Linux Security Cookbook [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Linux Security Cookbook [Electronic resources] - نسخه متنی

Daniel J. Barrett, Robert G. Byrnes, Richard Silverman

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Sitemap

Main Page

Table of content

Copyright

Preface

A Cookbook About Security?!?

Intended Audience

Roadmap of the Book

Our Security Philosophy

Supported Linux Distributions

Trying the Recipes

Conventions Used in This Book

We'd Like to Hear from You

Acknowledgments

Chapter 1. System Snapshots with Tripwire

Recipe 1.1 Setting Up Tripwire

Recipe 1.2 Displaying the Policy and Configuration

Recipe 1.3 Modifying the Policy and Configuration

Recipe 1.4 Basic Integrity Checking

Recipe 1.5 Read-Only Integrity Checking

Recipe 1.6 Remote Integrity Checking

Recipe 1.7 Ultra-Paranoid Integrity Checking

Recipe 1.8 Expensive, Ultra-Paranoid Security Checking

Recipe 1.9 Automated Integrity Checking

Recipe 1.10 Printing the Latest Tripwire Report

Recipe 1.11 Updating the Database

Recipe 1.12 Adding Files to the Database

Recipe 1.13 Excluding Files from the Database

Recipe 1.14 Checking Windows VFAT Filesystems

Recipe 1.15 Verifying RPM-Installed Files

Recipe 1.16 Integrity Checking with rsync

Recipe 1.17 Integrity Checking Manually

Chapter 2. Firewalls with iptables and ipchains

Recipe 2.1 Enabling Source Address Verification

Recipe 2.2 Blocking Spoofed Addresses

Recipe 2.3 Blocking All Network Traffic

Recipe 2.4 Blocking Incoming Traffic

Recipe 2.5 Blocking Outgoing Traffic

Recipe 2.6 Blocking Incoming Service Requests

Recipe 2.7 Blocking Access from a Remote Host

Recipe 2.8 Blocking Access to a Remote Host

Recipe 2.9 Blocking Outgoing Access to All Web Servers on a Network

Recipe 2.10 Blocking Remote Access, but Permitting Local

Recipe 2.11 Controlling Access by MAC Address

Recipe 2.12 Permitting SSH Access Only

Recipe 2.13 Prohibiting Outgoing Telnet Connections

Recipe 2.14 Protecting a Dedicated Server

Recipe 2.15 Preventing pings

Recipe 2.16 Listing Your Firewall Rules

Recipe 2.17 Deleting Firewall Rules

Recipe 2.18 Inserting Firewall Rules

Recipe 2.19 Saving a Firewall Configuration

Recipe 2.20 Loading a Firewall Configuration

Recipe 2.21 Testing a Firewall Configuration

Recipe 2.22 Building Complex Rule Trees

Recipe 2.23 Logging Simplified

Chapter 3. Network Access Control

Recipe 3.1 Listing Your Network Interfaces

Recipe 3.2 Starting and Stopping the Network Interface

Recipe 3.3 Enabling/Disabling a Service (xinetd)

Recipe 3.4 Enabling/Disabling a Service (inetd)

Recipe 3.5 Adding a New Service (xinetd)

Recipe 3.6 Adding a New Service (inetd)

Recipe 3.7 Restricting Access by Remote Users

Recipe 3.8 Restricting Access by Remote Hosts (xinetd)

Recipe 3.9 Restricting Access by Remote Hosts (xinetd with libwrap)

Recipe 3.10 Restricting Access by Remote Hosts (xinetd with tcpd)

Recipe 3.11 Restricting Access by Remote Hosts (inetd)

Recipe 3.12 Restricting Access by Time of Day

Recipe 3.13 Restricting Access to an SSH Server by Host

Recipe 3.14 Restricting Access to an SSH Server by Account

Recipe 3.15 Restricting Services to Specific Filesystem Directories

Recipe 3.16 Preventing Denial of Service Attacks

Recipe 3.17 Redirecting to Another Socket

Recipe 3.18 Logging Access to Your Services

Recipe 3.19 Prohibiting root Logins on Terminal Devices

Chapter 4. Authentication Techniques and Infrastructures

Recipe 4.1 Creating a PAM-Aware Application

Recipe 4.2 Enforcing Password Strength with PAM

Recipe 4.3 Creating Access Control Lists with PAM

Recipe 4.4 Validating an SSL Certificate

Recipe 4.5 Decoding an SSL Certificate

Recipe 4.6 Installing a New SSL Certificate

Recipe 4.7 Generating an SSL Certificate Signing Request (CSR)

