Free Essay

Secure Vpn

In: Business and Management

Submitted By nvphuc
Words 5898
Pages 24
Installation Guidelines
GRUB/LILO
GRUB is the boot loader of choice for RedHat installations; however LILO may always be used in the case of most flavors of LINUX. GRUB/LILO can receive many different kernel level commands and it poses a major security risk if an attacker is able to compromise the kernel. In response you can make sure that only authorized users are able to perform those commands by password protecting during the installation process. If using GRUB, the password is by default stored as clear text, and so you will want modify the /etc/grub.conf file to store the password in an MD5 checksum. $ /sbin/grub–md5–crypt Password: (at the prompt enter the GRUB password you created at installation and press enter) $ #%t%661GFGftffgctTFTDd (This is the MD5 hash) edit the grub.conf file and replace the clear text password with the MD5 Hash. You must use the –MD5 option or the password will be stored as the MD5 Hash and not the encrypted password. Password – md5 $1$m0tLR/ $#%t%661GFGftffgctTFTDd

Partitioning
Partitioning correctly will help to mitigate against one specific type of denial of service. For example and attack designed to fill up a /tmp or spool directory. If your files are on the same partition as the directory under attack, your system could be rendered unusable. One should use a partition strategy where those directories that are most likely to be filled by an attacker. Typically this is /var and /home . If you are using a server for ftp or e–mail, you may want to consider separate partitions for the application specific files. /boot contains all files for boot process /home contains individual user home directories /usr contains files shared across a system by multiple users /var contains files that are dynamic by nature. ( log files, spool files, scheduler / /tmp swap

contains files Contains contains for system temp paging files management files for memory when no management other partition is available

files etc.)

Recommended System Schemes Configurations
Workstation Swap = 2 x physical memory /boot = 50 MB / = depends on disk space Server Swap = 2 x physical memory /boot = 50 MB / = 384 MB /var = 256 MB /usr = depends on disk space /home = depends on disk space Firewall Configuration on Installation No Firewall – Allows complete access to your system with no security check at all. Medium – restrictions are automatically on certain services • • • • Ports lower than 1023 NFS Server port 2049 Local X Windows display for remote clients X font server port Laptop Swap = 2 x physical memory /boot = 50 MB / = depends on disk space Custom Swap = 2 x physical memory /boot = 50 MB / = depends on disk space

High – Most restrictive and denies all access except DNS, DHCP and anything else explicitly allowed. If possible install IPTables; it is an improvement over the default installation. It can be found at http://www.iptables.org In RedHat 8 and above it is the default firewall daemon. Account Authentication Configuration Make sure that the root password is secure and that you maintain a MD5 checksum of all the passwords in a separate file. Make sure that the password file itself is shadowed; this should be default on RedHat installations.

Package Installation:
Install only what you think you will need. You can always install new packages in the futures. Network Security Network Parameter Modification (RedHat only) Edit /etc/sysctl.conf with the following changes Net.ipv4.ip_forward = 0 (this disables ip forwarding, it should only be enabled if you plan to use the machine as a router/gateway) Net.ipv4.conf.all.accept_source_route = 0 (disables ip source routing) Net.ipv4.tcp_max_syn_backlog = 4096 (enables syn flood protection) Net.ipv4.conf.all.rpP_filter = 1 (enables ip spoofing protection) Net.ipv4.tcp_syncookies = 1 (enables tcp syn flood protection) Net.ipv4.conf.all.send_redirects = 0 (disables the ability to send ICMP Redirects) Net.ipv4.conf.all.accept_redirects = 0 (disables ICMP Redirect acceptance) Net.ipv4.conf.default.accept_redirects = 0 also disables ICMP redirect acceptance) Save the changes and run the following commands as root # chown root:root /etc/sysctl.conf # chmod 0600 /etc/sysctl.conf # /etc/rc.d/init.d/network restart

Disallow Remote Root Login
There should never be a need for root to login remotely. Any access required by root for system maintenance should be performed on the local system console or via SSH. Edit /etc/securetty to reflect the following changes: tty1 tty2 tty3 tty4

tty5 tty6 Save the changes and run the following commands; # chown root:root /etc/securetty # chmod 400 /etc/securetty Disable CTRL–ALT–Delete For those machines with poor or non–existent physical security it is recommended to disable the almighty CTRL–ALT–Delete. Edit /etc/inittab and comment out the following line: #ca::ctrlaltdel: /sbin/shutdown –t3 –r now Save and restart the service # /sbin/init q

Warning Banners:
Although it is not clear legally, often time’s administrators will present a warning banner to assist in prosecution. Also by changing the login banners there is the additional benefit of hiding the OS version and detailed system information. Edit the following files /etc/motd – Displays message of the day for a user with successful login /etc/issue – Displayed to any user that is logging into the system locally /etc/issue.net – Displayed to users logging in remotely via SSH, Telnet, or FTP In earlier versions, before RedHat 7.3 commands in /etc/rc.d/rc.local would overwrite the issue and motd files. These commands have been removed since version 7.3.

Password Protecting Single–user–Mode
Single User Mode allows for local system maintenance and allows a user to move directly into Run Level 1 as root. Edit /etc/inittab to reflect the following changes id:3:initdefault:

~~:S:wait:/sbin/sulogin Save the changes and restart the service # /sbin/init q

User Account & Password Security:

Quick Tips:
• • • • Allow users to use root utilities as .sudo only b/c it is logged by the system Shadow the password files in /etc/shadow . Run “Crack” or “John the Ripper” to check for password integrity. Familiarity should be found with programs to manage users and groups (man 8 pwunconv) Install a boot loader password during installation

Password Aging
By default a user account is required to change its password every 9999 days and no minimum limit is set on how long a password must be kept before changing it. The following command will set limits for all existing users whose ID is greater than 500 (default for normal user accounts). # awk – F: ‘$3 >= 500 { system (“chage –M 180 –m 2 “ $1) } ‘ /etc/passwd Change the following lines in the /etc/login.defs so newly created users accounts will inherit these values PASS_MAX_DAYS 99999 –> PASS_MAX_DAYS 180 PASS_MIN_DAYS 0 –> PASS_MIN_DAYS 2 Purge any unnecessary user accounts that may have been created during the installation process First make a backup copy # for file in /etc/{passwd, shadow, group} ; do /bin/cp –p $file $file.orig ; done Remove unnecessary user accounts # for user in uucp operator games gopher ; do /usr/sbin/userdel $user ; done

