Suse Linux 9.3 For Dummies- P21

Shared by: Cong Thanh | Date: | File type: PDF | Pages: 15


Suse Linux 9.3 For Dummies- P21: This part is all about getting you started on your way to a lasting relationship with SUSE Linux. Before you can begin your SUSE Linux experience, I spend a chapter explaining what SUSE Linux is and what you can do with SUSE Linux (pretty much anything you can do with a PC that runs Windows).


Part IV: Becoming a SUSE Wizard
Chapter 18: Updating SUSE and Adding New Software

Figure 18-9: Select the RPM packages to install from the Package Group listing.

4. In the right pane, look for the names of the RPM packages you have downloaded. Click on the check box to the left of each package name to select it for installation.

5. Click Accept. YaST may display a dialog box informing you about other packages that will automatically be installed because these packages are needed by one or more of the RPMs you are installing. Simply click Continue to proceed with the installation.

Remember that you may need to insert the SUSE Linux CDs or DVD because some of the needed packages may be on those media.

Using RPM Commands to Work with RPM Files

RPM — Red Hat Package Manager — is a format for packaging all the necessary files for a software product in a single file — called an RPM file or simply an RPM. In fact, the SUSE Linux distribution is made up of a whole lot of RPMs.

If you do not have a GUI tool like the YaST Control Center handy, you can still work with RPMs through the RPM commands. You have to type these commands at the shell prompt in a terminal window or a text console. Even if you don’t use the RPM commands to install or remove a package in SUSE Linux, you can still use the RPM commands to find out information about packages.

Using the RPM commands

When you install an RPM-based distribution such as SUSE Linux, the installer uses the rpm command to unpack the packages (RPM files) and to copy the contents to your hard drive. You don’t have to understand the internal structure of an RPM file, but you need to know how to use the rpm command to work with RPM files. Here are some of the things you can do with the rpm command:

- Find out the version numbers and other information about the RPMs installed on your system.
- Install a new software package from an RPM. For example, you may install a package you skipped during the initial installation. You can do that with the rpm command.
- Remove (uninstall) unneeded software you previously installed from an RPM. You may uninstall a package to reclaim the disk space, if you find that you rarely (or never) use the package.
- Upgrade an older version of an RPM with a new one.
- Verify that an RPM is in working order. You can verify a package to check that all necessary files are in the correct locations.

As you can see, the rpm command is versatile — it can do a lot of different things, depending on the options you use.

If you ever forget the rpm options, type the following command to see a list:

    rpm --help | more

The number of rpm options will amaze you!

Understanding RPM filenames

An RPM contains a number of files, but it appears as a single file on your Linux system. By convention, the RPM filenames have a specific format. A typical RPM filename looks like this:

    samba-3.0.9-2.1.i586.rpm
This filename has the following parts, the first three of which are separated by dashes (-):

- Package name: samba
- Version number: 3.0.9
- Release number: 2.1
- Architecture: i586 (this package is for Intel 80586 or Pentium-compatible processors)

Usually, the package name is descriptive enough for you to guess what the RPM may contain. The version number is the same as that of the software package’s current version number. Developers assign the release number to keep track of changes. The architecture is i586 or noarch for the RPMs you want to install on a PC with an Intel Pentium or compatible processor.

Querying RPMs

As it installs packages, the rpm command builds a database of installed RPMs. You can use the rpm -q command to query this database to find out information about packages installed on your system.

For example, to find out the version number of an RPM installed on your system, type the following rpm -q command:

    rpm -q cups

You see a response similar to the following:

    cups-1.1.21-5.3

The response is the name of the RPM package. The name is the same as the RPM filename, except that the last part — .i586.rpm — isn’t shown. In this case, the version part of the RPM tells you that you have cups (the Common UNIX Printing System) version 1.1.21 installed.

You can see a list of all installed RPMs by using the following command:

    rpm -qa

You see a long list of RPMs scroll by your screen. To view the list one screen at a time, type

    rpm -qa | more
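The filename convention and the name-version-release form that rpm -q prints can both be split mechanically, provided the split runs from the right, because package names such as qt3-devel contain dashes themselves. The shell function below is an added example, not code from the book; rpm_split is a hypothetical name, and the qt3-devel version string in the comments is constructed for illustration.

```shell
#!/bin/sh
# rpm_split STRING
# Split an RPM filename (name-version-release.arch.rpm) or an "rpm -q"
# response (name-version-release) into its parts.
# Prints "name version release arch"; arch is "-" when the input has none.
# Returns 1 if the string does not contain the two separating dashes.
rpm_split() {
    input=${1##*/}                  # ignore any leading directory
    arch="-"
    case $input in
        *.rpm)
            base=${input%.rpm}      # drop the ".rpm" suffix
            arch=${base##*.}        # architecture follows the last dot
            base=${base%.*}         # what remains is name-version-release
            ;;
        *)
            base=$input             # "rpm -q" output carries no architecture
            ;;
    esac

    case $base in
        *-*-*) ;;
        *)
            echo "not a name-version-release string: $1" >&2
            return 1
            ;;
    esac

    # Peel fields off the right-hand side: the version and release never
    # contain a dash, but the package name may (qt3-devel, for example).
    release=${base##*-}
    rest=${base%-*}
    version=${rest##*-}
    name=${rest%-*}

    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# Examples (the qt3-devel version and release are constructed values):
#   rpm_split samba-3.0.9-2.1.i586.rpm
#   rpm_split cups-1.1.21-5.3
#   rpm_split qt3-devel-3.3.4-11.i586.rpm
```

The first field of the output is the package name that commands such as rpm -q and rpm -e expect.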
If you want to search for a specific package, feed the output of rpm -qa to the grep command. For example, to see all packages with kernel in their names, type

    rpm -qa | grep kernel

The result depends on what parts of the kernel RPMs are installed on a system.

You can query much more than a package’s version number with the rpm -q command. By adding single-letter options, you can find out other useful information. For example, try the following command to see the files in the cups package:

    rpm -ql cups

Here are a few more useful forms of the rpm -q commands to query information about a package (to use any of these rpm -q commands, type the command, followed by the package name):

- rpm -qc: Lists all configuration files in a package.
- rpm -qd: Lists all documentation files in a package. These are usually the online manual pages (also known as man pages).
- rpm -qf: Displays the name of the package (if any) to which a specified file belongs.
- rpm -qi: Displays detailed information about a package, including version number, size, installation date, and a brief description.
- rpm -ql: Lists all the files in a package. For some packages, you see a very long list.
- rpm -qs: Lists the state of all files in a package (the state of a file can be one of the following: normal, not installed, or replaced).

These rpm commands provide information about installed packages only. If you want to find information about an uninstalled RPM file, add the letter p to the command line option of each command. For example, to view the list of files in the RPM file named samba-3.0.9-2.1.i586.rpm, go to the directory where that file is located and then type the following command:

    rpm -qpl samba-*.rpm

Of course, this command works only if the current directory contains that RPM file.

Two handy rpm -q commands enable you to find out which RPM file provides a specific file and which RPMs need a specified package.
To find out the name of the RPM that provides a file, use the following command:

    rpm -q --whatprovides filename

For example, to see which RPM provides the file /etc/vsftpd.conf, type

    rpm -q --whatprovides /etc/vsftpd.conf

RPM then prints the name of the package that provides the file, like this:

    vsftpd-2.0.1-2

If you provide the name of a package instead of a filename, RPM displays the name of the RPM package that contains the specified package.

On the other hand, to find the names of RPMs that need a specific package, use the following command:

    rpm -q --whatrequires packagename

For example, to see which packages need the openssl package, type

    rpm -q --whatrequires openssl

The output from this command shows all the RPM packages that need the openssl package.

Installing an RPM

To install an RPM, use the rpm -i command. You have to provide the name of the RPM file as the argument. If you want to view the progress of the RPM installation, use rpm -ivh. A series of hash marks (#) displays as the package is unpacked. For example, to install an RPM file named samba-3.0.9-2.1.i586.rpm, go to the directory where the file is located and then type the following command to install it:

    rpm -ivh samba-*.rpm

You don’t have to type the full RPM filename — you can use a few characters from the beginning of the name followed by an asterisk (*). Make sure you type enough of the name to identify the RPM file uniquely.

If you try to install an RPM that’s already installed, the rpm -i command displays an error message.
Removing an RPM

You may want to remove — uninstall — a package if you realize you don’t really need the software. For example, if you have installed the X Window System development package but discover you’re not interested in writing GUI applications, you can easily remove the package by using the rpm -e command.

You have to know the name of the package before you can remove it. One good way to find the name is to use rpm -qa in conjunction with grep to search for the appropriate RPM file.

For example, to remove the package named qt3-devel, type

    rpm -e qt3-devel

To remove an RPM, you don’t need the full RPM filename; all you need is the package name — the first part of the filename up to the dash (-) before the version number.

The rpm -e command does not remove a package that other packages need.

Upgrading an RPM

Use the rpm -U command to upgrade an RPM. You must provide the name of the RPM file that contains the new software. For example, if I have version 1.1.20 of cups (printing system) installed on my system but I want to upgrade to version 1.1.21, I download the RPM file cups-1.1.21-5.3.i586.rpm from a repository and use the following command:

    rpm -U cups-1.1.21-5.3.i586.rpm

The rpm command performs the upgrade by removing the old version of the cups package and installing the new RPM.

Whenever possible, upgrade rather than remove the old package and install a new one. Upgrading automatically saves your old configuration files, which saves you the hassle of reconfiguring the software after a fresh installation.
Chapter 19

Securing SUSE Linux

In This Chapter

- Understanding host and network security issues
- Getting familiar with computer security terminology
- Practicing good host security
- Securing the network
- Keeping up with security news and updates

In this chapter, I explain why you need to worry about security and give you a high-level view of how to get a handle on security. I explain the two key aspects of security — host security and network security — and introduce you to the terminology used in discussing computer security. Then I provide an overview of how to secure the host (the stand-alone PC) and the network. Finally, I end by pointing out a few resources that can help you keep up with security news and updates.

Why Worry about Security?

In today’s networked world, you have to worry about your SUSE Linux system’s security. For a stand-alone system, or a system used in an isolated local area network (LAN), you have to focus on protecting the system from the users and the users from one another. In other words, you don’t want a user to modify or delete system files, whether intentionally or unintentionally. Also, you don’t want a user destroying another user’s files.

If your SUSE Linux system is connected to the Internet, you have to secure the system from unwanted accesses over the Internet. These intruders — or crackers, as they are commonly known — typically impersonate a user, steal or destroy information, and even deny you access to your own system (known as a Denial of Service or DoS attack).

By its very nature, an Internet connection makes your system accessible to any other system on the Internet. After all, the Internet connects a huge number of networks across the globe. In fact, the client/server architecture of Internet services, such as HTTP (Web) and FTP, rely on the wide-open network access the Internet provides. Unfortunately, the easy accessibility to Internet services running on your system also means that anyone on the Net can easily access your system.

If you operate an Internet host that provides information to others, you certainly want everyone to access your system’s Internet services, such as FTP and Web servers. However, these servers often have vulnerabilities that crackers may exploit in order to cause harm to your system. You need to know about the potential security risks of Internet services — and the precautions you can take to minimize the risk of someone exploiting the weaknesses of your FTP or Web server.

You also want to protect your company’s internal network from outsiders, even though your goal is to provide information to the outside world through a Web or FTP server. You can protect your internal network by setting up an Internet firewall — a controlled access point to the internal network — and placing the Web and FTP servers on a host outside the firewall.

Understanding Linux Security

To secure a Linux system, you have to tackle two broad categories of security issues:

- Host security issues that relate to securing the operating system and the files and directories on the system
- Network security issues that refer to the threat of attacks over the network connection

Understanding the host security issues

Here are some high-level guidelines to address host security (I cover some of these topics in detail later in this chapter):

- When installing SUSE Linux, select only the package groups that you need for your system. Don’t install unnecessary software. For example, if your system is used as a workstation, you don’t have to install most of the servers (Web server, news server, and so on).
- Create initial user accounts and make sure all passwords are strong enough that password-cracking programs can’t “guess” them. SUSE Linux includes tools to enforce strong passwords.
- Set file ownerships and permissions to protect important files and directories.
- Use the GNU Privacy Guard (GnuPG) to encrypt or decrypt files with sensitive information and to authenticate files that you download from the Internet. GnuPG comes with SUSE Linux and you can use the gpg command to perform the tasks such as encrypting or decrypting a file.
- Use file integrity-checking tools, such as Tripwire, to monitor any changes to crucial system files and directories. The open source version of Tripwire (which is somewhat old) is available from www.tripwire.org. Visit www.tripwire.com for the commercial version.
- Periodically check various log files for signs of any break-ins or attempted break-ins. These log files are in the /var/log directory of your system.
- Install security updates to SUSE Linux as soon as they become available. These security updates fix known vulnerabilities in SUSE Linux. You can get these updates by using the YaST Online Update that I describe in Chapter 18.

Understanding network security issues

The issue of network security comes up as soon as you connect your organization’s internal network to the Internet. You need to think of network security even if you connect a single computer to the Internet, but security concerns are more pressing when an entire internal network is opened to the world.

If you’re an experienced system administrator, you already know that the cost of managing an Internet presence doesn’t worry corporate management; their main concern is security. To get your management’s backing for the Web site, you have to lay out a plan to keep the corporate network secure from intruders.

You may think that you can avoid jeopardizing the internal network by connecting only the external servers, such as Web and FTP servers, to the Internet. However, employing this simplistic approach isn’t wise. It’s like deciding not to drive because you may have an accident. Not having a network connection between your Web server and your internal network also has the following drawbacks:

- You cannot use network file transfers, such as FTP, to copy documents and data from your internal network to the Web server.
- Users on the internal network cannot access the corporate Web server.
- Users on the internal network don’t have access to Web servers on the Internet. Such a restriction makes a valuable resource — the Web — inaccessible to the users in your organization.
A practical solution to this problem is to set up an Internet firewall and to put the Web server on a highly secured host outside the firewall. In addition to using a firewall, here are some of the other steps to take to address network security (I explain these further, later in this chapter):

- Enable only those Internet services you need on a system. In particular, don’t enable services that are not properly configured.
- Use Secure Shell (ssh) for remote logins. Don’t use the r commands, such as rlogin and rsh.
- Secure any Internet services, such as FTP or TELNET, that you want to run on your system. Better yet, don’t run them unless you need them.
- Promptly fix any known vulnerabilities of Internet services that you choose to run. You can download and install the latest security updates for SUSE Linux by using the YaST Online Update.

Getting Familiar with Computer Security Terminology

Computer books, magazine articles, and experts on computer security use a number of terms with unique meanings. You need to know these terms to understand discussions about computer security (and to communicate effectively with security vendors). Table 19-1 describes some of the commonly used computer security terms.

Table 19-1 Commonly Used Computer Security Terminology

| Term | Description |
| --- | --- |
| Application gateway | A proxy service that acts as a gateway for application-level protocols, such as FTP, HTTP, NNTP, and SSH. |
| Authentication | The process of confirming that a user is indeed who he or she claims to be. The typical authentication method is a challenge-response method wherein the user enters a username and secret password to confirm his or her identity. |
| Backdoor | A security weakness a cracker places on a host in order to bypass security features. |
| Bastion host | A highly secured computer that serves as an organization’s main point of presence on the Internet. A bastion host typically resides on the perimeter network, but a dual-homed host (with one network interface connected to the Internet and the other to the internal network) is also a bastion host. |
| Buffer overflow | A security flaw in a program that enables a cracker to send an excessive amount of data to that program and to overwrite parts of the running program with code in the data being sent. The result is that the cracker can execute arbitrary code on the system and possibly gain access to the system as a privileged user. |
| Certificate | An electronic document that identifies an entity (such as an individual, an organization, or a computer) and associates a public key with that identity. A certificate contains the certificate holder’s name, a serial number, expiration date, a copy of the certificate holder’s public key, and the digital signature of the Certificate Authority so a recipient can verify that the certificate is real. |
| Certificate Authority (CA) | An organization that validates identities and issues certificates. |
| Cracker | A person who breaks into (or attempts to break into) a host, often with malicious intent. |
| Confidentiality | Of data, a state of being accessible to no one but you (usually achieved by encryption). |
| Decryption | The process of transforming encrypted information into its original, intelligible form. |
| Denial of Service (DoS) | An attack that uses so many of the resources on your computer and network that legitimate users cannot access and use the system. From a single source, the attack overwhelms the target computer with messages and blocks legitimate traffic. It can prevent one system from being able to exchange data with other systems or prevent the system from using the Internet. |
| Distributed Denial of Service (DDoS) | A variant of the denial-of-service attack that uses a coordinated attack from a distributed system of computers rather than a single source. It often makes use of worms to spread to multiple computers that can then attack the target. |
| Digital signature | A one-way MD5 or SHA-1 hash of a message encrypted with the private key of the message originator, used to verify the integrity of a message and ensure nonrepudiation. |
| DMZ | Another name for the perimeter network. (DMZ originally stood for demilitarized zone, the buffer zone separating the warring North and South in Korea and Vietnam.) |
| Dual-homed host | A computer with two network interfaces (think of each network as a home). |
| Encryption | The process of transforming information so it’s unintelligible to anyone but the intended recipient. The transformation is done by a mathematical operation between a key and the information. |
| Exploit tools | Publicly available and sophisticated tools that intruders of various skill levels can use to determine vulnerabilities and gain entry into targeted systems. |
| Firewall | A controlled-access gateway between an organization’s internal network and the Internet. A dual-homed host can be configured as a firewall. |
| Hash | The result when a mathematical function converts a message into a fixed-size numeric value known as a message digest (or hash). The MD5 algorithm, for example, produces a 128-bit message digest; the Secure Hash Algorithm-1 (SHA-1) generates a 160-bit message digest. The hash of a message is encrypted with the private key of the sender to produce the digital signature. |
| Host | A computer on a network that is configured to offer services to other computers on the network. |
| Integrity | Of received data, a state of being the same as originally sent (that is, unaltered in transit). |
| IPSec (IP Security Protocol) | A security protocol for the Network layer of the OSI Networking Model, designed to provide cryptographic security services for IP packets. IPSec provides encryption-based authentication, integrity, access control, and confidentiality. |
| IP spoofing | An attack in which a cracker figures out the IP address of a trusted host and then sends packets that appear to come from the trusted host. The attacker can send packets but cannot see responses. However, the attacker can predict the sequence of packets and essentially send commands that set up a backdoor for future break-ins. |
| Logic bombs | A form of sabotage in which a programmer inserts code that causes the program to perform a destructive action when some triggering event occurs, such as terminating the programmer’s employment. |
| Nonrepudiation | A security feature that prevents the sender of data from being able to deny ever having sent the data. |
| Packet | A collection of bytes, assembled according to a specific protocol, that serves as the basic unit of communication on a network. On TCP/IP networks, for example, the packet may be referred to as an IP packet or a TCP/IP packet. |
| Packet filtering | Selective blocking of packets according to type of packet (as specified by the source and destination IP address or port). |
| Perimeter network | A network between the Internet and the protected internal network. The perimeter network (also known as DMZ) is where the bastion host resides. |
| Port scanning | A method of discovering which ports are open (in other words, which Internet services are enabled) on a system, performed by sending connection requests to the ports, one by one. This procedure is usually a precursor to further attacks. |
| Proxy server | A server on the bastion host that enables internal clients to access external servers (and enables external clients to access servers inside the protected network). There are proxy servers for various Internet services, such as FTP and HTTP. |
| Public-key cryptography | An encryption method that uses a pair of keys — a private key and a public key — to encrypt and decrypt the information. Anything encrypted with the public key is decrypted only with the corresponding private key, and vice versa. |
| Public-Key Infrastructure (PKI) | A set of standards and services that enables the use of public-key cryptography and certificates in a networked environment. PKI facilitates tasks, such as issuing, renewing, and revoking certificates, and generating and distributing public- and private-key pairs. |
| Screening router | An Internet router that filters packets. |
| Setuid program | A program that runs with the permissions of the owner regardless of who runs the program. For example, if root owns a setuid program, that program has root privileges regardless of who started the program. Crackers often exploit vulnerabilities in setuid programs to gain privileged access to a system. |
| Sniffer | Synonymous with packet sniffer — a program that intercepts routed data and examines each packet in search of specified information, such as passwords transmitted in clear text. |
| Symmetric-key encryption | An encryption method wherein the same key is used to encrypt and decrypt the information. |
| Spyware | Any software that covertly gathers user information through the user’s Internet connection and, usually, transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users are tricked into installing spyware when they install something else. |
| Threat | An event or activity, deliberate or unintentional, with the potential for causing harm to a system or network. |
| Trojan horse | A program that masquerades as a benign program, but, in fact, is a backdoor used for attacking a system. Attackers often install a collection of Trojan horse programs that enable the attacker to freely access the system with root privileges, yet hide that fact from the system administrator. Such collections of Trojan horse programs are called rootkits. |
| Virus | A self-replicating program that spreads from one computer to another by attaching itself to other programs. |
| Vulnerability | A flaw or weakness that may cause harm to a system or network. |