web/html/docs/security-guide/f12/en-US/html sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html, NONE, 1.1 sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html, NONE, 1.1 sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html, NONE, 1.1 sect-Security_Guide-Available_Network_Services-Insecure_Services.html, NONE, 1.1 sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html, NONE, 1.1 sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging.html, NONE, 1.1 sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins.html, NONE, 1.1 sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins.html, NONE, 1.1 sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html, NONE, 1.1 sect-Security_Guide-Limiting_Root_Access-The_sudo_Command.html, NONE, 1.1 sect-Security_Guide-Passphrases.html, NONE, 1.1 sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html, NONE, 1.1 sect-Security_Guide-Workstation_Security-Administrative_Controls.html, NONE, 1.1 sect-Security_Guide-Workstation_Security-Available_Network_Services.html, NONE, 1.1 sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html, NONE, 1.1 sect-Security_Guide-Workstation_Security-Password_Security.html, NONE, 1.1 sect-Security_Guide-Workstation_Security-Personal_Firewalls.html, NONE, 1.1 sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools.html, NONE, 1.1 sect-Security_Guide-Workstation_Security.html, NONE, 1.1
Eric Christensen
sparks at fedoraproject.org
Thu Nov 19 03:16:43 UTC 2009
Author: sparks
Update of /cvs/fedora/web/html/docs/security-guide/f12/en-US/html
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13270/en-US/html
Added Files:
sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html
sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html
sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html
sect-Security_Guide-Available_Network_Services-Insecure_Services.html
sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html
sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging.html
sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins.html
sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins.html
sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html
sect-Security_Guide-Limiting_Root_Access-The_sudo_Command.html
sect-Security_Guide-Passphrases.html
sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html
sect-Security_Guide-Workstation_Security-Administrative_Controls.html
sect-Security_Guide-Workstation_Security-Available_Network_Services.html
sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html
sect-Security_Guide-Workstation_Security-Password_Security.html
sect-Security_Guide-Workstation_Security-Personal_Firewalls.html
sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools.html
sect-Security_Guide-Workstation_Security.html
Log Message:
Added "Local users may install trusted packages" section.
--- NEW FILE sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.4.2. Disallowing Root Access</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security-Administrative_Controls.html" title="2.2.4. Administrative Controls" /><link rel="prev" href="sect-Security_Guide-Workstation_Security-Administrative_Controls.html" title="2.2.4. Administrative Controls" /><link rel="next" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins.html" title="2.2.4.2.2. Disabling Root Logins" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site"
/></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-Administrative_Controls.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.4.2. Disallowing Root Access"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access">2.2.4.2. Disallowing Root Access</h4></div></div></div><div class="para">
If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root password should be kept secret, and access to runlevel one or single user mode should be disallowed through boot loader password protection (refer to <a class="xref" href="sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html" title="2.2.2.2. Boot Loader Passwords">Section 2.2.2.2, “Boot Loader Passwordsâ€</a> for more information on this topic.)
</div><div class="para">
<a class="xref" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html#tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account" title="Table 2.1. Methods of Disabling the Root Account">Table 2.1, “Methods of Disabling the Root Accountâ€</a> describes ways that an administrator can further ensure that root logins are disallowed:
</div><div class="table" id="tabl-Security_Guide-Disallowing_Root_Access-Methods_of_Disabling_the_Root_Account"><div class="table-contents"><table summary="Methods of Disabling the Root Account" border="1"><colgroup><col width="12%" /><col width="29%" /><col width="29%" /><col width="29%" /></colgroup><thead><tr><th>
Method
</th><th>
Description
</th><th>
Effects
</th><th>
Does Not Affect
</th></tr></thead><tbody><tr><td>
Changing the root shell.
</td><td>
Edit the <code class="filename">/etc/passwd</code> file and change the shell from <code class="command">/bin/bash</code> to <code class="command">/sbin/nologin</code>.
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> Prevents access to the root shell and logs any such attempts. </td></tr><tr><td> The following programs are prevented from accessing the root account: </td></tr><tr><td> · <code class="command">login</code></td></tr><tr><td> · <code class="command">gdm</code></td></tr><tr><td> · <code class="command">kdm</code></td></tr><tr><td> · <code class="command">xdm</code></td></tr><tr><td> · <code class="command">su</code></td></tr><tr><td> · <code class="command">ssh</code></td></tr><tr><td> · <code class="command">scp</code></td></tr><tr><td> · <code class="command">sftp</code></td></tr></table>
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. </td></tr><tr><td> The following programs are <span class="emphasis"><em>not</em></span> prevented from accessing the root account: </td></tr><tr><td> · <code class="command">sudo</code></td></tr><tr><td> · FTP clients </td></tr><tr><td> · Email clients </td></tr></table>
</td></tr><tr><td>
Disabling root access via any console device (tty).
</td><td>
An empty <code class="filename">/etc/securetty</code> file prevents root login on any devices attached to the computer.
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account: </td></tr><tr><td> · <code class="command">login</code></td></tr><tr><td> · <code class="command">gdm</code></td></tr><tr><td> · <code class="command">kdm</code></td></tr><tr><td> · <code class="command">xdm</code></td></tr><tr><td> · Other network services that open a tty </td></tr></table>
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. </td></tr><tr><td> The following programs are <span class="emphasis"><em>not</em></span> prevented from accessing the root account: </td></tr><tr><td> · <code class="command">su</code></td></tr><tr><td> · <code class="command">sudo</code></td></tr><tr><td> · <code class="command">ssh</code></td></tr><tr><td> · <code class="command">scp</code></td></tr><tr><td> · <code class="command">sftp</code></td></tr></table>
</td></tr><tr><td>
Disabling root SSH logins.
</td><td>
Edit the <code class="filename">/etc/ssh/sshd_config</code> file and set the <code class="command">PermitRootLogin</code> parameter to <code class="command">no</code>.
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account: </td></tr><tr><td> · <code class="command">ssh</code></td></tr><tr><td> · <code class="command">scp</code></td></tr><tr><td> · <code class="command">sftp</code></td></tr></table>
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> This only prevents root access to the OpenSSH suite of tools. </td></tr></table>
</td></tr><tr><td>
Use PAM to limit root access to services.
</td><td>
Edit the file for the target service in the <code class="filename">/etc/pam.d/</code> directory. Make sure the <code class="filename">pam_listfile.so</code> is required for authentication.<sup>[<a id="id683370" href="#ftn.id683370" class="footnote">a</a>]</sup>
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> Prevents root access to network services that are PAM aware. </td></tr><tr><td> The following services are prevented from accessing the root account: </td></tr><tr><td> · FTP clients </td></tr><tr><td> · Email clients </td></tr><tr><td> · <code class="command">login</code></td></tr><tr><td> · <code class="command">gdm</code></td></tr><tr><td> · <code class="command">kdm</code></td></tr><tr><td> · <code class="command">xdm</code></td></tr><tr><td> · <code class="command">ssh</code></td></tr><tr><td> · <code class="command">scp</code></td></tr><tr><td> · <code class="command">sftp</code></td></tr><tr><td> · Any PAM aware services </td></tr></table>
</td><td>
<table border="0" summary="Simple list" class="simplelist"><tr><td> Programs and services that are not PAM aware. </td></tr></table>
</td></tr></tbody><tbody class="footnotes"><tr><td colspan="4"><div class="footnote"><p><sup>[<a id="ftn.id683370" href="#id683370" class="para">a</a>] </sup>
Refer to <a class="xref" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html" title="2.2.4.2.4. Disabling Root Using PAM">Section 2.2.4.2.4, “Disabling Root Using PAMâ€</a> for details.
</p></div></td></tr></tbody></table></div><h6>Table 2.1. Methods of Disabling the Root Account</h6></div><br class="table-break" /><div class="section" title="2.2.4.2.1. Disabling the Root Shell"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Disallowing_Root_Access-Disabling_the_Root_Shell">2.2.4.2.1. Disabling the Root Shell</h5></div></div></div><div class="para">
To prevent users from logging in directly as root, the system administrator can set the root account's shell to <code class="command">/sbin/nologin</code> in the <code class="filename">/etc/passwd</code> file. This prevents access to the root account through commands that require a shell, such as the <code class="command">su</code> and the <code class="command">ssh</code> commands.
</div><div class="important"><h2>Important</h2><div class="para">
Programs that do not require access to the shell, such as email clients or the <code class="command">sudo</code> command, can still access the root account.
