/dev/sda6 /usr ext2 ro 0 0

This approach may make your machine difficult to update, so use this tactic with care. Mount filesystems other than / and /usr nosuid to prevent setuid programs from executing on those filesystems.
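One way to check a host against the nosuid rule above, as an added example that is not from the original text. The function name audit_nosuid, the list of skipped filesystem types, and the sample fstab are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: list fstab entries that should carry nosuid but do not.

# audit_nosuid FILE
#   FILE is in fstab format (device, mount point, type, options, dump, pass).
#   Prints each mount point that is not / or /usr and lacks the nosuid option.
audit_nosuid() {
    awk '
        $1 ~ /^#/ { next }                    # comment line
        NF < 4    { next }                    # blank or malformed line
        $2 == "/" || $2 == "/usr" { next }    # exempt, as in the text
        # Assumption: skip swap and kernel pseudo-filesystems.
        $3 ~ /^(swap|proc|sysfs|devpts)$/ { next }
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "nosuid") next
            print $2
        }
    ' "$1"
}

# Constructed sample fstab (not from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# device    mount       type  options          dump pass
/dev/sda1   /           ext3  defaults         1 1
/dev/sda6   /usr        ext2  ro               0 0
/dev/sda4   /var        ext3  nosuid           0 0
/dev/sda5   /usr/local  ext3  nosuid           0 0
/dev/sda7   /home       ext3  defaults         1 2
/dev/sda8   /tmp        ext3  noexec,nodev     1 2
/dev/sda2   swap        swap  defaults         0 0
EOF

echo "Mount points missing nosuid:"
audit_nosuid "$sample"
rm -f "$sample"
```

Pass /etc/fstab as the argument to audit the configured mounts on a real system.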

For example,

/dev/sda4 /var       ext3 nosuid 0 0
/dev/sda5 /usr/local ext3 nosuid 0 0

Use a barrier or firewall product between your network and the Internet. Several valuable mailing lists cover firewalls, including the firewalls newsgroup and the free firewalls Web site,

Fedora/RHEL includes iptables (page 819), which allows you to implement a firewall.

Host Security

Your host must be secure. Simple security steps include preventing remote logins and leaving the /etc/hosts.equiv and individual users' ~/.rhosts files empty (or not having them at all). Complex security steps include installing IPSec for VPNs between hosts. Many common security measures fall somewhere in between these two extremes.

A few of these follow. See Table C-1 on page 1058 for relevant URLs.

Although potentially tricky to implement and manage, intrusion detection systems (IDSs) are an excellent way to keep an eye on the integrity of a device. An IDS can warn of possible attempts to subvert security on the host on which it runs. The great-granddaddy of intrusion detection systems is tripwire. This host-based system checks modification times and integrity of files by using strong algorithms (cryptographic checksums or signatures) that can detect even the most minor modifications. A commercial version of tripwire is also available. Another commercial IDS is DragonSquire. Other free, popular, and flexible IDSs include samhain and AIDE. The last two IDSs offer even more features and means of remaining invisible to users than tripwire does. Commercial IDSs that are popular in enterprise environments include Cisco Secure IDS (formerly NetRanger), Enterasys Dragon, and ISS RealSecure.

Keep Fedora systems up-to-date by downloading and installing the latest updates. Use yum to update the system regularly (page 500) or set up the system to update itself every night automatically (page 504). Go to fedora.redhat.com/download/updates.html for more information. Red Hat Network (RHN, page 516) can automatically or semiautomatically keep one or more systems up-to-date, preventing the system from becoming prey to fixed security bugs.

Complementing host-based IDSs are network-based IDSs. The latter programs monitor the network and nodes on the network and report suspicious occurrences (attack signatures) via user-defined alerts. These signatures can be matched based on known worms, overflow attacks against programs, or unauthorized scans of network ports. Such programs as snort, klaxon, and NFR are used in this capacity. Commercial programs, such as DragonSentry, also fill this role.

Provided with Fedora/RHEL is PAM, which allows you to set up different methods and levels of authentication in many ways (page 458).

Process accounting, a good supplement to system security, can provide a continuous record of user actions on your system. See the accton man page for more information.

Emerging standards for such things as Role Based Access Control (RBAC) allow tighter delegation of privileges along defined organizational boundaries. You can delegate a role or roles to each user as appropriate to the access required.

General mailing lists and archives are extremely useful repositories of security information, statistics, and papers. The most useful are the bugtraq mailing list and CERT. The bugtraq site and email service offer immediate notifications about specific vulnerabilities, whereas CERT provides notice of widespread vulnerabilities and useful techniques to fix them, as well as links to vendor patches.

The rsyslog facility (provided with Fedora/RHEL) can direct messages from system daemons to specific files such as those in /var/log. On larger groups of systems, you can send all important rsyslog information to a secure host, where that host's only function is to store rsyslog data so that it cannot be tampered with. See page 390 and the rsyslogd man page for more information.