os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add 50 new indexterms

Browse source 
Submitted by:	Valentino Vaschetto <valentino.vaschetto@windriver.com>
This commit is contained in:
Murray Stokely 2001-06-30 14:31:14 +00:00
parent e755684595
commit be1a1a425d
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=9771
1 changed files with 146 additions and 3 deletions

149
en_US.ISO8859-1/books/handbook/security/chapter.sgml
View file

@ -1,11 +1,12 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.52 2001/06/29 12:26:06 tom Exp $
$FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v 1.53 2001/06/29 13:34:34 tom Exp $
-->
<chapter id="security">
<title>Security</title>
<indexterm><primary>security</primary></indexterm>
<para><emphasis>Much of this chapter has been taken from the
&man.security.7; man page, originally written by
@ -76,6 +77,13 @@
</listitem>
</orderedlist>
<indexterm><primary>DOS attacks</primary></indexterm>
<indexterm>
<primary>security</primary>
<secondary>DOS attacks</secondary>
</indexterm>
<indexterm><primary>Denial of Service</primary></indexterm>
<para>A denial of service attack is an action that deprives the
machine of needed resources. Typically, D.O.S. attacks are
brute-force mechanisms that attempt to crash or otherwise make a
@ -91,6 +99,11 @@
able to take your machine down, but it can saturate your
Internet connection.</para>
<indexterm>
<primary>security</primary>
<secondary>account compromises</secondary>
</indexterm>
<para>A user account compromise is even more common than a D.O.S.
attack. Many sysadmins still run standard telnetd, rlogind, rshd,
and ftpd servers on their machines. These servers, by default, do
@ -112,6 +125,11 @@
User account compromises are very common because users tend not to
take the precautions that sysadmins take.</para>
<indexterm>
<primary>security</primary>
<secondary>backdoors</secondary>
</indexterm>
<para>System administrators must keep in mind that there are
potentially many ways to break root on a machine. The attacker
may know the root password, the attacker may find a bug in a
@ -131,6 +149,7 @@
close off the hole the attacker found to break in the first
place.</para>
<para>Security remedies should always be implemented with a
multi-layered <quote>onion peel</quote> approach and can be
categorized as follows:</para>
@ -172,6 +191,11 @@
items in greater depth.</para>
</sect1>
<indexterm>
<primary>security</primary>
<secondary>securing</secondary>
</indexterm>
<sect1 id="securing-freebsd">
<title>Securing FreeBSD</title>
@ -181,6 +205,7 @@
<sect2 id="securing-root-and-staff">
<title>Securing the root account and staff accounts</title>
<indexterm><primary><command>su</command></primary></indexterm>
<para>First off, do not bother securing staff accounts if you have
not secured the root account. Most systems have a password
@ -199,6 +224,9 @@
are disabled there as well. Consider every access method &ndash;
services such as FTP often fall through the cracks. Direct root
logins should only be allowed via the system console.</para>
<indexterm>
<primary><groupname>wheel</groupname></primary>
</indexterm>
<para>Of course, as a sysadmin you have to be able to get to root,
so we open up a few holes. But we make sure these holes require
@ -277,6 +305,7 @@
vast majority of break-ins occur remotely, over a network, from
people who do not have physical access to your workstation or
servers.</para>
<indexterm><primary>Kerberos</primary></indexterm>
<para>Using something like kerberos also gives you the ability to
disable or change the password for a staff account in one place
@ -294,6 +323,31 @@
<sect2>
<title>Securing Root-run Servers and SUID/SGID Binaries</title>
<indexterm>
<primary><application>ntalk</application></primary>
</indexterm>
<indexterm>
<primary><application>comsat</application></primary>
</indexterm>
<indexterm>
<primary><application>finger</application></primary>
</indexterm>
<indexterm>
<primary><application>sandboxes</application></primary>
</indexterm>
<indexterm>
<primary><application>sshd</application></primary>
</indexterm>
