Linux Administrator's Security Guide
LASG - 0.1.2

By Kurt Seifried ([email protected])
copyright 1999, All rights reserved.

Available at: https://www.seifried.org/lasg/

This document is free for most non-commercial uses; the license follows the table of contents, please read it if you have any concerns. If you have any questions email [email protected]. A mailing list is available: send an email to [email protected] with "subscribe lasg-announce" in the body (no quotes) and you will be automatically added.

Table of contents

License
Preface
    Foreword by the author
    Contributing
    What this guide is and isn't
    How to determine what to secure and how to secure it
Safe installation of Linux
    Choosing your install media
    It ain't over 'til...
    General concepts, server versus workstations, etc
Physical / Boot security
    Physical access
    The computer BIOS
    LILO
The Linux kernel
    Upgrading and compiling the kernel
    Kernel versions
Administrative tools
    Access
        Telnet
        SSH
        LSH
        REXEC
        NSH
        Slush
        SSL Telnet
        Fsh
        secsh
    Local
        YaST
        sudo
        Super
    Remote
        Webmin
        Linuxconf
        COAS
    PAM
System Files
    /etc/passwd
    /etc/shadow
    /etc/groups
    /etc/gshadow
    /etc/login.defs
    /etc/shells
    /etc/securetty
Log files and other forms of monitoring
    General log security
        sysklogd / klogd
        secure-syslog
        next generation syslog
    Log monitoring
        logcheck
        colorlogs
        WOTS
        swatch
    Kernel logging
        auditd
    Shell logging
        bash
Password security
    Cracking passwords
        John the ripper
        Crack
        Saltine cracker
        VCU
Software Management
    RPM
    dpkg
    tarballs / tgz
    Checking file integrity
        RPM
        dpkg
        PGP
        MD5
    Automatic updates
        RPM
            AutoRPM
            rhlupdate
            RpmWatch
        dpkg
            apt
        tarballs / tgz
    Tracking changes
        installwatch
        instmon
    Converting formats
        alien
File / Filesystem security
    Secure file deletion
        wipe ([email protected])
        wipe ([email protected])
TCP-IP and network security
    IPSec
    IPv6
    TCP-IP attack programs
        HUNT Project
PPP security
IP Security
Routing
    routed
    gated
    zebra
Basic network service security
    What is running and who is it talking to?
        PS Output
        Netstat Output
        lsof
    Basic network services config files
        inetd.conf
        TCP_WRAPPERS
Network services
    Telnetd
    SSHD
        Fresh Free FiSSH
        Tera Term
        putty
        mindterm
        LSH
        Secure CRT
    RSH, REXEC, RCP
    Webmin
    FTP
        WU-FTPD
        ProFTPD
    HTTP / HTTPS
        Apache / Apache-SSL
        Red Hat Secure Server
        Roxen
    SQUID
    SMTP
        Sendmail
        Qmail
        Postfix
        Zmailer
        DMail
    POPD
        WU IMAPD (stock popd)
        Cyrus
        IDS POP
    IMAPD
        WU IMAPD (stock imapd)
        Cyrus
    WWW based mail readers
        Non Commercial
            IMP
            AtDot
        Commercial
            DmailWeb
            WebImap
            Coconut WebMail Pro
    DNS
        Bind
        Dents
    NNTP
        INN
        Diablo
        DNews
        Cyclone
        Typhoon
    DHCPD
    NFSD
    tftp
        tftp
        utftpd
    bootp
    cu-snmp
    Finger
    Identd
    ntpd
    CVS
    rsync
    lpd
        LPRng
        pdq
        CUPS
    SAMBA
        SWAT
File sharing methods
    SAMBA
    NFS
    Coda
    Drall
    AFS
Network based authentication
    NIS / NIS+
    SRP
    Kerberos
Encrypting services / data
    Encrypting network services
        SSL
        HTTP - SSL
        Telnet - SSL
        FTP - SSL
    Virtual private network solutions
        IPSec
        PPTP
        CIPE
        ECLiPt
    Encrypting data
        PGP
        GnuPG
        CFS
    Sources of random data
Firewalling
    IPFWADM
    IPCHAINS
    Rule Creation
        ipfwadm2ipchains
        mason
        firewall.sh
        Mklinuxfw
        kfirewall
Scanning / intrusion testing tools
    Host scanners
        Cops
        SBScan
    Network scanners
        Strobe
        nmap
        MNS
        Bronc Buster vs. Michael Jackson
        Leet scanner
        Soup scanner
        Portscanner
        Queso
    Intrusion scanners
        Nessus
        Saint
        Cheops
        Ftpcheck / Relaycheck
        SARA
    Firewall scanners
        Firewalk
    Exploits
Scanning and intrusion detection tools
    Logging tools
        Logcheck
        Port Sentry
    Host based attack detection
        Firewalling
        TCP_WRAPPERS
        Klaxon
        Host Sentry
        Pikt
    Network based attack detection
        NFR
    Host monitoring tools
        check.pl
        bgcheck
        Sxid
        Viperdb
        Pikt
        DTK
Packet sniffers
    tcpdump
    sniffit
    Ethereal
    Other sniffers
Virii, Trojan Horses, and Worms
    Disinfection of virii / worms / trojans
    Virus scanners for Linux
        Sophos Anti-Virus
        AntiVir
    Scanning Email
        AMaViS
        Sendmail
        Postfix
Password storage
    Gpasman
Conducting baselines / system integrity
    Tripwire
    L5
    Gog&Magog
    Confcollect
    Backups
Conducting audits
Backups
    Tar and Gzip
    Noncommercial Backup programs for Linux
        Amanda
        afbackup
    Commercial Backup Programs for Linux
        BRU
        Quickstart
        CTAR
        CTAR:NET
        Backup Professional
        PC ParaChute
        Arkeia
        Legato Networker
    Pros and Cons of Backup Media
Dealing with attacks
Denial of service attacks
Examples of attacks
Distribution specific documentation
    Red Hat 6.0
    SuSE 6.1
    Caldera 2.2
    Debian 2.1
    Slackware 4.0
Distribution specific errata and security lists
    Red Hat
    Debian
    Slackware
    Caldera
    SuSE
WWW server specifics
    FTP access
    Samba access
    WWW based access
    FrontPage access
Internet connection checklist
Contributors
Appendix A: Books and magazines
Appendix B: URL listing for programs
Appendix C: Other Linux security documentation
Appendix D: Online security documentation
Appendix E: General security sites
Appendix F: General Linux sites
Version History

