Using a network backbone......Page 105
Understanding and controlling network traffic flow......Page 106
IP Accounting......Page 108
IP accounting on a Linux network gateway......Page 109
Summary......Page 110
Compiling a Lean and Mean Apache......Page 112
Tuning Apache Configuration......Page 118
Controlling Apache processes......Page 119
Controlling system resources......Page 123
Speeding Up Static Web Pages......Page 126
Reducing disk I/O for faster static page delivery......Page 127
Speeding Up Web Applications......Page 128
Using mod_perl......Page 129
Using FastCGI......Page 137
Installing and configuring FastCGI module for Apache......Page 138
Using Java servlets......Page 140
Using Squid proxy-caching server......Page 141
Summary......Page 146
Choosing Your MTA......Page 148
Tuning Sendmail......Page 149
Caching Connections......Page 150
Controlling simultaneous connections......Page 153
Saving memory when processing the mail queue......Page 154
Handling the full queue situation......Page 155
Installing Postfix......Page 156
Limiting number of processes used......Page 157
Controlling queue full situation......Page 158
Using PowerMTA for High-Volume Outbound Mail......Page 159
Setting the maximum number of file descriptors......Page 160
Setting maximum concurrent SMTP connections......Page 161
Monitoring performance......Page 162
Summary......Page 163
NFS and Samba Server Performance......Page 164
Controlling TCP socket options......Page 165
Tuning NFS Server......Page 168
Optimizing read/write block size......Page 169
Running optimal number of NFS daemons......Page 172
Monitoring packet fragments......Page 173
Summary......Page 174
Part III: System Security......Page 176
Using Linux Intrusion Detection System ( LIDS)......Page 178
Building a LIDS-based Linux system......Page 179
Administering LIDS......Page 186
Using libsafe to Protect Program Stacks......Page 196
Compiling and installing libsafe......Page 198
Summary......Page 201
Managing Files, Directories, and User Group Permissions......Page 202
Understanding file ownership & permissions......Page 203
Changing ownership of files and directories using chown......Page 204
Using octal numbers to set file and directory permissions......Page 205
Changing access privileges of files and directories using chmod......Page 208
Managing symbolic links......Page 209
Managing user group permission......Page 211
Checking Consistency of Users and Groups......Page 213
Understanding filesystem hierarchy structure......Page 221
Setting system-wide default permission model using umask......Page 224
Dealing with world-accessible files......Page 226
Dealing with set-UID and set-GID programs......Page 227
Using ext2 Filesystem Security Features......Page 231
Using chattr......Page 232
Using a home-grown file integrity checker......Page 233
Using Tripwire Open Source, Linux Edition......Page 238
Setting up AIDE......Page 253
Setting up ICU......Page 254
Setting configuration file permissions for users......Page 262
Summary......Page 263
What is PAM?......Page 264
Working with a PAM configuration file......Page 266
Establishing a PAM-aware Application......Page 268
Using Various PAM Modules to Enhance Security......Page 271
Controlling access by time......Page 278
Restricting access to everyone but root......Page 280
Managing system resources among users......Page 281
Securing console access using mod_console......Page 283
Summary......Page 284
Understanding How SSL Works......Page 286
SSL as a protocol for data encryption......Page 287
Uses of OpenSSL......Page 289
OpenSSL prerequisites......Page 290
Compiling and installing OpenSSL......Page 291
What is a certificate?......Page 293
What is a Certificate Authority (CA)?......Page 294
Self-certified, private CA......Page 295
Getting a Server Certificate from a Commercial CA......Page 296
Creating a Private Certificate Authority......Page 298
Summary......Page 299
Shadow Passwords and OpenSSH......Page 300
Understanding User Account Risks......Page 301
Securing User Accounts......Page 302
