Mastering FreeBSD and OpenBSD Security

First Edition April 2005
ISBN 978-0-596-00626-6
Pages 462
EUR 48.00, SFR 78.90




Index


A
A (address) record
      cache poisoning and, 177
      creating multiple, 204
      direct delivery and, 217
      mail servers and, 217
      MTAs and, 203
      MX record and, 176
      tinydns and, 202
-a option
      newsyslog, 384
      syslogd, 372, 373, 376
accept action (ipfw), 319
access control
      administration and, 118-129
      loghosts and, 385
      minirsyslogd and, 376
      syslogd and, 373
      users and, 14
access control lists (see ACLs)
access table (Postfix), 250
accountability, security and, 126
accounts
      CVS repository and, 135
      default denial mindset, 28
      FreeBSD and, 92
      locked out, 349
      logging to, 370
      operator, 140
      security considerations, 14-16, 17
      shell, 118
      toor, 107
ACID (Analysis Console for Intrusion Databases), 353-354
acid_conf.php file, 353
ACLs (access control lists)
      dangers of, 120, 121
      filesystem flags and, 272
      FreeBSD and, 107
      log files and, 385
      POSIX, 33, 41-44
      TSIGs and, 199, 200, 201
      zone transfers and, 180
Active Directory (Microsoft Windows), 187
add command (ipfw), 319
AddModule directive, 284
address record (see A record)
address resolution protocol (arp) request, 78, 331
adduser command, 104
admincvs group, 135, 136
administration
      access control, 118-129
      additional resources, 168, 169
      everyday security, 129-141
      of firewalls, 306, 311
      HIDS software, 338
      monitoring system health, 163-168
      multiple systems and, 77
      remote, 76, 93, 188
      security and, 74
      security vulnerability response, 144-149
      upgrading, 141-144
administrators
      controlling access, 118, 121-122
      false positives and, 340
      logging and, 364
      mailing lists, 145-146
      privileged access, 122
      root passwords and, 126, 127
      su and sudo comparison, 126
advskew variable (CARP), 333
AES algorithm, 70, 291
AFS (Andrew File System), 151
alert level (syslog), 368
alerts
      ACID and, 353, 354
      false positives and, 345
      IDS and, 337, 343
      logcheck and, 391
      Snort and, 349, 351
      swatch and, 391
      Tripwire and, 356
alerts file (Snort), 349
aliases
      arbitrary program restriction, 247
      defining, 123
      jail and, 300
      mail delivery and, 212, 224
      mail forwarding via, 245
      protecting, 229
      sendmail and, 235
all keyword (pfctl), 329
Allman, Eric, 226
allow action (ipfw), 319
AllowGroups option (sshd_config), 110
AllowOverride None (mod_cgi), 275
allow-recursion option (BIND), 196
allow-transfer option (BIND), 196
AllowUsers option (sshd_config), 110
Amanda (Advanced Maryland Network Disk Archiver), 37, 137, 140
amavisd.conf file, 252
amavisd-new command, 215, 245, 252
ampersand (&), 202, 263
Analysis Console for Intrusion Databases (ACID), 353-354
Andrew File System (AFS), 151
Anonymous Diffie-Hellman ciphers, 291
Anonymous FTP, 91
Apache web servers
      ACID and, 353
      additional resources, 303
      best practices, 283-288
      chroot and, 295-299
      configuring, 268, 271-274, 296
      encryption and, 288-292
      FreeBSD and, 92
      HTTP authentication, 354
      installing, 268-271
      jail and, 295-299
      ktrace command, 57
      modules, 274-283
      overview, 267-268
      popularity of, 260
      support files, 297
      support for, 266
      thttpd and, 292, 293
      two-tiered architecture, 299-301
      vulnerabilities, 295
apachectl command, 288
applications
      events and, 364
      logging to, 371
      loghosts and, 378
      mailing lists, 146
      security and, 13, 14, 264
      worms and, 209
      writing restrictions, 102
      (see also software)
arbitrary content filtering, 215, 238, 251
arbitrary program execution, 263
arch flag, 35, 39, 41
arp (address resolution protocol) request, 78, 331
arp poisoning, 78
ASCII characters, 263
assessment, incident response and, 400
asterisk (*), 365, 370, 382
asymmetric cryptography, 48
at command, 324
at sign (@), 202, 370
@stake, 408
atrm command, 324
attacks
      ACID and, 354
      buffer overflow and, 9, 68
      chroot and, 298
      core dumps and, 51
      creating users with, 405
      DNS, 177-179, 182
      DoS, 208, 236-237, 249-250
      false negatives and, 340
      firewalls and, 49, 265, 306, 337, 342
      fragmentation, 316, 327
      HIDS and, 338, 354
      .htaccess files and, 285
      internal, 213
      Internet connectivity and, 307
      IPS and, 344
      log analysis, 343
      log files and, 347
      mail servers, 208-211
      minirsyslogd and, 376
      MITM, 78, 81, 101
      multipurpose systems and, 76
      network versus local, 17
      NIDS and, 339, 348
      operating system level, 209
      PIDs and, 50
      problems in software, 7-11
      ProPolice stack protection and, 69
      registration hijacking, 178
      responding to, 337
      scripted, 232, 284
      Sendmail and, 229
      Snort and, 352
      spoofing, 321
      system availability and, 6
      uchg flag and, 36
      understanding impact of, 25
      Unicode, 352
      vulnerability discovery and, 24
      web servers and, 261-264
      webmail servers and, 257
      (see also DoS attacks)
auditing
      administrator access, 121
      automated scripts, 392-394
      controlling open relays, 213
      defined, 363, 364
      HIDS and, 339
      log files and, 111, 377
      logcheck and, 386-389
      loghosts and, 378
      OpenBSD and, 70
      security and, 5, 14, 25, 26
      swatch and, 389-391
      syscall activity, 338
auth facility, 365, 366
authentication
      auto-logout and, 115
      centralized, 153
      DHCP and, 80
      digest, 281
      DNS and, 199
      dynamic updates, 200
      HTTP, 354
      logging commands, 126
      mail access and, 256
      mail servers and, 225, 226
      MUAs and, 241
      NFS and, 91
      NTP, 162
      passphrase, 159-160
      pfsync and, 334
      plaintext, 254, 256
      POP and, 222
      Postfix and, 253-255
      SASL and, 221, 241, 243
      security considerations, 13
      Sendmail and, 239-241
      SMTP and, 239, 242
      ssh keys, 155
      sshd and, 109-111
      syslogd and, 375
      two-factor, 109, 122, 257
      UDP and, 178
      vulnerabilities with, 11
      webmail and, 257
auth.info file, 150
authoritative servers, 182, 185
authorized_keys file
      creating, 158
      public key and, 109, 122
      risk mitigation, 160
      system immutable flag and, 39
authpriv facility, 365, 366
authwarnings value (PrivacyOptions), 233
automatic logout, 115
Autopsy, 411
availability
      of firewalls, 311-314
      root volume and, 83
      security and, 6, 81
AXFR (zone transfer)
      authenticating, 200
      BIND versus djbdns, 185
      DNS-based risks, 180
      logging, 198

B
B flag (newsyslog), 382
-b option (syslogd), 374
back-tick (`), 277
backup MX server, 217, 218
backups, 137-141, 379
BalaBit, 375
bandwidth, thttpd and, 293, 294
Banner configuration option, 113
banners directive, 112
base35.tgz file, 101, 189
bash shell, 115
bell action (swatch), 390
Bellovin, Steve, 305
Berkeley Internet Name Daemon (see BIND)
Berkeley Packet Filter (BPF) interface, 315
Berkeley Packet Filter (BPF) option, 97
Bernstein, Daniel J., 183, 191, 255
Big Brother monitoring tool, 164, 169
Big Sister monitoring tool, 164, 169
Binc IMAP, 255
BIND (Berkeley Internet Name Daemon)
      additional resources, 205
      BIND 8, 190, 195
      BIND 9, 183, 189, 195, 197, 198
      cache poisoning and, 177
      chroot and, 55
      djbdns comparison, 185-189
      installing, 189-190
      missing zone data and, 175
      operating, 193-201
      overview, 183
      recursive queries, 179
      remote administration, 76
      security options and, 179
      syslogd and, 372
      unauthorized zone transfers, 180
blacklists
      mail relay and, 225
      open relays and, 210
      RBLs, 216, 238, 252
      side effects of, 208
Blaze, Matt, 151
blocker files, 40
blowfish encryption (OpenBSD), 154
bounce_size_limit variable (Postfix), 249
BPF interface, 315
BPF option (FreeBSD), 97
bpf packet filtering, 61
branches, tracking, 142-144
Broadcom Ubsec chipset, 70
bsd distribution set (OpenBSD), 101
BSD systems
      filesystem, 32, 33-44
      inherent protections, 33, 67-70
      kernel, 32, 34, 44-53
      optimization, 33
      user process controls, 32
      XFree86, 85
buffer overflows
      audits and, 70
      fighting, 68-69
      identifying risk with, 8, 9, 17
      Perl and, 277
      ProPolice stack protection, 69
      W^X memory protection, 68
buffers, 8, 115, 371
Bugtraq forum, 7, 145, 209
bulk email, 176
bump in the wire firewall, 306

