
Learn Red Hat Linux Security


George M. Doss

Wordware Publishing, Inc.

Library of Congress Cataloging-in-Publication Data


Doss, George M.
Learn Red Hat Linux security / by George M. Doss.
p. cm.
Includes index.
ISBN 1-55622-773-6 (pbk.)
1. Linux. 2. Operating systems (Computers). I. Title.
QA76.76.O63 D684 2000
005.8--dc21 00-043537
CIP

© 2001, Wordware Publishing, Inc.


All Rights Reserved
2320 Los Rios Blvd., Suite 200
Plano, Texas 75074
No part of this book may be reproduced in any form or by any means
without permission in writing from Wordware Publishing, Inc.
Printed in the United States of America

ISBN 1-55622-773-6
10 9 8 7 6 5 4 3 2 1
0007

Linux is a registered trademark of Linus Torvalds.


Red Hat is a registered trademark of Red Hat Software, Inc. Used with permission.
UNIX is a registered trademark of The Open Group.
Microsoft and the Windows Logo are registered trademarks of Microsoft Corporation.
Other product names mentioned are used for identification purposes only and may be trademarks of their
respective companies.

All inquiries for volume purchases of this book should be addressed to Wordware Publishing, Inc.,
at the above address. Telephone inquiries may be made by calling:
(972) 423-0090

To those people who give crackers nightmares:
software security analysts.


Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Part I: Foundation for Security


Chapter 1 General Overview of Security Threats. . . . . . . . . . . . . . . . 4
What is a Security Management System? . . . . . . . . . . . . . . . . 5
What is a Security Threat? . . . . . . . . . . . . . . . . . . . . . . . . 5
Who Causes Network Security Threats? . . . . . . . . . . . . . . . . . 7
What are Important Security Management System Terms? . . . . . . . 7
Who is Responsible for a Security Management System? . . . . . . . 10
Why Should You Have a Security Management System?. . . . . . . . 11
Where Should There be a Security Management System? . . . . . . . 11
How Should You Set Up a Security Management System? . . . . . . . 12
What are Some Specific Types of Threats? . . . . . . . . . . . . . . . 12
Password Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 13
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . 16
Spoofing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Sniffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Malicious Code . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Scanners. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 2 Security Policy Overview . . . . . . . . . . . . . . . . . . . 20
RFC 1281 and Internet Security Policies . . . . . . . . . . . . . . . . 21
Security Accountability . . . . . . . . . . . . . . . . . . . . . . 21
User Accountability and Security Policies . . . . . . . . . . . . . 22
User Accountability and Security Mechanisms and Procedures . . . . 22
Service Provider Accountability . . . . . . . . . . . . . . . . . . 22
Vendor and System Developer Accountability . . . . . . . . . . . . 23
Security Cooperation . . . . . . . . . . . . . . . . . . . . . . . 23
Use of New Internet Security Protocols . . . . . . . . . . . . . . 23
Improving Local Security . . . . . . . . . . . . . . . . . . . . . 24
RFC 2196 and Network Security Policies . . . . . . . . . . . . . . . . 24
Definitions Used in RFC 2196 . . . . . . . . . . . . . . . . . . . 25
Security Policy Basics . . . . . . . . . . . . . . . . . . . . . . 25
Steps for Developing a Security Plan . . . . . . . . . . . . . . . 26
Purposes of a Security Policy . . . . . . . . . . . . . . . . . . . 26
Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Individuals Involved in Forming Policy . . . . . . . . . . . . . . 27
Characteristics of a Good Security Policy . . . . . . . . . . . . . 27

Components of a Good Security Policy . . . . . . . . . . . . . . . 27
Policy Flexibility . . . . . . . . . . . . . . . . . . . . . . . . 28
Security Management System . . . . . . . . . . . . . . . . . . . . 28
Services and Security Policy . . . . . . . . . . . . . . . . . . . 28
Procedures and Security Policy . . . . . . . . . . . . . . . . . . 30
Incident Handling and Security Policy . . . . . . . . . . . . . . . 34
Responsibility and Security Policy . . . . . . . . . . . . . . . . 35
Maintenance and Security Policy . . . . . . . . . . . . . . . . . . 36
Tools and Security Policy . . . . . . . . . . . . . . . . . . . . . 36
Password Security Policy Framework . . . . . . . . . . . . . . . . . . 36

Chapter 3 Security Requests for Comments . . . . . . . . . . . . . . . . . . 39


Important RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Part II: Linux Security Management System


Chapter 4 Kernel, Shells, and System Calls . . . . . . . . . . . . . . . 55
Kernel Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Rebuilding and Recompiling the Kernel . . . . . . . . . . . . . . . 55
Importance of Linux Kernel 2.2.x . . . . . . . . . . . . . . . . . 56
Basic Management Commands for the Kernel . . . . . . . . . . . . . 56
Network Devices and Kernel Support . . . . . . . . . . . . . . . . 57
Kernel Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . 57
The /proc File . . . . . . . . . . . . . . . . . . . . . . . . . . 57
IP Masquerade . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Shell Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Basic Shell Operators . . . . . . . . . . . . . . . . . . . . . . . 60
System Call Overview . . . . . . . . . . . . . . . . . . . . . . . . . 61
Basic System Calls . . . . . . . . . . . . . . . . . . . . . . . . 61
Call Prototyping . . . . . . . . . . . . . . . . . . . . . . . . . 62
File Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Directory Calls . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Call Processing Calls . . . . . . . . . . . . . . . . . . . . . . . 63
Socket Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Filesystem Calls . . . . . . . . . . . . . . . . . . . . . . . . . 64
Access Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
User Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Group Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Domain Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
System Initialization . . . . . . . . . . . . . . . . . . . . . . . 66
System and Kernel Messages . . . . . . . . . . . . . . . . . . . . 67

Chapter 5 Standalone Workstations . . . . . . . . . . . . . . . . . . . . . . 68


Standalone Workstation Capabilities . . . . . . . . . . . . . . . . . . 68
Workstation without Internet Access . . . . . . . . . . . . . . . . . . 68

Workstation with Internet Access. . . . . . . . . . . . . . . . . . . . 69
The User and the Security Management System . . . . . . . . . . . . 69

Chapter 6 Servers and Services . . . . . . . . . . . . . . . . . . . . . . . . 71


Server Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Physical Server Security . . . . . . . . . . . . . . . . . . . . . . . . 74
Internet Protocol Support for Linux . . . . . . . . . . . . . . . . . . 76
E-Mail Server General Security Management . . . . . . . . . . . . . 77
Sendmail Overview . . . . . . . . . . . . . . . . . . . . . . . . 78
E-mail Support Packages . . . . . . . . . . . . . . . . . . . . . 79
E-mail Security Management Actions . . . . . . . . . . . . . . . 80
Important RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . 80
General Security File Management . . . . . . . . . . . . . . . . . . . 82
General Security Directory Management . . . . . . . . . . . . . . . . 88
News Server Security Management . . . . . . . . . . . . . . . . . . 89
Newsgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
InterNetNews (INN) . . . . . . . . . . . . . . . . . . . . . . . 92
News Readers . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Newsgroup Policy . . . . . . . . . . . . . . . . . . . . . . . . . 94
Remote Administration Server . . . . . . . . . . . . . . . . . . . . . 95
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Remote Procedure Call (RPC). . . . . . . . . . . . . . . . . . . 96
File Transfer Protocol (FTP) . . . . . . . . . . . . . . . . . . . 99
Network Information System (NIS) Management . . . . . . . . . . 102
NIC Commands . . . . . . . . . . . . . . . . . . . . . . . . . 103
Server Man Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Chapter 7 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Intranet . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Online Help . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Man Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
HOWTOs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Basic Network Security Administration . . . . . . . . . . . . . . . . 112
User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
File Archiving and Compressing . . . . . . . . . . . . . . . . . . . . 118

Chapter 8 Internet . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Internet Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Basic Internet Definitions . . . . . . . . . . . . . . . . . . . . 121
Basic Programs Available for the Internet Server . . . . . . . . . 123
Basic Steps in Setting Up an Internet Server . . . . . . . . . . . 123
Dial-up IP Protocol Driver (dip) Functionality . . . . . . . . . . 124

Dummy Interface . . . . . . . . . . . . . . . . . . . . . . . . . 124
Security and Serial Communication Devices . . . . . . . . . . . . 125
DNS Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
File Transfer Protocol (FTP) Service . . . . . . . . . . . . . . . 126
The /etc/hosts File . . . . . . . . . . . . . . . . . . . . . . . 128
The /etc/services File . . . . . . . . . . . . . . . . . . . . . 128
Important File Locations for Internet Services . . . . . . . . . . 128
Red Hat Linux Packages that Support Internet Services . . . . . . 129
Firewall Server Overview . . . . . . . . . . . . . . . . . . . . . . . 130
Important Networking Options for a Firewall . . . . . . . . . . . 131
Firewall Security . . . . . . . . . . . . . . . . . . . . . . . . 131
Basic Steps for Masquerading a Firewall . . . . . . . . . . . . . 134
File Transfer Protocol (FTP) Security . . . . . . . . . . . . . . . . 135
Mail Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Telnet Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Security for Web Development . . . . . . . . . . . . . . . . . . . . . 137
Web Protocols and Security . . . . . . . . . . . . . . . . . . . . 138
TCP/IP Considerations . . . . . . . . . . . . . . . . . . . . . . 142
Serial Line Internet Protocol (SLIP) . . . . . . . . . . . . . . . 146
Basic Steps for IP Interface Configuration . . . . . . . . . . . . 147
Parallel Internet Protocol (PLIP) . . . . . . . . . . . . . . . . 147
Adding an Ethernet Interface . . . . . . . . . . . . . . . . . . . 147
Point-to-Point Protocol (PPP) Considerations . . . . . . . . . . . 148
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
DNS RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Firewalling RFCs . . . . . . . . . . . . . . . . . . . . . . . . 150
IPv6 RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
PPP RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
TCP/IP RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
WWW Server RFCs . . . . . . . . . . . . . . . . . . . . . . . . . 151
HOWTOs and Internet Functionality . . . . . . . . . . . . . . . . 152

Chapter 9 Peripherals . . . . . . . . . . . . . . . . . . . . . . . . . 153
Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Fax Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
General Hardware Information . . . . . . . . . . . . . . . . . . . . . 155
Identifying the Mouse . . . . . . . . . . . . . . . . . . . . . . 157
Setting up Serial Communication Devices . . . . . . . . . . . . . 157
Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Checking for the CD-ROM Driver . . . . . . . . . . . . . . . . . . 159
Ethernet Devices . . . . . . . . . . . . . . . . . . . . . . . . . 159
HOWTOs on Hardware Devices . . . . . . . . . . . . . . . . . . . . 159
Hardware Device Man Pages . . . . . . . . . . . . . . . . . . . . 160

Chapter 10 Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Network File System (NFS) Management. . . . . . . . . . . . . . . 162
Remote (r-) Commands . . . . . . . . . . . . . . . . . . . . . . . . 167

Chapter 11 Networking . . . . . . . . . . . . . . . . . . . . . . . . . 169
Overview of the tcpd System . . . . . . . . . . . . . . . . . . . . . 170
Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Service and Process Management . . . . . . . . . . . . . . . . . . . . 172
Important Networking Commands . . . . . . . . . . . . . . . . . . . . 176
Networking Daemons . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Automating Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Using the linuxconf Tool . . . . . . . . . . . . . . . . . . . . . . . 178
Shutting Down a Network . . . . . . . . . . . . . . . . . . . . . . . 178
Preparing for a System Crash . . . . . . . . . . . . . . . . . . . . . 179
Checking the Storage Space . . . . . . . . . . . . . . . . . . . . . . 180
Basic Strategy for Keeping a System Up to Date . . . . . . . . . . . . 180
Networking Requests for Comments . . . . . . . . . . . . . . . . . . . 180
Package Support for Basic Networking . . . . . . . . . . . . . . . . . 185
Man Pages and Networking Management . . . . . . . . . . . . . . . . . 185

Part III: Security Management Tools

Chapter 12 System Tools . . . . . . . . . . . . . . . . . . . . . . . . 188
The Most Important System Tool: You . . . . . . . . . . . . . . . . . 188
Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . 190
Important filesystem Tools . . . . . . . . . . . . . . . . . . . . . . 190
Beyond the Basic Tools . . . . . . . . . . . . . . . . . . . . . . . . 192

Chapter 13 Standards . . . . . . . . . . . . . . . . . . . . . . . . . 195
ISO Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
BS7799 Information Security Management . . . . . . . . . . . . . . . . 196
NIST Special Publication 800-7 . . . . . . . . . . . . . . . . . . . . 196
Federal Information Processing Standards (FIPS) . . . . . . . . . . . 202

Chapter 14 Audits . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Audit Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Auditing Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Data Collecting . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Audit Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Important RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Part IV: Advanced Security Techniques

Chapter 15 Authentication . . . . . . . . . . . . . . . . . . . . . . . 214
Authentication Defined . . . . . . . . . . . . . . . . . . . . . . . . 214
Authentication Techniques . . . . . . . . . . . . . . . . . . . . . . 215
Basic HTTP Authentication . . . . . . . . . . . . . . . . . . . . . . 218
Host-Based Authentication . . . . . . . . . . . . . . . . . . . . . . 218
Pluggable Authentication Modules . . . . . . . . . . . . . . . . . . . 218
Authentication RFCs . . . . . . . . . . . . . . . . . . . . . . . . . 219
Future Development of Authentication . . . . . . . . . . . . . . . . . 221
Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Smart Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Internet Authentication Security Issues . . . . . . . . . . . . . . . 222

Chapter 16 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 224
Encryption Defined . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Cryptographic Software Criteria . . . . . . . . . . . . . . . . . . . 225
Encryption Software Benefits . . . . . . . . . . . . . . . . . . . . . 226
Secure Shell (SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Data Encryption Standard (DES) . . . . . . . . . . . . . . . . . . . . 227
Password Shadowing . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Encryption in a Mixed OS Environment . . . . . . . . . . . . . . . . . 231
Internet Sites and Resources . . . . . . . . . . . . . . . . . . . . . 232

Chapter 17 Pretty Good Privacy . . . . . . . . . . . . . . . . . . . . 233
PGP Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Basic Uses of PGP . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Pass Phrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
PGP Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
PGP Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Privacy RFCs . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Newsgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Appendix A Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . 237


Appendix B Important Linux Security Commands. . . . . . . . . . . . . . . 251
Appendix C Linux Security Weaknesses . . . . . . . . . . . . . . . . . . . . 259
Appendix D Security and the Web . . . . . . . . . . . . . . . . . . . . . . . 263
Appendix E Listing of Networking HOWTOs . . . . . . . . . . . . . . . . . 273
Appendix F Networking Requests for Comments (RFCs) . . . . . . . . . . . 281
Appendix G Listing of Man Pages for Networking Administration and
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

This is the third book in this series on Red Hat Linux. I would
like to thank the very fine people at Wordware Publishing in
their professional efforts to take my draft and make an
engaging viewing experience. The two people responsible for
this are Martha McCuller, interior design; and Alan McCuller,
cover design. In addition, editor Beth Kohler has to be
thanked many times in many languages. Finally, to Jim Hill,
the publisher, who had faith in my writing skills.
Any omissions or technical misinterpretations are, of course,
mine.


Introduction
This book is based on the premise that the system administrator who
does not enforce an integrated network security system is the weakest
link in the system. Security is more than the technical aspects of using a
Linux operating system such as permissions or TCP/IP wrappers. There
are the human aspects that may be in the end more important than the
technical. The simplest human error, such as posting a password on an
office wall, can do in the best technical security efforts. The fundamental word in the first sentence is integrated. Integration here means
bringing all the parts of a system together to act as one. The sum of the
parts should be greater than the whole.
The technical security architecture must have a supporting set of policies that define user actions both on and off the computer or terminal.
The broad foundation of any Linux technical security architecture
includes the following:
• Encryption and decryption
• Intrusion detection
• Logs
• Managed access control
• Network access control
• User and group accounts
Another basis of the book is the recognition that in many cases there is
no single way to do a security action. Similar commands can be used to
achieve a function. Commands have multiple options based on multiple
requirements. As no two Linux filesystems are identical because of basic
hardware and software network configurations, once an administrator
makes one change to the original installation of a Red Hat Linux distribution, the change can ripple through the system in a manner similar to
a pebble being thrown into a pool of water.
A potential confusion exists because since Linux is UNIX-like one might
think the security issues are the same. They are similar. Because Linux
has been developed in a freelance environment, there is a need to make
a conscious decision to have a security management system. The book
tries to detail the meaning of a security management system. It does
imply that security is not a group of actions done in separate moments
of time but a set of integrated actions that has a continuous thread of
action. Because of Linux's UNIX heritage, there is a potential for similar
security threats. The heritage includes the following:
• Common development language of C
• Multitasking support
• Multi-user sessions
• Hierarchical directory and file systems
• Internet protocol support

How the Book Is Organized


The book shows a process of implementing Red Hat Linux into a security management system. You do not design, develop, test, and
implement a security management system by starting at the root command level and setting up permissions and passwords; you have to have
a plan. It is more difficult to make your network more secure after the
fact rather than by starting from scratch. It is recognized that many
readers will already have an established system. This means you have
to do more audits and tests to find holes, gaps, or oversights in the
network.
The book looks at four areas:
• Basic thinking on security from threats to standards
• Security for seven components of the Red Hat Linux filesystem
• Three security tools (system tools, standards, and audits)
• Three security techniques from general to specific (authentication,
encryption, and Pretty Good Privacy (PGP))

Part I: Foundation for Security


This part looks at the foundations of electronic security thinking, which
is based on types of threats, policy development (local security standards), and Requests for Comments (Internet security and network
standards).
Chapter 1: General Overview of Security Threats This chapter
gives the first answers to the following questions. The rest of the chapters detail the answers.
• What is a security management system?
• Who is responsible for a security management system?
• Why should you have a security management system?
• Where should there be a security management system?
• How should you set up a security management system?

• What is a security threat?
• Who causes security threats?

Chapter 2: Security Policy Overview This chapter discusses the
design, development, and implementation of a security policy as the
backbone for a Linux security management system. Areas discussed
include:
• Design considerations
• General recommendations
• Essential components
• Implementation ideas
• Maintenance methods
The chapter outlines two important Requests for Comments (RFCs) for
developing security policies: 1281 and 2196. RFC 1281 is Guidelines for
the Secure Operation of the Internet. RFC 2196 is Site Security Handbook. The chapter uses these RFCs to outline a general Red Hat Linux
security policy for passwords.
Chapter 3: Security Requests for Comments The chapter briefly
describes over 50 Requests for Comments that have become the standards and backbone of Internet security thinking. In addition, certain
informational RFCs are described. The chapter is primarily for
advanced network administrators.

Part II: Linux Security Management System


This part looks at the seven major components of a Red Hat Linux
filesystem (operating system) for the design, development, and implementation of an integrated security management system. In addition,
the idea of networking and the integration of these components is
discussed.
Chapter 4: Kernel, Shells, and System Calls The chapter discusses security issues about the basics of the operating system, that is,
the kernel, shells, and system calls. In addition, related configuration
techniques are discussed.
Chapter 5: Standalone Workstations The chapter discusses security issues for the two types of standalone workstations: those with no
connection to any other environment and a single workstation connected to the Internet. In addition, this chapter looks at the user and
the security management system.

Chapter 6: Servers and Services The chapter discusses security
issues about intranet servers and services. When appropriate, the
related configuration techniques are suggested. Some of the servers and
services included in the chapter are the following:
• E-mail
• Newsgroups
• DNS
• Web
• FTP
• SAMBA
• Apache
Chapter 7: Network The chapter discusses security issues about the
network and the related configuration techniques. Network management as used here means secure access control (passwords and
permissions) and the correct configuration of the infrastructure. The
ideas discussed in the chapter include:
• Passwords
• Permissions
• User and group accounts
• File archiving and compressing
• Logging
Chapter 8: Internet The chapter discusses security issues about the
Internet connection and the related configuration techniques. A primary
concern in having an Internet server is security. With Internet access,
you open your intranet (network) in an uncontrolled, ubiquitous, and
unmanageable environment. This is where firewalls and gateways come
into play. The areas discussed in the chapter include security for:
• Internet server
• Firewalls
• FTP
• Mail
• Telnet
• Web protocols
Chapter 9: Peripherals The chapter highlights certain information
that is relevant to the security management of two peripherals that are
ignored, but can generate security threats: printers and fax machines.
General hardware information and specific devices are also highlighted.

Chapter 10: Remote Access The chapter discusses security issues
about remote access and the related configuration techniques. The
chapter looks at Network File System management and the use of r-commands.
Chapter 11: Networking The chapter discusses security issues for
networking and the related configuration techniques. Networking management as used here means secure data transmission from one point
to another or process control and the administration of the status and
usage of this transmission.

Part III: Security Management Tools


This part looks at the three major management tools for maintaining a
Red Hat Linux security management system: system tools, standards,
and audits.
Chapter 12: System Tools The chapter discusses using system tools
for security. An important point to remember is that any interface is
static. Additionally, as a security toolkit is developed, it should be an
integrated one. A system tool is a tool that is an interface to the whole
system; however, since there is no one system tool, a security toolkit of
multiple tools has to be developed.
Chapter 13: Standards The chapter points to standards organizations rather than discussing standards because they are highly
specialized in many cases and require thorough readings rather than
just highlighted descriptions. Chapter 3 discusses the most commonly
used standards for Internet access, Requests for Comments (RFCs).
Chapter 14: Audits The chapter discusses using audits to protect
the system. An audit is an organized and objective review of the whole
security management system, usually done by an external organization.
In contrast, auditing is an ongoing process of checking the parts of a
security management system.

Part IV: Advanced Security Techniques


This part looks at three advanced security techniques that can be used
to enhance a Linux security management system: authentication,
encryption, and Pretty Good Privacy.
Chapter 15: Authentication The chapter discusses what authentication is and can do in a Linux security management system. Some of
the ideas discussed are:
• Techniques
• Basic HTTP authentication
• Host-based authentication
• Pluggable Authentication Modules (PAMs)
• References
• Future development

Chapter 16: Encryption The chapter discusses in general what
encryption is and can do in a Linux security management system. The
specific areas discussed are:
• Cryptographic software criteria
• Encryption software benefits
• Secure Shell (SSH)
• Data Encryption Standard (DES)
• Password shadowing
• Encryption in a mixed OS environment
• Internet sites and resources
Chapter 17: Pretty Good Privacy The chapter briefly discusses
what Pretty Good Privacy (PGP) is and its place in a Linux security
management system. The basic functionality of PGP is that it allows
multiple entities to sign a key for e-mail messages. Some of the ideas
discussed are:
• Uses
• Pass phrase
• PGP signature
• References

Appendices
Appendix A: Terms and Acronyms The appendix defines some of
the common words used in network and Internet security in the context
of a Red Hat Linux filesystem.
Appendix B: Important Linux Security Commands The appendix gives some of the commands important to a security management
system.
Appendix C: Linux Security Weaknesses The appendix briefly
discusses some of the known security holes in Red Hat Linux. Special
lists are given for Linux 6.0 and 6.1.

Appendix D: Security and the Web The appendix lists some of
the World Wide Web sites that focus on issues related to the concepts,
ideas, tools, and techniques discussed in the book.
Appendix E: Listing of Networking HOWTOs The appendix
gives a list of HOWTOs that are relevant to a security management system for Linux.
Appendix F: Networking Requests for Comments (RFCs) The
appendix gives a list of Requests for Comments that are relevant to a
security management system.
Appendix G: Listing of Man Pages for Networking Administration and Maintenance The appendix gives a list of networking
man pages that are relevant to a security management system for Red
Hat Linux.


Part I: Foundation for Security

This part of the book looks at the foundation of electronic
security thinking, which is based on types of threats, policy
development (local security standards), and Requests for
Comments (Internet security standards). Specifically the
chapters cover:

Chapter 1: General Overview of Security Threats


This chapter addresses security management systems, specifically what a security management system is, who is responsible
for it, why you should have one, and how to set it up. Security
threats are also discussed.

Chapter 2: Security Policy Overview


The chapter outlines two important Requests for Comments
(RFCs) for developing security policies: 1281 and 2196.
RFC 1281 is Guidelines for the Secure Operation of the
Internet. RFC 2196 is Site Security Handbook. The third
section of the chapter uses these RFCs to outline a general
Red Hat Linux security policy for passwords.

Chapter 3: Security Requests for Comments


The chapter looks at more than 50 of the important
Requests for Comments that have become the standards
and backbone of Internet security thinking.

Chapter 1

General Overview of
Security Threats
This chapter gives the first answers to the following questions. The rest
of the chapters detail the answers.
• What is a security management system?
• What is a network security threat?
• Who causes network security threats?
• What are important security management system terms?
• Who is responsible for a security management system?
• Why should you have a security management system?
• Where should there be a security management system?
• How should you set up a security management system?
• What are some specific types of threats?

The essential question of any security management system is: When do
I know I have too much security? You have too much security when
you try to subvert the system because of the security management
framework. You have too much security when the solution costs more
than the problem in money or time. You have too much security when
you try to protect unnecessary hardware or software.


What is a Security Management System?


A security management system is an organized and integrated process
that is directed toward the goal of protecting something. In this case,
the something is an electronic network that uses as its backbone Red
Hat Linux, that is, its operating system. The system is supplemented by
add-ons, special applications used to make a network more secure than
the normal available utilities. A security management system is an
all-inclusive protection environment, from preventing the posting of
passwords on a user's office wall to the use of intrusion detection tools.
This book's focus is to identify the policies, components, tools, and
techniques that are identifiable with Red Hat Linux 6.x. However, any
security management system has a foundation based on public
benchmarks and standards, especially those written for the Internet. To
develop a Red Hat Linux security management system these public standards must become a part of the process.
Like other operating systems or networking systems that have file protection mechanisms, Linux has its own, although it is based on UNIX. It
is important for someone new to Linux and unaware of the UNIX environment to know that UNIX security was an evolving process that was
enhanced as new types of threats occurred.
Linux security requires holistic comprehension (awareness of the interdependence of the parts to the whole) of a Linux filesystem
infrastructure, that is software, hardware, and the abstract elements
such as integrity and interoperability. The comprehension requires
knowledge of two points of the Linux command and file structure:
• Certain commands and files must be used together.
• There are commands that perform similar, but not the same,
functions.

Note: Part II gives examples of the differences between same
and similar commands.

What is a Security Threat?


A security threat is an unauthorized entry or intrusion into a network
that causes grave or significant harm to the network. The harm can be
either the theft of corporate data or actual damage to the network.
There may be lesser intrusions or misuses of the network, but they may
be labeled as security nuisances or annoyances.

A security misuse such as posting one's user password on the computer
or on the office wall may at first be a security nuisance that can become
a potential security threat. In addition, not having an enforced password policy, such as a maximum length of time of validity, or having an
easy, identifiable password can lead to a security threat.
As used in this book, a hacker is a person for whom just entering a network is the challenge. A hacker thus is a security nuisance. A cracker is
a person who has a malicious intent when entering a network, from
theft to destruction. A cracker thus is a security threat.
The following are examples of potential security nuisances:
• An abuse is any prohibited use of a system, such as going to
non-business related URLs.
• An attack is any attempt to breach or disable your security system.
• A bug is a weakness in a program, usually human error.
• A compromise is a security breach in which data has been exposed.
• An intruder is an individual who gains unauthorized access into a
network.

Note: Any security nuisance can be a threat. It is a matter of
degree.

The following are examples of security threats:
• Denial of service (DoS) is a malicious technique that renders computer services of the Internet unavailable for users.
• Finger is a technique of gathering data on a specific user. When the
technique is allowed it becomes a potential malign security
opportunity.
• IP spoofing is the malicious use of an IP address to gain unauthorized access.
• Packet sniffer is a tool used by crackers to listen on an Ethernet port
for such things as passwords and login data.
• Sniffing is a technique used to capture datagrams across a network.
It is both legitimate and illegitimate.
• Spamming is a technique for flooding (usually) mailing servers with
thousands of e-mails, commonly advertisements.
• Spoofing is the technique that involves impersonating another user
or host to gain unauthorized access.
• Trapdoor is an undocumented access point into an application.
• Trojan horse is a malicious application used to perform unauthorized
tasks that can compromise a network's security system.

• Virus is a self-replicating or propagating program that infects a
network.
• Worm is a self-replicating program that can also send itself across
networks.

Who Causes Network Security Threats?


The thief is not the cause of the threat; the careless network administrator or user is. This statement might sound harsh. The point is this: if
you leave the door to your house open in an area known for thieves and
the thieves walk into your house easily, who is responsible? Now,
if you have an activated security system for your house and the thieves
break in, who is responsible? The thief takes any opportunity to break
into a network because of malicious goals.

What are Important Security Management System Terms?

As there are words for security intrusions and intruders, there are terms
that are relevant to the security management system. The following definitions and terms are the foundation for the discussions in this book:
• Access control is any technique, such as the granting or denying of
permissions, to control the use of system resources.
• Account policy defines the manner, time, and type of uses of system
resources by a given user, such as the length of time a password is
valid.
• Accreditation is a seal of approval by an external source that your
security system and practices have met a rigorous evaluation.
• An administrator is the person responsible for controlling the network, which includes managing the security system.
• An audit is an objective and systematic evaluation of a system and
its practices using benchmarks and standards, usually done by
an external group.
• Authentication is the process of verifying a unique user or host. It
can be as simple as asking only for a password or as complex
as the use of challenge-response dialogs using encryption or
algorithms.
• Authorization is a user's right to access resources based on an acceptable use policy.
• A benchmark is a defined level of acceptance or non-acceptance or a
variance in the system, such as a distinction between a hacking and a
cracking intrusion. In a technical sense, a benchmark is an acceptable or unacceptable level of performance.
• BIOS security is the security concern for the lowest level of software,
the operating system, that configures your hardware, especially the
booting process.
• Boot loader security is the security concern that prevents unauthorized users from rebooting the system; this includes disabling
booting from a floppy.
• Certification is the result of meeting external accreditation for a system. For example, it may mean a person has successfully completed
a series of network courses.
• A cipher is an algorithm for encryption and decryption.
• Command-line tools use commands rather than menus in graphical
tools.
• A compromise is a security breach in which data has been exposed.
• Confidentiality is the level of sensitivity of data, that is, the degree
to which the data can be known.
• Configuration management is the process by which the system configuration is managed to ensure security integrity.
• Connection accounting is the technique of tracking current user sessions and user logins and logouts.
• A countermeasure is a safeguard used to prevent, minimize, or eliminate a security challenge to the network.
• Cryptography is the science of writing secrets. One technique of
cryptography is encryption and decryption.
• Data Encryption Standard (DES) is the federal government's standard for encrypting non-classified data, based on a 1974 standard
from IBM.
• Decryption is the process of making unreadable data readable.
• Discretionary Access Control (DAC) provides control from a central
authority that determines access attributes of any user or host on a
network.
• Display security is a security administration concern to prevent the
display of passwords and confidential documents on a monitor.
• Encryption is the process of making data unreadable unless you have
the proper deciphering process. It is used to enhance privacy.
• Filtering is the process of examining network packets for adherence to
security policies at a chosen granularity.
• A firewall, in general terms, is a device that prevents unauthorized
users from accessing a network or a part of a network.
• Granularity is the degree of security processing used to apply access
control.
• Graphical tools are user-interface tools such as usercfg that are used
in a security management system to define user access.
• Host security is the security administration concerned with passwords, network services security, accounting records, and upgrades
that enhance security administration.
• Identification is the process for establishing a user profile.
• Integrity is the correctness of transmitted data, which includes application and configuration data.
• An intruder is an individual who gains unauthorized access into a
network.
• Intrusion is an automated process for unauthorized entry into a
network.
• Kernel security is the security concern to prevent unauthorized entry
into the kernel that controls your networking.
• A key is a unique value that identifies a user, usually derived from an
algorithmic process.
• Local security is the security administration concern for unauthorized actions by local users, especially when ways are found to
exploit the root account.
• Logging is a technique for reviewing network transactions; however,
there are ways to tamper with logs so unauthorized transactions do
not appear.
• Mirroring is a process that can be used in security management to
duplicate disk volumes for redundancy.
• Network security is the security administration concerned with firewalls, encryption, and authorized users and machines.
• One-time passwords are passwords that are only effective once when
used over the network, so a cracker cannot use a captured static
password.
• A permission is the method of the Linux filesystem for limiting user
access to files and directories based on read, write, and execute
attributes.
• Physical security is a concern for door locks, cables, locked cabinets,
and other types of protections for hardware.
• Pluggable authentication modules (PAM) are a unified authentication scheme that eases the process of changing authentication methods.
• A policy gives the why, what, when, where, and how for a specific
set of guidelines for action, such as use of passwords.
• Pretty Good Privacy (PGP) is a public-key cryptographic application
that uses different keys for encryption and decryption.
• Process accounting is the bookkeeping of process activity.
• A protocol is a standard that consists of rules governing such things
as data communication or security management.
• A proxy is a server that fronts for a client, thus protecting the client.
• Reliability is the way a network is supposed to behave all the time;
it can especially be affected by denial of service attacks.
• Requests for Comments (RFCs) are a series of documents written by
the Internet community that in many cases serve as standards.
• Risk management is the management of events that can do critical
damage to a system, especially unauthorized security access.
• Secure Electronic Transaction (SET) is a standard of security protocols for protecting e-commerce transactions, especially credit cards.
• Secure Shell (SSH) is a client/server application that provides secure
communications through encryption, RSA-based host authentication,
and user authentication options.
• Secure Socket Layer (SSL) is a security protocol developed by
Netscape Communications Corp. that is concerned with protecting
client/server applications from eavesdropping.
• A security audit is a formal examination by a third party of your
security management system.
• A standard is a definition of a process that includes conditions,
benchmarks, general procedures, and sequence of events in a network security program.
• A technique is a systematic process to achieve a specific goal.
• A tool is a utility used to accomplish something.

Who is Responsible for a Security Management System?

The network or system administrator is responsible for the security
management system. However, every user of the system is personally
responsible for individual misuses of the system. The question is: What
is a responsibility?
A responsibility is any action worthy of rebuke. The rebuke comes in
degrees, from going to a non-business related Internet site to damaging
the network. An effective security management system has a policy that
defines responsibilities for security breaches to the system from minor
to major and the actions the corporation will take. For example, at one
company an individual who goes to certain types of Internet sites
receives an e-mail stating that if the person goes to this type of site again it
is grounds for immediate termination. This sounds harsh, but the company pays for the network usage, and this misuse of the network is a
form of theft.

Why Should You Have a Security Management System?

You should have a security management system because you would not
build a house in an urban area without doors and locks. The doors and
locks are an integrated part of the design of the house. Also, there is a
difference between a security system and a security management system. A system is a group of interacting components. The Mississippi
River is a complex water system with many tributaries but it is managed by the U.S. Army Corps of Engineers.
If you have a firewall, use file permissions, and have password guidelines, you have a security system because the network components
directly or indirectly interact. However, unless you direct the interactions you do not have a security management system. One cannot say
that Linux security is just using TCP Wrappers. First, it is the integration of
external actions of users with the impacts on the internal network. Second, it is the actions required to protect against and to detect network
intrusion, which include doing audits, using authentication, and having
security standards. It is having both external components to the network, such as standards, and internal components, such as a permission
policy, in a managed environment.

Where Should There be a Security Management System?

A security management system exists both inside the network and outside the electronic network. The external components include
standards (Chapter 3), policies (Chapter 2), certain types of audits
(Chapter 14), and activity enforcement. The internal components for a
Red Hat Linux security management system discussed in detail in Part II
of the book (Chapters 4-11) are the following:
• Kernel, shells, and system calls
• Workstations
• Servers and services
• Network
• Internet
• Peripherals
• Remote access
• Networking

How Should You Set Up a Security Management System?

You should set up a security management system in an organized manner. When you try to set up a security system in a haphazard manner,
you will have gaps or holes that will not be closed after a threat is identified. The book outlines a process for setting up a security management
system that includes the following twelve steps:
• Comprehending the difference between a security threat and a security nuisance
• Developing policies
• Using security Requests for Comments
• Developing security policies for each component of the Linux
filesystem
• Integrating the policies of the filesystem components
• Developing user security guidelines and policies
• Integrating network policies and user policies
• Using available security system tools
• Doing audits
• Using authentication
• Using encryption
• Using a special security application such as Pretty Good Privacy
(PGP)

What are Some Specific Types of Threats?


Any threat is really a system threat. The nature of Linux is such that
what may appear a workstation threat may have its origin in how the
kernel security is managed. Threats have labels such as Trojan horse,
but the comprehension of the types of threats or technique is important
to the system administrator. Six of the basic types of threats are:
• Password attacks: the most primitive and common, aimed at /etc/passwd
• Denial of service (DoS): system overload for hardware, software, or both
• Spoofing: subversive machine authentication
• Sniffers: stealthy data gathering
• Malicious code: unauthorized code (Trojan horses and viruses)
• Scanners: stealthy searching for system susceptibilities

Remember: An absolutely secure network does not exist. A security
management system can only make the door harder to open. The basis
of these types of threats is the use of automated tools by crackers.

Password Attacks
A password attack tries to circumvent, decrypt, delete, or even change
passwords. The security approach is to have add-on tools to harden
passwords, to change default product passwords, to have a password
policy that educates users on password usage, and to enforce the policy.
The potential consequence is total system compromise, that is, root
access and host control. Password attacks are where budding crackers
sharpen their fangs. This technique requires minimal technical
expertise.
In early distributions of Linux readable passwords were found in
/etc/passwd and thus were unsafe. Any user can concatenate the file with
$ cat /etc/passwd to display it. There are seven fields per record in
/etc/passwd:
• username: maximum of eight lowercase characters
• passwd: version dependent (encryption or shadowing)
• userID: user identification number that attaches to the user's processes
• groupID: group identification number that reflects the user's native group
• real name: identifier that can optionally be the user's name
• user home: the user's home directory
• user shell: the user's default shell
When /etc/passwd is concatenated the result is similar to the following:
$ cat /etc/passwd

root:y19tryT6:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:11:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/var/spool/news:
uucp:*:10:14:uucp:/var/spool/uucp:
operator:*:11:0:operator:/root:
games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/home/ftp:
nobody:*:99:99:Nobody:/:
postgres:!!:100:233:PostgreSQL Server:/var/lib/pgsql:/bin/bash
Beginning of user information
jdoe:HL47Cc6VzGJN:501:501:Jane Doe:/home/jdoe:/bin/bash
The password, the second field, is encrypted or scrambled. Encryption
is discussed in more detail in Chapter 16. If shadowing was used the
first line would read root:x:0:0:root:/root:/bin/bash.
A common type of password attack is the dictionary attack. Dictionary
attacks are made easy by weak user passwords and the short length
of Linux passwords. A dictionary attack takes a long list of words, encrypts
each one with a high-speed cracking tool, and compares the results with the passwords in
/etc/passwd until a match is found. The more hardened the passwords
the better.

Note: Perhaps the best-known password auditing tool is
Crack. It can be downloaded at
http://www.users.dircon.co.uk/~crypto/index.html.
One technique of hardening the password process is to use password
shadowing. Passwords are removed from /etc/passwd and stored in
/etc/shadow. The Red Hat Linux distribution includes the shadow-utils
package. The important commands of the package include the
following:
• pwconv
• pwunconv
• pwck
• lastlog
• useradd
• userdel
• usermod
• groupadd
• groupdel
• groupmod

The first three commands are used to convert and to unconvert shadow
passwords. The fourth command checks for password integrity. The
next three commands are used to manage user passwords. The final
three commands are used to manage group passwords. The
/etc/shadow file consists of one record per line with nine fields:
• Username
• User password
• Number of days since January 1, 1970, that the password was
changed
• Number of days left before user is permitted to change password
• Number of days left before user is forced to change password
• Number of days to change password warning
• Number of days left before password is disabled
• Number of days since January 1, 1970, that the account has been
disabled
• Reserved
The shadow suite has two important password maintenance techniques:
• Password aging
• Automatic account lockout

Note: The shadow suite is also vulnerable to attacks, so the
latest version of the package should be acquired. The active
word is to be vigilant.
There are other types of password security issues beyond the ones for
/etc/passwd and /etc/shadow. In all cases, the aim is to seize the root.
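The following audit script is an added example, not code from the book: it parses the seven /etc/passwd fields and the nine /etc/shadow fields described above, reports any account whose hash is still readable in /etc/passwd (the case pwconv fixes), and evaluates password aging from the shadow fields. The file contents and the day number passed as "today" are samples embedded in the script so it runs offline; the shadow hashes are placeholders.

```python
"""Audit /etc/passwd and /etc/shadow records (added example, not from the book).

Parses the seven passwd fields and the nine shadow fields, flags hashes that
are still readable in world-readable /etc/passwd, and evaluates password aging.
"""

PASSWD_FIELDS = ("username", "passwd", "uid", "gid", "real_name", "home", "shell")
SHADOW_FIELDS = ("username", "password", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire_day", "reserved")

# Entries modelled on the chapter's listing, plus a constructed 'guest' account
# with an empty password field and a constructed malformed line.
SAMPLE_PASSWD = """\
root:y19tryT6:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
postgres:!!:100:233:PostgreSQL Server:/var/lib/pgsql:/bin/bash
jdoe:HL47Cc6VzGJN:501:501:Jane Doe:/home/jdoe:/bin/bash
guest::502:502:Guest:/home/guest:/bin/bash
broken:x:600:600:Missing Fields
"""

# Constructed /etc/shadow; day counts are days since January 1, 1970,
# and the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$placeholder$:10950:0:99999:7:::
jdoe:$1$placeholder$:11000:1:90:7:14::
asmith:$1$placeholder$:10800:1:90:7:14::
"""


def parse_records(text, fields):
    """Split colon-separated records; lines with the wrong field count are reported, not parsed."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            malformed.append((lineno, len(parts)))
            continue
        records.append(dict(zip(fields, parts)))
    return records, malformed


def classify_password_field(value):
    """Interpret the second passwd field: 'x' means shadowed, '*' or '!' prefixes mean locked."""
    if value == "x":
        return "shadowed"
    if value == "":
        return "empty"
    if value[0] in "*!":
        return "locked"
    return "exposed"  # a real hash sitting in a world-readable file


def passwd_findings(records):
    """Return (username, issue) pairs for accounts that weaken the password system."""
    findings = []
    for rec in records:
        kind = classify_password_field(rec["passwd"])
        if kind == "exposed":
            findings.append((rec["username"], "hash readable in /etc/passwd; run pwconv"))
        elif kind == "empty":
            findings.append((rec["username"], "no password set"))
        if rec["uid"] == "0" and rec["username"] != "root":
            findings.append((rec["username"], "extra UID 0 account"))
    return findings


def aging_status(entry, today):
    """Evaluate one shadow record's aging fields for 'today' given as days since 1970-01-01."""
    last_change = int(entry["last_change"] or 0)
    max_days = int(entry["max_days"] or 99999)
    warn_days = int(entry["warn_days"] or 0)
    if entry["expire_day"] and today >= int(entry["expire_day"]):
        return "account expired"
    deadline = last_change + max_days  # last day the current password is valid
    if today > deadline:
        if entry["inactive_days"] and today > deadline + int(entry["inactive_days"]):
            return "locked: password inactive"
        return "expired: change forced at next login"
    if today >= deadline - warn_days:
        return "warning: password expires soon"
    return "ok"


def audit(passwd_text, shadow_text, today):
    """Run both checks and return a single report dictionary."""
    passwd_records, bad_passwd = parse_records(passwd_text, PASSWD_FIELDS)
    shadow_records, bad_shadow = parse_records(shadow_text, SHADOW_FIELDS)
    return {
        "malformed_passwd": bad_passwd,
        "malformed_shadow": bad_shadow,
        "passwd": passwd_findings(passwd_records),
        "aging": {rec["username"]: aging_status(rec, today) for rec in shadow_records},
    }
```

Call audit() with the real file contents (the script needs root to read /etc/shadow) and a current day number to audit a live system.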


Denial of Service
While denial of service (DoS) has the attention of the various journalistic media these days, it has been around in either an intentional form or
unintentional form since late 1980. In October 1980, ARPANET, an
early form of the Internet, may have experienced the first DoS when
there was a hardware malfunction that caused a major sequence of malformed network control packets. Unfortunately, since that time there
have been cracker tools developed that can generate software DoS.
These tools can be used easily by a very inexperienced cracker.

Note: For details on the ARPANET DoS, see Eric C. Rosen's
Request for Comments 789, Vulnerabilities of Network Control
Protocols: An Example.
Denial of service renders a host's or server's hardware, software, or
both unreachable, thus the name. The attack denies any service to a
user. DoS is always malicious and is unlawful.
DoS attacks are common and persistent. DoS attacks might even be
more common than dictionary attacks because of their popularity
among new crackers. That popularity rests on two factors: they are easy to generate and they easily make the news.
However, the success of DoS attacks is not based on popularity, but
security management system issues. DoS attacks take advantage of
errors, limitations, or inconsistencies in vendor TCP/IP implementations. A network administrator has to be continually vigilant for vendor
patches in this area. There are requirements to reconfigure hardware,
patch software, or filter affected ports.
DoS attacks were once considered nuisances. Today, when a service is
lost for an hour there can be a loss of thousands and thousands of dollars. DoS attacks can be very expensive events, not just in dollars but in
business reputation.
Hardware attacks are more vendor specific than Linux specific so this
topic is not discussed here. A network administrator has to be vigilant
about vendor updates. Four types of DoS attacks that can also affect
hardware because of software attacks are:
• A unit is flooded with malformed packets.
• Login routines are caused to overflow.
• IP addresses cannot be resolved.
• All available sessions are engaged.



The two types of DoS attacks are against Linux networking and against
applications for Linux. Since Linux is open sourced, new types of
attacks are developed frequently. Here are some of the types of consequences of Linux networking DoS attacks:
• IP connectivity killed.
• Kernel panic because the sockets limit is exceeded.
• Printer hung.
• RPC services killed.
• System crashed.
• Too many openings of ident requests occurred.
Here are some of the types of consequences of DoS attacks on Linux
applications:
• Exclusive lock on wtmp occurs.
• IRC server clogs.
• Local display dies.
• Message box for Netscape overflows.
• Netscape freezes.
There may be no absolute defense against a DoS attack, but some
actions can be taken. The first is to keep current on vendor patches.
Other actions include the following:
• Use packet filters to protect against suspicious source IP addresses.
• Disable broadcasting.
• Use TCP interception on any router.
• Filter incoming PING traffic.
• Limit the time-out period on dropping unresolved connections for
non-firewalled servers.

Spoofing
Another type of threat is spoofing. Spoofing is when an intruder
authenticates one host to another using forged packets from a trusted
host. A broader definition is any type of subversion using authentication. Three major spoofing techniques involve TCP/IP, Address
Resolution Protocol (ARP), and Domain Name Service (DNS).
The major source of security for TCP/IP is the IP address as an identifier. It is commonly used in access control for most, if not all, Internet
applications. One technique for some protection against spoofing is
good management of TCP connections and data transfers.

IP spoofing does not affect all services. Some of the vulnerable services
include:
• Services that use IP address authentication
• Remote Procedure Call (RPC) services
• R services (rshd, rlogin, rwhod, and rexec)
• X Window System
The significance of IP authentication is that most network services use
it. The best countermeasure is to avoid using the source address for
authentication. Beyond using cryptographic authentication on the system, three additional countermeasures might be used:
• Configure the network router to reject packets from the Internet that
claim local address origination.
• Stop TCP at the firewall.
• Enable encryption at the router for any outside connections from
trusted hosts.
ARP spoofing uses a hardware address rather than an IP address. An
intruder keeps a hardware address, but assumes the IP address of a
trusted host. This is done by using false mapping information. The false
mapping information is sent to the target and the cache. Since the
cache entries expire quickly, the window of opportunity is narrow. A
form of protection is to use static ARP tables by using the arp command.
DNS spoofing compromises the DNS server and alters the host name to IP
address tables. When a client requests a lookup, the user is given a
bogus address that is under the cracker's control. While this type of
attack is rare, it still can lead to system-wide compromise. DNS spoofing can be detected by polling other authoritative DNS servers and
looking for a server whose results vary from those of the other
servers.

Sniffers
A fourth technique of attack is the use of sniffers. The actual name of
sniffers is protocol analyzers. Header files are used in sniffing. A sniffer
establishes a workstation condition so that it can monitor and capture
all network traffic and packets. Sniffers are dangerous because they
can:
• Capture passwords
• Capture proprietary information
• Breach the security of neighboring networks



Because sniffers are passive, they are difficult to detect. For example,
they do not generate logs. To detect a sniffer, a determination of a network interface in promiscuous mode is required. A tool available for
this determination is ifconfig.

Malicious Code
The malicious code technique probably gets the most press because the
two most common kinds are viruses and Trojan horses. The two most
common types of viruses are boot and file. A Trojan horse can only be
propagated through human intervention to insert hidden and unauthorized code in an application.
A technique for detecting malicious code is object reconciliation. This is
comparing what was last determined as authorized against what is the
present state of the system. Because this technique is not sufficient in
and of itself, the use of checksums should be considered.

Note: A tool that can be used for malicious code threats is
Tripwire. It is found on the application CD sold as a part of the
official boxed version of the Red Hat Linux distribution.
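The object reconciliation technique described above, as an added example that is neither the book's code nor Tripwire: a baseline of the authorized state (size, mode, modification time) is recorded per file and later reconciled with the present state. Metadata alone misses a file rewritten with the same length and a restored timestamp, which is why each record also carries a SHA-256 checksum; the demo builds its own files in a temporary directory, so the paths and contents are constructed.

```python
"""Object reconciliation with checksums (added example, not from the book or Tripwire)."""
import hashlib
import os
import tempfile


def file_record(path):
    """Authorized-state record for one file: metadata plus a content checksum."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": st.st_mode,
            "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def baseline(root):
    """Walk a tree and record every regular file, keyed by path relative to root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                records[os.path.relpath(full, root)] = file_record(full)
    return records


def reconcile(old, new):
    """Compare two baselines: added, removed and modified files, and which check caught each change."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "modified": {}}
    for rel in set(old) & set(new):
        meta_changed = any(old[rel][k] != new[rel][k] for k in ("size", "mode", "mtime"))
        sum_changed = old[rel]["sha256"] != new[rel]["sha256"]
        if meta_changed or sum_changed:
            report["modified"][rel] = "metadata" if meta_changed else "checksum only"
    return report


def demo():
    """Build a constructed tree, take a baseline, tamper with it three ways, and reconcile."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("bin/login", b"#!/bin/sh\necho login\n"),
                           ("etc/motd", b"Welcome\n"),
                           ("etc/issue", b"Red Hat\n")):
            os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = baseline(root)
        # 1. obvious edit: content and size change, so metadata alone catches it
        with open(os.path.join(root, "etc/motd"), "wb") as fh:
            fh.write(b"Welcome to the modified host\n")
        # 2. stealthy edit: same length and the timestamp restored, so only the checksum differs
        login = os.path.join(root, "bin/login")
        st = os.stat(login)
        with open(login, "wb") as fh:
            fh.write(b"#!/bin/sh\necho LOGIN\n")
        os.utime(login, (st.st_atime, st.st_mtime))
        # 3. an unauthorized new file and a removed one
        with open(os.path.join(root, "etc/unexpected.conf"), "wb") as fh:
            fh.write(b"x\n")
        os.remove(os.path.join(root, "etc/issue"))
        return reconcile(before, baseline(root))
```

For a real system, store the baseline from a known-good state on read-only media, since a baseline kept on the monitored host can be altered along with the files.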

Scanners
The sixth and final technique is the use of scanners. A scanner is a tool
that can detect system vulnerabilities. A scanner is a security tool and a
security threat. It all depends on which side of the table you sit.
A scanner can detect the obvious and the less than obvious vulnerabilities in a system. There are two types of scanners: system and network.
Examples of system problems that can be identified by a scanner
include erroneous file permissions, erroneous UID entries, and default
accounts. A network scanner tests hosts over network connections. A
scanner is used to get a system baseline, so frequent comparisons
should be done. Be sure to gain authorization to scan another host
before doing so. While a scanner is not an attack in the sense of the
other attacks, it still permits an intruder to gain valuable network system information, especially the weaknesses.


Chapter 10

Remote Access
This chapter discusses security issues about remote access and the
related configuration techniques. The chapter looks at Network File
System management and the use of r- commands.

Note: To see available options for the commands discussed,
you need to do a man command-name command.

Network File System (NFS) Management


Network File System is a means for connecting disks on a remote system to a local system and giving the appearance they are located in the
same physical site. It allows you to mount files from different computers over a TCP/IP network. It is a convenient application to use on
internal networks as it permits you to share files using a central directory hierarchy.
A use for NFS is that you could mount a computer with all home directories so all the users might access their home directories from any
computer.
However, if you do use NFS there are some steps you must take to
ensure some level of security. The steps are:
1. Never export your root file system.
2. Never change the NFS configuration default that denies access to
remote users to log in as the root.
3. Limit portmapper access to trusted hosts.
4. Export file system read-only.
5. Use a separate partition for file systems to be exported, and enable
the nosuid option.


Note: For step 3, add portmapper and the approved host list
to /etc/hosts.allow. Next, add portmapper to /etc/hosts.deny and
specify ALL.
The core characteristic of NFS is that it is a stateless protocol. Each client and server request is unique or complete unto itself. This means
NFS has a robust nature. A server can go down and the clients do not
have to reboot.

Warning: Where there is strength, there is weakness. By its
design, NFS is an insecure environment. If you need to share
data and disk space and be secure, you need to consider an
alternative to NFS.
There are three basic components of an NFS:
• TCP/IP suite of protocols
• Server that uses the process known as exporting the file system
• Client that might be automatically mounted using the /etc/fstab file at
boot time
There is a special requirement for mounting NFS. You must use the syntax of host name:/file/system/path within /etc/fstab. For example, you
might use mailserver:/var/spool/mail. In addition, you need to have
rpc.mountd and rpc.nfsd running on your server.
To start these daemons, you need two lines in a script located in
/etc/rc.d/init/nfs. They are:
n daemon rpc.mountd
n daemon rpc.nfsd
The rpc.mountd daemon handles mount and unmount requests. This
rpc.nfsd daemon translates the NFS requests to actual requests on the
local filesystem server.

Caution: These daemons must start only after rpc.portmap is running. The
file systems to be exported must be entered in the configuration file
/etc/exports.

The /etc/exports file is used by rpc.mountd and rpc.nfsd to determine the
file systems that are to be exported and their restrictions. It consists
of a list of file systems, one per line. Each line consists of:
- The mount point of a local file system
- The computers that are allowed to mount it
- Mount options, separated by commas

163

Chapter 10
The 16 mount options for /etc/exports are:
all_squash      Maps all user IDs (UIDs) and group IDs (GIDs) to the
                anonymous user
anongid         Sets the GID for the anonymous account
anonuid         Sets the UID for the anonymous account
insecure        Permits non-authenticated access
link_absolute   Does not convert absolute symbolic links to relative links
link_relative   Converts absolute symbolic links to relative links
map_daemon      Maps local and remote names and numeric IDs
no_root_squash  Does not map requests from root (UID 0) to the anonymous
                user (default)
noaccess        Excludes subdirectories from a client
no_all_squash   Opposite of all_squash (default)
ro              Mounts the file system as read-only (default)
root_squash     Maps requests from root (UID 0) to the anonymous user
rw              Mounts the file system as read-write
secure          Requires authenticated access
squash_gids     Specifies the GIDs subject to anonymous mapping
squash_uids     Specifies the UIDs subject to anonymous mapping
The basic NFS mount options are as follows:
hard      Does a hard mount (default)
intr      Allows NFS requests to be interrupted
rsize=n   Specifies the datagram size in bytes for read requests
          (default is 1024 bytes)
soft      Does a soft mount
timeo=n   Specifies the wait time for a request in tenths of a second
          (default is 0.7)
wsize=n   Specifies the datagram size in bytes for write requests
          (default is 1024 bytes)
With a hard mount, when a client has a major timeout (60 seconds) it
retries continuously until the request succeeds. With a soft mount, the
client gets an I/O error and processing continues without a retry.
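The five-step checklist above, together with the /etc/exports line format and the mount options just listed, can be checked mechanically. The following POSIX shell script is an added example and is not code from the book: it parses a constructed /etc/exports and a constructed client /etc/fstab and reports the lines that break steps 1 through 5 (root export, no_root_squash, wildcard hosts, read-write exports, NFS mounts without nosuid). The host names, sample file contents and finding wording are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit an exports file and an fstab against the NFS
# checklist (no root export, keep root squashing, trusted hosts only,
# read-only exports, nosuid on the client mount). All sample data below is
# constructed; host names are placeholders, not real machines.

sample_exports() {
    # Constructed /etc/exports: mount-point host(opts) host(opts) ...
    cat <<'EOF'
# constructed sample /etc/exports
/                  *(rw)
/home              ws1.example.com(rw,root_squash) ws2.example.com(rw)
/usr/share/doc     ws1.example.com(ro,root_squash)
/var/spool/mail    mailhost.example.com(rw,no_root_squash,insecure)
EOF
}

sample_fstab() {
    # Constructed client /etc/fstab with two NFS mounts (host:/path syntax)
    cat <<'EOF'
# constructed sample /etc/fstab
/dev/hda1                  /                 ext2  defaults              1 1
mailserver:/var/spool/mail /var/spool/mail   nfs   rw,hard,intr          0 0
fileserver:/home           /home             nfs   ro,nosuid,hard,intr   0 0
EOF
}

audit_exports() {
    # Reads exports-format text on stdin and prints one finding per line
    # as line:export:host:finding. Comment and blank lines are skipped.
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        dir = $1
        if (dir == "/")
            print NR ":" dir ":-:root file system is exported (step 1)"
        if (NF == 1)
            print NR ":" dir ":-:no host list, so every client may mount it (step 3)"
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            if (match(host, /\(.*\)/)) {            # split host(opt,opt)
                opts = substr(host, RSTART + 1, RLENGTH - 2)
                host = substr(host, 1, RSTART - 1)
            }
            if (host == "" || host == "*")
                print NR ":" dir ":" host ":wildcard host; restrict to trusted hosts (step 3)"
            rw = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash")
                    print NR ":" dir ":" host ":no_root_squash lets remote root act as local root (step 2)"
                if (o[j] == "insecure")
                    print NR ":" dir ":" host ":insecure permits non-authenticated access"
            }
            if (rw)
                print NR ":" dir ":" host ":exported read-write; export read-only where possible (step 4)"
        }
    }'
}

audit_fstab() {
    # Reads fstab text on stdin and flags NFS mounts that lack nosuid (step 5)
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $3 == "nfs" {
        n = split($4, o, ",")
        nosuid = 0
        for (j = 1; j <= n; j++) if (o[j] == "nosuid") nosuid = 1
        if (!nosuid)
            print NR ":" $1 ":" $2 ":NFS mount without nosuid (step 5)"
    }'
}

# Stand-alone run against the constructed samples. On a real server use:
#   audit_exports < /etc/exports ; audit_fstab < /etc/fstab
echo "== exports findings =="
sample_exports | audit_exports
echo "== fstab findings =="
sample_fstab | audit_fstab
```

The exports parser only recognises the host(options) form shown in the chapter; a finding is printed for every host entry that carries rw, so an export that is read-only for one host and read-write for another is reported once per read-write host.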
Some of the NFS commands are the following:
domainname     Sets or displays the name of the current domain
rpc.portmap    Maps RPC program numbers to port numbers
rpc.yppasswdd  Server for modifying the password file
rpcinfo        Reports RPC information
showmount      Shows information about the server
ypbind         Daemon that lets client processes on a single node
               communicate with a ypserv process
ypcat          Prints values in a database specified by mname
ypinit         Builds and installs a database on a server
ypmatch        Prints the value of one or more keys from a map specified
               by mname
yppasswd       Changes the login password in the Network Information
               System
yppoll         Determines the map version on a server
yppush         Forces propagation of a changed map from the server
ypset          Points ypbind at a particular server

NFS integrity can be checked automatically or manually. For an automatic
check, NFS is checked at boot time if the pass number field of /etc/fstab
has a value greater than 0 (zero). A manual check uses the fsck command.
First, check the root filesystem with the command fsck -0V -a /. Second,
check all the other filesystems, including NFS, with the command
fsck -R -A -V -a. This command means that all filesystems except the root
are checked, informational (verbose) messages are given, and no
interactive process is used (repairs are automatic).
To check for the presence of NFS daemons, use the command rpcinfo -p.
The command displays all running registered RPC programs.
To start the NFS service as root, enter /etc/rc.d/init.d/nfs start. To
stop the service, enter /etc/rc.d/init.d/nfs stop.
Four ports are involved in firewalling NFS. They are the following:
- nfsd at port 2049, both TCP/IP and UDP protocols
- The portmapper at port 111, both TCP/IP and UDP
- mountd at ports 745 and 747, TCP/IP and UDP

Caution: You should check the ports with the rpcinfo -p command
periodically for unauthorized access.

Note: TCP/IP stands for Transmission Control Protocol and Internet
Protocol. UDP stands for User Datagram Protocol.
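The caution to check registered RPC programs periodically is easy to automate. This added example (not from the book) compares rpcinfo -p output against an allowlist of the services an NFS server is expected to register and reports anything extra or anything missing. The rpcinfo output below is a constructed sample, and the allowlist (portmapper, nfs, mountd, status, nlockmgr) is an assumption for the example; the program numbers and ports follow the format rpcinfo -p prints, with the ypbind line placed there as the unexpected service.

```shell
#!/bin/sh
# Added example: compare the RPC services registered with the portmapper
# against an allowlist for this NFS server. The rpcinfo output is a
# constructed sample; on a live host run:  rpcinfo -p | check_rpc_services

# Services an NFS server is expected to register (assumption for this example).
ALLOWED_RPC="portmapper nfs mountd status nlockmgr"

sample_rpcinfo() {
    # Constructed output in the layout printed by rpcinfo -p
    cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    745  mountd
    100005    1   tcp    747  mountd
    100024    1   udp    885  status
    100007    2   udp    832  ypbind
EOF
}

check_rpc_services() {
    # Reads rpcinfo -p output on stdin. Prints one line per problem:
    #   UNEXPECTED prog vers proto port name   service not in ALLOWED_RPC
    #   PORT prog vers proto port name         nfs/portmapper on an odd port
    #   MISSING name                           allowed service not registered
    awk -v allowed="$ALLOWED_RPC" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "program" { next }                 # header line
    NF == 5 {
        seen[$5] = 1
        if (!($5 in ok))
            print "UNEXPECTED " $1 " " $2 " " $3 " " $4 " " $5
        # nfsd is expected on 2049 and the portmapper on 111
        if (($5 == "nfs" && $4 != 2049) || ($5 == "portmapper" && $4 != 111))
            print "PORT " $1 " " $2 " " $3 " " $4 " " $5
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(a[i] in seen)) print "MISSING " a[i]
    }'
}

# Stand-alone run against the constructed sample
sample_rpcinfo | check_rpc_services
```

A MISSING line for nfs or mountd means the NFS service itself is down, so the same check doubles as a liveness test; run it from cron and compare against the previous output to notice new registrations.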

The NFS mount daemon is mountd. Some of its options include:
-d   Verbose logging (debugging)
-f   Specifies the exports file
-h   Short help
-n   Any incoming mount request is accepted
-p   Puts the server into promiscuous mode; serves any network host
-r   Allows imported NFS filesystems to be exported
-v   Reports the current program version number
The rpcinfo command makes an RPC call to an RPC server and reports what
it finds. Its syntax is:
  rpcinfo -p [host]
  rpcinfo [-n portnum] -u host program [version]
  rpcinfo [-n portnum] -t host program [version]
  rpcinfo -b program version
  rpcinfo -d program version
The options are:
-b   RPC broadcast to procedure 0
-d   Deletes the registration for the specified RPC service
-n   Uses portnum for the -t and -u options
-p   Probes the port mapper for all registered RPC programs and prints
     a list
-t   Uses TCP to make an RPC call to the specified host program
-u   Uses UDP to make an RPC call to the specified host program
The showmount command shows mount information for an NFS server. Some
of its options include:
-a   Lists the client host name and mounted directory in host:dir format
-d   Lists directories of specified clients
-e   Shows the NFS server's export list
-h   Provides a short help summary
-v   Displays the current program version number

Two Requests for Comments (RFCs) are the following:
- RFC 1094, NFS: Network File System Protocol Specification. Sun
  Microsystems, Inc. (March 1989)
- RFC 1813, NFS Version 3 Protocol Specification. B. Callaghan, B.
  Pawlowski, and P. Staubach. (June 1995)
The NFS HOWTO is by Nicolai Langfeldt (janl@math.uio.no).
For additional information, see the man page nfs(5). Other man pages for
NFS are portmap, mountd, nfsd, and exports.
Three tools available for a more secure NFS are:
- Nfsbug, which locates misconfigurations and bugs so you can limit
  unauthorized access.
- Nfstrace, which monitors Ethernet traffic and collects activity data.
- Nfswatch, which monitors and provides statistics on traffic.

Remote (r-) Commands

The r- commands (rlogin, rsh, rcp, etc.) execute requests on remote
hosts. It is recommended that they be disabled under most circumstances.
They spawn a shell on the remote host and allow the user to execute
commands. For these commands to work, the user must be authorized and
have an account on the remote host. The remote host checks the
/etc/hosts.equiv file to see whether the local host is listed.

Caution: While you might disable authorization, it is not recommended.
Only administrative users should be given this privilege.
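Because trust for the r- commands is granted by entries in /etc/hosts.equiv (and by per-user ~/.rhosts files, which use the same "host [user]" format), the quickest review is to read those files for open trust entries. The script below is an added example, not code from the book: it reports a "+" wildcard in either field, netgroup entries, and host-user pairs that let a named remote user in without a password. The sample hosts.equiv content, host names and user names are constructed for the example.

```shell
#!/bin/sh
# Added example: review r-command trust files. Each hosts.equiv or .rhosts
# line is "host [user]"; "+" in either field means "any". The sample data
# is constructed; host and user names are placeholders.

sample_hosts_equiv() {
    cat <<'EOF'
# constructed sample /etc/hosts.equiv
ws1.example.com
ws2.example.com   alice
+
@trusted
EOF
}

audit_hosts_equiv() {
    # Reads hosts.equiv-format text on stdin; prints line:entry:finding
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        host = $1; user = $2
        if (host == "+")
            print NR ":" $0 ":every host is trusted; remove this line"
        if (user == "+")
            print NR ":" $0 ":every user on " host " is trusted"
        if (host ~ /^@/ || user ~ /^@/)
            print NR ":" $0 ":netgroup trust; check the NIS map membership"
        if (user != "" && user != "+" && user !~ /^@/)
            print NR ":" $0 ":user " user " may log in to any non-root local account without a password"
    }'
}

find_rhosts() {
    # Lists .rhosts files below the given home directory root (for example /home)
    find "$1" -name .rhosts -type f 2>/dev/null
}

audit_rhosts_tree() {
    # Audits every .rhosts below $1, prefixing each finding with the file path
    find_rhosts "$1" | while read -r f; do
        audit_hosts_equiv < "$f" | sed "s|^|$f:|"
    done
}

# Stand-alone run against the constructed sample. On a real host use:
#   audit_hosts_equiv < /etc/hosts.equiv ; audit_rhosts_tree /home
sample_hosts_equiv | audit_hosts_equiv
```

A "+ +" line in a user's .rhosts produces two findings (any host, any user) and is the entry to look for first; hosts.equiv never grants root, but a .rhosts in /root does.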
The basic r- commands are the following:
rcmd     Permits users to execute commands on remote hosts. It should be
         disabled.
rcp      The remote copy command copies files between machines, with
         either being on a remote host. There are two syntax forms for
         the command: rcp [-px] [-k realm] filename1 filename2 and
         rcp [-px] [-r] [-k realm] file(s) directory. The options are:
         -p   Preserves the modification times and modes of the source file
         -x   Turns on DES encryption
         -k   Requests a Kerberos ticket for the remote host

         -r   Recursively copies the source directory tree into the
              destination directory
rdist    This remote file distribution client program maintains identical
         copies of files over multiple hosts.
rexecd   This daemon provides remote authentication facilities.
rdistd   This is the remote file distribution server (daemon) program.
rlogin   Connects the current local terminal to a designated remote host.
         It is similar to the Telnet command. The syntax is
         rlogin rhost [options], where the options are:
         -ec          Specifies escape character c
         -E           Does not interpret any character as an escape
                      character
         -d           Starts the debugging mode
         -k           Attempts to get tickets from the remote host
         -K           Suppresses Kerberos authentication
         -l username  Specifies a username other than the default, which
                      is the same as your local username
         -L           Allows an rlogin session without any output
                      postprocessing
         -x           Turns on DES encryption

         Caution: There should be a reason for this command to be
         enabled.

rlogind  The daemon provides a remote login facility.
rquota   Implements quotas on remote machines. It is used in conjunction
         with NFS.
rquotad  An RPC remote quota daemon or server. It returns quotas over NFS
         for a remote machine.
rsh      Executes a command on a remote host. If no argument is
         specified, it begins an interactive shell on the remote host
         using rlogin.
rup      Displays the remote status of one or more hosts.
rusers   Lists users logged in on RPC machines.