Archive for December, 2007

One way to close software holes is to

Sunday, December 9th, 2007

One way to close software holes is to remove all programs you don't need. You can always add them later, if necessary. How exactly you do this task depends on the package-management scheme your distribution runs:

- Fedora: You can use yum at the command line or gyum's Remove tab (see Chapter 12).
- Knoppix: You run it off CD, so it's hard to remove anything!
- Linspire: Open the Click-N-Run client (Chapter 12), click the My Products tab, select the program you want to remove from the list, and then click Uninstall Selected.
- Mandrake: From the main menu, choose System⇒Configuration⇒Packaging⇒Remove Software. In the dialog box, check the boxes for the programs you want to remove. When you're ready to proceed, click Remove.
- SuSE: Choose System⇒YaST⇒Software⇒Install And Remove Software. Locate the program you want to remove (see Chapter 12). Installed software has a checkmark next to it. Click the mark until it becomes a trashcan and then click Accept.
- Xandros: Open the Xandros Networks client as discussed in Chapter 12. Choose Installed Applications, browse to the program you want to remove, and click the Remove link.

If it turns out that, as a result of dependencies, you would lose other software that you want to keep, make sure to cancel the removal.

Introducing SELinux

SELinux, or Security-Enhanced Linux (www.nsa.gov/selinux/index.cfm), was developed by the National Security Agency (NSA) in the United States to add a new level of security (mandatory access control enforced by the kernel) on top of what's already available in Linux. To use SELinux in your distribution:

- Fedora: Open the firewall control tool (see the section "Controlling and adjusting your firewall," earlier in this chapter) and click the SELinux tab. If you want to just see what SELinux would do, check the Enabled check box (if it isn't already checked); this is permissive mode, in which policy violations are logged but not blocked. If you want to enforce the policies you've created, also check the Enforcing Current check box. To completely deactivate it (which will probably speed up your boot time), make sure that both boxes are unchecked.

My best advice for playing with this advanced feature is to go and read the site mentioned at the beginning of this section and then the Fedora-specific FAQ at http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/.

- Knoppix: Not available.

Part III: Getting Up to Speed with Linux

Connecting to your Linux box from another Linux

Saturday, December 8th, 2007

Connecting to your Linux box from another Linux box with SSH

Yes, you can connect from another Linux box, too. This task is a bit less complicated. Open a terminal window (see Chapter 14) and follow these steps:

1. Type ssh username@ipaddress to open the connection. For example, type ssh dee@192.168.1.6. After you do this step, the following text appears:

The authenticity of host '192.168.1.6 (192.168.1.6)' can't be established.
RSA key fingerprint is ed:68:0f:e3:78:56:c9:b3:d6:6e:25:86:77:52:a7:66.
Are you sure you want to continue connecting (yes/no)?

2. Compare the fingerprint shown with one you obtained from the machine itself (for example, by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub at its console) and, only if they match, type yes and press Enter. Saying yes to a fingerprint you haven't checked means you may be handing your password to an impostor sitting between you and the real machine. You now see these lines:

Warning: Permanently added '192.168.1.6' (RSA) to the list of known hosts.
dee@192.168.1.6's password:

3. Enter your login password and press Enter.

Now you're in! Close the connection by logging out of the account (type logout).

Connecting to your Linux box from a Macintosh running OS X with SSH

The process from a Macintosh is similar to that under Linux. Go to Applications⇒Utilities⇒Terminal.app, which opens a command line window for you. Then type ssh IPaddress to access the same user account on the remote machine, or type ssh login@IPaddress if you want to access the account login instead of the same account you're using on the Mac.

Software holes

When someone is already in your system (whether or not they're allowed to be there), you have additional security concerns to keep in mind. One of these involves what software you have on the machine. Believe it or not, each piece of software is a potential security hole. If someone can get a program to crash in just the right way, they can get greater access to your system than they should. That's a very bad thing!

Chapter 13: A Secure Linux Box Is a Happy Linux Box
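The fingerprint prompt in step 1 is the only chance the SSH client gives you to catch someone impersonating the server, so it helps to see exactly what is being compared. The script below is an added example, not from the book: it parses a known_hosts entry of the kind the "Permanently added" warning creates, checks that the key type embedded in the base64 blob matches the declared one, computes both the colon-separated MD5 fingerprint that the prompt above prints and the SHA256 form that newer OpenSSH prints, and compares a displayed fingerprint against a trusted one in constant time. The key material (DEMO_E, DEMO_N) is a constructed, deliberately tiny dummy modulus used only to produce a syntactically valid ssh-rsa blob; it is not a real key and its fingerprint means nothing outside this demo.

```python
import base64
import hashlib
import hmac
import struct

# Constructed dummy key: far too small to be a real RSA key, present only so
# the code has a well-formed ssh-rsa blob to fingerprint.
DEMO_E = 65537
DEMO_N = 0xC3D8F2A1B7E94D6F5C0A8B3E2D1F7A9C4B6E8D0F1A2B3C4D5E6F708192A3B4C5


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian two's complement, with a leading zero if the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """The public-key blob that ssh-keygen -l fingerprints: type string, e, n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


# Constructed known_hosts line for the host in the text, built from the dummy key.
KNOWN_HOSTS_LINE = "192.168.1.6 ssh-rsa " + base64.b64encode(build_rsa_blob(DEMO_E, DEMO_N)).decode()


def parse_known_hosts_line(line: str):
    """Return (hosts, keytype, blob) for one known_hosts entry.

    A leading @cert-authority / @revoked marker is skipped; hashed hostnames
    (|1|...) are returned as-is, since resolving them is not needed to fingerprint.
    """
    fields = line.split()
    if fields and fields[0].startswith("@"):
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob carries its own type string; it must agree with the declared type.
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode()
    if embedded != keytype:
        raise ValueError(f"key type mismatch: declared {keytype}, blob says {embedded}")
    return hosts.split(","), keytype, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated hex form, as in the OpenSSH prompt quoted in the text."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Modern form: 'SHA256:' plus the unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(shown: str, trusted: str) -> bool:
    """Compare the fingerprint the client displayed with one obtained out of band.

    Case and surrounding whitespace are ignored; the comparison is constant-time.
    """
    a = shown.strip().lower().encode()
    b = trusted.strip().lower().encode()
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    hosts, keytype, blob = parse_known_hosts_line(KNOWN_HOSTS_LINE)
    print("hosts:", ",".join(hosts), "type:", keytype)
    print("MD5:   ", md5_fingerprint(blob))
    print("SHA256:", sha256_fingerprint(blob))
```

To use it on a real entry, paste one line of ~/.ssh/known_hosts in place of KNOWN_HOSTS_LINE and compare the output with what ssh-keygen -l -f reports on the server's console; only the trusted value is worth typing yes to.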

2. Click Add to open a new profile. 3. Enter

Saturday, December 8th, 2007

2. Click Add to open a new profile.
3. Enter the name for this profile in the Profile Name text box.
4. Enter your Linux box's IP address in the Host text box.
5. Enter your Linux login name in the Username text box. You cannot use the root account here. Doing so is terribly bad for security.
6. Enter your Linux login password in the Password text box.
7. Click Connect to make the connection to your Linux machine. The Host Key Not Found dialog box opens the first time you connect this way. Check the key it shows you against the machine's real host key, just as you would with the Linux client, then click Connect and save the host key. You don't have to do this step again from this Windows machine. Check out Figure 13-5 to see a Linux command-line interface window on a Windows box! (I'm not sure why this default font is so "freehand"; you can change it for all your sessions by choosing Format⇒Change Font, or per Connection Profile in the Preferences menu by selecting the profile and clicking the Appearance tab.)

When you're finished, type logout at the command line, and your connection closes.

Figure 13-5: Your Linux command line in Windows!

9. Click Finish. The PenguiNet window appears (if you

Friday, December 7th, 2007

9. Click Finish. The PenguiNet window appears (if you checked Run PenguiNet), as shown in Figure 13-3.

Setting up and making your SSH connection in Windows

Either you have PenguiNet open from having installed it, or you need to open it now from your desktop shortcut or the Start menu. After you have done so, follow these steps:

1. Choose Session⇒Connection Profiles. The Connection Profiles dialog box opens, as shown in Figure 13-4.

Figure 13-4: The PenguiNet Connection Profiles dialog box.
Figure 13-3: The PenguiNet connection program in Windows.

5. In Start Mode, select System Startup. 6. Click OK.

Thursday, December 6th, 2007

5. In Start Mode, select System Startup.
6. Click OK.
7. If, in the Status column, the ssh row doesn't say Running, click Start to start the server.
8. Choose File⇒Quit.

Installing a Windows SSH program

If you want to connect to your SSH-enabled Linux box (or, actually, to any computer set up to accept SSH connections, not just a Linux one) from a Windows computer, go to www.siliconcircus.com/penguinet/ and get the PenguiNet telnet and SSH client for Windows (please don't use this for telnet, just SSH). A 30-day trial version is available, and if you like it, the full version is only around $25.

To install PenguiNet under Windows after downloading PN2setup.exe, just follow these steps:

1. Open your file manager (such as Windows Explorer), browse to where you saved the download, and double-click the PN2setup.exe program. This action opens the PenguiNet Setup Wizard.
2. Click Next to proceed. The License Agreement dialog box opens.
3. After you read the agreement (something you should always do), click I Accept This Agreement and then click Next to proceed. The Select Destination Directory dialog box opens. I usually just stick with the defaults.
4. After you select the directory in which to install PenguiNet, click Next. The Select Start Menu Folder dialog box appears.
5. After you select the proper folder, click Next. The Select Additional Tasks dialog box appears. If you want to create a desktop icon or Quick Launch button, select the appropriate check boxes.
6. After you have chosen your additional tasks, click Next. The Ready To Install dialog box appears.
7. Click Install to begin your PenguiNet installation. An installation progress dialog box appears. When the installation is finished, the final installation screen appears.
8. Select one or both of the final items. I recommend that you check at least Run PenguiNet. You may also want to select View The PenguiNet Documentation if you like to get familiar with programs by reading their manuals.

FTP and FTPS: FTP server stuff; you don't need

Thursday, December 6th, 2007

- FTP and FTPS: FTP server stuff; you don't need it if you're not running an FTP server.
- SSH: Select this one to keep open. I explain it in the next section.

Additional security products from Linspire include (in their Click And Run Warehouse under Services) SurfSafe parental controls and VirusSafe antivirus software.

The Secure Shell game (SSH)

One cool thing about Linux is that you can use the command line to connect to your account from anywhere, as long as you have the right software (and the machine you're connecting to isn't behind some kind of blocking software). Some people tell you to use the telnet program to do this, but I beg you not to. Do not open the Telnet port in the security tool and do not use the telnet program. It sends information across the Internet (your login name and password included) in nice, raw text that anyone along the path can snoop through. SSH encrypts the whole session and, through the server's host key, lets you check that you're talking to the machine you think you are.

First, you need to make sure that you enable SSH in your firewall. (See the section "Controlling and adjusting your firewall," earlier in this chapter.) In Linspire, you need to add the program to connect out from your machine using SSH:

1. Open the CNR Warehouse (see Chapter 12).
2. Choose Install CNR Warehouse⇒Utilities⇒Security & Encryption⇒Secure Shell.

In some other distributions, you need to do the following to let people ssh into the machine (the distributions not mentioned here are set up to do so by default):

- Knoppix: From the main menu, choose KNOPPIX⇒Services⇒Start SSH Server.
- Mandrake: Use the software installer (see Chapter 12) to add the openssh-server program. Then, use the services control interface (see the section "Controlling your services," earlier in this chapter) to activate sshd.
- Xandros: Do the following:
1. Choose Control Center⇒Services.
2. Click the Administrator button and enter your root (administrator) password.
3. Select ssh in the list.
4. Click Properties.

Mandrake: From the main menu, choose System⇒Configuration⇒Configure Your

Wednesday, December 5th, 2007

- Mandrake: From the main menu, choose System⇒Configuration⇒Configure Your Computer⇒Security⇒Firewall. Uncheck the first box, and when asked if you want to install Shorewall, say yes.
- SuSE: From the main menu, choose System⇒YaST⇒Security and Users⇒Firewall.
- Xandros: Go to the Xandros Networks tool (see Chapter 12) and choose New Applications⇒System⇒Administrator Tools⇒Firestarter. This tool helps you set up your firewall and is installed under Launch⇒Applications⇒System⇒Administrator Tools⇒Firestarter.

Your options are typically something like Enable Firewall and Disable Firewall. If your computer is directly connected to the Internet (and most computers are), make sure to use Enable Firewall. The only time that you should not have this firewall in place is when your machine(s) are behind a strong firewall already, or you have a critical application that won't work otherwise. For just one application, though, that's one huge risk! You can find out how to open up the proper doors in the firewall for that one program instead.

Firewall lingo you may find handy includes:

- eth0: Your first Ethernet (network) card.
- ppp0: Your first modem.
- HTTP and HTTPS: Web stuff; only needed if you're running a Web server.

Figure 13-2: The Fedora firewall control dialog box.

pcmcia: You only need this on laptops. It's for

Tuesday, December 4th, 2007

- pcmcia: You only need this on laptops. It's for PCMCIA card support.
- sendmail: Even though you're probably not in need of a full-fledged mail server, shutting this service off can have unintended consequences, since it's used to handle even internal mail on your system. Leave it on. (Fedora's default configuration binds it to the loopback address only, so it doesn't accept mail from the network.)
- smartd: If you're getting errors for this one at boot time, shut it off. It only works with certain IDE hard drives, so if you're not using that type of drive, it gives a (harmless) error.
- spamassassin: If you want to use this program in conjunction with your mail program, go for it! This program is used by default with Evolution in Fedora (see Chapter 9), so if you're using this combination of tools, leave this service on.
- yum: On Fedora, lets you run a nightly automatic update for those whose machines are connected overnight.

In Fedora, when you check or uncheck a service, you make sure that it does or doesn't turn on when you reboot. You need to use the Start and Stop buttons to deal with it immediately. Use the bottom right part of the dialog to see whether Fedora is running it right now.

Controlling and adjusting your firewall

Even better (but just as essential) than turning off unnecessary services is to make sure that you have a firewall in place. A firewall is like putting a big bunker around your house. It would then have openings that only fit people wanting to do certain kinds of things. Friends could fit in through one door, family another, and package deliveries through another.

In computer networks, each of the services discussed earlier always comes in through the same door (port, in computer-world lingo). You use firewalls to prevent anyone from being able to so much as touch a door, or port, unless you've explicitly set it up so that they can do so. This technique is especially important if you're on a cable network (see Chapter 8), where there's always some overactive jerk out there using his computer to knock on every other computer on the network's doors to see where it can get in.

You probably already did some basic firewall setup during installation. If you ever want to make changes, do the following:

- Fedora: Choose Applications⇒System Settings⇒Security Level (see Figure 13-2).
- Knoppix: None. But, then, what could they change on a system running from CD-ROM? Not much.
- Linspire: From the main menu, choose Programs⇒Utilities⇒CNR More⇒Firestarter. This tool helps you set up your firewall and is installed under the Utilities menu.

Services you may be interested in turning on

Monday, December 3rd, 2007

Services you may be interested in turning on or off include:

- apmd: This service may not be necessary in anything but a laptop. It's used for monitoring battery power.
- iptables: This service is your firewall (more on the firewall in the section "Controlling and adjusting your firewall," later in this chapter). If you need to momentarily shut it down, you can do so using the service control dialog box.
- isdn: This daemon is typically on by default in some distributions just in case, but if you're not using ISDN networking (see Chapter 8), you don't need it.
- kudzu: If you're using Fedora and keep getting bugged about hardware stuff at boot time, shutting off this service will stop those messages. You can run it manually as root if you change hardware later.
- lisa: Discussed earlier in Chapter 11 in conjunction with network browsing in certain distributions.
- mDNSresponder: Shut this service off unless you're a Howl (www.porchdogsoft.com/products/howl) devotee. The nifd service should also be on or off (matching) with this one, since it's related.
- mdmonitor: Shut this service off unless you implemented software RAID during your installation. (You had to go out of your way to do so, so if you don't know, you probably didn't!) If you change this service to on or off, make sure that mdmpd is also on or off (matching) as well.

Figure 13-1: The Fedora Service Configuration dialog box.

whether you can trust a particular Web site,

Monday, December 3rd, 2007

whether you can trust a particular Web site, do some research and perhaps ask others for their opinions.

Chapter 12 details how to keep your distribution and its software up to date. Please, please, please, do so! After all, as the person in charge, your job is to make sure that this computer stays intruder-free. In addition to making sure that you do all the same things a user would do for both your user accounts and the superuser (root) account, no matter which Linux distribution you're running, you must keep up-to-date with security problems.

Network holes

On a Linux server or workstation (or any computer at all, using any operating system) you should not have any network services running that you don't intend to use. Think of each network program running as a glass window or sliding glass door in your house. Each network service is a weak spot, and many nasty folks are out there on the Internet who like to go up to all the houses and make note of how many windows and glass doors are on them, what kinds they are, and how easy they are to breach.

Controlling your services

The more flexible your distribution (as far as its ability to run desktops and many types of servers), the more services it may have running in the background by default. To open the network service management program for your distribution:

- Fedora: Choose Applications⇒System Settings⇒Server Settings⇒Services (see Figure 13-1).
- Knoppix: From the main menu, choose KNOPPIX⇒Services. There is no central service control unit, but because this distribution is designed as a desktop, few services are available. This menu contains each service you have access to.
- Linspire: There is no central service configuration point, but this distribution is designed to be purely desktop, so there is little to do here anyway.
- Mandrake: From the main menu, choose System⇒Configuration⇒Configure Your Computer⇒System⇒Services.
- SuSE: From the main menu, choose System⇒YaST⇒Network Services. There is no central service control unit, but in this section, you can select each service individually to see whether it's on and find out more about it. If you're asked to install software when selecting a service, say no if you don't intend to use it! Clicking Cancel does the trick.
- Xandros: Choose Launch⇒Control Center⇒System Administration⇒Services. There are few services here to deal with, however, because this system is designed strictly as a desktop.
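The "network holes" point above, and the firewall section's advice to open only the doors you actually need, come down to one check: what is listening, on which address, and whether each listener is one you meant to expose. The following Python script is an added example (not from the book): it parses constructed netstat -tln style output for the box in the text, flags ports reachable from the network that are not on your allow-list, and emits a minimal default-deny iptables ruleset for eth0 that opens only the intended ports. The sample listener table and the port-to-service names are assumptions for illustration; the ruleset uses the iptables state match of the era rather than the newer conntrack syntax.

```python
import sys

# Constructed sample of what `netstat -tln` might print on the Fedora box in
# the text: sshd reachable, sendmail bound to loopback only, portmap and CUPS
# left on by default.
SAMPLE_LISTENERS = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""

# Assumed port-to-service names covering the chapter's firewall lingo.
WELL_KNOWN = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP (sendmail)",
    80: "HTTP", 111: "portmap", 443: "HTTPS", 631: "CUPS", 990: "FTPS",
}


def parse_listeners(text):
    """Return (proto, address, port) for each listening socket in netstat-style output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and column-header lines
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # UDP rows have no State column; TCP rows must be LISTEN
        addr, port = local.rsplit(":", 1)  # works for "0.0.0.0:22" and ":::22"
        listeners.append((proto, addr, int(port)))
    return listeners


def is_loopback(addr):
    """A socket bound only to loopback is not reachable from the network."""
    return addr.startswith("127.") or addr == "::1"


def exposed_ports(listeners):
    """Ports bound to a wildcard or interface address, i.e. reachable remotely."""
    return {port for _, addr, port in listeners if not is_loopback(addr)}


def audit(listeners, intended):
    """Reachable ports you did not intend to expose, each with a service name."""
    unexpected = exposed_ports(listeners) - set(intended)
    return sorted((p, WELL_KNOWN.get(p, "unknown")) for p in unexpected)


def iptables_rules(intended, iface="eth0"):
    """Minimal stateful INPUT chain: loopback and replies allowed, the intended
    TCP ports opened on `iface`, everything else dropped.

    The DROP policy is emitted last so the rules can be applied in order from a
    console without cutting off an existing session halfway through.
    """
    if 23 in intended:
        raise ValueError("refusing to open Telnet (port 23): it sends passwords in the clear; use SSH")
    rules = [
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(intended):
        rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {port} -m state --state NEW -j ACCEPT")
    rules.append("iptables -P INPUT DROP")
    return rules


if __name__ == "__main__":
    # Pipe real `netstat -tln` output in, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTENERS
    listeners = parse_listeners(text)
    intended = {22}  # the one door this chapter tells you to keep open
    for port, name in audit(listeners, intended):
        print(f"unexpected listener: port {port} ({name}); turn the service off or keep it firewalled")
    print("\n".join(iptables_rules(intended)))
```

On the sample input the audit reports portmap (111) and CUPS (631) as reachable but unintended, while sendmail on 127.0.0.1:25 passes, which is exactly why the text says to leave it running. Apply the generated rules from the console (or through iptables-restore), not over the SSH session you are about to firewall, and save them with your distribution's iptables service so they survive a reboot.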