Securing & Optimizing Linux: A Hands on Guide for Linux Professionals

Gerhard Mourani, Opendocs Llc

ISBN:0970033001, Edition: Pap/Cdr, 2000-07

Price: $49.95

table of Contents

Introduction 8

Audience ~ 8
These installation instructions assume ~ 8
About products mentioned in this book ~ 8
Obtaining the book and example configuration files ~ 8
A note about the copyright ~ 9
Acknowledgments ~ 10
GPG Public Key for Gerhard Mourani ~ 10

Part I Installation-Related Reference 11

Chapter 1 Introduction to Linux 12
What is Linux? ~ 13
Some good reasons to use Linux ~ 13
Let's dispel some of the fear, uncertainty, and doubt about Linux ~ 13

Chapter 2 Installation of your Linux Server 15
Linux Installation ~ 16
Know your Hardware! ~ 16
Creating the Boot Disk and Booting ~ 17
Installation Class and Method (Install Type) ~ 17
Disk Setup (Disk Druid) ~ 18
Components to Install (Package Group Selection) ~ 22
Individual Package Selection ~ 23
Descriptions of programs packages we must uninstall for securities reasons ~ 24
How to use RPM Commands ~ 28
Starting and stopping daemon services ~ 29
Software that must be uninstalled after installation of the Server ~ 29
Descriptions of programs that must be uninstalled after installation of the server ~ 31
Software that must be installed after installation of the Server ~ 32
Installed programs on your Server ~ 35
Put some colors on your terminal ~ 38
Update of the latest software ~ 39

Part II Security and optimization-Related Reference 40

Chapter 3 General System Security 41
Linux General Security ~ 42

Chapter 4 General System Optimization 69
Linux General Optimization ~ 70

Chapter 5 Configuring and Building a secure, optimized Kernels 85
Linux Kernel ~ 86
Making an emergency boot floppy ~ 87
Securing the kernel ~ 89
Kernel configuration ~ 91
Installing the new kernel ~ 96
Delete program, file and lines related to modules ~ 99
Making a new rescue floppy ~ 100
Making a emergency boot floppy disk ~ 100
Update your "/dev" entries ~ 101

Part III Networking-Related Reference 103

Chapter 6 TCP/IP Network Management 104
Linux TCP/IP Network Management ~ 105
Install more than one Ethernet Card per Machine ~ 105
Files related to networking functionality ~ 106
Configuring TCP/IP Networking manually with the command line ~ 109

Chapter 7 Networking Firewall 114
Linux IPCHAINS ~ 115
Build a kernel with IPCHAINS Firewall support ~ 118
Some explanation of rules used in the firewall script files ~ 118
The firewall scripts files ~ 120
Configuration of the "/etc/rc.d/init.d/firewall" script file for the Web Server ~ 120
Configuration of the "/etc/rc.d/init.d/firewall" script file for the Mail Server ~ 130

Chapter 8 Networking Firewall with Masquerading and Forwarding support 139
Linux Masquerading and Forwarding ~ 140
Build a kernel with Firewall Masquerading and Forwarding support ~ 140
Configuration of the "/etc/rc.d/init.d/firewall" script file for the Gateway Server ~ 142
Deny access to some address ~ 155
IPCHAINS Administrative Tools ~ 155

Part IV Software-Related Reference 157

Chapter 9 Compiler Functionality 158
Linux Compiler functionality ~ 159
The necessary packages ~ 159
Why would we choose to use tarballs? ~ 160
Compiling software on your system ~ 160
Build and Install software on your system ~ 161
Editing files with the vi editor tool ~ 162
Some last comments ~ 163

Chapter 10 Securities Software (Monitoring Tools) 164
Linux sXid ~ 165
Configurations ~ 166
sXid Administrative Tools ~ 167
Linux Logcheck ~ 169
Configurations ~ 171
Linux PortSentry ~ 173
Configurations ~ 175
Start up PortSentry ~ 179

Chapter 11 Securities Software (Network Services) 181
Linux OpenSSH Client/Server ~ 182
Configurations ~ 184
Configure OpenSSH to use TCP-Wrappers inetd super server ~ 188
OpenSSH Per-User Configuration ~ 189
OpenSSH Users Tools ~ 190
Linux SSH2 Client/Server ~ 193
Configurations ~ 194
Configure sshd2 to use tcp-wrappers inetd super server ~ 199
Ssh2 Per-User Configuration ~ 200
SSH2 Users Tools ~ 201

Chapter 12 Securities Software (System Integrity) 203
Linux Tripwire 2.2.1 ~ 204
Configurations ~ 207
Securing Tripwire for Linux ~ 212
Commands ~ 213
Linux Tripwire ASR 1.3.1 ~ 216
Configurations ~ 218
Securing Tripwire ~ 220
Commands ~ 220

