Page 1


1

A word from OpenNA Inc. C.E.O.
Dear friends,
Following the introductory issue of "Securing and Optimizing Linux, Red Hat", we decided to
publish the second edition, "The Ultimate Solution", locally. I was rather reluctant to do it in-house
at first, but the overwhelming demand from friends and readers on the Open Source stage made
me resolve to go ahead with the publishing.
As we all know, the explosive growth of the Internet and its related activities has made the computer
an essential part of our infrastructure, a production communication system that reaches millions of
people in all populated countries of the world. New technologies are providing a higher-capacity
service and an economic impact as well. Linux came as the Good Samaritan and provided a
reliable and inexpensive solution to many security concerns for companies and individuals working
in critical and complex fields.
Many books are written every day, and each has features that praise its content; the underlying
theory has produced a lot of challenges to beginners and professionals alike. With "The
Ultimate Solution" we are updating and keeping our audience informed in the same easy and
friendly manner we used in our first book; the reader will find new formulas and solutions
that, although complex, are still easy to implement.
On a final note we are proud of Gerhard's work and hope that you will share with us this feeling.
Maroun Mourani
B.Eng.

This book is dedicated to OpenNA staff. Thanks, guys (no-gender)!!

--Gerhard Mourani
This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste.
Open Network Architecture is committed to using paper with the highest recycled content
available consistent with high quality.

Copyright © 2001 by Gerhard Mourani and Open Network Architecture Inc.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or
transmitted in any form or by any means, electronic, mechanical, photocopying, recording,
scanning or otherwise, except as permitted by Canada Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy
fee to the copyright holders Gerhard Mourani and Open Network Architecture Inc. 11090 Drouart,
Montreal, PQ H3M 2S3, (514) 334-1068, fax (514) 338-3964. Requests to the Publisher for
permission should be addressed to the Publishing Manager, at Open Network Architecture Inc.,
E-mail: pubooks@openna.com.
This publication is designed to provide accurate and authoritative information in regard to the
subject matter covered. It is sold with the understanding that some grammatical mistakes could
have occurred but this won't jeopardize the content or the issue raised herewith.
Title: Securing and Optimizing Linux: The Ultimate Solution

Page Count: 856
Version: 2.0
Last Revised: 2001-06-13

Publisher: Open Network Architecture Inc.
Editor: Ted Nackad
Text Design & Drawings (Graphics): Bruno Mourani
Printing History: June 2000: First Publication.

Author: Gerhard Mourani
Mail: gmourani@openna.com
Website: http://www.openna.com/

National Library Act. R.S., c. N-11, s. 1.
Legal Deposit, 2001
Securing and Optimizing Linux: The Ultimate Solution / Open Network Architecture.
Published by Open Network Architecture, Inc., 11090 Drouart, Montreal, H3M 2S3, Canada.
Includes Index.
ISBN 0-9688793-0-6
Printed in Canada

Overview

Part I Installation Related Reference
Chapter 1 Introduction
Chapter 2 Installing a Linux Server

Part II Security and Optimization Related Reference
Chapter 3 General System Security
Chapter 4 Linux Pluggable Authentication Modules
Chapter 5 General System Optimization
Chapter 6 Kernel Security & Optimization

Part III Networking Related Reference
Chapter 7 TCP/IP Network Management
Chapter 8 Firewall IPTABLES Packet Filter
Chapter 9 Firewall IPTABLES Masquerading & Forwarding

Part IV Cryptography & Authentication Related Reference
Chapter 10 GnuPG
Chapter 11 OpenSSL
Chapter 12 OpenSSH

Part V Monitoring & System Integrity Related Reference
Chapter 13 sXid
Chapter 14 Logcheck
Chapter 15 PortSentry
Chapter 16 Tripwire
Chapter 17 Xinetd

Part VI Management & Limitation Related Reference
Chapter 18 Quota

Part VII Domain Name System Related Reference
Chapter 19 ISC BIND/DNS

Part VIII Mail Transfer Agent Related Reference
Chapter 20 Sendmail
Chapter 21 qmail

Part IX Internet Message Access Protocol Related Reference
Chapter 22 UW IMAP


Part X Database Server Related Reference
Chapter 23 MySQL
Chapter 24 PostgreSQL
Chapter 25 OpenLDAP

Part XI Gateway Server Related Reference
Chapter 26 Squid
Chapter 27 FreeS/WAN VPN

Part XII Other Server Related Reference
Chapter 28 Wu-ftpd
Chapter 29 Apache
Chapter 30 Samba

Part XIII Backup Related Reference
Chapter 31 Backup & restore procedures

Part XIII APPENDIXES

APPENDIX A
Tweaks, Tips and Administration Tasks

APPENDIX B
Contributor Users

APPENDIX C
Obtaining Requests for Comments (RFCs)

APPENDIX D
Port list

Contents

Organization of the Book....................................................................................................................... 12

Steps of installation............................................................................................................................... 13

Author note ........................................................................................................................................... 14

Audience............................................................................................................................................... 15

These installation instructions assume ................................................................................................. 15

About products mentioned in this book ................................................................................................. 15

Obtaining the example configuration files ............................................................................................. 15

Problem with Securing & Optimizing Linux ........................................................................................... 16

Acknowledgments................................................................................................................................. 16


Part I Installation Related Reference 17


1 Installation - Introduction 18


What is Linux? ...................................................................................................................................... 19

Some good reasons to use Linux.......................................................................................................... 19

Let's dispel some of the fear, uncertainty, and doubt about Linux......................................................... 19

Why choose Pristine source?................................................................................................................ 20

Compiling software on your system ...................................................................................................... 20

Build, Install software on your system................................................................................................... 21

Editing files with the vi editor tool ........................................................................................................ 22

Recommended software to include in each type of servers.................................................................. 23

Some last comments............................................................................................................................. 25


2 Installation - Installing a Linux Server 26


Know your Hardware!............................................................................................................................ 27

Creating the Linux Boot Disk................................................................................................................. 27

Beginning the installation of Linux......................................................................................................... 29

Installation Class and Method (Install Options)..................................................................................... 31

Partition your system for Linux.............................................................................................................. 32

Disk Partition (Manual Partitioning)....................................................................................................... 35

Selecting Package Groups.................................................................................................................... 47

How to use RPM Commands................................................................................................................ 50

Starting and stopping daemon services ................................................................................................ 52

Software that must be uninstalled after installation of the server .......................................................... 53

Remove unnecessary documentation files............................................................................................ 58

Remove unnecessary/empty files and directories................................................................................. 58

Software that must be installed after installation of the server .............................................................. 59

Verifying installed programs on your Server ......................................................................................... 62

Update of the latest software ................................................................................................................ 64


Part II Security and Optimization Related Reference 66


3 Security and Optimization - General System Security 67


BIOS ..................................................................................................................................................... 68

Unplug your server from the network .................................................................................................... 68

Security as a policy ............................................................................................................................... 68

Choose a right password ...................................................................................................................... 69

The root account ................................................................................................................................... 70

Set login time out for the root account .................................................................................................. 70

The /etc/exports file ....................................................................................................................... 70


The single-user login mode of Linux ..................................................................................................... 71

The LILO and /etc/lilo.conf file................................................................................................... 71

Disabling Ctrl-Alt-Delete keyboard shutdown command ............................................................. 73

The /etc/services file ..................................................................................................................... 74

The /etc/securetty file ................................................................................................................... 74

Special accounts................................................................................................................................... 75

Control mounting a file system.............................................................................................................. 77

Mounting the /boot directory of Linux as read-only............................................................................. 79

Conceal binary RPM ............................................................................................................................. 80

Shell logging ......................................................................................................................................... 80

Physical hard copies of all-important logs............................................................................................. 81

Tighten scripts under /etc/rc.d/init.d/ ....................................................................................... 84

The /etc/rc.local file ..................................................................................................................... 84

Bits from root-owned programs............................................................................................................. 85

Finding all files with the SUID/SGID bit enabled .................................................................................. 86

Don't let internal machines tell the server what their MAC address is .................................................... 87

Unusual or hidden files.......................................................................................................................... 88

Finding Group and World Writable files and directories ........................................................................ 88

Unowned files ....................................................................................................................................... 89

Finding .rhosts files........................................................................................................................... 89

System is compromised!....................................................................................................................... 90


4 Security and Optimization - Pluggable Authentication Modules 91


The password length............................................................................................................................. 92

Disabling console program access ....................................................................................................... 94

Disabling all console access ................................................................................................................. 95

The Login access control table ............................................................................................................. 95

Tighten console permissions for privileged users ................................................................................. 97

Putting limits on resource...................................................................................................................... 98

Controlling access time to services..................................................................................................... 100

Blocking; su to root, by one and sundry.............................................................................................. 101


5 Security and Optimization - General System Optimization 103


Static vs. shared libraries.................................................................................................................... 104

The Glibc 2.2 library of Linux .......................................................................................................... 105

Why Linux programs are distributed as source................................................................................... 106

Some misunderstanding in the compiler flags options ........................................................................ 106

The gcc 2.96 specs file ................................................................................................................... 107

Tuning IDE Hard Disk Performance ................................................................................................... 113


6 Security and Optimization - Kernel Security & Optimization 117


Making an emergency boot floppy ...................................................................................................... 120

Checking the /boot partition of Linux ................................................................................................ 120

Tuning the Kernel................................................................................................................................ 121

Applying the Openwall kernel patch.................................................................................................... 124

Cleaning up the Kernel........................................................................................................................ 126

Configuring the Kernel ........................................................................................................................ 127

Compiling the Kernel........................................................................................................................... 143

Installing the Kernel ............................................................................................................................ 144

Reconfiguring /etc/modules.conf file........................................................................................... 147

Delete programs, edit files pertaining to modules ............................................................................... 148

Remounting the /boot partition of Linux as read-only ....................................................................... 149

Rebooting your system to load the new kernel ................................................................................... 149

Making a new rescue floppy for Modularized Kernel........................................................................... 150

Making a emergency boot floppy disk for Monolithic Kernel ............................................................... 150


Optimizing Kernel ............................................................................................................................. 151


Part III Networking Related Reference 164


7 Networking - TCP/IP Network Management 165


TCP/IP security problem overview..................................................................................................... 167

Installing more than one Ethernet Card per Machine.......................................................................... 171

Files-Networking Functionality ............................................................................................................ 172

Securing TCP/IP Networking ............................................................................................................. 176

Optimizing TCP/IP Networking .......................................................................................................... 184

Testing TCP/IP Networking ............................................................................................................... 190

The last checkup................................................................................................................................. 194


8 Networking - Firewall IPTABLES Packet Filter 195


What is a Network Firewall Security Policy? ....................................................................................... 197

The Demilitarized Zone....................................................................................................................... 198

What is Packet Filtering? .................................................................................................................... 199

The topology ....................................................................................................................................... 199

Building a kernel with IPTABLES Firewall support.............................................................................. 201

Rules used in the firewall script files ................................................................................................... 201

/etc/rc.d/init.d/iptables: The Web Server File .................................................................. 204

/etc/rc.d/init.d/iptables: The Mail Server File ................................................................... 213

/etc/rc.d/init.d/iptables: The Primary Domain Name Server File...................................... 221

/etc/rc.d/init.d/iptables: The Secondary Domain Name Server File................................ 229


9 Networking - Firewall Masquerading & Forwarding 237


Recommended RPM packages to be installed for a Gateway Server................................................ 238

Building a kernel with Firewall Masquerading & Forwarding support.................................................. 239

/etc/rc.d/init.d/iptables: The Gateway Server File............................................................ 242

Deny access to some address............................................................................................................ 254

IPTABLES Administrative Tools.......................................................................................................... 255


Part IV Cryptography & Authentication Related Reference 257


10 Cryptography & Authentication - GnuPG 258


Compiling - Optimizing & Installing GnuPG .......................................................................................... 260

GnuPG Administrative Tools................................................................................................................ 262


11 Cryptography & Authentication - OPENSSL 267


Compiling - Optimizing & Installing OpenSSL ..................................................................................... 270

Configuring OpenSSL .......................................................................................................................... 272

OpenSSL Administrative Tools............................................................................................................ 279

Securing OpenSSL .............................................................................................................................. 283



12 Cryptography & Authentication - OpenSSH 286


Compiling - Optimizing & Installing OpenSSH ..................................................................................... 288

Configuring OpenSSH .......................................................................................................................... 290

OpenSSH Per-User Configuration ....................................................................................................... 298

OpenSSH Users Tools......................................................................................................................... 300


Part V Monitoring & System Integrity Related Reference 303


13 Monitoring & System Integrity - sXid 304


Compiling - Optimizing & Installing sXid ............................................................................................ 306

Configuring sXid ................................................................................................................................ 307

sXid Administrative Tools .................................................................................................................. 309


14 Monitoring & System Integrity - Logcheck 310


Compiling - Optimizing & Installing Logcheck ................................................................................... 312

Configuring Logcheck ....................................................................................................................... 317


15 Monitoring & System Integrity - PortSentry 319


Compiling - Optimizing & Installing PortSentry ............................................................................... 321

Configuring PortSentry ................................................................................................................... 324


16 Monitoring & System Integrity - Tripwire 334


Compiling - Optimizing & Installing Tripwire ................................................................................... 336

Configuring Tripwire ....................................................................................................................... 339

Securing Tripwire ............................................................................................................................ 342

Tripwire Administrative Tools.......................................................................................................... 342


17 Monitoring & System Integrity - Xinetd 345


Compiling - Optimizing & Installing Xinetd ........................................................................................ 347

Configuring Xinetd ............................................................................................................................ 349

Securing Xinetd ................................................................................................................................ 361


Part VI Management & Limitation Related Reference 363


18 Management & Limitation - Quota 364


Build a kernel with Quota support enable........................................................................................... 365

Modifying the /etc/fstab file........................................................................................................... 365

Creating the quota.user and quota.group files ........................................................................... 367

Assigning Quota for Users and Groups.............................................................................................. 367

Quota Administrative Tools................................................................................................................ 370



Part VII Domain Name System Related Reference 371


19 Domain Name System - ISC BIND/DNS 372


Recommended RPM packages to be installed for a DNS Server ........................................................ 374

Compiling - Optimizing & Installing ISC BIND & DNS .......................................................................... 377

Configuring ISC BIND & DNS .............................................................................................................. 380

Caching-Only Name Server ................................................................................................................ 381

Primary Master Name Server.............................................................................................................. 384

Secondary Slave Name Server........................................................................................................... 389

Running ISC BIND & DNS in a chroot jail............................................................................................ 395

Securing ISC BIND & DNS .................................................................................................................. 399

Optimizing ISC BIND & DNS ............................................................................................................... 414

ISC BIND & DNS Administrative Tools ................................................................................................ 417

ISC BIND & DNS Users Tools ............................................................................................................. 418


Part VIII Mail Transfer Agent Related Reference 422


20 Mail Transfer Agent - Sendmail 423


Recommended RPM packages to be installed for a Mail Server ...................................................... 425

Compiling - Optimizing & Installing Sendmail ................................................................................... 428

Configuring Sendmail ....................................................................................................................... 433

Running Sendmail with SSL support................................................................................................. 449

Securing Sendmail ............................................................................................................................ 457

Sendmail Administrative Tools.......................................................................................................... 462

Sendmail Users Tools....................................................................................................................... 463


21 Mail Transfer Agent - qmail 465


Recommended RPM packages to be installed for a Mail Server ...................................................... 467

Verifying & installing all the prerequisites to run qmail ...................................................................... 468

Compiling, Optimizing & Installing ucspi-tcp .................................................................................. 469

Compiling, Optimizing & Installing checkpassword .......................................................................... 470

Compiling, Optimizing & Installing qmail ........................................................................................... 472

Configuring qmail .............................................................................................................................. 479

Running qmail as a standalone null client......................................................................................... 488

Running qmail with SSL support....................................................................................................... 489

Securing qmail .................................................................................................................................. 489

qmail Administrative Tools................................................................................................................ 493

qmail Users Tools ............................................................................................................................. 494


Part IX Internet Message Access Protocol Related Reference 496


22 Internet Message Access Protocol - UW IMAP 497


Compiling - Optimizing & Installing UW IMAP ....................................................................................... 501

Configuring UW IMAP ........................................................................................................................... 505

Enable IMAP or POP services via Xinetd .......................................................................................... 505

Securing UW IMAP ............................................................................................................................... 508

Running UW IMAP with SSL support .................................................................................................... 510



Part X Database Server Related Reference 517


23 Database Server - MySQL 518


Recommended RPM packages to be installed for a SQL Server ........................................................ 521

Compiling - Optimizing & Installing MySQL .......................................................................................... 523

Configuring MySQL .............................................................................................................................. 526

Securing MySQL .................................................................................................................................. 530

Optimizing MySQL ............................................................................................................................... 531

MySQL Administrative Tools................................................................................................................ 536


24 Database Server - PostgreSQL 544


Recommended RPM packages to be installed for a SQL Server ........................................................ 545

Compiling - Optimizing & Installing PostgreSQL ............................................................................... 547

Configuring PostgreSQL ................................................................................................................... 549

Running PostgreSQL with SSL support ............................................................................................ 555

Securing PostgreSQL ....................................................................................................................... 558

Optimizing PostgreSQL ..................................................................................................................... 562

PostgreSQL Administrative Tools ..................................................................................................... 564


25 Database Server - OpenLDAP 569


Recommended RPM packages to be installed for a LDAP Server ...................................................... 571

Compiling - Optimizing & Installing OpenLDAP ................................................................................... 574

Configuring OpenLDAP ....................................................................................................................... 577

Running OpenLDAP in a chroot jail ..................................................................................................... 583

Running OpenLDAP with TLS/SSL support ........................................................................................ 590

Securing OpenLDAP ............................................................................................................................ 595

Optimizing
OpenLDAP
......................................................................................................................... 596

OpenLDAP
Administrative Tools.......................................................................................................... 598

OpenLDAP
Users Tools....................................................................................................................... 603


Part XI Gateway Server Related Reference 606


26 Gateway Server -
Squid
Proxy Server
607


Recommended RPM packages to be installed for a
Proxy
Server .................................................... 609

Compiling - Optimizing & Installing
Squid
.......................................................................................... 611

Using
GNU

malloc
library to improve cache performance of
Squid
.................................................. 613

Configuring
Squid
.............................................................................................................................. 616

Securing
Squid
.................................................................................................................................. 629

Optimizing
Squid
............................................................................................................................... 630

The
cachemgr.cgi
program utility of
Squid
.................................................................................... 630


27 Gateway Server -
FreeS/WAN
VPN Server 633


Recommended RPM packages to be installed for a
VPN
Server ........................................................ 635

Compiling - Optimizing & Installing
FreeS/WAN
................................................................................. 638

Configuring RSA private keys secrets................................................................................................. 648

Requiring network setup for
IPSec
.................................................................................................... 653

Testing the
FreeS/WAN
installation.................................................................................................... 656


Page 11


11

Part XII Other Server Related Reference 661


28 Other Server -
Wu-ftpd
FTP Server 662


Recommended RPM packages to be installed for a
FTP
Server ........................................................ 664

Compiling - Optimizing & Installing
Wu-ftpd
..................................................................................... 666

Running
Wu-ftpd
in a chroot jail........................................................................................................ 669

Configuring
Wu-ftpd
.......................................................................................................................... 673

Securing
Wu-ftpd
.............................................................................................................................. 681

Setup an
Anonymous

FTP
server....................................................................................................... 683

Wu-ftpd
Administrative Tools............................................................................................................ 688


29 Other Server -
Apache
Web Server 690


Compiling - Optimizing & Installing
MM
................................................................................................ 692

Some static's about
Apache
and
Linux
............................................................................................ 696

Recommended RPM packages to be installed for a
Web
Server ........................................................ 698

Compiling - Optimizing & Installing
Apache
........................................................................................ 703

Configuring
Apache
............................................................................................................................ 710

Enable
PHP4
server-side scripting language with the Web Server ..................................................... 718

Securing
Apache
................................................................................................................................ 719

Optimizing
Apache
............................................................................................................................. 723

Running
Apache
in a chroot jail.......................................................................................................... 726


30 Other Server -
Samba
File Sharing Server 739


Recommended RPM packages to be installed for a
Samba
Server .................................................... 741

Compiling - Optimizing & Installing
Samba
.......................................................................................... 744

Configuring
Samba
.............................................................................................................................. 747

Running
Samba
with
SSL
support ....................................................................................................... 757

Securing
Samba
.................................................................................................................................. 762

Optimizing
Samba
............................................................................................................................... 764

Samba
Administrative Tools................................................................................................................ 766

Samba
Users Tools ............................................................................................................................. 767


Part XIII Backup Related Reference 769


31 Backup -
Tar
&
Dump
770


Recommended RPM packages to be installed for a
Backup
Server.................................................. 771

The
tar
backup program ................................................................................................................... 772

Making backups with
tar
................................................................................................................... 773

Automating tasks of backups made with
tar
..................................................................................... 775

Restoring files with
tar
...................................................................................................................... 777

The
dump
backup program ................................................................................................................. 778

Making backups with
dump
................................................................................................................. 780

Restoring files with
dump
.................................................................................................................... 782

Backing up and restoring over the network......................................................................................... 784


Preface

Organization of the Book
Securing and Optimizing Linux: Red Hat Edition has 31 chapters, organized into thirteen parts
and four appendixes:

* Part I: Installation Related Reference includes two chapters; the first chapter
  introduces Linux in general and gives some basic information to the new Linux reader
  who is not familiar with this operating system. The second chapter guides you through
  the steps of installing Linux (from CD) in the most secure manner, with only the essential
  and critical software for a clean and secure installation.

* Part II: Security and Optimization Related Reference focuses on how to secure and
  tune Linux after it has been installed. Part II includes four chapters that explain how to
  protect your Linux system, how to use and apply Pluggable Authentication Modules
  (PAM), and how to optimize your system for your specific processor and memory. Finally,
  the last chapter describes how to install, optimize, protect and customize the Kernel. All
  information in Part II of the book applies to the whole system.

* Part III: Networking Related Reference contains three chapters, where the first chapter
  answers fundamental questions about network devices, network configuration files, and
  network security, as well as essential networking commands. The second and third
  chapters provide information about firewalls as well as the popular masquerading feature
  of Linux, and how to configure and customize the new, powerful IPTABLES tool of this
  system to fit your personal needs.

* Part IV: Cryptography & Authentication Related Reference holds three chapters
  which talk about the essential security tools needed to secure network communication.
  These tools are the minimum that should be installed on any type of Linux server.

* Part V: Monitoring & System Integrity Related Reference provides five chapters which
  help you to tighten security on your server through the use of some powerful security software.

* Part VI: Management & Limitation Related Reference presently includes just one
  chapter, which is about limiting users' disk space usage on the server.

* Part VII: Domain Name System Related Reference discusses the Domain Name
  System, which is an essential service to install on all Linux servers you want on the
  network. This part of the book is important and must be read by everyone.

* Part VIII: Mail Transfer Agent Related Reference explains everything about
  installing and configuring a Mail Server and the minimum mail software to install. It is one
  of the most important parts of the book.

* Part IX: Internet Message Access Protocol Related Reference is the last required part
  to read before going into the installation of specific services on your Linux system. It
  discusses the mail software required to allow your users to get and read their electronic
  mail.

* Part X: Database Server Related Reference contains three chapters about the most
  commonly used and powerful databases on *NIX systems.

* Part XI: Gateway Server Related Reference discusses installing a powerful proxy
  server and configuring encrypted network services.

* Part XII: Other Server Related Reference shows you how to use Linux for specific
  purposes such as setting up a customized FTP server, running a World Wide Web server
  and sharing files between different systems, all in a secure and optimized manner.

* Part XIII: Backup Related Reference describes how to make a reliable backup of your
  valuable files in a convenient way. This part includes a chapter that explains how to
  perform backups with the traditional and universal UNIX tools "tar" and "dump", which
  enables you to use the same procedures, without any modification, on the other Unix
  family platforms.

* The appendixes are as follows:

  * Appendix A: Tweaks, Tips and Administration Tasks has several useful Linux
    tips on administration, networking and shell commands.

  * Appendix B: Contributor Users lists Linux users around the world who have
    participated on a voluntary basis by providing good suggestions,
    recommendations, help, tips, corrections, ideas and other information to help in
    the development of this book. Thanks to all of you.

  * Appendix C: Obtaining Requests for Comments (RFCs) provides an
    alphabetical reference for important RFCs related to the software or protocols
    described in the book.

Steps of installation
Depending on your level of knowledge in Linux, you can read this book from the beginning
through to the end, or only the chapters that interest you. Each chapter and section of this book
is laid out in a manner that lets you read only the parts of interest to you without the need to
schedule a whole day of reading. Too many books on the market take myriad pages to explain
something that can be explained in two lines; I'm sure that a lot of you agree with my opinion.
This book tries to be different by talking only about the essential and important information that
readers want to know, and by eliminating all the nonsense.
Although you can read this book in the order you want, there is a particular order that you could
follow if something seems to be confusing you. The steps shown below are what I recommend:

1. Set up Linux on your computer.
2. Remove all the unnecessary RPM packages.
3. Install the RPM packages necessary for compiling software (if needed).
4. Secure the system in general.
5. Optimize the system in general.
6. Reinstall, recompile and customize the Kernel to fit your specific system.
7. Configure the firewall script according to which services will be installed on your system.
8. Install OpenSSL to be able to use encryption with the Linux server.
9. Install OpenSSH to be able to perform secure remote administration tasks.
10. Install sXid.
11. Install Logcheck.
12. Install PortSentry.
13. Install Tripwire.
14. Install ISC BIND/DNS.
15. Install Sendmail or qmail.
16. Afterwards, install any software you need to enable specific services on the server.



Author note
According to some surveys on the Internet, Linux will be the number one operating system for a
server platform in the year 2003. Presently it is number two, and no one at one time thought that it
would reach this second place. Many organizations, companies, universities, governments, the
military, etc., kept quiet about it. Crackers use it as the operating system of choice to crack
computers around the world. Why do so many people use it instead of other well-known
operating systems? The answer is simple: Linux is free and the most powerful, reliable, and
secure operating system in the world, provided it is well configured. Millions of programmers,
home users, hackers, developers, etc. work, on a voluntary basis, to develop different programs
related to security and services, and share their work with other people to improve it without
expecting anything in return. This is the revolution of the Open Source movement that we see
and hear about so often on the Internet and in the media.
If crackers can use Linux to penetrate servers, security specialists can use the same means to
protect servers (to win a war, you should at least have weapons equivalent to what your enemy
may be using). When security holes are encountered, Linux is the one operating system that has
a solution, and that is not by chance. Now someone may say: with all these beautiful features, why
is Linux not as popular as other well-known operating systems? There are many reasons and
different answers on the Internet. I would just say that, like everything else in life, anything we
expect the most of is more difficult to get than the average. Linux and *NIX are more difficult to
learn than any other operating system. They are only for those who want to know computers in
depth and know what they are doing. People prefer to use other OS's, which are easy to operate
but make it hard to understand what is happening in the background, since users only have to
click on a button without really knowing what their actions imply. Every UNIX operating system
like Linux will lead you, unconsciously, to know exactly what you are doing, because if you
proceed without understanding what your decisions cause, then nothing will work as expected.
This is why with Linux you will learn the real meaning of a computer, and especially of a server
environment, where every decision warrants an action which will closely impact the security of
your organization and employees.
Many Web sites are open to all sorts of "web hacking." According to the Computer Security
Institute and the FBI's joint survey, 90% of 643 computer security practitioners from government
agencies, private corporations, and universities detected cyber attacks last year. Over
$265,589,940 in financial losses was reported by 273 organizations.
Many readers of the previous version of this book told me that the book was an easy step-by-step
guide for newbies. I am flattered, but I prefer to admit that it was targeting a technical audience,
and I assumed the reader had some background in Linux and UNIX systems. If this is not true in
your case, I highly recommend that you read some good books on network administration related
to UNIX, and especially to Linux, before venturing into this book. Remember that talking about
security and optimization is a very serious endeavor. It is very important to be attentive and
understand every detail in this book; if difficulties arise, going back and rereading the explanation
will save a lot of frustration. Once again, security is not a game, and crackers await only one
single error on your part to enter your system. A castle has many doors, and if just one stays
open, it will be enough to let intruders into your fortress. You have been warned.

Many efforts went into the making of this book, making sure that the results were as accurate as
possible. If you find any abnormalities, inconsistent results, errors, omissions or anything else that
doesn't look right, please let me know so I can investigate the problem and/or correct the error.
Suggestions for future versions are also welcome and appreciated. A web site dedicated to this
book is available on the Internet for your convenience. If you have any problem, question,
recommendation, etc., please go to the following URL: http://www.openna.com/
We made this site for you.

Audience
This book is intended for a technical audience and system administrators who manage Linux
servers, but it also includes material for home users and others. It discusses how to install and
set up a Linux Server with all the necessary security and optimization for a high-performance
Linux-specific machine. It can also be applied, with some minor changes, to other Linux variants
without difficulty. Since we speak of optimization and security configuration, we will use source
distributions (tar.gz) for critical server software like Apache, ISC BIND/DNS, Samba, Squid,
OpenSSL, etc. Source packages give us fast upgrades, security updates when necessary,
and better compilation, customization, and optimization options for specific machines that often
aren't available with RPM packages.

These installation instructions assume
that you have a CD-ROM drive on your computer and the Official Red Hat Linux CD-ROM.
Installations were tested on Official Red Hat Linux version 7.1.
You should familiarize yourself with the hardware on which the operating system will be installed.
After examining the hardware, the rest of this document guides you, step by step, through the
installation process.

About products mentioned in this book
Many products will be mentioned in this book: some commercial, but most are not, cost nothing
and can be freely used or distributed. It is also important to say that I'm not affiliated with any
specific brand, and if I mention a tool, it's because it is useful. You will find that a lot of big
companies use most of them in their daily tasks.

Obtaining the example configuration files
In a true server environment, and especially when no Graphical User Interface is installed, we will
often use text files, scripts, the shell, etc. Throughout this book we will see shell commands, script
files, configuration files and many other actions to execute on the terminal of the server. You can
enter them manually or use the compressed archive file that I made, which contains all the
configuration examples, and paste them directly into your terminal. This is useful in many
cases to save time.
The example configuration files in this book are available electronically via HTTP from this URL:

http://www.openna.com/products/books/securing-optimizing-linux/floppy-2.0.tgz

Once you have the archive, extract the files onto your Linux server by typing:

[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf floppy-2.0.tgz

If you cannot get the examples from the Internet, please contact the author at this email address:

gmourani@openna.com


Problem with Securing & Optimizing Linux
When you encounter a problem in "Securing & Optimizing Linux" we want to hear about it. Your
reports are an important part of making the book more reliable, because even with the utmost
care we cannot guarantee that every part of the book will work on every platform under every
circumstance.
We cannot promise to fix every error right away. If the problem is obvious, critical, or affects a lot
of users, chances are that someone will look into it. It could also happen that we tell you to
update to a newer version to see if the problem persists there. Or we might decide that the
problem cannot be fixed until some major rewriting has been done. If you need help immediately,
consider obtaining a commercial support contract or try the Q&A archive of our mailing list for
an answer.
Below are some important links:

OpenNA.com web site: http://www.openna.com/

Mailing list: http://www.openna.com/support/mailing/index.htm

Errata: http://www.openna.com/products/books/securing-optimizing-linux/errata.htm

Support: http://www.openna.com/support/index.htm

RPM Download: http://www.openna.com/download/index.htm


Acknowledgments
First of all, I would like to thank my younger brother Bruno Mourani for the valuable help he
brought by drawing all the networking drafts shown in this book. For your information, he has
made all the schemas by hand and without any special diagram software. Yes, he is naturally
better than me in many computer areas but doesn't take the time to profit from his skill.
A special gratitude and many thanks to Colin Henry, who made tremendous efforts to make this
book grammatically and orthographically sound in a professional manner. Gregory A Lundberg
and the WU-FTPD Development Group for their help and recommendations on the FTP chapter in
this book. Werner Puschitz for his help in the PAM chapter of this book and his recommendations
on the SSH software (thanks Werner). OpenNA, who decided to publish my book, and all Linux
users around the world who have participated by providing good comments, ideas,
recommendations and suggestions (a dedicated section has been made for them at the end of
this book).

Part I Installation Related Reference
In this Part
Installation - Introduction
Installation - Installing a Linux Server

This part of the book deals with all the basic knowledge required to properly install a Linux OS, in
our case Red Hat Linux, on your system in the most secure and clean manner available.

1 Installation - Introduction
In this Chapter

What is Linux?
Some good reasons to use Linux
Let's dispel some of the fear, uncertainty, and doubt about Linux
Why choose Pristine source?
Compiling software on your system
Build, Install software on your system
Editing files with the vi editor tool
Recommended software to include in each type of servers
Some last comments



CHAPTER 1

Introduction

What is Linux?
Linux is an operating system that was first created at the University of Helsinki in Finland by a
young student named Linus Torvalds. At the time, the student was working on a UNIX system that
was running on an expensive platform. Because of his low budget, and his need to work at home,
he decided to create a copy of the UNIX system in order to run it on a less expensive platform,
such as an IBM PC. He began his work in 1991, when he released version 0.02, and worked
steadily until 1994, when version 1.0 of the Linux Kernel was released. The current full-featured
version at this time is 2.2.X (released January 25, 1999), and development continues.
The Linux operating system is developed under the GNU General Public License (also known as
the GNU GPL) and its source code is freely available to everyone who downloads it via the Internet.
The CD-ROM version of Linux is also available in many stores, and the companies that provide it
will charge you for the cost of the media and support. Linux may be used for a wide variety of
purposes including networking, software development, and as an end-user platform. Linux is
often considered an excellent, low-cost alternative to other, more expensive operating systems
because you can install it on multiple computers without paying more.

Some good reasons to use Linux
There are no royalty or licensing fees for using Linux, and the source code can be modified to fit
your needs. The results can be sold for profit, but the original authors retain copyright and you
must provide the source to your modifications.
Because it comes with the source code of the kernel, it is quite portable. Linux runs on more CPUs
and platforms than any other computer operating system.
The recent direction of the software and hardware industry is to push consumers to purchase
faster computers with more system memory and hard drive storage. Linux systems are not
affected by those industries' orientation because of Linux's capacity to run on any kind of computer,
even aging 486-based computers with limited amounts of RAM.
Linux is a true multi-tasking operating system, similar to its brother, UNIX. It uses sophisticated,
state-of-the-art memory management to control all system processes. That means that if a
program crashes you can kill it and continue working with confidence.
Another benefit is that Linux is practically immune to all the kinds of viruses that we find in
other operating systems. To date we have found only two viruses that were effective on Linux
systems.

Let's dispel some of the fear, uncertainty, and doubt about Linux
It's a toy operating system.
Fortune 500 companies, governments, and consumers increasingly use Linux as a cost-
effective computing solution. It has been used, and is still used, by big companies like IBM,
Amtrak, NASA, and others.

There's no support.
Every Linux distribution comes with more than 12,000 pages of documentation. Commercial
Linux distributions such as Red Hat Linux, Caldera, SuSE, Mandrake, Turbo Linux and
OpenLinux offer initial support for registered users, and small business and corporate accounts
can get 24/7 support through a number of commercial support companies. As an Open Source
operating system, there's no six-month wait for a service release; plus, the online Linux
community fixes many serious bugs within hours.

Why choose Pristine source?
All the programs in Red Hat distributions of Linux are provided as RPM files. An RPM file, also
known as a "package", is a way of distributing software so that it can be easily installed,
upgraded, queried, and deleted. However, in the Unix world, the de facto standard for package
distribution continues to be by way of so-called "tarballs". Tarballs are simply compressed archives
that can be read and unpacked with the "tar" utility. Installing from tar is usually
significantly more tedious than using RPM. So why would we choose to do so?

1) Unfortunately, it takes a few weeks for developers and helpers to get the latest version of
a package converted to RPMs, because many developers first release them as tarballs.

2) When developers and vendors release a new RPM, they include a lot of options that
often are not necessary. Those organizations and companies don't know which options you
will need and which you will not, so they include the most used ones to fit the needs of
everyone.

3) Often RPMs are not optimized for your specific processor; companies like Red Hat
Linux build RPMs based on a standard PC. This permits their RPM packages to be
installed on all sorts of computers, since compiling a program for an i386 machine means
it will work on all systems.

4) Sometimes you download and install RPMs which other people around the world are
building and making available for you to use. This can pose conflicts in certain cases,
depending on how this individual built the package, such as errors, security and all the other
problems described above.

Compiling software on your system
A program is something a computer can execute. Originally, somebody wrote the "source code"
in a programming language he/she could understand (e.g., C, C++). The program "source code"
also makes sense to a compiler, which converts the instructions into a binary file suited to whatever
processor is wanted (e.g. a 386 or similar). A modern file format for these "executable" programs
is ELF. The programmer compiles his source code with the compiler and gets a result of some sort.
It's not at all uncommon that early attempts fail to compile, or, having compiled, fail to act as
expected. Half of programming is tracking down and fixing these problems (debugging).
For beginners there are more aspects and new terms relating to the compilation of source
code that you must know; these include, but are not limited to:

Multiple Files (Linking)
One-file programs are quite rare. Usually there are a number of files (say *.c, *.cpp, etc) that
are each compiled into object files (*.o) and then linked into an executable. The compiler is
usually used to perform the linking and calls the 'ld' program behind the scenes.

Makefiles
Makefiles are intended to aid you in building your program the same way each time. They also
often help with increasing the speed of a build. The "make" program uses "dependencies" in
the Makefile to decide what parts of the program need to be recompiled. If you change one
source file out of fifty, you hope to get away with one compile and one link step, instead of starting
from scratch.

Libraries
Programs can be linked not only to object files (*.o) but also to libraries, which are collections of
object files. There are two forms of linking to libraries: static, where the code goes into the
executable file, and dynamic, where the code is collected when the program starts to run.

Patches
It was once common for executable files to be given corrections without recompiling them. Now this
practice has died out; nowadays, people change a small portion of the source code, putting
the change into a file called a "patch". Where different versions of a program are required, small
changes to code can be released this way, saving the trouble of having two large distributions.

Errors in Compilation and Linking
Errors in compilation and linking are often due to typos, omissions, or misuse of the language.
You have to check that the right "include file" is used for the functions you are calling.
Unreferenced (undefined) symbols are the sign of an incomplete link step: an object file or a
library is missing from the link. Also check that the necessary development libraries (GLIBC) and
tools (GCC, DEV86, MAKE, etc.) are installed on your system.

Debugging
Debugging is a large topic. It usually helps to have statements in the code that inform you of what
is happening. To avoid drowning in output you might sometimes get them to print out only the first
3 passes in a loop. Checking that variables have passed correctly between modules often helps.
Get familiar with your debugging tools.

Build & install software on your system
You will see in this book that we use many different compile commands to build and install
programs on the server. These commands are UNIX compatible and are used on all variants of
*NIX machines to compile and install software.
The procedure to compile and install software tarballs on your server is as follows:

1. First of all, you must download the tarball from your trusted software archive site, usually
the main site of the software you hope to install, and check it against the checksum or
GnuPG signature that the site publishes before you unpack it.

2. After downloading the tarball, change to the /var/tmp directory (other paths are possible,
at your discretion) and untar the archive by typing the following command (as root), as in
this example:

[root@deep /]# tar xzpf foo.tar.gz

The above command will extract all files from the example foo.tar.gz compressed archive and
will create a new directory with the name of the software under the path from which you executed
the command.

The "x" option tells tar to extract all files from the archive.
The "z" option tells tar that the archive is compressed with the gzip utility.
The "p" option maintains the original permissions the files had when the archive was created.
The "f" option tells tar that the very next argument is the file name.
Once the tarball has been decompressed into the appropriate directory, you will almost certainly
find a "README" and/or an "INSTALL" file included with the newly decompressed files, with further
instructions on how to prepare the software package for use. Likely, you will need to enter
commands similar to the following example:

./configure
make
make install
Of the above commands, ./configure will configure the software and check that your system has the
necessary libraries to successfully compile the package, and make will compile all the source files
into executable binaries. Finally, make install will install the binaries and any supporting files into
the appropriate locations. Other specific commands that you'll see in this book in the compilation
and installation procedures are:

make depend
strip
chown

The make depend command generates the dependency rules (which source files depend on which
header files) that make uses to decide what needs to be recompiled. The strip command discards
the symbol table and debugging information from the binary. This makes the binary smaller on disk
and gives anyone who obtains a copy of it less to work with; it does not make the program run
faster, and it makes a crash in that binary harder to debug. The chown command sets the correct
file owner and group for the binaries. More commands will be explained in the relevant
installation sections.
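The build procedure above, gathered into shell functions, as an added example that is not part of the book: it adds the two checks a practitioner wants before trusting a tarball from an archive site, namely that the file's SHA-256 digest matches the one the project publishes and that no archive member would be written outside the extraction directory, and it optionally applies a patch file before ./configure. It assumes a GNU/Linux userland with tar, gzip, sha256sum and (only when a patch is given) patch; foo.tar.gz, /var/tmp and the digest value are placeholders supplied by the caller, and nothing is downloaded.

```sh
#!/bin/sh
# Added example, not the book's own commands: the tarball build procedure
# (verify, extract, optional patch, ./configure && make && make install)
# with the safety checks a practitioner adds before running code from an
# archive as root. File names and digests are the caller's values.

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 otherwise. The expected
# digest comes from the project's site or signed announcement, never from
# the same place as the tarball alone.
verify_tarball() {
    _actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$_actual" = "$2" ]
}

# unsafe_members FILE
# Returns 0 (true) if the archive lists a member with an absolute path or a
# ".." component, i.e. one that tar would write outside the extraction
# directory (an archive built to drop files into /etc, for instance).
unsafe_members() {
    tar tzf "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'
}

# extract_tarball FILE DESTDIR
# The book's "tar xzpf foo.tar.gz", run inside DESTDIR (/var/tmp in the
# text). Prints the name of the top-level directory the archive created.
extract_tarball() {
    if unsafe_members "$1"; then
        echo "refusing $1: member paths escape $2" >&2
        return 1
    fi
    tar xzpf "$1" -C "$2" || return 1
    tar tzf "$1" | head -n 1 | cut -d/ -f1
}

# build_and_install SRCDIR [PATCH]
# ./configure && make && make install, optionally applying a unified-diff
# PATCH first (the "patch" file described earlier in this chapter). Runs in
# a subshell so the caller's working directory is unchanged.
build_and_install() {
    (
        cd "$1" || exit 1
        if [ -n "${2:-}" ]; then
            patch -p1 < "$2" || exit 1
        fi
        ./configure && make && make install
    )
}

# install_tarball FILE SHA256 DESTDIR [PATCH]
# The whole procedure in order; stops at the first failed check.
install_tarball() {
    verify_tarball "$1" "$2" || { echo "digest mismatch for $1" >&2; return 1; }
    _dir=$(extract_tarball "$1" "$3") || return 1
    build_and_install "$3/$_dir" "${4:-}"
}
```

Both checks run before anything is unpacked or executed: a wrong digest or a member path such as ../etc/passwd stops the procedure, so a tampered or malicious archive never reaches the ./configure step, which runs arbitrary shell script from the tarball as root.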

Editing files with the vi editor tool
The vi program is a text editor that you can use to edit any text and particularly programs. During
installation of software, the user will often have to edit text files, like Makefiles or configuration
files. The following are some of the more important keystroke commands to get around in vi. I
decided to introduce the vi commands now since it is necessary to use vi throughout this book.

Command                              Result
=====================================================================
i ---------------------------------  Notifies vi to insert text before the cursor
a ---------------------------------  Notifies vi to append text after the cursor
dd --------------------------------  Notifies vi to delete the current line
x ---------------------------------  Notifies vi to delete the current character
Esc -------------------------------  Notifies vi to end the insert or append mode
u ---------------------------------  Notifies vi to undo the last command
Ctrl+f ----------------------------  Scroll forward (down) one page
Ctrl+b ----------------------------  Scroll backward (up) one page
/string ---------------------------  Search forward for string
:f --------------------------------  Display filename and current line number
:q --------------------------------  Quit editor
:q! -------------------------------  Quit editor without saving changes
:wq -------------------------------  Save changes and exit editor
=====================================================================

Recommended software to include in each type of server
If you buy binaries, you will not get any equity in or ownership of the source code. Source code is a
very valuable asset and binaries have no value. Buying software may become a thing of the past.
You only need to buy good hardware; it is worth spending money on the hardware and getting the
software from the Internet. The important point is that it is the computer hardware that is doing the
bulk of the job. Hardware is the real workhorse and software is just driving it. It is for this reason
that we believe in working with and using Open Source software. Much of the software and services
that come with Linux are open source and allow the user to use and modify them without
discrimination, according to the GNU General Public License.
Linux has quickly become the most practical and user-friendly platform for e-business, and with
good reason. Linux offers users stability, functionality and value that rival any platform in the
industry. Millions of users worldwide have chosen Linux for applications, from web and email
servers to departmental and enterprise vertical application servers. To respond to your needs and
to let you know how you can share services between systems, I have developed ten different
types of servers, which cover the majority of server functions and enterprise demands.
Companies often try to centralize many services in one server to save money; it is well known
and often seen that there are conflicts between the technical departments and purchasing agents
of companies about investment and expenditure when it comes to buying new equipment. When
we consider security and optimization, it is of the utmost importance not to run too many services
on one server; it is highly recommended to distribute tasks and services between multiple
systems. The tables below show you which software and services we recommend for each type
of Linux server.
The following conventions explain how to read these tables:

- Optional Components: components that may be included to improve the features of the server or
to fit special requirements.

- Security Software Required: what we consider the minimum security software to have installed on
the server to improve security.

- Security Software Recommended: what we recommend for the optimal security of the servers.

Mail Server
  Sendmail or qmail (SMTP Server)
  BIND/DNS (Caching)
  IPTABLES Firewall
  ----------
  IMAP/POP only for Sendmail
  Optional Components: none listed
  Security Software Required:
    Secure Linux Kernel Patches
    OpenSSL Encryption Software
    OpenSSH (Server)
    Tripwire Integrity Tool
  Security Software Recommended:
    GnuPG
    sXid
    Logcheck
    PortSentry
    Quota

Web Server
  Apache (Web Server)
  qmail (Standalone)
  BIND/DNS (Caching)
  IPTABLES Firewall
  Optional Components:
    Mod_PHP4 Capability
    Mod_SSL Capability
    Mod-Perl Capability
    MM Capability
    Webmail Capability
  Security Software Required:
    Secure Linux Kernel Patches
    OpenSSL Encryption Software
    OpenSSH (Server)
    Tripwire Integrity Tool
  Security Software Recommended:
    GnuPG
    sXid
    Logcheck
    PortSentry
    Quota

Gateway Server
  BIND/DNS (Caching)
  qmail (Standalone)
  IPTABLES Firewall
  ----------
  Squid Proxy (Server)
  Optional Components: none listed
  Security Software Required:
    Secure Linux Kernel Patches
    OpenSSL Encryption Software
    OpenSSH (Client & Server)
    Tripwire Integrity Tool
  Security Software Recommended:
    GnuPG
    sXid
    Logcheck
    PortSentry
FTP Server
  Wu-FTPD (Server)
  qmail (Standalone)
  BIND/DNS (Caching)
  IPTABLES Firewall
  Optional Components:
    Anonymous FTP (Server)
  Security Software Required:
    Secure Linux Kernel Patches
    OpenSSL Encryption Software
    OpenSSH (Server)
    Tripwire Integrity Tool
  Security Software Recommended:
    GnuPG
    sXid
    Logcheck
    PortSentry
    Quota

Domain Name Server
  Primary BIND/DNS (Server)
  qmail (Standalone)
  IPTABLES Firewall
  ----------
  Secondary BIND/DNS (Server)
  Optional Components: none listed
  Security Software Required:
    Secure Linux Kernel Patches
    OpenSSL Encryption Software
    OpenSSH (Server)
    Tripwire Integrity Tool
  Security Software Recommended:
    GnuPG
    sXid
    Logcheck
    PortSentry

File Sharing Server
  Samba LAN (Server)
  qmail (Standalone)
  BIND/DNS (Caching)
  IPTABLES Firewall
  Optional Components: none listed
  Security Software Required:
    Secure Linux Kernel Patches
    OpenSSL Encryption Software
    OpenSSH (Server)
    Tripwire Integrity Tool
  Security Software Recommended:
    GnuPG
    sXid
    Logcheck
    Port