C
CA (certificate authority), 272, 273
cache poisoning, 177, 182
California Civil Code, 262
camcontrol command (FreeBSD), 48
canary value, 69
canonical name record (see CNAME record)
Cariello, Giacomo, 193
CARP (Common Address Redundancy Protocol), 331-333
carp keyword, 333
case sensitivity, 388
cat binary, 123
categorization (security advisory), 146
catman distribution (FreeBSD), 88
CD9660 option (FreeBSD), 97
CD-ROMs, 47
CERT CA-2003-13 advisory, 348
certificate authority (CA), 272, 273
certificates
      client-based, 222
      Osiris and, 357
      SSL and, 181, 272, 289
.cf files, 228
cfg_dir option (nagios.cfg), 165
cfg_file option (nagios.cfg), 165
CFS (Cryptographic File System), 151
CGI directory, 285
CGI module (Apache), 274, 274-275
CGI programs
      Apache port options, 269
      application abuse and, 264
      arbitrary execution, 263
      cgiwrapd and, 287
      DoS attacks and, 274
      mod_include and, 279, 280
      mod_suexec and, 287
      mod_userdir and, 283
      Perl and, 277, 302
      PHP and, 276, 302
      running as normal users, 286-288
      ScriptAlias directory and, 275
      thttpd and, 292, 294
      vulnerabilities, 288
cgi.cfg file, 166
cgiwrap
      additional resources, 303
      containing damage with, 275
      mapping privileges, 302
      overview, 286-287
chain of custody, 398, 399
challenge response authentication, 109-111
change control, 133-137
      (see also CVS)
Chaos class, 196
-checkall flag (Rootkit Hunter), 407
check_client_access check (Postfix), 250
checkcommands.cfg file, 167
check_external_commands option (nagios.cfg), 165
check_helo_access check (Postfix), 250
check_nrpe command, 166, 167
Checkpoint firewall, 311
check_recipient_access check (Postfix), 250
check_sender_access check (Postfix), 250
check-state action (ipfw), 321
checksums
      Osiris, 404
      Osiris and, 356
      Rootkit Hunter, 407
      Tripwire, 404
      Tripwire and, 356
chflags command
      finding files, 41
      immutable flag and, 40
      manipulating flags, 34, 36
      NFS mounted filesystems and, 44
      permissions and, 272
      setting flags with, 34, 114
chgrp command, 123
chio command, 48
chmod command, 43, 123, 135
chown command, 123, 135
chroot environment
      Apache and, 268, 270, 295, 295-299
      controls and, 32
      OpenBSD and, 101
      Postfix and, 246
      running BIND in, 193-195
      separating caches, 182
      Snort and, 349
      syslogd and, 372, 375
      two-tiered architecture, 299-301
chroot system call, 53-60
CIA Triad of security, 4
ciphers, 290-291
Clam AntiVirus (ClamAV), 239, 252
cleanup daemon (Postfix), 241
client firewall_type (IPFW), 317
client-server model, 85, 356
closed firewall_type (IPFW), 318
CNAME (canonical name) record
      DNS and, 77
      example, 203
      logging to, 370
      zones and, 181
Code Red worm, 8
code review, 70
comma (,), 370
command_file option (nagios.cfg), 165
commands
      avoiding dangerous, 123
      elevated privileges and, 124
      NOPASSWD option, 124
      restricting unneeded, 248
      su and sudo comparison, 126
Common Address Redundancy Protocol (CARP), 331-333
Common Criteria for Information Technology Security Evaluation, 73
comp35.tgz distribution set (OpenBSD), 101
Compaq, 81
COMPAT_43 option (FreeBSD), 97
comsat service, 105
Concurrent Versions System (see CVS)
confCONNECTION_RATE_THROTTLE option (sendmail), 236
confidentiality
      backups and, 138
      domain registration and, 179
      security and, 4, 5
      syslogd and, 374-375
configuration
      ACID, 353, 354
      Apache, 268, 271-274, 296
      basic logging, 111
      BIND, 196-198
      CARP, 332-333
      default denial mindset, 28
      external jail, 300
      FreeBSD, 89-93
      HA firewalls, 312, 313
      identifying risks, 13-17
      internal jails, 300
      IPFW, 316-323
      kernel, 96-98
      log file rotation, 383-384
      logcheck, 387-388
      mail servers, 223-226
      Nagios, 165-166
      networks for OpenBSD, 101
      NRPE, 167
      NTP, 113-114
      open relay, 210
      Osiris, 357-359
      PF, 325-330
      PHP, 276-277
      Postfix, 242-244, 247-249, 253-255
      rndc command, 198
      security considerations, 23, 24
      Sendmail, 227-228, 230-236, 240-241
      Snort, 347-348
      sudo package, 93, 104, 122-125
      swatch, 389-391
      Syslog relay, 380
      syslog.conf file, 365
      thttpd web server, 293-295
      vulnerabilities with, 11, 210
      zone misconfiguration, 174, 175
confMAX_DAEMON_CHILDREN option (sendmail), 236
confMAX_MESSAGE_SIZE option (sendmail), 237
confMAXRCPTSPERMESSAGE option (sendmail), 237
confMIN_FREE_BLOCKS option (sendmail), 237
console facility (FreeBSD), 365, 366
console, logging to, 370
content filtering
      arbitrary, 215, 238, 251
      mail relay and, 225
      SpamAssassin and, 215
content layer (TSK), 409
controls option (BIND), 196
controls statement (rndc), 198
cooked devices, 47, 48
core dumps, 51, 97
count field (newsyslog), 382
Courier IMAP, 255, 259, 367
cp command, 123
cpio command, 138
crit level (syslog), 368
cron facility
      checking files, 161
      functionality, 366
      newsyslog and, 381
      OpenBSD and, 365
      Snort and, 347
crontab command, 123, 393
cross-site scripting (XSS), 11, 264
cryptcat command, 374, 394
cryptographic accelerators, 292
Cryptographic File System (CFS), 151
cryptography
      additional resources, 169
      asymmetric, 48
      CPU usage, 292
      critical nature of, 69, 70
      djbdns and, 189
      message validation and, 223
      NTP authentication and, 162
      public/private key, 121
      spoofing, 180
      TSIG and, 199
csh shell, 115
-CURRENT branch (FreeBSD), 95
cvs add command, 136
cvs checkout command, 160
cvs commit command, 136
CVS (Concurrent Versions System)
      change control and, 134-137
      data integrity and, 5
      features, 82
      list of anonymous servers, 106
      MITM attacks and, 81
cvs status command, 160
cvs update command, 82
CVSROOT environment variable, 135
cvsup procedure
      availability of, 94
      downloading, 82
      MITM attacks and, 101
      supfile and, 95
cvsup-without-gui port, 94
Cyrus-IMAP, 255, 259

D
-d flag (pfctl), 329
--daemon command-line argument, 391
daemon facility, 365, 366, 369
daemontools, 191
DATA command (SMTP), 220
data integrity (see integrity)
data link layer, 12
data recovery, security and, 137-141
DAV module (Apache), 280-281
DBx option (Postfix), 243
dd command, 409, 410
DDoS (distributed denial-of-service) attacks, 12, 64, 261
debug level (syslog), 368
DEBUG option (FreeBSD), 97
debugging, 287, 329, 371
default deny concept, 308
default_process_limit variable (Postfix), 249
DefaultUser option (sendmail), 229, 235
default_user_name option (cgi.cfg), 166
defense in depth principle, 27, 69, 91, 211
delete command (ipfw), 319
Delivermail, 226
delivery status notifications (DSNs), 234
Dell, 81
demilitarized zone (see DMZ)
denial of service attacks (see DoS attacks)
Denver Project, 178
deny action (ipfw), 319
DenyGroups option (sshd_config), 110
DenyUsers option (sshd_config), 110
DES encryption, 153, 290
DESTDIR environment variable, 63
devfs filesystem, 138
devfs.conf file, 62
device bpf (PF), 326
device nodes, 59, 62, 194
device pf (PF), 326
device pflog (PF), 326
device pfsync (PF), 326
DHCP
      BIND and, 187
      dangers of, 80, 90
      OpenBSD and, 101
      security and, 75
digest authentication, 281
digital signatures, 5, 48, 81
directories
      chroot and, 54
      expectations for, 120
      immutable, 39
      looking for strange, 405
      minirsyslogd, 376
      mod_userdir and, 283
      Sendmail permissions, 229, 231
      Snort and, 350
      union mounts and, 38
      world-writable, 275, 286
disaster recovery, 137
DISCARD value (Sendmail), 237
disclosure, file and data, 263
display_errors setting (PHP), 277
Distributed Authoring and Versioning (DAV) protocol, 280-281
distributed denial-of-service (DDoS) attacks, 12, 64, 261
distribution sets, 88-89, 101
divert action (ipfw), 320
djbdns
      additional resources, 206
      BIND comparison, 185-189
      cache poisoning and, 177
      installing, 190-193
      missing zone data and, 175
      operating, 201-204
      overview, 183, 184
      secure file distribution, 161
      security and options and, 179
DMZ (demilitarized zone)
      backup server and, 379
      considerations, 79
      firewalls and, 307, 309, 320-322
      PF and, 327, 328
      recursion servers and, 182
      security policies on, 19
      web servers and, 261
DNS attacks, 177-179, 182
DNS (Domain Name Service)
      architecture, 184, 185
      BIND, 183, 185-190, 193-201, 205
      criticality of, 173-183
      djbdns, 183, 184, 185-193, 201-204, 206
      IP addresses and, 300
      mail servers and, 216-218
      real-time blacklists, 216
      risks related to, 174-183
DNS servers
      chroot and, 101
      firewalls and, 314
      MITM attacks, 79
      network buffering and, 72
      security and, 14, 20, 75
      syscall auditing, 338
      trust and, 218
      user access and, 118
DNS spoofing, 178
dnscache server (djbdns), 179, 192, 201
dnscache-conf script, 193
dnsqr tool, 203
DNSSEC, 199
document templates, 398, 399
documentation
      change control and, 133
      djbdns and, 184, 190
Domain Name Service (see DNS)
domains
      identifying internal, 214
      internal mail servers and, 224
      masquerading, 231, 232, 247
      MX records and, 175, 217
      registration hijacking, 178
      syslogd and, 372
DontBlameSendmail option (sendmail), 231
DoS (denial of service) attacks
      Apache and, 273-274
      backup MX servers and, 218
      identifying risks, 12-13
      logs to loghosts and, 373
      mail servers and, 208
      Postfix and, 249-250
      Sendmail and, 209, 236-237
      severity assessment and, 147
      syslog-ng and, 376
      thttpd and, 294
drop action (ipfw), 319
DSNs (delivery status notifications), 234
dummynet command, 49
dump command
      arch flag and, 39
      backups and, 137, 138, 139
      nodump flag and, 35, 36, 37, 41
      raw devices and, 48
dump flag, 34
dump command
      raw devices and, 47
dynamic updates, 187, 198, 200

E
-e flag (pfctl), 329
echo action (swatch), 390
echo command (smrsh), 230
e-commerce, 262, 290, 345
edit-mhost (Osiris), 357
EDITOR environment variable, 123
EHLO command, 233
802.11 wireless networks, 12
email
      blocking unwanted, 237-239, 250-253
      digital signatures and, 48
      direct delivery, 217
      DNS and, 173
      legal compliance, 137
      logcheck and, 386, 387
      message validation, 222
      Nagios notifications, 164
      nodump flag and, 37
      Osiris notification, 359
      reliance on, 208
      rerouting, 178
      risks related to, 175-177
      security and, 21, 75
      stopping unwanted, 214-216
      vulnerabilities of, 209
emerg level (syslog), 368
encryption
      Apache web servers, 288-292
      backups and, 140
      ciphers and, 290
      DES, 153
      external mail servers and, 226
      loghosts and, 374
      mail access and, 256
      messages and, 222
      msyslog and, 377
      networks and, 5
      password exposure, 154
      Postfix and, 253-255
      private key and, 298
      Sendmail and, 239-241
      SMTP and, 243
      SSL and, 354
      syslogd and, 374, 375
      syslog-ng and, 376
      tunneling and, 152
      webmail and, 257
envelope (SMTP), 220, 221
env_reset flag, 124
equals sign (=), 45, 202
err level (syslog), 368
error_limits variable (Postfix), 249
etc35.tgz distribution set (OpenBSD), 101
Etoh, Hiroaki, 69
ETRN command (SMTP), 233, 248
EventReporter, 367
events
      applications and, 364
      responding to, 337, 338
      storing in flat files, 349, 350
      storing in MySQL, 350-351
      Windows NT and, 367
EventSLog, 367
exclamation mark (!), 369
exec command (smrsh), 230
#exec directive, 280
execute permission, 33, 41
exit command (smrsh), 230
EXPN command, 233
external mail servers, 226
EXTERNAL_NET variable (snort.conf), 347
Extreme security profile (FreeBSD), 91, 94

