website diff en/doc/handbook/security.html @ rev 63
Add Apps to Handbook (en) and typos
author | Paul Issott <paul@slitaz.org> |
---|---|
date | Thu Jun 05 22:18:23 2008 +0000 (2008-06-05) |
parents | |
children | f0c0c73578c0 |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/en/doc/handbook/security.html Thu Jun 05 22:18:23 2008 +0000 1.3 
@@ -0,0 +1,158 @@ 1.4 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 1.5 +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><title>SliTaz Handbook (en) - Template</title> 1.6 + 1.7 + 1.8 + 1.9 + <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" /> 1.10 + <meta name="description" content="slitaz English handbook" /> 1.11 + <meta name="expires" content="never" /> 1.12 + <meta name="modified" content="2008-02-26 18:30:00" /> 1.13 + <meta name="publisher" content="www.slitaz.org" /> 1.14 + <meta name="author" content="Christophe Lincoln" /> 1.15 + <link rel="shortcut icon" href="favicon.ico" /> 1.16 + <link rel="stylesheet" type="text/css" href="book.css" /></head><body bgcolor="#ffffff"> 1.17 + 1.18 +<!-- Header and quick navigation --> 1.19 +<div id="header"> 1.20 +<div id="quicknav" align="right"> 1.21 + <a name="top"></a> 1.22 + <a href="index.html">Table of contents</a> 1.23 +</div> 1.24 +<h1><font color="#3e1220">SliTaz Handbook (en)</font></h1> 1.25 +</div> 1.26 + 1.27 +<!-- Content. 
--> 1.28 +<div id="content"> 1.29 +<div class="content-right"></div> 1.30 + 1.31 +<h2><font color="#df8f06">SliTaz and System Security</font></h2> 1.32 + 1.33 +<ul> 1.34 + <li><a href="#policy">Security Policy</a></li> 1.35 + <li><a href="#root">Root</a> - The system administrator.</li> 1.36 + <li><a href="#passwords">Passwords</a></li> 1.37 + <li><a href="#busybox">Busybox</a> - Configuration file /etc/busybox.conf.</li> 1.38 + <li><a href="#web-server">LightTPD web server</a> - Disable the LightTPD web server.</li> 1.39 + <li><a href="#ssh">SSH server</a> - Default options.</li> 1.40 + <li><a href="#pscan">Pscan</a> - Scan for open ports.</li> 1.41 + <li><a href="network-config.html#firewall">Firewall (Iptables)</a> - 1.42 + The network firewall.</li> 1.43 +</ul> 1.44 + 1.45 +<a name="policy"></a> 1.46 +<h3>Security Policy</h3> 1.47 +<p> 1.48 +SliTaz has given a lot of consideration to system security. Applications are tested for many months before being 1.49 +included in the distribution. At boot time, a minimum of services are launched by the rc scripts. For a complete 1.50 +lists of daemons enabled, you can look in the <code>RUN_DAEMONS</code> variable in the <code>/etc/rcS.conf</code> configuration 1.51 +file: 1.52 +</p> 1.53 +<pre> $ cat /etc/rcS.conf | grep RUN_DAEMONS 1.54 +</pre> 1.55 +<p> 1.56 +To view the actual processes, their PID and memory usage, you can use the 'ps' command or the 'htop' 1.57 +utility: 1.58 +</p> 1.59 +<pre> $ ps 1.60 + $ htop 1.61 +</pre> 1.62 + 1.63 +<a name="root"></a> 1.64 +<h3>Root - The system administrator</h3> 1.65 +<p> 1.66 +In a GNU/Linux system, the <em>root</em> user is the system administrator, <em>root</em> has all the rights 1.67 +to the system files and that of the users. It is advisable never to log in as <em>root</em> by using the command 1.68 +<code>su</code> followed by the password to obtain absolute rights over the system. 
Never log in as <em>root</em> and surf the 1.69 +internet for example, this allows you to create a double barrier in the case of an attack or intrusion after a 1.70 +download. This makes it harder for a <em>cracker</em> to take control of your machine - first he must crack your 1.71 +password and then crack the <em>root</em> password of the system administrator. 1.72 +</p> 1.73 +<p> 1.74 +A GNU/Linux system has secured at least two users, one to work and one to administer, configure 1.75 +or update the system (<code>root</code>). It's also advisable to entrust the administration of the 1.76 +system to a person. 1.77 +</p> 1.78 + 1.79 +<a name="passwords"></a> 1.80 +<h3>Passwords</h3> 1.81 +<p> 1.82 +By default the SliTaz user <em>hacker</em> doesn't have a password and the system administrator <em>root</em> 1.83 +comes with the password (<em>root</em>). You can easily change these by using the <code>passwd</code> command: 1.84 +</p> 1.85 +<pre> $ passwd 1.86 + # passwd 1.87 +</pre> 1.88 + 1.89 +<a name="busybox"></a> 1.90 +<h3>Busybox</h3> 1.91 +<p> 1.92 +The file busybox.conf configures the applets and their respective rights. On the SliTaz LiveCD the commands: 1.93 +su, passwd, loadkmap, mount, reboot and halt can be initiated by all users - the owner and group of these 1.94 +commands is <em>root</em> (<code>* = ssx root.root</code>). The busybox.conf file is readable by root, 1.95 +using the rights 600. Note that the <code>passwd</code> command will not allow users to change their own password 1.96 +if it is not ssx. 
1.97 +</p> 1.98 + 1.99 +<a name="web-server"></a> 1.100 +<h3>LightTPD web server</h3> 1.101 +<p> 1.102 +On SliTaz the LightTPD web server is enabled by default at system startup, if you don't intend to use SliTaz in a server 1.103 +environment, you can safely disable it by removing it from the <code>RUN_DAEMONS</code> variable in the 1.104 +<code>/etc/rcS.conf</code> configuration file or to stop it manually: 1.105 +</p> 1.106 +<pre> # etc/init.d/lighttpd stop 1.107 +</pre> 1.108 + 1.109 +<a name="ssh"></a> 1.110 +<h3>SSH Server</h3> 1.111 +<p> 1.112 +This small section is a compliment to the 1.113 +<a href="secure-server.html">Secure SHell (SSH)</a> page. 1.114 +On SliTaz the Dropbear SSH server is not run by default, we must add it to the variable 1.115 +<code>RUN_DAEMONS</code> in the configuration file <code>/etc/rcS.conf</code> for it to be 1.116 +enabled at system boot. Or to start the server manually: 1.117 +</p> 1.118 +<pre> # /etc/init.d/dropbear start 1.119 +</pre> 1.120 +<p> 1.121 +By default Dropbear is launched with the following options: 1.122 +</p> 1.123 +<pre class="script"> -w Disallow root logins. 1.124 + -g Disallow logins for root password. 1.125 +</pre> 1.126 +<p> 1.127 +You can add new options by editing the daemons configuration file: <code>/etc/daemons.conf</code>. 1.128 +For all options, you can type: <code>dropbear -h</code>. 1.129 +</p> 1.130 + 1.131 +<a name="pscan"></a> 1.132 +<h3>Pscan - Ports scanner</h3> 1.133 +<p> 1.134 +Pscan is a small utility of the Busybox project, it scans the ports of your machine. You can use 1.135 +<code>pscan</code> to scan the localhost or a remote host using the name or IP address of the machine. 1.136 +Pscan will test all the ports from 1 - 1024 by default and list those that are open, their protocol 1.137 +and associated service (ssh, www, etc): 1.138 +</p> 1.139 +<pre> $ pscan localhost 1.140 +</pre> 1.141 + 1.142 +<!-- End of content --> 1.143 +</div> 1.144 + 1.145 +<!-- Footer. 
--> 1.146 +<div id="footer"> 1.147 + <div class="footer-right"></div> 1.148 + <a href="#top">Top of the page</a> | 1.149 + <a href="http://www.slitaz.org/en/doc/handbook/index.html">Table of contents</a> 1.150 +</div> 1.151 + 1.152 +<div id="copy"> 1.153 + Copyright © 2008 <a href="http://www.slitaz.org/en/">SliTaz</a> - 1.154 + <a href="http://www.gnu.org/licenses/gpl.html">GNU General Public License</a>;<br /> 1.155 + Documentation is under 1.156 + <a href="http://www.gnu.org/copyleft/fdl.html">GNU Free Documentation License</a> 1.157 + and code is <a href="http://validator.w3.org/">valid xHTML 1.0</a>. 1.158 +</div> 1.159 + 1.160 +</body></html> 1.161 +
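Review bot: the LightTPD stop command in the web-server section uses a relative path, `# etc/init.d/lighttpd stop`, so it only works when the shell happens to be in `/`; it should be `# /etc/init.d/lighttpd stop`, matching the `# /etc/init.d/dropbear start` line in the SSH section. Also in this hunk: the root paragraph's sentence "It is advisable never to log in as root by using the command su" reads as if `su` were the thing to avoid, while the intent is the opposite, so rephrase it along the lines of "It is advisable never to log in as root; instead, use the command su followed by the password when you need absolute rights over the system"; "a compliment to" should be "a complement to"; the Dropbear option description for -g would be clearer as "Disallow password logins for root"; and the page title element still carries the "Template" placeholder from the handbook template rather than naming the security chapter.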