Securing and Optimizing Linux

RedHat Edition -A Hands on Guide

Gerhard Mourani

Open Network Architecture


Madhu "Maddy"

Complete port of the Book to DocBook/XML source and Editing 

This version and its subsequent outputs whether be it HTML, PDF or any other derivatives can be distributed under the same licensing terms and conditions as the orginal Securing and Optimizing Linux i.e. as set forth in the Open Publication License; V1.0 or later, the latest version is presently available at

Please note even if i madhusudan (Madhu "Maddy"), hold the copyright for the XML source(Markup), you still need to get permission from Gerhard Mourani the orginal author of Securing and Optmising Linux, to make any changes to the content of this book. Please do read the licensing terms and conditions detailed below for additional information

This material may be distributed only subject to the terms and conditions set forth in the Open Publication License; V1.0 or later, the latest version is presently available at

Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.

Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.

Please note even if I, Gerhard Mourani have the copyright, I don't control commercial printing of the book. Please contact OpenDocs if you have questions concerning such matters.

The logos, trademarks, symbols used in this book are properties of their respective compan(y)ies.

Table of Contents

1. Why did i write this book?
2. Why fiddle?
3. DocBook !
4. DocBook/XML
4.1. Bouquets Brickbats Etc.
1. Getting Started
1. Introduction
1. Audience
2. Organization of This Book
3. Pre-requisites
4. Obtaining the book and example configuration files
4.1. Example Configuration files
5. Acknowledgements from Gerhard
5.1. Acknowledgements from "Maddy"
2. Installation
2. Overview of OS Linux
1. What is Linux?
2. A Few good reasons to use Linux
3. Fears, Uncertainity and Doubts
3. Installation of your Linux Server
1. Know your Hardware!
2. Creating the Boot Disk and Booting
3. Installation Class and Method (Install Type)
4. Disk Setup- Disk Druid
5. Disk Druid
6. An example
7. Post-Partitioning
8. Components to Install- Package Group Selection
9. Select Individual Package - Part 'A'
10. Select Individual Package -Part 'B'
11. How to use RPM Commands
12. Starting and stopping daemon services
4. Post-Install
1. Software that must be uninstalled
2. Use RPM command to uninstall.
3. Software that must be installed
4. Check,Re-confirm
5. Verify,Cross-check
6. some colors for a change
7. Update of the latest software
3. Security, Optimization and Upgrade
5. General System Security
2. Security as a Policy
3. Choose a right Password
4. The root account
5. The /etc/exports file
6. Disable console program access
7. Disable all console access
8. The inetd - /etc/inetd.conf file
9.1. Don't display system issue file
10. The /etc/host.conf file
11. The /etc/services file
12. The /etc/securetty file
13. Special accounts
14. Blocking; su to root, by one and sundry
15. Put limits on resource
16. Control mounting a file system
17. Conceal binary RPM
18. Shell logging
19. The LILO and lilo.conf file
20. Disable Ctrl-Alt-Delete keyboard shutdown command
21. Physical hard copies of all-important logs
22. Tighten scripts under /etc/rc.d/
22.1. The /etc/rc.d/rc.local file
23. Bits from root-owned programs
24. The kernel tunable parameters
24.1. Prevent your system responding to Ping
25. Refuse responding to broadcasts request
26. Routing Protocols
27. Enable TCP SYN Cookie Protection
28. Disable ICMP Redirect Acceptance
29. Enable always-defragging Protection
30. Enable bad error message Protection
31. Enable IP spoofing protection
32. Log Spoofed, Source Routed and Redirect Packets
33. Unusual or hidden files
34. System is compromised !
6. Linux General Optimization