F
F command, 229
-f flag (logger), 389
-F flag (pfctl), 330
facility configuration parameter (syslog.conf), 365-368, 377
false negatives, 340
false positives, 340, 345, 388
FastCGI, 292, 303
fat jails, 62, 64, 65
Fetchmail, 212, 259
files
      ACLs and, 43
      Apache, 297
      append-only, 41
      blocker, 40
      change control, 134
      chroot and, 60
      logging to, 370
      looking for changed, 404
      mod_userdir and, 283
      msyslog and, 377
      parsing, 57
      protecting critical, 271-273
      schg flag and, 39, 40
      secure distribution of, 155-161
      Sendmail permissions, 229, 231
      storing events in, 349, 350
      Tripwire and, 355
      umask and, 119, 120
filesystem flags
      ACLs and, 272
      BSD systems, 33
      common usage of, 39-41
      manipulating, 34, 35
      securing log files, 385
      UFS, 34-39
filesystem layer (TSK), 409
filesystems
      ACLs and, 120
      backups and, 139
      BIND and, 194
      BSD systems and, 32
      centralized storage, 151
      chroot, 54, 60
      defining partitions, 83
      export control, 152
      flagging, 101
      FTP daemon and, 54
      jail and, 62, 67, 301
      mount options, 108-109
      mounting and securelevel 2, 48
      Osiris and, 50
      slicing up, 81-85
      TSK, 409
      UFS, 33-44
      UFS2, 33, 41, 42, 87
      unionfs, 38
      volatility and securelevels, 50
filtering
      arbitrary content, 215, 238, 251
      content, 225
      Mail Filter API and, 238
      MUAs and, 215
      NetBIOS traffic, 307
      packets, 61
      Perl taint rules and, 278
      SpamAssassin and, 215
filters section (pf.conf), 326
FIN bit, 52, 53
find command, 41
fingerd command, 8, 149, 209
firewall_enable option (IPFW), 317, 326
firewalls
      ACID and, 354
      architecture, 305-311
      attacks and, 265, 337
      default denial mindset, 28
      DoS attacks and, 13
      handling failure, 331-334
      high availability, 311-314
      host lockdown, 314
      immutability of, 49
      infrastructure servers and, 75
      IPS and, 344
      limitations of, 79
      loghosts and, 373, 378
      NAT and, 316
      network scans and, 52
      NFS and, 153
      NTP and, 162, 163
      open relays and, 213
      PF and, 352
      physical security and, 18
      recursion servers and, 182
      security and, 305, 306, 314
      sensors and, 342
      Snort and, 351
      syslogd and, 372, 376
      workstations and, 75
      (see also IPFW; PF)
firewall_type (IPFW), 317
flags field (newsyslog), 382
flags (see filesystem flags)
fls tool, 410
forensic analysis
      after attacks, 26
      of compromised hosts, 26
      data recovery and, 137
      overview, 402-408
forking processes, 50, 57, 151, 228, 372
format string errors, 10, 70
formmail.pl script, 211, 264
.forward file
      arbitrary program restriction, 247
      attacks and, 229
      mail delivery and, 224
      mailing list, 230
      redirecting mail, 212
forward slash (/), 279
forward zones, 175, 180
fragmentation attacks, 316, 327
FreeBSD
      ACLs and, 120, 121, 199
      additional resources, 116, 335
      Apache and, 268-269
      BIND and, 190
      camcontrol command, 48
      chroot and, 60
      configuration, 89-93
      djbdns and, 192
      hostnames and, 369
      httpd and, 298
      installing, 87-93
      IPFW, 314
      jail and, 60-67
      kern.randompid variable, 51
      mount_unionfs, 38
      multiple versions of, 132, 133
      NIDS sensor and, 345
      PAM, 109
      periodic command, 393
      PF and, 326
      POSIX access control lists, 33, 41-44
      Postfix and, 242-243
      release engineering, 143
      reliability and, ix
      securelevel, 46, 49
      Sendmail and, 228
      sendmail-sasl port, 240
      syslogd on, 372
      toor account, 107
      tracking branches, 144
      uchg flag and, 36
      UFS2 and, 33
      unionfs filesystem, 38
      uunlnk flag, 38
      version numbers and, 78
freebsd-announce list (FreeBSD), 145
freebsd-security-notifications list (FreeBSD), 145
freebsd-stable mailing lists, 144
FreeSBIE, 399
Frenzy, 399
FreshPorts mailing list, 146
From (SMTP header), 221
fsck command, 47, 48, 87
FTP, 79, 91, 101
ftp facility, 365, 366, 369
ftpd (file transfer protocol daemon)
      chroot and, 54
      functionality, 366
      inetd and, 149
      infrastructure servers, 76
      logs and, 369, 377
Full Disclosure forum, 7
functionality, security versus, 21

G
G flag (newsyslog), 382
GAPING_SECURITY_HOLE flag (Makefile), 374
Gauntlet firewall system, 386
GCC C/C++ compiler, 69
GENERIC configuration file, 96, 98, 106
GET request (HTTP), 210, 280
getfacl command, 43, 44
gets function, 8
GID (group ID), 61, 152, 158, 269
GNU General Public License, 267
GNU Privacy Guard (GPG), 223
goaway value (PrivacyOptions), 233
GPG (GNU Privacy Guard), 223
grep command, 156, 198, 388
group ID (GID), 61, 152, 158, 269
groups
      catchall primary, 119
      configuring, 107
      controlling user access, 119
      per-user, 119
      project-based, 119
      role-based, 119
      security considerations and, 14
growfs command, 48, 84
GTGI, 70
gunzip command, 124
gzip command, 124

H
HA (high availability), 311-313
hackers
      Apache web server and, 267
      honeypots and, 343
      rootkits, 407
      web server attacks and, 261-264
halt -d command, 404
hashing
      MD5 algorithm, 356
      msyslog and, 377
      security considerations, 81
      SHA-1 algorithm, 333
      TLS ciphers, 291
      TSIGs and, 199
headers
      envelope versus, 220, 221
      information leaks, 284
      pflogd and, 330
      trivially faking, 221
HELO request (SMTP), 219, 233, 251
HIDS (host-based IDS)
      checksums, 404
      installing, 339
      overview, 338, 354-360
HiFn chipsets, 69
high availability (HA), 311-313
hmac-md5 hashing algorithm, 199
HOME_NET variable (snort.conf), 347
Honeynet Project, 344
honeypots, 343, 344
host-based firewalls, 311
host-based IDS (see HIDS)
hostname
      CARP interfaces and, 333
      CNAME instead of, 77
      HELO request, 219
      httpd and, 298
      internal mail servers, 224
      launching jail, 63, 64
      matching, 369
      plus sign and, 369
hosts.allow file, 112, 150
hosts.deny file, 150
Hot Standby Router Protocol (HSRP), 331, 333
Hot-Cold firewall architecture, 312
Hot-Hot firewall architecture, 313
Hot-Standby firewall architecture, 312, 332, 334
Hot-Warm firewall architecture, 312
HSRP (Hot Standby Router Protocol), 331, 333
.htaccess files, 276, 285
HTML
      Apache and, 269
      entity encoding, 263
      injection, 264
      mod_include and, 278, 279
      separating locations, 285
HTTP
      ACID and, 354
      DAV standard and, 280
      information leaks, 284
      Snort and, 351
      SSL and, 288
      URL encoding, 263
httpd
      chroot environment and, 298
      MaxClients, 273
      process size, 273
      root access and, 286
      two-tiered architecture, 299-301
httpd.conf file
      CGI module (Apache), 274
      jails and, 301
      launching, 298
      MaxClients directive, 273
      mod_include and, 278
      modules and, 284
      PHP and, 276
      protecting, 286
      SSL and, 269
      SSLCipherSuite directive, 291
      system immutable flag, 273
      user overrides, 271
httpd.core file, 51
HTTPS, 257, 290
human interface layer (TSK), 409

