Table D-1 lists the issues covered in this book, sorted by danger level (that is, by importance). It should help you scan for issues known to be present on your system so that they can be prioritized for investigation. The interpretation of these danger levels is discussed in the Introduction to Part I and tabulated in Table 2.1, Danger Level Interpretation.
Table D.1. Danger Levels
| Danger Level | Section | Description |
|---|---|---|
| | 2.1 | Understanding Linux Security |
| | 2.1.3 | Moving to Rings of Security |
| | 2.2 | The Seven Most Deadly Sins |
| | 2.3 | Passwords: A Key Point for Good Security |
| | 2.3.1 | Avoiding Weak and Default Passwords |
| | 2.4.1 | Shadowed MD5 Passwords for Good Security |
| | 2.5 | Protecting the System from User Mistakes |
| | 2.5.1 | Dangers of Imported Software |
| | 2.5.2 | Educating Users |
| | 2.6 | Forgiveness is Better than Permission |
| | 2.6.2 | Finding Permission Problems |
| | 2.6.3 | Using umask in Startup Scripts |
| | 2.8.1 | Limit Which Terminals Root May Log In From |
| | 2.8.3 | Stopping Uncontrolled Access to Data |
| | 2.9 | Firewalls and the Corporate Moat |
| | 2.9.1 | Stopping End Runs Around Firewalls |
| | 2.9.5 | LANd Mines |
| | 2.10 | Turn Off Unneeded Services |
| | 2.12 | Replace These Weak Doors with Brick |
| | 2.12.4 | Turn Off SNMP |
| | 2.12.5 | Turn Off NFS, mountd, and portmap |
| | 2.12.7 | Turn Off rsh, rcp, rlogin, and rexec |
| | 2.13 | New Lamps for Old |
| | 2.13.3 | Upgrade sendmail |
| | 2.13.5 | Upgrade SSH |
| | 2.13.6 | Upgrade WU-FTPD |
| | 3.1 | X Marks the Hole |
| | 3.2 | Law of the Jungle: Physical Security |
| | 3.3 | Physical Actions |
| | 3.3.1 | Booting an Intruder's Floppy or CD-ROM |
| | 3.3.2 | CMOS Reconfiguration |
| | 3.4.2 | $PATH: Values of . Give Rise to Doom |
| | 3.4.19 | Wireless Equivalent Privacy (WEP) |
| | 3.6.1 | Truly Erasing Files |
| | 3.6.2 | Destroying Old Confidential Data in Free Blocks |
| | 4.1 | NFS, mountd, and portmap |
| | 4.2 | Sendmail |
| | 4.2.2 | Basic Sendmail Security |
| | 4.3 | Telnet |
| | 4.4 | FTP |
| | 4.5 | The rsh, rcp, rexec, and rlogin Services |
| | 4.11 | The print Service (lpd) |
| | 5.1 | Rootkit Attacks (Script Kiddies) |
| | 5.2 | Packet Spoofing Explained |
| | 5.2.1 | Why UDP Packet Spoofing Is Successful |
| | 5.7 | Buffer Overflows or Stamping on Memory with gets() |
| | 6.2 | Stopping Access to I/O Devices |
| | 6.3 | Scouting Out Apache (httpd) Problems |
| | 6.3.1 | Apache Ownership and Permissions |
| | 6.3.2 | Server Side Includes |
| | 6.3.3 | ScriptAlias |
| | 6.3.8 | Database Draining |
| | 6.3.9 | Kicking Out Undesirables |
| | 6.4 | Special Techniques for Web Servers |
| | 6.4.1 | Build Separate Castles |
| | 6.4.2 | Do Not Trust CGIs |
| | 6.4.3 | Hidden Form Variables and Poisoned Cookies |
| | 6.4.4 | Take Our Employees, Please |
| | 6.4.6 | Dangerous CGI Programs Lying Around |
| | 6.4.7 | CGI Query Program Exploit |
| | 6.4.11 | CGI Scripts and Programs |
| | 6.4.13 | Detecting Defaced Web Pages |
| | 6.5 | One-Way Credit Card Data Path for Top Security |
| | 6.10 | Stopping Buffer Overflows with Libsafe |
| | 7.1 | General Policy |
| | 7.3 | Accounts Policy |
| | 7.4 | E-Mail Policy |
| | 7.6 | Web Server Policy |
| | 7.9 | Desktop Policy |
| | 7.10 | Laptop Policy |
| | 7.12 | Network Topology Policy |
| | 8.2 | Trust No One: The Highest Security |
| | 8.6 | Firewall Vulnerabilities |
| | 11.1 | Fragmentation Attacks |
| | 11.5 | Cable Modems: A Cracker's Dream |
