Linux Security Cookbook [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Linux Security Cookbook [Electronic resources] - نسخه متنی

Daniel J. Barrett, Robert G. Byrnes, Richard Silverman

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Sitemap

Main Page

Table of content

Copyright

Preface

A Cookbook About Security?!?

Intended Audience

Roadmap of the Book

Our Security Philosophy

Supported Linux Distributions

Trying the Recipes

Conventions Used in This Book

We'd Like to Hear from You

Acknowledgments

Chapter 1. System Snapshots with Tripwire

Recipe 1.1 Setting Up Tripwire

Recipe 1.2 Displaying the Policy and Configuration

Recipe 1.3 Modifying the Policy and Configuration

Recipe 1.4 Basic Integrity Checking

Recipe 1.5 Read-Only Integrity Checking

Recipe 1.6 Remote Integrity Checking

Recipe 1.7 Ultra-Paranoid Integrity Checking

Recipe 1.8 Expensive, Ultra-Paranoid Security Checking

Recipe 1.9 Automated Integrity Checking

Recipe 1.10 Printing the Latest Tripwire Report

Recipe 1.11 Updating the Database

Recipe 1.12 Adding Files to the Database

Recipe 1.13 Excluding Files from the Database

Recipe 1.14 Checking Windows VFAT Filesystems

Recipe 1.15 Verifying RPM-Installed Files

Recipe 1.16 Integrity Checking with rsync

Recipe 1.17 Integrity Checking Manually

Chapter 2. Firewalls with iptables and ipchains

Recipe 2.1 Enabling Source Address Verification

Recipe 2.2 Blocking Spoofed Addresses

Recipe 2.3 Blocking All Network Traffic

Recipe 2.4 Blocking Incoming Traffic

Recipe 2.5 Blocking Outgoing Traffic

Recipe 2.6 Blocking Incoming Service Requests

Recipe 2.7 Blocking Access from a Remote Host

Recipe 2.8 Blocking Access to a Remote Host

Recipe 2.9 Blocking Outgoing Access to All Web Servers on a Network

Recipe 2.10 Blocking Remote Access, but Permitting Local

Recipe 2.11 Controlling Access by MAC Address

Recipe 2.12 Permitting SSH Access Only

Recipe 2.13 Prohibiting Outgoing Telnet Connections

Recipe 2.14 Protecting a Dedicated Server

Recipe 2.15 Preventing pings

Recipe 2.16 Listing Your Firewall Rules

Recipe 2.17 Deleting Firewall Rules

Recipe 2.18 Inserting Firewall Rules

Recipe 2.19 Saving a Firewall Configuration

Recipe 2.20 Loading a Firewall Configuration

Recipe 2.21 Testing a Firewall Configuration

Recipe 2.22 Building Complex Rule Trees

Recipe 2.23 Logging Simplified

Chapter 3. Network Access Control

Recipe 3.1 Listing Your Network Interfaces

Recipe 3.2 Starting and Stopping the Network Interface

Recipe 3.3 Enabling/Disabling a Service (xinetd)

Recipe 3.4 Enabling/Disabling a Service (inetd)

Recipe 3.5 Adding a New Service (xinetd)

Recipe 3.6 Adding a New Service (inetd)

Recipe 3.7 Restricting Access by Remote Users

Recipe 3.8 Restricting Access by Remote Hosts (xinetd)

Recipe 3.9 Restricting Access by Remote Hosts (xinetd with libwrap)

Recipe 3.10 Restricting Access by Remote Hosts (xinetd with tcpd)

Recipe 3.11 Restricting Access by Remote Hosts (inetd)

Recipe 3.12 Restricting Access by Time of Day

Recipe 3.13 Restricting Access to an SSH Server by Host

Recipe 3.14 Restricting Access to an SSH Server by Account

Recipe 3.15 Restricting Services to Specific Filesystem Directories

Recipe 3.16 Preventing Denial of Service Attacks

Recipe 3.17 Redirecting to Another Socket

Recipe 3.18 Logging Access to Your Services

Recipe 3.19 Prohibiting root Logins on Terminal Devices

Chapter 4. Authentication Techniques and Infrastructures

Recipe 4.1 Creating a PAM-Aware Application

Recipe 4.2 Enforcing Password Strength with PAM

Recipe 4.3 Creating Access Control Lists with PAM

Recipe 4.4 Validating an SSL Certificate

Recipe 4.5 Decoding an SSL Certificate

Recipe 4.6 Installing a New SSL Certificate

Recipe 4.7 Generating an SSL Certificate Signing Request (CSR)

