neysx 06/09/18 09:22:48
Modified: shb-chroot.xml shb-firewalls.xml shb-intrusion.xml
shb-kernel.xml shb-limits.xml shb-logging.xml
shb-mounting.xml shb-pam.xml shb-perms.xml
shb-pre.xml shb-services.xml shb-tight.xml
shb-uptodate.xml
Log:
#147760 Removed all trailing spaces, no content change
Revision Changes Path
1.3 xml/htdocs/doc/en/security/shb-chroot.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml?rev=1.3&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml?rev=1.3&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml?r1=1.2&r2=1.3
Index: shb-chroot.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-chroot.xml 15 Dec 2005 22:45:57 -0000 1.2
+++ shb-chroot.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v
1.2 2005/12/15 22:45:57 rane Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v
1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -32,13 +32,13 @@
</p>
<p>
-Create the <path>/chroot</path> directory with <c>mkdir /chroot</c>. And find
what
-dynamic libraries that <c>bash</c> is compiled with (if it is compiled with
+Create the <path>/chroot</path> directory with <c>mkdir /chroot</c>. And find
what
+dynamic libraries that <c>bash</c> is compiled with (if it is compiled with
<c>-static</c> this step is not necessary):
</p>
<p>
-The following command will create a list of libraries used by <c>bash</c>.
+The following command will create a list of libraries used by <c>bash</c>.
</p>
<pre caption="Get listing of used libraries">
@@ -63,28 +63,28 @@
Next copy the files used by <c>bash</c> (<path>/lib</path>) to the chrooted
<path>lib</path> and copy the bash command to the chrooted <path>bin</path>
directory. This will create the exact same environment, just with less
-functionality. After copying try it out: <c>chroot /chroot/bash /bin/bash</c>.
+functionality. After copying try it out: <c>chroot /chroot/bash /bin/bash</c>.
If you get an prompt saying <path>/</path> it works! Otherwise it will properly
tell you what a file is missing. Some shared libraries depend on each other.
</p>
<p>
-You will notice that inside the chroot nothing works except <c>echo</c>. This
-is because we have no other commands in out chroot environment than bash and
+You will notice that inside the chroot nothing works except <c>echo</c>. This
+is because we have no other commands in out chroot environment than bash and
<c>echo</c> is a build-in functionality.
</p>
<p>
-This is basically the same way you would create a chrooted service. The only
-difference is that services sometimes rely on devices and configuration files
-in <path>/etc</path>. Simply copy them (devices can be copied with <c>cp
--a</c>) to the chrooted environment, edit the init script to use chroot before
-executing. It can be difficult to find what devices and configuration files a
-services need. This is where the <c>strace</c> command becomes handy. Start
-the service with <c>/usr/bin/strace</c> bash and look for open, read, stat and
-maybe connect. This will give you a clue on what files to copy. But in most
-cases just copy the passwd file (edit the copy and remove users that has
-nothing to do with the service), <path>/dev/zero</path>, <path>/dev/log</path>
+This is basically the same way you would create a chrooted service. The only
+difference is that services sometimes rely on devices and configuration files
+in <path>/etc</path>. Simply copy them (devices can be copied with <c>cp
+-a</c>) to the chrooted environment, edit the init script to use chroot before
+executing. It can be difficult to find what devices and configuration files a
+services need. This is where the <c>strace</c> command becomes handy. Start
+the service with <c>/usr/bin/strace</c> bash and look for open, read, stat and
+maybe connect. This will give you a clue on what files to copy. But in most
+cases just copy the passwd file (edit the copy and remove users that has
+nothing to do with the service), <path>/dev/zero</path>, <path>/dev/log</path>
and <path>/dev/random</path>.
</p>
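Review bot: the context lines in this hunk still carry "If you get an prompt", "it will properly tell you what a file is missing" and "in out chroot environment" (for "a prompt", "probably tell you which file is missing" and "in our chroot"); they are out of scope for a whitespace-only commit but should go in the follow-up. The bigger gap is in the procedure itself: `chroot /chroot/bash /bin/bash` and "edit the init script to use chroot before executing" leave the service running as root inside the chroot, and a root process can leave a chroot, so the text should say that the init script must also switch to an unprivileged user after the chroot call. For the "copy the passwd file" advice, make explicit that only the pruned passwd copy goes in, never shadow. For the strace step, `strace -f -e trace=file,network` on the daemon itself is what reveals the files and sockets it needs; running strace on bash only shows bash's own opens.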
1.4 xml/htdocs/doc/en/security/shb-firewalls.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml?rev=1.4&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml?rev=1.4&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml?r1=1.3&r2=1.4
Index: shb-firewalls.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- shb-firewalls.xml 12 Dec 2005 02:10:43 -0000 1.3
+++ shb-firewalls.xml 18 Sep 2006 09:22:48 -0000 1.4
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml,v 1.3
2005/12/12 02:10:43 vanquirius Exp $ -->
+<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml,v 1.4
2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -15,10 +15,10 @@
<body>
<p>
-People often think that a firewall provides the ultimate security, but they
-are wrong. In most cases a misconfigured firewall gives less security than
-not having one at all. A firewall is also a piece of software and should be
-treated the same way as any other piece of software, because it is just as
likely
+People often think that a firewall provides the ultimate security, but they
+are wrong. In most cases a misconfigured firewall gives less security than
+not having one at all. A firewall is also a piece of software and should be
+treated the same way as any other piece of software, because it is just as
likely
to contain bugs.
</p>
@@ -101,7 +101,7 @@
<ul>
<li>Simple and easy to implement</li>
<li>
- Can give warnings of a possible attack before it happens (ie. by detecting
+ Can give warnings of a possible attack before it happens (ie. by detecting
port scans)
</li>
<li>Good for stopping SYN attacks</li>
@@ -120,7 +120,7 @@
</ul>
<!--FIXME: should SmoothWall really be included, since it uses iptables?-->
<note>
-It is recommended that you use iptables. Ipchains is obsoleted.
+It is recommended that you use iptables. Ipchains is obsoleted.
</note>
</body>
@@ -241,7 +241,7 @@
<p>
Iptables is the new and heavily improved packet filter in the Linux 2.4.x
kernel. It is the successor of the previous ipchains packet filter in the Linux
-2.2.x kernel. One of the major improvements is that iptables is able to
perform
+2.2.x kernel. One of the major improvements is that iptables is able to perform
stateful packet filtering. With stateful packet filtering it is possible to
keep track of each established TCP connection.
</p>
@@ -273,41 +273,41 @@
</p>
<p>
-Iptables provides several other features like NAT (Network Address
Translation)
-and rate limiting. Rate limiting is extremely useful when trying to prevent
+Iptables provides several other features like NAT (Network Address Translation)
+and rate limiting. Rate limiting is extremely useful when trying to prevent
certain DoS (Denial of Service) attacks like SYN floods.
</p>
<p>
-A TCP connection is established by a so called three-way handshake. When
-establishing a TCP connection the client-side sends a packet to the server
-with the SYN flag set. When the server-side receives the SYN packet it
-responds by sending a SYN+ACK packet back to the client-side. When the SYN+ACK
-is received the client-side responds with a third ACK packet in effect
+A TCP connection is established by a so called three-way handshake. When
+establishing a TCP connection the client-side sends a packet to the server
+with the SYN flag set. When the server-side receives the SYN packet it
+responds by sending a SYN+ACK packet back to the client-side. When the SYN+ACK
+is received the client-side responds with a third ACK packet in effect
acknowledging the connection.
</p>
<p>
-A SYN flood attack is performed by sending the SYN packet but failing to
-respond to the SYN+ACK packet. The client-side can forge a packet with a fake
+A SYN flood attack is performed by sending the SYN packet but failing to
+respond to the SYN+ACK packet. The client-side can forge a packet with a fake
source IP address because it does not need a reply. The server-side system will
-add an entry to a queue of half-open connections when it receives the SYN
-packet and then wait for the final ACK packet before deleting the entry from
-the queue. The queue has a limited number of slots and if all the slots are
-filled it is unable to open any further connections. If the ACK packet is not
-received before a specified timeout period the entry will automatically be
-deleted from the queue. The timeout settings vary but will typically be 30-60
-seconds or even more. The client-side initiates the attack by forging a lot of
-SYN packets with different source IP addresses and sends them to the target IP
-address as fast as possible and thereby filling up the queue of half-open
+add an entry to a queue of half-open connections when it receives the SYN
+packet and then wait for the final ACK packet before deleting the entry from
+the queue. The queue has a limited number of slots and if all the slots are
+filled it is unable to open any further connections. If the ACK packet is not
+received before a specified timeout period the entry will automatically be
+deleted from the queue. The timeout settings vary but will typically be 30-60
+seconds or even more. The client-side initiates the attack by forging a lot of
+SYN packets with different source IP addresses and sends them to the target IP
+address as fast as possible and thereby filling up the queue of half-open
connections and thus preventing other clients from establishing a legitimate
connection with the server.
</p>
<p>
-This is where the rate limit becomes handy. It is possible to limit the rate
-of accepted SYN packets by using the <c>-m limit --limit 1/s</c>. This will
-limit the number of SYN packets accepted to one per second and therefore
+This is where the rate limit becomes handy. It is possible to limit the rate
+of accepted SYN packets by using the <c>-m limit --limit 1/s</c>. This will
+limit the number of SYN packets accepted to one per second and therefore
restricting the SYN flood on our resources.
</p>
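Review bot: "This will limit the number of SYN packets accepted to one per second" overstates what `-m limit --limit 1/s` does. limit is a match, not a target: the rule accepts SYNs up to the rate (plus the default burst of 5) and the excess is only dropped if a later rule drops it, otherwise nothing is limited. It is also a single global token bucket rather than a per-source one, so one attacker sending more than a SYN per second starves every legitimate client; the paragraph should say that this protects the half-open queue at the cost of availability, and that SYN cookies (net.ipv4.tcp_syncookies) are the kernel-side defence that does not have that problem.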
@@ -324,16 +324,16 @@
</p>
<p>
-When iptables is loaded in the kernel it has 5 hooks where you can place your
-rules. They are called <c>INPUT</c>, <c>OUTPUT</c>, <c>FORWARD</c>,
-<c>PREROUTING</c> and <c>POSTROUTING</c>. Each of these is called a chain and
-consists of a list of rules. Each rule says if the packet header looks like
-this, then here is what to do with the packet. If the rule does not match the
+When iptables is loaded in the kernel it has 5 hooks where you can place your
+rules. They are called <c>INPUT</c>, <c>OUTPUT</c>, <c>FORWARD</c>,
+<c>PREROUTING</c> and <c>POSTROUTING</c>. Each of these is called a chain and
+consists of a list of rules. Each rule says if the packet header looks like
+this, then here is what to do with the packet. If the rule does not match the
packet the next rule in the chain is consulted.
</p>
<p>
-You can place rules directly in the 5 main chains or create new chains and add
+You can place rules directly in the 5 main chains or create new chains and add
them to as a rule to an existing chain. Iptables supports the following
options.
</p>
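Review bot: "5 hooks ... Each of these is called a chain" conflates the netfilter hooks with the chains of a table. The filter table, which is where all the rules in this chapter go, only has INPUT, OUTPUT and FORWARD; PREROUTING and POSTROUTING live in the nat and mangle tables (the script below uses `-t nat -A POSTROUTING` for exactly that reason). Suggest naming the table each chain belongs to so the reader does not try `-A PREROUTING` without `-t nat`.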
@@ -528,7 +528,7 @@
<ti>owner</ti>
<ti>Attempt to match various characteristics of the packet creator</ti>
<ti>
- --uid-owner userid --gid-owner groupid --pid-owner processid --sid-owner
+ --uid-owner userid --gid-owner groupid --pid-owner processid --sid-owner
sessionid
</ti>
</tr>
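Review bot: `--pid-owner processid` and `--sid-owner sessionid` were removed from the owner match in Linux 2.6.14; only `--uid-owner` and `--gid-owner` remain, so this row documents options that fail on current kernels. Suggest dropping the two or marking them as 2.4-only.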
@@ -539,7 +539,7 @@
</table>
<p>
-Lets try to create a user-defined chain and apply it to one of the existing
+Lets try to create a user-defined chain and apply it to one of the existing
chains:
</p>
@@ -556,7 +556,7 @@
</pre>
<p>
-By applying the rule to the input chain we get the policy: All outgoing
packets
+By applying the rule to the input chain we get the policy: All outgoing packets
are allowed and all incoming packets are dropped.
</p>
@@ -573,11 +573,11 @@
<ul>
<li>Connections to the firewall are only allowed through SSH (port 22)</li>
<li>
- The local network should have access to HTTP, HTTPS and SSH (DNS should also
+ The local network should have access to HTTP, HTTPS and SSH (DNS should also
be allowed)
</li>
<li>
- ICMP traffic can contain payload and should not be allowed. Of course we
have
+ ICMP traffic can contain payload and should not be allowed. Of course we have
to allow some ICMP traffic.
</li>
<li>Port scans should be detected and logged</li>
@@ -621,7 +621,7 @@
$IPTABLES -N allowed-connection
$IPTABLES -F allowed-connection
$IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j
ACCEPT
- $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix
\
+ $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix \
"Bad packet from ${IINTERFACE}:"
$IPTABLES -A allowed-connection -j DROP
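Review bot: `-m limit` without an explicit `--limit` uses the default of 3/hour with a burst of 5, so the "Bad packet from" LOG rule in allowed-connection will log almost nothing once a scan starts. Use an explicit rate such as `--limit 5/minute`, as the check-flags chain further down does, and keep in mind that LOG is non-terminating, which is why the `-j DROP` on the next line is still required.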
@@ -629,9 +629,9 @@
einfo "Creating icmp chain"
$IPTABLES -N icmp_allowed
$IPTABLES -F icmp_allowed
- $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
+ $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
time-exceeded -j ACCEPT
- $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
+ $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
destination-unreachable -j ACCEPT
$IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
$IPTABLES -A icmp_allowed -p icmp -j DROP
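Review bot: ICMP errors that belong to a tracked connection are classified RELATED by conntrack, not NEW, so the two `--state NEW` ACCEPT rules will not match the time-exceeded and destination-unreachable messages that actually matter (including fragmentation-needed, which path MTU discovery depends on), and the trailing `-p icmp -j DROP` discards them before the ESTABLISHED,RELATED rule in allowed-connection is ever consulted. Match `--state NEW,RELATED` on those two rules, or add `-m state --state RELATED -p icmp -j ACCEPT` at the top of the chain.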
@@ -641,11 +641,11 @@
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
#Flood protection
- $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp
--tcp-flags \
+ $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp
--tcp-flags \
ALL RST --dport ssh -j ACCEPT
- $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp
--tcp-flags \
+ $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp
--tcp-flags \
ALL FIN --dport ssh -j ACCEPT
- $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp
--tcp-flags \
+ $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp
--tcp-flags \
ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p
tcp --dport ssh -j ACCEPT
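Review bot: the "Flood protection" rules each use one shared `-m limit` bucket, so any remote host sending more than one SYN per second to port 22 (after the burst of 5) makes every further new SSH connection, including the administrator's, fall through the chain and get dropped; that is a lockout, not protection. A per-source limit (`-m recent` or `-m hashlimit`) on the SYN rule is what is wanted. The `ALL RST` and `ALL FIN` rules accept packets with only that single flag set, which never begin a valid connection, so those two rules serve no purpose and can go.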
@@ -658,9 +658,9 @@
einfo "Creating outgoing dns traffic chain"
$IPTABLES -N allow-dns-traffic-out
$IPTABLES -F allow-dns-traffic-out
- $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \
+ $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \
-j ACCEPT
- $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \
+ $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \
-j ACCEPT
einfo "Creating outgoing http/https traffic chain"
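Review bot: only UDP to port 53 is allowed for $DNS1 and $DNS2. Resolvers fall back to TCP when a response is truncated (answers over 512 bytes, DNSSEC, zone transfers), so add matching `-p tcp --dport domain` rules for both servers; a `-m state --state NEW` qualifier on these rules would also make the intent explicit, since replies are already covered by the ESTABLISHED,RELATED rule.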
@@ -673,29 +673,29 @@
einfo "Creating portscan detection chain"
$IPTABLES -N check-flags
$IPTABLES -F check-flags
- $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
- --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
+ $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
+ --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
+ $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
+ $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
-m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
+ $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
--limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
+ $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
+ $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Apply and add invalid states to the chains
einfo "Applying chains to INPUT"
$IPTABLES -A INPUT -m state --state INVALID -j DROP
- $IPTABLES -A INPUT -j icmp_allowed
+ $IPTABLES -A INPUT -j icmp_allowed
$IPTABLES -A INPUT -j check-flags
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allow-ssh-traffic-in
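Review bot: in INPUT the `-i lo -j ACCEPT` rule comes after the jumps to icmp_allowed and check-flags, so loopback ICMP (a plain `ping localhost`) is dropped by the `-p icmp -j DROP` at the end of icmp_allowed and loopback TCP is subjected to the same flag checks as external traffic; move the lo rule to the top of INPUT. Also note that `--log-level alert` and `--log-level 1` are the same syslog level, so the NMAP-XMAS rule is not logged any more urgently than the XMAS and NULL_SCAN rules, it is just spelled differently.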
@@ -703,7 +703,7 @@
einfo "Applying chains to FORWARD"
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
- $IPTABLES -A FORWARD -j icmp_allowed
+ $IPTABLES -A FORWARD -j icmp_allowed
$IPTABLES -A FORWARD -j check-flags
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j allow-ssh-traffic-in
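Review bot: `-A FORWARD -o lo -j ACCEPT` never matches, because packets are not forwarded out the loopback interface, so this rule is dead and, as in INPUT, icmp_allowed and check-flags run before anything is accepted. Either remove it or match the internal interface if accepting LAN-originated traffic early was the intent.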
@@ -721,7 +721,7 @@
$IPTABLES -A OUTPUT -j allowed-connection
#Allow client to route through via NAT (Network Address Translation)
- $IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE
+ $IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE
eend $?
}
@@ -791,7 +791,7 @@
echo "rules) force settings of new rules"
echo "save) will store settings in ${FIREWALL}"
echo "restore) will restore settings from ${FIREWALL}"
- echo "showstatus) Shows the status"
+ echo "showstatus) Shows the status"
}
</pre>
@@ -831,7 +831,7 @@
browser, authenticated user name, MIME type, and port number (protocol). I
probably forgot some features, but it can be hard to cover the entire list
right
here.
-</p>
+</p>
<p>
In the following example I have added a banner filter instead of a filter based
1.3 xml/htdocs/doc/en/security/shb-intrusion.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.3&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.3&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?r1=1.2&r2=1.3
Index: shb-intrusion.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-intrusion.xml 23 Nov 2005 18:02:07 -0000 1.2
+++ shb-intrusion.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.2
2005/11/23 18:02:07 neysx Exp $ -->
+<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.3
2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -196,7 +196,7 @@
</table>
<p>
-Now you can create you own rules based on the above flags by combining them
+Now you can create you own rules based on the above flags by combining them
like this:
</p>
@@ -232,11 +232,11 @@
</p>
<pre caption="/etc/aide/aide.conf">
-@@ifndef TOPDIR
+@@ifndef TOPDIR
@@define TOPDIR /
@@endif
-@@ifndef AIDEDIR
+@@ifndef AIDEDIR
@@define AIDEDIR /etc/aide
@@endif
@@ -278,7 +278,7 @@
when checking for file integrity. But when updating or creating a new file it
stores the information in <path>/etc/aide/aide.db.new</path>. This is done so
it
won't automatically overwrite the old db file. The option
-<c>report_URL</c> is not yet implemented, but the author's intention was that
+<c>report_URL</c> is not yet implemented, but the author's intention was that
it should be able to e-mail or maybe even execute scripts.
</p>
@@ -456,7 +456,7 @@
<p>
The best way to use <c>chkrootkit</c> to detect an intrusion is to run it
-routinely from <c>cron</c>. To start, emerge
<path>app-admin/chkrootkit</path>.
+routinely from <c>cron</c>. To start, emerge <path>app-admin/chkrootkit</path>.
<c>chkrootkit</c> can be run from the command line by the command of the same
name, or from <c>cron</c> with an entry such as this:
</p>
1.3 xml/htdocs/doc/en/security/shb-kernel.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml?rev=1.3&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml?rev=1.3&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml?r1=1.2&r2=1.3
Index: shb-kernel.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-kernel.xml 4 Aug 2006 10:01:50 -0000 1.2
+++ shb-kernel.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml,v
1.2 2006/08/04 10:01:50 rane Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml,v
1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -40,7 +40,7 @@
<p>
To dynamically change kernel parameters and variables on the fly, you need
<c>CONFIG_SYSCTL</c> defined in your kernel. This is on by default in
-a standard 2.4 kernel.
+a standard 2.4 kernel.
</p>
<pre caption="Deactivate IP forwarding">
@@ -215,7 +215,7 @@
</ul>
<p>
-And there are probably a lot more.
+And there are probably a lot more.
</p>
</body>
1.5 xml/htdocs/doc/en/security/shb-limits.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-limits.xml?rev=1.5&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-limits.xml?rev=1.5&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-limits.xml?r1=1.4&r2=1.5
Index: shb-limits.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-limits.xml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- shb-limits.xml 26 Feb 2006 12:37:22 -0000 1.4
+++ shb-limits.xml 18 Sep 2006 09:22:48 -0000 1.5
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-limits.xml,v
1.4 2006/02/26 12:37:22 nightmorph Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-limits.xml,v
1.5 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -41,7 +41,7 @@
</p>
<note>
-<path>/etc/security/limits.conf</path> is part of the PAM package and will
+<path>/etc/security/limits.conf</path> is part of the PAM package and will
only apply to packages that use PAM.
</note>
@@ -52,7 +52,7 @@
<body>
<p>
-<path>/etc/limits</path> is very similar to the limit file
+<path>/etc/limits</path> is very similar to the limit file
<path>/etc/security/limits.conf</path>. The only difference is the format and
that it only works on users or wild cards (not groups). Let's have a look at a
sample configuration:
@@ -97,7 +97,7 @@
<p>
Start by installing quotas with <c>emerge quota</c>. Then modify your
-<path>/etc/fstab</path> and add <c>usrquota</c> and <c>grpquota</c> to the
+<path>/etc/fstab</path> and add <c>usrquota</c> and <c>grpquota</c> to the
partitions that you want to restrict disk usage on, like in the example below.
</p>
@@ -153,8 +153,8 @@
</p>
<pre caption="Setting up quota's for user kn">
-Quotas for user kn:
-/dev/sda4: blocks in use: 2594, limits (soft = 5000, hard = 6500)
+Quotas for user kn:
+/dev/sda4: blocks in use: 2594, limits (soft = 5000, hard = 6500)
inodes in use: 356, limits (soft = 1000, hard = 1500)
</pre>
@@ -168,7 +168,7 @@
<section>
<title>/etc/login.defs</title>
<body>
-
+
<p>
If your security policy states that users should change their password
every other week, change the value <c>PASS_MAX_DAYS</c> to 14
@@ -203,19 +203,19 @@
</pre>
<impo>
-Be careful when configuring these options, since mistakes will leave you
+Be careful when configuring these options, since mistakes will leave you
with no access to the machine if you do not have root access.
</impo>
<note>
-These settings do not apply to SSH, since SSH does not execute
-<c>/bin/login</c> per default. This can be enabled by setting <c>UseLogin
-yes</c> in <path>/etc/ssh/sshd_config</path>.
+These settings do not apply to SSH, since SSH does not execute
+<c>/bin/login</c> per default. This can be enabled by setting <c>UseLogin
+yes</c> in <path>/etc/ssh/sshd_config</path>.
</note>
<p>
-This will setup login access so members of the wheel group can login locally
-or from the gentoo.org domain. Maybe too paranoid, but better to be safe than
+This will setup login access so members of the wheel group can login locally
+or from the gentoo.org domain. Maybe too paranoid, but better to be safe than
sorry.
</p>
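Review bot: recommending `UseLogin yes` so that the login.defs and login.access settings apply to SSH is a poor trade: with UseLogin, sshd hands interactive sessions to login(1), which disables X11 forwarding and turns off privilege separation after authentication, it has been discouraged for years, and the directive was removed outright in OpenSSH 7.4, so the note simply will not work on current systems. The SSH-side equivalents are PAM (pam_access for the wheel/host rule, pam_time for hours) and sshd's own AllowUsers/AllowGroups. The "from the gentoo.org domain" rule also depends on reverse DNS of the client address, which the client's network controls; restrict by address range instead.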
1.4 xml/htdocs/doc/en/security/shb-logging.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-logging.xml?rev=1.4&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-logging.xml?rev=1.4&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-logging.xml?r1=1.3&r2=1.4
Index: shb-logging.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-logging.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- shb-logging.xml 25 Nov 2005 13:54:03 -0000 1.3
+++ shb-logging.xml 18 Sep 2006 09:22:48 -0000 1.4
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-logging.xml,v
1.3 2005/11/25 13:54:03 neysx Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-logging.xml,v
1.4 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -31,17 +31,17 @@
<body>
<p>
-Syslogd is the most common logger for Linux and Unix in general.
-It has some log rotation facilities, but using
+Syslogd is the most common logger for Linux and Unix in general.
+It has some log rotation facilities, but using
<path>/usr/sbin/logrotate</path> in a cron job (logrotate is configured in
<path>/etc/logrotate.conf</path>) might prove to be more powerful as
-<c>logrotate</c> has many features. How often
+<c>logrotate</c> has many features. How often
log rotation should be done depends on the system load.
</p>
<p>
-Below is the standard <path>syslog.conf</path> with some added features. We
-have uncommented the <c>cron</c> and <c>tty</c> lines and added a remote
+Below is the standard <path>syslog.conf</path> with some added features. We
+have uncommented the <c>cron</c> and <c>tty</c> lines and added a remote
logging server. To further enhance security you could add logging to two
places.
</p>
@@ -113,7 +113,7 @@
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
-#
+#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
@@ -147,7 +147,7 @@
facility (like syslogd), and comes with regular expression matching with which
you can launch external scripts when specific patterns are found. It is very
good
at taking action when needed.
-</p>
+</p>
<p>
The standard configuration is usually enough. If you want to be notified by
@@ -170,18 +170,18 @@
<pre caption="/usr/local/sbin/mail_pwd_failures.sh for qmail">
#!/bin/sh
echo "To: root
-Subject:Failure (Warning: $2)
+Subject:Failure (Warning: $2)
$3
" | /var/qmail/bin/qmail-inject -f root
</pre>
<p>
-Remember to make the script executable by issuing <c>/bin/chmod +x
+Remember to make the script executable by issuing <c>/bin/chmod +x
/usr/local/sbin/mail_pwd_failures.sh</c>
</p>
<p>
-Then uncomment the command line under "Password failures" in
+Then uncomment the command line under "Password failures" in
<path>/etc/metalog/metalog.conf</path> like:
</p>
@@ -248,7 +248,7 @@
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
-filter f_messages { level(info..warn)
+filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
1.3 xml/htdocs/doc/en/security/shb-mounting.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml?rev=1.3&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml?rev=1.3&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml?r1=1.2&r2=1.3
Index: shb-mounting.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-mounting.xml 1 Jun 2005 17:42:46 -0000 1.2
+++ shb-mounting.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.2
2005/06/01 17:42:46 neysx Exp $ -->
+<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.3
2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -22,7 +22,7 @@
<ul>
<li>
- <c>nosuid</c> - Will ignore the SUID bit and make it just like an ordinary
+ <c>nosuid</c> - Will ignore the SUID bit and make it just like an ordinary
file
</li>
<li>
@@ -63,14 +63,14 @@
<note>
I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even if files
normally are never executed from this mount point. The reason for this is that
-qmail is installed in <path>/var/qmail</path> and must be allowed to execute
-and access one SUID file. I setup <path>/usr</path> in read-only mode since I
-never write anything there unless I want to update Gentoo. Then I remount the
+qmail is installed in <path>/var/qmail</path> and must be allowed to execute
+and access one SUID file. I setup <path>/usr</path> in read-only mode since I
+never write anything there unless I want to update Gentoo. Then I remount the
file system in read-write mode, update and remount again.
</note>
<note>
-Even if you do not use qmail, Gentoo still needs the executable bit set on
+Even if you do not use qmail, Gentoo still needs the executable bit set on
<path>/var/tmp</path> since ebuilds are made here. But an alternative path can
be setup if you insist on having <path>/var</path> mounted in <c>noexec</c>
mode.
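Review bot: the second note says "an alternative path can be setup" for building ebuilds without telling the reader what to change; suggest naming the knob, PORTAGE_TMPDIR in /etc/make.conf, so someone who does mount /var noexec can relocate the build directory instead of guessing. Minor style point in the same hunk: "setup" is used twice as a verb ("I setup /usr", "can be setup") where "set up" is meant.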
1.4 xml/htdocs/doc/en/security/shb-pam.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pam.xml?rev=1.4&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pam.xml?rev=1.4&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pam.xml?r1=1.3&r2=1.4
Index: shb-pam.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pam.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- shb-pam.xml 4 Aug 2006 10:20:13 -0000 1.3
+++ shb-pam.xml 18 Sep 2006 09:22:48 -0000 1.4
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pam.xml,v 1.3
2006/08/04 10:20:13 rane Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pam.xml,v 1.4
2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -43,7 +43,7 @@
</p>
<pre caption="/etc/pam.d/sshd">
-auth required pam_unix.so nullok
+auth required pam_unix.so nullok
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
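Review bot: `auth required pam_unix.so nullok` in the sshd stack lets any account with an empty password field authenticate over the network, which sits oddly in a hardening guide; suggest dropping `nullok` from /etc/pam.d/sshd, or adding a sentence explaining why it is kept and what risk it carries.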
@@ -65,13 +65,13 @@
</p>
<pre caption="/etc/pam.d/other">
-auth required pam_deny.so
-auth required pam_warn.so
-account required pam_deny.so
-account required pam_warn.so
-password required pam_deny.so
-password required pam_warn.so
-session required pam_deny.so
+auth required pam_deny.so
+auth required pam_warn.so
+account required pam_deny.so
+account required pam_warn.so
+password required pam_deny.so
+password required pam_warn.so
+session required pam_deny.so
session required pam_warn.so
</pre>
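Review bot: the /etc/pam.d/other stack relies on a subtlety worth one sentence of explanation: because pam_deny.so is listed as `required` rather than `requisite`, the stack keeps running after the failure, so pam_warn.so still gets to log the attempt. Without that note a reader may "fix" the ordering or switch to `requisite` and silently lose the logging.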
1.4 xml/htdocs/doc/en/security/shb-perms.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?rev=1.4&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?rev=1.4&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?r1=1.3&r2=1.4
Index: shb-perms.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- shb-perms.xml 16 Sep 2006 20:52:02 -0000 1.3
+++ shb-perms.xml 18 Sep 2006 09:22:48 -0000 1.4
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v
1.3 2006/09/16 20:52:02 neysx Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v
1.4 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -117,33 +117,33 @@
<body>
<p>
-A file is only considered deleted when there are no more links pointing to it.
-This might sound like a strange concept, but consider that a filename like
-<path>/usr/bin/perl</path> is actually a link to the inode where the data is
+A file is only considered deleted when there are no more links pointing to it.
+This might sound like a strange concept, but consider that a filename like
+<path>/usr/bin/perl</path> is actually a link to the inode where the data is
stored. Any number of links can point to the file, and until all of them are
gone, the file still exists.
</p>
<p>
If your users have access to a partition that isn't mounted with <c>nosuid</c>
-or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, or
-<path>/var/tmp</path> are not separate partitions) you should take care to
-ensure your users don't create hard links to SUID or SGID binaries, so that
+or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, or
+<path>/var/tmp</path> are not separate partitions) you should take care to
+ensure your users don't create hard links to SUID or SGID binaries, so that
after Portage updates they still have access to the old versions.
</p>
<warn>
-if you have received a warning from portage about remaining hard links, and
your
-users can write to a partition that allows executing SUID/SGID files, you
-should read this section carefully. One of your users may be attempting to
-circumvent your update by keeping an outdated version of a program. If your
+if you have received a warning from portage about remaining hard links, and
your
+users can write to a partition that allows executing SUID/SGID files, you
+should read this section carefully. One of your users may be attempting to
+circumvent your update by keeping an outdated version of a program. If your
users cannot create their own SUID files, or can only execute programs using
-the dynamic loader (partitions mounted <c>noexec</c>), you do not have to
+the dynamic loader (partitions mounted <c>noexec</c>), you do not have to
worry.
</warn>
<note>
-Users do not need read access to a file to create a link to it, they only need
+Users do not need read access to a file to create a link to it, they only need
read permission to the directory that contains it.
</note>
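Review bot: the closing note overstates what a hard link needs: creating one requires write and search (execute) permission on the directory where the new link is placed, and only search permission, not read, on the directory holding the target; read access to the target file itself is indeed not needed. Suggest rewording to "they only need write access to a directory on the same filesystem and search permission on the path to the target". Two smaller points in the same hunk: the warning starts with a lowercase "if", and "so that after Portage updates they still have access to the old versions" reads as if that is the goal; "otherwise they keep access to the old versions after Portage updates" states the risk more clearly.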
@@ -152,7 +152,7 @@
</p>
<pre caption="Stat command">
-$ stat /bin/su
+$ stat /bin/su
File: `/bin/su'
Size: 29350 Blocks: 64 IO Block: 131072 regular file
Device: 900h/2304d Inode: 2057419 Links: 1
1.3 xml/htdocs/doc/en/security/shb-pre.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pre.xml?rev=1.3&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pre.xml?rev=1.3&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pre.xml?r1=1.2&r2=1.3
Index: shb-pre.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pre.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-pre.xml 1 Jun 2005 17:42:46 -0000 1.2
+++ shb-pre.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pre.xml,v 1.2
2005/06/01 17:42:46 neysx Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pre.xml,v 1.3
2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -62,7 +62,7 @@
<ul>
<li>
- Any directory tree a user should be able to write to (e.g.
<path>/home</path>,
+ Any directory tree a user should be able to write to (e.g.
<path>/home</path>,
<path>/tmp</path>) should be on a separate partition and use disk quotas.
This
reduces the risk of a user filling up your whole filesystem. Portage
uses <path>/var/tmp</path> to compile files, so that partition should be
large.
@@ -143,7 +143,7 @@
<p>
There are several reasons to draft a security policy for your system(s) and
network.
-</p>
+</p>
<ul>
<li>
1.4 xml/htdocs/doc/en/security/shb-services.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.4&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.4&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?r1=1.3&r2=1.4
Index: shb-services.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- shb-services.xml 11 Mar 2006 16:44:44 -0000 1.3
+++ shb-services.xml 18 Sep 2006 09:22:48 -0000 1.4
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.3
2006/03/11 16:44:44 swift Exp $ -->
+<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.4
2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -35,8 +35,8 @@
#Make it listen on your ip
Listen 127.0.0.1
BindAddress 127.0.0.1
-#It is not a good idea to use nobody or nogroup -
-#for every service not running as root
+#It is not a good idea to use nobody or nogroup -
+#for every service not running as root
#(just add the user apache with group apache)
User apache
Group apache
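Review bot: `BindAddress` is an Apache 1.3 directive that was removed in 2.0, where `Listen 127.0.0.1` alone restricts the listening address; the snippet should say which Apache version it targets or drop the obsolete line so 2.x users do not copy a directive their server will reject.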
@@ -46,7 +46,7 @@
</pre>
<p>
-Apache is compiled with <c>--enable-shared=max</c> and
+Apache is compiled with <c>--enable-shared=max</c> and
<c>--enable-module=all</c>. This will by default enable all modules, so you
should comment out all modules in the <c>LoadModule</c> section
(<c>LoadModule</c> and <c>AddModule</c>) that you do not use. Restart the
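Review bot: `AddModule` exists only in Apache 1.3; on 2.x the reader will find only `LoadModule` lines and may wonder what is missing, so the parenthetical "(LoadModule and AddModule)" should be qualified by version or reduced to `LoadModule`.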
@@ -72,13 +72,13 @@
</p>
<p>
-The newer BIND ebuilds support chrooting out of the box. After emerging
+The newer BIND ebuilds support chrooting out of the box. After emerging
<c>bind</c> follow these simple instructions:
</p>
<pre caption="Chrooting BIND">
ebuild /var/db/pkg/net-dns/bind-9.2.2-r2/bind-9.2.2-r2.ebuild config\`"
-<comment>(Before running the above command you might want to change the chroot
+<comment>(Before running the above command you might want to change the chroot
directory in /etc/conf.d/named. Otherwise /chroot/dns will be used.)</comment>
<comment>(You might need to substitute the version number with the current
version number )</comment>
</pre>
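Review bot: the command line ends in a stray `\`"` after `config`, which would break a copy-and-paste of the line; it should end at `config`. The hard-coded bind-9.2.2-r2 path also fights the comment that asks the reader to substitute the version; `emerge --config net-dns/bind` runs the same pkg_config step without naming a version.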
@@ -118,7 +118,7 @@
<body>
<p>
-If you only need local applications to access the <c>mysql</c> database,
+If you only need local applications to access the <c>mysql</c> database,
uncomment the following line in <path>/etc/mysql/my.cnf</path>.
</p>
@@ -227,7 +227,7 @@
<p>
Use virtual users (never system accounts) by enabling the <c>AUTH</c> option.
Set this to <c>-lpuredb:/etc/pureftpd.pdb</c> and create your users by using
-<c>/usr/bin/pure-pw</c>.
+<c>/usr/bin/pure-pw</c>.
</p>
<pre caption="/etc/conf.d/pure-ftpd">
@@ -261,7 +261,7 @@
<p>
Vsftpd (short for very secure ftp) is a small ftp daemon running a reasonably
-default configuration. It is simple and does not have as many features as
+default configuration. It is simple and does not have as many features as
pureftp and proftp.
</p>
@@ -327,7 +327,7 @@
#allow traffic from 10.0.0.*
hosts allow = 10.0.0.
- #Enables user authentication
+ #Enables user authentication
#(don't use the share mode)
security = user
@@ -366,7 +366,7 @@
<p>
The only securing that OpenSSH needs is turning on a stronger authentication
based on public key encryption. Too many sites (like
-<uri>http://www.sourceforge.net</uri>, <uri>http://www.php.net</uri> and
+<uri>http://www.sourceforge.net</uri>, <uri>http://www.php.net</uri> and
<uri>http://www.apache.org</uri>) have suffered unauthorized intrusion
due to password leaks or bad passwords.
</p>
@@ -391,11 +391,11 @@
AllowGroups wheel admin
#In those groups only allow the following users
-#The @<domainname> is optional but replaces the
+#The @<domainname> is optional but replaces the
#older AllowHosts directive
AllowUsers [EMAIL PROTECTED] [EMAIL PROTECTED]
-#Logging
+#Logging
SyslogFacility AUTH
LogLevel INFO
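Review bot: the `AllowUsers` example shows `[EMAIL PROTECTED]` twice, which is the list archive's address scrubber rewriting the intended user@domainname entries; readers of the archived diff cannot see the syntax the preceding comment ("The @<domainname> is optional") describes. Worth checking the committed file renders the real `user@host` form.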
@@ -433,8 +433,8 @@
</pre>
<p>
-This will add two files in your <path>~/.ssh/</path> directory called
-<path>id_dsa</path> and <path>id_dsa.pub</path>. The file called
+This will add two files in your <path>~/.ssh/</path> directory called
+<path>id_dsa</path> and <path>id_dsa.pub</path>. The file called
<path>id_dsa</path> is your private key and should be kept from other people
than yourself. The other file <path>id_dsa.pub</path> is to be distributed to
every server that you have access to. Add the key to the users home directory
@@ -444,7 +444,7 @@
<pre caption="Adding the id_dsa.pub file to the authorized_keys file">
$ <i>scp id_dsa.pub other-host:/var/tmp/currenthostname.pub</i>
$ <i>ssh other-host</i>
-password:
+password:
$ <i>cat /var/tmp/currenthostname.pub >> ~/.ssh/authorized_keys</i>
</pre>
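Review bot: the recipe stages the public key in /var/tmp, a world-writable directory, before appending it to ~/.ssh/authorized_keys; between the scp and the cat another local user could replace or add to that file, and the text never checks it. Suggest copying the key into the user's own home directory (or piping it straight to `cat >> ~/.ssh/authorized_keys` over ssh) and adding a reminder that ~/.ssh and authorized_keys must not be group or world writable, or sshd will ignore the key.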
@@ -466,10 +466,10 @@
<body>
<p>
-xinetd is a replacement for <c>inetd</c> (which Gentoo does not have),
+xinetd is a replacement for <c>inetd</c> (which Gentoo does not have),
the Internet services daemon. It supports access control based on the address
of
-the remote host and the time of access. It also provide extensive logging
-capabilities, including server start time, remote host address, remote user
+the remote host and the time of access. It also provide extensive logging
+capabilities, including server start time, remote host address, remote user
name, server run time, and actions requested.
</p>
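Review bot: grammar in the touched line: "It also provide extensive logging capabilities" should be "It also provides extensive logging capabilities".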
@@ -506,10 +506,10 @@
# bind the interfaces to only 1 ip
# allow access from 10.0.0.*
# limit the time developers can use cvs from 8am to 5pm
-# use tpcd wrappers (access control controlled in
+# use tpcd wrappers (access control controlled in
# <i>/etc/hosts.allow</i> and <i>/etc/hosts.deny</i>)
# max_load on the machine set to 1.0
-# The disable flag is per default set to no but I like having
+# The disable flag is per default set to no but I like having
# it in case of it should be disabled
service cvspserver
{
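Review bot: typo in the touched comment line: "use tpcd wrappers" should read "use tcpd wrappers" (the TCP wrappers library consulted via /etc/hosts.allow and /etc/hosts.deny, as the next line says).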
@@ -547,28 +547,28 @@
</p>
<impo>
-If you do not need this service disable it!
+If you do not need this service disable it!
</impo>
<p>
-But if you depend on using your workstation as a Xserver use the
-<c>/usr/X11R6/bin/xhost</c> command with caution. This command allows clients
-from other hosts to connect and use your display. This can become handy if you
-need an X application from a different machine and the only way is through the
+But if you depend on using your workstation as a Xserver use the
+<c>/usr/X11R6/bin/xhost</c> command with caution. This command allows clients
+from other hosts to connect and use your display. This can become handy if you
+need an X application from a different machine and the only way is through the
network, but it can also be exploited by an attacker. The syntax of this
command is <c>/usr/X11R6/bin/xhost +hostname</c>
</p>
<warn>
-Do not ever use the <c>xhost +</c> feature! This will allow any client to
-connect and take control of your X. If an attacker can get access to your X,
-he can log your keystrokes and take control over your desktop. If you have to
+Do not ever use the <c>xhost +</c> feature! This will allow any client to
+connect and take control of your X. If an attacker can get access to your X,
+he can log your keystrokes and take control over your desktop. If you have to
use it always remember to specify a host.
</warn>
<p>
-A more secure solution is to disable this feature completely by starting X
with
-<c>startx -- -nolisten tcp</c> or disable it permanently in the configuration.
+A more secure solution is to disable this feature completely by starting X with
+<c>startx -- -nolisten tcp</c> or disable it permanently in the configuration.
</p>
<pre caption="/usr/X11R6/bin/startx">
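Review bot: style points in the touched lines: "as a Xserver" should be "as an X server", and the paragraph's last sentence is missing its full stop after "xhost +hostname". The warning could also state the safer alternative it hints at: `xhost` grants access by host, so every user on the named host is trusted, which is why the following paragraph's `-nolisten tcp` is the recommended default.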
@@ -603,7 +603,7 @@
</p>
<pre caption="/etc/X11/xdm/Xservers">
-:0 local /usr/bin/X11/X -nolisten tcp
+:0 local /usr/bin/X11/X -nolisten tcp
</pre>
</body>
1.3 xml/htdocs/doc/en/security/shb-tight.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-tight.xml?rev=1.3&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-tight.xml?rev=1.3&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-tight.xml?r1=1.2&r2=1.3
Index: shb-tight.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-tight.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-tight.xml 4 Mar 2006 05:58:44 -0000 1.2
+++ shb-tight.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-tight.xml,v
1.2 2006/03/04 05:58:44 fox2mike Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-tight.xml,v
1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -66,7 +66,7 @@
grub> <i>md5crypt</i>
Password: <i>********</i>
-<comment>(Typed changeme at the prompt)</comment>
+<comment>(Typed changeme at the prompt)</comment>
Encrypted: $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.
grub> <i>quit</i>
@@ -77,7 +77,7 @@
</p>
<pre caption="/boot/grub/grub.conf">
-timeout 5
+timeout 5
password --md5 $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.
</pre>
@@ -104,8 +104,8 @@
</p>
<pre caption="/etc/lilo.conf">
-password=changeme
-restricted
+password=changeme
+restricted
delay=3
</pre>
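Review bot: `password=changeme` is stored in clear text in /etc/lilo.conf, so the surrounding text should tell the reader to make the file readable only by root (chmod 600 /etc/lilo.conf); otherwise any local user can read the boot password and the `restricted` setting buys nothing.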
@@ -114,9 +114,9 @@
</p>
<pre caption="/etc/lilo.conf">
-image=/boot/bzImage
- read-only
- password=changeme
+image=/boot/bzImage
+ read-only
+ password=changeme
restricted
</pre>
1.3 xml/htdocs/doc/en/security/shb-uptodate.xml
file :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml?rev=1.3&view=markup
plain:
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml?rev=1.3&content-type=text/plain
diff :
http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml?r1=1.2&r2=1.3
Index: shb-uptodate.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-uptodate.xml 13 Oct 2005 15:34:30 -0000 1.2
+++ shb-uptodate.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml,v 1.2
2005/10/13 15:34:30 neysx Exp $ -->
+<!-- $Header:
/var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml,v 1.3
2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">
<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -108,7 +108,7 @@
</p>
<p>
-If you want an email each time a GLSA is released subscribe to the
+If you want an email each time a GLSA is released subscribe to the
<c>gentoo-announce</c> mailing list. Instructions for joining it and many other
great mailing lists can be found <uri link="/main/en/lists.xml">Gentoo Linux
Mailing List Overview</uri>.
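Review bot: grammar in the touched paragraph: "can be found <uri ...>Gentoo Linux Mailing List Overview</uri>" is missing a preposition and should read "can be found in the Gentoo Linux Mailing List Overview".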
--
[email protected] mailing list