| | 12.1 | Protecting User Sessions with SSH |
| | 12.1.3 | Using SSH |
| | 12.1.4 | Wrapping SSH Around X |
| | 12.1.7 | Wrapping SSH Around Other TCP-Based Services |
| | 12.1.8 | Vulnerabilities SSH Cannot Protect Against |
| | 12.3 | Pretty Good Privacy (PGP) |
| | 12.4 | Using GPG to Encrypt Files the Easy Way |
| | 12.5 | Firewalls with IP Tables and DMZ |
| | 12.5.9 | Building an IP Tables-based Firewall with DMZ |
| | 12.6 | Firewalls with IP Chains and DMZ |
| | 2.8.4 | Limiting Server Interfaces |
| | 2.12.1 | Do Not Get the Finger |
| | 2.12.10 | Turn Off TFTP |
| | 2.13.7 | Upgrade Netscape |
| | 2.14 | United We Fall, Divided We Stand |
| | 3.4.1 | Cable Modems |
| | 3.4.6 | /etc/mailcap |
| | 3.4.21 | Shell Escapes |
| | 3.6 | Disk Sniffing |
| | 4.2.1 | Separate or Multiple Mail Servers for Additional Security |
| | 4.2.7 | Blocking Spam |
| | 4.2.9 | Allowing Controlled Relaying |
| | 4.6 | DNS (named, a.k.a. BIND) |
| | 4.7 | POP and IMAP Servers |
| | 4.7.1 | Passwords on the Command Line, Oh My! |
| | 4.8 | Doing the Samba |
| | 4.12 | The ident Service |
| | 5.2.3 | Session Hijacking |
| | 6.1 | Configuring Netscape for Higher Security |
| | 6.1.1 | Important Netscape Preferences |
| | 6.1.3 | Your Users' Netscape Preferences |
| | 6.1.5 | Netscape Java Security |
| | 6.3.4 | Preventing Users from Altering System-Wide Settings |
| | 6.3.5 | Controlling What Directories Apache May Access |
| | 6.8.1 | Defeating Buffer Overflow Attacks |
| | 7.15 | Policy Policy |
| | 9.2.1 | Industrial Spies |
| | 11.4 | Captain, We're Being Scanned! (Stealth Scans) |
| | 11.11 | Stealth Trojan Horses |
| | 12.1.5 | Using sftp |
| | 12.1.6 | Using scp |
| | 12.2 | Virtual Private Networks (VPNs) |
| | 12.5.7 | SuSE 8.0's Firewall Configuration |
| | 12.5.8 | Firewall Tricks and Techniques |
| | 12.5.18 | SSH Dangers |
| | 12.6.10 | SSH Dangers |
| | 14.2 | Adaptive Firewalls: Raising the Drawbridge with the Cracker Trap |
| | 14.2.7 | Trapping Server Attacks with Port Redirection |
| | 16.3 | Using Logcheck to Check the Log Files You Never Check |
| | 16.4 | Using Portsentry to Lock Out Hackers |
| | 2.6.1 | Directories and the Sticky Bit |
| | 2.8.2 | Dialing the World (Wardialing) |
| | 2.9.2 | Tunneling Through Firewalls |
| | 2.9.3 | Kernel Protocol Switches |
| | 2.9.4 | Egress Filtering |
| | 2.9.6 | Intracompany Firewalls to Contain Fires |
| | 2.12.11 | Turn Off systat and netstat |
| | 2.13.1 | Upgrade Your 2.4 Kernel |
| | 2.13.2 | Upgrade Your 2.2 Kernel |
| | 2.13.8 | Blocking Web Ads |
| | 3.3.3 | Adding a CMOS Password |
| | 3.3.4 | Defending Against Single-User Mode |
| | 3.3.5 | Defeating Theft by Floppy |
| | 3.4.3 | Blocking IP Source Routing |
| | 3.4.4 | Blocking IP Spoofing |
| | 3.4.5 | Automatic Screen Locking |
| | 3.4.7 | The chattr Program and the Immutable Bit |
| | 3.4.8 | Secure Deletion |
| | 3.4.10 | Mount Flags for Increased Security |
| | 3.4.16 | Preventing ARP Cache Poisoning |
| | 3.4.17 | Hacking Switches |
| | 3.4.18 | Countering System and Switch Hacking Caused by ARP Attacks |
| | 3.4.23 | Terminal Sniffing (ttysnoop) |
| | 3.4.25 | VMware, Wine, DOSemu, and Friends |
| | 3.6.3 | Erasing an Entire Disk |
| | 3.6.4 | Destroying a Hard Disk |
| | 4.2.3 | Sendmail Security Options |
| | 4.4.2 | FTP Proxy Dangers |
| | 4.6.1 | Limiting Consequences of a Named Compromise |
| | 4.9 | Stop Squid from Inking Out Their Trail |
| | 4.13 | INND and News |
| | 4.14 | Protecting Your DNS Registration |
| | 5.8.2 | MAC Attack |
| | 5.8.3 | Poisoned ARP Cache |
