/usr/doc/Linux-HOWTOs/NET-3-HOWTO
---------------------------------
3.1 Conventions used in this document
- use "root#" as the prompt for commands that need to run as
  root, so as not to confuse it with comment lines in shell scripts
5.1.4 netmask = number of bits that are shared by all addresses
                within a network
                (to be 'bitwise AND'ed with the IP address to
                determine the network address)
      broadcast address = usually the highest address on the network
-----------------------------------------------------------
| Network   | Netmask       | Network Addresses           |
| Class     |               |                             |
-----------------------------------------------------------
| A         | 255.0.0.0     |   0.0.0.0 - 127.255.255.255 |
| B         | 255.255.0.0   | 128.0.0.0 - 191.255.255.255 |
| C         | 255.255.255.0 | 192.0.0.0 - 223.255.255.255 |
| Multicast | 240.0.0.0     | 224.0.0.0 - 239.255.255.255 |
-----------------------------------------------------------
-------------------------------------------------------------
|           RESERVED PRIVATE NETWORK ALLOCATIONS            |
-------------------------------------------------------------
| Network   | Netmask       | Network Addresses             |
| Class     |               |                               |
-------------------------------------------------------------
| A         | 255.0.0.0     |    10.0.0.0 - 10.255.255.255  |
| B         | 255.255.0.0   |  172.16.0.0 - 172.31.255.255  |
| C         | 255.255.255.0 | 192.168.0.0 - 192.168.255.255 |
-------------------------------------------------------------
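The netmask arithmetic above, as an added example that is not part of the HOWTO: plain POSIX sh functions that AND the mask onto an address to get the network address, OR the inverted mask to get the broadcast address, and classify an address against the two tables (class and reserved private range). All function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): network = ip AND mask,
# broadcast = network OR (NOT mask); addr_class reports the class and
# whether the address is in a reserved private range (never routed
# onto the public Internet) per the tables above.

# ip2int 192.168.0.1 -> 3232235521 (dotted quad to 32-bit integer)
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 3232235521 -> 192.168.0.1
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_addr IP MASK: the bits shared by every address on the network
network_addr() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# broadcast_addr IP MASK: all host bits set, i.e. the highest address
broadcast_addr() {
    m=$(ip2int "$2")
    int2ip $(( ( $(ip2int "$1") & m ) | ( ~m & 0xFFFFFFFF ) ))
}

# mask_bits 255.255.255.0 -> 24 (number of shared bits)
mask_bits() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# addr_class IP -> "A", "B private", "Multicast", ... per the tables above
addr_class() {
    o1=${1%%.*}; r=${1#*.}; o2=${r%%.*}
    if   [ "$o1" -le 127 ]; then c=A
    elif [ "$o1" -le 191 ]; then c=B
    elif [ "$o1" -le 223 ]; then c=C
    elif [ "$o1" -le 239 ]; then c=Multicast
    else c=other; fi
    if [ "$o1" -eq 10 ] || { [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; } \
       || { [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; }; then c="$c private"; fi
    echo "$c"
}
```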
5.2 /etc/inittab --- look for the line that specifies the boot script
      si::sysinit:/etc/init.d/boot
      (Slackware 3.6 ---
       si:S:sysinit:/etc/rc.d/rc.S
      )
------------------------------------------------------------
Distrib.  | Interface Config/Routing | Server Initialization
------------------------------------------------------------
Debian    | /etc/init.d/network      | /etc/rc2.d/*
------------------------------------------------------------
Slackware | /etc/rc.d/rc.inet1       | /etc/rc.d/rc.inet2
------------------------------------------------------------
RedHat    | /etc/rc.d/init.d/network | /etc/rc.d/rc3.d/*
------------------------------------------------------------
-----------------------------------------
Distrib   | Network configuration program
-----------------------------------------
RedHat    | /usr/bin/netcfg
Slackware | /sbin/netconfig
-----------------------------------------
5.4 Configuring a network interface
root# ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up
IP address (that's all)
5.5.1 the complete name is called the `Fully Qualified Domain Name'
/etc/resolv.conf: (note: the search list is on one line, space-separated, no commas)
domain maths.wu.edu.au
search maths.wu.edu.au wu.edu.au
nameserver 192.168.10.1
nameserver 192.168.12.1
/etc/host.conf: look in /etc/hosts before asking name server
order hosts,bind
multi on
/etc/hosts: In a well managed system the only hostnames that
            usually appear in this file are an entry for the
            loopback interface and the local host's name
5.6 by convention the IP address `127.0.0.1' has been assigned
specifically for loopback
To Configure Loopback:
root# ifconfig lo 127.0.0.1
root# route add -host 127.0.0.1 lo
5.7 Routing: decides, based on the destination address, which interface to send a packet to
user% cat /proc/net/route
user% /sbin/route -n
user% netstat -r
To add a route:
root# route add -net 192.168.1.0 netmask 255.255.255.0 eth0
^^^^
network route
To add default route:
root# route add default gw 192.168.1.1 eth0
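What `cat /proc/net/route` actually prints is the kernel's raw table, with every address as 8 hex digits in host byte order, which is why the notes also list `route -n` and `netstat -r`. The decoder below is an added example, not from the HOWTO; the function names and the constructed sample table (the 192.168.1.0 network route and the default route via 192.168.1.1 from the commands above, plus the loopback host route) are assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): decode the raw table that
# `cat /proc/net/route` prints. The kernel writes each address as 8 hex
# digits in host byte order (little-endian on x86), so 0100A8C0 is
# 192.168.0.1; route -n and netstat -r do this conversion for you.

# hex2ip HEX8 -> dotted quad (the last byte in the string is the first octet)
hex2ip() {
    h=$1; b3=${h%??}; b3=${b3#????}; b2=${h%????}; b2=${b2#??}
    echo "$((0x${h#??????})).$((0x$b3)).$((0x$b2)).$((0x${h%??????}))"
}
# route_flags HEX -> the letters route -n shows: RTF_UP=1 (U), RTF_GATEWAY=2 (G), RTF_HOST=4 (H)
route_flags() {
    f=$((0x$1)); s=
    [ $((f & 1)) -ne 0 ] && s=${s}U
    [ $((f & 2)) -ne 0 ] && s=${s}G
    [ $((f & 4)) -ne 0 ] && s=${s}H
    echo "$s"
}
# decode_proc_route < /proc/net/route -> "Destination Gateway Genmask Flags Iface" per route
decode_proc_route() {
    read -r _header                       # skip the column header line
    while read -r iface dst gw flags _refcnt _use _metric mask _rest; do
        [ -n "$iface" ] || continue
        printf '%-15s %-15s %-15s %-5s %s\n' "$(hex2ip "$dst")" "$(hex2ip "$gw")" \
            "$(hex2ip "$mask")" "$(route_flags "$flags")" "$iface"
    done
}
# default_gateway < /proc/net/route -> gateway of the 0.0.0.0 (default) route
default_gateway() {
    decode_proc_route | while read -r dst gw _rest; do
        [ "$dst" = 0.0.0.0 ] && { echo "$gw"; break; }
    done
}
# Constructed sample of /proc/net/route for the routes added above
# (192.168.1.0/24 on eth0, default via 192.168.1.1) plus the loopback host route
sample_proc_route() {
    printf 'Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n'
    printf 'eth0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n'
    printf 'eth0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n'
    printf 'lo\t0100007F\t00000000\t0005\t0\t0\t0\tFFFFFFFF\t0\t0\t0\n'
}
```

On a live box, `decode_proc_route < /proc/net/route` should agree line for line with `route -n`.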
5.7.1 RIP : Routing Information Protocol (routed -- distributed with Linux)
OSPF : Open Shortest Path First Protocol (gated)
To reconfigure a new route when old route fails:
root# route add -net 192.168.1.0 netmask 255.255.255.0 eth0
root# /usr/sbin/routed
5.8.1 /etc/services
name port/protocol aliases # comment
5.8.2. /etc/inetd.conf
service socket_type proto flags user server_path server_args
5.9.1. /etc/protocols: maps protocol id number to protocol names
(for programmers)
5.9.2. /etc/networks: maps network names against network addresses
(similar to /etc/hosts, but only two fields per line)
(the route command displays the name from this file if one is found)
5.10.1. /etc/ftpusers: users who are not allowed to ftp in, eg. root
5.10.2. /etc/securetty: ttys on which root is allowed to log in
5.10.3.1. /etc/hosts.allow
5.10.3.2. /etc/hosts.deny
ALL matches every host
LOCAL matches any host whose name does not contain a `.'
PARANOID matches any host whose name does not match its address
EXCEPT allows an exceptions list
Having an ALL: ALL default in the /etc/hosts.deny and then
specifically enabling on those services and hosts that you want in the
/etc/hosts.allow file is the safest configuration.
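To see what a hosts.allow/hosts.deny pair will do to a given daemon and client before relying on it, here is an added example (not from the HOWTO, and not tcpd's own code) that simulates the lookup order with the keywords listed above; the function names and the daemon names in.telnetd/in.ftpd in the constructed sample are assumptions.

```shell
# Added example (not from the HOWTO): simulate tcpd's hosts.allow/hosts.deny
# lookup so a rule set can be checked before relying on it. Handles ALL, LOCAL,
# ".domain" suffixes, exact names/addresses and one "list EXCEPT list";
# PARANOID is left out (it needs a forward/reverse DNS comparison).
# item_matches PATTERN NAME: one list item against a client or daemon name
item_matches() {
    case $1 in
        ALL)   return 0 ;;
        LOCAL) case $2 in *.*) return 1 ;; *) return 0 ;; esac ;;  # no '.' in name
        .*)    case $2 in *"$1") return 0 ;; *) return 1 ;; esac ;; # domain suffix
        *)     [ "$1" = "$2" ] ;;
    esac
}
# any_match NAME ITEM...: true if any item matches NAME
any_match() {
    nm=$1; shift
    for it in "$@"; do item_matches "$it" "$nm" && return 0; done; return 1
}
# list_matches "a, b EXCEPT c" NAME: comma/space separated list, optional EXCEPT
list_matches() {
    inc=$1; exc=
    case $1 in *" EXCEPT "*) inc=${1%% EXCEPT *}; exc=${1#* EXCEPT } ;; esac
    nm2=$2; oldifs=$IFS
    IFS=' ,'; set -- $inc; IFS=$oldifs; any_match "$nm2" "$@" || return 1
    IFS=' ,'; set -- $exc; IFS=$oldifs; any_match "$nm2" "$@" && return 1
    return 0
}
# file_matches FILE DAEMON CLIENT: any "daemon_list : client_list" line matching?
file_matches() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        list_matches "${line%%:*}" "$2" && list_matches "${line#*:}" "$3" && return 0
    done < "$1"; return 1
}
# wrap_decide DAEMON CLIENT ALLOWFILE DENYFILE -> allow|deny, in tcpd's order:
# hosts.allow match grants, else hosts.deny match refuses, else access is granted
wrap_decide() {
    if   file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow; fi
}
# Constructed sample of the "safest configuration": ALL: ALL in hosts.deny and
# only wanted daemon/host pairs in hosts.allow (daemon names are assumptions)
make_sample_wrappers() {   # writes hosts.allow and hosts.deny into directory $1
    printf '%s\n' '# constructed sample' \
        'in.telnetd: LOCAL, .wu.edu.au EXCEPT dialup.wu.edu.au' \
        'in.ftpd: 192.168.0.1' > "$1/hosts.allow"
    printf '%s\n' 'ALL: ALL' > "$1/hosts.deny"
}
```

Note the last branch of wrap_decide: with no ALL: ALL line in hosts.deny, anything not mentioned in either file is let in, which is why the notes call the deny-by-default layout the safest.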
5.10.4. /etc/hosts.equiv: DO NOT USE IT, allow only local host!
[ skip much of the rest ]
------------------------------------------------------------------
/usr/doc/Linux-HOWTOs/Security-HOWTO
------------------------------------
Hacker = positive image
Cracker = negative image
2.4 Security Policy, "That which is not permitted is prohibited."
2.6 Look at /var/log/messages
3.2 BIOS Security
password (note: no unattended boot-up then, e.g. after a power blackout),
prevent boot from floppy
3.3 Boot Loader Security
password
restricted: password only asked for extra boot parameters, e.g. `single'
(if boot from floppy, can mount root partition)
(therefore, set BIOS passwd, set bios no floppy and padlock casing!)
4.2 Root Security
/etc/securetty contains the list of permissible ttys root can log in on
--- normally set to virtual consoles (vtys)
--- also referred to in login.defs to define the CONSOLE
login.defs is a very powerful file --- READ IT
--- modify /etc/profile, /etc/csh.login for umask 077
--- create /etc/porttime if needed
sudo --- should prohibit shell escapes (e.g. editors) and /bin/cat
5. Files and Filesystem Security
nosuid in /etc/fstab for partitions writable by non-root
nodev and noexec on home directories and /var
/var/log/wtmp and /var/run/utmp --- 644 permissions
immutable bit for /etc/passwd and /etc/shadow:
--- chattr(1) and lsattr(1)
--- inconvenient if there is high user turnover
SUID & SGID files
--- root# find / -type f \( -perm -04000 -o -perm -02000 \)
world-writable files
--- root# find / -perm -2 -print
unowned files
--- root# find / -nouser -o -nogroup -print
.rhosts
--- root# find /home -name .rhosts -print
5.2 File Permissions
sticky bit t for directories: write only for owned files, e.g. /tmp
kernel does not support SUID shell scripts!
7.2 Kernel Devices
/dev/random is stronger than /dev/urandom
--- inter-interrupt times are one input
--- root# head -c 6 /dev/random | uuencode -
8.2 System services and tcp_wrappers
/etc/services: "It's usually not worth the trouble to remove services."
/etc/inetd.conf: comment out login (rlogin), shell (rcp) and exec (rsh)
/etc/hosts.allow: used with tcp_wrapper (tcpd)
8.7 Denial of Service Attacks
SYN flood: protected against in kernel 2.0.30 and up
Pentium "F00F" Bug: cause reboot, 2.0.32 and above work around
Ping Flood (ICMP packets)
--- smurfing: packets sent out with _your_ machine's address as the return (source) IP
--- use tcpdump to listen
--- stop at router or firewall level
Ping o' Death (incoming ICMP ECHO REQUEST): stopped long ago
Teardrop: fixed in 2.0.33
8.8 NFS Security: never export the entire root directory
8.9 NIS (formerly YP): "is not at all secure ... Anyone that can
guess the name of your NIS domain (anywhere on the net) can
get a copy of your passwd file, and use crack and john the
ripper against your users' passwords."
--- "much more secure replacement for NIS, called NIS+"
9.4 System Accounting data:
/etc/syslog.conf
--- use the @host ability to copy log entry to another host
------------------------------------------------------------------
/usr/doc/Linux-HOWTOs/Networking-Overview-HOWTO
-----------------------------------------------
GPL (General Public License)
FSF (Free Software Foundation)
IPng (IP Next Generation)
IPX/SPX (Internet Packet Exchange/Sequenced Packet Exchange)
NDS (Netware Directory Service)
PPP (Point-to-Point Protocol)
SLIP (Serial Line IP)
PLIP (Parallel Line IP)
NFS (Network File Sharing)
POP (Post Office Protocol)
IMAP (Internet Message Access Protocol)
MTA (Mail Transport Agent)
MUA (Mail User Agent)
MLM (Mail List Management)
Chapter 8 of Networking Overview
IP Masquerading: hide the IPs of machines behind the GATEWAY
IP Accounting
IP Aliasing: multiple IPs on one Ethernet card
Traffic Shaping: control how much bandwidth is used by each client
Port Forwarding: port re-written (bidirectionally), eg. web server
Load Balancing: NAT (Network Address Translation)
EQL: 2 modems (on each end) behaving as one
--- ipfwadm toolkit for administration
RAID (Redundant Array of Independent Disks)
RAID Level 0: disk striping
RAID Level 1: disk mirroring
DASD (Direct Access Storage Device)
IPAT (IP Address Takeover) --- Chapter 10
(31 Dec 1998)