Linux Security Cookbook
By Daniel J. Barrett, Robert G. Byrnes, Richard Silverman

Publisher: O'Reilly
Pub Date: June 2003
ISBN: 0-596-00391-9
Pages: 332
| Copyright |
| | Preface |
| | | A Cookbook About Security?!? |
| | | Intended Audience |
| | | Roadmap of the Book |
| | | Our Security Philosophy |
| | | Supported Linux Distributions |
| | | Trying the Recipes |
| | | Conventions Used in This Book |
| | | We'd Like to Hear from You |
| | | Acknowledgments |
|
| | Chapter 1. System Snapshots with Tripwire |
| | | Recipe 1.1. Setting Up Tripwire |
| | | Recipe 1.2. Displaying the Policy and Configuration |
| | | Recipe 1.3. Modifying the Policy and Configuration |
| | | Recipe 1.4. Basic Integrity Checking |
| | | Recipe 1.5. Read-Only Integrity Checking |
| | | Recipe 1.6. Remote Integrity Checking |
| | | Recipe 1.7. Ultra-Paranoid Integrity Checking |
| | | Recipe 1.8. Expensive, Ultra-Paranoid Security Checking |
| | | Recipe 1.9. Automated Integrity Checking |
| | | Recipe 1.10. Printing the Latest Tripwire Report |
| | | Recipe 1.11. Updating the Database |
| | | Recipe 1.12. Adding Files to the Database |
| | | Recipe 1.13. Excluding Files from the Database |
| | | Recipe 1.14. Checking Windows VFAT Filesystems |
| | | Recipe 1.15. Verifying RPM-Installed Files |
| | | Recipe 1.16. Integrity Checking with rsync |
| | | Recipe 1.17. Integrity Checking Manually |
|
| | Chapter 2. Firewalls with iptables and ipchains |
| | | Recipe 2.1. Enabling Source Address Verification |
| | | Recipe 2.2. Blocking Spoofed Addresses |
| | | Recipe 2.3. Blocking All Network Traffic |
| | | Recipe 2.4. Blocking Incoming Traffic |
| | | Recipe 2.5. Blocking Outgoing Traffic |
| | | Recipe 2.6. Blocking Incoming Service Requests |
| | | Recipe 2.7. Blocking Access from a Remote Host |
| | | Recipe 2.8. Blocking Access to a Remote Host |
| | | Recipe 2.9. Blocking Outgoing Access to All Web Servers on a Network |
| | | Recipe 2.10. Blocking Remote Access, but Permitting Local |
| | | Recipe 2.11. Controlling Access by MAC Address |
| | | Recipe 2.12. Permitting SSH Access Only |
| | | Recipe 2.13. Prohibiting Outgoing Telnet Connections |
| | | Recipe 2.14. Protecting a Dedicated Server |
| | | Recipe 2.15. Preventing pings |
| | | Recipe 2.16. Listing Your Firewall Rules |
| | | Recipe 2.17. Deleting Firewall Rules |
| | | Recipe 2.18. Inserting Firewall Rules |
| | | Recipe 2.19. Saving a Firewall Configuration |
| | | Recipe 2.20. Loading a Firewall Configuration |
| | | Recipe 2.21. Testing a Firewall Configuration |
| | | Recipe 2.22. Building Complex Rule Trees |
| | | Recipe 2.23. Logging Simplified |
|
| | Chapter 3. Network Access Control |
| | | Recipe 3.1. Listing Your Network Interfaces |
| | | Recipe 3.2. Starting and Stopping the Network Interface |
| | | Recipe 3.3. Enabling/Disabling a Service (xinetd) |
| | | Recipe 3.4. Enabling/Disabling a Service (inetd) |
| | | Recipe 3.5. Adding a New Service (xinetd) |
| | | Recipe 3.6. Adding a New Service (inetd) |
| | | Recipe 3.7. Restricting Access by Remote Users |
| | | Recipe 3.8. Restricting Access by Remote Hosts (xinetd) |
| | | Recipe 3.9. Restricting Access by Remote Hosts (xinetd with libwrap) |
| | | Recipe 3.10. Restricting Access by Remote Hosts (xinetd with tcpd) |
| | | Recipe 3.11. Restricting Access by Remote Hosts (inetd) |
| | | Recipe 3.12. Restricting Access by Time of Day |
| | | Recipe 3.13. Restricting Access to an SSH Server by Host |
| | | Recipe 3.14. Restricting Access to an SSH Server by Account |
| | | Recipe 3.15. Restricting Services to Specific Filesystem Directories |
| | | Recipe 3.16. Preventing Denial of Service Attacks |
| | | Recipe 3.17. Redirecting to Another Socket |
| | | Recipe 3.18. Logging Access to Your Services |
| | | Recipe 3.19. Prohibiting root Logins on Terminal Devices |