| | 5.8.4 | Poisoned DNS Cache |
| | 5.9 | Man-in-the-Middle Attack |
| | 6.1.2 | Snatching Your Own Cookies |
| | 6.2.2 | Virtual Console Buffer Vulnerability |
| | 6.3.6 | Controlling What File Extensions Apache May Access |
| | 6.3.7 | Miscellaneous |
| | 6.4.8 | Unhexing Encoded URLs |
| | 6.4.9 | CGI Counterfiglet Program Exploit |
| | 6.4.10 | CGI phf Program Exploit |
| | 6.6 | Hardening for Very High Security |
| | 6.7 | Restricting Login Location and Times |
| | 6.9 | Defeating Login Simulators |
| | 7.2 | Personal Use Policy |
| | 7.5 | Instant Messenger (IM) Policy |
| | 7.11 | Disposal Policy |
| | 7.14 | Ownership Policy |
| | 8.3 | Linux and UNIX Systems Within Your Control |
| | 8.4 | Mainframes Within Your Control |
| | 8.5 | A Window Is Worth a Thousand Cannons |
| | 8.8 | Viruses and Linux |
| | 9.1 | Mission Impossible Techniques |
| | 11.2 | IP Masquerading Fails for ICMP |
| | 11.6 | Using Sendmail to Block E-Mail Attacks |
| | 11.12 | Linuxconf via TCP Port 98 |
| | 11.13 | Evil HTML Tags and Script |
| | 11.14 | Format Problems with syslog() |
| | 12.5.6 | Red Hat 7.3's Firewall Configuration |
| | 12.5.15 | Routing Secrets |
| | 12.5.16 | IP Tables: Lesser Used Features |
| | 12.5.17 | Stateful Firewalls |
| | 12.5.19 | Encrypted Mail Access |
| | 12.6.9 | Stateful Firewalls |
| | 12.6.11 | Encrypted Mail Access |
| | 14.2.8 | Using Portsentry with the Cracker Trap |
| | 16.5 | HostSentry |
| | 16.10 | Using Arpwatch to Catch ARP and MAC Attacks |
| | 2.12.2 | Turn Off rwhod |
| | 2.12.3 | Turn Off rwalld |
| | 2.12.8 | Turn Off Echo and Chargen |
| | 2.12.9 | Turn Off talk and ntalk |
| | 2.12.12 | Turn Off Internal xinetd Services |
| | 2.13.4 | Fortify Sendmail to Resist DoS Attacks |
| | 3.3.6 | Defeating Control-Alt-Delete Attacks |
| | 3.4.9 | Synchronous I/O |
| | 3.4.11 | Wrapping UDP in TCP and SSH |
| | 3.4.12 | Cat Scratches Man |
| | 3.4.13 | Limiting Your Success with *limit |
| | 3.4.14 | Shell History on Public Display |
| | 3.4.22 | Your ISP |
| | 3.4.24 | Star Office |
| | 3.5 | Terminal Device Attacks |
| | 3.5.2 | Compose Key Vulnerability |
| | 4.2.4 | Forging Mail and News Sender's Address |
| | 4.2.5 | Where Is All That Spam Coming From? |
| | 4.2.6 | Drop-Shipping Spam (Relaying Spam) |
| | 4.2.12 | Sendmail DoS by Filling the Disk Up |
| | 4.10 | The syslogd Service |
| | 5.2.2 | TCP Sequence Spoofing Explained |
| | 5.3 | SYN Flood Attack Explained |
| | 5.4 | Defeating SYN Flood Attacks |
| | 5.5 | Defeating TCP Sequence Spoofing |
| | 5.6 | Packet Storms, Smurf Attacks, and Fraggles |
| | 5.8.1 | Mail Spoofing |
| | 6.1.4 | The Netscape Personal Security Manager |
| | 6.3.10 | Links to Your Site |
| | 6.4.5 | Robot Exclusion of Web Pages |
| | 6.4.12 | Enforcing URL Blocking |
| | 6.8.2 | Defeating the chroot() Vulnerability |
| | 6.8.3 | Symlink Attack |
| | 6.8.5 | The rm -r Race |
| | 9.2 | Spies |
| | 9.3 | Fanatics and Suicide Attacks |
| | 11.7 | Sendmail Account Guessing |
| | 11.8 | The Mysterious Ingreslock |
| | 11.10 | Distributed Denial of Service (Coordinated) Attacks |
| | 2.7 | Dangers and Countermeasures During Initial System Setup |
| | 3.4.20 | Hacking LEDs |
| | 3.5.1 | Function Key Hijacking |
| | 3.5.3 | The xterm Change Log File Vulnerability |
| | 6.8.4 | The lost+found=hole Problem |
| | 11.3 | The Ping of Death Sinks Dutch Shipping Company |
| | 11.9 | You're Being Tracked |
| | 11.9.1 | The Pentium III Serial Number |
| | 11.9.2 | Microsoft's GUID Allows Spying on You |