Chapter 13 Securities Software (Management & Limitation) 223
Linux GnuPG ~ 224
Commands ~ 225
Set Quota on your Linux system ~ 230
Build a kernel with Quota support ~ 230
Modify the "/etc/fstab" file ~ 230
Creation of the "quota.user" and "quota.group" files ~ 231
Assigning Quota for Users and Groups ~ 232
Commands ~ 234

Chapter 14 Server Software (BIND/DNS Network Services) 236
Linux DNS and BIND Server ~ 237
Configurations ~ 239
Caching-only name Server ~ 240
Primary master name Server ~ 242
Secondary slave name Server ~ 245
Securing ISC BIND/DNS ~ 247
DNS Administrative Tools ~ 253
DNS Users Tools ~ 254

Chapter 15 Server Software (Mail Network Services) 258
Linux Sendmail Server ~ 259
Configurations ~ 263
Securing Sendmail ~ 274
Sendmail Administrative Tools ~ 278
Sendmail Users Tools ~ 279
Linux IMAP & POP Server ~ 281
Configurations ~ 284
Enable IMAP or POP via the tcp-wrappers inetd super server ~ 285
Securing IMAP/POP ~ 285

Chapter 16 Server Software (Encrypting Network Services) 288
Linux OPENSSL Server ~ 289
Configurations ~ 293
Commands ~ 298
Securing OpenSSL ~ 301
Linux FreeS/WAN VPN ~ 304
Configure RSA private keys secrets ~ 313
Requiring network setup for IPSec ~ 318
Testing the installation ~ 321

Chapter 17 Server Software (Database Network Services) 326
Linux OpenLDAP Server ~ 327
Configurations ~ 330
Securing OpenLDAP ~ 333
OpenLDAP Creation and Maintenance Tools ~ 334
OpenLDAP Users Tools ~ 336
The Netscape Address Book client for LDAP ~ 337
Linux PostgreSQL Database Server ~ 340
Create the database installation from your Postgres superuser account ~ 343
Configurations ~ 344
Commands ~ 346

Chapter 18 Server Software (Proxy Network Services) 350
Linux Squid Proxy Server ~ 351
Using GNU malloc library to improve cache performance of Squid ~ 353
Configurations ~ 355
Securing Squid ~ 363
Optimizing Squid ~ 363
The cachemgr.cgi program utility of Squid ~ 364
The Netscape Proxies Configuration for Squid ~ 366

Chapter 19 Server Software (Web Network Services) 369
Linux MM - Shared Memory Library for Apache ~ 370
Linux Apache Web Server ~ 372
Configurations ~ 378
PHP4 server-side scripting language ~ 385
Perl module Devel::Symdump ~ 387
CGI.pm Perl library ~ 389
Securing Apache ~ 390
Running Apache in a chroot jail ~ 392
Optimizing Apache ~ 399

Chapter 20 Optional component to install with Apache 406
Linux Webalizer ~ 407
Configurations ~ 408
Inform Apache about the output directory of Webalizer ~ 410
Running Webalizer manually for the first time ~ 410
Running Webalizer automatically with a cron job ~ 411
Linux FAQ-O-Matic ~ 413
Inform Apache about the location of Faq-O-Matic files ~ 414
Configure your FAQ-O-Matic software ~ 415
Linux Webmail IMP ~ 419
Setting up PHPLib which is requires by Horde program of Webmail IMP ~ 420
Configure and create Webmail IMP SQL database ~ 421
Configure your "php.ini" configuration file of PHP4 ~ 423
Configure Apache to recognize Webmail IMP ~ 424
Configure Webmail IMP via your web browser ~ 424

Chapter 21 Server Software (File Sharing Network Services) 427
Linux Samba Server ~ 428
Configurations ~ 431
Create an encrypted Samba password file for your clients ~ 436
Securing Samba ~ 439
Optimizing Samba ~ 439
Samba Administrative Tools ~ 441
Samba Users Tools ~ 442
Linux FTP Server ~ 444
Setup an FTP user account for each user without shells ~ 446
Setup a chroot user environment ~ 447
Configurations ~ 450
Configure ftpd to use tcp-wrappers inetd super server ~ 455
FTP Administrative Tools ~ 455
Securing FTP ~ 456

Part V Backup-Related reference 459

Chapter 22 Backup and restore procedures 460
Linux Backup and Restore ~ 461
The tar backup program ~ 461
Making backups with tar ~ 462
Automating tasks of backups made with tar ~ 463
Restoring files with tar ~ 465
The dump backup program ~ 466
Making backups with dump ~ 468
Restoring files with dump ~ 470
Backing up and restoring over the network ~ 472

Part VI Appendixes 474

Appendix A 475
Tweaks, Tips and Administration tasks ~ 476

ppendix B 479
Obtaining Requests for Comments (RFCs) ~ 480