Page 1


1

A word from OpenNA Inc. C.E.O
Dear friends,
Following the introductory issue of "Securing and Optimizing Linux, Red Hat" we decided to
publish the second edition, "The Ultimate Solution", locally. I was rather reluctant to do it in-house
at first, but the overwhelming demand from friends and readers on the Open Source stage made
me resolve to go ahead with the publishing.
As we all know, the explosive growth of the Internet and its related activities made computers an
essential part of our infrastructure, a production communication system that reaches millions of
people in all populated countries of the world. New technologies are providing a higher capacity
service and an economic impact as well. Linux came as the Good Samaritan and provided a
reliable and inexpensive solution to many security concerns for companies and individuals working
in critical and complex fields.
Many books are written every day and each has features that praise its content; the underlying
theory has produced a lot of challenges to beginners and professionals alike. With "The
Ultimate Solution" we are updating and keeping our audience informed in the same easy and
friendly manner we used in our first book; the reader will find new formulas and solutions
that, although complex, are still easy to implement.
On a final note we are proud of Gerhard's work and hope that you will share with us this feeling.
Maroun Mourani
B.Eng.

This book is dedicated to OpenNA staff. Thanks, guys (no-gender)!!

--Gerhard Mourani
This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste.
Open Network Architecture is committed to using paper with the highest recycled content
available consistent with high quality.

Copyright © 2001 by Gerhard Mourani and Open Network Architecture Inc.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or
transmitted in any form or by any means, electronic, mechanical, photocopying, recording,
scanning or otherwise, except as permitted by Canada Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy
fee to the copyright holders Gerhard Mourani and Open Network Architecture Inc. 11090 Drouart,
Montreal, PQ H3M 2S3, (514) 334-1068, fax (514) 338-3964. Requests to the Publisher for
permission should be addressed to the Publishing Manager, at Open Network Architecture Inc.,
E-mail: pubooks@openna.com.
This publication is designed to provide accurate and authoritative information in regard to the
subject matter covered. It is sold with the understanding that some grammatical mistakes could
have occurred but this won't jeopardize the content or the issue raised herewith.
Title: Securing and Optimizing Linux: The Ultimate Solution

Page Count: 856
Version: 2.0
Last Revised: 2001-06-13

Publisher: Open Network Architecture Inc.
Editor: Ted Nackad
Text Design & Drawings (Graphics): Bruno Mourani
Printing History: June 2000: First Publication.

Author: Gerhard Mourani
Mail: gmourani@openna.com
Website: http://www.openna.com/

National Library Act. R.S., c. N-11, s. 1.
Legal Deposit, 2001
Securing and Optimizing Linux: The Ultimate Solution / Open Network Architecture.
Published by Open Network Architecture, Inc., 11090 Drouart, Montreal, H3M 2S3, Canada.
Includes Index.
ISBN 0-9688793-0-6
Printed in Canada

Overview

Part I Installation Related Reference
Chapter 1
Introduction
Chapter 2
Installing a Linux Server

Part II Security and Optimization Related Reference
Chapter 3
General System Security
Chapter 4
Linux Pluggable Authentication Modules
Chapter 5
General System Optimization

Chapter 6
Kernel Security & Optimization

Part III Networking Related Reference
Chapter 7
TCP/IP Network Management
Chapter 8
Firewall IPTABLES Packet Filter
Chapter 9
Firewall IPTABLES Masquerading & Forwarding

Part IV Cryptography & Authentication Related Reference
Chapter 10 GnuPG
Chapter 11 OpenSSL
Chapter 12 OpenSSH

Part V Monitoring & System Integrity Related Reference
Chapter 13 sXid
Chapter 14 Logcheck
Chapter 15 PortSentry
Chapter 16 Tripwire
Chapter 17 Xinetd

Part VI Management & Limitation Related Reference
Chapter 18 Quota

Part VII Domain Name System Related Reference
Chapter 19 ISC BIND/DNS

Part VIII Mail Transfer Agent Related Reference
Chapter 20 Sendmail
Chapter 21 qmail

Part IX Internet Message Access Protocol Related Reference
Chapter 22 UW IMAP


Part X Database Server Related Reference
Chapter 23 MySQL
Chapter 24 PostgreSQL
Chapter 25 OpenLDAP

Part XI Gateway Server Related Reference
Chapter 26 Squid
Chapter 27 FreeS/WAN VPN

Part XII Other Server Related Reference
Chapter 28 Wu-ftpd
Chapter 29 Apache
Chapter 30 Samba

Part XIII Backup Related Reference
Chapter 31 Backup & restore procedures

Part XIII APPENDIXES

APPENDIX A
Tweaks, Tips and Administration Tasks

APPENDIX B
Contributor Users

APPENDIX C
Obtaining Requests for Comments (RFCs)

APPENDIX D
Port list

Contents

Organization of the Book....................................................................................................................... 12

Steps of installation............................................................................................................................... 13

Author note ........................................................................................................................................... 14

Audience............................................................................................................................................... 15

These installation instructions assume ................................................................................................. 15

About products mentioned in this book ................................................................................................. 15

Obtaining the example configuration files ............................................................................................. 15

Problem with Securing & Optimizing Linux ........................................................................................... 16

Acknowledgments................................................................................................................................. 16


Part I Installation Related Reference 17


1 Installation - Introduction 18


What is Linux? ...................................................................................................................................... 19

Some good reasons to use Linux.......................................................................................................... 19

Let's dispel some of the fear, uncertainty, and doubt about Linux......................................................... 19

Why choose Pristine source?................................................................................................................ 20

Compiling software on your system ...................................................................................................... 20

Build, Install software on your system................................................................................................... 21

Editing files with the vi editor tool .................................................................................................... 22

Recommended software to include in each type of servers.................................................................. 23

Some last comments............................................................................................................................. 25


2 Installation - Installing a Linux Server 26


Know your Hardware!............................................................................................................................ 27

Creating the Linux Boot Disk................................................................................................................. 27

Beginning the installation of Linux......................................................................................................... 29

Installation Class and Method (Install Options)..................................................................................... 31

Partition your system for Linux.............................................................................................................. 32

Disk Partition (Manual Partitioning)....................................................................................................... 35

Selecting Package Groups.................................................................................................................... 47

How to use RPM Commands................................................................................................................ 50

Starting and stopping daemon services ................................................................................................ 52

Software that must be uninstalled after installation of the server .......................................................... 53

Remove unnecessary documentation files............................................................................................ 58

Remove unnecessary/empty files and directories................................................................................. 58

Software that must be installed after installation of the server .............................................................. 59

Verifying installed programs on your Server ......................................................................................... 62

Update of the latest software ................................................................................................................ 64


Part II Security and Optimization Related Reference 66


3 Security and Optimization - General System Security 67


BIOS ..................................................................................................................................................... 68

Unplug your server from the network .................................................................................................... 68

Security as a policy ............................................................................................................................... 68

Choose a right password ...................................................................................................................... 69

The root account ................................................................................................................................... 70

Set login time out for the root account .................................................................................................. 70

The /etc/exports file ....................................................................................................................... 70


The single-user login mode of Linux ..................................................................................................... 71

The LILO and /etc/lilo.conf file ................................................................................................... 71

Disabling Ctrl-Alt-Delete keyboard shutdown command ............................................................. 73

The /etc/services file ..................................................................................................................... 74

The /etc/securetty file ................................................................................................................... 74

Special accounts................................................................................................................................... 75

Control mounting a file system.............................................................................................................. 77

Mounting the /boot directory of Linux as read-only............................................................................. 79

Conceal binary RPM ............................................................................................................................. 80

Shell logging ......................................................................................................................................... 80

Physical hard copies of all-important logs............................................................................................. 81

Tighten scripts under /etc/rc.d/init.d/ ....................................................................................... 84

The /etc/rc.local file ..................................................................................................................... 84

Bits from root-owned programs............................................................................................................. 85

Finding all files with the SUID/SGID bit enabled .................................................................................. 86

Don't let internal machines tell the server what their MAC address is .................................................... 87

Unusual or hidden files.......................................................................................................................... 88

Finding Group and World Writable files and directories ........................................................................ 88

Unowned files ....................................................................................................................................... 89

Finding .rhosts files........................................................................................................................... 89

System is compromised!....................................................................................................................... 90


4 Security and Optimization - Pluggable Authentication Modules 91


The password length............................................................................................................................. 92

Disabling console program access ....................................................................................................... 94

Disabling all console access ................................................................................................................. 95

The Login access control table ............................................................................................................. 95

Tighten console permissions for privileged users ................................................................................. 97

Putting limits on resource...................................................................................................................... 98

Controlling access time to services..................................................................................................... 100

Blocking su to root, by one and sundry.............................................................................................. 101


5 Security and Optimization - General System Optimization 103


Static vs. shared libraries.................................................................................................................... 104

The Glibc 2.2 library of Linux .......................................................................................................... 105

Why Linux programs are distributed as source................................................................................... 106

Some misunderstanding in the compiler flags options ........................................................................ 106

The gcc 2.96 specs file ................................................................................................................... 107

Tuning IDE Hard Disk Performance ................................................................................................... 113


6 Security and Optimization - Kernel Security & Optimization 117


Making an emergency boot floppy ...................................................................................................... 120

Checking the /boot partition of Linux ................................................................................................ 120

Tuning the Kernel................................................................................................................................ 121

Applying the Openwall kernel patch.................................................................................................... 124

Cleaning up the Kernel........................................................................................................................ 126

Configuring the Kernel ........................................................................................................................ 127

Compiling the Kernel........................................................................................................................... 143

Installing the Kernel ............................................................................................................................ 144

Reconfiguring /etc/modules.conf file........................................................................................... 147

Delete programs, edit files pertaining to modules ............................................................................... 148

Remounting the /boot partition of Linux as read-only ....................................................................... 149

Rebooting your system to load the new kernel ................................................................................... 149

Making a new rescue floppy for Modularized Kernel........................................................................... 150

Making an emergency boot floppy disk for Monolithic Kernel ............................................................... 150


Optimizing Kernel ............................................................................................................................. 151


Part III Networking Related Reference 164


7 Networking - TCP/IP Network Management 165


TCP/IP security problem overview..................................................................................................... 167

Installing more than one Ethernet Card per Machine.......................................................................... 171

Files-Networking Functionality ............................................................................................................ 172

Securing TCP/IP Networking ............................................................................................................. 176

Optimizing TCP/IP Networking .......................................................................................................... 184

Testing TCP/IP Networking ............................................................................................................... 190

The last checkup................................................................................................................................. 194


8 Networking - Firewall IPTABLES Packet Filter 195


What is a Network Firewall Security Policy? ....................................................................................... 197

The Demilitarized Zone....................................................................................................................... 198

What is Packet Filtering? .................................................................................................................... 199

The topology ....................................................................................................................................... 199

Building a kernel with IPTABLES Firewall support.............................................................................. 201

Rules used in the firewall script files ................................................................................................... 201

/etc/rc.d/init.d/iptables: The Web Server File .................................................................. 204

/etc/rc.d/init.d/iptables: The Mail Server File ................................................................... 213

/etc/rc.d/init.d/iptables: The Primary Domain Name Server File...................................... 221

/etc/rc.d/init.d/iptables: The Secondary Domain Name Server File................................ 229


9 Networking - Firewall Masquerading & Forwarding 237


Recommended RPM packages to be installed for a Gateway Server................................................ 238

Building a kernel with Firewall Masquerading & Forwarding support.................................................. 239

/etc/rc.d/init.d/iptables: The Gateway Server File............................................................ 242

Deny access to some address............................................................................................................ 254

IPTABLES Administrative Tools.......................................................................................................... 255


Part IV Cryptography & Authentication Related Reference 257


10 Cryptography & Authentication - GnuPG 258


Compiling - Optimizing & Installing GnuPG .......................................................................................... 260

GnuPG Administrative Tools................................................................................................................ 262


11 Cryptography & Authentication - OpenSSL 267


Compiling - Optimizing & Installing OpenSSL ..................................................................................... 270

Configuring OpenSSL .......................................................................................................................... 272

OpenSSL Administrative Tools............................................................................................................ 279

Securing OpenSSL .............................................................................................................................. 283



12 Cryptography & Authentication - OpenSSH 286


Compiling - Optimizing & Installing OpenSSH ..................................................................................... 288

Configuring OpenSSH .......................................................................................................................... 290

OpenSSH Per-User Configuration ....................................................................................................... 298

OpenSSH Users Tools......................................................................................................................... 300


Part V Monitoring & System Integrity Related Reference 303


13 Monitoring & System Integrity - sXid 304


Compiling - Optimizing & Installing sXid ............................................................................................ 306

Configuring sXid ................................................................................................................................ 307

sXid Administrative Tools .................................................................................................................. 309


14 Monitoring & System Integrity - Logcheck 310


Compiling - Optimizing & Installing Logcheck ................................................................................... 312

Configuring Logcheck ....................................................................................................................... 317


15 Monitoring & System Integrity - PortSentry 319


Compiling - Optimizing & Installing PortSentry ............................................................................... 321

Configuring PortSentry ................................................................................................................... 324


16 Monitoring & System Integrity - Tripwire 334


Compiling - Optimizing & Installing Tripwire ................................................................................... 336

Configuring Tripwire ....................................................................................................................... 339

Securing Tripwire ............................................................................................................................ 342

Tripwire Administrative Tools.......................................................................................................... 342


17 Monitoring & System Integrity - Xinetd 345


Compiling - Optimizing & Installing Xinetd ........................................................................................ 347

Configuring Xinetd ............................................................................................................................ 349

Securing Xinetd ................................................................................................................................ 361


Part VI Management & Limitation Related Reference 363


18 Management & Limitation - Quota 364


Build a kernel with Quota support enabled........................................................................................... 365

Modifying the /etc/fstab file........................................................................................................... 365

Creating the quota.user and quota.group files ........................................................................... 367

Assigning Quota for Users and Groups.............................................................................................. 367

Quota Administrative Tools................................................................................................................ 370



Part VII Domain Name System Related Reference 371


19 Domain Name System - ISC BIND/DNS 372


Recommended RPM packages to be installed for a DNS Server ........................................................ 374

Compiling - Optimizing & Installing ISC BIND & DNS .......................................................................... 377

Configuring ISC BIND & DNS .............................................................................................................. 380

Caching-Only Name Server ................................................................................................................ 381

Primary Master Name Server.............................................................................................................. 384

Secondary Slave Name Server........................................................................................................... 389

Running ISC BIND & DNS in a chroot jail............................................................................................ 395

Securing ISC BIND & DNS .................................................................................................................. 399

Optimizing ISC BIND & DNS ............................................................................................................... 414

ISC BIND & DNS Administrative Tools ................................................................................................ 417

ISC BIND & DNS Users Tools ............................................................................................................. 418


Part VIII Mail Transfer Agent Related Reference 422


20 Mail Transfer Agent - Sendmail 423


Recommended RPM packages to be installed for a Mail Server ...................................................... 425

Compiling - Optimizing & Installing Sendmail ................................................................................... 428

Configuring Sendmail ....................................................................................................................... 433

Running Sendmail with SSL support................................................................................................. 449

Securing Sendmail ............................................................................................................................ 457

Sendmail Administrative Tools.......................................................................................................... 462

Sendmail Users Tools....................................................................................................................... 463


21 Mail Transfer Agent - qmail 465


Recommended RPM packages to be installed for a Mail Server ...................................................... 467

Verifying & installing all the prerequisites to run qmail ...................................................................... 468

Compiling, Optimizing & Installing ucspi-tcp .................................................................................. 469

Compiling, Optimizing & Installing checkpassword .......................................................................... 470

Compiling, Optimizing & Installing qmail ........................................................................................... 472

Configuring qmail .............................................................................................................................. 479

Running qmail as a standalone null client......................................................................................... 488

Running qmail with SSL support....................................................................................................... 489

Securing qmail .................................................................................................................................. 489

qmail Administrative Tools................................................................................................................ 493

qmail Users Tools ............................................................................................................................. 494


Part IX Internet Message Access Protocol Related Reference 496


22 Internet Message Access Protocol - UW IMAP 497


Compiling - Optimizing & Installing UW IMAP ....................................................................................... 501

Configuring UW IMAP ........................................................................................................................... 505

Enable IMAP or POP services via Xinetd .......................................................................................... 505

Securing UW IMAP ............................................................................................................................... 508

Running UW IMAP with SSL support .................................................................................................... 510



Part X Database Server Related Reference 517


23 Database Server - MySQL 518


Recommended RPM packages to be installed for a SQL Server ........................................................ 521

Compiling - Optimizing & Installing MySQL .......................................................................................... 523

Configuring MySQL .............................................................................................................................. 526

Securing MySQL .................................................................................................................................. 530

Optimizing MySQL ............................................................................................................................... 531

MySQL Administrative Tools................................................................................................................ 536


24 Database Server -
PostgreSQL
544

Recommended RPM packages to be installed for a
SQL
Server ........................................................ 545

Compiling - Optimizing & Installing
PostgreSQL
............................................................................... 547

Configuring
PostgreSQL
................................................................................................................... 549

Running
PostgreSQL
with
SSL
support ............................................................................................ 555

Securing
PostgreSQL
....................................................................................................................... 558

Optimizing
PostgreSQL
..................................................................................................................... 562

PostgreSQL
Administrative Tools ..................................................................................................... 564


25 Database Server -
OpenLDAP
569


Recommended RPM packages to be installed for a
LDAP
Server ...................................................... 571

Compiling - Optimizing & Installing
OpenLDAP
................................................................................... 574

Configuring
OpenLDAP
....................................................................................................................... 577

Running
OpenLDAP
in a chroot jail ..................................................................................................... 583

Running
OpenLDAP
with
TLS/SSL
support ........................................................................................ 590

Securing
OpenLDAP
............................................................................................................................ 595

Optimizing
OpenLDAP
......................................................................................................................... 596

OpenLDAP
Administrative Tools.......................................................................................................... 598

OpenLDAP
Users Tools....................................................................................................................... 603


Part XI Gateway Server Related Reference 606


26 Gateway Server -
Squid
Proxy Server
607


Recommended RPM packages to be installed for a
Proxy
Server .................................................... 609

Compiling - Optimizing & Installing
Squid
.......................................................................................... 611

Using
GNU

malloc
library to improve cache performance of
Squid
.................................................. 613

Configuring
Squid
.............................................................................................................................. 616

Securing
Squid
.................................................................................................................................. 629

Optimizing
Squid
............................................................................................................................... 630

The
cachemgr.cgi
program utility of
Squid
.................................................................................... 630


27 Gateway Server -
FreeS/WAN
VPN Server 633


Recommended RPM packages to be installed for a
VPN
Server ........................................................ 635

Compiling - Optimizing & Installing
FreeS/WAN
................................................................................. 638

Configuring RSA private keys secrets................................................................................................. 648

Requiring network setup for
IPSec
.................................................................................................... 653

Testing the
FreeS/WAN
installation.................................................................................................... 656


Page 11


11

Part XII Other Server Related Reference 661


28 Other Server -
Wu-ftpd
FTP Server 662


Recommended RPM packages to be installed for a
FTP
Server ........................................................ 664

Compiling - Optimizing & Installing
Wu-ftpd
..................................................................................... 666

Running
Wu-ftpd
in a chroot jail........................................................................................................ 669

Configuring
Wu-ftpd
.......................................................................................................................... 673

Securing
Wu-ftpd
.............................................................................................................................. 681

Setup an
Anonymous

FTP
server....................................................................................................... 683

Wu-ftpd
Administrative Tools............................................................................................................ 688


29 Other Server -
Apache
Web Server 690


Compiling - Optimizing & Installing
MM
................................................................................................ 692

Some static's about
Apache
and
Linux
............................................................................................ 696

Recommended RPM packages to be installed for a
Web
Server ........................................................ 698

Compiling - Optimizing & Installing
Apache
........................................................................................ 703

Configuring
Apache
............................................................................................................................ 710

Enable
PHP4
server-side scripting language with the Web Server ..................................................... 718

Securing
Apache
................................................................................................................................ 719

Optimizing
Apache
............................................................................................................................. 723

Running
Apache
in a chroot jail.......................................................................................................... 726


30 Other Server -
Samba
File Sharing Server 739


Recommended RPM packages to be installed for a
Samba
Server .................................................... 741

Compiling - Optimizing & Installing
Samba
.......................................................................................... 744

Configuring
Samba
.............................................................................................................................. 747

Running
Samba
with
SSL
support ....................................................................................................... 757

Securing
Samba
.................................................................................................................................. 762

Optimizing
Samba
............................................................................................................................... 764

Samba
Administrative Tools................................................................................................................ 766

Samba
Users Tools ............................................................................................................................. 767


Part XIII Backup Related Reference 769


31 Backup -
Tar
&
Dump
770


Recommended RPM packages to be installed for a
Backup
Server.................................................. 771

The
tar
backup program ................................................................................................................... 772

Making backups with
tar
................................................................................................................... 773

Automating tasks of backups made with
tar
..................................................................................... 775

Restoring files with
tar
...................................................................................................................... 777

The
dump
backup program ................................................................................................................. 778

Making backups with
dump
................................................................................................................. 780

Restoring files with
dump
.................................................................................................................... 782

Backing up and restoring over the network......................................................................................... 784


Preface
Organization of the Book
Securing and Optimizing Linux: Red Hat Edition has 31 chapters, organized into thirteen parts
and four appendixes:

- Part I: Installation Related Reference includes two chapters; the first chapter introduces Linux in general and gives some basic information to the new Linux reader who is not familiar with this operating system. The second chapter guides you through the steps of installing Linux (from CD) in the most secure manner, with only the essential and critical software for a clean and secure installation.

- Part II: Security and Optimization Related Reference focuses on how to secure and tune Linux after it has been installed. Part II includes four chapters that explain how to protect your Linux system, how to use and apply Pluggable Authentication Modules (PAM), and how to optimize your system for your specific processor and memory. Finally, the last chapter describes how to install, optimize, protect and customize the Kernel. All information in Part II of the book applies to the whole system.

- Part III: Networking Related Reference contains three chapters. The first chapter answers fundamental questions about network devices, network configuration files and network security, as well as essential networking commands. The second and third chapters provide information about firewalls and the popular masquerading feature of Linux, and how to configure and customize the new, powerful IPTABLES tool of this system to fit your needs.

- Part IV: Cryptography & Authentication Related Reference contains three chapters about the essential security tools needed to secure network communication. These tools are the minimum that should be installed on any type of Linux server.

- Part V: Monitoring & System Integrity Related Reference provides five chapters which help you tighten security on your server through the use of some powerful security software.

- Part VI: Management & Limitation Related Reference presently includes just one chapter, about limiting users' disk space usage on the server.

- Part VII: Domain Name System Related Reference discusses the Domain Name System, an essential service to install on every Linux server you want on the network. This part of the book is important and must be read by everyone.

- Part VIII: Mail Transfer Agent Related Reference explains everything about installing and configuring a Mail Server and the minimum mail software to install. It is one of the most important parts of the book.

- Part IX: Internet Message Access Protocol Related Reference is the last required part to read before going on to the installation of specific services on your Linux system. It discusses the mail software required to allow your users to get and read their electronic mail.

- Part X: Database Server Related Reference contains three chapters about the most commonly used and powerful databases on *NIX systems.

- Part XI: Gateway Server Related Reference discusses installing a powerful proxy server and configuring encrypted network services.


- Part XII: Other Server Related Reference shows you how to use Linux for specific purposes such as setting up a customized FTP server, running a World Wide Web server and sharing files between different systems, all in a secure and optimized manner.

- Part XIII: Backup Related Reference describes how to make a reliable backup of your valuable files in a convenient way. This part includes a chapter that explains how to perform backups with the traditional and universal UNIX tools "tar" and "dump", which lets you use the same procedures, without any modification, on the other Unix family platforms.

- The appendixes are as follows:

  * Appendix A: Tweaks, Tips and Administration Tasks has several useful Linux tips on administration, networking and shell commands.

  * Appendix B: Contributor Users lists Linux users around the world who have participated on a voluntary basis by providing good suggestions, recommendations, help, tips, corrections, ideas and other information to help in the development of this book. Thanks to all of you.

  * Appendix C: Obtaining Requests for Comments (RFCs) provides an alphabetical reference for important RFCs related to the software or protocols described in the book.

Steps of installation
Depending on your level of knowledge of Linux, you can read this book from the beginning through to the end, or just the chapters that interest you. Each chapter and section of this book is written in a manner that lets you read only the parts of interest to you, without needing to schedule a whole day of reading. Too many books on the market take myriad pages to explain something that can be explained in two lines; I'm sure that a lot of you agree with my opinion. This book tries to be different by talking only about the essential and important information that readers want to know, and by eliminating all the nonsense.
Although you can read this book in the order you want, there is a particular order that you could follow if something seems to be confusing you. The steps shown below are what I recommend:

1. Set up Linux on your computer.
2. Remove all the unnecessary RPM packages.
3. Install the necessary RPM packages for compilation of software (if needed).
4. Secure the system in general.
5. Optimize the system in general.
6. Reinstall, recompile and customize the Kernel to fit your specific system.
7. Configure the firewall script according to which services will be installed on your system.
8. Install OpenSSL to be able to use encryption with the Linux server.
9. Install OpenSSH to be able to perform secure remote administration tasks.
10. Install sXid.
11. Install Logcheck.
12. Install PortSentry.
13. Install Tripwire.
14. Install ISC BIND/DNS.
15. Install Sendmail or qmail.
16. Install any other software you need afterwards to enable specific services on the server.



Author note
According to some surveys on the Internet, Linux will be the number one operating system for a server platform in the year 2003. Presently it is number two, and at one time no one thought that it would reach even second place. Many organizations, companies, universities, governments, the military, etc. kept quiet about using it. Crackers use it as the operating system par excellence for breaking into computers around the world. Why do so many people use it instead of other well-known operating systems? The answer is simple: Linux is free, and it is the most powerful, reliable and secure operating system in the world, provided it is well configured. Millions of programmers, home users, hackers, developers, etc. work on a voluntary basis to develop programs related to security and services, and share their work with other people to improve it without expecting anything in return. This is the revolution of the Open Source movement that we see and hear about so often on the Internet and in the media.
If crackers can use Linux to penetrate servers, security specialists can use the same means to protect servers (to win a war, you should at least have weapons equivalent to what your enemy may be using). When security holes are found, Linux is the one operating system that has a solution, and that is not by chance. Now someone may ask: with all these beautiful features, why is Linux not as popular as other well-known operating systems? There are many reasons and different answers on the Internet. I would just say that, like everything else in life, the things we expect the most of are harder to get than the average. Linux and *NIX are more difficult to learn than any other operating system. They are only for those who want to know computers in depth and know what they are doing. People prefer other OSs, which are easy to operate but make it hard to understand what is happening in the background, since they only have to click on a button without really knowing what their actions imply. Every UNIX operating system, Linux included, will lead you unconsciously to know exactly what you are doing, because if you proceed without understanding what happens as a result of the decisions you make, nothing will work as expected. This is why with Linux you will learn the real meaning of a computer, and especially of a server environment, where every decision warrants an action that will closely impact the security of your organization and employees.
Many Web sites are open to all sorts of "web hacking." According to the Computer Security Institute and the FBI's joint survey, 90% of 643 computer security practitioners from government agencies, private corporations, and universities detected cyber attacks last year. Over $265,589,940 in financial losses was reported by 273 organizations.
Many readers of the previous version of this book told me that the book was an easy step-by-step guide for newbies. I am flattered, but I prefer to admit that it was targeted at a technical audience and I assumed the reader had some background in Linux and UNIX systems. If this is not true in your case, I highly recommend that you read some good books on network administration related to UNIX, and especially to Linux, before venturing into this book. Remember that security and optimization are a very serious endeavor. It is very important to be attentive and to understand every detail in this book; if difficulties arise, going back and rereading the explanation will save a lot of frustration. Once again, security is not a game, and crackers await only one single error on your part to enter your system. A castle has many doors, and if just one stays open it will be enough to let intruders into your fortress. You have been warned.

Many efforts went into the making of this book, making sure that the results were as accurate as possible. If you find any abnormalities, inconsistent results, errors, omissions or anything else that doesn't look right, please let me know so I can investigate the problem and/or correct the error. Suggestions for future versions are also welcome and appreciated. A web site dedicated to this book is available on the Internet for your convenience. If you have any problem, question, recommendation, etc., please go to the following URL:
http://www.openna.com/
We made this site for you.

Audience
This book is intended for a technical audience and system administrators who manage Linux servers, but it also includes material for home users and others. It discusses how to install and set up a Linux server with all the necessary security and optimization for a high-performance, Linux-specific machine. It can also be applied, with some minor changes, to other Linux variants without difficulty. Since we speak of optimization and security configuration, we will use source distributions (tar.gz) for critical server software like Apache, ISC BIND/DNS, Samba, Squid, OpenSSL, etc. Source packages give us fast upgrades and security updates when necessary, and better compilation, customization and optimization options for specific machines that often aren't available with RPM packages.

These installation instructions assume
You have a CD-ROM drive on your computer and the Official Red Hat Linux CD-ROM.
Installations were tested on the Official Red Hat Linux version 7.1.
You should familiarize yourself with the hardware on which the operating system will be installed.
After examining the hardware, the rest of this document guides you, step-by-step, through the
installation process.

About products mentioned in this book
Many products will be mentioned in this book; some are commercial, but most are not, cost nothing and can be freely used or distributed. It is also important to say that I'm not affiliated with any specific brand, and if I mention a tool, it's because it is useful. You will find that a lot of big companies use most of them in their daily tasks.

Obtaining the example configuration files
In a true server environment, and especially when no Graphical User Interface is installed, we will often use text files, scripts, the shell, etc. Throughout this book we will see shell commands, script files, configuration files and many other actions to execute on the terminal of the server. You can enter them manually or use the compressed archive file that I made, which contains all the configuration examples, and paste them directly into your terminal. This is useful in many cases to save time.
The example configuration files in this book are available electronically via HTTP from this URL:

http://www.openna.com/products/books/securing-optimizing-linux/floppy-2.0.tgz

* In either case, extract the files onto your Linux server from the archive by typing:

[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf floppy-2.0.tgz

If you cannot get the examples from the Internet, please contact the author at this email address:

gmourani@openna.com


Problem with Securing & Optimizing Linux
When you encounter a problem in "Securing & Optimizing Linux" we want to hear about it. Your reports are an important part of making the book more reliable, because even with the utmost care we cannot guarantee that every part of the book will work on every platform under every circumstance.
We cannot promise to fix every error right away. If the problem is obvious, critical, or affects a lot of users, chances are that someone will look into it. It could also happen that we tell you to update to a newer version to see if the problem persists there. Or we might decide that the problem cannot be fixed until some major rewriting has been done. If you need help immediately, consider obtaining a commercial support contract or try our Q&A archive from the mailing list for an answer.
Below are some important links:
OpenNA.com web site:
http://www.openna.com/

Mailing list:
http://www.openna.com/support/mailing/index.htm

Errata:
http://www.openna.com/products/books/securing-optimizing-linux/errata.htm

Support:
http://www.openna.com/support/index.htm

RPM Download:
http://www.openna.com/download/index.htm


Acknowledgments
First of all, I would like to thank my younger brother Bruno Mourani for the valuable help he brought by drawing all the networking drafts shown in this book. For your information, he made all the schemas by hand and without any special diagram software. Yes, he is naturally better than I am in many computer areas, but he doesn't take the time to profit from his skill.
A special gratitude and many thanks to Colin Henry, who made tremendous efforts to make this book grammatically and orthographically sound in a professional manner. Gregory A Lundberg and the WU-FTPD Development Group for their help and recommendations on the FTP chapter of this book. Werner Puschitz for his help in the PAM chapter of this book and his recommendations on the SSH software (thanks Werner). OpenNA, who decided to publish my book, and all Linux users around the world who have participated by providing good comments, ideas, recommendations and suggestions (a dedicated section has been made for them at the end of this book).

Part I Installation Related Reference
In this Part
Installation - Introduction
Installation - Installing a Linux Server

This part of the book deals with all the basic knowledge required to properly install a Linux OS, in our case Red Hat Linux, on your system in the most secure and clean manner available.

1 Installation - Introduction
In this Chapter

What is Linux?
Some good reasons to use Linux
Let's dispel some of the fear, uncertainty, and doubt about Linux
Why choose Pristine source?
Compiling software on your system
Build, Install software on your system
Editing files with the vi editor tool
Recommended software to include in each type of server
Some last comments



Introduction

What is Linux?
Linux is an operating system that was first created at the University of Helsinki in Finland by a young student named Linus Torvalds. At the time, the student was working on a UNIX system running on an expensive platform. Because of his low budget and his need to work at home, he decided to create a UNIX-like system that would run on a less expensive platform, such as an IBM PC. He began his work in 1991, when he released version 0.02, and worked steadily until 1994, when version 1.0 of the Linux Kernel was released. The current full-featured version at this time is 2.2.X (released January 25, 1999), and development continues.
The Linux operating system is developed under the GNU General Public License (also known as the GNU GPL) and its source code is freely available to everyone who downloads it via the Internet. The CD-ROM version of Linux is also available in many stores, and the companies that provide it will charge you for the cost of the media and support. Linux may be used for a wide variety of purposes including networking, software development, and as an end-user platform. Linux is often considered an excellent, low-cost alternative to other, more expensive operating systems because you can install it on multiple computers without paying more.

Some good reasons to use Linux
There are no royalty or licensing fees for using Linux, and the source code can be modified to fit your needs. The results can be sold for profit, but the original authors retain copyright and you must provide the source to your modifications.
Because it comes with the source code to the kernel, it is quite portable. Linux runs on more CPUs and platforms than any other computer operating system.
The recent direction of the software and hardware industry is to push consumers to purchase faster computers with more system memory and hard drive storage. Linux systems are not affected by those industries' orientation because of Linux's capacity to run on any kind of computer, even aging i486-based computers with limited amounts of RAM.
Linux is a true multi-tasking operating system, similar to its brother, UNIX. It uses sophisticated, state-of-the-art memory management to control all system processes. That means that if a program crashes you can kill it and continue working with confidence.
Another benefit is that Linux is practically immune to the kinds of viruses that we find on other operating systems. To date we have found only two viruses that were effective on Linux systems.

Let's dispel some of the fear, uncertainty, and doubt about Linux
It's a toy operating system.
Fortune 500 companies, governments, and consumers increasingly use Linux as a cost-effective computing solution. It has been used, and is still used, by big companies like IBM, Amtrak, NASA, and others.

There's no support.
Every Linux distribution comes with more than 12,000 pages of documentation. Commercial Linux distributions such as Red Hat Linux, Caldera, SuSE, Mandrake, Turbo Linux and OpenLinux offer initial support for registered users, and small business and corporate accounts can get 24/7 support through a number of commercial support companies. As an Open Source operating system, there's no six-month wait for a service release, plus the online Linux community fixes many serious bugs within hours.

Why choose Pristine source?
All the programs in Red Hat distributions of Linux are provided as RPM files. An RPM file, also known as a "package", is a way of distributing software so that it can be easily installed, upgraded, queried, and deleted. However, in the Unix world, the de facto standard for package distribution continues to be by way of so-called "tarballs". Tarballs are simply compressed archives that can be read and unpacked with the "tar" utility. Installing from tar is usually significantly more tedious than using RPM. So why would we choose to do so?

1) Unfortunately, it takes a few weeks for developers and helpers to get the latest version of a package converted to RPMs, because many developers first release them as tarballs.

2) When developers and vendors release a new RPM, they include a lot of options that often are not necessary. Those organizations and companies don't know what options you will need and what you will not, so they include the most used ones to fit the needs of everyone.

3) Often RPMs are not optimized for your specific processor; companies like Red Hat Linux build RPMs for a standard PC. This permits their RPM packages to be installed on all sorts of computers, since compiling a program for an i386 machine means it will work on all systems.

4) Sometimes you download and install RPMs that other people around the world have built and made available for you to use. This can cause problems in certain cases, depending on how that individual built the package: errors, security issues, and all the other problems described above.

Compiling software on your system
A program is something a computer can execute. Originally, somebody wrote the "source code" in a programming language he/she could understand (e.g., C, C++). The program "source code" also makes sense to a compiler, which converts the instructions into a binary file suited to whatever processor is wanted (e.g. a 386 or similar). A modern file format for these "executable" programs is ELF. The programmer compiles his source code with the compiler and gets a result of some sort. It's not at all uncommon that early attempts fail to compile, or, having compiled, fail to act as expected. Half of programming is tracking down and fixing these problems (debugging).
For beginners there are more aspects and new terms relating to the compilation of source code that you must know; these include, but are not limited to:

Multiple Files (Linking)
One-file programs are quite rare. Usually there are a number of files (say
*.c
,
*.cpp
, etc) that
are each compiled into object files (
*.o
) and then linked into an executable. The compiler is
usually used to perform the linking and calls the '
ld
' program behind the scenes.

Makefiles
Makefiles are intended to aid you in building your program the same way each time. They also
often help with increasing the speed of a program. The "
make
" program uses "dependencies" in
the Makefile to decide what parts of the program need to be recompiled. If you change one
source file out of fifty you hope to get away with one compile and one link step, instead of starting
from scratch.

Libraries
Programs can be linked not only to object files (
*.o
) but also to libraries that are collections of
object files. There are two forms of linking to libraries: static, where the code goes in the
executable file, and dynamic, where the code is collected when the program starts to run.

Patches
It was common for executable files to be given corrections without recompiling them. Now this
practice has died out; in modern days, people change a small portion of the source code, putting
a change into a file called a "patch". Where different versions of a program are required, small
changes to code can be released this way, saving the trouble of having two large distributions.

Errors in Compilation and Linking
Errors in compilation and linking are often due to typos, omissions, or misuse of the language.
You have to check that the right "include file" is used for the functions you are calling.
Unreferenced symbols are the sign of an incomplete link step. Also check whether the necessary
development libraries (GLIBC) or tools (GCC, DEV86, MAKE, etc) are installed on your system.

Debugging
Debugging is a large topic. It usually helps to have statements in the code that inform you of what
is happening. To avoid drowning in output you might sometimes get them to print out only the first
3 passes in a loop. Checking that variables have passed correctly between modules often helps.
Get familiar with your debugging tools.

Build & install software on your system
You will see in this book that we use many different compile commands to build and install
programs on the server. These commands are UNIX compatible and are used on all variants of
*NIX machines to compile and install software.
The procedure to compile and install software tarballs on your server is as follows:

1. First of all, you must download the tarball from your trusted software archive site. Usually
from the main site of the software you hope to install.

2. After downloading the tarball change to the /var/tmp directory (note that other paths
are possible, at personal discretion) and untar the archive by typing the commands (as
root) as in the following example:

[root@deep /]# tar xzpf foo.tar.gz

The above command will extract all files from the example foo.tar.gz compressed archive and
will create a new directory with the name of the software in the path where you executed the
command.

The "x" option tells tar to extract all files from the archive.
The "z" option tells tar that the archive is compressed with the gzip utility.
The "p" option maintains the original permissions the files had when the archive was created.
The "f" option tells tar that the very next argument is the file name.
Once the tarball has been decompressed into the appropriate directory, you will almost certainly
find a "
README
" and/or an "
INSTALL
" file included with the newly decompressed files, with further
instructions on how to prepare the software package for use. Likely, you will need to enter
commands similar to the following example:

./configure
make
make install

The above commands: ./configure will configure the software to ensure your system has the
necessary libraries to successfully compile the package, and make will compile all the source
files into executable binaries. Finally, make install will install the binaries and any supporting
files into the appropriate locations. Other specific commands that you'll see in this book for the
compilation and installation procedure are:

make depend
strip
chown

The make depend command will build and make the necessary dependencies for different files.
The strip command will discard all symbols from the object files. This means that our binary file
will be smaller in size. This will improve the performance of the program, since there will be less
for the system to read when it executes the binary. The chown command will set the correct
file owner and group permissions for the binaries. More commands will be explained in the
concerned installation sections.
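The procedure above, as an added shell example that is not code from the book: since tar xzpf run as root keeps whatever permissions (setuid bits included) the archive carries, the script lists the tarball and refuses anything suspicious before extracting, then runs the usual ./configure, make and make install steps. The sample project and archives are constructed inline; check_tarball, build_from_tarball and make_sample_tarball are names assumed here.

```shell
#!/bin/sh
# Added example, not code from the book: inspect a source tarball before
# extracting it as root, then run the ./configure, make, make install steps.
# Assumes GNU tar or bsdtar and a POSIX shell; the sample project and the
# archives are constructed inline so the script runs offline.
set -eu

# check_tarball ARCHIVE
# Succeeds only if no entry would land outside the extraction directory and
# no entry carries a setuid/setgid bit (tar xzpf preserves such bits).
check_tarball() {
    archive=$1
    # -P shows member names exactly as stored instead of silently cleaning them.
    if tar tzPf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing $archive: entry with absolute or parent path" >&2
        return 1
    fi
    # Column 1 of the verbose listing is the mode string, e.g. -rwsr-xr-x.
    if tar tvzPf "$archive" | awk '{ print $1 }' | grep -Eq '^.{3}[sS]|^.{6}[sS]'; then
        echo "refusing $archive: entry with setuid/setgid bit" >&2
        return 1
    fi
    return 0
}

# build_from_tarball ARCHIVE PREFIX
# Extracts into a fresh work directory, then configures, builds and installs
# under PREFIX.  Prints the prefix on success.
build_from_tarball() {
    archive=$1; prefix=$2
    check_tarball "$archive" || return 1
    work=$(mktemp -d)
    tar xzpf "$archive" -C "$work"
    # The archive creates one top-level directory named after the software.
    top=$(tar tzf "$archive" | head -n 1 | cut -d/ -f1)
    (cd "$work/$top" &&
     ./configure --prefix="$prefix" >/dev/null &&
     make >/dev/null &&
     make install >/dev/null) || return 1
    rm -rf "$work"
    echo "$prefix"
}

# make_sample_tarball DIR
# Constructs foo-1.0.tar.gz, a tiny project with a configure script and a
# Makefile, plus bad-setuid.tar.gz, the same project with a setuid binary.
make_sample_tarball() {
    dir=$1
    mkdir -p "$dir/foo-1.0"
    cat > "$dir/foo-1.0/configure" <<'EOF'
#!/bin/sh
prefix=/usr/local
for arg in "$@"; do
    case $arg in --prefix=*) prefix=${arg#--prefix=} ;; esac
done
printf 'PREFIX=%s\n' "$prefix" > Makefile
cat Makefile.in >> Makefile
EOF
    chmod 755 "$dir/foo-1.0/configure"
    # Makefile recipes must start with a tab, hence printf rather than a heredoc.
    printf 'all: foo\nfoo: foo.sh\n\tcp foo.sh foo && chmod 755 foo\n' > "$dir/foo-1.0/Makefile.in"
    printf 'install: all\n\tmkdir -p $(PREFIX)/bin && cp foo $(PREFIX)/bin/foo\n' >> "$dir/foo-1.0/Makefile.in"
    printf '#!/bin/sh\necho foo 1.0\n' > "$dir/foo-1.0/foo.sh"
    (cd "$dir" && tar czf foo-1.0.tar.gz foo-1.0)
    chmod 4755 "$dir/foo-1.0/foo.sh"
    (cd "$dir" && tar czf bad-setuid.tar.gz foo-1.0)
    chmod 644 "$dir/foo-1.0/foo.sh"
}

# Usage, run directly with the argument "demo": build the good sample and
# show the bad one being refused.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_tarball "$d"
    build_from_tarball "$d/foo-1.0.tar.gz" "$d/prefix"
    build_from_tarball "$d/bad-setuid.tar.gz" "$d/prefix2" || echo "bad archive rejected"
    rm -rf "$d"
fi
```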

Editing files with the vi editor tool
The vi program is a text editor that you can use to edit any text and particularly programs. During
installation of software, the user will often have to edit text files, like Makefiles or configuration
files. The following are some of the more important keystroke commands to get around in vi. I
decided to introduce the vi commands now since it is necessary to use vi throughout this book.

Command                             Result
=====================================================================
i ---------------------------------  Notifies vi to insert text before the cursor
a ---------------------------------  Notifies vi to append text after the cursor
dd --------------------------------  Notifies vi to delete the current line
x ---------------------------------  Notifies vi to delete the current character
Esc -------------------------------  Notifies vi to end the insert or append mode
u ---------------------------------  Notifies vi to undo the last command
Ctrl+f ----------------------------  Scroll forward one page
Ctrl+b ----------------------------  Scroll backward one page
/string ---------------------------  Search forward for string
:f --------------------------------  Display filename and current line number
:q --------------------------------  Quit editor
:q! -------------------------------  Quit editor without saving changes
:wq -------------------------------  Save changes and exit editor
=====================================================================

Recommended software to include in each type of servers
If you buy binaries, you will not get any equity and ownership of source code. Source code is a
very valuable asset and binaries have no value. Buying software may become a thing of the past.
You only need to buy good hardware; it is worth spending money on the hardware and get the
software from Internet. Important point, is that it is the computer hardware that is doing the bulk of
the job. Hardware is the real workhorse and software is just driving it. It is for this reason that we
believe in working with and using the Open source software. Much of the software and services
that come with Linux are open source and allow the user to use and modify them in an
undiscriminating way according to the General Public License.
Linux has quickly become the most practical and user-friendly platform for e-business -- and with
good reason. Linux offers users stability, functionality and value that rivals any platform in the
industry. Millions of users worldwide have chosen Linux for applications, from web and email
servers to departmental and enterprise vertical application servers. To respond to your needs and
to let you know how you can share services between systems I have developed ten different
types of servers, which cover the majority of servers' functions and enterprise demands.
Often companies try to centralize many services into one server to save money; it is well known
and often seen that there are conflicts between the technical departments and purchasing agents
of companies about investment and expenditure when it comes to buying new equipment. When
we consider security and optimization, it is of the utmost importance not to run too many services
on one server; it is highly recommended to distribute tasks and services between multiple
systems. The tables below show you which software and services we recommend for each type
of Linux server.
The following conventions will explain the interpretation of these tables:

* Optional Components: components that may be included to improve the features of the server or
to fit special requirements.

* Security Software Required: what we consider as minimum security software to have installed on
the server to improve security.

* Security Software Recommended: what we recommend for the optimal security of the servers.

Mail Server
  Sendmail or qmail (SMTP Server)
  BIND/DNS (Caching)
  IPTABLES Firewall
  ----------
  IMAP/POP only for Sendmail
  Optional Components: none
  Security Software Required: Secure Linux Kernel Patches, OpenSSL Encryption Software,
    OpenSSH (Server), Tripwire Integrity Tool
  Security Software Recommended: GnuPG, sXid, Logcheck, PortSentry, Quota

Web Server
  Apache (Web Server)
  qmail (Standalone)
  BIND/DNS (Caching)
  IPTABLES Firewall
  Optional Components: Mod_PHP4 Capability, Mod_SSL Capability, Mod-Perl Capability,
    MM Capability, Webmail Capability
  Security Software Required: Secure Linux Kernel Patches, OpenSSL Encryption Software,
    OpenSSH (Server), Tripwire Integrity Tool
  Security Software Recommended: GnuPG, sXid, Logcheck, PortSentry, Quota

Gateway Server
  BIND/DNS (Caching)
  qmail (Standalone)
  IPTABLES Firewall
  ----------
  Squid Proxy (Server)
  Optional Components: none
  Security Software Required: Secure Linux Kernel Patches, OpenSSL Encryption Software,
    OpenSSH (Client & Server), Tripwire Integrity Tool
  Security Software Recommended: GnuPG, sXid, Logcheck, PortSentry

FTP Server
  Wu-FTPD (Server)
  qmail (Standalone)
  BIND/DNS (Caching)
  IPTABLES Firewall
  Optional Components: Anonymous FTP (Server)
  Security Software Required: Secure Linux Kernel Patches, OpenSSL Encryption Software,
    OpenSSH (Server), Tripwire Integrity Tool
  Security Software Recommended: GnuPG, sXid, Logcheck, PortSentry, Quota

Domain Name Server
  Primary BIND/DNS (Server)
  qmail (Standalone)
  IPTABLES Firewall
  ----------
  Secondary BIND/DNS (Server)
  Optional Components: none
  Security Software Required: Secure Linux Kernel Patches, OpenSSL Encryption Software,
    OpenSSH (Server), Tripwire Integrity Tool
  Security Software Recommended: GnuPG, sXid, Logcheck, PortSentry

File Sharing Server
  Samba LAN (Server)
  qmail (Standalone)
  BIND/DNS (Caching)
  IPTABLES Firewall
  Optional Components: none
  Security Software Required: Secure Linux Kernel Patches, OpenSSL Encryption Software,
    OpenSSH (Server), Tripwire Integrity Tool
  Security Software Recommended: GnuPG, sXid, Logcheck, PortSentry

Database Server
  PostgreSQL (Client & Server)
  qmail (Standalone)
  BIND/DNS (Caching)
  IPTABLES Firewall
  ----------
  MySQL (Client & Server)
  ----------
  OpenLDAP (Client & Servers)
  Optional Components: none
  Security Software Required: Secure Linux Kernel Patches, OpenSSL Encryption Software,
    OpenSSH (Server), Tripwire Integrity Tool
  Security Software Recommended: GnuPG, sXid, Logcheck, PortSentry

Backup Server
  Amanda (Server)
  qmail (Standalone)
  BIND/DNS (Caching)
  Dump Utility
  IPTABLES Firewall
  Optional Components: none
  Security Software Required: Secure Linux Kernel Patches, OpenSSL Encryption Software,
    OpenSSH (Client & Server), Tripwire Integrity Tool
  Security Software Recommended: GnuPG, sXid, Logcheck, PortSentry

VPN Server
  FreeS/WAN VPN (Server)
  qmail (Standalone)
  BIND/DNS (Caching)
  IPTABLES Firewall
  Optional Components: none
  Security Software Required: Secure Linux Kernel Patches, OpenSSL Encryption Software,
    OpenSSH (Server), Tripwire Integrity Tool
  Security Software Recommended: GnuPG, sXid, Logcheck, PortSentry


Some last comments
Before reading the rest of the book, it should be noted that the text assumes that certain files are
placed in certain directories. Where they have been specified, the conventions we adopt here for
locating these files are those of the Red Hat Linux distribution. If you are using a different
distribution of Linux or some other operating system that chooses to distribute these files in a
different way, you should be careful when copying examples directly from the text.
It is important to note that all software listed from Part IV through Part IX of the book is required if
you want to run a fully operational and secure Linux system. Without them, you will have one that
is not as secure as you expect it to be. Therefore I highly recommend you read at least Part IV
through Part IX before going into the specific services you may want to install on your server.

Page 26

Linux Installation 0
CHAPTER 2

26
2 Installation - Installing a Linux Server
In this Chapter

Know your Hardware!
Creating the Linux Boot Disk
Beginning the installation of Linux
Installation Class and Method (Install Options)
Partition your system for Linux
Disk Partition (Manual Partitioning)
Selecting Package Groups
How to use RPM Commands
Starting and stopping daemon services
Software that must be uninstalled after installation of the server
Remove unnecessary documentation files
Remove unnecessary/empty files and directories
Software that must be installed after installation of the server
Verifying installed programs on your Server
Update of the latest software





Linux Installation


Abstract
We have prepared and structured this chapter in a manner that follows the original installation of
the Red Hat Linux operating system from CD-ROM. Each section below refers to, and will guide
you through, the different screens that appear during the setup of your system after booting from
the Red Hat boot diskette. It will help to have the machine you want to install Linux on ready and
near you when you follow the steps described below.
You will see that during the beginning of the installation of Linux, there are many options,
parameters, and hacks that you can set before the system logs in for the first time.

Know your Hardware!
Understanding the hardware of your computer is essential for a successful installation of Linux.
Therefore, you should take a moment and familiarize yourself with your computer hardware. Be
prepared to answer the following questions:
1. How many hard drives do you have?
2. What size is each hard drive (eg, 15GB)?
3. If you have more than one hard drive, which is the primary one?
4. What kind of hard drive do you have (eg, IDE ATA/66, SCSI)?
5. How much RAM do you have (eg, 256MB RAM)?
6. Do you have a SCSI adapter? If so, who made it and what model is it?
7. Do you have a RAID system? If so, who made it and what model is it?
8. What type of mouse do you have (eg, PS/2, Microsoft, Logitech)?
9. How many buttons does your mouse have (2/3)?
10. If you have a serial mouse, what COM port is it connected to (eg, COM1)?
11. What is the make and model of your video card? How much video RAM do you have (eg, 8MB)?
12. What kind of monitor do you have (make and model)?
13. Will you be connected to a network? If so, what will be the following:
a. Your IP address?
b. Your netmask?
c. Your gateway address?
d. Your domain name server's IP address?
e. Your domain name?
f. Your hostname?
g. Your types of network card(s) (makes and models)?
h. Your number of card(s) (makes and models)?

Creating the Linux Boot Disk
The first thing to do is to create an installation diskette, also known as a boot disk. If you have
purchased the official Red Hat Linux CD-ROM, you will find a floppy disk named "Boot Diskette"
in the Red Hat Linux box so you don't need to create it.
Sometimes, you may find that the installation will fail using the standard diskette image that
comes with the official Red Hat Linux CD-ROM. If this happens, a revised diskette is required in
order for the installation to work properly. In these cases, special images are available via the
Red Hat Linux Errata web page to solve the problem (http://www.redhat.com/errata).

Since this is a relatively rare occurrence, you will save time if you try to use the standard diskette
images first, and then review the Errata only if you experience any problems completing the
installation. Below, we will show you two methods to create the installation boot disk: the first
method uses an existing Microsoft Windows computer and the second an existing Linux
computer.

Making a Diskette Under MS-DOS
Before you make the boot disk, insert the Official Red Hat Linux CD-ROM Disk 1 in your
computer that runs the Windows operating system. When the program asks for the filename,
enter boot.img for the boot disk. To make the floppies under MS-DOS, you need to use these
commands (assuming your CD-ROM is drive D: and contains the Official Red Hat Linux CD-ROM).

*
Open the Command Prompt under Windows: Start | Programs | Command Prompt
C:\> d:

D:\> cd \dosutils

D:\dosutils> rawrite

Enter disk image source file name: ..\images\boot.img

Enter target diskette drive: a:

Please insert a formatted diskette into drive A: and press -ENTER- :
D:\dosutils>

The rawrite.exe program asks for the filename of the disk image: Enter boot.img and insert
a blank floppy into drive A. It will then ask for a disk to write to: Enter a:, and when complete,
label the disk "Red Hat boot disk", for example.

Making a Diskette Under a Linux-Like OS
To make a diskette under Linux or any other variant of Linux-like operating system, you must
have permission to write to the device representing the floppy drive (known as /dev/fd0H1440
under Linux).
This permission is granted when you log in to the system as the super-user "root". Once you have
logged in as "root", insert a blank formatted diskette into the diskette drive of your computer without
issuing a mount command on it. Now it's time to mount the Red Hat Linux CD-ROM on Linux and
change to the directory containing the desired image file to create the boot disk.

*
Insert a blank formatted diskette into the diskette drive
Insert the Red Hat Linux CD Part 1 into the CD-ROM drive
[root@deep /]# mount /dev/cdrom /mnt/cdrom

[root@deep /]# cd /mnt/cdrom/images/

[root@deep images]# dd if=boot.img of=/dev/fd0H1440 bs=1440k
1+0 records in
1+0 records out
[root@deep images]# cd /

[root@deep /]# umount /mnt/cdrom

Don't forget to label the diskette "Red Hat boot disk", for example.

Beginning the installation of Linux
Now that we have made the boot disk, it is time to begin the installation of Linux. Since we'll start
the installation directly off the CD-ROM, boot with the boot disk. Insert the boot diskette you
created into drive A: on the computer where you want to install Linux and reboot the computer.
At the boot: prompt, press Enter to continue booting and follow the three simple steps below:
Step 1
The first step is to choose what language should be used during the installation process. In our
example we choose the English language.


Step 2
After that, the system allows you to choose your keyboard type, layout type for the keyboard, and
the possibility to enable or disable Dead Keys.



Step 3
Finally, we choose the kind of mouse type we use and if this mouse has two or three buttons. If
you have a mouse with just two buttons, you can select the option named "Emulate 3 Buttons"
and click both mouse buttons at the same time to act as the middle mouse button.


Once we have completed the above three steps, we are ready to begin the installation of Red Hat
Linux.

Installation Class and Method (Install Options)
Red Hat Linux 7.1 includes four different classes, or types, of installation. They are:

* Workstation
* Server System
* Laptop
* Custom System

The first two classes (Workstation and Server System) give you the option of simplifying the
installation process, at the cost of a significant loss of configuration flexibility that we don't want
to lose. For this reason we highly recommend you select the "Custom System" installation. Only
the custom-class installation gives us complete flexibility. During the custom-class installation, it is
up to you how disk space should be partitioned. We also have complete control over the different
RPM packages that will be installed on the system.
The idea is to load the minimum amount of packages, while maintaining maximum efficiency. The
less software that resides on the machine, the fewer potential security exploits or holes may
appear.
From the menu that appears on your screen, select the "Custom System" installation class and
click Next.



Partition your system for Linux
The system will show you a new screen from where you can choose the tool you would like to
use to partition the disks for Linux.


From here we have two choices, but before we explain each one, it is important to understand
partition strategy first.
We assume that you are installing the new Linux server on a new hard drive, with no other
existing file system or operating system installed. A good partition strategy is to create a separate
partition for each major file system. This enhances security and prevents accidental denial of
service or exploitation of SUID programs.
Creating multiple partitions offers you the following advantages:

* Protection against denial of service attacks.
* Protection against SUID programs.
* Faster booting.
* Easy backup and upgrade management.
* Ability for better control of mounted file systems.
* Limit each file system's ability to grow.
* Improve performance of some programs with special setup.

WARNING:
If a previous file system or operating system exists on the hard drive and computer
where you want to install your Linux system, we highly recommend that you make a backup of
your current system before proceeding with the disk partitioning.


Partitions Strategy

For performance, stability and security reasons you must create something like the partitions
listed below on your computer. This partition configuration assumes that you have a SCSI hard
drive of 9.1 GB with 256 MB of physical RAM. Of course you will need to adjust the partition
sizes and swap space according to your own needs and disk size.

Minimal recommended partitions that must be created on your system:
This is the minimum number of partitions we recommend creating, whatever you want to set the
system up for: a Web Server, Mail Server, Gateway or something else.

/boot      5 MB       All kernel images are kept here.
(swap)     512 MB     Our swap partition, the virtual memory of the Linux operating system.
/          256 MB     Our root partition.
/usr       512 MB     Must be large, since many Linux binary programs are installed here.
/home      5700 MB    Proportional to the number of users you intend to host
                      (i.e. 100 MB per user * the number of users 57 = 5700 MB).
/var       256 MB     Contains files that change when the system runs normally (i.e. log files).
/tmp       329 MB     Our temporary files partition (must always reside on its own partition).

Additional or optional partitions that can be created on your system:
Depending on what services the Linux system will be assigned to serve or the specific software
requirements, there can be some special partitions you can add to the minimum partitions we
recommend. You can create as many partitions as you want to fit your needs. What we show you
below are partitions related to programs we describe in the book.

/chroot    256 MB     If you want to install programs in a chroot jail environment (i.e. DNS, Apache).
/var/lib   1000 MB    Partition to handle SQL or proxy database server files (i.e. MySQL, Squid).

All major file systems are on separate partitions

As you can see, there are two partitions which are less common than the others. Let's explain
each of them in more detail:

The /chroot partition can be used for a chrooted DNS server, a chrooted Apache web server and
other chrooted programs in the future. The chroot() command is a Unix system call that is often
used to provide an additional layer of security when untrusted programs are run. The kernel on
Unix variants which support chroot() maintains a note of the root directory each process on the
system has. Generally this is /, but the chroot() system call can change this. When chroot() is
successfully called, the calling process has its idea of the root directory changed to the directory
given as the argument to chroot().
The /var/lib partition can be used to handle SQL or Squid proxy database files on the Linux
server. This partition can be useful to limit accidental denial of service attacks and to improve the
performance of the program by tuning the /var/lib file system.
Putting /tmp and /home on separate partitions is pretty much mandatory if users have shell
access to the server (protection against SUID programs); splitting these off into separate
partitions also prevents users from filling up any critical file system (denial of service attack).
Putting /var and /usr on separate partitions is also a very good idea. By isolating the /var
partition, you protect your root partition from overfilling (denial of service attack).
In our partition configuration we'll reserve 256 MB of disk space for chrooted programs like
Apache, DNS and other software. This is necessary because the Apache DocumentRoot files and
other binaries and programs related to it will be installed in this partition if you decide to run the
Apache web server in a chrooted jail. Note that the size of the Apache chrooted directory on the
chrooted partition is proportional to the size of your DocumentRoot files or number of users.
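The protection against SUID programs that separate /tmp and /home partitions give depends on those partitions being mounted with the nosuid (and nodev) options; as an added example that is not from the book, the following shell functions check an /etc/fstab for that and print a hardened copy. The sample fstab is constructed inline following the partition layout above; the names audit_fstab, harden_fstab and write_sample_fstab are assumed here.

```shell
#!/bin/sh
# Added example (not from the book): audit /etc/fstab for the /tmp and /home
# partitions the text recommends, and emit a copy with nosuid,nodev added.
# Assumes a POSIX shell and awk; the sample fstab is constructed inline.
set -eu

# audit_fstab FILE
# Prints one line per problem: "<mount> missing" when the directory is not a
# mount point of its own, "<mount> <option>" when a required option is absent.
audit_fstab() {
    awk '
        BEGIN { want["/tmp"] = 1; want["/home"] = 1 }
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        ($2 in want) {
            seen[$2] = 1
            split("", have)                         # reset the option set per entry
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            if (!("nosuid" in have)) print $2, "nosuid"
            if (!("nodev" in have))  print $2, "nodev"
        }
        END { for (m in want) if (!(m in seen)) print m, "missing" }
    ' "$1" | sort
}

# harden_fstab FILE
# Writes FILE to stdout with nosuid,nodev appended to the /tmp and /home
# entries; every other line passes through unchanged.
harden_fstab() {
    awk '
        BEGIN { want["/tmp"] = 1; want["/home"] = 1 }
        !/^[[:space:]]*#/ && NF > 0 && ($2 in want) {
            if ($4 !~ /(^|,)nosuid(,|$)/) $4 = $4 ",nosuid"
            if ($4 !~ /(^|,)nodev(,|$)/)  $4 = $4 ",nodev"
        }
        { print }
    ' "$1"
}

# write_sample_fstab FILE
# Constructed sample following the partition layout in the text: /home has
# only "defaults" and /tmp lacks nodev, so both are reported by audit_fstab.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system's fstab
/dev/sda1   /boot      ext2   defaults          1 2
/dev/sda2   swap       swap   defaults          0 0
/dev/sda3   /          ext2   defaults          1 1
/dev/sda5   /usr       ext2   defaults          1 2
/dev/sda6   /home      ext2   defaults          1 2
/dev/sda7   /chroot    ext2   defaults          1 2
/dev/sda8   /var       ext2   defaults          1 2
/dev/sda9   /var/lib   ext2   defaults          1 2
/dev/sda10  /tmp       ext2   defaults,nosuid   1 2
EOF
}

# Usage, run directly with the argument "demo": audit the sample, then show
# the hardened version.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_fstab "$f"
    echo "findings:"; audit_fstab "$f"
    echo "hardened:"; harden_fstab "$f"
    rm -f "$f"
fi
```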

Swap related issues:
Swap relates to virtual RAM on the system. This special device is needed when you run out of
physical RAM because you don't have enough MB of RAM available or your applications require
more than what is available on your computer. It is not true that swap space is needed on every
system, but to ensure that you do not run out of memory, it is recommended to create a swap
partition on the server.
The 2.4 kernel of Linux is more aggressive than the 2.2 kernels in its use of swap space and the
optimal sizing of swap space remains dependent on the following:

1. The amount of RAM installed
2. The amount of disk space available for swap
3. The applications being run
4. The mix of applications that are run concurrently
No rule-of-thumb can possibly take all these data points into account. However, we recommend
the following swap sizes:

*
Single-user systems with less than 128MB physical RAM: 256MB

*
Single-user systems and low-end servers with more than 128MB physical RAM: two
times physical RAM (2xRAM)

*
Dedicated servers with more than 512MB physical RAM: highly dependent on
environment and must be determined on a case-by-case basis.


Minimum size of partitions for very old hard disk:
For information purposes only, this is the minimum size in megabytes, which a Linux installation
must have to function properly. The sizes of partitions listed below are really small. This
configuration can fit into a very old hard disk of 512MB in size that you might find in old i486
computers. We show you this partition just to get an idea of the minimum requirements.

/         35MB
/boot     5MB
/chroot   10MB
/home     100MB
/tmp      30MB
/usr      232MB
/var      25MB

WARNING:
Trying to compile programs on a 512 MB hard drive will fail due to the lack of
available space on this kind of hard disk. Instead, install RPM packages.

Disk Partition (Manual Partitioning)
Now that we know exactly what partitions we need to create for our new Linux server, it is time to
choose the partitioning software we will use to make these partitions on the server. With Red Hat
Linux two programs exist to assist you during this step. During setup, the installation will give you
two choices, which are:

* Manually partition with Disk Druid
* Manually partition with fdisk [experts only]

Disk Druid is the new software used by default in Red Hat Linux to partition your disk drive.
This is an easy to use program, which allows you to work through a graphical interface to create
your partition tables.

fdisk was the first partitioning program available on Linux. It is more powerful than Disk
Druid and allows you to create your partition table in exactly the way you want it (if you want to
put your swap partition near the beginning of your drive, then you will need to use fdisk).
Unfortunately, it is also a little more complicated than Disk Druid and many Linux users prefer
to use Disk Druid for this reason.
Personally, I prefer to create the required partitions with the fdisk program and I recommend
you use and be familiar with it, because if in future you want to add or change some file systems
you will need to use fdisk.

Partitioning with Disk Druid

This section applies only if you chose to use Disk Druid to partition your system.

Disk Druid is a program that partitions your hard drive for you. Choose "Add" to add a new
partition, "Edit" to edit a partition, "Delete" to delete a partition and "Reset" to reset the
partitions to the original state. When you add a new partition, a new window appears on your
screen and gives you parameters to choose.
Different parameters are:
Mount Point: for where you want to mount your new partition in the filesystem.
Size (Megs): for the size of your new partition in megabytes.
Partition Type: Linux native for Linux filesystem and Swap for Linux Swap Partition.


If you have a SCSI disk, the device name will be /dev/sda and if you have an IDE disk it will be
/dev/hda. If you're looking for high performance and stability, a SCSI disk is highly
recommended.
Linux refers to disk partitions using a combination of letters and numbers. It uses a naming
scheme that is more flexible and conveys more information than the approach used by other
operating systems.
Here is a summary:
First Two Letters: The first two letters of the partition name indicate the type of device on which the
partition resides. You'll normally see either hd (for IDE disks), or sd (for SCSI disks).
The Next Letter: This letter indicates which device the partition is on. For example: /dev/hda
(the first IDE hard disk) and /dev/hdb (the second IDE disk), etc.
Keep this information in mind; it will make things easier to understand when you're setting up the
partitions Linux requires.

Now, as an example:
To make the partitions listed below on your system (these are the partitions we'll need for our
server installation example), the commands below are for Disk Druid:
Step 1
Execute all of the following commands with Disk Druid to create the required partitions.

Add
  Mount Point: /boot        <- our /boot directory (all kernel images are kept here).
  Size (Megs): 5
  Partition Type: Linux Native
Ok

Add
  Mount Point:              <- our swap partition (leave the Mount Point blank).
  Size (Megs): 512
  Partition Type: Linux Swap
Ok

Add
  Mount Point: /            <- our / directory (the root partition).
  Size (Megs): 256
  Partition Type: Linux Native
Ok

Add
  Mount Point: /usr         <- our /usr directory (many Linux binary programs are installed here).
  Size (Megs): 512
  Partition Type: Linux Native
Ok

Add
  Mount Point: /home        <- our /home directory (where users' files & directories reside).
  Size (Megs): 5700
  Partition Type: Linux Native
Ok

Add
  Mount Point: /chroot      <- our /chroot directory (for programs installed in a chroot jail environment).
  Size (Megs): 256
  Partition Type: Linux Native
Ok

Add
  Mount Point: /var         <- our /var directory (files that change when the system runs are kept here).
  Size (Megs): 256
  Partition Type: Linux Native
Ok

Add
  Mount Point: /var/lib     <- our /var/lib directory (special partition to handle SQL or proxy database files).
  Size (Megs): 1000
  Partition Type: Linux Native
Ok

Add
  Mount Point: /tmp         <- our /tmp directory (partition for temporary files on the system).
  Size (Megs): 227
  Partition Type: Linux Native
Ok



Step 2
After you have executed the above commands to create and partition your drive with Disk
Druid, press the Next button and continue the installation to choose partitions to format.


Partitioning with fdisk

This section applies only if you chose to use fdisk to partition your system.
The first thing you will want to do is to use the p key to check the current partition information.
You need to first add your root partition. Use the n key to create a new partition and then select
either the e or p key for an extended or primary partition.
Most likely you will want to create a primary partition. You are asked what partition number should
be assigned to it, at which cylinder the partition should start (you will be given a range; just
choose the lowest number (1)), and the size of the partition. For example, for a 5MB partition,
you would enter +5M for the size when asked.
Next, you need to add your extended partition. Use the n key to create a new partition and then
select the e key for an extended partition. You are asked what partition number should be assigned
to it, at which cylinder the partition should start (you will be given a range; just choose the
lowest number (2)), and the size of the partition. You would enter the last number for the size
when asked (or just press Enter).
You will now want to create the swap partition. You need to use the n key for a new partition.
Choose logical; tell it where the first cylinder should be (2). Tell fdisk how big you want your
swap partition. You then need to change the partition type to Linux swap. Enter the t key to
change the type and enter the partition number of your swap partition. Enter the number 82 for
the hex code for the Linux swap partition.
Now that you have created your Linux boot and Linux swap partitions, it is time to add any
additional partitions you might need. Use the n key again to create a new partition, and enter all
the information just as before. Keep repeating this procedure until all your partitions are created.
You can create up to four primary partitions; then you must start putting extended partitions into
each primary partition.

NOTE:
None of the changes you make take effect until you save them and exit fdisk using the w
command. You may quit fdisk at any time without saving changes by using the q command.

An overview of fdisk

* The command for help is m
* To list the current partition table, use p
* To add a new partition, use n
* To delete a partition, use d
* To set or change the partition type, use t
* To provide a listing of the different partition types and their ID numbers, use l
* To save your information and quit fdisk, use w



Now, as an example:

To make the partitions listed below on your system (these are the partitions we'll need for our server installation example), the commands below are for fdisk:

Step 1
Execute all of the following commands with fdisk to create the required partitions.

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1116, default 1): 1
Last cylinder or +size or +sizeM or +sizeK (1-1116, default 1116): +5M        <- our /boot directory.

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (2-1116, default 2): 2
Last cylinder or +size or +sizeM or +sizeK (2-1116, default 1116): 1116       <- our extended partition.

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (2-1116, default 2): 2
Last cylinder or +size or +sizeM or +sizeK (2-1116, default 1116): +512M      <- our Swap partition.

Command (m for help): t
Partition number (1-5): 5                                                     <- this is our Swap partition number in this example.
Hex code (type L to list codes): 82
Changed system type of partition 5 to 82 (Linux swap)

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (68-1116, default 68): 68
Last cylinder or +size or +sizeM or +sizeK (68-1116, default 1116): +256M     <- our / directory.

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (101-1116, default 101): 101
Last cylinder or +size or +sizeM or +sizeK (101-1116, default 1116): +512M    <- our /usr directory.

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (167-1116, default 167): 167
Last cylinder or +size or +sizeM or +sizeK (167-1116, default 1116): +5700M   <- our /home directory.

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (894-1116, default 894): 894
Last cylinder or +size or +sizeM or +sizeK (894-1116, default 1116): +256M    <- our /chroot directory.

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (927-1116, default 927): 927
Last cylinder or +size or +sizeM or +sizeK (927-1116, default 1116): +256M    <- our /var directory.

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (960-1116, default 960): 960
Last cylinder or +size or +sizeM or +sizeK (960-1116, default 1116): +1000M   <- our /var/lib directory.

Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (1088-1116, default 1088): 1088
Last cylinder or +size or +sizeM or +sizeK (1088-1116, default 1116): 1116    <- our /tmp directory.
Step 2
Now, use the p command to list the partitions that we've created; you should see something like the following information on your screen.

Command (m for help): p

Disk /tmp/sda: 255 heads, 63 sectors, 1116 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/tmp/sda1             1         1      8001   83  Linux
/tmp/sda2             2      1116  8956237+    5  Extended
/tmp/sda5             2        67   530113+   82  Linux swap
/tmp/sda6            68       100    265041   83  Linux
/tmp/sda7           101       166   530113+   83  Linux
/tmp/sda8           167       893   5839596   83  Linux
/tmp/sda9           894       926    265041   83  Linux
/tmp/sda10          927       959    265041   83  Linux
/tmp/sda11          960      1087  1028128+   83  Linux
/tmp/sda12         1088      1116    232911   83  Linux
Step 3
If all the partitions look fine and meet your requirements, use the w command to write the table to disk and exit the fdisk program:

Command (m for help): w
The partition table has been altered

Step 4
After you have partitioned your drive with fdisk, press Next and continue the installation with Disk Druid to choose the mount points of the directories. Disk Druid contains a list of all disk partitions with filesystems readable by Linux. This gives you the opportunity to assign these partitions to different parts of your Linux system when it boots. Select the partition you wish to assign and press Enter; then enter the mount point for that partition, e.g., /var.



Step 5
After the mount points for the directories have been completed, you should see something like the following on your screen. Our mount points look like this:

Disk Druid

Partitions
Mount Point      Device    Requested    Actual    Type
/boot            sda1             7M        7M    Linux Native
                 sda5           517M      517M    Linux Swap
/                sda6           258M      258M    Linux Native
/usr             sda7           517M      517M    Linux Native
/home            sda8          5702M     5702M    Linux Native
/chroot          sda9           258M      258M    Linux Native
/var             sda10          258M      258M    Linux Native
/var/lib         sda11         1004M     1004M    Linux Native
/tmp             sda12          227M      227M    Linux Native

Drive Summary
Drive    Geom [C/H/S]      Total (M)    Free (M)    Used (M)    Used (%)
sda      [1116/255/63]         8754M          1M       8753M         99%
Step 6
Now that you have partitioned and chosen the mount points of your directories, select Next to
continue. After your partitions are created, the installation program will ask you to choose which
partitions to format. Choose the partitions, check the (Check for bad blocks while formatting)
box, and press Next again. This formats the partitions and makes them active so Linux can use
them.

NOTE:
Checking for bad blocks can help prevent data loss by finding the bad blocks on a drive
and making a list of them to prevent data from being written to them in the future.
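As an added example that is not part of the book, the following POSIX shell script reconciles the fdisk listing from Step 2 with the Disk Druid table from Step 5: it converts each partition's cylinder range into the whole-megabyte figure Disk Druid shows (cylinders x 16065 x 512 bytes, divided by 1048576) and flags overlapping ranges or a missing swap partition before you commit the table with w. The listing is embedded as a constructed copy of the one printed above; on a live system you would feed it the output of fdisk's p command instead.

```shell
#!/bin/sh
# Constructed sample: a copy of the "p" listing from the text, embedded so the script runs offline.
FDISK_P='Disk /tmp/sda: 255 heads, 63 sectors, 1116 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/tmp/sda1             1         1      8001   83  Linux
/tmp/sda2             2      1116  8956237+    5  Extended
/tmp/sda5             2        67   530113+   82  Linux swap
/tmp/sda6            68       100    265041   83  Linux
/tmp/sda7           101       166   530113+   83  Linux
/tmp/sda8           167       893   5839596   83  Linux
/tmp/sda9           894       926    265041   83  Linux
/tmp/sda10          927       959    265041   83  Linux
/tmp/sda11          960      1087  1028128+   83  Linux
/tmp/sda12         1088      1116    232911   83  Linux'

# partition_mb LISTING DEVICE
# Prints the size of DEVICE in whole megabytes, derived from its cylinder range and the
# "Units = cylinders of N * 512 bytes" line; this is the figure Disk Druid reports as Requested.
partition_mb() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        /^Units = cylinders of/ { bytes_per_cyl = $5 * $7 }
        $1 == dev {
            o = ($2 == "*") ? 1 : 0            # a "*" in the Boot column shifts the fields right
            printf "%d\n", ($(3+o) - $(2+o) + 1) * bytes_per_cyl / 1048576
            exit
        }'
}

# layout_problems LISTING
# Prints one line per problem found (overlapping partitions, no Linux swap); prints nothing if clean.
layout_problems() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\/.*[0-9]$/ {
            o = ($2 == "*") ? 1 : 0
            if ($(5+o) == 5) next              # the extended container legitimately spans its logicals
            start[$1] = $(2+o) + 0; end[$1] = $(3+o) + 0; id[$1] = $(5+o) + 0
        }
        END {
            for (a in start) {
                for (b in start) {
                    if (a < b && start[a] <= end[b] && start[b] <= end[a])
                        print "overlap: " a " and " b
                }
            }
            swap = 0
            for (a in id) if (id[a] == 82) swap = 1
            if (!swap) print "no Linux swap (Id 82) partition"
        }'
}

# Report every partition as "device MB", then any layout problems.
for dev in $(printf '%s\n' "$FDISK_P" | awk '$1 ~ /^\/.*[0-9]$/ { print $1 }'); do
    printf '%-12s %6sM\n' "$dev" "$(partition_mb "$FDISK_P" "$dev")"
done
layout_problems "$FDISK_P"
```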





System Configuration
On the next screen you will see the LILO Configuration screen. LILO, the LInux LOader, is software that can be used to start Linux on your computer. From this screen, you will see different configurable options related to LILO.

The first option is:

* Create boot disk

The Create boot disk option is checked by default. If you do not want to create a boot disk, you should deselect this option. Also, this option must be checked if you decide not to install LILO on the MBR (the Master Boot Record) or if you are not installing LILO at all.

The second option is:

* Do not install LILO

This option allows you to skip installing LILO if you use a boot disk rather than LILO to start your system. This can greatly improve security in some cases, since you need to have a bootable Linux floppy with the kernel on it to start the server. But on the other hand, you will not be able to restart the server remotely if something happens.

The third option (the one that we will choose) installs LILO in your Linux system and gives you the choice to install the LILO boot record on:

* Master Boot Record (MBR)
* First Sector of Boot Partition

Usually, if Linux is the only Operating System on your machine (and this must be the case in a server installation), you should choose the "Master Boot Record (MBR)" option.

Network Configuration

After that, you need to configure your network. If you have multiple Ethernet devices, each device will have its own configuration screen.

Firewall Configuration
The latest release of Red Hat Linux now offers the possibility to configure a Firewall during installation. This is OK for the average end user but NOT for serious Firewall security. This newly added feature uses the old IPCHAINS tool of Linux with the help of a small utility named "lokkit" to set up your firewall. I highly recommend that you deactivate this feature now and see later chapters on how to install and configure IPTABLES, which is the new Firewall tool to use with Linux and the kernel 2.4 generation.

From the next screen that appears, you will see three different security levels available; choose the "No firewall" option and click Next.




Language Support Selection
Multiple language selection is now possible with this release of Linux. With internationalization, a need for different language support has appeared. From here the installation will ask you to choose the default language that will be used on your Linux system once the installation is complete. If you are only going to use one language on your system, selecting only this language will save significant disk space.




Time Zone Selection
On the next screen, you will have the opportunity to set your time zone. Once selected click Next.



Account Configuration

After the clock has been configured, you need to give your system's root account a password.




Authentication Configuration

Finally, the last stage is the authentication configuration. For Authentication Configuration don't forget to select:

* Enable MD5 passwords
* Enable Shadow passwords

Enable MD5 passwords - allows a long password to be used (up to 256 characters), instead of the Unix standard of eight letters or less.

Enable shadow passwords - provides a very secure method of retaining passwords for you. All passwords are stored in a file named shadow, which is readable only by the super-user root.

Enable NIS, LDAP, and Kerberos don't need to be selected since we are not configuring these services on this server right now.
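As an added check that is not from the book, this POSIX shell script shows what those two options change on disk: with shadow passwords the hash field of /etc/passwd holds only an x, and with MD5 each hash in /etc/shadow starts with $1$, whereas the old DES form is a 13-character string that silently truncates the password to eight characters. The /etc/passwd and /etc/shadow lines it reads are constructed samples, not taken from a real host.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow lines (not from a real host) used as input below.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
oldstyle:AbCdEfGhIjKlM:500:500::/home/oldstyle:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin'

SHADOW_SAMPLE='root:$1$abcdefgh$0123456789abcdefghijkl:11364:0:99999:7:::
legacy:AbCdEfGhIjKlM:11364:0:99999:7:::
guest::11364:0:99999:7:::
daemon:*:11364:0:99999:7:::
nobody:!!:11364:0:99999:7:::'

# hash_kind HASHFIELD -> md5 | des | locked | empty | other
hash_kind() {
    case "$1" in
        '$1$'*)   echo md5 ;;      # MD5 crypt: "$1$" + salt + "$" + hash; long passwords allowed
        '')       echo empty ;;    # no password at all
        '*'|'!'*) echo locked ;;   # account locked ("*", "!!", or a "!" prefix)
        *'$'*)    echo other ;;    # some other modular crypt scheme
        *)        if [ ${#1} -eq 13 ]; then echo des; else echo other; fi ;;   # classic 13-char DES crypt
    esac
}

# weak_hash_accounts SHADOWTEXT
# Prints "name kind" for every account whose hash is DES (8-character limit) or empty.
weak_hash_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r name hash _rest; do
        kind=$(hash_kind "$hash")
        case "$kind" in
            des|empty) printf '%s %s\n' "$name" "$kind" ;;
        esac
    done
}

# unshadowed_accounts PASSWDTEXT
# Prints the names of accounts whose /etc/passwd hash field is not the "x" placeholder,
# i.e. whose hash is still world-readable even though shadow passwords were enabled.
unshadowed_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 != "x" { print $1 }'
}

weak_hash_accounts "$SHADOW_SAMPLE"
unshadowed_accounts "$PASSWD_SAMPLE"
```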

Selecting Package Groups
After your partitions have been configured and selected for formatting and configurations have
been set for your specific system, you are ready to select packages for installation. By default,
Linux is a powerful operating system that runs many useful services. However, many of these
services are unneeded and pose potential security risks.
Ideally, each network service should be on a dedicated, single-purpose host. Many Linux
operating systems are configured by default to provide a wider set of services and applications
than are required to provide a particular network service, so you may need to configure the server
to eliminate unneeded services. Offering only essential services on a particular host can enhance
your network security in several ways:

* Other services cannot be used to attack the host and impair or remove desired network services.

* The host can be configured to better suit the requirements of the particular service. Different services might require different hardware and software configurations, which could lead to needless vulnerabilities or service restrictions.

* By reducing services, the number of logs and log entries is reduced, so detecting unexpected behavior becomes easier.

* Different individuals may administer different services. By isolating services so each host and service has a single administrator you will minimize the possibility of conflicts between administrators.
A proper installation of your Linux server is the first step to a stable, secure system. From the
screen menu that appears (Selecting Package Groups), you first have to choose which system
components you want to install, in our case, we must DESELECT ALL CHECKED Package
Groups on the list.
Since we are configuring a Linux Server, we don't need to install a graphical interface (XFree86) on our system (a graphical interface on a server means less processes, less CPU availability, less memory, security risks, and so on); also, computers are subject to the treachery of images as well. The image on your computer screen is not a computer file; it's only an image on a computer screen. Images of files, processes, and network connections are very distant cousins of the actual bits in memory, in network packets, or on disks.

Layer upon layer of hardware and software produces the images that you see. When an intruder "owns" a machine, any of those layers could be tampered with. Application software can lie, OS kernels can lie, boot PROMs can lie, and even hard disk drives can lie. Graphical interfaces are usually used only on workstations.
Step 1
First of all, it is vital to verify and be SURE to deselect all of the following Package Groups:

* Printer Support
* X Window System
* GNOME
* KDE
* Mail/WWW/News Tools
* DOS/Windows Connectivity
* Graphics Manipulation
* Games
* Multimedia Support
* Laptop Support
* Networked Workstation
* Dialup Workstation
* News Server
* NFS Server
* SMB (Samba) Server
* IPX/NetwareTM Connectivity
* Anonymous FTP Server
* SQL Server
* Web Server
* DNS Name Server
* Network Management Workstation
* Authoring/Publishing
* Emacs
* Development
* Kernel Development
* Utilities
* Everything

To summarize, it is very important, and I say VERY IMPORTANT, to deselect (so that none is selected) every selected Package Group before clicking on the Next button to continue the installation.

We don't want and don't need to install any additional packages. The default install of this Linux
distribution already comes with the most essential programs we need for the functionality of the
operating system.



NOTE ABOUT SYSTEM SIZE:
At this stage of our installation of Linux, the total install size will be 224MB if you have deselected all menu package groups as described above.

Step 2
At this point, the installation program will check dependencies in packages selected for installation (in our case no packages are selected) and format every partition you selected for formatting in your system. This can take several minutes depending on the speed of your machine. Once all partitions have been formatted, the installation program starts to install Linux to your hard drive.




How to use RPM Commands
This section contains an overview of using RPM for installing, uninstalling, upgrading, querying, listing, and checking RPM packages on your Linux system. You must be familiar with these RPM commands now because we'll use them often in this book and especially later in this chapter for software that must be uninstalled after installation of the server.

* To install an RPM package, use the command:

[root@deep /]# rpm -ivh foo-1.0-2.i386.rpm
foo ##################################################

Note that RPM packages have file names like foo-1.0-2.i386.rpm, which include the package name (foo), version (1.0), release (2), and architecture (i386).

* To uninstall an RPM package, use the command:

[root@deep /]# rpm -e foo

Notice that we used the package name "foo", not the name of the original package file "foo-1.0-2.i386.rpm".

* To upgrade an RPM package, use the command:

[root@deep /]# rpm -Uvh foo-1.0-2.i386.rpm
foo ##################################################

With this command, RPM automatically uninstalls the old version of the foo package and installs the new one. Always use rpm -Uvh to install packages, since it works fine even when there are no previous versions of the package installed.

* To query an RPM package, use the command:

[root@deep /]# rpm -q foo
foo-2.3-8

This command will print the package name, version, and release number of the installed package foo. Use this command to verify that a package is or is not installed on your system.

* To display package information, use the command:

[root@deep /]# rpm -qi foo
Name        : foo                            Relocations: none
Version     : 2.3                            Vendor: OpenNA.com, Inc.
Release     : 8                              Build Date: Thu 24 Aug 2000 11:16:53 AM EDT
Install date: Mon 12 Feb 2001 01:17:24 AM EST   Build Host: openna.com
Group       : Applications/Archiving         Source RPM: foo-2.3-8.src.rpm
Size        : 271467                         License: distributable
Packager    : OpenNA.com, Inc.
Summary     : Here will appear the summary of the package.
Description : Here will appear the description of the package.

This command displays package information, including the name, version, and description of the installed program. Use this command to get information about an installed package.

* To display package information before installing the program, use the command:

[root@deep /]# rpm -qpi foo-2.3-8.i386.rpm
Name        : foo                            Relocations: none
Version     : 2.3                            Vendor: OpenNA.com, Inc.
Release     : 8                              Build Date: Thu 24 Aug 2000 11:16:53 AM EDT
Install date: Mon 12 Feb 2001 01:17:24 AM EST   Build Host: openna.com
Group       : Applications/Archiving         Source RPM: foo-2.3-8.src.rpm
Size        : 271467                         License: distributable
Packager    : OpenNA.com, Inc.
Summary     : Here will appear the summary of the package.
Description : Here will appear the description of the package.

This command displays package information, including the name, version, and description of the program, without the need to install the program first. Use this command to get information about a package before you install it on your system.

* To list files in an installed RPM package, use the command:

[root@deep /]# rpm -ql foo
/usr/bin/foo
/usr/bin/foo1
/usr/sbin/foo2

This command will list all files in an installed RPM package. It works only when the package is already installed on your system.

* To list files in a package that is not already installed, use the command:

[root@deep /]# rpm -qpl foo-2.3-8.i386.rpm
/usr/lib/foo
/usr/bin/foo1
/usr/sbin/foo2

This command will list all files in an RPM package that is not already installed on your system. It is useful when you want to know which components are included in the package before installing it.


* To know which file is part of which package, use the command:

[root@deep /]# rpm -qf /etc/passwd
setup-2.3.4-1

This command will show you which RPM package the file comes from. It works only when the package is already installed on your system, and it is very useful when you see some files on your Linux system that you do not know about and want to get more information about their RPM provenance.

* To check the signature of an RPM package, use the command:

[root@deep /]# rpm --checksig foo-2.3-8.i386.rpm

This command checks the PGP signature of the specified package to ensure its integrity and origin. Always use this command first before installing a new RPM package on your system. GnuPG or PGP software must already be installed on your system before you can use this command. See the chapter related to GnuPG installation and configuration for more information.

* To examine only the md5sum of the package, use the command:

[root@deep /]# rpm --checksig --nogpg foo-2.3-8.i386.rpm

The RPM md5sum is useful to verify that a package has not been corrupted or tampered with. You can use it to be sure that the download of your new RPM package was not corrupted during network transfer.
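The following added helper is not from the book: rpm_field splits a package file name into the name, version, release and architecture fields described above (handling hyphenated names such as redhat-release), checksig_verdict turns one rpm --checksig result line into ok, bad or unverified, and verified_install refuses to run rpm -Uvh unless the verdict is ok. The result lines it is exercised with are constructed samples in the rpm 4 wording assumed here (an unqualified OK, or NOT OK / MISSING KEYS on failure); exact wording differs between rpm versions, so check yours.

```shell
#!/bin/sh
# rpm_field FILENAME name|version|release|arch
# Splits "name-version-release.arch.rpm" (a leading directory is ignored). The package name
# itself may contain hyphens, so version and release are peeled off from the right.
rpm_field() {
    f=${1##*/}; f=${f%.rpm}
    arch=${f##*.};    f=${f%.*}
    release=${f##*-}; f=${f%-*}
    version=${f##*-}; name=${f%-*}
    case "$2" in
        name)    printf '%s\n' "$name" ;;
        version) printf '%s\n' "$version" ;;
        release) printf '%s\n' "$release" ;;
        arch)    printf '%s\n' "$arch" ;;
        *)       return 1 ;;
    esac
}

# checksig_verdict LINE -> ok | bad | unverified
# LINE is one result line from "rpm --checksig", e.g. "foo-2.3-8.i386.rpm: md5 gpg OK".
# Assumed wording (rpm 4): a plain trailing "OK" means every check passed, "NOT OK" means a
# check failed, and "MISSING KEYS" means the signature could not be checked at all.
checksig_verdict() {
    case "$1" in
        *"NOT OK"*)       echo bad ;;
        *"MISSING KEYS"*) echo unverified ;;
        *" OK")           echo ok ;;
        *)                echo unverified ;;   # anything else is not evidence of a valid signature
    esac
}

# verified_install PACKAGEFILE
# Runs the signature check first and installs with rpm -Uvh (as the text recommends) only when
# both rpm's exit status and the printed verdict say the package verified.
verified_install() {
    line=$(rpm --checksig "$1" 2>&1); status=$?
    verdict=$(checksig_verdict "$line")
    if [ "$status" -eq 0 ] && [ "$verdict" = ok ]; then
        rpm -Uvh "$1"
    else
        printf 'refusing to install %s (%s): %s\n' \
            "$(rpm_field "$1" name)" "$verdict" "$line" >&2
        return 1
    fi
}

# Constructed result lines, in the wording assumed above, to exercise the verdict logic.
for sample in 'foo-2.3-8.i386.rpm: md5 gpg OK' \
              'foo-2.3-8.i386.rpm: md5 GPG NOT OK' \
              'foo-2.3-8.i386.rpm: MISSING KEYS: GPG#00000000'; do
    printf '%-48s -> %s\n' "$sample" "$(checksig_verdict "$sample")"
done
```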

Starting and stopping daemon services
The init program of Linux (also known as process control initialization) is in charge of starting all the normal and authorized processes that need to run at boot time on your system. These may include the APACHE daemons, NETWORK daemons, and anything else that must be running when your machine boots. Each of these processes has a script under the /etc/rc.d/init.d directory written to accept an argument, which can be start, stop, restart, etc. You can also execute those scripts by hand:

For example:

* To start the httpd Web Server daemon manually under Linux, you'll type:

[root@deep /]# /etc/rc.d/init.d/httpd start
Starting httpd:                 [OK]

* To stop the httpd Web Server daemon manually under Linux, you'll type:

[root@deep /]# /etc/rc.d/init.d/httpd stop
Shutting down http:             [OK]

* To restart the httpd Web Server daemon manually under Linux, you'll type:

[root@deep /]# /etc/rc.d/init.d/httpd restart
Shutting down http:             [OK]
Starting httpd:                 [OK]

Check inside your /etc/rc.d/init.d directory for the services available and use the start | stop | restart commands to control them.



Software that must be uninstalled after installation of the server
Red Hat Linux installs other programs on your system by default without giving you the choice to leave them out during the install setup, and some of them are programs that we are going to compile from tarballs (source code) instead. For this reason, you must uninstall the following software on your system after the installation of your Linux server.

In the table below, you'll find a partial list of software that must be uninstalled once the installation of your Linux server has been completed.

anacron        apmd           at             dhcpcd         dosfstools     eject
hotplug        ipchains       ksymoops       kudzu          lokkit         mailcap
pciutils       pump           raidtools      redhat-logos   redhat-release setserial

Use the following RPM command to uninstall them:

* The command to uninstall RPM software is:

[root@deep /]# rpm -e <software>

Where <software> is the name of the software you want to uninstall, e.g. (foo).
Step 1
Programs like apmd, Sendmail, at and anacron are daemons that run as processes. It is better to stop those processes before uninstalling them from the system.

* To stop those processes, use the following commands:

[root@deep /]# /etc/rc.d/init.d/apmd stop
Shutting down APM daemon:       [OK]

[root@deep /]# /etc/rc.d/init.d/sendmail stop
Shutting down sendmail:         [OK]

[root@deep /]# /etc/rc.d/init.d/atd stop
Stopping at daemon:             [OK]

[root@deep /]# /etc/rc.d/init.d/anacron stop
Shutting down anacron:          [OK]
Step 2
Once the apmd, sendmail, at and anacron processes have been stopped, you can safely uninstall them, and all the other packages, as shown below:

* To remove all the unneeded packages together, use the following commands:

[root@deep /]# rpm -e --nodeps anacron apmd at dhcpcd dosfstools eject hotplug ipchains ksymoops kudzu lokkit mailcap pciutils pump raidtools redhat-logos redhat-release setserial

[root@deep /]# rm -rf /var/spool/anacron/



Step 3
The program hdparm is needed by IDE hard disks but not SCSI hard disks. If you have an IDE disk on your system you must keep this program (hdparm), but if you don't have an IDE hard disk you can remove it safely from your system. hdparm is used to optimize your IDE hard drive. SCSI hard drives don't need to be optimized since they are capable of running at their full speed (80 Mps to 160 Mps) without modification.

* To remove the hdparm package from your system, use the following command:

[root@deep /]# rpm -e hdparm

Step 4
The program mkinitrd is needed by SCSI or RAID hard disks but not IDE hard disks. If you have a SCSI or RAID disk on your system you must keep this program (mkinitrd), but if you don't have a SCSI or RAID hard disk you can safely remove it from your system.

* To remove the mkinitrd package from your system, use the following command:

[root@deep /]# rpm -e --nodeps mkinitrd

Step 5
Use the programs kbdconfig, mouseconfig, timeconfig, authconfig, ntsysv, and setuptool in order to set your keyboard language and type, your mouse type, your default time zone, your NIS and shadow passwords, your numerous symbolic links in the /etc/rc.d directory, and the text mode menu utility which allows you to access all of these features. After those configurations have been set during the installation stage of your Linux server it's rare that you would need to change them again. So, you can uninstall them, and if in the future you need to change your keyboard, mouse, default time, etc. again via the text mode menu, all you have to do is install the program with the RPM from your original CD-ROM.

* To remove all the above programs from your system, use the following command:

[root@deep /]# rpm -e kbdconfig mouseconfig timeconfig authconfig ntsysv setuptool

Step 6
The program quota is a system administration tool for monitoring and limiting user/group disk usage, per file system. This program must be installed only on servers where monitoring and restricting the amount of disk space in users' directories is required.

* To remove the quota package from your system, use the following command:

[root@deep /]# rpm -e quota

Step 7
Even if you are not intending to install a mail server on your Linux system, the program Sendmail (or an equivalent program) is always needed on your servers for potential messages sent to the root user by different software services installed on your machine.

Sendmail is a Mail Transport Agent (MTA) program that sends mail from one machine to another. It can be configured in different manners; it can serve as an internal delivery mail system to a Mail Hub Server, or can be configured to be a Central Mail Hub Server for all Sendmail machines on your network. So depending on what you want to do with Sendmail, you must configure it to respond to your specific needs and speed. For this reason you must uninstall Sendmail and see the part of this book that is related to Mail Transfer Agent configuration and installation.

* To remove the sendmail package from your system, use the following command:

[root@deep /]# rpm -e sendmail

Step 8
Procmail is a mail-processing program, which can be used by Sendmail for all local mail delivery. This program is required only if you decide to install and use Sendmail on your server as a Central Mail Hub Server, and only if Sendmail is installed as a Central Hub Server. Since only a mail server with Sendmail as an MTA requires procmail, it is better to uninstall procmail and install it only on the machine that will become your mail server with Sendmail.

* To remove the procmail package from your system, use the following command:

[root@deep /]# rpm -e procmail

Step 9
The OpenLDAP software is a set of protocols for accessing directory services like phone book style information and other kinds of information over the Internet. This useful program is not suitable for everyone and depends on what you want to do with your system. If you want to give it a try, see later in this book under the chapter related to databases for more information.

* To remove the OpenLDAP package from your system, use the following command:

[root@deep /]# rpm -e openldap

Step 10
The Cyrus SASL implementation is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. It is used in conjunction with Cyrus, which is an electronic messaging program like Sendmail. Since we don't use it and don't talk about it in this book, we can safely remove it.

* To remove the Cyrus SASL package from your system, use the following command:

[root@deep /]# rpm -e cyrus-sasl

Step 11
OpenSSL is an SSL encryption mechanism which ensures and provides safe and secure transactions of data over networks. This piece of software is one of the most important tools for a Linux server and it is highly recommended that it is installed. Unfortunately, the one that comes with Red Hat Linux is not up to date and not optimized for our specific server. For this reason, we will uninstall it now and see later in this book, under the chapters related to security software, how to install, secure, optimize and use it.

* To remove the OpenSSL package from your system, use the following command:

[root@deep /]# rpm -e openssl

[root@deep /]# rm -rf /usr/share/ssl/



Step 12
The ash package is a smaller version of the Bourne shell (sh). Since we already use sh, we can uninstall this package from our system. If you use this program in your regular administration tasks, then keep it installed on your server.

* To remove the ash package from your system, use the following command:

[root@deep /]# rpm -e ash

Step 13
The time package is a utility for monitoring a program's use of system resources and can be used by developers to optimize their programs. This program is useful for developers.

* To remove the time package from your system, use the following command:

[root@deep /]# rpm -e time

Step 14
The krb5-libs package contains the shared libraries needed by Kerberos 5. Because we're not using Kerberos, we'll need to uninstall this package. Kerberos is not as secure as you might think and can be cracked easily with some good knowledge of this program. Anyway it is yours to decide if you really need it.

* To remove the krb5-libs package from your system, use the following command:

[root@deep /]# rpm -e krb5-libs
[root@deep /]# rm -rf /usr/kerberos/

Descriptions of programs that must be uninstalled after installation of the server
Below is the list of programs and a short description of their purpose. We must uninstall them for increased security and to make more space on our server. For more information and an explanation of their capabilities and uses, please see your Red Hat manual or query the package with an "rpm -qi foo" command before uninstalling it.

* The anacron package is similar to the cron package but differs in that it does not assume that the system is running continuously, and it is a good command scheduler for systems which don't run 24 hours a day. [Unnecessary for a server]

* The apmd package, or Advanced Power Management daemon utilities, can watch your notebook's battery and warn all users when the battery is low. [Unnecessary for a server]

* The at package is a utility that will do time-oriented job control by scheduling a command to run later. Unfortunately, it has had a rich history of problems and we can achieve the same functionality with the more secure vixie-cron package. For this reason I recommend you to uninstall it. [Security Risks]

* The dhcpcd package contains the protocol, which allows systems to get their own network configuration information from a DHCP server. If you are going to use DHCP on your network, it is recommended to install the DHCP client included in the pump package, which provides a faster and simpler DHCP client. [Unnecessary]

* The dosfstools package contains utilities for making and checking MS-DOS FAT file systems on Linux. Remember that we want to install a Linux server on our system and not a PC with two different operating systems on it. Therefore we must uninstall this program from our computer. [Unnecessary, we run a server]

* The eject package contains an eject program that allows the user to eject removable media (typically CD-ROMs, floppy disks, Iomega Jaz or Zip disks) using software. [Necessary only if you have a tape backup on this server]

* The hotplug package is a helper application for loading modules for USB devices. In a server environment, USB devices are not used at all and are required only on Linux workstations. [Unnecessary, we run a server]

* The ipchains package is the old tool used with Linux kernel 2.2 for managing Linux kernel packet filtering capabilities and to set up firewalling on the network. A new and more powerful tool named "IPTABLES" exists and this is the one that we will use later in the book to set up our firewall on Linux. [Unnecessary]

* The ksymoops package is a small tool used to report kernel oopses and decode error messages. This package is useful for developers that work on the Linux kernel and want to debug, or for users that want to report bugs with the kernel. The same result can be achieved with the dmesg command of Linux. [Unnecessary]

* The kudzu package is a hardware-probing tool run at system boot time to determine what hardware has been added or removed from the system. [Unnecessary, we run a server]

* The lokkit package is a Firewall configuration application for an average end user and it is not designed to configure arbitrary firewalls since it is solely designed to handle typical dialup user and cable modem set-ups. It is not the answer to a complex firewall configuration, and it is not the equal of an expert firewall designer. [Unnecessary]

* Metamail is a program that uses the mailcap file to determine how it should display non-text or multimedia material. [Unnecessary]

* The pciutils package contains various utilities for inspecting and setting devices connected to the PCI bus. [We use other methods]

* The Pump DHCP package allows individual diskless clients on a network to get their own IP network configuration information from network servers. [Unnecessary]

* The raidtools package includes the tools you need to set up and maintain a software RAID device on a Linux system. [Depends on whether you use RAID or not]

* The redhat-logos package contains files of the Red Hat "Shadow Man" logo and the RPM logo. [Unnecessary on a server]

* The redhat-release package contains the Red Hat Linux release file. [Unnecessary]

*
The
setserial
package is a basic system utility for displaying or setting serial port
information. [Unnecessary]


NOTE ABOUT SYSTEM SIZE:
If all the packages described in this section have been uninstalled from
the system, then our install size of Linux is now 132MB.

Remove unnecessary documentation files
Well, 132MB is very good but we can do more. By default the majority of RPM packages
installed under Linux come with documentation files related to the software. This documentation
contains original files from the program tar archive like README, FAQ, BUG, INSTALL, NEWS,
PROJECTS and more.
Many of them can be easily retrieved from the website where the program was downloaded,
and it makes no sense to keep them on your system. I know that hard drive costs have
come down considerably recently, but why keep this kind of documentation on a secure server if
it is unlikely to be read more than once? Anyway, have a look inside those files and decide
for yourself whether you want to remove them or not.

* To remove all documentation files from your system, use the following commands:
[root@deep /]# cd /usr/share/doc/
[root@deep doc]# rm -rf *



NOTE ABOUT SYSTEM SIZE:
If all the documentation files have been removed from the system, then
our install size of Linux is now 118MB.

Remove unnecessary/empty files and directories
There are some files and directories we can remove manually from the file system of Linux to
make a clean install. These files and directories are not needed but still exist after our secure
installation of Linux and can be removed safely. Some are bugs from the Red Hat installation
script and others are created by default even if you don't use them.

* To remove all unnecessary/empty files and directories from your system, use the
following commands:
[root@deep /]# rm -f /etc/exports
[root@deep /]# rm -f /etc/printcap
[root@deep /]# rm -f /etc/ldap.conf
[root@deep /]# rm -f /etc/yp.conf
[root@deep /]# rm -f /etc/hosts.allow
[root@deep /]# rm -f /etc/hosts.deny
[root@deep /]# rm -rf /etc/xinetd.d/
[root@deep /]# rm -rf /etc/hotplug/
[root@deep /]# rm -rf /etc/ppp/
[root@deep /]# rm -rf /etc/opt/
[root@deep /]# rm -rf /etc/X11/
[root@deep /]# rm -rf /opt/
[root@deep /]# rm -rf /var/opt/
[root@deep /]# rm -rf /var/nis/
[root@deep /]# rm -rf /var/spool/lpd/
[root@deep /]# rm -rf /usr/X11R6/
[root@deep /]# rm -rf /usr/etc/
[root@deep /]# rm -rf /usr/local/
[root@deep /]# rm -rf /usr/dict/
[root@deep /]# rm -f /usr/bin/X11
[root@deep /]# rm -f /usr/bin/kbdrate
[root@deep /]# rm -f /usr/lib/X11

[root@deep /]# rm -f /usr/lib/libcrypto.so.1
[root@deep /]# rm -f /usr/lib/libssl.so.1
[root@deep /]# rm -rf /usr/lib/games/
[root@deep /]# rm -rf /usr/share/empty/
[root@deep /]# rm -rf /usr/share/pixmaps/


NOTE:
If in the future you want to install a program which needs some of the files/directories we
have removed, then the program will automatically recreate the missing files or directories. Good!

Software that must be installed after installation of the server
Certain programs are required to be able to compile software on your server; for this
reason you must install the following RPM packages. This part of the installation is very important
and requires that you install all the packages described below.
These are on your Red Hat Part 1 and Part 2 CD-ROMs under the RedHat/RPMS directory and
represent the necessary base software needed by Linux to compile and install programs. Please
note that if you don't want to compile software on your server, if you only use RPM packages
to update programs, or if you use a dedicated server to develop, compile or create your own
RPM packages which will be installed later on the servers across your network, then you DON'T
need to install the packages described here.
Step 1
First, we mount the CD-ROM drive and move to the RPMS subdirectory of the CD-ROM.

* To mount the CD-ROM drive and move to the RPMS directory, use the following commands:
[root@deep /]# mount /dev/cdrom /mnt/cdrom/
hda: ATAPI 32X CD-ROM drive, 128kB Cache
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/

These are the packages that we need to be able to compile and install programs on the Linux
system. Remember, this is the minimum number of packages that permits you to compile most of
the tarballs available for Linux. Other compiler packages exist on the Linux CD-ROM, so verify
with the README file that came with the tarball of the program you want to install if you receive
error messages during compilation of the specific software.
The compiler packages:
Compiler packages contain programs and languages used to build software on the system.
Remember to uninstall all of the following compiler packages after successful installation of all
software required on your Linux server.

binutils-2.10.91.0.2-3.i386.rpm
bison-1.28-5.i386.rpm
byacc-1.9-18.i386.rpm
cdecl-2.5-17.i386.rpm
cpp-2.96-81.i386.rpm
cproto-4.6-7.i386.rpm
ctags-4.0.3-1.i386.rpm
dev86-0.15.0-5.i386.rpm

flex-2.5.4a-13.i386.rpm
gcc-2.96-81.i386.rpm
gcc-c++-2.96-81
kernel-headers-2.4.2-2.i386.rpm
m4-1.4.1-4.i386.rpm
make-3.79.1-5.i386.rpm
patch-2.5.4-9.i386.rpm
perl-5.6.0-12.i386.rpm


The development packages:
Development packages contain header and other files required during compilation of software. In
general, development packages are needed when we want to add some specific functionality to
the program that we want to compile. For example, if I want to add PAM support to IMAP, I'll need
pam-devel, which contains the required header files for IMAP to compile successfully.
As with compiler packages, all development packages must be uninstalled after successful
compilation of all the software that you need on your Linux server. Remember to uninstall them
since they are not needed for proper functionality of the server, but just to compile the programs.

aspell-devel-0.32.6-2
db3-devel-3.1.17-7
freetype-devel-2.0.1-4
gd-devel-1.8.3-7
gdbm-devel-1.8.0-5
glibc-devel-2.2.2-10
libjpeg-devel-6b-15

libpng-devel-1.0.9-1
libstdc++-devel-2.96-81
ncurses-devel-5.2-8
pam-devel-0.74-22
pspell-devel-0.11.2-2
zlib-devel-1.1.3-22

Dependencies packages:
Dependencies packages are other RPM packages needed by the RPM packages that we want to
install. This happens because some RPMs are directly linked with others and depend on each
other to function properly. The following packages are required by the above RPM packages and
we will install them to satisfy dependencies. After proper compilation and installation of all needed
software on the Linux server, we can uninstall them safely (if they are not needed by a special
program that we will install).

gd-1.8.3-7
freetype-2.0.1-4
libjpeg-6b-15

libpng-1.0.9-1
libtool-libs-1.3.5-8
pspell-0.11.2-2


Step 2
It is better to install the software described above together if you don't want to receive
dependency error messages during the install. Some of the RPMs reside on CD-ROM Part 1
and others on CD-ROM Part 2 of Red Hat. For easy installation, I recommend you copy all of the
required packages (compilers and development) to your hard drive and install them from there.

* These procedures can be accomplished with the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rpm -Uvh *.rpm
binutils                ##################################################
bison                   ##################################################
byacc                   ##################################################
cdecl                   ##################################################
cpp                     ##################################################
cproto                  ##################################################
ctags                   ##################################################
dev86                   ##################################################
flex                    ##################################################
gcc                     ##################################################
kernel-headers          ##################################################
gcc-c++                 ##################################################
m4                      ##################################################
make                    ##################################################
patch                   ##################################################
perl                    ##################################################
aspell-devel            ##################################################
db3-devel               ##################################################
freetype-devel          ##################################################
gd-devel                ##################################################
gdbm-devel              ##################################################
glibc-devel             ##################################################
libjpeg-devel           ##################################################
libpng-devel            ##################################################
libstdc++-devel         ##################################################
ncurses-devel           ##################################################
pam-devel               ##################################################
pspell-devel            ##################################################
zlib-devel              ##################################################
gd                      ##################################################
libjpeg                 ##################################################
libpng                  ##################################################
pspell                  ##################################################
freetype                ##################################################
libtool-libs            ##################################################

NOTE:
Some of the RPMs reside on CD-ROM Part 1 and others on CD-ROM Part 2 of Red Hat. For
easy installation, I recommend you copy all of the required packages (compilers and
development) to your hard drive and install them from there.

NOTE ABOUT SYSTEM SIZE:
If you have installed all the required packages described above to be
able to compile on the system, then our install size of Linux is now 222MB.
Step 3
This step is required only if you also want to use the Linux server to compile programs and
services. If you have a dedicated system to compile and build RPM packages, which can be
installed on the other servers on your network, you don't need this step.
After installation and compilation of all programs and services, it's a good idea to remove all
sharp objects (compilers, etc.) described above unless they are required by your system. A few
reasons are:

* If a cracker gains access to your server he or she cannot compile or modify binary
programs. Also, this will free a lot of space and will help to improve regular scanning of
the files on your server for integrity checking.

* When you run a server you will give it a special task to accomplish. You will never put all
services you want to offer on one machine or you will lose speed (resources available
divided by the number of processes running on the server).

* A lot of services running on the same machine decreases your security: if a cracker
accesses this server, he or she can directly attack all the others available.

* Having different servers doing different tasks will simplify the administration and
management. You know what task each server is supposed to do, what services should
be available, which ports are open to client access and which ones are closed, you know
what you are supposed to see in the log files, etc., and this gives you more control and
flexibility on each one (server dedicated for mail, web pages, database, development,
backup, etc.).

* For example, one server specialized just for development and testing will mean you will
not be compelled to install compiler programs on a server each time you want to compile
and install new software on it, and be obliged afterwards to uninstall the compilers, or
other sharp objects.


Verifying installed programs on your Server
If you have followed each step exactly as described, this is the list of all installed programs that
you should have on your server after the complete installation of Linux.
Step 1
This list must match exactly the install.log file located in your /tmp directory or you could
run into problems.

glibc-common
mailcap
redhat-logos
redhat-release
setup
filesystem
basesystem
glibc
termcap
bdflush
chkconfig
cracklib
db1
db2
db3
dosfstools
e2fsprogs
eject
file
gdbm
glib
hdparm
ksymoops
libtermcap
losetup
mailx
mingetty
mktemp
bash
bzip2
hotplug
libstdc++
groff
MAKEDEV
modutils
ncurses
info
cpio
diffutils
ed
fileutils
at
findutils
gawk
gettext
grep
ash
dhcpcd
gzip
less
man
net-tools
openssl
popt
logrotate
procmail
procps
psmisc
pwdb
raidtools
readline
rootfiles
sed
console-tools
setserial
shadow-utils
dev
slang
newt
kbdconfig
ntsysv
setuptool
slocate
sysklogd
syslinux
tar
textutils
mount
mkinitrd
lilo
mkbootdisk
mouseconfig
time
tmpwatch
crontabs
utempter
vim-common
vim-minimal
which
words
cracklib-dicts
pam
authconfig
cyrus-sasl
gpm
kudzu
passwd
sh-utils
krb5-libs
openldap
sendmail
SysVinit
zlib
rpm
util-linux
initscripts
apmd
devfsd
ipchains
kernel
lokkit
pciutils
pump
quota
timeconfig
vixie-cron
anacron

NOTE:
All texts in bold are packages that we have uninstalled from the default install list.
Remember that some of these RPM packages will be reinstalled manually later in this book and
most are unnecessary for daily work of the system.


Step 2
After we have uninstalled all the software that must be uninstalled and added the
necessary RPM packages to be able to compile programs, we must verify the list of all installed
RPM programs again, but this time with the following command:

* To verify the list of all installed RPM packages on your system, use the command:
[root@deep /]# rpm -qa > installed_rpm

The "-qa" option will query all installed RPM packages on your system and the special character
">" will redirect the output to the file named installed_rpm.
The content of the installed_rpm file must look exactly like this:

filesystem-2.0.7-1
glibc-2.2.2-10
bdflush-1.5-16
cracklib-2.7-8
db2-2.4.14-5
gdbm-1.8.0-5

libtermcap-2.0.8-26
mailx-8.1.1-20
mktemp-1.5-8
bzip2-1.0.1-3
libstdc++-2.96-81
MAKEDEV-3.1.0-14
ncurses-5.2-8
cpio-2.4.2-20
ed-0.2-19
gawk-3.0.6-1
grep-2.4.2-5
less-358-16
net-tools-1.57-6
popt-1.6.2-8
psmisc-19-4
rootfiles-7.0-4
console-tools-19990829-34
shadow-utils-20000826-4
slang-1.4.2-2
sysklogd-1.4-7
tar-1.13.19-4
mount-2.10r-5
lilo-21.4.4-13
tmpwatch-2.7.1-1
utempter-0.5.2-4
vim-minimal-6.0-0.27
words-2-16
pam-0.74-22
sh-utils-2.0-13
SysVinit-2.78-15
rpm-4.0.2-8
initscripts-5.83-1
devfsd-2.4.2-2
kernel-2.4.2-2
vixie-cron-3.0.1-62
glibc-common-2.2.2-10
setup-2.4.7-1
basesystem-7.0-2
termcap-11.0.1-8
chkconfig-1.2.22-1
db1-1.85-5
db3-3.1.17-7
e2fsprogs-1.19-4
file-3.33-1
glib-1.2.9-1
losetup-2.10r-5
mingetty-0.9.4-16
bash-2.04-21
groff-1.16.1-7
modutils-2.4.2-5
info-4.0-20
diffutils-2.7-21
fileutils-4.0.36-4
findutils-4.1.6-2
gettext-0.10.35-31
gzip-1.3-12
man-1.5h1-20
logrotate-3.5.4-1
procps-2.0.7-8
pwdb-0.61.1-1
readline-4.1-9
sed-3.02-9
dev-3.1.0-14
newt-0.50.22-2
slocate-2.5-5
syslinux-1.52-1
textutils-2.0.11-7

crontabs-1.9-2
vim-common-6.0-0.27
which-2.12-1
cracklib-dicts-2.7-8
gpm-1.19.3-16
passwd-0.64.1-4
zlib-1.1.3-22
util-linux-2.10s-12
binutils-2.10.91.0.2-3
byacc-1.9-18
cpp-2.96-81
ctags-4.0.3-1
dev86-0.15.0-5
kernel-headers-2.4.2-2

gcc-2.96-81
gcc-c++-2.96-81
make-3.79.1-5
perl-5.6.0-12
bison-1.28-5
cdecl-2.5-17
cproto-4.6-7

flex-2.5.4a-13
glibc-devel-2.2.2-10

m4-1.4.1-4
patch-2.5.4-9
aspell-devel-0.32.6-2
db3-devel-3.1.17-7
freetype-devel-2.0.1-4
gd-devel-1.8.3-7
gdbm-devel
libjpeg-devel-6b-15
libpng-devel-1.0.9-1
libstdc++-devel-2.96-81
ncurses-devel-5.2-8
pam-devel-0.74-22
pspell-devel-0.11.2-2
zlib-devel-1.1.3-22
gd-1.8.3-7
freetype-2.0.1-4
libjpeg-6b-15
libpng-1.0.9-1
libtool-libs-1.3.5-8
pspell-0.11.2-2



NOTE:
All texts in bold are compiler packages that we have added to be able to compile programs
on the system. Remember that these packages can be uninstalled after complete compilation of
all software safely and without problem.
This second step is required to be sure we have not forgotten to remove some unnecessary RPM
or to add some important packages that permit us to compile programs on the system. If the
result looks the same as our installed_rpm file above, we are now ready to play with our new
Linux server.
In the above list, I assume that all sharp objects required for compiling programs and
services on the system are installed. Of course they must be uninstalled and removed from the
list if we don't want to use this server to compile programs and services but prefer to use RPM
packages made on another system for all servers on our network.
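Checking a long rpm -qa listing against the expected list by eye (Step 1 and Step 2 above) is error-prone. The following shell script is an added example, not part of the book: it strips the version-release suffix from rpm -qa output and reports which packages are missing from, or extra to, an expected list. The function names and the short package lists embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): check an rpm -qa listing against the
# package list the book expects, reporting anything missing or extra.
export LC_ALL=C   # identical collation for sort and comm

# Turn "name-version-release" lines (rpm -qa output) into bare names,
# e.g. gcc-c++-2.96-81 -> gcc-c++, console-tools-19990829-34 -> console-tools.
strip_versions() {
    sed 's/-[^-]*-[^-]*$//' "$1"
}

# compare_pkg_lists EXPECTED_FILE ACTUAL_FILE
# Both files hold one package name per line. Prints the differences and
# returns 0 only when the two sets are identical.
compare_pkg_lists() {
    exp_sorted=$(mktemp) || return 2
    act_sorted=$(mktemp) || return 2
    sort -u "$1" > "$exp_sorted"
    sort -u "$2" > "$act_sorted"
    missing=$(comm -23 "$exp_sorted" "$act_sorted")   # only in expected
    extra=$(comm -13 "$exp_sorted" "$act_sorted")     # only in actual
    rm -f "$exp_sorted" "$act_sorted"
    status=0
    if [ -n "$missing" ]; then
        echo "MISSING (expected but not installed):"
        printf '%s\n' "$missing" | sed 's/^/  /'
        status=1
    fi
    if [ -n "$extra" ]; then
        echo "EXTRA (installed but not in the expected list):"
        printf '%s\n' "$extra" | sed 's/^/  /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: installed packages match the expected list"
    fi
    return "$status"
}

# Constructed sample data for a stand-alone run: a four-line excerpt of an
# expected list and a fake rpm -qa listing (anacron's version is made up).
write_sample_lists() {
    cat > "$1" <<'EOF'
bash
glibc
vixie-cron
openssl
EOF
    cat > "$2" <<'EOF'
bash-2.04-21
glibc-2.2.2-10
vixie-cron-3.0.1-62
anacron-2.3-17
EOF
}

# Stand-alone demonstration. On a real server replace the sample rpm_qa.txt
# with the output of:  rpm -qa > /var/tmp/rpm_qa.txt
tmpdir=$(mktemp -d)
write_sample_lists "$tmpdir/expected.txt" "$tmpdir/rpm_qa.txt"
strip_versions "$tmpdir/rpm_qa.txt" > "$tmpdir/actual.txt"
compare_pkg_lists "$tmpdir/expected.txt" "$tmpdir/actual.txt" || true
rm -rf "$tmpdir"
```

On the sample data the script reports openssl as missing and anacron as extra, which is exactly the kind of leftover the book's uninstall list is meant to catch.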


Update of the latest software
Keep all software (especially network software) up to date with the latest versions. Check the
errata pages for the Red Hat Linux distribution, available at
http://www.redhat.com/apps/support/updates.html. The errata pages are perhaps the best
resource for fixing 90% of the common problems with Red Hat Linux. In addition, security holes
for which a solution exists are generally on the errata page 24 hours after Red Hat has been
notified. You should always check there first.
Step 1
For all software packages described here and later in this book, I assume that you use another
computer on your network to retrieve and download the required software. If this is not the case, I
suggest you at least install the FTP client program that comes with your OS CD-ROM,
to be able to make remote connections and download files.
Of course if for some obscure reason the networking feature of your server doesn't work at this
stage, I recommend you read the part of the book called "Networking Related Reference" and
especially the chapter under it called "Networking - TCP/IP Network Management" for
troubleshooting and more information on the subject.
This secure Linux server installation requires that the software listed below be installed on your
system to be able to download packages from the Internet, if you don't use another computer on
your network to retrieve and download programs.

* ftp, which provides the standard UNIX command-line FTP (File Transfer Protocol) client,
must already be installed on your system to be able to download software from the Internet.

* To verify if the ftp package is installed on your system, use the command:
[root@deep /]# rpm -q ftp
package ftp is not installed

* To mount your CD-ROM drive before installing the required package, use the command:
[root@deep /]# mount /dev/cdrom /mnt/cdrom/
mount: block device /dev/cdrom is write-protected, mounting read-only

* To install the ftp package on your Linux system, use the following command:
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh ftp-version.i386.rpm

ftp                     ##################################################

* To unmount your CD-ROM drive, use the following command:
[root@deep RPMS]# cd /; umount /mnt/cdrom/

The following are based on information listed by Red Hat as of 2001/04/23. Please check
regularly at http://www.redhat.com/ for the latest status.
Errata: Bug, Fixes & Advisories are available from:
Red Hat Updates Web Site: http://www.redhat.com/apps/support/updates.html
Red Hat Updates FTP Site: 216.148.218.202, 63.240.14.64, 216.148.218.201,
63.240.14.63, 216.148.218.192, 63.240.14.62

Step 2
Software that must be updated at this time for your Red Hat Linux Secure Server are:

mount-2.11b-3.i386.rpm
SysVinit-2.78-17.i386.rpm
gcc-2.96-85.i386.rpm
gcc-c++-2.96-85.i386.rpm
cpp-2.96-85.i386.rpm
libstdc++-2.96-85.i386.rpm
libstdc++-devel-2.96-85.i386.rpm

NOTE:
You can also retrieve all present and future software RPM packages that will need to be
updated directly from our OpenNA.com website at:
http://www.openna.com/download/index.htm



Part II Security and Optimization Related Reference
In this Part
Security and Optimization - General System Security
Security and Optimization - Pluggable Authentication Modules
Security and Optimization - General System Optimization
Security and Optimization - Kernel Security & Optimization

Now that we have installed a base system, the next four chapters will concentrate on how to
tighten the security of our configured system, optimize our system to perform at its peak and
upgrade our machine for the latest kernel.
Please note that when we talk of tightening the security we are referring to the features available
within the base installed system and not to any additional software. We will talk about them later
in this book.

3 Security and Optimization - General System Security
In this Chapter

BIOS
Unplug your server from the network
Security as a policy
Choose a right password
The root account
Set login time out for the root account
The /etc/exports file
The single-user login mode of Linux
The LILO and /etc/lilo.conf file
Disabling Ctrl-Alt-Delete keyboard shutdown command
The /etc/services file
The /etc/securetty file
Special accounts
Control mounting a file system
Mounting the /boot/ directory of Linux as read-only
Conceal binary RPM
Shell logging
Physical hard copies of all-important logs
Tighten scripts under /etc/rc.d/init.d/
The /etc/rc.d/rc.local file
Bits from root-owned programs
Finding all files with the SUID/SGID bit enabled
Don't let internal machines tell the server what their MAC address is
Unusual or hidden files
Finding Group and World Writable files and directories
Unowned files
Finding .rhosts files
System is compromised!


Linux
General System Security


Abstract
A secure Linux server depends on how the administrator makes it. Once we have eliminated the
potential security risk by removing unneeded services, we can start to secure our existing
services and software on our server. Within a few hours of installing and configuring your system,
you can prevent many attacks before they occur. In this chapter we will discuss some of the more
general, basic techniques used to secure your system. The following is a list of features that can
be used to help prevent attacks from external and internal sources.

BIOS
It is recommended to disallow booting from floppy drives and set passwords on BIOS features.
You can check your BIOS manual or look at it thoroughly the next time you boot up your system
to find out how to do this. Disabling the ability to boot from floppy drives and being able to set a
password to access the BIOS features will improve the security of your system.
This will block unauthorized people from trying to boot your Linux system with a special boot disk
and will protect you from people trying to change BIOS features like allowing boot from floppy
drive or booting the server without prompting for a password. It is important to note that there is a
possibility to bypass this security measure if someone has physical access to your server since
they can open the computer and unplug the BIOS battery. This will reset all features to their initial
values.

Unplug your server from the network
It is not wise to apply security changes in your newly installed Linux server if you are online. So it
is preferable to deactivate all network interfaces in the system before applying security changes.

* To stop specific network devices manually on your system, use the following command:
[root@deep /]# ifdown eth0

* To start specific network devices manually on your system, use the following command:
[root@deep /]# ifup eth0

* To shut down all network interfaces, use the following command:
[root@deep /]# /etc/rc.d/init.d/network stop
Shutting down interface eth0                    [OK]
Disabling IPv4 packet forwarding                [OK]

* To start all network interfaces, use the following command:
[root@deep /]# /etc/rc.d/init.d/network start
Setting network parameters                      [OK]
Bringing up interface lo                        [OK]
Bringing up interface eth0                      [OK]

Security as a policy
It is important to point out that you cannot implement security if you have not decided what needs
to be protected, and from whom. You need a security policy--a list of what you consider allowable
and what you do not consider allowable upon which to base any decisions regarding security.
The policy should also determine your response to security violations. What you should consider
when compiling a security policy will depend entirely on your definition of security. The following
questions should provide some general guidelines:

* How do you classify confidential or sensitive information?
* Does the system contain confidential or sensitive information?
* Exactly whom do you want to guard against?
* Do remote users really need access to your system?
* Do passwords or encryption provide enough protection?
* Do you need access to the Internet?
* How much access do you want to allow to your system from the Internet?
* What action will you take if you discover a breach in your security?

This list is short, and your policy will probably encompass a lot more before it is completed. Any
security policy must be based on some degree of paranoia; deciding how much you trust people,
both inside and outside your organization. The policy must, however, provide a balance between
allowing your users reasonable access to the information they require to do their jobs and totally
disallowing access to your information. The point where this line is drawn will determine your
policy.

Choose a right password
The starting point of our Linux General Security tour is the password. Many people keep their
valuable information and files on a computer, and the only thing preventing others from seeing it
is the eight-character string called a password. An unbreakable password, contrary to popular
belief, does not exist. Given time and resources all passwords can be guessed either by social
engineering or by brute force.
Social engineering of server passwords and other access methods is still the easiest and most
popular way to gain access to accounts and servers. Often, something as simple as acting as a
superior or executive in a company and yelling at the right person at the right time of the day
yields terrific results.
Running a password cracker on a weekly basis on your system is a good idea. This helps to find
and replace passwords that are easily guessed or weak. Also, a password checking mechanism
should be present to reject a weak password when choosing an initial password or changing an
old one. Character strings that are plain dictionary words, or are all in the same case, or do not
contain numbers or special characters should not be accepted as a new password.
We recommend the following rules to make passwords effective:

* They should be at least six characters in length, preferably eight characters including at
least one numeral or special character.
* They must not be trivial; a trivial password is one that is easy to guess and is usually
based on the user's name, family, occupation or some other personal characteristic.
* They should have an aging period, requiring a new password to be chosen within a
specific time frame.
* They should be revoked and reset after a limited number of concurrent incorrect retries.
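The "password checking mechanism" the section asks for can be sketched in a few lines of shell. The script below is an added example, not part of the book; it applies the rules just listed (length, numeral or special character, mixed case, no dictionary word, no user name) and rejects a candidate with the reason. It assumes the book's preferred eight characters as the hard minimum, and the tiny word list embedded in it is a constructed stand-in for a real dictionary such as /usr/share/dict/words.

```shell
#!/bin/sh
# Added example (not from the book): a password-acceptance check that applies
# the rules above before a new password is accepted. A real system enforces
# this through PAM and cracklib; this is a self-contained illustration.
export LC_ALL=C

# Constructed mini dictionary for the stand-alone run. A real check would read
# /usr/share/dict/words or use cracklib instead.
DICT_WORDS="password secret linux server admin welcome summer"

# check_password PASSWORD [USERNAME]
# Prints the first rule the password breaks and returns 1; prints "accepted"
# and returns 0 if every rule passes. The eight-character minimum is the
# book's preferred length, applied here as the hard limit (an assumption).
check_password() {
    pw=$1
    user=$(printf '%s' "${2:-}" | tr 'A-Z' 'a-z')
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    # letters only, lower-cased: "Linux123" -> "linux", so a dictionary word
    # padded with digits is still caught
    letters=$(printf '%s' "$pw" | tr -cd 'A-Za-z' | tr 'A-Z' 'a-z')

    if [ "${#pw}" -lt 8 ]; then
        echo "rejected: shorter than 8 characters"; return 1
    fi
    if ! printf '%s' "$pw" | grep -q '[^A-Za-z]'; then
        echo "rejected: no numeral or special character"; return 1
    fi
    if ! printf '%s' "$pw" | grep -q '[a-z]' || ! printf '%s' "$pw" | grep -q '[A-Z]'; then
        echo "rejected: all letters are in the same case"; return 1
    fi
    for word in $DICT_WORDS; do
        if [ "$lower" = "$word" ] || [ "$letters" = "$word" ]; then
            echo "rejected: based on the dictionary word '$word'"; return 1
        fi
    done
    if [ -n "$user" ]; then
        case "$lower" in
            *"$user"*) echo "rejected: contains the user name"; return 1 ;;
        esac
    fi
    echo "accepted"
    return 0
}

# Stand-alone demonstration with constructed candidates for a user "gerhard".
for candidate in 'password' 'Linux123' 'Gerhard2001' 'Xk7#pq2Lm'; do
    printf '%-12s ' "$candidate"
    check_password "$candidate" gerhard || true
done
```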


The root account
The "root" account is the most privileged account on a Unix system. The "root" account has no
security restrictions imposed upon it. This means the system assumes you know what you are
doing, and will do exactly what you request -- no questions asked. Therefore it is easy, with a
mistyped command, to wipe out crucial system files. When using this account it is important to be
as careful as possible. For security reasons, never log in on your server as "root" unless it is
absolutely an instance that necessitates root access. Also, if you are not on your server, never
sign in and leave yourself on as "root"--this is VERY, VERY, VERY BAD.

Set login time out for the root account
Despite the notice to never sign in as "root" and leave it unattended when they are not on the
server, administrators still stay on as "root" or forget to logout after finishing their work and leave
their terminals unattended.
The answer to this problem is to make the bash shell automatically log out after not being
used for a period of time. To do that, you must set the special variable of Linux named "TMOUT" to
the time in seconds of no input before logout.

* Edit your profile file (vi /etc/profile) and add the following line somewhere after
the line that reads "HISTSIZE=" in this file:

TMOUT=7200
The value we enter for the variable "TMOUT=" is in seconds and represents 2 hours (60 * 60 =
3600 * 2 = 7200 seconds). It is important to note that if you decide to put the above line in your
/etc/profile file, then the automatic logout after two hours of inactivity will apply for all users
on the system. So, instead, if you prefer to control which users will be automatically logged out
and which ones are not, you can set this variable in their individual .bashrc file.
After this parameter has been set on your system, you must logout and login again (as root) for
the change to take effect.

The /etc/exports file
If you are exporting file systems using the NFS service, be sure to configure the /etc/exports
file with the most restrictive access possible. This means not using wildcards, not allowing root
write access, and mounting read-only wherever possible.
Step 1
* Edit the exports file (vi /etc/exports) and add, as an example:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

Where /dir/to/export is the directory you want to export, host1.mydomain.com is the
machine allowed to log in to this directory, the ro option means mounting read-only and the
root_squash option is for not allowing root write access in this directory.


Page 71

General System Security 0
CHAPTER 3

71
Step 2
* For this change to take effect you will need to run this command on your terminal:

[root@deep /]# /usr/sbin/exportfs -a

(Use "exportfs -ra" when the file was already exported, so that removed or changed entries are
re-read as well.)

WARNING: Please be aware that having an NFS service available on your system can be a security
risk. Personally, I don't recommend using it. If you followed our installation, the NFS service is
not installed on your system.
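The following is an added example, not code from the book: a small audit function that reads an exports-format file and reports the patterns the section above warns about (wildcard clients, clients with no explicit options, read-write exports, no_root_squash, and the "host (options)" space mistake). It prints one finding per line and returns the number of findings; the sample file in the usage is constructed and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the book): audit an NFS exports file for the risky patterns the text
# warns about. It flags wildcard clients, clients with no options at all (no explicit ro),
# rw exports, no_root_squash, and the classic "host (options)" mistake, where the space before
# the parenthesis exports to the host with default options AND to the whole world with the
# given options. Prints one finding per line and returns the number of findings.

audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                                  # skip comments and blank lines
        {
            dir = $1
            rest = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", rest)                 # drop the directory column
            n = split(rest, specs, "[ \t]+")
            for (i = 1; i <= n; i++) {
                spec = specs[i]
                if (spec == "") continue
                host = spec; opts = ""
                if (match(spec, /\(.*\)$/)) {                     # split host(opts)
                    host = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                if (host == "") {
                    print dir ": options \"" opts "\" apply to EVERY host (space before the parenthesis?)"; c++
                } else if (host ~ /[*?]/) {
                    print dir ": wildcard client \"" host "\""; c++
                }
                if (host != "" && opts == "") { print dir ": client " host " has no options (no explicit ro)"; c++ }
                if (opts ~ /(^|,)no_root_squash(,|$)/) { print dir ": client " host " keeps remote root (no_root_squash)"; c++ }
                if (opts ~ /(^|,)rw(,|$)/) { print dir ": client " host " is exported read-write"; c++ }
            }
        }
        END { exit c }
    ' "$1"
}

# Usage: audit_exports /etc/exports ; echo "findings: $?"
```

Run it against /etc/exports before running exportfs; a non-zero return means at least one line deserves a second look. The check is textual and does not know which hosts are trusted, so treat its output as a review list rather than a verdict.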


The single-user login mode of Linux
Linux has a special boot option (linux single), also known as `single-user mode', which can be
entered at the boot prompt during startup of the system. Single-user mode is generally used for
system maintenance. You can boot Linux in single-user mode by typing the following at the LILO
boot prompt:

LILO: linux single

This will place the system in run level 1, where you are logged in as the super-user "root"
without even having to type a password!
Step 1
Requiring no password to get a root shell in single-user mode is a bad idea. You can fix this by
editing the inittab file (vi /etc/inittab) and changing the following line:

id:3:initdefault:

To read:

id:3:initdefault:
~~:S:wait:/sbin/sulogin

The added line makes init(8) run the program sulogin(8) before dropping the machine into a root
shell for maintenance, so the root password must be entered before single-user mode continues.
Note that this only covers "single": someone at the console can still type "linux init=/bin/sh"
at the LILO prompt and get a root shell without init ever reading /etc/inittab. That is what the
"restricted" and "password" options of LILO in the next section are for.

Step 2
* Now, for the change to take effect, type the following at a prompt:

[root@deep /]# /sbin/init q

The LILO and /etc/lilo.conf file
LILO is the most commonly used boot loader for Linux. It manages the boot process and can boot
Linux kernel images from floppy disks or hard disks, and can even act as a "boot manager" for
other operating systems.

LILO is very important to the Linux system and for this reason we must protect it as best we can.
The most important configuration file of LILO is the lilo.conf file, which resides under the /etc
directory. It is with this file that we configure and improve the security of our LILO program and
Linux system. Following are three important options that will improve the security of our
valuable LILO program.

* Adding: timeout=00

This option controls how long (in seconds) LILO waits for user input before booting the default
selection. One of the requirements of C2 security is that this interval be set to 0 unless the
system dual boots something else.

* Adding: restricted

This option asks for a password only if parameters are specified on the command line (e.g. linux
single). The option "restricted" can only be used together with the "password" option. Make sure
you use it on each additional image you may have.

* Adding: password=<password>

This option asks the user for a password when trying to load the image. On its own, the password
parameter in /etc/lilo.conf protects the Linux image from booting at all: it doesn't matter
whether you load Linux in single mode or do a normal boot, LILO will always ask for the password.
This can have a very bad effect, namely that you are no longer able to reboot Linux remotely,
since the machine won't come up until someone types the LILO password at the console. It is for
this reason that adding "restricted" together with "password" is very important: "restricted"
relaxes the password protection so that a password is required only if parameters are specified
at the LILO prompt (e.g. single).
Passwords are always case-sensitive. Also make sure the /etc/lilo.conf file is no longer world
readable, or any user will be able to read the password. Here is an example of our protected LILO
with the lilo.conf file.

Step 1
* Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three options above as
  shown:

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt                  # remove this line if you don't want to pass options at the LILO prompt
timeout=00              # change this line to 00 to disable the LILO prompt
linear
message=/boot/message   # remove this line if you don't want the welcome screen
default=linux
restricted              # add this line to relax the password protection
password=<password>     # add this line and put your password
image=/boot/vmlinuz-2.4.2-2
    label=linux
    initrd=/boot/initrd-2.4.2-2.img
    read-only
    root=/dev/sda6

Step 2
Because the configuration file /etc/lilo.conf now contains an unencrypted password, it should
only be readable by the super-user "root".

* To make the /etc/lilo.conf file readable only by the super-user "root", use the following
  command:

[root@deep /]# chmod 600 /etc/lilo.conf

(The file is no longer world readable.)



Step 3
Now we must update the boot sector from our configuration file /etc/lilo.conf for the change to
take effect.

* To apply the /etc/lilo.conf file, use the following command:

[root@deep /]# /sbin/lilo -v
LILO version 21.4-4, copyright © 1992-1998 Werner Almesberger
`lba32' extensions copyright © 1999,2000 John Coffman
Reading boot sector from /dev/sda
hda: ATAPI 32X CD-ROM drive, 128kB Cache
Merging with /boot/boot.b
Mapping message file /boot/message
Boot image: /boot/vmlinuz-2.2.16-22
Mapping RAM disk /boot/initrd-2.2.16-22.img
Added linux *
/boot/boot.0800 exists - no backup copy made.
Writing boot sector.

(The output above was captured on a system running kernel 2.2.16-22; with the 2.4.2-2 kernel of
the example lilo.conf, the "Boot image" and "RAM disk" lines will name your own files.) The map
file that lilo writes (/boot/map) carries the password information too, so it must not be world
readable either.

Step 4
One more security measure you can take to secure the lilo.conf file is to set it immutable, using
the chattr command.

* To set the file immutable, simply use the following command:

[root@deep /]# chattr +i /etc/lilo.conf

This will prevent any changes (accidental or otherwise) to the lilo.conf file. If you wish to
modify the lilo.conf file you will need to unset the immutable flag:

* To unset the immutable flag, use the following command:

[root@deep /]# chattr -i /etc/lilo.conf

WARNING: When you use the "password" option alone, LILO will always ask for the password,
whether or not you pass options at the LILO prompt (e.g. single). The option "restricted" relaxes
the password protection so that a password is required only if parameters are specified at the
LILO prompt. Without "restricted", Linux will always ask for the password and you will not be able
to reboot your system remotely, so don't forget to add the option "restricted" together with the
option "password" in the /etc/lilo.conf file.
Keep in mind what the LILO password protects against: someone at the keyboard passing kernel
parameters. It does nothing against someone who boots the machine from a floppy or CD-ROM or
moves the disk to another machine, so also set the BIOS boot order to the hard disk only, protect
the BIOS setup with a password, and lock the case where you can.
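As an added example (my own, not from the book), the check below reads a lilo.conf and reports the four things this section asks for: a password option, the restricted option that keeps unattended reboots possible, a zero timeout, and a mode of 600 on the file itself. It only looks at global options, not at per-image ones, and the two sample configurations in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the book): check a lilo.conf for the protections discussed above
# (password set, restricted so remote reboots still work, timeout=0) and for the file mode
# that keeps the cleartext password private. Global options only; per-image password/restricted
# lines are not evaluated. Prints one line per problem and returns the number of problems.

check_lilo_conf() {
    f=$1
    problems=0
    # Strip comments and leading whitespace once; lilo.conf options may be indented.
    conf=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$f")

    if ! printf '%s\n' "$conf" | grep -q '^password[[:space:]]*='; then
        echo "$f: no password= option; anyone at the console can pass 'linux single' or init=/bin/sh"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$conf" | grep -q '^restricted$'; then
        echo "$f: no 'restricted'; with password= alone every boot prompts for the password (no unattended reboots)"
        problems=$((problems + 1))
    fi
    # A timeout other than 0, or none at all, leaves a window for typing at the LILO prompt.
    t=$(printf '%s\n' "$conf" | sed -n 's/^timeout[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    case "${t:-unset}" in
        0|00) ;;
        *) echo "$f: timeout=${t:-unset} (expected 0 unless the machine dual boots)"
           problems=$((problems + 1)) ;;
    esac
    # The password is stored in clear text: the file must not be group or world readable.
    mode=$(ls -ld "$f" | cut -c2-10)
    if [ "$mode" != "rw-------" ]; then
        echo "$f: mode is $mode, expected rw------- (chmod 600)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: check_lilo_conf /etc/lilo.conf && echo "lilo.conf looks protected"
```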

Disabling the Ctrl-Alt-Delete keyboard shutdown command
Commenting out (with a "#") the line listed below in your /etc/inittab file will remove the
possibility of using the Control-Alt-Delete key combination to reboot your computer from the
console. This is pretty important if you don't have the best physical security for the machine.

Step 1
* To do this, edit the inittab file (vi /etc/inittab) and comment out the line:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To read:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Step 2
* Now, for the change to take effect, type the following at a prompt:

[root@deep /]# /sbin/init q

The /etc/services file
The port numbers on which certain "standard" services are offered are defined in RFC 1700,
"Assigned Numbers". The /etc/services file enables server and client programs to convert service
names to these numbers (ports). The list is kept on each host and is stored in the file
/etc/services. Only the "root" user is allowed to make modifications to this file. It is rare to
edit the /etc/services file, since it already contains the more common service names and port
numbers. To improve security, we can set the immutable flag on this file to prevent unauthorized
deletion or modification (a daemon that looks up its port by name will listen wherever a
tampered /etc/services tells it to).

* To set the immutable flag on the /etc/services file, use the following command:

[root@deep /]# chattr +i /etc/services

The immutable flag is enforced by the kernel for every user, root included; it must be cleared
with "chattr -i" before the file can be changed, and "lsattr /etc/services" shows whether it is
set.

The /etc/securetty file
The /etc/securetty file allows you to specify which TTY and VC (virtual console) devices the
"root" user is allowed to log in on. The /etc/securetty file is read by the login program (usually
/bin/login). Its format is a list of the tty and vc device names allowed; on all others, i.e. those
commented out or absent from this file, root login is disallowed.
Disable any tty and vc devices that you do not need by commenting them out (# at the beginning
of the line) or by removing them.

* Edit the securetty file (vi /etc/securetty) and comment out or remove the following lines:

vc/1
#vc/2
#vc/3
#vc/4
#vc/5
#vc/6
#vc/7
#vc/8
#vc/9
#vc/10
#vc/11

tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
#tty9
#tty10
#tty11

Which means root is allowed to log in on only tty1 and vc/1. This is my recommendation: allow
"root" to log in on only one tty or vc device and use the su command to switch to "root" if you
need to be "root" on more devices. Note that /etc/securetty only governs programs that consult it
(login, through the pam_securetty module); root logins over SSH are controlled by the
PermitRootLogin setting of sshd instead.


Special accounts
It is important to DISABLE ALL default vendor accounts that you don't use on your system (some
accounts exist by default even if you have not installed the related services on your server).
This should be checked after each upgrade or new software installation. Linux provides these
accounts for various system activities, which you may not need if the services are not installed
on your server. If you do not need the accounts, remove them. The more accounts you have, the
more ways there are into your system.
We assume that you are using the Shadow password suite on your Linux system. If you are not, you
should consider doing so, as it helps to tighten up security somewhat. This is already set if
you've followed our Linux installation procedure and selected, under "Authentication
Configuration", the option "Enable Shadow Passwords" (see the chapter related to the "Installation
of your Linux Server" for more information).

* To delete a user on your system, use the following command:

[root@deep /]# userdel username

* To delete a group on your system, use the following command:

[root@deep /]# groupdel groupname

Step 1
First we will remove all default vendor accounts in the /etc/passwd file that are unnecessary for
the operation of the secure server configuration that we use in this book.

* Type the following commands to delete all the default user accounts listed below:

[root@deep /]# userdel adm
[root@deep /]# userdel lp
[root@deep /]# userdel shutdown
[root@deep /]# userdel halt
[root@deep /]# userdel news
[root@deep /]# userdel mail
[root@deep /]# userdel uucp
[root@deep /]# userdel operator
[root@deep /]# userdel games
[root@deep /]# userdel gopher
[root@deep /]# userdel ftp

WARNING: By default, the userdel command will not delete a user's home directory. If you want the
home directories of accounts to be deleted too, add the -r option to the userdel command. The -r
option should only be used when you have added a new user to the server and want to remove them
again; it is not needed for the removal of the default accounts above, whose "home" directories
are system directories (the mail spool, for instance) that you may still need.
The user account called "mail" must be removed from the system only if you don't use Sendmail as
your default mail server together with the mailx package: this user is related to mailx and not
to Sendmail.

Once the above list of users has been deleted from your Linux system, the /etc/passwd file will
look like this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
sync:x:5:0:sync:/sbin:/bin/sync
nobody:x:99:99:Nobody:/:

Step 2
Now that we have removed all the unnecessary default vendor accounts from the /etc/passwd file,
we will remove the corresponding default vendor groups from the /etc/group file.

* Type the following commands to delete all the default groups listed below:

[root@deep /]# groupdel adm
[root@deep /]# groupdel lp
[root@deep /]# groupdel news
[root@deep /]# groupdel mail
[root@deep /]# groupdel uucp
[root@deep /]# groupdel games
[root@deep /]# groupdel dip

NOTE: The group called "mail" must be removed from the system only if you don't use the mailx
program for "mail". This is probably not what you want, unless you use qmail.

Once the above list of groups has been deleted from your Linux system, the /etc/group file will
look like this:

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin
tty:x:5:
disk:x:6:root
mem:x:8:
kmem:x:9:
wheel:x:10:root
man:x:15:
nobody:x:99:
users:x:100:
floppy:x:19:
slocate:x:21:
utmp:x:22:

Step 3
Finally it is time to add the necessary and allowed users to the system:

* To add a new user on your system, use the following command:

[root@deep /]# useradd username

For example:

[root@deep /]# useradd admin

* To add or change the password of a user on your system, use the following command:

[root@deep /]# passwd username

For example:

[root@deep /]# passwd admin

The output should look something like this:

Changing password for user admin
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

Step 4
The immutable bit can be used to prevent accidental deletion or overwriting of a file that must be
protected. It also defeats the symbolic-link tricks that have been the source of attacks involving
the deletion or overwriting of the /etc/passwd, /etc/shadow, /etc/group or /etc/gshadow files: a
symlink pointing at the file can still be created, but the kernel refuses every write, rename,
unlink or hard link aimed at an immutable target, whoever the caller is.

* To set the immutable bit on the password and group files, use the following commands:

[root@deep /]# chattr +i /etc/passwd
[root@deep /]# chattr +i /etc/shadow
[root@deep /]# chattr +i /etc/group
[root@deep /]# chattr +i /etc/gshadow

WARNING: In the future, if you intend to add or delete users, passwords, groups, or group members,
you must unset the immutable bit on all those files or you will not be able to make your changes.
Also, if you intend to install an RPM package that automatically adds a new user to the immutable
passwd and group files, you will receive an error message during the install if you have not unset
the immutable bit on those files.

* To unset the immutable bit on the password and group files, use the commands:

[root@deep /]# chattr -i /etc/passwd
[root@deep /]# chattr -i /etc/shadow
[root@deep /]# chattr -i /etc/group
[root@deep /]# chattr -i /etc/gshadow
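Because the text says this check must be repeated after every upgrade or package installation, here is an added example (mine, not the book's) that audits a passwd-format file against the short account list the section keeps. It reports accounts outside that list, any UID 0 account other than root, and system accounts (UID below 500, the first regular UID on Red Hat of this era) that still have a real login shell. The KEEP_ACCOUNTS list and the sample file in the usage are constructed; pass the names of your own administrative users as extra arguments.

```shell
#!/bin/sh
# Added example (not from the book): audit a passwd-format file against the accounts this
# chapter keeps. Findings: (1) accounts outside the allow list, (2) UID 0 accounts other than
# root, (3) system accounts (uid < 500) with an interactive shell. Returns the finding count.
# $1 is the file to audit (use a copy of /etc/passwd); further arguments are extra allowed names.

KEEP_ACCOUNTS="root bin daemon sync nobody"      # the list left after Step 1 above

audit_passwd() {
    file=$1; shift
    awk -F: -v keep="$KEEP_ACCOUNTS $*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) if (k[i] != "") allowed[k[i]] = 1 }
        /^[ \t]*(#|$)/ { next }
        NF < 7 { print "malformed line " NR ": " $0; c++; next }
        {
            user = $1; uid = $3; shell = $7
            if (!(user in allowed)) { print "extra account: " user " (uid " uid ")"; c++ }
            if (uid == 0 && user != "root") { print "UID 0 account besides root: " user; c++ }
            if (uid != 0 && uid < 500 && shell != "" && shell !~ /(nologin|false|sync)$/) {
                print "system account with a login shell: " user " -> " shell; c++
            }
        }
        END { exit c }
    ' "$file"
}

# Usage: audit_passwd /etc/passwd admin ; echo "findings: $?"
```

A non-zero result after a package install usually means the package created a service account; decide whether to keep it, and if you keep it, give it a non-login shell.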


Control mounting a file system
You can have more control over the mounting of file systems like the /cache/, /home/ or /tmp/
partitions with some nifty options like noexec, nodev, and nosuid. This can be set up in the
/etc/fstab text file. The fstab file contains descriptive information about the various file
systems and their mount options; each line addresses one file system.
The mount options relevant to security in the fstab file are:

defaults   Use the default options: rw, suid, dev, exec, auto, nouser and async.
noquota    Do not enable user quotas on this partition.
nosuid     Ignore set-user-ID and set-group-ID bits on this partition.
nodev      Do not interpret character or block special devices on this partition.
noexec     Do not allow direct execution of any binaries on this partition.
quota      Enable user quotas on this partition.
ro         Mount this partition read-only.
rw         Mount this partition read-write.
suid       Honour set-user-ID and set-group-ID bits on this partition.

Note that noexec stops direct execution only: an interpreter can still read and run a script
stored on the partition ("sh /tmp/script"), so treat it as one layer of defense, not a guarantee.

NOTE: For more information on the options that you can set in this file (fstab), see the man page
for mount(8).


Step 1
* Edit the fstab file (vi /etc/fstab) and change it depending on your needs. For example,
  change:

LABEL=/cache    /cache    ext2    defaults    1 2
LABEL=/home     /home     ext2    defaults    1 2
LABEL=/tmp      /tmp      ext2    defaults    1 2

To read:

LABEL=/cache    /cache    ext2    defaults,nodev            1 2
LABEL=/home     /home     ext2    defaults,nosuid           1 2
LABEL=/tmp      /tmp      ext2    defaults,nosuid,noexec    1 2

Meaning: nosuid, do not allow set-user-ID or set-group-ID bits to take effect; nodev, do not
interpret character or block special devices on this file system; and noexec, do not allow
execution of any binaries on the mounted file system.

Step 2
Once you have made the necessary adjustments to the /etc/fstab file, it is time to inform the
Linux system about the modifications.

* This can be accomplished with the following commands:

[root@deep /]# mount /cache -oremount
[root@deep /]# mount /home -oremount
[root@deep /]# mount /tmp -oremount

Each file system whose options have been modified must be remounted with the command shown above.
In our example we have modified the /cache, /home, and /tmp file systems, and it is for this reason
that we remount these file systems with the above commands.

* You can verify that the modifications have been correctly applied to the Linux system with the
  following command:

[root@deep /]# cat /proc/mounts
/dev/root    /          ext2    rw                 0 0
/proc        /proc      proc    rw                 0 0
/dev/sda1    /boot      ext2    rw                 0 0
/dev/sda10   /cache     ext2    rw,nodev           0 0
/dev/sda9    /chroot    ext2    rw                 0 0
/dev/sda8    /home      ext2    rw,nosuid          0 0
/dev/sda13   /tmp       ext2    rw,noexec,nosuid   0 0
/dev/sda7    /usr       ext2    rw                 0 0
/dev/sda11   /var       ext2    rw                 0 0
/dev/sda12   /var/lib   ext2    rw                 0 0
none         /dev/pts   devpts  rw                 0 0

This command shows you all the file systems on your Linux server with the options currently applied
to them; /proc/mounts reflects what the kernel is actually enforcing, whereas /etc/fstab only
says what you asked for.

Mounting the /boot directory of Linux as read-only
The /boot directory is where the Linux kernel and some of its related files are kept. On many
Linux variants this directory resides in its own partition and the default is to mount it
read-write. We can change this to mount it read-only for better security.
Mounting the /boot partition as read-only eliminates possible problems of someone trying to
change or modify vital files inside it. To mount the /boot file system of Linux as read-only,
follow the simple steps below.
Step 1
* Edit the fstab file (vi /etc/fstab) and change the line:

LABEL=/boot    /boot    ext2    defaults    1 2

To read:

LABEL=/boot    /boot    ext2    defaults,ro    1 2

We add the "ro" option to this line to specify that this partition is to be mounted read-only.
Step 2
Make the Linux system aware of the modification you have made to the /etc/fstab file.

* This can be accomplished with the following command:

[root@deep /]# mount /boot -oremount

* Then test your results with the following command:

[root@deep /]# cat /proc/mounts
/dev/root    /          ext2    rw                 0 0
/proc        /proc      proc    rw                 0 0
/dev/sda1    /boot      ext2    ro                 0 0
/dev/sda10   /cache     ext2    rw,nodev           0 0
/dev/sda9    /chroot    ext2    rw                 0 0
/dev/sda8    /home      ext2    rw,nosuid          0 0
/dev/sda13   /tmp       ext2    rw,noexec,nosuid   0 0
/dev/sda7    /usr       ext2    rw                 0 0
/dev/sda11   /var       ext2    rw                 0 0
/dev/sda12   /var/lib   ext2    rw                 0 0
none         /dev/pts   devpts  rw                 0 0

If you see a line like "/dev/sda1 /boot ext2 ro 0 0", congratulations!

WARNING: If in the future you want to upgrade your Linux kernel, it is important to reset the
modification you have made to the /boot directory to its initial state (read-write), or you will
not be able to install the new kernel because the /boot partition is mounted read-only. The same
applies whenever you run /sbin/lilo, since it rewrites the map file under /boot. All you have to do
to put the /boot partition back in its original state is to edit the /etc/fstab file again, remove
the "ro" option and remount the /boot file system with the "mount -oremount" command again.
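The mount-option policy of the last two sections (nosuid and noexec on /tmp, nosuid on /home, nodev on /cache, ro on /boot) can be checked mechanically against either /etc/fstab or /proc/mounts, which share the same column layout. The function below is an added example of such a check, my own code rather than the book's; the POLICY table is an assumption drawn from the examples above, and the two sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the book): check an fstab, or /proc/mounts (same columns: device,
# mount point, type, options, dump, pass), against the mount-option policy of this chapter.
# Prints one line per missing option or missing mount point and returns the number of findings.

# mountpoint:required,options  (assumed policy, taken from the chapter's examples)
POLICY="/tmp:nosuid,noexec /home:nosuid /cache:nodev /boot:ro"

check_mount_options() {
    awk -v policy="$POLICY" '
        BEGIN {
            n = split(policy, p, " ")
            for (i = 1; i <= n; i++) { split(p[i], kv, ":"); want[kv[1]] = kv[2] }
        }
        /^[ \t]*(#|$)/ { next }
        NF >= 4 && ($2 in want) {
            seen[$2] = 1
            m = split(want[$2], need, ",")
            for (j = 1; j <= m; j++) {
                # Compare whole option words, so "ro" does not match "errors=remount-ro".
                if ("," $4 "," !~ ("," need[j] ",")) {
                    print $2 ": missing " need[j] " (options: " $4 ")"; c++
                }
            }
        }
        END {
            for (mp in want) if (!(mp in seen)) { print mp ": not present in " FILENAME; c++ }
            exit c
        }
    ' "$1"
}

# Usage: check_mount_options /etc/fstab && check_mount_options /proc/mounts && echo "policy holds"
```

Running it on both files catches the two ways the policy drifts: an fstab that was never edited, and a partition that was edited in fstab but never remounted.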


Conceal the RPM binary
Once you have installed all the software that you need on your Linux server with the RPM command,
it's a good idea to move it to a safe place like a floppy disk or another safe place of your
choice. With this method, if someone accesses your server with the intention of installing nasty
software with the RPM command, he won't be able to. Of course, if in the future you want to
install or upgrade software via RPM, all you have to do is put the RPM binary back in its original
directory again.

* To move the RPM binary onto the floppy disk, use the commands:

[root@deep /]# mount /dev/fd0H1440 /mnt/floppy/
[root@deep /]# mv /bin/rpm /mnt/floppy/
[root@deep /]# umount /mnt/floppy/

WARNING: Never uninstall the RPM program completely from your system or you will be unable to
reinstall it later, since to install RPM or other packages you need to have the RPM commands
available. Note also that this only raises the bar: an intruder who already has root can bring
his own copy of rpm or simply unpack files by hand, so treat it as an inconvenience for the
careless rather than a control.
One more thing you can do is change the default permission of the "rpm" command from 755 to 700.
With this modification, non-root users can't use the "rpm" program to query, install, etc., in
case you forget to move it to a safe place after installing new programs.

* To change the default permission of /bin/rpm, use the command:

[root@deep /]# chmod 700 /bin/rpm

Shell logging
To make it easy for you to repeat long commands, the bash shell stores the last HISTSIZE commands
in the ~/.bash_history file (where "~/" is your home directory); bash's built-in default is 500,
and the Red Hat /etc/profile raises it to 1000. Each user that has an account on the system will
have this .bash_history file in their home directory. Reducing the number of old commands the
.bash_history files can hold may protect users on the server who by mistake type their password
on the command line in plain text, and would otherwise have their password stored for a long time
in the .bash_history file.
Step 1
The HISTSIZE line in the /etc/profile file determines how many old commands the .bash_history
file can hold for all users on your system. For all accounts I would highly recommend setting
HISTSIZE in the /etc/profile file to a low value such as 10.

* Edit the profile file (vi /etc/profile) and change the line:

HISTSIZE=1000

To read:

HISTSIZE=10

Which means the .bash_history file in each user's home directory can store 10 old commands and
no more. Now, if a cracker tries to read the ~/.bash_history files of users on your server to find
a password typed by mistake in plain text, he or she has less chance of finding one.

Step 2
The administrator should also add the line "HISTFILESIZE=0" to the /etc/profile file, so that
each time a user logs out his .bash_history file is truncated to zero lines; crackers will then
not be able to read the .bash_history files of users who are not currently logged in.

* Edit the profile file (vi /etc/profile) and add the following parameter below the "HISTSIZE="
  line:

HISTFILESIZE=0

After this parameter has been set on your system, you must log out and log in again (as root) for
the change to take effect. As with TMOUT earlier in this chapter, HISTSIZE and HISTFILESIZE are
ordinary shell variables that a user can reset in his own shell; these settings protect the
careless, not against a user who wants to keep a history.
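The three /etc/profile settings of this chapter (TMOUT from the root time-out section, HISTSIZE and HISTFILESIZE from this one) are applied by the added example below, which is my own code and not the book's. It edits a profile-style file idempotently, declares TMOUT read-only so that "unset TMOUT" fails, and reads the resulting values back by sourcing the file in a throwaway shell. The sample profile fragment in the usage is constructed; try it on a copy before touching /etc/profile.

```shell
#!/bin/sh
# Added example (not from the book): set the /etc/profile controls from this chapter in a
# profile-style file, idempotently, and mark TMOUT read-only so a user cannot simply
# "unset TMOUT" to defeat the idle logout. $1 is the file to edit (work on a copy first).

set_profile_var() {
    # $1 file, $2 name, $3 value: replace an existing NAME=... line or append one.
    f=$1; name=$2; value=$3
    if grep -q "^$name=" "$f"; then
        sed "s|^$name=.*|$name=$value|" "$f" > "$f.tmp.$$" && mv "$f.tmp.$$" "$f"
    else
        printf '%s=%s\n' "$name" "$value" >> "$f"
    fi
}

harden_profile() {
    f=$1
    set_profile_var "$f" HISTSIZE 10          # at most 10 commands remembered
    set_profile_var "$f" HISTFILESIZE 0       # ~/.bash_history truncated to nothing at exit
    set_profile_var "$f" TMOUT 7200           # idle interactive shells exit after 2 hours
    # readonly must come after the assignment; appended once, at the end of the file.
    grep -q '^readonly TMOUT' "$f" || printf 'readonly TMOUT\n' >> "$f"
    grep -q '^export HISTSIZE HISTFILESIZE' "$f" || printf 'export HISTSIZE HISTFILESIZE\n' >> "$f"
}

profile_value() {
    # Source the file in a fresh shell and print the resulting value of the variable named $2.
    sh -c ". \"$1\"; printf '%s' \"\$$2\""
}

# Usage: cp /etc/profile /root/profile.new && harden_profile /root/profile.new \
#        && echo "TMOUT=$(profile_value /root/profile.new TMOUT)"
```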

Physical hard copies of all-important logs
One of the most important security considerations is the integrity of the different log files
under the /var/log/ directory on your server. If, despite each of the security functions put in
place on our server, a cracker gains access to it, our last defense is the logging system, so it
is very important to consider a method of being sure of the integrity of our log files.
If you have a printer installed on your server, or on a machine on your network, a good idea
would be to have actual physical hard copies of all-important logs. This can be easily
accomplished by using a continuous feed printer and having the syslog program send all logs you
deem important to /dev/lp0 (the printer device). A cracker can change the files, programs, etc.
on your server, but can do nothing about the paper copy of every message printed before he got
in. Keep in mind what this does and does not give you: once an intruder has root he can stop
syslogd or pull the printer cable, so the hard copy is a faithful record only up to that moment,
and a printer that runs out of paper stops recording silently.
As an example:
For logging of all telnet, mail, boot messages and ssh connections from your server to the
printer attached to THIS server, you would want to add the following line to the
/etc/syslog.conf file:
Step 1
* Edit the syslog.conf file (vi /etc/syslog.conf) and add at the end of this file the following
  line:

authpriv.*;mail.*;local7.*;auth.*;daemon.info        /dev/lp0

Step 2
* Now restart your syslog daemon for the change to take effect:

[root@deep /]# /etc/rc.d/init.d/syslog restart
Shutting down kernel logger:                          [OK]
Shutting down system logger:                          [OK]
Starting system logger:                               [OK]
Starting kernel logger:                               [OK]

As an example:
For logging of all telnet, mail, boot messages and ssh connections from your server to a printer
attached to a REMOTE server on your local network, you would add the following line to the
/etc/syslog.conf file on the REMOTE server.

Step 1
* Edit the syslog.conf file (vi /etc/syslog.conf) on the REMOTE server (for example:
  printer.openna.com) and add at the end of this file the following line:

authpriv.*;mail.*;local7.*;auth.*;daemon.info        /dev/lp0

If you don't have a printer on your network, you can also copy all the log files to another
machine; simply omit the first step above of adding /dev/lp0 to the syslog.conf file on the remote
host and go directly to the "-r" option in the second step on the remote host. Copying all the log
files to another machine gives you the possibility of controlling all syslog messages on one host
and reduces administration.
Step 2
Since the default configuration of the syslog daemon is to not receive any messages from the
network, we must enable on the REMOTE server the facility to receive messages from the network.
To do so, add the option "-r" to your syslog daemon script file (only on the REMOTE host):

* Edit the syslog daemon script (vi +24 /etc/rc.d/init.d/syslog) and change:

daemon syslogd -m 0

To read:

daemon syslogd -r -m 0

Step 3
* Restart your syslog daemon on the REMOTE host for the change to take effect:

[root@printer /]# /etc/rc.d/init.d/syslog restart
Shutting down kernel logger:                          [OK]
Shutting down system logger:                          [OK]
Starting system logger:                               [OK]
Starting kernel logger:                               [OK]

Step 4
* If we have a firewall on the REMOTE server (you are supposed to have one), we must add or
  verify the existence of the following lines:

# SYSLOG server (514)
# -----------------
# Provides full remote logging. Using this feature you're able to
# control all syslog messages on one host.
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         -s $SYSLOG_CLIENT \
         -d $IPADDR --destination-port 514 -j ACCEPT

Where:

EXTERNAL_INTERFACE="eth0"                # Internet or internal connected interface
IPADDR="208.164.186.10"                  # Your IP address
SYSLOG_CLIENT="208.164.186.0/24"         # Your syslog clients' IP range

The destination port must be 514, the port syslogd -r listens on. The rule deliberately does not
match on the source port: sysklogd sends from port 514 itself, while other syslog implementations
send from an unprivileged port. The SYSLOG_CLIENT range must contain the address of each client
(208.164.186.1 in the example below).

Step 5
* Now restart your firewall on the REMOTE host for the change to take effect:

[root@printer /]# /etc/rc.d/init.d/iptables restart
Shutting Firewalling Services:                        [OK]
Starting Firewalling Services:                        [OK]

This firewall rule will allow incoming UDP packets on port 514 (the syslog port) on the remote
server that come from our internal clients to be accepted. For more information on firewalls see
the chapter relating to network firewalls.
Step 6
* Edit the syslog.conf file (vi /etc/syslog.conf) on the LOCAL server, and add at the end of
  this file the following line:

authpriv.*;mail.*;local7.*;auth.*;daemon.info        @printer

Where "printer" is the hostname of the REMOTE server. Now if anyone ever hacks your machine and
attempts to erase vital system logs, you still have a copy of everything up to that point on
another machine. It should then be fairly simple to trace where they came from and deal with it
accordingly.
Step 7
* Restart your syslog daemon on the LOCAL server for the change to take effect:

[root@deep /]# /etc/rc.d/init.d/syslog restart
Shutting down kernel logger:                          [OK]
Shutting down system logger:                          [OK]
Starting system logger:                               [OK]
Starting kernel logger:                               [OK]

Step 8
* As on the REMOTE host, we must add or verify the existence of the following lines in our
  firewall script file on the LOCAL host:

# SYSLOG client (514)
# -----------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR \
         -d $SYSLOG_SERVER --destination-port 514 -j ACCEPT

Where:

EXTERNAL_INTERFACE="eth0"                # Internet or internal connected interface
IPADDR="208.164.186.1"                   # Your IP address
SYSLOG_SERVER="printer.openna.com"       # Your printer server in our example

Step 9
* Finally, restart your firewall on the LOCAL host for the change to take effect:

[root@deep /]# /etc/rc.d/init.d/iptables restart
Shutting Firewalling Services:                        [OK]
Starting Firewalling Services:                        [OK]

This firewall rule will allow outgoing UDP packets from the local server to port 514 on the remote
syslog server to be accepted (again without matching on the source port, for the reason given in
Step 4). Repeat steps 6 through 9 for each additional server whose all-important logs you want
sent to the remote printer server. For more information on firewalls see the chapter relating to
network firewalls.



WARNING: Never use your Gateway Server as the host that collects all syslog messages; this is a
very bad idea. Remember also that syslog over the network is plain UDP: messages are neither
authenticated nor encrypted, anyone on the path can read, forge or drop them, and the sender never
learns that a message was lost. Keep the log host on an internal network and filter port 514 to
the known clients as shown above. More options and strategies exist with the sysklogd program;
see the man pages for sysklogd(8), syslog(2) and syslog.conf(5) for more information.
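Whether a syslog.conf really sends every important facility off the box is easy to get wrong (a "mail.none" in a catch-all selector silently drops mail, for instance). The function below is an added example, my own rather than the book's, that parses the selector lists of syslog.conf(5) and reports which of the facilities used in this section have a copy going to an "@host" or to /dev/lp0 and which are logged locally only. The IMPORTANT_FACILITIES list follows the selector line above; the sample configurations in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the book): verify that a syslog.conf forwards the facilities this
# chapter calls important to a remote host ("@host") or to the printer (/dev/lp0), and report
# which ones only exist in local files. Handles "fac1,fac2.prio" lists, the "*" facility and
# ".none" exclusions within one line. Returns the number of facilities with no off-box copy.

IMPORTANT_FACILITIES="authpriv auth mail daemon local7"      # from the selector line above

check_offbox_logging() {
    awk -v facs="$IMPORTANT_FACILITIES" '
        BEGIN { n = split(facs, f, " "); for (i = 1; i <= n; i++) want[f[i]] = 1 }
        /^[ \t]*(#|$)/ { next }
        NF >= 2 {
            action = $NF
            # Only a remote host or the printer is a copy an intruder on this box cannot erase.
            if (action !~ /^@/ && action != "/dev/lp0") next
            split("", cov)                               # per-line coverage
            m = split($1, sel, ";")
            for (j = 1; j <= m; j++) {
                split(sel[j], fp, ".")                   # facility-list . priority
                nf = split(fp[1], fl, ",")
                for (k = 1; k <= nf; k++) {
                    if (fl[k] == "*") { for (w in want) cov[w]  = (fp[2] != "none") }
                    else if (fl[k] in want) cov[fl[k]] = (fp[2] != "none")
                }
            }
            for (w in cov) if (cov[w]) covered[w] = action
        }
        END {
            for (w in want) {
                if (w in covered) print w ": copied to " covered[w]
                else { print w ": local only"; c++ }
            }
            exit c
        }
    ' "$1"
}

# Usage: check_offbox_logging /etc/syslog.conf ; echo "facilities kept only locally: $?"
```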


Tighten scripts under /etc/rc.d/init.d/
Fix the permissions of the script files that are responsible for starting and stopping all your
normal processes that need to run at boot time.

* To fix the permissions of those files, use the following command:

[root@deep /]# chmod -R 700 /etc/rc.d/init.d/*

Which means only the super-user "root" is allowed to read, write, and execute the script files in
this directory. I don't think regular users need to know what's inside those script files (they
reveal which daemons run and with which options, and sometimes where their configuration lives).

WARNING: If you install a new program or update a program that uses a System V init script
located under the /etc/rc.d/init.d/ directory, don't forget to change or verify the permissions
of this script file again, since the package installs it with its own mode.

The /etc/rc.local file
By default, when you log in to a Linux machine, it tells you the Linux distribution name, version,
kernel version, and the name of the server. This is giving away too much information. We'd rather
just prompt users with a "Login:" prompt.
Step 1
* To do this, edit the rc.local file (vi /etc/rc.local) and place a "#" in front of the following
  lines as shown:

--
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
--
Step 2
* Then, remove the files issue.net and issue under the /etc/ directory:

[root@deep /]# rm -f /etc/issue
[root@deep /]# rm -f /etc/issue.net


WARNING: The /etc/issue.net file is the login banner that users see when they make a networked
(i.e. telnet) connection to your machine. You will find it in the /etc directory, along with a
similar file called issue, which is the login banner displayed to local users. It is simply a text
file and can be customized to your own taste, but be aware that, as noted above, if you change it
or remove it as we do, you'll also need to modify the /etc/rc.d/rc.local shell script, which
re-creates both the issue and issue.net files every time the system boots.


Bits from root-owned programs
A regular user will be able to run a program as root if it is set to SUID root. All programs and files on your computer with the 's' bit appearing in their mode have the SUID (-rwsr-xr-x) or SGID (-r-xr-sr-x) bit enabled. Because these programs grant special privileges to the user who is executing them, it is important to remove the 's' bits from root-owned programs that don't absolutely require such privilege. This can be accomplished by executing the command chmod a-s with the name(s) of the SUID/SGID files as its arguments.
Such programs include, but aren't limited to:

* Programs you never use.
* Programs that you don't want any non-root users to run.
* Programs you use occasionally, and don't mind having to su(1) to root to run.

We've placed an asterisk (*) next to each program we personally might disable and consider to be not absolutely required for the duty work of the server. Remember that your system needs some SUID root programs to work properly, so be careful.
Step 1
* To find all files with the 's' bits from root-owned programs, use the command:
[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

*-rwsr-xr-x 1 root root    34220 Jul 18 14:13 /usr/bin/chage
*-rwsr-xr-x 1 root root    36344 Jul 18 14:13 /usr/bin/gpasswd
-rwxr-sr-x  1 root man     35196 Jul 12 03:50 /usr/bin/man
-r-s--x--x  1 root root    13536 Jul 12 07:56 /usr/bin/passwd
-rwxr-sr-x  1 root mail    10932 Jul 12 10:03 /usr/bin/suidperl
-rwsr-sr-x  1 root mail    63772 Jul 12 10:03 /usr/bin/sperl5.6.0
-rwxr-sr-x  1 root slocate 23964 Jul 23 17:48 /usr/bin/slocate
*-r-xr-sr-x 1 root tty      6524 Jul 12 03:19 /usr/bin/wall
*-rws--x--x 1 root root    13184 Jul 21 19:15 /usr/bin/chfn
*-rws--x--x 1 root root    12640 Jul 21 19:15 /usr/bin/chsh
*-rws--x--x 1 root root     5464 Jul 21 19:15 /usr/bin/newgrp
*-rwxr-sr-x 1 root tty      8500 Jul 21 19:15 /usr/bin/write
*-rwsr-xr-x 1 root root     6288 Jul 26 10:22 /usr/sbin/usernetctl
-rwxr-sr-x  1 root utmp     6584 Jul 13 00:46 /usr/sbin/utempter
*-rwsr-xr-x 1 root root    20540 Jul 25 07:33 /bin/ping
-rwsr-xr-x  1 root root    14184 Jul 12 20:47 /bin/su
*-rwsr-xr-x 1 root root    55356 Jul 12 05:01 /bin/mount
*-rwsr-xr-x 1 root root    25404 Jul 12 05:01 /bin/umount
*-rwxr-sr-x 1 root root     4116 Jul 26 10:22 /sbin/netreport
-r-sr-xr-x  1 root root    14732 Jul 26 14:06 /sbin/pwdb_chkpwd
-r-sr-xr-x  1 root root    15340 Jul 26 14:06 /sbin/unix_chkpwd


Step 2
* To disable the suid bits on the selected programs above, type the following commands:
[root@deep /]# chmod a-s /usr/bin/chage
[root@deep /]# chmod a-s /usr/bin/gpasswd
[root@deep /]# chmod a-s /usr/bin/wall
[root@deep /]# chmod a-s /usr/bin/chfn
[root@deep /]# chmod a-s /usr/bin/chsh
[root@deep /]# chmod a-s /usr/bin/newgrp
[root@deep /]# chmod a-s /usr/bin/write
[root@deep /]# chmod a-s /usr/sbin/usernetctl
[root@deep /]# chmod a-s /bin/ping
[root@deep /]# chmod a-s /bin/mount
[root@deep /]# chmod a-s /bin/umount
[root@deep /]# chmod a-s /sbin/netreport

If you want to know what those programs do, type "man program-name" and read the man page.
As an example:
* To read the netreport man page, use the following command:
[root@deep /]# man netreport


Finding all files with the SUID/SGID bit enabled
All SUID and SGID files that still exist on your system after we have removed those that don't absolutely require such privilege are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs are not installed. A favorite trick of crackers is to exploit SUID "root" programs, and leave a SUID program as a backdoor to get in the next time. Find all SUID and SGID programs on your system, and keep track of what they are so that you are aware of any changes, which could indicate a potential intruder.

* Use the following command to find all SUID/SGID programs on your system:
[root@deep /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

When you have, for example, the home directories of the user accounts mountable on all servers, then this find command will check the same home directory on every server (SUIDs on mounted file systems are not effective). If there are more mounted file systems on the servers, then this can take some time, which is actually a waste of time.

* In this case, you can avoid this by executing the following command (see '-fstype'):
[root@deep /]# find / \( ! -fstype nfs -o -prune \) -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

NOTE: See later in this book the chapter related to "Securities Software - Monitoring Tools" for more information about the software named "sXid" that will do the job for you automatically each day and report the results via mail.
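The change tracking this section asks for (keep a record of your SUID/SGID programs and notice when it changes), as an added example that is not the book's code: a POSIX shell script that snapshots SUID/SGID files with the same find predicates used above, saves a baseline, and reports files that appeared, disappeared or changed mode since. The directory tree, the file names and the mode changes are constructed sample data so the script runs without root; for real use point the snapshot at / and keep the baseline where only root can write it. It uses -xdev to stay on one file system rather than the -fstype nfs prune shown above; both serve the same purpose.

```shell
#!/bin/sh
# Added example (not from the book): baseline and compare SUID/SGID files.
LC_ALL=C; export LC_ALL    # deterministic sort order, required by comm(1)

# List SUID/SGID regular files under $1 as "mode owner group path", sorted.
# Same -perm test as the book's find command; -xdev stays on one file system.
suid_snapshot() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \; \
        | awk '{ print $1, $3, $4, $NF }' | sort
}

# Compare a saved baseline ($1) with a fresh snapshot ($2): one line per change.
# A file whose mode or owner changed shows up once as NEW and once as MISSING.
suid_diff() {
    comm -13 "$1" "$2" | sed 's/^/NEW     /'
    comm -23 "$1" "$2" | sed 's/^/MISSING /'
}

# Constructed tree: two stand-ins for privileged programs plus an ordinary file.
make_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/bin"
    printf '#!/bin/sh\n' > "$d/usr/bin/chage"; chmod 4755 "$d/usr/bin/chage"   # SUID
    printf '#!/bin/sh\n' > "$d/usr/bin/wall";  chmod 2755 "$d/usr/bin/wall"    # SGID
    printf '#!/bin/sh\n' > "$d/bin/ls";        chmod 0755 "$d/bin/ls"          # neither
    echo "$d"
}

# Full cycle on the constructed tree: baseline, two simulated events, report.
demo_changes() {
    tree=$(make_tree)
    suid_snapshot "$tree" > "$tree/baseline.txt"
    # Event 1: an administrator ran chmod a-s on wall (expected, but worth a record).
    chmod a-s "$tree/usr/bin/wall"
    # Event 2: an unexpected SUID file appeared under bin/ (constructed stand-in).
    printf '#!/bin/sh\n' > "$tree/bin/.sh"; chmod 4755 "$tree/bin/.sh"
    suid_snapshot "$tree" > "$tree/current.txt"
    suid_diff "$tree/baseline.txt" "$tree/current.txt"
    rm -rf "$tree"
}
```

Run demo_changes to see the two report lines; in daily use you would save suid_snapshot / to a baseline once, then run suid_diff against a fresh snapshot from cron and mail any non-empty output to root, which is what the sXid tool mentioned in the NOTE automates.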


Don't let internal machines tell the server what their MAC address is
To avoid the risk that a user could easily change a computer's IP address and appear as someone else to the firewall, you can force the ARP cache entries of Linux using the arp command utility. A special option can be used with the arp utility to avoid letting INTERNAL machines tell the server what their MAC (Media Access Control) address is and the IP address associated with it. arp is a small utility which manipulates the kernel's ARP (Address Resolution Protocol) cache. Of all the options associated with this utility, the primary ones are clearing an address mapping entry and manually setting one up. To better secure our server from the INTERNAL network, we will set the MAC addresses (sometimes called hardware addresses) of all known computers in our network statically by using static ARP entries.

Step 1
* For each IP address of the INTERNAL computers in your network, use the following command to find the MAC address associated with the IP address:
[root@deep /]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:DA:C6:D3:FF
          inet addr:207.35.78.3  Bcast:207.35.78.32  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1887318 errors:0 dropped:0 overruns:1 frame:0
          TX packets:2709329 errors:0 dropped:0 overruns:0 carrier:1
          collisions:18685 txqueuelen:100
          Interrupt:10 Base address:0xb000

eth1      Link encap:Ethernet  HWaddr 00:50:DA:C6:D3:09
          inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:182937 errors:0 dropped:0 overruns:0 frame:0
          TX packets:179612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:7434 txqueuelen:100
          Interrupt:11 Base address:0xa800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:7465 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7465 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

The MAC (Media Access Control) address will be the letters and numbers that come after "HWaddr" (the Hardware Address). In the above example our MAC addresses are: 00:50:DA:C6:D3:FF for the interface eth0 and 00:50:DA:C6:D3:09 for the interface eth1.

Step 2
Once we know the MAC (Media Access Control) address associated with each IP address, we can add them manually to the ARP entries of the Linux server.

* To manually add MAC addresses to the ARP entries, use the following command:
[root@deep /]# arp -s 207.35.78.3 00:50:DA:C6:D3:FF
[root@deep /]# arp -s 192.168.1.11 00:50:DA:C6:D3:09

The "-s" option means to manually create an ARP address mapping entry for host hostname with hardware address set to hw_addr class. You can add your arp commands to the /etc/rc.d/rc.local file if you want to keep your configuration when the system reboots.

Step 3
* To verify that the modifications have been added to the system, use the following command:
[root@deep /]# arp
Address       Hwtype  Hwaddress          Flags Mask  Iface
207.35.78.3   ether   00:20:78:13:86:92  CM          eth1
192.168.1.11  ether   00:E0:18:90:1B:56  CM          eth1

WARNING: If you receive an error message like "SIOCSARP: Invalid argument", it is because the MAC (Media Access Control) address you want to add is the one of your server. You must add only the MAC addresses of INTERNAL computers in your private network. This hack doesn't apply to external nodes on the Internet.

You can now be reassured that someone will not change the IP address of an INTERNAL system and get through. If they do change the IP address, the server simply won't talk to them. With the new iptables tool of Linux, which replaces the old ipchains utility for packet filter administration and firewall setup, MAC addresses can be filtered and configured in the firewall rules too.
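Generating the rc.local lines from a table of known hosts, as an added example that is not the book's code: the ifconfig text and the host table below are constructed sample data in the format shown in Step 1, and the function names are mine. The script extracts the server's own HWaddr values, rejects malformed MAC addresses, and skips any entry that names the server's own address, which is exactly the case the SIOCSARP warning above describes. The /sbin/arp path is assumed; use whatever "which arp" reports on your system.

```shell
#!/bin/sh
# Added example (not from the book): build "arp -s" lines for rc.local with
# the two checks that keep the static entries valid.

# Constructed ifconfig output (sample data, same layout as the book's Step 1).
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:50:DA:C6:D3:FF
          inet addr:207.35.78.3  Bcast:207.35.78.32  Mask:255.255.255.224
eth1      Link encap:Ethernet  HWaddr 00:50:DA:C6:D3:09
          inet addr:192.168.1.11  Bcast:192.168.1.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

# Constructed host table, "ip mac" per line. One entry reuses the server's own
# eth1 address and one has a truncated MAC, to exercise both checks.
HOSTS_SAMPLE='192.168.1.20 00:E0:18:90:1B:56
192.168.1.21 00:20:78:13:86:92
192.168.1.11 00:50:DA:C6:D3:09
192.168.1.22 00:20:78:13:86'

# Print the server's own MAC addresses (upper case) from ifconfig text on stdin.
own_macs() {
    sed -n 's/.*HWaddr \([0-9A-Fa-f:]*\).*/\1/p' | tr 'a-f' 'A-F'
}

# Exit 0 when $1 is six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read "ip mac" lines on stdin; $1 is the newline-separated list of the server's
# own MACs. Emits one arp -s line per acceptable host on stdout and a diagnostic
# per skipped host on stderr.
static_arp_lines() {
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        umac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
        if ! valid_mac "$umac"; then
            echo "skip $ip: malformed MAC '$mac'" >&2
        elif printf '%s\n' "$1" | grep -qx "$umac"; then
            echo "skip $ip: $umac is this server's own address (arp -s would fail with SIOCSARP)" >&2
        else
            echo "/sbin/arp -s $ip $umac"
        fi
    done
}

# Run on the sample data and print the fragment to append to /etc/rc.d/rc.local.
demo_rc_local() {
    mine=$(printf '%s\n' "$IFCONFIG_SAMPLE" | own_macs)
    printf '%s\n' "$HOSTS_SAMPLE" | static_arp_lines "$mine"
}
```

On a real server replace the two sample variables with "ifconfig" output and your own inventory of internal hosts; the stderr diagnostics tell you which inventory lines need fixing before the entries go into rc.local.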


Unusual or hidden files
It is important to look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by the "ls" command), as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.). A common technique on UNIX systems is to put a hidden directory or file in a user's account with an unusual name, something like '...' or '.. ' (dot dot space) or '..^G' (dot dot control-G). The find program can be used to look for hidden files.

* To look for hidden files, use the following commands:
[root@deep /]# find / -name ".. " -print -xdev
[root@deep /]# find / -name ".*" -print -xdev | cat -v

WARNING: Files with names such as '.xx' and '.mail' have been used (that is, files that might appear to be normal).


Finding Group and World Writable files and directories
Group and world writable files and directories, particularly system files (partitions), can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he or she wishes in these directories. In the normal course of operation, several files will be writable, including some from the /dev/ and /var/catman/ directories, and all symbolic links on your system.

* To locate all group & world-writable files on your system, use the command:
[root@deep /]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;

* To locate all group & world-writable directories on your system, use the command:
[root@deep /]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
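The two searches of this and the previous section ("Unusual or hidden files" and writable files and directories) combined into one script, as an added example that is not the book's code. It uses the book's find predicates and extends the ".. " search to any name made of dots or containing a control character (the '..^G' case), with cat -v making such characters visible, and it skips symbolic links, which the text notes are always writable. The directory tree is constructed sample data so the script runs without root; pass / as the argument for a real scan.

```shell
#!/bin/sh
# Added example (not from the book): hidden-name and writable-permission scans.

# Hidden entries whose name is more than a plain dotfile: dot-dot-space or
# dot-dot-dot style names, or any name containing a control character.
# cat -v renders control characters as ^G etc. so they show up in the report.
suspicious_hidden() {
    find "$1" -xdev -name '.*' \
        \( -name '.. *' -o -name '...*' -o -name '*[[:cntrl:]]*' \) -print | cat -v
}

# Group- or world-writable files and directories (the book's -perm -2 / -perm -20
# test). -type f / -type d excludes symbolic links, whose mode is always 0777.
writable_entries() {
    find "$1" -xdev \( -type f -o -type d \) \( -perm -2 -o -perm -20 \) -print
}

# Constructed tree: two legitimate dot entries that must not be reported, three
# suspicious names, and three writable entries with explicit modes.
make_tree() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.. " "$d/home/bob/..." "$d/home/bob/.ssh" "$d/etc" "$d/var/drop"
    printf 'x\n' > "$d/home/alice/.bashrc"                 # ordinary dotfile: not reported
    printf 'x\n' > "$d/home/alice/..$(printf '\007')"      # dot dot control-G: reported
    printf 'x\n' > "$d/home/alice/notes"; chmod 664 "$d/home/alice/notes"  # group-writable
    printf 'x\n' > "$d/etc/passwd.bak";   chmod 666 "$d/etc/passwd.bak"    # world-writable
    chmod 777 "$d/var/drop"                                                 # world-writable dir
    echo "$d"
}

# Report suspicious hidden names in the constructed tree, then clean up.
demo_hidden() {
    t=$(make_tree)
    suspicious_hidden "$t"
    rm -rf "$t"
}

# Report writable files and directories in the constructed tree, then clean up.
demo_writable() {
    t=$(make_tree)
    writable_entries "$t"
    rm -rf "$t"
}
```

A real scan of / will list legitimate writable entries under /dev and /tmp as the text says; the point of running it regularly is to diff the output against the previous run, as with the SUID/SGID baseline, not to read the whole list each time.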


WARNING: A file and directory integrity checker like the "Tripwire" software can be used regularly to scan, manage and find modified group or world writable files and directories easily. See later in this book the chapter related to "Securities Software - System Integrity" for more information about Tripwire.


Unowned files
Don't permit any unowned file. Unowned files may also be an indication that an intruder has accessed your system. If you find an unowned file or directory on your system, verify its integrity, and if all looks fine, give it an owner name. Sometimes you may uninstall a program and get an unowned file or directory related to this software; in this case you can remove the file or directory safely.

* To locate files on your system that do not have an owner, use the following command:
[root@deep /]# find / -nouser -o -nogroup

WARNING: It is important to note that files reported under the /dev/ directory don't count.


Finding .rhosts files
Finding all existing .rhosts files that could exist on your server should be a part of your regular system administration duties, as these files should not be permitted on your system. Remember that a cracker only needs one insecure account to potentially gain access to your entire network.

Step 1
* You can locate all existing .rhosts files on your system with the following command:
[root@deep /]# find /home -name .rhosts

If the result returns nothing, then you are safe and your system contains no .rhosts files in the /home/ directory at this time. If you are doing a new install of Linux (like we did), you should not have any .rhosts files on your system.

Step 2
You can also use a cron job to periodically check for, report the contents of, and delete $HOME/.rhosts files. Also, users should be made aware that you regularly perform this type of audit, as directed by your security policy.

* To use a cron job to periodically check and report via mail all .rhosts files, create as "root" the find_rhosts_files script file under the /etc/cron.daily/ directory (touch /etc/cron.daily/find_rhosts_files) and add the following lines in this script:

#!/bin/sh
# Mail root the list of .rhosts files found under /home. The here-document
# supplies the report header; the trailing cat appends the find output to it.
/usr/bin/find /home -name .rhosts | (cat <<EOF
This is an automated report of possible existent ".rhosts" files on the server
deep.openna.com, generated by the find utility command.

New detected ".rhosts" files under the "/home/" directory include:
EOF
cat
) | /bin/mail -s "Content of .rhosts file audit report" root



* Now make this script executable, verify the owner, and change the group to "root".
[root@deep /]# chmod 755 /etc/cron.daily/find_rhosts_files
[root@deep /]# chown 0.0 /etc/cron.daily/find_rhosts_files

Each day mail will be sent to "root" with the subject "Content of .rhosts file audit report" containing potential new .rhosts files.

System is compromised!
If you believe that your system has been compromised, contact the CERT ® Coordination Center or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: cert@cert.org
CERT Hotline: (+1) 412-268-7090
Facsimile: (+1) 412-268-6989

CERT/CC personnel answer 8:00 a.m. - 8:00 p.m. EST (GMT -5) / EDT (GMT -4) on working days; they are on call for emergencies during other hours and on weekends and holidays.

Page 91

Pluggable Authentication Modules 0
CHAPTER 4

91
4 Security and Optimization - Pluggable Authentication Modules
In this Chapter

The password length
Disabling console program access
Disabling all console access
The Login access control table
Tighten console permissions for privileged users
Putting limits on resource
Controlling access time to services
Blocking su to root, by one and sundry


Linux Pluggable Authentication Modules

Abstract
The Pluggable Authentication Modules (PAM) consist of shared libraries, which enable administrators to choose how applications authenticate users.
Basically, PAM enables the separation of authentication schemes from the applications. This is accomplished by providing a library of functions that applications can use for requesting user authentication. ssh, pop, imap, etc. are PAM-aware applications, hence these applications can be changed from asking for a password to asking for a voice sample or fingerprint by simply changing the PAM modules, without having to rewrite any code in these applications.
The configuration files of the PAM modules are located in the directory /etc/pam.d and the modules (shared libraries) themselves are located in the directory /lib/security. The /etc/pam.d directory has a collection of named files of its own, e.g. ssh, pop, imap, etc. PAM-aware applications that do not have a configuration file will automatically be pointed to the default configuration file 'other'.
In the next section we will set up some recommended minimum-security restrictions using PAM.

The password length
The minimum acceptable password length by default when you install your Linux system is 5. This means that when a new user is given access to the server, his/her password must be at least 5 characters long, made of any mix of letters, numbers, special characters, etc. This is not enough and must be 8 or more. The password length under Linux, by the use of its PAM feature, is controlled by 5 arguments: minlen, dcredit, ucredit, lcredit, and ocredit.

Step 1
To prevent non-security-minded people or administrators from being able to enter just 5 characters for the valuable password, edit the rather important /etc/pam.d/passwd file and enforce the minimum password length.

* Edit the passwd file (vi /etc/pam.d/passwd) and remove the following line:

password required /lib/security/pam_stack.so service=system-auth

Step 2
Once the above line has been removed from the passwd file, we must remove the following three lines as shown below from the system-auth file. This is a bug in the PAM RPM package of Red Hat that we must correct here to be able to use this feature with Linux.

* Edit the system-auth file (vi /etc/pam.d/system-auth) and remove the lines:

password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so


Step 3
Now add the following lines to /etc/pam.d/passwd. We use the PAM "pam_cracklib" module here with the argument "minlen" to enforce the password length.

password required /lib/security/pam_cracklib.so retry=3 minlen=12
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

After adding the above lines, the /etc/pam.d/passwd file should look like this:

#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_cracklib.so retry=3 minlen=12
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so

And the /etc/pam.d/system-auth file should look like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so

WARNING: It is important to note that when you set the password for a user as `root', then these restrictions don't apply!! This is the case on all Unix OS. The user `root' can override pretty much everything. Instead, log in as the user account to which you apply this restriction and try to change the password. You will see that it works.

You need to keep in mind that this module includes a credit mechanism. E.g. if you define minlen=12, then you will get 1 credit for e.g. including a single digit number in your password, or for including a non-alphanumeric character. Getting 1 credit means that the module will accept a password of the length of minlen-credit. When you check the parameters of the cracklib module, you will see that it has some parameters that let you define what a credit is (http://www.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html).
For example:

minlen    The following password was accepted
--------  ---------------------------------------------------
14        gjtodgsdf1$

You can see that I got 1 credit for an alphanumeric character and a credit for each non-alphanumeric character. "gjtodgsdf1$" has a length of 11: 1 credit for alphanumeric, 2 credits for non-alphanumeric characters (1 and $), which gives me a credit of 3, hence the password length of 11 was accepted.
At any rate, the minimum length is adjusted by the mixture of types of characters used in the password. Using digits (up to the number specified with the "dcredit=" parameter, which defaults to 1), uppercase letters ("ucredit"), lowercase letters ("lcredit") or other types of characters ("ocredit") will decrease the minimum length by up to four, since the default parameter for these arguments is 1 and there are four different arguments that you can add.
A password with 9 lowercase letters in it will pass a minimum length set to 10 unless "lcredit=0" is used, because a credit is granted for the use of a lowercase letter. If the mixture includes an uppercase letter, a lowercase letter, and a digit, then a minlen of 8 effectively becomes 5.
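The credit arithmetic described above, as an added example that is not the book's code: a shell function that applies pam_cracklib's length rule (password length plus one credit per character of each class, capped by that class's credit parameter, must reach minlen; a negative credit parameter instead demands at least that many characters of the class) so you can test a candidate password against a planned minlen/credit setting before rolling it out. The rule is taken from the module's documented behaviour, the function names are mine, and the passwords are constructed samples, including the book's "gjtodgsdf1$" case, which lands exactly on 14.

```shell
#!/bin/sh
# Added example (not from the book): predict pam_cracklib's minlen decision.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges used by tr(1) byte-exact

# Count the characters of one class in $1; $2 is a tr(1) set such as '0-9'.
count_class() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# Credits earned by one class: $1 = characters of the class, $2 = its credit
# parameter. N >= 0 grants up to N credits; N < 0 grants none and instead
# requires at least -N characters (returns 1 when that requirement fails).
class_credit() {
    if [ "$2" -ge 0 ]; then
        [ "$1" -lt "$2" ] && echo "$1" || echo "$2"
    else
        [ "$1" -ge $(( 0 - $2 )) ] || return 1
        echo 0
    fi
}

# cracklib_check PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Prints the verdict and returns 0 (accepted) or 1 (rejected).
cracklib_check() {
    pw=$1 minlen=$2
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    digits=$(count_class "$pw" '0-9')
    uppers=$(count_class "$pw" 'A-Z')
    lowers=$(count_class "$pw" 'a-z')
    others=$(( len - digits - uppers - lowers ))   # everything else: $, !, space ...
    credits=0
    for pair in "$digits:$3" "$uppers:$4" "$lowers:$5" "$others:$6"; do
        c=$(class_credit "${pair%%:*}" "${pair##*:}") \
            || { echo "rejected (a negative credit requirement is not met)"; return 1; }
        credits=$(( credits + c ))
    done
    eff=$(( len + credits ))
    if [ "$eff" -ge "$minlen" ]; then
        echo "accepted (effective length $eff)"
    else
        echo "rejected (effective length $eff < minlen $minlen)"
        return 1
    fi
}
```

With the defaults (all four credits at 1) the book's example gives 11 + 3 = 14, so minlen=14 accepts it; the same call with lcredit=0 drops the lowercase credit and the nine-lowercase-letter case in the text is rejected at minlen=10, exactly as the text says.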

NOTE: With the new MD5 passwords capability, which is installed by default in all modern Linux operating systems, a long password can be used now (up to 256 characters), instead of the Unix standard eight letters or less. If you want to change the password length of 8 characters to, for example, 16 characters, all you have to do is to replace the number 12 by 20 in the "minlen=12" line of the /etc/pam.d/passwd file.

Disabling console program access
In a safe environment, where we are sure that the console is secured because passwords for BIOS and LILO are set and all physical power and reset switches on the system are disabled, it may be advantageous to entirely disable all console-equivalent access to programs like shutdown, reboot, and halt for regular users on your server.

* To do this, run the following command:
[root@deep /]# rm -f /etc/security/console.apps/

Where the file name appended to /etc/security/console.apps/ is the name of the program to which you wish to disable console-equivalent access. Unless you use xdm, however, be careful not to remove the xserver file or no one but `root' will be able to start the X server. (If you always use xdm to start the X server, `root' is the only user that needs to start X, in which case you might actually want to remove the xserver file).

* To disable console program access, use the following commands:
[root@deep /]# rm -f /etc/security/console.apps/halt
[root@deep /]# rm -f /etc/security/console.apps/poweroff
[root@deep /]# rm -f /etc/security/console.apps/reboot
[root@deep /]# rm -f /etc/security/console.apps/shutdown
[root@deep /]# rm -f /etc/security/console.apps/xserver (if removed, root will be the only user able to start X).

This will disable console-equivalent access to the programs halt, poweroff, reboot, and shutdown. Once again, the program xserver applies only if you installed the Xwindow interface on your system.


WARNING: If you are following our setup installation, the Xwindow interface is not installed on your server and all the files described above will not appear in the /etc/security/console.apps directory, so don't pay attention to the above step.


Disabling all console access
The Linux-PAM library installed by default on your system allows the system administrator to choose how applications authenticate users, such as for console access, program and file access. In order to disable all these accesses for the users, you must comment out all lines that refer to pam_console.so in the /etc/pam.d directory. This step is a continuation of the hack "Disabling console program access". The following script will do the trick automatically for you.

Step 1
* As `root', create the disabling.sh script file (touch disabling.sh) and add the following lines inside:

#!/bin/sh
# Comment out every line that loads pam_console.so and is not already a comment,
# in each PAM service file; each file is rewritten through a temporary copy.
cd /etc/pam.d || exit 1
for i in * ; do
sed '/^[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done

Step 2
* Make this script executable with the following command and execute it:
[root@deep /]# chmod 700 disabling.sh
[root@deep /]# ./disabling.sh

This will comment out all lines that refer to pam_console.so in all files located under the /etc/pam.d directory. Once the script has been executed, you can remove it from your system.

The Login access control table
On a server environment where authorized and legitimate logins can come from everywhere, it is important to have the possibility to use a security file which allows us to have more control over the users who can connect to the server. What we are looking for here is to have more control by not allowing some legitimate accounts to log in from anywhere. Fortunately, this file exists and is called "access.conf"; you can find it under your /etc/security directory.
The access.conf file, which comes already installed with your native Linux system, allows us to control which authorized users can/cannot log in to the server or to the console and from where. Don't forget that user access can come from everywhere, from a remote host or directly from the console of the system. Configuration of the access.conf file of Linux is not complicated to understand. Below I show you how to configure it to be very restrictive and secure.

Step 1
Denying access to everyone by default is the first step of a reliable security policy. In this way we eliminate the possibility of forgetting someone or of making a mistake.

* Edit the access.conf file (vi /etc/security/access.conf) and add the following line at the end of the file.

-:ALL EXCEPT root gmourani:ALL

This access policy means to disallow console logins as well as remote account logins to all from anywhere except for the users `root' and `gmourani'. With this choice of policy, we deny non-networked and remote logins to every user with a shell account on the system from everywhere and allow only the selected users.
Take note that many possibilities exist, for example allowing the same users `root' and `gmourani' to log in to the system only from the remote host with IP address 207.35.78.2. To enable this policy, all we need to do is to change the above policy to this one:

* Edit the access.conf file (vi /etc/security/access.conf) and add the following lines at the end of the file.

-:ALL EXCEPT root gmourani:207.35.78.2
-:ALL:LOCAL

Here the second policy line means to disallow all local access to the console for every user, even for the super-user `root'; therefore if you want to log in as `root' you need first to log in as user `gmourani' from the remote host with IP address 207.35.78.2 and su to `root' (this is why I added `root' to the users allowed to connect from remote host 207.35.78.2).

Step 2
To be able to use the access.conf feature of Linux, make sure to add the following line to /etc/pam.d/login and sshd if you use this service, or it will not work.

* Edit the login file (vi /etc/pam.d/login) and add the following line.

account required /lib/security/pam_access.so

After adding the above line, the /etc/pam.d/login file should look like this:

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_access.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth

NOTE: Please read the information about possible configurations of this file inside the access.conf file, since your policies will certainly differ from the example that I show you above.


Tighten console permissions for privileged users
The console.perms security file of Linux, which uses the pam_console.so module to operate, is designed to give privileged users at the physical console (virtual terminals and local xdm-managed X sessions) capabilities that they would not otherwise have, and to take those capabilities away when they are no longer logged in at the console.
It provides two main kinds of capabilities: file permissions and authentication. When a user logs in at the console and no other user is currently logged in at the console, the pam_console.so module will change permissions and ownership of files as described in the file /etc/security/console.perms.
Please note that privileged users have nothing in common with the regular users you may add to the server; they are special users like floppy, cdrom, scanner, etc. which in a networking server environment are also considered and treated as users.

Step 1
The default console.perms configuration file of Linux is secure enough for regular use of the system where an Xwindow interface is considered to be installed, but in a highly secure environment where the Graphical User Interface (GUI) is not installed or where some special devices like sound, jaz, etc. have no reason to exist, we can tighten the console.perms security file of Linux to be more secure by eliminating non-existent or unneeded privileged users having capabilities that they would not otherwise have.

* Edit the console.perms file (vi /etc/security/console.perms), and change the default lines inside this file:

# file classes -- these are regular expressions
=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
=:[0-9]\.[0-9] :[0-9]
# device classes -- these are shell-style globs
=/dev/fd[0-1]*
=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer
=/dev/cdrom* /dev/cdwriter*
=/dev/pilot
=/dev/jaz
=/dev/zip
=/dev/scanner
=/dev/fb /dev/fb[0-9]*
=/dev/kbd
=/dev/js*
=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi*
=/dev/gpmctl
=/dev/dri/* /dev/nvidia*
# permission definitions
0660 0660 root.floppy
0600 0640 root.sys
0600 0600 root.disk
0600 0660 root.tty
0600 0660 root.disk
0600 0660 root.disk
0600 0600 root
0600 0600 root
0600 0600 root
0600 0600 root
0600 0600 root
0700 0700 root

0600 /dev/console 0600 root.root
0600 0600 root
To read:

# file classes -- these are regular expressions
=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
# device classes -- these are shell-style globs
=/dev/fd[0-1]*
=/dev/cdrom* /dev/cdwriter*
=/dev/pilot
=/dev/fb /dev/fb[0-9]*
=/dev/kbd
=/dev/gpmctl
=/dev/dri/* /dev/nvidia*
# permission definitions
0660 0660 root.floppy
0600 0600 root.disk
0600 0660 root.tty
0600 0600 root
0600 0600 root
0700 0700 root
Here we removed every privileged user related to the Graphical User Interface and others related to sound, zip drive, jaz drive, scanner, joystick and video media at the physical console on the server.

Putting limits on resource
The limits.conf file located under the /etc/security directory can be used to control and limit resources for the users on your system. It is important to set resource limits on all your users so they can't perform denial of service attacks (number of processes, amount of memory, etc.) on the server. These limits will have to be set up for the user when he or she logs in.
For example, limits for all users on your system might look like this.

Step 1
* Edit the limits.conf file (vi /etc/security/limits.conf) and add or change the lines to read:

* hard core 0
* hard rss 5000
* hard nproc 35

This says to prohibit the creation of core files "core 0", restrict the number of processes to 20 "nproc 20", and restrict memory usage to 5M "rss 5000" for everyone except the super user "root". All of the above only concerns users who have entered through the login prompt on your system. With this kind of quota, you have more control on the processes, core files, and memory usage that users may have on your system. The asterisk "*" means: all users that log in on the server.
Putting an asterisk "*" to cover all users can pose a problem with daemon user accounts like "www" for a Web Server, "mysql" for a SQL Database Server, etc. If we put an asterisk, then these users will be affected by the restriction and limitation of processes or memory usage.


To solve the problem, we can choose an existing group name in our system and add every
regular user to this group. In this manner, the restrictions and limitations will apply to all users
who are members of this group name only. A special group account named "
users
" can be used
for this purpose.

*
Edit the
limits.conf
file (
vi /etc/security/limits.conf
) and add or change
the lines to read:

@users hard core 0
@users hard rss
5000
@users hard nproc 35
If you decide to use a group name like "
@users
" to control and limit resources for the users on
your system, then it is important to not forget to change the
GUI
(Group User ID) of these users
to be "
100
". "
100
" is the numeric value of the user's ID "
users
".

*
The command to create a new user with group name which is set by default to
users
is:
[root@deep /]#
useradd -g100 admin

The "
-g100
" option represents the number of the user's initial login group and in our case "
100
"
is the group account name "
users
". The "
admin
" parameter is the user name we want to add to
the group name "
users
".

WARNING:
Use the same command above for all users on your system you want to be member of
the "
users
" group account. It is also preferable to set this parameter first before adding users to
the system.


Step 2
* You must also edit the /etc/pam.d/login file and add the following line to the bottom of the file:

session    required /lib/security/pam_limits.so

After adding the line above, the /etc/pam.d/login file should look like this:

#%PAM-1.0
auth       required /lib/security/pam_securetty.so
auth       required /lib/security/pam_stack.so service=system-auth
auth       required /lib/security/pam_nologin.so
account    required /lib/security/pam_stack.so service=system-auth
account    required /lib/security/pam_access.so
password   required /lib/security/pam_stack.so service=system-auth
session    required /lib/security/pam_stack.so service=system-auth
session    required /lib/security/pam_limits.so
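To see which accounts a limits.conf domain really reaches, here is an added shell example (not from the book) that resolves "*" and "@users" lines against constructed passwd and group files. The precedence it applies (a line naming the user beats an @group line, which beats "*", and the last line of equal rank wins) is stated as an assumption about pam_limits, not something the book spells out.

```shell
#!/bin/sh
# Added example (not from the book): resolve which accounts a limits.conf
# domain really covers, to show why "*" also catches daemon accounts such
# as www and mysql while "@users" only reaches members of group "users".
# Precedence applied here (an assumption about pam_limits, not taken from
# the book): a line naming the user beats an @group line, which beats "*",
# and among lines of equal rank the last one in the file wins.

# effective_limit USER ITEM TYPE LIMITS_FILE PASSWD_FILE GROUP_FILE
#   Prints the value pam_limits would apply for ITEM (e.g. nproc) and TYPE
#   (hard or soft; a "-" line in the file counts for both), or "none".
effective_limit() {
    awk -v user="$1" -v item="$2" -v ltype="$3" -v pw="$5" -v gr="$6" '
    BEGIN {
        # primary group id of USER from passwd (user:x:uid:gid:...)
        while ((getline line < pw) > 0) {
            n = split(line, f, ":")
            if (n >= 4 && f[1] == user) pgid = f[4]
        }
        close(pw)
        # group membership from group (name:x:gid:member,member,...)
        while ((getline line < gr) > 0) {
            n = split(line, f, ":")
            if (n < 3) continue
            if (f[3] == pgid) member[f[1]] = 1
            cnt = split(f[4], mem, ",")
            for (i = 1; i <= cnt; i++) if (mem[i] == user) member[f[1]] = 1
        }
        close(gr)
        best = 99; value = "none"
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    NF >= 4 && $3 == item && ($2 == ltype || $2 == "-") {
        if ($1 == user)                                            rank = 0
        else if (substr($1, 1, 1) == "@" && member[substr($1, 2)]) rank = 1
        else if ($1 == "*")                                        rank = 3
        else next
        if (rank <= best) { best = rank; value = $4 }
    }
    END { print value }' "$4"
}

# report LIMITS_FILE PASSWD_FILE GROUP_FILE: hard nproc for every account
report() {
    cut -d: -f1 "$2" | while read -r u; do
        printf '  %-8s hard nproc: %s\n' "$u" \
            "$(effective_limit "$u" nproc hard "$1" "$2" "$3")"
    done
}

# write_samples DIR: constructed passwd/group data and three limits files
write_samples() {
    cat > "$1/passwd" <<'EOF'
admin:x:500:100:Admin:/home/admin:/bin/bash
www:x:80:80:Web server:/var/www:/bin/false
mysql:x:27:27:MySQL server:/var/lib/mysql:/bin/false
EOF
    cat > "$1/group" <<'EOF'
users:x:100:
www:x:80:
mysql:x:27:
EOF
    # the form the chapter warns about: "*" reaches www and mysql too
    cat > "$1/limits.star" <<'EOF'
* hard core  0
* hard rss   5000
* hard nproc 35
EOF
    # the form the chapter recommends: scoped to group "users"
    cat > "$1/limits.group" <<'EOF'
@users hard core  0
@users hard rss   5000
@users hard nproc 35
EOF
    # constructed mix of all three domain kinds, to show precedence
    cat > "$1/limits.mixed" <<'EOF'
*      hard nproc 20
@users hard nproc 35
admin  hard nproc 50
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_samples "$d"
    echo "With '*':";      report "$d/limits.star"  "$d/passwd" "$d/group"
    echo "With '@users':"; report "$d/limits.group" "$d/passwd" "$d/group"
    rm -rf "$d"
fi
```

Run with --demo to print the two tables side by side; mysql and www get a limit only under the "*" file.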


Controlling access time to services
As the Linux-PAM documentation says, running a well-regulated system occasionally involves restricting access to certain services in a selective manner. The time.conf security file, which is provided by the pam_time.so module of Linux-PAM, offers some time control for access to services offered by a system. Its actions are determined through the configuration file called time.conf, located in the /etc/security directory.

Step 1
The time.conf file can be configured to deny access to (individual) users based on their name, the time of day, the day of the week, the service they are applying for and the terminal from which they are making their request.

* Edit the time.conf file (vi /etc/security/time.conf), and add the following line:

login ; tty* & !ttyp* ; !root !gmourani ; !Al0000-2400
The above time control access line means: deny all users access to console login at all times, except for the super-user 'root' and the user 'gmourani'.

Note that many combinations exist, as described in the time.conf file. We can, for example, allow user 'admin' to access the console login at any time except at the weekend and on Tuesday from 8AM to 6PM with the following statement.

* Edit the time.conf file (vi /etc/security/time.conf), and add the following line:

login ; * ; !admin ; !Wd0000-2400 !Tu0800-1800

Step 2
To be able to use the time.conf feature of Linux, make sure to add the following line to /etc/pam.d/login, and to /etc/pam.d/sshd if you use this service, or nothing will work.

* Edit the login file (vi /etc/pam.d/login) and add the following line:

account    required /lib/security/pam_time.so

After adding the line above, the /etc/pam.d/login file should look like this:

#%PAM-1.0
auth       required /lib/security/pam_securetty.so
auth       required /lib/security/pam_stack.so service=system-auth
auth       required /lib/security/pam_nologin.so
account    required /lib/security/pam_stack.so service=system-auth
account    required /lib/security/pam_access.so
account    required /lib/security/pam_time.so
password   required /lib/security/pam_stack.so service=system-auth
session    required /lib/security/pam_stack.so service=system-auth
session    required /lib/security/pam_limits.so

NOTE: Please read the information about possible configurations of this file inside the time.conf file itself, since your policies will certainly differ from the examples that I show you above.


Blocking su to root, by one and sundry
The su (Substitute User) command allows you to become other (existing) users on the system. For example, you can temporarily become 'root' and execute commands as the super-user 'root'. If you don't want anyone to su to root, or want to restrict the su command to certain users, then uncomment the following line of your su configuration file in the /etc/pam.d directory. We highly recommend that you limit the persons allowed to su to the root account.

Step 1
* Edit the su file (vi /etc/pam.d/su) and uncomment the following line in the file:

auth       required   /lib/security/pam_wheel.so use_uid


After this line has been uncommented, the /etc/pam.d/su file should look like this:

#%PAM-1.0
auth       sufficient /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth       required   /lib/security/pam_wheel.so use_uid
auth       required   /lib/security/pam_stack.so service=system-auth
account    required   /lib/security/pam_stack.so service=system-auth
password   required   /lib/security/pam_stack.so service=system-auth
session    required   /lib/security/pam_stack.so service=system-auth
session    optional   /lib/security/pam_xauth.so

This means that only those who are members of the "wheel" group can su to root; it also includes logging. Note that the "wheel" group is a special account on your system that can be used for this purpose; you cannot use any group name you want for this hack. This hack, combined with specifying which TTY and VC devices root is allowed to log in on, will improve the security of your system a lot.
Step 2
Now that we have defined the "wheel" group in our /etc/pam.d/su configuration file, it is time to add some users who will be allowed to su to the "root" account.

* If you want to make, for example, the user "admin" a member of the "wheel" group, and thus be able to su to root, use the following command:

[root@deep /]# usermod -G10 admin

This means "-G" is the list of supplementary groups the user is also a member of, "10" is the numeric value of the group ID of "wheel", and "admin" is the user we want to add to the "wheel" group. Use the same command above for all users on your system you want to be able to su to the "root" account.

NOTE: For Linux users who use the X Window interface, it is important to note that if you can't su in a GNOME terminal, it's because you've used the wrong terminal. (So don't think that this advice doesn't work simply because of a GNOME terminal problem!)


Facultative:
With the latest Linux operating system, a special line exists in the su file /etc/pam.d/su which allows you to implicitly trust users in the "wheel" group (for security reasons, I don't recommend using this option). This means that all users who are members of the "wheel" group can su to root without the need to enter the "root" password.

* To allow users who are members of the "wheel" group to su to the root account without the need to enter the "root" password, edit the su file (vi /etc/pam.d/su) and uncomment the following line in the file:

auth       sufficient /lib/security/pam_wheel.so trust use_uid


After this line has been uncommented, the /etc/pam.d/su file should look like this:

#%PAM-1.0
auth       sufficient /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth       sufficient /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth       required   /lib/security/pam_wheel.so use_uid
auth       required   /lib/security/pam_stack.so service=system-auth
account    required   /lib/security/pam_stack.so service=system-auth
password   required   /lib/security/pam_stack.so service=system-auth
session    required   /lib/security/pam_stack.so service=system-auth
session    optional   /lib/security/pam_xauth.so
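The three PAM edits in this chapter (pam_limits and pam_time in login, pam_wheel in su) can be checked rather than eyeballed. The following added shell example (not from the book) audits constructed copies of the listings above, counting only uncommented rules, and tells the required pam_wheel form apart from the "trust" variant of the Facultative section; with --demo it reads the live /etc/pam.d files instead.

```shell
#!/bin/sh
# Added example (not from the book): audit the PAM service files this
# chapter edits. Only uncommented rules count, so a "#auth ..." line that
# was meant to be enabled is reported as missing.

# pam_has_rule FILE TYPE CONTROL MODULE [OPTION]
#   True when FILE has an active rule with that TYPE and CONTROL whose
#   module path ends in MODULE and, if OPTION is given, carries OPTION.
pam_has_rule() {
    awk -v t="$2" -v c="$3" -v m="$4" -v o="${5:-}" '
    /^[ \t]*#/ || NF < 3 { next }
    $1 == t && $2 == c && substr($3, length($3) - length(m) + 1) == m {
        if (o == "") { hit = 1; next }
        for (i = 4; i <= NF; i++) if ($i == o) hit = 1
    }
    END { exit hit ? 0 : 1 }' "$1"
}

# su_policy FILE: how this /etc/pam.d/su gates "su" to root
#   trusted    : wheel members su without a password (the "trust" line
#                from the Facultative section, which the chapter advises against)
#   restricted : wheel members only, and they must give root's password
#   open       : no pam_wheel check at all
su_policy() {
    if pam_has_rule "$1" auth sufficient pam_wheel.so trust; then
        echo trusted
    elif pam_has_rule "$1" auth required pam_wheel.so use_uid; then
        echo restricted
    else
        echo open
    fi
}

# login_audit FILE: report the /etc/pam.d/login rules this chapter adds
#   (pam_limits for limits.conf, pam_time for time.conf) that are missing.
#   Prints nothing and returns 0 when both are present.
login_audit() {
    rc=0
    pam_has_rule "$1" session required pam_limits.so ||
        { echo "$1: missing 'session required pam_limits.so'"; rc=1; }
    pam_has_rule "$1" account required pam_time.so ||
        { echo "$1: missing 'account required pam_time.so'"; rc=1; }
    return $rc
}

# write_pam_samples DIR: constructed copies of the chapter's listings
write_pam_samples() {
    # /etc/pam.d/su after Step 1: wheel required, "trust" still commented
    cat > "$1/su" <<'EOF'
#%PAM-1.0
auth       sufficient /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth       required   /lib/security/pam_wheel.so use_uid
auth       required   /lib/security/pam_stack.so service=system-auth
account    required   /lib/security/pam_stack.so service=system-auth
EOF
    # the Facultative variant: same file with the "trust" line uncommented
    sed 's/^#auth/auth/' "$1/su" > "$1/su.trust"
    # /etc/pam.d/login with pam_limits added but pam_time not yet added
    cat > "$1/login" <<'EOF'
#%PAM-1.0
auth       required /lib/security/pam_securetty.so
auth       required /lib/security/pam_stack.so service=system-auth
auth       required /lib/security/pam_nologin.so
account    required /lib/security/pam_stack.so service=system-auth
account    required /lib/security/pam_access.so
session    required /lib/security/pam_stack.so service=system-auth
session    required /lib/security/pam_limits.so
EOF
}

if [ "${1:-}" = "--demo" ]; then             # audit the live system
    echo "/etc/pam.d/su: $(su_policy /etc/pam.d/su)"
    login_audit /etc/pam.d/login && echo "/etc/pam.d/login: ok"
fi
```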



5 Security and Optimization - General System Optimization

In this Chapter

Static vs. shared libraries
The Glibc 2 library of Linux
Why Linux programs are distributed as source
Some misunderstanding in the compiler flags options
The gcc 2.96 specs file
Tuning IDE Hard Disk Performance



Page 104

General System Optimization 0
CHAPTER 5

104
Linux
General System Optimization


Abstract
At this stage of your configuration, you should now have a Linux server optimally configured and secured. Our server contains the most essential packages and programs installed to be able to work properly, and the most essential general system security configuration. Before we continue and begin to install the services we want to share with our customers, it is important to tune our Linux server.

The tuning we will perform in the following part will be applied to the whole system. It also applies to present as well as future programs, such as services that we will later install. Generally, if you don't use an x386 Intel processor, Red Hat Linux out of the box is not optimized for your specific CPU architecture (most people now run Linux on a Pentium processor). The sections below will guide you through different steps to optimize your Linux server for your specific processor, memory, and network.

Static vs. shared libraries
During compilation and build time of a program, the last stage (where all the parts of the program are joined together) is to link the software against the Linux libraries if needed. These libraries, which come in both shared and static formats, contain common system code which is kept in one place and shared between programs. Obviously there are some tasks that many programs will want to do, like opening files, and the code that performs these functions is provided by the Linux libraries. On many Linux systems these library files can be found in the /lib, /usr/lib, and /usr/share directories. The default behavior of Linux is to link shared and, if it cannot find the shared libraries, to link statically.

One of the differences between using static or shared libraries is this: when using a static library, the linker finds the bits that the program modules need, and directly copies them into the executable output file that it generates. For shared libraries, it leaves a note in the output saying, "when this program is run, it will first have to load this library".
As Gregory A Lundberg from the WU-FTPD Development Group said:
Performance-wise, for most systems, worrying about static vs. dynamic is a moot point. There
simply isn't enough difference to measure.
Security-wise there are valid arguments both ways. Static linking is less secure because it locks
in the library bugs; unless you rebuild all such programs, your system won't be properly secured.
Static linking is more secure because it avoids library attacks. The choice is yours: run a daemon
which will remain vulnerable to library attacks, or run one which remains vulnerable to library
bugs.
Portability-wise, the only difference is the size of the file you'll be transferring between systems.
To make setup easier, a statically linked daemon is only needed when the libraries are
completely unavailable. That is rarely the case. Finally, on a busy system (when performance
becomes a true issue), by statically linking you'll be DEGRADING performance. Being bigger, as
more and more statically linked daemons are running, your system begins to swap sooner and
since none of the code is shared, swapping will have a larger effect on performance. So, when
looking to improve performance, you'll want to use shared libraries as much as possible.

If you decide to compile a program statically, you will generally need to add the "-static" and/or "--disable-shared" option flags to your compile line during compilation of your software. Be aware that it is not always possible to compile all programs statically; this highly depends on how the developers coded and developed the software.

To summarize:

1. If you want to compile a program with shared libraries, you will use something like the following:
CFLAGS='-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer' \
./Configure \

2. If you want to compile a program with static libraries, you will use something like the following:
CFLAGS='-O3 -static -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer' \
./Configure \
--disable-shared \


WARNING: On Linux, static libraries have names like libc.a, while shared libraries are called libc.so.x.y.z, where x.y.z is some form of version number. Since it would be quite a pain to recompile programs each time the version number changed, programs instead reference libraries by shorter names and depend on the dynamic linker to make these shorter names symlinks to the current version. Shared libraries often have links pointing to them.

The Glibc 2.2 library of Linux
Glibc 2.2, which replaces the libc4 and libc5 that came before it, is the latest version of the GNU C Library for Linux, and it contains standard libraries used by multiple programs on the system, as described in the previous section. This particular package contains the most important sets of shared and static libraries, which provide the core functionality for C programs to run; without it, a Linux system would not function.

Under Red Hat Linux this package comes configured to run on an i386 processor for portability reasons, and this will pose problems for us if we want to compile programs under Linux: even if we have put in all the optimization flags we need to improve the speed of our server, when the compiler includes static or shared library files in our program, these library files will run optimized for an i386 processor.

In this case, our program will have some parts of its binaries optimized for an i686 processor (the program itself) and other parts optimized for an i386 processor (the GLIBC libraries). To solve the problem, we have made new RPM packages available at the following Internet address:

* Go to this URL and download the following RPM packages for an i686 CPU:
URL: http://www.openna.com/products/books/securing-optimizing-linux/rpms/index.htm

glibc-2.2.3-1.i686.rpm
glibc-common-2.2.3-1.i686.rpm
glibc-devel-2.2.3-1.i686.rpm

For each RPM for your particular architecture, run:

[root@deep /]# rpm -Uvh [filename]




Why Linux programs are distributed as source
Linux has been ported to run on a large number of different machines, and rather than provide a copy for each machine Linux can run on, it's much simpler just to distribute the source and let the end user compile it. The creators of the distribution have no idea if you're going to be running it on a 386 or on a Pentium III and above, so they have to write programs that work on all processors, and this is where the problem comes: all the programs that were installed with your distribution are compiled so they work on the 386 for portability, meaning that they don't use any new feature like MMX which can only be found on newer generations of processors.

Fortunately, various compiler options exist to optimize programs you want to install under Linux for your specific CPU architecture. This is great for those of us that want to tweak every ounce of performance out of the program; now we get to decide how the program is compiled. If you want some speed out of your programs, you've got to know a fair amount about the various option flags you can use to compile.

The first thing you want to set is your CPU type; that's done with the "-march=cpu_type" (processor machine architecture) flag. An example would be "-march=i686" or "-march=k6". This will allow the compiler to select the appropriate optimizations for the processor, but this is only the beginning of what can be done.

You can set the "-O" flag anywhere from 1 to 3 to tell the compiler how aggressive to be with the optimizations; "-O3" will produce the fastest programs, assuming the compiler didn't optimize an important part of a subroutine out. The next thing you might want to do is check out the "-f" options of the compiler; these are things like "-funroll-loops" and "-fomit-frame-pointer".


WARNING: Compiling with the "-fomit-frame-pointer" switch option will use the stack for accessing variables. Unfortunately, debugging is almost impossible with this option. Also pay special attention to the above optimization number "-O3": "O" is a capital o and not a 0 (zero).


Some misunderstanding in the compiler flags options
A lot of discussion exists in the Linux community about the "-O" option and its level numbers. Some Linux users try to convince others that level numbers above "-O3", like "-O9", will produce faster programs. The "-O9" flag doesn't do anything over "-O3"; if you don't believe me, make a small file, call it testO3.c and see:

Step 1
* Create the testO3.c file with the following command:
[root@deep tmp]# touch testO3.c

Step 2
* Run the GCC compiler with the "-O3" flag on the testO3.c file with the command:
[root@deep tmp]# gcc -O3 -S -fverbose-asm testO3.c


Step 3
Look at the testO3.s that it made, then run again with "-O9" and compare the output.

* Create the testO9.c file with the following command:
[root@deep tmp]# touch testO9.c

Step 4
* Run the GCC compiler again with the "-O9" flag on the testO9.c file with the command:
[root@deep tmp]# gcc -O9 -S -fverbose-asm testO9.c

Step 5
Now if you compare the output you will see no difference between the two files.

* To compare the output, use the following command:
[root@deep tmp]# diff testO3.s testO9.s > difference

WARNING: The "-O3" flag level number is the best and highest optimization flag you can use during optimization of programs under Linux.

The gcc 2.96 specs file
The /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file of Red Hat Linux is a set of defines that the gcc compiler uses internally to set various aspects of the compile environment. All customizations that you put in this file will apply to every compilation on your system, so putting optimization flags in this file is a good choice.

To squeeze the maximum performance from your x86 programs, you can use full optimization when compiling with the "-O3" flag. Many programs contain "-O2" in the Makefile. The "-O3" level number is the highest level of optimization. It will increase the size of what it produces, but it runs faster. You can also use the "-march=cpu_type" switch to optimize the program for the CPU listed to the best of GCC's ability. However, the resulting code will only be runnable on the indicated CPU or higher.

Below are the optimization flags that we recommend you put in your /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, depending on your CPU architecture. The optimization options apply only when we compile and install a new program on our server. These optimizations don't play any role in our Linux base system; they just tell our compiler to optimize the new programs that we will install with the optimization flags we have specified in the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file. Adding the options listed below, depending on your CPU architecture, to the gcc 2.96 specs file will save you having to change every CFLAGS in future Makefiles.

Step 1
The first thing to do is to verify the compiler version installed on your Linux server.

* To verify the compiler version installed on your system, use the command:
[root@deep /]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-81)


Step 2
For CPU i686 or PentiumPro, Pentium II, Pentium III, and Athlon
Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways... You'll see a section like the following:

*cpp_cpu_default:
-D__tune_i386__
*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}
*cc1_cpu:
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

Change it to the following:

*cpp_cpu_default:
-D__tune_i686__
*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}
*cc1_cpu:
%{!mcpu*: -O3 -march=i686 -funroll-loops -fomit-frame-pointer %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

WARNING: Make sure that you're putting -O3 and not -03 (dash zero three).



For CPU i586 or Pentium
Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways... You'll see a section like the following:

*cpp_cpu_default:
-D__tune_i386__
*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}
*cc1_cpu:
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

Change it to the following:

*cpp_cpu_default:
-D__tune_i586__
*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}
*cc1_cpu:
%{!mcpu*: -O3 -march=i586 -funroll-loops -fomit-frame-pointer %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

WARNING: Make sure that you're putting -O3 and not -03 (dash zero three).



For CPU i486
Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways... You'll see a section like the following:

*cpp_cpu_default:
-D__tune_i386__
*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}
*cc1_cpu:
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

Change it to the following:

*cpp_cpu_default:
-D__tune_i486__
*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}
*cc1_cpu:
%{!mcpu*: -O3 -march=i486 -funroll-loops -fomit-frame-pointer %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

WARNING: Make sure that you're putting -O3 and not -03 (dash zero three).



For CPU AMD K6 or K6-2
Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways... You'll see a section like the following:

*cpp_cpu_default:
-D__tune_i386__
*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}
*cc1_cpu:
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

Change it to the following:

*cpp_cpu_default:
-D__tune_k6__
*cpp_cpu:
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}}
*cc1_cpu:
%{!mcpu*: -O3 -march=k6 -funroll-loops -fomit-frame-pointer %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

WARNING: Make sure that you're putting -O3 and not -03 (dash zero three).


Step 3
Once our optimization flags have been applied to the gcc 2.96 specs file, it is time to verify that the modification works.

* To verify that the optimization works, use the following commands:
[root@deep tmp]# touch cpu.c
[root@deep tmp]# gcc cpu.c -S -fverbose-asm
[root@deep tmp]# less cpu.s

What you'll get is a file that contains, depending on the options you have chosen, something like:

.file "cpu.c"
.version "01.01"
# GNU C version 2.96 20000731 (Red Hat Linux 7.1) (i386-redhat-linux) compiled by GNU C version 2.96 20000731 (Red Hat Linux 7.1).
# options passed: -O3 -march=i686 -funroll-loops -fomit-frame-pointer
# -fverbose-asm
# options enabled: -fdefer-pop -fomit-frame-pointer
# -foptimize-sibling-calls -fcse-follow-jumps -fcse-skip-blocks
# -fexpensive-optimizations -fthread-jumps -fstrength-reduce -funroll-loops
# -fpeephole -fforce-mem -ffunction-cse -finline-functions -finline
# -fkeep-static-consts -fcaller-saves -fpcc-struct-return -fgcse
# -frerun-cse-after-loop -frerun-loop-opt -fdelete-null-pointer-checks
# -fschedule-insns2 -fsched-interblock -fsched-spec -fbranch-count-reg
# -fnew-exceptions -fcommon -fverbose-asm -fgnu-linker -fregmove
# -foptimize-register-move -fargument-alias -fstrict-aliasing -fident
# -fpeephole2 -fmath-errno -m80387 -mhard-float -mno-soft-float -mieee-fp
# -mfp-ret-in-387 -march=i686
gcc2_compiled.:
.ident "GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.1 2.96-81)"

WARNING: In our example we have optimized the specs file for an i686 CPU processor. It is important to note that most of the "-f" options are automatically included when you use "-O3" and don't need to be specified again. The changes that were shown were made so that a command like "gcc" would really be the command "gcc -march=i686" without having to change every single Makefile, which can really be a pain.
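As an added example (not from the book), the following shell script applies the cpp_cpu_default and cc1_cpu change for any of the CPU types above with awk, refuses the "-03" (dash zero three) typo the warnings mention, and reads back the "# options passed:" flags from a -fverbose-asm listing the way Step 3 checks them. It assumes the "*name:" line followed by the spec text on the next line, as shown above, and works on a constructed excerpt rather than the live specs file.

```shell
#!/bin/sh
# Added example (not from the book): apply the chapter's specs-file change
# with awk instead of hand-editing, refuse the "-03" (dash zero three) typo
# the warnings mention, and read back the "# options passed:" line of a
# -fverbose-asm listing as Step 3 does. Assumes the gcc 2.96 layout shown
# above: a "*name:" line followed by the spec text on the next line.

# tune_specs FILE ARCH FLAGS
#   Rewrites FILE in place: sets *cpp_cpu_default to -D__tune_ARCH__ and
#   puts FLAGS at the front of the %{!mcpu*: ...} group of *cc1_cpu.
#   Idempotent: a cc1_cpu line that already carries -march= is left alone.
tune_specs() {
    awk -v arch="$2" -v flags="$3" '
    prev == "*cpp_cpu_default:" { $0 = "-D__tune_" arch "__" }
    prev == "*cc1_cpu:" && index($0, "%{!mcpu*:") == 1 && index($0, "-march=") == 0 {
        $0 = "%{!mcpu*: " flags substr($0, length("%{!mcpu*:") + 1)
    }
    { print; prev = $0 }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# specs_check FILE: fail on "-03" anywhere, and require -O3 in *cc1_cpu.
specs_check() {
    if grep -q -- '-03' "$1"; then
        echo "$1: contains -03 (zero); -O3 (capital o) was meant" >&2
        return 1
    fi
    awk 'prev == "*cc1_cpu:" && index($0, "-O3") > 0 { ok = 1 }
         { prev = $0 }
         END { exit ok ? 0 : 1 }' "$1"
}

# asm_options_passed FILE
#   Prints the flags gcc recorded in a -fverbose-asm .s file, joining the
#   "# options passed:" line with the "#" continuation lines that follow it.
asm_options_passed() {
    awk '
    /^# options passed:/ { sub(/^# options passed:[ \t]*/, ""); out = $0; on = 1; next }
    on && /^# options enabled:/ { exit }
    on && /^#/ { sub(/^#[ \t]*/, ""); out = out " " $0; next }
    on { exit }
    END { print out }' "$1"
}

# write_specs_samples DIR: a constructed specs excerpt in the gcc 2.96
#   layout, and the header of the cpu.s listing shown in Step 3.
write_specs_samples() {
    cat > "$1/specs" <<'EOF'
*cpp_cpu_default:
-D__tune_i386__

*cc1_cpu:
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}

EOF
    cat > "$1/cpu.s" <<'EOF'
    .file "cpu.c"
    .version "01.01"
# GNU C version 2.96 20000731 (Red Hat Linux 7.1) (i386-redhat-linux) compiled by GNU C version 2.96 20000731 (Red Hat Linux 7.1).
# options passed:  -O3 -march=i686 -funroll-loops -fomit-frame-pointer
# -fverbose-asm
# options enabled:  -fdefer-pop -fomit-frame-pointer
gcc2_compiled.:
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_specs_samples "$d"
    tune_specs "$d/specs" i686 "-O3 -march=i686 -funroll-loops -fomit-frame-pointer"
    specs_check "$d/specs" && cat "$d/specs"
    echo "options passed: $(asm_options_passed "$d/cpu.s")"
    rm -rf "$d"
fi
```

To use it on a real Red Hat 7.1 box, point tune_specs at /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs (after backing it up) and feed asm_options_passed the cpu.s produced in Step 3.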
Below is the explanation of the different optimization options we use:

* The "-march=cpu_type" optimization flag
The "-march=cpu_type" optimization option will set the default CPU to use for the machine type when scheduling instructions.

* The "-funroll-loops" optimization flag
The "-funroll-loops" optimization option will perform the optimization of loop unrolling, and will do it only for loops whose number of iterations can be determined at compile time or run time.

* The "-fomit-frame-pointer" optimization flag
The "-fomit-frame-pointer" optimization option, one of the most interesting, will allow the program to not keep the frame pointer in a register for functions that don't need one. This avoids the instructions to save, set up and restore frame pointers; it also makes an extra register available in many functions, and makes debugging impossible on most machines.


WARNING: All future optimizations that we will describe in this book refer by default to a Pentium PRO/II/III and higher i686 CPU family. So you must adjust the compilation flags for your specific CPU processor type in the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file and during your compilation time.


Tuning IDE Hard Disk Performance
hdparm is a tool which can be used to tune and improve the performance of your IDE hard disk. By default, any IDE drives you have in your Linux system are not optimized. Even if you have an ULTRA DMA system you will not be able to take full advantage of its speed if you are not using the hdparm tool to enable its features. This is because there are many different hard drive makes and models, and Linux cannot know every feature of each one.

Performance increases have been reported on massive disk I/O operations by setting the IDE drivers to use DMA, 32-bit transfers and multiple sector modes. The kernel seems to use more conservative settings unless told otherwise. The magic command to change the settings of your drive is hdparm.

Before going into the optimization of your hard drive, it is important to verify that the hdparm package is installed on your system. If you have followed every step during the installation of Linux on your computer, then this package is not installed.

* To verify if the hdparm package is installed on your system, use the command:
[root@deep /]# rpm -q hdparm
package hdparm is not installed

If the
hdparm
package seems not to be installed, you'll need to mount your CD-ROM drive
containing the Linux CD-ROM Part 1 and install it.

*
To mount the CD-ROM drive, use the following commands:
[root@deep /]#
mount /dev/cdrom /mnt/cdrom/

had: ATAPI 32X CD-ROM drive, 128kB Cache
mount: block device dev/cdrom is write-protected, mounting read-only


*
To install the
hdparm
package on your Linux system, use the following command:
[root@deep /]#
cd /mnt/cdrom/RedHat/RPMS/

[root@deep RPMS]#
rpm -Uvh hdparm-version.i386.rpm

hdparm ##################################################

*
To unmount your CD-ROM drive, use the following command:
[root@deep RPMS]#
cd /; umount /mnt/cdrom/

Once
hdparm
package is installed on the system, it is time to go into the optimization of your
hard drive. It is important to note that depending on your model and make, there will be some
parameters that will apply and other that don't. It is to your responsibility to know and understand
your disk drive before applying any optimization parameters as described below.
Finally, and especially for
UltraDMA
systems, it is vital to verify under your
BIOS
settings if the
parameters related to
DMA
support on your computer are enabled or you will inevitably break your
hard disk. You have been warned.


Step 1
The first parameter applies to the majority of all modern drives and models in the market and
enables 32-bit I/O over PCI buses. This option is one of the most important and will usually
double the speed of your drive.

* To enable 32-bit I/O over the PCI buses, use the following command:
[root@deep /]# /sbin/hdparm -c3 /dev/hda
(or hdb, hdc etc).

This will usually, depending on your IDE Disk Drive model, cut the timing buffered disk reads time
by two. The hdparm(8) manpage says that you may need to use "-c3" for many chipsets since it
works with nearly all 32-bit IDE chipsets. All (E)IDE drives still have only a 16-bit connection
over the ribbon cable from the interface card.
Step 2
The second parameter applies only on standard DMA disks and will activate the simple DMA feature
of the disk. This feature is for old disk drives with DMA capabilities.

* To enable DMA, use the following command:
[root@deep /]# /sbin/hdparm -d1 /dev/hda
(or hdb, hdc etc).

This may depend on support for your motherboard chipset being compiled into your kernel. Also,
this command will enable DMA support for your hard drive only for interfaces which support DMA; it
will cut the timing buffered disk reads time and will improve the performance by two.
Step 3
Multiword DMA mode 2, also known as ATA2 disk drive, is the successor of the simple DMA drive. If
you have this kind of hard drive, then you must enable the parameter in your Linux system.

* To enable multiword DMA mode 2 transfers, use the following command:
[root@deep /]# /sbin/hdparm -d1 -X34 /dev/hda
(or hdb, hdc etc).

This sets the IDE transfer mode for newer (E)IDE/ATA2 drives. (Check your hardware manual
to see if you have it).
Step 4
As for DMA mode 2, the UltraDMA mode 2 is an improvement of the DMA technology. If you have
this kind of drive in your system, then choose this mode.

* To enable UltraDMA mode 2 transfers, use the following command:
[root@deep /]# /sbin/hdparm -d1 -X66 /dev/hda
(or hdb, hdc etc)

See your manual page about hdparm for more information. USE THIS OPTION WITH EXTREME
CAUTION!
Step 5
The UltraDMA mode 4 is one of the latest entries and one of the most popular at this time; it is
also known and referred to as ATA/66. I guess that most of you have this kind of drive installed and
if it is the case then it is the one that you must choose for sure.

* To enable UltraDMA mode 4 transfers, use the following command:
[root@deep /]# /sbin/hdparm -d1 -X12 -X68 /dev/hda
(or hdb, hdc etc)


This will enable UltraDMA ATA/66 mode on your drive. See your manual page about hdparm
for more information. USE THIS OPTION WITH EXTREME CAUTION!
Step 6
Multiple sector mode (aka IDE Block Mode), is a feature of most modern IDE hard drives,
permitting the transfer of multiple sectors per I/O interrupt, rather than the usual one sector per
interrupt. When this feature is enabled, it typically reduces operating system overhead for disk I/O
by 30-50%. On many systems it also provides increased data throughput of anywhere from 5% to
50%.

* To set multiple sector mode I/O, use the following command:
[root@deep /]# /sbin/hdparm -mXX /dev/hda
(or hdb, hdc etc)

Where "XX" is the maximum setting supported by your drive. The "-i" flag can be used to find the
maximum setting supported by an installed drive: look for MaxMultSect in the output.

* To find the maximum setting of your drive, use the following command:
[root@deep /]# /sbin/hdparm -i /dev/hda
(or hdb, hdc etc)

/dev/hda:
Model=QUANTUM FIREBALLP LM15, FwRev=A35.0700, SerialNo=883012661990
Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs }
RawCHS=16383/16/63, TrkSize=32256, SectSize=21298, ECCbytes=4
BuffType=3(DualPortCache), BuffSize=1900kB, MaxMultSect=16, MultSect=16
DblWordIO=no, OldPIO=2, DMA=yes, OldDMA=2
CurCHS=16383/16/63, CurSects=-66060037, LBA=yes, LBAsects=29336832
tDMA={min:120,rec:120}, DMA modes: mword0 mword1 mword2
IORDY=on/off, tPIO={min:120,w/IORDY:120}, PIO modes: mode3 mode4
UDMA modes: mode0 mode1 mode2 mode3 *mode4
Step 7
The get/set sector count is used to improve performance in sequential reads of large files! The
default setting is 8 sectors (4KB) and we will double it and change it to 16. USE THIS OPTION
WITH EXTREME CAUTION!

* To improve the get/set sector count for file system read-ahead, use the command:
[root@deep /]# /sbin/hdparm -a16 /dev/hda
(or hdb, hdc etc)

Step 8
The get/set interrupt-unmask flag will greatly improve Linux's responsiveness and eliminates
"serial port overrun" errors. USE THIS OPTION WITH EXTREME CAUTION!

* To improve and get/set the interrupt-unmask flag for the drive, use the command:
[root@deep /]# /sbin/hdparm -u1 /dev/hda
(or hdb, hdc etc)

Step 9
The IDE drive's write-caching feature will improve the performance of the hard disk. USE THIS
OPTION WITH EXTREME CAUTION!

* To enable the IDE drive's write-caching feature, use the following command:
[root@deep /]# /sbin/hdparm -W1 /dev/hda
(or hdb, hdc etc)


Step 10
These options will allow the drive to retain your settings over a soft reset (as done during the error
recovery sequence). It is important to note that not all drives support this feature.

* To enable the drive to retain your settings, use the command:
[root@deep /]# /sbin/hdparm -K1 -k1 /dev/hda
(or hdb, hdc etc)

Step 11
Once every tuning related to your specific drive has been set, you can test the results and see if
you want to keep them or not.

* You can test the results of your changes by running hdparm in performance test mode:
[root@deep /]# /sbin/hdparm -vtT /dev/hda
(or hdb, hdc etc).

/dev/hda:
 multcount    = 16 (on)
 I/O support  = 3 (32-bit w/sync)
 unmaskirq    = 1 (on)
 using_dma    = 1 (on)
 keepsettings = 1 (on)
 nowerr       = 0 (off)
 readonly     = 0 (off)
 readahead    = 16 (on)
 geometry     = 1826/255/63, sectors = 29336832, start = 0
 Timing buffer-cache reads:   128 MB in 0.85 seconds = 150.59 MB/sec
 Timing buffered disk reads:  64 MB in 2.54 seconds = 25.20 MB/sec

Once you have a set of hdparm options, you can put the commands in your /etc/rc.d/rc.local
file to run it every time you reboot the machine. When running from /etc/rc.d/rc.local, you
can add the "-q" option for reducing screen clutter. In my case, I will put the following
configuration in the end of my rc.local file:

/sbin/hdparm -q -c3 -d1 -X12 -X68 -m16 -a16 -u1 -W1 -k1 -K1 /dev/hda

NOTE: The latest release of Red Hat Linux (7.1) now by default automatically optimizes your IDE
hard drive. Therefore, you don't have to configure it as shown above but I prefer to tell you this
now to let you read this section and understand how hard disk optimization works with the
hdparm tool of Linux.
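Rather than hard-coding the drive-specific -X and -m values in rc.local, they can be derived from the hdparm -i output of Step 6. The script below is an added example, not from the book: the hdparm -i text it parses is a constructed sample copied from this chapter (plus a constructed PIO-only drive), and it only emits -d1 and a -X transfer mode for a drive that itself reports DMA=yes.

```shell
#!/bin/sh
# Added example (not from the book): derive the drive-specific hdparm flags
# from "hdparm -i" output instead of hard-coding them in /etc/rc.d/rc.local.

# Constructed sample: the "hdparm -i /dev/hda" output shown in Step 6.
SAMPLE_HDPARM_I='/dev/hda:
Model=QUANTUM FIREBALLP LM15, FwRev=A35.0700, SerialNo=883012661990
BuffType=3(DualPortCache), BuffSize=1900kB, MaxMultSect=16, MultSect=16
DblWordIO=no, OldPIO=2, DMA=yes, OldDMA=2
tDMA={min:120,rec:120}, DMA modes: mword0 mword1 mword2
IORDY=on/off, tPIO={min:120,w/IORDY:120}, PIO modes: mode3 mode4
UDMA modes: mode0 mode1 mode2 mode3 *mode4'

# Constructed sample of an older drive without any DMA support.
SAMPLE_NO_DMA='/dev/hdb:
Model=OLD PIO DRIVE, FwRev=1.0, SerialNo=0000
BuffType=DualPort, BuffSize=128kB, MaxMultSect=8, MultSect=off
DblWordIO=no, OldPIO=2, DMA=no
PIO modes: mode3'

# Largest multiple-sector count the drive reports (empty if none).
max_mult_sect() {
    printf '%s\n' "$1" | sed -n 's/.*MaxMultSect=\([0-9]*\).*/\1/p' | head -n 1
}

# Highest UDMA mode on the "UDMA modes:" line, or -1 when the drive has no
# such line. The "*" marks the mode currently selected and is ignored.
max_udma_mode() {
    line=$(printf '%s\n' "$1" | sed -n 's/^UDMA modes: *//p' | tr -d '*')
    if [ -z "$line" ]; then
        printf '%s\n' -1
    else
        last=${line##* }          # last word, e.g. "mode4"
        printf '%s\n' "${last#mode}"
    fi
}

# Highest multiword DMA mode on the ", DMA modes:" line, or -1 if absent.
max_mword_mode() {
    line=$(printf '%s\n' "$1" | sed -n 's/.*, DMA modes: *//p' | tr -d '*')
    if [ -z "$line" ]; then
        printf '%s\n' -1
    else
        last=${line##* }          # e.g. "mword2"
        printf '%s\n' "${last#mword}"
    fi
}

# hdparm -X encoding: 64+n selects UDMA mode n, 32+n multiword DMA mode n
# (the chapter's -X68, -X66 and -X34 are exactly these values).
transfer_mode_flag() {
    udma=$(max_udma_mode "$1")
    if [ "$udma" -ge 0 ]; then
        printf '%s\n' "-X$((64 + udma))"
        return 0
    fi
    mw=$(max_mword_mode "$1")
    if [ "$mw" -ge 0 ]; then
        printf '%s\n' "-X$((32 + mw))"
        return 0
    fi
    return 1
}

# Build the rc.local command line for one device. DMA flags are emitted
# only when the drive reports DMA=yes; a PIO-only drive gets just the
# 32-bit I/O and multiple-sector settings, never a forced -d1.
build_hdparm_cmd() {
    info=$1
    dev=$2
    cmd="/sbin/hdparm -q -c3"
    case "$info" in
        *DMA=yes*)
            if xfer=$(transfer_mode_flag "$info"); then
                cmd="$cmd -d1 $xfer"
            fi
            ;;
    esac
    m=$(max_mult_sect "$info")
    if [ -n "$m" ] && [ "$m" -gt 0 ]; then
        cmd="$cmd -m$m"
    fi
    printf '%s\n' "$cmd $dev"
}

build_hdparm_cmd "$SAMPLE_HDPARM_I" /dev/hda
build_hdparm_cmd "$SAMPLE_NO_DMA" /dev/hdb
```

The "EXTREME CAUTION" flags of Steps 7 to 10 (-a16 -u1 -W1 -k1 -K1) are deliberately left for the administrator to append by hand.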


Kernel Security & Optimization
CHAPTER 6

6 Security and Optimization - Kernel Security & Optimization
In this Chapter

Making an emergency boot floppy
Checking the /boot partition of Linux
Tuning the Kernel
Applying the Openwall kernel patch
Cleaning up the Kernel
Configuring the Kernel
Compiling the Kernel
Installing the Kernel
Reconfiguring /etc/modules.conf file
Delete programs, edit files pertaining to modules
Remounting the /boot partition of Linux as read-only
Rebooting your system to load the new kernel
Making a new rescue floppy for Modularized Kernel
Making an emergency boot floppy disk for Monolithic Kernel
Optimizing Kernel


Linux Kernel

Abstract
Well, our Linux server seems to be getting in shape now! But wait, what is the most important part
of our server? Yes, it's the kernel. The Linux kernel is the core of our operating system, and
without it there is no Linux at all. So we must take care of our kernel and configure it to fit our
needs and compile just the features we really need.
The new generation of Linux Kernel 2.4 was seemingly written with the server in mind. Many of
the old limits, which prevented Linux adoption in the "enterprise" market, have been lifted. The
first thing to do next is to build a kernel that best suits your system. It's very simple to do but, in
any case, refer to the README file in the /usr/src/linux source directory after uncompressing
the archive on your system. When configuring your kernel only compile in code that you need and
use. A few main reasons that come to mind are:

* The Kernel will be faster (less code to run),
* You will have more memory (Kernel parts are NEVER swapped to the virtual memory),
* More stable (Ever probed for a non-existent card?),
* Unnecessary parts can be used by an attacker to gain access to the machine or other
machines on the network.
* Modules are also slower than support compiled directly in the kernel.

In our configuration and compilation we will firstly show you how to build a monolithic kernel,
which is the recommended method for better performance, and a modularized kernel for easy
portability between different Linux systems. Monolithic kernel means to only answer yes or no to
the questions (don't make anything modular) and omit the steps: make modules and make
modules_install.
Unfortunately with the Linux kernel 2.4 generation, patching our new kernel with the buffer overflow
protection from Openwall kernel patches will not work since the Openwall project announced that
Linux 2.4 is NOT going to be supported until 2.4.10 or so. Patches for the Linux kernel exist, like
Solar Designer's non-executable stack patch, which disallows the execution of code on the stack,
making a number of buffer overflow attacks harder - and defeating completely a number of
current exploits used by "script kiddies" worldwide.

These installation instructions assume
Commands are Unix-compatible.
The source path is /usr/src.
Installations were tested on Red Hat Linux 7.1.
All steps in the installation will happen using the super-user account "root".
Latest Kernel version number is 2.4.5
Latest Secure Linux Kernel Patches version number is not available with this kernel.


Packages
The following are based on information as listed by The Linux Kernel Archives as of 2001/05/26
and by the Openwall project as of 2001/05/26. Please regularly check at www.kernel.org and
www.openwall.com/linux/ for the latest status.
Pristine source code is available from:
Kernel Homepage: http://www.kernel.org/
Kernel FTP Site: 209.10.41.242
You must be sure to download: linux-2.4.5.tar.gz

Secure Linux Kernel Patches Homepage: http://www.openwall.com/linux/
Secure Linux Kernel Patches FTP Site: 195.42.162.180
You must be sure to download: Not available at this time.

Prerequisites
Depending on whether you want a firewall or users quota support with your system, the Linux
Kernel requires that the listed software below be already installed on your system to be able to
compile successfully. If this is not the case, you must install them from your Linux CD-ROM or
source archive files. Please make sure you have all of these programs installed on your system
before proceeding with this chapter.

* iptables package, is the new secure and more powerful program used by Linux to set
up firewalls as well as IP masquerading in your system. Install this package if you want
to support Firewalls in your server.

* quota package, is a system administration tool for monitoring and limiting users' and/or
groups' disk usage, per file system. Install this package if you want a tool to control users'
directory sizes in your server.

* To verify if the iptables package is installed on your system, use the command:
[root@deep /]# rpm -q iptables
package iptables is not installed

* To verify if the quota package is installed on your system, use the command:
[root@deep /]# rpm -q quota
package quota is not installed

* To mount your CD-ROM drive before installing the required packages, use the command:
[root@deep /]# mount /dev/cdrom /mnt/cdrom/
hda: ATAPI 32X CD-ROM drive, 128kB Cache
mount: block device /dev/cdrom is write-protected, mounting read-only

* To install the iptables package on your Linux system, use the following command:
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh iptables-version.i386.rpm
iptables ##################################################

* To install the quota package on your Linux system, use the following command:
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh quota-version.i386.rpm
quota ##################################################


NOTE: For more information on Iptables Netfilter Firewall configuration or quota software, see
their related chapters further down in this book.

Making an emergency boot floppy
The first pre-install step is to make an emergency boot floppy. Linux has a small utility named
mkbootdisk to do this. The first step is to find out what kernel version you are currently using.
Check out your /etc/lilo.conf file and see which image was booted from and from this
image we can find the kernel version we need to make our emergency boot floppy. In my
example, I have the following in the lilo.conf file.

[root@deep /]# cat /etc/lilo.conf
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
timeout=00
default=linux
restricted
password=mypasswd

image=/boot/vmlinuz-2.4.2-2          <-- the kernel version
        label=linux                  <-- the image we booted from
        initrd=/boot/initrd-2.4.2-2.img
        read-only
        root=/dev/sda6

Now you'll need to find the image that you booted from. On a standard new first install, it will be
the one labeled linux. In the above example we show that the machine booted using the
/boot/vmlinuz-2.4.2-2 original kernel version of the system. Now we simply need to put a
formatted 1.44 floppy in our system and execute the following command as root:

[root@deep /]# mkbootdisk --device /dev/fd0H1440 2.4.2-2
Insert a disk in /dev/fd0. Any information on the disk will be lost.
Press <Enter> to continue or ^C to abort:

Following these guidelines, you will now have a boot floppy with a known working kernel in case
of problems with the upgrade. I recommend rebooting the system with the floppy to make sure
that the floppy works correctly.
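The version string that mkbootdisk needs can be read out of /etc/lilo.conf instead of by eye. The function below is an added example, not from the book; it assumes the image is named /boot/vmlinuz-<version> as above and that each image stanza carries a label, and it parses a constructed copy of the lilo.conf just shown.

```shell
#!/bin/sh
# Added example (not from the book): find the kernel version that lilo boots
# by default, so mkbootdisk can be given the right version string.

# Constructed sample: the /etc/lilo.conf listed above.
SAMPLE_LILO_CONF='boot=/dev/sda
map=/boot/map
install=/boot/boot.b
timeout=00
default=linux
restricted
password=mypasswd

image=/boot/vmlinuz-2.4.2-2
        label=linux
        initrd=/boot/initrd-2.4.2-2.img
        read-only
        root=/dev/sda6'

# Print the version suffix of the image selected by "default=" (or of the
# first image stanza when no default is given). Fails when the default
# label has no image stanza or the image is not named .../vmlinuz-<version>.
default_kernel_version() {
    printf '%s\n' "$1" | awk -F= '
        { gsub(/[ \t]/, "", $0) }        # drop indentation and spaces around "="
        /^default=/ { want = $2 }
        /^image=/   { img = $2; if (first == "") first = img }
        /^label=/   { image_of[$2] = img }   # remember label -> image stanza
        END {
            if (want != "" && (want in image_of)) found = image_of[want]
            else if (want == "") found = first
            if (found == "" || found !~ /vmlinuz-/) exit 1
            sub(/^.*vmlinuz-/, "", found)
            print found
        }'
}

# Wrapper for the mkbootdisk step above (hypothetical helper): it refuses to
# run rather than guessing when the version cannot be determined.
make_emergency_floppy() {
    ver=$(default_kernel_version "$(cat /etc/lilo.conf)") || return 1
    mkbootdisk --device /dev/fd0H1440 "$ver"
}

default_kernel_version "$SAMPLE_LILO_CONF"
```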

Checking the /boot partition of Linux
It is important before going into the compilation and installation of a new kernel to check if the
/boot file system of Linux is mounted as read-write. If you have followed the steps described in the
chapter related to "General System Security" under the section named "Mounting the /boot
directory of Linux as read-only", then your /boot file system is mounted as read-only. In this
case we must remount it as read-write or you will not be able to install the new kernel on the
system. To remount the /boot partition as read-write, follow the simple steps below.

Step 1
* Edit the fstab file (vi /etc/fstab) and change the line:

LABEL=/boot    /boot    ext2    defaults,ro    1 2

To read:

LABEL=/boot    /boot    ext2    defaults    1 2

We remove the "ro" option (read-only) from this line to specify to mount this partition as
read-write.

Step 2
Make the Linux system aware about the modification you have made to the /etc/fstab file.

* This can be accomplished with the following command:
[root@deep /]# mount /boot -oremount

* Then test your results or check the state of your /boot partition with the command:
[root@deep /]# cat /proc/mounts
/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext2 rw 0 0
/dev/sda10 /cache ext2 rw,nodev 0 0
/dev/sda9 /chroot ext2 rw 0 0
/dev/sda8 /home ext2 rw,nosuid 0 0
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0
/dev/sda7 /usr ext2 rw 0 0
/dev/sda11 /var ext2 rw 0 0
/dev/sda12 /var/lib ext2 rw 0 0
none /dev/pts devpts rw 0 0

If you see something like: /dev/sda1 /boot ext2 rw 0 0, congratulations!

Tuning the Kernel
Ok first of all, it is important to copy the new kernel tar archive in the appropriate location on your
server (/usr/src) and then remove the old kernel from your system before installing a new one.
Removing the old kernel before installing the new one will not freeze your computer until you try to
reboot it, because the running Linux kernel resides in memory.

Step 1
We must copy the archive file of the kernel to the /usr/src directory and move to this directory.

* To copy the tar archive of the Linux kernel to the /usr/src directory, use the command:
[root@deep /]# cp linux-version.tar.gz /usr/src/

* To move to the /usr/src directory, use the following command:
[root@deep /]# cd /usr/src/

Step 2
Depending on how the Linux Kernel has been previously installed on your system, there are two
possibilities to uninstall it as shown below.

If you already have installed a Linux kernel with a tar archive before
These steps are required only if you already have installed a Linux kernel with a tar archive
before. If it is a first, fresh install of the Linux kernel, then instead uninstall the
kernel-headers-version.i386.rpm and kernel-version.i386.rpm packages that are on your system.

* Move to the /usr/src directory if you are not already in it with the following command:
[root@deep /]# cd /usr/src/

* Remove the Linux symbolic link with the following command:
[root@deep src]# rm -f linux

* Remove the Linux kernel headers directory with the following command:
[root@deep src]# rm -rf linux-2.4.x/

* Remove the Linux kernel with the following command:
[root@deep src]# rm -f /boot/vmlinuz-2.4.x

* Remove the Linux System.map file with the following command:
[root@deep src]# rm -f /boot/System.map-2.4.x

* Remove the Linux kernel modules directory (if available) with the following command:
[root@deep src]# rm -rf /lib/modules/2.4.x/

NOTE: Removing the old kernel modules is required only if you have installed a modularized
kernel version before. If the modules directory doesn't exist under the /lib/modules
directory, it's because your old kernel version is not a modularized kernel.

If the original kernel's RPM packages are installed on your system
If the original kernel RPM packages are installed on your system instead of the Linux kernel tar
archive, because you have just finished installing your new Linux system, or have used an RPM
package before to upgrade your Linux system, then use the following command to uninstall the
Linux kernel:

* You can verify which kernel RPM packages are installed on your system with the
following command:
[root@deep src]# rpm -qa | grep kernel
kernel-2.4.2-2
kernel-headers-2.4.2-2

The above command shows us that kernel and kernel-headers are the only kernel RPM
packages installed on our system. We uninstall them as shown below.

* To uninstall the Linux kernel RPM, use the following command:
[root@deep src]# rpm -e --nodeps kernel kernel-headers

NOTE: If you receive an error message like: cannot remove /lib/modules/2.4.x
directory, directory not empty, then remove the directory manually with a command like:
rm -rf /lib/modules/2.4.x/ from your system. This directory is related to the old kernel
and it is not required for the new kernel we want to install.


Step 3
Once we have uninstalled the old kernel and after our new kernel tar archive has been copied to
the /usr/src directory, we must uncompress it and remove the tar archive (linux-version.tar.gz)
from the system if we wish to conserve disk space.

* To uncompress the kernel, use the following command:
[root@deep src]# tar xzpf linux-version.tar.gz

* To remove the kernel tar archive from the system, use the following command:
[root@deep src]# rm -f linux-version.tar.gz

WARNING: If kernel compilation is something new for you, then it is recommended to keep the
kernel tar archive (linux-version.tar.gz) until the end of the installation. In this way, if you
make some mistake during compilation, you always have the source available to try again.

Step 4
Ok, the old kernel has been uninstalled from our system; we have copied the new one to its
appropriate location and uncompressed it. Now, we must tune our new Linux kernel to the
maximum of its capabilities. All optimizations shown below are just an increase of the default
kernel parameters.

* Edit the sem.h file (vi +66 /usr/src/linux/include/linux/sem.h) and change
the following parameter:

#define SEMMNI  128             /* <= IPCMNI max # of semaphore identifiers */

To read:

#define SEMMNI  512             /* <= IPCMNI max # of semaphore identifiers */

* Edit the printk.c file (vi +26 /usr/src/linux/kernel/printk.c) and change
the following parameter:

#define LOG_BUF_LEN (16384)

To read:

#define LOG_BUF_LEN (65536)

Step 5
Finally, we must instruct the kernel to fit our specific CPU architecture and optimization flags.
Depending on your CPU architecture and optimization flags, this step will improve the
performance of the kernel. As an example with a PII 400MHz the BogoMIPS will become 799.54
instead of the default number of 400.00. Also take note that it is not because BogoMIPS shows
you a number of 799.54 for a 400MHz CPU that your processor now runs at this speed. The
BogoMIPS result can only be considered a rough benchmark, since BogoMIPS has always been a
meaningless measurement.

* Edit the Makefile file (vi +19 /usr/src/linux/Makefile) and change the line:

HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer

To read:

HOSTCFLAGS = -Wall -Wstrict-prototypes -O3 -funroll-loops -fomit-frame-pointer

* Edit the Makefile file (vi +90 /usr/src/linux/Makefile) and change the line:

CFLAGS := $(CPPFLAGS) -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing

To read:

CFLAGS := $(CPPFLAGS) -Wall -Wstrict-prototypes -O3 -funroll-loops -fomit-frame-pointer -fno-strict-aliasing

WARNING: These changes turn on aggressive optimization tricks that may or may not work with all
kernels. Please, if the optimization flags above do not work for you, don't try to force them to work. I
wouldn't want to make your system unstable like Microsoft Windows. Also take note that we are
not specifying the "-march=i686" option in the above lines, since the kernel will add this option
automatically during compilation according to the processor you choose during kernel configuration.
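Steps 4 and 5 are three hand edits in vi. The script below is an added example, not the book's own procedure: it makes the same three edits with sed, but only after checking that each target line still carries the stock value quoted above, so a repeated run or a different kernel version fails instead of silently producing a wrong edit. The miniature source tree it edits is constructed in a temporary directory from the three lines shown in these steps.

```shell
#!/bin/sh
# Added example (not from the book): apply the Step 4 and Step 5 edits to a
# kernel tree only when each target line still holds the stock value.

# Rewrite "#define NAME OLD" to "#define NAME NEW" in FILE. Returns 1 if
# NAME is not defined exactly once or does not currently hold OLD.
# OLD/NEW are taken literally; NEW must not contain "/" or "&".
bump_define() {
    file=$1 name=$2 old=$3 new=$4
    # escape characters that are special in a sed basic regular expression
    old_re=$(printf '%s' "$old" | sed 's|[][\.*^$/]|\\&|g')
    head_re="^\\(#define[[:space:]]\\{1,\\}$name[[:space:]]\\{1,\\}\\)$old_re"
    n=$(grep -c "^#define[[:space:]]\\{1,\\}$name[[:space:]]" "$file" || true)
    [ "$n" -eq 1 ] || return 1
    # the value must be followed by whitespace (a comment) or end the line
    grep -q "$head_re[[:space:]]" "$file" || grep -q "$head_re\$" "$file" || return 1
    tmp="$file.tmp.$$"
    sed -e "s/$head_re\\([[:space:]].*\\)\$/\\1$new\\2/" \
        -e "s/$head_re\$/\\1$new/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Step 5: raise -O2 to -O3 -funroll-loops on the HOSTCFLAGS and CFLAGS
# lines only; any other -O2 elsewhere in the Makefile is left alone.
tune_makefile() {
    file=$1
    grep -q '^HOSTCFLAGS[[:space:]]*=.*-O2 -fomit-frame-pointer' "$file" || return 1
    grep -q '^CFLAGS[[:space:]]*:=.*-O2 -fomit-frame-pointer' "$file" || return 1
    tmp="$file.tmp.$$"
    sed -e '/^HOSTCFLAGS[[:space:]]*=/s/-O2 -fomit-frame-pointer/-O3 -funroll-loops -fomit-frame-pointer/' \
        -e '/^CFLAGS[[:space:]]*:=/s/-O2 -fomit-frame-pointer/-O3 -funroll-loops -fomit-frame-pointer/' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply the chapter's three edits to the kernel tree rooted at $1
# (for a real system: /usr/src/linux).
tune_kernel_tree() {
    root=$1
    bump_define "$root/include/linux/sem.h" SEMMNI 128 512 || return 1
    bump_define "$root/kernel/printk.c" LOG_BUF_LEN '(16384)' '(65536)' || return 1
    tune_makefile "$root/Makefile"
}

# Constructed stand-in for /usr/src/linux holding only the lines this
# chapter edits; prints the directory it created.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/include/linux" "$root/kernel"
    printf '#define SEMMNI  128             /* <= IPCMNI max # of semaphore identifiers */\n' \
        > "$root/include/linux/sem.h"
    printf '#define LOG_BUF_LEN (16384)\n' > "$root/kernel/printk.c"
    printf 'HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer\n' > "$root/Makefile"
    printf 'CFLAGS := $(CPPFLAGS) -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing\n' \
        >> "$root/Makefile"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
tune_kernel_tree "$tree" && grep -h -e SEMMNI -e LOG_BUF_LEN -e FLAGS \
    "$tree/include/linux/sem.h" "$tree/kernel/printk.c" "$tree/Makefile"
rm -rf "$tree"
```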


Applying the Openwall kernel patch
The Secure Linux Kernel patches from the Openwall Project are a great way to prevent attacks
like Stack Buffer Overflows, and others. The Openwall patch is a collection of security-related
features for the Linux kernel, all configurable via the new "Security options" configuration
section that will be added to your new kernel.
This patch may change from version to version, and some may contain various other security
fixes. Unfortunately Openwall announced that Linux 2.4 is NOT going to be supported until 2.4.10
or so. Below, I'm continuing to show you how to apply this security patch to the kernel in the
eventuality that Openwall releases a patch for the kernel 2.4 generation. As you can see, I use a
fictitious version for my example.

New features of patch version linux-2.4.5-ow1.tar.gz are:
Non-executable user stack area
Restricted links in /tmp
Restricted FIFOs in /tmp
Restricted /proc
Special handling of fd 0, 1, and 2
Enforce RLIMIT_NPROC on execve(2)
Destroy shared memory segments not in use

WARNING: When applying the linux-2.4.5-ow1 patch, a new "Security options" section will be
added at the end of your kernel configuration. For more information and description of the
different features available with this patch, see the README file that comes with the source code of
the patch.

* To apply the Openwall Secure Kernel Patch to the Linux kernel, use the commands:
[root@deep /]# cp linux-2.4.5-ow1.tar.gz /usr/src/
[root@deep /]# cd /usr/src/
[root@deep src]# tar xzpf linux-2.4.5-ow1.tar.gz
[root@deep src]# cd linux-2.4.5-ow1/
[root@deep linux-2.4.5-ow1]# mv linux-2.4.5-ow1.diff /usr/src/
[root@deep linux-2.4.5-ow1]# cd ..
[root@deep src]# patch -p0 < linux-2.4.5-ow1.diff
[root@deep src]# rm -rf linux-2.4.5-ow1
[root@deep src]# rm -f linux-2.4.5-ow1.diff
[root@deep src]# rm -f linux-2.4.5-ow1.tar.gz

First we copy the program archive to the /usr/src directory, then we move to this directory and
uncompress the linux-2.4.5-ow1.tar.gz archive. We then move to the new uncompressed Linux
patch directory, move the file linux-2.4.5-ow1.diff containing the patch to /usr/src, return to
/usr/src and patch our kernel with the file linux-2.4.5-ow1.diff. Afterwards, we remove all files
related to the patch.

WARNING: All security messages related to the linux-2.4.5-ow1 patch, like the non-executable
stack part, should be logged to the log file /var/log/messages. The "Restricted links in /tmp"
feature of this patch will make mailing list software like Mailman not work properly on the system.
The "Destroy shared memory segments not in use" feature of this patch will make SQL databases
like PostgreSQL not work properly on the system, but this seems to be ok with the MySQL
database now. So if you use or intend to use one of these services, don't enable the
related feature during compilation of the Kernel.
The step of patching your new kernel is completed. Now follow the rest of this installation to build
the Linux kernel and reboot your system.

Cleaning up the Kernel
It is important to be sure that your /usr/include/asm, and /usr/include/linux
subdirectories are just symlinks to the kernel sources.

Step 1
The asm, and linux subdirectories are soft links to the real include kernel source header
directories needed for our Linux architecture, for example /usr/src/linux/include/asm-i386
for asm.

* To symlink the asm, and linux subdirectories to the kernel sources, type the following
commands on your terminal:
[root@deep src]# cd /usr/include/
[root@deep include]# rm -f asm linux
[root@deep include]# ln -s /usr/src/linux/include/asm-i386 asm
[root@deep include]# ln -s /usr/src/linux/include/linux linux

This is a very important part of the configuration: we remove the asm, and linux directories
under /usr/include then rebuild new links that point to the same name directories under the
new Linux kernel source version directory. The /usr/include directory contains important
header files needed by your Linux kernel and programs to be able to compile on your system.

WARNING: If the previously installed kernel in your system was made by RPM packages, then the
asm and linux soft links will not exist since the uninstall of the kernel-headers RPM package
removes them automatically for you. Don't forget to create them.

Step 2
Make sure you have no stale .o files and dependencies lying around.

* To be sure that we have no stale .o files and dependencies lying around, type the
following commands on your terminal:
[root@deep include]# cd /usr/src/linux/
[root@deep linux]# make mrproper

NOTE: These two steps above simply clean up anything that might have accidentally been left in
the source tree by the development team.

You should now have the sources correctly installed. You can configure the Linux kernel in one of
three ways. The first method is to use the make config command. It provides you with a text-
based interface for answering all the configuration options. You are prompted for all the options
you need to set up your kernel.
The second method is to use the make menuconfig command, which provides all the kernel
options in an easy-to-use menu. The third is to use the make xconfig command (only available
if the graphical interface of Linux is installed on the system), which provides a full graphical
interface to all the kernel options.

Step 3
For configuration in this chapter, you will use the make config command because we have not
installed the XFree86 Window Interface on our Linux server or the necessary packages to use the
make menuconfig command.

* Type the following commands on your terminal to load the kernel configuration:
[root@deep /]# cd /usr/src/linux/
(if you are not already in this directory).

[root@deep linux]# make config
rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
/bin/sh scripts/Configure arch/i386/config.in
#
# Using defaults found in arch/i386/defconfig
#

Configuring the Kernel
As soon as you enter make config at the prompt as described in the previous step, a list of
kernel configurable options will be displayed for you to choose to configure the kernel; you must
indicate what features and device drivers you want to include in your Linux system and select
how to include support for specific devices. Typically, for each configuration option, you have to
respond with one of the following choices:

[y] To compile into the kernel and always be loaded.
[m] To use a module for that feature and load that segment of code on demand.
[n] To skip and exclude the support for that specific device from the kernel.

WARNING: It is important to note that a capital N or Y in the choices means the default choice. If a
device does not have a modular device driver, you will not see the [m] option. Sometimes a [?]
option will appear in the choices. This means that you can get more information about the feature
when you type the ? + ENTER key. Choosing the [?] help option will open another terminal
describing the option.

Monolithic kernel configuration
As we know now, there are two possible different configurations for the kernel. The first is called a
monolithic kernel, the second is called a modularized kernel. Below we begin by
showing you the configuration of a monolithic kernel which is to compile the required code
and drivers directly into the kernel by answering the different kernel questions only by yes or no.

Don't forget to only compile code that you need and use.

A new kernel is very specific to your computer hardware; in the monolithic kernel
configuration part below we assume the following hardware for our example. Of course you must
change them to fit your system components.

1 Pentium-III 667 MHz (i686) processor
1 Motherboard Asus P3V4X Pro 133Mhz EIDE
1 Hard Disk Ultra ATA/66 EIDE
1 Chipset Apollo Pro133A
1 CD-ROM ATAPI IDE
1 Floppy Disk
2 Ethernet Cards 3COM 3c597 PCI 10/100
1 Mouse PS/2


If you don't want some options listed in the monolithic kernel configuration that I enable by
default, answer n (for no) instead of y (for yes) to the related questions. If you want some other
options that I disable, then answer y instead of n.

In the configuration below, we tune our kernel for a Pentium III family (i686) CPU, enable generic
firewall support so that the IPTABLES Netfilter firewall feature can be implemented on the system,
enable DMA support for the IDE disk drive and disable SCSI disk support. We configure the kernel
to work with a 3COM Ethernet card, and disable the insecure NFS services, USB technology and
sound features for our server. This kind of kernel configuration can be used for all kinds of Linux
servers except for a system which is supposed to run as a Gateway/Proxy Server by forwarding
packets.

rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
/bin/sh scripts/Configure arch/i386/config.in
#
# Using defaults found in arch/i386/defconfig
#
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [N/y/?]
*
* Loadable module support
*
Enable loadable module support (CONFIG_MODULES) [Y/n/?] n
*
* Processor type and features
*
Processor family (386, 486, 586/K5/5x86/6x86/6x86MX, Pentium-Classic, Pentium-MMX, Pentium-
Pro/Celeron/Pentium-II, Pentium-III, Pentium-4, K6/K6-II/K6-III, Athlon/K7, Crusoe, Winchip-C6, Winchip-2,
Winchip-2A/Winchip-3) [Pentium-III]
defined CONFIG_M686FXSR
Toshiba Laptop support (CONFIG_TOSHIBA) [N/y/?]
/dev/cpu/microcode - Intel IA32 CPU microcode support (CONFIG_MICROCODE) [N/y/?]
/dev/cpu/*/msr - Model-specific register support (CONFIG_X86_MSR) [N/y/?]
/dev/cpu/*/cpuid - CPU information support (CONFIG_X86_CPUID) [N/y/?]
High Memory Support (off, 4GB, 64GB) [off]
defined CONFIG_NOHIGHMEM
MTRR (Memory Type Range Register) support (CONFIG_MTRR) [N/y/?]
Symmetric multi-processing support (CONFIG_SMP) [Y/n/?] n
APIC and IO-APIC support on uniprocessors (CONFIG_X86_UP_IOAPIC) [N/y/?] (NEW) y
*
* General setup
*
Networking support (CONFIG_NET) [Y/n/?]
SGI Visual Workstation support (CONFIG_VISWS) [N/y/?]
PCI support (CONFIG_PCI) [Y/n/?]
PCI access mode (BIOS, Direct, Any) [Any]
defined CONFIG_PCI_GOANY
PCI device name database (CONFIG_PCI_NAMES) [Y/n/?] n
EISA support (CONFIG_EISA) [N/y/?]
MCA support (CONFIG_MCA) [N/y/?]
Support for hot-pluggable devices (CONFIG_HOTPLUG) [Y/n/?] n
System V IPC (CONFIG_SYSVIPC) [Y/n/?]
BSD Process Accounting (CONFIG_BSD_PROCESS_ACCT) [N/y/?]
Sysctl support (CONFIG_SYSCTL) [Y/n/?]
Kernel core (/proc/kcore) format (ELF, A.OUT) [ELF]
defined CONFIG_KCORE_ELF
Kernel support for a.out binaries (CONFIG_BINFMT_AOUT) [Y/n/?]
Kernel support for ELF binaries (CONFIG_BINFMT_ELF) [Y/n/?]

Kernel support for MISC binaries (CONFIG_BINFMT_MISC) [Y/n/?]
Power Management support (CONFIG_PM) [Y/n/?] n
*
* Memory Technology Devices (MTD)
*
Memory Technology Device (MTD) support (CONFIG_MTD) [N/y/?]
*
* Parallel port support
*
Parallel port support (CONFIG_PARPORT) [N/y/?]
*
* Plug and Play configuration
*
Plug and Play support (CONFIG_PNP) [Y/n/?] n
*
* Block devices
*
Normal PC floppy disk support (CONFIG_BLK_DEV_FD) [Y/m/n/?]
XT hard disk support (CONFIG_BLK_DEV_XD) [N/y/m/?]
Compaq SMART2 support (CONFIG_BLK_CPQ_DA) [N/y/m/?]
Compaq CISS Array support (CONFIG_BLK_CPQ_CISS_DA) [N/y/m/?]
Mylex DAC960/DAC1100 PCI RAID Controller support (CONFIG_BLK_DEV_DAC960) [N/y/m/?]
Loopback device support (CONFIG_BLK_DEV_LOOP) [N/y/m/?]
Network block device support (CONFIG_BLK_DEV_NBD) [N/y/m/?]
RAM disk support (CONFIG_BLK_DEV_RAM) [N/y/m/?]
*
* Multi-device support (RAID and LVM)
*
Multiple devices driver support (RAID and LVM) (CONFIG_MD) [N/y/?]
*
* Networking options
*
Packet socket (CONFIG_PACKET) [Y/m/n/?]
Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y
Kernel/User netlink socket (CONFIG_NETLINK) [N/y/?] y
Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y
Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) y
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y
Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) y
Socket Filtering (CONFIG_FILTER) [N/y/?]
Unix domain sockets (CONFIG_UNIX) [Y/m/n/?]
TCP/IP networking (CONFIG_INET) [Y/n/?]
IP: multicasting (CONFIG_IP_MULTICAST) [Y/n/?] n
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [N/y/?]
IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?]
IP: tunneling (CONFIG_NET_IPIP) [N/y/?]
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/?]
IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?]
IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [N/y/?] y
*
* IP: Netfilter Configuration
*
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/?] (NEW)
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/?] (NEW) y
limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/y/m/?] (NEW) y
MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/y/m/?] (NEW) y
netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/y/m/?] (NEW) y
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/y/m/?] (NEW) y
TOS match support (CONFIG_IP_NF_MATCH_TOS) [N/y/m/?] (NEW) y
tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) [N/y/?] (NEW) y
Packet filtering (CONFIG_IP_NF_FILTER) [N/y/m/?] (NEW) y
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/y/m/?] (NEW) y

Packet mangling (CONFIG_IP_NF_MANGLE) [N/y/m/?] (NEW) y
TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/y/m/?] (NEW) y
MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/y/m/?] (NEW) y
LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/y/m/?] (NEW) y
TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) [N/y/m/?] (NEW) y
*
*
*
The IPX protocol (CONFIG_IPX) [N/y/?]
Appletalk protocol support (CONFIG_ATALK) [N/y/?]
DECnet Support (CONFIG_DECNET) [N/y/?]
802.1d Ethernet Bridging (CONFIG_BRIDGE) [N/y/?]
*
* QoS and/or fair queuering
*
QoS and/or fair queuring (EXPERIMENTAL) (CONFIG_NET_SCHED) [N/y/?]
*
* Telephony Support
*
Linux telephony support (CONFIG_PHONE) [N/y/?]
*
* ATA/IDE/MFM/RLL support
*
ATA/IDE/MFM/RLL support (CONFIG_IDE) [Y/n/?]
*
* IDE, ATA and ATAPI Block devices
*
Enhanced IDE/MFM/RLL disk/cdrom/tape/floppy support (CONFIG_BLK_DEV_IDE) [Y/n/?]
*
* Please see Documentation/ide.txt for help/info on IDE drives
*
Use old disk-only driver on primary interface (CONFIG_BLK_DEV_HD_IDE) [N/y/?]
Include IDE/ATA-2 DISK support (CONFIG_BLK_DEV_IDEDISK) [Y/n/?]
Use multi-mode by default (CONFIG_IDEDISK_MULTI_MODE) [N/y/?]
Include IDE/ATAPI CDROM support (CONFIG_BLK_DEV_IDECD) [Y/n/?]
Include IDE/ATAPI TAPE support (CONFIG_BLK_DEV_IDETAPE) [N/y/?]
Include IDE/ATAPI FLOPPY support (CONFIG_BLK_DEV_IDEFLOPPY) [N/y/?]
SCSI emulation support (CONFIG_BLK_DEV_IDESCSI) [N/y/?]
*
* IDE chipset support/bugfixes
*
CMD640 chipset bugfix/support (CONFIG_BLK_DEV_CMD640) [Y/n/?] n
RZ1000 chipset bugfix/support (CONFIG_BLK_DEV_RZ1000) [Y/n/?] n
Generic PCI IDE chipset support (CONFIG_BLK_DEV_IDEPCI) [Y/n/?]
Sharing PCI IDE interrupts support (CONFIG_IDEPCI_SHARE_IRQ) [Y/n/?]
Generic PCI bus-master DMA support (CONFIG_BLK_DEV_IDEDMA_PCI) [N/y/?] y
Boot off-board chipsets first support (CONFIG_BLK_DEV_OFFBOARD) [N/y/?]
Use PCI DMA by default when available (CONFIG_IDEDMA_PCI_AUTO) [N/y/?] y
AEC62XX chipset support (CONFIG_BLK_DEV_AEC62XX) [N/y/?]
ALI M15x3 chipset support (CONFIG_BLK_DEV_ALI15X3) [N/y/?]
AMD Viper support (CONFIG_BLK_DEV_AMD7409) [N/y/?]
CMD64X chipset support (CONFIG_BLK_DEV_CMD64X) [N/y/?]
CY82C693 chipset support (CONFIG_BLK_DEV_CY82C693) [N/y/?]
Cyrix CS5530 MediaGX chipset support (CONFIG_BLK_DEV_CS5530) [N/y/?]
HPT34X chipset support (CONFIG_BLK_DEV_HPT34X) [N/y/?]
HPT366 chipset support (CONFIG_BLK_DEV_HPT366) [N/y/?]
Intel PIIXn chipsets support (CONFIG_BLK_DEV_PIIX) [N/y/?]
NS87415 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_NS87415) [N/y/?]
PROMISE PDC20246/PDC20262/PDC20267 support (CONFIG_BLK_DEV_PDC202XX) [N/y/?]
ServerWorks OSB4 chipset support (CONFIG_BLK_DEV_OSB4) [N/y/?]
SiS5513 chipset support (CONFIG_BLK_DEV_SIS5513) [N/y/?]
SLC90E66 chipset support (CONFIG_BLK_DEV_SLC90E66) [N/y/?]

Tekram TRM290 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_TRM290) [N/y/?]
VIA82CXXX chipset support (CONFIG_BLK_DEV_VIA82CXXX) [N/y/?] y
Other IDE chipset support (CONFIG_IDE_CHIPSETS) [N/y/?]
IGNORE word93 Validation BITS (CONFIG_IDEDMA_IVB) [N/y/?] (NEW)
*
* SCSI support
*
SCSI support (CONFIG_SCSI) [Y/n/?] n
*
* I2O device support
*
I2O support (CONFIG_I2O) [N/y/?]
*
* Network device support
*
Network device support (CONFIG_NETDEVICES) [Y/n/?]
*
* ARCnet devices
*
ARCnet support (CONFIG_ARCNET) [N/y/?]
Dummy net driver support (CONFIG_DUMMY) [Y/n/?]
Bonding driver support (CONFIG_BONDING) [N/y/?]
EQL (serial line load balancing) support (CONFIG_EQUALIZER) [N/y/?]
Universal TUN/TAP device driver support (CONFIG_TUN) [N/y/?]
General Instruments Surfboard 1000 (CONFIG_NET_SB1000) [N/y/?]
*
* Ethernet (10 or 100Mbit)
*
Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?]
3COM cards (CONFIG_NET_VENDOR_3COM) [N/y/?] y
3c501 "EtherLink" support (CONFIG_EL1) [N/y/?] (NEW)
3c503 "EtherLink II" support (CONFIG_EL2) [N/y/?] (NEW)
3c505 "EtherLink Plus" support (CONFIG_ELPLUS) [N/y/?] (NEW)
3c509/3c529 (MCA)/3c579 "EtherLink III" support (CONFIG_EL3) [N/y/?] (NEW)
3c515 ISA "Fast EtherLink" (CONFIG_3C515) [N/y/?] (NEW)
3c590/3c900 series (592/595/597) "Vortex/Boomerang" support (CONFIG_VORTEX) [N/y/?] (NEW) y
AMD LANCE and PCnet (AT1500 and NE2100) support (CONFIG_LANCE) [N/y/?]
Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) [N/y/?]
Racal-Interlan (Micom) NI cards (CONFIG_NET_VENDOR_RACAL) [N/y/?]
DEPCA, DE10x, DE200, DE201, DE202, DE422 support (CONFIG_DEPCA) [N/y/?]
HP 10/100VG PCLAN (ISA, EISA, PCI) support (CONFIG_HP100) [N/y/?]
Other ISA cards (CONFIG_NET_ISA) [N/y/?]
EISA, VLB, PCI and on board controllers (CONFIG_NET_PCI) [Y/n/?] n
Pocket and portable adapters (CONFIG_NET_POCKET) [N/y/?]
*
* Ethernet (1000 Mbit)
*
Alteon AceNIC/3Com 3C985/NetGear GA620 Gigabit support (CONFIG_ACENIC) [N/y/?]
Packet Engines Hamachi GNIC-II support (CONFIG_HAMACHI) [N/y/?]
SysKonnect SK-98xx support (CONFIG_SK98LIN) [N/y/?]
FDDI driver support (CONFIG_FDDI) [N/y/?]
PPP (point-to-point protocol) support (CONFIG_PPP) [N/y/?]
SLIP (serial line) support (CONFIG_SLIP) [N/y/?]
*
* Wireless LAN (non-hamradio)
*
Wireless LAN (non-hamradio) (CONFIG_NET_RADIO) [N/y/?]
*
* Token Ring devices
*
Token Ring driver support (CONFIG_TR) [N/y/?]
Fibre Channel driver support (CONFIG_NET_FC) [N/y/?]

*
* Wan interfaces
*
Wan interfaces support (CONFIG_WAN) [N/y/?]
*
* Amateur Radio support
*
Amateur Radio support (CONFIG_HAMRADIO) [N/y/?]
*
* IrDA (infrared) support
*
IrDA subsystem support (CONFIG_IRDA) [N/y/?]
*
* ISDN subsystem
*
ISDN support (CONFIG_ISDN) [N/y/?]
*
* Old CD-ROM drivers (not SCSI, not IDE)
*
Support non-SCSI/IDE/ATAPI CDROM drives (CONFIG_CD_NO_IDESCSI) [N/y/?]
*
* Input core support
*
Input core support (CONFIG_INPUT) [N/y/?]
*
* Character devices
*
Virtual terminal (CONFIG_VT) [Y/n/?]
Support for console on virtual terminal (CONFIG_VT_CONSOLE) [Y/n/?]
Standard/generic (8250/16550 and compatible UARTs) serial support (CONFIG_SERIAL) [Y/n/?]
Support for console on serial port (CONFIG_SERIAL_CONSOLE) [N/y/?]
Extended dumb serial driver options (CONFIG_SERIAL_EXTENDED) [N/y/?]
Non-standard serial port support (CONFIG_SERIAL_NONSTANDARD) [N/y/?]
Unix98 PTY support (CONFIG_UNIX98_PTYS) [Y/n/?]
Maximum number of Unix98 PTYs in use (0-2048) (CONFIG_UNIX98_PTY_COUNT) [256] 128
*
* I2C support
*
I2C support (CONFIG_I2C) [N/y/?]
*
* Mice
*
Bus Mouse Support (CONFIG_BUSMOUSE) [N/y/?]
Mouse Support (not serial and bus mice) (CONFIG_MOUSE) [Y/n/?]
PS/2 mouse (aka "auxiliary device") support (CONFIG_PSMOUSE) [Y/n/?]
C&T 82C710 mouse port support (as on TI Travelmate) (CONFIG_82C710_MOUSE) [N/y/?]
PC110 digitizer pad support (CONFIG_PC110_PAD) [N/y/?]
*
* Joysticks
*
QIC-02 tape support (CONFIG_QIC02_TAPE) [N/y/?]
*
* Watchdog Cards
*
Watchdog Timer Support (CONFIG_WATCHDOG) [N/y/?]
Intel i8x0 Random Number Generator support (CONFIG_INTEL_RNG) [N/y/?]
/dev/nvram support (CONFIG_NVRAM) [N/y/?]
Enhanced Real Time Clock Support (CONFIG_RTC) [N/y/?]
Double Talk PC internal speech card support (CONFIG_DTLK) [N/y/?]
Siemens R3964 line discipline (CONFIG_R3964) [N/y/?]
Applicom intelligent fieldbus card support (CONFIG_APPLICOM) [N/y/?]
*

* Ftape, the floppy tape device driver
*
Ftape (QIC-80/Travan) support (CONFIG_FTAPE) [N/y/?]
/dev/agpgart (AGP Support) (CONFIG_AGP) [Y/m/n/?] n
Direct Rendering Manager (XFree86 DRI support) (CONFIG_DRM) [Y/n/?] n
*
* Multimedia devices
*
Video For Linux (CONFIG_VIDEO_DEV) [N/y/?]
*
* File systems
*
Quota support (CONFIG_QUOTA) [N/y/?]
Kernel automounter support (CONFIG_AUTOFS_FS) [N/y/?]
Kernel automounter version 4 support (also supports v3) (CONFIG_AUTOFS4_FS) [Y/n/?] n
DOS FAT fs support (CONFIG_FAT_FS) [N/y/?]
Compressed ROM file system support (CONFIG_CRAMFS) [N/y/?]
Simple RAM-based file system support (CONFIG_RAMFS) [N/y/?]
ISO 9660 CDROM file system support (CONFIG_ISO9660_FS) [Y/n/?]
Microsoft Joliet CDROM extensions (CONFIG_JOLIET) [N/y/?]
Minix fs support (CONFIG_MINIX_FS) [N/y/?]
NTFS file system support (read only) (CONFIG_NTFS_FS) [N/y/?]
OS/2 HPFS file system support (CONFIG_HPFS_FS) [N/y/?]
/proc file system support (CONFIG_PROC_FS) [Y/n/?]
/dev/pts file system for Unix98 PTYs (CONFIG_DEVPTS_FS) [Y/n/?]
ROM file system support (CONFIG_ROMFS_FS) [N/y/?]
Second extended fs support (CONFIG_EXT2_FS) [Y/n/?]
System V and Coherent file system support (read only) (CONFIG_SYSV_FS) [N/y/?]
UDF file system support (read only) (CONFIG_UDF_FS) [N/y/?]
UFS file system support (read only) (CONFIG_UFS_FS) [N/y/?]
*
* Network File Systems
*
Coda file system support (advanced network fs) (CONFIG_CODA_FS) [N/y/?]
NFS file system support (CONFIG_NFS_FS) [Y/n/?] n
NFS server support (CONFIG_NFSD) [Y/n/?] n
SMB file system support (to mount Windows shares etc.) (CONFIG_SMB_FS) [N/y/?]
NCP file system support (to mount NetWare volumes) (CONFIG_NCP_FS) [N/y/?]
*
* Partition Types
*
Advanced partition selection (CONFIG_PARTITION_ADVANCED) [N/y/?]
*
* Console drivers
*
VGA text console (CONFIG_VGA_CONSOLE) [Y/n/?]
Video mode selection support (CONFIG_VIDEO_SELECT) [N/y/?]
*
* Sound
*
Sound card support (CONFIG_SOUND) [Y/n/?] n
*
(Security options will appear only if you have patched your kernel with the Openwall Project patch.)

* Security options
*
Non-executable user stack area (CONFIG_SECURE_STACK) [Y]
Autodetect and emulate GCC trampolines (CONFIG_SECURE_STACK_SMART) [Y]
Restricted links in /tmp (CONFIG_SECURE_LINK) [Y] n
Restricted FIFOs in /tmp (CONFIG_SECURE_FIFO) [Y]
Restricted /proc (CONFIG_SECURE_PROC) [N] y
Special handling of fd 0, 1, and 2 (CONFIG_SECURE_FD_0_1_2) [Y]
Enforce RLIMIT_NPROC on execve(2) (CONFIG_SECURE_RLIMIT_NPROC) [Y]

Destroy shared memory segments not in use (CONFIG_SECURE_SHM) [N]
*
* USB support
*
Support for USB (CONFIG_USB) [Y/n/?] n
*
* Kernel hacking
*
Magic SysRq key (CONFIG_MAGIC_SYSRQ) [N/y/?]
*** End of Linux kernel configuration.
*** Check the top-level Makefile for additional configuration.
*** Next, you must run 'make dep'.

WARNING:
If you want to enable IPTABLES support in the kernel, the iptables program must be installed first
or you will receive error messages during kernel compilation. This is because when iptables
support is enabled, the kernel will associate some part of the iptables program with its
configuration. Therefore don't forget to install IPTABLES before configuring the kernel with
IPTABLES support. Finally, the same warning is true for quota support in the kernel.
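A quick way to confirm that a finished .config really carries the answers given above (no loadable modules, Netfilter and iptables compiled in, SYN cookies on, NFS, USB, sound and SCSI off) is to audit it against a small policy list. The script below is an added example and not part of the book; the two .config fragments it writes are constructed for the demonstration, and the policy table can be edited for the modularized configuration later in this chapter (where y/m is acceptable for the Netfilter options).

```shell
#!/bin/sh
# Added example (not from the book): audit a 2.4 kernel .config against the
# answers given in the monolithic configuration above. In a .config, an
# enabled option is written "CONFIG_FOO=y" (or "=m"), a disabled one
# "# CONFIG_FOO is not set", and an absent option counts as disabled.

# Print the value of one option: y, m, a string/number, or n when it is
# unset or absent.
config_value() {
    file=$1; opt=$2
    line=$(grep -E "^(# )?${opt}(=| is not set)" "$file" 2>/dev/null | head -n 1)
    case $line in
        "${opt}="*) echo "${line#"${opt}="}" ;;
        *)          echo n ;;
    esac
}

# Policy taken from the monolithic answers above, one rule per line:
# OPTION|allowed values separated by "/"|why it matters.
MONOLITHIC_POLICY='
CONFIG_MODULES|n|monolithic kernel: no loadable module support
CONFIG_NETFILTER|y|netfilter is required for the iptables firewall
CONFIG_IP_NF_IPTABLES|y|iptables support compiled into the kernel
CONFIG_IP_NF_FILTER|y|packet filtering table
CONFIG_IP_NF_TARGET_LOG|y|LOG target so dropped packets can be logged
CONFIG_SYN_COOKIES|y|protection against SYN flooding
CONFIG_NFS_FS|n|insecure NFS client disabled
CONFIG_NFSD|n|insecure NFS server disabled
CONFIG_USB|n|USB not needed on a server
CONFIG_SOUND|n|sound not needed on a server
CONFIG_SCSI|n|no SCSI hardware in this example
'

# Compare every rule against the file; print one OK/MISMATCH line per rule.
audit_config() {
    file=$1; policy=$2
    printf '%s\n' "$policy" | while IFS='|' read -r opt allowed why; do
        [ -n "$opt" ] || continue
        actual=$(config_value "$file" "$opt")
        case "/$allowed/" in
            */"$actual"/*) printf 'OK       %s=%s\n' "$opt" "$actual" ;;
            *) printf 'MISMATCH %s=%s (wanted %s: %s)\n' \
                   "$opt" "$actual" "$allowed" "$why" ;;
        esac
    done
}

# Number of MISMATCH lines, printed as a plain number.
count_mismatches() {
    audit_config "$1" "$2" | grep -c '^MISMATCH' || true
}

# Two constructed .config fragments (not real build output): one following
# the monolithic answers above, one left at typical distribution defaults.
write_sample_configs() {
    dir=$1
    cat > "$dir/hardened.config" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_NET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_SYN_COOKIES=y
# CONFIG_NFS_FS is not set
# CONFIG_NFSD is not set
# CONFIG_USB is not set
# CONFIG_SOUND is not set
# CONFIG_SCSI is not set
CONFIG_UNIX98_PTY_COUNT=128
EOF
    cat > "$dir/default.config" <<'EOF'
CONFIG_MODULES=y
CONFIG_NET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_SYN_COOKIES is not set
CONFIG_NFS_FS=y
CONFIG_NFSD=y
CONFIG_USB=y
CONFIG_SOUND=y
CONFIG_SCSI=y
EOF
}

# Demonstration: audit both fragments and report the mismatch counts.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for cfg in hardened default; do
    echo "== $cfg.config =="
    audit_config "$demo_dir/$cfg.config" "$MONOLITHIC_POLICY"
    echo "mismatches: $(count_mismatches "$demo_dir/$cfg.config" "$MONOLITHIC_POLICY")"
done
rm -rf "$demo_dir"
```

Run it against the real file with `audit_config /usr/src/linux/.config "$MONOLITHIC_POLICY"` once `make config` has finished; a MISMATCH line names the option, its current value and the reason the book's answer differs.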

Modularized kernel configuration
Building a kernel with modules (modularized kernel) has some advantages. It allows easy
portability between different Linux systems, since you can choose and build different parts of the
kernel as modules and load that segment of code on demand. Below we show you the
configuration of a modularized kernel, which compiles some needed code and drivers as modules
by answering the different questions with y, n or m. As for the previous monolithic kernel
configuration, don't forget to only compile code that you need and use.


A new kernel is very specific to your computer hardware. In the modularized kernel configuration
part below, we assume the following hardware for our example. Of course you must change these
to fit your system components.

1 Pentium II 400 MHz (i686) processor
1 SCSI Motherboard
1 SCSI Hard Disk
1 SCSI Controller Adaptec AIC 7xxx
1 CD-ROM ATAPI IDE
1 Floppy Disk
2 Ethernet Cards Intel EtherExpressPro 10/100
1 Mouse PS/2

If you don't want some options listed in the modularized kernel configuration that I enable by
default, answer n (for no) instead of y (for yes) or m (for modularized, if possible) to the related
questions. If you want some other options that I disable, then answer y or m instead of n.

In the configuration below, we have enabled loadable module support in the kernel, tuned our
kernel for a Pentium II family (i686) CPU, and enabled full Netfilter firewall support with
masquerading and forwarding. This is a perfect configuration if you want to run your system as a
Gateway/Proxy Server, since it will be capable of forwarding and redistributing network packets.
After that, we enable DMA support for IDE disk drives, since our CD-ROM in this example is an IDE
model (if your system is pure SCSI, you can disable support for IDE and DMA), and enable SCSI
disk support for the Adaptec AIC7xxx model. We configure the kernel to work with Intel
EtherExpressPro/100 network cards, and disable the insecure NFS services, USB technology and
sound features for our Linux server.

rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
/bin/sh scripts/Configure arch/i386/config.in
#
# Using defaults found in arch/i386/defconfig
#
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [N/y/?]
*
* Loadable module support
*
Enable loadable module support (CONFIG_MODULES) [Y/n/?]
Set version information on all module symbols (CONFIG_MODVERSIONS) [Y/n/?] n
Kernel module loader (CONFIG_KMOD) [Y/n/?]
*
* Processor type and features
*
Processor family (386, 486, 586/K5/5x86/6x86/6x86MX, Pentium-Classic, Pentium-MMX, Pentium-
Pro/Celeron/Pentium-II, Pentium-III, Pentium-4, K6/K6-II/K6-III, Athlon/K7, Crusoe, Winchip-C6, Winchip-2,
Winchip-2A/Winchip-3) [Pentium-III] Pentium-Pro/Celeron/Pentium-II
defined CONFIG_M686
Toshiba Laptop support (CONFIG_TOSHIBA) [N/y/m/?]
/dev/cpu/microcode - Intel IA32 CPU microcode support (CONFIG_MICROCODE) [N/y/m/?]
/dev/cpu/*/msr - Model-specific register support (CONFIG_X86_MSR) [N/y/m/?]
/dev/cpu/*/cpuid - CPU information support (CONFIG_X86_CPUID) [N/y/m/?]
High Memory Support (off, 4GB, 64GB) [off]
defined CONFIG_NOHIGHMEM
Math emulation (CONFIG_MATH_EMULATION) [N/y/?] (NEW)
MTRR (Memory Type Range Register) support (CONFIG_MTRR) [N/y/?]
Symmetric multi-processing support (CONFIG_SMP) [Y/n/?] n
APIC and IO-APIC support on uniprocessors (CONFIG_X86_UP_IOAPIC) [N/y/?] (NEW) y
*
* General setup
*
Networking support (CONFIG_NET) [Y/n/?]
SGI Visual Workstation support (CONFIG_VISWS) [N/y/?]
PCI support (CONFIG_PCI) [Y/n/?]
PCI access mode (BIOS, Direct, Any) [Any]
defined CONFIG_PCI_GOANY
PCI device name database (CONFIG_PCI_NAMES) [Y/n/?] n
EISA support (CONFIG_EISA) [N/y/?]
MCA support (CONFIG_MCA) [N/y/?]
Support for hot-pluggable devices (CONFIG_HOTPLUG) [Y/n/?] n
System V IPC (CONFIG_SYSVIPC) [Y/n/?]
BSD Process Accounting (CONFIG_BSD_PROCESS_ACCT) [N/y/?]
Sysctl support (CONFIG_SYSCTL) [Y/n/?]
Kernel core (/proc/kcore) format (ELF, A.OUT) [ELF]
defined CONFIG_KCORE_ELF
Kernel support for a.out binaries (CONFIG_BINFMT_AOUT) [Y/m/n/?]

Kernel support for ELF binaries (CONFIG_BINFMT_ELF) [Y/m/n/?]
Kernel support for MISC binaries (CONFIG_BINFMT_MISC) [Y/m/n/?]
Power Management support (CONFIG_PM) [Y/n/?] n
*
* Memory Technology Devices (MTD)
*
Memory Technology Device (MTD) support (CONFIG_MTD) [N/y/m/?]
*
* Parallel port support
*
Parallel port support (CONFIG_PARPORT) [N/y/m/?]
*
* Plug and Play configuration
*
Plug and Play support (CONFIG_PNP) [Y/m/n/?] n
*
* Block devices
*
Normal PC floppy disk support (CONFIG_BLK_DEV_FD) [Y/m/n/?]
XT hard disk support (CONFIG_BLK_DEV_XD) [N/y/m/?]
Compaq SMART2 support (CONFIG_BLK_CPQ_DA) [N/y/m/?]
Compaq CISS Array support (CONFIG_BLK_CPQ_CISS_DA) [N/y/m/?]
Mylex DAC960/DAC1100 PCI RAID Controller support (CONFIG_BLK_DEV_DAC960) [N/y/m/?]
Loopback device support (CONFIG_BLK_DEV_LOOP) [N/y/m/?]
Network block device support (CONFIG_BLK_DEV_NBD) [N/y/m/?]
RAM disk support (CONFIG_BLK_DEV_RAM) [N/y/m/?]
*
* Multi-device support (RAID and LVM)
*
Multiple devices driver support (RAID and LVM) (CONFIG_MD) [N/y/?]
*
* Networking options
*
Packet socket (CONFIG_PACKET) [Y/m/n/?]
Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y
Kernel/User netlink socket (CONFIG_NETLINK) [N/y/?] y
Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y
Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) y
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y
Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) y
Socket Filtering (CONFIG_FILTER) [N/y/?]
Unix domain sockets (CONFIG_UNIX) [Y/m/n/?]
TCP/IP networking (CONFIG_INET) [Y/n/?]
IP: multicasting (CONFIG_IP_MULTICAST) [Y/n/?] n
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [N/y/?] y
IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) [N/y/?] (NEW) y
IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) [N/y/?] (NEW) y
IP: fast network address translation (CONFIG_IP_ROUTE_NAT) [N/y/?] (NEW) y
IP: equal cost multipath (CONFIG_IP_ROUTE_MULTIPATH) [N/y/?] (NEW) y
IP: use TOS value as routing key (CONFIG_IP_ROUTE_TOS) [N/y/?] (NEW) y
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [N/y/?] (NEW) y
IP: large routing tables (CONFIG_IP_ROUTE_LARGE_TABLES) [N/y/?] (NEW) y
IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?]
IP: tunneling (CONFIG_NET_IPIP) [N/y/m/?]
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?]
IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?]
IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [N/y/?] y
*
* IP: Netfilter Configuration
*
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/m/?] (NEW) m
FTP protocol support (CONFIG_IP_NF_FTP) [N/m/?] (NEW) m

IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/m/?] (NEW) m
limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/m/?] (NEW) m
MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/m/?] (NEW) m
netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/m/?] (NEW) m
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/m/?] (NEW) m
TOS match support (CONFIG_IP_NF_MATCH_TOS) [N/m/?] (NEW) m
tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) [N/m/?] (NEW) m
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [N/m/?] (NEW) m
Packet filtering (CONFIG_IP_NF_FILTER) [N/m/?] (NEW) m
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/m/?] (NEW) m
Full NAT (CONFIG_IP_NF_NAT) [N/m/?] (NEW) m
MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) [N/m/?] (NEW) m
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT) [N/m/?] (NEW) m
Packet mangling (CONFIG_IP_NF_MANGLE) [N/m/?] (NEW) m
TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/m/?] (NEW) m
MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/m/?] (NEW) m
LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/m/?] (NEW) m
TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) [N/m/?] (NEW) m
ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_IPCHAINS) [N/y/m/?] (NEW)
ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_IPFWADM) [N/y/m/?] (NEW)
*
*
*
The IPX protocol (CONFIG_IPX) [N/y/m/?]
Appletalk protocol support (CONFIG_ATALK) [N/y/m/?]
DECnet Support (CONFIG_DECNET) [N/y/m/?]
802.1d Ethernet Bridging (CONFIG_BRIDGE) [N/y/m/?]
*
* QoS and/or fair queuering
*
QoS and/or fair queuring (EXPERIMENTAL) (CONFIG_NET_SCHED) [N/y/?]
*
* Telephony Support
*
Linux telephony support (CONFIG_PHONE) [N/y/m/?]
*
* ATA/IDE/MFM/RLL support
*
ATA/IDE/MFM/RLL support (CONFIG_IDE) [Y/m/n/?] m
*
* IDE, ATA and ATAPI Block devices
*
Enhanced IDE/MFM/RLL disk/cdrom/tape/floppy support (CONFIG_BLK_DEV_IDE) [M/n/?]
*
* Please see Documentation/ide.txt for help/info on IDE drives
*
Use old disk-only driver on primary interface (CONFIG_BLK_DEV_HD_IDE) [N/y/?]
Include IDE/ATA-2 DISK support (CONFIG_BLK_DEV_IDEDISK) [M/n/?]
Use multi-mode by default (CONFIG_IDEDISK_MULTI_MODE) [N/y/?]
Include IDE/ATAPI CDROM support (CONFIG_BLK_DEV_IDECD) [M/n/?]
Include IDE/ATAPI TAPE support (CONFIG_BLK_DEV_IDETAPE) [N/y/m/?]
Include IDE/ATAPI FLOPPY support (CONFIG_BLK_DEV_IDEFLOPPY) [N/y/m/?]
SCSI emulation support (CONFIG_BLK_DEV_IDESCSI) [N/y/m/?]
*
* IDE chipset support/bugfixes
*
CMD640 chipset bugfix/support (CONFIG_BLK_DEV_CMD640) [Y/n/?] n
RZ1000 chipset bugfix/support (CONFIG_BLK_DEV_RZ1000) [Y/n/?] n
Generic PCI IDE chipset support (CONFIG_BLK_DEV_IDEPCI) [Y/n/?]
Sharing PCI IDE interrupts support (CONFIG_IDEPCI_SHARE_IRQ) [Y/n/?]
Generic PCI bus-master DMA support (CONFIG_BLK_DEV_IDEDMA_PCI) [N/y/?] y
Boot off-board chipsets first support (CONFIG_BLK_DEV_OFFBOARD) [N/y/?]

Use PCI DMA by default when available (CONFIG_IDEDMA_PCI_AUTO) [N/y/?] y
AEC62XX chipset support (CONFIG_BLK_DEV_AEC62XX) [N/y/?]
ALI M15x3 chipset support (CONFIG_BLK_DEV_ALI15X3) [N/y/?]
AMD Viper support (CONFIG_BLK_DEV_AMD7409) [N/y/?]
CMD64X chipset support (CONFIG_BLK_DEV_CMD64X) [N/y/?]
CY82C693 chipset support (CONFIG_BLK_DEV_CY82C693) [N/y/?]
Cyrix CS5530 MediaGX chipset support (CONFIG_BLK_DEV_CS5530) [N/y/?]
HPT34X chipset support (CONFIG_BLK_DEV_HPT34X) [N/y/?]
HPT366 chipset support (CONFIG_BLK_DEV_HPT366) [N/y/?]
Intel PIIXn chipsets support (CONFIG_BLK_DEV_PIIX) [N/y/?]
NS87415 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_NS87415) [N/y/?]
PROMISE PDC20246/PDC20262/PDC20267 support (CONFIG_BLK_DEV_PDC202XX) [N/y/?]
ServerWorks OSB4 chipset support (CONFIG_BLK_DEV_OSB4) [N/y/?]
SiS5513 chipset support (CONFIG_BLK_DEV_SIS5513) [N/y/?]
SLC90E66 chipset support (CONFIG_BLK_DEV_SLC90E66) [N/y/?]
Tekram TRM290 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_TRM290) [N/y/?]
VIA82CXXX chipset support (CONFIG_BLK_DEV_VIA82CXXX) [N/y/?]
Other IDE chipset support (CONFIG_IDE_CHIPSETS) [N/y/?]
IGNORE word93 Validation BITS (CONFIG_IDEDMA_IVB) [N/y/?] (NEW)
*
* SCSI support
*
SCSI support (CONFIG_SCSI) [Y/m/n/?]
*
* SCSI support type (disk, tape, CD-ROM)
*
SCSI disk support (CONFIG_BLK_DEV_SD) [Y/m/n/?]
Maximum number of SCSI disks that can be loaded as modules (CONFIG_SD_EXTRA_DEVS) [40]
SCSI tape support (CONFIG_CHR_DEV_ST) [N/y/m/?]
SCSI OnStream SC-x0 tape support (CONFIG_CHR_DEV_OSST) [N/y/m/?]
SCSI CD-ROM support (CONFIG_BLK_DEV_SR) [N/y/m/?]
SCSI generic support (CONFIG_CHR_DEV_SG) [N/y/m/?]
*
* Some SCSI devices (e.g. CD jukebox) support multiple LUNs
*
Enable extra checks in new queueing code (CONFIG_SCSI_DEBUG_QUEUES) [Y/n/?] n
Probe all LUNs on each SCSI device (CONFIG_SCSI_MULTI_LUN) [Y/n/?] n
Verbose SCSI error reporting (kernel size +=12K) (CONFIG_SCSI_CONSTANTS) [Y/n/?] n
SCSI logging facility (CONFIG_SCSI_LOGGING) [N/y/?]
*
* SCSI low-level drivers
*
3ware Hardware ATA-RAID support (CONFIG_BLK_DEV_3W_XXXX_RAID) [N/y/m/?]
7000FASST SCSI support (CONFIG_SCSI_7000FASST) [N/y/m/?]
ACARD SCSI support (CONFIG_SCSI_ACARD) [N/y/m/?]
Adaptec AHA152X/2825 support (CONFIG_SCSI_AHA152X) [N/y/m/?]
Adaptec AHA1542 support (CONFIG_SCSI_AHA1542) [N/y/m/?]
Adaptec AHA1740 support (CONFIG_SCSI_AHA1740) [N/y/m/?]
Adaptec AIC7xxx support (CONFIG_SCSI_AIC7XXX) [N/y/m/?] y
Enable Tagged Command Queueing (TCQ) by default (CONFIG_AIC7XXX_TCQ_ON_BY_DEFAULT)
[N/y/?] (NEW) y
Maximum number of TCQ commands per device (CONFIG_AIC7XXX_CMDS_PER_DEVICE) [8] (NEW)
Collect statistics to report in /proc (CONFIG_AIC7XXX_PROC_STATS) [N/y/?] (NEW)
Delay in seconds after SCSI bus reset (CONFIG_AIC7XXX_RESET_DELAY) [5] (NEW)
AdvanSys SCSI support (CONFIG_SCSI_ADVANSYS) [N/y/m/?]
Always IN2000 SCSI support (CONFIG_SCSI_IN2000) [N/y/m/?]
AM53/79C974 PCI SCSI support (CONFIG_SCSI_AM53C974) [N/y/m/?]
AMI MegaRAID support (CONFIG_SCSI_MEGARAID) [N/y/m/?]
BusLogic SCSI support (CONFIG_SCSI_BUSLOGIC) [N/y/m/?]
Compaq Fibre Channel 64-bit/66Mhz HBA support (CONFIG_SCSI_CPQFCTS) [N/y/m/?]
DMX3191D SCSI support (CONFIG_SCSI_DMX3191D) [N/y/m/?]
DTC3180/3280 SCSI support (CONFIG_SCSI_DTC3280) [N/y/m/?]

EATA ISA/EISA/PCI (DPT and generic EATA/DMA-compliant boards) support (CONFIG_SCSI_EATA)
[N/y/m/?]
EATA-DMA [Obsolete] (DPT, NEC, AT&T, SNI, AST, Olivetti, Alphatronix) support
(CONFIG_SCSI_EATA_DMA) [N/y/m/?]
EATA-PIO (old DPT PM2001, PM2012A) support (CONFIG_SCSI_EATA_PIO) [N/y/m/?]
Future Domain 16xx SCSI/AHA-2920A support (CONFIG_SCSI_FUTURE_DOMAIN) [N/y/m/?]
GDT SCSI Disk Array Controller support (CONFIG_SCSI_GDTH) [N/y/m/?]
Generic NCR5380/53c400 SCSI support (CONFIG_SCSI_GENERIC_NCR5380) [N/y/m/?]
IBM ServeRAID support (CONFIG_SCSI_IPS) [N/y/m/?]
Initio 9100U(W) support (CONFIG_SCSI_INITIO) [N/y/m/?]
Initio INI-A100U2W support (CONFIG_SCSI_INIA100) [N/y/m/?]
NCR53c406a SCSI support (CONFIG_SCSI_NCR53C406A) [N/y/m/?]
NCR53c7,8xx SCSI support (CONFIG_SCSI_NCR53C7xx) [N/y/m/?]
NCR53C8XX SCSI support (CONFIG_SCSI_NCR53C8XX) [N/y/m/?]
SYM53C8XX SCSI support (CONFIG_SCSI_SYM53C8XX) [Y/m/n/?] n
PAS16 SCSI support (CONFIG_SCSI_PAS16) [N/y/m/?]
PCI2000 support (CONFIG_SCSI_PCI2000) [N/y/m/?]
PCI2220i support (CONFIG_SCSI_PCI2220I) [N/y/m/?]
PSI240i support (CONFIG_SCSI_PSI240I) [N/y/m/?]
Qlogic FAS SCSI support (CONFIG_SCSI_QLOGIC_FAS) [N/y/m/?]
Qlogic ISP SCSI support (CONFIG_SCSI_QLOGIC_ISP) [N/y/m/?]
Qlogic ISP FC SCSI support (CONFIG_SCSI_QLOGIC_FC) [N/y/m/?]
Qlogic QLA 1280 SCSI support (CONFIG_SCSI_QLOGIC_1280) [N/y/m/?]
Seagate ST-02 and Future Domain TMC-8xx SCSI support (CONFIG_SCSI_SEAGATE) [N/y/m/?]
Simple 53c710 SCSI support (Compaq, NCR machines) (CONFIG_SCSI_SIM710) [N/y/m/?]
Symbios 53c416 SCSI support (CONFIG_SCSI_SYM53C416) [N/y/m/?]
Tekram DC390(T) and Am53/79C974 SCSI support (CONFIG_SCSI_DC390T) [N/y/m/?]
Trantor T128/T128F/T228 SCSI support (CONFIG_SCSI_T128) [N/y/m/?]
UltraStor 14F/34F support (CONFIG_SCSI_U14_34F) [N/y/m/?]
UltraStor SCSI support (CONFIG_SCSI_ULTRASTOR) [N/y/m/?]
*
* I2O device support
*
I2O support (CONFIG_I2O) [N/y/m/?]
*
* Network device support
*
Network device support (CONFIG_NETDEVICES) [Y/n/?]
*
* ARCnet devices
*
ARCnet support (CONFIG_ARCNET) [N/y/m/?]
Dummy net driver support (CONFIG_DUMMY) [M/n/y/?]
Bonding driver support (CONFIG_BONDING) [N/y/m/?]
EQL (serial line load balancing) support (CONFIG_EQUALIZER) [N/y/m/?]
Universal TUN/TAP device driver support (CONFIG_TUN) [N/y/m/?]
General Instruments Surfboard 1000 (CONFIG_NET_SB1000) [N/y/m/?]
*
* Ethernet (10 or 100Mbit)
*
Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?]
3COM cards (CONFIG_NET_VENDOR_3COM) [N/y/?]
AMD LANCE and PCnet (AT1500 and NE2100) support (CONFIG_LANCE) [N/y/m/?]
Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) [N/y/?]
Racal-Interlan (Micom) NI cards (CONFIG_NET_VENDOR_RACAL) [N/y/?]
DEPCA, DE10x, DE200, DE201, DE202, DE422 support (CONFIG_DEPCA) [N/y/m/?]
HP 10/100VG PCLAN (ISA, EISA, PCI) support (CONFIG_HP100) [N/y/m/?]
Other ISA cards (CONFIG_NET_ISA) [N/y/?]
EISA, VLB, PCI and on board controllers (CONFIG_NET_PCI) [Y/n/?]
AMD PCnet32 PCI support (CONFIG_PCNET32) [N/y/m/?]
Apricot Xen-II on board Ethernet (CONFIG_APRICOT) [N/y/m/?]
CS89x0 support (CONFIG_CS89x0) [N/y/m/?]

DECchip Tulip (dc21x4x) PCI support (CONFIG_TULIP) [N/y/m/?]
Generic DECchip & DIGITAL EtherWORKS PCI/EISA (CONFIG_DE4X5) [N/y/m/?]
Digi Intl. RightSwitch SE-X support (CONFIG_DGRS) [N/y/m/?]
EtherExpressPro/100 support (CONFIG_EEPRO100) [Y/m/n/?]
National Semiconductor DP83810 series PCI Ethernet support (CONFIG_NATSEMI) [N/y/m/?]
PCI NE2000 and clones support (see help) (CONFIG_NE2K_PCI) [N/y/m/?]
RealTek RTL-8139 PCI Fast Ethernet Adapter support (CONFIG_8139TOO) [N/y/m/?]
SiS 900/7016 PCI Fast Ethernet Adapter support (CONFIG_SIS900) [N/y/m/?]
SMC EtherPower II (CONFIG_EPIC100) [N/y/m/?]
Sundance Alta support (CONFIG_SUNDANCE) [N/y/m/?]
TI ThunderLAN support (CONFIG_TLAN) [N/y/m/?]
VIA Rhine support (CONFIG_VIA_RHINE) [N/y/m/?]
Winbond W89c840 Ethernet support (CONFIG_WINBOND_840) [N/y/m/?]
Sun Happy Meal 10/100baseT PCI support (CONFIG_HAPPYMEAL) [N/y/m/?]
Pocket and portable adapters (CONFIG_NET_POCKET) [N/y/?]
*
* Ethernet (1000 Mbit)
*
Alteon AceNIC/3Com 3C985/NetGear GA620 Gigabit support (CONFIG_ACENIC) [N/y/m/?]
Packet Engines Hamachi GNIC-II support (CONFIG_HAMACHI) [N/y/m/?]
SysKonnect SK-98xx support (CONFIG_SK98LIN) [N/y/m/?]
FDDI driver support (CONFIG_FDDI) [N/y/?]
PPP (point-to-point protocol) support (CONFIG_PPP) [N/y/m/?]
SLIP (serial line) support (CONFIG_SLIP) [N/y/m/?]
*
* Wireless LAN (non-hamradio)
*
Wireless LAN (non-hamradio) (CONFIG_NET_RADIO) [N/y/?]
*
* Token Ring devices
*
Token Ring driver support (CONFIG_TR) [N/y/?]
Fibre Channel driver support (CONFIG_NET_FC) [N/y/?]
*
* Wan interfaces
*
Wan interfaces support (CONFIG_WAN) [N/y/?]
*
* Amateur Radio support
*
Amateur Radio support (CONFIG_HAMRADIO) [N/y/?]
*
* IrDA (infrared) support
*
IrDA subsystem support (CONFIG_IRDA) [N/y/m/?]
*
* ISDN subsystem
*
ISDN support (CONFIG_ISDN) [N/y/m/?]
*
* Old CD-ROM drivers (not SCSI, not IDE)
*
Support non-SCSI/IDE/ATAPI CDROM drives (CONFIG_CD_NO_IDESCSI) [N/y/?]
*
* Input core support
*
Input core support (CONFIG_INPUT) [N/y/m/?]
*
* Character devices
*
Virtual terminal (CONFIG_VT) [Y/n/?]
Support for console on virtual terminal (CONFIG_VT_CONSOLE) [Y/n/?]

Standard/generic (8250/16550 and compatible UARTs) serial support (CONFIG_SERIAL) [Y/m/n/?]
Support for console on serial port (CONFIG_SERIAL_CONSOLE) [N/y/?]
Extended dumb serial driver options (CONFIG_SERIAL_EXTENDED) [N/y/?]
Non-standard serial port support (CONFIG_SERIAL_NONSTANDARD) [N/y/?]
Unix98 PTY support (CONFIG_UNIX98_PTYS) [Y/n/?]
Maximum number of Unix98 PTYs in use (0-2048) (CONFIG_UNIX98_PTY_COUNT) [256] 128
*
* I2C support
*
I2C support (CONFIG_I2C) [N/y/m/?]
*
* Mice
*
Bus Mouse Support (CONFIG_BUSMOUSE) [N/y/m/?]
Mouse Support (not serial and bus mice) (CONFIG_MOUSE) [Y/m/n/?]
PS/2 mouse (aka "auxiliary device") support (CONFIG_PSMOUSE) [Y/n/?]
C&T 82C710 mouse port support (as on TI Travelmate) (CONFIG_82C710_MOUSE) [N/y/m/?]
PC110 digitizer pad support (CONFIG_PC110_PAD) [N/y/m/?]
*
* Joysticks
*
*
* Input core support is needed for joysticks
*
QIC-02 tape support (CONFIG_QIC02_TAPE) [N/y/m/?]
*
* Watchdog Cards
*
Watchdog Timer Support (CONFIG_WATCHDOG) [N/y/?]
Intel i8x0 Random Number Generator support (CONFIG_INTEL_RNG) [N/y/m/?]
/dev/nvram support (CONFIG_NVRAM) [N/y/m/?]
Enhanced Real Time Clock Support (CONFIG_RTC) [N/y/m/?]
Double Talk PC internal speech card support (CONFIG_DTLK) [N/y/m/?]
Siemens R3964 line discipline (CONFIG_R3964) [N/y/m/?]
Applicom intelligent fieldbus card support (CONFIG_APPLICOM) [N/y/m/?]
*
* Ftape, the floppy tape device driver
*
Ftape (QIC-80/Travan) support (CONFIG_FTAPE) [N/y/m/?]
/dev/agpgart (AGP Support) (CONFIG_AGP) [Y/m/n/?] n
Direct Rendering Manager (XFree86 DRI support) (CONFIG_DRM) [Y/n/?] n
*
* Multimedia devices
*
Video For Linux (CONFIG_VIDEO_DEV) [N/y/m/?]
*
* File systems
*
Quota support (CONFIG_QUOTA) [N/y/?]
Kernel automounter support (CONFIG_AUTOFS_FS) [N/y/m/?]
Kernel automounter version 4 support (also supports v3) (CONFIG_AUTOFS4_FS) [Y/m/n/?] n
DOS FAT fs support (CONFIG_FAT_FS) [N/y/m/?]
Compressed ROM file system support (CONFIG_CRAMFS) [N/y/m/?]
Simple RAM-based file system support (CONFIG_RAMFS) [N/y/m/?]
ISO 9660 CDROM file system support (CONFIG_ISO9660_FS) [Y/m/n/?] m
Microsoft Joliet CDROM extensions (CONFIG_JOLIET) [N/y/?]
Minix fs support (CONFIG_MINIX_FS) [N/y/m/?]
NTFS file system support (read only) (CONFIG_NTFS_FS) [N/y/m/?]
OS/2 HPFS file system support (CONFIG_HPFS_FS) [N/y/m/?]
/proc file system support (CONFIG_PROC_FS) [Y/n/?]
/dev/pts file system for Unix98 PTYs (CONFIG_DEVPTS_FS) [Y/n/?]
ROM file system support (CONFIG_ROMFS_FS) [N/y/m/?]

Second extended fs support (CONFIG_EXT2_FS) [Y/m/n/?]
System V and Coherent file system support (read only) (CONFIG_SYSV_FS) [N/y/m/?]
UDF file system support (read only) (CONFIG_UDF_FS) [N/y/m/?]
UFS file system support (read only) (CONFIG_UFS_FS) [N/y/m/?]
*
* Network File Systems
*
Coda file system support (advanced network fs) (CONFIG_CODA_FS) [N/y/m/?]
NFS file system support (CONFIG_NFS_FS) [Y/m/n/?] n
NFS server support (CONFIG_NFSD) [Y/m/n/?] n
SMB file system support (to mount Windows shares etc.) (CONFIG_SMB_FS) [N/y/m/?]
NCP file system support (to mount NetWare volumes) (CONFIG_NCP_FS) [N/y/m/?]
*
* Partition Types
*
Advanced partition selection (CONFIG_PARTITION_ADVANCED) [N/y/?]
*
* Console drivers
*
VGA text console (CONFIG_VGA_CONSOLE) [Y/n/?]
Video mode selection support (CONFIG_VIDEO_SELECT) [N/y/?]
*
* Sound
*
Sound card support (CONFIG_SOUND) [Y/m/n/?] n
(The Security options below will appear only if you have patched your kernel with the Openwall Project patch.)
*
* Security options
*
Non-executable user stack area (CONFIG_SECURE_STACK) [Y]
Autodetect and emulate GCC trampolines (CONFIG_SECURE_STACK_SMART) [Y]
Restricted links in /tmp (CONFIG_SECURE_LINK) [Y] n
Restricted FIFOs in /tmp (CONFIG_SECURE_FIFO) [Y]
Restricted /proc (CONFIG_SECURE_PROC) [N] y
Special handling of fd 0, 1, and 2 (CONFIG_SECURE_FD_0_1_2) [Y]
Enforce RLIMIT_NPROC on execve(2) (CONFIG_SECURE_RLIMIT_NPROC) [Y]
Destroy shared memory segments not in use (CONFIG_SECURE_SHM) [N]
*
* USB support
*
Support for USB (CONFIG_USB) [Y/m/n/?] n
*
* Kernel hacking
*
Magic SysRq key (CONFIG_MAGIC_SYSRQ) [N/y/?]
*** End of Linux kernel configuration.
*** Check the top-level Makefile for additional configuration.
*** Next, you must run 'make dep'.


WARNING: With the new kernel 2.4 and a SCSI system you don't have the choice to configure a modularized kernel, because of the option "Maximum number of SCSI disks that can be loaded as modules (CONFIG_SD_EXTRA_DEVS) [40]", which doesn't let us compile it directly into the kernel.

If you want to enable IPTABLES support in the kernel, the iptables program must be installed first or you will receive error messages during kernel compilation. This is because when iptables support is enabled, the kernel will associate some part of the iptables program with its configuration. Therefore don't forget to install IPTABLES before configuring the kernel with IPTABLES support. The same warning is true for quota support in the kernel.

Finally, it is important to note that the kernel configuration part related to "IP: Netfilter Configuration" has been configured as a loadable module in this example. This is because I want to show you a different kernel configuration than the first one for a monolithic kernel that you may have. With the kernel 2.4.x generation, we now have the possibility to compile all "IP: Netfilter Configuration" options related to Masquerading and Forwarding support directly into the kernel. Therefore it is for you to decide how you want to configure this part of the kernel for your system: you can configure it as modules, or compile it directly into the kernel.

Compiling the Kernel
This section applies to both monolithic kernels and modularized kernels. Now, return to the /usr/src/linux directory (if you are not already in it). You need to compile the new kernel. You do so by using the following command:

* To compile the Kernel, use the following command:
[root@deep linux]# make dep; make clean; make bzImage

This line contains three commands in one. The first one, make dep, actually takes your configuration and builds the corresponding dependency tree. This process determines what gets compiled and what doesn't. The next step, make clean, erases all previous traces of a compilation so as to avoid any mistakes in which the wrong version of a feature gets tied into the kernel. Finally, make bzImage does the full compilation of the kernel.

After the process is complete, the kernel is compressed and ready to be installed on your system. Before we can install the new kernel, we must know if we need to compile the corresponding modules. This is required ONLY if you said yes to "Enable loadable module support (CONFIG_MODULES)" and have compiled some options in the kernel configuration above as a module (see Modularized kernel configuration). In this case, you must execute the following commands:

* To compile the corresponding modules for your kernel, use the following commands:
[root@deep linux]# make modules
[root@deep linux]# make modules_install

WARNING: The make modules and make modules_install commands are required ONLY if you said yes to "Enable loadable module support (CONFIG_MODULES)" in your kernel configuration (see Modularized kernel configuration) because you want to build a modularized kernel.




Installing the Kernel
This section applies to both monolithic kernels and modularized kernels. OK, the kernel has been configured and compiled, and is now ready to be installed on your system. Below are the required steps to install all the necessary kernel components on your server.

Step 1
Copy the file /usr/src/linux/arch/i386/boot/bzImage from the kernel source tree to the /boot directory, and give it an appropriate new name.

* To copy the bzImage file to the /boot directory, use the following commands:
[root@deep /]# cd /usr/src/linux/ (if you are not already in it)
[root@deep linux]# cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.5

NOTE: An appropriate or recommended new name is something like vmlinuz-2.4.5; this is important if you want a new rescue floppy or emergency boot floppy made with the mkbootdisk tool, which has some specific requirements, for example vmlinuz-2.4.5 instead of vmlinuz-2.4.5.a.

Step 2
A new System.map file is generated when you compile a kernel; it is a list of all the addresses in that kernel and their corresponding symbols. Every time you create a new kernel, such a System.map file is created and saved in /usr/src/linux. In it you will find information about offsets within the kernel that are required by the modules if you have compiled the kernel as modularized. It's a text file, which is read by a few programs (like ps) to do address <-> symbol translation, and which you need if you ever get an Oops.

Certain commands, like klog, ps, and lsof, use the System.map file to get the names of kernel symbols. Without it, some commands like lsof will complain that they can't find a System.map file to match the currently booted kernel.

Copy the file /usr/src/linux/System.map from the kernel source tree to the /boot directory, and give it an appropriate new name.

* To copy the System.map file to the /boot directory, use the following commands:
[root@deep /]# cd /usr/src/linux/ (if you are not already in it)
[root@deep linux]# cp System.map /boot/System.map-2.4.5

Step 3
Move into the /boot directory and rebuild the links vmlinuz and System.map.

* To rebuild the vmlinuz and System.map links, use the following commands:
[root@deep linux]# cd /boot/
[root@deep /boot]# ln -fs vmlinuz-2.4.5 vmlinuz
[root@deep /boot]# ln -fs System.map-2.4.5 System.map

We must rebuild the vmlinuz and System.map links to point them to the newly installed kernel version. Without the new links, the LILO program will look, by default, for the old version of your Linux kernel.


Step 4
Remove obsolete and unnecessary files under the /boot directory to increase disk space:

* To remove obsolete and unnecessary files under the /boot directory, use the following commands:
[root@deep /]# cd /boot/ (if you are not already in it)
[root@deep /boot]# rm -f module-info
[root@deep /boot]# rm -f initrd-2.4.x.img

The module-info file is a link which points to the old modules directory of your original kernel. Since we have installed a brand new kernel, we don't need to keep this broken link.

The initrd-2.4.x.img file contains an initial RAM disk image that serves as a system before the disk is available. This file is only present, and is installed by the initial Linux setup, if your system has a SCSI adapter. If we have a SCSI system, the required driver will now be incorporated into our new Linux kernel, since we built it by answering Yes to the question related to our SCSI model during the configuration of the kernel, so we can remove this file (initrd-2.4.x.img) safely.
Step 5
Create a new Linux kernel directory that will hold all header files related to the Linux kernel for future compilation of other programs on your system.

Recall that we created two symlinks under the /usr/include directory that point to the Linux kernel header files, to be able to compile the kernel without receiving errors and also to be able to compile future programs. The /usr/include directory is where all the header files for your Linux system are kept for reference and dependencies when you compile and install new programs. The asm and linux links are used when programs need to know some functions which are compile-time specific to the kernel installed on your system. Programs call other headers as well in the /usr/include directory when they must know specific information, dependencies, etc. of your system.

* To create a new Linux kernel directory to hold all header files, use the following commands:
[root@deep /]# mkdir -p /usr/src/linux-2.4.5/include
[root@deep /]# cd /usr/src/linux/
[root@deep linux]# cp -r include/asm-generic ../linux-2.4.5/include/
[root@deep linux]# cp -r include/asm-i386 ../linux-2.4.5/include/
[root@deep linux]# cp -r include/linux ../linux-2.4.5/include/
[root@deep linux]# cd ../
[root@deep src]# rm -rf /usr/src/linux
[root@deep src]# cd /usr/src/ (to be sure that we are in the src directory)
[root@deep src]# ln -s /usr/src/linux-2.4.5 linux

First we create a new directory named "linux-2.4.5", based on the version of the kernel we have installed, for easy interpretation; then we copy the directories asm-generic, asm-i386, and linux from /usr/src/linux/include to our new location /usr/src/linux-2.4.5/include. After we remove the entire source directory where we compiled the new kernel, we create a new symbolic link named "linux" under /usr/src that points to our new /usr/src/linux-2.4.5 directory. With these steps, future compiled programs will know where to look for headers related to the kernel on your server.


NOTE: This step will allow us to gain space on our hard drive and will reduce the security risk. The Linux kernel source directory holds a lot of files and is about 94M in size when uncompressed. With the procedure described above, our Linux kernel directory is approximately 4M in size, so we save 90MB for the same functionalities.

Step 6
Finally, you need to edit the /etc/lilo.conf file to make your new kernel one of the boot time options. Edit the lilo.conf file (vi /etc/lilo.conf) and make the appropriate change on the line that reads "image=/boot/vmlinuz-x.x.x".

[root@deep /]# vi /etc/lilo.conf

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
timeout=00
default=linux
restricted
password=somepasswd

image=/boot/vmlinuz
label=linux
read-only
root=/dev/sda6

WARNING: I recommend you put on the line "image=/boot/vmlinuz-x.x.x" only the word "vmlinuz"; this allows us to not have to edit the lilo.conf file each time we upgrade our kernel. The word "vmlinuz" always points to your latest kernel image. Also, for SCSI systems only, don't forget to remove the line that reads "initrd=/boot/initrd-x.x.x.img" in the lilo.conf file, since this line is no longer necessary now that we have built our SCSI support directly into the kernel by answering Yes to the question related to our SCSI model during configuration of the kernel.

Once the necessary modifications have been made to the /etc/lilo.conf file as shown above, we update our lilo.conf file for the change to take effect with the following command:

[root@deep /]# /sbin/lilo -v
LILO version 21.4-4, copyright © 1992-1998 Wernerr Almesberger
`lba32' extentions copyright © 1999,2000 John Coffman
Reading boot sector from /dev/sda
had : ATAPI 32X CD-ROM drive, 128kB Cache
Merging with /boot/boot.b
Mapping message file /boot/message
Boot image : /boot/vmlinuz
Added linux *
/boot/boot.0800 exists - no backup copy made.
Writing boot sector.
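Steps 1 to 3 above (copying the kernel and System.map, then relinking) and the lilo.conf WARNING, as an added shell example that is not part of the book: the source tree, boot directory and version are parameters (assumed names, so the function can be tried on a scratch directory before touching /boot), and it refuses to relink when the build products are missing.

```shell
#!/bin/sh
# Added example, not from the book: Steps 1 to 3 of "Installing the Kernel" as
# one function, plus a check of lilo.conf against the book's WARNING.
# Assumptions: POSIX sh with readlink available; SRC is the kernel source tree
# (the book's /usr/src/linux), BOOT the boot directory (the book's /boot) and
# VERSION the suffix used in the file names (the book's 2.4.5). All three are
# parameters so the function can be exercised on a scratch directory first.

# install_kernel SRC BOOT VERSION
# Copies bzImage and System.map under version-suffixed names and repoints the
# vmlinuz and System.map links, refusing to touch BOOT if the build is incomplete.
install_kernel() {
    src=$1; boot=$2; ver=$3
    image="$src/arch/i386/boot/bzImage"
    map="$src/System.map"

    # Do not install anything until both build products exist.
    [ -f "$image" ] || { echo "missing $image: run make bzImage first" >&2; return 1; }
    [ -f "$map" ]   || { echo "missing $map: the build produced no System.map" >&2; return 1; }
    [ -d "$boot" ]  || { echo "boot directory $boot does not exist" >&2; return 1; }

    # Step 1 and Step 2: version-specific names, so the previous kernel survives.
    cp "$image" "$boot/vmlinuz-$ver"    || return 1
    cp "$map"   "$boot/System.map-$ver" || return 1

    # Step 3: rebuild the links that LILO (and ps, lsof) follow. The targets are
    # relative names, so the links stay valid wherever /boot is mounted.
    ln -fs "vmlinuz-$ver"    "$boot/vmlinuz"    || return 1
    ln -fs "System.map-$ver" "$boot/System.map" || return 1
}

# link_target DIR NAME: prints what the link DIR/NAME points to (for verification).
link_target() {
    readlink "$1/$2"
}

# lilo_conf_check FILE
# Succeeds when FILE follows the book's advice: an image= line that names the
# /boot/vmlinuz link (so upgrades need no edit) and no leftover initrd= line
# (the SCSI driver is now built into the kernel). It also flags a file that
# carries a plaintext password= line while being world-readable.
lilo_conf_check() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    if ! grep -q '^[[:space:]]*image=/boot/vmlinuz[[:space:]]*$' "$conf"; then
        echo "$conf: image= should name /boot/vmlinuz, not a versioned file" >&2; rc=1
    fi
    if grep -q '^[[:space:]]*initrd=' "$conf"; then
        echo "$conf: remove the initrd= line" >&2; rc=1
    fi
    if grep -q '^[[:space:]]*password=' "$conf" && [ -n "$(find "$conf" -perm -004)" ]; then
        echo "$conf: contains password= but is world-readable" >&2; rc=1
    fi
    return $rc
}
```

After a real run, /sbin/lilo -v still has to be executed as the book shows; the check only tells you the file is in the shape the book recommends.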


Reconfiguring the /etc/modules.conf file
This section applies only if you chose to install a modularized kernel on your system. The /etc/modules.conf file is the (optional) configuration file for loading some kernel modules on your system. It is used to modify the behavior of the modprobe and depmod programs. This file consists of a set of lines with different parameters. After each upgrade of a modularized kernel, it is important to verify that all information and parameters contained in it are still valid and correct.

All the contents of the /etc/modules.conf file apply only to systems where the kernel has been configured with modules (modularized kernel). So if you have recompiled your new kernel with some new options as modules, or if you have removed some modules from it, it is important to update or remove the modules.conf file to reflect the changes and eliminate possible error messages during booting.

As an example, the following is the content of the modules.conf file on my system. Linux added these parameters automatically, depending on the system hardware, during the initial installation of the operating system.

alias scsi_hostadapter aic7xxx
alias eth0 eepro100
alias eth1 eepro100
alias parport_lowlevel parport_pc
alias usb-controller uhci

One important use of the modules.conf file is the possibility of using the "alias" directive to give alias names to modules and link object files to a module. After recompilation of the kernel, and depending on how we answered the different questions during kernel configuration, it may be necessary to make some adjustments to the default parameters, especially if we answered yes during kernel configuration to some devices available in our system, like network cards and SCSI adapters.

If the configuration file /etc/modules.conf is missing, or if any directive is not overridden, the default will be to look under the /lib/modules directory containing modules compiled for the current release of the kernel. Therefore, we can remove the /etc/modules.conf file from the system and let the modprobe and depmod programs manage all existing modules for us.

To summarize, you can:

1) Keep the modules.conf file; only kernel options which you answered m to during kernel configuration will appear in it (of course only if these modules did exist in modules.conf). Any kernel options where you answered yes or no will not appear in the modules.conf file.

2) Or remove the /etc/modules.conf file from your system and let the modprobe and depmod programs manage all existing modules for you. In a server environment, I prefer this choice.

Delete programs, edit files pertaining to modules
This section applies only if you chose to install a monolithic kernel on your system. By default, when you install Linux for the first time (like we did), the kernel is built as a modularized kernel. This means that each device or function we need exists as a module and is controlled by the kernel daemon program named kmod. kmod automatically loads some modules and functions into memory as they are needed, and unloads them when they're no longer being used.

Step 1
kmod and the other module management programs included in the modutils RPM package use the modules.conf file located in the /etc directory to know, for example, which Ethernet card you have, whether your Ethernet card requires special configuration, and so on. If we don't use any modules in our newly compiled kernel because we compiled it as a monolithic kernel, and ONLY in this case, we can remove the modules.conf file and completely uninstall the modutils RPM package.

* To remove the modules.conf file, use the following command:
[root@deep /]# rm -f /etc/modules.conf

* To uninstall the modutils package, use the following command:
[root@deep /]# rpm -e --nodeps modutils

Step 2
One last thing to do is to edit the file devfsd.conf and comment out the line related to module autoloading by inserting a "#" at the beginning of the line.

* Edit the devfsd.conf file (vi /etc/devfsd.conf), and change the line:

LOOKUP .* MODLOAD

To read:

#LOOKUP .* MODLOAD

Step 3
Finally, it is important to remove the file named "modules.devfs" under /etc since it is no longer needed for a monolithic kernel.

* To remove the modules.devfs file, use the following command:
[root@deep /]# rm -f /etc/modules.devfs

WARNING: Once again, the above ("Delete program, file and lines related to modules") is required only if you said no to "Enable loadable module support (CONFIG_MODULES)" in your kernel configuration because you have decided to build a monolithic kernel.


Remounting the /boot partition of Linux as read-only
This section applies to both monolithic kernels and modularized kernels. Once our new kernel has been installed in the system, we can remount the /boot partition of Linux as read-only to eliminate possible problems that someone might try to change or modify vital files inside it. To remount the /boot directory as read-only, follow the simple steps below.

Step 1
* Edit the fstab file (vi /etc/fstab) and change the line:

LABEL=/boot /boot ext2 defaults 1 2

To read:

LABEL=/boot /boot ext2 defaults,ro 1 2

Step 2
Make the Linux system aware of the modification you have made to the /etc/fstab file.

* This can be accomplished with the following command:
[root@deep /]# mount /boot -oremount

* Then test your results with the following command:
[root@deep /]# cat /proc/mounts
/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext2 ro 0 0
/dev/sda10 /cache ext2 rw,nodev 0 0
/dev/sda9 /chroot ext2 rw 0 0
/dev/sda8 /home ext2 rw,nosuid 0 0
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0
/dev/sda7 /usr ext2 rw 0 0
/dev/sda11 /var ext2 rw 0 0
/dev/sda12 /var/lib ext2 rw 0 0
none /dev/pts devpts rw 0 0

If you see something like "/dev/sda1 /boot ext2 ro 0 0", congratulations!
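The same check done by a script rather than by eye, as an added example that is not part of the book: it parses a /proc/mounts style listing and, beyond the "ro" on /boot from Step 2, verifies the other restrictions visible in the listing above (noexec and nosuid on /tmp, nosuid on /home, nodev on /cache). The policy list and the file argument are assumptions; the format is that of /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the book: check mount options from a /proc/mounts
# style listing. Assumptions: POSIX sh plus awk; MOUNTS is a file in
# /proc/mounts format (device mountpoint fstype options dump pass), normally
# /proc/mounts itself, but any file so the check can also run on a saved copy.

# mount_has_opt MOUNTS MOUNTPOINT OPTION
# Succeeds when MOUNTPOINT is listed in MOUNTS with OPTION among its comma
# separated options. Matching is on whole option words, so "ro" does not
# match "errors=remount-ro" and "rw" never satisfies a read-only check.
mount_has_opt() {
    awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            seen = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { if (seen && found) exit 0; exit 1 }
    ' "$1"
}

# audit_mounts MOUNTS
# Applies a constructed policy of "mountpoint:option" pairs taken from the
# book's listing, prints one line per violation and returns the number of
# violations, so 0 means every expectation holds.
audit_mounts() {
    mounts=$1; failed=0
    for pair in /boot:ro /tmp:noexec /tmp:nosuid /home:nosuid /cache:nodev; do
        mp=${pair%%:*}; opt=${pair#*:}
        if ! mount_has_opt "$mounts" "$mp" "$opt"; then
            echo "FAIL: $mp is not mounted with $opt"
            failed=$((failed + 1))
        fi
    done
    return $failed
}
```

Running audit_mounts /proc/mounts from a cron job or after every reboot catches a /boot that came back read-write when the fstab change was lost.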

Rebooting your system to load the new kernel
Whether you have installed a new monolithic kernel, where code and drivers are compiled into the kernel and are always loaded, or a modularized kernel, where some segments of code are compiled into the kernel as modules and loaded on demand, it is time to reboot your system and test your results.

* To reboot your Linux system, use the following command:
[root@deep /]# reboot

When the system has rebooted and you are logged in, verify the new version of your kernel with the following command:

* To verify the version of your new kernel, use the following command:
[root@deep /]# uname -a
Linux deep 2.4.5 #1 Sat Mar 24 09:38:35 EDT 2001 i686 unknown

Congratulations!



NOTE ABOUT SYSTEM SIZE: After recompilation of the kernel and installation of all packages necessary to compile on the system, plus the update of the required RPM packages, our Linux install size is now 162MB. Note that it can be smaller than 162MB if we don't install the compiler packages and use another computer to develop and compile tarballs.

Making a new rescue floppy for a Modularized Kernel
This section applies only if you chose to install a modularized kernel on your system. After the reboot, you should now have a system with an upgraded kernel. Therefore, it's time to make a new rescue floppy with the new kernel in case of emergencies. To do this, follow the simple step below:

* Login as root, insert a new floppy, then execute the following command:
[root@deep /]# mkbootdisk --device /dev/fd0H1440 2.4.5
Insert a disk in /dev/fd0. Any information on the disk will be lost.
Press to continue or ^C to abort:

WARNING: The mkbootdisk program runs only on a modularized kernel. So you can't use it on a monolithic kernel; instead create an emergency boot floppy as shown below.


Making an emergency boot floppy disk for a Monolithic Kernel
This section applies only if you chose to install a monolithic kernel on your system. Because it is possible to create a rescue floppy only on a modularized kernel, we must find another way to boot our Linux system for a monolithic kernel if the Linux kernel on the hard disk is damaged. This is possible with a Linux emergency boot floppy disk. You should create it immediately after you successfully start your system and log in as root.

* To create the emergency boot floppy disk, follow these steps:

1. Insert a floppy disk and format it with the following command:
[root@deep /]# fdformat /dev/fd0H1440
Double-sided, 80 tracks, 18 sec/track. Total capacity 1440 kB.
Formatting ... done
Verifying ... done

2. Copy the file "vmlinuz" from the /boot directory to the floppy disk:
[root@deep /]# cp /boot/vmlinuz /dev/fd0H1440
cp: overwrite /dev/fd0H1440'? y

The vmlinuz file is a symbolic link that points to the real Linux kernel.

3. Determine the kernel's root device with the following command:
[root@deep /]# rdev
/dev/sda6 /

The kernel's root device is the disk partition where the root file system is located. In this example, the root device is /dev/sda6; the device name may be different on your system.



4. Set the kernel's root device with the following command:
[root@deep /]# rdev /dev/fd0H1440 /dev/sda6

To set the kernel's root device, use the device reported by the "rdev" command utility in the previous step.

5. Mark the root device as read-only with the following command:
[root@deep /]# rdev -R /dev/fd0H1440 1

This causes Linux to initially mount the root file system as read-only. By setting the root device as read-only, you avoid several warnings and error messages.

6. Now put the boot floppy in drive A: and reboot your system with the following command:
[root@deep /]# reboot

Because the mkbootdisk program is required only when you have a modularized kernel installed on your Linux system, we can remove the unneeded mkbootdisk package from the system.

* To uninstall the mkbootdisk utility, use the following command:
[root@deep /]# rpm -e mkbootdisk


Optimizing the Kernel
This section deals with actions we can take to improve and tighten the performance of the Linux kernel. Note that we refer to the features available within the base installed Linux system.

/proc/sys/vm: The virtual memory subsystem of Linux
All parameters described later in this chapter reside under the /proc/sys/vm directory of the server and can be used to tune the operation of the virtual memory (VM) subsystem of the Linux kernel. Be very careful when attempting this. You can optimize your system, but you can also cause it to crash. Since every system is different, you'll probably want some control over these pieces of the system.

Finally, these are advanced settings, and if you don't understand them, don't try to play in this area or use all the examples below directly on your systems. Remember that all systems are different and require different settings and customization. The majority of the following hacks will work fine on a server with >= 512MB of RAM, or at a minimum 256MB of RAM. Below this amount of memory, nothing is guaranteed and the default settings will be just fine for you.

Below I show you parameters that can be optimized for the system. All suggestions I make in this section are valid for every kind of server. The only difference depends on the amount of RAM your machines have, and this is where settings will change.


/proc/sys/vm
  |- bdflush
  |- buffermem
  |- freepages
  |- kswapd
  |- overcommit_memory
  |- page-cluster
  |- pagecache
  |- pagetable_cache

The above figure shows a snapshot of the /proc/sys/vm directory on a Red Hat Linux system running kernel version 2.4. Please note that this picture may look different on your system.

The bdflush parameters
The bdflush file is closely related to the operation of the virtual memory (VM) subsystem of the Linux kernel and has a little influence on disk usage. This file, /proc/sys/vm/bdflush, controls the operation of the bdflush kernel daemon. We generally tune this file to improve file system performance. By changing some values from the defaults shown below, the system seems more responsive; e.g. it waits a little longer to write to disk and thus avoids some disk access contention.

The bdflush parameters currently contain 9 integer values, of which 6 are actually used by the kernel 2.4 generation. The default setup for the bdflush parameters under Red Hat Linux is:
"30 64 64 256 500 3000 60 0 0"

Step 1
To change the values of bdflush, type the following command on your terminal:

* Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line:

# Improve file system performance
vm.bdflush = 100 1200 128 512 500 6000 500 0 0

Step 2
You must restart your network for the change to take effect. The command to restart the network is the following:

* To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network, by using the following command in your terminal screen:
[root@deep /]# sysctl -w vm.bdflush="100 1200 128 512 500 6000 500 0 0"


In our example above, according to the /usr/src/linux/Documentation/sysctl/vm.txt file, the first parameter (100 %) governs the maximum number of dirty buffers in the buffer cache. Dirty means that the contents of the buffer still have to be written to disk (as opposed to a clean buffer, which can just be forgotten about). Setting this to a high value means that Linux can delay disk writes for a long time, but it also means that it will have to do a lot of I/O at once when memory becomes short. A low value will spread out disk I/O more evenly.

The second parameter (1200) (ndirty) gives the maximum number of dirty buffers that bdflush can write to the disk at one time. A high value will mean delayed, bursty I/O, while a small value can lead to memory shortage when bdflush isn't woken up often enough.

The third parameter (128) (nrefill) is the number of buffers that bdflush will add to the list of free buffers when refill_freelist() is called. It is necessary to allocate free buffers beforehand, since the buffers often are of a different size than memory pages and some bookkeeping needs to be done beforehand. The higher the number, the more memory will be wasted and the less often refill_freelist() will need to run.

When refill_freelist() comes across more than nref_dirt (512) dirty buffers, it will wake up bdflush.

Finally, the age_buffer (50*HZ) and age_super (5*HZ) parameters govern the maximum time Linux waits before writing out a dirty buffer to disk. The value is expressed in jiffies (clock ticks); the number of jiffies per second is 100. age_buffer is the maximum age for data blocks, while age_super is for file system metadata.

The fifth (500) and last two parameters (0 and 0) are unused by the system, so we don't need to change the default ones.

NOTE: Look at /usr/src/linux/Documentation/sysctl/vm.txt for more information on how to improve kernel parameters related to virtual memory. Also note that the bdflush parameters may vary from one kernel version to another.


The buffermem parameters
The buffermem file is also closely related to the operation of the virtual memory (VM) subsystem of the Linux kernel. The value in this file, /proc/sys/vm/buffermem, controls how much memory should be used for buffer memory (in percentage). It is important to note that the percentage is calculated as a percentage of total system memory.

The buffermem parameters currently contain 3 integer values, of which 1 is actually used by the kernel. The default setup for the buffermem parameters under Red Hat Linux is:
"2 10 60"
Step 1
To change the values of buffermem, type the following command on your terminal:

* Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line:

# Improve virtual memory performance
vm.buffermem = 80 10 60


Step 2
You must restart your network for the change to take effect. The command to restart the network is the following:

* To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters                [OK]
Bringing up interface lo                  [OK]
Bringing up interface eth0                [OK]
Bringing up interface eth1                [OK]

NOTE: There is another way to update the entry without restarting the network, by using the following command in your terminal screen:
[root@deep /]# sysctl -w vm.buffermem="80 10 60"
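The Step 1 and Step 2 procedures for bdflush above and for buffermem here both come down to editing /etc/sysctl.conf and then loading the value. The following script is an added example, not the book's own code: it keeps exactly one "key = value" line per sysctl key in a sysctl.conf-style file (replacing an existing line rather than appending a duplicate the way repeated edits tend to), and compares the file against what the kernel currently reports. The file path is a parameter so the functions can be tried on a scratch copy; the demo contents at the bottom are constructed. One caveat worth knowing: /proc/sys/vm/bdflush and /proc/sys/vm/buffermem exist only on 2.4-era kernels, so on a newer kernel sysctl -w for these keys fails, which is why the "set in file" and "check running value" steps are kept separate.

```shell
#!/bin/sh
# Added example (not the book's code): keep one "key = value" line per sysctl
# key in a sysctl.conf-style file, and compare the file against the running
# kernel. The file path is a parameter so the functions can be tried on a
# scratch copy instead of /etc/sysctl.conf.

# sysctl_conf_get FILE KEY -> prints the value of the last uncommented line
# setting KEY ("key=value" or "key = value"); returns 1 if KEY is not set
sysctl_conf_get() {
    [ -f "$1" ] || return 1
    awk -v key="$2" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) == 1 && substr(line, length(key) + 1) ~ /^[ \t]*=/) {
                v = substr(line, length(key) + 1)
                sub(/^[ \t]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                last = v; found = 1
            }
        }
        END { if (found) print last; exit (found ? 0 : 1) }
    ' "$1"
}

# sysctl_conf_set FILE KEY VALUE -> rewrite FILE so that exactly one line sets
# KEY: the first existing setting is replaced in place, later duplicates are
# dropped, and the line is appended if KEY was absent. Comments and other keys
# are left untouched; the file is overwritten through cat (not mv) so its
# mode and ownership are preserved.
sysctl_conf_set() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file" || return 1
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) == 1 && substr(line, length(key) + 1) ~ /^[ \t]*=/) {
                if (!done) { print key " = " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sysctl_conf_matches_running FILE KEY -> 0 when the file's value equals what
# the kernel reports via sysctl -n (whitespace between fields normalised),
# 1 when they differ, KEY is missing, or the kernel has no such key
sysctl_conf_matches_running() {
    want=$(sysctl_conf_get "$1" "$2") || return 1
    have=$(sysctl -n "$2" 2>/dev/null) || return 1
    set -f                       # no globbing while we collapse whitespace
    want=$(echo $want); have=$(echo $have)
    set +f
    [ "$want" = "$have" ]
}

# Demo on a scratch file with constructed contents (not a real /etc/sysctl.conf):
demo=$(mktemp)
printf '# Improve file system performance\nvm.bdflush = 30 64 64 256 500 3000 60 0 0\nnet.ipv4.ip_forward = 0\n' > "$demo"
sysctl_conf_set "$demo" vm.bdflush "100 1200 128 512 500 6000 500 0 0"
sysctl_conf_set "$demo" vm.buffermem "80 10 60"
cat "$demo"
rm -f "$demo"
```

After running `sysctl_conf_set` on the real file, `sysctl -p` (or the network restart the book uses) loads it, and `sysctl_conf_matches_running /etc/sysctl.conf vm.bdflush` tells you whether the file and the kernel actually agree, which is the check to run after a reboot as well.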
In our example above, according to the /usr/src/linux/Documentation/sysctl/vm.txt file, the first parameter (80 %) means to use a minimum of 80 percent of memory for the buffer cache; it is the minimum percentage of memory that should be spent on buffer memory.

The last two parameters (10 and 60) are unused by the system so we don't need to change the defaults.
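To make the field roles in the bdflush and buffermem descriptions above concrete, here is an added example (not the book's code) that names and sanity-checks each field of a bdflush tuple, converts the two age fields from jiffies to seconds at HZ=100 as the text states, and turns the buffermem percentage into a kilobyte figure for a given amount of RAM. The field names are those of Documentation/sysctl/vm.txt as quoted above; the 512 MB machine in the demo is a constructed input.

```shell
#!/bin/sh
# Added example (not the book's code): name and sanity-check the fields of the
# kernel 2.4 vm.bdflush and vm.buffermem tuples before they are written.
# Assumes HZ=100, as the text states, and the field roles given in the text.

HZ=100

# is_uint_list "a b c" N -> 0 if the string is exactly N non-negative integers
is_uint_list() {
    n=$2
    set -- $1
    [ $# -eq "$n" ] || return 1
    for v in "$@"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
    done
    return 0
}

# jiffies_to_seconds J -> whole seconds at HZ=100
jiffies_to_seconds() {
    echo $(( $1 / HZ ))
}

# bdflush_describe "9 ints" -> one line per field, the two age fields also in
# seconds; fails (status 1) on a malformed tuple or an nfract above 100 %
bdflush_describe() {
    is_uint_list "$1" 9 || { echo "bdflush: expected 9 integers, got: $1" >&2; return 1; }
    set -- $1
    [ "$1" -le 100 ] || { echo "bdflush: nfract $1 is not a percentage" >&2; return 1; }
    echo "nfract=$1 (% of buffer cache that may be dirty)"
    echo "ndirty=$2 (max dirty buffers written per bdflush run)"
    echo "nrefill=$3 (buffers added per refill_freelist() call)"
    echo "nref_dirt=$4 (dirty buffers seen before bdflush is woken)"
    echo "unused=$5"
    echo "age_buffer=$6 jiffies ($(jiffies_to_seconds "$6")s, data blocks)"
    echo "age_super=$7 jiffies ($(jiffies_to_seconds "$7")s, metadata)"
    echo "unused=$8 unused=$9"
}

# buffermem_min_kb "3 ints" MEMTOTAL_KB -> the amount of RAM, in kB, that the
# first field (a percentage of total memory) sets as the minimum for the
# buffer cache; the second and third fields are unused by the kernel
buffermem_min_kb() {
    mem_kb=$2
    is_uint_list "$1" 3 || { echo "buffermem: expected 3 integers, got: $1" >&2; return 1; }
    set -- $1
    [ "$1" -le 100 ] || { echo "buffermem: $1 is not a percentage" >&2; return 1; }
    echo $(( mem_kb * $1 / 100 ))
}

# Demo with the book's tuples and a constructed 512 MB (524288 kB) machine:
bdflush_describe "100 1200 128 512 500 6000 500 0 0"
echo "buffermem 80 10 60 on 524288 kB -> min $(buffermem_min_kb "80 10 60" 524288) kB for buffer cache"
```

Running the describe function on a tuple before `sysctl -w` catches the usual slips (a missing field, a stray non-digit, a percentage over 100) that the kernel would otherwise accept silently or reject with an unhelpful error.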
Depending on the amount of RAM you have in the server, the value of 80% may vary. When your server is highly loaded and when all applications are used, you know in detail