website annotate en/doc/handbook/security.html @ rev 107
fixed typos in system-admin pages : tick.greyware.com is the right URL
for the time server, tick.grayware.com doesn't work
for the time server, tick.grayware.com doesn't work
| author | tux@HarimaKenji |
|---|---|
| date | Mon Jul 14 22:22:15 2008 +0200 (2008-07-14) |
| parents | 2c26e23b76f8 |
| children | 9e30e64c8198 |
| rev | line source |
|---|---|
| paul@68 | 1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
| paul@68 | 2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
| paul@68 | 3 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| paul@68 | 4 <head> |
| paul@68 | 5 <title>SliTaz Handbook (en) - Security</title> |
| paul@49 | 6 <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" /> |
| paul@49 | 7 <meta name="description" content="slitaz English handbook" /> |
| paul@49 | 8 <meta name="expires" content="never" /> |
| paul@49 | 9 <meta name="modified" content="2008-02-26 18:30:00" /> |
| paul@49 | 10 <meta name="publisher" content="www.slitaz.org" /> |
| paul@49 | 11 <meta name="author" content="Christophe Lincoln" /> |
| paul@49 | 12 <link rel="shortcut icon" href="favicon.ico" /> |
| paul@68 | 13 <link rel="stylesheet" type="text/css" href="book.css" /> |
| paul@68 | 14 </head> |
| paul@68 | 15 <body bgcolor="#ffffff"> |
| paul@49 | 16 |
| paul@49 | 17 <!-- Header and quick navigation --> |
| paul@49 | 18 <div id="header"> |
| paul@49 | 19 <div id="quicknav" align="right"> |
| paul@49 | 20 <a name="top"></a> |
| paul@49 | 21 <a href="index.html">Table of contents</a> |
| paul@49 | 22 </div> |
| paul@49 | 23 <h1><font color="#3e1220">SliTaz Handbook (en)</font></h1> |
| paul@49 | 24 </div> |
| paul@49 | 25 |
| paul@49 | 26 <!-- Content. --> |
| paul@49 | 27 <div id="content"> |
| paul@49 | 28 <div class="content-right"></div> |
| paul@49 | 29 |
| paul@49 | 30 <h2><font color="#df8f06">SliTaz and System Security</font></h2> |
| paul@49 | 31 |
| paul@49 | 32 <ul> |
| paul@49 | 33 <li><a href="#policy">Security Policy</a></li> |
| paul@49 | 34 <li><a href="#root">Root</a> - The system administrator.</li> |
| paul@49 | 35 <li><a href="#passwords">Passwords</a></li> |
| paul@49 | 36 <li><a href="#busybox">Busybox</a> - Configuration file /etc/busybox.conf.</li> |
| paul@49 | 37 <li><a href="#web-server">LightTPD web server</a> - Disable the LightTPD web server.</li> |
| paul@49 | 38 <li><a href="#ssh">SSH server</a> - Default options.</li> |
| paul@49 | 39 <li><a href="#pscan">Pscan</a> - Scan for open ports.</li> |
| paul@49 | 40 <li><a href="network-config.html#firewall">Firewall (Iptables)</a> - |
| paul@49 | 41 The network firewall.</li> |
| paul@49 | 42 </ul> |
| paul@49 | 43 |
| paul@49 | 44 <a name="policy"></a> |
| paul@49 | 45 <h3>Security Policy</h3> |
| paul@49 | 46 <p> |
| paul@49 | 47 SliTaz has given a lot of consideration to system security. Applications are tested for many months before being |
| paul@49 | 48 included in the distribution. At boot time, a minimum of services are launched by the rc scripts. For a complete |
| paul@49 | 49 lists of daemons enabled, you can look in the <code>RUN_DAEMONS</code> variable in the <code>/etc/rcS.conf</code> configuration |
| paul@49 | 50 file: |
| paul@49 | 51 </p> |
| paul@49 | 52 <pre> $ cat /etc/rcS.conf | grep RUN_DAEMONS |
| paul@49 | 53 </pre> |
| paul@49 | 54 <p> |
| paul@49 | 55 To view the actual processes, their PID and memory usage, you can use the 'ps' command or the 'htop' |
| paul@49 | 56 utility: |
| paul@49 | 57 </p> |
| paul@49 | 58 <pre> $ ps |
| paul@49 | 59 $ htop |
| paul@49 | 60 </pre> |
| paul@49 | 61 |
| paul@49 | 62 <a name="root"></a> |
| paul@49 | 63 <h3>Root - The system administrator</h3> |
| paul@49 | 64 <p> |
| paul@49 | 65 In a GNU/Linux system, the <em>root</em> user is the system administrator, <em>root</em> has all the rights |
| paul@49 | 66 to the system files and that of the users. It is advisable never to log in as <em>root</em> by using the command |
| paul@49 | 67 <code>su</code> followed by the password to obtain absolute rights over the system. Never log in as <em>root</em> and surf the |
| paul@49 | 68 internet for example, this allows you to create a double barrier in the case of an attack or intrusion after a |
| paul@49 | 69 download. This makes it harder for a <em>cracker</em> to take control of your machine - first he must crack your |
| paul@49 | 70 password and then crack the <em>root</em> password of the system administrator. |
| paul@49 | 71 </p> |
| paul@49 | 72 <p> |
| paul@49 | 73 A GNU/Linux system has secured at least two users, one to work and one to administer, configure |