Using shadow passwords and groups......Page 303
Checking password consistency......Page 305
Eliminating risky shell services......Page 306
Getting and installing OpenSSH......Page 308
Configuring OpenSSH service......Page 309
Connecting to an OpenSSH server......Page 316
Managing the root Account......Page 321
Limiting root access......Page 322
Using su to become root or another user......Page 323
Using sudo to delegate root access......Page 325
Monitoring Users......Page 330
Finding who is on the system......Page 331
Creating a User-Access Security Policy......Page 332
Creating a User-Termination Security Policy......Page 333
Summary......Page 334
Setting Up Secure Remote Password Support......Page 336
Establishing Exponential Password System ( EPS)......Page 337
Using the EPS PAM module for password authentication......Page 338
Converting standard passwords to EPS format......Page 339
Using SRP-Enabled Telnet Service......Page 340
Using SRP-Enabled FTP Service......Page 342
Summary......Page 345
What Is xinetd?......Page 346
Compiling and installing xinetd......Page 348
Configuring xinetd for services......Page 352
Starting, Reloading, and Stopping xinetd......Page 356
Strengthening the Defaults in / etc/ xinetd. conf......Page 357
Running an Internet Daemon Using xinetd......Page 358
Controlling Access by Name or IP Address......Page 360
Limiting the number of servers......Page 361
Limiting load......Page 362
Limiting the rate of connections......Page 363
Creating an Access- Discriminative Service......Page 364
Redirecting and Forwarding Clients......Page 365
Running sshd as xinetd......Page 368
Using xadmin......Page 369
Summary......Page 371
Part IV: Network Service Security......Page 372
Understanding Web Risks......Page 374
Using a safe directory structure......Page 375
Using appropriate file and directory permissions......Page 377
Using directory index file......Page 379
Disabling user overrides......Page 381
Using Paranoid Configuration......Page 382
Consumption of system resources......Page 383
Keeping user input from making system calls unsafe......Page 384
User modification of hidden data in HTML pages......Page 389
suEXEC......Page 395
CGIWrap......Page 398
Hide clues about your CGI scripts......Page 400
Reducing SSI Risks......Page 401
Logging Everything......Page 402
Using IP or hostname......Page 405
Using an HTTP authentication scheme......Page 408
Controlling Web Robots......Page 413
Content Publishing Guidelines......Page 415
Compiling and installing Apache-SSL patches......Page 417
Creating a certificate for your Apache-SSL server......Page 418
Configuring Apache for SSL......Page 419
Summary......Page 421
Understanding DNS Spoofing......Page 422
Checking DNS Configuring Using Dlint......Page 423
Installing Dlint......Page 424
Running Dlint......Page 425
Using Transaction Signatures (TSIG) for zone transfers......Page 428
Hiding the BIND version number......Page 432
Limiting Queries......Page 433
Turning off glue fetching......Page 434
Using DNSSEC (signed zones)......Page 435
Summary......Page 437
What Is Open Mail Relay?......Page 438
Is My Mail Server Vulnerable?......Page 440
Securing Sendmail......Page 442
Controlling mail relay......Page 445
Enabling MAPS Realtime Blackhole List ( RBL) support......Page 448
Sanitizing incoming e-mail using procmail......Page 452
Outbound-only Sendmail......Page 460
Running Sendmail without root privileges......Page 461
Keeping out spam......Page 463
Summary......Page 465
Securing WU-FTPD......Page 466
Restricting FTP access by username......Page 468
Setting default file permissions for FTP......Page 470
Using a chroot jail for FTP sessions......Page 471
Securing WU-FTPD using options in /etc/ftpaccess......Page 475
Using ProFTPD......Page 478
Configuring ProFTPD......Page 479
Securing ProFTPD......Page 485
Summary......Page 494
Choosing an appropriate security level......Page 496
Avoiding plain-text passwords......Page 499
Controlling Samba access by network interface......Page 500
Controlling Samba access by hostname or IP addresses......Page 501
