Copyright
Prentice Hall PTR Open Source Technology Series
About Prentice Hall Professional Technical Reference
List of Figures
List of Tables
Foreword
Acknowledgments
About the Author

Chapter 1. Introduction
    Section 1.1. Introduction to the Second Edition
    Section 1.2. Who Should Read This Book?
    Section 1.3. How This Book Is Organized
    Section 1.4. What Are You Protecting?
    Section 1.5. Who Are Your Enemies?
    Section 1.6. What They Hope to Accomplish
    Section 1.7. Costs: Protection versus Break-Ins
    Section 1.8. Protecting Hardware
    Section 1.9. Protecting Network and Modem Access
    Section 1.10. Protecting System Access
    Section 1.11. Protecting Files
    Section 1.12. Preparing for and Detecting an Intrusion
    Section 1.13. Recovering from an Intrusion

Part I. Securing Your System

    Chapter 2. Quick Fixes for Common Problems
        Section 2.1. Understanding Linux Security
        Section 2.2. The Seven Most Deadly Sins
        Section 2.3. Passwords: A Key Point for Good Security
        Section 2.4. Advanced Password Techniques
        Section 2.5. Protecting the System from User Mistakes
        Section 2.6. Forgiveness Is Better than Permission
        Section 2.7. Dangers and Countermeasures During Initial System Setup
        Section 2.8. Limiting Unreasonable Access
        Section 2.9. Firewalls and the Corporate Moat
        Section 2.10. Turn Off Unneeded Services
        Section 2.11. High Security Requires Minimum Services
        Section 2.12. Replace These Weak Doors with Brick
        Section 2.13. New Lamps for Old
        Section 2.14. United We Fall, Divided We Stand

    Chapter 3. Quick and Easy Hacking and How to Avoid It
        Section 3.1. X Marks the Hole
        Section 3.2. Law of the Jungle: Physical Security
        Section 3.3. Physical Actions
        Section 3.4. Selected Short Subjects
        Section 3.5. Terminal Device Attacks
        Section 3.6. Disk Sniffing

    Chapter 4. Common Hacking by Subsystem
        Section 4.1. NFS, mountd, and portmap
        Section 4.2. Sendmail
        Section 4.3. Telnet
        Section 4.4. FTP
        Section 4.5. The rsh, rcp, rexec, and rlogin Services
        Section 4.6. DNS (named, a.k.a. BIND)
        Section 4.7. POP and IMAP Servers
        Section 4.8. Doing the Samba
        Section 4.9. Stop Squid from Inking Out Their Trail
        Section 4.10. The syslogd Service
        Section 4.11. The print Service (lpd)
        Section 4.12. The ident Service
        Section 4.13. INND and News
        Section 4.14. Protecting Your DNS Registration

    Chapter 5. Common Hacker Attacks
        Section 5.1. Rootkit Attacks (Script Kiddies)
        Section 5.2. Packet Spoofing Explained
        Section 5.3. SYN Flood Attack Explained
        Section 5.4. Defeating SYN Flood Attacks
        Section 5.5. Defeating TCP Sequence Spoofing
        Section 5.6. Packet Storms, Smurf Attacks, and Fraggles
        Section 5.7. Buffer Overflows or Stamping on Memory with gets()
        Section 5.8. Spoofing Techniques
        Section 5.9. Man-in-the-Middle Attack

    Chapter 6. Advanced Security Issues
        Section 6.1. Configuring Netscape for Higher Security
        Section 6.2. Stopping Access to I/O Devices
        Section 6.3. Scouting Out Apache (httpd) Problems
        Section 6.4. Special Techniques for Web Servers
        Section 6.5. One-Way Credit Card Data Path for Top Security
        Section 6.6. Hardening for Very High Security
        Section 6.7. Restricting Login Location and Times
        Section 6.8. Obscure but Deadly Problems
        Section 6.9. Defeating Login Simulators
        Section 6.10. Stopping Buffer Overflows with Libsafe

    Chapter 7. Establishing Security Policies
        Section 7.1. General Policy
        Section 7.2. Personal Use Policy
        Section 7.3. Accounts Policy
        Section 7.4. E-Mail Policy
        Section 7.5. Instant Messenger (IM) Policy
        Section 7.6. Web Server Policy
        Section 7.7. File Server and Database Policy
        Section 7.8. Firewall Policy
        Section 7.9. Desktop Policy
        Section 7.10. Laptop Policy
        Section 7.11. Disposal Policy
        Section 7.12. Network Topology Policy
        Section 7.13. Problem Reporting Policy
        Section 7.14. Ownership Policy
        Section 7.15. Policy Policy

