Linux Network Security
Peter G. Smith
Charles

Contents
Preface                                              xvii

1 Introduction: The Need For Security                   1
  1.1 Introducing the Enemy                             1
      The Hacker Myth                                   3
  1.2 Just Who Is at Risk?                              3
  1.3 The Implications of a Compromise                  5
  1.4 Hackers and Crackers                              8
      Crackers                                          9
  Summary                                              10
  Endnotes                                             11
  References                                           11
2 Understanding the Problem 13
      Gateways, Routers, and Firewalls                 79
      Wireless Networking                              81
      Network Address Translation (NAT)                83
      The DMZ                                          86
  3.2 A Detour into Iptables                           89
      Preparation                                      89
      Patch-O-Matic                                    89
      Installation                                     89
      The Life Cycle of a Packet                       91
      Using Iptables                                   93
      General Syntax                                   94
  3.3 Implementing the Three-Legged Model             103
      Firewall Rulesets                               103
      Traffic Routing                                 109
  3.4 Network Tuning with the /proc Filesystem        110
      Sysctl                                          111
      Routing Options                                 113
      Security Settings                               115
      ICMP Messages                                   116
      TCP Settings                                    118
  3.5 Virtual Private Networks and IP Security        120
      Virtual Private Networking (VPN)                120
      Road Warriors                                   120
      IPsec                                           121
      Implementing a VPN with IPsec                   125
  Summary                                             129
  Endnotes                                            130
  References                                          131
4 Assessing the Network 133
      Nmap in Use
  4.2 Vulnerability Auditing with Nessus
      Installing Nessus
  4.3 Web Site Auditing with Nikto
  Summary
  Endnotes
  References
5 Packet Filtering with Iptables
  5.1 The Components of an Iptables Rule
      Generic Matches
      TCP-Specific Matches
      UDP-Specific Matches
      ICMP-Specific Matches
      Matching Extensions
      Targets
  5.2 Creating a Firewall Ruleset
      Protecting the Firewall
      Protecting the DMZ
      ICMP Messages
      TTL Rewriting
      Blocking Unwanted Hosts
      Filtering Illegal Addresses
      Local Packet Filtering
  5.3 Firewall Management: Dealing with Dynamic IP Addresses
      DHCPCD
6 Basic System Security Measures 205
      The BIOS                                        254
  Summary                                             257
  Endnotes                                            258
  References                                          259

7 Desktop Security                                    261
      Unnecessary Binaries                            301
      Compilers and Interpreters                      302
      Other Tools                                     303
      Placing System Utilities on CD-ROM              303
      Choosing Applications During Installation       304
      Post-Installation Package Management            305
  8.4 Memory Protection                               307
      StackGuard                                      307
      MemGuard                                        308
      Stack-Smashing Protector                        309
      Bounds Checking                                 311
      CRED                                            312
      Libsafe                                         313
      PaX                                             315
      Nonexecutable Memory (NOEXEC)                   315
      Address Space Layout Randomization (ASLR)       316
      Buffer Overflow Detection                       320
      Conclusion                                      322
  8.5 Policing System Calls with Systrace             323
      Installation                                    323
      Components of a Policy File                     324
      Policy File Creation                            327
      Automatic Policy Generation                     327
      Policy Enforcement                              329
      Interactive Policy Enforcement                  330
      Third-Party Policy Files                        331
  Summary                                             332
  Endnotes                                            333
  References                                          334
9 Access Control 335
  Endnotes                                            385
  Reference                                           385
10 Securing Services 387
  10.1 Web Services and Apache                        388
      Configuration                                   388
      Version Hiding                                  389
      Resource Limiting                               391
      Access Control                                  391
      Web Scripting                                   398
      Secure Perl-CGI Programming                     399
      CGIWrap                                         405
      PHP                                             406
      Chrooting Apache                                407
  10.2 SSH                                            412
Appendix A Recompiling the Linux Kernel 493
  Obtaining the Kernel Source Code                    494
  Configuring the Kernel                              495
  Compiling the Kernel                                495
  Installing the Kernel                               496
  LILO                                                496
  GRUB                                                497
  Endnote                                             498
Appendix B Kernel Configuration Options for Networking 499
  Network Support -> Networking Options                                  500
  Networking Support -> Networking Options -> TCP/IP Networking          500
  Networking Support -> Networking Options -> Network Packet Filtering
      -> IP: Netfilter Configuration                                     501
  Networking Support -> Networking Options -> Network Packet Filtering
      -> IP: Netfilter Configuration -> Connection Tracking              502
  Networking Support -> Networking Options -> Network Packet Filtering
      -> IP: Netfilter Configuration -> Iptables Support                 502
  Networking Support -> Networking Options -> Network Packet Filtering
      -> IP: Netfilter Configuration -> ARP Tables Support               503
Appendix C NAT Firewall Script                        505

Appendix D Complete Firewall Script                   509

Appendix E Cryptography                               517
  DES                                                 519
  Double DES and 3DES                                 519
  AES                                                 519
  RC2                                                 519
  RC4                                                 521
  RC5                                                 521
  RC6                                                 521
  RSA                                                 521
  Blowfish                                            522
  IDEA                                                522
  Hash Algorithms                                     522
  MD2                                                 523
  MD4                                                 523
  MD5                                                 523
  SHA                                                 524
  Public Key Cryptography (PKC)                       524
  Digital Signatures                                  525
  PGP, PGPI, OpenPGP, and GnuPG                       525
  Security                                            526
  References                                          526
Appendix F About the CD-ROM 527