LFS Paper on Secure Servers
bertrand at juglas.name
Sat May 1 02:59:09 PDT 2004
Bruce Dubbs wrote:
> I've been working on a major paper based on LFS for the last few months
> and have now come to the point where it should be released. The paper
> is at:
> The files are also available at:
> so you might want to use that site to not overload the main lfs site.
> The html file is not what I consider well rendered and is a single file,
> but I wanted to get the paper released. I intend to redo the format in
> the new LFS XML style that Manuel and others have been working on so hard.
> The files are fairly large (306K html, 493K pdf). The paper is 59 pages
> plus about 100 pages of appendices, so it's not a quick read. I am
> interested in maintaining the paper, so if there are any suggestions for
> improvement, they are welcome.
> The abstract reads:
> "When securing a server, most administrators start with a commercial
> distribution and try to modify the configuration to
> eliminate security problem areas. The problem is that most distributions
> have many packages installed that are unnecessary on a server. For
> instance, the RedHat 9 distribution loads a minimum of 115 packages.
> Knowing what these packages are and the security implementations of each
> is very difficult.
> This paper takes a different approach. It starts by building a base
> system from "scratch" using the techniques from the Linux From Scratch
> project. To that base, the administration and security tools required to
> manage the system are added. Finally, the server applications are
> After the system is built however, configuration is not finished. Even
> though a small number of packages have been
> installed, some files need to be removed for security reasons. After
> that, final configuration tasks are required before deploying the server.
> When deployed, the job of maintaining security is never complete. The
> administrator must continue to be vigilant and enter
> an ongoing cycle of security tasks. This cycle consists of four phases:
> Planning, Implementing, Monitoring, and Analyzing security and
> performance issues for the life of the system.
> To demonstrate the principles described above, this paper will provide a
> step by step guide to implementing a Domain Name System (DNS) server for
> a medium size organization. From this description, an administrator can
> use most of the techniques described to build many types of servers by
> removing the DNS software and adding a few applications to the secured
> base system.
> There are some prerequisites for developing this type of system. A
> moderate amount of UNIX system administrator skills including
> familiarity with building software from source distributions is needed.
> Beyond that, the only other skill needed is to be able to precisely
> follow instructions. In some cases, deviations made by a knowledgeable
> administrator are appropriate, however changes to the procedures given
> are not recommended for the first build."
> -- Bruce
Thanks for your great work, I will try to test it on my development
server and write back to you my comments to help you maintain it ;)
If you are searching for a tester, I propose myself.
Thanks a lot,