Free information about Linux http://e-articles.info/e/s/s/Linux/ en-us E-articles.info 2006 - 2009 Bastille is an open source program that facilitates the hardening of a Linux system. It performs many of the tasks, including downloading operating system updates and disabling services and ports that are not required for the system’s job functions.The program also offers a wider range of additional services, from installing a firewall (ipchains) to implementing secure shell (SSH)... by Greg Pregovia http://e-articles.info/e/a/title/Hardening-the-System-with-Bastille-and-Functions/ http://e-articles.info/e/a/title/Hardening-the-System-with-Bastille-and-Functions/ Tue, 18 Nov 2008 00:33:17 GMT Follow these steps to verify the signature of a gzipped tarball: 1. Add the public key of the person or organization that created the package. 2... by Greg Pregovia http://e-articles.info/e/a/title/Using-GPG-and-Md5sum-to-Verify-Signatures-on-Tarball-Packages/ http://e-articles.info/e/a/title/Using-GPG-and-Md5sum-to-Verify-Signatures-on-Tarball-Packages/ Tue, 18 Nov 2008 01:41:22 GMT Once your Red Hat system is live, you must make sure that the most current required Red Hat errata are installed.These errata include bug fixes, corrections, and updates to Red Hat products.You should always check the Red Hat site at www... by Greg Pregovia http://e-articles.info/e/a/title/Red-Hat-Linux-Errata:-Fixes-and-Advisories/ http://e-articles.info/e/a/title/Red-Hat-Linux-Errata:-Fixes-and-Advisories/ Tue, 18 Nov 2008 02:49:27 GMT TCP/IP networks assign a port to each service, such as HTTP, Simple Mail Transfer Protocol (SMTP), and Post Office Protocol version 3 (POP3).This port is given a number, called a port number, used to link incoming data to the correct service. For example, if a client browser is requesting to view a server’s Web page, the request will be directed to port 80 on the server... by Greg Pregovia http://e-articles.info/e/a/title/Locking-Down-Ports-Under-Linux/ http://e-articles.info/e/a/title/Locking-Down-Ports-Under-Linux/ Tue, 18 Nov 2008 03:57:32 GMT Although many GUI interfaces are in the planning stage for GPG, the following steps focus on using GPG with the command line.The steps assume that you already have GPG installed on your system.Verify this by using the whereis command:whereis gpg gpg: /usr/bin/gpgIf you do not have GPG installed, you can download GPG from www... by Greg Pregovia http://e-articles.info/e/a/title/Deploying-GNU-Privacy-Guard/ http://e-articles.info/e/a/title/Deploying-GNU-Privacy-Guard/ Tue, 18 Nov 2008 04:23:37 GMT To harden a server, you must first disable any unnecessary services and ports.This process involves removing any unnecessary services, such as the Linux rlogin service, and locking down unnecessary Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports. Once these services and ports are secure, you must then regularly maintain the system... by Greg Pregovia http://e-articles.info/e/a/title/Manually-Disabling-Unnecessary-Services-and-Ports-in-Linux/ http://e-articles.info/e/a/title/Manually-Disabling-Unnecessary-Services-and-Ports-in-Linux/ Wed, 12 Nov 2008 05:31:42 GMT Gdb is the Free Software Foundation's debugger. It is a good command-line debugger, on which several tools have been built, including Emacs' gdb mode, the graphical http://e-articles.info/e/a/title/What-is-the-GNU-Debugger/ http://e-articles.info/e/a/title/What-is-the-GNU-Debugger/ Sat, 05 Jan 2008 06:39:47 GMT In 1991, Linus Torvalds, at that time a student at the University of Helsinki, started a project to teach himself about low-level Intel 80386 programming. At the time, he was running the Minix operating system, designed by Andrew Tanenbaum, so he initially kept his project compatible with the Minix system calls and on-disk file-system layout to make his work much easier. Although he released the first version of the Linux kernel to the Internet under a fairly restrictive license, he was soon convinced to change his license to the GPL... by Claude Wolfgang Stary http://e-articles.info/e/a/title/Development-of-Linux/ http://e-articles.info/e/a/title/Development-of-Linux/ Sat, 