| Section | Page |
|---|---|
| Contents | 6 |
| About the Author | 14 |
| About the Technical Reviewer | 15 |
| Acknowledgments | 16 |
| Introduction | 17 |
| Chapter 1 Hardening the Basics | 24 |
| Installing Your Distribution Securely | 25 |
| Some Answers to Common Installation Questions | 25 |
| Install Only What You Need | 25 |
| Secure Booting, Boot Loaders, and Boot-Time Services | 27 |
| Securing Your Boot Loader | 28 |
| Init, Starting Services, and Boot Sequencing | 31 |
| Consoles, Virtual Terminals, and Login Screens | 38 |
| Securing the Console | 39 |
| The Red Hat Console | 39 |
| Securing Virtual Terminals | 40 |
| Securing Login Screens | 41 |
| Users and Groups | 42 |
| Shadow Passwording | 45 |
| Groups | 46 |
| Adding Users | 47 |
| Adding Groups | 49 |
| Deleting Unnecessary Users and Groups | 51 |
| Passwords | 54 |
| Password Aging | 58 |
| User Accounting | 65 |
| Process Accounting | 67 |
| Pluggable Authentication Modules (PAM) | 69 |
| PAM Module Stacking | 71 |
| The PAM "Other" Service | 72 |
| Restricting su Using PAM | 73 |
| Setting Limits with PAM | 74 |
| Restricting Users to Specific Login Times with PAM | 76 |
| Package Management, File Integrity, and Updating | 79 |
| Ensuring File Integrity | 80 |
| Downloading Updates and Patches | 84 |
| Compilers and Development Tools | 87 |
| Removing the Compilers and Development Tools | 87 |
| Restricting the Compilers and Development Tools | 88 |
| Hardening and Securing Your Kernel | 89 |
| Getting Your Kernel Source | 89 |
| The Openwall Project | 91 |
| Other Kernel-Hardening Options | 97 |
| Keeping Informed About Security | 98 |
| Security Sites and Mailing Lists | 98 |
| Vendor and Distribution Security Sites | 99 |
| Resources | 99 |
| Mailing Lists | 99 |
| Sites | 100 |
| Chapter 2 Firewalling Your Hosts | 101 |
| So, How Does a Linux Firewall Work? | 102 |
| Tables | 104 |
| Chains | 104 |
| Policies | 104 |
| Adding Your First Rules | 105 |
| Choosing Filtering Criteria | 108 |
| The iptables Command | 109 |
| Creating a Basic Firewall | 113 |
| Creating a Firewall for a Bastion Host | 119 |
| Kernel Modules and Parameters | 139 |
| Patch-o-Matic | 139 |
| Kernel Parameters | 146 |
| Managing iptables and Your Rules | 151 |
| iptables-save and iptables-restore | 152 |
| iptables init Scripts | 153 |
| Testing and Troubleshooting | 154 |
| Resources | 158 |
| Mailing Lists | 158 |
| Sites | 158 |
| Books | 158 |
| Chapter 3 Securing Connections and Remote Administration | 159 |
| Public-Key Encryption | 159 |
| SSL, TLS, and OpenSSL | 162 |
| Stunnel | 174 |
| IPSec, VPNs, and Openswan | 181 |
| inetd and xinetd-Based Connections | 189 |
| Remote Administration | 191 |
| ssh-agent and Agent Forwarding | 199 |
| The sshd Daemon | 201 |
| Configuring ssh and sshd | 202 |
| Port Forwarding with OpenSSH | 205 |
| Forwarding X with OpenSSH | 206 |
| Resources | 207 |
| Mailing Lists | 207 |
| Sites | 207 |
| Chapter 4 Securing Files and File Systems | 208 |
| Basic File Permissions and File Attributes | 209 |
| Access Permissions | 209 |
| Ownership | 219 |
| Immutable Files | 219 |
| Capabilities and lcap | 221 |
| Encrypting Files | 223 |
| Securely Mounting File Systems | 225 |
| Securing Removable Devices | 228 |
| Creating an Encrypted File System | 229 |
| Installing the Userland Tools | 230 |
| Enabling the Functionality | 230 |
| Encrypting a Loop File System | 231 |
| Unmounting Your Encrypted File System | 235 |
| Remounting | 236 |
| Maintaining File Integrity with Tripwire | 236 |
| Configuring Tripwire | 237 |
| Explaining Tripwire Policy | 239 |
| Network File System (NFS) | 250 |
| Resources | 252 |
| Mailing Lists | 252 |
| Sites | 252 |
| Sites About ACLs | 252 |
| Chapter 5 Understanding Logging and Log Monitoring | 253 |
| Syslog | 253 |
| Configuring Syslog | 255 |
| Starting syslogd and Its Options | 259 |
| syslog-NG | 261 |
| Installing and Configuring syslog-NG | 261 |
| The contrib Directory | |