Linux Security Cookbook


packet filtering

    Linux, website for 

    stateful 

    stateless 

packet sniffers

    dsniff, for switched networks 

    enabling unconfigured network interfaces with ifconfig 

    network intrusion detection system (NIDS) 

    ngrep, using for 

    observing network traffic with 

        promiscuous mode on network interfaces 

        unconfigured interface for stealth sniffer 

    Snort, using as 

packets, refusing with DROP or REJECT 

PAM (Pluggable Authentication Modules) 

    access control lists (ACLs), creating

    controlling imapd password validation 

    creating PAM-aware application 

    enforcing password strength 

    imapd validation of passwords, controlling 

    Kerberos, using with 

    Linux Developers Guide 

    Linux-PAM, web site 

    modules 

pam_stack module 

passphrases

    backing up for GnuPG private keys 

    caching SSH private keys to avoid typing 

    forcing erasure by Mailcrypt with mc-deactivate-passwd 

    secret, for GnuPG public keys 

    SSH 

passwd file, DES-based crypt( ) hashes in 

passwd program 

passwords

    authorizing changes via sudo 

    dsniff program

        captured from FTP and Telnet sessions 

        using libnids to reassemble 

    encrypting files with 

    enforcing strength with PAM 

    interactive authentication without (ssh-agent) 

    keeping track of 

    Kerberos (kpasswd command) 

    local, authentication via (Kerberos with PAM) 

    login, testing for strength 

        CrackLib, using 

        John the Ripper, using 

    mail servers (IMAP/POP), protection by SSL 

    master password for KDC database 

        storage of 

    protection with SSH 

    root 

    sudo command

        bypassing password authentication 

        forcing authentication with 

    testing and monitoring on system 

PATH environment variable, splitting with Perl script 

pathnames

    mutation in attacks against protocols 

    in remote file copying 

paths

    search path, testing 

    to server executable (inetd.conf) 

pattern matching  [See regular expressions]

payload, observing 

PEM format (certificates) 

    converting DER format to 

per_source keyword (xinetd) 

performance, effects of promiscuous mode 

period (.), in search path 

Perl scripts

    CA.pl 

    canonical hostname for SSH client, finding 

    CrackLib, using with module 

    functions provided by system logger API 

    merging lastlog databases from several systems 

    merging log files 

    process accounting records, reading and unpacking 

    writing system log entries

permissions

    changes since last Tripwire check 

    examining carefully for security 

    inability to track with manual integrity check 

    log files 

    preventing directory listings 

    Snort logging directory 

    world-writable files and directories, finding 

PermitRootLogin (sshd_config) 

PGP (Pretty Good Privacy) 

    Evolution mailer, using with 

    integrating with MH 

    keys, using in GnuPG operations 

    setting in mutt mailer headers 

PID (process ID)

    adding to system log messages 

    looking up 

pidof command, killing all processes with given name 

Pine

    securing POP/IMAP with SSH and Pine 

    securing POP/IMAP with SSL and 

    sending/receiving encrypted email 

PinePGP 

pings

    nmap, use of TCP and ICMP pings for host discovery 

    preventing responses to 

plaintext keys 

    including in system backups, security risks of 

    using with forced command 

Pluggable Authentication Modules  [See PAM]

policies

    default, for ipchains and iptables 

    Tripwire 

        displaying 

        generating in human-readable format and adding file to 

        modifying 

        signing with site key 

POP

    capturing messages from with dsniff mailsnarf command 

    enabling POP daemon within xinetd or inetd 

    Kerberos authentication, using with 

    mail server, running with SSL 

    running mail server with SSL 

    securing email session with SSL and mutt 

    securing mail server with SSH 

    securing mail server with SSH and Pine 

    securing mail server with stunnel and SSL 

    securing with SSL and pine 

    STLS command 

    testing SSL connection to server 

port forwarding

    disabling for authorized keys 

    SSH 

    tunneling TCP session through SSH 

port numbers, conversion to service names by netstat and lsof 

port scanners, presence evidenced by SYN_RECV state 

portmappers

    displaying registrations with lsof +M 

    querying from a different machine 

ports

    assigned to RPC services 

    default, IMAP and POP over SSL 

    nonstandard, used by network protocols 

    SSL-port on mail servers 

    testing for open 

        nc command, using 

        nmap command, port scanning capabilities 

        port scans with nmap 

        TCP port, testing with telnet connection 

        TCP RST packets returned by firewalls blocking ports 

        UDP ports, problems with 

preprocessors, Snort

    alert messages produced by 

    enabling or tuning 

prerotate and postrotate scripts 

Pretty Good Privacy  [See PGP]

principals, Kerberos 

    adding another principal to your ~/.k5login file 

    adding new with ank command 

    adding to IMAP service on server host 

    database for

        records for users and hosts 

    database, creating for KDC 

    host principal, testing for new host 

    ksu authentication 

    new host, adding to KDC database 

    POP, adding to 

    setting up with admin privileges and host principal for KDC host 

priority

    levels for Snort alerts 

    for system messages 

private keys  [See cryptographic authentication]

    GnuPG, backing up 

    PGP, exporting and using in GnuPG 

process accounting 

    displaying all executed commands 

        lastcomm utility, using 

    dump-acct command 

    enabling with accton command 

process IDs

    adding to system log messages 

    looking up 

process substitution 

processes

    /proc/<pid> directories 

    killing

        with pidof command 

        with sudo command 

    listing

        all open files (and network connections) for all processes 

        all open files for specific 

        command name (lsof -c) 

        by ID (lsof -p) 

        network connections for all 

        by username (lsof -u) 

    owned by others, examination by superuser 

    that use RPC services, examining with lsof +M

    tracing 

        strace command, using 

promiscuous mode (for network interfaces) 

    enabling for specific interfaces with ifconfig 

    performance and 

    setting for Snort 

prosum (integrity checker) 

protocol tree for selected packet (Ethereal) 

protocols

    attacks on, detection by Snort preprocessors 

    insecure, detecting use of with ngrep 

    matching a filter expression, searching network traffic for 

    network, detecting insecure 

ps command, reading /proc files 

psacct RPM

pseudo-ttys 

    disabling allocation of for authorized keys 

    forcing ssh to allocate 

PubkeyAuthentication (sshd_config) 

public keys

    adding to GnuPG keyring 

    inserting into current mail buffer with mc-insert-public-key 

    keyserver, storing and retrieving with 

    listing for GnuPG 

    PGP, exporting and using in GnuPG 

public-key authentication  [See cryptographic authentication]

public-key encryption 

    decrypting files encrypted with GnuPG

    expiration for keys 

    find method, use by 

    GnuPG

        bit length of keys 

        generating key pair 

        secret passphrase for keys 

    sharing public keys 

    unique identifier for keys 
