diff options
| author |   Azamat H. Hackimov <azamat.hackimov@gmail.com> | 2010-10-22 00:57:39 +0600 |
|---|---|---|
| committer | Azamat H. Hackimov <azamat.hackimov@gmail.com> | 2010-10-22 00:57:39 +0600 |
| commit | 3b862feea3eb7030a087c7c85f89481d32461487 (patch) | |
| tree | b70c650455bb253cd5db4a114af30d653988c86a /shandbook | |
| parent | Main section import (diff) | |
| download | gentoo-doc-translations-3b862feea3eb7030a087c7c85f89481d32461487.tar.gz gentoo-doc-translations-3b862feea3eb7030a087c7c85f89481d32461487.tar.bz2 gentoo-doc-translations-3b862feea3eb7030a087c7c85f89481d32461487.zip | |
Security Handbook
Diffstat (limited to 'shandbook')
33 files changed, 9404 insertions, 0 deletions
diff --git a/shandbook/Makefile b/shandbook/Makefile new file mode 100644 index 0000000..e23e220 --- /dev/null +++ b/shandbook/Makefile @@ -0,0 +1,58 @@ +# (c) 2010 gentoo-doc-ru team +# # https://projects.gentoo.ru/projects/gentoo-doc-ru + +include Makefile.config + +XML := $(foreach dir, $(BASEDIR), $(wildcard $(dir)/*.xml)) + +xml: $(addprefix xml-, $(LANGS)) +$(addprefix xml-, $(LANGS)): $(addprefix po-, $(LANGS)) + +po: $(addprefix po-, $(LANGS)) +$(addprefix po-, $(LANGS)): pot + +pot: $(addprefix $(POTDIR)/, $(addsuffix .pot, $(notdir $(XML)))) + +define xml-lang-template +lang:=$(subst xml-,,$(1)) +$(1): $(addprefix $(XML_OUT)/$(lang)/security/, $(notdir $(XML)) ) + +$(XML_OUT)/$(lang)/security/%: $(POTDIR)/$(lang)/%.po + @if [ ! -d $(XML_OUT)/$(lang)/ ]; then \ + mkdir -p $(XML_OUT)/$(lang)/security/; \ + fi; + $(XML2PO) -p $$? $(BASEDIR)/$$(@F) > $$@ +endef + +$(foreach lang, $(LANGS), $(eval $(call xml-lang-template, xml-$(lang)))) + +define po-lang-template +lang:= $(subst po-,,$(1)) +$(1): $(addprefix $(POTDIR)/$(lang)/, $(addsuffix .po, $(notdir $(XML)))) + +$(POTDIR)/$(lang)/%.po: $(POTDIR)/%.pot + @if [ ! -d $(POTDIR)/$(lang)/ ]; then \ + mkdir -p $(POTDIR)/$(lang)/; \ + fi; + if [ -f $$@ ]; then \ + msgmerge --quiet --backup=none -U $$@ $$?; \ + msgattrib --no-obsolete $$@ --output $$@; \ + touch $$@; \ + else \ + msginit -l $(lang) --no-translator -i $$? -o $$@; \ + fi; +endef + +$(foreach lang, $(LANGS), $(eval $(call po-lang-template, po-$(lang)))) + +$(POTDIR)/%.pot: $(BASEDIR)/% + @if [ ! -d $(POTDIR) ]; then \ + mkdir -p $(POTDIR); \ + fi; + $(XML2PO) -o $@ $? + +help: + @echo "" + @echo " Supported targets: pot po-<LANG> xml xml-<LANG>" + @echo " Substitude LANG with yours. Don't forget edit Makefile.config" + @echo "" diff --git a/shandbook/gettext/index.xml.pot b/shandbook/gettext/index.xml.pot new file mode 100644 index 0000000..a554d81 --- /dev/null +++ b/shandbook/gettext/index.xml.pot @@ -0,0 +1,112 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(guide:link):5 +msgid "/doc/en/security/index.xml" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(title):6 +msgid "Gentoo Security Handbook" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(author:title):8 +msgid "Author" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(mail:link):9 +msgid "curtis119@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(mail):9 +msgid "M. Curtis Napier" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(author:title):11 +msgid "Editor" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(mail:link):12 +msgid "neysx@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(mail):12 +msgid "Xavier Neys" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(abstract):15 +msgid "This handbook is a step-by-step guide for hardening Gentoo Linux." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(version):23 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(date):24 +msgid "2005-07-06" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(title):27 +msgid "Introduction" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(p):31 +msgid "This handbook is intended for people who are using Gentoo Linux in a server based environment or just feel the need for better security." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(p):36 +msgid "If you are interested in even more Gentoo security stuff after reading this handbook then have a look at the <uri link=\"/proj/en/hardened/\">Hardened Gentoo Project</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(title):46 +msgid "View the Handbook" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(th):52 +msgid "Format" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(th):53 +msgid "Description" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(ti):56 ../../gentoo/xml/htdocs/doc/en/security//index.xml(ti):63 ../../gentoo/xml/htdocs/doc/en/security//index.xml(ti):67 +msgid "HTML" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri:link):58 +msgid "security-handbook.xml" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri):58 +msgid "One page per chapter, perfect for online viewing" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri:link):64 +msgid "security-handbook.xml?full=1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri):64 +msgid "All in one page" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri:link):69 +msgid "security-handbook.xml?style=printable=1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri):69 +msgid "All in one page, printable version" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/ru/index.xml.po b/shandbook/gettext/ru/index.xml.po new file mode 100644 index 0000000..fe88932 --- /dev/null +++ b/shandbook/gettext/ru/index.xml.po @@ -0,0 +1,121 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(guide:link):5 +msgid "/doc/en/security/index.xml" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(title):6 +msgid "Gentoo Security Handbook" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(author:title):8 +msgid "Author" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(mail:link):9 +msgid "curtis119@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(mail):9 +msgid "M. Curtis Napier" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(author:title):11 +msgid "Editor" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(mail:link):12 +msgid "neysx@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(mail):12 +msgid "Xavier Neys" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(abstract):15 +msgid "This handbook is a step-by-step guide for hardening Gentoo Linux." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(version):23 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(date):24 +msgid "2005-07-06" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(title):27 +msgid "Introduction" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(p):31 +msgid "" +"This handbook is intended for people who are using Gentoo Linux in a server " +"based environment or just feel the need for better security." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(p):36 +msgid "" +"If you are interested in even more Gentoo security stuff after reading this " +"handbook then have a look at the <uri link=\"/proj/en/hardened/\">Hardened " +"Gentoo Project</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(title):46 +msgid "View the Handbook" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(th):52 +msgid "Format" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(th):53 +msgid "Description" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(ti):56 +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(ti):63 +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(ti):67 +msgid "HTML" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri:link):58 +msgid "security-handbook.xml" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri):58 +msgid "One page per chapter, perfect for online viewing" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri:link):64 +msgid "security-handbook.xml?full=1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri):64 +msgid "All in one page" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri:link):69 +msgid "security-handbook.xml?style=printable=1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(uri):69 +msgid "All in one page, printable version" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//index.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/security-handbook.xml.po b/shandbook/gettext/ru/security-handbook.xml.po new file mode 100644 index 0000000..2c5ed0b --- /dev/null +++ b/shandbook/gettext/ru/security-handbook.xml.po @@ -0,0 +1,260 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):6 +msgid "Gentoo Security Handbook" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):8 +msgid "Author" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):9 +msgid "kn@insecurity.dk" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):9 +msgid "Kim Nielsen" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):11 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):14 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):17 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):20 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):23 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):26 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):29 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):32 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):35 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):38 +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):41 +msgid "Editor" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author):11 +msgid "John P. Davis" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):15 +msgid "stocke2@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):15 +msgid "Eric R. Stockbridge" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):18 +msgid "carl@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):18 +msgid "Carl Anderson" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):21 +msgid "peesh@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):21 +msgid "Jorge Paulo" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):24 +msgid "swift@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):24 +msgid "Sven Vermeulen" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):27 +msgid "bennyc@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):27 +msgid "Benny Chuang" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):30 +msgid "jaervosz@itu.dk" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):30 +msgid "Sune Jeppesen" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):33 +msgid "blubber@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):33 +msgid "Tiemo Kieft" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):36 +msgid "klasikahl@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):36 +msgid "Zack Gilburd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):39 +msgid "krispykringle@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):39 +msgid "Dan Margolis" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):42 +msgid "nightmorph" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):45 +msgid "This is a step-by-step guide for hardening Gentoo Linux." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(version):51 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(date):52 +msgid "2010-04-02" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):96 +msgid "System Security" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):97 +msgid "Harden different parts of your system to make it more secure." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):102 +msgid "Pre-Installation Concerns" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):103 +msgid "Why is security an important part for every server admin?" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):110 +msgid "Tightening Security" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):111 +msgid "Tightening security during and after installation." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):118 +msgid "Logging" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):119 +msgid "Gentoo Linux lets you choose between 3 different loggers." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):126 +msgid "Mounting Partitions" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):127 +msgid "/etc/fstab provides many security options." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):134 +msgid "User/Group Limitations" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):135 +msgid "Control your resource usage." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):142 +msgid "File Permissions" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):143 +msgid "Securing your files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):150 +msgid "PAM" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):151 +msgid "Pluggable Authentication Modules." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):158 +msgid "TCP Wrappers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):159 +msgid "Control access to services." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):166 +msgid "Kernel Security" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):167 +msgid "Secure your kernel." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):174 +msgid "Securing Services" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):175 +msgid "Ensure that your daemons are secure." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):182 +msgid "Chrooting and Virtual Servers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):183 +msgid "Isolate your servers." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):190 +msgid "Firewalls" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):191 +msgid "Filter your packets." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):198 +msgid "Intrusion Detection" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):199 +msgid "Detect intruders." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):206 +msgid "Keeping up-to-date" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):207 +msgid "Ensure you have the latest security updates." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-chroot.xml.po b/shandbook/gettext/ru/shb-chroot.xml.po new file mode 100644 index 0000000..25cec00 --- /dev/null +++ b/shandbook/gettext/ru/shb-chroot.xml.po @@ -0,0 +1,147 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(date):11 +msgid "2005-12-15" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(title):14 +msgid "Chrooting" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):17 +msgid "" +"Chrooting a service is a way of limiting a service (or user) environment to " +"only accessing what it should and not gaining access (or information) that " +"could lead to root access. By running the service as another user than " +"<c>root</c> (<c>nobody</c>, <c>apache</c>, <c>named</c>) an attacker can " +"only access files with the permissions of this user. This means that an " +"attacker cannot gain <c>root</c> access even if the services has a security " +"flaw." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):26 +msgid "" +"Some services like <c>pure-ftpd</c> and <c>bind</c> have features for " +"chrooting, and other services do not. If the service supports it, use it, " +"otherwise you have to figure out how to create your own. Lets see how to " +"create a chroot, for a basic understanding of how chroots work, we will test " +"it with <c>bash</c> (easy way of learning)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):34 +msgid "" +"Create the <path>/chroot</path> directory with <c>mkdir /chroot</c>. And " +"find what dynamic libraries that <c>bash</c> is compiled with (if it is " +"compiled with <c>-static</c> this step is not necessary):" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):40 +msgid "" +"The following command will create a list of libraries used by <c>bash</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(pre:caption):44 +msgid "Get listing of used libraries" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(pre):44 +#, no-wrap +msgid "" +"\n" +"# <i>ldd /bin/bash</i>\n" +" libncurses.so.5 => /lib/libncurses.so.5 (0x4001b000)\n" +" libdl.so.2 => /lib/libdl.so.2 (0x40060000)\n" +" libc.so.6 => /lib/libc.so.6 (0x40063000)\n" +" /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):52 +msgid "Now lets create the environment for <c>bash</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(pre:caption):56 +msgid "Create chroot-environment for bash" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(pre):56 +#, no-wrap +msgid "" +"\n" +"# <i>mkdir /chroot/bash</i>\n" +"# <i>mkdir /chroot/bash/bin</i>\n" +"# <i>mkdir /chroot/bash/lib</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):62 +msgid "" +"Next copy the files used by <c>bash</c> (<path>/lib</path>) to the chrooted " +"<path>lib</path> and copy the bash command to the chrooted <path>bin</path> " +"directory. This will create the exact same environment, just with less " +"functionality. After copying try it out: <c>chroot /chroot/bash /bin/bash</" +"c>. If you get an prompt saying <path>/</path> it works! Otherwise it will " +"properly tell you what a file is missing. Some shared libraries depend on " +"each other." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):71 +msgid "" +"You will notice that inside the chroot nothing works except <c>echo</c>. " +"This is because we have no other commands in out chroot environment than " +"bash and <c>echo</c> is a build-in functionality." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):77 +msgid "" +"This is basically the same way you would create a chrooted service. The only " +"difference is that services sometimes rely on devices and configuration " +"files in <path>/etc</path>. Simply copy them (devices can be copied with " +"<c>cp -a</c>) to the chrooted environment, edit the init script to use " +"chroot before executing. It can be difficult to find what devices and " +"configuration files a services need. This is where the <c>strace</c> command " +"becomes handy. Start the service with <c>/usr/bin/strace</c> bash and look " +"for open, read, stat and maybe connect. This will give you a clue on what " +"files to copy. But in most cases just copy the passwd file (edit the copy " +"and remove users that has nothing to do with the service), <path>/dev/zero</" +"path>, <path>/dev/log</path> and <path>/dev/random</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(title):94 +msgid "User Mode Linux" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):97 +msgid "" +"Another way of creating a more secure environment is by running a virtual " +"machine. A virtual machine, as the name implies, is a process that runs on " +"top of your real operating system providing a hardware and operating system " +"environment that appears to be its own unique machine. The security benefit " +"is that if the server running on the virtual machine is compromised, only " +"the virtual server is affected and not the parent installation." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):106 +msgid "" +"For more information about how to setup User Mode Linux consult the <uri " +"link=\"/doc/en/uml.xml\">User Mode Linux Guide</uri>." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-firewalls.xml.po b/shandbook/gettext/ru/shb-firewalls.xml.po new file mode 100644 index 0000000..a9edcab --- /dev/null +++ b/shandbook/gettext/ru/shb-firewalls.xml.po @@ -0,0 +1,1467 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(version):10 +msgid "1.4" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(date):11 +msgid "2007-02-20" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):14 +msgid "A firewall" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):17 +msgid "" +"People often think that a firewall provides the ultimate security, but they " +"are wrong. In most cases a misconfigured firewall gives less security than " +"not having one at all. A firewall is also a piece of software and should be " +"treated the same way as any other piece of software, because it is just as " +"likely to contain bugs." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):25 +msgid "" +"So think before implementing a firewall! Do you really need one? If you " +"think you need one write a policy on how it should work, what type of " +"firewall, and who should operate it. But first read this guide." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):31 +msgid "Firewalls are used for two purposes:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):36 +msgid "To keep users (worms/attackers) out" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):37 +msgid "To keep users (employees/children) in" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):40 +msgid "Basically there are three types of firewalls:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):45 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):58 +msgid "Packet filtering" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):46 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):129 +msgid "Circuit relay" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):47 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):167 +msgid "Application gateway" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):50 +msgid "" +"A firewall should be a dedicated machine running no services (or <c>sshd</c> " +"as the only one) and secured the way this guide recommends it be." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):61 +msgid "" +"All network traffic is sent in the form of packets. Large amounts of traffic " +"is split up into small packets for easy handling and then reassembled when " +"it arrives at its destination. In the packet header every packet contains " +"information on how and where it should be delivered. And this information is " +"exactly what a packing filtering firewall uses. Filtering is based on:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):70 +msgid "Allow or disallow packets based on source/destination IP address" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):71 +msgid "Allow or disallow packets based on source/destination port" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):72 +msgid "Allow or disallow packets based on protocol" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):73 +msgid "Allow or disallow packets based on flags within a specific protocol" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):76 +msgid "" +"In other words, this filtering is based on all the data within the header of " +"a packet and not its content." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):81 +msgid "Weaknesses:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):86 +msgid "" +"Address information in a packet can potentially be a bogus IP address (or as " +"we say <e>spoofed</e> by the sender)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):90 +msgid "" +"Data or requests within the allowed packet may contain unwanted data that " +"the attacker can use to exploit known bugs in the services on or behind the " +"firewall" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):94 +msgid "Usually single point of failure" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):97 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):184 +msgid "Advantages:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):102 +msgid "Simple and easy to implement" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):103 +msgid "" +"Can give warnings of a possible attack before it happens (ie. by detecting " +"port scans)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):107 +msgid "Good for stopping SYN attacks" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):110 +msgid "Examples of free packet filters on Linux:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri:link):115 +msgid "http://www.iptables.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri):115 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):221 +msgid "Iptables" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri:link):117 +msgid "http://www.linuxdocs.org/HOWTOs/IPCHAINS-HOWTO.html" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri):117 +msgid "Ipchains" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri:link):119 +msgid "http://www.smoothwall.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri):119 +msgid "SmoothWall" +msgstr "" + +#. FIXME: should SmoothWall really be included, since it uses iptables? +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):122 +msgid "It is recommended that you use iptables. Ipchains is obsoleted." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):132 +msgid "" +"A circuit level gateway is a firewall that validates connections before " +"allowing data to be exchanged. This means that it does not simply allow or " +"deny packets based on the packet header but determines whether the " +"connection between both ends is valid according to configurable rules before " +"it opens a session and allows data to be exchanged. Filtering is based on:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):141 +msgid "Source/destination IP address" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):142 +msgid "Source/destination port" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):143 +msgid "A period of time" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):144 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):395 +msgid "Protocol" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):145 +msgid "User" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):146 +msgid "Password" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):149 +msgid "" +"All traffic is validated and monitored, and unwanted traffic can be dropped." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):153 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):196 +msgid "Weakness:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):158 +msgid "" +"Operates at the Transport Layer and may require substantial modification of " +"the programs that normally provide transport functions." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):170 +msgid "" +"The application level gateway is a proxy for applications, exchanging data " +"with remote systems on behalf of the clients. It is kept away from the " +"public safely behind a DMZ (De-Militarized Zone: the portion of a private " +"network that is visible through the firewall) or a firewall allowing no " +"connections from the outside. Filtering is based on:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):179 +msgid "Allow or disallow based on source/destination IP address" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):180 +msgid "Based on the packet's content" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):181 +msgid "Limiting file access based on file type or extension" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):189 +msgid "Can cache files, increasing network performance" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):190 +msgid "Detailed logging of all connections" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):191 +msgid "Scales well (some proxy servers can \"share\" the cached data)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):192 +msgid "No direct access from the outside" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):193 +msgid "Can even alter the packet content on the fly" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):201 +msgid "Configuration is complex" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):204 +msgid "" +"Application gateways are considered to be the most secure solution since " +"they do not have to run as root and the hosts behind them are not reachable " +"from the Internet." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):210 +msgid "Example of a free application gateway:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri:link):215 +msgid "http://www.squid-cache.org/" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri):215 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):825 +msgid "Squid" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):224 +msgid "" +"In order to use iptables, it must be enabled in the kernel. I have added " +"iptables as modules (the <c>iptables</c> command will load them as they are " +"needed) and recompiled my kernel (but you may want to compile iptables in, " +"if you intend to disable Loadable Kernel Modules as discussed previously). " +"For more information on how to configure your kernel for iptables go to the " +"<uri link=\"http://iptables-tutorial.frozentux.net/iptables-tutorial." +"html#PREPARATIONS\">Iptables Tutorial Chapter 5: Preparations</uri>. After " +"you have compiled your new kernel (or while compiling the kernel), you must " +"add the <c>iptables</c> command. Just <c>emerge iptables</c> and it should " +"work." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):236 +msgid "" +"Now test that it works by running <c>iptables -L</c>. If this fails " +"something is wrong and you have to check you configuration once more." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):241 +msgid "" +"Iptables is the new and heavily improved packet filter in the Linux 2.4.x " +"kernel. It is the successor of the previous ipchains packet filter in the " +"Linux 2.2.x kernel. One of the major improvements is that iptables is able " +"to perform stateful packet filtering. With stateful packet filtering it is " +"possible to keep track of each established TCP connection." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):249 +msgid "" +"A TCP connection consists of a series of packets containing information " +"about source IP address, destination IP address, source port, destination " +"port, and a sequence number so the packets can be reassembled without losing " +"data. TCP is a connection-oriented protocol, in contrast to UDP, which is " +"connectionless." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):256 +msgid "" +"By examining the TCP packet header, a stateful packet filter can determine " +"if a received TCP packet is part of an already established connection or not " +"and decide either to accept or drop the packet." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):262 +msgid "" +"With a stateless packet filter it is possible to fool the packet filter into " +"accepting packets that should be dropped by manipulating the TCP packet " +"headers. This could be done by manipulating the SYN flag or other flags in " +"the TCP header to make a malicious packet appear to be a part of an " +"established connection (since the packet filter itself does not do " +"connection tracking). With stateful packet filtering it is possible to drop " +"such packets, as they are not part of an already established connection. " +"This will also stop the possibility of \"stealth scans\", a type of port " +"scan in which the scanner sends packets with flags that are far less likely " +"to be logged by a firewall than ordinary SYN packets." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):275 +msgid "" +"Iptables provides several other features like NAT (Network Address " +"Translation) and rate limiting. Rate limiting is extremely useful when " +"trying to prevent certain DoS (Denial of Service) attacks like SYN floods." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):281 +msgid "" +"A TCP connection is established by a so called three-way handshake. When " +"establishing a TCP connection the client-side sends a packet to the server " +"with the SYN flag set. When the server-side receives the SYN packet it " +"responds by sending a SYN+ACK packet back to the client-side. When the SYN" +"+ACK is received the client-side responds with a third ACK packet in effect " +"acknowledging the connection." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):290 +msgid "" +"A SYN flood attack is performed by sending the SYN packet but failing to " +"respond to the SYN+ACK packet. The client-side can forge a packet with a " +"fake source IP address because it does not need a reply. The server-side " +"system will add an entry to a queue of half-open connections when it " +"receives the SYN packet and then wait for the final ACK packet before " +"deleting the entry from the queue. The queue has a limited number of slots " +"and if all the slots are filled it is unable to open any further " +"connections. If the ACK packet is not received before a specified timeout " +"period the entry will automatically be deleted from the queue. The timeout " +"settings vary but will typically be 30-60 seconds or even more. The client-" +"side initiates the attack by forging a lot of SYN packets with different " +"source IP addresses and sends them to the target IP address as fast as " +"possible and thereby filling up the queue of half-open connections and thus " +"preventing other clients from establishing a legitimate connection with the " +"server." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):307 +msgid "" +"This is where the rate limit becomes handy. It is possible to limit the rate " +"of accepted SYN packets by using the <c>-m limit --limit 1/s</c>. This will " +"limit the number of SYN packets accepted to one per second and therefore " +"restricting the SYN flood on our resources." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):314 +msgid "" +"Another option for preventing SYN floods are <uri link=\"http://cr.yp.to/" +"syncookies.html\">SYN cookies</uri>, which allow your computer to respond to " +"SYN packets without filling space in the connection queue. SYN cookies can " +"be enabled in the Linux kernel configuration, but they are considered " +"experimental at this time." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):322 +msgid "Now some practical stuff!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):326 +msgid "" +"When iptables is loaded in the kernel it has 5 hooks where you can place " +"your rules. They are called <c>INPUT</c>, <c>OUTPUT</c>, <c>FORWARD</c>, " +"<c>PREROUTING</c> and <c>POSTROUTING</c>. Each of these is called a chain " +"and consists of a list of rules. Each rule says if the packet header looks " +"like this, then here is what to do with the packet. If the rule does not " +"match the packet the next rule in the chain is consulted." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):335 +msgid "" +"You can place rules directly in the 5 main chains or create new chains and " +"add them to as a rule to an existing chain. Iptables supports the following " +"options." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):342 +msgid "Option:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):343 +msgid "Description:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):346 +msgid "-A" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):347 +msgid "Append" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):350 +msgid "-D" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):351 +msgid "Delete" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):354 +msgid "-I" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):355 +msgid "Insert" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):358 +msgid "-R" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):359 +msgid "Replace" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):362 +msgid "-L" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):363 +msgid "List" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):366 +msgid "-F" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):367 +msgid "Delete all rules in chain or all chains" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):370 +msgid "-Z" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):371 +msgid "Zero counters in chain or all chains" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):374 +msgid "-C" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):375 +msgid "Test this packet on chain" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):378 +msgid "-N" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):379 +msgid "Create a new user-defined chain" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):382 +msgid "-X" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):383 +msgid "Delete a user-defined chain" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):386 +msgid "-P" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):387 +msgid "Change policy on chain to target" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):390 +msgid "-E" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):391 +msgid "Change chain name" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):394 +msgid "-p" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):398 +msgid "-s" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):399 +msgid "Source address/mask" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):402 +msgid "-d" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):403 +msgid "Destination address/mask" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):406 +msgid "-i" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):407 +msgid "Input name (Ethernet name)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):410 +msgid "-o" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):411 +msgid "Output name (Ethernet name)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):414 +msgid "-j" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):415 +msgid "Jump (target for rule)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):418 +msgid "-m" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):419 +msgid "Extended match (might use extension)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):422 +msgid "-n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):423 +msgid "Numeric output of addresses and ports" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):426 +msgid "-t" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):427 +msgid "Table to manipulate" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):430 +msgid "-v" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):431 +msgid "Verbose mode" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):434 +msgid "-x" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):435 +msgid "Expand numbers (display exact values)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):438 +msgid "-f" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):439 +msgid "Match second or further fragments only" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):442 +msgid "-V" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):443 +msgid "Packet version" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):446 +msgid "--line-numbers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):447 +msgid "Print line numbers when listing" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):451 +msgid "" +"First we will try to block all ICMP packets to our machine, just to get " +"familiar with iptables." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):456 +msgid "Block all ICMP packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):456 +#, no-wrap +msgid "" +"\n" +"# <i>iptables -A INPUT -p icmp -j DROP</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):460 +msgid "" +"First we specify the chain our rule should be appended to, then the protocol " +"of the packets to match, and finally the target. The target can be the name " +"of a user specified chain or one of the special targets <c>ACCEPT</c>, " +"<c>DROP</c>, <c>REJECT</c>, <c>LOG</c>, <c>QUEUE</c>, or <c>MASQUERADE</c>. " +"In this case we use <c>DROP</c>, which will drop the packet without " +"responding to the client." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):468 +msgid "" +"The <c>LOG</c> target is what's known as \"non-terminating\". If a packet " +"matches a rule with the <c>LOG</c> target, rather than halting evaluation, " +"the packet will continue to be matched to further rules. This allows you to " +"log packets while still processing them normally." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):475 +msgid "" +"Now try <c>ping localhost</c>. You will not get any response, since iptables " +"will drop all incoming ICMP messages. You will also not be able to ping " +"other machines, since the ICMP reply packet will be dropped as well. Now " +"flush the chain to get ICMP flowing again." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):482 +msgid "Flush all rules" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):482 +#, no-wrap +msgid "" +"\n" +"# <i>iptables -F</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):486 +msgid "" +"Now lets look at the stateful packet filtering in iptables. If we wanted to " +"enable stateful inspection of packets incoming on eth0 we would issue the " +"command:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):492 +msgid "Accept packets that originate from an already established connection" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):492 +#, no-wrap +msgid "" +"\n" +"# <i>iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):496 +msgid "" +"This will accept any packet from an already established connection or " +"related in the INPUT chain. And you could drop any packet that is not in the " +"state table by issuing <c>iptables -A INPUT -i eth0 -m state --state INVALID " +"-j DROP</c> just before the previous command. This enables the stateful " +"packet filtering in iptables by loading the extension \"state\". If you " +"wanted to allow others to connect to your machine, you could use the flag " +"<c>--state NEW</c>. Iptables contains some modules for different purposes. " +"Some of them are:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):508 +msgid "Module/Match" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):509 +msgid "Description" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):510 +msgid "Extended options" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):513 +msgid "mac" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):514 +msgid "Matching extension for incoming packets mac address." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):515 +msgid "--mac-source" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):518 +msgid "state" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):519 +msgid "Enables stateful inspection" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):520 +msgid "--state (states are ESTABLISHED,RELATED, INVALID, NEW)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):523 +msgid "limit" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):524 +msgid "Rate matching limiting" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):525 +msgid "--limit, --limit-burst" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):528 +msgid "owner" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):529 +msgid "Attempt to match various characteristics of the packet creator" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):530 +msgid "" +"--uid-owner userid --gid-owner groupid --pid-owner processid --sid-owner " +"sessionid" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):536 +msgid "unclean" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):537 +msgid "Various random sanity checks on packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):541 +msgid "" +"Lets try to create a user-defined chain and apply it to one of the existing " +"chains:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):546 +msgid "Creating a user defined chain" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):546 +#, no-wrap +msgid "" +"\n" +"<comment>(Create a new chain with one rule)</comment>\n" +"# <i>iptables -X mychain</i>\n" +"# <i>iptables -N mychain</i>\n" +"# <i>iptables -A mychain -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT</i>\n" +"<comment>(The default policy is all outgoing traffic is allowed. Incoming is dropped.)</comment>\n" +"# <i>iptables -P OUTPUT ACCEPT</i>\n" +"# <i>iptables -P INPUT DROP</i>\n" +"<comment>(And add it to the INPUT chain)</comment>\n" +"# <i>iptables -A INPUT -j mychain</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):558 +msgid "" +"By applying the rule to the input chain we get the policy: All outgoing " +"packets are allowed and all incoming packets are dropped." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):563 +msgid "" +"One can find documentation at <uri link=\"http://www.iptables.org/" +"documentation/index.html#HOWTO\">Netfilter/iptables documentation</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):569 +msgid "" +"Lets see a full blown example. In this case my firewall/gateway policy " +"states:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):574 +msgid "Connections to the firewall are only allowed through SSH (port 22)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):575 +msgid "" +"The local network should have access to HTTP, HTTPS and SSH (DNS should also " +"be allowed)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):579 +msgid "" +"ICMP traffic can contain payload and should not be allowed. Of course we " +"have to allow some ICMP traffic." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):583 +msgid "Port scans should be detected and logged" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):584 +msgid "SYN attacks should be avoided" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):585 +msgid "All other traffic should be dropped and logged" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):588 +msgid "/etc/init.d/firewall" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):588 +#, no-wrap +msgid "" +"\n" +"#!/sbin/runscript\n" +"IPTABLES=/sbin/iptables\n" +"IPTABLESSAVE=/sbin/iptables-save\n" +"IPTABLESRESTORE=/sbin/iptables-restore\n" +"FIREWALL=/etc/firewall.rules\n" +"DNS1=212.242.40.3\n" +"DNS2=212.242.40.51\n" +"#inside\n" +"IIP=10.0.0.2\n" +"IINTERFACE=eth0\n" +"LOCAL_NETWORK=10.0.0.0/24\n" +"#outside\n" +"OIP=217.157.156.144\n" +"OINTERFACE=eth1\n" +"\n" +"opts=\"${opts} showstatus panic save restore showoptions rules\"\n" +"\n" +"depend() {\n" +" need net\n" +"}\n" +"\n" +"rules() {\n" +" stop\n" +" ebegin \"Setting internal rules\"\n" +"\n" +" einfo \"Setting default rule to drop\"\n" +" $IPTABLES -P FORWARD DROP\n" +" $IPTABLES -P INPUT DROP\n" +" $IPTABLES -P OUTPUT DROP\n" +"\n" +" #default rule\n" +" einfo \"Creating states chain\"\n" +" $IPTABLES -N allowed-connection\n" +" $IPTABLES -F allowed-connection\n" +" $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT\n" +" $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix \\\n" +" \"Bad packet from ${IINTERFACE}:\"\n" +" $IPTABLES -A allowed-connection -j DROP\n" +"\n" +" #ICMP traffic\n" +" einfo \"Creating icmp chain\"\n" +" $IPTABLES -N icmp_allowed\n" +" $IPTABLES -F icmp_allowed\n" +" $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \\\n" +" time-exceeded -j ACCEPT\n" +" $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \\\n" +" destination-unreachable -j ACCEPT\n" +" $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix \"Bad ICMP traffic:\"\n" +" $IPTABLES -A icmp_allowed -p icmp -j DROP\n" +"\n" +" #Incoming traffic\n" +" einfo \"Creating incoming ssh traffic chain\"\n" +" $IPTABLES -N allow-ssh-traffic-in\n" +" $IPTABLES -F allow-ssh-traffic-in\n" +" #Flood protection\n" +" $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \\\n" +" ALL RST --dport ssh -j ACCEPT\n" +" $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \\\n" +" ALL FIN --dport ssh -j ACCEPT\n" +" $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \\\n" +" ALL SYN --dport ssh -j ACCEPT\n" +" $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT\n" +"\n" +" #outgoing traffic\n" +" einfo \"Creating outgoing ssh traffic chain\"\n" +" $IPTABLES -N allow-ssh-traffic-out\n" +" $IPTABLES -F allow-ssh-traffic-out\n" +" $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT\n" +"\n" +" einfo \"Creating outgoing dns traffic chain\"\n" +" $IPTABLES -N allow-dns-traffic-out\n" +" $IPTABLES -F allow-dns-traffic-out\n" +" $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \\\n" +" -j ACCEPT\n" +" $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \\\n" +" -j ACCEPT\n" +"\n" +" einfo \"Creating outgoing http/https traffic chain\"\n" +" $IPTABLES -N allow-www-traffic-out\n" +" $IPTABLES -F allow-www-traffic-out\n" +" $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT\n" +" $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT\n" +"\n" +" #Catch portscanners\n" +" einfo \"Creating portscan detection chain\"\n" +" $IPTABLES -N check-flags\n" +" $IPTABLES -F check-flags\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \\\n" +" --limit 5/minute -j LOG --log-level alert --log-prefix \"NMAP-XMAS:\"\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \\\n" +" 5/minute -j LOG --log-level 1 --log-prefix \"XMAS:\"\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \\\n" +" -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix \"XMAS-PSH:\"\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \\\n" +" --limit 5/minute -j LOG --log-level 1 --log-prefix \"NULL_SCAN:\"\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \\\n" +" --limit 5/minute -j LOG --log-level 5 --log-prefix \"SYN/RST:\"\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \\\n" +" --limit 5/minute -j LOG --log-level 5 --log-prefix \"SYN/FIN:\"\n" +" $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP\n" +"\n" +" # Apply and add invalid states to the chains\n" +" einfo \"Applying chains to INPUT\"\n" +" $IPTABLES -A INPUT -m state --state INVALID -j DROP\n" +" $IPTABLES -A INPUT -p icmp -j icmp_allowed\n" +" $IPTABLES -A INPUT -j check-flags\n" +" $IPTABLES -A INPUT -i lo -j ACCEPT\n" +" $IPTABLES -A INPUT -j allow-ssh-traffic-in\n" +" $IPTABLES -A INPUT -j allowed-connection\n" +"\n" +" einfo \"Applying chains to FORWARD\"\n" +" $IPTABLES -A FORWARD -m state --state INVALID -j DROP\n" +" $IPTABLES -A FORWARD -p icmp -j icmp_allowed\n" +" $IPTABLES -A FORWARD -j check-flags\n" +" $IPTABLES -A FORWARD -o lo -j ACCEPT\n" +" $IPTABLES -A FORWARD -j allow-ssh-traffic-in\n" +" $IPTABLES -A FORWARD -j allow-www-traffic-out\n" +" $IPTABLES -A FORWARD -j allowed-connection\n" +"\n" +" einfo \"Applying chains to OUTPUT\"\n" +" $IPTABLES -A OUTPUT -m state --state INVALID -j DROP\n" +" $IPTABLES -A OUTPUT -p icmp -j icmp_allowed\n" +" $IPTABLES -A OUTPUT -j check-flags\n" +" $IPTABLES -A OUTPUT -o lo -j ACCEPT\n" +" $IPTABLES -A OUTPUT -j allow-ssh-traffic-out\n" +" $IPTABLES -A OUTPUT -j allow-dns-traffic-out\n" +" $IPTABLES -A OUTPUT -j allow-www-traffic-out\n" +" $IPTABLES -A OUTPUT -j allowed-connection\n" +"\n" +" #Allow client to route through via NAT (Network Address Translation)\n" +" $IPTABLES -t nat -A POSTROUTING -o $OINTERFACE -j MASQUERADE\n" +" eend $?\n" +"}\n" +"\n" +"start() {\n" +" ebegin \"Starting firewall\"\n" +" if [ -e \"${FIREWALL}\" ]; then\n" +" restore\n" +" else\n" +" einfo \"${FIREWALL} does not exists. Using default rules.\"\n" +" rules\n" +" fi\n" +" eend $?\n" +"}\n" +"\n" +"stop() {\n" +" ebegin \"Stopping firewall\"\n" +" $IPTABLES -F\n" +" $IPTABLES -t nat -F\n" +" $IPTABLES -X\n" +" $IPTABLES -P FORWARD ACCEPT\n" +" $IPTABLES -P INPUT ACCEPT\n" +" $IPTABLES -P OUTPUT ACCEPT\n" +" eend $?\n" +"}\n" +"\n" +"showstatus() {\n" +" ebegin \"Status\"\n" +" $IPTABLES -L -n -v --line-numbers\n" +" einfo \"NAT status\"\n" +" $IPTABLES -L -n -v --line-numbers -t nat\n" +" eend $?\n" +"}\n" +"\n" +"panic() {\n" +" ebegin \"Setting panic rules\"\n" +" $IPTABLES -F\n" +" $IPTABLES -X\n" +" $IPTABLES -t nat -F\n" +" $IPTABLES -P FORWARD DROP\n" +" $IPTABLES -P INPUT DROP\n" +" $IPTABLES -P OUTPUT DROP\n" +" $IPTABLES -A INPUT -i lo -j ACCEPT\n" +" $IPTABLES -A OUTPUT -o lo -j ACCEPT\n" +" eend $?\n" +"}\n" +"\n" +"save() {\n" +" ebegin \"Saving Firewall rules\"\n" +" $IPTABLESSAVE > $FIREWALL\n" +" eend $?\n" +"}\n" +"\n" +"restore() {\n" +" ebegin \"Restoring Firewall rules\"\n" +" $IPTABLESRESTORE < $FIREWALL\n" +" eend $?\n" +"}\n" +"\n" +"restart() {\n" +" svc_stop; svc_start\n" +"}\n" +"\n" +"showoptions() {\n" +" echo \"Usage: $0 {start|save|restore|panic|stop|restart|showstatus}\"\n" +" echo \"start) will restore setting if exists else force rules\"\n" +" echo \"stop) delete all rules and set all to accept\"\n" +" echo \"rules) force settings of new rules\"\n" +" echo \"save) will store settings in ${FIREWALL}\"\n" +" echo \"restore) will restore settings from ${FIREWALL}\"\n" +" echo \"showstatus) Shows the status\"\n" +"}\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):798 +msgid "Some advice when creating a firewall:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):803 +msgid "Create your firewall policy before implementing it" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):804 +msgid "Keep it simple" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):805 +msgid "" +"Know how each protocol works (read the relevant <uri link=\"http://www.ietf." +"org/\">RFC</uri>(Request For Comments))" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):809 +msgid "" +"Keep in mind that a firewall is just another piece of software running as " +"root." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):812 +msgid "Test your firewall" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):815 +msgid "" +"If you think that iptables is hard to understand or takes to long to setup a " +"decent firewall you could use <uri link=\"http://www.shorewall.net" +"\">Shorewall</uri>. It basically uses iptables to generate firewall rules, " +"but concentrates on rules and not specific protocols." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):828 +msgid "" +"Squid is a very powerful proxy server. It can filter traffic based on time, " +"regular expressions on path/URI, source and destination IP addresses, " +"domain, browser, authenticated user name, MIME type, and port number " +"(protocol). I probably forgot some features, but it can be hard to cover the " +"entire list right here." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):836 +msgid "" +"In the following example I have added a banner filter instead of a filter " +"based on porn sites. The reason for this is that Gentoo.org should <e>not</" +"e> be listed as some porn site. And I do not want to waste my time trying to " +"find some good sites for you." