Security Links
General Notes
This page is devoted to sites on the web that provide information that's useful in securing an internet server. Needless to say, we can only say that we found these resources useful. We cannot vouch for their quality, accuracy or even how well they would function, once printed, as toilet-paper. But, here they are.
Most of these resources are focused on Linux. You'll also find material here relevant to other Unix-like OSes and Windows NT. If you're using other variants of Windows, you should look at either upgrading to NT or switching to some Unix-variant for your server. Mac OS X Server is part of the BSD Unix family, so much of the information you'll find on these sites should be relevant. Mac OS X is not in general release at this time, so it's an unknown quality. Based on Apple's official statements, it should be treated as a BSD-variant for security purposes, though. Older versions of the MacOS are not the fastest servers, but they don't have a command line, so they tend to be pretty secure as is.
White Papers, How-Tos
Armoring Linux at enteract.com bills itself as the beginner's guide to armoring linux.
Whitepapers & Publications on Security: a good, readable collection of documents that really focuses on the process of catching someone sneaking into your computer and foiling them in the future. A good starting point to the whole security quagmire is an article like Armoring Linux. There are various and sundry other articles, including several how-to's here.
Detecting Intruders in Linux is an article along the same lines at Security Portal that covers the same ground but in a much more concise manner, focusing on specific *nix programs. Through the Looking Glass is an article at Linux Gazette that also covers this topic, but is written around one specific break-in.
Break into Your Own System by Mark Nielsen. If you want to stop something, it helps to understand how that something works. So go learn how, know thy enemy and kick royal ba-hootie.
Linux Administrator's Security Guide (LASG) by Kurt Seifried. The grand-daddy of them all.
Securing Your Linux Box by Peter Vertes. Published in the Linux Gazette.
Enhancing System Security With TCP Wrappers by Paul Dunne, published in Performance Computing.
Passwords are such an important topic that they deserve at least one good article. This one is at Security Portal.
News/Portal Sites
CERT Advisories. The CERT Coordination Center, located at Carnegie Mellon University, also has a collection of other resources available.
CIAC Bulletins maintained by the U.S. Department of Energy.
Packet Storm Security was one of the main security sites on the web, until the university that was hosting the site pulled it. They returned in September 1999.
The "Enemy"
First, repeat after me: information is not the enemy. People who publish information are not the enemy. They are my friends. Because they give away all the secrets of the people messing with you and because it's a free country. And this does come from someone who's been on the receiving end. Just be thankful that the "good guys" get to publish, too. Just look farther up the page. There's almost too much information.
Second, remember that some places may call them "Hackers". They're not. They're crackers, phreakers, phreaks and other things, but Hackers, they're not. Some say they misappropriated the term. Some blame the media. Both are probably at fault.
2600 can be found at newsstands, has been around forever and may be the most ethical of the group.
Hackers.com screams polish, but has enough information to drown you.
Packages/Applications
FreeS/WAN is an open source package that "allow(s) you to build secure tunnels through untrusted networks". Unfortunately, there only seem to be *nix and Windows clients. If you've got clients running another OS, this one is probably not for you.
SSH is considered a definitive security package for mail and telnet connections. Unfortunately, there are various legal issues with using it. Current versions (those after 1.x) are only free for non-commercial use. Due to copyrights that hold inside the U.S. and restrictions on 'exporting' from the U.S., you'll have to watch which options you choose (see the 32bitsonline article below). You can download it (get the last 1.x version; at least 1.2.20) and the 32bitsonline article should get you going. There are several important things that are not pointed out in the article itself. First, don't compile as root (i.e. don't run the # make step as root). Second, remember your passphrase. Without this you're lost. Third, as always, watch your file ownership and permissions. You'll end up with a .ssh directory in your home (~) directory. If you're 'bob', it should look like this:
-rwx------ 1 bob bob 328 Apr 7 03:04 authorized_keys
-rw------- 1 bob bob 660 Apr 14 15:23 known_hosts
-rw------- 1 bob bob 512 Apr 21 10:03 random_seed
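One way to check the ownership and permission rule shown in that listing, as an added example that is not from the original page or from the SSH distribution. The function name audit_ssh_dir, the demo function and the scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an ~/.ssh-style directory.

# audit_ssh_dir DIR [UID]
# Prints one line per problem; returns 0 when everything is private to UID.
audit_ssh_dir() {
    dir=$1
    want_uid=${2:-$(id -u)}
    status=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    # The directory itself is held to the same rule as the files inside it
    # (an assumption that goes beyond the three files in the page's listing).
    for f in "$dir" "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue            # glob pattern that matched nothing
        # ls -ldn fields: mode, link count, numeric uid, rest of the line
        read -r mode nlink uid rest <<EOF
$(ls -ldn "$f")
EOF
        [ "$uid" = "$want_uid" ] || { echo "OWNER $f uid=$uid"; status=1; }
        case $mode in
            ????------*) ;;                # no group/other bits, as in the listing
            *) echo "PERMS $f $mode"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample: rebuild the listing's file names in a scratch directory,
# then loosen one file the way a careless copy or umask would.
demo() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"
    for n in authorized_keys known_hosts random_seed; do
        : > "$d/$n"; chmod 600 "$d/$n"
    done
    audit_ssh_dir "$d" && echo "clean: $d"
    chmod 644 "$d/known_hosts"
    audit_ssh_dir "$d" || echo "problems found"
    rm -rf "$d"
}

demo
```

To audit a real account, call audit_ssh_dir "$HOME/.ssh" as that user; a second argument gives the numeric uid to expect when checking someone else's directory.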
The 32bitsonline article refers to ./configure help, when it should really refer to ./configure -help. Next, after you run configure, double-check all the text that scrolled by for any problems. You'll want to make sure that it included the encryption algorithms that you want. The configure given in 32bitsonline doesn't enable DES encryption, for example. Adding DES encryption seems to really stretch out compilation (# make). And, like many other programs, SSH stores its config files in /etc/. Watch how you configure these. For instance, you'll want to make sure that the encryption you specify in the config files is one that was included in the compile and that you use that when you try to connect to the machine.
Additional Basic How-To's are available at UWSG and ITSO. There's a Getting Started with SSH, the VPN Howto and a SSH FAQ.
IP Firewall Chaining How-To: how to obtain, install and configure the enhanced IP firewalling chains software for Linux, and some ideas on how you might use them.
TCP Wrappers: this article on the program opens by explaining that they "provide wrapper daemons that can be installed without any changes to existing software... In the basic service, the wrapper logs the name of the client host and requested service, then hands the communication over to the real daemon."
IPSec is the standard open-source way to provide encrypted communications over TCP/IP. This Linux Today article provides an overview.