05 Jan 2008 07:47:52 GMT In glibc, there are a set of feature selection macros that are used to select which standards you wish glibc to comply with. Standards sometimes conflict, and so glibc allows you to select exactly which set of standards (formal, de jure, and informal, de facto) with which to comply, fully or partially. These macros are technically called feature test macros... by Humberto Mitchson http://e-articles.info/e/a/title/The-GNU-C-Library:-Feature-Selection/ http://e-articles.info/e/a/title/The-GNU-C-Library:-Feature-Selection/ Sat, 05 Jan 2008 08:55:57 GMT Although the major portions of Linux comprise code developed independently of traditional Unix source bases, the interfaces that Linux provides were influenced heavily by existing Unix systems. In the early 1980s, Unix development split into two camps, one at the University of California at Berkeley, the other at AT&T's Bell Laboratories. Each institution developed and maintained Unix operating systems that were derived from the original Unix implementation done by Bell Laboratories... by Claude Wolfgang Stary http://e-articles.info/e/a/title/Notional-Lineage-of-Unix-Systems/ http://e-articles.info/e/a/title/Notional-Lineage-of-Unix-Systems/ Sun, 30 Dec 2007 09:23:15 GMT The Linux console, like most terminals, is modal: Its response to data depends on what mode it is in. By default, it prints on the screen the characters you send to it unless it receives an escape or control character. A control character simply causes some control action to be taken, but the next character is read normally; there is no change in processing mode... by Humberto Mitchson http://e-articles.info/e/a/title/Linux-Console-Capabilities/ http://e-articles.info/e/a/title/Linux-Console-Capabilities/ Sun, 16 Dec 2007 10:31:20 GMT Unix developers have traditionally held strong and diverse preferences, especially about editors. Many programmers' editors are available for you to try; the two most common are vi and Emacs. Both have more power than they appear to have at first glance, both have a relatively steep learning curve—and they are radically different... by Claude Wolfgang Stary http://e-articles.info/e/a/title/Emax-vs.-vi-Unix-text-editors/ http://e-articles.info/e/a/title/Emax-vs.-vi-Unix-text-editors/ Sat, 08 Dec 2007 11:39:25 GMT Programs that are designed to run as system daemons need to be a little careful how they become daemons to get all of the details right. Here is a list of things that should be done: Most of the initialization work should be done before the program becomes an actual daemon. This allows any errors to be reported to the user starting the program and a meaningful exit code to be returned... by Humberto Mitchson http://e-articles.info/e/a/title/Running-a-Linux-Program-as-a-Daemon/ http://e-articles.info/e/a/title/Running-a-Linux-Program-as-a-Daemon/ Sat, 08 Dec 2007 12:47:30 GMT Now that we have looked at ways of reducing the potential impact of insecure code, we go over some of the most common programming mistakes that lead to security problems. Buffer Overflows By far the most common programming mistake that leads to local and remote exploits is a buffer overflow. Here is an example of a program with an exploitable buffer overflow: 1: /* bufferoverflow... by Humberto Mitchson http://e-articles.info/e/a/title/Common-Linux-Security-Holes/ http://e-articles.info/e/a/title/Common-Linux-Security-Holes/ Sun, 11 Nov 2007 13:55:35 GMT POSIX Required Types POSIX defines several typedefs defined in the header file <sys/types.h> and used for many arguments and return values. These typedefs are important because the standard C types can vary from machine to machine and are loosely defined by the C standard... by Humberto Mitchson http://e-articles.info/e/a/title/POSIX-Interfaces/ http://e-articles.info/e/a/title/POSIX-Interfaces/ Sat, 10 Nov 2007 14:23:40 GMT What exactly is a process? In the original Unix implementations, a process was any executing program. For each program, the kernel kept track of The current location of execution (such as waiting for a system call to return from the kernel), often called the