Recipe 4.8 Creating a Self-Signed SSL Certificate

Recipe 4.9 Setting Up a Certifying Authority

Recipe 4.10 Converting SSL Certificates from DER to PEM

Recipe 4.11 Getting Started with Kerberos

Recipe 4.12 Adding Users to a Kerberos Realm

Recipe 4.13 Adding Hosts to a Kerberos Realm

Recipe 4.14 Using Kerberos with SSH

Recipe 4.15 Using Kerberos with Telnet

Recipe 4.16 Securing IMAP with Kerberos

Recipe 4.17 Using Kerberos with PAM for System-Wide Authentication

Chapter 5. Authorization Controls

Recipe 5.1 Running a root Login Shell

Recipe 5.2 Running X Programs as root

Recipe 5.3 Running Commands as Another User via sudo

Recipe 5.4 Bypassing Password Authentication in sudo

Recipe 5.5 Forcing Password Authentication in sudo

Recipe 5.6 Authorizing per Host in sudo

Recipe 5.7 Granting Privileges to a Group via sudo

Recipe 5.8 Running Any Program in a Directory via sudo

Recipe 5.9 Prohibiting Command Arguments with sudo

Recipe 5.10 Sharing Files Using Groups

Recipe 5.11 Permitting Read-Only Access to a Shared File via sudo

Recipe 5.12 Authorizing Password Changes via sudo

Recipe 5.13 Starting/Stopping Daemons via sudo

Recipe 5.14 Restricting root's Abilities via sudo

Recipe 5.15 Killing Processes via sudo

Recipe 5.16 Listing sudo Invocations

Recipe 5.17 Logging sudo Remotely

Recipe 5.18 Sharing root Privileges via SSH

Recipe 5.19 Running root Commands via SSH

Recipe 5.20 Sharing root Privileges via Kerberos su

Chapter 6. Protecting Outgoing Network Connections

Recipe 6.1 Logging into a Remote Host

Recipe 6.2 Invoking Remote Programs

Recipe 6.3 Copying Files Remotely

Recipe 6.4 Authenticating by Public Key (OpenSSH)

Recipe 6.5 Authenticating by Public Key (OpenSSH Client, SSH2 Server, OpenSSH Key)

Recipe 6.6 Authenticating by Public Key (OpenSSH Client, SSH2 Server, SSH2 Key)

Recipe 6.7 Authenticating by Public Key (SSH2 Client, OpenSSH Server)

Recipe 6.8 Authenticating by Trusted Host

Recipe 6.9 Authenticating Without a Password (Interactively)

