maximum linux security, 2nd ed.

Maximum Linux Security, Second Edition
Anonymous
with revisions by John Ray
Sams Publishing, 201 West 103rd Street, Indianapolis, Indiana, 46290
00 0672321343 FM 5/25/01 3:58 PM Page i
Maximum Linux Security, Second Edition
Copyright © 2001 by Sams Publishing
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
International Standard Book Number: 0-672-32134-3
Library of Congress Catalog Card Number: 00-111262
Printed in the United States of America
First Printing: June 2001
04 03 02 01 4 3 2 1
Trademarks
All terms mentioned in this book that are known to be trademarks or service
marks have been appropriately capitalized. Sams cannot attest to the accuracy
of this information. Use of a term in this book should not be regarded as
affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author(s) and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the CD or programs accompanying it.
ACQUISITIONS EDITOR
Shelley Johnston Markanday
DEVELOPMENT EDITOR
Scott D. Meyers
MANAGING EDITOR
Charlotte Clapp
PROJECT EDITOR
Leah Kirkpatrick
COPY EDITOR
Michael Henry
INDEXER
Rebecca Salerno
PROOFREADER
Daniel Ponder
TECHNICAL EDITORS
Jason Byars
Steve Epstein
TEAM COORDINATOR
Amy Patton
MEDIA DEVELOPER
Dan Scherf
INTERIOR DESIGNER
Gary Adair
COVER DESIGNER
Aren Howell

Contents at a Glance
Introduction 1
Part I Linux Security Basics 7
1 Introducing Linux Security 9
2 Physical Security 29
3 Installation Issues 59
4 Basic Linux System Administration 95
Part II Linux User Security 137
5 Password Attacks 139
6 Data Attacks 191
Part III Linux Network Security 219
7 Malicious Code 221
8 Sniffers and Electronic Eavesdropping 251
9 Scanners 281
10 Spoofing 325
Part IV Linux Internet Security 345
11 FTP Security 347
12 Mail Security 367
13 Telnet and SSH Security 399
14 Web Server Security 435
15 Secure Web Protocols 479
16 Secure Web Development 503
17 File Sharing Security 531
18 Denial-of-Service Attacks 549
19 Linux and Firewalls 583
20 Intrusion Detection 611
21 Logs and Audit Trails 633
22 Disaster Recovery 663
Part V Appendixes 685
A Linux Security Command Reference 687
B Linux Security Index—Past Linux Security Issues 723
C Other Useful Linux Security Utilities/Applications 741
D Linux/Unix Security Tools 767
E Glossary 797
Index 837
Contents
Introduction 1
PART I Linux Security Basics 7
1 Introducing Linux Security 9
What Is Linux? 10
Linux Is Free 10
Linux Closely Resembles Unix 13
Where Did Linux Come From? 15
Why Linux Isn’t for Everyone 15
Linux as a Standalone System 16
Linux as an Intranet/Internet Server 18
A Linux Security Overview 19
User Accounts 19
Discretionary Access Control (DAC) 21
Network Access Control 23
Encryption 24
Built-in Logging, Auditing, and Network Monitoring 26
Intrusion Detection 27
Summary 28
2 Physical Security 29
Server Location and Physical Access 31
The Network Operations Center (NOC) 32

Public Computing Facilities 32
Computer Use Policies 33
Network Topology 34
Assorted Network Topologies 34
Summary of Topology Security 40
Network Hardware 41
Common Network Hardware Security Measures 42
Summary of Network Hardware 44
Workstations and Security 44
BIOS and Console Passwords 45
Biometric Access Controls 46
Modem Security 51
Anti-Theft Devices 53
Unique Numbers, Marking, and Other Techniques 55
Summary 58
3 Installation Issues 59
About Various Linux Distributions, Security, and Installation 60
All Distributions Are Not Created Equal… 63
Partitions and Security 65
What Are Partitions, Exactly? 65
Lumping Linux into a Single Partition 70
Other Advantages of Multiple Partitions 73
Sizing Out Partitions 73
Creating the Swap and Root Partitions 76
Creating the Extended Partition 78
Creating Logical Partitions Within the Extended Partition 79
Other Partitioning Tools 81

Summary of Partitions and Security 83
Choosing Network Services During Installation 85
Five Minutes to a More Secure System 87
chkconfig 90
Boot Loaders 91
/etc/lilo.conf: The LILO Configuration File 91
Summary of Boot Loaders 93
Summary 94
4 Basic Linux System Administration 95
The Basic Idea 96
Your Very Own Account 97
Creating and Managing Accounts 98
Account Policy 98
Account Structure 99
Adding Users 103
Using Your Own Tools to Add Users 110
Deleting Users 111
Performing Administrative Tasks with su 112
su—The Substitute User 112
Access Control 115
Permissions and Ownership 115
chmod: Changing File Permissions 117
A Closer Look at Groups 127
Creating Groups 129
chown: Assigning User Owner and Group Permissions 132
Removing Groups 134
Bringing Down Your System 135
shutdown: Shutting Down Your Linux System 135
Summary 136
PART II Linux User Security 137
5 Password Attacks 139
What Is a Password Attack? 140
How Linux Generates and Stores Passwords 141
Passwords Down Through the Ages 142
The Data Encryption Standard (DES) 144
Dictionary Attacks 146
Case Study: Cracking Linux Passwords via Dictionary Attack 147
Crack 147
Dictionary Attacks: A Historical Perspective 155
Password Shadowing and the shadow Suite 157
/etc/shadow: The Password shadow Database 158
Beyond Creating and Deleting Users and Groups 170
Possible Attacks Against Your Shadowed System 172
After Installing the shadow Suite 174
Human Password Choices and System Security 174
Proactive Password Checking 179
Other Password Security Issues 182
Password Proliferation and Security 182
Pluggable Authentication Modules 185
Still Other Password Security Solutions 187
Regarding Network Information Service and Password Security 187
Summary 189
6 Data Attacks 191
When Is Data Security Necessary? 192

Real-life Attacks 193
Forms of Data Security 194
Private Keys 194
Public Keys 196
Common Encryption Algorithms 197
mcrypt: Installation and Usage 199
Using mcrypt 201
GnuPG: Installing and Using a Public Key Encryption Utility 205
Generating a Keypair 206
Using Your Keychain 208
Encrypting and Decrypting Documents 210
Adding a GUI to GnuPG 210
Steganography—Time for Something Completely Different 214
Installing and Using JPHIDE/JPSEEK 215
Additional Resources 217
Summary 218
PART III Linux Network Security 219
7 Malicious Code 221
What Is Malicious Code? 222
What Is a Trojan? 222
Viruses 226
Detecting Malicious Code 229
Tripwire 232
Availability of Tripwire 234
Installing Tripwire 234

Configuring and Running Tripwire 241
Checking File Integrity with Tripwire 242
Summary on Tripwire 245
Other File Integrity Checking Software 245
Aide 246
Distributed L6 247
Hobgoblin 247
sXid 248
trojan.pl 248
Additional Resources 248
Summary 249
8 Sniffers and Electronic Eavesdropping 251
How Sniffers Work 252
Case Studies: Performing a Few Simple Sniffer Attacks 254
linsniffer 254
linux_sniffer 258
hunt 264
sniffit 268
Other Sniffers and Network Monitoring Tools 272
Risks Posed by Sniffers 274
Defending Against Sniffer Attacks 276
ifconfig 277
NEPED: Network Promiscuous Ethernet Detector 277
Other, More Generic Defenses Against Sniffers 278
Further Reading 279
Summary 280
9 Scanners 281
What Is a Scanner? 282
Anatomy of a System Scanner 283
Anatomy of a Network Scanner 286

Scanner Building Blocks and Scanner Evolution 290
How Scanners Fit into Your Security Regimen 299
Various Scanner Tools 300
SAINT (Security Administrator’s Integrated Network Tool) 300
Nessus 301
nmap—The Network Mapper 306
CGI scanner v1.0 309
Are Scanners Legal? 314
Defending Against Scanner Attacks 315
courtney (SATAN and SAINT Detector) 315
IcmpInfo (ICMP Scan/Bomb Detector) 317
scan-detector (Generic UDP Scan Detector) 319
klaxon 320
Psionic PortSentry 321
Interesting Resources 322
Summary 323
10 Spoofing 325
What Is Spoofing All About? 326
TCP and IP Spoofing 326
Case Study: A Simple Spoofing Attack 329
A Sample Attack 329
TCP and IP Spoofing Tools 331
What Services Are Vulnerable to IP Spoofing? 332
Preventing IP Spoofing Attacks 334
ARP Spoofing 335
Defending Against ARP Spoofing Attacks 337

DNS Spoofing 338
Other Strange Spoofing Attacks 340
Couic 342
Further Reading 343
Summary 344
PART IV Linux Internet Security 345
11 FTP Security 347
File Transfer Protocol 348
FTP Security History 348
FTP’s Default Security Features 352
/etc/ftpusers: The Restricted Users Access File 352
/etc/ftpaccess: The ftpd Configuration File 354
SSH File Transfers 360
scp 360
sftp 361
Alternative Solutions: SSLftp and sftp 363
Specific FTP Application Security 363
ncftp 363
filerunner 364
ftpwatch 364
wu-ftpd 364
Summary 365
12 Mail Security 367
SMTP Servers and Clients 368
A Simple SMTP Client 370
sendmail Security Basics 374

sendmail Service Protection 381
Other sendmail Resources 391
Replacing sendmail with Qmail 392
Qmail Installation 392
Other Qmail Resources 396
Summary 397
13 Telnet and SSH Security 399
Telnet’s Security History 400
Secure Telnet Systems 402
deslogin 402
Installing the deslogin Distribution 403
STEL (Secure Telnet) 409
SRA Telnet from Texas A&M University 410
The Stanford SRP Telnet/FTP Package 410
Important Documents 411
Secure Shell (ssh) 411
The ssh Core Utilities 413
Quick Start: Installing the ssh Distribution 413
ssh Server Configuration 415
sshd Startup Command-Line Options 418
Starting sshd 421
Using the ssh Client 423
scp: The Secure Copy Remote File Copy Program 425

Providing ssh Services in a Heterogeneous Network 425
PuTTY 425
Tera Term 426
ssh Support for Macintosh 426
Examples of ssh in Action 426
ssh Security Issues 432
Additional Resources 432
Summary 433
14 Web Server Security 435
Eliminating Nonessential Services 436
File Transfer Protocol (FTP) 437
finger 437
Network File System (NFS) 439
Other RPC Services 440
rwalld (The rwall Server) 441
The R Services 441
Other Services 443
Applying Access Control to Running Services 446
Web Server Security 446
httpd 446
Controlling Outside Access: httpd.conf 447
Configuration Options That Can Affect Security 453
The ExecCGI Option: Enabling CGI Program Execution 454
The FollowSymLinks Option: Allowing Users to Follow Symbolic Links 455
The Includes Option: Enabling Server-Side Includes (SSI) 455
The Indexes Option: Enabling Directory Indexing 458
Adding Directory Access Control with Basic HTTP Authentication 459
htpasswd 460
Weaknesses in Basic HTTP Authentication 465
HTTP and Cryptographic Authentication 466
Adding MD5 Digest Authentication 467
Running a chroot Web Environment 468
WebDAV 469
Installing and Configuring WebDAV 470
Using WebDAV on Mac OS X 471
Using WebDAV on Windows 473
Accreditation and Certification 475
PricewaterhouseCoopers, Resource Protection Services (USA) 475
The American Institute of Certified Public Accountants (AICPA) 475
International Computer Security Association (Previously NCSA) 476
Troy Systems 477
Summary 477
15 Secure Web Protocols 479
The Problem 480
Secure Sockets Layer (SSL) from Netscape Communications Corporation 480
SSL’s Security History 481
Installing mod_ssl 485
Unpacking, Compiling, and Installing OpenSSL 485
Unpacking, Compiling, and Installing mod_ssl 487
Testing the Server 494
About Certificates and Certificate Authorities 500
Summary of Apache-SSL 501
Further Reading on SSL 502
Summary 502
16 Secure Web Development 503
Development Risk Factors: A Wide Overview 504
Spawning Shells 504
Executing Shell Commands with system() 505
popen() in C and C++ 509
open() in Perl 511
eval (Perl and shell) 513
exec() in Perl 513
Buffer Overruns 513
About User Input in General 516
Paths, Directories, and Files 517
chdir() 519
Files 519
Embedded Programming Languages 519

Installing PHP 522
Other Embedded Languages 525
Automated CGI Testing Tools 526
Other Interesting Security Programming and Testing Tools 527
Other Online Resources 529
Summary 529
17 File Sharing Security 531
Linux as a File Server 532
Samba 533
Global Directives 534
Share-Level Directives 537
SWAT 540
Other Resources 541
Netatalk 542
Basic Netatalk Configuration 543
Additional Information 544
NFS Security 545
exports 546
Other References 546
Virtual Private Networks 547
IPSEC 547
Summary 548
18 Denial-of-Service Attacks 549
What Is a Denial-of-Service Attack? 551
Risks Posed by Denial-of-Service Attacks 552
Distributed Denial-of-Service Attacks (DDoS) 553
How This Chapter Is Laid Out 554

Network Hardware DoS Attacks 554
Attacks on Linux Networking 558
knfsd Attack 559
ICMP Fragmentation Attack 560
sesquipedalian.c 560
inetd and NMAP 562
lpd Bogus Print Requests 563
mimeflood.pl 563
portmap (and Other RPC Services) 564
Unix Socket Garbage Collection DoS 564
time and daytime DoS 565
teardrop.c 566
identd Open Socket Flood 568
Lynx/chargen Browser Attack 568
nestea.c 569
pong.c and ICMP Floods 569
The Ping of Death 570
octopus.c 571
Attacks on Linux Applications 573
Netscape Communicator Content Type (1) 573
Netscape Communicator Content Type (2) 573
passwd Resource Starvation 574
xdm 575
wtmp Lock 575
Other DoS Attacks 576
Defending Against Denial-of-Service Attacks 579
Online Resources 580
Summary 581
19 Linux and Firewalls 583
What Is a Firewall? 584
Network-Level Firewalls: Packet Filters 585
Application-Proxy Firewalls/Application Gateways 586
Assessing Whether You Really Need a Firewall 588
Internet Gateway/Firewalls 589
tcpd: TCP Wrappers 592
TCP Wrappers and Network Access Control 595
Summary of TCP Wrappers 598
ipfwadm 598
ipfwadm Basics 599
Configuring ipfwadm 602
ipchains 603
ipchains Security History 604
iptables 604
Free Firewall Tools and Add-ons for Linux 605
Commercial Firewalls 606
CSM Proxy/Enterprise Edition 607
GNAT Box Firewall 607
NetScreen 607
Sun Cobalt Adaptive Firewall 608
PIX Firewall 608
Additional Resources 608
Summary 610
20 Intrusion Detection 611
What Is Intrusion Detection? 612
Basic Intrusion Detection Concepts 613

Some Interesting Intrusion Detection Tools 615
chkwtmp 615
tcplogd 616
Snort 617
HostSentry 618
Shadow 619
MOM 620
The HummingBird System 621
AAFID (Autonomous Agents for Intrusion Detection) 622
Practical Intrusion Detection 623
PortSentry 624
Installing and Configuring PortSentry 625
Automating Startup 628
Documents on Intrusion Detection 629
Summary 631
21 Logs and Audit Trails 633
What Is Logging, Exactly? 634
Logging in Linux 635
lastlog 636
last 637
xferlog 640
httpd Logs 641
Samba 645
System and Kernel Messages 647
/var/log/messages: Recording System and Kernel Messages 647
Writing to syslog from Your Own Programs 651
Backing and Handling Logs 654
Other Interesting Logging and Audit Tools 657
SWATCH (The System Watcher) 658
SNORT 659
Watcher 659
NOCOL/NetConsole v4.0 660
PingLogger 660
LogSurfer 660
Analog 661
Summary 661
22 Disaster Recovery 663
What Is Disaster Recovery? 664
Why You Need a Disaster Recovery-Contingency Plan 664
Steps to Take Before Building Your Linux Network 664
Hardware Standardization 664
Software Standardization: Your Basic Config 666
Choosing Your Backup Tools 669
Simple Archiving: tarring and Zipping Your Files and Directories 670
Creating a tar Archive 670
Compressing Your tar Archive with gzip 671
kArchiver 672
cpio: Another File Archive Tool 673
Creating a Hot Archive Site 674
Types of Backups and Backup Strategies 675
Backup Packages 679

KDat 679
KBackup (from Karsten) 680
Enhanced Software Technologies’ BRU 680
AMANDA (the Advanced Maryland Automatic Network Disk Archiver) 681
Odds and Ends 682
Summary 683
PART V Appendixes 685
A Linux Security Command Reference 687
.htaccess 688
.htpasswd 688
ACUA (An Add-On) 689
amadmin 689
amanda 689
amcheck 689
amcleanup 689
amdump 690
amrestore 690
Angel Network Monitor (An Add-On) 690
AppleVolumes.default 690
APS (An Add-On) 690
arp 691
bootpd 691
cfdisk 691
chmod 692
chown 692
chroot 692

CIPE Crypto IP Encapsulation (An Add-On) 693
crypt 693
ctrlaltdel 693
Dante (An Add-On) 693
Deception Toolkit (An Add-On) 694
DOC (Domain Obscenity Control, an Add-On) 694
dns_lint (An Add-On) 694
dnswalk (An Add-On) 694
Ethereal (An Add-On) 694
exports 694
exscan (An Add-On) 695
FakeBO (An Add-On) 695
fdisk 695
finger 695
fingerd 696
ftphosts 696
ftpaccess 696
ftpd 697
ftpshut 697
ftpwho 697
GNU Privacy Guard (An Add-On) 697
halt 698
hosts_access 698
hosts.allow 698
hosts.deny 698
hosts_options 698
hosts.equiv 699

HostSentry from the Abacus Project 699
htpasswd 699
httpd 700
identd 700
IdentTCPscan (An Add-On) 700
inetd.conf 700
ip_filter (An Add-On) 701
IPAC (An Add-On) 701
IPchains 702
ipfwadm 702
IPTables 702
IPv4 & IPv6 Sniffer 702
ISS (An Add-On) 702
KSniffer (An Add-On) 703
last 703
Logcheck from the Abacus Project (An Add-On) 703
lsof (An Add-On) 703
MAT (Monitoring and Administration Tool, an Add-On) 704
WebDAV (mod_dav—an Apache Add-On) 704
mod_ssl (An Apache Add-On) 704
MOM (An Add-On) 704
msystem (An Add-On That’s Made for Unix but Can Work with Linux) 704
NEPED (Network Promiscuous Ethernet Detector, an Add-On) 705
Nessus (An Add-On) 705
netstat 705
NMAP (The Network Mapper, an Add-On) 705
npasswd (An Add-On) 706

ntop (An Add-On) 706
OpenSSL 706
passwd 706
passwd+ (An Add-On) 707
pgp4pine 707
ping 707
ps 708
qmail (An Add-On) 708
QueSo (An Add-On) 708
rcmd 708
rcp 709
reboot 709
rlogin 709
rhosts 709
rhosts.dodgy (An Add-On) 710
rsh 710
scp 710
PortSentry from the Abacus Project 710
services 711
shadow 711
Shadow in a Box (An Add-On) 711
showmount 711
shutdown 712
SINUS (An Add-On) 712
smb.conf 712
Snort (An Add-On) 712
SocketScript (An Add-On) 712

ssh 713
ssh-add 713
ssh-agent 713
ssh-keygen 713
sshd 713
Strobe (An Add-On) 714
sudo 714
Swan (An Add-On) 714
sXid Secure (An Add-On) 714
sysklogd 714
System Administrator’s Tool for Analyzing Networks (SATAN, an Add-On) 715
tcpd (TCP Wrappers) 715
tcpdchk 715
tcpdmatch 715
tcpdump 716
tftp 716
The Linux Shadow Password Suite (An Add-On) 716
traceroute 716
traffic-vis (An Add-On) 718
Trinux (An Add-On) 718
TripWire (An Add-On) 718
trafgraf 718
trojan.pl 718
ttysnoop 719
vipw 719
visudo 719

w 719
who 720
whois 720
xinetd.conf 721
Xlogmaster (An Add-On) 721
B Linux Security Index—Older Linux Security Issues 723
Summary 739
C Other Useful Linux Security Tools 741
D Sources for More Information 767
Linux Security Patches, Updates, and Advisories 768
Mailing Lists 768
Usenet Newsgroups 771
Secure Programming 773
General Web Security 776
General Security Resources 777
RFCs of Interest 787
E Glossary 797
Index 837
About the Authors
Anonymous is a self-described Unix and Perl fanatic who lives in southern California with his
wife Michelle and a half-dozen computers. He currently runs an Internet security consulting
company and is at work building one of the world’s largest computer security archives. He
also moonlights doing contract programming for several Fortune 500 firms.
John Ray is an award-winning developer and security consultant with more than 16 years of
programming and administration experience. He has worked on projects for the FCC, The
Ohio State University, Xerox, and the state of Florida, as well as serving as IT Director for
Blue Cosmos Design, Inc. Ray has written/contributed to more than 10 titles currently in print,
ranging from Using TCP/IP: Special Edition to Sams Teach Yourself Dreamweaver UltraDev 4
in 21 Days.

Dedications
For Harlie, my sister. For you, I stopped the clocks. I wound down the money machine.
I bade the planets come to rest and commanded that all the winds fall silent, merely so that
I could hear you. I still hear you now, laughing, as you rush through the trees in our garden.
—Anonymous
In memory of
Carol Neuschwander
and
William C. Ray, I
—John Ray
Acknowledgments
The following persons were indispensable: Harry Reginald Hammond, Michael Michaleczko,
Scott Lobel, David Fugate, Andrew Marsh, Tonie Villeneuve, and John Sale. Additionally, my
deepest thanks to a superb editing team: Mark Taber, Scott Meyers, Shelley Johnston
Markanday, Randi Roger, Jason Byars, Steve Epstein, Dan Scherf, Mike Henry, and Ben Berg.
—Anonymous
Many thanks to the wonderful people at Sams, including Shelley Johnston Markanday, Scott
Meyers, and Leah Kirkpatrick. I’d also like to express my gratitude to Jason and Steve, the
tech editors, for checking and double-checking each example and URL, and to the original
author (who shall continue to remain nameless) for creating a work that was a delight to
update, yet comprehensive in scope. Finally, a very special thanks to Amtrak security and
Chicago police for not shooting me or my companion during our recent train ride.
—John Ray
Tell Us What You Think!
As the reader of this book, you are our most important critic and commentator. We value your
opinion and want to know what we’re doing right, what we could do better, what areas you’d
like to see us publish in, and any other words of wisdom you’re willing to pass our way.
You can e-mail or write me directly to let me know what you did or didn’t like about this book—as well as what we can do to make our books stronger.
Please note that I cannot help you with technical problems related to the topic of this book,
and that due to the high volume of mail I receive, I might not be able to reply to every
message.
When you write, please be sure to include this book’s title and author as well as your name
and phone or e-mail address. I will carefully review your comments and share them with the
author and editors who worked on the book.
E-mail:

Mail: Mark Taber
Associate Publisher
Sams Publishing
201 West 103rd Street
Indianapolis, IN 46290 USA
Introduction
As little as four years ago, Linux books were a rarity on the bookstand. The fledgling operating system was considered a dead-end by some, and a hobby operating system by others. The marketplace for a Linux security book was, as you might guess, remarkably small. Today, Linux growth in the server marketplace easily outpaces commercial operating systems such as Windows NT. Expansion into the consumer arena has also started, with the maturation of the KDE and GNOME environments and the strong support of innovative companies such as Eazel.
No matter how you use Linux, you need to understand its security model. The advent of widespread broadband service has suddenly turned each connected computer into the potential tool of a hacker. Without the proper security provisions, you risk the loss of data, theft of information, perhaps even criminal prosecution for negligence. To make matters worse, Linux distributions are not created equal. Depending on the version of Linux you’re installing, you might be getting a system more secure than traditional desktop operating systems, or a computer more open and exposed than Windows NT on its worst day.

With this revision, Maximum Linux Security continues its tradition of providing the most comprehensive and up-to-date information available. Those new to Linux will enjoy the depth of coverage, and seasoned pros will appreciate the unbiased look at new and upcoming technologies. Linux security is no longer just useful to a select few, and Maximum Linux Security will continue to bring the latest tools and developments to you, the reader.
This Book’s Organization
Over the course of writing several books, I’ve learned much about structure and organization.
Armed with this knowledge, I’ve examined my earlier works and found serious shortcomings
that might have prevented readers from quickly locating important information. To prevent that
from happening again, I wrote this book with a new approach.
In particular, Maximum Linux Security is cross-referenced exceptionally well, and is therefore
a more cohesive resource. Such cross-referencing inevitably leads to better indexing, too—a
critical point that’s often overlooked in otherwise superb books.
This book’s most valuable facet, in fact, might be how I cross-referenced it. Let’s briefly cover
that issue now.
How This Book Is Cross-Referenced
Authors of books like this one generally enjoy certain advantages. For example, imagine if this
book’s title were Maximum NT Security. I could write it swiftly, cover to cover, secure in the
knowledge that Windows NT users have years of experience (if not with NT, with Windows 3,
3.1, 3.11, 95, and 98). Indeed, my readers would quickly understand and implement every suggestion and tip.
But this book is a special case. Although Linux users now number more than 10 million, the
majority of them have used Linux for less than one year. In fact, many are just now getting
their bearings. Additionally, although excellent Linux security documentation is available
online, there are few hardcopy books on the subject. Again, this is in contrast to Windows NT.
A big problem that is being addressed (albeit slowly), is the availability of GUI software for
configuring much of Linux’s server functionality. Unlike Windows NT, Linux was built with command-line tools and has been adding graphic interfaces to these tools over time. In the
Windows world, much of the configuration is handled by centralized management software and
with preferences being stored in a proprietary binary database—also known as the Registry.
Linux developers, on the other hand, often break up essential functions into separate commands, or files, or both. A good example is the tcpd system, which allows you to accept or deny network connections from specified hosts or host hierarchies. To skillfully employ tcpd, you must be familiar with several commands and files:
• /etc/hosts.allow—A table of host access rules
• /etc/hosts.deny—A table of host denial rules
• hosts_access—A system and language for establishing access rules
• hosts_options—An extension to hosts_access
• tcpd—The TCP daemon
• tcpdchk—A tool that verifies your tcpd-centric configuration
• tcpdmatch—A tool that interactively demonstrates your rules
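To make the interplay of those files concrete, here is an added example (it is not code from Maximum Linux Security or from the TCP Wrappers package): a small Python simulator of the hosts_access evaluation order, run over constructed hosts.allow and hosts.deny contents. It implements the documented core of the rule language (daemon_list : client_list entries, ALL, LOCAL, domain suffixes, network prefixes, net/mask patterns and EXCEPT) and deliberately leaves out the reverse-lookup checks (KNOWN, UNKNOWN, PARANOID) and the option field, so it is a teaching model for the rule semantics, not a substitute for running tcpdchk and tcpdmatch against your real files.

```python
"""Simulate how tcpd evaluates /etc/hosts.allow and /etc/hosts.deny.

Added illustration, not code from Maximum Linux Security or from the
TCP Wrappers package. It reimplements the documented core of the
hosts_access(5) rule language so the evaluation order can be seen on
sample input: an entry is 'daemon_list : client_list'; the allow file
is consulted first, then the deny file, and a connection that matches
neither is accepted. Supported client patterns: ALL, LOCAL, a leading
'.' (domain suffix), a trailing '.' (network prefix), net/mask, an
exact host name or address, and EXCEPT. Reverse-lookup checks
(KNOWN/UNKNOWN/PARANOID) and the option field are out of scope.
"""
import ipaddress

# Constructed sample files: a host that offers sshd to its own LAN
# (minus one address) and to one domain, and every other wrapped
# service only to dot-less (local) host names.
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd : 192.168.1. EXCEPT 192.168.1.99
sshd : .corp.example
ALL  : LOCAL
"""

# The default-deny entry that makes the allow file authoritative.
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] from a rule file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def match_list(patterns, value, match_one):
    """'a b EXCEPT c d' matches when a or b match and neither c nor d does."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (match_list(patterns[:i], value, match_one)
                and not match_list(patterns[i + 1:], value, match_one))
    return any(match_one(p, value) for p in patterns)


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_client(pattern, client):
    hostname, ip = client
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # host name without a dot
        return "." not in hostname
    if pattern.startswith("."):                 # domain suffix
        return hostname.endswith(pattern)
    if pattern.endswith("."):                   # dotted network prefix
        return ip.startswith(pattern)
    if "/" in pattern:                          # net/mask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == hostname or pattern == ip


def access_allowed(daemon, hostname, ip, allow_text, deny_text):
    """Apply the hosts_access order: allow file, then deny file, then accept."""
    client = (hostname, ip)

    def any_match(text):
        return any(match_list(d, daemon, match_daemon)
                   and match_list(c, client, match_client)
                   for d, c in parse_rules(text))

    if any_match(allow_text):
        return True
    if any_match(deny_text):
        return False
    return True                                 # no rule matched: tcpd accepts


if __name__ == "__main__":
    cases = [
        ("sshd", "ws12.corp.example", "192.168.1.12"),
        ("sshd", "kiosk.guest.example", "192.168.1.99"),
        ("sshd", "laptop.corp.example", "203.0.113.7"),
        ("ftpd", "ws12.corp.example", "192.168.1.12"),
        ("ftpd", "printer", "192.168.1.40"),
    ]
    for daemon, host, addr in cases:
        print(daemon, host, addr, access_allowed(daemon, host, addr, HOSTS_ALLOW, HOSTS_DENY))
    # The same request with an empty deny file shows tcpd's default:
    print("ftpd from 203.0.113.7 with empty hosts.deny:",
          access_allowed("ftpd", "x.example.net", "203.0.113.7", HOSTS_ALLOW, ""))
```

The last case is the one worth remembering: with hosts.deny empty, a connection that matches no allow rule is accepted, because tcpd's default is to permit. The ALL : ALL entry in hosts.deny is what turns hosts.allow into a positive list. Once the real files are in place, tcpdchk reports rules it cannot parse or that refer to unknown daemons, and tcpdmatch lets you try a daemon and client pair against the live configuration before relying on it.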
These arrangements can be frustrating and confusing for first-time Linux users. They might
become discouraged, believing that they’ll never properly configure all those commands and
files. This understandably contributes to Linux’s reputation as a difficult-to-configure operating
system.
Finally, Linux conforms to the axiom most commonly attributed to Perl programmers: There’s
more than one way to do it. Linux often has several commands that perform the same (or substantially the same) function.