I
IANA, 321
id_dsa private key, 109
id_dsa.pub public key, 109
IDE disks, 84
IDENT protocol, 150
identd service, 105
IDS (Intrusion Detection System)
      ACID, 353-354
      architectures, 338-345
      BPF and, 315
      DoS attacks and, 13
      HIDS, 354-360
      monitoring, 336, 337
      NIDS, 345
      PF and, 316
      responding to events, 337, 338
      Snort, 346-353
IEEE 1003.1e standard, 73
IETF (Internet Engineering Task Force)
      DAV protocol, 280
      DNS standards, 183
      syslog and, 375
      VRRP and, 331
ignore statement (swatch), 389, 390
ignore_dot flag, 124
IIS (Internet Information Server)
      Apache and, 266
      buffer overflow and, 8
      traversal attacks, 263
      Unicode attacks, 352
      vulnerability, 349
ils tool, 410
IMAP (Internet Message Access Protocol)
      IPFW and, 322
      mail access and, 255
      mail delivery and, 207
      webmail and, 257
IMP (Webmail), 257, 259
in option (ipfw), 319
incident detection, 400
incident response
      additional resources, 413
      incident assessment, 400
      incident detection, 400
      postmortem analysis, 402
      preparation, 396-399
      response, 400-402
      security considerations, 25, 26
include directive, 198, 273, 279
:include: mailing list, 224, 229, 230, 247
Includes option (mod_include), 278
incremental zone transfers (IXFR), 187-188, 198, 200
index option (ipfw), 318
index.html file, 281
inetd (internet daemon) super server
      FreeBSD and, 93
      NRPE and, 167
      OpenBSD and, 105
      security and, 149-151
      skipping configuration, 90
      tcpwrappers and, 112
inetd.conf file, 149, 404
info distribution (FreeBSD), 88
info keyword (pfctl), 329
info level (syslog), 368
infrastructure servers
      controlling access, 118, 121
      dual-booting, 81
      OpenBSD and, 101, 106
      remote access and, 85
      risks to, 149
      security and, 75, 76
      X distribution and, 89
inherent protections, 33, 67-70
inodes, 59, 410
INSERT statement (MySQL), 351
insider attacks, 7
installation
      ACID, 353
      Apache web servers, 268-271
      BIND, 189-190
      DHCP use during, 80
      djbdns, 190-193
      FreeBSD, 87-93
      jail and, 65-66, 296
      logcheck, 387
      media options, 78-79
      msyslog, 377
      Nagios, 165
      NRPE, 166-167
      OpenBSD, 100-103, 192, 193
      Osiris, 357-359
      Postfix, 242-244, 253
      securelevels and, 50
      security and, 23, 74
      Sendmail, 227-228
      Snort, 347-348
      software, 129-133
      sudo package, 92
      swatch, 389
      thttpd web server, 293
      TSK, 408-409
install.sh shell script, 63
InstantSSL, 289
integrity
      auditing and, 378
      CARP and, 333
      file signatures and, 130
      log files and, 378
      maintenance and, 24
      message validation, 222
      msyslog, 377
      root volume and, 83
      security and, 5
      signatures and, 81
      syslogd and, 374-375
      system availability and, 6
internal mail servers
      guidelines, 255-256
      masquerading domains, 231, 232
      overview, 224-225
Internet
      backup server and, 379
      confidence indicators on, 175
      DNS and, 174
      network scans, 52
      paths to operating systems, 265
      RFC 1918, 321
      risks in connectivity, 307
Internet Engineering Task Force (see IETF)
Internet Information Server (see IIS)
Internet Message Access Protocol (see IMAP)
Internet Protocol FireWall (see IPFW)
Internet service providers (see ISPs)
Internet Software Consortium (ISC), 183, 187
Intrusion Detection System (see IDS)
Intrusion Prevention Systems (IPS), 344, 345
IP addresses
      A records and, 203
      CARP interfaces and, 333
      data integrity and, 5
      djbdns and, 185, 201
      DNS and, 300
      forward zones, 175
      httpd and, 298
      instances and, 295
      IPFW and, 318
      jail and, 61
      lame delegation, 174, 175
      launching jail, 63
      MAC addresses and, 331
      mail transport and, 214
      minirsyslogd and, 376
      multi-homed, 196
      name resolution and, 217
      NAT and, 316
      network scans and, 52
      pfsync and, 333
      POP before SMTP and, 222
      private, 299, 302
      restricting access, 300
      reverse lookups, 219
      RFC 1918, 321
      Snort and, 347
      spoofing, 12, 180
      syslogd and, 372
IP ID, 334
IPFilter (OpenBSD), 314
ipfirewall command, 49
ipfw command, 49, 318-320
IPFW (Internet Protocol FireWall)
      basic configuration, 316-323
      functionality, 323-325
      overview, 314
      PF and, 315-316
      rules and, 327
ipfw show command, 323, 324
IPS (Intrusion Prevention Systems), 344, 345
IPSO operating system, 345
IPv6 option (FreeBSD), 97
ISC (Internet Software Consortium), 183, 187
ISIS routing protocol, 313
ISO 9660 filesystem, 98
ISPs (Internet service providers)
      backup mail servers, 177
      DDoS attacks and, 262
      DNS-based risks and, 181
      DoS attacks and, 12, 13
      responding to attacks, 337
IXFR (incremental zone transfers), 187-188, 198, 200

J[ Top ]
J flag (newsyslog), 382
jail environment
      Apache and, 268
      controls and, 32
      infrastructure servers and, 76
      overview, 60-67
      separating caches, 182
      syslogd and, 372
      web servers with, 295-302
JID (jail ID), 61, 64, 65
jls command, 65

K[ Top ]
Kamp, Poul-Henning, 60
Kaspersky Anti-Virus, 239, 252
kdump command, 57, 59, 98
keep-state option (ipfw), 319, 321
Kerberos authentication, 122, 135, 153
kern facility, 365, 367
kern.coredump variable (FreeBSD), 51
kern.corefile variable (FreeBSD), 51
kernel
      BSD systems and, 32, 34
      checking, 406
      configuration, 96-98
      cooked devices and, 47
      cryptographic accelerators, 292
      DHCP and, 80
      dropping packets, 52
      IPFW configuration, 317
      jail and, 64
      modularity of, 47
      msyslog and, 377
      PF configuration, 325
      security levels, 45-50
      security-related variables, 44, 50-53
      swap partitions, 84
      syslogd and, 365
      tuning, 114
      tweaking with sysctl, 44-45
      uchg flag and, 36
      W^X memory protection and, 68
kern.ipc.nmbclusters variable, 72
kern.ipc.somaxconn variable, 72
kern.maxfiles variable, 72
kern.nosuidcoredump variable, 52
kern.randompid variable, 51
kern.securelevel (see secure level)
kern.somaxconn variable, 72
kern.sugid_coredump variable, 52
key rndc_key statement (rndc), 198
keys to the kingdom, 123, 128
keywords, logcheck and, 386, 388
kill command, 60, 65
krb4 distribution (FreeBSD), 88
krb5 distribution (FreeBSD), 88
ktrace command, 57, 98
KTRACE option (FreeBSD), 98
ktrace.out file, 57

L[ Top ]
lame delegation, 174
latency, network, 113
layer 3 devices, 313
layered approach, 27
ldd command, 56, 151, 253
ld.so (runtime loader), 68
least privilege, 28, 119
legal compliance, 137
less binary, 123
level configuration parameter (syslog.conf), 365, 368, 377
Linux operating system, 85, 92
Listen directive (httpd), 298
load balancing, 203, 204
loader.conf file, 115
LoadModule directive, 284
local attacks, 7, 17
local facility, 365, 367
local security, 114-116
local service (Postfix), 246
localhost
      Autopsy and, 411
      connections from, 150
      mod_include and, 302
      NFS master jail and, 67
      NTP and, 162
      packets and, 328
      restricting access to, 282
log analysis, 343, 353, 364
log files
      administrators and, 364
      automated monitoring, 386-392
      capturing, 377
      logcheck and, 387
      managing, 381-386
log keyword, 328
log option (ipfw), 318
logcheck, 386, 386-389, 395
logfilename field (newsyslog), 382
logger command, 373, 389
logging
      BIND 9, 197
      configuring basic, 111
      denied traffic, 323, 352
      executed privileged commands, 126
      IPFW option, 317, 318
      mail access and, 256
      PF and, 330
      Postfix and, 245
      reaching limits, 324
      remote, 366
      Snort and, 347
      sockets, 365, 372
      syslogd actions, 370-371
      system, 364
loghosts
      cryptcat and, 374
      defined, 365
      encryption and, 374
      logging to, 370
      protecting, 379-381
      restricting access, 385
      securing, 378-381
      Syslog relay and, 380
      syslogd and, 373
      syslog-ng and, 376
login banners, 112, 113
login classes, 109, 118, 120
login.conf file, 120
logout, automatic, 115
logsentry, 386
logtail binary, 387
lpd (line printer spooler daemon), 263, 367, 370
lpr facility, 365, 367
ls command
      ACLs and, 44
      creating devices, 59, 194
      -q option, 406
      Trojan horses and, 355
      viewing flags, 34

M[ Top ]
MAC addresses, 61, 331
MAC (mandatory access control), 121
MAC (message authentication code), 199
MacOS X, 33
macros section (pf.conf), 325
mail access
      additional resources, 259
      external mail servers and, 226
      mail service and, 207
      protecting, 211
      securing, 255-257
mail action (swatch), 391
mail delivery agents (MDAs), 207
mail exchanger record (see MX record)
mail facility, 365, 367
Mail Filter API (milter), 238
MAIL FROM: command, 220, 233
mail relay, 225-226, 231
mail servers
      architecture, 211-216
      backup, 176, 177
      configurations, 223-226
      DNS and, 216-218
      firewalls and, 307
      security and, 230
      SMTP and, 218-223
      syscall auditing, 338
      targets for attacks, 208-211
mail transfer agents (see MTAs)
mail transport, 207, 211, 214
mail user agents (see MUAs)
mailadmin group, 382
mailbox_size_limit variable (Postfix), 249
maildrop group account, 243
mailing lists, 145-146
maillog file, 364
mailq command, 234
mailwrapper command, 243
main.cf file (Postfix), 246, 252
maintenance
      firewalls and, 311
      security and, 23, 24, 74
      simplicity in, 29
      tinydns, 201-203
      zone, 180-181, 186
make package (FreeBSD), 65, 66
make pretty-print-build-depends-list command, 133
make pretty-print-run-depends-list command, 133
make.conf file, 99, 131, 228
makeweb command (thttpd), 294
malware, 211, 239
man distribution (FreeBSD), 88
man35.tgz distribution set (OpenBSD), 101
mandatory access control (MAC), 121
man-in-the-middle attacks (see MITM attacks)
MAPI (Messaging Application Programming Interface), 207
mark facility, 365, 367
Maslow's pyramid of human needs, 337
masquerading domains, 231, 232, 247
master binary (Postfix), 241
master.cf file, 246, 249, 252
master.passwd file
      copying, 156
      encryption, 154
      extracting accounts, 156
      hashes and, 5
      password cracking programs and, 16
MaxClients directive (Apache), 273, 294
maxusers variable, 71, 73
McAfee Virus Scan, 239, 252
McGraw, Gary, 27
McIlroy, Doug, 244
MD5 algorithm, 199
md5 encryption (FreeBSD), 154
MD5 hashing algorithm
      checking against rulesets, 348
      Rootkit Hunter and, 407
      TLS ciphers and, 291
      Tripwire and, 356
      TSIGs and, 199
machdep.allowaperture variable, 102
MDAs (mail delivery agents), 207
Medium security profile (FreeBSD), 94
Melissa worm, 208
memory
      BIND and, 183, 186
      buffer overflows and, 8, 9
      database server and, 351
      MaxClients and, 273
      Perl and, 277
      sensors and, 346
      tuning options, 327
mergemaster (FreeBSD), 99
message authentication code (MAC), 199
Message-Id (SMTP header), 221
messages log file, 364
message_size_limit variable (Postfix), 249
Messaging Application Programming Interface (MAPI), 207
metadata layer (TSK), 409
MFS filesystem, 48
Microsoft Internet Explorer, 290, 291
Microsoft Outlook Web Access, 281
migration from multipurpose systems, 77
milter (Mail Filter API), 238, 239
milter-regex daemon, 238
minirsyslogd, 376, 394
mirror ports, 342
MITM (man-in-the-middle) attacks
      CVS updates and, 81
      defined, 78
      DNS and, 174
      OpenBSD and, 101
      untrusted certificates and, 289
mk.conf file, 131
mkdir command, 135
mknod command, 59, 62
mod_access (Apache), 302
mod_autoindex (Apache), 281-282, 296
mod_cgi (Apache), 274-275
mod_dav (Apache), 280-281
mode field (newsyslog), 382
Moderate security profile (FreeBSD), 91
mod_include (Apache), 278-280, 302
mod_info (Apache), 282
mod_perl (Apache), 277-278, 302, 303
mod_php (Apache), 274, 275-277, 302
mod_proxy (Apache), 299, 300
mod_ssl (Apache), 269, 291
mod_status (Apache), 282
mod_suexec (Apache), 275, 287-288
modularity, 302
mod_userdir (Apache), 283, 294
monitoring
      automated, 386-392
      system health, 163-168, 169
more binary, 123
Morris Internet worm, 8, 209
motd (message of the day) file, 112
mount command, 47, 108-109
mount_union (OpenBSD), 38
mount_unionfs (FreeBSD), 38
Mozilla Firefox, 291
MPMs (multiprocessing modules), 268
MSDOSFS option (FreeBSD), 98
MS-SQL database, 347
msyslog (Modular Syslog), 377, 394
MTAs (mail transfer agents)
      A records and, 203
      additional resources, 258
      DNS and, 176
      internal mail servers and, 224
      mailwrapper command, 243
      purpose, 207
      qmail and, 255
      Sendmail as, 227
      SPF and, 222
mtools command, 98
mtree tool, 114, 229, 393
mtx command, 48
MUAs (mail user agents)
      authentication and, 241
      defined, 207
      filtering and, 215
      header information and, 220
      mailwrapper command and, 243
      plaintext authentication and, 256
      Postfix and, 254
multiprocessing modules (MPMs), 268
mv command, 123
MX (mail exchanger) record
      at sign and, 202
      direct delivery and, 217
      DNS and mail risks, 175-177
      domains and, 217
      MTAs and, 203
MySQL database
      ACID and, 353
      authentication and, 254
      permissions storage, 275
      storing alert information, 347
      storing events, 350-351
MySQL option (Postfix), 243

