Fedora 11 Security Guide: A Guide to Securing Fedora Linux (Edition 1.0)

Security Guide
Table of Contents
Preface
1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. We Need Feedback!
Chapter 1. Security Overview
1.1. Introduction to Security
1.1.1. What is Computer Security?
1.1.1.1. How did Computer Security Come about?
1.1.1.2. Security Today
1.1.1.3. Standardizing Security
1.1.2. SELinux
1.1.3. Security Controls
1.1.3.1. Physical Controls
1.1.3.2. Technical Controls
1.1.3.3. Administrative Controls
1.1.4. Conclusion
1.2. Vulnerability Assessment
1.2.1. Thinking Like the Enemy
1.2.2. Defining Assessment and Testing
1.2.2.1. Establishing a Methodology
1.2.3. Evaluating the Tools
1.2.3.1. Scanning Hosts with Nmap
1.2.3.1.1. Using Nmap
1.2.3.2. Nessus
1.2.3.3. Nikto
1.2.3.4. VLAD the Scanner
1.2.3.5. Anticipating Your Future Needs
1.3. Attackers and Vulnerabilities
1.3.1. A Quick History of Hackers
1.3.1.1. Shades of Gray
1.3.2. Threats to Network Security
1.3.2.1. Insecure Architectures
1.3.2.1.1. Broadcast Networks
1.3.2.1.2. Centralized Servers
1.3.3. Threats to Server Security
1.3.3.1. Unused Services and Open Ports
1.3.3.2. Unpatched Services
1.3.3.3. Inattentive Administration
1.3.3.4. Inherently Insecure Services
1.3.4. Threats to Workstation and Home PC Security
1.3.4.1. Bad Passwords
1.3.4.2. Vulnerable Client Applications
1.4. Common Exploits and Attacks
1.5. Security Updates
1.5.1. Updating Packages
1.5.2. Verifying Signed Packages
1.5.3. Installing Signed Packages
1.5.4. Applying the Changes
Chapter 2. Securing Your Network
2.1. Workstation Security
2.1.1. Evaluating Workstation Security
2.1.2. BIOS and Boot Loader Security
2.1.2.1. BIOS Passwords
2.1.2.1.1. Securing Non-x86 Platforms
2.1.2.2. Boot Loader Passwords
2.1.2.2.1. Password Protecting GRUB
2.1.3. Password Security
2.1.3.1. Creating Strong Passwords
2.1.3.1.1. Secure Password Creation Methodology
2.1.3.2. Creating User Passwords Within an Organization
2.1.3.2.1. Forcing Strong Passwords
2.1.3.2.2. Passphrases
2.1.3.2.3. Password Aging
2.1.4. Administrative Controls
2.1.4.1. Allowing Root Access
2.1.4.2. Disallowing Root Access
2.1.4.2.1. Disabling the Root Shell
2.1.4.2.2. Disabling Root Logins
2.1.4.2.3. Disabling Root SSH Logins
2.1.4.2.4. Disabling Root Using PAM
2.1.4.3. Limiting Root Access
2.1.4.3.1. The su Command
2.1.4.3.2. The sudo Command
2.1.5. Available Network Services
2.1.5.1. Risks To Services
2.1.5.2. Identifying and Configuring Services
2.1.5.3. Insecure Services
2.1.6. Personal Firewalls
2.1.7. Security Enhanced Communication Tools
2.2. Server Security
2.2.1. Securing Services With TCP Wrappers and xinetd
2.2.1.1. Enhancing Security With TCP Wrappers
2.2.1.1.1. TCP Wrappers and Connection Banners
2.2.1.1.2. TCP Wrappers and Attack Warnings
2.2.1.1.3. TCP Wrappers and Enhanced Logging
2.2.1.2. Enhancing Security With xinetd
2.2.1.2.1. Setting a Trap
2.2.1.2.2. Controlling Server Resources
2.2.2. Securing Portmap
2.2.2.1. Protect portmap With TCP Wrappers
2.2.2.2. Protect portmap With iptables
2.2.3. Securing NIS
2.2.3.1. Carefully Plan the Network
2.2.3.2. Use a Password-like NIS Domain Name and Hostname
