website view en/doc/handbook/security.html @ rev 535

en: locally browseable (with file://)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Wed Aug 19 14:09:59 2009 +0200 (2009-08-19)
parents 27b4add872f6
children fa89733be92f
line source
1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
4 <head>
5 <title>SliTaz Handbook (en) - Security</title>
6 <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
7 <meta name="description" content="slitaz English handbook" />
8 <meta name="expires" content="never" />
9 <meta name="modified" content="2008-07-18 05:30:00" />
10 <meta name="publisher" content="www.slitaz.org" />
11 <meta name="author" content="Christophe Lincoln" />
12 <link rel="shortcut icon" href="favicon.ico" />
13 <link rel="stylesheet" type="text/css" href="book.css" />
14 </head>
15 <body bgcolor="#ffffff">
17 <!-- Header and quick navigation -->
18 <div id="header">
19 <div id="quicknav" align="right">
20 <a name="top"></a>
21 <a href="index.html">Table of contents</a>
22 </div>
23 <h1><font color="#3e1220">SliTaz Handbook (en)</font></h1>
24 </div>
26 <!-- Content. -->
27 <div id="content">
28 <div class="content-right"></div>
30 <h2><font color="#df8f06">SliTaz and System Security</font></h2>
32 <ul>
33 <li><a href="index.html#policy">Security Policy.</a></li>
34 <li><a href="index.html#root">Root</a> - The system administrator.</li>
35 <li><a href="index.html#passwords">Passwords.</a></li>
36 <li><a href="index.html#busybox">Busybox</a> - Configuration file /etc/busybox.conf.</li>
37 <li><a href="index.html#web-server">LightTPD web server</a> - Disable the LightTPD web server.</li>
38 <li><a href="index.html#ssh">SSH server</a> - Default options.</li>
39 <li><a href="index.html#pscan">Pscan</a> - Scan for open ports.</li>
40 <li><a href="network-config.html#firewall">Firewall (Iptables)</a> -
41 The network firewall.</li>
42 </ul>
44 <a name="policy"></a>
45 <h3>Security Policy</h3>
46 <p>
47 SliTaz has given a lot of consideration to system security. Applications are tested for many months before being
48 included in the distribution. At boot time, a minimum of services are launched by the rc scripts. For a complete
49 list of enabled daemons, you can look at the <code>RUN_DAEMONS</code> variable in the <code>/etc/rcS.conf</code> configuration
50 file:
51 </p>
52 <pre> $ cat /etc/rcS.conf | grep RUN_DAEMONS
53 </pre>
54 <p>
55 To view the running processes, their PIDs and memory usage, you can use the <code>ps</code> command or the <code>htop</code>
56 utility:
57 </p>
58 <pre> $ ps
59 $ htop
60 </pre>
62 <a name="root"></a>
63 <h3>Root - The system administrator</h3>
64 <p>
65 In a GNU/Linux system, the <em>root</em> user is the system administrator. <em>root</em> has all rights
66 over the system files and over the users' files. It is advisable never to log in as <em>root</em> directly; instead, use the command
67 <code>su</code> followed by the password to obtain absolute rights over the system. Never log in as <em>root</em> and surf the
68 internet, for example. This creates a double barrier in the case of an attack or intrusion after a
69 download and makes it harder for a <em>cracker</em> to take control of your machine: first he must crack your
70 password and then crack the <em>root</em> password of the system administrator.
71 </p>
72 <p>
73 A secured GNU/Linux system has at least two users: one for everyday work and another to administer, configure
74 or update the system (<code>root</code>). It's also advisable to entrust the administration of the
75 system to one person.
76 </p>
78 <a name="passwords"></a>
79 <h3>Passwords</h3>
80 <p>
81 By default the SliTaz user <em>hacker</em> doesn't have a password and the system administrator <em>root</em>
82 comes with the password (<em>root</em>). You can easily change both with the <code>passwd</code> command, run first as the user and then as <em>root</em>:
83 </p>
84 <pre> $ passwd
85 # passwd
86 </pre>
88 <a name="busybox"></a>
89 <h3>Busybox</h3>
90 <p>
91 The file <code>/etc/busybox.conf</code> configures the applets and their respective rights. On the SliTaz LiveCD the commands
92 su, passwd, loadkmap, mount, reboot and halt can be run by all users; the owner and group of these
93 commands is <em>root</em> (<code>* = ssx root.root</code>). The busybox.conf file is readable only by root,
94 with mode 600. Note that the <code>passwd</code> command will not allow users to change their own password
95 if it is not ssx.
96 </p>
98 <a name="web-server"></a>
99 <h3>LightTPD web server</h3>
100 <p>
101 On SliTaz the LightTPD web server is enabled by default at system startup. If you don't intend to use SliTaz in a server
102 environment, you can safely disable it by removing it from the <code>RUN_DAEMONS</code> variable in the
103 <code>/etc/rcS.conf</code> configuration file, or stop it manually:
104 </p>
105 <pre> # /etc/init.d/lighttpd stop
106 </pre>
108 <a name="ssh"></a>
109 <h3>SSH Server</h3>
110 <p>
111 This small section is a complement to the
112 <a href="secure-server.html">Secure SHell (SSH)</a> page.
113 On SliTaz the Dropbear SSH server is not run by default; to enable it at system boot, add it to the variable
114 <code>RUN_DAEMONS</code> in the configuration file <code>/etc/rcS.conf</code>.
115 To start the server manually:
116 </p>
117 <pre> # /etc/init.d/dropbear start
118 </pre>
119 <p>
120 By default, Dropbear is launched with the following options:
121 </p>
122 <pre class="script"> -w Disallow root logins.
123 -g Disallow password logins for root.
124 </pre>
125 <p>
126 You can add new options by editing the daemons configuration file: <code>/etc/daemons.conf</code>.
127 For all options, you can type: <code>dropbear -h</code>.
128 </p>
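<p>
As an added example (not part of the SliTaz handbook or its scripts), the checks described above can be combined into one read-only audit: which of lighttpd and dropbear are listed in <code>RUN_DAEMONS</code>, whether the Dropbear options contain <code>-w</code> and <code>-g</code>, and which accounts have an empty password field. It assumes both settings are written as <code>VAR="..."</code> lines, that the Dropbear options live in a variable named <code>DROPBEAR_OPTIONS</code>, and that passwords are stored in a shadow-format file; the sample files are constructed.
</p>

```shell
#!/bin/sh
# Print the quoted value of VAR from a shell-style config file (parsed, never sourced).
conf_value() {  # conf_value VAR FILE
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Succeed if daemon NAME is listed in RUN_DAEMONS.
daemon_enabled() {  # daemon_enabled NAME RCS_CONF
    for d in $(conf_value RUN_DAEMONS "$2"); do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# Succeed if the Dropbear options include both -w and -g as separate flags.
# DROPBEAR_OPTIONS is an assumed variable name for /etc/daemons.conf.
dropbear_root_blocked() {  # dropbear_root_blocked DAEMONS_CONF
    opts=" $(conf_value DROPBEAR_OPTIONS "$1") "
    case "$opts" in *" -w "*) ;; *) return 1 ;; esac
    case "$opts" in *" -g "*) ;; *) return 1 ;; esac
}

# List accounts whose shadow password field is empty (no password set).
empty_password_users() {  # empty_password_users SHADOW_FILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print one line per finding for the three files.
audit() {  # audit RCS_CONF DAEMONS_CONF SHADOW_FILE
    for svc in lighttpd dropbear; do
        if daemon_enabled "$svc" "$1"; then echo "starts at boot: $svc"; fi
    done
    dropbear_root_blocked "$2" || echo "dropbear: -w and -g are not both set"
    for u in $(empty_password_users "$3"); do echo "empty password: $u"; done
}

# Constructed sample files (not copied from a real system).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/rcS.conf" <<'EOF'
RUN_DAEMONS="dbus hald slim firewall lighttpd"
EOF
cat > "$SAMPLE/daemons.conf" <<'EOF'
DROPBEAR_OPTIONS="-w -b /etc/dropbear/banner"
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:$1$constructed$hashvalue:13525:0:99999:7:::
hacker::13525:0:99999:7:::
EOF
audit "$SAMPLE/rcS.conf" "$SAMPLE/daemons.conf" "$SAMPLE/shadow"
```

<p>
On a live system, pass <code>/etc/rcS.conf</code>, <code>/etc/daemons.conf</code> and <code>/etc/shadow</code> to <code>audit</code> as <em>root</em>.
</p>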
130 <a name="pscan"></a>
131 <h3>Pscan - Ports scanner</h3>
132 <p>
133 Pscan is a small utility from the Busybox project that scans the ports of your machine. You can use
134 <code>pscan</code> to scan the localhost or a remote host using the name or IP address of the machine.
135 By default, Pscan tests ports 1 to 1024 and lists those that are open, with their protocol
136 and associated service (ssh, www, etc.):
137 </p>
138 <pre> $ pscan localhost
139 </pre>
141 <!-- End of content -->
142 </div>
144 <!-- Footer. -->
145 <div id="footer">
146 <div class="footer-right"></div>
147 <a href="index.html#top">Top of the page</a> |
148 <a href="index.html">Table of contents</a>
149 </div>
151 <div id="copy">
152 Copyright © 2008 <a href="http://www.slitaz.org/en/">SliTaz</a> -
153 <a href="http://www.gnu.org/licenses/gpl.html">GNU General Public License</a>;<br />
154 Documentation is under
155 <a href="http://www.gnu.org/copyleft/fdl.html">GNU Free Documentation License</a>
156 and code is <a href="http://validator.w3.org/">valid xHTML 1.0</a>.
157 </div>
159 </body>
160 </html>