Remove unnecessary groups done # for user in dip operator gopher games uucp ; do /usr/sbin/groupdel $group ;

When deleting groups and users you should verify that no mistakes have been made that will prevent someone from logging in. # /user/sbin/pwck # /usr/sbin/grpck These commands validate that /etc/passwd and /etc/group are properly formatted. Reassign all files originally owned by deleted users to root by using the following commands /usr/sbin/find / –nouser –exec /bin/chown root {} \; /usr/sbin/find / –nogroup –exec /bin/chgrp root {} \;

Locking System Accounts
Some user accounts are only used by a system service or daemon and never require interactive login. Interactive Login should be disabled. # for user in bin daemon adm ftp sync lp mail news nobody ; do /usr/sbin/usermod –L –s /dev/null $user ; done Verify that no account has an empty password #awk –F: ‘($2 == “”) { print $1 } ‘ /etc/shadow If nothing is printed than all is well. Otherwise add a password for the account or delete/lock the user

Tighten the default umask
A user’s umask determines permissions on any new files created by a user. The default user account (where user name is the same as group name) with user id greater than 99 is 002 (i.e. 664 for files and 775 for directories). Root is 022 (644 for files and 755 for directories) The default umask should not result in the creation of world readable files for normal users. Edit the lines in the /etc/bashrc and /etc/csh.cshrc files: umask 022 –> umask 077 (some rpm assume a default umask of 022 and may give warnings during installs) umask 002 –> umask 007

Miscellaneous Account Limits (RedHat only)
Further user account configuration can be made in the limits.conf, time.conf within the /etc/security directory.

System Resources Usage (from Bastille)
To prevent individual users from consuming too many system resources, edit /etc/security/limits.conf so that the core files will not be created, individual files sizes are limited to 100MB, and a user can only have 150 concurrent processes running Add the following lines: • • • hard core 0 hard fsize 102400 nproc 150

Securing and Disabling Services
Identify Services that are configured to start (RedHat only) # /sbin/chkconfig –list | grep –e “\(:. *on\|xinetd based \)’ The services that should be running on a given system are the following: (look at /etc/init.d/servicename to see what the services do) Keytable Syslog Network Random Crond Anacron Iptables Ntpd

Disable and remove services that should not be started
# /etc/init.d/servicename stop # /sbin/chkconfig –level 0123456 servicename off

Remove rpm packages
# /bin/rpm –e packagename

The package owning a given file can be discovered with # rpm –gf /etc/nit.d/servicemane

Configuring Access with TCPwrappers
Access controls to services compiled with TCPWrappers is implemented in /etc/hosts.allow and /etc/hosts.deny . When connection attempts are made, the hosts.allow file is checked. If a line is matched then the connection is allowed. Then it is checked against hosts.deny. If the connection is no defined at all it is allowed by default. Creating the /etc/banners directory with the warning banner can be made as followed # /bin/mkdir – p /etc/banners # /bin/echo “This system is for restricted users” > /etc/banners/prototype # cd /etc/banners ; /usr/bin/make –f /usr/share/doc/tcp_wrappers– 7.6/Banners.Makefile

Deny everything that is not explicitly allowed
# echo ‘ALL: ALL: spawn (/bin/echo –e ‘bin/date’” \n%c attempted connection to %s and was denied”\ | /bin/mail –s “Connection attempt to %s” root) &’ > /etc/hosts.deny Any connection attempt not listed in hosts.allow will be denied, a message will be logged to the syslog auth facility, and an email will be sent to root.

Allow access only to those that require it
Edit hosts.allow and add a line for each service to which access should be allowed. A few examples are shown below ALL: LOCAL : banners /etc/banners # All services from local clients sshd: 10.1.1.0/255.255.254.0 : banners /etc/banners # SSH from host IP addresses

Secure xinetd
Xinetd should be removed from workstations. If present, there should be one file in the /etc/xinetd.d directory for each service. To control access to the service, find the file with the service name and add the following line between { } Only_from = 10.1.1.0/23 # allow connections from host IP addresses between 10.1.1.0 and 10.1.2.0

Disable X Windows (Servers Only)
The following command will configure the system to run level 3 (multi–user mode with no X) instead run level 5 (with X) and save the original /etc/inittab as /etc/inittab.bak # /usr/bin/perl –p –I.bak –e ‘s/id:5:init/id:3:init/’ /etc/inittab

Updates and Patches
Up2Date http;//www.redhat.com/docs/manuals/RHNetwork/ref–guide/ The Red Hat Network Daemon rhnsd (RedHat only) connects to the Red Hat server 120 minutes to check for available package updates. Autorpm (http://www.autorpm.org) an alternative to up2date # /bin/rpm –I autorpm–2.9.3–1.noarch.rpm Registering the system with the Red Hat Network – you will be prompted for a password and username. (RedHat only) # /usr/sbin/rhn_register Verify Set–up by Manually Checking for Updates (RedHat only) # /usr/sbin/up2date –nox –p (updates packages associated with profile on RedHat server) # /usr/sbin/up2date –nox –u (downloads and installs packages for updates) Configure rhnsd to start when the system boots # /sbin/chkconfig rhnsd on # /etc/init.d/rhnsd start Modify the /etc/autorpm.d/redhat–updates.conf file RPM packages that fail the signature check are placed in an interactive queue. To prevent these suspect rpm packages from getting accidentally installed later, the following line should be added after the line PGP_Require (Yes): PGP_Fail_Install (No); Any updates for rpm packages that are on the mirror site, but without an earlier version already installed on the system, it will be added to the interactive queue. To prevent this, underneath the action (new) stanza change the line from

Install (Interactive); to install (No); Verify Set–up by Manually Checking for Updates Running # autorpm auto without arguments and download TermReadlineGnu. Run #autorpm auto again to check for updates. Binaries will be downloaded and installed. When the prompt returns, issue the following command: #autorpm “install all” An entry in the /etc/cron.daily directory is added by default to enable checking for updates.