</div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-Administrative_Controls.html"><strong>Prev</strong>2.2.4. Administrative Controls</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins.html"><strong>Next</strong>2.2.4.2.2. Disabling Root Logins</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.4.3. Limiting Root Access</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security-Administrative_Controls.html" title="2.2.4. Administrative Controls" /><link rel="prev" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html" title="2.2.4.2.4. Disabling Root Using PAM" /><link rel="next" href="sect-Security_Guide-Limiting_Root_Access-The_sudo_Command.html" title="2.2.4.3.2. The sudo Command" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a>
<a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Limiting_Root_Access-The_sudo_Command.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.4.3. Limiting Root Access"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Administrative_Controls-Limiting_Root_Access">2.2.4.3. Limiting Root Access</h4></div></div></div><div class="para">
Rather than completely denying access to the root user, the administrator may want to allow access only via setuid programs, such as <code class="command">su</code> or <code class="command">sudo</code>.
</div><div class="section" title="2.2.4.3.1. The su Command"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Limiting_Root_Access-The_su_Command">2.2.4.3.1. The <code class="command">su</code> Command</h5></div></div></div><div class="para">
When a user executes the <code class="command">su</code> command, they are prompted for the root password and, after authentication, is given a root shell prompt.
</div><div class="para">
Once logged in via the <code class="command">su</code> command, the user <span class="emphasis"><em>is</em></span> the root user and has absolute administrative access to the system<sup>[<a id="id531899" href="#ftn.id531899" class="footnote">13</a>]</sup>. In addition, once a user has become root, it is possible for them to use the <code class="command">su</code> command to change to any other user on the system without being prompted for a password.
</div><div class="para">
Because this program is so powerful, administrators within an organization may wish to limit who has access to the command.
</div><div class="para">
One of the simplest ways to do this is to add users to the special administrative group called <em class="firstterm">wheel</em>. To do this, type the following command as root:
</div><pre class="screen"><code class="command">usermod -G wheel <em class="replaceable"><code><username></code></em></code>
</pre><div class="para">
In the previous command, replace <em class="replaceable"><code><username></code></em> with the username you want to add to the <code class="command">wheel</code> group.
</div><div class="para">
You can also use the <span class="application"><strong>User Manager</strong></span> to modify group memberships, as follows. Note: you need Administrator privileges to perform this procedure.
</div><div class="procedure"><ol class="1"><li class="step" title="Step 1"><div class="para">
Click the <span class="guimenu"><strong>System</strong></span> menu on the Panel, point to <span class="guisubmenu"><strong>Administration</strong></span> and then click <span class="guimenuitem"><strong>Users and Groups</strong></span> to display the User Manager. Alternatively, type the command <code class="command">system-config-users</code> at a shell prompt.
</div></li><li class="step" title="Step 2"><div class="para">
Click the <span class="guilabel"><strong>Users</strong></span> tab, and select the required user in the list of users.
</div></li><li class="step" title="Step 3"><div class="para">
Click <span class="guibutton"><strong>Properties</strong></span> on the toolbar to display the User Properties dialog box (or choose <span class="guimenuitem"><strong>Properties</strong></span> on the <span class="guimenu"><strong>File</strong></span> menu).
</div></li><li class="step" title="Step 4"><div class="para">
Click the <span class="guilabel"><strong>Groups</strong></span> tab, select the check box for the wheel group, and then click <span class="guibutton"><strong>OK</strong></span>. Refer to <a class="xref" href="sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html#figu-Security_Guide-The_su_Command-Adding_users_to_the_wheel_group." title="Figure 2.2. Adding users to the "wheel" group.">Figure 2.2, “Adding users to the "wheel" group.â€</a>.
</div></li><li class="step" title="Step 5"><div class="para">
Open the PAM configuration file for <code class="command">su</code> (<code class="filename">/etc/pam.d/su</code>) in a text editor and remove the comment <span class="keycap"><strong>#</strong></span> from the following line:
</div><pre class="screen">auth required /lib/security/$ISA/pam_wheel.so use_uid
</pre><div class="para">
This change means that only members of the administrative group <code class="computeroutput">wheel</code> can use this program.
</div></li></ol></div><div class="figure" id="figu-Security_Guide-The_su_Command-Adding_users_to_the_wheel_group."><div class="figure-contents"><div class="mediaobject"><img src="images/fed-user_pass_groups.png" width="444" alt="Adding users to the "wheel" group." /><div class="longdesc"><div class="para">
<span class="guilabel"><strong>Groups</strong></span> pane illustration
</div></div></div></div><h6>Figure 2.2. Adding users to the "wheel" group.</h6></div><br class="figure-break" /><div class="note"><h2>Note</h2><div class="para">
The root user is part of the <code class="computeroutput">wheel</code> group by default.
</div></div></div><div class="footnotes"><br /><hr /><div class="footnote"><p><sup>[<a id="ftn.id531899" href="#id531899" class="para">13</a>] </sup>
This access is still subject to the restrictions imposed by SELinux, if it is enabled.
</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html"><strong>Prev</strong>2.2.4.2.4. Disabling Root Using PAM</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Limiting_Root_Access-The_sudo_Command.html"><strong>Next</strong>2.2.4.3.2. The sudo Command</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.5.2. Identifying and Configuring Services</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security-Available_Network_Services.html" title="2.2.5. Available Network Services" /><link rel="prev" href="sect-Security_Guide-Workstation_Security-Available_Network_Services.html" title="2.2.5. Available Network Services" /><link rel="next" href="sect-Security_Guide-Available_Network_Services-Insecure_Services.html" title="2.2.5.3. Insecure Services" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png"
alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-Available_Network_Services.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Available_Network_Services-Insecure_Services.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.5.2. Identifying and Configuring Services"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services">2.2.5.2. Identifying and Configuring Services</h4></div></div></div><div class="para">
To enhance security, most network services installed with Fedora are turned off by default. There are, however, some notable exceptions:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<code class="command">cupsd</code> — The default print server for Fedora.
</div></li><li class="listitem"><div class="para">
<code class="command">lpd</code> — An alternative print server.
</div></li><li class="listitem"><div class="para">
<code class="command">xinetd</code> — A super server that controls connections to a range of subordinate servers, such as <code class="command">gssftp</code> and <code class="command">telnet</code>.
</div></li><li class="listitem"><div class="para">
<code class="command">sendmail</code> — The Sendmail <em class="firstterm">Mail Transport Agent</em> (<abbr class="abbrev">MTA</abbr>) is enabled by default, but only listens for connections from the <span class="interface">localhost</span>.
</div></li><li class="listitem"><div class="para">
<code class="command">sshd</code> — The OpenSSH server, which is a secure replacement for Telnet.
</div></li></ul></div><div class="para">
When determining whether to leave these services running, it is best to use common sense and err on the side of caution. For example, if a printer is not available, do not leave <code class="command">cupsd</code> running. The same is true for <code class="command">portmap</code>. If you do not mount NFSv3 volumes or use NIS (the <code class="command">ypbind</code> service), then <code class="command">portmap</code> should be disabled.
</div><div class="figure" id="figu-Security_Guide-Identifying_and_Configuring_Services-Services_Configuration_Tool"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-service_config.png" width="444" alt="Services Configuration Tool" /><div class="longdesc"><div class="para">
<span class="application"><strong>Services Configuration Tool</strong></span> illustration
</div></div></div></div><h6>Figure 2.3. <span class="application">Services Configuration Tool</span></h6></div><br class="figure-break" /><div class="para">
If unsure of the purpose for a particular service, the <span class="application"><strong>Services Configuration Tool</strong></span> has a description field, illustrated in <a class="xref" href="sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html#figu-Security_Guide-Identifying_and_Configuring_Services-Services_Configuration_Tool" title="Figure 2.3. Services Configuration Tool">Figure 2.3, “<span class="application">Services Configuration Tool</span>â€</a>, that provides additional information.
</div><div class="para">
Checking which network services are available to start at boot time is only part of the story. You should also check which ports are open and listening. Refer to <a class="xref" href="sect-Security_Guide-Server_Security-Verifying_Which_Ports_Are_Listening.html" title="2.3.8. Verifying Which Ports Are Listening">Section 2.3.8, “Verifying Which Ports Are Listeningâ€</a> for more information.
