Next Previous Contents

17. Frequently Asked Questions

17.1 Is Linux a secure Operating System?

For you to determine whether you think Linux is a secure operating system, there are a few pieces of information you should be aware of before making your decision:

17.2 Loadable modules versus compiled kernel?

Is it more secure to compile driver support directly into the kernel, instead of making it a module?

Answer: Some people think it is better to disable the ability to load device drivers using modules, because an intruder could load a trojan module or himself load a module that could affect system security.

However, in order to load modules, you must be root. The module object files are also only writable by root. This means the intruder would need root access to insert a module. If the intruder gains root access, there are more serious things to worry about than whether he will load a module.

Modules are for dynamically loading support for a particular device that may be infrequently used. On server machines, or firewalls for instance, this is very unlikely to happen. For this reason, it would make more sense to compile support directly into the kernel for machines acting as a server. Modules are also slower than support compiled directly in the kernel.

17.3 How can I securely use the Apache Front Page Extensions?

Answer: Well, you've taken the first step, and admitted that it has been a cause of exploit in the past. There have been several papers written on it's insecurity. Their new version, FrontPage 98 apparently hasn't gotten much better. Read this article, for an interesting overview of the issues at hand http://www.mr.net/~fritchie/frontpage.html

Also, the Microsoft FrontPage Security Hell is available here http://www.worldgate.com/~marcs/fp/

Instructions for installing and configuring, as well as building awareness, is available at the FrontPage Awareness Site available at http://frontpage.netnation.com/

17.4 How do I know whether my machine is secure?

Answer: Well, the obvious answer is to read and follow the procedures outlined in this document.

Assuming you have done that, and you are not currently aware of one of your machines already being exploited, and perhaps less obviously, download some of the exploits from http://www.rootshell.com and see if they work on your machine.

17.5 What are the arguments for ipfwadm(8)?

Answer: This information is covered in the Firewall-HOWTO, as well as in the Firewalls and Border Patrol section of this document. You should keep in mind that the ipfwadm(8) command is specific to the 2.0 release of the kernel. Version 2.2 will feature a much improved firewall, called IP Chains. You can find more information on IP Chains in the Firewalls section of this document.

17.6 Where do I find the most secure version of program XYZ?

Answer: The best thing you can do here is to check your Linux vendor's errata for any preconfigured packages in their updates archive for your current distribution.

You should also already be subscribed to one of the informational security mailing lists, or at least the announce list from your vendor, describing the procedure for finding the proper updates.

17.7 Logging in as root from a remote machine always fails.

Answer: See the section on root security. This is done intentionally to prevent remote users from attempting to connect via telnet to your machine as root, which is a serious security vulnerability. Don't forget, potential intruders have time on their side, and can run automated programs to find your password.

17.8 How do I enable shadow passwords?

How do I enable shadow passwords on my Red Hat 4.2 or 5.x system?

Answer: Shadow passwords is a mechanism for storing your password in a file other than the normal /etc/passwd file. This has several advantages. The first one is that the shadow file, /etc/shadow, is only readable by root, unlike /etc/passwd, which must remain readable by everyone. The other advantage is that as the administrator, you can enable or disable accounts without everyone knowing the status of other users accounts.

The /etc/passwd file is then used to store user and group names, used by programs like /bin/ls to map the user ID to the proper username in a directory listing.

The /etc/shadow file then only contains the username and his/her password, and perhaps accounting information, like when the account expires, etc.

To enable shadow passwords, run /usr/bin/pwconv as root, and /etc/shadow should now exist, and be used by applications. Since you are using RH 4.2 or above, the PAM modules will automatically adapt to the change from using normal /etc/passwd to shadow passwords without any other change.

Since you are interested in securing your passwords, perhaps you would also be interested in generating good passwords to begin with. For this you can use the pam_cracklib module, which is part of PAM. It runs your password against the Crack libraries to help you decide if it is too easily guessable by password cracking programs.

17.9 How can I enable the Apache SSL extensions?

Answer:

1.Get the latest version of SSLeay from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL

2.Build and test and install it!

3.Get the latest version of the Apache source

4.Get Apache SSLeay extensions from ftp://ftp.ox.ac.uk/pub/crypto/SSL/apache_1.2.5+ssl_1.13.tar.gz

5. Unpack it in the apache-1.2.5 source directory and patch Apache as per the README.

6.Configure and build it.

You might also try http://www.replay.com which has many pre-built packages, and is located outside of the United States.

17.10 How can I securely manipulate user accounts?

Answer: The Red Hat distribution, especially RH5.0, contains a great number of tools to change the properties of user accounts.

All these programs are ``shadow-aware'' -- if you enable shadow it will use /etc/shadow for password information, otherwise it won't.

See the respective man pages for further information.

17.11 How can I password protect specific HTML documents?

Answer: I bet you didn't know about http://www.apacheweek.org did you?

You can find information on User Authentication at http://www.apacheweek.com/features/userauth as well as other web server security tips from http://www.apache.org/docs/misc/security_tips.html

17.12 My Set-User-ID shell script does not work!

Any shell script set to run as root can gain unauthorized root access to ordinary users. It is therefore disabled in the kernel from operating. The details about how one can break a setuid shell script are posted regularly on Usenet. Set-User-ID programs are one of the most common methods of intrusion, especially by means of buffer overflow.

See the UNIX FAQ for more information on how this actually works.



Next Previous Contents