|
| | Chapter 4. Authentication Techniques and Infrastructures |
| | | Recipe 4.1. Creating a PAM-Aware Application |
| | | Recipe 4.2. Enforcing Password Strength with PAM |
| | | Recipe 4.3. Creating Access Control Lists with PAM |
| | | Recipe 4.4. Validating an SSL Certificate |
| | | Recipe 4.5. Decoding an SSL Certificate |
| | | Recipe 4.6. Installing a New SSL Certificate |
| | | Recipe 4.7. Generating an SSL Certificate Signing Request (CSR) |
| | | Recipe 4.8. Creating a Self-Signed SSL Certificate |
| | | Recipe 4.9. Setting Up a Certifying Authority |
| | | Recipe 4.10. Converting SSL Certificates from DER to PEM |
| | | Recipe 4.11. Getting Started with Kerberos |
| | | Recipe 4.12. Adding Users to a Kerberos Realm |
| | | Recipe 4.13. Adding Hosts to a Kerberos Realm |
| | | Recipe 4.14. Using Kerberos with SSH |
| | | Recipe 4.15. Using Kerberos with Telnet |
| | | Recipe 4.16. Securing IMAP with Kerberos |
| | | Recipe 4.17. Using Kerberos with PAM for System-Wide Authentication |
|
| | Chapter 5. Authorization Controls |
| | | Recipe 5.1. Running a root Login Shell |
| | | Recipe 5.2. Running X Programs as root |
| | | Recipe 5.3. Running Commands as Another User via sudo |
| | | Recipe 5.4. Bypassing Password Authentication in sudo |
| | | Recipe 5.5. Forcing Password Authentication in sudo |
| | | Recipe 5.6. Authorizing per Host in sudo |
| | | Recipe 5.7. Granting Privileges to a Group via sudo |
| | | Recipe 5.8. Running Any Program in a Directory via sudo |
| | | Recipe 5.9. Prohibiting Command Arguments with sudo |
| | | Recipe 5.10. Sharing Files Using Groups |
| | | Recipe 5.11. Permitting Read-Only Access to a Shared File via sudo |
| | | Recipe 5.12. Authorizing Password Changes via sudo |
| | | Recipe 5.13. Starting/Stopping Daemons via sudo |
| | | Recipe 5.14. Restricting root's Abilities via sudo |
| | | Recipe 5.15. Killing Processes via sudo |
| | | Recipe 5.16. Listing sudo Invocations |
| | | Recipe 5.17. Logging sudo Remotely |
| | | Recipe 5.18. Sharing root Privileges via SSH |
| | | Recipe 5.19. Running root Commands via SSH |
| | | Recipe 5.20. Sharing root Privileges via Kerberos su |
|
| | Chapter 6. Protecting Outgoing Network Connections |
| | | Recipe 6.1. Logging into a Remote Host |
| | | Recipe 6.2. Invoking Remote Programs |
| | | Recipe 6.3. Copying Files Remotely |
| | | Recipe 6.4. Authenticating by Public Key (OpenSSH) |
| | | Recipe 6.5. Authenticating by Public Key (OpenSSH Client, SSH2 Server, OpenSSH Key) |
| | | Recipe 6.6. Authenticating by Public Key (OpenSSH Client, SSH2 Server, SSH2 Key) |
| | | Recipe 6.7. Authenticating by Public Key (SSH2 Client, OpenSSH Server) |
| | | Recipe 6.8. Authenticating by Trusted Host |
| | | Recipe 6.9. Authenticating Without a Password (Interactively) |
| | | Recipe 6.10. Authenticating in cron Jobs |
| | | Recipe 6.11. Terminating an SSH Agent on Logout |
| | | Recipe 6.12. Tailoring SSH per Host |
| | | Recipe 6.13. Changing SSH Client Defaults |
| | | Recipe 6.14. Tunneling Another TCP Session Through SSH |
| | | Recipe 6.15. Keeping Track of Passwords |
|
| | Chapter 7. Protecting Files |
| | | Recipe 7.1. Using File Permissions |
| | | Recipe 7.2. Securing a Shared Directory |
| | | Recipe 7.3. Prohibiting Directory Listings |
| | | Recipe 7.4. Encrypting Files with a Password |
| | | Recipe 7.5. Decrypting Files |
| | | Recipe 7.6. Setting Up GnuPG for Public-Key Encryption |
| | | Recipe 7.7. Listing Your Keyring |
| | | Recipe 7.8. Setting a Default Key |
| | | Recipe 7.9. Sharing Public Keys |
| | | Recipe 7.10. Adding Keys to Your Keyring |
| | | Recipe 7.11. Encrypting Files for Others |
| | | Recipe 7.12. Signing a Text File |
| | | Recipe 7.13. Signing and Encrypting Files |
| | | Recipe 7.14. Creating a Detached Signature File |