Recipe 4.8 Creating a Self-Signed SSL Certificate

Recipe 4.9 Setting Up a Certifying Authority

Recipe 4.10 Converting SSL Certificates from DER to PEM

Recipe 4.11 Getting Started with Kerberos

Recipe 4.12 Adding Users to a Kerberos Realm

Recipe 4.13 Adding Hosts to a Kerberos Realm

Recipe 4.14 Using Kerberos with SSH

Recipe 4.15 Using Kerberos with Telnet

Recipe 4.16 Securing IMAP with Kerberos

Recipe 4.17 Using Kerberos with PAM for System-Wide Authentication

Chapter 5. Authorization Controls

Recipe 5.1 Running a root Login Shell

Recipe 5.2 Running X Programs as root

Recipe 5.3 Running Commands as Another User via sudo

Recipe 5.4 Bypassing Password Authentication in sudo

Recipe 5.5 Forcing Password Authentication in sudo

Recipe 5.6 Authorizing per Host in sudo

Recipe 5.7 Granting Privileges to a Group via sudo

Recipe 5.8 Running Any Program in a Directory via sudo

Recipe 5.9 Prohibiting Command Arguments with sudo

Recipe 5.10 Sharing Files Using Groups

Recipe 5.11 Permitting Read-Only Access to a Shared File via sudo

Recipe 5.12 Authorizing Password Changes via sudo

Recipe 5.13 Starting/Stopping Daemons via sudo

Recipe 5.14 Restricting root's Abilities via sudo

Recipe 5.15 Killing Processes via sudo

Recipe 5.16 Listing sudo Invocations

Recipe 5.17 Logging sudo Remotely

Recipe 5.18 Sharing root Privileges via SSH

Recipe 5.19 Running root Commands via SSH

Recipe 5.20 Sharing root Privileges via Kerberos su

Chapter 6. Protecting Outgoing Network Connections

Recipe 6.1 Logging into a Remote Host

Recipe 6.2 Invoking Remote Programs

Recipe 6.3 Copying Files Remotely

Recipe 6.4 Authenticating by Public Key (OpenSSH)

Recipe 6.5 Authenticating by Public Key (OpenSSH Client, SSH2 Server, OpenSSH Key)

Recipe 6.6 Authenticating by Public Key (OpenSSH Client, SSH2 Server, SSH2 Key)

Recipe 6.7 Authenticating by Public Key (SSH2 Client, OpenSSH Server)

Recipe 6.8 Authenticating by Trusted Host

Recipe 6.9 Authenticating Without a Password (Interactively)

Recipe 6.10 Authenticating in cron Jobs

Recipe 6.11 Terminating an SSH Agent on Logout

Recipe 6.12 Tailoring SSH per Host

Recipe 6.13 Changing SSH Client Defaults

Recipe 6.14 Tunneling Another TCP Session Through SSH

Recipe 6.15 Keeping Track of Passwords

Chapter 7. Protecting Files

Recipe 7.1 Using File Permissions

Recipe 7.2 Securing a Shared Directory

Recipe 7.3 Prohibiting Directory Listings

Recipe 7.4 Encrypting Files with a Password

Recipe 7.5 Decrypting Files

Recipe 7.6 Setting Up GnuPG for Public-Key Encryption

Recipe 7.7 Listing Your Keyring

Recipe 7.8 Setting a Default Key

Recipe 7.9 Sharing Public Keys

Recipe 7.10 Adding Keys to Your Keyring

Recipe 7.11 Encrypting Files for Others

Recipe 7.12 Signing a Text File

Recipe 7.13 Signing and Encrypting Files

Recipe 7.14 Creating a Detached Signature File

Recipe 7.15 Checking a Signature

Recipe 7.16 Printing Public Keys

Recipe 7.17 Backing Up a Private Key

Recipe 7.18 Encrypting Directories

Recipe 7.19 Adding Your Key to a Keyserver

Recipe 7.20 Uploading New Signatures to a Keyserver

Recipe 7.21 Obtaining Keys from a Keyserver

Recipe 7.22 Revoking a Key

Recipe 7.23 Maintaining Encrypted Files with Emacs

Recipe 7.24 Maintaining Encrypted Files with vim

Recipe 7.25 Encrypting Backups

Recipe 7.26 Using PGP Keys with GnuPG

Chapter 8. Protecting Email

Recipe 8.1 Encrypted Mail with Emacs

Recipe 8.2 Encrypted Mail with vim

Recipe 8.3 Encrypted Mail with Pine

Recipe 8.4 Encrypted Mail with Mozilla

Recipe 8.5 Encrypted Mail with Evolution

Recipe 8.6 Encrypted Mail with mutt

Recipe 8.7 Encrypted Mail with elm

Recipe 8.8 Encrypted Mail with MH

Recipe 8.9 Running a POP/IMAP Mail Server with SSL

Recipe 8.10 Testing an SSL Mail Connection

Recipe 8.11 Securing POP/IMAP with SSL and Pine

Recipe 8.12 Securing POP/IMAP with SSL and mutt

Recipe 8.13 Securing POP/IMAP with SSL and Evolution

Recipe 8.14 Securing POP/IMAP with stunnel and SSL

Recipe 8.15 Securing POP/IMAP with SSH

Recipe 8.16 Securing POP/IMAP with SSH and Pine

Recipe 8.17 Receiving Mail Without a Visible Server

Recipe 8.18 Using an SMTP Server from Arbitrary Clients

Chapter 9. Testing and Monitoring

Recipe 9.1 Testing Login Passwords (John the Ripper)

