Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Deployment Guide
Deployment, configuration and administration
of Red Hat Enterprise Linux 5
Deployment_Guide
Deployment Guide
v
1. ............................................................................................... v
I.
1.
1.1. ......................................................................................................
1.1.1. ..................................................................................
1.1.2. ........................................................................................
1.1.3. ...........................................................................................
1.2. .....................................................................................
1.3. .........................................................................................................
1.3.1. ..................................................................................................
3
3
3
3
5
7
9
9
A. Revision History
15
2. 17
iii
iv
Red Hat Enterprise Linux
Red Hat Enterprise Linux Red Hat Enterprise Linux
1.
Red Hat Enterprise Linux
Bugzillahttp://bugzilla.redhat.com/
bugzilla/
vi
I.
Red Hat Enterprise Linux
1.1.
1.1.1.
Suppose that you administer an enterprise network. Such networks are commonly comprised
of operating systems, applications, servers, network monitors, firewalls, intrusion detection
systems, and more. Now imagine trying to keep current with each of these. Given the
complexity of today's software and networking environments, exploits and bugs are a
certainty. Keeping current with patches and updates for an entire network can prove to be a
daunting task in a large organization with heterogeneous systems.
1.1.2.
Outside looking in inside
looking around
1.
When performing an outside looking in vulnerability assessment, you are attempting to
compromise your systems from the outside. Being external to your company provides you with
the cracker's viewpoint. You see what a cracker sees publicly-routable IP addresses,
systems on your DMZ, external interfaces of your firewall, and more. DMZ stands for
"demilitarized zone", which corresponds to a computer or small subnetwork that sits between
a trusted internal network, such as a corporate private LAN, and an untrusted external
network, such as the public Internet. Typically, the DMZ contains devices accessible to
Internet traffic, such as Web (HTTP ) servers, FTP servers, SMTP (e-mail) servers and DNS
servers.
(false positives) (false negatives)
1.1.2.1.
1.1.3.
(README)
man page
1.1.3.1. nmap
Nmap Red Hat Enterprise Linux
Nmap
man page nmap
nmap
nmap Nmap
1.1.3.1.1. Nmap
shell nmap nmap IP
nmap foo.example.com
1.
Nmap
Nmap
http://www.insecure.org/
1.1.3.2. Nessus
Nessus Nessus
Nessus Nessus
Nessus
Nessus
http://www.nessus.org/
1.1.3.3. Nikto
Nikto CGI CGI
CGI Nikto
Nikto
http://www.cirt.net/code/nikto.shtml
6
VLAD RAZOR
http://www.bindview.com/Support/Razor/Utilities/
1.1.3.5.
Depending upon your target and resources, there are many tools available. There are tools
for wireless networks, Novell networks, Windows systems, Linux systems, and more. Another
essential part of performing assessments may include reviewing physical security, personnel
screening, or voice/PBX network assessment. New concepts, such as war walking scanning the
perimeter of your enterprise's physical structures for wireless network vulnerabilities
are some emerging concepts that you can investigate and, if needed, incorporate into your
assessments. Imagination and exposure are the only limits of planning and conducting
vulnerability assessments.
1.2.
1.1, details some of the most common exploits and entry points
used by intruders to access organizational network resources. Key to these common exploits
are the explanations of how they are performed and how administrators can properly
safeguard their network against such attacks.
1.1.
Linux
Red Hat
Enterprise Linux
VPN
NAS
UNIX Windows
1.
IP
IP
TCP/IP
SYN-ACK
rshtelnetFTP
Telnet
FTP HTTP
IP
root
CERT CVE
DoS
2000
iptables Ingress
IETF rfc2267 Network
IDSes snort
1.3.
1.3.1.
RPM
RPMs Red Hat Inc.
Red Hat
1.
2.
1.
Tip
Red Hat Enterprise Linux Red Hat
Red Hat Enterprise Linux
https://rhn.redhat.com/rhn/help/quickstart.jsp
Before installing any security errata, be sure to read any special instructions
contained in the errata report and execute them accordingly. Refer to 1.3.1.5,
for general instructions about applying the changes made by an errata update.
1.3.1.3.
Red Hat Enterprise Linux Red Hat Inc. GPG GPG GNU Privacy
GuardGnuPG
1
http://rhn.redhat.com
10
Red Hat Red Hat
RPM
Red Hat
gpg-pubkey-37017186-45761324
rpm -qi
rpm -K /tmp/updates/*.rpm
For each package, if the GPG key verifies successfully, the command returns gpg OK. If it
doesn't, make sure you are using the correct Red Hat public key, as well as verifying the
source of the content. Packages that do not pass GPG verifications should not be installed,
as they may have been altered by a third party.