Using pam_smb to authenticate all users via a Windows NT server......Page 502
Using OpenSSL with Samba......Page 504
Securing NFS Server......Page 506
Summary......Page 510
Part V: Firewalls......Page 512
Packet-Filtering Firewalls......Page 514
Enabling netfilter in the kernel......Page 519
Appending a rule......Page 521
Listing the rules......Page 522
Replacing a rule within a chain......Page 523
Creating SOHO Packet-Filtering Firewalls......Page 524
Allowing users at private network access to external Web servers......Page 527
Allowing external Web browsers access to a Web server on your firewall......Page 528
DNS client and cache-only services......Page 529
POP3 client service......Page 531
Passive-mode FTP client service......Page 532
Other new client service......Page 533
Creating a Simple Firewall......Page 534
Creating Transparent, proxy- arp Firewalls......Page 535
Creating Corporate Firewalls......Page 537
Purpose of the primary firewall......Page 538
Setting up the internal firewall......Page 539
Setting up the primary firewall......Page 541
Secure Virtual Private Network......Page 551
Compiling and installing FreeS/WAN......Page 552
Creating a VPN......Page 553
Securing IMAP......Page 559
Securing POP3......Page 561
Summary......Page 562
Using SAINT to Perform a Security Audit......Page 564
SARA......Page 572
Performing Footprint Analysis Using nmap......Page 573
Using PortSentry to Monitor Connections......Page 575
Using Nessus Security Scanner......Page 581
Using Strobe......Page 584
Using logcheck for detecting unusual log entries......Page 585
IPTraf......Page 588
Using cgichk.pl......Page 589
Using Whisker......Page 591
Using Password Crackers......Page 592
John The Ripper......Page 593
LIDS......Page 594
Snort......Page 595
Using Netcat......Page 598
Tcpdump......Page 603
LSOF......Page 604
Ngrep......Page 609
Summary......Page 610
Class A IP network addresses......Page 612
Subnetting IP networks......Page 613
Basics of wildcards......Page 616
Basics of regular expressions......Page 618
How to Use Online man Pages......Page 619
cat......Page 621
chown......Page 622
cmp......Page 623
cut......Page 624
diff......Page 625
du......Page 627
emacs......Page 628
fgrep......Page 629
find......Page 630
head......Page 631
ls......Page 632
mv......Page 633
rm......Page 634
sort......Page 635
stat......Page 636
touch......Page 637
uniq......Page 638
vi......Page 639
wc......Page 640
which......Page 641
compress......Page 642
rpm......Page 643
tar......Page 645
uudecode......Page 646
dd......Page 647
df......Page 648
mkfs......Page 649
swapoff......Page 650
DOS-Compatible Commands......Page 651
mformat......Page 652
shutdown......Page 653
uname......Page 654
groups......Page 655
su......Page 656
User Commands for Accessing Network Services......Page 657
lynx......Page 658
mail......Page 659
rlogin......Page 660
wall......Page 661
ifconfig......Page 662
netstat......Page 663
nslookup......Page 664
ping......Page 665
route......Page 666
tcpdump......Page 667
traceroute......Page 668
bg......Page 669
bc......Page 670
cal......Page 671
write......Page 672
history......Page 673
source......Page 674
lpr......Page 675
lprm......Page 676
The comp.os.linux hierarchy......Page 678
Miscellaneous Linux newsgroups......Page 680
General lists......Page 681
General resources......Page 682
User Groups......Page 683
Notify Appropriate Authorities......Page 684
Analyze the Compromised System Data......Page 685
Restoring the system......Page 686
Sample Book Scripts in Text Format......Page 688
Troubleshooting......Page 691
A......Page 692
B - C......Page 693
D......Page 695
E......Page 696
F......Page 697
G......Page 698
H - I......Page 699
J - L......Page 700
M......Page 701
N......Page 703
O - P......Page 704
Q - R......Page 706
S......Page 707
T......Page 710
U......Page 711
V - W......Page 712
X - Z......Page 713
Preamble......Page 714
Terms and Conditions for Copying, Distribution, and Modification......Page 715
No Warranty......Page 719
Red Hat Certified Engineer......Page 720
Red Hat™ Press......Page 721