Linux basic configurations - linux security http://basicconfig.com/taxonomy/term/13 en Linux security tutorials http://basicconfig.com/linux-security-tutorials <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><h2>Overview</h2> <p>Here are some Linux security tutorials:</p> <div class="services"> <div class="service-left grid_6 alpha"> <h2>Basic Linux security</h2> <img src="/sites/all/themes/corporateclean/mockup/web-design.png" style="float:left; padding:0 10px 0 0;"/>Computer security has become a critical subject in information technology systems these days. Looking back in history, security threats started a long time ago, during the 1970s, when the telephone system was hacked. <div style="clear:both; padding:10px 0 0 0; text-align:right;"><a class="more" href="linuxsecurity">View page</a></div> </div> <div class="service-right grid_6 omega"> <h2>Setup firewall in Ubuntu</h2> <img src="/sites/all/themes/corporateclean/mockup/graphic-design.png" style="float:left; padding:0 10px 0 0;"/>There are two types of firewalls available in Linux, a packet filtering firewall and a proxy-based firewall. Most Linux users use a packet filtering firewall to set up a basic firewall for their system because Linux already comes with a firewall package by default. <div style="clear:both; padding:10px 0 0 0; text-align:right;"><a class="more" href="security/setup_firewall_ubuntu_using_ufw">View page</a></div> </div> </div> <div class="services"> <div class="service-left grid_6 alpha"> <h2>How to upgrade software</h2> <img src="/sites/all/themes/corporateclean/mockup/seo.png" style="float:left; padding:0 10px 0 0;"/>You can always use a Slackware package management tool such as slackpkg to upgrade software or install security patches for your Slackware system. 
However, the FTP mirrors sometimes take a while to get the latest software or security patches onto their servers. <div style="clear:both; padding:10px 0 0 0; text-align:right;"><a class="more" href="security/howto_upgrade_software_install_security_patch_slackware_linux">View page</a></div> </div> </div></div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/taxonomy/term/13" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux security</a></div></div></div> Tue, 10 Dec 2013 14:08:21 +0000 jinlusuh 138 at http://basicconfig.com http://basicconfig.com/linux-security-tutorials#comments Install and configure Squid in Slackware http://basicconfig.com/linuxnetwork/install-squid-in-slackware64-13.37 <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>This is a guide on how to create a Slackware Squid package using scripts from SlackBuilds.org, install it in Slackware 13.37 (also Slackware64 14.1) and configure the squid.conf configuration file. It is just a basic configuration to get a Squid cache proxy server working. Advanced settings are not included. You should read about Squid and understand at least the basics before trying this step-by-step guide. Here is the <a href="http://www.squid-cache.org" target="_blank">Squid-cache website</a>. Before we begin, please make sure you have these basic requirements:</p> <ol><li>Two network interface cards.</li> <li>A DHCP server set up.</li> </ol><p>The IP addresses must be set and working. For example, the first network card, eth0, is set and connected to the router. The second network card, eth1, is set and connected to the local network's switch. 
Here is a tutorial on how to configure a network card in Slackware: <a href="http://www.basicconfig.com/basicnetwork" target="_blank">Linux basic network configuration</a>. After that, set up a DHCP server and make Slackware a gateway. Here is a guide on how to set up a DHCP server in Slackware: <a href="http://www.basicconfig.com/linuxnetwork/install_configure_dhcp_server_slackware_linux" target="_blank">Install and configure dhcp server in Slackware Linux</a>. When all of that is working, you can begin the Squid cache proxy server configuration.</p> <p>This tutorial consists of several steps. Basically, here's what we are going to do:</p> <ul><li>Create Squid package for Slackware</li> <li>Install Squid package in Slackware</li> <li>Configure Squid cache proxy server in Slackware</li> <li>Configure Squid to block some domains and files</li> <li>Start Squid daemon in Slackware</li> </ul><h2>Create Squid package for Slackware</h2> <p>1) Download the necessary files from SlackBuilds.org. All the information needed is on the SlackBuilds website. Enter 'squid' in the search form and select your Slackware version.</p> <p>2) When you have all the necessary files, change directory to your working area and extract the Squid SlackBuild script archive. See the example below:</p> <table><tr><td><code>root@slackware:~# <span style="color:red;">cd slackware/source/myslackware/</span><br /> root@slackware:~/slackware/source/myslackware# <span style="color:red;">tar zxvf /home/jinlusuh/squid/squid.tar.gz</span><br /> squid/<br /> squid/squid.logrotate<br /> squid/README<br /> squid/doinst.sh<br /> squid/squid.conf<br /> squid/squid.info<br /> squid/slack-desc<br /> squid/README.SBo<br /> squid/squid.SlackBuild<br /> squid/squid.conf.documented<br /> squid/rc.squid<br /> root@slackware:~/slackware/source/myslackware#<br /></code></td> </tr></table><p>3) Change directory to the "squid" directory that we've just extracted from the SlackBuild script archive. Copy the Squid source, 'squid-3.1.xx.tar.bz2', into the directory. 
See the step-by-step commands below:</p> <p><strong>Note:</strong> <em>Slackware 13.37 uses the squid-3.1.12.tar.bz2 source, Slackware 14.1 uses the squid-3.1.23.tar.bz2 source. The instruction steps and commands are the same.</em></p> <table><tr><td><code>root@slackware:~/slackware/source/myslackware# <span style="color:red;">cd squid/</span><br /> root@slackware:~/slackware/source/myslackware/squid# <span style="color:red;">cp /home/jinlusuh/squid/squid-3.1.xx.tar.bz2 .</span><br /> root@slackware:~/slackware/source/myslackware/squid#<br /></code></td> </tr></table><p>4) Run the squid.SlackBuild script to create the Slackware Squid package:</p> <table><tr><td><code>root@slackware:~/slackware/source/myslackware/squid# <span style="color:red;">./squid.SlackBuild </span><br /></code></td> </tr></table><p>5) When the process is over, you can find the resulting Slackware Squid package in the /tmp directory (the default SlackBuild configuration). Now change directory to /tmp and copy the Squid package somewhere as a backup. See the step-by-step example below:</p> <table><tr><td><code>root@slackware:~/slackware/source/myslackware/squid# <span style="color:red;">cd /tmp/</span><br /> root@slackware:/tmp# <span style="color:red;">cp squid-3.1.xx-x86_64-1_SBo.tgz ~/slackware/packages/</span><br /></code></td> </tr></table><h2>Install Squid package in Slackware</h2> <p>Now that the Squid package is ready, let's install it using the Slackware 'installpkg' tool. 
Below is the example on how to install Squid package in Slackware:</p> <table><tr><td><code>root@slackware:/tmp# <span style="color:red;">installpkg squid-3.1.xx-x86_64-1_SBo.tgz </span><br /> Verifying package squid-3.1.xx-x86_64-1_SBo.tgz.<br /> Installing package squid-3.1.xx-x86_64-1_SBo.tgz:<br /> PACKAGE DESCRIPTION:<br /> # Squid (a popular free and open source Web proxy server and web cache)<br /> #<br /> # Squid is a high-performance proxy caching server for web clients,<br /> # supporting FTP, gopher, and HTTP data objects.<br /> #<br /> # Homepage: http://www.squid-cache.org/<br /> #<br /> Executing install script for squid-3.1.xx-x86_64-1_SBo.tgz.<br /> Package squid-3.1.xx-x86_64-1_SBo.tgz installed.<br /><br /> root@slackware:/tmp#<br /></code></td> </tr></table><h2>Configure Squid cache proxy server in Slackware</h2> <p>We are ready to configure Squid in Slackware as a cache proxy server. Change the directory /etc/squid. This is the home of Squid configuration files.</p> <table><tr><td><code>root@slackware:/tmp# <span style="color:red;">cd /etc/squid/</span><br /> root@slackware:/etc/squid# <span style="color:red;">ls</span><br /> cachemgr.conf errorpage.css.default squid.conf<br /> cachemgr.conf.default mime.conf squid.conf.default<br /> errorpage.css mime.conf.default squid.conf.documented<br /> root@slackware:/etc/squid#<br /></code></td> </tr></table><p>You can start configure squid by editing the squid configuration file which is the /etc/squid/squid.conf file.</p> <table><tr><td><code>root@slackware:~# <span style="color:red;">vim /etc/squid/squid.conf</span><br /></code></td> </tr></table><p>Scroll down to the 'Recommended minimum configuration' or you can type '/Recommended minimum configuration' and press Enter. 
See example below:</p> <table><tr><td><code># Recommended minimum configuration:<br /> #<br /> acl manager proto cache_object<br /> acl localhost src 127.0.0.1/32 ::1<br /> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1<br /><br /> # Example rule allowing access from your local networks.<br /> # Adapt to list your (internal) IP networks from where browsing<br /> # should be allowed<br /> #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br /> #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br /> #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<br /> #acl localnet src fc00::/7 # RFC 4193 local private network range<br /> #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br /><span style="color:red;">acl localnet src 192.168.1.0/255.255.255.0 # Makmal Bahasa internal network</span><br /><br /> acl SSL_ports port 443<br /> acl Safe_ports port 80 # http<br /> acl Safe_ports port 21 # ftp<br /> acl Safe_ports port 443 # https<br /> acl Safe_ports port 70 # gopher<br /> acl Safe_ports port 210 # wais<br /> acl Safe_ports port 1025-65535 # unregistered ports<br /> acl Safe_ports port 280 # http-mgmt<br /> acl Safe_ports port 488 # gss-http<br /> acl Safe_ports port 591 # filemaker<br /> acl Safe_ports port 777 # multiling http<br /> acl CONNECT method CONNECT<br /></code></td> </tr></table><p>The red color font is a local network that we add to the proxy server. Next, we are going to set the http port for the proxy. So scroll down again until you found http_port as in the example below:</p> <table><tr><td><code># Squid normally listens to port 3128<br /> #http_port 3128<br /> #http_port 192.168.1.1:8080<br /><span style="color:red;">http_port 8080</span><br /></code></td> </tr></table><p>You can use the default port if you want. When you are done, we can set the cache directory size now. Scroll down and find 'cache_dir' as in the example below. 
The format is "cache_dir ufs Directory-Name Mbytes L1 L2 [options]" where L1 is the number of level-one subdirectories and L2 is the number of level-two subdirectories.</p> <table><tr><td><code>#Default:<br /><span style="color:red;">cache_dir ufs /var/cache/squid/ 5000 16 256</span><br /></code></td> </tr></table><p>That's the basic setting to get the cache proxy server working. The rest is up to you.</p> <h2>Configure Squid to block some domains and files</h2> <p>We can use Squid to restrict access to some domains using an access list (acl). What we need to do is configure the acl in the /etc/squid/squid.conf file and create a file containing the blocked domain names. Here are the steps:</p> <p>1. Add these red lines to the /etc/squid/squid.conf file:</p> <table><tr><td><code># Recommended minimum configuration:<br /> #<br /> acl manager proto cache_object<br /> acl localhost src 127.0.0.1/32 ::1<br /> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1<br /><br /><span style="color:red;">acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"</span><br /> # Deny all blocked domains<br /><span style="color:red;">http_access deny blockeddomain</span><br /></code></td> </tr></table><p>Create a file named blocked.domains.acl in the /etc/squid directory. Add the domains that you want to restrict access to. Here is the example:</p> <table><tr><td><code>root@slackware:~# <span style="color:red;">vim /etc/squid/blocked.domains.acl</span></code></td> </tr></table><p>Add the domain names, one per line:</p> <table><tr><td><code>.facebook.com<br /> .youtube.com<br /> .onlinegames.com<br /></code></td> </tr></table><p>We put '.' at the beginning of the domain so that subdomains are blocked too, including when the address starts with www. Save and quit the file.</p> <p>We can also restrict certain files that we don't want users to download by blocking the file extension. 
To do that, add the lines in red to the /etc/squid/squid.conf file:</p> <table><tr><td><code># Recommended minimum configuration:<br /> #<br /> acl manager proto cache_object<br /> acl localhost src 127.0.0.1/32 ::1<br /> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1<br /><br /> acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"<br /> # Deny all blocked domains<br /> http_access deny blockeddomain<br /><br /><span style="color:red;">acl blockfiles urlpath_regex -i "/etc/squid/blocked.files.acl"</span><br /> # Deny all blocked extensions<br /><span style="color:red;">deny_info ERR_BLOCKED_FILES blockfiles<br /> http_access deny blockfiles</span><br /></code></td> </tr></table><p>Create a file named blocked.files.acl in the /etc/squid directory. Add the file extensions that you don't want users to download. Here is the example:</p> <table><tr><td><code>root@slackware:~# <span style="color:red;">vim /etc/squid/blocked.files.acl</span></code></td> </tr></table><p>Add the file extensions, one per line:</p> <table><tr><td><code># \.[Ee][Xx][Ee]$<br /> \.[Aa][Vv][Ii]$<br /> \.[Mm][Pp][Gg]$<br /> \.[Mm][Pp][Ee][Gg]$<br /> \.[Mm][Pp]3$<br /></code></td> </tr></table><p>Save and quit the file and we are done. It's time to run Squid in our network.</p> <h2>Start Squid daemon in Slackware</h2> <p>What you need to do now is start the Squid daemon. Run squid twice: first with the command '/usr/sbin/squid -z' and after that with '/usr/sbin/squid'. Please check that the rc.squid file is executable, make it executable if it is not, and then restart the service. 
Below is the steps example:</p> <table><tr><td><code>root@slackware:~# <span style="color:red;">chmod 755 /etc/rc.d/rc.squid </span><br /> root@slackware:~# <span style="color:red;">/usr/sbin/squid -z </span><br /> 2013/12/31 10:45:00| Creating Swap Directories<br /> 2013/12/31 10:45:00| /var/cache/squid/ exists<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//00<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//01<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//02<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//03<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//04<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//05<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//06<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//07<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//08<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//09<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//0A<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//0B<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//0C<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//0D<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//0E<br /> 2013/12/31 10:45:00| Making directories in /var/cache/squid//0F<br /> root@slackware:~# <span style="color:red;">/usr/sbin/squid </span><br /> 2013/12/31 10:43:20| aclIpParseIpData: WARNING: Netmask masks away part of the specified IP in '192.168.2.0/16'<br /></code></td> </tr></table><p>Oh there are warnings. Open Squid configuration file again and edit the rules. 
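</p> <p>The warning above means that an address in an <code>acl ... src</code> entry has bits set outside its netmask, so the network Squid actually matches is not the one that was typed. The following check is an added example, not part of the original tutorial or of Squid: it scans a squid.conf for such entries and reports the effective network and its size, which matters because any http_access rule that allows the ACL applies to that whole range. The function name <code>audit_acl_networks</code> and the sample configuration are constructed for illustration, Python's <code>ipaddress</code> module stands in for Squid's own parser, and address ranges, hostnames and quoted file references are skipped.</p>

```python
#!/usr/bin/env python3
"""Flag src/dst ACL entries in a squid.conf whose address has bits outside its netmask."""
import ipaddress
import re
import sys

# Constructed sample: ACL lines from the squid.conf excerpts in this tutorial,
# plus the value quoted in the aclIpParseIpData warning.
SAMPLE_CONF = """\
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
#acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 192.168.1.0/255.255.255.0 # Makmal Bahasa internal network
acl localnet src 192.168.2.0/16
acl blockeddomain dstdomain "/etc/squid/blocked.domains.acl"
"""

# Matches: acl NAME src|dst VALUE [VALUE ...]
ACL_LINE = re.compile(r"^\s*acl\s+(\S+)\s+(src|dst)\s+(.+)$")


def audit_acl_networks(conf_text):
    """Return one finding per address whose netmask masks away part of the IP."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments and commented-out rules
        match = ACL_LINE.match(line)
        if not match:
            continue
        name, kind, values = match.groups()
        for value in values.split():
            # Quoted file references, option flags and a-b ranges are out of scope.
            if value.startswith('"') or "-" in value:
                continue
            try:
                ipaddress.ip_network(value, strict=True)
                continue  # address and mask agree, nothing to report
            except ValueError:
                pass
            try:
                # strict=False clears the host bits, giving the range really matched.
                effective = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # hostname or keyword, not an IP literal
            findings.append({
                "line": lineno,
                "acl": name,
                "type": kind,
                "value": value,
                "effective": str(effective),
                "addresses": effective.num_addresses,
            })
    return findings


def format_finding(finding):
    """Render a finding as a single report line."""
    return (
        "line {line}: acl {acl} {type} {value} has host bits set; "
        "effective network is {effective} ({addresses} addresses)"
    ).format(**finding)


def main(argv):
    # With a path argument, check that file; otherwise check the constructed sample.
    if argv[1:]:
        with open(argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_CONF
    findings = audit_acl_networks(text)
    for finding in findings:
        print(format_finding(finding))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>Passing a path such as /etc/squid/squid.conf as the first argument checks that file instead of the sample; the exit status is 1 when any entry is flagged.</p> <p>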
See example below:</p> <table><tr><td><code># Example rule allowing access from your local networks.<br /> # Adapt to list your (internal) IP networks from where browsing<br /> # should be allowed<br /> #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br /> #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br /> #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<br /> #acl localnet src fc00::/7 # RFC 4193 local private network range<br /> #acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br /><span style="color:red;">acl localnet src 192.168.1.0/24 # Makmal Bahasa internal network</span><br /></code></td> </tr></table><p>That's it for now. Don't forget to restart daemon after you modify the configuration file. There are three daemons related in this task which are squid daemon, inet1 (network card) and dhcpd. We are going to set on the client side now. See step by step guide below on how to do it.</p> <p>Start squid at boot by adding script below in /etc/rc.d/rc.local file:</p> <table><tr><td><code>root@slackware:/etc/rc.d# vim rc.local<br /> #!/bin/sh<br /> #<br /> # /etc/rc.d/rc.local: Local system initialization script.<br /> #<br /> # Put any local startup commands in here. Also, if you have<br /> # anything that needs to be run at shutdown time you can<br /> # make an /etc/rc.d/rc.local_shutdown script and put those<br /> # commands in there.<br /><span style="color:red;">if [ -x /etc/rc.d/rc.squid ]; then<br /> /etc/rc.d/rc.squid start<br /> fi</span><br /> root@slackware:/etc/rc.d#<br /></code></td> </tr></table><h2>Setup client to use squid cache proxy server</h2> <p>First we start with Mozilla Firefox browser. 
Click <b>Tools</b> menu and choose <b>Options...</b>.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/2/vista-squid1.jpg" title="" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/2/thumbs/vista-squid1.jpg" alt="Squid cache proxy client Firefox setup image" class="imgp_img" /></a></p> <p>In 'Options' window, choose <b>Advanced</b> tab. There are General, Network, Update and Encryption tabs. Choose <b>Network</b> and in the 'Connection section', click <b>Settings...</b> to configure how Firefox connects to the Internet.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/2/vista-squid2.jpg" title="" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/2/thumbs/vista-squid2.jpg" alt="Squid cache proxy client Firefox setup image2" class="imgp_img" /></a></p> <p>In 'Connection Settings' window, click <b>Manual proxy configuration</b> and key in 'HTTP Proxy' and 'Port'. Don't forget to tick <b>Use this proxy server for all protocols</b>.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/2/vista-squid3.jpg" title="" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/2/thumbs/vista-squid3.jpg" alt="Squid cache proxy client Firefox setup image3" class="imgp_img" /></a></p> <p>Click <b>OK</b> and you are done. 
If you forgot to tick 'Use this proxy server for all protocols' as mentioned above, you'll have trouble connecting to any https sites such as yahoo mail, gmail, etc.</p> <p>For the Internet Explorer browser, follow the steps below to configure the Squid cache proxy client:</p> <p>Open 'Menu bar'.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/2/vista-squid4.jpg" title="" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/2/thumbs/vista-squid4.jpg" alt="Squid cache proxy client IE setup image" class="imgp_img" /></a></p> <p>Click 'Tools' and choose 'Internet Options'.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/2/vista-squid5.jpg" title="" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/2/thumbs/vista-squid5.jpg" alt="Squid cache proxy client IE setup image2" class="imgp_img" /></a></p> <p>In the 'Options' window, choose to set up an Internet connection: click 'Setup'.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/2/vista-squid6.jpg" title="" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/2/thumbs/vista-squid6.jpg" alt="Squid cache proxy client IE setup image3" class="imgp_img" /></a></p> <p>Finally, when the 'Local Area Network Settings' window pops up, enter the Squid proxy server IP address and port in the 'Proxy server' section. Click 'OK' and you are done.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/2/vista-squid7.jpg" title="" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/2/thumbs/vista-squid7.jpg" alt="Squid cache proxy client IE setup image4" class="imgp_img" /></a></p> <p>That's all. The basic configuration and setup is done. You just need to study more about Squid and tweak your Squid configuration to get the best out of it. 
Good luck and all the best!</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/taxonomy/term/16" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux server</a></div><div class="field-item odd" rel="dc:subject"><a href="/taxonomy/term/21" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">proxy server</a></div><div class="field-item even" rel="dc:subject"><a href="/taxonomy/term/13" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux security</a></div></div></div> Wed, 22 Jun 2011 06:52:12 +0000 jinlusuh 128 at http://basicconfig.com http://basicconfig.com/linuxnetwork/install-squid-in-slackware64-13.37#comments How to upgrade software or install security patches for Slackware Linux http://basicconfig.com/security/howto_upgrade_software_install_security_patch_slackware_linux <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>You can always use a Slackware package management tool such as slackpkg to upgrade software or install security patches for your Slackware system. However, the FTP mirrors sometimes take a while to get the latest software or security patches onto their servers. So the best way is to upgrade them yourself. This is an example of how to upgrade software or install security patches for Slackware Linux. The first thing you need to do is subscribe to the Slackware security mailing list from the Slackware website. To do this, visit the <a href="http://www.slackware.com/lists/" target="_blank">Slackware mailing list</a> page at the official Slackware website. 
The picture below is an example of the current Slackware mailing list page:</p> <p><a href="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/security_patch01.png" title="Image" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/thumbs/security_patch01.png" alt="Slackware mailing list subscription page screenshot image" /></a></p> <p>It is easy to subscribe to the Slackware security mailing list. You just have to email the Slackware security team and mention which mailing list you want to subscribe to. The details can be found on the Slackware mailing list subscription page. You'll start receiving security mailing list messages in your email once you have successfully completed the mailing list subscription procedure.</p> <h2>Upgrade software or install security patches for Slackware Linux</h2> <p>You'll receive an email when there is an upgrade or security patch for Slackware. See the example screenshot below:</p> <p><a href="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/security_patch02.png" title="Image" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/thumbs/security_patch02.png" alt="Slackware mailing list for security patches screenshot image" /></a></p> <p>This tutorial shows how to upgrade or patch Mozilla Firefox as an example. When there is a Slackware security notification in your email inbox, read the email and choose the correct update package version for your Slackware system. Click the link to download the package. Save the package in your Slackware user home directory. See the example screenshot below:</p> <p><a href="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/security_patch03.png" title="Image" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/thumbs/security_patch03.png" alt="Slackware download security patch screenshot image" /></a></p> <p>The software download is in progress. 
Wait until the process complete.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/security_patch04.png" title="Image" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/thumbs/security_patch04.png" alt="Software download progress screenshot image" /></a></p> <p>When the download finished, switch to command line terminal and login as root. Use Slackware upgradepkg command to upgrade the software. See the example below:</p> <table><tr><td><code>root@slackware:~# <span style="color:red;">upgradepkg /home/luzar/Desktop/mozilla-firefox-3.0.8-i686-1.tgz</span><br /><br /> +==============================================================================<br /> | Upgrading mozilla-firefox-3.0.7-i686-1 package using /home/luzar/Desktop/mozilla-firefox-3.0.8-i686-1.tgz<br /> +==============================================================================<br /><br /> Pre-installing package mozilla-firefox-3.0.8-i686-1...<br /><br /> Removing package /var/log/packages/mozilla-firefox-3.0.7-i686-1-upgraded-2009-03-28,16:12:35...<br /> - - -<br /> - - -<br /> Installing package mozilla-firefox-3.0.8-i686-1...<br /> PACKAGE DESCRIPTION:<br /> mozilla-firefox: mozilla-firefox (Mozilla Firefox Web browser)<br /> mozilla-firefox:<br /> mozilla-firefox: This project is a redesign of the Mozilla browser component written<br /> mozilla-firefox: using the XUL user interface language. 
Firefox empowers you to<br /> mozilla-firefox: browse faster, more safely and more efficiently than with any other<br /> mozilla-firefox: browser.<br /> mozilla-firefox:<br /> mozilla-firefox: Visit the Mozilla Firefox project online:<br /> mozilla-firefox: http://www.mozilla.org/projects/firefox/<br /> mozilla-firefox:<br /> Executing install script for mozilla-firefox-3.0.8-i686-1...<br /><br /> Package mozilla-firefox-3.0.7-i686-1 upgraded with new package /home/luzar/Desktop/mozilla-firefox-3.0.8-i686-1.tgz.<br /><br /> root@slackware:~#<br /></code></td> </tr></table><p>If you installed firefox plugins such as Adobe Flash player, you have to copy the plugins manually. When the Firefox installation is complete, change directory to /usr/lib/firefox-3.0.X/plugins, where X is firefox previous version. Copy the plugins to the new firefox directory. See the example below on how to do this:</p> <table><tr><td><code>root@slackware:~# <span style="color:red;">cd /usr/lib/firefox-3.0.7/plugins</span><br /> root@slackware:/usr/lib/firefox-3.0.7/plugins# <span style="color:red;">ls</span><br /> libflashplayer.so*<br /> root@slackware:/usr/lib/firefox-3.0.7/plugins# <span style="color:red;">cp * ../../firefox-3.0.8/plugins</span><br /></code></td> </tr></table><p>Now we can safely remove the old firefox version with <strong>rm -r</strong> command. See the example below:</p> <table><tr><td><code>root@slackware:/usr/lib/firefox-3.0.7/plugins# cd ../..<br /> root@slackware:/usr/lib# <span style="color:red;">ls -l | grep firefox</span><br /> lrwxrwxrwx 1 root root 13 2009-03-28 16:12 firefox -&gt; firefox-3.0.8/<br /> drwxr-xr-x 3 root root 4096 2009-03-28 16:12 firefox-3.0.7/<br /> drwxr-xr-x 14 root root 4096 2009-03-28 07:46 firefox-3.0.8/<br /> root@slackware:/usr/lib# <span style="color:red;">rm -r firefox-3.0.7/</span><br /> root@slackware:/usr/lib#<br /></code></td> </tr></table><p>Switch back to the kde x-window and start Firefox. 
The new version of Firefox started and it will check the compatibility for add-ons you installed in the previous version.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/security_patch05.png" title="Image" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/thumbs/security_patch05.png" alt="Firefox check compatibility screenshot image" /></a></p> <p>You'll get the latest Firefox version updated page which means you have successfully upgraded and patched the software.</p> <p><a href="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/security_patch06.png" title="Image" target="_blank"><img src="http://www.basicconfig.com/files/imagepicker/s/suarkuyak/thumbs/security_patch06.png" alt="Firefox successfull upgrade screenshot image" /></a><br /></p> <p>That's all. Upgrading and patching your Slackware is not a hard and complicated job as many people said. Make it a priority so that your Slackware system always secure.</p> </div></div></div><!-- google_ad_section_end --><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/taxonomy/term/4" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux administration</a></div><div class="field-item odd" rel="dc:subject"><a href="/taxonomy/term/13" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux security</a></div></div></div> Sat, 28 Mar 2009 08:47:51 +0000 jinlusuh 141 at http://basicconfig.com http://basicconfig.com/security/howto_upgrade_software_install_security_patch_slackware_linux#comments Setup firewall in Ubuntu using ufw http://basicconfig.com/security/setup_firewall_ubuntu_using_ufw <!-- google_ad_section_start --><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" 
property="content:encoded"><p>There are two types of firewalls available in Linux, a packet filtering firewall and a proxy-based firewall. Most Linux users use a packet filtering firewall to set up a basic firewall for their system because Linux already comes with a firewall package by default.</p> <p>The Linux kernel comes with a module called <b>netfilter</b>. Netfilter is used to manipulate incoming and outgoing traffic in a Linux system. You can use the locate command to find netfilter in your Linux system, as in the example below:</p> <table><tr><td><code>luzar@ubuntu:~$ <span style="color:red;">locate netfilter</span><br /> /lib/modules/2.6.24-19-server/kernel/net/netfilter<br /> /lib/modules/2.6.24-19-server/kernel/net/bridge/netfilter<br /> /lib/modules/2.6.24-19-server/kernel/net/bridge/netfilter/ebt_802_3.ko<br /> /lib/modules/2.6.24-19-server/kernel/net/bridge/netfilter/ebt_among.ko<br /> /lib/modules/2.6.24-19-server/kernel/net/bridge/netfilter/ebt_arp.ko<br /> /lib/modules/2.6.24-19-server/kernel/net/bridge/netfilter/ebt_arpreply.ko<br /> ...<br /> ...<br /></code></td> </tr></table><p>However, netfilter by itself cannot do anything without being configured. For that, Linux has <b>iptables</b>, a command line user interface to manipulate and configure rules. Netfilter refers to those rules to accept or reject incoming or outgoing packets in a Linux system.</p> <h2>Ubuntu ufw configuration</h2> <p>Ubuntu ufw is a user-friendly interface for configuring the firewall in an Ubuntu system. It is an alternative for users who find iptables difficult to use. ufw stands for uncomplicated firewall. 
Here is a part of ufw manual page:</p> <table><tr><td><code>NAME<br /> ufw - program for managing a netfilter firewall<br /><br /> DESCRIPTION<br /> This program is for managing a Linux firewall and aims to provide an easy to use interface for the user.<br /><br /> USAGE<br /> ufw [--dry-run] enable|disable<br /><br /> ufw [--dry-run] default allow|deny<br /><br /> ufw [--dry-run] logging on|off<br /><br /> ufw [--dry-run] status<br /><br /> ufw [--dry-run] [delete] allow|deny PORT[/protocol]<br /><br /> ufw [--dry-run] [delete] allow|deny [proto protocol] [from ADDRESS [port PORT]]<br /> [to ADDRESS [port PORT]]<br /></code></td> </tr></table><p>ufw is not enabled by default. Check ufw status with this command:</p> <table><tr><td><code>luzar@ubuntu:~$ <span style="color:red;">sudo ufw status</span><br /> Firewall not loaded<br /> luzar@ubuntu:~$<br /></code></td> </tr></table><p>To use ufw to configure rules for Ubuntu firewall, we need to enable it. Here's the command to enable ufw:</p> <table><tr><td><code>luzar@ubuntu:~$ <span style="color:red;">sudo ufw enable</span><br /> [sudo] password for luzar:<br /> Firewall started and enabled on system startup<br /> luzar@ubuntu:~$<br /></code></td> </tr></table><p>To disable ufw, use this command:</p> <table><tr><td><code>luzar@ubuntu:~$ <span style="color:red;">sudo ufw disable</span><br /> Firewall stopped and disabled on system startup<br /> luzar@ubuntu:~$<br /></code></td> </tr></table><p>To add a firewall rule, use <b>ufw allow</b> command. Make sure to enable ufw before running this command. 
Here is an example that adds a rule allowing the ssh service:</p> <table><tr><td><code>luzar@ubuntu:~$ <span style="color:red;">sudo ufw allow ssh</span><br /> Rule added<br /> luzar@ubuntu:~$ <span style="color:red;">sudo ufw status verbose</span><br /> Firewall loaded<br /><br /> To Action From<br /> -- ------ ----<br /> 22:tcp ALLOW Anywhere<br /> 22:udp ALLOW Anywhere<br /><br /> luzar@ubuntu:~$<br /></code></td> </tr></table><p>We can also use the <b>--dry-run</b> option to check the rules that would be applied. The --dry-run option does not modify anything; it just shows the changes. Here is an example:</p> <table><tr><td><code>luzar@ubuntu:~$ <span style="color:red;">sudo ufw --dry-run allow http</span><br /> *filter<br /> :ufw-user-input - [0:0]<br /> :ufw-user-output - [0:0]<br /> :ufw-user-forward - [0:0]<br /> ### RULES ###<br /><br /> ### tuple ### allow any 22 0.0.0.0/0 any 0.0.0.0/0<br /> -A ufw-user-input -p tcp --dport 22 -j ACCEPT<br /> -A ufw-user-input -p udp --dport 22 -j ACCEPT<br /><br /> ### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0<br /> -A ufw-user-input -p tcp --dport 80 -j ACCEPT<br /><br /> ### END RULES ###<br /> -A ufw-user-input -j RETURN<br /> -A ufw-user-output -j RETURN<br /> -A ufw-user-forward -j RETURN<br /> COMMIT<br /> Rules updated<br /> luzar@ubuntu:~$<br /></code></td> </tr></table><p>Here are other commands that you can use with ufw:</p> <table><tr><td><code>Usage: ufw COMMAND<br /><br /> Commands:<br /> enable Enables the firewall<br /> disable Disables the firewall<br /> default ARG set default policy to ALLOW or DENY<br /> logging ARG set logging to ON or OFF<br /> allow|deny RULE allow or deny RULE<br /> delete allow|deny RULE delete the allow/deny RULE<br /> status show firewall status<br /> version display version information<br /></code></td> </tr></table><p>You should enable firewall logging so you can always check the activity in your system. 
To enable firewall logging using ufw, use this command:</p> <table><tr><td><code>luzar@ubuntu:~$ <span style="color:red;">sudo ufw logging on</span><br /> Logging enabled<br /> luzar@ubuntu:~$<br /></code></td> </tr></table><p>Firewall logs can be checked in /var/log/kern.log, /var/log/syslog and /var/log/messages.</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/taxonomy/term/13" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux security</a></div></div></div> Mon, 15 Dec 2008 12:18:08 +0000 jinlusuh 140 at http://basicconfig.com http://basicconfig.com/security/setup_firewall_ubuntu_using_ufw#comments Linux file and directory permissions http://basicconfig.com/linux/permission <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>Linux permission is a very interesting topic. It is part of Linux security and mandatory knowledge for Linux administration. Linux permissions control access to all files and directories in the Linux system. So every Linux user must understand how Linux permissions work, including end users who only use desktop applications or the X Window System.</p> <p>There are three types of file and directory permissions in Linux: <b>read, write</b> and <b>execute</b>. Those permissions must be assigned to three different types of users: <b>owner (user), group</b> and <b>others</b>. This is a unique permission system derived from the Unix style of file and directory permissions.</p> <p>The Linux command used to manipulate file and directory permissions is the <b>chmod</b> command. 
In this tutorial, you are going to learn and practice the chmod command to change file and directory permissions in the Linux system.</p> <p>Issue the '<strong>su -</strong>' command to switch to the root environment. Change directory to a normal user's home directory. Create a new file called permission.txt. View the content with '<strong>ls -l</strong>'. See the step-by-step example below:</p> <table><tr><td><code> luzar@slackware:~/owner$ <span style="color:red;">su - </span><br /> Password:<br /> root@slackware:~# <span style="color:red;">cd /home/luzar/ </span><br /> root@slackware:/home/luzar# <span style="color:red;">touch permission.txt </span><br /> root@slackware:/home/luzar# <span style="color:red;">ls -l </span><br /> total 4<br /><span style="color:#FF0000;">-rw-r--r--</span> 1 root root 1 2006-01-16 15:49 permission.txt<br /> root@slackware:/home/luzar#<br /></code></td> </tr></table><p>Let's take a closer look at the 'permission.txt' file permissions (<strong><span style="color:#FF0000;">-rw-r--r--</span></strong>). The Linux file permission is divided into 3 groups like this:</p> <table><tr><th>?</th> <th>Owner</th> <th>Group</th> <th>Others</th> </tr><tr><td><span style="color:#FF0000;"> - </span></td> <td><span style="color:#FF0000;">r w -</span></td> <td><span style="color:#FF0000;">r - -</span></td> <td><span style="color:#FF0000;">r - -</span></td> </tr></table><p>As you can see from the table above, Linux file permissions concern the <b>owner</b> (or user), the <b>group</b> and <b>others</b> (or the world). The owner is the user who creates the file. The group is the group that the owner belongs to or that has been assigned to the file. Others is everybody else: other users in the system who are not in the group, or anonymous users. When assigning a file permission or a directory permission, a character is used to represent owner (user), group and others. 
Each character is shown below:</p> <table><tr><th>Character</th> <th>Represents</th> </tr><tr><td><span style="color:#FF0000;">u</span></td> <td><span style="color:#FF0000;">u</span>ser</td> </tr><tr><td><span style="color:#FF0000;">g</span></td> <td><span style="color:#FF0000;">g</span>roup</td> </tr><tr><td><span style="color:#FF0000;">o</span></td> <td><span style="color:#FF0000;">o</span>thers</td> </tr></table><p>There are four characters used in the Linux file permission, as you can see from the example above, which are <b><span style="color:red;">r, w, x, - </span></b>. The table below shows the meaning of <b><span style="color:red;">r, w, x, -</span></b>:</p> <table><tr><th>Symbol</th> <th>Meaning</th> </tr><tr><td><span style="color:#FF0000;">r</span></td> <td><span style="color:#FF0000;">r</span>ead</td> </tr><tr><td><span style="color:#FF0000;">w</span></td> <td><span style="color:#FF0000;">w</span>rite</td> </tr><tr><td><span style="color:#FF0000;">x</span></td> <td>e<span style="color:#FF0000;">x</span>ecute</td> </tr><tr><td><span style="color:#FF0000;">-</span></td> <td>no permission</td> </tr></table><p>If you have the '<span style="color:#FF0000;">r</span>' permission, you can view the subject (file or directory).</p> <p>If you have the '<span style="color:#FF0000;">w</span>' permission, you can edit the subject (file or directory).</p> <p>If you have the '<span style="color:#FF0000;">x</span>' permission, you can run or execute the subject (a program or binary file).</p> <p>If you have the '<span style="color:#FF0000;">-</span>' permission, that means you don't have any permission ;-)</p> <p>That's it. Did I miss something? Yes, what about the first (<span style="color:#FF0000;">-</span>) character right before the owner permission? It has a special meaning. It indicates the type of the subject: whether it is a file, directory or symbolic link. 
Here's the complete list of other characters at the beginning of Linux permissions and what they mean:</p> <table><tr><th>Characters</th> <th>Meaning</th> </tr><tr><td><span style="color:#FF0000;">- </span></td> <td>Regular file</td> </tr><tr><td><span style="color:#FF0000;">d </span></td> <td>Directory</td> </tr><tr><td><span style="color:#FF0000;">l </span></td> <td>Link</td> </tr><tr><td><span style="color:#FF0000;">c </span></td> <td>Special file</td> </tr><tr><td><span style="color:#FF0000;">s </span></td> <td>Socket</td> </tr><tr><td><span style="color:#FF0000;">p </span></td> <td>Named pipe</td> </tr></table><p>Another method used to set Linux file permissions is the octal system. The octal system uses numbers to represent permissions. Here is the list of octal values:</p> <ul><li>0 = No permission </li> <li><span style="color:blue;">1 = Execute permission</span></li> <li><span style="color:blue;">2 = Write permission</span></li> <li>3 = Write and execute permissions</li> <li><span style="color:blue;">4 = Read permission</span></li> <li>5 = Read and execute permissions</li> <li>6 = Read and write permissions</li> <li>7 = Read, write and execute permissions</li> </ul><p>As you can see from the list above, the essential numbers are 1, 2 and 4, which represent execute, write and read permissions respectively. The other numbers are just sums of those numbers.</p> <p>Sometimes the octal permission is written as a whole, covering the permissions for owner, group and others. 
An example is shown in the table below: </p> <table><tr><th>Octal number</th> <th>Permission</th> </tr><tr><td>0000</td> <td>No permission</td> </tr><tr><td>0100</td> <td>Execute permission for owner</td> </tr><tr><td>0200</td> <td>Write permission for owner</td> </tr><tr><td>0400</td> <td>Read permission for owner</td> </tr><tr><td>0010</td> <td>Execute permission for group</td> </tr><tr><td>0020</td> <td>Write permission for group</td> </tr><tr><td>0040</td> <td>Read permission for group</td> </tr><tr><td>0001</td> <td>Execute permission for others</td> </tr><tr><td>0002</td> <td>Write permission for others</td> </tr><tr><td>0004</td> <td>Read permission for others</td> </tr><tr><td>1000</td> <td>Sticky bit</td> </tr><tr><td>2000</td> <td>Apply the special permission SETGID bit</td> </tr><tr><td>4000</td> <td>Apply the special permission SETUID bit</td> </tr></table><h2><a name="chmod" id="chmod"></a>Linux chmod command</h2> <p>Let's practice the Linux permissions we just learned. We are going to change the permission of a file first, followed by changing a directory permission. The command to change the Linux file permission is '<strong>chmod</strong>'. 
Let's see the first example below:</p> <table><tr><td><code><br /> root@slackware:/home/luzar# ls -l<br /> total 4<br /> -rw-r--r-- 1 root root 1 2006-01-16 15:49 permission.txt<br /> root@slackware:/home/luzar# <span style="color:#FF0000;">chmod ugo+x </span><span style="color:#000000;">permission.txt </span><br /> root@slackware:/home/luzar# <span style="color:#FF0000;">ls -l </span><br /> total 4<br /><span style="color:#FF0000;">-rwxr-xr-x</span> 1 root root 1 2006-01-16 15:49 permission.txt*<br /> root@slackware:/home/luzar#<br /></code></td> </tr></table><p>The command '<strong>chmod ugo+x</strong>' means we want to give '<strong>x</strong>', which is the execute permission, to owner (<strong>u</strong>), group (<strong>g</strong>) and others (<strong>o</strong>) for the 'permission.txt' file.</p> <p>How do we remove a Linux file permission? See the example below:</p> <table><tr><td><code><br /> root@slackware:/home/luzar# <span style="color:#FF0000;">chmod go-rx </span>permission.txt<br /> root@slackware:/home/luzar# <span style="color:#FF0000;">ls -l </span><br /> total 4<br /><span style="color:#FF0000;">-rwx------ </span>1 root root 1 2006-01-16 15:49 permission.txt* </code></td> </tr></table><p>Now we have removed read and execute permission from group (g) and others (o) for the permission.txt file.</p> <p>Our next example uses octal numbers to change file permissions in Linux. Octal numbers are widely used to describe file or directory permissions in a Linux system. It is faster and easier to change Linux file or directory permissions using octal numbers than with the first method. Let's see some examples of changing Linux file permissions using octal numbers.</p> <p>In the first example, we are going to change the 'permission.txt' file using octal numbers, giving the owner read and write permission, the group read permission and others read permission too. 
This is a normal permission for a file in a Linux system.</p> <table><tr><td><code>root@slackware:/home/luzar# <span style="color:red;">ls -l</span><br /> -rwx------ 1 root root 0 2009-02-21 07:33 permission.txt*<br /> root@slackware:/home/luzar# <span style="color:red;">chmod 644 permission.txt</span><br /> root@slackware:/home/luzar# <span style="color:red;">ls -l</span><br /><span style="color:red;">-rw-r--r--</span> 1 root root 0 2009-02-21 07:33 permission.txt<br /></code></td> </tr></table><p>We can also change permissions for multiple files at once. What I am going to do is give all the snapshot files write permission for the group and others. </p> <table><tr><td><code>root@slackware:~# <span style="color:red;">ls -l </span><br /> total 624<br /> drwx------ 2 root root 4096 2008-09-07 00:45 Desktop/<br /> -rw-r--r-- 1 root root 1808 2002-04-17 12:21 loadlin16c.txt<br /> -rw-r--r-- 1 root root 97874 2002-04-17 12:20 loadlin16c.zip<br /> -rw-r--r-- 1 root root 12962 2008-09-17 01:41 manual.mantxt<br /><span style="color:blue;">-rw-r--r-- 1 root root 84669 2008-09-11 01:13 snapshot1.png<br /> -rw-r--r-- 1 root root 100439 2008-09-11 01:14 snapshot2.png<br /> -rw-r--r-- 1 root root 113450 2008-09-11 01:14 snapshot3.png<br /> -rw-r--r-- 1 root root 99071 2008-09-11 01:14 snapshot4.png<br /> -rw-r--r-- 1 root root 84640 2008-09-11 01:15 snapshot5.png </span><br /> root@slackware:~# <span style="color:red;">chmod 666 snapshot*.png</span><br /> root@slackware:~# <span style="color:red;">ls -l </span><br /> total 624<br /> drwx------ 2 root root 4096 2008-09-07 00:45 Desktop/<br /> -rw-r--r-- 1 root root 1808 2002-04-17 12:21 loadlin16c.txt<br /> -rw-r--r-- 1 root root 97874 2002-04-17 12:20 loadlin16c.zip<br /> -rw-r--r-- 1 root root 12962 2008-09-17 01:41 manual.mantxt<br /><span style="color:red;">-rw-rw-rw-</span> <span style="color:blue;">1 root root 84669 2008-09-11 01:13 snapshot1.png</span><br /><span style="color:red;">-rw-rw-rw-</span> <span 
style="color:blue;">1 root root 100439 2008-09-11 01:14 snapshot2.png</span><br /><span style="color:red;">-rw-rw-rw-</span> <span style="color:blue;">1 root root 113450 2008-09-11 01:14 snapshot3.png</span><br /><span style="color:red;">-rw-rw-rw-</span> <span style="color:blue;">1 root root 99071 2008-09-11 01:14 snapshot4.png</span><br /><span style="color:red;">-rw-rw-rw-</span> <span style="color:blue;">1 root root 84640 2008-09-11 01:15 snapshot5.png</span><br /> root@slackware:~#<br /></code></td> </tr></table><p>As you can see, the original Linux file permission for the snapshot files is 644. We use chmod 666, the devil command, to give write permission to the group and others.</p> <p>That's it. If you want to play around with ownership and permissions, I must remind you to exit root and use a normal user instead. Now, before you exit root, let's change the permission.txt file once again:</p> <table><tr><td><code>root@slackware:/home/luzar# <span style="color:red;">chmod 600 permission.txt</span><br /> root@slackware:/home/luzar# <span style="color:red;">ls -l</span><br /><span style="color:red;">-rw-------</span> 1 root root 0 2009-02-21 07:33 permission.txt<br /></code></td> </tr></table><p>Now we can exit root and open the permission.txt file as a normal user:</p> <table><tr><td><code>luzar@slackware:~$ <span style="color:red;">cat permission.txt</span><br /><span style="color:blue;">cat: permission.txt: Permission denied</span><br /> luzar@slackware:~$<br /></code></td> </tr></table><p>Well, that's what Linux permission means. Practice hard to get a better understanding of the Linux permission concept. 
Good luck.</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/taxonomy/term/4" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux administration</a></div><div class="field-item odd" rel="dc:subject"><a href="/taxonomy/term/13" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux security</a></div></div></div> Fri, 19 Sep 2008 13:03:01 +0000 jinlusuh 93 at http://basicconfig.com http://basicconfig.com/linux/permission#comments Basic Linux security http://basicconfig.com/linuxsecurity <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>Computer security has become a critical subject in information technology systems these days. If we look back in history, security threats started a long time ago, during the 1970s, when telephone systems were hacked. Many computer crimes happened and, as a result, the Computer Fraud and Abuse Act was made in the 1980s. As technology advanced, with the evolution of computer networking and the birth of the Internet, the threats to information and networks have risen significantly. The well-known harassment and destructive attacks are denial of service (DoS), mail bombs and list-linking, viruses, worms and Trojan horses. </p> <p>Many efforts have been made to improve computer security, including the use of network and security tools, controlling user access using permissions and passwords, data encryption, and virus detectors. 
Other approaches to improve computer security involve secure operating systems, security architecture, security by design, secure coding and application.</p> <h3>Physical security</h3> <p>The purpose of security is to prevent unauthorized access into the system. This involves securing both physical and network access. Securing physical access means limiting who can physically access your system, server room and workstations. It's been estimated that 80% of intrusions are initiated by insiders. Physical access can be secured by implementing a restricted area for the network operation centers and developing security policy controls.</p> <p>Another way of securing physical access into the system is to secure network hardware such as routers, bridges and switches from local users. Many network devices have a password issue: they provide the means to perform on-site password recovery. Several steps can be taken, such as setting administrative and user passwords that overwrite the default password, enabling encryption, disabling unwanted services such as telnet, and using security utility options if provided by the network hardware. </p> <p>If your servers and security hardware are secured, an intruder will look at other vulnerabilities, which are workstations and users. Workstations can be secured with BIOS and console passwords. As for the users, they must be given security knowledge, such as never revealing their password to anyone else and never leaving their computer unlocked, and they should be alerted to security threats from time to time. </p> <h3>Linux network security</h3> <p>Securing network access means securing remote access to the operating system. One of the network security threats is malicious code, such as viruses and Trojans, which create a backdoor in your system. To detect the changes such code makes to system files, there are many file integrity checking tools available for Linux. Some of them are Tripwire, TAMU, Aide and ATP.</p> <p>Another network security threat is sniffers and network monitoring tools. 
Sniffers are very dangerous because they can capture sensitive data such as passwords and confidential information.</p> <p>Scanners are also a high-risk tool used by attackers to scan your system and network. To protect your network and system from scanners, you can use a firewall and other tools such as IcmpInfo, scan-detector and klaxon. </p> <p>Another way of attacking a network is a spoofing attack. There are TCP and IP spoofing, ARP spoofing and DNS spoofing.</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/taxonomy/term/13" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux security</a></div></div></div> Thu, 18 Sep 2008 14:06:08 +0000 jinlusuh 139 at http://basicconfig.com http://basicconfig.com/linuxsecurity#comments Linux administration - File and directory ownership http://basicconfig.com/linux/ownership <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><h2>Linux file and directory ownerships guide</h2> <p>Managing file and directory ownership is an important administration task in Linux. Setting up ownership means giving security to a file or directory.</p> <p>Linux has a very special ownership and permission system. Each file or directory has 2 ownerships: user and group. That means a given file or directory has an owner and a group responsible for it. Let's look at these in detail with examples. We will create a new directory named 'owner' in the /home/bill directory. We will use the <strong>mkdir</strong> command to create a new directory, or folder (as it is called in Windows). 
Type as follows:</p> <table><tr><td><code> bill@slackware:~$ mkdir /home/bill/owner<br /> bill@slackware:~$ cd /home/bill/owner/<br /> bill@slackware:~/owner$<br /></code></td> </tr></table><p>Now create a new file named <b>ownership.txt</b>. The command to create a new file (simple file) is <strong>touch</strong> &lt;filename&gt;.</p> <table><tr><td><code> bill@slackware:~/owner$ touch ownership.txt<br /> bill@slackware:~/owner$ ls -l<br /> total 0 <br /><span style="color:#0000FF;">-rw-r--r--</span> 1 <span style="color:#FF0000;">bill</span> <span style="color:#660000;">users</span> 0 <span style="color:#006600;">2006-01-16 13:02</span> <span style="color:#660000;">ownership.txt</span><br /> bill@slackware:~/owner$<br /></code></td> </tr></table><p>The first column (<strong><span style="color:#0000FF;">-rw-r--r--</span></strong>) is the <em>permission</em> of the subject.</p> <p>The second column (<strong>1</strong>) is the <em>number of links</em> to the subject.</p> <p>The third column (<strong><span style="color:#FF0000;">bill</span></strong>) is the <em>owner</em> of the subject.</p> <p>The fourth column (<strong><span style="color:#660000;">users</span></strong>) is the <em>group owner</em> of the subject.</p> <p>The fifth column (<strong>0</strong>) is the <em>size</em> of the subject.</p> <p>The next column (<strong><span style="color:#006600;">2006-01-16 13:02</span></strong>) is the <em>date and time when the subject was last updated</em>.</p> <p>Finally, the last column (<strong><span style="color:#660000;">ownership.txt</span></strong>) is the <em>subject</em>.</p> <p>The size of the subject <b>ownership.txt</b> is 0. We can edit the file with the <strong>vim</strong> text editor to add some text to it. Try <strong>vim ownership.txt</strong> now. Press <strong>i</strong> to go to insert mode. 
Type something:</p> <table><tr><td><code> You'll have a similar screen like this.<br /> Something Something Something Something Something<br /> ~<br /> ~<br /> ~<br /></code></td> </tr></table><p>Now press <strong>Esc</strong> to go back to the vi command mode. Save what we did by entering '<strong>:w</strong>', and then '<strong>:q</strong>' to exit the vim editor. Don't worry too much about the vim editor now. You can learn more in the <a href="/linux/vi">Linux vi editor tutorial</a> later if you want.</p> <h2>Linux chown command</h2> <p>Ok now, the command to change the owner of the subject is <strong>chown</strong>. You can view the format and info about <strong>chown</strong> with <strong>man chown</strong>. Let's try it if you are ready.</p> <table><tr><td><code> bill@slackware:~/owner$ <span style="color:#FF0000;">chown</span> root ownership.txt<br /> chown: changing ownership of `ownership.txt': Operation not permitted<br /><br /> bill@slackware:~/owner$<br /></code></td> </tr></table><p>You can't change the owner of the 'ownership.txt' file to root because you don't have the power. Who's the most powerful user in the Linux operating system? Well, switch to root now. The command is <strong>su</strong>, which means switch user or super user. Type <strong>su -</strong> to switch to the root environment. 
Enter the root password and you are root now.</p> <table><tr><td><code> bill@slackware:~/owner$ su -<br /> Password:<br /> root@slackware:~#<br /></code></td> </tr></table><p>Now issue the following command:</p> <table><tr><td><code> root@slackware:~# chown <span style="color:#FF0000;">root</span> /home/bill/owner/ownership.txt<br /> root@slackware:~# ls -l /home/bill/owner/<br /> total 0<br /> -rw-r--r-- 1 <span style="color:#FF0000;">root</span> users 0 2006-01-16 13:02 ownership.txt<br /> root@slackware:~#<br /></code></td> </tr></table><p>Now the owner of the subject is <span style="color:#FF0000;"><strong>root</strong></span>.</p> <h2><a name="chgrp" id="chgrp"></a>Linux chgrp command</h2> <p>The command <strong>chgrp</strong> is used to change the group owner. The example is as follows:</p> <table><tr><td><code> root@slackware:~# chgrp <span style="color:#660000;">root</span> /home/bill/owner/ownership.txt<br /> root@slackware:~# ls -l /home/bill/owner/<br /> total 0<br /> -rw-r--r-- 1 root <span style="color:#660000;">root</span> 0 2006-01-16 13:02 ownership.txt<br /> root@slackware:~#<br /></code></td> </tr></table><p>We have changed the owner and group of the subject. Now press <strong>Ctrl + D</strong> or type <strong>exit</strong> to exit from <strong>root</strong>.</p> <table><tr><td><code> root@slackware:~# exit<br /> logout<br /> bill@slackware:~/owner$<br /></code></td> </tr></table><p>View the content again with '<strong>vi ownership.txt</strong>'. Press '<strong>i</strong>' and insert some text. After you have finished, try to force save and exit with ':<strong>wq!</strong>'.</p> <p>You can't overwrite the file this time. Why? That's ownership ;-)</p> <p>To exit from vim press '<strong>:q!</strong>'. 
This command forces vi to quit.</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-above"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/taxonomy/term/4" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux administration</a></div><div class="field-item odd" rel="dc:subject"><a href="/taxonomy/term/13" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">linux security</a></div></div></div> Tue, 29 Jan 2008 15:06:35 +0000 jinlusuh 92 at http://basicconfig.com http://basicconfig.com/linux/ownership#comments
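Added example, not part of the original tutorials: the octal table from the permissions tutorial and the owner and group columns from the ownership tutorial, applied to an `ls -l` listing to flag risky entries. The function names, the `helper` and `scratch/` entries and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Read ls -l mode strings as octal numbers and flag entries worth reviewing.

# One rwx triplet -> octal digit (r=4, w=2, x=1). A lowercase s or t means
# "execute set plus a special bit"; uppercase S or T means execute is NOT set.
perm_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# "-rwxr-xr-x" -> "0755". The leading digit carries SETUID/SETGID/sticky.
mode_to_octal() {
    m=${1%[+.@]}                  # drop the ACL/SELinux/xattr marker ls may append
    case $m in
        [-dlcbsp][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]) ;;
        *) echo "not a mode string: $1" >&2; return 1 ;;
    esac
    u=$(printf '%s' "$m" | cut -c2-4)
    g=$(printf '%s' "$m" | cut -c5-7)
    o=$(printf '%s' "$m" | cut -c8-10)
    sp=0
    case $u in ??[sS]) sp=$((sp + 4)) ;; esac    # 4000 SETUID
    case $g in ??[sS]) sp=$((sp + 2)) ;; esac    # 2000 SETGID
    case $o in ??[tT]) sp=$((sp + 1)) ;; esac    # 1000 sticky bit
    echo "$sp$(perm_digit "$u")$(perm_digit "$g")$(perm_digit "$o")"
}

# Reads ls -l lines on stdin; $1 is the owner every entry is expected to have.
audit_listing() {
    want_owner=$1
    while read -r mode links owner group size date time name; do
        [ -n "$name" ] || continue               # "total N" and blank lines
        case $mode in l*) continue ;; esac       # symlink modes are not enforced
        oct=$(mode_to_octal "$mode" 2>/dev/null) || continue
        if [ $(( 0$oct & 0002 )) -ne 0 ]; then   # write bit for others (0002)
            case $mode in
                d*) # a sticky directory is the one accepted world-writable case
                    if [ $(( 0$oct & 01000 )) -eq 0 ]; then
                        echo "$name: $oct world-writable"
                    fi ;;
                *)  echo "$name: $oct world-writable" ;;
            esac
        fi
        case $mode in
            -*) if [ $(( 0$oct & 06000 )) -ne 0 ]; then
                    echo "$name: $oct setuid or setgid"
                fi ;;
        esac
        if [ "$owner" != "$want_owner" ]; then
            echo "$name: $oct owner $owner is not $want_owner"
        fi
    done
    return 0
}

# Constructed sample in the same column layout as the listings above.
sample_listing() {
    cat <<'EOF'
total 624
drwx------ 2 root root   4096 2008-09-07 00:45 Desktop/
-rw-rw-rw- 1 root root  84669 2008-09-11 01:13 snapshot1.png
-rw------- 1 root root      0 2009-02-21 07:33 permission.txt
-rw-r--r-- 1 bill users     0 2006-01-16 13:02 ownership.txt
-rwsr-xr-x 1 root root  10240 2008-09-11 01:20 helper
drwxrwxrwt 9 root root   4096 2008-09-11 01:21 scratch/
EOF
}

sample_listing | audit_listing root
```

On a real system, `ls -l some/dir | audit_listing root` runs the same checks against an actual directory listing.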