
Linux Security

X-

    su - user -c "xauth add `xauth list $DISPLAY`; exec env DISPLAY=$DISPLAY program"

TCP-

    netstat -an
    netstat -an | grep LISTEN
    netstat -a | grep ESTABLISH

    lsof -i tcp:3128

tcp-wrapper

/etc/hosts.deny

    ALL : ALL

195.0.1.0

/etc/hosts.allow

    ALL : \
        127.0.0.1
    ALL : \
        195.0.1.0/255.255.255.0

Inetd Xinetd

RedHat 7.3 inetd xinetd, /etc/inetd.conf /etc/xinetd.d/

/etc/xinetd.d/swat

    service swat
    {
        disable         = yes
        port            = 901
        socket_type     = stream
        wait            = no
        only_from       = 127.0.0.1 www.lib.ru 195.0.0.0/24
    #   only_from       = 195.0.0.0/255.255.255.0 127.0 -
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
    }

    service russianproxy
    {
        port            = 8888
        bind            = 195.0.0.3
        socket_type     = stream
        protocol        = tcp
        user            = root
        group           = root
        redirect        = 195.0.0.1 80
        type            = UNLISTED
        wait            = no
        only_from       = 195.0.0.0/24 127.0.0.0/24
    }

    # /etc/xinetd.conf
    # log_type = SYSLOG auth

HTTPS stunnel

HTTPS, SSL-wrapper stunnel: xinetd.conf

    service https
    {
        port            = 443
        socket_type     = stream
        protocol        = tcp
        user            = root
        wait            = no
        disable         = no
        type            = UNLISTED
        server          = /usr/sbin/stunnel
        server_args     = -p /etc/webmin/miniserv.pem -r 80
    }

sendmail, pop3, imap4 SSL

    stunnel -d 465 -r smtp
    stunnel -d 993 -r localhost:imap
    stunnel -d 993 -l /usr/sbin/imapd imapd
    stunnel -d 995 -l /usr/sbin/in.pop3d -- in.pop3d -s

    -d port     - daemon mode
    -r port     - connect to port
    -l program  - start inetd-style program

/etc/services

    https   443/tcp
    smtps   465/tcp
    imaps   993/tcp
    pop3s   995/tcp

/etc/hosts.allow

    localhost.imap : ALL

PPP over SSL

Server (-L for pty mode)

    stunnel -d 2020 -L /usr/sbin/pppd -- pppd local

Client system

    stunnel -c -r server:2020 -L /usr/sbin/pppd -- pppd local

sendmail ?

Date: 10 97
CERT Sendmail 8.8.5.

* Linux *

0.
1. single user mode
2. init
3. root-partition

1. Booting to single-user mode

    LILO: linux single
    LILO: linux 1

Debian /etc/inittab, RedHat -

    # What to do in single-user mode.
    ~~:S:wait:/sbin/sulogin

2. init

    LILO: linux init=/bin/bash
    mount -o remount,rw /

3. root-partition

    LILO: linux root=/dev/hda1

/tmp
UMS DOS
BIOS-setting
LILO-prompt

A workaround can be achieved by using PASSWORD and RESTRICT options in /etc/lilo.conf.

/etc/lilo.conf root.root 600

* kerneld and ifconfig *

/sbin/ifconfig module-name __ /lib/modules kerneld.

X

    Xserver -xkbdir 'id > /tmp/I_WAS_HERE;'

Quick fix:

1. as usual chmod u-s,g-s all installed Xserver binaries (*)
2. use xdm or a SAFE and PARANOID wrapper to start Xserver

Security lilo, lilo root-shell?

    Lilo boot: linux init=/bin/sh rw

RedHat 5.2

    chmod 700 /usr/sbin
    chmod 700 /usr/X11R6
    chmod -s /usr/lib/emacs/20.3/i386-redhat-linux/movemail
    rm /usr/libexec/mail.local          # procmail
    rm /usr/sbin/userhelper             # GUI
    rpm -Uvf lpr-0.48-0.5.2.i386.rpm    # updates

http://www.openwall.com/bind/

    rpm -U vixie-cron-3.0.1-37.5.2.i386.rpm
    ps axuw|grep -i cron
    root      1151  0.0  0.1   864   416 ?  S  21:03  0:00 CROND
    root      1804  1.5  0.1   864   496 ?  S  21:04  0:00 crond

crontab

    -rwsr-x---   1 root   crontab   20200 Aug 27 19:12 crontab

crontab root.crontab, chmod 4710 /usr/bin/crontab

crond

ftpaccess regex (.forward)

sendmail (.forward)

services:

    netstat -an | egrep -v ':80 |udp|:53 '

lsof: fuser
    ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

sockstat:
    http://packetstorm.securify.com/UNIX/IDS/sockstat.c

    fuser -v 6012/tcp

http://www.bog.pp.ru/work/linux.html#firewall

ssh2

1)
    ssh-keygen -t dsa -b 2048 -f ~/.ssh/id_dsa

2)
    Host *
    # ssh
    AddressFamily inet
    # BindAddress -
    ChallengeResponseAuthentication no
    HostKeyAlgorithms ssh-dss
    PreferredAuthentications publickey,password
    Protocol 2
    RSAAuthentication no
    StrictHostKeyChecking yes
    ForwardAgent yes
    ForwardX11 yes

    # publickey t02
    PasswordAuthentication no
    PreferredAuthentications publickey

3) known_hosts dsa (ssh-keyscan -t dsa )

1) .ssh/authorized_keys ~/.ssh/id_dsa.pub

http://bog.pp.ru/work/ssh.html#config

/etc/ssh/ssh_config
~/.ssh/config
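
Added example (not part of the original text): a shell audit for xinetd service definitions like the swat, russianproxy and https entries in the Inetd/Xinetd section above, reporting which enabled services carry no only_from restriction. The function names are this example's own, and the sample input is constructed from those three entries in shortened form.

```shell
#!/bin/sh
# Added example: report xinetd services that are enabled without only_from.

# audit_xinetd [FILE...]  reads xinetd service definitions (stdin if no FILE)
# and prints "<service> DISABLED|RESTRICTED|OPEN", one line per service.
# Limitation: a "defaults" block in /etc/xinetd.conf is not taken into account.
audit_xinetd() {
    awk '
        $1 ~ /^#/ { next }                # a commented-out only_from does not count
        $1 == "service" {                 # start of a definition; "{" may follow
            name = $2; disabled = 0; restricted = 0
            inblock = ($3 == "{"); next
        }
        $1 == "{" { inblock = 1; next }
        inblock && $1 == "disable"   && $3 == "yes" { disabled = 1 }
        inblock && $1 == "only_from" && NF >= 3     { restricted = 1 }
        inblock && $1 == "}" {
            status = disabled ? "DISABLED" : (restricted ? "RESTRICTED" : "OPEN")
            print name, status
            inblock = 0
        }
    ' "$@"
}

# Constructed sample: the three services from the text, shortened.
sample_config() {
    cat <<'EOF'
service swat
{
    disable   = yes
    port      = 901
    only_from = 127.0.0.1 www.lib.ru 195.0.0.0/24
}
service russianproxy
{
    port      = 8888
    redirect  = 195.0.0.1 80
    only_from = 195.0.0.0/24 127.0.0.0/24
}
service https
{
    port      = 443
    disable   = no
#   only_from = 195.0.0.0/24
}
EOF
}

if [ "$#" -gt 0 ]; then audit_xinetd "$@"; else sample_config | audit_xinetd; fi
```

Run it as `sh audit.sh /etc/xinetd.d/*` to check real definitions; an OPEN result is a prompt to confirm the service is meant to be reachable from anywhere, as a public HTTPS wrapper would be.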