program's context Which files the program had access to The program's credentials (which user and group owned the process, for example) The program's current directory Which memory space the program had access to and how it was laid out A process was also the basic scheduling unit for the operating system. Only processes were allowed to run on the CPU... by Claude Wolfgang Stary http://e-articles.info/e/a/title/What's-a-Linux-Process/ http://e-articles.info/e/a/title/What's-a-Linux-Process/ Sat, 03 Nov 2007 15:31:45 GMT The seeds of UNIX were sown in 1965 when Bell Labs, General Electric Company, and Massachusetts Institute of Technology designed an operating system called Multics. From the outset, this was designed to be a multiuser system supporting multiple concurrent users, data storage, and data sharing. By 1969, with the project failing, Bell Labs quit the project... by Andreas Schmidt http://e-articles.info/e/a/title/UNIX-History/ http://e-articles.info/e/a/title/UNIX-History/ Sat, 15 Sep 2007 16:39:50 GMT Consider the following key security factors when selecting a UNIX distribution: · Understand the intended use of the system. What threats must the system defend against? Consider physical, human, and technological threats. · Gauge the technical security competence and awareness of the primary administrator(s)... by Andreas Schmidt http://e-articles.info/e/a/title/Security-Considerations-in-Choosing-a-UNIX-Distribution/ http://e-articles.info/e/a/title/Security-Considerations-in-Choosing-a-UNIX-Distribution/ Sat, 15 Sep 2007 17:47:55 GMT This article reviews fundamental filesystem and privilege concepts. When it comes to input and output, UNIX treats everything as a file. In fact, the term file has multiple meanings in UNIX—it can be a · Regular file... by Andreas Schmidt http://e-articles.info/e/a/title/UNIX-Filesystem-Security/ http://e-articles.info/e/a/title/UNIX-Filesystem-Security/ Sat, 15 Sep 2007 18:55:15 GMT With the theory out of the way, let's examine the risks. The primary risks are · Data disclosure. I don't want to belabor an obvious point, but this is so incredibly common that it deserves some attention... by Andreas Schmidt http://e-articles.info/e/a/title/UNIX-Filesystem-Risks/ http://e-articles.info/e/a/title/UNIX-Filesystem-Risks/ Sat, 15 Sep 2007 19:23:20 GMT Here are some things you can do to minimize your filesystem exposures. · Give clear direction in your security policy about the need to protect the organization's data. Classify information by sensitivity and define what access controls are required... by Andreas Schmidt http://e-articles.info/e/a/title/UNIX-Filesystem-Countermeasures/ http://e-articles.info/e/a/title/UNIX-Filesystem-Countermeasures/ Sat, 15 Sep 2007 20:31:25 GMT Programming mistakes in set-uid programs have been a real source of security headaches. A single security hole in just one set-uid root program can be all that is needed for an attacker to gain root access. The problem is widespread... by Andreas Schmidt http://e-articles.info/e/a/title/The-Set-uid-Problem/ http://e-articles.info/e/a/title/The-Set-uid-Problem/ Sat, 15 Sep 2007 21:39:30 GMT Our contemplation of filesystem security isn't complete without a mention of rootkits. After a successful root compromise, attackers might upload and install a rootkit, which is a collection of replacement system programs that enable attackers to hide their tracks and easily reconnect to the system at a later time. It is not unusual for an attacker to patch the hole that enabled him to gain access, to avoid losing the system to another attacker... by Andreas Schmidt http://e-articles.info/e/a/title/Rootkits-and-Defenses/ http://e-articles.info/e/a/title/Rootkits-and-Defenses/ Wed, 12 Sep 2007 22:47:35 GMT Programs written to listen on a port number lower than 1024 must be executed with root privilege (that is, UID 0). This rule protects sensitive system services because these run on ports lower in number than 1024 (that is, the reserved ports). The UNIX kernel enforces this restriction to prevent non-privileged users from launching fake network server processes on idle ports... by Andreas