File System Security
Secure File System Mount Options
Make the following edits to the /etc/fstab file. Mount the /usr partition as read– only. Most of the executable commands on the system are located in the /usr file system. Mounting as read–only is a good way to protect against Trojaned binaries from being installed. LABEL=/usr /usr ext3 or 1 2

The /usr file system will have to be remounted read–write before applying most rpm upgrades (including any scheduled to be applied by update agents like up2date or autorpm) # mount –o remount, rw /usr After installation, the partition can be mounted read–only again with the following # mount –o remount, ro /usr To prevent SUID or device files from being introduced to the system by removable media, add the no suid and nodev options to the lines for all removable media (e.g. floppy, cdrom) /dev/fd0 /dev/cdrom /mnt/floppy mnt/cdrom ext3 ext3 nosuid, nodev nosuid, nodev 1 1 2 2

File systems that contain home directories should also have nosuid and nodev options set LABEL=/home /home ext3 nosuid, nodev 1 2

Restricting Access to Administrative Utilities
Issue the following commands to remove read, write and execute privileges for users that do not own the files from all files in these directories. consoletype’ # /bin/chmod –R o –rwx /usr/sbin ‘ls /sbin* | grep –v

SUID Permissions for Executable Programs
To see a list of all the files with SUID GUID permissions 02000 \) –ls /usr/bin/find /bin /usr/bin –type f \ ( –perm –04000 –o –perm –

Remove the SUID and GUID permissions from files that d not require it by setting permissions on each file to 755 # /bin/chmod 755 /bin/mount /bin/mount /usr/bin/chsh /usr/bin/chage /bin/ping /usr/bin/chfn

Remove compiler packages from workstations and servers not used for development
# /bin/rm –e cpp gcc gcc–c++ gcc–g77

Logging
Syslog
If possible store syslog on remote machine to avoid compromise from an intruder who would have to hack both the system itself and the remote logging server. Reload the syslogd config file # /etc/init.d/syslogd restart Ensure that syslogd runs on Boot # /sbin/chkconfig –level 2345 syslog on

logrotate.d
/etc/logrotate.conf contains the default option for rotation log files The log rotation times can be changed to lengthen the life of the log file. Be warned that logs can get quite large so one must monitor the log size that it does not get out of hand.

Logwatch
Use logwatch to monitor logs and have emails sent to the root user in light of unexpected activities. Simply change the email address in the /etc/log.d/logwatch.conf file.

ntpd
Rather than use the system time clock, you should configure the Network Time Protocol server daemon to synchronize the system clock with three public NTP servers. NTP servers can be located at http://www.eecis.udel.edu/~mills/ntp/servers.html Get permission from the admins of these servers and the edit /etc/ntp.conf and replace the loopback address with for ex. Server 10.0.0.1 Server 10.0.0.2 Server 10.0.0.3 #IP address of public server #IP address of public server #IP address of public server 1 2 3

Ensure that the NTP daemon is reloaded # /etc/init.d/ntpd restart Ensure that ntpd is configured to start automatically on boot. # /sbin/chkconfig –level 2345 ntpd on

Scheduler Security
Restrict cron and at by editing the /etc/cron.allow and /etc/at.allow Root always has access to create cron and at jobs Create cron.allow file with Su #echo root > /etc/cron.allow Make sure that the schedule task to run is permitted for that user.

Web Security
Ensure that only necessary modules are installed in your apache web server Remove Distributed Authoring Version (DAV) module. This enables modifications to files on the web server using a client browser.

Apache Configuration File (the following section pertains to httpd.conf)
/etc/httpd/conf/httpd.conf Comment out unused modules Such as the following: mod_autoindex – provides directory listings and gives away to much info to hackers mod_include – unless you use server–side includes you should disable this mod_info – allows a client to visit a url and get info about the server running mod_status – allows a client to view server status from a url mod_userdir – allows users to serve pages from a directory within their home directory Modification to the default Directory Access Permissions Change the stanza that controls access permissions Original Options FollowSymLinks AllowOverride none Options None AllowOverride None Order allow,deny Deny from all The modified version does not allow for symbolic links to be followed on the file system. Modification to the default Root Access Permissions Original Modified Modified

Options Indexes FollowSymLinks AllowOverride None Order allow, deny Allow from all

Options SymLinksIFOwnerMatch AllowOverride None Order allow,deny Allow from all

The original configuration will show a visitor a directory listing for any documents in the document root without an index.html. This option prevents the server from following any links that may be created by other users to areas outside the document root. If multiple users need access to files beneath the web server document root, the AllowOveride AuthConfig option can e used in place of AuthOverride and a separate .htaccess file can be used to authenticate user access. To help us to remain anonymous as to the server version and configuration, we can change signatures in the httpd.conf file that would normally be attached to web pages when they are served. ServerSignature Off We can also remove strings from the HTTP header that are returned to clients from the client requests. This includes name, version and modules loaded on start–up. ServerTokens Prod The email address of the web server can also be displayed on server generated pages. This should be changed to a fake email address. ServerAdmin foo@localhost

CGI Bin
CGI programs are often a common attack tactic if available; these days many companies disable the use of it all together. Reference to the CGI bin and modules should be commented. Starting with LoadModule cgi_module * * module/mod_cgi.so

File Permissions in the Document Root
Write permissions to any file or directory being served by the web server should be removed or it leaves an open door to defacements. The user and group that

the web server process runs under are defined in the httpd.conf file. You should identify all the directories served by the web server to identify any files for which the owner of the web server process has write permissions. These commands should return nothing. # /usr/bin/find –exec ls – ld {} \; # /usr/bin/find +022 –exec ls – ld {} \; /var/www/html /var/www/html –user apache –perm +202 –group apache –perm

E–mail Security
Sendmail – should be upgraded to the most stable current release, at least 8.12.5 to secure against a theoretical buffer overflow vulnerability.

Disable the sendmail daemon on all workstations
Edit /etc/sysconfig/sendmail with: DAEMON = no QUEUE = 15m Then restart the daemon #/etc/rc.d/init.d/sendmail restart

File and Print Security
SCP and SFTP
The need for remote file–transfer and command–line control sessions is of paramount importance to Unix administration. For many years however, only protocols such as FTP, Telnet and RSH were available. These protocols transmitted not only the data of the session but the authentication information as well in cleartext over the network. The advent of the Secure Shell (ssh) protocol introduced a much–welcomed answer to this problem, providing complete encryption of both command–line and data transfer sessions using strong encryption algorithms. Particularly welcome has been the recent development of OpenSSH, a spinoff of the OpenBSD project, which has helped bring this protocol into wider use with its open–source implementation that compiles on any number of different Unix platforms. The scp and sftp commands do an excellent job of replacing the non–encrypted counterparts, emulating the command–line switches and options so well that in most cases , scp in particular can simply be used as a drop–in replacement for rcp . Configure servers such that using sftp are as secure as possible , including the use of chroot to jail the users file– transfer sessions , by patching the SSH ,source code. Unfortunately, the patch

currently does not work for scp, but chrooted and non–chrooted users can exist side by side. Red Hat , even with the most current patches, does not always offer the latest SSH build, so it will be necessary to get the portable distribution of OpenSSH from the OpenSSH team (http://www.openssh.com) . This manual will not go into the details of how to build an SSH server or chrooting the server. A future manual will delve into the construction any distribution of broad network services.

