Chapter 10 - Securing Your System Flashcards
Identify the purpose of a super server
page 568 Super servers (also called super daemons), such as inetd and xinetd, manage incoming network connections connections for multiple servers. They can ass security and convenience features and they can help to minimize the memory load imposed by seldom accessed servers.
Explain the function of super server port access controls
page 568
Super servers or programs call by them (such as TCP wrappers) can restrict access to ports for the servers they manage. These restrictions occur at a higher level than a firewall’s restrictions and they apply only to the servers managed by the super server.
Summarize the tools that you can use to identify the servers running on a computer
page 568
The netstat and isof programs both provide options to list all (or a subset of) the open network connections as well as programs that are listening for connections. Remote network scanners, such as Nmap, can probe another computer for open network ports. The fuser program can determine the processes currently using a particular network port. Perusal of local configuration files can also provide clues as to what’s running on a computer.
Describe why SUID and GUID programs are potentially risky
page 568
The set user ID (SUID) and set group ID (SGID) bits tell Linux to run the program as the user or group that owns the file. This is particular risky when root owns the program file because it essentially elevates all users to root for the purpose of running the file, making bugs in the program more dangerous and raising the possibility of a clever user abusing the program to acquire full root privileges or otherwise wreaking havoc.
Explain why shadow passwords are important
page 568
Shadow passwords store password hashes in a file that can’t be read by ordinary users, thus making it harder for attackers on the local system to read the hashed passwords and use brute-force attacks to discover other user’s passwords. Modern Linux distributions use shadow passwords by default.
Explain how to generate a good password
page 568
Ideally, passwords should be random. Failing that, one good approach is to generate a base that’s hard to guess and the modify it by adding digits and punctuation, changing the case of some characters, changing letter order and significantly increasing the length of the password (even with repeat characters)
Explain the SSH is the preferred remote text-mode login tool
page 569
The SSH protocol provides encryption for all traffic, including both the password exchange and all subsequent data exchanges, whereas older tools, such as Telnet, do not. This makes SSH such safer for the exchange of sensitive data, particularly over untrusted networks such as the Internet.
Identify the most impportant SSH configuration file
page 569
The SSH server is controlled through the /etc/ssh/sshd_config file. The SSH client configuration file is /etc/ssh/ssh_config; don’t confuse the two.
Describe the SSH public and private key files
page 569
These keys are normally stored in the /etc/ssh directory. Private key files car called ssh_host_rsa_key_ssh_host_rsa1_key and ssh_host_dsa_key, depending on the encryption algorithm used. Public key files have the same filenames as their private keys, except a .pub filename extension is added.
Describe the function of GPG
page 569
GPG enables public key encryption of individul files or email messages. You can use GPG to encrypt sensitive data for transmission over email or other insecure means.