Schmidt http://e-articles.info/e/a/title/Privileged-Ports-of-a-UNIX-machine/ http://e-articles.info/e/a/title/Privileged-Ports-of-a-UNIX-machine/ Sun, 09 Sep 2007 23:55:40 GMT Standard UNIX distributions ship with a raft of network services. That should come as no surprise—after all, they are sold as general-purpose operating systems. Unfortunately, all distributions—barring OpenBSD—ship with nonessential network services enabled... by Andreas Schmidt http://e-articles.info/e/a/title/The-Risks-of-Running-Network-Services/ http://e-articles.info/e/a/title/The-Risks-of-Running-Network-Services/ Sat, 08 Sep 2007 01:23:45 GMT Do you know what network services are enabled on your systems? Many administrators simply don't know. They've never bothered to question it—they never thought it was a problem. Hopefully by now you realize that not every program your system runs is necessarily healthy for it (or you) from a security point of view... by Andreas Schmidt http://e-articles.info/e/a/title/Disabling-Network-Services-in-UNIX/LINUX/ http://e-articles.info/e/a/title/Disabling-Network-Services-in-UNIX/LINUX/ Sun, 02 Sep 2007 02:31:50 GMT The easiest way to use a shared library is to ignore the fact that it is a shared library. The C compiler automatically uses shared libraries instead of static ones unless it is explicitly told to link with static libraries. However, there are three other ways to use shared libraries... by Lorent Konenbal http://e-articles.info/e/a/title/Using-Shared-Libraries/ http://e-articles.info/e/a/title/Using-Shared-Libraries/ Sat, 04 Aug 2007 03:39:55 GMT The ldconfig program does all the hard work of installing a shared library. You just need to put the files in place and run ldconfig. Follow these steps: 1... by Lorent Konenbal http://e-articles.info/e/a/title/Installing-Shared-Libraries/ http://e-articles.info/e/a/title/Installing-Shared-Libraries/ Wed, 01 Aug 2007 04:47:15 GMT Shared libraries have several advantages over static libraries: Linux shares the memory used for executable code among all the processes that use the shared library, so whenever you have more than one program using the same code, it is to your advantage, and to your users' advantage, to put the code in a shared library. Because shared libraries save system memory, they can make the whole system work faster, especially in situations in which memory is not plentiful. Because code in a shared library is not copied into the executable, only one copy of the library code resides on disk, saving both disk space and the computer's time spent copying the code from disk to memory when programs are run... by Lorent Konenbal http://e-articles.info/e/a/title/Shared-Libraries/ http://e-articles.info/e/a/title/Shared-Libraries/ Wed, 25 Jul 2007 05:55:20 GMT One of the best strategies for making a program secure against attempts to exploit their privileges is to make the parts of a program that can be attacked as simple as possible. While this strategy can be difficult to employ for network programs and system daemons, programs that must be run with special permissions (via the setuid or setgid bits, or run by the root user) can usually use a few common mechanisms to limit their areas of vulnerability. Giving Up Permissions Many programs that need special privileges use those privileges only at startup time... by Humberto Mitchson http://e-articles.info/e/a/title/Minimizing-the-Risk-for-Software-Attack-under-Linux-Platforms/ http://e-articles.info/e/a/title/Minimizing-the-Risk-for-Software-Attack-under-Linux-Platforms/ Wed, 25 Jul 2007 06:23:25 GMT The purpose of this article is to give a few useful tips for OpenBSD including information on how to make a bootable CD from the OpenBSD files downloadable on the Internet. The BSD systems differ from Linux in several aspects. They are incredibly stable and also have a different history... by Juraj Sipos http://e-articles.info/e/a/title/A-FEW-QUICK-TIPS-FOR-OPENBSD/ http://e-articles.info/e/a/title/A-FEW-QUICK-TIPS-FOR-OPENBSD/ Sat, 21 Jul 2007 07:31:30 GMT Building shared libraries is only marginally harder than building normal static libraries. There are a