Recipe 9.2 Testing Login Passwords (CrackLib)

Recipe 9.3 Finding Accounts with No Password

Recipe 9.4 Finding Superuser Accounts

Recipe 9.5 Checking for Suspicious Account Use

Recipe 9.6 Checking for Suspicious Account Use, Multiple Systems

Recipe 9.7 Testing Your Search Path

Recipe 9.8 Searching Filesystems Effectively

Recipe 9.9 Finding setuid (or setgid) Programs

Recipe 9.10 Securing Device Special Files

Recipe 9.11 Finding Writable Files

Recipe 9.12 Looking for Rootkits

Recipe 9.13 Testing for Open Ports

Recipe 9.14 Examining Local Network Activities

Recipe 9.15 Tracing Processes

Recipe 9.16 Observing Network Traffic

Recipe 9.17 Observing Network Traffic (GUI)

Recipe 9.18 Searching for Strings in Network Traffic

Recipe 9.19 Detecting Insecure Network Protocols

Recipe 9.20 Getting Started with Snort

Recipe 9.21 Packet Sniffing with Snort

Recipe 9.22 Detecting Intrusions with Snort

Recipe 9.23 Decoding Snort Alert Messages

Recipe 9.24 Logging with Snort

Recipe 9.25 Partitioning Snort Logs Into Separate Files

Recipe 9.26 Upgrading and Tuning Snort's Ruleset

Recipe 9.27 Directing System Messages to Log Files (syslog)

Recipe 9.28 Testing a syslog Configuration

Recipe 9.29 Logging Remotely

Recipe 9.30 Rotating Log Files

Recipe 9.31 Sending Messages to the System Logger

Recipe 9.32 Writing Log Entries via Shell Scripts

Recipe 9.33 Writing Log Entries via Perl

Recipe 9.34 Writing Log Entries via C

Recipe 9.35 Combining Log Files

Recipe 9.36 Summarizing Your Logs with logwatch

Recipe 9.37 Defining a logwatch Filter

Recipe 9.38 Monitoring All Executed Commands

Recipe 9.39 Displaying All Executed Commands

Recipe 9.40 Parsing the Process Accounting Log

Recipe 9.41 Recovering from a Hack

Recipe 9.42 Filing an Incident Report

Colophon

Index

Index SYMBOL

Index A

Index B

Index C

Index D

Index E

Index F

Index G

Index H

Index I

Index J

Index K

Index L

Index M

Index N

Index O

Index P

Index Q

Index R

Index S

Index T

Index U

Index V

Index W

Index X
توضیحات
افزودن یادداشت جدید

[SYMBOL]
[A]
[B]
[C]
[D]
[E]
[F]
[G]
[H]
[I]
[J]
[K]
[L]
[M]
[N]
[O]
[P]
[Q]
[R]
[S]
[T]
[U]
[V]
[W]
[X]

packet filtering

Linux, website for

stateful

stateless

packet sniffers

dsniff, for switched networks

enabling unconfigured network interfaces with ifconfig

network intrusion detection system (NIDS)

ngrep, using for

observing network traffic with

promiscuous mode on network interfaces

unconfigured interface for stealth sniffer

Snort, using as

packets, refusing with DROP or REJECT

PAM (Pluggable Authentication Modules)

access control lists (ACLs), creating
2nd

controlling imapd password validation

creating PAM-aware application

enforcing password strength

imapd validation of passwords, controlling

Kerberos, using with

Linux Developers Guide

Linux-PAM, web site

modules

pam_stack module

passphrases

backing up for GnuPG private keys

caching SSH private keys to avoid typing

forcing erasure by Mailcrypt with mc-deactivate-passwd

secret, for GnuPG public keys

SSH

passwd file, DES-based crypt( ) hashes in

passwd program

passwords

authorizing changes via sudo

dsniff program

captured from FTP and Telnet sessions

using libnids to reassemble

encrypting files with

enforcing strength with PAM

interactive authentication without (ssh-agent)

keeping track of

Kerberos (kpasswd command)

local, authentication via (Kerberos with PAM)