    Chapter 8. Trusting Other Computers
        Section 8.1. Secure Systems and Insecure Systems
        Section 8.2. Trust No One: The Highest Security
        Section 8.3. Linux and UNIX Systems Within Your Control
        Section 8.4. Mainframes Within Your Control
        Section 8.5. A Window Is Worth a Thousand Cannons
        Section 8.6. Firewall Vulnerabilities
        Section 8.7. Virtual Private Networks
        Section 8.8. Viruses and Linux

    Chapter 9. Gutsy Break-Ins
        Section 9.1. Mission Impossible Techniques
        Section 9.2. Spies
        Section 9.3. Fanatics and Suicide Attacks

    Chapter 10. Case Studies
        Section 10.1. Confessions of a Berkeley System Mole
        Section 10.2. Knights of the Realm (Forensics)
        Section 10.3. Ken Thompson Cracks the Navy
        Section 10.4. The Virtual Machine Trojan
        Section 10.5. AOL's DNS Change Fiasco
        Section 10.6. I'm Innocent, I Tell Ya!
        Section 10.7. Cracking with a Laptop and a Pay Phone
        Section 10.8. Take a Few Cents off the Top
        Section 10.9. Nonprofit Organization Runs Out of Luck
        Section 10.10. Persistence with Recalcitrant SysAdmins Pays Off
        Section 10.11. .Net Shipped with Nimda

    Chapter 11. Recent Break-Ins
        Section 11.1. Fragmentation Attacks
        Section 11.2. IP Masquerading Fails for ICMP
        Section 11.3. The Ping of Death Sinks Dutch Shipping Company
        Section 11.4. Captain, We're Being Scanned! (Stealth Scans)
        Section 11.5. Cable Modems: A Cracker's Dream
        Section 11.6. Using Sendmail to Block E-Mail Attacks
        Section 11.7. Sendmail Account Guessing
        Section 11.8. The Mysterious Ingreslock
        Section 11.9. You're Being Tracked
        Section 11.10. Distributed Denial of Service (Coordinated) Attacks
        Section 11.11. Stealth Trojan Horses
        Section 11.12. Linuxconf via TCP Port 98
        Section 11.13. Evil HTML Tags and Script
        Section 11.14. Format Problems with syslog()

Part II. Preparing for an Intrusion

    Chapter 12. Hardening Your System
        Section 12.1. Protecting User Sessions with SSH
        Section 12.2. Virtual Private Networks (VPNs)
        Section 12.3. Pretty Good Privacy (PGP)
        Section 12.4. Using GPG to Encrypt Files the Easy Way
        Section 12.5. Firewalls with IP Tables and DMZ
        Section 12.6. Firewalls with IP Chains and DMZ

    Chapter 13. Preparing Your Hardware
        Section 13.1. Timing Is Everything
        Section 13.2. Advanced Preparation
        Section 13.3. Switch to Auxiliary Control (Hot Backups)

    Chapter 14. Preparing Your Configuration
        Section 14.1. TCP Wrappers
        Section 14.2. Adaptive Firewalls: Raising the Drawbridge with the Cracker Trap
        Section 14.3. Ending Cracker Servers with a Kernel Mod
        Section 14.4. Fire Drills
        Section 14.5. Break into Your Own System with Tiger Teams

    Chapter 15. Scanning Your Own System
        Section 15.1. The Nessus Security Scanner
        Section 15.2. The SARA and SAINT Security Auditors
        Section 15.3. The nmap Network Mapper
        Section 15.4. The Snort Attack Detector
        Section 15.5. Scanning and Analyzing with SHADOW
        Section 15.6. John the Ripper
        Section 15.7. Store the RPM Database Checksums

