4754-2 cover 10/25/01 1:37 PM Page 1

Your Official Red Hat Linux Guide to Security and Optimization

Reviewed and approved by the experts at Red Hat, this comprehensive guide delivers the know-how you need to improve the performance of your Red Hat Linux system—and protect it from attacks and break-ins. Red Hat Linux expert Mohammed Kabir starts by showing you how to tune the kernel and filesystems and optimize network services, from speeding up Web servers to boosting the performance of Samba. He then explains how to secure your Red Hat Linux system, offering hands-on techniques for network and Internet security as well as in-depth coverage of Linux firewalls and virtual private networks. Complete with security utilities and ready-to-run scripts on CD-ROM, this official Red Hat Linux guide is an indispensable resource.

Proven Red Hat Linux Performance and Security Solutions
• Upgrade and configure your hardware to boost performance
• Customize the kernel and tune the filesystem for optimal results
• Use JFS and LVM to enhance the filesystem reliability and manageability
• Tweak Apache, Sendmail, Samba, and NFS servers for increased speed
• Protect against root compromises by enabling LIDS and Libsafe in the kernel
• Use PAM, OpenSSL, shadow passwords, OpenSSH, and xinetd to enhance network security
• Set up sensible security on Apache and reduce CGI and SSI risks
• Secure BIND, Sendmail, ProFTPD, Samba, and NFS servers
• Create a highly configurable packet filtering firewall to protect your network
• Build a secure virtual private network with FreeS/WAN
• Use port scanners, password crackers, and CGI scanners to locate vulnerabilities before the hackers do

CD-ROM FEATURES
Security tools, including cgichk.pl, gShield, IP Filter, John the Ripper, Lids, LSOF, Nessus, Netcat, Ngrep, Nmap, OpenSSH, OpenSSL, Postfix, SAINT trial version, SARA, Snort, Swatch, tcpdump, Tripwire Open Source Linux Edition, Vetescan, and Whisker
Scripts from the book
Plus a searchable e-version of the book

MOHAMMED J. KABIR is the founder and CEO of Evoknow, Inc., a company specializing in customer relationship management software development. His books include Red Hat Linux 7 Server, Red Hat Linux Administrator’s Handbook, Red Hat Linux Survival Guide, and Apache Server 2 Bible.

Reader Level: Intermediate to Advanced
Shelving Category: Networking
Reviewed and Approved by the Experts at Red Hat
Linux Solutions from the Experts at Red Hat
Security Tools on CD-ROM
$49.99 USA, $74.99 Canada, £39.99 UK incl. VAT
ISBN 0-7645-4754-2
Cover design by Michael J. Freeland
Cover photo © H. Armstrong Roberts
www.redhat.com
www.hungryminds.com
Red Hat Press
014754-2 FM.F 11/5/01 9:03 AM Page i
Red Hat Linux
Security and
Optimization
Mohammed J. Kabir
Hungry Minds, Inc.
New York, NY • Indianapolis, IN • Cleveland, OH
Red Hat Linux Security and Optimization
Published by
Hungry Minds, Inc.
909 Third Avenue
New York, NY 10022
www.hungryminds.com

Copyright © 2002 Hungry Minds, Inc. All rights reserved. No part of this book, including interior design, cover design, and icons, may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording, or otherwise) without the prior written permission of the publisher.

Library of Congress Control Number: 2001092938
ISBN: 0-7645-4754-2
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
1B/SX/RR/QR/IN

Distributed in the United States by Hungry Minds, Inc.

Distributed by CDG Books Canada Inc. for Canada; by Transworld Publishers Limited in the United Kingdom; by IDG Norge Books for Norway; by IDG Sweden Books for Sweden; by IDG Books Australia Publishing Corporation Pty. Ltd. for Australia and New Zealand; by TransQuest Publishers Pte Ltd. for Singapore, Malaysia, Thailand, Indonesia, and Hong Kong; by Gotop Information Inc. for Taiwan; by ICG Muse, Inc. for Japan; by Intersoft for South Africa; by Eyrolles for France; by International Thomson Publishing for Germany, Austria, and Switzerland; by Distribuidora Cuspide for Argentina; by LR International for Brazil; by Galileo Libros for Chile; by Ediciones ZETA S.C.R. Ltda. for Peru; by WS Computer Publishing Corporation, Inc., for the Philippines; by Contemporanea de Ediciones for Venezuela; by Express Computer Distributors for the Caribbean and West Indies; by Micronesia Media Distributor, Inc. for Micronesia; by Chips Computadoras S.A. de C.V. for Mexico; by Editorial Norma de Panama S.A. for Panama; by American Bookshops for Finland.

