eBooks-IT.org 4444_FM_final.qxd 1/5/05 12:39 AM Page i eBooks-IT.org Hardening Linux JAMES TURNBULL 4444_FM_final.qxd 1/5/05 12:39 AM Page ii eBooks-IT.org Hardening Linux Copyright © 2005 by James Turnbull All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. ISBN (pbk): 1-59059-444-4 Printed and bound in the United States of America 987654321 Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. Lead Editor: Jim Sumser Technical Reviewer: Judith Myerson Editorial Board: Steve Anglin, Dan Appleman, Ewan Buckingham, Gary Cornell, Tony Davis, Jason Gilmore, Chris Mills, Dominic Shakeshaft, Jim Sumser Project Manager: Kylie Johnston Copy Edit Manager: Nicole LeClerc Copy Editor: Kim Wimpsett Production Manager: Kari Brooks-Copony Production Editor: Kelly Winquist Compositor: Linda Weidemann Proofreader: Lori Bring Indexer: Kevin Broccoli Artist: Kinetic Publishing Services, LLC Cover Designer: Kurt Krames Manufacturing Manager: Tom Debolski Distributed to the book trade in the United States by Springer-Verlag New York, Inc., 233 Spring Street, 6th Floor, New York, NY 10013, and outside the United States by Springer-Verlag GmbH & Co. KG, Tiergartenstr. 17, 69112 Heidelberg, Germany. In the United States: phone 1-800-SPRINGER, fax 201-348-4505, e-mail [email protected], or visit http://www.springer-ny.com. Outside the United States: fax +49 6221 345229, e-mail [email protected], or visit http://www.springer.de. For information on translations, please contact Apress directly at 2560 Ninth Street, Suite 219, Berkeley, CA 94710. Phone 510-549-5930, fax 510-549-5939, e-mail [email protected], or visit http://www.apress.com. The information in this book is distributed on an “as is” basis, without warranty. Although every precau- tion has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liabil- ity to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work. The source code for this book is available to readers at http://www.apress.com in the Downloads section. 4444_FM_final.qxd 1/5/05 12:39 AM Page iii eBooks-IT.org For Lucinda, who put up with having an absentee husband for many months and without whose love and support I would not have been able to write this book. For my grandparents, Alice and Jim Turnbull, whose love and support is greatly missed. 4444_FM_final.qxd 1/5/05 12:39 AM Page iv eBooks-IT.org 4444_FM_final.qxd 1/5/05 12:39 AM Page v eBooks-IT.org Contents at a Glance About the Author . xv About the Technical Reviewer. xvii Acknowledgments . xix Introduction. xxi CHAPTER 1 Hardening the Basics . 1 CHAPTER 2 Firewalling Your Hosts . 79 CHAPTER 3 Securing Connections and Remote Administration . 137 CHAPTER 4 Securing Files and File Systems . 187 CHAPTER 5 Understanding Logging and Log Monitoring . 233 CHAPTER 6 Using Tools for Security Testing . 281 CHAPTER 7 Securing Your Mail Server . 321 CHAPTER 8 Authenticating and Securing Your Mail . 373 CHAPTER 9 Hardening Remote Access to E-mail. 403 CHAPTER 10 Securing an FTP Server. 443 CHAPTER 11 Hardening DNS and BIND . 463 APPENDIX A The Bastion Host Firewall Script . 511 APPENDIX B BIND Configuration Files . 517 APPENDIX C Checkpoints . 525 INDEX. 533 v 4444_FM_final.qxd 1/5/05 12:39 AM Page vi eBooks-IT.org 4444_FM_final.qxd 1/5/05 12:39 AM Page vii eBooks-IT.org Contents About the Author . xv About the Technical Reviewer. xvii Acknowledgments . xix Introduction. xxi ICHAPTER 1 Hardening the Basics . 1 Installing Your Distribution Securely. 2 Some Answers to Common Installation Questions. 2 Install Only What You Need. 2 Secure Booting, Boot Loaders, and Boot-Time Services . 4 Securing Your Boat Loader . 5 Init, Starting Services, and Boot Sequencing . 8 Consoles, Virtual Terminals, and Login Screens. 15 Securing the Console . 16 The Red Hat Console. 16 Securing Virtual Terminals . 17 Securing Login Screens . 18 Users and Groups . 19 Shadow Passwording . 22 Groups . 23 Adding Users. 24 Adding Groups . 26 Deleting Unnecessary Users and Groups. 28 Passwords. 31 Password Aging . 35 sudo . 37 User Accounting . 42 Process Accounting. 44 Pluggable Authentication Modules (PAM) . 46 PAM Module Stacking . 48 The PAM “Other” Service . 49 Restricting su Using PAM . 50 vii 4444_FM_final.qxd 1/5/05 12:39 AM Page viii viii ICONTENTS eBooks-IT.org Setting Limits with PAM . 51 Restricting Users to Specific Login Times with PAM . 53 Package Management, File Integrity, and Updating . 56 Ensuring File Integrity . 57 Downloading Updates and Patches . 61 Compilers and Development Tools . 64 Removing the Compilers and Development Tools . 64 Restricting the Compilers and Development Tools. 65 Hardening and Securing Your Kernel . 66 Getting Your Kernel Source. 66 The Openwall Project . 68 Other Kernel-Hardening Options . 74 Keeping Informed About Security . 75 Security Sites and Mailing Lists . 75 Vendor and Distribution Security Sites. 76 Resources. 76 Mailing Lists . 76 Sites . 77 ICHAPTER 2 Firewalling Your Hosts. 79 So, How Does a Linux Firewall Work? . 80 Tables. 82 Chains . 82 Policies. ..
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages584 Page
-
File Size-