2.2.3.3. Edit the /var/yp/securenets File
2.2.3.4. Assign Static Ports and Use iptables Rules
2.2.3.5. Use Kerberos Authentication
2.2.4. Securing NFS
2.2.4.1. Carefully Plan the Network
2.2.4.2. Beware of Syntax Errors
2.2.4.3. Do Not Use the no_root_squash Option
2.2.4.4. NFS Firewall Configuration
2.2.5. Securing the Apache HTTP Server
2.2.6. Securing FTP
2.2.6.1. FTP Greeting Banner
2.2.6.2. Anonymous Access
2.2.6.2.1. Anonymous Upload
2.2.6.3. User Accounts
2.2.6.3.1. Restricting User Accounts
2.2.6.4. Use TCP Wrappers To Control Access
2.2.7. Securing Sendmail
2.2.7.1. Limiting a Denial of Service Attack
2.2.7.2. NFS and Sendmail
2.2.7.3. Mail-only Users
2.2.8. Verifying Which Ports Are Listening
2.3. Single Sign-on (SSO)
2.3.1. Introduction
2.3.1.1. Supported Applications
2.3.1.2. Supported Authentication Mechanisms
2.3.1.3. Supported Smart Cards
2.3.1.4. Advantages of Fedora Single Sign-on
2.3.2. Getting Started with your new Smart Card
2.3.2.1. Troubleshooting
2.3.3. How Smart Card Enrollment Works
2.3.4. How Smart Card Login Works
2.3.5. Configuring Firefox to use Kerberos for SSO
2.3.5.1. Troubleshooting
2.4. Pluggable Authentication Modules (PAM)
2.4.1. Advantages of PAM
2.4.2. PAM Configuration Files
2.4.2.1. PAM Service Files
2.4.3. PAM Configuration File Format
2.4.3.1. Module Interface
2.4.3.1.1. Stacking Module Interfaces
2.4.3.2. Control Flag
2.4.3.3. Module Name
2.4.3.4. Module Arguments
2.4.4. Sample PAM Configuration Files
2.4.5. Creating PAM Modules
2.4.6. PAM and Administrative Credential Caching
2.4.6.1. Removing the Timestamp File
2.4.6.2. Common pam_timestamp Directives
2.4.7. PAM and Device Ownership
2.4.7.1. Device Ownership
2.4.7.2. Application Access
2.4.8. Additional Resources
2.4.8.1. Installed PAM Documentation
2.4.8.2. Useful PAM Websites
2.5. TCP Wrappers and xinetd
2.5.1. TCP Wrappers
2.5.1.1. Advantages of TCP Wrappers
2.5.2. TCP Wrappers Configuration Files
2.5.2.1. Formatting Access Rules
2.5.2.1.1. Wildcards
2.5.2.1.2. Patterns
2.5.2.1.3. Portmap and TCP Wrappers
2.5.2.1.4. Operators
2.5.2.2. Option Fields
2.5.2.2.1. Logging
2.5.2.2.2. Access Control
2.5.2.2.3. Shell Commands
2.5.2.2.4. Expansions
2.5.3. xinetd
2.5.4. xinetd Configuration Files
2.5.4.1. The /etc/xinetd.conf File
2.5.4.2. The /etc/xinetd.d/ Directory
2.5.4.3. Altering xinetd Configuration Files
2.5.4.3.1. Logging Options
2.5.4.3.2. Access Control Options
2.5.4.3.3. Binding and Redirection Options
2.5.4.3.4. Resource Management Options
2.5.5. Additional Resources
2.5.5.1. Installed TCP Wrappers Documentation
2.5.5.2. Useful TCP Wrappers Websites
2.5.5.3. Related Books
2.6. Kerberos
2.6.1. What is Kerberos?
2.6.1.1. Advantages of Kerberos
2.6.1.2. Disadvantages of Kerberos
2.6.2. Kerberos Terminology
2.6.3. How Kerberos Works
2.6.4. Kerberos and PAM
2.6.5. Configuring a Kerberos 5 Server
2.6.6. Configuring a Kerberos 5 Client
2.6.7. Domain-to-Realm Mapping
2.6.8. Setting Up Secondary KDCs
2.6.9. Setting Up Cross Realm Authentication
2.6.10. Additional Resources
2.6.10.1. Installed Kerberos Documentation
2.6.10.2. Useful Kerberos Websites