For general information on Hungry Minds’ products and services please contact our Customer Care department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993 or fax 317-572-4002.

For sales inquiries and reseller information, including discounts, premium and bulk quantity sales, and foreign-language translations, please contact our Customer Care department at 800-434-3422, fax 317-572-4002 or write to Hungry Minds, Inc., Attn: Customer Care Department, 10475 Crosspoint Boulevard, Indianapolis, IN 46256.

For information on licensing foreign or domestic rights, please contact our Sub-Rights Customer Care department at 212-884-5000.

For information on using Hungry Minds’ products and services in the classroom or for ordering examination copies, please contact our Educational Sales department at 800-434-2086 or fax 317-572-4005.

For press review copies, author interviews, or other publicity information, please contact our Public Relations department at 317-572-3168 or fax 317-572-4168.

For authorization to photocopy items for corporate, personal, or educational use, please contact Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, or fax 978-750-4470.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND AUTHOR HAVE USED THEIR
BEST EFFORTS IN PREPARING THIS BOOK. THE PUBLISHER AND AUTHOR MAKE NO REPRESENTATIONS
OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS
BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. THERE ARE NO WARRANTIES WHICH EXTEND BEYOND THE
DESCRIPTIONS CONTAINED IN THIS PARAGRAPH. NO WARRANTY MAY BE CREATED OR EXTENDED BY
SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ACCURACY AND COMPLETENESS OF
THE INFORMATION PROVIDED HEREIN AND THE OPINIONS STATED HEREIN ARE NOT GUARANTEED OR
WARRANTED TO PRODUCE ANY PARTICULAR RESULTS, AND THE ADVICE AND STRATEGIES
CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY INDIVIDUAL. NEITHER THE PUBLISHER NOR
AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES,
INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.
FULFILLMENT OF EACH COUPON OFFER IS THE SOLE RESPONSIBILITY OF THE OFFEROR.
Trademarks: are trademarks or registered trademarks of Hungry Minds, Inc. All other trademarks are the property of their respective owners. Hungry Minds, Inc., is not associated with any product or vendor mentioned in this book.
is a trademark of Hungry Minds, Inc.
Credits

ACQUISITIONS EDITOR
Debra Williams Cauley

PROJECT EDITOR
Pat O’Brien

TECHNICAL EDITORS
Matthew Hayden
Sandra “Sam” Moore

COPY EDITORS
Barry Childs-Helton
Stephanie Provines
Andy Hollandbeck

EDITORIAL MANAGER
Kyle Looper

RED HAT PRESS LIAISON
Lorien Golaski, Red Hat Communications Manager

SENIOR VICE PRESIDENT, TECHNICAL PUBLISHING
Richard Swadley

VICE PRESIDENT AND PUBLISHER
Mary Bednarek

PROJECT COORDINATOR
Maridee Ennis

GRAPHICS AND PRODUCTION SPECIALISTS
Karl Brandt
Stephanie Jumper
Laurie Petrone
Brian Torwelle
Erin Zeltner