few constraints, all of which are easy to manage. There is also one major feature, designed to manage binary compatibility across library versions, that is unique to shared libraries... by Lorent Konenbal http://e-articles.info/e/a/title/Designing-Shared-Libraries/ http://e-articles.info/e/a/title/Designing-Shared-Libraries/ Sat, 21 Jul 2007 08:39:35 GMT Once you have grasped the concept of sonames, the rest is easy. Just follow a few simple rules. Build your sources with gcc's -fPIC flag... by Lorent Konenbal http://e-articles.info/e/a/title/Building-Shared-Libraries/ http://e-articles.info/e/a/title/Building-Shared-Libraries/ Sun, 15 Jul 2007 09:47:40 GMT Static libraries are simply collections of object files arranged by the ar (archiver) utility. ar collects object files into one archive file and adds a table that tells which object files in the archive define what symbols. The linker, ld, then binds references to a symbol in one object file to the definition of that symbol in an object file in the archive... by Lorent Konenbal http://e-articles.info/e/a/title/Static-Libraries/ http://e-articles.info/e/a/title/Static-Libraries/ Wed, 11 Jul 2007 10:55:45 GMT rlogind and rshd are the remote login and remote shell daemon. These so-called r services use TCP ports 513 and 514, respectively. The RLOGIN protocol is described in RFC 1282 and RSH in RFC... by Andreas Schmidt http://e-articles.info/e/a/title/LINUX-r-Services/ http://e-articles.info/e/a/title/LINUX-r-Services/ Mon, 04 Jun 2007 11:23:50 GMT A buffer overflow occurs when a program or process tries to store more data in a temporary data storage area than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Buffer overflows are a fertile source of bugs and malicious attacks... by Suhas Desai http://e-articles.info/e/a/title/Buffer-Overflow/ http://e-articles.info/e/a/title/Buffer-Overflow/ Thu, 19 Apr 2007 12:31:55 GMT Problem: Many times administrators will find themselves on a Windows machine with no way to access a remote server securely since Microsoft does not yet package an SSH client. There are a number of excellent tools available that provide SSH client connectivity from a Windows platform. A list of these tools is available at http://e-articles.info/e/a/title/Install-SSH-Windows-Clients-to-Access-Remote-Machines-Securely/ http://e-articles.info/e/a/title/Install-SSH-Windows-Clients-to-Access-Remote-Machines-Securely/ Wed, 28 Mar 2007 13:39:15 GMT Problem: Using public key authentication makes logging in to a server with SSH more secure, but less convenient due to having to type in a longer and more complex passphrase. STEP1: Use ssh-agent and ssh-add to store your private keys in memory To make public key authentication more convenient to use, the OpenSSH developers created the ssh-agent and ssh-add programs. These programs are designed to keep your private keys decrypted in memory for your current session... by Neal Canny http://e-articles.info/e/a/title/How-to-use-OpenSSH-Passphrase-Agents/ http://e-articles.info/e/a/title/How-to-use-OpenSSH-Passphrase-Agents/ Wed, 28 Mar 2007 14:47:20 GMT A second method to transfer files from a Windows command line prompt is to use PSCP. Unlike PSFTP, PSCP is not interactive and is designed to transfer files "in one shot" and then exit, much like OpenSSH's scp command. PSCP also allows you to specify wildcards within filenames (PSFTP does not)... by Allan Servedio http://e-articles.info/e/a/title/Transfer-files-from-the-command-line-with-PSCP/ http://e-articles.info/e/a/title/Transfer-files-from-the-command-line-with-PSCP/ Tue, 27 Mar 2007 15:55:25 GMT There are multiple ways to create an SSH session from the command line using PuTTY. The first way involves using the PuTTY program itself. PuTTY comes with a number of options that can be used to invoke the graphical PuTTY terminal from the command line... by Allan Servedio http://e-articles.info/e/a/title/Create-an-SSH-session-from-the-command-line-using-PuTTY/ http://e-articles.info/e/a/title/Create-an-SSH-session-from-the-command-line-using-PuTTY/ Tue, 27 Mar 2007 16:23:30 GMT Problem: How can a key-pair be created in