Recipe 6.10 Authenticating in cron Jobs

Recipe 6.11 Terminating an SSH Agent on Logout

Recipe 6.12 Tailoring SSH per Host

Recipe 6.13 Changing SSH Client Defaults

Recipe 6.14 Tunneling Another TCP Session Through SSH

Recipe 6.15 Keeping Track of Passwords

Chapter 7. Protecting Files

Recipe 7.1 Using File Permissions

Recipe 7.2 Securing a Shared Directory

Recipe 7.3 Prohibiting Directory Listings

Recipe 7.4 Encrypting Files with a Password

Recipe 7.5 Decrypting Files

Recipe 7.6 Setting Up GnuPG for Public-Key Encryption

Recipe 7.7 Listing Your Keyring

Recipe 7.8 Setting a Default Key

Recipe 7.9 Sharing Public Keys

Recipe 7.10 Adding Keys to Your Keyring

Recipe 7.11 Encrypting Files for Others

Recipe 7.12 Signing a Text File

Recipe 7.13 Signing and Encrypting Files

Recipe 7.14 Creating a Detached Signature File

Recipe 7.15 Checking a Signature

Recipe 7.16 Printing Public Keys

Recipe 7.17 Backing Up a Private Key

Recipe 7.18 Encrypting Directories

Recipe 7.19 Adding Your Key to a Keyserver

Recipe 7.20 Uploading New Signatures to a Keyserver

Recipe 7.21 Obtaining Keys from a Keyserver

Recipe 7.22 Revoking a Key

Recipe 7.23 Maintaining Encrypted Files with Emacs

Recipe 7.24 Maintaining Encrypted Files with vim

Recipe 7.25 Encrypting Backups

Recipe 7.26 Using PGP Keys with GnuPG

Chapter 8. Protecting Email

Recipe 8.1 Encrypted Mail with Emacs

Recipe 8.2 Encrypted Mail with vim

Recipe 8.3 Encrypted Mail with Pine

Recipe 8.4 Encrypted Mail with Mozilla

Recipe 8.5 Encrypted Mail with Evolution

Recipe 8.6 Encrypted Mail with mutt

Recipe 8.7 Encrypted Mail with elm

Recipe 8.8 Encrypted Mail with MH

Recipe 8.9 Running a POP/IMAP Mail Server with SSL

Recipe 8.10 Testing an SSL Mail Connection

Recipe 8.11 Securing POP/IMAP with SSL and Pine

Recipe 8.12 Securing POP/IMAP with SSL and mutt

Recipe 8.13 Securing POP/IMAP with SSL and Evolution

Recipe 8.14 Securing POP/IMAP with stunnel and SSL

Recipe 8.15 Securing POP/IMAP with SSH

Recipe 8.16 Securing POP/IMAP with SSH and Pine

Recipe 8.17 Receiving Mail Without a Visible Server

Recipe 8.18 Using an SMTP Server from Arbitrary Clients

Chapter 9. Testing and Monitoring

Recipe 9.1 Testing Login Passwords (John the Ripper)

Recipe 9.2 Testing Login Passwords (CrackLib)

Recipe 9.3 Finding Accounts with No Password

Recipe 9.4 Finding Superuser Accounts

Recipe 9.5 Checking for Suspicious Account Use

Recipe 9.6 Checking for Suspicious Account Use, Multiple Systems

Recipe 9.7 Testing Your Search Path

Recipe 9.8 Searching Filesystems Effectively

Recipe 9.9 Finding setuid (or setgid) Programs

Recipe 9.10 Securing Device Special Files

Recipe 9.11 Finding Writable Files

Recipe 9.12 Looking for Rootkits

Recipe 9.13 Testing for Open Ports

Recipe 9.14 Examining Local Network Activities

Recipe 9.15 Tracing Processes

Recipe 9.16 Observing Network Traffic

Recipe 9.17 Observing Network Traffic (GUI)

Recipe 9.18 Searching for Strings in Network Traffic

Recipe 9.19 Detecting Insecure Network Protocols

Recipe 9.20 Getting Started with Snort

Recipe 9.21 Packet Sniffing with Snort

Recipe 9.22 Detecting Intrusions with Snort

Recipe 9.23 Decoding Snort Alert Messages

Recipe 9.24 Logging with Snort

Recipe 9.25 Partitioning Snort Logs Into Separate Files

Recipe 9.26 Upgrading and Tuning Snort's Ruleset

Recipe 9.27 Directing System Messages to Log Files (syslog)

Recipe 9.28 Testing a syslog Configuration

Recipe 9.29 Logging Remotely

Recipe 9.30 Rotating Log Files

Recipe 9.31 Sending Messages to the System Logger

Recipe 9.32 Writing Log Entries via Shell Scripts

Recipe 9.33 Writing Log Entries via Perl

Recipe 9.34 Writing Log Entries via C

Recipe 9.35 Combining Log Files

Recipe 9.36 Summarizing Your Logs with logwatch

Recipe 9.37 Defining a logwatch Filter

Recipe 9.38 Monitoring All Executed Commands

Recipe 9.39 Displaying All Executed Commands

Recipe 9.40 Parsing the Process Accounting Log

Recipe 9.41 Recovering from a Hack

Recipe 9.42 Filing an Incident Report

Colophon

Index

Index SYMBOL

Index A

Index B

Index C

Index D

Index E

Index F

Index G

Index H

Index I

Index J

Index K

Index L

Index M

Index N

Index O

Index P

Index Q

Index R

Index S

Index T

Index U

Index V

Index W

Index X
توضیحات
افزودن یادداشت جدید

[SYMBOL]
[A]
[B]
[C]
[D]
[E]
[F]
[G]
[H]
[I]
[J]
[K]
[L]
[M]
[N]
[O]
[P]
[Q]
[R]
[S]
[T]
[U]
[V]
[W]
[X]

S/MIME

native support by Mozilla

support by Evolution mailer

sa -s command (truncating process accounting the log file)

Samhain (integrity checker)

scp command

mirroring set of files securely between computers

options for remote file copying

securely copying files between computers

syntax

scripts, enabling/disabling network interfaces

search path, testing

. (period) in

relative directories in, dangers of

SEC_BIN global variable (Tripwire)

secret keys

adding to GnuPG keyring

default key for GnuPG operations

listing for GnuPG

secret-key encryption

secure integrity checks

creating bootable CD-ROM securely

dual-ported disk array, using

Secure Sockets Layer
[See SSL]

securetty file, editing to prevent root logins via terminal devices

security policies
[See policies]

security tests
[See monitoring systems for suspicious activity]

security tools (Insecure.org)

