website annotate en/doc/handbook/security.html @ rev 535

en: locally browseable (with file://)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Wed Aug 19 14:09:59 2009 +0200 (2009-08-19)
parents 27b4add872f6
children fa89733be92f
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>SliTaz Handbook (en) - Security</title>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
<meta name="description" content="slitaz English handbook" />
<meta name="expires" content="never" />
<meta name="modified" content="2008-07-18 05:30:00" />
<meta name="publisher" content="www.slitaz.org" />
<meta name="author" content="Christophe Lincoln" />
<link rel="shortcut icon" href="favicon.ico" />
<link rel="stylesheet" type="text/css" href="book.css" />
</head>
<body bgcolor="#ffffff">

<!-- Header and quick navigation -->
<div id="header">
<div id="quicknav" align="right">
<a name="top"></a>
<a href="index.html">Table of contents</a>
</div>
<h1><font color="#3e1220">SliTaz Handbook (en)</font></h1>
</div>

<!-- Content. -->
<div id="content">
<div class="content-right"></div>

<h2><font color="#df8f06">SliTaz and System Security</font></h2>

<ul>
<li><a href="#policy">Security Policy.</a></li>
<li><a href="#root">Root</a> - The system administrator.</li>
<li><a href="#passwords">Passwords.</a></li>
<li><a href="#busybox">Busybox</a> - Configuration file /etc/busybox.conf.</li>
<li><a href="#web-server">LightTPD web server</a> - Disable the LightTPD web server.</li>
<li><a href="#ssh">SSH server</a> - Default options.</li>
<li><a href="#pscan">Pscan</a> - Scan for open ports.</li>
<li><a href="network-config.html#firewall">Firewall (Iptables)</a> -
The network firewall.</li>
</ul>

<a name="policy"></a>
<h3>Security Policy</h3>
<p>
SliTaz has given a lot of consideration to system security. Applications are tested for many months before being
included in the distribution. At boot time, a minimum of services are launched by the rc scripts. For the complete
list of daemons enabled, look at the <code>RUN_DAEMONS</code> variable in the <code>/etc/rcS.conf</code> configuration
file:
</p>
<pre> $ grep RUN_DAEMONS /etc/rcS.conf
</pre>
<p>
To view the actual processes, their PID and memory usage, you can use the <code>ps</code> command or the <code>htop</code>
utility:
</p>
<pre> $ ps
$ htop
</pre>

<a name="root"></a>
<h3>Root - The system administrator</h3>
<p>
In a GNU/Linux system, the <em>root</em> user is the system administrator. <em>root</em> has all rights
over the system files and over those of the users. It is advisable never to log in as <em>root</em>; instead,
use the command <code>su</code> followed by the root password to obtain absolute rights over the system only
when you need them. Never log in as <em>root</em> to surf the internet, for example. This gives you a double
barrier in the case of an attack or intrusion after a download and makes it harder for a <em>cracker</em> to
take control of your machine: first he must crack your password and then crack the <em>root</em> password of
the system administrator.
</p>
<p>
A secured GNU/Linux system has at least two users: one to work with and another (<code>root</code>) to
administer, configure or update the system. It's also advisable to entrust the administration of the
system to a single person.
</p>

<a name="passwords"></a>
<h3>Passwords</h3>
<p>
By default the SliTaz user <em>hacker</em> doesn't have a password and the system administrator <em>root</em>
comes with the password (<em>root</em>). You can easily change these by using the <code>passwd</code> command:
</p>
<pre> $ passwd
# passwd
</pre>

<a name="busybox"></a>
<h3>Busybox</h3>
<p>
The file <code>/etc/busybox.conf</code> configures the applets and their respective rights. On the SliTaz LiveCD the commands
su, passwd, loadkmap, mount, reboot and halt can be run by all users; the owner and group of these
commands is <em>root</em> (<code>* = ssx root.root</code>). The busybox.conf file is readable by root only,
with permissions 600. Note that the <code>passwd</code> command will not allow users to change their own password
if it is not ssx.
</p>

<a name="web-server"></a>
<h3>LightTPD web server</h3>
<p>
On SliTaz the LightTPD web server is enabled by default at system startup. If you don't intend to use SliTaz in a server
environment, you can safely disable it by removing it from the <code>RUN_DAEMONS</code> variable in the
<code>/etc/rcS.conf</code> configuration file, or stop it manually:
</p>
<pre> # /etc/init.d/lighttpd stop
</pre>

<a name="ssh"></a>
<h3>SSH Server</h3>
<p>
This small section is a complement to the
<a href="secure-server.html">Secure SHell (SSH)</a> page.
On SliTaz the Dropbear SSH server is not run by default; to enable it at system boot, add it to the variable
<code>RUN_DAEMONS</code> in the configuration file <code>/etc/rcS.conf</code>. Or start the server manually:
</p>
<pre> # /etc/init.d/dropbear start
</pre>
<p>
By default, Dropbear is launched with the following options:
</p>
<pre class="script"> -w Disallow root logins.
-g Disallow password logins for root.
</pre>
<p>
You can add new options by editing the daemons configuration file: <code>/etc/daemons.conf</code>.
For all options, you can type: <code>dropbear -h</code>.
</p>
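<p>
The following audit script is an added example, not part of the handbook or of SliTaz: it checks, on constructed
sample files standing in for <code>/etc/rcS.conf</code>, <code>/etc/busybox.conf</code> and <code>/etc/daemons.conf</code>,
the settings described in the sections above (the daemons in <code>RUN_DAEMONS</code>, the 600 mode of
busybox.conf, and the Dropbear <code>-w</code>/<code>-g</code> options). The variable name <code>DROPBEAR_OPTIONS</code>
in daemons.conf and the use of GNU/Busybox <code>stat -c</code> are assumptions.
</p>

```shell
#!/bin/sh
# Audit helpers for the settings described in this handbook page. The three
# files below are constructed samples, not real SliTaz files; DROPBEAR_OPTIONS
# as the daemons.conf variable name is an assumption.
WORK=$(mktemp -d)
cat > "$WORK/rcS.conf" <<'EOF'
# constructed sample: lighttpd still enabled, dropbear not
RUN_DAEMONS="syslogd klogd firewall lighttpd"
EOF
cat > "$WORK/daemons.conf" <<'EOF'
# constructed sample: root password logins (-g) not disabled
DROPBEAR_OPTIONS="-w"
EOF
printf '[SUID]\nsu = ssx root.root\n' > "$WORK/busybox.conf"
chmod 644 "$WORK/busybox.conf"   # deliberately wrong: the handbook expects 600

# Print the daemons started by the rc scripts (RUN_DAEMONS), one per line.
enabled_daemons() {
    sed -n 's/^RUN_DAEMONS="\(.*\)"/\1/p' "$1" | tr ' ' '\n' | grep -v '^$'
}

# Succeed (exit 0) if the named daemon appears in RUN_DAEMONS of the given file.
daemon_enabled() {
    enabled_daemons "$1" | grep -qx -- "$2"
}

# Succeed if busybox.conf is mode 600, i.e. readable by root only.
busybox_conf_private() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Succeed if the Dropbear options string in daemons.conf contains the flag.
dropbear_has_option() {
    sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"/\1/p' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# Run every check on a directory holding the three files; exit 1 on any finding.
audit() {
    rc=0
    enabled_daemons "$1/rcS.conf" | sed 's/^/enabled at boot: /'
    daemon_enabled "$1/rcS.conf" lighttpd &&
        { echo "WARN: lighttpd runs at boot; remove it from RUN_DAEMONS"; rc=1; }
    busybox_conf_private "$1/busybox.conf" ||
        { echo "WARN: busybox.conf is not mode 600"; rc=1; }
    for opt in -w -g; do
        dropbear_has_option "$1/daemons.conf" "$opt" ||
            { echo "WARN: Dropbear option $opt missing from DROPBEAR_OPTIONS"; rc=1; }
    done
    return $rc
}

audit "$WORK" || echo "audit: problems found (exit $?)"
```

On a real system, point <code>audit</code> at a directory containing copies of the three files, or adapt the paths.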

<a name="pscan"></a>
<h3>Pscan - Ports scanner</h3>
<p>
Pscan is a small utility from the Busybox project that scans the ports of your machine. You can use
<code>pscan</code> to scan localhost or a remote host, given the name or IP address of the machine.
By default Pscan tests all ports from 1 to 1024 and lists those that are open, their protocol
and the associated service (ssh, www, etc):
</p>
<pre> $ pscan localhost
</pre>

<!-- End of content -->
</div>

<!-- Footer. -->
<div id="footer">
<div class="footer-right"></div>
<a href="#top">Top of the page</a> |
<a href="index.html">Table of contents</a>
</div>

<div id="copy">
Copyright © 2008 <a href="http://www.slitaz.org/en/">SliTaz</a> -
<a href="http://www.gnu.org/licenses/gpl.html">GNU General Public License</a>;<br />
Documentation is under
<a href="http://www.gnu.org/copyleft/fdl.html">GNU Free Documentation License</a>
and code is <a href="http://validator.w3.org/">valid xHTML 1.0</a>.
</div>

</body>
</html>