Part III. Detecting an Intrusion

    Chapter 16. Monitoring Activity
        Section 16.1. Log Files
        Section 16.2. Log Files: Measures and Countermeasures
        Section 16.3. Using Logcheck to Check Log Files You Never Check
        Section 16.4. Using PortSentry to Lock Out Hackers
        Section 16.5. HostSentry
        Section 16.6. Paging the SysAdmin: Cracking in Progress!
        Section 16.7. An Example for Automatic Paging
        Section 16.8. Building on Your Example for Automatic Paging
        Section 16.9. Paging telnet and rsh Usage
        Section 16.10. Using Arpwatch to Catch ARP and MAC Attacks
        Section 16.11. Monitoring Port Usage
        Section 16.12. Monitoring Attacks with Ethereal
        Section 16.13. Using tcpdump to Monitor Your LAN
        Section 16.14. Monitoring the Scanners with Deception Tool Kit (DTK)
        Section 16.15. Monitoring Processes
        Section 16.16. Cron: Watching the Crackers
        Section 16.17. Caller ID

    Chapter 17. Scanning Your System for Anomalies
        Section 17.1. Finding Suspicious Files
        Section 17.2. Tripwire
        Section 17.3. Detecting Deleted Executables
        Section 17.4. Detecting Promiscuous Network Interface Cards
        Section 17.5. Finding Promiscuous Processes
        Section 17.6. Detecting Defaced Web Pages Automatically

Part IV. Recovering From an Intrusion

    Chapter 18. Regaining Control of Your System
        Section 18.1. Finding the Cracker's Running Processes
        Section 18.2. Handling Running Cracker Processes
        Section 18.3. Drop the Modems, Network, Printers, and System

    Chapter 19. Finding and Repairing the Damage
        Section 19.1. Check Your /var/log Logs
        Section 19.2. The syslogd and klogd Daemons
        Section 19.3. Remote Logging
        Section 19.4. Interpreting Log File Entries
        Section 19.5. Check Other Logs
        Section 19.6. Check TCP Wrapper Responses
        Section 19.7. How the File System Can Be Damaged
        Section 19.8. Planting False Data
        Section 19.9. Altered Monitoring Programs
        Section 19.10. Stuck in the House of Mirrors
        Section 19.11. Getting Back in Control
        Section 19.12. Finding Cracker-Altered Files
        Section 19.13. Sealing the Crack
        Section 19.14. Finding set-UID Programs
        Section 19.15. Finding the mstream Trojan

    Chapter 20. Finding the Attacker's System
        Section 20.1. Tracing a Numeric IP Address with nslookup
        Section 20.2. Tracing a Numeric IP Address with dig
        Section 20.3. Who's a Commie: Finding .com Owners
        Section 20.4. Finding Entities Directly from the IP Address
        Section 20.5. Finding a G-Man: Looking Up .gov Systems
        Section 20.6. Using ping
        Section 20.7. Using traceroute
        Section 20.8. Neighboring Systems' Results
        Section 20.9. A Recent International Tracking of a Cracker
        Section 20.10. Be Sure You Found the Attacker
        Section 20.11. Other SysAdmins: Do They Care?

    Chapter 21. Having the Cracker Crack Rocks
        Section 21.1. Police: Dragnet or Keystone Kops?
        Section 21.2. Prosecution
        Section 21.3. Liability of ISPs Allowing Illegal Activity
        Section 21.4. Counteroffenses

Appendix A. Internet Resources for the Latest Intrusions and Defenses
    Section A.1. Mailing Lists: The Mandatory Ones
    Section A.2. Mailing Lists: The Optional Ones
    Section A.3. News Groups
    Section A.4. URLs for Security Sites
    Section A.5. URLs for Security Tools
    Section A.6. URLs for Documentation
    Section A.7. URLs for General Tools
    Section A.8. URLs for Specifications and Definitions
    Section A.9. Vendor Software and Updates
    Section A.10. Other Software Updates

Appendix B. Books, CD-ROMs, and Videos
    Section B.1. Linux System Security
    Section B.2. Building Linux and OpenBSD Firewalls
    Section B.3. Samba: Integrating UNIX and Windows
    Section B.4. Linux Sendmail Administration
    Section B.5. Secrets and Lies: Digital Security in a Networked World
    Section B.6. The Cuckoo's Egg
    Section B.7. Hackers
    Section B.8. UNIX Complete
    Section B.9. The Computer Contradictionary
    Section B.10. U.S. Department of Defense DISA Resources
    Section B.11. Internetworking with TCP/IP Vols. I, II, and III
    Section B.12. Linux Application Development
    Section B.13. Consultants: The Good, the Bad, and the Slick

Appendix C. Network Services and Ports

Appendix D. Danger Levels

Appendix E. About the CD-ROM
    Section E.1. The Author's GPG Public Key

Appendix F. Abbreviations