self-signed certificates

creating

generating X.509 certificate

man-in-the-middle attacks, risk of

setting up your own CA to issue certificates

sending-filters for email (PinePGP)

sendmail

accepting mail from other hosts

authentication mechanisms accepted as trusted

daemons (visible), security risks with

restriction on accepting connections from only same host, changing

SSL, using to protect entire SMTP session

sense keyword (PAM, listfile module)

server arguments (inetd.conf file)

server authentication
[See Kerberos; PAM; SSH; SSL; trusted-host authentication]

server keyword (xinetd)

server program, OpenSSH

service filter configuration file (logwatch)

service filter executable (logwatch)

service names

conversion of port numbers to by netstat and lsof

executable

modifying to invoke tcpd in /etc/xinetd.d startup file

PAM
2nd

services file, adding service names to inetd.conf

session protection for mail

setgid bit on directories

setgid/setuid programs

security checks

setgid/setuid programs, security checks

finding and interactively fixing

listing all files

listing scripts only

removing setgid/setuid bits from a file

setuid programs for hostbased authentication

setlogsock (Sys::Syslog)

setuid root, ssh-keysign program

sftp

shadow directive (/etc/pam.d/system-auth)

shadow password file
2nd

sharing files

prohibiting directory listings

protecting shared directory

shell command substitution, exceeding command line maximum

shell item (PAM)

shell prompts, standards used

shell scripts

in your current directory

writing system log entries
2nd

shell-style wildcard expansion

shells

bash

checking for dormant accounts

invoking MH commands from prompt

invoking with root privileges by sudo, security risks

process substitution

root login shell, running

root shell vs. root login shell

terminating SSH agent on logout

umask command

shosts.equiv file

show command, decrypting email displayed with

shutdowns (system), records of

shutting down network interfaces

signature ID (Snort alerts)

signed cryptographic keys

signing files
[See digital signatures]

single computer

blocking spoofed addresses

firewall design

single-threaded services (inetd.conf file)

site key (Tripwire)

creating with twinstall.sh script

fingerprints, creating in secure integrity checks

read-only integrity checking

size, file

/bin/login, changes since last Tripwire check

verifying for RPM-installed files

SLAC (Stanford Linear Accelerator), Network Monitoring Tools page

SMTP

blocking requests for mail service from a remote host

capturing messages from with dsniff program mailsnarf

protecting dedicated server for smtp services

requiring authentication by server before relaying mail

using server from arbitrary clients

snapshots
[See Tripwire]

Snort

decoding alert messages

nmap port scan detected

priority levels

writing alerts to file instead of syslog

detecting intrusions with

dumping statistics to the system logger

promiscuous mode, setting

running in background as daemon

packet sniffing with

partitioning logs into separate files

upgrading and tuning ruleset

socket type (inetd.conf file)

software packages, risk of Trojan horses in

sort command

-z option for null filename separators

source address verification

enabling

enabling in kernel

website information on

source addresses

controlling access by

limiting server sessions by

source name for remote file copying

source quench, blocking

sources for system messages

spoofed addresses

blocking access from

MAC

source addresses

SquirrelMail

SSH (Secure Shell)

agents
[See ssh-agent]

authenticating between client/server by trusted host

authenticating between SSH2 client/OpenSSH server

authenticating by public key

changing client defaults

client configurations in ~/.ssh/config

connecting via ssh with Kerberos authentication

cryptographic authentication

download site for OpenSSH

fetchmail, use of

important programs and files

scp (client program)

ssh (client program)

Kerberos, using with

debugging

Kerberos-5 support

permitting only incoming access via SSH with firewall

protecting dedicated server for ssh services

public-key and ssh-agent, using with Pine

public-key authentication between SSH2 client/OpenSSH server

public/private authentication keys

remote user access by public key authentication

restricting access by remote users

restricting access to server by account

restricting access to server by host

running root commands via

securing POP/IMAP

with Pine

sharing root privileges via

SSH-2 connections, trusted-host authentication

SSH2 server and OpenSSH client, authenticating between with OpenSSH key

SSH2 server and OpenSSH client, authenticating between with SSH2 key

superusers, authentication of

tailoring per host

transferring email from another ISP over tunnel

tunneling NNTP with

tunneling TCP connection through

web site

ssh command

-t option (for pseudo-tty)