Securing WuFTPd
WuFTPd is a fairly secure FTP program and is freely available. It should be used in place of clear–text FTP. It ships default with RedHat 7.3 In order to properly secure WuFTPd we need to tweak the FTP configuration file, /etc/ftpaccess. We do this by not allowing system accounts to login over FTP. # allow–uid ftp # allow–gid ftp

Chroot all users by default
Guest user * Because we have already chroot all users by default, we don’t need to explicitly chroot group # guestgroup ftpchroot Set the email address ftpadmin@ftpserver.mydomain.com Permit only two failed logins before termination Loginfails 2 Change the welcome message to something controllable Message /.ftpwelcome.msg Do not allow on the fly compression and tarring Compress Tar no no all all

Prevent certain actions from anonymous or guest users. Explicitly list permissions …. Umask no real, guest, anonymous

Delete Overwrite Rename

yes yes yes

real, guest real, guest real, guest

Log commands and transfers to and from the server
Log Log commands transfers real, guest, anonymous anonymous, real, guest inbound, outbound

Mark certain files as non–retrievable Noretrieve Noretrieve .notar .ftpwelcome.mag

Set a secure path filter to weed out evil files Path–filter *$ ^\. ^– guest, anonymous /etc/pathmag ^[–A –Za –z0–9_\.]

Remove server version from the greeting Greeting terse

Use secure default umasks for everyone
Defumask Defumask Defumask 0377 0177 real 0133 guest

Networking /Remote Administration o Remove all .rhosts utilities use find /home –name .rhosts –print (include rsh/rlogin/rcp) o If using NFS (not recommended) Export all NFS file systems with most restrictive access in /etc/exports (nodev, nosuid, noexec). Be sure to Filter TCP port 111, UDP 111 (portmapper), TCP port 2049, UDP port 2049 (nfsd) on firewall, if using NFS. o Files in /var/log, /var/log/wtmp and /var/run/utmp (contains login records) should have 644 permissions. wtmp logs the login status info of the following Type of Login Process ID of login process

Device name of tty Init ID or abbreviated ttyname User Name Hostname for remote login Exit status of a process Time entry was made IP address of remote host o utmp is consulted for currently logged in users. o Install Cryptographic IP encapsulation to communicate with other hosts

Services o The following services should not be installed or disabled NFS/NIS (any rpc) Or at least use NIS+ over NIS Printer services (lpd) Telnet R* FTP server (use HTTP, scp, SFTP) BIND Mail Transfer Agents (sendmail, exim, postfix, qmail) o Check /etc/rc.d/rc (0–9).d for symbolic links to services that will not be used. Links can be disabled by replacing upper case (S for Start) to a lower case (s). Stop services as root with /etc/init.d/ stop. After disabling (with #) restart inetd /etc/init.d/inetd restart .Get list of running scripts with ls –l /etc/init.d/ |less o Can get a quick list of enables services with grep disable /etc/xinetd.d/* |grep no. Disable xinetd services from dunning by changing listings in xinetd.conf to disable = yes o Comment out unused services in /etc/inetd.conf, rather than removing those services in the case that one might need them at some time. o Disable identd for specific users (.noident file) Can be removed altogether unless using building an IRC server. o Remove /etc/hosts.equiv

File and System Permissions o Use //ls –al to see all file permissions

o Remove all suid/sgid (chmod g+s to activate sgid) on executable and system files from non–root home directories. Favorite technique of hackers to exploit this by placing suid programs to be executed on server. To find all find / –type f \ (–perm –040000 –o –perm –02000 \) o Remove unnecessary setuid and setgid. Can find the ones available by typing o find / –type f –perm +6000 o Configure umask with restrictive access. Typical setting should be 022, 027, and 077 (most restricted). It is set in /etc/profile . Default in RedHat is 022. Root umask should be 077 . Find the value by subtracting desired from 777. o Set file system limits in /etc/pam.d/limits.conf (RH, Deb). Restrict number of processes to 50 and usage per user to 5M o Find all world writable system files and restrict where necessary. Find them with o find / –perm –2 ! –type l –ls Add sticky bit t to file permissions chmod +t to make deletion or modification of the file by the creator only. o Find all un–owned files, which may indicate compromise with find / \ (– nouser –o –nogroup \) –print o System configuration files (etc) should be 640 o Install Cryptographic File Systems (CFS) or Transparent Cryptographic File System (TCFS) for encrypting folder trees where secure users can store files

System Administration/Logging o Allow only tty and vtys terminals for root and trusted users o Secure the /usr/sbin/syslogd from tampering. Look at /etc/syslog.conf to see where logging is going to. Download a syslog encryption daemon to transfer log info to a central and secure location. View /var/log/messages for default logs. o Make use of /etc/shutdown.allow should be used to prevent someone from rebooting the machine. It contains a list of authorized users to reboot the machine. It is consulted when Control–Alt–Del keys o Use xlock and vlock to lock a workstation. o If possible configure the tools to run as chroot, a “chroot jail” for privileged services such as Apache so that an attacker does not attain root privilege on the real O/S o Delete unnecessary binary packages /bin/rpm –e (if RedHat)

X11 o Secure X displays by having users login to the terminal through the MIT– MAGIC–COOKIE–1 A 128 bit cookie as stored in the .Xauthority file. Use xauth for remote users. Or use xdm to login to console and use ssh to go to

Kernel o Download and install secure Linux Kernel from NSA.gov http://www.nsa.gov/selinux/download.html o Process accounting is enabled in most newer builds of the kernel and should be consulted for kernel–level functions.

