Chapter 14 Linux Security 443
finger
This command is used to find out information about a particular user or host. You should disable the finger service because it allows an outside user to gain valuable information about your system. Disable the service in the inetd.conf file, specifically the daemons fingerd and cfingerd.
nmap
nmap is a special utility, commonly called a port scanner, that you can use to see which ports are open on your system and therefore which services you are currently exposing to the outside world. This tool is very useful because it lets you know exactly what services you are providing from your system. You can then decide which ones you want to keep, and disable the others that aren’t being used, because unused services pose a security risk.
Securing a Web server
The most widely used Web server for Linux is the Apache Web server. It currently runs on approximately 60 percent of all Web servers on the Internet. Web server attacks have become increasingly common in the last few years, and hacking or disabling a Web site has become an everyday occurrence. To prevent this from happening, there are a number of precautions that you can take to protect your Web server.
Apache versions
You must ensure that you are using the most recent version of Apache. The most recent version, as of July 2001, is 1.3.20. You can always obtain the latest release of Apache from www.apache.org.
Modifying httpd.conf
The configuration file for Apache is usually located in /usr/local/apache/conf/httpd.conf, or in /etc/httpd/conf/httpd.conf. You can modify a number of settings to make your server more secure than the default installation.
User/Group
The httpd.conf configuration file contains the User and Group directives, which tell the Apache Web server which user and group to use when running its service daemon. By default, these directives are set to nobody, which is a special user with only limited rights. You can set the user to anyone, but this poses a security risk. If you run the Web server as user root, malicious users may be able to gain root access to your machine via the Web server. If you need to switch it from the default, ensure that the user has only read and execute permissions, and only for your Web directories.
DocumentRoot
This directive sets the initial root directory for your Web pages. Ensure that this value points to your Web directory and not to a different directory. For example, if it is set to /etc, any user connecting to the Web server is able to see all the system configuration files.
Indexes
By removing the indexes directive, you can prevent users from seeing an index of a directory if they access a URL that doesn’t point to a specific document.
CGI scripts
Some default installations of Apache come with a set of example CGI scripts. Delete these because some of these scripts contain known security holes.
Modules
Apache comes with a system of loadable modules for extra functionality, which you can add and remove as needed. Ensure that only the modules that you need are loaded, and remove all others. Having extra modules increases the complexity of your system, and thereby increases the number of possible security holes.
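The httpd.conf settings discussed above can be checked with a short script. This is an added example, not code from the book; the list of directories treated as unsafe for DocumentRoot and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): flag httpd.conf settings that the
# section above warns about. Reads a file argument or standard input.
audit_httpd_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blanks
        { gsub(/"/, ""); key = tolower($1); val = $2 }
        key == "user"  && val == "root" { print "User: daemon runs as root" }
        key == "group" && val == "root" { print "Group: daemon runs in group root" }
        key == "documentroot" {
            # Assumed list of directories that should never be served.
            if (val == "/" || (val "/") ~ /^\/(etc|root|bin|sbin|var\/log)\//)
                print "DocumentRoot: " val " exposes system files"
        }
        key == "options" {
            # Indexes is switched on through the Options directive.
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "indexes" || opt == "+indexes" || opt == "all")
                    print "Options: directory listings enabled by " $i
            }
        }
        key == "scriptalias" { print "ScriptAlias: check " $3 " for example CGI scripts" }
        key == "loadmodule"  { print "LoadModule: confirm " val " is needed" }
    ' "${1:--}"
}

# Constructed sample configuration, not taken from a real server.
sample_httpd_conf() {
    cat <<'EOF'
# constructed httpd.conf fragment
User root
Group nobody
DocumentRoot "/etc"
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
LoadModule status_module libexec/mod_status.so
EOF
}

sample_httpd_conf | audit_httpd_conf
```

Run it against your own file with `audit_httpd_conf /etc/httpd/conf/httpd.conf`; an empty result means none of these settings were found.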
Securing an FTP server
Along with Web servers, FTP servers are one of the most popular applications that can be easily run from Linux. Unfortunately, many FTP server software configurations contain a number of security holes that can be easily compromised. There are a number of ways in which you can increase security for your FTP server — especially by utilizing the FTP configuration files to reduce the risk of being compromised.
FTP program version
Ensure that you are using the most recent version of your FTP server. The most recent release will always have updated security patches that have fixed previous holes in the system. Check the website of your particular Linux distribution, or the web page of the FTP program you are using for the most recent updates.
FTP configuration files
The FTP daemon uses several configuration files to control access to the FTP server. Adding and removing certain users from these files will greatly enhance the security on your system because you can ensure that only a select group of user accounts can get access. These files are located in the /etc directory.
ftpusers
This file contains a list of user names that are not allowed to log in to the FTP server (this file is usually blank by default). Copy all special accounts (such as root, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, lists, and xfs) into this file so that they can’t access FTP services.
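To find special accounts that are still missing from ftpusers, compare it against the password file. This is an added example, not code from the book; the UID limit of 500 for "special" accounts and the sample files are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): list system accounts that can still
# use FTP because they are missing from ftpusers.
# Usage: ftp_unblocked PASSWD_FILE FTPUSERS_FILE [UID_LIMIT]
ftp_unblocked() {
    # UID_LIMIT is an assumption: accounts below it are treated as special
    # accounts. 500 is used here; adjust it for your distribution.
    awk -F: -v deny="$2" -v limit="${3:-500}" '
        BEGIN {
            # Load ftpusers first. Reading it with getline keeps an empty
            # file (the usual default) from being mistaken for passwd.
            while ((getline line < deny) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") blocked[line] = 1
            }
            close(deny)
        }
        /^#/ || NF < 3 { next }
        ($3 + 0) < (limit + 0) && !($1 in blocked) { print $1 }
    ' "$1"
}

# Constructed sample files, not taken from a real system.
demo_ftp_unblocked() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
    printf 'root\nbin\n# remaining accounts not added yet\n' > "$dir/ftpusers"
    ftp_unblocked "$dir/passwd" "$dir/ftpusers"
    rm -rf "$dir"
}

demo_ftp_unblocked
```

Every name printed is a special account that should be added to ftpusers.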
ftphosts
This file allows access to the FTP server from a selected set of hosts. They can be identified either by IP addresses or hostnames. The default file is blank, which allows any host to access the system. For example, if you want to give access to only machines from your own domain, add the following line to the ftphosts file:
allow * *.mycompany.com
You can also deny specific hosts by using the deny command within the configuration file:
deny * *.hackers.org
Anonymous users
Depending on your FTP server setup, you may not want anonymous users to have access, especially if the FTP files are for your company use only. Disable the anonymous account, which is usually the ftp user.
The most vulnerable applications are any type of Internet application, such as Web and FTP servers. They are the most commonly hacked services, and therefore, you must give special attention to the security of these systems.
Process security
5.13 Set daemon and process permissions (e.g., SUID - SGID - Owner/groups)
Every process and daemon that is running on your system employs a user ID to create its permission base. Many important system services need to use the root user ID to perform their functions, which may involve killing and starting other processes. Other less important daemons employ user IDs with limited rights, such as nobody or daemon.
Any service or daemon running as the root user poses a security risk to your system. If that service can be interrupted or be directed to perform other activities not related to its function, it will do so as the root user. Effectively, this gives the unauthorized person who controls the daemon root access to your machine.
Ensure that all services and daemons are using the most appropriate user ID for their function, and that they have the least amount of permission rights possible.
Set-user-ID permission (SUID) is a special permission that can be set on executable files. It allows any user that is executing the file to run that file as if they were the file’s owner. The Set-Group-ID permission (SGID) performs the same function, but for groups.
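Because SUID and SGID files run with their owner's or group's rights, it is worth keeping an inventory of them and reviewing anything new. This is an added example, not code from the book; the baseline file format (one reviewed path per line) and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): inventory SUID/SGID files and report
# any that are not in a reviewed baseline list.

# setid_files DIR : print "suid", "sgid" or "suid+sgid" and the path
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    sort |
    while IFS= read -r f; do
        kind=""
        [ -u "$f" ] && kind="suid"
        [ -g "$f" ] && kind="${kind:+$kind+}sgid"
        printf '%s %s\n' "$kind" "$f"
    done
}

# setid_unreviewed DIR BASELINE : entries found under DIR whose path is
# absent from BASELINE (assumed format: one reviewed path per line).
setid_unreviewed() {
    setid_files "$1" | while read -r kind path; do
        grep -Fxq -- "$path" "$2" || printf '%s %s\n' "$kind" "$path"
    done
}

# Constructed sample directory with hypothetical file names.
demo_setid() {
    d=$(mktemp -d) || return 1
    touch "$d/passwd-helper" "$d/mail-helper" "$d/plain"
    chmod 4755 "$d/passwd-helper"     # SUID
    chmod 2755 "$d/mail-helper"       # SGID
    chmod 755  "$d/plain"             # no special bits
    printf '%s\n' "$d/mail-helper" > "$d/baseline"
    setid_unreviewed "$d" "$d/baseline" | sed "s|$d/||"
    rm -rf "$d"
}

demo_setid
```

On a real system, point `setid_files` at `/` once, review the result, save the paths as the baseline, and rerun `setid_unreviewed` after installing or upgrading packages.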