Linuxmafia.com Knowledgebase
Top: Security
- 3DES Strength - Effective key strength of 3DES encryption explained
- ACLs - Support for POSIX ACLs and similar fine-grained permission systems on Linux
- Apache HTTP Methods Patch - Patch to remove insecure HTTP methods from Apache httpd 1.3.x.
- Apache Security Tips - Security tips for the Apache httpd
- Attacking Linux - How to improve your Linux security by thinking like an attacker; article by Rick Moen
- Auditor LiveCD - Auditor Security Collection is a Linux live CD with an extensive collection of tools for examining compromised systems.
- Authfail - Tool to monitor logs for repeated authentication failures and generate netfilter DROP or REJECT rules, foiling brute-force login attacks
- Break-in without Remote Exploit - Explains why it's not enough to just keep patch-levels updated and use encrypted transports.
- Buffer Overflow - Techniques to eliminate security risks from buffer overflows
- Challenge-Response - Critique of Challenge-Response software by Karsten Self
- Debian Compromise 2003 - Analysis and lessons to draw from the Nov. 2003 compromise of several Debian developer servers
- DNSSEC cheat sheet - Setting up and checking DNSSEC with BIND 9
- Extended File Attributes - chattr, lsattr, and extended file attributes.
- fail2ban - Python utility 'fail2ban' scans logfiles like /var/log/pwdfail and then bans via iptables rules IPs that generate too many password failures
- Firewalls - Complete text of Cheswick and Bellovin's classic book 'Firewalls and Internet Security: Repelling the Wily Hacker', first edition
- Firewall Builders - Tools available on Linux for easily building and managing iptables IP-filtering rulesets
- Firewall Limitations - Editorial making the point that people relying on 'firewalls' for security are deluded, and that the perimeter security model is severely broken
- Firewall Piercing - Tunneling SSH through firewalls using httptunnel, proxytunnel, or corkscrew
- FISH Protocol - The FIles over SsH protocol extension
- Forensics - Basic security detective techniques
- FTP Daemons - List of all known ftp daemons for Linux and *BSD, with recommendations for anonymous-only deployments.
- iptables logs - Guides and tools for interpreting iptables and ipchains logs, by Manfred Bartz
- GnuPG Lecture - Lecture notes from a technical overview lecture about GnuPG (gpg), by Rick Moen.
- GnuPG with Mutt - Everything You Need to Know to Start using GnuPG, by Justin R. Miller
- Halted Firewalls - Constructing a hardened firewall using a Linux host that deliberately runs in a system-shutdown state
- Identd for Firewalls - How to set up an identd for firewalls
- IDS Lecture at BayLISA, March 2002 - Notes on John S. Flowers's highly-regarded intrusion detection software lecture
- IDSes - Presentation by David B. Allen at LinuxWorld Conference and Expo 2003 on Linux Intrusion Detection Systems
- IDSes - Rick Moen and other mailing list participants' rundown on Intrusion Detection System software options
- IP Tables - IP Tables Quick Reference (unfinished)
- Linspire Root Issues - What is and is not true about LinspireOS (formerly LindowsOS) and the trait of running routinely as the root user
- mod_security - Ivan Ristic's ONLamp.com article on configuring and using Apache's mod_security module
- Network Monitoring - Rundown of tools commonly used to monitor networks
- NFS - How to Secure NFS, article about Debian 4.0 Etch, but broadly applicable
- NTLM Auth - How to do NTLM authentication on Linux, required to talk through IIS / MS Proxy Server firewalls
- Overview - Overview of Linux system and network security
- PAM - Documentation about the Programmable Authentication Modules (PAM) framework
- PAM Delay - Module for PAM that foils brute-force login attacks by introducing an enforced delay between login attempts of any given login name. (See also Authfail.)
- PAM LDAP - Configuring PAM to authenticate to an LDAP directory
- Passwords - How to deal with humans' inability to remember strong passwords reliably and in sufficient number
- Password Safes - Applications for storing passwords in encrypted form
- PHP - Information on security issues and remedies for PHP applications
- Ping of Death - How the Ping of Death worked against perennially vulnerable Microsoft OSes, circa 1997
- Port Forwarding - Various techniques for forwarding ports across networks
- Portsentry Considered Harmful - Comparison of Psionics's proprietary Portsentry dynamic scanning-detection and port-blocking utility with snort, explaining why the former category is actively bad for system security
- Resources/Deter - Matthew Deter's security resources
- Resources/Farmer - Dan Farmer's security resources
- Resources/Stokely - Resources for system administrators from Stokely Consulting
- Root Compromise - Outlines for a talk on response to Linux system root compromise
- Root Password Lost - How do I recover a lost root password?
- Root w/X11 - List of methods for running X11 applications with root-user authority (without having to run X11 generally as root)
- ROPE iptables scripting - ROPE Iptables module: scripting engine that runs inside the kernel, helps write iptables match modules for complex protocols, e.g., blocking gnutella and bittorrent.
- SATAN on Linux - Modifications to make the (now-obsolete) SATAN security-checker compile and run on Linux
- scp Shells - Shells for naive-user access to sftp/scp/sftp2
- Security Breach - What should I do if I detect that my systems have been security-compromised?
- Security HOWTO Corrections - Corrections to the Linux Security HOWTO, unfortunately ignored by its maintainers
- Security Snake Oil - Discussion of how software security experts and antivirus software companies mislead users by distracting from the key factor of execution mechanism, and instead focusing on trivia while ignoring real security concerns
- Security Tools - Fyodor's catalogue of the top 100 network security tools. Indispensable.
- Smoothwall GPL - Analysis of claims that Smoothwall's maintainers violated the GNU GPL (they didn't)
- Squid Transparent Proxy - How to set up a transparent proxy with Squid, in three easy steps
- ssh-agent Tip - Tips for integrating ssh-agent into one's desktop setup
- SSH Agent - Mark A. Hershberger's tips on use of ssh-agent
- SSH Agent - Radu Rugina's tips on use of ssh-agent
- SSH Hints - Tips for effective use of ssh
- SSH Public-key Process - Safely automating inter-host processes using ssh keypairs
- SSH Quoting Syntax - Avoiding problems with shells parsing quoted strings intended to be passed to ssh
- SSH scp-Emulation - Emulating scp using only bare ssh
- sshd Always Running - Tip to make sure sshd always respawns, using init's 'respawn' directive
- sshd Debugging - Tip for debugging sshd problems
- SSH OPIE - Configuration details for running OpenSSH with OPIE one-time password authentication
- SSH Software - SSH-Protocol Software for Sundry Platforms — most-comprehensive list known
- SSL Cert Self-signing - Creating and self-signing SSL site certificates
- Tips - General security tips
- Tools/Fyodor - List of security tools maintained by Fyodor, author of nmap
- VPNs - Virtual Private Network options on Linux
- VPNs by N. Treadway - Virtual Private Network options on Linux, list maintained by Nathan Stratton Treadway
- Virus - Linux software for detecting/purging MS-Windows viruses
- VXing - Cyneox's Linux virus and security site.
- Wireless Security - How and why to use WPA2-AES-Enterprise and a RADIUS server for your wireless security if security matters
- Zimmermann-Sassaman Protocol - Details a method for conducting rapid mass GPG/PGP keysigning events
Except where otherwise noted, this knowledgebase's contents are freely redistributable under the CC BY-SA 4.0 licence, or, at your option, any later version.