N[ Top ]
-N flag (ipfw), 318
Nagios, 164-168, 169
Nagios Remote Plugin Executor (NRPE), 164, 166-167
nagios.cfg file, 165
nagios-plugins package, 164, 165, 167
name resolution
      DNS and, 174
      mail servers and, 217
      registration hijacking and, 178
      SMTP and, 217
name servers
      attacks and, 178
      BIND and, 193
      caching, 185
      DNS-based risks, 179
      naming, 204
      registration hijacking and, 178
      tinydns and, 202
      zone misconfigurations and, 175
      zone transfers and, 180, 187
named daemon, 198, 200
named_chroot_autoupdate variable (BIND), 195
named.conf file
      BIND 9 and, 190
      controls option and, 196
      filesystems and, 194
      include directive, 198
      trusted hosts, 180
      TSIGs and, 200
named_enable variable, 195
named_flags variable, 195
NAMI (name-to-inode) translation, 57
NAT (Network Address Translation)
      firewalls and, 323
      ipfw command and, 320
      PF and, 315
      routers and, 49, 90
ndc command, 198
needexpnhelo value (PrivacyOptions), 233
needmailhelo value (PrivacyOptions), 233
needvrfyhelo value (PrivacyOptions), 233
Nelson, Russell, 255
nessus tool, 386
NetBSD, 33
netcat command, 374
Netcraft web server survey, 266
NetCryptX, 70
net.inet.carp.allow variable, 332
net.inet.carp.preempt variable, 332
net.inet.ip.forwarding variable, 323
net.inet.ip.fw.enable variable, 323
net.inet.tcp.blackhole variable, 52
net.inet.tcp.drop_synfin variable, 53
net.inet.tcp.recvspace variable, 72
net.inet.tcp.sendspace variable, 72
net.inet.udp.blackhole variable, 52
Netscape, 290
netstat command
      attacks and, 404
      mbufs and, 72
      Osiris and, 359
      suspect changes, 360
      Trojan horses and, 355
Network Address Translation (see NAT)
network attacks, 7, 12, 17
network buffering, 72
Network File System (see NFS protocol)
Network Information Services (NIS), 153-155
network latency, 113
network layer, 12
Network Sensor (Real Secure), 345
Network Time Protocol (see NTP)
network-based IDS (see NIDS)
networks
      backups and, 140-141
      configuring for OpenBSD, 101
      DoS attacks, 12
      encryption and, 5
      firewall architectures, 305-314
      installation considerations, 78-79
      isolating, 79
      monitoring, 164
      reducing visibility on, 52
      scanning, 52
      security and, 162-163
      troubleshooting, 322
newfs command, 47, 48
new-host script (Osiris), 358
news facility, 365, 367
newsyslog command, 381-383, 384, 385
newsyslog.conf file, 112, 381
NFS (Network File System) protocol
      ACLs and, 44
      FreeBSD and, 91
      jail and, 67
      security and, 151-153
NFS option (FreeBSD), 98
NFS server security profile (FreeBSD), 90
NIC cards, 346
NIDS (network-based IDS)
      ACID and, 353-354
      overview, 339-343, 345
      Snort, 346-353
NIS (Network Information Services), 153-155
nmap command, 52, 53, 386
NMBCLUSTERS variable, 73
noauto option (mount), 108
NO_BIND option (FreeBSD), 190
nobodyreturn value (PrivacyOptions), 233
nodev option
      mount, 108
      OpenBSD, 101
nodump flag, 34-37, 41
noetrn value (PrivacyOptions), 233
noexec option (mount), 108
noexpn value (PrivacyOptions), 233
Nokia, 345
none level (syslog), 368
NOPASSWD option, 124
noreceipts value (PrivacyOptions), 234
noschg flag, 34
NO_SENDMAIL option (make.conf), 228
nosuid option
      fstab, 227
      mount, 108
      OpenBSD, 101
notice level (syslog), 368
Notice of Security Breach (California Civil Code), 262
NOTIFY messages, 187, 189
noverb value (PrivacyOptions), 234
novrfy value (PrivacyOptions), 234
NRPE (Nagios Remote Plugin Executor), 164, 166-167
NS record, 203, 204
NTP (Network Time Protocol)
      configuring, 113-114
      developing, 91
      security and, 75, 161-163
ntpd command, 48, 55-57, 113
ntpd.conf file (OpenBSD), 162
ntp-genkeys command, 162
null client, 224

O[ Top ]
offline analysis, 404
online analysis, 403
opaque flag, 35
open firewall_type (IPFW), 317
OpenNMS monitoring tool, 164
Open Relay Database, 216
open relays
      avoiding, 213-214
      mail servers and, 210, 222
Open Webmail, 257
OpenBSD
      ACLs and, 121
      additional resources, 116
      Apache and, 268, 270-271
      calendar schedule and, 78
      CARP and, 332
      code review, 70
      as IDS sensor, 345
      installing, 100-103, 192, 193
      login classes, 109
      MAC and, 121
      mount_union, 38
      NTP daemon, 55
      pervasiveness of, ix
      PF, 314
      Postfix and, 243-244
      ProPolice stack protection, 69
      release engineering, 143
      security script, 392
      setting securelevel, 49
      syslogd on, 372
      tcpdump command, 330
      tracking branches, 142, 143
      W^X memory protection, 68
openbsd-localhost.mc file, 228
OpenLDAP option (Postfix), 243
OpenLDAP servers, 254
OpenNMS monitoring tool, 169
OpenSSH, 52, 149
OPENSSH_OVERWRITE_BASE flag, 132
OpenSSL
      additional resources, 258
      cryptography and, 70
      information leaks, 284
      NRPE and, 166
operating systems
      additional resources, 168
      attacks and, 208, 209
      compatible backups across platforms, 138
      dual-booting, 81
      fingerprinting, 53
      Internet paths to, 265
      protecting, 211-213
      tuning, 70-73
      viruses and, 209
operator account, 140
optimization
      BSD systems, 33
      PF and, 315
      Snort and, 351
option TCP_DROP_SYNFIN statement, 53
options INET (PF), 326
options IPFIREWALL (IPFW), 317
options IPFIREWALL_DEFAULT_TO_ACCEPT (IPFW), 317
options IPFIREWALL_VERBOSE (IPFW), 317
options IPFIREWALL_VERBOSE_LIMIT (IPFW), 317
Options None (mod_cgi), 275
options PFIL_HOOKS (PF), 326
options RANDOM_IP_ID (PF), 326
options section (pf.conf), 326, 327
OSI reference model, 288
Osiris
      additional resources, 360
      overview, 356-360
      security and, 50, 229
OSPF routing protocol, 313
out option (ipfw), 319
output database directives, 351
outsider attacks, 7
owner:group field (newsyslog), 382

