S/MIME native support by Mozilla support by Evolution mailer sa -s command (truncating process accounting the log file) Samhain (integrity checker) scp command mirroring set of files securely between computers options for remote file copying securely copying files between computers syntax scripts, enabling/disabling network interfaces search path, testing . (period) in relative directories in, dangers of SEC_BIN global variable (Tripwire) secret keys adding to GnuPG keyring default key for GnuPG operations listing for GnuPG secret-key encryption secure integrity checks creating bootable CD-ROM securely dual-ported disk array, using Secure Sockets Layer [See SSL] securetty file, editing to prevent root logins via terminal devices security policies [See policies] security tests [See monitoring systems for suspicious activity] security tools (Insecure.org) self-signed certificates creating generating X.509 certificate man-in-the-middle attacks, risk of setting up your own CA to issue certificates sending-filters for email (PinePGP) sendmail accepting mail from other hosts authentication mechanisms accepted as trusted daemons (visible), security risks with restriction on accepting connections from only same host, changing SSL, using to protect entire SMTP session sense keyword (PAM, listfile module) server arguments (inetd.conf file) server authentication [See Kerberos; PAM; SSH; SSL; trusted-host authentication] server keyword (xinetd) server program, OpenSSH service filter configuration file (logwatch) service filter executable (logwatch) service names conversion of port numbers to by netstat and lsof executable modifying to invoke tcpd in /etc/xinetd.d startup file PAM 2nd services file, adding service names to inetd.conf session protection for mail setgid bit on directories setgid/setuid programs security checks setgid/setuid programs, security checks finding 
and interactively fixing listing all files listing scripts only removing setgid/setuid bits from a file setuid programs for hostbased authentication setlogsock (Sys::Syslog) setuid root, ssh-keysign program sftp shadow directive (/etc/pam.d/system-auth) shadow password file 2nd sharing files prohibiting directory listings protecting shared directory shell command substitution, exceeding command line maximum shell item (PAM) shell prompts, standards used shell scripts in your current directory writing system log entries 2nd shell-style wildcard expansion shells bash checking for dormant accounts invoking MH commands from prompt invoking with root privileges by sudo, security risks process substitution root login shell, running root shell vs. root login shell terminating SSH agent on logout umask command shosts.equiv file show command, decrypting email displayed with shutdowns (system), records of shutting down network interfaces signature ID (Snort alerts) signed cryptographic keys signing files [See digital signatures] single computer blocking spoofed addresses firewall design single-threaded services (inetd.conf file) site key (Tripwire) creating with twinstall.sh script fingerprints, creating in secure integrity checks read-only integrity checking size, file /bin/login, changes since last Tripwire check verifying for RPM-installed files SLAC (Stanford Linear Accelerator), Network Monitoring Tools page SMTP blocking requests for mail service from a remote host capturing messages from with dsniff program mailsnarf protecting dedicated server for smtp services requiring authentication by server before relaying mail using server from arbitrary clients snapshots [See Tripwire] Snort decoding alert messages nmap port scan detected priority levels writing alerts to file instead of syslog detecting intrusions with dumping statistics to the system logger promiscuous mode, setting running in background as daemon packet sniffing with partitioning logs into separate files 
upgrading and tuning ruleset socket type (inetd.conf file) software packages, risk of Trojan horses in sort command -z option for null filename separators source address verification enabling enabling in kernel website information on source addresses controlling access by limiting server sessions by source name for remote file copying source quench, blocking sources for system messages spoofed addresses blocking access from MAC source addresses SquirrelMail SSH (Secure Shell) agents [See ssh-agent] authenticating between client/server by trusted host authenticating between SSH2 client/OpenSSH server authenticating by public key changing client defaults client configurations in ~/.ssh/config connecting via ssh with Kerberos authentication cryptographic authentication download site for OpenSSH fetchmail, use of important programs and files scp (client program) ssh (client program) Kerberos, using with debugging Kerberos-5 support permitting only incoming access via SSH with firewall protecting dedicated server for ssh services public-key and ssh-agent, using with Pine public-key authentication between SSH2 client/OpenSSH server public/private authentication keys remote user access by public key authentication restricting access by remote users restricting access to server by account restricting access to server by host running root commands via securing POP/IMAP with Pine sharing root privileges via SSH-2 connections, trusted-host authentication SSH2 server and OpenSSH client, authenticating between with OpenSSH key SSH2 server and OpenSSH client, authenticating between with SSH2 key superusers, authentication of tailoring per host transferring email from another ISP over tunnel tunneling NNTP with tunneling TCP connection through web site ssh command -t option (for pseudo-tty) -X option (for X forwarding) using with rsync to mirror set of files between computers ssh file ssh-add ssh-agent automatic authentication (without password) invoking between backticks (` `) 
