website rev 49

Add Security to Handbook (en)
author Paul Issott <paul@slitaz.org>
date Sun May 18 22:50:22 2008 +0000 (2008-05-18)
parents 658fcc712636
children 3fd476d3b61f
files en/doc/handbook/index.html en/doc/handbook/secure-server.html en/doc/handbook/security.html
line diff
     1.1 --- a/en/doc/handbook/index.html	Sat May 17 13:37:45 2008 +0200
     1.2 +++ b/en/doc/handbook/index.html	Sun May 18 22:50:22 2008 +0000
     1.3 @@ -52,6 +52,7 @@
     1.4  	<li><a href="web-server.html">Web server</a> - Configure and use the LightTPD web server.</li>
     1.5  	<li><a href="chroot-env.html">Chroot Environment</a> - Build a chroot to protect the host system.</li>
     1.6  	<li><a href="secure-server.html">Secure SHell (SSH)</a> - Secure login using Dropbear SSH client/server.</li>
     1.7 +	<li><a href="security.html">Security</a> - SliTaz and system security.</li>
     1.8  </ul>
     1.9  
    1.10  <h3>About this Handbook</h3>
     2.1 --- a/en/doc/handbook/secure-server.html	Sat May 17 13:37:45 2008 +0200
     2.2 +++ b/en/doc/handbook/secure-server.html	Sun May 18 22:50:22 2008 +0000
     2.3 @@ -16,6 +16,7 @@
     2.4  <div id="header">
     2.5  <div id="quicknav" align="right">
     2.6      <a name="top"></a>
     2.7 +    <a href="security.html">Security</a> |
     2.8      <a href="index.html">Table of contents</a>
     2.9  </div>
    2.10  <h1><font color="#3e1220">SliTaz Handbook (en)</font></h1>
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/en/doc/handbook/security.html	Sun May 18 22:50:22 2008 +0000
     3.3 @@ -0,0 +1,158 @@
     3.4 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
     3.5 +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>SliTaz Handbook (en) - Template</title>
     3.6 +
     3.7 +
     3.8 +    
     3.9 +    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
    3.10 +    <meta name="description" content="slitaz English handbook" />
    3.11 +    <meta name="expires" content="never" />
    3.12 +    <meta name="modified" content="2008-02-26 18:30:00" />
    3.13 +    <meta name="publisher" content="www.slitaz.org" />
    3.14 +    <meta name="author" content="Christophe Lincoln" />
    3.15 +    <link rel="shortcut icon" href="favicon.ico" />
    3.16 +    <link rel="stylesheet" type="text/css" href="book.css" /></head><body bgcolor="#ffffff">
    3.17 +
    3.18 +<!-- Header and quick navigation -->
    3.19 +<div id="header">
    3.20 +<div id="quicknav" align="right">
    3.21 +    <a name="top"></a>
    3.22 +    <a href="index.html">Table of contents</a>
    3.23 +</div>
    3.24 +<h1><font color="#3e1220">SliTaz Handbook (en)</font></h1>
    3.25 +</div>
    3.26 +
    3.27 +<!-- Content. -->
    3.28 +<div id="content">
    3.29 +<div class="content-right"></div>
    3.30 +
    3.31 +<h2><font color="#df8f06">SliTaz and System Security</font></h2>
    3.32 +
    3.33 +<ul>
    3.34 +	<li><a href="#policy">Security Policy</a></li>
    3.35 +	<li><a href="#root">Root</a> - The system administrator.</li>
    3.36 +	<li><a href="#passwords">Passwords</a></li>
    3.37 +	<li><a href="#busybox">Busybox</a> - Configuration file /etc/busybox.conf.</li>
    3.38 +	<li><a href="#web-server">LightTPD web server</a> - Disable the LightTPD web server.</li>
    3.39 +	<li><a href="#ssh">SSH server</a> - Default options.</li>
    3.40 +	<li><a href="#pscan">Pscan</a> - Scan for open ports.</li>
    3.41 +	<li><a href="network-config.html#firewall">Firewall (Iptables)</a> - 
    3.42 +	The network firewall.</li>
    3.43 +</ul> 
    3.44 +
    3.45 +<a name="policy"></a>
    3.46 +<h3>Security Policy</h3>
    3.47 +<p>
    3.48 +SliTaz has given a lot of consideration to system security. Applications are tested for many months before being 
    3.49 +included in the distribution. At boot time, a minimum of services are launched by the rc scripts. For a complete
    3.50 +lists of daemons enabled, you can look in the <code>RUN_DAEMONS</code> variable in the <code>/etc/rcS.conf</code> configuration
    3.51 +file:
    3.52 +</p>
    3.53 +<pre> $ cat /etc/rcS.conf | grep RUN_DAEMONS
    3.54 +</pre>
    3.55 +<p>
    3.56 +To view the actual processes, their PID and memory usage, you can use the 'ps' command or the 'htop'
    3.57 +utility:
    3.58 +</p>
    3.59 +<pre> $ ps
    3.60 + $ htop
    3.61 +</pre>
    3.62 +
    3.63 +<a name="root"></a>
    3.64 +<h3>Root - The system administrator</h3>
    3.65 +<p>
    3.66 +In a GNU/Linux system, the <em>root</em> user is the system administrator, <em>root</em> has all the rights 
    3.67 +to the system files and that of the users. It is advisable never to log in as <em>root</em> by using the command 
    3.68 +<code>su</code>  followed by the password to obtain absolute rights over the system. Never log in as <em>root</em> and surf the 
    3.69 +internet for example, this allows you to create a double barrier in the case of an attack or intrusion after a 
    3.70 +download. This makes it harder for a <em>cracker</em> to take control of your machine - first he must crack your
    3.71 +password and then crack the <em>root</em> password of the system administrator.
    3.72 +</p>
    3.73 +<p>
    3.74 +A GNU/Linux system has secured at least two users, one to work and one to administer, configure
    3.75 +or update the system (<code>root</code>). It's also advisable to entrust the administration of the
    3.76 +system to a person.
    3.77 +</p>
    3.78 +
    3.79 +<a name="passwords"></a>
    3.80 +<h3>Passwords</h3>
    3.81 +<p>
    3.82 +By default the SliTaz user <em>hacker</em> doesn't have a password and the system administrator <em>root</em>
    3.83 +comes with the password (<em>root</em>). You can easily change these by using the <code>passwd</code> command:
    3.84 +</p>
    3.85 +<pre> $ passwd
    3.86 + # passwd
    3.87 +</pre>
    3.88 +
    3.89 +<a name="busybox"></a>
    3.90 +<h3>Busybox</h3>
    3.91 +<p>
    3.92 +The file busybox.conf configures the applets and their respective rights. On the SliTaz LiveCD the commands:
    3.93 +su, passwd, loadkmap, mount, reboot and halt can be initiated by all users - the owner and group of these 
    3.94 +commands is <em>root</em> (<code>* = ssx root.root</code>). The busybox.conf file is readable by root,
    3.95 +using the rights 600. Note that the <code>passwd</code> command will not allow users to change their own password 
    3.96 +if it is not ssx.
    3.97 +</p>
    3.98 +
    3.99 +<a name="web-server"></a>
   3.100 +<h3>LightTPD web server</h3>
   3.101 +<p>
   3.102 +On SliTaz the LightTPD web server is enabled by default at system startup, if you don't intend to use SliTaz in a server 
   3.103 +environment, you can safely disable it by removing it from the <code>RUN_DAEMONS</code> variable in the
   3.104 +<code>/etc/rcS.conf</code> configuration file or to stop it manually:
   3.105 +</p>
   3.106 +<pre> # etc/init.d/lighttpd stop
   3.107 +</pre>
   3.108 +
   3.109 +<a name="ssh"></a>
   3.110 +<h3>SSH Server</h3>
   3.111 +<p>
   3.112 +This small section is a compliment to the 
   3.113 +<a href="secure-server.html">Secure SHell (SSH)</a> page. 
   3.114 +On SliTaz the Dropbear SSH server is not run by default, we must add it to the variable 
   3.115 +<code>RUN_DAEMONS</code> in the configuration file <code>/etc/rcS.conf</code> for it to be
   3.116 +enabled at system boot. Or to start the server manually:
   3.117 +</p>
   3.118 +<pre> # /etc/init.d/dropbear start
   3.119 +</pre>
   3.120 +<p>
   3.121 +By default Dropbear is launched with the following options:
   3.122 +</p>
   3.123 +<pre class="script"> -w   Disallow root logins.
   3.124 + -g   Disallow logins for root password.
   3.125 +</pre>
   3.126 +<p>
   3.127 +You can add new options by editing the daemons configuration file: <code>/etc/daemons.conf</code>. 
   3.128 +For all options, you can type: <code>dropbear -h</code>.
   3.129 +</p>
   3.130 +
   3.131 +<a name="pscan"></a>
   3.132 +<h3>Pscan - Ports scanner</h3>
   3.133 +<p>
   3.134 +Pscan is a small utility of the Busybox project, it scans the ports of your machine. You can use 
   3.135 +<code>pscan</code> to scan the localhost or a remote host using the name or IP address of the machine.
   3.136 +Pscan will test all the ports from 1 - 1024 by default and list those that are open, their protocol
   3.137 +and associated service (ssh, www, etc):
   3.138 +</p>
   3.139 +<pre> $ pscan localhost
   3.140 +</pre>
   3.141 +
   3.142 +<!-- End of content -->
   3.143 +</div>
   3.144 +
   3.145 +<!-- Footer. -->
   3.146 +<div id="footer">
   3.147 +	<div class="footer-right"></div>
   3.148 +	<a href="#top">Top of the page</a> | 
   3.149 +	<a href="http://www.slitaz.org/en/doc/handbook/index.html">Table of contents</a>
   3.150 +</div>
   3.151 +
   3.152 +<div id="copy">
   3.153 +    Copyright © 2008 <a href="http://www.slitaz.org/en/">SliTaz</a> -
   3.154 +    <a href="http://www.gnu.org/licenses/gpl.html">GNU General Public License</a>;<br />
   3.155 +    Documentation is under
   3.156 +    <a href="http://www.gnu.org/copyleft/fdl.html">GNU Free Documentation License</a>
   3.157 +    and code is <a href="http://validator.w3.org/">valid xHTML 1.0</a>.
   3.158 +</div>
   3.159 +
   3.160 +</body></html>
   3.161 +
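Review bot: the manual stop command at 3.106, "# etc/init.d/lighttpd stop", is missing the leading slash and will only work when run from /; it should read "# /etc/init.d/lighttpd stop", matching the Dropbear line at 3.118. At 3.124 the description of Dropbear's -g option, "Disallow logins for root password.", does not say what the flag does; the intended reading is presumably "Disable password logins for root", which also makes clear that -g restricts root to key-based login while -w at 3.123 disallows root logins altogether. The head section is still the template's: the title at 3.5 reads "SliTaz Handbook (en) - Template", and the author and modified metas at 3.12 and 3.14 carry "2008-02-26" and "Christophe Lincoln" rather than this page's author and date. Smaller points: "compliment" at 3.112 should be "complement"; "cat /etc/rcS.conf | grep RUN_DAEMONS" at 3.53 can simply be "grep RUN_DAEMONS /etc/rcS.conf"; the sentence at 3.67-3.68 ("It is advisable never to log in as root by using the command su ...") reads as if su were the thing to avoid, where the intent is to work as a normal user and use su only when root rights are needed; and since 3.112-3.113 present this page as a complement to secure-server.html, the quicknav at 3.20-3.23 could carry the reciprocal link that 2.7 adds on the other side.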