</div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-Available_Network_Services.html"><strong>Prev</strong>2.2.5. Available Network Services</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Available_Network_Services-Insecure_Services.html"><strong>Next</strong>2.2.5.3. Insecure Services</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Available_Network_Services-Insecure_Services.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.5.3. Insecure Services</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security-Available_Network_Services.html" title="2.2.5. Available Network Services" /><link rel="prev" href="sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html" title="2.2.5.2. Identifying and Configuring Services" /><link rel="next" href="sect-Security_Guide-Workstation_Security-Personal_Firewalls.html" title="2.2.6. Personal Firewalls" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.pn
g" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Personal_Firewalls.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.5.3. Insecure Services"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Available_Network_Services-Insecure_Services">2.2.5.3. Insecure Services</h4></div></div></div><div class="para">
Potentially, any network service is insecure. This is why turning off unused services is so important. Exploits for services are routinely revealed and patched, making it very important to regularly update packages associated with any network service. Refer to <a class="xref" href="sect-Security_Guide-Security_Updates.html" title="1.5. Security Updates">Section 1.5, “Security Updatesâ€</a> for more information.
</div><div class="para">
Some network protocols are inherently more insecure than others. These include any services that:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="emphasis"><em>Transmit Usernames and Passwords Over a Network Unencrypted</em></span> — Many older protocols, such as Telnet and FTP, do not encrypt the authentication session and should be avoided whenever possible.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Transmit Sensitive Data Over a Network Unencrypted</em></span> — Many protocols transmit data over the network unencrypted. These protocols include Telnet, FTP, HTTP, and SMTP. Many network file systems, such as NFS and SMB, also transmit information over the network unencrypted. It is the user's responsibility when using these protocols to limit what type of data is transmitted.
</div><div class="para">
Remote memory dump services, like <code class="command">netdump</code>, transmit the contents of memory over the network unencrypted. Memory dumps can contain passwords or, even worse, database entries and other sensitive information.
</div><div class="para">
Other services like <code class="command">finger</code> and <code class="command">rwhod</code> reveal information about users of the system.
</div></li></ul></div><div class="para">
Examples of inherently insecure services include <code class="command">rlogin</code>, <code class="command">rsh</code>, <code class="command">telnet</code>, and <code class="command">vsftpd</code>.
</div><div class="para">
All remote login and shell programs (<code class="command">rlogin</code>, <code class="command">rsh</code>, and <code class="command">telnet</code>) should be avoided in favor of SSH. Refer to <a class="xref" href="sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools.html" title="2.2.7. Security Enhanced Communication Tools">Section 2.2.7, “Security Enhanced Communication Toolsâ€</a> for more information about <code class="command">sshd</code>.
</div><div class="para">
FTP is not as inherently dangerous to the security of the system as remote shells, but FTP servers must be carefully configured and monitored to avoid problems. Refer to <a class="xref" href="sect-Security_Guide-Server_Security-Securing_FTP.html" title="2.3.6. Securing FTP">Section 2.3.6, “Securing FTPâ€</a> for more information about securing FTP servers.
</div><div class="para">
Services that should be carefully implemented and behind a firewall include:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<code class="command">finger</code>
</div></li><li class="listitem"><div class="para">
<code class="command">authd</code> (this was called <code class="command">identd</code> in previous Fedora releases.)
</div></li><li class="listitem"><div class="para">
<code class="command">netdump</code>
</div></li><li class="listitem"><div class="para">
<code class="command">netdump-server</code>
</div></li><li class="listitem"><div class="para">
<code class="command">nfs</code>
</div></li><li class="listitem"><div class="para">
<code class="command">rwhod</code>
</div></li><li class="listitem"><div class="para">
<code class="command">sendmail</code>
</div></li><li class="listitem"><div class="para">
<code class="command">smb</code> (Samba)
</div></li><li class="listitem"><div class="para">
<code class="command">yppasswdd</code>
</div></li><li class="listitem"><div class="para">
<code class="command">ypserv</code>
</div></li><li class="listitem"><div class="para">
<code class="command">ypxfrd</code>
</div></li></ul></div><div class="para">
More information on securing network services is available in <a class="xref" href="sect-Security_Guide-Server_Security.html" title="2.3. Server Security">Section 2.3, “Server Securityâ€</a>.
</div><div class="para">
The next section discusses tools available to set up a simple firewall.
</div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html"><strong>Prev</strong>2.2.5.2. Identifying and Configuring Services</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Personal_Firewalls.html"><strong>Next</strong>2.2.6. Personal Firewalls</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.2.2. Boot Loader Passwords</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html" title="2.2.2. BIOS and Boot Loader Security" /><link rel="prev" href="sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html" title="2.2.2. BIOS and Boot Loader Security" /><link rel="next" href="sect-Security_Guide-Workstation_Security-Password_Security.html" title="2.2.3. Password Security" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Produc
t Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Password_Security.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.2.2. Boot Loader Passwords"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords">2.2.2.2. Boot Loader Passwords</h4></div></div></div><div class="para">
The primary reasons for password protecting a Linux boot loader are as follows:
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
<span class="emphasis"><em>Preventing Access to Single User Mode</em></span> — If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Preventing Access to the GRUB Console</em></span> — If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the <code class="command">cat</code> command.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Preventing Access to Insecure Operating Systems</em></span> — If it is a dual-boot system, an attacker can select an operating system at boot time (for example, DOS), which ignores access controls and file permissions.
</div></li></ol></div><div class="para">
Fedora ships with the GRUB boot loader on the x86 platform. For a detailed look at GRUB, refer to the Red Hat Installation Guide.
</div><div class="section" title="2.2.2.2.1. Password Protecting GRUB"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Boot_Loader_Passwords-Password_Protecting_GRUB">2.2.2.2.1. Password Protecting GRUB</h5></div></div></div><div class="para">
You can configure GRUB to address the first two issues listed in <a class="xref" href="sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html" title="2.2.2.2. Boot Loader Passwords">Section 2.2.2.2, “Boot Loader Passwordsâ€</a> by adding a password directive to its configuration file. To do this, first choose a strong password, open a shell, log in as root, and then type the following command:
</div><pre class="screen"><code class="command">/sbin/grub-md5-crypt</code>
</pre><div class="para">
When prompted, type the GRUB password and press <span class="keycap"><strong>Enter</strong></span>. This returns an MD5 hash of the password.
</div><div class="para">
Next, edit the GRUB configuration file <code class="filename">/boot/grub/grub.conf</code>. Open the file and below the <code class="command">timeout</code> line in the main section of the document, add the following line:
</div><pre class="screen"><code class="command">password --md5 <em class="replaceable"><code><password-hash></code></em></code>
</pre><div class="para">
Replace <em class="replaceable"><code><password-hash></code></em> with the value returned by <code class="command">/sbin/grub-md5-crypt</code><sup>[<a id="id689141" href="#ftn.id689141" class="footnote">12</a>]</sup>.
</div><div class="para">
The next time the system boots, the GRUB menu prevents access to the editor or command interface without first pressing <span class="keycap"><strong>p</strong></span> followed by the GRUB password.
</div><div class="para">
Unfortunately, this solution does not prevent an attacker from booting into an insecure operating system in a dual-boot environment. For this, a different part of the <code class="filename">/boot/grub/grub.conf</code> file must be edited.
</div><div class="para">
Look for the <code class="computeroutput">title</code> line of the operating system that you want to secure, and add a line with the <code class="command">lock</code> directive immediately beneath it.
</div><div class="para">
For a DOS system, the stanza should begin similar to the following:
</div><pre class="screen"><code class="computeroutput">title DOS lock</code>
</pre><div class="warning"><h2>Warning</h2><div class="para">
A <code class="computeroutput">password</code> line must be present in the main section of the <code class="filename">/boot/grub/grub.conf</code> file for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.
</div></div><div class="para">
To create a different password for a particular kernel or operating system, add a <code class="command">lock</code> line to the stanza, followed by a password line.
</div><div class="para">
Each stanza protected with a unique password should begin with lines similar to the following example:
</div><pre class="screen"><code class="computeroutput">title DOS lock password --md5 <em class="replaceable"><code><password-hash></code></em></code>
</pre></div><div class="footnotes"><br /><hr /><div class="footnote"><p><sup>[<a id="ftn.id689141" href="#id689141" class="para">12</a>] </sup>
GRUB also accepts unencrypted passwords, but it is recommended that an MD5 hash be used for added security.
</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html"><strong>Prev</strong>2.2.2. BIOS and Boot Loader Security</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Password_Security.html"><strong>Next</strong>2.2.3. Password Security</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.3.2.3. Password Aging</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html" title="2.2.3.2. Creating User Passwords Within an Organization" /><link rel="prev" href="sect-Security_Guide-Passphrases.html" title="2.2.3.2.2. Passphrases" /><link rel="next" href="sect-Security_Guide-Workstation_Security-Administrative_Controls.html" title="2.2.4. Administrative Controls" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a
><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Passphrases.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Administrative_Controls.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.3.2.3. Password Aging"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging">2.2.3.2.3. Password Aging</h5></div></div></div><div class="para">
Password aging is another technique used by system administrators to defend against bad passwords within an organization. Password aging means that after a specified period (usually 90 days), the user is prompted to create a new password. The theory behind this is that if a user is forced to change his password periodically, a cracked password is only useful to an intruder for a limited amount of time. The downside to password aging, however, is that users are more likely to write their passwords down.