Quick Tips Auditing/Firewall/Scan Utilities Check List
Should use IPTables, otherwise enable TCPWrappers (tcpd) to restrict access from TCP services. Create a /etc/hosts.allow file and add only those allowed hosts ex All:127. Create /etc/hosts.deny and put All:All . TCPWrappers only protects inetd services. Use netstat –ta to see all services offered.(netstat –tap | grep LISTEN) Record changes with output to a file (netstat –tap | grep LISTEN ~/services.lst) Install Tripwire, for system integrity. Make sure to write down the pass phrases and keep them secret. Use SAINT or NESSUS to port scan your machine to see where it’s vulnerable. Install OpenPGP to transfer for email (or S/MIME), key transfer and secure hard–drive erasing Install SSL S–HTTP for all HTTP requests Shut Off Telnet and put Open SSH in its place. Install IP–Tables/Netfilter as firewall (for advantages of IPTables over IPChains and IPFWAdm go to Run Internet Security Scanner (ISS) an System Security Scanner (S3)

Freeware Utilities o SWATCH – The Simple Watcher is a popular open source log monitoring and alerting utility. Swatch is designed to monitor your log files against a set of configurable signatures. When Swatch detects an event, it can alert the system admin via console, sound response, or an email. Swatch can also be used to filter old log files for activity. o IPTables – The netfilter/iptables project is the Linux 2.4.x / 2.5.x firewalling subsystem. It delivers you the functionality of packet filtering (stateless or stateful), all different kinds of NAT (Network Address Translation) and

packet mangling. Iptables is the replacement for the userspace tool ipchains in the Linux 2.4 kernel and beyond. It is part of the kernelspace netfilter project. Iptables has many more features than ipchains and is also structured more sensibly. o Tripwire – Tripwire software is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more. o John the Ripper – John the Ripper is a freeware password auditing or cracking utility. John the Ripper attempts to brute force the passwords in the passwd and shadow files, making use of dictionaries and its knowledge of common password creation techniques. o Bastille – A Linux hardening application that provides novice and experienced users a way to automate many of the security settings that have been covered in this guide. Bastille provides both a command line and GUI format for users. Bastille walks the user through an interactive questionnaire to determine which setting should be turned on and what the ramifications are for making those changes. o NMAP – Is a freeware reconnaissance utility, typically used as a port mapper utility, sending packets to hosts with various settings to determine which ports are open on a device. NMAP can also be used as an Operating Systems reconnaissance tool since NMAP has the ability to send packets to a host and based on the response to those packets, determine which Operating System the host is running. o NESSUS – A freeware vulnerability assessment tool, Nessus works on a client/server based technology. The server side contains the vulnerability database and the engine that actually performs the vulnerability assessment. The client connects to the server to configure the settings for the vulnerability assessment. Nessus can provide reports in a number of different formats including its native GUI format, HTML, and ASCII.

Useful Links
How To’s and References for this manual: o SANS: Step By Step Series – Securing Linux: A step by step survival guide, David Koconis, Jim Murray, Jos Purvis, Darrin Wassom o Hacking Exposed 3rd Edition – Network Security Secrets and Solutions, Stuart McClure, Joel Scambray, George Kurtz o http://www.linuxsecurity.com/docs/LDP/Security–Quickstart– HOWTO/index.html o http://www.linuxsecurity.com/docs/LDP/Security–HOWTO/

o http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGui de.html o http://www.linuxsecurity.com/docs/PDF/Securing–Optimizing–Linux–RH– Edition–1_3.pdf o http://www.linuxsecurity.com/docs/LDP/Security– HOWTO/ftp://sunsite.unc.edu:/pub/Linux/system/admin/accounts/acct– 1.3.73.tar.gz o http://en.tldp.org/HOWTO/IP–Masquerade–HOWTO/iptables–vs– ipchains–vs–ipfwadm.html o ftp://sunsite.unc.edu:/pub/Linux/system/admin/accounts/acct–1.3.73.tar.gz

Security Resources o SANS – http://www.sans.org o Linux Security – http://www.linuxsecurity.com o Security Focus – http://www.securityfocus.org o Hacking Linux Exposed – http://www.hackinglinuxexposed.com/articles/20021015.html o CERT – http://www.cert.org

Firewall Resources: o http://www.linux–firewall–tools.org o http://www.firestarter.sourceforge.net o http://www.fwbuilder.org o http://www.stearnes.org/mason

Red Hat Resources o Red Hat – http://www.redhat.com o Red Hat Advisories – http://rhn.redhat.com/errata/rh73–errata.html

Third Party Resources o APACHE – http://httpd.apache.org o APACHE MODS – http://httpd.apache.org/docs/mod/ o AUTORPM – http://www.autorpm.org o BASTILLE – http://www.bastille–linux.org o EXIM – http://www.exim.org

o IMAP Connection – http://www.imap.org o IPTABLES – http://www.iptables.org o John the Ripper – http://www.openwall.com/john o Logwatch – http://www.logwatch.org o NESSUS – http://www.nessus.org o NMAP – http://www.nmap.org o NTP – http://www.cis.udel.edu/~ntp o OPENSSH – http://www.openssh.com o OPENPGP – http://www.openpgp.org o PSIONIC TRISENTRY – http://www.psionic.com o POSTFIX – http://www.postfix.org o QMAIL – http://www.qmail.org o QPOPPER – http://www.eudora.cm/qpopper o SAINT – http://www.saintcorporation.com o SAMBA – http://www.samba.org o SENDMAIL – http://www.sendmail.org o SNMP – http://www.snmplink.org o SNORT – http://www.snort.org o SWATCH – http://www.oit.ucsb.edu/~eta/swatch o Time Servers – http://www.eecis.udel.edu/~mills/ntp/servers.html o TRIPWIRE – http://www.tripwire.org o WU–FTP – http://www.wu–ftpd.org o XINETD – http://www.xinetd.org

Black and White Hat Security Resources o AstalaVista – http://www.astalavista.com o Hacktavismo – http://hacktivismo.com/news/modules.php?name=Content&pa=showpage &pid=12/ o Cult of the Dead Cow – http://www.cultdeadcow.com/main.php3 o Phrack – http://www.phrack.org o 2600 magazine – http://www.2600.com o Apcoalypse – http://www.apocalypseonline.com/security/exploits/exploits.asp?exp_categ ory=Slackware

o Security Tool review – http:///www.securitytoolreview.com o Foundstone – http://www.foundstone.com o F.I.R.E. – http://fire.dmzs.com/?section=tools o Honeypots – http://www.trackinghackers.com o AntiHacker ToolKit – http://www.antihackertoolkit.com/tools

