summaryrefslogtreecommitdiff
path: root/slackbook/html/security.html
diff options
context:
space:
mode:
Diffstat (limited to 'slackbook/html/security.html')
-rw-r--r--slackbook/html/security.html218
1 files changed, 218 insertions, 0 deletions
diff --git a/slackbook/html/security.html b/slackbook/html/security.html
new file mode 100644
index 00000000..34249a8b
--- /dev/null
+++ b/slackbook/html/security.html
@@ -0,0 +1,218 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta name="generator" content="HTML Tidy, see www.w3.org" />
+<title>Security</title>
+<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
+<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
+<link rel="PREVIOUS" title="Talking to Other People"
+href="basic-network-commands-talk.html" />
+<link rel="NEXT" title="Host Access Control" href="security-host.html" />
+<link rel="STYLESHEET" type="text/css" href="docbook.css" />
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+</head>
+<body class="CHAPTER" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
+alink="#0000FF">
+<div class="NAVHEADER">
+<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
+cellspacing="0">
+<tr>
+<th colspan="3" align="center">Slackware Linux Essentials</th>
+</tr>
+
+<tr>
+<td width="10%" align="left" valign="bottom"><a href="basic-network-commands-talk.html"
+accesskey="P">Prev</a></td>
+<td width="80%" align="center" valign="bottom"></td>
+<td width="10%" align="right" valign="bottom"><a href="security-host.html"
+accesskey="N">Next</a></td>
+</tr>
+</table>
+
+<hr align="LEFT" width="100%" />
+</div>
+
+<div class="CHAPTER">
+<h1><a id="SECURITY" name="SECURITY"></a>Chapter 14 Security</h1>
+
+<div class="TOC">
+<dl>
+<dt><b>Table of Contents</b></dt>
+
+<dt>14.1 <a href="security.html#SECURITY-DISABLE">Disabling Services</a></dt>
+
+<dt>14.2 <a href="security-host.html">Host Access Control</a></dt>
+
+<dt>14.3 <a href="security-current.html">Keeping Current</a></dt>
+</dl>
+</div>
+
+<p>Security on any system is important; it can prevent people launching attacks from your
+machine, as well as protect sensitive data. This chapter is all about how to start
+securing your Slackware box against script kiddies, crackers and rogue hamsters alike.
+Bear in mind that this is only the start of securing a system; security is a process, not
+a state.</p>
+
+<div class="SECT1">
+<h1 class="SECT1"><a id="SECURITY-DISABLE" name="SECURITY-DISABLE">14.1 Disabling
+Services</a></h1>
+
+<p>The first step after installing Slackware should be to disable any services you don't
+need. Any services could potentially pose a security risk, so it is important to run as
+few services as possible (i.e. only those that are needed). Services are started from two
+main places - <tt class="COMMAND">inetd</tt> and init scripts.</p>
+
+<div class="SECT2">
+<h2 class="SECT2"><a id="AEN5081" name="AEN5081">14.1.1 Services started from <tt
+class="COMMAND">inetd</tt></a></h2>
+
+<p>A lot of the daemons that come with Slackware are run from <tt
+class="COMMAND">inetd</tt>(8). <tt class="COMMAND">inetd</tt> is a daemon that listens on
+all of the ports used by services configured to be started by it and spawns an instance
+of the relevant daemon when a connection attempt is made. Daemons started from <tt
+class="COMMAND">inetd</tt> can be disabled by commenting out the relevant lines in <tt
+class="FILENAME">/etc/inetd.conf</tt>. To do this, open this file in your favorite editor
+(e.g. <tt class="COMMAND">vi</tt>) and you should see lines similar to this:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
+</pre>
+</td>
+</tr>
+</table>
+
+<p>You can disable this service, and any others you don't need, by commenting them out
+(i.e. adding a <var class="LITERAL">#</var> (hash) symbol to the beginning of the line).
+The above line would then become:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
+</pre>
+</td>
+</tr>
+</table>
+
+<p>After <tt class="COMMAND">inetd</tt> has been restarted, this service will be
+disabled. You can restart <tt class="COMMAND">inetd</tt> with the command:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd
+class="USERINPUT">kill -HUP $(cat /var/run/inetd.pid)</kbd>
+</pre>
+</td>
+</tr>
+</table>
+</div>
+
+<div class="SECT2">
+<h2 class="SECT2"><a id="AEN5102" name="AEN5102">14.1.2 Services started from init
+scripts</a></h2>
+
+<p>The rest of the services started when the machine starts are started from the init
+scripts in <tt class="FILENAME">/etc/rc.d/</tt>. These can be disabled in two different
+ways, the first being to remove the execute permissions on the relevant init script and
+the second being to comment out the relevant lines in the init scripts.</p>
+
+<p>For example, SSH is started by its own init script at <tt
+class="FILENAME">/etc/rc.d/rc.sshd</tt>. You can disable this using:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd class="USERINPUT">chmod -x /etc/rc.d/rc.sshd</kbd>
+</pre>
+</td>
+</tr>
+</table>
+
+<p>For services that don't have their own init script, you will need to comment out the
+relevant lines in the init scripts to disable them. For example, the portmap daemon is
+started by the following lines in <tt class="FILENAME">/etc/rc.d/rc.inet2</tt>:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+# This must be running in order to mount NFS volumes.
+# Start the RPC portmapper:
+if [ -x /sbin/rpc.portmap ]; then
+ echo "Starting RPC portmapper: /sbin/rpc.portmap"
+ /sbin/rpc.portmap
+fi
+# Done starting the RPC portmapper.
+</pre>
+</td>
+</tr>
+</table>
+
+<p>This can be disabled by adding <var class="LITERAL">#</var> symbols to the beginnings
+of the lines that don't already start with them, like so:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+# This must be running in order to mount NFS volumes.
+# Start the RPC portmapper:
+#if [ -x /sbin/rpc.portmap ]; then
+# echo "Starting RPC portmapper: /sbin/rpc.portmap"
+# /sbin/rpc.portmap
+#fi
+# Done starting the RPC portmapper.
+</pre>
+</td>
+</tr>
+</table>
+
+<p>These changes will only take effect after either a reboot or changing from and back to
+runlevel 3 or 4. You can do this by typing the following on the console (you will need to
+log in again after changing to runlevel 1):</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 1</kbd>
+<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 3</kbd>
+</pre>
+</td>
+</tr>
+</table>
+</div>
+</div>
+</div>
+
+<div class="NAVFOOTER">
+<hr align="LEFT" width="100%" />
+<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
+cellspacing="0">
+<tr>
+<td width="33%" align="left" valign="top"><a href="basic-network-commands-talk.html"
+accesskey="P">Prev</a></td>
+<td width="34%" align="center" valign="top"><a href="index.html"
+accesskey="H">Home</a></td>
+<td width="33%" align="right" valign="top"><a href="security-host.html"
+accesskey="N">Next</a></td>
+</tr>
+
+<tr>
+<td width="33%" align="left" valign="top">Talking to Other People</td>
+<td width="34%" align="center" valign="top">&nbsp;</td>
+<td width="33%" align="right" valign="top">Host Access Control</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
+