P[ Top ]
packages, installing software, 130-131
Packet Filter (see PF)
packets
      dropping, 52, 343
      filtering, 61
      fragmentation, 316
      IPFW kernel options, 317
      localhost and, 328
      PF and, 327
      pflog interface and, 352
      RFC 1918, 321
      Snort and, 348
      spoofed, 328
      synfin, 52, 53
PAM (Pluggable Authentication Modules), 109
PARANOID directive, 150
partitions, 83, 84
pass action (ipfw), 319
passphrases
      authentication and, 159-160
      CVS and, 135
      private key and, 298
      two-factor authentication and, 109
password authentication, 109, 110, 121, 122
PasswordAuthentication option (sshd_config), 110
passwords
      CARP and, 333
      clear-text protocols and, 121
      CVS repository and, 135
      DAV and, 281
      encryption and, 256
      format compatibility, 153
      master.passwd file, 5
      root, 128, 129
      secure installation and, 86
      security considerations, 16, 17
      shadow, 154
      strong, 16, 86, 92, 101
      su and sudo comparison, 125
patches
      disruptive nature of, 25
      FreeBSD and, 95
      importance of applying, 22
      keeping abreast, 145-146
      mitigating vulnerabilities, 210
      OpenBSD and, 106
      security and, 24, 141
PATH environment variable
      Apache and, 269
      BIND and, 195
      cgiwrap and, 286
      FreeBSD and, 190
      PHP and, 277
      sudo and, 124
pcap data structure, 330
peochk command, 377
performance
      Apache, 268
      firewalls and, 305
      root volume and, 84
      tweaking, 71
      two-tiered architecture and, 302
period (.), 202, 220
periodic command (FreeBSD), 393
perl distribution (FreeBSD), 89
Perl language, 277, 278, 292
Perl module (Apache), 274, 277-278
PerlTaintCheck option, 278
permissions
      accounts and, 14
      ACLs and, 43
      data integrity and, 5
      DAV and, 281
      deleting files and, 38
      downloading source code and, 94
      fine-grained control, 33
      flag usage, 39-41
      jails and, 301
      locking down, 385
      overview, 33, 34
      PHP and, 275-276
      ports system and, 131
      private key and, 272
      security and, 5
      security considerations, 14-16
      segregating, 302
      Sendmail and, 229, 231
      UFS filesystem flags, 34-39
      user/group/other model, 119
      world, 119, 120, 385
permit action (ipfw), 319
PermitRootLogin option (sshd_config), 105, 110
permit_sasl_authenticated directive, 254
PF (Packet Filter)
      additional resources, 335
      basic configuration, 325-330
      IPFW and, 315-316
      overview, 314
      Snort and, 352, 353
pf_enable option (IPFW), 326
pflog interface
      BPF and, 315
      logging, 330
      packets and, 328, 352
      Snort and, 352
pflog_enable option (PF), 326
pf_rules configuration option, 326
pfsync keyword, 334
PGP (Pretty Good Privacy), 48, 223
PgSQL option (Postfix), 243
PHP
      ACID and, 353
      additional resources, 303
      configuring, 276-277
      disabling, 271
      mod_userdir and, 283
      SquirrelMail, 257
      thttpd and, 292
PHP module (Apache), 274, 275-277, 302
php.ini file, 276
php.ini-dist file, 276
php.ini-recommended file, 276
physical layer, 12
physical security, 18
PIDs (process IDs), 50
ping command, 322
pipe (|), 371
pipe service (Postfix), 246
pkg_add executable, 66
plaintext authentication, 254, 256
Pluggable Authentication Modules (PAM), 109
plus sign (+), 202, 369
pointer record (see PTR record)
POP (Post Office Protocol)
      authentication and, 222
      mail access and, 255
      mail delivery and, 207
      syslogd and, 367
      webmail and, 257
portmap command, 153
portmap security profile (FreeBSD), 90
PORT_REPLACES_BASE_BIND9 flag, 132, 190
ports
      Apache and, 293, 298
      HTTPS, 290
      logcheck and, 387
      mirror, 342
      monitoring, 164
      network scans, 52
      OpenBSD and, 193
      Sendmail and, 227, 228
      SMTP and, 322
      span, 342
      TCP, 351
      UDP, 365, 374, 376, 379, 380
ports distribution (FreeBSD), 89
ports system
      FreeBSD, 65
      installing software, 130-133
      OpenBSD, 70
portupgrade command, 131, 133, 270
POSIX access control lists (FreeBSD), 33, 41-44
Poskanzer, Jef, 292
Post Office Protocol (see POP)
POST request (HTTP), 210, 280
Postfix
      additional resources, 258
      authentication, 253-255
      author of, 408
      blocking unwanted email, 250-253
      configuring, 247-249
      installing, 242-244, 253
      limiting DoS attacks, 249-250
      overview, 241
      restarting, 247
      secure file distribution, 161
      security and, 11, 244-249
      syslogd and, 367, 375
PostgreSQL database, 254
preferred MX server, 217
PREFIX environment variable, 227
Premium thttpd, 292, 303
Pretty Good Privacy (PGP), 223
printers, logging to, 370
printf function, 10
PrintMotd option, 113
PrivacyOptions option (sendmail), 232-234
private IP address, 299, 302
private keys
      Apache and, 298
      cryptography and, 121, 162
      id_dsa, 109
      OpenSSL and, 284
      SSL and, 51, 272, 290
privilege separation, 372, 375
process IDs (PIDs), 50
processes
      BIND versus djbdns, 186
      forking, 50, 57, 151, 228, 372
      jail and, 61
      looking for, 406
programs (see applications)
PROPFIND method (DAV), 281
ProPolice stack protection, 69, 73
Protocol option (sshd_config), 110
proxymap service (Postfix), 246
Psionic, 386
PTR (pointer) record
      mail servers and, 217
      MX record and, 176
      reverse, 181, 202
public key authentication, 109
public key certificates, 272, 290
public keys
      cryptography and, 121, 162
      id_dsa.pub, 109
      ssh and, 109
public value (PrivacyOptions), 234

Q[ Top ]
qmail mailer, 11, 255
QoS (Quality of Service), 315, 326
Qpopper, 255, 259
Quality of Service (QoS), 315, 326
quarantine, 214
queries
      ACID and, 353
      HIDS and, 338
      recursive, 179, 182, 185, 203
query-source option (BIND), 196
QUERY_STRING environment variable, 280
queso command, 53
question mark (?), 359
queue files, 232
QueueFileMode option (sendmail), 232
queuing section (pf.conf), 326
quick keyword, 328
QUIT command (SMTP), 220

R[ Top ]
race conditions, 10, 50
random number generators, 292
raw devices, 47, 48
Raymond, Eric, 15
RBLs (real-time blacklists), 216, 238, 252
RC2 algorithm, 290, 291
RC4 algorithm, 290, 291
rc.conf file
      BIND 9 and, 190
      immutability of, 49
      IPFW firewall_type, 317
      launching BIND from, 195
      OpenBSD and, 103
      screen blanking, 115
      syslogd_flags variable, 372
      turning off services, 94
      tweaking, 79
rc.conf.local file
      disabling services, 103
      immutability of, 49
      PF and, 325
      pflogd and, 330
      rdate and, 114
      rdate_flags, 113
      syslogd_flags variable, 372
      tweaking, 79
rc.firewall file, 318
rcmd command, 141
RCPT TO: command (SMTP), 220
RCS (Revision Control System), 134, 137
rdate command (OpenBSD), 113
rdate_flags option, 113
rdist command, 127
rdonly option (mount), 108
rdump command, 141
read permission
      ACLs and, 41
      expectations for, 120
      securelevel and, 48
      Unix standard, 33
      wheel group and, 107
Real Secure, 345
real-time blacklists (RBLs), 216, 238
Received (SMTP header), 221
recursion, limiting, 179, 182
recursive queries, 179, 182, 185, 203
RedHat operating system, 345
REFERER checks, 211
refuse files, 96
register_globals setting (PHP), 276
registration hijacking, 178, 179
regression testing, 25
regular expressions, 390
reject suspect mail, 214
REJECT value (Sendmail), 237
reject_rbl_client directive, 252
RELAY value (Sendmail), 237
relay-domains file, 237
reliability
      FreeBSD and, ix
      syslogd and, 375
      syslog-ng and, 376
      UDP and, 373
remote administration, 76, 93, 188
repository, CVS, 134-137, 160
Request for Comments (see RFCs)
reset action (ipfw), 319
resolv.conf file, 5, 79
--restart-time command-line argument, 391
restore command, 138
restrictexpand value (PrivacyOptions), 234
restrictmailq value (PrivacyOptions), 234
restrictqrun value (PrivacyOptions), 234
reverse zones, 175, 180
Revision Control System (RCS), 134, 137
RFC 931, 111
RFC 1135, 209
RFC 1918, 299, 321, 327
RFC 1945, 281
RFC 2068, 281
RFC 2196, 19
RFC 2246, 288
RFC 2518, 280
RFC 2554, 221
RFC 2845, 199
RFC 3195, 375
RFC 3330, 321
RFC-ignorant.org, 216
RFCs (Request for Comments)
      DNS-related, 206
      logging-related, 395
      mail-related, 216, 259
      security-related, 31
      web-related, 304
RIP routing protocol, 313
risk mitigation
      authorized_keys file and, 160
      considerations, 3
      controlling mail flow, 212
      DNS attacks and, 177-179
      DoS attacks and, 13
      listening services, 103
      malware and, 11
      NTP servers, 163
      overview, 19-23
      recommendations, 11
      response planning and execution, 147-149
      syslogd and, 373, 375
risks
      accepting, 22
      and consequences, 20-21
      DNS and, 174-183
      DoS attacks, 12-13
      identifying, 6
      identifying attacks, 7
      improper configuration and use, 13-17
      infrastructure servers and, 149
      Internet connectivity and, 307
      network installations and, 78
      network versus local attacks, 17
      physical security, 18
      problems in software, 7-11
      security and, 3, 4, 6
      transferring, 23
      (see also vulnerabilities)
rlogin protocol, 121
rlogind command, 149
rm command, 123
rndc command, 183, 198
rndc.conf file, 198, 199
rndc-confgen script (BIND 9), 198
rndc.key file, 199
Roesch, Marty, 346
root access
      log monitoring and, 386
      NIS and, 154
      ports system and, 131
      safeguarding, 128, 129
      sendmail and, 228
      setuid binary and, 229
      su command and, 127
      syslogd and, 375
Rootkit Hunter, 407
rootkits, 407
routers
      denied traffic, 323
      NAT and, 49, 316
      protocols and, 313
Rowland, Craig, 386
RPC, 153, 154, 348
RSA algorithm, 291
rsh protocol, 121
RSH variable, 140
rsync command, 127, 180, 189
rules keyword (pfctl), 329
rulesets
      IPFW and, 315, 319, 327
      PF and, 326
      updating, 324
      validating, 329
      verbose output, 329
RunAsUser option (sendmail), 235
ruserok command, 141