login, testing for strength

CrackLib, using

John the Ripper, using

mail servers (IMAP/POP), protection by SSL

master password for KDC database

storage of

protection with SSH

root

sudo command

bypassing password authentication

forcing authentication with

testing and monitoring on system

PATH environment variable, splitting with Perl script

pathnames

mutation in attacks against protocols

in remote file copying

paths

search path, testing

to server executable (inetd.conf)

pattern matching
[See regular expressions]

payload, observing

PEM format (certificates)

converting DER format to

per_source keyword (xinetd)

performance, effects of promiscuous mode

period (.), in search path

Perl scripts

CA.pl

canonical hostname for SSH client, finding

CrackLib, using with module

functions provided by system logger API

merging lastlog databases from several systems

merging log files

process accounting records, reading and unpacking

writing system log entries
2nd

permissions
2nd

changes since last Tripwire check

examining carefully for security

inability to track with manual integrity check

log files

preventing directory listings

Snort logging directory

world-writable files and directories, finding

PermitRootLogin (sshd_config)

PGP (Pretty Good Privacy)

Evolution mailer, using with

integrating with MH

keys, using in GnuPG operations

setting in mutt mailer headers

PID (process ID)

adding to system log messages

looking up

pidof command, killing all processes with given name

Pine

securing POP/IMAP with SSH and Pine

securing POP/IMAP with SSL and

sending/receiving encrypted email

PinePGP

pings

nmap, use of TCP and ICMP pings for host discovery

preventing responses to

plaintext keys

including in system backups, security risks of

using with forced command

Pluggable Authentication Modules
[See PAM]

policies

default, for ipchains and iptables

Tripwire

displaying

generating in human-readable format and adding file to

modifying

signing with site key

POP

capturing messages from with dsniff mailsnarf command

enabling POP daemon within xinetd or inetd

Kerberos authentication, using with

mail server, running with SSL

running mail server with SSL

securing email session with SSL and mutt

securing mail server with SSH

securing mail server with SSH and Pine

securing mail server with stunnel and SSL

securing with SSL and pine

STLS command

testing SSL connection to server

port forwarding

disabling for authorized keys

SSH

tunneling TCP session through SSH

port numbers, conversion to service names by netstat and lsof

port scanners, presence evidenced by SYN_RECV state

portmappers

displaying registrations with lsof +M

querying from a different machine

ports

assigned to RPC services

default, IMAP and POP over SSL

nonstandard, used by network protocols

SSL-port on mail servers

testing for open

nc command, using

nmap command, port scanning capabilities

port scans with nmap

TCP port, testing with telnet connection

TCP RST packets returned by firewalls blocking ports

UDP ports, problems with

preprocessors, Snort

alert messages produced by

enabling or tuning

prerotate and postrotate scripts

Pretty Good Privacy
[See PGP]

principals, Kerberos

adding another principal to your ~/.k5login file

adding new with ank command

adding to IMAP service on server host

database for

records for users and hosts

database, creating for KDC

host principal, testing for new host

ksu authentication

new host, adding to KDC database

POP, adding to

setting up with admin privileges and host principal for KDC host

priority

levels for Snort alerts

for system messages

private keys
[See cryptographic authentication]2nd

GnuPG, backing up

PGP, exporting and using in GnuPG

process accounting

displaying all executed commands

lastcomm utility, using

dump-acct command

enabling with accton command

process IDs

adding to system log messages

looking up

process substitution

processes

/proc/<pid> directories

killing

with pidof command

with sudo command

listing

all open files (and network connections) for all processes

all open files for specific

command name (lsof -c)

by ID (lsof -p)

network connections for all

by username (lsof -u)

owned by others, examination by superuser

that use RPC services, examining with losf +M

tracing

strace command, using

promiscuous mode (for network interfaces)

enabling for specific interfaces with ifconfig

performance and

setting for Snort

prosum (integrity checker)

protocol tree for selected packet (Ethereal)

protocols

attacks on, detection by Snort preprocessors

insecure, detecting use of with ngrep

matching a filter expression, searching network traffic for

network, detecting insecure

ps command, reading /proc files

psacct RPM
2nd

pseudo-ttys

disabling allocation of for authorized keys

forcing ssh to allocate

PubkeyAuthentication (sshd_config)

public keys

adding to GnuPG keyring

inserting into current mail buffer with mc-insert-public-key

keyserver, storing and retrieving with

listing for GnuPG

PGP, exporting and using in GnuPG

public-key authentication
[See cryptographic authentication]

public-key encryption

decrypting files encrypted with GNUPG

expiration for keys

find method, use by

GnuPG
2nd

bit length of keys

generating key pair

secret passphrase for keys

sharing public keys

unique identifier for keys

/ 247