OpenSSH?STEP1: Generating your public/private key-pairThe ssh-keygen command is utilized to generate your public and private keys. OpenSSH provides authentication methods via a choice of three public key "cryptosystems": RSA1, RSA, and DSA. RSA1 works with SSHv1 while RSA and DSA are for SSHv2... by Neal Canny http://e-articles.info/e/a/title/How-to-Generate-a-Key-Pair-Using-OpenSSH/ http://e-articles.info/e/a/title/How-to-Generate-a-Key-Pair-Using-OpenSSH/ Sun, 25 Mar 2007 17:31:35 GMT Using PuTTY from the command line will create an SSH interactive session. This may not be what we want if for example we need to remain at the Windows command line or we want to issue an SSH command from within a script. In order to satisfy these types of needs, PuTTY provides a tool called Plink... by Allan Servedio http://e-articles.info/e/a/title/Using-Plink-to-initiate-an-SSH-session-from-the-command-line-or-a-script/ http://e-articles.info/e/a/title/Using-Plink-to-initiate-an-SSH-session-from-the-command-line-or-a-script/ Sat, 17 Mar 2007 18:39:40 GMT One method to transfer files from the Windows command line is to use PSFTP. PSFTP creates an interactive SFTP file transfer session where you can use many of the commands available within a normal FTP session. Since PSFTP uses the SFTP protocol, which is only available with servers running protocol SSHv2, you may not be able to run it on every server... by Allan Servedio http://e-articles.info/e/a/title/Interactively-transfer-files-from-the-command-line-with-PSFTP/ http://e-articles.info/e/a/title/Interactively-transfer-files-from-the-command-line-with-PSFTP/ Mon, 12 Mar 2007 19:47:45 GMT STEP1: Use Pageant to store your private keys in memory To make public key authentication more convenient, the developers of PuTTY created Pageant. Pageant is a program included with PuTTY that will keep your decrypted private keys in memory so you only have to enter your passphrase once rather than every time you authenticate to a server using public key authentication. While this will make your day-to-day use more convenient, please keep in mind that it also poses a slight risk, since other applications (including viruses) might be able to access these decrypted keys in memory... by Neal Canny http://e-articles.info/e/a/title/How-to-use-PuTTY-Passphrase-Agents/ http://e-articles.info/e/a/title/How-to-use-PuTTY-Passphrase-Agents/ Wed, 28 Feb 2007 20:55:50 GMT Problem: Since many programs use services that send clear-text data over the network, it is desirable to find something that can be used to encrypt the network traffic for these services while minimizing any change to end users. SSH provides this functionality with port forwarding. Port forwarding allows a user to create an encrypted session from a client to a remote server for any TCP-based service by tunneling the service through SSH... by Neal Canny http://e-articles.info/e/a/title/Port-Forwarding-with-SSH/ http://e-articles.info/e/a/title/Port-Forwarding-with-SSH/ Mon, 26 Feb 2007 21:23:55 GMT Problem: The common UNIX remote access protocols - telnet, FTP and the Berkeley r-commands -- are unencrypted. Account and password information can easily be sniffed by unauthorized intruders and others who have been granted access to the same network. OpenSSH can be used to encrypt all remote sessions, thereby eliminating this vulnerability... by Allan Servedio http://e-articles.info/e/a/title/Install-OpenSSH-to-Replace-the-Remote-Access-Protocols-with-Encrypted-Versions/ http://e-articles.info/e/a/title/Install-OpenSSH-to-Replace-the-Remote-Access-Protocols-with-Encrypted-Versions/ Tue, 02 Jan 2007 22:31:15 GMT Problem: Automated scripts and file transfers cannot decrypt password-protected public keys. It is possible to use public key authentication to automatically transfer files from one machine to another. While this is usually not recommended, it may be desirable for batch scripts... by Neal Canny http://e-articles.info/e/a/title/Using-Public-Key-Authentication-for-Automated-File-Transfers/ http://e-articles.info/e/a/title/Using-Public-Key-Authentication-for-Automated-File-Transfers/ Thu, 28 Dec 2006 23:39:20 GMT