QUALITY CONTROL TECHNICIANS
Laura Albert
Carl Pierce

PERMISSIONS EDITOR
Carmen Krikorian

MEDIA DEVELOPMENT SPECIALIST
Marisa Pearman

PROOFREADING AND INDEXING
TECHBOOKS Production Services
About the Author
Mohammed Kabir is the founder and CEO of Evoknow, Inc. His company specializes
in open-source solutions and customer relationship management software development.
When he is not busy managing software projects or writing books, he enjoys
traveling around the world. Kabir studied computer engineering at California State
University, Sacramento. He is also the author of Red Hat Linux Server and Apache
Server Bible. He can be reached at kabir@evoknow.com.
This book is dedicated to my wife, who proofs my writing, checks my facts,
and writes my dedications.
Preface
This book is focused on two major aspects of Red Hat Linux system administration:
performance tuning and security. The tuning solutions discussed in this book will
help your Red Hat Linux system to have better performance. At the same time, the
practical security solutions discussed in the second half of the book will allow you
to enhance your system security a great deal. If you are looking for time-saving,
practical solutions to performance and security issues, read on!
How This Book is Organized
The book has five parts, plus several appendixes.
Part I: System Performance
This part of the book explains the basics of measuring system performance,
customizing your Red Hat Linux kernel to tune the operating system, tuning your
hard disks, and journaling your filesystem to increase file system reliability and
robustness.
Part II: Network and Service Performance
This part of the book explains how to tune your important network services,
including Apache Web server, Sendmail and postfix mail servers, and Samba and
NFS file and printer sharing services.
Part III: System Security
This part of the book covers how to secure your system using kernel-based Linux
Intrusion Detection System (LIDS) and Libsafe buffer overflow protection
mechanisms. Once you have learned to secure your Red Hat Linux kernel, you can secure
your file system using various tools. After securing the kernel and the file system,
you can secure user access to your system using such tools as Pluggable
Authentication Module (PAM), Open Source Secure Socket Layer (OpenSSL), Secure
Remote Password (SRP), and xinetd.
Part IV: Network Service Security
This part of the book shows how to secure your Apache Web server, BIND DNS
server, Sendmail and postfix SMTP server, POP3 mail server, Wu-FTPD and
ProFTPD FTP servers, and Samba and NFS servers.
Part V: Firewalls
This part of the book shows how to create a packet filtering firewall using iptables, how to
create virtual private networks, and how to use SSL-based tunnels to secure access
to systems and services. Finally, you will be introduced to a wide array of security
tools such as security assessment (audit) tools, port scanners, log monitoring and
analysis tools, CGI scanners, password crackers, intrusion detection tools, packet
filter tools, and various other security administration utilities.
Appendixes
These elements include important references for Linux network users, plus an
explanation of the attached CD-ROM.
Conventions of This Book
You don’t have to learn any new conventions to read this book. Just remember the
usual rules:
• When you are asked to enter a command, you need to press the Enter or the
Return key after you type the command at your command prompt.
• A monospaced font is used to denote configuration or code segments.
• Text in italic needs to be replaced with relevant information.
Watch for these icons that occasionally highlight paragraphs.
The Note icon indicates that something needs a bit more explanation.
The Tip icon tells you something that is likely to save you some time and
effort.
The Caution icon makes you aware of a potential danger.
The cross-reference icon tells you that you can find additional information
in another chapter.
Tell Us What You Think of This Book
Both Hungry Minds and I want to know what you think of this book. Give us your
feedback. If you are interested in communicating with me directly, send e-mail
messages to kabir@evoknow.com. I will do my best to respond promptly.
Acknowledgments
While writing this book, I often needed to consult with many developers whose
tools I covered in this book. I want to specially thank a few such developers who
have generously helped me present some of their great work.
Huagang Xie is the creator and chief developer of the LIDS project. Special
thanks to him for responding to my email queries and also providing me with a
great deal of information on the topic.
Timothy K. Tsai, Navjot Singh, and Arash Baratloo are the three members of the
Libsafe team who greatly helped in presenting the Libsafe information. Very special
thanks to Tim for taking the time to promptly respond to my emails and providing
me with a great deal of information on the topic.
I thank both the Red Hat Press and Hungry Minds teams who made this book a
reality. It is impossible to list everyone involved but I must mention the following
kind individuals.
Debra Williams Cauley provided me with this book opportunity and made sure I
saw it through to the end. Thanks, Debra.
Terri Varveris, the acquisitions editor, took over in Debra’s absence. She made
sure I had all the help needed to get this done. Thanks, Terri.
Pat O’Brien, the project development editor, kept this project going. I don’t know
how I could have done this book without his generous help and suggestions every
step of the way. Thanks, Pat.
Matt Hayden, the technical reviewer, provided numerous technical suggestions,
tips, and tricks — many of which have been incorporated in the book. Thanks, Matt.
Sheila Kabir, my wife, had to put up with many long work hours during the few
months it took to write this book. Thank you, sweetheart.