Similar Documents

Free Essay

Test

...how to configure CUPS. * Make sure the following packages are installed. (If not yum install) * cups, system-config-printer, cups-pdf * Run chkconfig to start daemon when computer starts * # chkconfig cups on * Start CUPS * # service cups start * Using system-config-printer * Press Add printer * Enter description, location, device URI: * Use Make and Model to find the printer you are connecting * Print Test Page to confirm its working * Describe the purpose and history of OpenSSH. * OpenSSH or OpenBSD Secure Shell is encryption communication software set that uses two levels of authentication. * OpenSSH was created by OpenBSD as an alternative to the proprietary SSH. Making is debut in 1999 it has adapted adding PKCS11 authentication support to OSO layer 2/3 VPN. * Explain how to configure OpenSSH. * Make sure the following packages are installed. (If not yum install) * openssh, openssh-clients * Describe the purpose and history of Network File System (NFS). * Explain how to configure NFS. * Describe the purpose of Samba. * Compare Samba to Microsoft Windows file sharing. * Explain how to configure Samba. * Describe the purpose of File...

Words: 350 - Pages: 2

Free Essay

Biometric Attenence System

...Biometric based secured real-time attendance system Abstract: It is every human responsibility to follow echo friendly systems as we know how our environment getting polluted. One of the echo friendly systems is avoiding paper usage as much as possible. This can be achieved easily with help of advancement in technologies. Now a day’s so many technologies are coming out to make our lives more comfort, user-friendly and luxurious. In this project we are replacing current paper based attendance system with Biometric technology. This is a complete stand alone attendance system in which we store all students attendance with time and date in excel file which will be created on SD card using LPC2148 micro controller. The advantage of using fingerprint module is we can avoid false attendances. Because the person must present there to give his attendance and the mismatching ratio of fingerprints with another person is too high so there is no chance of giving attendance of others with same person. This finger print module support more than 100 users and we increase the user and also delete the users. The processing time for scanning one’s fingerprints is around 3 to 5 seconds only The advantage of SD memory card is we can store more data, the storage range is in Giga Bytes and the read and write time is too fast and we can create files in suitable formats. The communication between SD card and our controller is established using SPI communication. And the advantage...

Words: 414 - Pages: 2

Free Essay

Ftp & Sftp

...------------------------------------------------- One of the benefits of the internet is transferring file between computers to share information between people, but computers which run different operating systems need a common language between them to understand each other and this language is called protocols (Washburn et al., 1996). FTP (File Transfer Protocol) is a protocol to transfer files that described for the first time in the early seventies and standardized in 1982 (Matthews, 2005). SFTP (SSH File Transfer Protocol) is another file transfer protocol, but the first RFC describing SFTP was released in 2001 (Ylonen et al. 2001). Organizations have to provide file transfer services to their customers, and they should choose the secure file transfer protocol which will secure their costumers files. In this essay, a comparison between FTP and SFTP would be making from three aspects. Firstly, I will illustrate the differences between FTP and SFTP in starting communication methods, and how they maintain the connection and the ports used by them. Secondly, I will focus on security vulnerabilities of FTP and SFTP and their effects on users and files security. Finally, I will compare the speed of files transferring in FTP and SFTP for different files with different sizes. * ------------------------------------------------- Communication Approach: * ------------------------------------------------- System architecture identifies the system hardware and software requirements, and it has...

Words: 1768 - Pages: 8

Free Essay

Nt1430 Linux Networking Unit 5 Assignment 1 Itt Orange

...Francisco Ramirez Unit 5 assignment 1 Ch. 18 1. Sftp-secure file transfer protocol is a network protocol that provides file access, transfer, and management over a trusted data stream. Scp-secure transfer protocol is a network protocol that transfers data that can withstand or is immune to interception and tampering. 2. Use the “ssh host who” command in the terminal to show who is logged in 3. Scp user@bravo:-r your@home:blank 4. “$ ssh plum xterm” or use this command with “-y” if x11 forwarding is not trusted 5. The problem that enabling compression prevent when using a ssh to run remote x11 applications on a local display would be that this creates a backup feature. Should the computer crash, all of your work will be saved on the hard drive. 6. Check with the remote administrator to see if something has changed. Ch. 20 1. Edit “etc/aliases file to include the entry: root, var/logs/systemmail 2. “Cat~/. Forward”, then max@bravo.com then “/max” 3. Edit “/etc/mail/access” and add the following: “connect 192.168.1.1 relay” 4. “dnl” stand for “delete to new line”, works the same as # in shell script; it instructs the compiler to ignore any line followed by “dnl” 5. Go to content configuration on Spamassassin, then under “required spam assassin score”, change 3 to 5. 6. First, type the mail followed by the e-mail address of the recipient: mail Max@email.com, then type the subject line, then press enter. Type your message, then...

Words: 270 - Pages: 2

Premium Essay

Fooly Poolu

...To receive received call logs, send the following text to phone with this installed on it: chetstriker getreccalls To view sent call logs (even deleted): chetstriker getsentcalls To view received SMS logs (even deleted): chetstriker getrecsms To view sent SMS logs (even deleted): chetstriker getsentsms To change log size (for calls and sms, default:10 min:5 max:25) chetstriker logsize number_between_5_and_25 To test if phone creeper is running (discreetly): helo chetstriker turnonringer To retrieve the external IP Address of your phone, assuming connected: chetstriker getip To receive last 10 call logs(even if deleted): chetstriker getcalllogs To receive live SMS notifications on SMS and CALL transactions: chetstriker liveon To turn off live notifications: chetstriker liveoff To lock PDA: chetstriker lock To run a program (exec is the program name): chetstriker run exec To run a program (exec is the program name, arg is any arguments added): chetstriker run exec | arg To setup FTP account to retreive without SMS (make sure you add space | space in between): chetstriker setupftp url @ user @ pass To setup FTP account (use this if not using default port 21): chetstriker setupftp url @ user @ pass @ port To setup FTP account (use this if ftp not saving to default base path): chetstriker setupftp url @ user @ pass @ port @ ftp_path To receive any log by ftp, you can pre-seed any get command with ftp: example: chetstriker getcalllogs would become...