| | | Recipe 7.15. Checking a Signature |
| | | Recipe 7.16. Printing Public Keys |
| | | Recipe 7.17. Backing Up a Private Key |
| | | Recipe 7.18. Encrypting Directories |
| | | Recipe 7.19. Adding Your Key to a Keyserver |
| | | Recipe 7.20. Uploading New Signatures to a Keyserver |
| | | Recipe 7.21. Obtaining Keys from a Keyserver |
| | | Recipe 7.22. Revoking a Key |
| | | Recipe 7.23. Maintaining Encrypted Files with Emacs |
| | | Recipe 7.24. Maintaining Encrypted Files with vim |
| | | Recipe 7.25. Encrypting Backups |
| | | Recipe 7.26. Using PGP Keys with GnuPG |
|
| | Chapter 8. Protecting Email |
| | | Recipe 8.1. Encrypted Mail with Emacs |
| | | Recipe 8.2. Encrypted Mail with vim |
| | | Recipe 8.3. Encrypted Mail with Pine |
| | | Recipe 8.4. Encrypted Mail with Mozilla |
| | | Recipe 8.5. Encrypted Mail with Evolution |
| | | Recipe 8.6. Encrypted Mail with mutt |
| | | Recipe 8.7. Encrypted Mail with elm |
| | | Recipe 8.8. Encrypted Mail with MH |
| | | Recipe 8.9. Running a POP/IMAP Mail Server with SSL |
| | | Recipe 8.10. Testing an SSL Mail Connection |
| | | Recipe 8.11. Securing POP/IMAP with SSL and Pine |
| | | Recipe 8.12. Securing POP/IMAP with SSL and mutt |
| | | Recipe 8.13. Securing POP/IMAP with SSL and Evolution |
| | | Recipe 8.14. Securing POP/IMAP with stunnel and SSL |
| | | Recipe 8.15. Securing POP/IMAP with SSH |
| | | Recipe 8.16. Securing POP/IMAP with SSH and Pine |
| | | Recipe 8.17. Receiving Mail Without a Visible Server |
| | | Recipe 8.18. Using an SMTP Server from Arbitrary Clients |
|
| | Chapter 9. Testing and Monitoring |
| | | Recipe 9.1. Testing Login Passwords (John the Ripper) |
| | | Recipe 9.2. Testing Login Passwords (CrackLib) |
| | | Recipe 9.3. Finding Accounts with No Password |
| | | Recipe 9.4. Finding Superuser Accounts |
| | | Recipe 9.5. Checking for Suspicious Account Use |
| | | Recipe 9.6. Checking for Suspicious Account Use, Multiple Systems |
| | | Recipe 9.7. Testing Your Search Path |
| | | Recipe 9.8. Searching Filesystems Effectively |
| | | Recipe 9.9. Finding setuid (or setgid) Programs |
| | | Recipe 9.10. Securing Device Special Files |
| | | Recipe 9.11. Finding Writable Files |
| | | Recipe 9.12. Looking for Rootkits |
| | | Recipe 9.13. Testing for Open Ports |
| | | Recipe 9.14. Examining Local Network Activities |
| | | Recipe 9.15. Tracing Processes |
| | | Recipe 9.16. Observing Network Traffic |
| | | Recipe 9.17. Observing Network Traffic (GUI) |
| | | Recipe 9.18. Searching for Strings in Network Traffic |
| | | Recipe 9.19. Detecting Insecure Network Protocols |
| | | Recipe 9.20. Getting Started with Snort |
| | | Recipe 9.21. Packet Sniffing with Snort |
| | | Recipe 9.22. Detecting Intrusions with Snort |
| | | Recipe 9.23. Decoding Snort Alert Messages |
| | | Recipe 9.24. Logging with Snort |
| | | Recipe 9.25. Partitioning Snort Logs Into Separate Files |
| | | Recipe 9.26. Upgrading and Tuning Snort's Ruleset |
| | | Recipe 9.27. Directing System Messages to Log Files (syslog) |
| | | Recipe 9.28. Testing a syslog Configuration |
| | | Recipe 9.29. Logging Remotely |
| | | Recipe 9.30. Rotating Log Files |
| | | Recipe 9.31. Sending Messages to the System Logger |
| | | Recipe 9.32. Writing Log Entries via Shell Scripts |
| | | Recipe 9.33. Writing Log Entries via Perl |
| | | Recipe 9.34. Writing Log Entries via C |
| | | Recipe 9.35. Combining Log Files |
| | | Recipe 9.36. Summarizing Your Logs with logwatch |
| | | Recipe 9.37. Defining a logwatch Filter |
| | | Recipe 9.38. Monitoring All Executed Commands |
| | | Recipe 9.39. Displaying All Executed Commands |
| | | Recipe 9.40. Parsing the Process Accounting Log |
| | | Recipe 9.41. Recovering from a Hack |
| | | Recipe 9.42. Filing an Incident Report |
|
| | Colophon |
| | Index |