452 Chapter 14 Study Guide

You should be able to get a prompt for these services. Afterwards, turn these services off.

2.Logged in as root, switch to the /etc directory, and use any text editor — vi, for example — to edit the file inetd.conf

vi inetd.conf

3.The file contains listings of popular services. Turn off the FTP and telnet services because the server is not going to be an FTP server, and you should always use SSH to remotely administer the machine.

Look for these lines in the file:

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l-a telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

4.To disable the services, simply comment them out of the file. Using the vi editor, add a “#” sign in front of these two statements so they look like the following:

#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l-a #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

5.Restart the inetd daemon and reload the configuration file to enable the new settings:

killall -HUP inetd

6.Try to telnet and FTP to the system; it should tell you that the connection was refused because you have turned off the services.

ftp localhost telnet localhost

Answers to Chapter Questions

Chapter Pre-test

1.The longer a password remains on an account, the easier it can be cracked or guessed through brute force methods.

2.If users are on a data-specific contract, you should set the expiration date for their last day to ensure they can’t access the system when they are no longer employees.

3.You can set the SUID (Set-User-ID) permission to allow a user to run an application with the privileges of the owner of that file.

4.Creating separate partitions enhances security by keeping system files separate from user operations, where they won’t be able to affect them.

5.Only the system administrators and one or two key members of management should know the root password.

Chapter 14 Study Guide 453

6.By periodically auditing your filesystems, you can keep track of any odd behavior, such as repeated attempts at failed logins or file access. This should be a warning flag that an unauthorized user is attempting to access the system.

7.SUID and GUID stand for Set-User-ID and Set-Group-ID, respectively, which are permissions that can be set on executable files to allow users to run that file as if they were the file’s owner.

8.A firewall can filter incoming network traffic so that only authorized network traffic can reach the local network.

9.If that application or daemon is using a root account, the service can be exploited, and an attacker may be able to gain root access through a vulnerability with that service.

10.Telnet and FTP use unencrypted clear text within their sessions, which can easily be picked up by unauthorized users using network analyzing devices.

Assessment Questions

1.B. By updating your kernel and package versions, you can ensure that you are using the latest versions that contain the most recent security updates. For review, see the “System Security” section.

2.A. Telnet is a very insecure method of remotely logging in to a Linux system, because the session is sent across the network with unencrypted text, and someone can easily use a network tool to find out the password. For review, see the “Remote logins” section.

3.C. Because the contract will run out in six months, the administrator should set the expiration date for their account at that time, so that if the employee leaves or does not have their contract renewed, the account will be automatically disabled. For review, see the “User account and password management” section.

4.D. The finger service should be disabled because a remote user can get important information about the system by using that command. The other services are essential for this system to function. For review, see the “inetd services” section.

5.C. The tapes should be sent to an offsite storage facility. This prevents the tapes from being destroyed during a natural disaster at the server site. It also prevents the tapes from being stolen. For review, see the “System Security” section.

6.B. When a user logs in to the server, they are immediately put into the root directory of the system, which gives the person a full view of the entire server. The FTP root directory should be in its own directory, away from any system critical files. For review, see the “Securing an FTP server” section.

7.A. To enhance password security, the minimum length should be set for at least six to eight characters. No rules exist for having ordered or capital letters; multiple users can duplicate a password. For review, see the “User account and password management” section.

454 Chapter 14 Study Guide

8.C. By removing the “Options Indexes” directive from the configuration file, the server won’t show directory listings if requested by a user. This is a security measure so that remote users can’t scan the directory tree of the server looking for security holes. For review, see the “Securing a Web server” section.

9.D. By enabling shadow password, the /etc/passwd file is “shadowed” to /etc/shadow, where only the root user can access the file, and the file is encrypted. For review, see the “Password encryption” section.

10.D. All of these services should be disabled if the server is not being used for mail purposes. Leaving them running can increase the chance of a security vulnerability being exploited, and unauthorized use of sendmail relay. For review, see the “inetd services” section.

11.A. Your root password should be immediately changed from your initial installation to a more secure password. For review, see the “System Security” section.

12.C. To prevent further use of the account, which is an immediate security risk, disable it and set a temporary password for the user for the next time they login. For review, see the “User account and password management” section.

13.D. Environmental security is helpful, but the most important security aspect of a server room is its ability to be secured and locked from unauthorized users. For review, see the “Securing the Environment” section.

14.D. Because the system administrator knows the root password for the system, it should be changed immediately to prevent them from tampering with the system. For review, see the “System Security” section.

15.A. The anonymous FTP account should be disabled, so that only users with a username and password can access the system. For review, see the “Securing an FTP server” section.

16.B. The Set-User-ID is a special permission that can be set on executable files so that anyone running that application can do so with the equivalent permissions of the owner of that file. This is a dangerous permission because it can create security vulnerabilities when the file owner is a root login. For review, see the “Process security” section.

17.C. By enabling password rotation, the administrator can set up a time period for which the users must change their password; for example, every 90 days. For review, see the “User account and password management” section.

18.B. SSH (secure shell) is the most secure method of remotely connecting to a system because it encrypts the entire session. Traditional access methods such as telnet or FTP use clear text during their sessions, which can be easily intercepted by unauthorized users. For review, see the “Remote logins” section.

19.A. Encryption using md5 algorithms allows encrypted passwords of up to 256 characters in length. For review, see the “Password encryption” section.

20.D. A firewall is used to filter packets coming into a local network in order to protect internal systems from external networks, such as the Internet. For review, see the “Network security” section.

Chapter 14 Study Guide 455

Scenarios

1.You can configure many different settings to enhance account and password security.

•The minimum password length should be set to six to eight characters.

•Password rotation should be set up so that users are required to change their passwords periodically. A good setting is between 90-180 days.

•Expiration dates should be set on accounts for contract or temporary employees.

•An account should be locked after a certain amount of failed login attempts. A good setting is three to five attempts.

2.Because the company’s network has no network protection, the first item to set up is a firewall. This will filter incoming network packets, and only allow certain protocols and networks to access the system. It should be set up so that only users on the local network can access the machine.

The original Web server was set up with the DocumentRoot setting set to the root filesystem. The Web documents should be in their own directory or partition, away from critical system files. Create a new directory called /home/ httpd/docs, and set the DocumentRoot to this new location.

458 Part V Maintaining the Linux System

CHAPTER PRE-TEST

1.What do you use the dump command for?

2.Why should Linux system files be backed up?

3.What is the purpose of the cpio command?

4.Why should restores not be sent to the original location?

5.What is the importance of offsite storage?

6.How often should you back up critical user data?

7.What is the purpose of the tar command?

8.What backup method backs up all files that have been modified since the last full backup?

9.What is the purpose of the restore command?

10.What backup method backs up only files that have been modified since the last backup?

Answers to these questions can be found at the end of the chapter.