neysx 06/09/18 09:22:48

Modified: shb-chroot.xml shb-firewalls.xml shb-intrusion.xml
shb-kernel.xml shb-limits.xml shb-logging.xml
shb-mounting.xml shb-pam.xml shb-perms.xml
shb-pre.xml shb-services.xml shb-tight.xml
shb-uptodate.xml
Log:
#147760 Removed all trailing spaces, no content change

Revision Changes Path
1.3 xml/htdocs/doc/en/security/shb-chroot.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml?r1=1.2&r2=1.3

Index: shb-chroot.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-chroot.xml 15 Dec 2005 22:45:57 -0000 1.2
+++ shb-chroot.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v 1.2 2005/12/15 22:45:57 rane Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-chroot.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -32,13 +32,13 @@
</p>

<p>
-Create the <path>/chroot</path> directory with <c>mkdir /chroot</c>. And find what
-dynamic libraries that <c>bash</c> is compiled with (if it is compiled with
+Create the <path>/chroot</path> directory with <c>mkdir /chroot</c>. And find what
+dynamic libraries that <c>bash</c> is compiled with (if it is compiled with
<c>-static</c> this step is not necessary):
</p>

<p>
-The following command will create a list of libraries used by <c>bash</c>.
+The following command will create a list of libraries used by <c>bash</c>.
</p>

<pre caption="Get listing of used libraries">
@@ -63,28 +63,28 @@
Next copy the files used by <c>bash</c> (<path>/lib</path>) to the chrooted
<path>lib</path> and copy the bash command to the chrooted <path>bin</path>
directory. This will create the exact same environment, just with less
-functionality. After copying try it out: <c>chroot /chroot/bash /bin/bash</c>.
+functionality. After copying try it out: <c>chroot /chroot/bash /bin/bash</c>.
If you get an prompt saying <path>/</path> it works! Otherwise it will properly
tell you what a file is missing. Some shared libraries depend on each other.
</p>

<p>
-You will notice that inside the chroot nothing works except <c>echo</c>. This
-is because we have no other commands in out chroot environment than bash and
+You will notice that inside the chroot nothing works except <c>echo</c>. This
+is because we have no other commands in out chroot environment than bash and
<c>echo</c> is a build-in functionality.
</p>

<p>
-This is basically the same way you would create a chrooted service. The only
-difference is that services sometimes rely on devices and configuration files
-in <path>/etc</path>. Simply copy them (devices can be copied with <c>cp
--a</c>) to the chrooted environment, edit the init script to use chroot before
-executing. It can be difficult to find what devices and configuration files a
-services need. This is where the <c>strace</c> command becomes handy. Start
-the service with <c>/usr/bin/strace</c> bash and look for open, read, stat and
-maybe connect. This will give you a clue on what files to copy. But in most
-cases just copy the passwd file (edit the copy and remove users that has
-nothing to do with the service), <path>/dev/zero</path>, <path>/dev/log</path>
+This is basically the same way you would create a chrooted service. The only
+difference is that services sometimes rely on devices and configuration files
+in <path>/etc</path>. Simply copy them (devices can be copied with <c>cp
+-a</c>) to the chrooted environment, edit the init script to use chroot before
+executing. It can be difficult to find what devices and configuration files a
+services need. This is where the <c>strace</c> command becomes handy. Start
+the service with <c>/usr/bin/strace</c> bash and look for open, read, stat and
+maybe connect. This will give you a clue on what files to copy. But in most
+cases just copy the passwd file (edit the copy and remove users that has
+nothing to do with the service), <path>/dev/zero</path>, <path>/dev/log</path>
and <path>/dev/random</path>.
</p>

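Review bot: the re-indented paragraphs keep several typos that this whitespace-only commit (no content change, per the log) leaves in place: "an prompt" should be "a prompt", "properly tell you what a file is missing" should be "probably tell you which file is missing", "out chroot environment" should be "our chroot environment", "build-in" should be "built-in", "a services need" should be "a service needs" and "users that has" should be "users that have"; a follow-up commit can fix them. On the strace advice in the last paragraph, `strace -f -e trace=file` is the more useful invocation for this job: `-f` also records files opened by child processes the service forks, and `-e trace=file` narrows the output to the path-taking calls (open, stat and friends) that the paragraph tells the reader to look for.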



1.4 xml/htdocs/doc/en/security/shb-firewalls.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml?rev=1.4&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml?rev=1.4&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml?r1=1.3&r2=1.4

Index: shb-firewalls.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- shb-firewalls.xml 12 Dec 2005 02:10:43 -0000 1.3
+++ shb-firewalls.xml 18 Sep 2006 09:22:48 -0000 1.4
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml,v 1.3 2005/12/12 02:10:43 vanquirius Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-firewalls.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -15,10 +15,10 @@
<body>

<p>
-People often think that a firewall provides the ultimate security, but they
-are wrong. In most cases a misconfigured firewall gives less security than
-not having one at all. A firewall is also a piece of software and should be
-treated the same way as any other piece of software, because it is just as likely
+People often think that a firewall provides the ultimate security, but they
+are wrong. In most cases a misconfigured firewall gives less security than
+not having one at all. A firewall is also a piece of software and should be
+treated the same way as any other piece of software, because it is just as likely
to contain bugs.
</p>

@@ -101,7 +101,7 @@
<ul>
<li>Simple and easy to implement</li>
<li>
- Can give warnings of a possible attack before it happens (ie. by detecting
+ Can give warnings of a possible attack before it happens (ie. by detecting
port scans)
</li>
<li>Good for stopping SYN attacks</li>
@@ -120,7 +120,7 @@
</ul>
<!--FIXME: should SmoothWall really be included, since it uses iptables?-->
<note>
-It is recommended that you use iptables. Ipchains is obsoleted.
+It is recommended that you use iptables. Ipchains is obsoleted.
</note>

</body>
@@ -241,7 +241,7 @@
<p>
Iptables is the new and heavily improved packet filter in the Linux 2.4.x
kernel. It is the successor of the previous ipchains packet filter in the Linux
-2.2.x kernel. One of the major improvements is that iptables is able to perform
+2.2.x kernel. One of the major improvements is that iptables is able to perform
stateful packet filtering. With stateful packet filtering it is possible to
keep track of each established TCP connection.
</p>
@@ -273,41 +273,41 @@
</p>

<p>
-Iptables provides several other features like NAT (Network Address Translation)
-and rate limiting. Rate limiting is extremely useful when trying to prevent
+Iptables provides several other features like NAT (Network Address Translation)
+and rate limiting. Rate limiting is extremely useful when trying to prevent
certain DoS (Denial of Service) attacks like SYN floods.
</p>

<p>
-A TCP connection is established by a so called three-way handshake. When
-establishing a TCP connection the client-side sends a packet to the server
-with the SYN flag set. When the server-side receives the SYN packet it
-responds by sending a SYN+ACK packet back to the client-side. When the SYN+ACK
-is received the client-side responds with a third ACK packet in effect
+A TCP connection is established by a so called three-way handshake. When
+establishing a TCP connection the client-side sends a packet to the server
+with the SYN flag set. When the server-side receives the SYN packet it
+responds by sending a SYN+ACK packet back to the client-side. When the SYN+ACK
+is received the client-side responds with a third ACK packet in effect
acknowledging the connection.
</p>

<p>
-A SYN flood attack is performed by sending the SYN packet but failing to
-respond to the SYN+ACK packet. The client-side can forge a packet with a fake
+A SYN flood attack is performed by sending the SYN packet but failing to
+respond to the SYN+ACK packet. The client-side can forge a packet with a fake
source IP address because it does not need a reply. The server-side system will
-add an entry to a queue of half-open connections when it receives the SYN
-packet and then wait for the final ACK packet before deleting the entry from
-the queue. The queue has a limited number of slots and if all the slots are
-filled it is unable to open any further connections. If the ACK packet is not
-received before a specified timeout period the entry will automatically be
-deleted from the queue. The timeout settings vary but will typically be 30-60
-seconds or even more. The client-side initiates the attack by forging a lot of
-SYN packets with different source IP addresses and sends them to the target IP
-address as fast as possible and thereby filling up the queue of half-open
+add an entry to a queue of half-open connections when it receives the SYN
+packet and then wait for the final ACK packet before deleting the entry from
+the queue. The queue has a limited number of slots and if all the slots are
+filled it is unable to open any further connections. If the ACK packet is not
+received before a specified timeout period the entry will automatically be
+deleted from the queue. The timeout settings vary but will typically be 30-60
+seconds or even more. The client-side initiates the attack by forging a lot of
+SYN packets with different source IP addresses and sends them to the target IP
+address as fast as possible and thereby filling up the queue of half-open
connections and thus preventing other clients from establishing a legitimate
connection with the server.
</p>

<p>
-This is where the rate limit becomes handy. It is possible to limit the rate
-of accepted SYN packets by using the <c>-m limit --limit 1/s</c>. This will
-limit the number of SYN packets accepted to one per second and therefore
+This is where the rate limit becomes handy. It is possible to limit the rate
+of accepted SYN packets by using the <c>-m limit --limit 1/s</c>. This will
+limit the number of SYN packets accepted to one per second and therefore
restricting the SYN flood on our resources.
</p>

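Review bot: the last paragraph oversells `-m limit --limit 1/s`: the limit match keeps one token bucket for all packets that reach the rule, not one per source address, so under a flood it caps legitimate new connections at one per second just as much as the attacker's; the text should present it as damage limitation that keeps the half-open queue from filling, not as something that lets real clients through, and it should mention `--limit-burst`, which sets how many SYNs may pass before the per-second rate starts to bite (the example leaves it at the module default). Minor wording in the same hunk: "and therefore restricting" should be "thereby restricting".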
@@ -324,16 +324,16 @@
</p>

<p>
-When iptables is loaded in the kernel it has 5 hooks where you can place your
-rules. They are called <c>INPUT</c>, <c>OUTPUT</c>, <c>FORWARD</c>,
-<c>PREROUTING</c> and <c>POSTROUTING</c>. Each of these is called a chain and
-consists of a list of rules. Each rule says if the packet header looks like
-this, then here is what to do with the packet. If the rule does not match the
+When iptables is loaded in the kernel it has 5 hooks where you can place your
+rules. They are called <c>INPUT</c>, <c>OUTPUT</c>, <c>FORWARD</c>,
+<c>PREROUTING</c> and <c>POSTROUTING</c>. Each of these is called a chain and
+consists of a list of rules. Each rule says if the packet header looks like
+this, then here is what to do with the packet. If the rule does not match the
packet the next rule in the chain is consulted.
</p>

<p>
-You can place rules directly in the 5 main chains or create new chains and add
+You can place rules directly in the 5 main chains or create new chains and add
them to as a rule to an existing chain. Iptables supports the following options.
</p>

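Review bot: "create new chains and add them to as a rule to an existing chain" in the second paragraph is garbled; suggest "create new chains and jump to them from one of the built-in chains with -j chainname", which is exactly what the sample script does later with `$IPTABLES -A INPUT -j icmp_allowed`. The first paragraph could also say that a packet which reaches the end of a built-in chain without a match gets that chain's policy, since the "all incoming packets are dropped" example further down depends on that.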
@@ -528,7 +528,7 @@
<ti>owner</ti>
<ti>Attempt to match various characteristics of the packet creator</ti>
<ti>
- --uid-owner userid --gid-owner groupid --pid-owner processid --sid-owner
+ --uid-owner userid --gid-owner groupid --pid-owner processid --sid-owner
sessionid
</ti>
</tr>
@@ -539,7 +539,7 @@
</table>

<p>
-Lets try to create a user-defined chain and apply it to one of the existing
+Lets try to create a user-defined chain and apply it to one of the existing
chains:
</p>

@@ -556,7 +556,7 @@
</pre>

<p>
-By applying the rule to the input chain we get the policy: All outgoing packets
+By applying the rule to the input chain we get the policy: All outgoing packets
are allowed and all incoming packets are dropped.
</p>

@@ -573,11 +573,11 @@
<ul>
<li>Connections to the firewall are only allowed through SSH (port 22)</li>
<li>
- The local network should have access to HTTP, HTTPS and SSH (DNS should also
+ The local network should have access to HTTP, HTTPS and SSH (DNS should also
be allowed)
</li>
<li>
- ICMP traffic can contain payload and should not be allowed. Of course we have
+ ICMP traffic can contain payload and should not be allowed. Of course we have
to allow some ICMP traffic.
</li>
<li>Port scans should be detected and logged</li>
@@ -621,7 +621,7 @@
$IPTABLES -N allowed-connection
$IPTABLES -F allowed-connection
$IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix \
+ $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix \
"Bad packet from ${IINTERFACE}:"
$IPTABLES -A allowed-connection -j DROP

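Review bot: the LOG rule in allowed-connection has two gaps that make the "Bad packet" log unreliable as evidence. It uses `-m limit` with no `--limit`, so it runs at the limit module's default rate and most packets that fall through to the following DROP are never written; give it an explicit `--limit` and `--limit-burst` like the other LOG rules in this script. It also matches only `-i $IINTERFACE`, while the DROP on the next line applies to every interface, so packets rejected on the internal side leave no trace at all; either log regardless of interface or add a second LOG rule for the inside.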
@@ -629,9 +629,9 @@
einfo "Creating icmp chain"
$IPTABLES -N icmp_allowed
$IPTABLES -F icmp_allowed
- $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
+ $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
time-exceeded -j ACCEPT
- $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
+ $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
destination-unreachable -j ACCEPT
$IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
$IPTABLES -A icmp_allowed -p icmp -j DROP
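Review bot: the two ACCEPT rules in icmp_allowed require `--state NEW`, but connection tracking classifies an ICMP error that refers to an existing flow (which is what a destination-unreachable or time-exceeded in reply to this host's own traffic is) as RELATED, not NEW, so exactly the messages the chain is meant to let through fall to the "Bad ICMP traffic" LOG and DROP below. Match `--state NEW,RELATED` for these two types, or drop the state match altogether since the type match is already the restriction. Because the chain ends in an unconditional `-p icmp -j DROP` and INPUT jumps to it before anything else, no later rule can rescue other legitimate ICMP (echo replies to the host's own pings, for instance); if that is the intent, the "Of course we have to allow some ICMP traffic" requirement should say so.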
@@ -641,11 +641,11 @@
$IPTABLES -N allow-ssh-traffic-in
$IPTABLES -F allow-ssh-traffic-in
#Flood protection
- $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
+ $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL RST --dport ssh -j ACCEPT
- $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
+ $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL FIN --dport ssh -j ACCEPT
- $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
+ $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

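Review bot: only the third "flood protection" rule does useful work. `--tcp-flags ALL RST` and `--tcp-flags ALL FIN` match segments that carry exactly RST or exactly FIN with no ACK; segments that belong to a tracked SSH session are already accepted by the RELATED,ESTABLISHED rule at the end, so these two rules admit nothing a legitimate client needs and chiefly let bare-flag probes through to sshd. Suggest removing them and keeping the SYN rule, with a note that `--limit 1/second` is shared by every client, so one noisy source also throttles everyone else's new SSH sessions.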
@@ -658,9 +658,9 @@
einfo "Creating outgoing dns traffic chain"
$IPTABLES -N allow-dns-traffic-out
$IPTABLES -F allow-dns-traffic-out
- $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \
+ $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \
-j ACCEPT
- $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \
+ $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \
-j ACCEPT

einfo "Creating outgoing http/https traffic chain"
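Review bot: allow-dns-traffic-out only permits UDP to port domain on $DNS1 and $DNS2. A resolver that receives a truncated UDP answer (TC bit set, common for large responses) retries the same query over TCP, and that retry is silently dropped by this rule set; add matching `-p tcp -d $DNS1 --dport domain -j ACCEPT` and `-p tcp -d $DNS2 --dport domain -j ACCEPT` rules so name resolution does not fail intermittently in a way that is hard to diagnose.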
@@ -673,29 +673,29 @@
einfo "Creating portscan detection chain"
$IPTABLES -N check-flags
$IPTABLES -F check-flags
- $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
- --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
+ $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
+ --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
+ $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
+ $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
-m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
+ $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
--limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
+ $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
+ $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Apply and add invalid states to the chains
einfo "Applying chains to INPUT"
$IPTABLES -A INPUT -m state --state INVALID -j DROP
- $IPTABLES -A INPUT -j icmp_allowed
+ $IPTABLES -A INPUT -j icmp_allowed
$IPTABLES -A INPUT -j check-flags
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j allow-ssh-traffic-in
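Review bot: the six LOG rules in check-flags record the same class of event at three different priorities: `--log-level alert` (numeric 1) for NMAP-XMAS, `--log-level 1` for XMAS, XMAS-PSH and NULL_SCAN, and `--log-level 5` (notice) for SYN/RST and SYN/FIN. Anyone filtering the syslog output on priority will see only part of a scan; pick one level for all six so the "port scans should be detected and logged" requirement is met consistently. The comment `# Apply and add invalid states to the chains` is also slightly misleading, since the INVALID packets are dropped, not added to anything.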
@@ -703,7 +703,7 @@

einfo "Applying chains to FORWARD"
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
- $IPTABLES -A FORWARD -j icmp_allowed
+ $IPTABLES -A FORWARD -j icmp_allowed
$IPTABLES -A FORWARD -j check-flags
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j allow-ssh-traffic-in
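Review bot: `$IPTABLES -A FORWARD -o lo -j ACCEPT` can never match. Packets that traverse FORWARD are being routed between real interfaces; anything destined for the loopback interface is delivered locally through INPUT instead, so this rule is dead weight copied from the INPUT counterpart `-i lo -j ACCEPT`. Remove it, or if the intent was to allow forwarding between the internal interfaces, name those interfaces explicitly so the rule documents a real decision.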
@@ -721,7 +721,7 @@
$IPTABLES -A OUTPUT -j allowed-connection

#Allow client to route through via NAT (Network Address Translation)
- $IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE
+ $IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE
eend $?
}

@@ -791,7 +791,7 @@
echo "rules) force settings of new rules"
echo "save) will store settings in ${FIREWALL}"
echo "restore) will restore settings from ${FIREWALL}"
- echo "showstatus) Shows the status"
+ echo "showstatus) Shows the status"
}
</pre>

@@ -831,7 +831,7 @@
browser, authenticated user name, MIME type, and port number (protocol). I
probably forgot some features, but it can be hard to cover the entire list right
here.
-</p>
+</p>

<p>
In the following example I have added a banner filter instead of a filter based



1.3 xml/htdocs/doc/en/security/shb-intrusion.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml?r1=1.2&r2=1.3

Index: shb-intrusion.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-intrusion.xml 23 Nov 2005 18:02:07 -0000 1.2
+++ shb-intrusion.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.2 2005/11/23 18:02:07 neysx Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-intrusion.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -196,7 +196,7 @@
</table>

<p>
-Now you can create you own rules based on the above flags by combining them
+Now you can create you own rules based on the above flags by combining them
like this:
</p>

@@ -232,11 +232,11 @@
</p>

<pre caption="/etc/aide/aide.conf">
-@@ifndef TOPDIR
+@@ifndef TOPDIR
@@define TOPDIR /
@@endif

-@@ifndef AIDEDIR
+@@ifndef AIDEDIR
@@define AIDEDIR /etc/aide
@@endif

@@ -278,7 +278,7 @@
when checking for file integrity. But when updating or creating a new file it
stores the information in <path>/etc/aide/aide.db.new</path>. This is done so it
won't automatically overwrite the old db file. The option
-<c>report_URL</c> is not yet implemented, but the author's intention was that
+<c>report_URL</c> is not yet implemented, but the author's intention was that
it should be able to e-mail or maybe even execute scripts.
</p>

@@ -456,7 +456,7 @@

<p>
The best way to use <c>chkrootkit</c> to detect an intrusion is to run it
-routinely from <c>cron</c>. To start, emerge <path>app-admin/chkrootkit</path>.
+routinely from <c>cron</c>. To start, emerge <path>app-admin/chkrootkit</path>.
<c>chkrootkit</c> can be run from the command line by the command of the same
name, or from <c>cron</c> with an entry such as this:
</p>



1.3 xml/htdocs/doc/en/security/shb-kernel.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml?r1=1.2&r2=1.3

Index: shb-kernel.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-kernel.xml 4 Aug 2006 10:01:50 -0000 1.2
+++ shb-kernel.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml,v 1.2 2006/08/04 10:01:50 rane Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-kernel.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -40,7 +40,7 @@
<p>
To dynamically change kernel parameters and variables on the fly, you need
<c>CONFIG_SYSCTL</c> defined in your kernel. This is on by default in
-a standard 2.4 kernel.
+a standard 2.4 kernel.
</p>

<pre caption="Deactivate IP forwarding">
@@ -215,7 +215,7 @@
</ul>

<p>
-And there are probably a lot more.
+And there are probably a lot more.
</p>

</body>



1.5 xml/htdocs/doc/en/security/shb-limits.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-limits.xml?rev=1.5&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-limits.xml?rev=1.5&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-limits.xml?r1=1.4&r2=1.5

Index: shb-limits.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-limits.xml,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- shb-limits.xml 26 Feb 2006 12:37:22 -0000 1.4
+++ shb-limits.xml 18 Sep 2006 09:22:48 -0000 1.5
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-limits.xml,v 1.4 2006/02/26 12:37:22 nightmorph Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-limits.xml,v 1.5 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -41,7 +41,7 @@
</p>

<note>
-<path>/etc/security/limits.conf</path> is part of the PAM package and will
+<path>/etc/security/limits.conf</path> is part of the PAM package and will
only apply to packages that use PAM.
</note>

@@ -52,7 +52,7 @@
<body>

<p>
-<path>/etc/limits</path> is very similar to the limit file
+<path>/etc/limits</path> is very similar to the limit file
<path>/etc/security/limits.conf</path>. The only difference is the format and
that it only works on users or wild cards (not groups). Let's have a look at a
sample configuration:
@@ -97,7 +97,7 @@

<p>
Start by installing quotas with <c>emerge quota</c>. Then modify your
-<path>/etc/fstab</path> and add <c>usrquota</c> and <c>grpquota</c> to the
+<path>/etc/fstab</path> and add <c>usrquota</c> and <c>grpquota</c> to the
partitions that you want to restrict disk usage on, like in the example below.
</p>

@@ -153,8 +153,8 @@
</p>

<pre caption="Setting up quota's for user kn">
-Quotas for user kn:
-/dev/sda4: blocks in use: 2594, limits (soft = 5000, hard = 6500)
+Quotas for user kn:
+/dev/sda4: blocks in use: 2594, limits (soft = 5000, hard = 6500)
inodes in use: 356, limits (soft = 1000, hard = 1500)
</pre>

@@ -168,7 +168,7 @@
<section>
<title>/etc/login.defs</title>
<body>
-
+
<p>
If your security policy states that users should change their password
every other week, change the value <c>PASS_MAX_DAYS</c> to 14
@@ -203,19 +203,19 @@
</pre>

<impo>
-Be careful when configuring these options, since mistakes will leave you
+Be careful when configuring these options, since mistakes will leave you
with no access to the machine if you do not have root access.
</impo>

<note>
-These settings do not apply to SSH, since SSH does not execute
-<c>/bin/login</c> per default. This can be enabled by setting <c>UseLogin
-yes</c> in <path>/etc/ssh/sshd_config</path>.
+These settings do not apply to SSH, since SSH does not execute
+<c>/bin/login</c> per default. This can be enabled by setting <c>UseLogin
+yes</c> in <path>/etc/ssh/sshd_config</path>.
</note>

<p>
-This will setup login access so members of the wheel group can login locally
-or from the gentoo.org domain. Maybe too paranoid, but better to be safe than
+This will setup login access so members of the wheel group can login locally
+or from the gentoo.org domain. Maybe too paranoid, but better to be safe than
sorry.
</p>

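Review bot: the note that recommends `UseLogin yes` so the login.defs restrictions reach SSH sessions should state the trade-off: with UseLogin, sshd hands the session to /bin/login instead of managing it itself, which among other things disables sshd's X11 forwarding for that session, and sshd already has AllowUsers/AllowGroups and its PAM stack for the same "who may log in from where" policy without that detour. Wording in the same hunk: "per default" should be "by default" and "This will setup login access" should be "This will set up login access".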
611 |
|
612 |
|
613 |
|
614 |
1.4 xml/htdocs/doc/en/security/shb-logging.xml |
615 |
|
616 |
file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-logging.xml?rev=1.4&view=markup |
617 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-logging.xml?rev=1.4&content-type=text/plain |
618 |
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-logging.xml?r1=1.3&r2=1.4 |
619 |
|
620 |
Index: shb-logging.xml |
621 |
=================================================================== |
622 |
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-logging.xml,v |
623 |
retrieving revision 1.3 |
624 |
retrieving revision 1.4 |
625 |
diff -u -r1.3 -r1.4 |
626 |
--- shb-logging.xml 25 Nov 2005 13:54:03 -0000 1.3 |
627 |
+++ shb-logging.xml 18 Sep 2006 09:22:48 -0000 1.4 |
628 |
@@ -1,5 +1,5 @@ |
629 |
<?xml version='1.0' encoding='UTF-8'?> |
630 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-logging.xml,v 1.3 2005/11/25 13:54:03 neysx Exp $ --> |
631 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-logging.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ --> |
632 |
<!DOCTYPE sections SYSTEM "/dtd/book.dtd"> |
633 |
|
634 |
<!-- The content of this document is licensed under the CC-BY-SA license --> |
@@ -31,17 +31,17 @@
<body>

<p>
-Syslogd is the most common logger for Linux and Unix in general.
-It has some log rotation facilities, but using
+Syslogd is the most common logger for Linux and Unix in general.
+It has some log rotation facilities, but using
<path>/usr/sbin/logrotate</path> in a cron job (logrotate is configured in
<path>/etc/logrotate.conf</path>) might prove to be more powerful as
-<c>logrotate</c> has many features. How often
+<c>logrotate</c> has many features. How often
log rotation should be done depends on the system load.
</p>

<p>
-Below is the standard <path>syslog.conf</path> with some added features. We
-have uncommented the <c>cron</c> and <c>tty</c> lines and added a remote
+Below is the standard <path>syslog.conf</path> with some added features. We
+have uncommented the <c>cron</c> and <c>tty</c> lines and added a remote
logging server. To further enhance security you could add logging to two places.
</p>

@@ -113,7 +113,7 @@

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
-#
+#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
@@ -147,7 +147,7 @@
facility (like syslogd), and comes with regular expression matching with which
you can launch external scripts when specific patterns are found. It is very good
at taking action when needed.
-</p>
+</p>

<p>
The standard configuration is usually enough. If you want to be notified by
@@ -170,18 +170,18 @@
<pre caption="/usr/local/sbin/mail_pwd_failures.sh for qmail">
#!/bin/sh
echo "To: root
-Subject:Failure (Warning: $2)
+Subject:Failure (Warning: $2)
$3
" | /var/qmail/bin/qmail-inject -f root
</pre>

<p>
-Remember to make the script executable by issuing <c>/bin/chmod +x
+Remember to make the script executable by issuing <c>/bin/chmod +x
/usr/local/sbin/mail_pwd_failures.sh</c>
</p>

<p>
-Then uncomment the command line under "Password failures" in
+Then uncomment the command line under "Password failures" in
<path>/etc/metalog/metalog.conf</path> like:
</p>
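Review bot: Logic problem in the mail script at `+Subject:Failure (Warning: $2)`: the message piped into `qmail-inject` has no empty line between the `Subject:` header and the `$3` line that follows, so the header block is never terminated before the log text begins, and whether the metalog message in `$3` ends up as the body or is read as a header field depends on how `qmail-inject` parses that line. Suggest an empty line before `$3` (and a space after `Subject:` while touching it). The hunk only strips trailing whitespace, so this is a follow-up.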

@@ -248,7 +248,7 @@
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
-filter f_messages { level(info..warn)
+filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };

1.3 xml/htdocs/doc/en/security/shb-mounting.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml?r1=1.2&r2=1.3

Index: shb-mounting.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-mounting.xml 1 Jun 2005 17:42:46 -0000 1.2
+++ shb-mounting.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.2 2005/06/01 17:42:46 neysx Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-mounting.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -22,7 +22,7 @@

<ul>
<li>
- <c>nosuid</c> - Will ignore the SUID bit and make it just like an ordinary
+ <c>nosuid</c> - Will ignore the SUID bit and make it just like an ordinary
file
</li>
<li>
@@ -63,14 +63,14 @@
<note>
I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even if files
normally are never executed from this mount point. The reason for this is that
-qmail is installed in <path>/var/qmail</path> and must be allowed to execute
-and access one SUID file. I setup <path>/usr</path> in read-only mode since I
-never write anything there unless I want to update Gentoo. Then I remount the
+qmail is installed in <path>/var/qmail</path> and must be allowed to execute
+and access one SUID file. I setup <path>/usr</path> in read-only mode since I
+never write anything there unless I want to update Gentoo. Then I remount the
file system in read-write mode, update and remount again.
</note>

<note>
-Even if you do not use qmail, Gentoo still needs the executable bit set on
+Even if you do not use qmail, Gentoo still needs the executable bit set on
<path>/var/tmp</path> since ebuilds are made here. But an alternative path can
be setup if you insist on having <path>/var</path> mounted in <c>noexec</c>
mode.

1.4 xml/htdocs/doc/en/security/shb-pam.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pam.xml?rev=1.4&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pam.xml?rev=1.4&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pam.xml?r1=1.3&r2=1.4

Index: shb-pam.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pam.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- shb-pam.xml 4 Aug 2006 10:20:13 -0000 1.3
+++ shb-pam.xml 18 Sep 2006 09:22:48 -0000 1.4
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pam.xml,v 1.3 2006/08/04 10:20:13 rane Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pam.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -43,7 +43,7 @@
</p>

<pre caption="/etc/pam.d/sshd">
-auth required pam_unix.so nullok
+auth required pam_unix.so nullok
auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
</pre>
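Review bot: Security caveat on `+auth required pam_unix.so nullok`: the `nullok` argument lets accounts with an empty password pass `pam_unix` authentication, which is a questionable thing to ship in the sshd stack of a hardening guide. Suggest dropping `nullok` from the sample or documenting why it is kept. The hunk is whitespace-only, so this is a follow-up.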
@@ -65,13 +65,13 @@
</p>

<pre caption="/etc/pam.d/other">
-auth required pam_deny.so
-auth required pam_warn.so
-account required pam_deny.so
-account required pam_warn.so
-password required pam_deny.so
-password required pam_warn.so
-session required pam_deny.so
+auth required pam_deny.so
+auth required pam_warn.so
+account required pam_deny.so
+account required pam_warn.so
+password required pam_deny.so
+password required pam_warn.so
+session required pam_deny.so
session required pam_warn.so
</pre>
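Review bot: Missing documentation on the `/etc/pam.d/other` block: the `pam_warn.so` line after each `pam_deny.so` only gets to log because the control flag is `required`, which records the failure and lets the rest of the stack run; with `requisite` the stack would return at `pam_deny.so` and nothing would be logged. A one-line note in the surrounding text would keep readers from "tightening" `required` to `requisite` and silently losing the log entry.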

1.4 xml/htdocs/doc/en/security/shb-perms.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?rev=1.4&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?rev=1.4&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?r1=1.3&r2=1.4

Index: shb-perms.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- shb-perms.xml 16 Sep 2006 20:52:02 -0000 1.3
+++ shb-perms.xml 18 Sep 2006 09:22:48 -0000 1.4
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v 1.3 2006/09/16 20:52:02 neysx Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -117,33 +117,33 @@
<body>

<p>
-A file is only considered deleted when there are no more links pointing to it.
-This might sound like a strange concept, but consider that a filename like
-<path>/usr/bin/perl</path> is actually a link to the inode where the data is
+A file is only considered deleted when there are no more links pointing to it.
+This might sound like a strange concept, but consider that a filename like
+<path>/usr/bin/perl</path> is actually a link to the inode where the data is
stored. Any number of links can point to the file, and until all of them are
gone, the file still exists.
</p>

<p>
If your users have access to a partition that isn't mounted with <c>nosuid</c>
-or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, or
-<path>/var/tmp</path> are not separate partitions) you should take care to
-ensure your users don't create hard links to SUID or SGID binaries, so that
+or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, or
+<path>/var/tmp</path> are not separate partitions) you should take care to
+ensure your users don't create hard links to SUID or SGID binaries, so that
after Portage updates they still have access to the old versions.
</p>

<warn>
-if you have received a warning from portage about remaining hard links, and your
-users can write to a partition that allows executing SUID/SGID files, you
-should read this section carefully. One of your users may be attempting to
-circumvent your update by keeping an outdated version of a program. If your
+if you have received a warning from portage about remaining hard links, and your
+users can write to a partition that allows executing SUID/SGID files, you
+should read this section carefully. One of your users may be attempting to
+circumvent your update by keeping an outdated version of a program. If your
users cannot create their own SUID files, or can only execute programs using
-the dynamic loader (partitions mounted <c>noexec</c>), you do not have to
+the dynamic loader (partitions mounted <c>noexec</c>), you do not have to
worry.
</warn>

<note>
-Users do not need read access to a file to create a link to it, they only need
+Users do not need read access to a file to create a link to it, they only need
read permission to the directory that contains it.
</note>
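Review bot: Two points in the `<warn>` and `<note>` text. `+if you have received a warning from portage about remaining hard links` starts a sentence in lower case and spells `portage` differently from `Portage` a few lines up. More importantly, `+Users do not need read access to a file to create a link to it, they only need` / `read permission to the directory that contains it.` does not describe hard links on Linux accurately: `link(2)` needs search (execute) permission on the directories in the path to the existing file and write permission on the directory where the new link is created, not read permission on the directory holding the file. Suggest rewording the note to say that. The hunk only strips whitespace, so both are follow-ups.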

@@ -152,7 +152,7 @@
</p>

<pre caption="Stat command">
-$ stat /bin/su
+$ stat /bin/su
File: `/bin/su'
Size: 29350 Blocks: 64 IO Block: 131072 regular file
Device: 900h/2304d Inode: 2057419 Links: 1

1.3 xml/htdocs/doc/en/security/shb-pre.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pre.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pre.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-pre.xml?r1=1.2&r2=1.3

Index: shb-pre.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pre.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-pre.xml 1 Jun 2005 17:42:46 -0000 1.2
+++ shb-pre.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pre.xml,v 1.2 2005/06/01 17:42:46 neysx Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-pre.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -62,7 +62,7 @@

<ul>
<li>
- Any directory tree a user should be able to write to (e.g. <path>/home</path>,
+ Any directory tree a user should be able to write to (e.g. <path>/home</path>,
<path>/tmp</path>) should be on a separate partition and use disk quotas. This
reduces the risk of a user filling up your whole filesystem. Portage
uses <path>/var/tmp</path> to compile files, so that partition should be large.
@@ -143,7 +143,7 @@
<p>
There are several reasons to draft a security policy for your system(s) and
network.
-</p>
+</p>

<ul>
<li>

1.4 xml/htdocs/doc/en/security/shb-services.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.4&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?rev=1.4&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-services.xml?r1=1.3&r2=1.4

Index: shb-services.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- shb-services.xml 11 Mar 2006 16:44:44 -0000 1.3
+++ shb-services.xml 18 Sep 2006 09:22:48 -0000 1.4
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.3 2006/03/11 16:44:44 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-services.xml,v 1.4 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -35,8 +35,8 @@
#Make it listen on your ip
Listen 127.0.0.1
BindAddress 127.0.0.1
-#It is not a good idea to use nobody or nogroup -
-#for every service not running as root
+#It is not a good idea to use nobody or nogroup -
+#for every service not running as root
#(just add the user apache with group apache)
User apache
Group apache
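Review bot: Documentation point on the Apache sample: `Listen 127.0.0.1` and `BindAddress 127.0.0.1` are given together, but `BindAddress` is an Apache 1.3 directive that Apache 2.x rejects (`Listen` alone does the job there). Suggest stating which Apache version the sample targets, or dropping the `BindAddress` line so the config loads on both.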
@@ -46,7 +46,7 @@
</pre>

<p>
-Apache is compiled with <c>--enable-shared=max</c> and
+Apache is compiled with <c>--enable-shared=max</c> and
<c>--enable-module=all</c>. This will by default enable all modules, so you
should comment out all modules in the <c>LoadModule</c> section
(<c>LoadModule</c> and <c>AddModule</c>) that you do not use. Restart the
@@ -72,13 +72,13 @@
</p>

<p>
-The newer BIND ebuilds support chrooting out of the box. After emerging
+The newer BIND ebuilds support chrooting out of the box. After emerging
<c>bind</c> follow these simple instructions:
</p>

<pre caption="Chrooting BIND">
ebuild /var/db/pkg/net-dns/bind-9.2.2-r2/bind-9.2.2-r2.ebuild config\`"
-<comment>(Before running the above command you might want to change the chroot
+<comment>(Before running the above command you might want to change the chroot
directory in /etc/conf.d/named. Otherwise /chroot/dns will be used.)</comment>
<comment>(You might need to substitute the version number with the current version number )</comment>
</pre>
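Review bot: Typo in the `Chrooting BIND` sample: the context line `ebuild /var/db/pkg/net-dns/bind-9.2.2-r2/bind-9.2.2-r2.ebuild config\`"` ends in a stray `\`"`, which will not run as typed; the command should end at `config`. The two `<comment>` lines already cover the version number, so that is the only fix needed in this block.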
@@ -118,7 +118,7 @@
<body>

<p>
-If you only need local applications to access the <c>mysql</c> database,
+If you only need local applications to access the <c>mysql</c> database,
uncomment the following line in <path>/etc/mysql/my.cnf</path>.
</p>

@@ -227,7 +227,7 @@
<p>
Use virtual users (never system accounts) by enabling the <c>AUTH</c> option.
Set this to <c>-lpuredb:/etc/pureftpd.pdb</c> and create your users by using
-<c>/usr/bin/pure-pw</c>.
+<c>/usr/bin/pure-pw</c>.
</p>

<pre caption="/etc/conf.d/pure-ftpd">
@@ -261,7 +261,7 @@

<p>
Vsftpd (short for very secure ftp) is a small ftp daemon running a reasonably
-default configuration. It is simple and does not have as many features as
+default configuration. It is simple and does not have as many features as
pureftp and proftp.
</p>
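Review bot: Style point on `+default configuration. It is simple and does not have as many features as`: the sentence "a small ftp daemon running a reasonably default configuration" reads as if a word is missing after "reasonably". The whitespace-only change keeps the wording as it was, so the author should confirm the intended phrase in a follow-up.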

@@ -327,7 +327,7 @@
#allow traffic from 10.0.0.*
hosts allow = 10.0.0.

- #Enables user authentication
+ #Enables user authentication
#(don't use the share mode)
security = user

@@ -366,7 +366,7 @@
<p>
The only securing that OpenSSH needs is turning on a stronger authentication
based on public key encryption. Too many sites (like
-<uri>http://www.sourceforge.net</uri>, <uri>http://www.php.net</uri> and
+<uri>http://www.sourceforge.net</uri>, <uri>http://www.php.net</uri> and
<uri>http://www.apache.org</uri>) have suffered unauthorized intrusion
due to password leaks or bad passwords.
</p>
@@ -391,11 +391,11 @@
AllowGroups wheel admin

#In those groups only allow the following users
-#The @<domainname> is optional but replaces the
+#The @<domainname> is optional but replaces the
#older AllowHosts directive
AllowUsers kn@g.o bs@g.o

-#Logging
+#Logging
SyslogFacility AUTH
LogLevel INFO
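Review bot: Logic problem in the sample line `AllowUsers kn@g.o bs@g.o`: sshd matches the part after `@` against the connecting client's host name or address, so the `g.o` shorthand for gentoo.org, fine in prose, matches nothing when copied into `sshd_config` as is. Suggest a literal host pattern such as `*.gentoo.org` and a remark that host matching depends on resolving the client's address, so that the `+#The @<domainname> is optional but replaces the` comment describes something that actually works.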

@@ -433,8 +433,8 @@
</pre>

<p>
-This will add two files in your <path>~/.ssh/</path> directory called
-<path>id_dsa</path> and <path>id_dsa.pub</path>. The file called
+This will add two files in your <path>~/.ssh/</path> directory called
+<path>id_dsa</path> and <path>id_dsa.pub</path>. The file called
<path>id_dsa</path> is your private key and should be kept from other people
than yourself. The other file <path>id_dsa.pub</path> is to be distributed to
every server that you have access to. Add the key to the users home directory
@@ -444,7 +444,7 @@
<pre caption="Adding the id_dsa.pub file to the authorized_keys file">
$ <i>scp id_dsa.pub other-host:/var/tmp/currenthostname.pub</i>
$ <i>ssh other-host</i>
-password:
+password:
$ <i>cat /var/tmp/currenthostname.pub >> ~/.ssh/authorized_keys</i>
</pre>
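Review bot: Security point on `$ <i>scp id_dsa.pub other-host:/var/tmp/currenthostname.pub</i>`: the public key is staged in `/var/tmp`, which this same guide treats as a user-writable area, and only appended to `~/.ssh/authorized_keys` two commands later. Another local user on `other-host` could swap the file in that window and have their own key appended instead. Suggest copying into the user's own home directory (for example `other-host:~/currenthostname.pub`) and appending from there.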

@@ -466,10 +466,10 @@
<body>

<p>
-xinetd is a replacement for <c>inetd</c> (which Gentoo does not have),
+xinetd is a replacement for <c>inetd</c> (which Gentoo does not have),
the Internet services daemon. It supports access control based on the address of
-the remote host and the time of access. It also provide extensive logging
-capabilities, including server start time, remote host address, remote user
+the remote host and the time of access. It also provide extensive logging
+capabilities, including server start time, remote host address, remote user
name, server run time, and actions requested.
</p>
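Review bot: Grammar in `+the remote host and the time of access. It also provide extensive logging`: "provide" should be "provides". The hunk only removes trailing whitespace, so this is a follow-up wording fix.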

@@ -506,10 +506,10 @@
# bind the interfaces to only 1 ip
# allow access from 10.0.0.*
# limit the time developers can use cvs from 8am to 5pm
-# use tpcd wrappers (access control controlled in
+# use tpcd wrappers (access control controlled in
# <i>/etc/hosts.allow</i> and <i>/etc/hosts.deny</i>)
# max_load on the machine set to 1.0
-# The disable flag is per default set to no but I like having
+# The disable flag is per default set to no but I like having
# it in case of it should be disabled
service cvspserver
{
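Review bot: Typo carried through in `+# use tpcd wrappers (access control controlled in`: `tpcd` should be `tcpd`, the TCP wrappers daemon that the `/etc/hosts.allow` and `/etc/hosts.deny` files on the next line belong to, and "access control controlled" repeats itself ("access control configured in" reads better). `+# The disable flag is per default set to no but I like having` / `# it in case of it should be disabled` would also read better as "in case it should be disabled". Whitespace-only hunk, so all of this is a follow-up.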
@@ -547,28 +547,28 @@
</p>

<impo>
-If you do not need this service disable it!
+If you do not need this service disable it!
</impo>

<p>
-But if you depend on using your workstation as a Xserver use the
-<c>/usr/X11R6/bin/xhost</c> command with caution. This command allows clients
-from other hosts to connect and use your display. This can become handy if you
-need an X application from a different machine and the only way is through the
+But if you depend on using your workstation as a Xserver use the
+<c>/usr/X11R6/bin/xhost</c> command with caution. This command allows clients
+from other hosts to connect and use your display. This can become handy if you
+need an X application from a different machine and the only way is through the
network, but it can also be exploited by an attacker. The syntax of this
command is <c>/usr/X11R6/bin/xhost +hostname</c>
</p>

<warn>
-Do not ever use the <c>xhost +</c> feature! This will allow any client to
-connect and take control of your X. If an attacker can get access to your X,
-he can log your keystrokes and take control over your desktop. If you have to
+Do not ever use the <c>xhost +</c> feature! This will allow any client to
+connect and take control of your X. If an attacker can get access to your X,
+he can log your keystrokes and take control over your desktop. If you have to
use it always remember to specify a host.
</warn>

<p>
-A more secure solution is to disable this feature completely by starting X with
-<c>startx -- -nolisten tcp</c> or disable it permanently in the configuration.
+A more secure solution is to disable this feature completely by starting X with
+<c>startx -- -nolisten tcp</c> or disable it permanently in the configuration.
</p>

<pre caption="/usr/X11R6/bin/startx">
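Review bot: Grammar in `+But if you depend on using your workstation as a Xserver use the`: "an X server". The sentence `command is <c>/usr/X11R6/bin/xhost +hostname</c>` also lacks a full stop. Since the `<warn>` that follows is about `xhost +`, a short remark that `xhost +hostname` is host-based, so every user on that host gains access to the display, would help readers judge when even the named-host form is acceptable. Whitespace-only hunk, so follow-up material.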
@@ -603,7 +603,7 @@
</p>

<pre caption="/etc/X11/xdm/Xservers">
-:0 local /usr/bin/X11/X -nolisten tcp
+:0 local /usr/bin/X11/X -nolisten tcp
</pre>

</body>

1.3 xml/htdocs/doc/en/security/shb-tight.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-tight.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-tight.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-tight.xml?r1=1.2&r2=1.3

Index: shb-tight.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-tight.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-tight.xml 4 Mar 2006 05:58:44 -0000 1.2
+++ shb-tight.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-tight.xml,v 1.2 2006/03/04 05:58:44 fox2mike Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-tight.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -66,7 +66,7 @@
grub> <i>md5crypt</i>

Password: <i>********</i>
-<comment>(Typed changeme at the prompt)</comment>
+<comment>(Typed changeme at the prompt)</comment>
Encrypted: $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.

grub> <i>quit</i>
@@ -77,7 +77,7 @@
</p>

<pre caption="/boot/grub/grub.conf">
-timeout 5
+timeout 5
password --md5 $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.
</pre>
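Review bot: Documentation point on `password --md5 $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.`: this is the hash the previous hunk shows `md5crypt` producing for the example password `changeme`. A `<comment>` on that line telling readers to paste their own `md5crypt` output, not the sample, would stop the example hash (and thus the example password) ending up in real `grub.conf` files.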

@@ -104,8 +104,8 @@
</p>

<pre caption="/etc/lilo.conf">
-password=changeme
-restricted
+password=changeme
+restricted
delay=3
</pre>
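Review bot: Security caveat on `+password=changeme`: LILO stores this password in clear text in `/etc/lilo.conf`, so the sample needs a reminder that the file must be readable by root only (`chmod 600 /etc/lilo.conf`); lilo itself warns when a password is set and the file is readable by others. A whitespace-only hunk, so a follow-up.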

@@ -114,9 +114,9 @@
</p>

<pre caption="/etc/lilo.conf">
-image=/boot/bzImage
- read-only
- password=changeme
+image=/boot/bzImage
+ read-only
+ password=changeme
restricted
</pre>

1.3 xml/htdocs/doc/en/security/shb-uptodate.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml?rev=1.3&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml?rev=1.3&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml?r1=1.2&r2=1.3

Index: shb-uptodate.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- shb-uptodate.xml 13 Oct 2005 15:34:30 -0000 1.2
+++ shb-uptodate.xml 18 Sep 2006 09:22:48 -0000 1.3
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='UTF-8'?>
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml,v 1.2 2005/10/13 15:34:30 neysx Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-uptodate.xml,v 1.3 2006/09/18 09:22:48 neysx Exp $ -->
<!DOCTYPE sections SYSTEM "/dtd/book.dtd">

<!-- The content of this document is licensed under the CC-BY-SA license -->
@@ -108,7 +108,7 @@
</p>

<p>
-If you want an email each time a GLSA is released subscribe to the
+If you want an email each time a GLSA is released subscribe to the
<c>gentoo-announce</c> mailing list. Instructions for joining it and many other
great mailing lists can be found <uri link="/main/en/lists.xml">Gentoo Linux
Mailing List Overview</uri>.
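Review bot: Grammar in the context lines `great mailing lists can be found <uri link="/main/en/lists.xml">Gentoo Linux` / `Mailing List Overview</uri>.`: "in the" is missing before the link ("can be found in the Gentoo Linux Mailing List Overview"). Not part of this whitespace-only change, so a follow-up.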

--
gentoo-doc-cvs@g.o mailing list