</div><div class="para">
There are two primary programs used to specify password aging under Fedora: the <code class="command">chage</code> command or the graphical <span class="application"><strong>User Manager</strong></span> (<code class="command">system-config-users</code>) application.
</div><div class="para">
The <code class="option">-M</code> option of the <code class="command">chage</code> command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command:
</div><pre class="screen"><code class="command">chage -M 90 <em class="replaceable"><code><username></code></em></code>
</pre><div class="para">
In the above command, replace <em class="replaceable"><code><username></code></em> with the name of the user. To disable password expiration, it is traditional to use a value of <code class="command">99999</code> after the <code class="option">-M</code> option (this equates to a little over 273 years).
</div><div class="para">
You can also use the <code class="command">chage</code> command in interactive mode to modify multiple password aging and account details. Use the following command to enter interactive mode:
</div><pre class="screen"><code class="command">chage <em class="replaceable"><code><username></code></em></code>
</pre><div class="para">
The following is a sample interactive session using this command:
</div><pre class="screen">[root at myServer ~]# chage davido
Changing the aging information for davido
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 90
Last Password Change (YYYY-MM-DD) [2006-08-18]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
[root at myServer ~]#
</pre><div class="para">
Refer to the man page for chage for more information on the available options.
</div><div class="para">
You can also use the graphical <span class="application"><strong>User Manager</strong></span> application to create password aging policies, as follows. Note: you need Administrator privileges to perform this procedure.
</div><div class="procedure"><ol class="1"><li class="step" title="Step 1"><div class="para">
Click the <span class="guimenu"><strong>System</strong></span> menu on the Panel, point to <span class="guisubmenu"><strong>Administration</strong></span> and then click <span class="guimenuitem"><strong>Users and Groups</strong></span> to display the User Manager. Alternatively, type the command <code class="command">system-config-users</code> at a shell prompt.
</div></li><li class="step" title="Step 2"><div class="para">
Click the <span class="guilabel"><strong>Users</strong></span> tab, and select the required user in the list of users.
</div></li><li class="step" title="Step 3"><div class="para">
Click <span class="guibutton"><strong>Properties</strong></span> on the toolbar to display the User Properties dialog box (or choose <span class="guimenuitem"><strong>Properties</strong></span> on the <span class="guimenu"><strong>File</strong></span> menu).
</div></li><li class="step" title="Step 4"><div class="para">
Click the <span class="guilabel"><strong>Password Info</strong></span> tab, and select the check box for <span class="guilabel"><strong>Enable password expiration</strong></span>.
</div></li><li class="step" title="Step 5"><div class="para">
Enter the required value in the <span class="guilabel"><strong>Days before change required</strong></span> field, and click <span class="guibutton"><strong>OK</strong></span>.
</div></li></ol></div><div class="figure" id="figu-Security_Guide-Password_Aging-Specifying_password_aging_options"><div class="figure-contents"><div class="mediaobject"><img src="images/fed-user_pass_info.png" width="444" alt="Specifying password aging options" /><div class="longdesc"><div class="para">
<span class="guilabel"><strong>Password Info</strong></span> pane illustration.
</div></div></div></div><h6>Figure 2.1. Specifying password aging options</h6></div><br class="figure-break" /></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Passphrases.html"><strong>Prev</strong>2.2.3.2.2. Passphrases</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Administrative_Controls.html"><strong>Next</strong>2.2.4. Administrative Controls</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.4.2.2. Disabling Root Logins</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html" title="2.2.4.2. Disallowing Root Access" /><link rel="prev" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html" title="2.2.4.2. Disallowing Root Access" /><link rel="next" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins.html" title="2.2.4.2.3. Disabling Root SSH Logins" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png"
alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.4.2.2. Disabling Root Logins"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins">2.2.4.2.2. Disabling Root Logins</h5></div></div></div><div class="para">
To further limit access to the root account, administrators can disable root logins at the console by editing the <code class="filename">/etc/securetty</code> file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to his machine as root via Telnet, which transmits the password in plain text over the network. By default, Fedora's <code class="filename">/etc/securetty</code> file only allows the root user to log in at the console physically attached to the machine. To prevent root from logging in, remove the contents of this file by typing the following command:
</div><pre class="screen"><code class="command">echo > /etc/securetty</code>
</pre><div class="warning"><h2>Warning</h2><div class="para">
A blank <code class="filename">/etc/securetty</code> file does <span class="emphasis"><em>not</em></span> prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication.
</div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html"><strong>Prev</strong>2.2.4.2. Disallowing Root Access</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins.html"><strong>Next</strong>2.2.4.2.3. Disabling Root SSH Logins</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.4.2.3. Disabling Root SSH Logins</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html" title="2.2.4.2. Disallowing Root Access" /><link rel="prev" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins.html" title="2.2.4.2.2. Disabling Root Logins" /><link rel="next" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html" title="2.2.4.2.4. Disabling Root Using PAM" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png"
alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.4.2.3. Disabling Root SSH Logins"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins">2.2.4.2.3. Disabling Root SSH Logins</h5></div></div></div><div class="para">
Root logins via the SSH protocol are disabled by default in Fedora; however, if this option has been enabled, it can be disabled again by editing the SSH daemon's configuration file (<code class="filename">/etc/ssh/sshd_config</code>). Change the line that reads:
</div><pre class="screen"><code class="computeroutput">PermitRootLogin yes</code>
</pre><div class="para">
to read as follows:
</div><pre class="screen"><code class="computeroutput">PermitRootLogin no</code>
</pre><div class="para">
For these changes to take effect, the SSH daemon must be restarted. This can be done via the following command:
</div><pre class="screen"><code class="computeroutput">kill -HUP `cat /var/run/sshd.pid`</code>
</pre></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Logins.html"><strong>Prev</strong>2.2.4.2.2. Disabling Root Logins</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html"><strong>Next</strong>2.2.4.2.4. Disabling Root Using PAM</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.4.2.4. Disabling Root Using PAM</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html" title="2.2.4.2. Disallowing Root Access" /><link rel="prev" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins.html" title="2.2.4.2.3. Disabling Root SSH Logins" /><link rel="next" href="sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html" title="2.2.4.3. Limiting Root Access" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt
="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.4.2.4. Disabling Root Using PAM"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_Using_PAM">2.2.4.2.4. Disabling Root Using PAM</h5></div></div></div><div class="para">
PAM, through the <code class="filename">/lib/security/pam_listfile.so</code> module, allows great flexibility in denying specific accounts. The administrator can use this module to reference a list of users who are not allowed to log in. Below is an example of how the module is used for the <code class="command">vsftpd</code> FTP server in the <code class="filename">/etc/pam.d/vsftpd</code> PAM configuration file (the <code class="computeroutput">\</code> character at the end of the first line in the following example is <span class="emphasis"><em>not</em></span> necessary if the directive is on one line):
</div><pre class="screen">auth required /lib/security/pam_listfile.so item=user \
sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
</pre><div class="para">
This instructs PAM to consult the <code class="filename">/etc/vsftpd.ftpusers</code> file and deny access to the service for any listed user. The administrator can change the name of this file, and can keep separate lists for each service or use one central list to deny access to multiple services.
</div><div class="para">
If the administrator wants to deny access to multiple services, a similar line can be added to the PAM configuration files, such as <code class="filename">/etc/pam.d/pop</code> and <code class="filename">/etc/pam.d/imap</code> for mail clients, or <code class="filename">/etc/pam.d/ssh</code> for SSH clients.
</div><div class="para">
For more information about PAM, refer to <a class="xref" href="sect-Security_Guide-Pluggable_Authentication_Modules_PAM.html" title="2.5. Pluggable Authentication Modules (PAM)">Section 2.5, “Pluggable Authentication Modules (PAM)â€</a>.
