LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
How would you rate the importance of default settings in security?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
Emily Ratliff: OS Security
DanWalsh LiveJournal
Security Bloggers Network
Latest Newsletters
Linux Advisory Watch: May 16th, 2008
Linux Security Week: May 13th, 2008
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Linux Security HOWTO

Linux Security HOWTO

Kevin Fenzi

tummy.com, ltd.

Dave Wreski

linuxsecurity.com

v2.4, January 2006

This document is a general overview of security issues that face the administrator of Linux systems. It covers general security philosophy and a number of specific examples of how to better secure your Linux system from intruders. Also included are pointers to security-related material and programs. Improvements, constructive criticism, additions and corrections are gratefully accepted. Please mail your feedback to both authors, with "Security HOWTO" in the subject.

Table of Contents
1. Introduction
1.1. New Versions of this Document
1.2. Feedback
1.3. Disclaimer
1.4. Copyright Information
2. Overview
2.1. Why Do We Need Security?
2.2. How Secure Is Secure?
2.3. What Are You Trying to Protect?
2.4. Developing A Security Policy
2.5. Means of Securing Your Site
2.5.1. Host Security
2.5.2. Local Network Security
2.5.3. Security Through Obscurity
2.6. Organization of This Document
3. Physical Security
3.1. Computer locks
3.2. BIOS Security
3.3. Boot Loader Security
3.4. xlock and vlock
3.5. Security of local devices
3.6. Detecting Physical Security Compromises
4. Local Security
4.1. Creating New Accounts
4.2. Root Security
5. Files and File system Security
5.1. Umask Settings
5.2. File Permissions
5.3. Integrity Checking
5.4. Trojan Horses
6. Password Security and Encryption
6.1. PGP and Public-Key Cryptography
6.2. SSL, S-HTTP and S/MIME
6.3. Linux IPsec Implementations
6.4. Secure Shell
6.5. Pluggable Authentication Modules (PAM)
6.6. Cryptographic IP Encapsulation (CIPE)
6.7. Kerberos
6.8. Shadow Passwords.
6.9. "Crack" and "John the Ripper"
6.10. Linux Cryptographic Filesystems
6.11. X11, SVGA and display security
6.11.1. X11
6.11.2. SVGA
6.11.3. GGI (Generic Graphics Interface project)
7. Kernel Security
7.1. 2.0 Kernel Compile Options
7.2. 2.2 Kernel Compile Options
7.3. Kernel Devices
8. Network Security
8.1. Packet Sniffers
8.2. System services and tcp_wrappers
8.3. Verify Your DNS Information
8.4. identd
8.5. Configuring and Securing the Postfix MTA
8.6. SATAN, ISS, and Other Network Scanners
8.6.1. Detecting Port Scans
8.7. sendmail, qmail and MTA's
8.8. Denial of Service Attacks
8.9. NFS (Network File System) Security.
8.10. Network Information Service (NIS)
8.11. Firewalls
8.12. Netfilter - Linux Kernel v2.4 & v2.6 Firewalling
9. Security-Enhanced Linux
9.1. Discretionary Access Control vs. Mandatory Access Control
9.2. SELinux Security Resources
10. Security Preparation (before you go on-line)
10.1. Make a Full Backup of Your Machine
10.2. Choosing a Good Backup Schedule
10.3. Testing your backups
10.4. Backup Your RPM or Debian File Database
10.5. Keep Track of Your System Accounting Data
10.6. Apply All New System Updates.
11. What To Do During and After a Breakin
11.1. Security Compromise Underway.
11.2. Security Compromise has already happened
11.2.1. Closing the Hole
11.2.2. Assessing the Damage
11.2.3. Backups, Backups, Backups!
11.2.4. Tracking Down the Intruder.
12. Security Sources
12.1. LinuxSecurity.com References
12.2. Web Sites
13. Glossary
14. Frequently Asked Questions
15. Conclusion
16. Acknowledgments

1. Introduction

This document covers some of the main issues that affect Linux security. General philosophy and net-born resources are discussed. This is the seventh year of production of this HOWTO. Dave and Kevin have worked quite hard to make this informative, easy to read, and succinct. It's much easier to Google for a topic than it was back in 1998, but hopefully this document will give you direction on where to go for information, and authoritative advice on what's real and what's snake oil.

A number of other HOWTO documents overlap with security issues, and those documents have been pointed to wherever appropriate.

This document is not meant to be a up-to-date exploits document. Large numbers of new exploits happen all the time. This document will tell you where to look for such up-to-date information, and will give some general methods to prevent such exploits from taking place.

1.1. New Versions of this Document

New versions of this document will be periodically posted to comp.os.linux.answers. They will also be added to the various sites that archive such information, including:

http://www.tldp.org/

The very latest version of this document should also be available in various formats from:

1.2. Feedback

All comments, error reports, additional information and criticism of all sorts should be directed to:

kevin-securityhowto@tummy.com

and

dave@linuxsecurity.com

Note: Please send your feedback to both authors. Also, be sure and include "Linux" "security", or "HOWTO" in your subject to avoid Kevin's spam filter.

1.3. Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. Additionally, this is an early version, possibly with many inaccuracies or errors.

A number of the examples and descriptions use the Red Hat package layout and system setup. Your mileage may vary.

As far as we know, only programs that, under certain terms may be used or evaluated for personal purposes will be described. Most of the programs will be available, complete with source, under GNU terms.

1.4. Copyright Information

This document is copyrighted (c)1998-2006 Kevin Fenzi and Dave Wreski, and distributed under the following terms:

  • Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium, physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the authors would like to be notified of any such distributions.

  • All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below.

  • If you have questions, please contact Tim Bynum, the Linux HOWTO coordinator, at tjbynum@metalab.unc.edu.

  
  Overview
    
Partner:

 
Latest Features
Review: The Book of Wireless
April 2008 Open Source Tool of the Month: sudo
Open Source Tool of March: ZoneMinder
Meet the Anti-Nmap: PSAD
Open Source Tool of February: Nmap!
HowTo: Secure your Ubuntu Apache Web Server
SSH: Best Practices
Yesterday's Edition
Strong passwords no panacea as SSH Brute-Force Attacks Rise
Tools circulate that crack Debian, Ubuntu keys

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
  Security Projects ,   Latest News ,  Newsletters ,  SELinux ,  Privacy ,  Home,
 Hardening ,   About Us,   Advertise,   Legal Notice,   RSS,   Guardian Digital

(c)Copyright 2008 Guardian Digital, Inc. All rights reserved.