Red Hat Enterprise Linux 3 Security Guide
Red Hat Enterprise Linux 3: Security Guide

Copyright © 2003 by Red Hat, Inc.

Red Hat, Inc.
1801 Varsity Drive
Raleigh NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park NC 27709 USA

rhel-sg(EN)-3-Print-RHI (2003-07-25T17:12)

This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.

Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.

Red Hat, Red Hat Network, the Red Hat "Shadow Man" logo, RPM, Maximum RPM, the RPM logo, Linux Library, PowerTools, Linux Undercover, RHmember, RHmember More, Rough Cuts, Rawhide and all Red Hat-based trademarks and logos are trademarks or registered trademarks of Red Hat, Inc. in the United States and other countries.

Linux is a registered trademark of Linus Torvalds.

Motif and UNIX are registered trademarks of The Open Group.

Intel and Pentium are registered trademarks of Intel Corporation. Itanium and Celeron are trademarks of Intel Corporation.

AMD, Opteron, Athlon, Duron, and K6 are registered trademarks of Advanced Micro Devices, Inc.

Netscape is a registered trademark of Netscape Communications Corporation in the United States and other countries.

Windows is a registered trademark of Microsoft Corporation.

SSH and Secure Shell are trademarks of SSH Communications Security, Inc.

FireWire is a trademark of Apple Computer Corporation.

IBM, AS/400, OS/400, RS/6000, S/390, and zSeries are registered trademarks of International Business Machines Corporation.
eServer, iSeries, and pSeries are trademarks of International Business Machines Corporation.

All other trademarks and copyrights referred to are the property of their respective owners.

The GPG fingerprint of the [email protected] key is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E

Table of Contents

Introduction
    1. Document Conventions
    2. More to Come
        2.1. Send in Your Feedback

I. A General Introduction to Security
    1. Security Overview
        1.1. What is Computer Security?
        1.2. Security Controls
        1.3. Conclusion
    2. Attackers and Vulnerabilities
        2.1. A Quick History of Hackers
        2.2. Threats to Network Security
        2.3. Threats to Server Security
        2.4. Threats to Workstation and Home PC Security

II. Configuring Red Hat Enterprise Linux for Security
    3. Security Updates
        3.1. Updating Packages
    4. Workstation Security
        4.1. Evaluating Workstation Security
        4.2. BIOS and Boot Loader Security
        4.3. Password Security
        4.4. Administrative Controls
        4.5. Available Network Services
        4.6. Personal Firewalls
        4.7. Security Enhanced Communication Tools
    5. Server Security
        5.1. Securing Services With TCP Wrappers and xinetd
        5.2. Securing Portmap
        5.3. Securing NIS
        5.4. Securing NFS
        5.5. Securing the Apache HTTP Server
        5.6. Securing FTP
        5.7. Securing Sendmail
        5.8. Verifying Which Ports Are Listening
    6. Virtual Private Networks
        6.1. VPNs and Red Hat Enterprise Linux
        6.2. Crypto IP Encapsulation (CIPE)
        6.3. Why Use CIPE?
        6.4. CIPE Installation
        6.5. CIPE Server Configuration
        6.6. Configuring Clients for CIPE
        6.7. Customizing CIPE
        6.8. CIPE Key Management
        6.9. IPsec
        6.10. IPsec Installation
        6.11. IPsec Host-to-Host Configuration
        6.12. IPsec Network-to-Network configuration
    7. Firewalls
        7.1. Netfilter and IPTables
        7.2. Using IPTables
        7.3. Common iptables Filtering
        7.4. FORWARD and NAT Rules
        7.5. DMZs and iptables
        7.6. Viruses and Spoofed IP Addresses
        7.7. IP6Tables
        7.8. Additional Resources

III. Assessing Your Security
    8. Vulnerability Assessment
        8.1. Thinking Like the Enemy
        8.2. Defining Assessment and Testing