S[ Top ]
-s flag
      pfctl, 329
      pflogd, 330
-s option (syslogd), 372, 380
SafeFileEnvironment option (sendmail), 235
SANS Security Policy Project, 19
sappnd flag
      behavior, 35, 37
      kernel and, 47
      locking down files, 385
      log files and, 385
      newsyslog and, 112
SASL (Simple Authentication and Security Layer)
      additional resources, 258
      authentication and, 221, 241, 243
      overview, 239-241
      Postfix and, 246, 253-255
      TLS and, 243
SASL2 option (Postfix), 242
saslauthd daemon, 241, 255
SASLAUTHD option (Postfix), 242
saslpasswd command, 241
saslpasswd2 command, 254
schg flag
      behavior, 35
      directories and, 35
      files and, 39, 40
      FreeBSD and, 91
      httpd.conf and, 273
      kernel and, 47
      setting on, 34
scp (secure copy) command, 155-161
scponly product, 76
scrollback buffers, 115
scrub section (pf.conf), 326
SCSI bus, 48, 62, 84
SEARCH method (DAV), 281
secure by default approach, 103
secure level
      locking down permissions, 385
      securelevel 0, 47
      securelevel -1, 46
      securelevel 1, 47, 102
      securelevel 2, 48
      securelevel 3, 49
      securelevel variable, 34, 45-50
Secure MIME (S/MIME) standard, 223
Secure Sockets Layer (see SSL)
securelevel 0, 47
securenets file, 154
security
      accountability and, 126
      ACID and, 354
      additional resources, 31, 169
      administration and, 129-141
      Apache and, 267
      applications and, 264
      audits and, 363
      availability and, 6, 81
      BIND and, 196
      CIA Triad of, 4
      confidentiality and, 4, 5
      data integrity and, 5
      DHCP and, 80
      djbdns and, 184
      DNS and, 173
      firewalls and, 305, 306, 314
      HTTP URL encoding and, 263
      IDS events and, 337
      infrastructure servers, 75, 76
      inherent protections, 33
      jail options, 64
      as a journey, 3
      kernel and, 45-50
      kernel variables, 44, 50-53
      local, 114-116
      log consolidation and, 378
      logcheck.sh script, 387
      loghosts and, 378, 379
      mail access and, 255-257
      mailing lists, 145
      mod_dav and, 281
      mod_perl module and, 278
      mod_userdir and, 283
      multipurpose systems, 76-78
      MX records and, 176
      NAT and, 316
      network service and, 162-163
      NTP and, 162
      obscurity and, 29
      overhead in, 74
      physical, 18
      Postfix, 244-249
      process and principles, 23-31
      responding to risk, 19-23
      response to vulnerabilities, 144-149
      risk and, 3, 4, 6-18
      root volume and, 83
      securelevel and, 49
      Sendmail and, 227, 229-236
      sensors and, 345
      SMTP and, 221-223
      spider architecture and, 309
      thttpd and, 292
      web servers and, 302
      webmail and, 257
      workgroup servers, 75
      workstations, 75
      XFree86 and, 85
security facility (FreeBSD), 365, 367
Security Focus web site, 386, 413
security script (OpenBSD), 392
security-announce list (OpenBSD), 145
security.bsd.see_other_gids variable, 60
security.bsd.see_other_uids variable, 60
SecurityFocus mailing lists, 145, 169
security.jail.socket_unixiproute_only variable, 64
security.jail.sysvipc_allowed variable, 65
security-through-obscurity, 282
sed command, 156
SELECT statement (MySQL), 351
Self-Certifying File System (SFS), 151
Sender Policy Framework (see SPF)
Sendmail mailer
      additional resources, 258
      attacks and, 209
      authentication, 239-241
      blocking unwanted mail, 237-239
      configuring, 227-236, 240-241
      encryption, 239-241
      limiting DoS attacks, 236-237
      overview, 226-227
      syslogd and, 367
sendmail security profile (FreeBSD), 90
sendmail service
      forking processes and, 50
      FreeBSD and, 93
      ktrace command and, 57
      OpenBSD and, 105
      security and, 11
sendmail.cf file, 229, 230
sendmail.mc file, 237
sendmail-sasl port (FreeBSD), 240
sensors
      ACID and, 353
      attacks and, 348
      firewalls and, 342
      hardware, 346
      NIDS and, 339, 340
      security and, 345
      Snort and, 346, 349, 351
server.crt file, 272, 290
server.key file, 272, 273, 290
server-parsed handler, 278
server-side-include (SSI), 278-280, 283
SERVICEDIR environment variable, 191
services
      availability of, 6
      determining conditions for starting, 103
      infrastructure servers and, 76
      listening, 103
      multipurpose systems and, 76
      restarting key, 121
      segregating, 28, 77
      turning off unnecessary, 93, 105
seteuid command, 228
setfacl command, 43, 44
setgid command
      changing group owner, 15
      nosuid option (mount), 108
      security and, 83
      sendmail binary and, 228
      sysctl variables and, 52
setreuid command, 228
setuid command
      BIND and, 193
      cgiwrap and, 286
      danger of, 14
      mod_suexec and, 287
      nosuid option (mount), 108
      removing, 15
      root access and, 229
      security and, 83
      sendmail binary and, 228
      sysctl variables and, 52
setup option (ipfw), 319
SFS (Self-Certifying File System), 151
sgid command, 15
SHA-1 hashing algorithm, 333
shadow passwords, 154
shell accounts, 118
SHELL environment variable, 126
show command (ipfw), 323, 324
Simple Authentication and Security Layer (see SASL)
simple firewall_type (IPFW), 318
Simple Mail Transfer Protocol (see SMTP)
size field (newsyslog), 382
-skip-keypress flag (Rootkit Hunter), 407
skipto action (ipfw), 320
S/MIME (Secure MIME) standard, 48, 223
smrsh command, 230
SMTP AUTH, 221
SMTP (Simple Mail Transfer Protocol)
      additional resources, 258
      authentication and, 239, 242
      commands, 218-220
      design problems, 208
      encryption and, 243
      envelope and header, 220-221
      ETRN command, 233
      external mail servers and, 226
      milters and, 238
      name resolution and, 217
      port accessibility, 322
      restricting unneeded commands, 248
      security and, 221-223
      Sendmail and, 227
      webmail and, 257
smtpd banner, 248
smtpd daemon (Postfix)
      chroot and, 244, 246
      error thresholds, 249
      root access and, 245
      spawning, 241
smtpd_error_sleep_time variable (Postfix), 249
smtpd_helo_restrictions variable (Postfix), 251
smtpd_recipient_limit variable (Postfix), 250
smtpd_recipient_restrictions variable (Postfix), 251, 252, 254
smtpd_sasl_auth_enable option (Postfix), 254
smtpd_soft_error_limit variable (Postfix), 249
Snort, 346-353, 360
SOA (start of authority) record, 202, 204
sockets
      jails and, 64
      logging, 365, 372
      syslogd and, 372, 375
sockstat command (FreeBSD), 94
software
      buffer overflows, 8, 9
      change control, 133-137
      chroot and, 55
      format string error, 10
      identifying problems in, 7, 8
      installing, 129-133
      installing in jail, 65-66
      protecting, 11
      race conditions, 10
      SQL injection and, 9, 10
      web server choices, 266-267
      web-based attacks, 11
      (see also applications)
Solaris operating system, 345
Sourcefire, 346
spam
      additional resources, 258
      backup MX servers and, 218
      DNS and, 176
      HELO request and, 251
      increase in, 208
      open relay and, 208
      SPF and, 222
      stopping, 214-216
      as unwanted mail, 211
Spam Cop, 216
SpamAssassin
      additional resources, 258
      content filtering with, 215
      internal mail servers and, 225
      mail relays and, 226
      milter-regex file and, 238
      Postfix and, 245
      SPF and, 222
SpamCop, 258
spanning tree protocol, 313
SPF option (Postfix), 243
SPF (Sender Policy Framework)
      additional resources, 258
      functionality, 243
      overview, 222
spider architecture, 308-309
spoofed packets, 328
spoofing
      DNS, 178
      false positives and, 345
      IP addresses, 12
      jail and, 61
      zone transfers and, 180
spoofing attacks, 321
spyware, 211
SQL injection, 9, 10, 11, 264
SquirrelMail, 257, 259
src distribution (FreeBSD), 89
SSH
      cryptography and, 69
      NFS over, 152
      Protocol option (sshd_config), 110
      schg flag and, 39
ssh (secure shell) service
      backups and, 140
      connecting using, 121, 122
      CVS repository and, 135
      file distribution over, 155
      zone transfers and, 180
ssh-add command, 160
ssh-agent command, 159, 160
sshd (secure shell daemon)
      access control and, 121
      activating, 102
      Banner configuration option, 113
      enabling, 90
      FreeBSD and, 93
      inetd and, 151
      locking down, 109-111
      OpenBSD and, 105
      security and, 379
      Snort and, 347
sshd security profile (FreeBSD), 90
sshd_config file, 105, 110-111, 122, 158
ssh-keygen command, 109, 122
SSI (server-side-include), 278-280, 283
SSL (Secure Sockets Layer)
      additional resources, 303
      Apache and, 269
      authentication and, 354
      certificates and, 181, 272, 289
      CPU usage, 292
      cryptography and, 69
      DAV and, 281
      enabling, 290
      private keys and, 51
      SSL/TLS connection, 173, 175
      starting servers and, 298
      thttpd and, 293
      TLS and, 221, 288
      web servers and, 272
SSLCipherSuite directive, 290
-STABLE branch (FreeBSD), 95, 144
stack protection, 69
staff group, 118
start of authority (SOA) record, 202, 204
state keyword (pfctl), 329
stream4 preprocessor, 348
StrictModes option (sshd_config), 111
strong passwords
      creating, 16
      FreeBSD and, 92
      mail access and, 256
      OpenBSD and, 101
      recommendations, 86
stunnel command, 376, 394
su command
      privileged access, 122
      sudo package and, 125-128
      super-user privileges, 86
      wheel group and, 15, 86, 107
submit.cf file, 235
SU_CMD option (make.conf), 131
SUDO option (mk.conf), 131
sudo package
      apachectl, 288
      configuring, 93, 104, 122-125
      creating devices, 194
      installing, 92
      privileged access, 122
      privileged commands, 104
      restarting key service, 121
      Sendmail and, 231
      su command and, 125-128
      super-user privileges, 86
      wheel group and, 107
sudoers configuration file
      creating customized, 123
      editing, 93, 104
      revoking privileges, 126
      root access and, 127
suexec module (Apache), 283, 287-288, 302
SUEXEC_CALLER option (Apache), 269, 270
SUEXEC_DOCROOT option (Apache), 269, 270
SUEXEC_GIDMIN option (Apache), 269, 270
SUEXEC_LOGFILE option (Apache), 269, 270
SUEXEC_SAFEPATH option (Apache), 269, 270
SUEXEC_UIDMIN option (Apache), 269, 270
SUEXEC_UMASK option (Apache), 269, 270
SUEXEC_USERDIR option (Apache), 269, 270
suiddir option (mount), 108
sunlnk flag, 35, 38
SunONE, 266
swatch, 343, 386, 389-391, 395
swatch_oldrc2newrc binary, 389
switches, 313, 342
symmetric keys, 374
SYN packets
      dropping, 53
      firewalls and, 352
      ipfw and, 318, 319
      network scans, 52
synchronization, 76, 331
sysctl command, 44-53, 323
sysctl variables, 51, 60, 64
sysctl.conf file, 70, 102
sysinstall command, 87, 88, 113
syslog facility
      actions, 370-371
      functionality, 367
      IPFW and, 315, 317
      OpenBSD and, 365
Syslog relay, 379-381
syslog system call, 373
syslog.conf file
      configuring, 365
      debugging and, 371
      keeping smaller logs, 383
      logs and, 380
      program/hostname matching, 369
      syslog facilities, 365-368
      syslog levels, 369
syslogd (syslog daemon)
      actions, 370-371
      configuring, 365
      debugging, 371
      drawbacks of, 373-375
      FreeBSD and, 372
      as monolithic, 375
      OpenBSD and, 372
      replacements for, 375-377
      running, 371-373
      UDP datagrams and, 103
syslogd_flags configuration entry, 244
syslogd_flags variable (rc.conf), 372
syslogd_flags variable (rc.conf.local), 372
syslog-ng, 375, 376, 394
system administrators (see administrators)
system logging (see logging)
system no unlink flag (sunlnk), 35, 38
system time
      FreeBSD and, 91
      NTP and, 161-163
      restriction on, 48
      securelevel and, 113
System V IPC, 64, 65
systems
      administration considerations, 77
      monitoring health, 163-168, 169
      patching and, 141
      security and, 76-78
      as Syslog relay, 379-381