GPG shell
root
1.3.1.4.
11
1.
Replace <kernel-package> in the previous example with the name of the kernel RPM.
rpm -e <old-kernel-package>
Replace <old-kernel-package> in the previous example with the name of the older kernel
RPM.
GRUB
Before installing any security errata, be sure to read any special instructions
contained in the errata report and execute them accordingly. Refer to 1.3.1.5,
for general instructions about applying the changes made by an errata update.
1.3.1.5.
Red Hat Network Red Hat
User-space
user-space
glibc
12 lsof
lsof /usr/lib/libwrap.so*
TCP
tcp_wrappers
SysV
SysV SysV sshd, vsftpd
xinetd
SysV
root
shell /sbin/service
In the previous example, replace <service-name> with the name of the service, such as
sshd.
xinetd
xinetd xinetd
Telnet, IMAP POP3
xinetd
xinetd
xinetd
ps kill killall
imap root
shell
IMAP
kill <PID>
kill -9 <PID>
In the previous examples, replace <PID> with the process identification number (found in
the second column of the ps command) for an IMAP session.
IMAP
killall imapd
13
14
A. Revision History
8
Thu July 30 2010
Douglas Silas dhensley@redhat.com
Resolve BZ#239313: document oom_adj and oom_score.
Resolve BZ#526502: correct quotaon instructions with proper, safe operating procedures.
Resolve BZ#551367: correct SELinux dhcpd_disable_trans description.
Resolve BZ#521215: clarify NFS interaction with portmapper, rpc.mountd, rpc.lockd and
rpc.statd.
Resolve BZ#453875: various OpenSSH chapter corrections.
Resolve BZ#455162: correct zone example configuration file, description.
Resolve BZ#460767: make it a proper daemon.
Resolve BZ#600702: correct directories used for SSL key generation.
Change heading titles to correspond with actual headings used in 'man rpm'.
Resolve BZ#499053: /usr/sbin/racoon is correct install path.
Remove any mention of 'pkgpolicy' in /etc/yum.conf as per BZ#237773.
Resolve BZ#455162: correct example zone file with regard to records, description.
Resolve BZ#510851: /proc/cmdline has confusing descriptions of sample output.
Resolve BZ#510847: page with multiple footnotes formatted incorrectly in online PDF.
Resolve BZ#214326: more detailed usage info concerning vsftpd banners and secueerity.
Resolve BZ#241314: formatting problems in screen elements.
Resolve BZ#466239: postfix connect-from-remote-host configuration fix.
7
Resolve
Resolve
Resolve
Resolve
Resolve
Resolve
Resolve
Resolve BZ#492539: "This directive is useful..." to "This directive must be used in machines
containing more than one NIC to ensure...".
Resolve BZ#241314: re: kernel-pae and hugemem support on RHEL 4 and 5.
Resolve BZ#453071: incorrect tag use led to config files and other screen elements being
displayed on single lines.
Resolve BZ#507987: clarify and correct statements about partitions being in use while
resizing or removing.
Resolve BZ#462550: recommended amount of swap space, according to http://
kbase.redhat.com/faq/docs/DOC-15252.
Resolve BZ#466239: line omitted from Postfix configuration meant connecting remotely
failed
15
A. Revision History
Resolving other MODIFIED BZs (fixed previously): 468483, 480324, 481246, 481247, 438823,
454841, 485187, 429989, 452065, 453466.
5
Wed Jan 28 2009
Michael Hideo Smith mhideo@redhat.com
Resolves: #460981
Changing 64GB *tested* support to support for 16GB.
16
17
2.
Jean-Paul Aubry
Fabien Decroux
Myriam Malga
Audrey Simons
Corina Roe
Jasna Dimanoski
Verena Furhuer
Bernd Groh
Daniela Kugelmann
Timo Trinks
Francesco Valente
Glaucia de Freitas
Leticia de Lima
David Barzilay
Angela Garcia
Gladys Guerrero
Yelitza Louze
Manuel Ospina
Yuliya Poyarkova
Runa Bhattacharjee
Ankitkumar Rameshchandra Patel
18
Sweta Kothari
Rajesh Ranjan
Ani Peter
Sandeep Shedmake
Amanpreet Singh Alam
Jaswinder Singh
I Felix
N Jayaradha
19
20