</div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Disallowing_Root_Access-Disabling_Root_SSH_Logins.html"><strong>Prev</strong>2.2.4.2.3. Disabling Root SSH Logins</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html"><strong>Next</strong>2.2.4.3. Limiting Root Access</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Limiting_Root_Access-The_sudo_Command.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.4.3.2. The sudo Command</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html" title="2.2.4.3. Limiting Root Access" /><link rel="prev" href="sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html" title="2.2.4.3. Limiting Root Access" /><link rel="next" href="sect-Security_Guide-Workstation_Security-Available_Network_Services.html" title="2.2.5. Available Network Services" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /><
/a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Available_Network_Services.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.4.3.2. The sudo Command"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Limiting_Root_Access-The_sudo_Command">2.2.4.3.2. The <code class="command">sudo</code> Command</h5></div></div></div><div class="para">
The <code class="command">sudo</code> command offers another approach to giving users administrative access. When trusted users precede an administrative command with <code class="command">sudo</code>, they are prompted for <span class="emphasis"><em>their own</em></span> password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
</div><div class="para">
The basic format of the <code class="command">sudo</code> command is as follows:
</div><pre class="screen"><code class="command">sudo <em class="replaceable"><code><command></code></em></code>
</pre><div class="para">
In the above example, <em class="replaceable"><code><command></code></em> would be replaced by a command normally reserved for the root user, such as <code class="command">mount</code>.
</div><div class="important"><h2>Important</h2><div class="para">
Users of the <code class="command">sudo</code> command should take extra care to log out before walking away from their machines since sudoers can use the command again without being asked for a password within a five minute period. This setting can be altered via the configuration file, <code class="filename">/etc/sudoers</code>.
</div></div><div class="para">
The <code class="command">sudo</code> command allows for a high degree of flexibility. For instance, only users listed in the <code class="filename">/etc/sudoers</code> configuration file are allowed to use the <code class="command">sudo</code> command and the command is executed in <span class="emphasis"><em>the user's</em></span> shell, not a root shell. This means the root shell can be completely disabled, as shown in <a class="xref" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html#sect-Security_Guide-Disallowing_Root_Access-Disabling_the_Root_Shell" title="2.2.4.2.1. Disabling the Root Shell">Section 2.2.4.2.1, “Disabling the Root Shellâ€</a>.
</div><div class="para">
The <code class="command">sudo</code> command also provides a comprehensive audit trail. Each successful authentication is logged to the file <code class="filename">/var/log/messages</code> and the command issued along with the issuer's user name is logged to the file <code class="filename">/var/log/secure</code>.
</div><div class="para">
Another advantage of the <code class="command">sudo</code> command is that an administrator can allow different users access to specific commands based on their needs.
</div><div class="para">
Administrators wanting to edit the <code class="command">sudo</code> configuration file, <code class="filename">/etc/sudoers</code>, should use the <code class="command">visudo</code> command.
</div><div class="para">
To give someone full administrative privileges, type <code class="command">visudo</code> and add a line similar to the following in the user privilege specification section:
</div><pre class="screen"><code class="command">juan ALL=(ALL) ALL</code>
</pre><div class="para">
This example states that the user, <code class="computeroutput">juan</code>, can use <code class="command">sudo</code> from any host and execute any command.
</div><div class="para">
The example below illustrates the granularity possible when configuring <code class="command">sudo</code>:
</div><pre class="screen"><code class="command">%users localhost=/sbin/shutdown -h now</code>
</pre><div class="para">
This example states that any user can issue the command <code class="command">/sbin/shutdown -h now</code> as long as it is issued from the console.
</div><div class="para">
The man page for <code class="filename">sudoers</code> has a detailed listing of options for this file.
</div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Administrative_Controls-Limiting_Root_Access.html"><strong>Prev</strong>2.2.4.3. Limiting Root Access</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Available_Network_Services.html"><strong>Next</strong>2.2.5. Available Network Services</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Passphrases.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.3.2.2. Passphrases</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html" title="2.2.3.2. Creating User Passwords Within an Organization" /><link rel="prev" href="sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html" title="2.2.3.2. Creating User Passwords Within an Organization" /><link rel="next" href="sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging.html" title="2.2.3.2.3. Password Aging" /></head><body class=""><p id="title"><a class="left" href="http://
www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.3.2.2. Passphrases"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Passphrases">2.2.3.2.2. Passphrases</h5></div></div></div><div class="para">
Passphrases and passwords are the cornerstone to security in most of today's systems. Unfortunately, techniques such as biometrics and two-factor authentication have not yet become mainstream in many systems. If passwords are going to be used to secure a system, then the use of passphrases should be considered. Passphrases are longer than passwords and provide better protection than a password even when implemented with non-standard characters such as numbers and symbols.
</div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html"><strong>Prev</strong>2.2.3.2. Creating User Passwords Within an Organi...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging.html"><strong>Next</strong>2.2.3.2.3. Password Aging</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.3.2. Creating User Passwords Within an Organization</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security-Password_Security.html" title="2.2.3. Password Security" /><link rel="prev" href="sect-Security_Guide-Workstation_Security-Password_Security.html" title="2.2.3. Password Security" /><link rel="next" href="sect-Security_Guide-Passphrases.html" title="2.2.3.2.2. Passphrases" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fed
oraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-Password_Security.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Passphrases.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.3.2. Creating User Passwords Within an Organization"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization">2.2.3.2. Creating User Passwords Within an Organization</h4></div></div></div><div class="para">
If an organization has a large number of users, the system administrators have two basic options available to force the use of good passwords. They can create passwords for the user, or they can let users create their own passwords, while verifying the passwords are of acceptable quality.
</div><div class="para">
Creating the passwords for the users ensures that the passwords are good, but it becomes a daunting task as the organization grows. It also increases the risk of users writing their passwords down.
</div><div class="para">
For these reasons, most system administrators prefer to have the users create their own passwords, but actively verify that the passwords are good and, in some cases, force users to change their passwords periodically through password aging.
</div><div class="section" title="2.2.3.2.1. Forcing Strong Passwords"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Forcing_Strong_Passwords">2.2.3.2.1. Forcing Strong Passwords</h5></div></div></div><div class="para">
To protect the network from intrusion it is a good idea for system administrators to verify that the passwords used within an organization are strong ones. When users are asked to create or change passwords, they can use the command line application <code class="command">passwd</code>, which is <em class="firstterm">Pluggable Authentication Manager</em> (<em class="firstterm">PAM</em>) aware and therefore checks to see if the password is too short or otherwise easy to crack. This check is performed using the <code class="filename">pam_cracklib.so</code> PAM module. Since PAM is customizable, it is possible to add more password integrity checkers, such as <code class="filename">pam_passwdqc</code> (available from <a href="http://www.openwall.com/passwdqc/">http://www.openwall.com/passwdqc/</a>) or to write a new module. For a list of available PAM modules, refer to <a href="http://www.kernel.org/pub/linux/libs/pam/modules.html">http://www.kernel.org/pub/linux/libs/pam/mod
ules.html</a>. For more information about PAM, refer to <a class="xref" href="sect-Security_Guide-Pluggable_Authentication_Modules_PAM.html" title="2.5. Pluggable Authentication Modules (PAM)">Section 2.5, “Pluggable Authentication Modules (PAM)â€</a>.
</div><div class="para">
The password check that is performed at the time of their creation does not discover bad passwords as effectively as running a password cracking program against the passwords.
</div><div class="para">
Many password cracking programs are available that run under Fedora, although none ship with the operating system. Below is a brief list of some of the more popular password cracking programs:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="emphasis"><em><span class="application"><strong>John The Ripper</strong></span></em></span> — A fast and flexible password cracking program. It allows the use of multiple word lists and is capable of brute-force password cracking. It is available online at <a href="http://www.openwall.com/john/">http://www.openwall.com/john/</a>.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em><span class="application"><strong>Crack</strong></span></em></span> — Perhaps the most well known password cracking software, <span class="application"><strong>Crack</strong></span> is also very fast, though not as easy to use as <span class="application"><strong>John The Ripper</strong></span>. It can be found online at <a href="http://www.crypticide.com/alecm/security/crack/c50-faq.html">http://www.crypticide.com/alecm/security/crack/c50-faq.html</a>.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em><span class="application"><strong>Slurpie</strong></span></em></span> — <span class="application"><strong>Slurpie</strong></span> is similar to <span class="application"><strong>John The Ripper</strong></span> and <span class="application"><strong>Crack</strong></span>, but it is designed to run on multiple computers simultaneously, creating a distributed password cracking attack. It can be found along with a number of other distributed attack security evaluation tools online at <a href="http://www.ussrback.com/distributed.htm">http://www.ussrback.com/distributed.htm</a>.
</div></li></ul></div><div class="warning"><h2>Warning</h2><div class="para">
Always get authorization in writing before attempting to crack passwords within an organization.
