Is it more secure to compile driver support directly into the
kernel, instead of making it a module?
Answer: Some people think it is better to disable the ability
to load device drivers using modules, because an intruder could load
a Trojan module or a module that could affect system
security.
However, in order to load modules, you must be root. The
module object files are also only writable by root. This means the
intruder would need root access to insert a module. If the intruder
gains root access, there are more serious things to worry about than
whether he will load a module.
Modules exist to load support for a particular device dynamically,
typically one that is used infrequently. On server machines or
firewalls, for instance, such devices are rarely needed. For this
reason, it makes more sense to compile support directly into the
kernel on machines acting as a server. Modules are also slower than
support compiled directly into the kernel.
Why does logging in as root from a remote machine always
fail?
Answer: See Section 4.2. This is done
intentionally to prevent remote users from attempting to connect via
telnet to your machine as root, which is a serious security
vulnerability, because then the root password would be transmitted,
in clear text, across the network. Don't forget: potential intruders
have time on their side, and can run automated programs to find your
password. Additionally, this is done to keep a clear record of who
logged in, not just root.
How do I enable shadow passwords on my Linux box?
Answer:
To enable shadow passwords, run pwconv as root; /etc/shadow will then exist and be used by
applications. If you are using RH 4.2 or above, the PAM modules will
automatically adapt to the change from the normal /etc/passwd to shadow passwords without any
other change.
Some background: shadow passwords are a mechanism for storing
your password in a file other than the normal /etc/passwd file. This has several advantages.
The first is that the shadow file, /etc/shadow, is only readable by root, unlike
/etc/passwd, which must remain
readable by everyone. The other advantage is that as the
administrator, you can enable or disable accounts without everyone
knowing the status of other users' accounts.
The /etc/passwd file is then
used to store user and group names, used by programs like /bin/ls to map the user ID to the proper user
name in a directory listing.
The /etc/shadow file then only
contains the user name and his/her password, and perhaps accounting
information, like when the account expires, etc.
Since you're interested in securing your passwords, perhaps
you would also be interested in generating good passwords to begin
with. For this you can use the pam_cracklib module, which is part of PAM. It
runs your password against the Crack libraries to help you decide if
it is too easily guessable by password-cracking programs.
How can I enable the Apache SSL extensions?
Answer:
1. Get SSLeay 0.8.0 or later.
2. Build, test and install it.
3. Get the Apache source.
4. Get the Apache SSLeay extensions.
5. Unpack them in the Apache source directory and patch
   Apache as per the README.
6. Configure and build it.
You might also try ZEDZ
net, which has many pre-built packages and is located
outside of the United States.
How can I manipulate user accounts, and still retain
security?
Answer: Most distributions contain a great number of tools to
change the properties of user accounts.
The pwconv and pwunconv programs can be used to convert
between shadowed and non-shadowed passwords.
The pwck and grpck programs can be used to verify
proper organization of the passwd and group files.
The useradd, usermod, and userdel programs can be used to add,
delete and modify user accounts. The groupadd, groupmod, and groupdel programs will do the same for
groups.
Group passwords can be created using gpasswd.
All these programs are "shadow-aware" -- that is, if you
enable shadow they will use /etc/shadow for password information, otherwise
they won't.
See the respective man pages for further information.
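As an added check, not part of the HOWTO, the script below audits a passwd file and its shadow companion for the points raised in the two answers above (no hash or empty field left in passwd after pwconv, every user present in shadow, shadow not world-readable), much as pwck does. File paths, user names and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit a passwd/shadow pair the way pwck
# would for the points above. Exit status 0 means clean; 1 means findings
# were printed. Paths are parameters so it can run on sample files.
shadow_audit() {
    passwd_file=$1
    shadow_file=$2
    rc=0

    # Field 2 of passwd must hold only a placeholder (x, *, !) after pwconv;
    # an empty field lets anyone log in as that user without a password.
    awk -F: '
        $2 == ""                            { printf "empty password field: %s\n", $1; bad=1; next }
        $2 != "x" && $2 != "*" && $2 != "!" { printf "hash still in passwd: %s\n", $1; bad=1 }
        END { exit (bad ? 1 : 0) }' "$passwd_file" || rc=1

    # Every passwd user needs a shadow entry, or login for that user breaks.
    awk -F: 'NR == FNR { seen[$1] = 1; next }
             !($1 in seen) { printf "no shadow entry: %s\n", $1; bad=1 }
             END { exit (bad ? 1 : 0) }' "$shadow_file" "$passwd_file" || rc=1

    # The point of shadow is that "other" cannot read the hashes:
    # column 8 of ls -l output is the other-read bit.
    if [ "$(ls -ld "$shadow_file" | cut -c8)" = "r" ]; then
        echo "world-readable: $shadow_file"; rc=1
    fi
    return $rc
}

# Constructed sample data: one correctly shadowed pair, and one pair where a
# hash was left behind in passwd and shadow is world-readable. Hashes are
# placeholders, not real crypt(3) output.
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' > "$demo_dir/passwd.good"
printf 'root:$6$PLACEHOLDER$hash:19000:0:99999:7:::\nalice:!:19000:0:99999:7:::\n' > "$demo_dir/shadow.good"
chmod 600 "$demo_dir/shadow.good"
printf 'root:x:0:0:root:/root:/bin/sh\nbob:$1$PLACEHOLDER$hash:1001:1001::/home/bob:/bin/sh\n' > "$demo_dir/passwd.bad"
cp "$demo_dir/shadow.good" "$demo_dir/shadow.bad"
chmod 644 "$demo_dir/shadow.bad"

shadow_audit "$demo_dir/passwd.good" "$demo_dir/shadow.good" && echo "good pair: clean"
shadow_audit "$demo_dir/passwd.bad" "$demo_dir/shadow.bad" || echo "bad pair: findings above"
```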
How can I password-protect specific HTML documents using
Apache?
Answer: I bet you didn't know about http://www.apacheweek.org,
did you?
You can find information on user authentication at http://www.apacheweek.com/features/userauth
as well as other web server security tips from http://www.apache.org/docs/misc/security_tips.html