public-key authentication without passphrase terminating on logout ssh-keygen conversion of SSH2 private key into OpenSSH private key with -i (import) option ssh-keysign setuid root on client ssh_config file ~/.ssh file, using instead of client configuration keywords HostbasedAuthentication, enabling ssh_known_hosts file OpenSSH client, using ~/.ssh file instead of sshd AllowUsers keyword authorizing users to restart restricting access from specific remote hosts TCP wrappers support sshd_config file AllowUsers keyword HostbasedAuthentication, enabling HostbasedUsesNameFromPacketOnly KerberosTgtPassing, enabling ListenAddress statements, adding PermitRootLogin, setting PublicAuthentication, permitting X11Forwarding setting SSL (Secure Sockets Layer) connection problems, server-side debugging converting certificates from DER to PEM creating self-signed certificate decoding SSL certificates generating Certificate Signing Request (CSR) installing new certificate OpenSSL web site POP/IMAP security mail server, running with mail sessions for Evolution mutt mail client, using with stunnel, using with pine mail client setting up CA and issuing certificates STARTTLS command (IMAP), negotiating protection for mail STLS command (POP), negotiating protection for email validating a certificate verifying connection to secure POP or IMAP server SSL-port on mail servers POP or IMAP connections for mutt client testing use in pine mail client standard input, redirecting from /dev/null Stanford Linear Accelerator (SLAC) Network Monitoring Tools page starting network interfaces STARTTLS command (IMAP) mail server support for SSL mutt client connection over IMAP, testing testing use in pine mail client startup scripts (bootable CD-ROM), disabling networking stateful stateless sticky bit set on world-writable directories setting on world-writable directory STLS command (POP) 2nd strace command 2nd strings matching with fgrep command searching network traffic for strings command strong 
authentication for email sessions strong session protection for mail (by SSL) stunnel, securing POP/IMAP with SSL su command invoking with root privileges by sudo, security risks ksu (Kerberized su) authentication via Kerberos sharing root privileges via su -, running root login shell su configuration (PAM) subject (certificates) components of certificate subject name self-signed sudo command bypassing password authentication careful practices for using forcing password authentication killing processes via listing invocations logging remotely password changes, authorizing via prohibiting command-line arguments for command run via read-only access to shared file running any program in a directory running commands as another user starting/stopping daemons user authorization privileges, allowing per host sudoers file argument lists for each command, specifying meticulously editing with visudo program listing permissible commands for root privileges running commands as another user timestamp_timeout variable user authorization to kill certain processes superdaemons inetd [See inetd] xinetd [See xinetd] superuser 2nd [See also root] assigning privileges via ssh without disclosing root password finding all accounts on system ksu (Kerberized su) processes owned by others, examining SuSE Linux firewall rules, building Heimdal Kerberos inetd superdaemon loading firewall rules at boot time process accounting RPM script allowing users to start/stop daemons Snort, starting automatically at boot SSL certificates 2nd TCP wrappers 2nd switched networks packet sniffers and simulated attacks with dsniff symbolic links for encrypted files on separate system inability to verify with manual integrity check permission bits, ignoring scp command and symmetric encryption file encryption with gpg -c files encrypted with GnuPG, decrypting problems with single encrypted file containing all files in directory SYN_RECV state, large numbers of network connections in synchronizing files on two 
machines (rsync) integrity checking with Sys::Lastlog and Sys::Utmp modules (Perl) Sys::Syslog module syslog function using in C program syslog-ng ("new generation") syslog.conf file directing messages to different log files by facility and priority remote logging, configuring 2nd RPM-installed, verifying with Tripwire setting up for local logging signaling system logger about changes in tracing configuration errors in syslogd -r flag to receive remote messages signaling to pick up changes in syslog.conf system accounts, login activity on 2nd system calls, tracing on network system logger combining log files debugging SSL connections directing system messages to log files log files created by, permissions and logging messages remotely programs not using scanning log files for problem reports sending messages to signaling changes in syslog.conf standard API, functions provided by testing and monitoring writing system log entries in C 2nd in Perl in shell scripts xinetd, logging to system-wide authentication (Kerberos with PAM) system_auth (/etc/pam.d startup file) forbidding local password validation Kerberos in systems authentication methods and policies (authconfig) security tests on [See monitoring systems for suspicious activity]