</div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-Password_Security.html"><strong>Prev</strong>2.2.3. Password Security</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Passphrases.html"><strong>Next</strong>2.2.3.2.2. Passphrases</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Workstation_Security-Administrative_Controls.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.4. Administrative Controls</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security.html" title="2.2. Workstation Security" /><link rel="prev" href="sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging.html" title="2.2.3.2.3. Password Aging" /><link rel="next" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html" title="2.2.4.2. Disallowing Root Access" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="
right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.4. Administrative Controls"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-Administrative_Controls">2.2.4. Administrative Controls</h3></div></div></div><div class="para">
When administering a home machine, the user must perform some tasks as the root user or by acquiring effective root privileges via a <em class="firstterm">setuid</em> program, such as <code class="command">sudo</code> or <code class="command">su</code>. A setuid program is one that operates with the user ID (<span class="emphasis"><em>UID</em></span>) of the program's owner rather than the user operating the program. Such programs are denoted by an <code class="computeroutput">s</code> in the owner section of a long format listing, as in the following example:
</div><pre class="screen"><code class="computeroutput">-rwsr-xr-x 1 root root 47324 May 1 08:09 /bin/su</code>
</pre><div class="note"><h2>Note</h2><div class="para">
The <code class="computeroutput">s</code> may be upper case or lower case. If it appears as upper case, it means that the underlying permission bit has not been set.
</div></div><div class="para">
For the system administrators of an organization, however, choices must be made as to how much administrative access users within the organization should have to their machine. Through a PAM module called <code class="filename">pam_console.so</code>, some activities normally reserved only for the root user, such as rebooting and mounting removable media are allowed for the first user that logs in at the physical console (refer to <a class="xref" href="sect-Security_Guide-Pluggable_Authentication_Modules_PAM.html" title="2.5. Pluggable Authentication Modules (PAM)">Section 2.5, “Pluggable Authentication Modules (PAM)â€</a> for more information about the <code class="filename">pam_console.so</code> module.) However, other important system administration tasks, such as altering network settings, configuring a new mouse, or mounting network devices, are not possible without administrative privileges. As a result, system administrators must decide how much access the users
on their network should receive.
</div><div class="section" title="2.2.4.1. Allowing Root Access"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Administrative_Controls-Allowing_Root_Access">2.2.4.1. Allowing Root Access</h4></div></div></div><div class="para">
If the users within an organization are trusted and computer-literate, then allowing them root access may not be an issue. Allowing root access by users means that minor activities, like adding devices or configuring network interfaces, can be handled by the individual users, leaving system administrators free to deal with network security and other important issues.
</div><div class="para">
On the other hand, giving root access to individual users can lead to the following issues:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="emphasis"><em>Machine Misconfiguration</em></span> — Users with root access can misconfigure their machines and require assistance to resolve issues. Even worse, they might open up security holes without knowing it.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Running Insecure Services</em></span> — Users with root access might run insecure servers on their machine, such as FTP or Telnet, potentially putting usernames and passwords at risk. These services transmit this information over the network in plain text.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Running Email Attachments As Root</em></span> — Although rare, email viruses that affect Linux do exist. The only time they are a threat, however, is when they are run by the root user.
</div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Creating_User_Passwords_Within_an_Organization-Password_Aging.html"><strong>Prev</strong>2.2.3.2.3. Password Aging</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Administrative_Controls-Disallowing_Root_Access.html"><strong>Next</strong>2.2.4.2. Disallowing Root Access</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Workstation_Security-Available_Network_Services.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.5. Available Network Services</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security.html" title="2.2. Workstation Security" /><link rel="prev" href="sect-Security_Guide-Limiting_Root_Access-The_sudo_Command.html" title="2.2.4.3.2. The sudo Command" /><link rel="next" href="sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html" title="2.2.5.2. Identifying and Configuring Services" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a>
<a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Limiting_Root_Access-The_sudo_Command.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.5. Available Network Services"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-Available_Network_Services">2.2.5. Available Network Services</h3></div></div></div><div class="para">
While user access to administrative controls is an important issue for system administrators within an organization, monitoring which network services are active is of paramount importance to anyone who administers and operates a Linux system.
</div><div class="para">
Many services under Fedora behave as network servers. If a network service is running on a machine, then a server application (called a <em class="firstterm">daemon</em>), is listening for connections on one or more network ports. Each of these servers should be treated as a potential avenue of attack.
</div><div class="section" title="2.2.5.1. Risks To Services"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Available_Network_Services-Risks_To_Services">2.2.5.1. Risks To Services</h4></div></div></div><div class="para">
Network services can pose many risks for Linux systems. Below is a list of some of the primary issues:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="emphasis"><em>Denial of Service Attacks (DoS)</em></span> — By flooding a service with requests, a denial of service attack can render a system unusable as it tries to log and answer each request.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Distributed Denial of Service Attack (DDoS)</em></span> — A type of DoS attack which uses multiple compromised machines (often numbering in the thousands or more) to direct a co-ordinated attack on a service, flooding it with requests and making it unusable.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Script Vulnerability Attacks</em></span> — If a server is using scripts to execute server-side actions, as Web servers commonly do, a cracker can attack improperly written scripts. These script vulnerability attacks can lead to a buffer overflow condition or allow the attacker to alter files on the system.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Buffer Overflow Attacks</em></span> — Services that connect to ports numbered 0 through 1023 must run as an administrative user. If the application has an exploitable buffer overflow, an attacker could gain access to the system as the user running the daemon. Because exploitable buffer overflows exist, crackers use automated tools to identify systems with vulnerabilities, and once they have gained access, they use automated rootkits to maintain their access to the system.
</div></li></ul></div><div class="note"><h2>Note</h2><div class="para">
The threat of buffer overflow vulnerabilities is mitigated in Fedora by <em class="firstterm">ExecShield</em>, an executable memory segmentation and protection technology supported by x86-compatible uni- and multi-processor kernels. ExecShield reduces the risk of buffer overflow by separating virtual memory into executable and non-executable segments. Any program code that tries to execute outside of the executable segment (such as malicious code injected from a buffer overflow exploit) triggers a segmentation fault and terminates.
</div><div class="para">
Execshield also includes support for <em class="firstterm">No eXecute</em> (<acronym class="acronym">NX</acronym>) technology on AMD64 platforms and <em class="firstterm">eXecute Disable</em> (<acronym class="acronym">XD</acronym>) technology on Itanium and <span class="trademark">Intel</span>® 64 systems. These technologies work in conjunction with ExecShield to prevent malicious code from running in the executable portion of virtual memory with a granularity of 4KB of executable code, lowering the risk of attack from stealthy buffer overflow exploits.
</div></div><div class="important"><h2>Important</h2><div class="para">
To limit exposure to attacks over the network, all services that are unused should be turned off.
</div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Limiting_Root_Access-The_sudo_Command.html"><strong>Prev</strong>2.2.4.3.2. The sudo Command</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Available_Network_Services-Identifying_and_Configuring_Services.html"><strong>Next</strong>2.2.5.2. Identifying and Configuring Services</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.2. BIOS and Boot Loader Security</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security.html" title="2.2. Workstation Security" /><link rel="prev" href="sect-Security_Guide-Workstation_Security.html" title="2.2. Workstation Security" /><link rel="next" href="sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html" title="2.2.2.2. Boot Loader Passwords" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedorapr
oject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.2. BIOS and Boot Loader Security"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security">2.2.2. BIOS and Boot Loader Security</h3></div></div></div><div class="para">
Password protection for the BIOS (or BIOS equivalent) and the boot loader can prevent unauthorized users who have physical access to systems from booting using removable media or obtaining root privileges through single user mode. The security measures you should take to protect against such attacks depends both on the sensitivity of the information on the workstation and the location of the machine.
</div><div class="para">
For example, if a machine is used in a trade show and contains no sensitive information, then it may not be critical to prevent such attacks. However, if an employee's laptop with private, unencrypted SSH keys for the corporate network is left unattended at that same trade show, it could lead to a major security breach with ramifications for the entire company.
</div><div class="para">
If the workstation is located in a place where only authorized or trusted people have access, however, then securing the BIOS or the boot loader may not be necessary.
</div><div class="section" title="2.2.2.1. BIOS Passwords"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-BIOS_and_Boot_Loader_Security-BIOS_Passwords">2.2.2.1. BIOS Passwords</h4></div></div></div><div class="para">
The two primary reasons for password protecting the BIOS of a computer are<sup>[<a id="id689325" href="#ftn.id689325" class="footnote">11</a>]</sup>:
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
<span class="emphasis"><em>Preventing Changes to BIOS Settings</em></span> — If an intruder has access to the BIOS, they can set it to boot from a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive data.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Preventing System Booting</em></span> — Some BIOSes allow password protection of the boot process. When activated, an attacker is forced to enter a password before the BIOS launches the boot loader.
