website annotate en/doc/handbook/security.html @ rev 49

Add Security to Handbook (en)
author Paul Issott <paul@slitaz.org>
date Sun May 18 22:50:22 2008 +0000 (2008-05-18)
parents
children f0c0c73578c0
rev   line source
paul@49 1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
paul@49 2 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>SliTaz Handbook (en) - Template</title>
paul@49 3
paul@49 4
paul@49 5
paul@49 6 <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
paul@49 7 <meta name="description" content="slitaz English handbook" />
paul@49 8 <meta name="expires" content="never" />
paul@49 9 <meta name="modified" content="2008-02-26 18:30:00" />
paul@49 10 <meta name="publisher" content="www.slitaz.org" />
paul@49 11 <meta name="author" content="Christophe Lincoln" />
paul@49 12 <link rel="shortcut icon" href="favicon.ico" />
paul@49 13 <link rel="stylesheet" type="text/css" href="book.css" /></head><body bgcolor="#ffffff">
paul@49 14
paul@49 15 <!-- Header and quick navigation -->
paul@49 16 <div id="header">
paul@49 17 <div id="quicknav" align="right">
paul@49 18 <a name="top"></a>
paul@49 19 <a href="index.html">Table of contents</a>
paul@49 20 </div>
paul@49 21 <h1><font color="#3e1220">SliTaz Handbook (en)</font></h1>
paul@49 22 </div>
paul@49 23
paul@49 24 <!-- Content. -->
paul@49 25 <div id="content">
paul@49 26 <div class="content-right"></div>
paul@49 27
paul@49 28 <h2><font color="#df8f06">SliTaz and System Security</font></h2>
paul@49 29
paul@49 30 <ul>
paul@49 31 <li><a href="#policy">Security Policy</a></li>
paul@49 32 <li><a href="#root">Root</a> - The system administrator.</li>
paul@49 33 <li><a href="#passwords">Passwords</a></li>
paul@49 34 <li><a href="#busybox">Busybox</a> - Configuration file /etc/busybox.conf.</li>
paul@49 35 <li><a href="#web-server">LightTPD web server</a> - Disable the LightTPD web server.</li>
paul@49 36 <li><a href="#ssh">SSH server</a> - Default options.</li>
paul@49 37 <li><a href="#pscan">Pscan</a> - Scan for open ports.</li>
paul@49 38 <li><a href="network-config.html#firewall">Firewall (Iptables)</a> -
paul@49 39 The network firewall.</li>
paul@49 40 </ul>
paul@49 41
paul@49 42 <a name="policy"></a>
paul@49 43 <h3>Security Policy</h3>
paul@49 44 <p>
paul@49 45 SliTaz has given a lot of consideration to system security. Applications are tested for many months before being
paul@49 46 included in the distribution. At boot time, a minimum of services are launched by the rc scripts. For a complete
paul@49 47 list of the daemons enabled, look at the <code>RUN_DAEMONS</code> variable in the <code>/etc/rcS.conf</code> configuration
paul@49 48 file:
paul@49 49 </p>
paul@49 50 <pre> $ cat /etc/rcS.conf | grep RUN_DAEMONS
paul@49 51 </pre>
paul@49 52 <p>
paul@49 53 To view the actual processes, their PID and memory usage, you can use the <code>ps</code> command or the <code>htop</code>
paul@49 54 utility:
paul@49 55 </p>
paul@49 56 <pre> $ ps
paul@49 57 $ htop
paul@49 58 </pre>
paul@49 59
paul@49 60 <a name="root"></a>
paul@49 61 <h3>Root - The system administrator</h3>
paul@49 62 <p>
paul@49 63 In a GNU/Linux system, the <em>root</em> user is the system administrator: <em>root</em> has all rights
paul@49 64 over the system files and those of the users. It is advisable never to log in as <em>root</em>; instead, use the command
paul@49 65 <code>su</code> followed by the <em>root</em> password when you need absolute rights over the system. Never log in as <em>root</em> and surf the
paul@49 66 internet, for example: working as a normal user creates a double barrier in the case of an attack or intrusion after a
paul@49 67 download. This makes it harder for a <em>cracker</em> to take control of your machine - first he must crack your
paul@49 68 password and then crack the <em>root</em> password of the system administrator.
paul@49 69 </p>
paul@49 70 <p>
paul@49 71 A secure GNU/Linux system has at least two users: one to work with and one to administer, configure
paul@49 72 or update the system (<code>root</code>). It's also advisable to entrust the administration of the
paul@49 73 system to a single person.
paul@49 74 </p>
paul@49 75
paul@49 76 <a name="passwords"></a>
paul@49 77 <h3>Passwords</h3>
paul@49 78 <p>
paul@49 79 By default the SliTaz user <em>hacker</em> doesn't have a password and the system administrator <em>root</em>
paul@49 80 comes with the password (<em>root</em>). You can easily change these by using the <code>passwd</code> command, first as the user and then as <em>root</em>:
paul@49 81 </p>
paul@49 82 <pre> $ passwd
paul@49 83 # passwd
paul@49 84 </pre>
paul@49 85
paul@49 86 <a name="busybox"></a>
paul@49 87 <h3>Busybox</h3>
paul@49 88 <p>
paul@49 89 The file <code>/etc/busybox.conf</code> configures the applets and their respective rights. On the SliTaz LiveCD the commands
paul@49 90 su, passwd, loadkmap, mount, reboot and halt can be run by all users - the owner and group of these
paul@49 91 commands is <em>root</em> (<code>* = ssx root.root</code>). The busybox.conf file is readable only by root,
paul@49 92 with the rights 600. Note that the <code>passwd</code> command will not allow users to change their own password
paul@49 93 if it is not ssx.
paul@49 94 </p>
paul@49 95
paul@49 96 <a name="web-server"></a>
paul@49 97 <h3>LightTPD web server</h3>
paul@49 98 <p>
paul@49 99 On SliTaz the LightTPD web server is enabled by default at system startup. If you don't intend to use SliTaz in a server
paul@49 100 environment, you can safely disable it by removing it from the <code>RUN_DAEMONS</code> variable in the
paul@49 101 <code>/etc/rcS.conf</code> configuration file, or stop it manually for the current session:
paul@49 102 </p>
paul@49 103 <pre> # /etc/init.d/lighttpd stop
paul@49 104 </pre>
paul@49 105
paul@49 106 <a name="ssh"></a>
paul@49 107 <h3>SSH Server</h3>
paul@49 108 <p>
paul@49 109 This small section is a complement to the
paul@49 110 <a href="secure-server.html">Secure SHell (SSH)</a> page.
paul@49 111 On SliTaz the Dropbear SSH server is not run by default; to have it enabled at system boot, add it to the variable
paul@49 112 <code>RUN_DAEMONS</code> in the configuration file <code>/etc/rcS.conf</code>.
paul@49 113 Or start the server manually:
paul@49 114 </p>
paul@49 115 <pre> # /etc/init.d/dropbear start
paul@49 116 </pre>
paul@49 117 <p>
paul@49 118 By default Dropbear is launched with the following options:
paul@49 119 </p>
paul@49 120 <pre class="script"> -w Disallow root logins.
paul@49 121 -g Disallow password logins for root.
paul@49 122 </pre>
paul@49 123 <p>
paul@49 124 You can add new options by editing the daemons configuration file: <code>/etc/daemons.conf</code>.
paul@49 125 For all options, you can type: <code>dropbear -h</code>.
paul@49 126 </p>
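<p>
A small audit helper, added here as an example (it is not part of the handbook or of SliTaz), that checks the settings described in the sections above against the files they live in: whether a daemon such as lighttpd or dropbear is listed in <code>RUN_DAEMONS</code>, which Busybox applets are set-uid for everyone and whether <code>busybox.conf</code> has rights 600, which accounts still have an empty password, and whether Dropbear is started with <code>-w</code> and <code>-g</code>. The variable name <code>DROPBEAR_OPTIONS</code> in <code>/etc/daemons.conf</code> and the sample files written by <code>make_samples</code> are assumptions.
</p>

```shell
#!/bin/sh
# Added audit helper, not part of the SliTaz handbook or of SliTaz itself.
# Every check takes the path of the file to inspect, so it runs on copies too.

# Print the RUN_DAEMONS value from an rcS.conf-style file, quotes stripped.
run_daemons() { sed -n 's/^RUN_DAEMONS=//p' "$1" | tr -d '"'; }

# Exit 0 if daemon $2 (lighttpd, dropbear, ...) is a word of RUN_DAEMONS in $1.
daemon_enabled() {
    case " $(run_daemons "$1") " in *" $2 "*) return 0 ;; esac
    return 1
}

# Print the [SUID] mode field (e.g. "ssx") of applet $2 from busybox.conf $1;
# prints nothing when the applet has no entry there.
suid_mode() {
    awk -v a="$2" '/^\[/ { sec = $0 }
        sec == "[SUID]" && $1 == a { print $3; exit }' "$1"
}

# Exit 0 if $1 is neither readable nor writable by group and others (mode 600),
# the setting the handbook expects for /etc/busybox.conf.
private_file() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Print the users of a shadow-style file $1 whose password field is empty.
empty_password_users() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Exit 0 if the Dropbear option string in $1 carries both -w (no root logins)
# and -g (no password logins for root). The variable name DROPBEAR_OPTIONS is
# an assumption about /etc/daemons.conf; adjust it to the real key.
dropbear_root_locked() {
    opts=$(sed -n 's/^DROPBEAR_OPTIONS=//p' "$1" | tr -d '"')
    case " $opts " in *" -w "*) ;; *) return 1 ;; esac
    case " $opts " in *" -g "*) ;; *) return 1 ;; esac
}

# Write constructed sample files (not real SliTaz data) into directory $1 so
# the checks can be exercised offline.
make_samples() {
    printf 'RUN_DAEMONS="dbus hald slim firewall lighttpd"\n' > "$1/rcS.conf"
    printf '[SUID]\nsu = ssx root.root\npasswd = ssx root.root\nhalt = ssx root.root\n' \
        > "$1/busybox.conf"
    chmod 600 "$1/busybox.conf"
    printf 'root:$1$constructed$hash:14000:0:99999:7:::\nhacker::14000:0:99999:7:::\n' \
        > "$1/shadow"
    printf 'DROPBEAR_OPTIONS="-w -g"\n' > "$1/daemons.conf"
}
```

<p>
On a running system, call the functions as <em>root</em> with <code>/etc/rcS.conf</code>, <code>/etc/busybox.conf</code>, <code>/etc/shadow</code> and <code>/etc/daemons.conf</code> as arguments.
</p>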
paul@49 127
paul@49 128 <a name="pscan"></a>
paul@49 129 <h3>Pscan - Ports scanner</h3>
paul@49 130 <p>
paul@49 131 Pscan is a small utility from the Busybox project that scans the ports of a machine. You can use
paul@49 132 <code>pscan</code> to scan the localhost or a remote host using the name or IP address of the machine.
paul@49 133 Pscan will test all the ports from 1 to 1024 by default and list those that are open, their protocol
paul@49 134 and associated service (ssh, www, etc):
paul@49 135 </p>
paul@49 136 <pre> $ pscan localhost
paul@49 137 </pre>
paul@49 138
paul@49 139 <!-- End of content -->
paul@49 140 </div>
paul@49 141
paul@49 142 <!-- Footer. -->
paul@49 143 <div id="footer">
paul@49 144 <div class="footer-right"></div>
paul@49 145 <a href="#top">Top of the page</a> |
paul@49 146 <a href="http://www.slitaz.org/en/doc/handbook/index.html">Table of contents</a>
paul@49 147 </div>
paul@49 148
paul@49 149 <div id="copy">
paul@49 150 Copyright © 2008 <a href="http://www.slitaz.org/en/">SliTaz</a> -
paul@49 151 <a href="http://www.gnu.org/licenses/gpl.html">GNU General Public License</a>;<br />
paul@49 152 Documentation is under
paul@49 153 <a href="http://www.gnu.org/copyleft/fdl.html">GNU Free Documentation License</a>
paul@49 154 and code is <a href="http://validator.w3.org/">valid xHTML 1.0</a>.
paul@49 155 </div>
paul@49 156
paul@49 157 </body></html>
paul@49 158