Linux Security Cookbook

daemons

    IMAP, within xinetd 

    imapd  [See imapd]

    inetd  [See inetd]

    Kerberized Telnet daemon, enabling 

    mail, receiving mail without running 

    POP, enabling within xinetd or inetd 

    sendmail, security risks with visibility of 

    Snort, running as 

    sshd  [See sshd]

    starting/stopping via sudo 

    tcpd

        using with inetd 

        using with xinetd 

    Telnet, disabling standard 

    xinetd  [See xinetd]

dangling network connections, avoiding 

date command 

DATE environment variable 

datestamps, handling by logwatch 

Debian Linux, debsums tool 

debugging

    debug facility, system messages 

    Kerberized authentication on Telnet 

    Kerberos authentication on POP 

    Kerberos for SSH 

    PAM modules 

    SSL connection problems from server-side 

dedicated server, protecting with firewall 

denial-of-service (DOS) attacks

    preventing 

    Snort detection of 

    vulnerability to using REJECT 

DENY

    absorbing incoming packets (ipchains) with no response 

    pings, preventing 

    REJECT vs. (firewalls) 

DER (binary format for certificates) 

    converting to PEM 

DES-based crypt( ) hashes in passwd file 

destination name for remote file copying 

detached digital signature (GnuPG) 

devfs 

device special files

    inability to verify with manual integrity check 

    securing 

DHCP, initialization scripts 

dictionary attacks against terminals 

diff command, using for integrity checks 

DIGEST-MD5 authentication (SMTP) 

digital signatures 

    ASCII-format detached signature, creating in GnuPG 

    binary-format detached signature (GnuPG), creating 

    email messages, verifying with mc-verify function 

    encrypted email messages, checking with mc-verify 

    GnuPG-signed file, checking for alteration 

    signing a text file with GnuPG 

    signing and encrypting files 

    signing email messages with mc-sign function 

    uploading new to keyserver 

    verifying for keys imported from keyserver 

    verifying on downloaded software 

    for X.509 certificates 

directories

    encrypting entire directory tree 

    fully-qualified name 

    inability to verify with manual integrity check 

    marking files for inclusion or exclusion from Tripwire database 

    recurse=n attribute (Tripwire) 

    recursive remote copying with scp 

    restricting a service to a particular directory 

    setgid bit 

    shared, securing 

    skipping with find -prune command 

    specifying another directory for remote file copying 

    sticky bit set on 

disallowed connections  [See hosts.deny file]

DISPLAY environment variable (X windows)

display filter expressions

    using with Ethereal 

    using with tcpdump 

display-filters for email (PinePGP) 

Distinguished Encoding Rules  [See DER]

DNS

    Common Name for certificate subjects 

    using domain name in Kerberos realm name 

dormant accounts 

    monitoring login activity 

DOS  [See denial-of-service attacks]

DROP

    pings, preventing 

    REJECT and, refusing packets (iptables) 

    specifying targets for iptables 

dsniff program 

    -m option (matching protocols used on nonstandard ports) 

    Berkeley database library, requirement of 

    downloading and installing 

    filesnarf command 

    insecure network protocols

        auditing use of 

        detecting 

    libnet, downloading and compiling 

    libnids

        downloading and installing 

        reassembling TCP streams with 

    libpcap snapshot, adjusting size of 

    mailsnarf command 

    urlsnarf command 

dual-ported disk array 

dump-acct command 
