Comments and suggestions concerning this page should be mailed to gmourani@videotron.ca

Linux Secure and Optimized Server
A guide for information system, configuration, optimization and network security professionals.

Open Network Architecture
50 Quintin suite 101
St-Laurent H4N 3A5
Quebec Canada
Mail: gmourani@videotron.ca

Author: Gerhard Mourani
Version: 1.0
Last Revised: November 1, 1999

© Copyright 1999 Open Network Architecture ®
Linux Secure & Optimized Server .... 6
New version of this document .... 6
Copyright Information .... 7
PGP Public Key for Gerhard Mourani .... 7
Overview .... 8
These installation instructions assume .... 8
Know your Hardware! .... 8
I) Creating the Boot Disk and Booting .... 9
II) Installation Class and Method .... 9
III) Disk Setup .... 9
Warning .... 9
IV) Components to Install .... 12
Individual Packages Selection .... 13
V) How to use RPM Commands .... 15
VI) Starting and stopping daemon services .... 15
VII) Software that must be uninstalled after installation of the Server .... 16
VIII) Software that must be installed after installation of the Server .... 17
IX) Installed programs on your Server .... 18
X) Put some colors on your terminal .... 20
XI) Update of the latest software .... 21
XII) For the maniacs .... 21
XIII) General system security .... 22
Linux Security .... 22
Overview .... 22
XIV) General system optimization .... 35
Linux Optimization .... 35
XV) Recompiling the Kernel .... 41
Linux Kernel .... 41
Overview .... 41
These installation instructions assume .... 41
Packages .... 41
Making an emergency boot floppy .... 42
Optimization .... 42
Increase the Tasks .... 42
Compilation .... 43
Making a new rescue floppy .... 49
Update your /dev entries .... 49
XVI) Install more than one Ethernet Card per Machine .... 49
XVII) Configuring TCP/IP Networking manually with the command line .... 50
XVIII) Install software .... 53
Linux DNS and BIND Server .... 53
Overview .... 53
These installation instructions assume .... 53
Packages .... 53
Tarballs .... 53
Compilation .... 53
Configure and Optimize .... 54
Compile and Optimize .... 54
Cleanup after work .... 54
Configurations .... 55
Configuration of the /etc/named.conf file .... 55
Configuration of the /var/named/db.127.0.0 file .... 56
Configuration of the /var/named/primary/db.192.168.1 file .... 56
Configuration of the /var/named/primary/db.openarch .... 56
Configuration of the /etc/rc.d/init.d/named script file .... 57
Securing BIND/DNS .... 58
Running BIND in a chroot jail .... 58
Cleanup after work .... 62
Zone transfers .... 62
Further documentation .... 63
DNS Administrative Tools .... 63
dig .... 63
ndc .... 63
DNS Users Tools .... 63
dnsquery .... 63
host .... 64
Installed files .... 64
Linux SSH1 Server .... 65
Overview .... 65
These installation instructions assume .... 65
Packages .... 65
Tarballs .... 65
Compilation .... 65
Compile and Optimize .... 65
Cleanup after work .... 66
Configurations .... 66
Configure the /etc/ssh/ssh_config file .... 66
Configure the /etc/ssh/sshd_config file .... 67
Configure sshd1 to use tcp-wrappers inetd super server .... 67
Configuration of the /etc/pam.d/ssh file .... 68
Further documentation .... 68
Per-User Configuration .... 68
SSH1 Users Tools .... 69
ssh1 .... 69
Installed files .... 69
Linux SSH2 Server .... 69
Overview .... 69
These installation instructions assume .... 69
Packages .... 70
Tarballs .... 70
Compilation .... 70
Compile and Optimize .... 70
Cleanup after work .... 70
Configurations .... 70
Configure the /etc/ssh2/ssh2_config file .... 71
Configure the /etc/ssh2/sshd2_config file .... 71
Configure sshd2 to use tcp-wrappers inetd super server .... 72
Configuration of the /etc/pam.d/ssh file .... 72
Further documentation .... 73
Per-User Configuration .... 73
SSH2 Users Tools .... 73
ssh2 .... 73
sftp2 .... 74
Installed files .... 74
Linux OPENSSL .... 74
Overview .... 74
These installation instructions assume .... 74
Tarballs .... 75
Packages .... 75
Compilation .... 75
Compile and Optimize .... 75
Cleanup after work .... 76
Configuration .... 76
Configuration of the /etc/ssl/openssl.cnf file .... 76
Create the /usr/bin/sign.sh program file .... 80
Commands .... 81
Securing OpenSSL .... 82
Installed files .... 82