<indexterm>
<primary><application>telnetd</application></primary>
</indexterm>
<indexterm>
<primary><application>rshd</application></primary>
</indexterm>
<indexterm>
<primary><application>rlogind</application></primary>
</indexterm>
<para>The prudent sysadmin only runs the servers he needs to, no
more, no less. Be aware that third party servers are often the
most bug-prone. For example, running an old version of imapd or
@ -329,6 +383,9 @@
used by these sandboxes may not be installed. The prudent
sysadmin would research and implement sandboxes for servers
whenever possible.</para>
<indexterm>
<primary><application>sendmail</application></primary>
</indexterm>
<para>There are a number of other servers that typically do not run
in sandboxes: <application>sendmail</application>,
@ -414,6 +471,9 @@
machine. You do not need to give the intruder the capability and
most systems should not have the bpf device compiled in.</para>
<indexterm>
<primary><application>sysctl</application></primary>
</indexterm>
<para>But even if you turn off the bpf device, you still have
<filename>/dev/mem</filename> and <filename>/dev/kmem</filename>
to worry about. For that matter, the intruder can still write to
@ -557,6 +617,7 @@
<sect2>
<title>Denial of Service Attacks</title>
<indexterm><primary>DOS attacks</primary></indexterm>
<para>This section covers Denial of Service attacks. A DOS attack
is typically a packet attack. While there is not much you can do
@ -648,6 +709,8 @@
(except for certain specific Internet-accessible ports, of
course).</para>
<indexterm><primary>ICMP_BANDLIM</primary></indexterm>
<para>Another common DOS attack is called a springboard attack
&ndash; to attack a server in a manner that causes the server to
generate responses which then overload the server, the local
@ -717,6 +780,8 @@
<sect2>
<title>Access Issues with Kerberos and SSH</title>
<indexterm><primary>SSH</primary></indexterm>
<indexterm><primary>Kerberos</primary></indexterm>
<para>There are a few issues with both kerberos and
<application>ssh</application> that need to be addressed if
@ -759,6 +824,14 @@
<sect1 id="crypt">
<title>DES, MD5, and Crypt</title>
<indexterm>
<primary>security</primary>
<secondary>crypt</secondary>
</indexterm>
<indexterm><primary>crypt</primary></indexterm>
<indexterm><primary>DES</primary></indexterm>
<indexterm><primary>MD5</primary></indexterm>
<para><emphasis>Parts rewritten and updated by &a.unfurl;, 21 March
2000.</emphasis></para>
@ -844,6 +917,11 @@ lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -&gt; libdescrypt_p.a</s
<sect1 id="skey">
<title>S/Key</title>
<indexterm><primary>S/Key</primary></indexterm>
<indexterm>
<primary>security</primary>
<secondary>S/Key</secondary>
</indexterm>
<para>S/Key is a one-time password scheme based on a one-way hash
function. FreeBSD uses the MD4 hash for compatibility but other
@ -1136,6 +1214,7 @@ permit port ttyd0</programlisting>
<sect1 id="kerberos">
<title>Kerberos</title>
<indexterm><primary>Kerberos</primary></indexterm>
<para><emphasis>Contributed by &a.markm; (based on contribution by
&a.md;).</emphasis></para>
@ -1149,6 +1228,7 @@ permit port ttyd0</programlisting>
<para>The following instructions can be used as a guide on how to set up
Kerberos as distributed for FreeBSD. However, you should refer to the
relevant manual pages for a complete description.</para>
<indexterm><primary>4.4BSD-Lite</primary></indexterm>
<para>In FreeBSD, the Kerberos is not that from the original 4.4BSD-Lite,
distribution, but eBones, which had been previously ported to FreeBSD
@ -1585,6 +1665,11 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<sect1 id="firewalls">
<title>Firewalls</title>
<indexterm><primary>firewalls</primary></indexterm>
<indexterm>
<primary>security</primary>
<secondary>firewalls</secondary>
</indexterm>
<para><emphasis>Contributed by &a.gpalmer; and Alex Nash.</emphasis></para>
@ -1693,6 +1778,7 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<sect2>
<title>What does IPFW allow me to do?</title>
<indexterm><primary>ipfw</primary></indexterm>
