Copyright © 2002 by Gerhard Mourani and Open Network Architecture, Inc.

This book is dedicated to OpenNA staff. Thanks, guys (no-gender)!! –Gerhard Mourani

This book is printed on acid-free paper with 85% recycled content, 15% post-consumer waste. Open Network Architecture is committed to using paper with the highest recycled content available consistent with high quality.

Copyright © 2002 by Gerhard Mourani and Open Network Architecture, Inc.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted by Canada Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the copyright holders Gerhard Mourani and Open Network Architecture, Inc. 11090 Drouart, Montreal, PQ H3M 2S3, (514) 978-6183, fax (514) 333-0236. Requests to the Publisher for permission should be addressed to the Publishing Manager, at Open Network Architecture, Inc., E-mail: [email protected]

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that some grammatical mistakes could have occurred but this won’t jeopardize the content or the issue raised herewith.

Title: Securing and Optimizing Linux: The Hacking Solution
Page Count: 1208
Version: 3.0
Last Revised: 2002-06-26
Publisher: Open Network Architecture, Inc.
Editor: Ted Nackad
Text Design & Drawings (Graphics): Bruno Mourani
Printing History: June 2000: First Publication.
Author: Gerhard Mourani
Mail: [email protected]
Website: http://www.openna.com/

National Library Act. R.S., c. N-11, s. 1. Legal Deposit, 2002
Securing and Optimizing Linux: The Hacking Solution / Open Network Architecture, Inc.
Published by Open Network Architecture, Inc., 11090 Drouart, Montreal, H3M 2S3, Canada.
Includes Index.
ISBN 0-9688793-1-4
Printed in Canada


Overview

Part I Installation Security
Chapter 1 Introduction
Chapter 2 Installation Issues

Part II System Security & Optimization
Chapter 3 General Security
Chapter 4 Pluggable Authentication Modules
Chapter 5 General Optimization
Chapter 6 Kernel Security & Optimization
Chapter 7 Process File System Management

Part III Network Security
Chapter 8 TCP/IP Network Management
Chapter 9 Firewall Basic Concept
Chapter 10 GIPTables Firewall
Chapter 11 Squid Proxy Server
Chapter 12 SquidGuard Filter
Chapter 13 FreeS/WAN VPN

Part IV Cryptography & Authentication
Chapter 14 GnuPG
Chapter 15 OpenSSL
Chapter 16 OpenSSH
Chapter 17 Sudo

Part V Monitoring & System Integrity
Chapter 18 sXid
Chapter 19 LogSentry
Chapter 20 HostSentry
Chapter 21 PortSentry
Chapter 22 Snort
Chapter 23 Tripwire

Part VI Super-Server
Chapter 24 UCSPI-TCP
Chapter 25 Xinetd

Part VII Management & Limitation
Chapter 26 NTP
Chapter 27 Quota

Part VIII Domain Name System & Dynamic Host Protocol
Chapter 28 ISC BIND & DNS
Chapter 29 ISC DHCP

Part IX Mail Transfer Agent Protocol
Chapter 30 Exim
Chapter 31 Qmail

Part X Internet Message Access Protocol
Chapter 32 tpop3d
Chapter 33 UW IMAP
Chapter 34 Qpopper

Part XI Anti-Spam & Anti-Virus
Chapter 35 SpamAssassin
Chapter 36 Sophos
Chapter 37 AMaViS

Part XII Database Server
Chapter 38 MySQL
Chapter 39 PostgreSQL
Chapter 40 OpenLDAP

Part XIII File Transfer Protocol
Chapter 41 ProFTPD
Chapter 42 vsFTPD

Part XIV Hypertext Transfer Protocol
Chapter 43 Apache
Chapter 44 PHP
Chapter 45 Mod_Perl

Part XV NetBios Protocol
Chapter 46 Samba

Part XVI Backup
Chapter 47 Tar & Dump

Part XVII Appendixes
Appendix A Tweaks, Tips and Administration Tasks
Appendix B Port list


Contents

Steps of installation
Author note
Audience
These installation instructions assume
Obtaining the example configuration files
Problem with Securing & Optimizing Linux
Acknowledgments

Introduction
What is Linux?
Some good reasons to use Linux
Let’s dispel some of the fear, uncertainty, and doubt about Linux
Why choose pristine source?
Compiling software on your system
Build & install software on your system
Editing files with the vi editor tool
Recommended software to include in each type of servers

Installation Issues
Know your Hardware!
Creating the Linux Boot Disk
Beginning the installation of Linux
Installation Class and Method (Install Options)
Partition your system for Linux
Disk Partition (Manual Partitioning)
Selecting Package Groups
Boot Disk Creation
How to use RPM Commands
Starting and stopping daemon services
Software that must be uninstalled after installation of the server
Remove unnecessary documentation files
Remove unnecessary/empty files and directories
Software that must be installed after installation of the server

General Security
BIOS
Unplug your server from the network
Security as a policy
Choose a right password
The root account
Set login time out for the root account
Shell logging
The single-user login mode of Linux
Disabling Ctrl-Alt-Delete keyboard shutdown command
Limiting the default number of started ttys on the server
The LILO and /etc/lilo.conf file
The GRUB and /boot/grub/grub.conf file
The /etc/services file
The /etc/securetty file
Special accounts
Control mounting a file system
Mounting the /usr directory of Linux as read-only
Tighten scripts under /etc/init.d
Tighten scripts under /etc/cron.daily/
Bits from root-owned programs
Don’t let internal machines tell the server what their MAC address is
Unusual or hidden files
Finding Group and World Writable files and directories
Unowned files
Finding .rhosts files
Physical hard copies of all-important logs
Getting some more security by removing manual pages
System is compromised!

