LFS Paper on Secure Servers

Bruce Dubbs bdubbs at swbell.net
Fri Apr 30 23:58:02 PDT 2004

I've been working on a major paper based on LFS for the last few months 
and have now come to the point where it should be released.  The paper 
is at:


The files are also available at:


so you might want to use that site to not overload the main lfs site.

The html file is not what I consider well rendered and is a single file, 
but I wanted to get the paper released. I intend to redo the format in 
the new LFS XML style that Manuel and others have been working on so hard. 

The files are fairly large (306K html, 493K pdf).  The paper is 59 pages 
plus about 100 pages of appendicies, so its not a quick read.  I am 
interested in maintaing the paper, so if there are any suggestions for 
improvement, they are welcome.

The abstract reads:

"When securing a server, most administrators start with a commercial 
distribution and try to modify the configuration to
eliminate security problem areas. The problem is that most distributions 
have many packages installed that are unnecessary on a server. For 
instance, the RedHat 9 distribution loads a minimum of 115 packages. 
Knowing what these packages are and the security implementations of each 
is very difficult.

This paper takes a different approach. It starts by building a base 
system from "scratch" using the techniques from the Linux From Scratch 
project. To that base, the administration and security tools required to 
manage the system are added. Finally, the server applications are installed.

After the system is built however, configuration is not finished. Even 
though a small number of packages have been
installed, some files need to be removed for security reasons. After 
that, final configuration tasks are required before deploying the server.

When deployed, the job of maintaining security is never complete. The 
administrator must continue to be vigilant and enter
an ongoing cycle of security tasks. This cycle consists of four phases: 
Planning, Implementing, Monitoring, and Analyzing security and 
performance issues for the life of the system.

To demonstrate the principles described above, this paper will provide a 
step by step guide to implementing a Domain Name System (DNS) server for 
a medium size organization. From this description, an administrator can 
use most of the techniques described to build many types of servers by 
removing the DNS software and adding a few applications to the secured 
base system.

There are some prerequsites for developing this type of system. A 
moderate amount of UNIX system administrator skills including 
familiarity with building software from source distributions is needed. 
Beyond that, the only other skill needed is to be able to precisely 
follow instructions. In some cases, deviations made by a knowledgeable 
administrator are appropriate, however changes to the procedures given 
are not recommended for the first build."


  -- Bruce

More information about the lfs-security mailing list