T[ Top ]
-t flag (snort), 349
tables section (pf.conf), 325
tag suspect mail, 215
taint rules (Perl), 278
tap, 341, 342
tar command, 124, 138
TASK (The @stake Sleuth Kit), 408
TCO (total cost of ownership), 77, 338
TCP
      DNS and, 199
      inetd and, 149
      IPFW and, 322
      ipfw command and, 318, 319
      monitoring port, 164
      msyslog and, 377
      net.inet.tcp.drop_synfin variable, 53
      network scans, 52
      PF configuration and, 326
      port, 351
      SYN packet, 318, 319
      syslog-ng and, 375, 376
      UCSPI, 192
      zone transfers and, 188
tcpd (tcpwrappers daemon), 150
tcpdump command, 315, 330
TCP/IP, 227
tcpwrappers
      inetd and, 149-151
      login banners and, 112
      NFS and, 153
      NRPE and, 167
tcsh shell, 115
TCT (The Coroner's Toolkit), 408
telnet protocol, 121
telnetd command, 149
TempFileMode option (sendmail), 232
temporary files, 232
testing, regression, 25
The Coroner's Toolkit (TCT), 408
The Sleuth Kit (TSK), 408-412
The @stake Sleuth Kit (TASK), 408
thin jails, 62
three-legged firewall, 308
threshold.conf file (Snort), 348
throttle action (swatch), 391
throttling rules, 293, 294
thttpd web server
      additional resources, 303
      configuring, 293-295
      installing, 293
      overview, 292
      popularity of, 260
      static pages and, 266
time (see system time)
time-of-check-to-time-of-use (TOCTTOU) vulnerability, 10
Tiny HTTP daemon (see thttpd web server)
tinydns server (djbdns)
      daemontools and, 192
      maintenance, 201-203
      recursion and, 179
      running, 201
      zone data and, 191
TLD (top-level domain) servers, 178, 179
TLS option (Postfix), 243
TLS (Transport Layer Security), 240
      encryption and, 243
      overview, 221
      Postfix and, 253-255
      RFC 2246, 288
      SMTP and, 240, 243
/tmp filesystem, 84
To (SMTP header), 221
TOCTTOU vulnerability, 10
toor account (FreeBSD), 107
top-level domain (TLD) servers, 178, 179
total cost of ownership (TCO), 77, 338
traceroute command, 15, 322
transaction signatures (see TSIG)
transient files, 232
translation section (pf.conf), 326
transparent firewalls, 309, 310
Transport Layer Security (see TLS)
Tripwire
      checksums and, 404
      as HIDS, 355
      monitoring and, 385
      permissions and, 229
Trojan horses, 182, 355
trust
      certificates and, 30, 174
      data integrity and, 5
      DHCP and, 80
      DNS servers and, 218
      external messages and, 214
      implicit, 151
      internal hosts, 210
      servers and, 199
      SSL/TLS, 173
      zone transfers and, 180
Trusted Information Systems, Inc., 386
TrustedBSD project, 73
TrustedUser option (sendmail), 236
TSIG (transaction signatures)
      BIND and, 183
      overview, 199-201
      permissions and, 198
      zone transfers and, 180
TSK (The Sleuth Kit), 408-412
tty, logging to, 371
tunefs command, 42
tunneling, 97, 152, 374
two-factor authentication, 109, 122, 257
twofish encryption, 374

U[ Top ]
-u flag (snort), 349
-u option (syslogd), 372
uappnd flag, 35, 37
UCE (see spam)
uchg flag, 35, 36, 273
UCONSOLE option (FreeBSD), 98
UCSPI (Unix Client-Server Program Interface), 192
ucspi-tcp tools, 192
UDP (User Datagram Protocol)
      DNS and, 199
      inetd and, 149
      IPFW and, 318, 322, 324
      loghosts and, 379
      minirsyslogd and, 376
      monitoring port, 164
      msyslog and, 377
      netcat and, 374
      network scans, 52
      port used, 365
      reliability and, 373
      spoofing, 178
      syslogd and, 372
      system logger and, 103
      zone transfers and, 188
UFS (Unix filesystem)
      ACLs and, 41-44
      filesystem flags, 34-39
      support for, 33
UFS2 filesystem
      ACLs and, 42
      FreeBSD and, 33, 41, 87
UFS_ACL option, 42
UID (user ID)
      CGIs and, 269
      implicit trust, 151
      PHP and, 276
      processes and, 61
      scripts using, 158
      of zero, 405
umask (user file-creation mask), 119, 120
UNICODE characters, 263
Unicode decoder (IIS), 349
unionfs filesystem, 38
Unix Client-Server Program Interface (UCSPI), 192
Unix filesystem (UFS)
      ACLs and, 41-44
      filesystem flags, 34-39
      support for, 33
Unix operating system
      accounts and permissions, 14
      BSD systems and, 32
      chroot and, 59
      defects in software, 53
      device styles, 47
      direct delivery and, 217
      kernel securelevels and, 46, 47
      Sendmail and, 226
      syslogd, 373
      system security and, 4
      TCT, 408
      user/group/other permissions, 119
      viruses and worms, 239
      wheel groups and, 15
      workgroup servers and, 75
UNSECURE mode, 154
unsolicited commercial email (see spam)
UPDATE statement (MySQL), 351
updating
      dynamic, 187, 198, 200
      FreeBSD, 94-99
      OpenBSD, 106
      Osiris and, 360
upgrading
      administration and, 141-144
      FreeBSD, 99
      mitigating vulnerabilities, 210
      Osiris and, 360
      response planning and execution, 148
      security considerations, 30, 81
URIs, 210
URLs, 210, 281
USB option (FreeBSD), 98
UsePrivilegeSeparation option (sshd_config), 111
user accounts (see accounts)
User Datagram Protocol (see UDP)
user facility, 365, 368
user ID (see UID)
users
      configuring, 107
      controlling access, 118-121
      creating in OpenBSD, 104
      looking for added, 405
      secure installation and, 86
      security considerations and, 14
      tracking, 164
uucp facility, 365, 368
uunlnk flag, 35, 38, 41

V[ Top ]
-v flag
      pfctl, 329
      syslogd, 371
/var filesystem, 84
variables_order setting (PHP), 277
Venema, Wietse, 241, 408
VerifyReverseMapping option (sshd_config), 111
Verisign, 289
version option (BIND), 196
version.bind TXT record, 196
versions
      Apache web server, 267
      conflicts with, 131, 132
      multiple, 132, 133
      release engineering, 143
      reporting fake numbers, 285
      tracking branches, 142
      two-tiered architecture and, 302
vertical bar (|), 371
vhid (virtual host ID) variable, 333
vi binary, 123
via option (ipfw), 319
Viega, John, 27
vipw command, 104, 123
virtual host ID (vhid) variable, 333
virtual private networks (VPNs), 256
Virtual Routing Redundancy Protocol (VRRP), 331
virtual service (Postfix), 246
virtual tty, logging to, 371
virus protection
      internal mail servers, 225
      mail relay and, 225
      malware and, 239
      Postfix, 252
      resource savings and, 211
viruses
      defined, 209
      mail relay and, 225
      mail servers and, 208
      malware and, 211
      stopping, 214-216
      Unix and, 239
VISUAL environment variable, 123
visudo command, 123
VMailer, 241
VPNs (virtual private networks), 256
VRFY command, 234
vrfy command (Postfix), 249
VRRP (Virtual Routing Redundancy Protocol), 331
vuln-dev (Vulnerability Development) list, 145
vulnerabilities
      Apache and, 295
      arbitrary program execution, 263
      buffer overflow, 17
      CGI programs, 288
      DNS software, 174
      DoS attacks and, 12
      honeypots and, 343
      hosts and, 78
      mail access and, 256
      mail software, 209
      monitoring suites and, 164
      OpenBSD install and, 100
      patching, 21, 24
      Perl and, 277
      preexisting, 80, 81
      scanning for, 29
      security response, 144-149
      Sendmail and, 209, 227
      Snort and, 348
      TOCTTOU, 10
      X Window System and, 85
      (see also risks)

W[ Top ]
warning level (syslog), 368
watchfor statement (swatch), 389, 390
Watson, Robert, 60
weakest link principle, 27
web browsers, 290
web servers
      architecture, 265-267
      attacks on, 261-264
      ciphers and, 290
      core dumps and, 51
      effects of hacking, 261
      firewalls and, 307, 314
      information leaks, 284
      jails and, 295-302
      problems and, 260
      security and, 302
      software choices, 266-267
      Zeus, 267
      (see also Apache web servers; thttpd web server)
web spiders, 11
WebDAV, 301
webmail, 21, 257
wheel group
      OpenBSD and, 104, 107
      su command and, 15, 86, 127
when field (newsyslog), 382
when option (swatch), 391
WiFi hotspots, 221, 311
Windows Advanced Server 2003, 187
Windows NT, 367
Windows XP, 311
WITH_APACHE2 flag (Apache), 269
--with-mysql flag (Snort), 347
WITHOUT_MAN environment variable, 192
WITHOUT_SSL option (Apache), 269, 270
WITH_SUEXEC option (Apache), 269, 270
workgroup servers
      controlling access, 118
      mail servers as, 212, 213
      security and, 75
      X applications and, 85
workstations
      authentication and, 110
      defined, 307
      DHCP and, 80
      null client, 224
      OpenBSD and, 105, 106
      redirecting mail to, 212
      reduced costs for, 77
      security and, 75
worms
      defined, 209
      mail servers and, 208
      malware and, 211
      stopping, 214-216
      Unix and, 239
Wright, Matt, 210
write permission
      ACLs and, 41
      expectations for, 120
      securelevel and, 48
      Unix standard, 33
wsconsctl (OpenBSD), 115
WU-IMAP, 255
www user, 286
W^X memory protection, 68

X[ Top ]
X distribution (FreeBSD), 89
X server, 85, 102
X Window System, 75, 85
X11Forwarding option (sshd_config), 111
X11UseLocalhost option (sshd_config), 111
X-Authentication-Warning headers, 233
xbase35.tgz distribution set (OpenBSD), 101
XBitHack directive, 278
xconsole command, 98
XFree86, 85, 92
XSS (cross-site scripting), 11, 264

Y[ Top ]
Yellow Pages (yp), 153
yp (Yellow Pages), 153
ypbind daemon, 154
ypinit daemon, 161
ypserv daemon, 154

Z[ Top ]
Z flag (newsyslog), 382
Z record, 202
Zeus web server, 267
zone maintenance, 180-181, 186
zone transfer (AXFR)
      authenticating, 200
      BIND versus djbdns, 185
      DNS-based risks, 180
      logging, 198
ZoneAlarm firewall, 311

	