</div></li></ol></div><div class="para">
Because the methods for setting a BIOS password vary between computer manufacturers, consult the computer's manual for specific instructions.
</div><div class="para">
If you forget the BIOS password, it can either be reset with jumpers on the motherboard or by disconnecting the CMOS battery. For this reason, it is good practice to lock the computer case if possible. However, consult the manual for the computer or motherboard before attempting to disconnect the CMOS battery.
</div><div class="section" title="2.2.2.1.1. Securing Non-x86 Platforms"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-BIOS_Passwords-Securing_Non_x86_Platforms">2.2.2.1.1. Securing Non-x86 Platforms</h5></div></div></div><div class="para">
Other architectures use different programs to perform low-level tasks roughly equivalent to those of the BIOS on x86 systems. For instance, <span class="trademark">Intel</span>® <span class="trademark">Itanium</span>™ computers use the <em class="firstterm">Extensible Firmware Interface</em> (<em class="firstterm">EFI</em>) shell.
</div><div class="para">
For instructions on password protecting BIOS-like programs on other architectures, refer to the manufacturer's instructions.
</div></div></div><div class="footnotes"><br /><hr /><div class="footnote"><p><sup>[<a id="ftn.id689325" href="#id689325" class="para">11</a>] </sup>
Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type but not the other.
</p></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security.html"><strong>Prev</strong>2.2. Workstation Security</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html"><strong>Next</strong>2.2.2.2. Boot Loader Passwords</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Workstation_Security-Password_Security.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.3. Password Security</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security.html" title="2.2. Workstation Security" /><link rel="prev" href="sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html" title="2.2.2.2. Boot Loader Passwords" /><link rel="next" href="sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html" title="2.2.3.2. Creating User Passwords Within an Organization" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="P
roduct Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.3. Password Security"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-Password_Security">2.2.3. Password Security</h3></div></div></div><div class="para">
Passwords are the primary method that Fedora uses to verify a user's identity. This is why password security is so important for protection of the user, the workstation, and the network.
</div><div class="para">
For security purposes, the installation program configures the system to use <em class="firstterm">Message-Digest Algorithm</em> (<span class="emphasis"><em>MD5</em></span>) and shadow passwords. It is highly recommended that you do not alter these settings.
</div><div class="para">
If MD5 passwords are deselected during installation, the older <em class="firstterm">Data Encryption Standard</em> (<em class="firstterm"><acronym class="acronym">DES</acronym></em>) format is used. This format limits passwords to eight alphanumeric characters (disallowing punctuation and other special characters), and provides a modest 56-bit level of encryption.
</div><div class="para">
If shadow passwords are deselected during installation, all passwords are stored as a one-way hash in the world-readable <code class="filename">/etc/passwd</code> file, which makes the system vulnerable to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, he can copy the <code class="filename">/etc/passwd</code> file to his own machine and run any number of password cracking programs against it. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.
</div><div class="para">
Shadow passwords eliminate this type of attack by storing the password hashes in the file <code class="filename">/etc/shadow</code>, which is readable only by the root user.
</div><div class="para">
This forces a potential attacker to attempt password cracking remotely by logging into a network service on the machine, such as SSH or FTP. This sort of brute-force attack is much slower and leaves an obvious trail as hundreds of failed login attempts are written to system files. Of course, if the cracker starts an attack in the middle of the night on a system with weak passwords, the cracker may have gained access before dawn and edited the log files to cover his tracks.
</div><div class="para">
In addition to format and storage considerations is the issue of content. The single most important thing a user can do to protect his account against a password cracking attack is create a strong password.
</div><div class="section" title="2.2.3.1. Creating Strong Passwords"><div class="titlepage"><div><div><h4 class="title" id="sect-Security_Guide-Password_Security-Creating_Strong_Passwords">2.2.3.1. Creating Strong Passwords</h4></div></div></div><div class="para">
When creating a secure password, it is a good idea to follow these guidelines:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="emphasis"><em>Do Not Use Only Words or Numbers</em></span> — Never use only numbers or words in a password.
</div><div class="para">
Some insecure examples include the following:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
8675309
</div></li><li class="listitem"><div class="para">
juan
</div></li><li class="listitem"><div class="para">
hackme
</div></li></ul></div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Do Not Use Recognizable Words</em></span> — Words such as proper names, dictionary words, or even terms from television shows or novels should be avoided, even if they are bookended with numbers.
</div><div class="para">
Some insecure examples include the following:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
john1
</div></li><li class="listitem"><div class="para">
DS-9
</div></li><li class="listitem"><div class="para">
mentat123
</div></li></ul></div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Do Not Use Words in Foreign Languages</em></span> — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is not secure.
</div><div class="para">
Some insecure examples include the following:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
cheguevara
</div></li><li class="listitem"><div class="para">
bienvenido1
</div></li><li class="listitem"><div class="para">
1dumbKopf
</div></li></ul></div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Do Not Use Hacker Terminology</em></span> — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak.
</div><div class="para">
Some insecure examples include the following:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
H4X0R
</div></li><li class="listitem"><div class="para">
1337
</div></li></ul></div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Do Not Use Personal Information</em></span> — Avoid using any personal information in your passwords. If the attacker knows your identity, the task of deducing your password becomes easier. The following is a list of the types of information to avoid when creating a password:
</div><div class="para">
Some insecure examples include the following:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Your name
</div></li><li class="listitem"><div class="para">
The names of pets
</div></li><li class="listitem"><div class="para">
The names of family members
</div></li><li class="listitem"><div class="para">
Any birth dates
</div></li><li class="listitem"><div class="para">
Your phone number or zip code
</div></li></ul></div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Do Not Invert Recognizable Words</em></span> — Good password checkers always reverse common words, so inverting a bad password does not make it any more secure.
</div><div class="para">
Some insecure examples include the following:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
R0X4H
</div></li><li class="listitem"><div class="para">
nauj
</div></li><li class="listitem"><div class="para">
9-DS
</div></li></ul></div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Do Not Write Down Your Password</em></span> — Never store a password on paper. It is much safer to memorize it.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Do Not Use the Same Password For All Machines</em></span> — It is important to make separate passwords for each machine. This way if one system is compromised, all of your machines are not immediately at risk.
</div></li></ul></div><div class="para">
The following guidelines will help you to create a strong password:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="emphasis"><em>Make the Password at Least Eight Characters Long</em></span> — The longer the password, the better. If using MD5 passwords, it should be 15 characters or longer. With DES passwords, use the maximum length (eight characters).
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Mix Upper and Lower Case Letters</em></span> — Fedora is case sensitive, so mix cases to enhance the strength of the password.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Mix Letters and Numbers</em></span> — Adding numbers to passwords, especially when added to the middle (not just at the beginning or the end), can enhance password strength.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Include Non-Alphanumeric Characters</em></span> — Special characters such as &, $, and > can greatly improve the strength of a password (this is not possible if using DES passwords).
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Pick a Password You Can Remember</em></span> — The best password in the world does little good if you cannot remember it; use acronyms or other mnemonic devices to aid in memorizing passwords.
</div></li></ul></div><div class="para">
With all these rules, it may seem difficult to create a password that meets all of the criteria for good passwords while avoiding the traits of a bad one. Fortunately, there are some steps you can take to generate an easily-remembered, secure password.
</div><div class="section" title="2.2.3.1.1. Secure Password Creation Methodology"><div class="titlepage"><div><div><h5 class="title" id="sect-Security_Guide-Creating_Strong_Passwords-Secure_Password_Creation_Methodology">2.2.3.1.1. Secure Password Creation Methodology</h5></div></div></div><div class="para">
There are many methods that people use to create secure passwords. One of the more popular methods involves acronyms. For example:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Think of an easily-remembered phrase, such as:
</div><div class="para">
"over the river and through the woods, to grandmother's house we go."
</div></li><li class="listitem"><div class="para">
Next, turn it into an acronym (including the punctuation).
</div><div class="para">
<strong class="userinput"><code>otrattw,tghwg.</code></strong>
</div></li><li class="listitem"><div class="para">
Add complexity by substituting numbers and symbols for letters in the acronym. For example, substitute <strong class="userinput"><code>7</code></strong> for <strong class="userinput"><code>t</code></strong> and the at symbol (<strong class="userinput"><code>@</code></strong>) for <strong class="userinput"><code>a</code></strong>:
</div><div class="para">
<strong class="userinput"><code>o7r at 77w,7ghwg.</code></strong>
</div></li><li class="listitem"><div class="para">
Add more complexity by capitalizing at least one letter, such as <strong class="userinput"><code>H</code></strong>.