License

Terms and Conditions for Copying, Distributing, and Modifying

Items other than copying, distributing, and modifying the Content with which this license was distributed (such as using, etc.) are outside the scope of this license. The 'guide' is defined as the documentation and knowledge contained in this file.

1. You may copy and distribute exact replicas of the guide as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the guide a copy of this License along with the guide. You may at your option charge a fee for the media and/or handling involved in creating a unique copy of the guide for use offline, you may at your option offer instructional support for the guide in exchange for a fee, or you may at your option offer warranty in exchange for a fee. You may not charge a fee for the guide itself. You may not charge a fee for the sole service of providing access to and/or use of the guide via a network (e.g. the Internet), whether it be via the world wide web, FTP, or any other method.

2. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to copy, distribute or modify the guide. These actions are prohibited by law if you do not accept this License. Therefore, by distributing or translating the guide, or by deriving works herefrom, you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or translating the guide.

NO WARRANTY

3. BECAUSE THE GUIDE IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE GUIDE, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE GUIDE "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK OF USE OF THE GUIDE IS WITH YOU. SHOULD THE GUIDE PROVE FAULTY, INACCURATE, OR OTHERWISE UNACCEPTABLE YOU ASSUME THE COST OF ALL NECESSARY REPAIR OR CORRECTION.

4. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MIRROR AND/OR REDISTRIBUTE THE GUIDE AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE GUIDE, EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.