1. The /etc/profile file
2. Benchmark Results
3. Benchmark results-i586
4. Benchmark results -i486
5. The bdflush parameters
6. The buffermem parameters
7. The ip_local_port_range parameters
8. The /etc/nsswitch.conf file
9. The file-max parameter
10. The ulimit parameter
11. The atime and noatime attribute
12. Tuning IDE Hard Disk Performance
13. Better manage your TCP/IP resources
7. Configuring and Building a Secure, Optimized Kernel
1. Pre-Install
1.1. Make an emergency boot floppy
2. Uninstallation and Optimization
3. Securing the kernel
4. Compilation
5. Kernel configuration -Part "A"
6. Kernel configuration -Part "B"
7. Kernel configuration -Part "C"
8. Kernel configuration -Part "D"
9. Kernel configuration -Part "E"
10. Installing the new kernel
11. Delete programs, Edit files pertaining to modules
12. Create a emergency Rescue and Boot floppy disk
4. Networking -Management, Firewall, Masquerading and Forwarding
8. TCP/IP -Network Management
1. Multiple Ethernet Card per Machine
9. Files -Networking Functionality
1. The /etc/HOSTNAME file
2. The /etc/sysconfig/network-scripts/ifcfg-ethN files
3. The /etc/resolv.conf file
4. The /etc/host.conf file
5. The /etc/sysconfig/network file
6. The /etc/sysctl.conf file
7. The /etc/hosts file
8. Config TCP/IP Networking manually -command line
10. Networking -Firewall
1. Policy, Guidelines etc.
2. The topology
3. Build a kernel with IPCHAINS Firewall support
4. Rules used in the Firewall script files
5. Source Address Filtering
11. The firewall scripts files
1. Config /etc/rc.d/init.d/firewall script file -Web Server
2. Config /etc/rc.d/init.d/firewall script file - Mail Server
12. Networking Firewall -Masquerading and Forwarding
1. Build a kernel with Firewall Masquerading and Forwarding support
2. Config /etc/rc.d/init.d/firewall script file -Gateway Server
3. Configure script for Example Gateway Server
4. Deny access to some address
5. IPCHAINS Administrative Tools
5. Software -Security
13. Linux -The Compiler functionality
1. The necessary packages
2. Why choose tarballs?
2.1. Compiling software on your system
3. Build, Install software on your system
3.1. Edit files with the vi editor
14. Software -Security/Monitoring
1. sXid
2. Configure and Optimize sXid
2.1. Configure the /etc/sxid.conf file
3. Logcheck
4. Configure and Optimize Logcheck
5. PortSentry
6. Configure and Optimise Portsentry
7. Test fire your PortSentry
6. Software -Networking
15. Software -Securities
1. OpenSSH
2. Configure and optimise Openssh
3. Configure the /etc/ssh/ssh_config file
4. Configure the /etc/ssh/sshd_config file
5. Configure OpenSSH to use TCP-Wrappers/inetd super server
6. OpenSSH Per-User Configuration
7. OpenSSH Users Tools
7.1. scp
8. Installed files
8.1. Free SSH clients for Windows
16. Software -Securties(commercial)
1. Linux SSH2 Client/Server
2. Configure and Optimise SSH2
3. Configure the /etc/ssh2/ssh2_config file
4. Configure the /etc/ssh2/sshd2_config file
5. Configure sshd2 to use tcp-wrappers/inetd super server
6. Configuration of the /etc/pam.d/ssh file
7. Ssh2 Per-User Configuration
8. SSH2 Users Tools
9. Installed files
17. Software -Securities/System Integrity
1. Linux Tripwire 2.2.1
2. Configure the /var/tmp/install.cfg file
3. Configuration files
4. Configure the /usr/TSS/policy/twpol.txt file
5. Securing Tripwire for Linux
5.1. Often used Commands
6. Integrity or Interactive Check Mode
7. Installed files
18. Linux Tripwire ASR 1.3.1
1. Install, Compile and Optimize
2. Configurations
3. Configure the /etc/tw.config file
4. Configure the /etc/cron.daily/tripwire.verify script
4.1. Security Issue
5. Tripwire in Interactive Checking Mode
6. Run Tripwire in Database Update Mode
6.1. Installed Files
19. Software -Securities/Management & Limitation
1. Linux GnuPG
2. Often used Commands
3. Importing keys
3.1. Key signing
