If the optimization flags above, or the ones you have chosen for your CPU architecture, do not work for you, don't try to force them to work. I wouldn't want to make your system unstable like Microsoft Windows.

Securing the kernel

The secure Linux kernel patches from the Openwall Project are a great way to prevent attacks like stack buffer overflows, and others. The Openwall patch is a collection of security-related features for the Linux kernel, all configurable via the new 'Security options' configuration section that will be added to your new Linux kernel. This patch may change from version to version, and some versions may contain various other security fixes.

New features of patch version linux-2_2_14-ow2_tar.gz are:

- Non-executable user stack area
- Restricted links in /tmp
- Restricted FIFOs in /tmp
- Restricted /proc
- Special handling of fd 0, 1, and 2
- Enforce RLIMIT_NPROC on execve(2)
- Destroy shared memory segments not in use

NOTE: When applying the linux-2_2_14-ow2 patch, a new Security options section will be added at the end of your kernel configuration. For more information and a description of the different features available with this patch, see the README file that comes with the source code of the patch.

Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing (Linux Kernel, Chapter 5, page 89)

Applying the patch

    [root@deep /]# cp linux-2_2_14-ow2_tar.gz /usr/src/
    [root@deep /]# cd /usr/src/
    [root@deep src]# tar xzpf linux-2_2_14-ow2_tar.gz
    [root@deep src]# cd linux-2.2.14-ow2/
    [root@deep linux-2.2.14-ow2]# mv linux-2.2.14-ow2.diff /usr/src/
    [root@deep linux-2.2.14-ow2]# cd ..
    [root@deep src]# patch -p0 < linux-2.2.14-ow2.diff

Linux Masquerading and Forwarding (Chapter 8)

    echo 1 > /proc/sys/net/ipv4/ip_forward

You can add the above line to your /etc/rc.d/rc.local script file so IP forwarding is enabled automatically for you even if your server is rebooted. In Red Hat Linux 6.1 this can also be accomplished by changing the line in the /etc/sysconfig/network file from:

    FORWARD_IPV4="false"

To read:

    FORWARD_IPV4="yes"

- You must restart your network for the change to take effect:

    [root@deep /]# /etc/rc.d/init.d/network restart
    Bringing up interface lo [ OK ]
    Bringing up interface eth0 [ OK ]
    Bringing up interface eth1 [ OK ]

So you can either add the echo 1 > /proc/sys/net/ipv4/ip_forward command line to your rc.local script file, or you change the value of the line FORWARD_IPV4=false to yes in the network file to set this feature to ON. Personally I prefer the second choice.

Under Red Hat Linux 6.2

- To enable IPv4 forwarding on your RH 6.2 system, edit the /etc/sysctl.conf file and add the following line:

    # Enable packet forwarding
    net.ipv4.ip_forward = 1

You must restart your network for the change to take effect. The command to restart the network is the following:

- To restart all network devices manually on your system, use the following command:

    [root@deep /]# /etc/rc.d/init.d/network restart
    Setting network parameters [ OK ]
    Bringing up interface lo [ OK ]
    Bringing up interface eth0 [ OK ]
    Bringing up interface eth1 [ OK ]

NOTE: The IP forwarding line above is only required if you answered Yes to the kernel option IP: Masquerading (CONFIG_IP_MASQUERADE) and chose to have a server act as a Gateway and masquerade for your inside network.

If you enabled IP Masquerading, then the modules ip_masq_ftp.o (for FTP file transfers), ip_masq_irc.o (for IRC chats), ip_masq_quake.o (you guessed it), ip_masq_vdolive.o (for VDOLive video connections), ip_masq_cuseeme.o (for CU-SeeMe broadcasts) and ip_masq_raudio.o (for RealAudio downloads) will automatically be compiled. They are needed to make masquerading for these protocols work. Also, you'll need to build a modularized kernel and answer Yes to the Enable loadable module support (CONFIG_MODULES) option instead of a monolithic kernel to be able to use masquerading functions and modules like ip_masq_ftp.o on your Gateway server (see the Linux Kernel section above in this book for more information).

The basic masquerade code described for "IP: masquerading" above only handles TCP or UDP packets (and ICMP errors for existing connections). The IP: ICMP Masquerading option adds additional support for masquerading ICMP packets, such as ping or the probes used by the Windows 95 tracer program.

NOTE: Remember that other servers like the Web Server and Mail Server examples don't need to have these options enabled, since they either have a real IP address assigned or don't act as a Gateway for the inside network.

Some Points to Consider

You can safely assume that you are potentially at risk if you connect your system to the Internet. Your gateway to the Internet is your greatest exposure, so we recommend the following:

- The gateway should not run any more applications than are absolutely necessary.
- The gateway should strictly limit the type and number of protocols allowed to flow through it (protocols such as FTP and telnet potentially provide security holes).
- Any system containing confidential or sensitive information should not be directly accessible from the Internet.

Configuration of the /etc/rc.d/init.d/firewall script file for the Gateway Server

This is the configuration script file for our Gateway Server. This configuration allows unlimited traffic on the Loopback interface, ICMP, DNS Server and Client (53), SSH Server and Client (22), HTTP Server and Client (80), HTTPS Server and Client (443), POP Client (110), NNTP NEWS Client (119), SMTP Server and Client (25), IMAP Server (143), IRC Client (6667), ICQ Client (4000), FTP Client (20, 21), RealAudio / QuickTime Client, and OUTGOING TRACEROUTE requests by default.

If you don't want some of the services listed in the firewall rules file for the Gateway Server that I make ON by default, comment them out with a "#" at the beginning of the line. If you want some other services that I commented out with a "#", then remove the "#" at the beginning of their lines. If you have configured Masquerading on your server, don't forget to uncomment the modules necessary to masquerade the respective services that you need, like ip_masq_irc.o, ip_masq_raudio.o, etc., under the MODULES MASQUERADING section of the firewall script file.

Create the firewall script file (touch /etc/rc.d/init
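The forwarding settings covered in the Masquerading and Forwarding section above (the /proc/sys/net/ipv4/ip_forward switch, FORWARD_IPV4 in /etc/sysconfig/network on Red Hat 6.1, net.ipv4.ip_forward in /etc/sysctl.conf on 6.2) together with the note that only the masquerading Gateway should forward, and the Web and Mail servers should not, lend themselves to a quick configuration audit. The POSIX shell script below is an added example, not part of the book or of any Red Hat tool. It reads both file formats the way the tools that consume them do (comment and blank lines ignored, the last assignment wins), normalises the Red Hat yes/false spelling to 1/0, compares the configured value with the host's role, and shows the running kernel's value when /proc is available. The sample configuration files are constructed inside the script; the host names and values in them are made up.

```shell
#!/bin/sh
# Added example (not from the book): audit IPv4 forwarding configuration
# against the host's role. Forwarding belongs ON only on the masquerading
# Gateway and OFF on single-homed servers such as the Web and Mail hosts.

# Effective value of a key in a sysctl.conf-style file: '#' or ';' comment
# lines and blank lines are skipped, whitespace around '=' is allowed and,
# as with sysctl -p, the last assignment in the file wins.
sysctl_value() {  # $1 = file, $2 = key (e.g. net.ipv4.ip_forward)
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[2])
            if (kv[1] == key) val = kv[2]
        }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# Red Hat 6.1 style: FORWARD_IPV4="yes" or FORWARD_IPV4="false" in
# /etc/sysconfig/network. The file is sourced as shell, so the last
# assignment wins; the result is normalised to 1/0 for comparison.
sysconfig_forward() {  # $1 = file
    raw=$(sed -n 's/^[[:space:]]*FORWARD_IPV4=//p' "$1" | tail -n 1 \
          | tr -d "\"'" | tr 'A-Z' 'a-z')
    case "$raw" in
        yes|true|1) echo 1 ;;
        no|false|0) echo 0 ;;
        "")         echo unset ;;
        *)          echo "invalid:$raw" ;;
    esac
}

# Policy check: a gateway must forward (1); any other role must not (0).
# Prints a verdict and returns 0 only when the value matches the role.
check_role() {  # $1 = role (gateway|server), $2 = configured value
    case "$1" in
        gateway) want=1 ;;
        *)       want=0 ;;
    esac
    if [ "$2" = "$want" ]; then
        echo "OK: role=$1 ip_forward=$2"
        return 0
    fi
    echo "MISMATCH: role=$1 ip_forward=$2 (expected $want)"
    return 1
}

# --- constructed sample configuration files (not taken from real hosts) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/sysctl.conf" <<'EOF'
# Enable packet forwarding
net.ipv4.ip_forward = 0
# a later line overrides the earlier one; this is what sysctl -p applies
net.ipv4.ip_forward = 1
EOF

cat > "$tmp/network" <<'EOF'
NETWORKING=yes
HOSTNAME=deep
FORWARD_IPV4="false"
EOF

gw_value=$(sysctl_value "$tmp/sysctl.conf" net.ipv4.ip_forward)   # 1
srv_value=$(sysconfig_forward "$tmp/network")                      # 0

check_role gateway "$gw_value"
check_role server  "$srv_value"

# Running kernel state, when this is executed on a Linux host: the same
# file the book's "echo 1 > /proc/sys/net/ipv4/ip_forward" writes to.
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    echo "runtime ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
fi
```

Point sysctl_value or sysconfig_forward at the real /etc/sysctl.conf or /etc/sysconfig/network of a host and pass the intended role to check_role; a MISMATCH on a Web or Mail server means it has been left forwarding packets it has no business forwarding, while a MISMATCH on the Gateway explains why masquerading does not work after a reboot.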