<para><application>IPFW</application>, the software supplied with
FreeBSD, is a packet filtering and accounting system which resides in
@ -1718,6 +1804,10 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<sect2>
<title>Enabling IPFW on FreeBSD</title>
<indexterm>
<primary>ipfw</primary>
<secondary>enabling</secondary>
</indexterm>
<para>As the main part of the <application>IPFW</application> system
lives in the kernel, you will need to add one or more options to your
@ -1780,6 +1870,10 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<sect2>
<title>Configuring IPFW</title>
<indexterm>
<primary>ipfw</primary>
<secondary>configuring</secondary>
</indexterm>
<para>The configuration of the <application>IPFW</application> software
is done through the &man.ipfw.8; utility. The syntax for this
@ -2321,6 +2415,11 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<sect1 id="openssl">
<title>OpenSSL</title>
<indexterm>
<primary>security</primary>
<secondary>OpenSSL</secondary>
</indexterm>
<indexterm><primary>OpenSSL</primary></indexterm>
<para>As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
system. <ulink url="http://www.openssl.org/">OpenSSL</ulink>
@ -2339,6 +2438,11 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<para>Today, the RSA algorithm is free for use in USA and other
countries. In the past it was protected by a patent.</para>
<indexterm>
<primary>OpenSSL</primary>
<secondary>install</secondary>
</indexterm>
<sect2>
<title>Source Code Installations</title>
@ -2352,6 +2456,12 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<sect1 id="ipsec">
<title>IPsec</title>
<indexterm><primary>IPsec</primary></indexterm>
<indexterm>
<primary>security</primary>
<secondary>IPsec</secondary>
</indexterm>
<para><emphasis>Contributed by &a.shin;, 5 March
2000.</emphasis></para>
@ -2694,6 +2804,12 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<sect1 id="openssh">
<title>OpenSSH</title>
<indexterm><primary>OpenSSH</primary></indexterm>
<indexterm>
<primary>security</primary>
<secondary>OpenSSH</secondary>
</indexterm>
<para><emphasis>Contributed by &a.chern;, April 21,
2001.</emphasis>
</para>
@ -2725,6 +2841,11 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<sect2>
<title>Enabling sshd</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>enabling</secondary>
</indexterm>
<para>Be sure to make the following additions to your
<filename>rc.conf</filename> file:
</para>
@ -2736,6 +2857,11 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<sect2>
<title>SSH client</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>client</secondary>
</indexterm>
<para>The &man.ssh.1; utility works similarly to
&man.rlogin.1;.
</para>
@ -2761,8 +2887,15 @@ user@foobardomain.com's password: <userinput>*******</userinput>
<sect2>
<title>Secure copy</title>
<para>The <command>scp</command> command works similarly to rcp; it copies a
file to or from a remote machine, except in a secure fashion.</para>
<indexterm>
<primary>OpenSSH</primary>
<secondary>secure copy</secondary>
</indexterm>
<indexterm><primary>scp</primary></indexterm>
<para>The <command>scp</command> command works similarly to rcp;
it copies a file to or from a remote machine, except in a
secure fashion.</para>
<screen>&prompt.root <userinput> scp <replaceable>user@foobardomain.com:/COPYRIGHT COPYRIGHT</replaceable></userinput>
user@foobardomain.com's password:
@ -2778,6 +2911,11 @@ COPYRIGHT 100% |*****************************| 4735
<sect2>
<title>Configuration</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>configuration</secondary>
</indexterm>
<para>The system-wide configuration files for both the OpenSSH
daemon and client reside within the <filename>/etc/ssh</filename>
directory.
@ -2830,6 +2968,11 @@ Your identification has been saved in /home/user/.ssh/identity.
<sect2>
<title>SSH Tunneling</title>
<indexterm>
<primary>OpenSSH</primary>
<secondary>tunneling</secondary>
</indexterm>
<para>OpenSSH has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.</para>
<para>The following command tells &man.ssh.1; to create a tunnel