Pluggable Authentication Modules
The password length
Disabling console program access
Disabling all console access
The Login access control table
Tighten console permissions for privileged users
Putting limits on resource
Controlling access time to services
Blocking; su to root, by one and sundry
Using sudo instead of su for logging as super-user

General Optimization
Static vs. shared libraries
The Glibc 2.2 library of Linux
Why Linux programs are distributed as source
Some misunderstanding in the compiler flags options
The gcc specs file
Striping all binaries and libraries files
Tuning IDE Hard Disk Performance

Kernel Security & Optimization
Difference between a Modularized Kernel and a Monolithic Kernel
Making an emergency boot floppy
Preparing the Kernel for the installation
Applying the Grsecurity kernel patch
Obtaining and Installing Grsecurity
Tuning the Kernel
Cleaning up the Kernel
Configuring the Kernel
Compiling the Kernel
Installing the Kernel
Verifying or upgrading your boot loader
Reconfiguring /etc/modules.conf file
Rebooting your system to load the new kernel
Delete programs, edit files pertaining to modules
Making a new rescue floppy for Modularized Kernel
Making a emergency boot floppy disk for Monolithic Kernel

Use Cisco Discovery Protocol and show commands to verify the Layer 1 and Layer 2

CCNPv6 TSHOOT
Physical Topology

Objectives

Background
Note:
Required Resources
Task 1: Assign Responsibility for Each Device (optional)
Step 1: Review the lab topology together with your team members.
Step 2: Assign responsibility for each device to a team member.
Device Responsibilities Table
Device Description Responsible Team Member
Task 2: Load the Baseline Device Configuration Files
Note:
ip host name ip-addr
Step 1: Verify the existence and location of the lab configuration files.
show flash cd dir

Note:

show flash
cd
ALS1#show flash:
Directory of flash:/
3 -rwx 916 Mar 1 1993 00:00:29 +00:00 vlan.dat
619 -rwx 6582 Mar 1 1993 00:10:09 +00:00 config.text
6 drwx 192 Oct 9 2009 13:00:50 +00:00 c2960-lanbasek9-mz.122-46.SE.bin
622 drwx 128 Oct 9 2009 13:03:05 +00:00 tshoot
ALS1#cd tshoot
ALS1#dir
Directory of flash:/tshoot/
623 -rwx 6582 Oct 9 2009 13:03:05 +00:00 Lab31-ALS1-Base-Cfg.txt
624 -rwx 6578 Oct 9 2009 12:32:48 +00:00 Lab41-ALS1-TT-A-Cfg.txt
<output omitted>
Alternatively, you can see the contents of the directory by specifying its name using the dir command. For example:
ALS1#dir flash:/tshoot
Directory of flash:/tshoot/
5 -rwx 6515 Oct 9 2009 14:39:42 +00:00 Lab31-ALS1-Base-Cfg.txt
Note:

show flash

R1#show flash:
-#- --length-- -----date/time------ path
1 38266988 Sep 24 2009 17:47:14 c1841-advipservicesk9-mz.124-24.T1.bin
2 0 Oct 09 2009 12:32:06 tshoot
3 2288 Oct 09 2009 12:32:48 tshoot/Lab31-R1-Base-Cfg.txt

<output omitted>
Step 2: Erase the startup config from NVRAM.
ALS1#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete

Step 3: Delete the VLAN database from flash (switches only).
ALS1#delete vlan.dat
Delete flash:vlan.dat? [confirm]
Step 4: Reload the device, but do not save the system configuration if prompted.
ALS1#reload
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

*Oct 1 00:29:28.704: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
Step 5: When the device restarts, do not enter the initial configuration dialog, but terminate autoinstall if prompted.
Press RETURN to get started!
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Would you like to terminate autoinstall? [yes]: Enter
Step 6: Copy the specified lab device configuration file from flash to the running config.
Switch>enable
Switch#copy flash:/tshoot/Lab31-ALS1-Base-Cfg.txt running-config
Destination filename [running-config]? Enter
ALS1#

Step 7: Copy the running config to the startup config.
ALS1#copy running-config startup-config
Building configuration…
[OK]

Note:

admin enable

ciscoenpa55
Step 8: Repeat Steps 1 through 7 for the other devices in the network.
Step 9: Configure the PCs.
Step 10: Test basic network connectivity between devices.
Note:
Task 3: Analyze and Document the Physical Lab Topology
Note:
Step 1: Review the physical topology diagram on page 1 of the lab.
connections of the lab topology.

show cdp
Device Links Table
From Device Interface To Device Interface Layer 1 and 2 Features and Protocols Used
Step 3: Map the VLANs used in the lab to the devices in the diagram.
VLAN Definition Table
VLAN # Name Description VLAN Members
Step 4: Analyze spanning tree for the Layer 2 switched domain.
Step 5: Diagram the spanning tree for VLAN 10.