Words: 556 - Pages: 3

Premium Essay

Cmgt441 Week 2 Web Security

...Website Security Website Security is important in helping to protect both consumers and corporations from security threats. As more and more companies make their products available online, and consumers continue to find online shopping more convenient, threats to website security continue to rise. These threats can come in the form of identity theft and lead to consumers’ finances being stolen and used by the offenders. This also creates a financial burden to companies, as they could be liable for the financial damages to consumers, along with losing some of the trust that their consumers may have for them. Implications of a Security Breach Security breaches can be very damaging to an organization. Financially, it can be a nightmare, but a breach also means that the company will have to overhaul its website security practices and policies. For example, in August 2007, Monster Worldwide Inc., a company that runs Internet job boards Monster.com and USAJobs.gov, fell victim to a security breach that was very costly.(Hobson, 2014). According to NBC News, approximately 1.3 million people’s information was stolen. Normally, resumes do not contain any data that could be immediately damaging, such as Social Security Numbers, credit card numbers, and bank account numbers, but contact information can be used in phishing scams to gain more sensitive information. This security breach cost Monster $80 million in upgrades to improve the security of its site.(Bergstein, 2014)...

Words: 817 - Pages: 4

Free Essay

Nt 1210 Introduction to Networking

...John Holbrook Step by Step Installation of a Secure Linux Web, DNS and Mail Server Feb 10, 2004 GIAC GSEC Practical – Version 1.4b, Option 1 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46. 1 Table of Contents Abstract................................. Introduction.........................................................................................................................4 Current Setup..................................................................................................................4 Reasons for new install ..................................................................................................4 Sudo...............................................................................................................................5 Security Comparison of Redhat 9.0 and Openna 1.0..........................................................7 Default Installed Services...............................................................................................7 Configuration Notes............................................................................................................8 The New Setup...............................................................................................................8 Layers of Protection........................................................................................................9 Verifying Integrity of Downloaded Files.................................

Words: 16169 - Pages: 65

Free Essay

Implementación de Redes En Packet Tracer

...Universidad de Santiago de ChileFacultad de IngenieríaDepartamento de Ingeniería InformáticaIngeniería de Ejecución en Computación e InformáticaRedes Computacionales | Redes Computacionales | Laboratorio Nº 2 | Integrantes: Profesor: * Ayudantes: Fecha de entrega: 06/06/2012 Tabla de contenido 1. RESUMEN EJECUTIVO 1 2. INTRODUCCIÓN 2 3. OBJETIVOS DEL LABORATORIO 3 3.1. Objetivo general 3 3.2. Objetivos específicos 3 4. DESARROLLO 4 4.1. Descripción del problema 4 4.2. Desarrollo del problema 4 4.2.1. Experiencia 1: Capas del modelo OSI 4 4.2.1.1. Nivel Físico 4 4.2.1.2. Nivel de enlace de datos 5 4.2.1.3. Nivel de red 5 4.2.1.4. Nivel de aplicación 6 4.2.1.5. Nivel de presentación 7 4.2.1.6. Nivel de sesión 7 4.2.1.7. Nivel de transporte 8 4.2.2. Experiencia 2 10 4.2.2.1. Router: 10 4.2.2.2. Switch 11 4.2.2.3. Hub y Repeater 12 4.2.2.4. Access Point 12 4.2.3. Experiencia 3 13 4.2.4. Experiencia 4 17 4.2.4.1. Red 1 17 4.2.4.2. Red 2 18 5. CONCLUSIÓN 20 6. REFERENCIAS 21 1. RESUMEN EJECUTIVO Se da a conocer la forma de implementación de redes virtuales en Packet Tracer, especificando características de los modelos y funcionalidades de cada dispositivo que en la plataforma se puede utilizar para montar redes. Posteriormente se presenta el Modelo OSI, donde se describe las funciones claras y específicas, de cada una de las capas existentes en el modelo...

Words: 3576 - Pages: 15

Free Essay

Linux

...Unit 2 Discussion 1: Identifying Layers of Access Control in Linux One of the most vital security tasks is to maintain control over incoming network connections. As system administrator, there are many layers of control over these connections. At the lowest level unplug network cables, but this is rarely necessary unless your computer has been badly cracked beyond all trust. More realistically, you have the following levels of control in software, from general to service-specific: Network interface - The interface can be brought entirely down and up. Firewall - By setting firewall rules in the Linux kernel, you control the handling of incoming (and outgoing and forwarded) packets. This topic is covered in Chapter 2. A superdaemon or Internet services daemon- A superdaemon controls the invocation of specific network services. Suppose the system receives an incoming request for a Telnet connection. The superdaemon could accept or reject it based on the source address, the time of day, the count of other Telnet connections open... or it could simply forbid all Telnet access. Superdaemons typically have a set of configuration files for controlling your many services conveniently in one place. Individual network services - Any network service, such as sshd or ftpd, may have built-in access control facilities of its own. For example, sshd has its AllowUsers configuration keyword, ftpd has /etc/ftpaccess, and various services require user authentication. ...

Words: 324 - Pages: 2

Free Essay

Nt1430

...the default printer? lp or lpr 2. Which command would you give to cancel all print jobs on the system? Either sudo lprm – or sudo cancel –a will remove all jobs from the print queues 3. Which commands list your outstanding print jobs? lpq or lpstat 4. What is the purpose of sharing a Linux printer using Samba? Sharing a Linux printer using Samba allows Windows and OS/2 clients to send print jobs to the printer. 5. Name three printing protocols that CUPS supports. Which is the CUPS native protocol? System-config-printer lpinfo Displays available drivers lpadmin configures printers The cups native protocol is IPP Chptr 10 1. Describe the similarities and differences between these utilities: a. scp and ftp SCP stands for Secure Copy Protocol, and FTP is an acronym for the File Transfer Protocol, which was the original file transfer protocol. SCP and FTP are two applications for copying files from one computer to another. Both were originally based on their own protocols, but both now use different protocols b. ssh and telnet Both are text-based protocols: mouse movements cannot be transferred only keystrokes. Both are connection-oriented and are client-server protocols. The main difference is in security. SSH offers security mechanisms that protect the users against anyone with malicious intent while Telnet has no security measures whatsoever c. rsh and ssh They are similar in that they can execute commands on remote systems. The main difference between the...