Linux Imap & Pop Server .... 83
Overview .... 83
These installation instructions assume .... 83
Packages .... 83
Tarballs .... 83
Compilation .... 83
Compile and Optimize .... 83
Cleanup after work .... 84
Configurations .... 84
Configuration of the /etc/pam.d/imap file .... 85
Configuration of the /etc/pam.d/pop file .... 85
Further documentation .... 85
Installed files .... 85
Linux MM - Shared Memory Library .... 85
Overview .... 86
These installation instructions assume .... 86
Packages .... 86
Tarballs .... 86
Compilation .... 86
Compile .... 86
Further documentation .... 86
Installed files .... 87
Linux Samba Server .... 87
Overview .... 87
These installation instructions assume .... 87
Packages .... 87
Tarballs .... 87
Compilation .... 87
Configure .... 88
Compile and optimize .... 88
Cleanup after work .... 89
Configurations .... 89
Configuration of the /etc/smb.conf file .... 89
Configuration of the /etc/lmhosts file .... 90
Configuration of the /etc/rc.d/init.d/smb script file .... 90
Configuration of the /etc/pam.d/samba file .... 92
Configuration of the /etc/logrotate.d/samba file .... 92
Further documentation .... 92
Securing Samba .... 92
Create an encrypted password file .... 92
Samba Administrative Tools .... 93
smbstatus .... 93
Samba Users Tools .... 93
smbclient .... 93
Installed files .... 93
Linux OpenLDAP Server .... 94
Overview .... 94
These installation instructions assume .... 94
Packages .... 94
Tarballs .... 94
Compilation .... 94
Compile and Optimize .... 95
Cleanup after work .... 96
Configurations .... 96
Configuration of the /etc/ldap/slapd.conf file .... 96
Configuration of the /etc/rc.d/init.d/ldap script file .... 97
Further documentation .... 98
OpenLDAP Creation and Maintenance Tools .... 99
Creating a database off-line .... 99
Creating a database over LDAP .... 99
ldapmodify .... 100
OpenLDAP Users Tools .... 101
Search on LDAP for entries .... 101
Installed files .... 101
Linux PostgreSQL Database Server .... 102
Overview .... 103
These installation instructions assume .... 103
Packages .... 103
Tarballs ....... 103
Compilation ....... 103
Compile and Optimize ....... 103
Configurations ....... 105
Configuration of the /etc/rc.d/init.d/postgresql script file ....... 105
Commands ....... 106
Installed files ....... 107
Linux Squid Proxy Server ....... 107
Overview ....... 108
These installation instructions assume ....... 108
Packages ....... 108
Tarballs ....... 108
Compilation ....... 108
Configure and Optimize ....... 108
malloc ....... 109
Compile and Optimize ....... 109
Cleanup after work ....... 110
Configurations ....... 110
Configuration of the /etc/squid/squid.conf file ....... 110
Configuration of the /etc/rc.d/init.d/squid script file ....... 111
Configuration of the /etc/logrotate.d/squid file ....... 113
Securing Squid ....... 113
More control on mounting a file system ....... 113
Optimizing Squid ....... 114
Increases the system limit on open files ....... 114
The ulimit ....... 114
The atime ....... 114
The noatime attribute ....... 114
The bdflush parameter ....... 115
The ip_local_port_range parameter ....... 115
Physical memory ....... 115
Installed files ....... 115
Linux Apache Server ....... 116
Overview ....... 116
These installation instructions assume ....... 116
Packages ....... 116
Prerequisites ....... 116
Tarballs ....... 117
Compilation ....... 117
Compile and Optimize ....... 117
Configurations ....... 119
Configuration of the /etc/httpd/conf/httpd.conf file ....... 120
Configuration of the /etc/logrotate.d/apache file ....... 122
Configuration of the /etc/rc.d/init.d/httpd script file ....... 123
Securing Apache ....... 124
More control on mounting a file system ....... 124
Create the .dbmpasswd password file for authentication ....... 125
Running Apache in a chroot jail ....... 125
Configuration of the new /etc/logrotate.d/apache file ....... 129
Optimizing Apache ....... 129
The static file ....... 129
The ulimit ....... 130
Increases the system limit on open files ....... 130
The noatime ....... 131
The ip_local_port_range parameter ....... 131
Installed files ....... 131
Optional component to install with Apache ....... 131
Devel-Symdump ....... 131
Packages ....... 132
CGI.pm ....... 132
Packages ....... 132
Packages ....... 132