4. Encrypt and decrypt
4.1. Exporting your public key
20. Set Limits using Qouta
1. Qouta
1.1. Modify the /etc/fstab file
2. Create of the quota.user and
3. edquota
3.1. The grace period parameter
4. Assign quota for a particular group
4.1. Assign quota for groups of users with the same value
5. Often used Commands
21. Software -Networking
1. Linux DNS and BIND Server
2. Configure
3. Caching-only name Server
4. Primary master name Server
5. Secondary slave name Server
5.1. /etc/rc.d/init.d/named script
6. Run ISC BIND/DNS in a chroot jail
7. The syslog daemon
8. Clean-up and Test the new chrooted jail
9. DNS Administrative Tools
10. DNS Users Tools
11. Installed files
22. Software -Server/Mail Network
1. Linux Sendmail Server
2. Compile and optimize
3. Configurations
4. The /etc/ file /Central Mail Hub
5. Build and Tweak Sendmail
5.1. The file
6. The /etc/mail/access and access.db files
7. The /etc/mail/aliases and aliases.db files
7.1. The /etc/mail/ Directory
8. The /etc/mail/local-host-names file
8.1. Configure the /etc/sysconfig/sendmail file
9. The /etc/rc.d/init.d/sendmail script file
10. Secure Sendmail using smrsh
11. The /etc/mail/aliases file
12. Limit queue processing to root
12.1. The SMTP greeting message
13. Sendmail Administrative Tools
13.1. Sendmail Users Tools
14. Installed files: Sendmail -Central Mail Hub
15. Installed files: Sendmail -Local server/client
23. Linux IMAP & POP Server
1. Configure and Compile
2. Configure to tweak
2.1. The /etc/pam.d/imap file
3. Enable IMAP or POP via the tcp-wrappers inetd super server
3.1. Securing IMAP/POP
4. Installed files
24. Software -Networking/Encryption
1. Linux OPENSSL Server
2. Compile and Optimize
3. Configure OpenSSL to optimise
4. The /etc/ssl/openssl.cnf file
5. Create the /usr/bin/ program file
6. Commands -often used
7. Securing OpenSSL
8. Installed files
25. Linux FreeS/WAN VPN
2. Compile, insert FreeS/WAN into the kernel
3. Reconfigure and install the kernel with FreeS/WAN VPN support
4. Configure to optimise
5. Automatic or Manual Key connections
6. The /etc/ipsec.conf file
7. The /etc/ipsec.secrets file
8. Configure RSA private keys secrets
9. Required network setup for IPSec
10. Testing the installation
11. Further documentation
12. Installed files
26. Linux OpenLDAP Server
1. Compile ans Install
2. Compile and Optimize
3. Configurations
4. Configure the /etc/ldap/slapd.conf file
5. Configure the /etc/rc.d/init.d/ldap script file
6. Securing OpenLDAP
7. OpenLDAP Creation and Maintenance Tools
7.1. LDMB backend database off-line
8. Create the LDMB backend database on-line
8.1. ldapmodify
9. OpenLDAP Users Tools
9.1. The Netscape Address Book client for LDAP
10. Installed files
27. Linux PostgreSQL Database Server
1. Install PostgreSQL
2. Compile and Optimize
3. Database installation using superuser account
4. Configuration files
5. Configure the /etc/rc.d/init.d/postgresql script file
6. Commands often used
7. Installed files
28. Software -Server/Proxy Network
1. Linux Squid Proxy Server
2. Configure and Optimize
3. Improve performance Using GNU malloc library
4. Compile and Optimize
5. Configurations
6. Configure the /etc/squid/squid.conf file -in httpd-accelerator mode
7. Configure of the /etc/squid/squid.conf file -/proxy-caching mode
8. Configure the /etc/rc.d/init.d/squid script file -/all configurations
9. Configure the /etc/logrotate.d/squid file
9.1. Securing and Immunize Squid
10. Optimizing Squid
10.1. The cachemgr.cgi
11. Netscape Proxies Configuration
12. Installed files
29. Software -Network Server, web/Apache
1. Linux MM Shared Memory Library
2. Compile
2.1. Installed files
3. Linux Apache Web Server
4. Compile and Optimize
5. Configure and apply PHP4 to Apache source
6. Apply mod_perl to Apache source tree
7. Install Apache
8. Post install Configuration