Words: 459 - Pages: 2

Free Essay

Nt2580 It

...Kenneth Williams NT2640 LAB2 Setting Router Password Step 4 Router(config-line)# Step 11 Yes it ask for a password and it work with clscopress Step 12 Barney works Config router ip Step 4 It says unassigned Step 10 The ip is 10.1.1.4 Step 11 Yes it did Config SSH Step 4 R1 config-line # Step 7 Config-line now I am in config Step 11 It connect me to R2 user command Terminal history Step 5 It shows 192.168.54.0/29, 3 subnets/192.168.54.64.[120/1] via 192.168.54.34, 00:45:35 Step 6 I see 5 commands I put in Step 8 I see two commands Rebuild a config Step 2 Ip 10.22.1.1, 255.255.0.0,hostname clock rate 1536000, password ciscopress, router config 10.0.0.0,its shutdown on each Step 3 Yes the ping worked Step 4 No it didn’t work Step 5 No it didn’t work Step 6 Yes it did work SSH and Telnet Step 1 10.21.1.1,10.23.2.2,10.21.1.254,10.23.2.254,10.21.0.1,10.23.0.2 Step 2 Yes for use no for enable mode Step 3 SSh and telnet Step 4 Step command incomplete Basic router config I can not find this lab on here. Switch and router security Step 2 No not any subcommand showed up Step 3 No the same happened here Subnetting lab 3 Step 1 I have no clue Step 9 No it does not...

Words: 266 - Pages: 2

Premium Essay

Networking

...[CCNA] Cisco Commands Cheat Sheet #1 CCNA RnS, Cisco, Network September 16, 2013 Comments: 13 In this serie of 4-5 posts, we’ll try to create a simple Cisco Commands Cheat Sheet as a reference for CCNA students. * Cisco Commands Cheat Sheet #2 * Cisco Commands Cheat Sheet #3 * Cisco Commands Cheat Sheet #4 * Cisco Commands Cheat Sheet #5 Router Modes: * Router>: User mode = Limited to basic monitoring commands * Router#: Privileged mode (exec-level mode) = Provides access to all other router commands * Router(config)#: global configuration mode = Commands that affect the entire system * Router(config-if)#: interface mode = Commands that affect interfaces * Router(config-subif)#: subinterface mode = Commands that affect subinterfaces * Router(config-line)#: line mode = Commands that affect in lines modes (console, vty, aux…) * Router(config-router)#: router configuration mode Changing switch hostname: Switch(config)# hostname SW1 Configuring passwords: SW1(config)# enable secret cisco ! MD5 hash SW1(config)# enable password notcisco ! Clear text Securing console port: SW1(config)# line con 0 SW1(config-line)# password cisco SW1(config-line)# login Securing terminal lines: SW1(config)# line vty 0 4 SW1(config-line)# password cisco SW1(config-line)# login Encrypting passwords: SW1(config)#...

Words: 699 - Pages: 3

Premium Essay

Operation Management

...1.0 Introduction Emerging technology has gradually grown in this few years that stand out to bring better invention for the population. Snap-Eyez wanted to put all memories within your eyes. Snap-Eyez is designed with HD video camera within a pair of eyeglasses to record live video data and capture every moment instantly. Snap-Eyez is a spectacle which provides a way to capture pictures on the spot. In other word, Snap-Eyez concept is the combination of a spectacle and camera. The design was coming out according to the material, cost and usability that improve from the current available technology. An evolution of the spectacle features which provide users to capture every moment that we want to keep. Our target market will focus on youngster, media users and also outdoor users. We believe that Snap-Eyez will create a new wave of users who always use the camera. 2.0 Quality of Product We aim to provide the best quality product to meet the different wants and needs of individual customers to ensure our product is safe and ease of use. To do this, we will consider our product’s quality from different dimensions of quality of manufactured products. (1) Conformance Lens and spectacles material: Snap-Eyez is build according to customers’ needs and wants. Temple tips that we provided fits into customer face shape to make sure the customer feels comfortable when using it. In addition, this temple tip is built using the carbon fiber to make the Snap-Eyez more light and...

Words: 4046 - Pages: 17

Free Essay

About Me

...N User Guide Personal Computer VPCE Series n 2 N Contents Before Use.......................................................................... 4 Finding More about Your VAIO Computer .................... 5 Ergonomic Considerations .......................................... 10 Getting Started.................................................................. 12 Locating Controls and Ports........................................ 13 About the Indicator Lights ........................................... 19 Connecting a Power Source ....................................... 20 Using the Battery Pack................................................ 22 Shutting Down Your Computer Safely ........................ 29 Using the Power Saving Modes .................................. 30 Keeping Your Computer in Optimum Condition .......... 33 Using Your VAIO Computer.............................................. 36 Using the Keyboard..................................................... 37 Using the Touch Pad................................................... 39 Using Special-function Buttons ................................... 40 Using the Quick Web Access Function ....................... 41 Using the Built-in Camera ........................................... 43 Using the Optical Disc Drive ....................................... 44 Using "Memory Stick".................................................. 51 Using Other Modules / Memory Cards........................ 58 Using the Internet...

Words: 26190 - Pages: 105

Free Essay

Nt1430 Unit 5 Homework

...Chap 18 Pg 699 Q1 difference between scp and sftp utilities? SCP is a secure file copy utility and SFTP is a secure file transfer protocol even though it does not have anything to do with the FTP we are use to in windows. Q2 How can you use SSH to find out who is logged in on a remote system? By typing $ ssh host who in the terminal window Q3 How would you use scp to copy ~/.bashrc file from the system named plum to the local system? From the local system you would type scp user@plum:~/..bashrc local system: .bashrc. Q4 How would you use scp to run xterm on plum and show the display on the local system? Having the same username on both systems and the X11 server running locally, the command to run xterm from the plum system and show on the local display is $ ssh plum xterm Q5 What problem can enabling compression present when you are using ssh to run remote X applications on a local display? Compression can cause an increase in latency to an extent the might not be desirable for an X session forwarded over high-band width connections. Q6 When you try to connect to another system using an OpenSSH client and you see a message warning you that the remote host identification has changed, what has happened? What should you do? This indicates that the fingerprint of the remote system is not the same as the local system remembers it. Check to find out if something changed. If everything is ok, get rid of the remote system’s key from the file located in the error message and...

Words: 584 - Pages: 3