This page mixes mostly "network security" with other security topics. This seems unavoidable,
but it shares an undesirable feature of most security discussions: one cannot easily ignore the
network security topics when using a non-networked computer (one with only port-driven terminals).
Also see "ssh" in Shells.
Also see some related topics in IP - Internet Protocol.
Also see "firewalls" in Networking.
Introductory stuff:
General Subject:
-
Books and Book Reviews:
-
Conferences
-
News, Magazines, Alerts, Exploits, etc:
-
Reading material:
-
Sites:
-
Tools, misc:
-
Other lists:
-
AMaViS - A Mail Virus Scanner  For viruses in email to be read on a M$OS.
-
CyberSoft Inc.  $; Anti-virus SW, including CyberSoft VFind Security ToolKit (VSTK).
-
FreeS/WAN  "privacy through encrypted Internet communications"; IPSEC-based. "FreeS/WAN
negotiates strong keys using Diffie-Hellman key agreement with 1024-bit keys, and encrypts each
packet with 168-bit Triple-DES (3DES). A modern $500 PC can set up a tunnel in less than a
second, and can encrypt 6 megabits of packets per second, easily handling the whole available
bandwidth at the vast majority of Internet sites."
-
H+B EDV AntiVir/X  $; Free for some. Mostly (only?) for protecting M$OS files.
-
hand  "Hand provides a secure execution environment for all types of Unix
applications including utilities, system services and graphical programs."
-
IsinGlass "IsinGlass is a firewall setup script designed to protect dial-up users (but also useful for
others). It protects your system against security holes in programs the user may not even know they're
running. Most users can run it "out of the box" without any configuration required. It will automatically detect
network interfaces and IP addresses."
-
KasperskyLab AntiViral Toolkit Pro (AVP) for Linux [Intel] 
-
McAfee ($; security SW)
-
NAI Netshield (uvscan) for Unix  $
-
slocate (FTP dir)  A "locate" command that respects permission bits.
-
Sophos Sweep for Linux [Intel/Alpha]  $ Free for some.
-
StackGuard  Version of gcc which protects programs against stack overflow attacks;
with a protected Linux distro.
-
tcpserve  A replacement for inetd for better security. Allows limiting the *_number_*
of concurrent processes forked out of the inet facilities, as opposed to the *_rate_* of forked
processes. Also, optionally, allows logging by port, with access control via a fast database, by IP and user.
-
Titan  "collection of programs, each of which either fixes or tightens one or
more potential security problems with a particular aspect in the setup or configuration
of a Unix system." Mostly Bourne scripts; some C.
-
Trinux "A Linux Security Toolkit" (2-floppy Linux-in-RAM with many networking & security tools)
-
Wipe "for securely erasing files from magnetic media" (overwrites with various patterns)
-
xinetd - A more secure version of inetd. ??
-
Misc:
Security, specific topics:
-
Auditing of a site's or computer's security:
-
Authentication:
-
Ask Slashdot: Cryptography and Digital Signatures
-
PAM (Pluggable Authentication Modules):
-
PAM Home Page
-
pam_smb "a PAM module which allows authentication of UNIX users using an NT server"
-
PAM commands & files:
-
userhelper: Non-interactive program to change user info as in /etc/passwd.
-
userpasswd: GUI program to change password.
-
userinfo: GUI version of "chfn".
-
/etc/pam.conf or /etc/pam.d:
-
Passwords:
-
LILO passwords: Adding the lines "password=your_password" and "restricted" to your
lilo config file (usually /etc/lilo.conf) and rerunning lilo will prevent anyone
from using a simple, fairly well-known trick to boot up without a password, unless
they boot off a floppy. The only way to prevent that is to remove the floppy drive
or use the password protection of your BIOS.
-
BIOS passwords (from usenet article): "Some BIOS'es will reset/disable a password with a key combination.
I've seen ctrl-enter, ctrl-alt-ins, ctrl-alt-esc."
-
gpasman  A personal password manager which keeps list of passwords encrypted.
-
npasswd: A (non-PAM) password package (once used by Red Hat). Has some nice features.
-
vipw, vigr - edit the password or group files. (Locks the files, etc.)
-
Passync "Windows NT/UNIX password synchronization tool"
-
HOW TO allow passwords longer than 8 chars (from usenet article):
>Is there a way or a program that can be installed under Linux RedHat 5.0 to
>allow > 8 character passwords. Not only would this increase security, but
>it would keep the probability of a reused password on a many user system
>low. Thanks for any info or suggestions 'yall might have.
Look at file:/usr/doc/pam-0.59/html/pam.html
on your system with a web browser. You basically just need to add
"md5" to /etc/pam.d/passwd on the "pwdb" line. Then force all your
users to change their passwords (they can use the same one if they
want, but they have to go through the act so that your system can
re-encrypt all the passwds to md5 format). Then everything should
just "work".
-
HOWTO handle a forgotten root password: This assumes certain things and so won't work for everyone.
-- Boot a rescue floppy.
-- Mount the partition holding /etc/passwd, ex: "mount -t ext2 /dev/hda1 /mnt".
-- Edit the passwd file, ex: "vi /mnt/etc/passwd".
Remove the second ":"-delimited field of the line whose first field is "root".
-- Unmount the just-mounted partition (said to be necessary), ex: "umount /dev/hda1".
-- Remove the boot floppy, reboot, log in as root (without password).
-- Change the password, ex: "passwd", etc.
-
Shadow Passwords:
-
Shadow Password HOWTO (How to obtain, install, and configure shadow passwords.)
-
HOW TO move info from non-shadowed passwd file to shadowed version:
Someone said there is a program called "something like pwconv5" that works great.
-
Cryptography; Encryption; Codes; Decoding
-
Intrusion Detection:
-
RSA:
-
SSL - Secure Sockets Layer
-
SUID & SGID programs, including scripts:
-
Viruses:
-
Bliss: From 1997. [link broke]
Some security tips:
-
Don't run any more daemons than needed, especially those that service the network.
Methods:
-
To disable daemons in Red Hat's /etc/rc.d/init.d directory:
mv /etc/rc.d/init.d/xxxd /etc/rc.d/init.d/xxxd.is.disabled
-
Comment out unneeded lines in /etc/inetd.conf. Some sources say
to comment out lines in /etc/services, but this shouldn't be needed.
It also has the disadvantage of disabling the use of the service
(e.g. ftp) by the local user too.
-
Run as few programs as practical, and as seldom as practical, as user "root".
-
Have as few programs as practical that run SUID or SGID to "root" ID.
These may be located using "find / -perm /6000" (older versions of GNU find spelled this "-perm +6000").
-
Keep software as up-to-date as practical in order to have the latest
security bug fixes.
-
Check security sites and some download sites for "security alerts"
and notices of newly fixed software.
-
Replace your "locate" command with the "slocate" command so people can't use locate to look for files
in directories for which they have no read privilege. See below.
-
Configure /etc/usertty and /etc/securetty after reading about them in the man pages
for "login" and "securetty". These control which users may log in from which ports.
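The set-ID tip above, taken one step further as an added example (not part of the original page): list the SUID/SGID files and report any that are missing from a baseline you have already reviewed. The function names and the baseline format (one path per line) are assumptions of this example; the two "-perm -MODE" tests are a portable spelling of the same search.

```shell
#!/bin/sh
# Added example; function names and the baseline format are assumptions.

# list_setid DIR: print regular files under DIR that have the SUID or SGID
# bit set, one path per line, sorted. -xdev stays on DIR's filesystem.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | LC_ALL=C sort
}

# audit_setid DIR BASELINE: print set-ID files under DIR that are not listed
# in BASELINE (one path per line). Returns 0 if none, 1 if any, 2 on error.
audit_setid() {
    as_cur=$(mktemp) || return 2
    list_setid "$1" > "$as_cur"
    # comm -13 keeps lines that appear only in the second (current) list.
    as_new=$(LC_ALL=C sort "$2" | LC_ALL=C comm -13 - "$as_cur")
    rm -f "$as_cur"
    [ -z "$as_new" ] && return 0
    printf '%s\n' "$as_new"
    return 1
}

# Typical use (as root, so find can read every directory):
#   list_setid / > /root/setid.baseline     # review this list once
#   audit_setid / /root/setid.baseline || echo "unreviewed set-ID files"
```

Run the audit after installing or upgrading software, and add a path to the baseline only after checking why it needs the bit.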
How to make a more secure temporary directory from a shell script, by Jim Dennis:
TMPD="/tmp/$(basename "$0").$$.$(date +%s)"
## get a (hopefully unique) name
## use any reasonable method for this.
## (basename keeps a "/" in $0 out of the directory name)
OMASK=$(umask)
umask 077 || exit 1
mkdir "$TMPD" || exit 1
trap 'rm -fr "$TMPD"; exit' 0
umask "$OMASK"
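Where mktemp is available, it can supply both the unique name and the restrictive mode in one step. The following is an added example, not Jim Dennis's code; the function name with_private_tmpdir and the "scratch" prefix are made up for illustration.

```shell
#!/bin/sh
# Added example; with_private_tmpdir and the "scratch" prefix are hypothetical.

# with_private_tmpdir CMD [ARGS...]: run CMD with a fresh private directory
# appended as its last argument, remove the directory afterwards, and
# return CMD's exit status.
with_private_tmpdir() {
    # mktemp -d chooses an unpredictable name and creates the directory
    # atomically with mode 0700; it fails rather than reuse an existing path.
    wpt_dir=$(mktemp -d "${TMPDIR:-/tmp}/scratch.XXXXXXXXXX") || return 1
    # A subshell keeps the traps local to this one call.
    (
        trap 'rm -rf -- "$wpt_dir"' EXIT
        # Turn common signals into a normal exit so the EXIT trap still runs.
        trap 'exit 129' HUP
        trap 'exit 130' INT
        trap 'exit 143' TERM
        "$@" "$wpt_dir"
        exit "$?"
    )
}

# Typical use: the command receives the directory path as its last argument.
#   unpack_and_scan() { tar -xf "$1" -C "$2" && ls -l "$2"; }
#   with_private_tmpdir unpack_and_scan upload.tar
```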
Last Modified 19-Apr-1999