9. Configure the /etc/httpd/conf/httpd.conf file
10. Configure the /etc/logrotate.d/apache file
11. Configure the /etc/rc.d/init.d/httpd script file
12. PHP4 server-side scripting
13. Perl module Devel::Symdump
13.1. Installed files
14. Perl library
14.1. Installed files
15. Securing Apache
16. users authentication with .dbmpasswd password file
16.1. Immunize configuration files like httpd.conf
17. Apache in a chroot jail
18. Apache to use shared libraries
19. The /chroot/etc directory
20. Test the new chrooted jail
21. Configure the new /etc/logrotate.d/apache file
22. Optimizing Apache
23. Installed files for Apache Web Server
24. Installed files /PHP4
25. Installed files by mod_perl
30. Optional component to install with Apache
1. Linux Webalizer
2. Compile
2.1. Configurations
3. Configure the /etc/webalizer.conf file
4. Make Apache aware of Webalizer output directory
4.1. Running Webalizer manually first time
5. Run Webalizer automatically with a cron job
5.1. Installed files
6. Linux FAQ-O-Matic
7. Compile and install FAQ-O-Matic
8. Make Apache aware Faq-O-Matic file's location
9. Configure your FAQ-O-Matic
10. Installed files
11. Linux Webmail IMP
12. Set up PHPLib
13. Compile to install Webmail IMP
14. Configure and create Webmail IMP SQL database
15. Configure your php.ini from PHP4
15.1. Configure Apache to recognize Webmail IMP
16. Configure Webmail IMP via your web browser
31. Software -Server/File Sharing-Network
1. Linux Samba Server
2. Configure Samba
3. Compile and optimize
4. Configurations
5. Configuration of the /etc/smb.conf file
6. Configure the /etc/lmhosts file
6.1. Configure the /etc/pam.d/samba file
7. Encrypted Samba password file for clients
8. Optimizing Samba
8.1. Tuning the buffer cache
9. Tuning the buffermem
10. Further documentation
11. Samba Administrative Tools
11.1. Samba Users Tools
12. The /etc/rc.d/init.d/smb script file
12.1. Securing Samba
13. Installed files
32. Linux FTP Server
1. chroot'd Guest FTP access
2. Setup an FTP user account minus shells
3. Setup a chroot user environment
4. Configurations
5. Configure the /etc/ftphosts file
5.1. Configure the /etc/ftpusers file
6. Configure the /etc/ftpconversions file
6.1. Configure the /etc/pam.d/ftp file
7. Configure the /etc/logrotate.d/ftpd file
7.1. Configure ftpd to use tcp-wrappers inetd
8. FTP Administrative Tools
9. Securing FTP
10. The special file .notar
11. Installed files
7. Backup and Restore
33. Why's and When's of Backup and Restore
1. What to backup
2. The tar backup program
3. Automating backups with tar
4. Restore files with tar
5. The dump backup program
6. Making backups with dump
7. Restoring files with dump
8. Backing up and restoring over the network
8.1. Using the scp SSH command
I. Appendixes
A. Resources
B. Tweaks, Tips and Administration tasks
C. Obtaining Requests for Comments (RFCs)

List of Tables

3.1. Sample representaion of partitions
33.1. Dump scheme

List of Examples

3.1. Starting and Stopping various Daemon's
5.1. Export file systems using NFS
5.2. Disable console-equivalent access
5.3. Print log reports
5.4. Use man pages
5.5. Use find to find
6.1. For 128 MB of RAM
7.1. SMP support
8.1. Two ISA ethernet cards
12.1. rc.firewall.blocked
13.1. Using tar
15.1. Remote login using ssh
15.2. scp Secure Copy utility
15.3. local to remote
16.1. login to a remote using ssh2
16.2. sftp2, Secure File Transfer
18.1. Usage of Tripwire
19.1. Importing using gpg
19.2. Signing key
19.3. Encrypting
19.4. Decrypting
20.1. usrquota
20.2. grpquota
21.1. dnsquery
21.2. Look up host names
21.3. Using host
21.4. List a complete domain
22.1. Overriding RBL
22.2. Alternative names
26.1. my-data-file
26.2. LDMB backend
26.3. modifyentry
26.4. Address Book
30.1. Using Netscape browser
33.1. Backup directory of a week
33.2. scp SSH command
33.3. scp SSH command