LFS Paper on Secure Servers
bdubbs at swbell.net
Fri Apr 30 23:58:02 PDT 2004
I've been working on a major paper based on LFS for the last few months
and have now come to the point where it should be released. The paper
The files are also available at:
so you might want to use that site to not overload the main lfs site.
The html file is not what I consider well rendered and is a single file,
but I wanted to get the paper released. I intend to redo the format in
the new LFS XML style that Manuel and others have been working on so hard.
The files are fairly large (306K html, 493K pdf). The paper is 59 pages
plus about 100 pages of appendicies, so its not a quick read. I am
interested in maintaing the paper, so if there are any suggestions for
improvement, they are welcome.
The abstract reads:
"When securing a server, most administrators start with a commercial
distribution and try to modify the configuration to
eliminate security problem areas. The problem is that most distributions
have many packages installed that are unnecessary on a server. For
instance, the RedHat 9 distribution loads a minimum of 115 packages.
Knowing what these packages are and the security implementations of each
is very difficult.
This paper takes a different approach. It starts by building a base
system from "scratch" using the techniques from the Linux From Scratch
project. To that base, the administration and security tools required to
manage the system are added. Finally, the server applications are installed.
After the system is built however, configuration is not finished. Even
though a small number of packages have been
installed, some files need to be removed for security reasons. After
that, final configuration tasks are required before deploying the server.
When deployed, the job of maintaining security is never complete. The
administrator must continue to be vigilant and enter
an ongoing cycle of security tasks. This cycle consists of four phases:
Planning, Implementing, Monitoring, and Analyzing security and
performance issues for the life of the system.
To demonstrate the principles described above, this paper will provide a
step by step guide to implementing a Domain Name System (DNS) server for
a medium size organization. From this description, an administrator can
use most of the techniques described to build many types of servers by
removing the DNS software and adding a few applications to the secured
There are some prerequsites for developing this type of system. A
moderate amount of UNIX system administrator skills including
familiarity with building software from source distributions is needed.
Beyond that, the only other skill needed is to be able to precisely
follow instructions. In some cases, deviations made by a knowledgeable
administrator are appropriate, however changes to the procedures given
are not recommended for the first build."
More information about the lfs-security