</div><div class="para">
<strong class="userinput"><code>o7r at 77w,7gHwg.</code></strong>
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Finally, do not use the example password above for any systems, ever</em></span>.
</div></li></ul></div><div class="para">
While creating secure passwords is imperative, managing them properly is also important, especially for system administrators within larger organizations. The following section details good practices for creating and managing user passwords within an organization.
</div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-BIOS_and_Boot_Loader_Security-Boot_Loader_Passwords.html"><strong>Prev</strong>2.2.2.2. Boot Loader Passwords</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Password_Security-Creating_User_Passwords_Within_an_Organization.html"><strong>Next</strong>2.2.3.2. Creating User Passwords Within an Organi...</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Workstation_Security-Personal_Firewalls.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.6. Personal Firewalls</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security.html" title="2.2. Workstation Security" /><link rel="prev" href="sect-Security_Guide-Available_Network_Services-Insecure_Services.html" title="2.2.5.3. Insecure Services" /><link rel="next" href="sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools.html" title="2.2.7. Security Enhanced Communication Tools" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class
="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Available_Network_Services-Insecure_Services.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.6. Personal Firewalls"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-Personal_Firewalls">2.2.6. Personal Firewalls</h3></div></div></div><div class="para">
After the <span class="emphasis"><em>necessary</em></span> network services are configured, it is important to implement a firewall.
</div><div class="important"><h2>Important</h2><div class="para">
You should configure the necessary services and implement a firewall <span class="emphasis"><em>before</em></span> connecting to the Internet or any other network that you do not trust.
</div></div><div class="para">
Firewalls prevent network packets from accessing the system's network interface. If a request is made to a port that is blocked by a firewall, the request is ignored. If a service is listening on one of these blocked ports, it does not receive the packets and is effectively disabled. For this reason, care should be taken when configuring a firewall to block access to ports not in use, while not blocking access to ports used by configured services.
</div><div class="para">
For most users, the best tool for configuring a simple firewall is the graphical firewall configuration tool which ships with Fedora: the <span class="application"><strong>Firewall Configuration Tool</strong></span> (<code class="command">system-config-firewall</code>). This tool creates broad <code class="command">iptables</code> rules for a general-purpose firewall using a control panel interface.
</div><div class="para">
Refer to <a class="xref" href="sect-Security_Guide-Firewalls-Basic_Firewall_Configuration.html" title="2.9.2. Basic Firewall Configuration">Section 2.9.2, “Basic Firewall Configurationâ€</a> for more information about using this application and its available options.
</div><div class="para">
For advanced users and server administrators, manually configuring a firewall with <code class="command">iptables</code> is probably a better option. Refer to <a class="xref" href="sect-Security_Guide-Firewalls.html" title="2.9. Firewalls">Section 2.9, “Firewallsâ€</a> for more information. Refer to <a class="xref" href="sect-Security_Guide-IPTables.html" title="2.10. IPTables">Section 2.10, “IPTablesâ€</a> for a comprehensive guide to the <code class="command">iptables</code> command.
</div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Available_Network_Services-Insecure_Services.html"><strong>Prev</strong>2.2.5.3. Insecure Services</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools.html"><strong>Next</strong>2.2.7. Security Enhanced Communication Tools</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2.7. Security Enhanced Communication Tools</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="sect-Security_Guide-Workstation_Security.html" title="2.2. Workstation Security" /><link rel="prev" href="sect-Security_Guide-Workstation_Security-Personal_Firewalls.html" title="2.2.6. Personal Firewalls" /><link rel="next" href="sect-Security_Guide-Server_Security.html" title="2.3. Server Security" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src
="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-Personal_Firewalls.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Server_Security.html"><strong>Next</strong></a></li></ul><div class="section" title="2.2.7. Security Enhanced Communication Tools"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-Security_Enhanced_Communication_Tools">2.2.7. Security Enhanced Communication Tools</h3></div></div></div><div class="para">
As the size and popularity of the Internet has grown, so has the threat of communication interception. Over the years, tools have been developed to encrypt communications as they are transferred over the network.
</div><div class="para">
Fedora ships with two basic tools that use high-level, public-key-cryptography-based encryption algorithms to protect information as it travels over the network.
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="emphasis"><em>OpenSSH</em></span> — A free implementation of the SSH protocol for encrypting network communication.
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Gnu Privacy Guard (GPG)</em></span> — A free implementation of the PGP (Pretty Good Privacy) encryption application for encrypting data.
</div></li></ul></div><div class="para">
OpenSSH is a safer way to access a remote machine and replaces older, unencrypted services like <code class="command">telnet</code> and <code class="command">rsh</code>. OpenSSH includes a network service called <code class="command">sshd</code> and three command line client applications:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<code class="command">ssh</code> — A secure remote console access client.
</div></li><li class="listitem"><div class="para">
<code class="command">scp</code> — A secure remote copy command.
</div></li><li class="listitem"><div class="para">
<code class="command">sftp</code> — A secure pseudo-ftp client that allows interactive file transfer sessions.
</div></li></ul></div><div class="para">
Refer to <a class="xref" href="Security_Guide-Encryption-Data_in_Motion-Secure_Shell.html" title="3.6. Secure Shell">Section 3.6, “Secure Shellâ€</a> for more information regarding OpenSSH.
</div><div class="important"><h2>Important</h2><div class="para">
Although the <code class="command">sshd</code> service is inherently secure, the service <span class="emphasis"><em>must</em></span> be kept up-to-date to prevent security threats. Refer to <a class="xref" href="sect-Security_Guide-Security_Updates.html" title="1.5. Security Updates">Section 1.5, “Security Updatesâ€</a> for more information.
</div></div><div class="para">
GPG is one way to ensure private email communication. It can be used both to email sensitive data over public networks and to protect sensitive data on hard drives.
</div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Security_Guide-Workstation_Security-Personal_Firewalls.html"><strong>Prev</strong>2.2.6. Personal Firewalls</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Server_Security.html"><strong>Next</strong>2.3. Server Security</a></li></ul></body></html>
--- NEW FILE sect-Security_Guide-Workstation_Security.html ---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2. Workstation Security</title><link rel="stylesheet" href="./Common_Content/css/default.css" type="text/css" /><meta name="generator" content="publican 0.60" /><meta name="package" content="Fedora-security-guide-12-en-US-1.0-21" /><link rel="home" href="index.html" title="security-guide" /><link rel="up" href="chap-Security_Guide-Securing_Your_Network.html" title="Chapter 2. Securing Your Network" /><link rel="prev" href="chap-Security_Guide-Securing_Your_Network.html" title="Chapter 2. Securing Your Network" /><link rel="next" href="sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html" title="2.2.2. BIOS and Boot Loader Security" /></head><body class=""><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://d
ocs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security_Guide-Securing_Your_Network.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="section" title="2.2. Workstation Security" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sect-Security_Guide-Workstation_Security">2.2. Workstation Security</h2></div></div></div><div class="para">
Securing a Linux environment begins with the workstation. Whether locking down a personal machine or securing an enterprise system, sound security policy begins with the individual computer. A computer network is only as secure as its weakest node.
</div><div class="section" title="2.2.1. Evaluating Workstation Security"><div class="titlepage"><div><div><h3 class="title" id="sect-Security_Guide-Workstation_Security-Evaluating_Workstation_Security">2.2.1. Evaluating Workstation Security</h3></div></div></div><div class="para">
When evaluating the security of a Fedora workstation, consider the following:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="emphasis"><em>BIOS and Boot Loader Security</em></span> — Can an unauthorized user physically access the machine and boot into single user or rescue mode without a password?
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Password Security</em></span> — How secure are the user account passwords on the machine?
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Administrative Controls</em></span> — Who has an account on the system and how much administrative control do they have?
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Available Network Services</em></span> — What services are listening for requests from the network and should they be running at all?
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Personal Firewalls</em></span> — What type of firewall, if any, is necessary?
</div></li><li class="listitem"><div class="para">
<span class="emphasis"><em>Security Enhanced Communication Tools</em></span> — Which tools should be used to communicate between workstations and which should be avoided?
</div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Security_Guide-Securing_Your_Network.html"><strong>Prev</strong>Chapter 2. Securing Your Network</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Security_Guide-Workstation_Security-BIOS_and_Boot_Loader_Security.html"><strong>Next</strong>2.2.2. BIOS and Boot Loader Security</a></li></ul></body></html>
More information about the Fedora-docs-commits
mailing list