<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>SliTaz Handbook (en) - Security</title>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
<meta name="description" content="slitaz English handbook" />
<meta name="expires" content="never" />
<meta name="modified" content="2008-07-18 05:30:00" />
<meta name="publisher" content="www.slitaz.org" />
<meta name="author" content="Christophe Lincoln" />
<link rel="shortcut icon" href="favicon.ico" />
<link rel="stylesheet" type="text/css" href="book.css" />
</head>
<body bgcolor="#ffffff">

<!-- Header and quick navigation -->
<div id="header">
<div id="quicknav" align="right">
<a name="top"></a>
<a href="index.html">Table of contents</a>
</div>
<h1><font color="#3e1220">SliTaz Handbook (en)</font></h1>
</div>

<!-- Content. -->
<div id="content">
<div class="content-right"></div>

<h2><font color="#df8f06">SliTaz and System Security</font></h2>

<ul>
<li><a href="index.html#policy">Security Policy.</a></li>
<li><a href="index.html#root">Root</a> - The system administrator.</li>
<li><a href="index.html#passwords">Passwords.</a></li>
<li><a href="index.html#busybox">Busybox</a> - Configuration file /etc/busybox.conf.</li>
<li><a href="index.html#web-server">LightTPD web server</a> - Disable the LightTPD web server.</li>
<li><a href="index.html#ssh">SSH server</a> - Default options.</li>
<li><a href="index.html#pscan">Pscan</a> - Scan for open ports.</li>
<li><a href="network-config.html#firewall">Firewall (Iptables)</a> -
The network firewall.</li>
</ul>

<a name="policy"></a>
<h3>Security Policy</h3>
<p>
SliTaz has given a lot of consideration to system security. Applications are tested for many months before being
included in the distribution. At boot time, only a minimum of services are launched by the rc scripts. For the complete
list of enabled daemons, look at the <code>RUN_DAEMONS</code> variable in the <code>/etc/rcS.conf</code> configuration
file:
</p>
<pre> $ grep RUN_DAEMONS /etc/rcS.conf
</pre>
<p>
To view the running processes, their PID and memory usage, use the <code>ps</code> command or the <code>htop</code>
utility:
</p>
<pre> $ ps
 $ htop
</pre>

<a name="root"></a>
<h3>Root - The system administrator</h3>
<p>
In a GNU/Linux system, the <em>root</em> user is the system administrator. <em>root</em> has all rights
over the system files and over those of the users. It is advisable never to log in as <em>root</em>; instead, use the command
<code>su</code> followed by the root password to obtain absolute rights over the system only when you need them. Never log in as <em>root</em> and surf the
internet, for example. Working as an unprivileged user creates a double barrier in the case of an attack or intrusion after a
download and makes it harder for a <em>cracker</em> to take control of your machine: first he must crack your
password and then crack the <em>root</em> password of the system administrator.
</p>
<p>
A GNU/Linux system has at least two users, one to work with and another to administer, configure
or update the system (<code>root</code>). It's also advisable to entrust the administration of the
system to one person.
</p>

<a name="passwords"></a>
<h3>Passwords</h3>
<p>
By default the SliTaz user <em>hacker</em> doesn't have a password and the system administrator <em>root</em>
comes with the password <em>root</em>. You can easily change these by using the <code>passwd</code> command,
as the user and as <em>root</em> respectively:
</p>
<pre> $ passwd
 # passwd
</pre>

<a name="busybox"></a>
<h3>Busybox</h3>
<p>
The file <code>/etc/busybox.conf</code> configures the applets and their respective rights. On the SliTaz LiveCD the commands
su, passwd, loadkmap, mount, reboot and halt can be run by all users; the owner and group of these
commands is <em>root</em> (<code>* = ssx root.root</code>). The busybox.conf file is readable and writable only by root,
using the rights 600. Note that the <code>passwd</code> command will not allow users to change their own password
if it is not marked ssx (setuid).
</p>

<a name="web-server"></a>
<h3>LightTPD web server</h3>
<p>
On SliTaz the LightTPD web server is enabled by default at system startup. If you don't intend to use SliTaz in a server
environment, you can safely disable it by removing it from the <code>RUN_DAEMONS</code> variable in the
<code>/etc/rcS.conf</code> configuration file, or stop it manually:
</p>
<pre> # /etc/init.d/lighttpd stop
</pre>

<a name="ssh"></a>
<h3>SSH Server</h3>
<p>
This small section is a complement to the
<a href="secure-server.html">Secure SHell (SSH)</a> page.
On SliTaz the Dropbear SSH server is not run by default; we must add it to the variable
<code>RUN_DAEMONS</code> in the configuration file <code>/etc/rcS.conf</code> for it to be
enabled at system boot, or start the server manually:
</p>
<pre> # /etc/init.d/dropbear start
</pre>
<p>
By default, Dropbear is launched with the following options:
</p>
<pre class="script"> -w Disallow root logins.
 -g Disallow password logins for root.
</pre>
<p>
You can add new options by editing the daemons configuration file: <code>/etc/daemons.conf</code>.
For all options, you can type: <code>dropbear -h</code>.
</p>
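The settings covered in the sections above (the daemons in RUN_DAEMONS, the busybox.conf rights, the default passwords and the Dropbear -w/-g options) can be verified together. The POSIX shell script below is an added example, not part of the SliTaz handbook; it assumes the Dropbear options live in a DROPBEAR_OPTIONS variable in /etc/daemons.conf (the handbook only names the file) and builds a constructed sample directory so it runs without a SliTaz system.

```shell
#!/bin/sh
# Added audit script, not from the SliTaz handbook; every check takes a file path.

# Is daemon $2 listed in the RUN_DAEMONS variable of the rcS.conf at $1?
daemon_enabled() {
    sed -n 's/^RUN_DAEMONS="\(.*\)"/\1/p' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# Does the busybox.conf at $1 have mode 600 (read/write by its owner only)?
busybox_conf_locked() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "600" ]
}

# Does account $2 have an empty password field in the shadow-style file $1?
empty_password() {
    awk -F: -v u="$2" '$1 == u && $2 == "" { f = 1 } END { exit !f }' "$1"
}

# Are both -w (no root logins) and -g (no root password logins) present in the
# DROPBEAR_OPTIONS variable of $1?  The variable name is an assumption here.
dropbear_root_locked() {
    opts=$(sed -n 's/^DROPBEAR_OPTIONS="\(.*\)"/\1/p' "$1")
    case " $opts " in *" -w "*) ;; *) return 1 ;; esac
    case " $opts " in *" -g "*) ;; *) return 1 ;; esac
}

# Print one line per finding for a directory holding rcS.conf, busybox.conf,
# shadow and daemons.conf; always returns 0 so callers can count the lines.
audit() {
    daemon_enabled "$1/rcS.conf" lighttpd && echo "lighttpd is started at boot"
    busybox_conf_locked "$1/busybox.conf" || echo "busybox.conf is not mode 600"
    for u in root hacker; do
        empty_password "$1/shadow" "$u" && echo "$u has an empty password"
    done
    dropbear_root_locked "$1/daemons.conf" || echo "Dropbear permits root logins"
    return 0
}

# Constructed sample reproducing the LiveCD defaults the handbook describes:
# lighttpd on, busybox.conf world-readable, hacker without a password.
make_sample() {
    d=$(mktemp -d)
    echo 'RUN_DAEMONS="syslogd crond lighttpd"' > "$d/rcS.conf"
    printf '[SUID]\nsu = ssx root.root\n' > "$d/busybox.conf"
    chmod 644 "$d/busybox.conf"
    printf 'root:PLACEHOLDER_HASH:0:0:99999:7:::\nhacker::0:0:99999:7:::\n' > "$d/shadow"
    echo 'DROPBEAR_OPTIONS="-w -g"' > "$d/daemons.conf"
    echo "$d"
}

audit "$(make_sample)"
```

On a real system, point the checks at /etc/rcS.conf, /etc/busybox.conf, /etc/shadow and /etc/daemons.conf instead of the sample directory.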

<a name="pscan"></a>
<h3>Pscan - Ports scanner</h3>
<p>
Pscan is a small utility of the Busybox project that scans the ports of your machine. You can use
<code>pscan</code> to scan the localhost or a remote host using the name or IP address of the machine.
Pscan will test all the ports from 1 to 1024 by default and list those that are open, their protocol
and associated service (ssh, www, etc.):
</p>
<pre> $ pscan localhost
</pre>

<!-- End of content -->
</div>

<!-- Footer. -->
<div id="footer">
<div class="footer-right"></div>
<a href="index.html#top">Top of the page</a> |
<a href="index.html">Table of contents</a>
</div>

<div id="copy">
Copyright © 2008 <a href="http://www.slitaz.org/en/">SliTaz</a> -
<a href="http://www.gnu.org/licenses/gpl.html">GNU General Public License</a>;<br />
Documentation is under
<a href="http://www.gnu.org/copyleft/fdl.html">GNU Free Documentation License</a>
and code is <a href="http://validator.w3.org/">valid xHTML 1.0</a>.
</div>

</body>
</html>