-X option (for X forwarding)

using with rsync to mirror set of files between computers

ssh file

ssh-add

ssh-agent

automatic authentication (without password)

invoking between backticks (` `)

public-key authentication without passphrase

terminating on logout

ssh-keygen

conversion of SSH2 private key into OpenSSH private key with -i (import) option

ssh-keysign

setuid root on client

ssh_config file

~/.ssh file, using instead of

client configuration keywords

HostbasedAuthentication, enabling

ssh_known_hosts file

OpenSSH client, using ~/.ssh file instead of

sshd

AllowUsers keyword

authorizing users to restart

restricting access from specific remote hosts

TCP wrappers support

sshd_config file

AllowUsers keyword

HostbasedAuthentication, enabling

HostbasedUsesNameFromPacketOnly

KerberosTgtPassing, enabling

ListenAddress statements, adding

PermitRootLogin, setting

PublicAuthentication, permitting

X11Forwarding setting

SSL (Secure Sockets Layer)

connection problems, server-side debugging

converting certificates from DER to PEM

creating self-signed certificate

decoding SSL certificates

generating Certificate Signing Request (CSR)

installing new certificate

OpenSSL

web site

POP/IMAP security

mail server, running with

mail sessions for Evolution

mutt mail client, using with

stunnel, using

with pine mail client

setting up CA and issuing certificates

STARTTLS command (IMAP), negotiating protection for mail

STLS command (POP), negotiating protection for email

validating a certificate

verifying connection to secure POP or IMAP server

SSL-port

on mail servers

POP or IMAP connections for mutt client

testing use in pine mail client

standard input, redirecting from /dev/null

Stanford Linear Accelerator (SLAC) Network Monitoring Tools page

starting network interfaces

STARTTLS command (IMAP)

mail server support for SSL

mutt client connection over IMAP, testing

testing use in pine mail client

startup scripts (bootable CD-ROM), disabling networking

stateful

stateless

sticky bit

set on world-writable directories

setting on world-writable directory

STLS command (POP)
2nd

strace command
2nd

strings

matching with fgrep command

searching network traffic for

strings command

strong authentication for email sessions

strong session protection for mail (by SSL)

stunnel, securing POP/IMAP with SSL

su command

invoking with root privileges by sudo, security risks

ksu (Kerberized su)

authentication via Kerberos

sharing root privileges via

su -, running root login shell

su configuration (PAM)

subject (certificates)

components of certificate subject name

self-signed

sudo command

bypassing password authentication

careful practices for using

forcing password authentication

killing processes via

listing invocations

logging remotely

password changes, authorizing via

prohibiting command-line arguments for command run via

read-only access to shared file

running any program in a directory

running commands as another user

starting/stopping daemons

user authorization privileges, allowing per host

sudoers file

argument lists for each command, specifying meticulously

editing with visudo program

listing permissible commands for root privileges

running commands as another user

timestamp_timeout variable

user authorization to kill certain processes

superdaemons

inetd
[See inetd]

xinetd
[See xinetd]

superuser
2nd
[See also root]

assigning privileges via ssh without disclosing root password

finding all accounts on system

ksu (Kerberized su)

processes owned by others, examining

SuSE Linux

firewall rules, building

Heimdal Kerberos

inetd superdaemon

loading firewall rules at boot time

process accounting RPM

script allowing users to start/stop daemons

Snort, starting automatically at boot

SSL certificates
2nd

TCP wrappers
2nd

switched networks

packet sniffers and

simulated attacks with dsniff

symbolic links

for encrypted files on separate system

inability to verify with manual integrity check

permission bits, ignoring

scp command and

symmetric encryption

file encryption with gpg -c

files encrypted with GnuPG, decrypting

problems with

single encrypted file containing all files in directory

SYN_RECV state, large numbers of network connections in

synchronizing files on two machines (rsync)

integrity checking with

Sys::Lastlog and Sys::Utmp modules (Perl)

Sys::Syslog module

syslog function

using in C program

syslog-ng (Ònew generationÓ)

syslog.conf file

directing messages to different log files by facility and priority

remote logging, configuring
2nd

RPM-installed, verifying with Tripwire

setting up for local logging

signaling system logger about changes in

tracing configuration errors in

syslogd

-r flag to receive remote messages

signaling to pick up changes in syslog.conf

system accounts, login activity on
2nd

system calls, tracing on network

system logger

combining log files

debugging SSL connections

directing system messages to log files

log files created by, permissions and

logging messages remotely

programs not using

scanning log files for problem reports

sending messages to

signaling changes in syslog.conf

standard API, functions provided by

testing and monitoring

writing system log entries

in C
2nd

in Perl

in shell scripts

xinetd, logging to

system-wide authentication (Kerberos with PAM)

system_auth (/etc/pam.d startup file)

forbidding local password validation

Kerberos in

systems

authentication methods and policies (authconfig)

security tests on
[See monitoring systems for suspicious activity]

/ 247