| paul@49 | 74 or update the system (<code>root</code>). It's also advisable to entrust the administration of the |
| paul@49 | 75 system to a person. |
| paul@49 | 76 </p> |
| paul@49 | 77 |
| paul@49 | 78 <a name="passwords"></a> |
| paul@49 | 79 <h3>Passwords</h3> |
| paul@49 | 80 <p> |
| paul@49 | 81 By default the SliTaz user <em>hacker</em> doesn't have a password and the system administrator <em>root</em> |
| paul@49 | 82 comes with the password (<em>root</em>). You can easily change these by using the <code>passwd</code> command: |
| paul@49 | 83 </p> |
| paul@49 | 84 <pre> $ passwd |
| paul@49 | 85 # passwd |
| paul@49 | 86 </pre> |
| paul@49 | 87 |
| paul@49 | 88 <a name="busybox"></a> |
| paul@49 | 89 <h3>Busybox</h3> |
| paul@49 | 90 <p> |
| paul@49 | 91 The file busybox.conf configures the applets and their respective rights. On the SliTaz LiveCD the commands: |
| paul@49 | 92 su, passwd, loadkmap, mount, reboot and halt can be initiated by all users - the owner and group of these |
| paul@49 | 93 commands is <em>root</em> (<code>* = ssx root.root</code>). The busybox.conf file is readable by root, |
| paul@49 | 94 using the rights 600. Note that the <code>passwd</code> command will not allow users to change their own password |
| paul@49 | 95 if it is not ssx. |
| paul@49 | 96 </p> |
| paul@49 | 97 |
| paul@49 | 98 <a name="web-server"></a> |
| paul@49 | 99 <h3>LightTPD web server</h3> |
| paul@49 | 100 <p> |
| paul@49 | 101 On SliTaz the LightTPD web server is enabled by default at system startup, if you don't intend to use SliTaz in a server |
| paul@49 | 102 environment, you can safely disable it by removing it from the <code>RUN_DAEMONS</code> variable in the |
| paul@49 | 103 <code>/etc/rcS.conf</code> configuration file or to stop it manually: |
| paul@49 | 104 </p> |
| paul@49 | 105 <pre> # etc/init.d/lighttpd stop |
| paul@49 | 106 </pre> |
| paul@49 | 107 |
| paul@49 | 108 <a name="ssh"></a> |
| paul@49 | 109 <h3>SSH Server</h3> |
| paul@49 | 110 <p> |
| paul@49 | 111 This small section is a compliment to the |
| paul@49 | 112 <a href="secure-server.html">Secure SHell (SSH)</a> page. |
| paul@49 | 113 On SliTaz the Dropbear SSH server is not run by default, we must add it to the variable |
| paul@49 | 114 <code>RUN_DAEMONS</code> in the configuration file <code>/etc/rcS.conf</code> for it to be |
| paul@49 | 115 enabled at system boot. Or to start the server manually: |
| paul@49 | 116 </p> |
| paul@49 | 117 <pre> # /etc/init.d/dropbear start |
| paul@49 | 118 </pre> |
| paul@49 | 119 <p> |
| paul@49 | 120 By default Dropbear is launched with the following options: |
| paul@49 | 121 </p> |
| paul@49 | 122 <pre class="script"> -w Disallow root logins. |
| paul@49 | 123 -g Disallow logins for root password. |
| paul@49 | 124 </pre> |
| paul@49 | 125 <p> |
| paul@49 | 126 You can add new options by editing the daemons configuration file: <code>/etc/daemons.conf</code>. |
| paul@49 | 127 For all options, you can type: <code>dropbear -h</code>. |
| paul@49 | 128 </p> |
| paul@49 | 129 |
| paul@49 | 130 <a name="pscan"></a> |
| paul@49 | 131 <h3>Pscan - Ports scanner</h3> |
| paul@49 | 132 <p> |
| paul@49 | 133 Pscan is a small utility of the Busybox project, it scans the ports of your machine. You can use |
| paul@49 | 134 <code>pscan</code> to scan the localhost or a remote host using the name or IP address of the machine. |
| paul@49 | 135 Pscan will test all the ports from 1 - 1024 by default and list those that are open, their protocol |
| paul@49 | 136 and associated service (ssh, www, etc): |
| paul@49 | 137 </p> |
| paul@49 | 138 <pre> $ pscan localhost |
| paul@49 | 139 </pre> |
| paul@49 | 140 |
| paul@49 | 141 <!-- End of content --> |
| paul@49 | 142 </div> |
| paul@49 | 143 |
| paul@49 | 144 <!-- Footer. --> |
| paul@49 | 145 <div id="footer"> |
| paul@49 | 146 <div class="footer-right"></div> |
| paul@49 | 147 <a href="#top">Top of the page</a> | |
| paul@68 | 148 <a href="index.html">Table of contents</a> |
| paul@49 | 149 </div> |
| paul@49 | 150 |
| paul@49 | 151 <div id="copy"> |
| paul@49 | 152 Copyright © 2008 <a href="http://www.slitaz.org/en/">SliTaz</a> - |
| paul@49 | 153 <a href="http://www.gnu.org/licenses/gpl.html">GNU General Public License</a>;<br /> |
| paul@49 | 154 Documentation is under |
| paul@49 | 155 <a href="http://www.gnu.org/copyleft/fdl.html">GNU Free Documentation License</a> |
| paul@49 | 156 and code is <a href="http://validator.w3.org/">valid xHTML 1.0</a>. |
| paul@49 | 157 </div> |
| paul@49 | 158 |
| paul@68 | 159 </body> |
| paul@68 | 160 </html> |
| paul@49 | 161 |