2.7. Virtual Private Networks (VPNs)
2.7.1. How Does a VPN Work?
2.7.2. VPNs and Fedora
2.7.3. IPsec
2.7.4. Creating an IPsec Connection
2.7.5. IPsec Installation
2.7.6. IPsec Host-to-Host Configuration
2.7.6.1. Host-to-Host Connection
2.7.6.2. Manual IPsec Host-to-Host Configuration
2.7.6.2.1. The Racoon Configuration File
2.7.7. IPsec Network-to-Network Configuration
2.7.7.1. Network-to-Network (VPN) Connection
2.7.7.2. Manual IPsec Network-to-Network Configuration
2.7.8. Starting and Stopping an IPsec Connection
2.8. Firewalls
2.8.1. Netfilter and IPTables
2.8.1.1. IPTables Overview
2.8.2. Basic Firewall Configuration
2.8.2.1. Firewall Configuration Tool
2.8.2.2. Enabling and Disabling the Firewall
2.8.2.3. Trusted Services
2.8.2.4. Other Ports
2.8.2.5. Saving the Settings
2.8.2.6. Activating the IPTables Service
2.8.3. Using IPTables
2.8.3.1. IPTables Command Syntax
2.8.3.2. Basic Firewall Policies
2.8.3.3. Saving and Restoring IPTables Rules
2.8.4. Common IPTables Filtering
2.8.5. FORWARD and NAT Rules
2.8.5.1. Postrouting and IP Masquerading
2.8.5.2. Prerouting
2.8.5.3. DMZs and IPTables
2.8.6. Malicious Software and Spoofed IP Addresses
2.8.7. IPTables and Connection Tracking
2.8.8. IPv6
2.8.9. Additional Resources
2.8.9.1. Installed Firewall Documentation
2.8.9.2. Useful Firewall Websites
2.8.9.3. Related Documentation
2.9. IPTables
2.9.1. Packet Filtering
2.9.2. Differences Between IPTables and IPChains
2.9.3. Command Options for IPTables
2.9.3.1. Structure of IPTables Command Options
2.9.3.2. Command Options
2.9.3.3. IPTables Parameter Options
2.9.3.4. IPTables Match Options
2.9.3.4.1. TCP Protocol
2.9.3.4.2. UDP Protocol
2.9.3.4.3. ICMP Protocol
2.9.3.4.4. Additional Match Option Modules
2.9.3.5. Target Options
2.9.3.6. Listing Options
2.9.4. Saving IPTables Rules
2.9.5. IPTables Control Scripts
2.9.5.1. IPTables Control Scripts Configuration File
2.9.6. IPTables and IPv6
2.9.7. Additional Resources
2.9.7.1. Installed IP Tables Documentation
2.9.7.2. Useful IP Tables Websites
Chapter 3. Encryption
3.1. Data at Rest
3.2. Full Disk Encryption
3.3. File Based Encryption
3.4. Data in Motion
3.5. Virtual Private Networks
3.6. Secure Shell
3.7. LUKS Disk Encryption
3.7.1. LUKS Implementation in Fedora
3.7.2. Manually Encrypting Directories
3.7.3. Step-by-Step Instructions
3.7.4. What you have just accomplished.
3.7.5. Links of Interest
3.8. 7-Zip Encrypted Archives
3.8.1. 7-Zip Installation in Fedora
3.8.2. Step-by-Step Installation Instructions
3.8.3. Step-by-Step Usage Instructions
3.8.4. Things of note
3.9. Using GNU Privacy Guard (GnuPG)
3.9.1. Creating GPG Keys in GNOME
3.9.2. Creating GPG Keys in KDE
3.9.3. Creating GPG Keys Using the Command Line
3.9.4. About Public Key Encryption
Chapter 4. General Principles of Information Security
4.1. Tips, Guides, and Tools
Chapter 5. Secure Installation
5.1. Disk Partitions
5.2. Utilize LUKS Partition Encryption
Chapter 6. Software Maintenance
6.1. Install Minimal Software
6.2. Plan and Configure Security Updates
6.3. Adjusting Automatic Updates
6.4. Install Signed Packages from Well Known Repositories
Chapter 7. References