Student Notes
Task 4: Analyze and Document the Logical Lab Topology
Step 1: Review the logical lab diagram and the subnets.

Cisco Systems, Inc. (NASDAQ:CSCO) News Sentiment Score At 0.299

The latest way to get the stock sentiment on listed companies in the market is algorithm-based analytics, which is also used by Alpha One. It helps retail investors to make an investment choice and earn profits from wise investments. To get this stock sentiment, the group tracks news from numerous channels. The only thing that has to be taken care of is the quality of the articles. These articles should be recent and relevant so as to get a rational sentiment score. Cisco Systems, Inc. (NASDAQ:CSCO) has been given a 0.299 score by the group.

Coming to the scale, the group assigns an impact score on a 1-100 scale. The score, given on a daily basis, is referred to by investors to gauge the direction of the stock in a single session. Cisco Systems, Inc. has an 80 in the last session. Following this impact score, the experts tracking the equity have assigned a 13-month price forecast of $28.63 on the stock.

It is computed by considering the stock recommendations of 23 analysts. These market experts took part in the Zacks poll, and set a price range varying from the bullish target of $37 to the bearish target of $17.

It is a process advanced by Zacks wherein it collects analysts’ views and gets an average score on a beginner’s scale. It in turn makes it easy for shareholders to interpret the analysts’ lingo and obtain a clear direction on the stock. The Zacks ABR varies in a range of 1 to 5. The stock holds bullish view when it has a rating of one while the outlook is the street in case stock has a rating of 5. Cisco Systems, Inc. (NASDAQ:CSCO) ABR stands at 1.81 while it was 1.81 three months ago.

The firm can report its quarterly earnings around 2016-05-11. It is a probable date calculated from the last update issued by the company. Zacks had specified an EPS target of $0.55 for this quarter, which may not match the First Call EPS projected numbers.

Shareholders will be following the revised earnings estimates prior to the earnings date. Cisco Systems, Inc. posted EPS of $0.53 for the quarter closed on 2016-01-31. It missed the Zacks estimate by $0.09, leading to an alarming deviation of 20.45%.

It is an accustomed trend for the publicly listed companies to react to the announced quarterly report. In case, Cisco Systems, Inc. posts numbers better than the market expectations, the stock price can record sharp gains in the sessions after the earnings release.

Cisco Systems, Inc. (NASDAQ:CSCO) Sentiment Rating At 3.67

Cisco Systems, Inc. (NASDAQ:CSCO) has succeeded in getting a sentiment rating of 3.67, which was nailed after ClosingBell.co ended its poll. It collected all important data to obtain an average score on a ‘1-5’ scale. For the record, it is imperative to detail that a rating of one signifies upbeat opinion on the stock and a score of five highlights bearish outlook. These ratings help investors get an additional outlook on investment sentiment in contrast to the research group’s view on the stock.

Cisco Systems, Inc. (NASDAQ:CSCO) stock has fetched 21 active ratings. In all, the average buy rating count is computed at 13 while the bullish statements count stands at 1. Another group, PsychSignal, prefers to get mass stock sentiment using a “Natural Language Processing Engine”. This advanced system is well designed and directs investors in reading the digital terminology of Wall Street analysts. PsychSignal recorded 21 messages on leading social media platforms such as Twitter.

The novel ‘Natural Language Processing’ method gathers the mass sentiment to get an outlook on a stock. It is used to provide a basic understanding of analysts’ terminology to investors. As per the 21 posts recorded on N/A, bullish statements count was N/A while negative posts count was N/A.

PsychSignal’s methodology is an excellent process, which evaluates the latest online posts pertaining to a stock for Bullishness and Bearishness intensity. As per this mechanism, the score of ‘0’ stands for bullish sentiment and ‘4’ is for increased intensity of Bullish sentiment. Cisco Systems, Inc. (NASDAQ:CSCO)’s Bullish Sentiment is N/A. Similarly, the bearishness extent ranges from 0-4, where 4 indicates strong bearishness sentiment on a given stock.

On N/A, the Bearish Sentiment score of N/A was N/A. Of the total 21 posts on Twitter, N/A had positive sentiment while N/A led to bearish views. There were N/A on StockTwits, of which N/A were negative against N/A positive messages.

The bullish degree stood at N/A while N/A was the intensity of bearishness. This analysis is compared against the analysts’ recommendations. Cisco Systems, Inc. has a score of 1.81, which reflects the combined view of Wall Street analysts surveyed in the Zacks poll.

Cisco Systems, Inc. had a consensus score of 1.81 a quarter earlier. The wide range of price estimates runs from $17 to $37. The mean price estimation of $28.63 was reached after polling 23 experts. Cisco Systems, Inc. can post its earnings around 2016-05-11.