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):843 +msgid "In this case, my policy states:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):848 +msgid "" +"Surfing (HTTP/HTTPS) is allowed during work hours (mon-fri 8-17 and sat " +"8-13), but if employees are here late they should work, not surf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):852 +msgid "" +"Downloading files is not allowed (.exe, .com, .arj, .zip, .asf, .avi, .mpg, ." +"mpeg, etc)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):856 +msgid "" +"We do not like banners, so they are filtered and replaced with a transparent " +"gif (this is where you get creative!)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):860 +msgid "All other connections to and from the Internet are denied." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):865 +msgid "This is implemented in 4 <e>easy</e> steps." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):869 +msgid "/etc/squid/squid.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):869 +#, no-wrap +msgid "" +"\n" +"# Bind to a ip and port\n" +"http_port 10.0.2.1:3128\n" +"\n" +"# Standard configuration\n" +"hierarchy_stoplist cgi-bin ?\n" +"acl QUERY urlpath_regex cgi-bin \\?\n" +"no_cache deny QUERY\n" +"\n" +"# Add basic access control lists\n" +"acl all src 0.0.0.0/0.0.0.0\n" +"acl manager proto cache_object\n" +"acl localhost src 127.0.0.1/255.255.255.255\n" +"\n" +"# Add who can access this proxy server\n" +"acl localnet src 10.0.0.0/255.255.0.0\n" +"\n" +"# And ports\n" +"acl SSL_ports port 443\n" +"acl Safe_ports port 80\n" +"acl Safe_ports port 443\n" +"acl purge method PURGE\n" +"\n" +"# Add access control list based on regular\n" +"# expressions within urls\n" +"acl archives urlpath_regex \"/etc/squid/files.acl\"\n" +"acl url_ads url_regex \"/etc/squid/banner-ads.acl\"\n" +"\n" +"# Add access control list based on time and day\n" +"acl restricted_weekdays time MTWHF 8:00-17:00\n" +"acl restricted_weekends time A 8:00-13:00\n" +"\n" +"acl CONNECT method CONNECT\n" +"\n" +"#allow manager access from localhost\n" +"http_access allow manager localhost\n" +"http_access deny manager\n" +"\n" +"# Only allow purge requests from localhost\n" +"http_access allow purge localhost\n" +"http_access deny purge\n" +"\n" +"# Deny requests to unknown ports\n" +"http_access deny !Safe_ports\n" +"\n" +"# Deny CONNECT to other than SSL ports\n" +"http_access deny CONNECT !SSL_ports\n" +"\n" +"# My own rules\n" +"\n" +"# Add a page do be displayed when\n" +"# a banner is removed\n" +"deny_info NOTE_ADS_FILTERED url_ads\n" +"\n" +"# Then deny them\n" +"http_access deny url_ads\n" +"\n" +"# Deny all archives\n" +"http_access deny archives\n" +"\n" +"# Restrict access to work hours\n" +"http_access allow localnet restricted_weekdays\n" +"http_access allow localnet restricted_weekends\n" +"\n" +"# Deny the rest\n" +"http_access deny all\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):937 +msgid "" +"Next fill in the files you do not want your users to download files. I have " +"added zip, viv, exe, mp3, rar, ace, avi, mov, mpg, mpeg, au, ra, arj, tar, " +"gz and z files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):943 +msgid "/etc/squid/files.acl" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):943 +#, no-wrap +msgid "" +"\n" +"\\.[Zz][Ii][pP]$\n" +"\\.[Vv][Ii][Vv].*\n" +"\\.[Ee][Xx][Ee]$\n" +"\\.[Mm][Pp]3$\n" +"\\.[Rr][Aa][Rr]$\n" +"\\.[Aa][Cc][Ee]$\n" +"\\.[Aa][Ss][Ff]$\n" +"\\.[Aa][Vv][Ii]$\n" +"\\.[Mm][Oo][Vv]$\n" +"\\.[Mm][Pp][Gg]$\n" +"\\.[Mm][Pp][Ee][Gg]$\n" +"\\.[Aa][Uu]$\n" +"\\.[Rr][Aa]$\n" +"\\.[Aa][Rr][Jj]$\n" +"\\.[Tt][Aa][Rr]$\n" +"\\.[Gg][Zz]$\n" +"\\.[Zz]$\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):963 +msgid "" +"Please note the [] with upper and lowercase of every character. This is done " +"so no one can fool our filter by accessing a file called AvI instead of avi." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):968 +msgid "" +"Next we add the regular expressions for identifying banners. You will " +"probably be a lot more creative than I:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):973 +msgid "/etc/squid/banner-ads.acl" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):973 +#, no-wrap +msgid "" +"\n" +"/adv/.*\\.gif$\n" +"/[Aa]ds/.*\\.gif$\n" +"/[Aa]d[Pp]ix/\n" +"/[Aa]d[Ss]erver\n" +"/[Aa][Dd]/.*\\.[GgJj][IiPp][FfGg]$\n" +"/[Bb]annerads/\n" +"/adbanner.*\\.[GgJj][IiPp][FfGg]$\n" +"/images/ad/\n" +"/reklame/\n" +"/RealMedia/ads/.*\n" +"^http://www\\.submit-it.*\n" +"^http://www\\.eads.*\n" +"^http://ads\\.\n" +"^http://ad\\.\n" +"^http://ads02\\.\n" +"^http://adaver.*\\.\n" +"^http://adforce\\.\n" +"adbot\\.com\n" +"/ads/.*\\.gif.*\n" +"_ad\\..*cgi\n" +"/Banners/\n" +"/SmartBanner/\n" +"/Ads/Media/Images/\n" +"^http://static\\.wired\\.com/advertising/\n" +"^http://*\\.dejanews\\.com/ads/\n" +"^http://adfu\\.blockstackers\\.com/\n" +"^http://ads2\\.zdnet\\.com/adverts\n" +"^http://www2\\.burstnet\\.com/gifs/\n" +"^http://www.\\.valueclick\\.com/cgi-bin/cycle\n" +"^http://www\\.altavista\\.com/av/gifs/ie_horiz\\.gif\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1006 +msgid "" +"And as the last part we want this file to be displayed when a banner is " +"removed. It is basically a half html file with a 4x4 transparent gif image." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):1011 +msgid "/etc/squid/errors/NOTE_ADS_FILTERED" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):1011 +#, no-wrap +msgid "" +"\n" +"<HTML>\n" +"<HEAD>\n" +"<META HTTP-EQUIV=\"REFRESH\" CONTENT=\"0; URL=http://localhost/images/4x4.gif\">\n" +"<TITLE>ERROR: The requested URL could not be retrieved</TITLE>\n" +"</HEAD>\n" +"<BODY>\n" +"<H1>Add filtered!</H1>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):1021 +msgid "" +"Do not close the <HTML> <BODY> tags. This will be done by squid." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1025 +msgid "" +"As you can see, Squid has a lot of possibilities and it is very effective at " +"both filtering and proxying. It can even use alternative Squid proxies to " +"scale on very large networks. The configuration I have listed here is mostly " +"suited for a small network with 1-20 users." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1032 +msgid "" +"But combining the packet filter (iptables) and the application gateway " +"(Squid) is probably the best solution, even if Squid is located somewhere " +"safe and nobody can access it from the outside. We still need to be " +"concerned about attacks from the inside." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1039 +msgid "" +"Now you have to configure your clients browsers to use the proxy server. The " +"gateway will prevent the users from having any contact with the outside " +"unless they use the proxy." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):1045 +msgid "" +"In Mozilla Firefox this is done in Edit->Preferences->Advanced->" +"Network." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1049 +msgid "" +"It can also be done transparently by using iptables to forward all outbound " +"traffic to a Squid proxy. This can be done by adding a forwarding/prerouting " +"rule on the gateway:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):1055 +msgid "Enable portforwarding to our proxyserver" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):1055 +#, no-wrap +msgid "" +"\n" +"# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to proxyhost:3128</i>\n" +"# <i>iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to proxyhost:3128</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):1060 +msgid "" +"If the proxy is running on the packet filtering host--though this is not " +"recommended, it may be necessary if you do not have enough spare machines--" +"use a <c>REDIRECT</c> target instead of <c>DNAT</c> (<c>REDIRECT</c> directs " +"packets to the localhost)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):1070 +msgid "Lessons learned" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1073 +msgid "We have learned that:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1078 +msgid "" +"A firewall can be a risk in itself. A badly configured firewall is worse " +"than not having one at all." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1082 +msgid "How to setup a basic gateway and a transparent proxy." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1083 +msgid "The key to a good firewall is to know the protocols you want do allow." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1084 +msgid "" +"That IP traffic does not always contain legitimate data, e.g. ICMP packets, " +"which can contain a malicious payload." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1088 +msgid "How to prevent SYN attack." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1089 +msgid "" +"Filtering HTTP traffic by removing offensive pictures and downloads of " +"viruses." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1090 +msgid "" +"Combining packet filters and application gateways provides better control." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1095 +msgid "" +"Now, if you <e>really</e> need to, go create a firewall that matches your " +"needs." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-intrusion.xml.po b/shandbook/gettext/ru/shb-intrusion.xml.po new file mode 100644 index 0000000..0db1f46 --- /dev/null +++ b/shandbook/gettext/ru/shb-intrusion.xml.po @@ -0,0 +1,675 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(version):10 +msgid "2" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(date):11 +msgid "2010-07-19" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(title):14 +msgid "AIDE (Advanced Intrusion Detection Environment)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):17 +msgid "" +"AIDE is a Host-Based Intrusion Detection System (HIDS), a free alternative " +"to Tripwire (if you already know Tripwire you should have no difficulties " +"learning the configuration file for AIDE). HIDS are used to detect changes " +"to important system configuration files and binaries, generally by making a " +"unique cryptographic hash for the files to be checked and storing it in a " +"secure place. On a regular basis (such as once a day), the stored \"known-" +"good\" hash is compared to the one generated from the current copy of each " +"file, to determine if that file has changed. HIDS are a great way to detect " +"disallowed changes to your system, but they take a little work to implement " +"properly and make good use of." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):30 +msgid "" +"The configuration file is based on regular expressions, macros and rules for " +"files and directories. We have the following macros:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):37 +msgid "Macro" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):38 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):95 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):182 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):218 +msgid "Description" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):39 +msgid "Syntax" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):42 +msgid "ifdef" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):43 +msgid "If definded" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):44 +msgid "@@ifdef \"name\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):47 +msgid "ifndef" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):48 +msgid "If not defined" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):49 +msgid "@@ifndef \"name\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):52 +msgid "define" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):53 +msgid "Define a variable" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):54 +msgid "@@define \"name\" \"value\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):57 +msgid "undef" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):58 +msgid "Undefine a variable" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):59 +msgid "@@undef \"name\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):62 +msgid "ifhost" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):63 +msgid "if \"hostname\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):64 +msgid "@@ifhost \"hostname\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):67 +msgid "ifnhost" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):68 +msgid "if not \"hostname\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):69 +msgid "@@ifnhost \"hostname\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):72 +msgid "endif" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):73 +msgid "" +"Endif must be used after any of the above macros except define and undef" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):76 +msgid "@@endif" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):80 +msgid "" +"These macros become very handy if you have more than one Gentoo box and want " +"to use AIDE on all of them. But not all machines run the same services or " +"even have the same users." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):86 +msgid "" +"Next we have sets of flags to check for on files and directories. These are " +"a combination of permissions, file properties and cryptographic hashes (i.e. " +"checksums)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):94 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):181 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):217 +msgid "Flag" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):98 +msgid "p" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):99 +msgid "permissions" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):102 +msgid "i" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):103 +msgid "inode" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):106 +msgid "n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):107 +msgid "number of links" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):110 +msgid "u" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):111 +msgid "user" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):114 +msgid "g" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):115 +msgid "group" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):118 +msgid "s" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):119 +msgid "size" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):122 +msgid "b" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):123 +msgid "block count" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):126 +msgid "m" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):127 +msgid "mtime" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):130 +msgid "a" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):131 +msgid "atime" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):134 +msgid "c" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):135 +msgid "ctime" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):138 +msgid "S" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):139 +msgid "check for growing size" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):142 +msgid "md5" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):143 +msgid "md5 checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):146 +msgid "sha1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):147 +msgid "sha1 checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):150 +msgid "rmd160" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):151 +msgid "rmd160 checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):154 +msgid "tiger" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):155 +msgid "tiger checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):158 +msgid "R" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):159 +msgid "p+i+n+u+g+s+m+c+md5" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):162 +msgid "L" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):163 +msgid "p+i+n+u+g" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):166 +msgid "E" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):167 +msgid "Empty group" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):170 +msgid ">" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):171 +msgid "Growing logfile p+u+g+i+n+S" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):175 +msgid "" +"And if AIDE is compiled with mhash support it supports a few other features:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):185 +msgid "haval" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):186 +msgid "haval checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):189 +msgid "gost" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):190 +msgid "gost checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):193 +msgid "crc32" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):194 +msgid "crc32 checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):198 +msgid "" +"Now you can create you own rules based on the above flags by combining them " +"like this:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):203 +msgid "Create a ruleset for AIDE" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):203 +#, no-wrap +msgid "" +"\n" +"All=R+a+sha1+rmd160\n" +"Norm=s+n+b+md5+sha1+rmd160\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):208 +msgid "" +"The last thing we need to create our own configuration file is to see how to " +"add a rule to a file or directory. To enter a rule, combine the file or " +"directory name and the rule. AIDE will add all files recursively unless you " +"specify an alternate rule." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):221 +msgid "!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):222 +msgid "Don't add this file or directory." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):225 +msgid "=" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):226 +msgid "Add this directory, but not recursively." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):230 +msgid "So lets watch a full blown example:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):234 +msgid "/etc/aide/aide.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):234 +#, no-wrap +msgid "" +"\n" +"@@ifndef TOPDIR\n" +"@@define TOPDIR /\n" +"@@endif\n" +"\n" +"@@ifndef AIDEDIR\n" +"@@define AIDEDIR /etc/aide\n" +"@@endif\n" +"\n" +"@@ifhost smbserv\n" +"@@define smbactive\n" +"@@endif\n" +"\n" +"# The location of the database to be read.\n" +"database=file:@@{AIDEDIR}/aide.db\n" +"\n" +"# The location of the database to be written.\n" +"database_out=file:aide.db.new\n" +"\n" +"verbose=20\n" +"report_url=stdout\n" +"\n" +"# Rule definition\n" +"All=R+a+sha1+rmd160\n" +"Norm=s+n+b+md5+sha1+rmd160\n" +"\n" +"@@{TOPDIR} Norm\n" +"!@@{TOPDIR}etc/aide\n" +"!@@{TOPDIR}dev\n" +"!@@{TOPDIR}media\n" +"!@@{TOPDIR}mnt\n" +"!@@{TOPDIR}proc\n" +"!@@{TOPDIR}root\n" +"!@@{TOPDIR}sys\n" +"!@@{TOPDIR}tmp\n" +"!@@{TOPDIR}var/log\n" +"!@@{TOPDIR}var/run\n" +"!@@{TOPDIR}usr/portage\n" +"@@ifdef smbactive\n" +"!@@{TOPDIR}etc/smb/private/secrets.tdb\n" +"@@endif\n" +"=@@{TOPDIR}home Norm\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):278 +msgid "" +"In the above example we specify with some macros where the topdir starts and " +"where the AIDE directory is. AIDE checks the <path>/etc/aide/aide.db</path> " +"file when checking for file integrity. But when updating or creating a new " +"file it stores the information in <path>/etc/aide/aide.db.new</path>. This " +"is done so it won't automatically overwrite the old db file. The option " +"<c>report_URL</c> is not yet implemented, but the author's intention was " +"that it should be able to e-mail or maybe even execute scripts." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):288 +msgid "" +"The AIDE ebuild now comes with a working default configuration file, a " +"helper script and a crontab script. The helper script does a number of tasks " +"for you and provides an interface that is a little more script friendly. To " +"see all available options, try <c>aide --help</c>. To get started, all that " +"needs to be done is <c>aide -i</c> and the crontab script should detect the " +"database and send mails as appropriate every day. We recommend that you " +"review the <path>/etc/aide/aide.conf</path> file and ensure that the " +"configuration accurately reflects what is in place on the machine." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(note):299 +msgid "" +"Depending on your CPU, disk access speed, and the flags you have set on " +"files, this can take some time." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(note):304 +msgid "" +"Remember to set an alias so you get roots mail. Otherwise you will never " +"know what AIDE reports." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):309 +msgid "" +"Now there is some risk inherent with storing the db files locally, since the " +"attacker will (if they know that AIDE is installed) most certainly try to " +"alter the db file, update the db file or modify <path>/usr/bin/aide</path>. " +"So you should create a CD or other media and put on it a copy of the .db " +"file and the AIDE binaries." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):317 +msgid "" +"One can find information at the <uri link=\"http://www.cs.tut.fi/~rammer/" +"aide.html\">AIDE</uri> project page." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(title):325 +msgid "Snort" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):328 +msgid "" +"Snort is a Network Intrusion Detection System (NIDS). To install and " +"configure it use the following examples." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):333 +msgid "/etc/conf.d/snort" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):333 +#, no-wrap +msgid "" +"\n" +"PIDFILE=/var/run/snort_eth0.pid\n" +"MODE=\"full\"\n" +"NETWORK=\"10.0.0.0/24\"\n" +"LOGDIR=\"/var/log/snort\"\n" +"CONF=/etc/snort/snort.conf\n" +"SNORT_OPTS=\"-D -s -u snort -dev -l $LOGDIR -h $NETWORK -c $CONF\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):342 +msgid "/etc/snort/snort.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):342 +#, no-wrap +msgid "" +"\n" +"<comment>(Step 1)</comment>\n" +"var HOME_NET 10.0.0.0/24\n" +"var EXTERNAL_NET any\n" +"var SMTP $HOME_NET\n" +"var HTTP_SERVERS $HOME_NET\n" +"var SQL_SERVERS $HOME_NET\n" +"var DNS_SERVERS [10.0.0.2/32,212.242.40.51/32]\n" +"var RULE_PATH ./\n" +"\n" +"<comment>(Step 2)</comment>\n" +"preprocessor frag2\n" +"preprocessor stream4: detect_scans detect_state_problems detect_scans disable_evasion_alerts\n" +"preprocessor stream4_reassemble: ports all\n" +"preprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace\n" +"preprocessor rpc_decode: 111 32771\n" +"preprocessor bo: -nobrute\n" +"preprocessor telnet_decode\n" +"\n" +"<comment>(Step 3)</comment>\n" +"include classification.config\n" +"\n" +"<comment>(Step 4)</comment>\n" +"include $RULE_PATH/bad-traffic.rules\n" +"include $RULE_PATH/exploit.rules\n" +"include $RULE_PATH/scan.rules\n" +"include $RULE_PATH/finger.rules\n" +"include $RULE_PATH/ftp.rules\n" +"include $RULE_PATH/telnet.rules\n" +"include $RULE_PATH/smtp.rules\n" +"include $RULE_PATH/rpc.rules\n" +"include $RULE_PATH/rservices.rules\n" +"include $RULE_PATH/dos.rules\n" +"include $RULE_PATH/ddos.rules\n" +"include $RULE_PATH/dns.rules\n" +"include $RULE_PATH/tftp.rules\n" +"include $RULE_PATH/web-cgi.rules\n" +"include $RULE_PATH/web-coldfusion.rules\n" +"include $RULE_PATH/web-iis.rules\n" +"include $RULE_PATH/web-frontpage.rules\n" +"include $RULE_PATH/web-misc.rules\n" +"include $RULE_PATH/web-attacks.rules\n" +"include $RULE_PATH/sql.rules\n" +"include $RULE_PATH/x11.rules\n" +"include $RULE_PATH/icmp.rules\n" +"include $RULE_PATH/netbios.rules\n" +"include $RULE_PATH/misc.rules\n" +"include $RULE_PATH/attack-responses.rules\n" +"include $RULE_PATH/backdoor.rules\n" +"include $RULE_PATH/shellcode.rules\n" +"include $RULE_PATH/policy.rules\n" +"include $RULE_PATH/porn.rules\n" +"include $RULE_PATH/info.rules\n" +"include $RULE_PATH/icmp-info.rules\n" +"include $RULE_PATH/virus.rules\n" +"# include $RULE_PATH/experimental.rules\n" +"include $RULE_PATH/local.rules\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):401 +msgid "/etc/snort/classification.config" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):401 +#, no-wrap +msgid "" +"\n" +"config classification: not-suspicious,Not Suspicious Traffic,3\n" +"config classification: unknown,Unknown Traffic,3\n" +"config classification: bad-unknown,Potentially Bad Traffic, 2\n" +"config classification: attempted-recon,Attempted Information Leak,2\n" +"config classification: successful-recon-limited,Information Leak,2\n" +"config classification: successful-recon-largescale,Large Scale Information Leak,2\n" +"config classification: attempted-dos,Attempted Denial of Service,2\n" +"config classification: successful-dos,Denial of Service,2\n" +"config classification: attempted-user,Attempted User Privilege Gain,1\n" +"config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1\n" +"config classification: successful-user,Successful User Privilege Gain,1\n" +"config classification: attempted-admin,Attempted Administrator Privilege Gain,1\n" +"config classification: successful-admin,Successful Administrator Privilege Gain,1\n" +"\n" +"# NEW CLASSIFICATIONS\n" +"config classification: rpc-portmap-decode,Decode of an RPC Query,2\n" +"config classification: shellcode-detect,Executable code was detected,1\n" +"config classification: string-detect,A suspicious string was detected,3\n" +"config classification: suspicious-filename-detect,A suspicious filename was detected,2\n" +"config classification: suspicious-login,An attempted login using a suspicious username was detected,2\n" +"config classification: system-call-detect,A system call was detected,2\n" +"config classification: tcp-connection,A TCP connection was detected,4\n" +"config classification: trojan-activity,A Network Trojan was detected, 1\n" +"config classification: unusual-client-port-connection,A client was using an unusual port,2\n" +"config classification: network-scan,Detection of a Network Scan,3\n" +"config classification: denial-of-service,Detection of a Denial of Service Attack,2\n" +"config classification: non-standard-protocol,Detection of a non-standard protocol or event,2\n" +"config classification: protocol-command-decode,Generic Protocol Command Decode,3\n" +"config classification: web-application-activity,access to a potentially vulnerable web application,2\n" +"config classification: web-application-attack,Web Application Attack,1\n" +"config classification: misc-activity,Misc activity,3\n" +"config classification: misc-attack,Misc Attack,2\n" +"config classification: icmp-event,Generic ICMP event,3\n" +"config classification: kickass-porn,SCORE! Get the lotion!,1\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):438 +msgid "" +"More information is at the <uri link=\"http://www.snort.org\">Snort</uri> " +"web site." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(title):446 +msgid "Detecting malware with chkrootkit" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):449 +msgid "" +"HIDS like AIDE are a great way to detect changes to your system, but it " +"never hurts to have another line of defence. <c>chkrootkit</c> is a utility " +"that scans common system files for the presence of rootkits--software " +"designed to hide an intruder's actions and allow him to retain his access--" +"and scans your system for likely traces of key loggers and other \"malware" +"\". While <c>chkrootkit</c> (and alternatives like <c>rkhunter</c>) are " +"useful tools, both for system maintenance and for tracking an intruder after " +"an attack has occurred, they cannot guarantee your system is secure." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):460 +msgid "" +"The best way to use <c>chkrootkit</c> to detect an intrusion is to run it " +"routinely from <c>cron</c>. To start, emerge <path>app-forensics/chkrootkit</" +"path>. <c>chkrootkit</c> can be run from the command line by the command of " +"the same name, or from <c>cron</c> with an entry such as this:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):468 +msgid "Schedule chkrootkit as a cronjob" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):468 +#, no-wrap +msgid "" +"\n" +"0 3 * * * /usr/sbin/chkrootkit\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-kernel.xml.po b/shandbook/gettext/ru/shb-kernel.xml.po new file mode 100644 index 0000000..7436fdc --- /dev/null +++ b/shandbook/gettext/ru/shb-kernel.xml.po @@ -0,0 +1,337 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(version):10 +msgid "1.2" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(date):11 +msgid "2008-04-15" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):14 +msgid "Removing functionality" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):17 +msgid "" +"The basic rule when configuring the kernel is to remove everything that you " +"do not need. This will not only create a small kernel but also remove the " +"vulnerabilities that may lie inside drivers and other features." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):23 +msgid "" +"Also consider turning off loadable module support. Even though it is " +"possible to add root kits without this features, it does make it harder for " +"normal attackers to install root kits via kernel modules." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):32 +msgid "The proc filesystem" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):35 +msgid "" +"Many kernel parameters can be altered through the <path>/proc</path> file " +"system or by using <c>sysctl</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):40 +msgid "" +"To dynamically change kernel parameters and variables on the fly, you need " +"<c>CONFIG_SYSCTL</c> defined in your kernel. This is on by default in a " +"standard 2.4 kernel." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):46 +msgid "Deactivate IP forwarding" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):46 +#, no-wrap +msgid "" +"\n" +"# <i>/bin/echo \"0\" > /proc/sys/net/ipv4/ip_forward</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):50 +msgid "" +"Make sure that IP forwarding is turned off. We only want this for a multi-" +"homed host. It's advised to set or unset this flag before all other flags " +"since it enabled/disables other flags as well." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):56 +msgid "Drop ping packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):56 +#, no-wrap +msgid "" +"\n" +"# <i>/bin/echo \"1\" > /proc/sys/net/ipv4/icmp_echo_ignore_all</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):60 +msgid "" +"This will cause the kernel to simply ignore all ping messages (also known as " +"ICMP type 0 messages). The reason for this is that an IP packet carrying an " +"ICMP message can contain a payload with information other than you think. " +"Administrators use ping as a diagnostic tool and often complain if it is " +"disabled, but there is no reason for an outsider to be able to ping. " +"However, since it sometimes can be handy for insiders to be able to ping, " +"you can disable ICMP type 0 messages in the firewall (allowing local " +"administrators to continue to use this tool)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):71 +msgid "Ignore broadcast pings" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):71 +#, no-wrap +msgid "" +"\n" +"# <i>/bin/echo \"1\" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):75 +msgid "" +"This disables response to ICMP broadcasts and will prevent Smurf attacks. " +"The Smurf attack works by sending an ICMP type 0 (ping) message to the " +"broadcast address of a network. Typically the attacker will use a spoofed " +"source address. All the computers on the network will respond to the ping " +"message and thereby flood the host at the spoofed source address." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):83 +msgid "Disable source routed packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):83 +#, no-wrap +msgid "" +"\n" +"# <i>/bin/echo \"0\" > /proc/sys/net/ipv4/conf/all/accept_source_route</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):87 +msgid "" +"Do not accept source routed packets. Attackers can use source routing to " +"generate traffic pretending to originate from inside your network, but that " +"is actually routed back along the path from which it came, so attackers can " +"compromise your network. Source routing is rarely used for legitimate " +"purposes, so it is safe to disable it." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):95 +msgid "Disable redirect acceptance" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):95 +#, no-wrap +msgid "" +"\n" +"# <i>/bin/echo \"0\" > /proc/sys/net/ipv4/conf/all/accept_redirects</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):99 +msgid "" +"Do not accept ICMP redirect packets. ICMP redirects can be used to alter " +"your routing tables, possibly to a malicious end." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):104 +msgid "Protect against bad error messages" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):104 +#, no-wrap +msgid "" +"\n" +"# <i>/bin/echo \"1\" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):108 +msgid "Enable protection against bogus error message responses." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):112 +msgid "Enable reverse path filtering" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):112 +#, no-wrap +msgid "" +"\n" +"# <i>for i in /proc/sys/net/ipv4/conf/*; do\n" +" /bin/echo \"1\" > $i/rp_filter\n" +"done</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):118 +msgid "" +"Turn on reverse path filtering. This helps make sure that packets use " +"legitimate source addresses by automatically rejecting incoming packets if " +"the routing table entry for their source address does not match the network " +"interface they are arriving on. This has security advantages because it " +"prevents IP spoofing. We need to enable it for each <path>net/ipv4/conf/*</" +"path> otherwise source validation isn't fully functional." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(warn):127 +msgid "" +"However turning on reverse path filtering can be a problem if you use " +"asymmetric routing (packets from you to a host take a different path than " +"packets from that host to you) or if you operate a non-routing host which " +"has several IP addresses on different interfaces." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):134 +msgid "Log all spoofed, source routed and redirect packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):134 +#, no-wrap +msgid "" +"\n" +"# <i>/bin/echo \"1\" > /proc/sys/net/ipv4/conf/all/log_martians</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):138 +msgid "Log spoofed packets, source routed packets and redirect packets." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):142 +msgid "" +"All these settings will be reset when the machine is rebooted. I suggest " +"that you add them to <path>/etc/sysctl.conf</path>, which is automatically " +"sourced by the <path>/etc/init.d/bootmisc</path> init script." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):148 +msgid "" +"The syntax for <path>/etc/sysctl.conf</path> is pretty straightforward. " +"Strip off the <path>/proc/sys/</path> from the previously mentioned paths " +"and substitute <path>/</path> with <path>.</path>:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):154 +msgid "Translating to sysctl.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):154 +#, no-wrap +msgid "" +"\n" +"<comment>(Manual using echo):</comment>\n" +"/bin/echo \"0\" > /proc/sys/net/ipv4/ip_forward\n" +"\n" +"<comment>(Automatic in sysctl.conf:)</comment>\n" +"net.ipv4.ip_forward = 0\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):165 +msgid "Grsecurity" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):168 +msgid "" +"The patch from <uri link=\"http://grsecurity.net\">Grsecurity</uri> is " +"standard in the <c>sys-kernel/hardened-sources</c> but is disabled by " +"default. Configure your kernel as you normally do and then configure the " +"Grsecurity options. An in-depth explanation on the available Grsecurity " +"options is available on the <uri link=\"/proj/en/hardened\">Gentoo Hardened</" +"uri> project page." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):176 +msgid "" +"Recent <c>hardened-sources</c> provide the 2.* version of Grsecurity. For " +"more information on this improved Grsecurity patch set, please consult the " +"documentation available on the <uri link=\"http://www.grsecurity.net/" +"\">Grsecurity home page</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):186 +msgid "Kerneli" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):189 +msgid "" +"<uri link=\"http://www.Kerneli.org\">Kerneli</uri> is a patch that adds " +"encryption to the existing kernel. By patching your kernel you will get new " +"options such as cryptographic ciphers, digest algorithms and cryptographic " +"loop filters." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(warn):195 +msgid "" +"The kerneli patch is currently not in a stable version for the latest " +"kernel, so be careful when using it." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):203 +msgid "Other kernel patches" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):207 +msgid "http://www.openwall.com" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):207 +msgid "The OpenWall Project" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):208 +msgid "http://www.lids.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):208 +msgid "Linux Intrusion Detection System" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):209 +msgid "http://www.rsbac.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):209 +msgid "Rule Set Based Access Control" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):211 +msgid "http://www.nsa.gov/selinux" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):211 +msgid "NSA's security enhanced kernel" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):213 +msgid "http://sourceforge.net/projects/wolk/" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):213 +msgid "Wolk" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):216 +msgid "And there are probably a lot more." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-limits.xml.po b/shandbook/gettext/ru/shb-limits.xml.po new file mode 100644 index 0000000..ccac8f6 --- /dev/null +++ b/shandbook/gettext/ru/shb-limits.xml.po @@ -0,0 +1,301 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(version):10 +msgid "1.5" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(date):11 +msgid "2010-04-26" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):14 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):24 +msgid "/etc/security/limits.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):17 +msgid "" +"Controlling resource usage can be very effective when trying to prevent a " +"local Denial of Service or restricting the maximum allowed logins for a " +"group or user. However, too strict settings will impede on your system's " +"behavior and will result in program failures so make sure that you check " +"each setting first." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):24 +#, no-wrap +msgid "" +"\n" +"* soft core 0\n" +"* hard core 0\n" +"* hard nproc 15\n" +"* hard rss 10000\n" +"* - maxlogins 2\n" +"@dev hard core 100000\n" +"@dev soft nproc 20\n" +"@dev hard nproc 35\n" +"@dev - maxlogins 10\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):36 +msgid "" +"If you find yourself trying to set <c>nproc</c> or <c>maxlogins</c> to 0, " +"maybe you should delete the user instead. The example above sets the group " +"<c>dev</c> settings for processes, core file and <c>maxlogins</c>. The rest " +"is set to a default value." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(note):43 +msgid "" +"<path>/etc/security/limits.conf</path> is part of the PAM package and will " +"only apply to packages that use PAM." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):51 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):61 +msgid "/etc/limits" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):54 +msgid "" +"<path>/etc/limits</path> is very similar to the limit file <path>/etc/" +"security/limits.conf</path>. The only difference is the format and that it " +"only works on users or wild cards (not groups). Let's have a look at a " +"sample configuration:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):61 +#, no-wrap +msgid "" +"\n" +"* L2 C0 U15 R10000\n" +"kn L10 C100000 U35\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):66 +msgid "" +"Here we set the default settings and a specific setting for the user kn. " +"Limits are part of the sys-apps/shadow package. It is not necessary to set " +"any limits in this file if you have enabled <c>pam</c> in <path>/etc/make." +"conf</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):75 +msgid "Quotas" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(warn):78 +msgid "" +"Make sure the file systems you are working with support quotas. In order to " +"use quotas on ReiserFS, you must patch your kernel with patches available " +"from <uri link=\"ftp://ftp.namesys.com/pub/reiserfs-for-2.4/testing/" +"quota-2.4.20\">Namesys</uri>. User tools are available from <uri link=" +"\"http://www.sf.net/projects/linuxquota/\">the Linux DiskQuota project</" +"uri>. While quotas do work with ReiserFS, you may encounter other issues " +"while trying to use them--you have been warned!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):89 +msgid "" +"Putting quotas on a file system restricts disk usage on a per-user or per-" +"group basis. Quotas are enabled in the kernel and added to a mount point in " +"<path>/etc/fstab</path>. The kernel option is enabled in the kernel " +"configuration under <c>File systems->Quota support</c>. Apply the " +"following settings, rebuild the kernel and reboot using the new kernel." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):97 +msgid "" +"Start by installing quotas with <c>emerge quota</c>. Then modify your <path>/" +"etc/fstab</path> and add <c>usrquota</c> and <c>grpquota</c> to the " +"partitions that you want to restrict disk usage on, like in the example " +"below." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):103 +msgid "/etc/fstab" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):103 +#, no-wrap +msgid "" +"\n" +"/dev/sda1 /boot ext2 noauto,noatime 1 1\n" +"/dev/sda2 none swap sw 0 0\n" +"/dev/sda3 / reiserfs notail,noatime 0 0\n" +"/dev/sda4 /tmp ext3 noatime,nodev,nosuid,noexec,usrquota,grpquota 0 0\n" +"/dev/sda5 /var ext3 noatime,nodev,usrquota,grpquota 0 0\n" +"/dev/sda6 /home ext3 noatime,nodev,nosuid,usrquota,grpquota 0 0\n" +"/dev/sda7 /usr reiserfs notail,noatime,nodev,ro 0 0\n" +"/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0\n" +"proc /proc proc defaults 0 0\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):115 +msgid "" +"On every partition that you have enabled quotas, create the quota files " +"(<path>aquota.user</path> and <path>aquota.group</path>) and place them in " +"the root of the partition." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):121 +msgid "Creating the quota files" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):121 +#, no-wrap +msgid "" +"\n" +"# <i>touch /tmp/aquota.user</i>\n" +"# <i>touch /tmp/aquota.group</i>\n" +"# <i>chmod 600 /tmp/aquota.user</i>\n" +"# <i>chmod 600 /tmp/aquota.group</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):128 +msgid "" +"This step has to be done on every partition where quotas are enabled. After " +"adding and configuring the quota files, we need to add the <c>quota</c> " +"script to the boot run level." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(impo):134 +msgid "" +"XFS does all quota checks internally, and does <e>not</e> need the <c>quota</" +"c> script added to the boot runlevel. There may be other filesystems not " +"listed in this document with similar behavior, so please read the manpages " +"for your filesystem to learn more about how it handles quota checks." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):141 +msgid "Adding quota to the boot runlevel" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):141 +#, no-wrap +msgid "" +"\n" +"# <i>rc-update add quota boot</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):145 +msgid "" +"We will now configure the system to check the quotas once a week by adding " +"the following line to <path>/etc/crontab</path>:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):150 +msgid "Adding quota check to crontab" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):150 +#, no-wrap +msgid "" +"\n" +"0 3 * * 0 /usr/sbin/quotacheck -avug.\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):154 +msgid "" +"After rebooting the machine, it is time to setup the quotas for users and " +"groups. <c>edquota -u kn</c> will start the editor defined in $EDITOR " +"(default is nano) and let you edit the quotas of the user kn. <c>edquota -g</" +"c> will do the same thing for groups." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):161 +msgid "Setting up quota's for user kn" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):161 +#, no-wrap +msgid "" +"\n" +"Quotas for user kn:\n" +"/dev/sda4: blocks in use: 2594, limits (soft = 5000, hard = 6500)\n" +" inodes in use: 356, limits (soft = 1000, hard = 1500)\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):167 +msgid "" +"For more detail read <c>man edquota</c> or the <uri link=\"http://www.tldp." +"org/HOWTO/Quota.html\">Quota mini howto</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):175 +msgid "/etc/login.defs" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):178 +msgid "" +"If your security policy states that users should change their password every " +"other week, change the value <c>PASS_MAX_DAYS</c> to 14 and " +"<c>PASS_WARN_AGE</c> to 7. It is recommended that you use password aging " +"since brute force methods can find any password, given enough time. We also " +"encourage you to set <c>LOG_OK_LOGINS</c> to yes." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):189 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):206 +msgid "/etc/security/access.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):192 +msgid "" +"The <path>access.conf</path> file is also part of the <c>sys-libs/pam</c> " +"package, which provides a login access control table. This table is used to " +"control who can and cannot login based on user name, group name or host " +"name. By default, all users on the system are allowed to login, so the file " +"consists only of comments and examples. Whether you are securing your server " +"or workstation, we recommend that you setup this file so no one other than " +"yourself (the admin) has access to the console." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(note):202 +msgid "These settings apply for root, as well." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):206 +#, no-wrap +msgid "" +"\n" +"-:ALL EXCEPT wheel sync:console\n" +"-:wheel:ALL EXCEPT LOCAL .gentoo.org\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(impo):211 +msgid "" +"Be careful when configuring these options, since mistakes will leave you " +"with no access to the machine if you do not have root access." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(note):216 +msgid "" +"These settings do not apply to SSH, since SSH does not execute <c>/bin/" +"login</c> per default. This can be enabled by setting <c>UseLogin yes</c> in " +"<path>/etc/ssh/sshd_config</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):222 +msgid "" +"This will setup login access so members of the wheel group can login locally " +"or from the gentoo.org domain. Maybe too paranoid, but better to be safe " +"than sorry." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-logging.xml.po b/shandbook/gettext/ru/shb-logging.xml.po new file mode 100644 index 0000000..2687fe5 --- /dev/null +++ b/shandbook/gettext/ru/shb-logging.xml.po @@ -0,0 +1,405 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(version):10 +msgid "1.3" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(date):11 +msgid "2010-04-02" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):14 +msgid "Introduction" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):16 +msgid "" +"Extra logging should be added to catch warnings or errors that might " +"indicate an ongoing attack or a successful compromise. Attackers often scan " +"or probe before attacking." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):22 +msgid "" +"It's also vital that your log files are easily readable and manageable. " +"Gentoo Linux lets you choose between 3 different loggers when installing." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):30 +msgid "Logging: Syslogd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):33 +msgid "" +"Syslogd is the most common logger for Linux and Unix in general. It has some " +"log rotation facilities, but using <path>/usr/sbin/logrotate</path> in a " +"cron job (logrotate is configured in <path>/etc/logrotate.conf</path>) might " +"prove to be more powerful as <c>logrotate</c> has many features. How often " +"log rotation should be done depends on the system load." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):42 +msgid "" +"Below is the standard <path>syslog.conf</path> with some added features. We " +"have uncommented the <c>cron</c> and <c>tty</c> lines and added a remote " +"logging server. To further enhance security you could add logging to two " +"places." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):48 +msgid "/etc/syslog.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):48 +#, no-wrap +msgid "" +"\n" +"# /etc/syslog.conf Configuration file for syslogd.\n" +"#\n" +"# For more information see syslog.conf(5)\n" +"# manpage.\n" +"# This is from Debian, we are using it for now\n" +"# Daniel Robbins, 5/15/99\n" +"\n" +"#\n" +"# First some standard logfiles. Log by facility.\n" +"#\n" +"\n" +"auth,authpriv.* /var/log/auth.log\n" +"*.*;auth,authpriv.none -/var/log/syslog\n" +"cron.* /var/log/cron.log\n" +"daemon.* -/var/log/daemon.log\n" +"kern.* -/var/log/kern.log\n" +"lpr.* -/var/log/lpr.log\n" +"mail.* /var/log/mail.log\n" +"user.* -/var/log/user.log\n" +"uucp.* -/var/log/uucp.log\n" +"local6.debug /var/log/imapd.log\n" +"\n" +"#\n" +"# Logging for the mail system. Split it up so that\n" +"# it is easy to write scripts to parse these files.\n" +"#\n" +"mail.info -/var/log/mail.info\n" +"mail.warn -/var/log/mail.warn\n" +"mail.err /var/log/mail.err\n" +"\n" +"# Logging for INN news system\n" +"#\n" +"news.crit /var/log/news/news.crit\n" +"news.err /var/log/news/news.err\n" +"news.notice -/var/log/news/news.notice\n" +"\n" +"#\n" +"# Some `catch-all' logfiles.\n" +"#\n" +"*.=debug;\\\n" +" auth,authpriv.none;\\\n" +" news.none;mail.none -/var/log/debug\n" +"*.=info;*.=notice;*.=warn;\\\n" +" auth,authpriv.none;\\\n" +" cron,daemon.none;\\\n" +" mail,news.none -/var/log/messages\n" +"\n" +"#\n" +"# Emergencies and alerts are sent to everybody logged in.\n" +"#\n" +"*.emerg *\n" +"*.=alert *\n" +"\n" +"#\n" +"# I like to have messages displayed on the console, but only on a virtual\n" +"# console I usually leave idle.\n" +"#\n" +"daemon,mail.*;\\\n" +" news.=crit;news.=err;news.=notice;\\\n" +" *.=debug;*.=info;\\\n" +" *.=notice;*.=warn /dev/tty8\n" +"\n" +"#Setup a remote logging server\n" +"*.* @logserver\n" +"\n" +"# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,\n" +"# you must invoke `xconsole' with the `-file' option:\n" +"#\n" +"# $ xconsole -file /dev/xconsole [...]\n" +"#\n" +"# NOTE: adjust the list below, or you'll go crazy if you have a reasonably\n" +"# busy site..\n" +"#\n" +"#daemon.*,mail.*;\\\n" +"# news.crit;news.err;news.notice;\\\n" +"# *.=debug;*.=info;\\\n" +"# *.=notice;*.=warn |/dev/xconsole\n" +"\n" +"local2.* --/var/log/ppp.log\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):130 +msgid "" +"Attackers will most likely try to erase their tracks by editing or deleting " +"log files. You can make it harder for them by logging to one or more remote " +"logging servers on other machines. Get more info about syslogd by executing " +"<c>man syslog</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):140 +msgid "Metalog" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):143 +msgid "" +"<uri link=\"http://metalog.sourceforge.net\">Metalog</uri> by Frank Dennis " +"is not able to log to a remote server, but it does have advantages when it " +"comes to performance and logging flexibility. It can log by program name, " +"urgency, facility (like syslogd), and comes with regular expression matching " +"with which you can launch external scripts when specific patterns are found. " +"It is very good at taking action when needed." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):152 +msgid "" +"The standard configuration is usually enough. If you want to be notified by " +"email whenever a password failure occurs use one of the following scripts." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):157 +msgid "For postfix:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):161 +msgid "/usr/local/sbin/mail_pwd_failures.sh for postfix" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):161 +#, no-wrap +msgid "" +"\n" +"#! /bin/sh\n" +"echo \"$3\" | mail -s \"Warning (program : $2)\" root\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):166 +msgid "For netqmail:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):170 +msgid "/usr/local/sbin/mail_pwd_failures.sh for netqmail" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):170 +#, no-wrap +msgid "" +"\n" +"#!/bin/sh\n" +"echo \"To: root\n" +"Subject:Failure (Warning: $2)\n" +"$3\n" +"\" | /var/qmail/bin/qmail-inject -f root\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):178 +msgid "" +"Remember to make the script executable by issuing <c>/bin/chmod +x /usr/" +"local/sbin/mail_pwd_failures.sh</c>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):183 +msgid "" +"Then uncomment the command line under \"Password failures\" in <path>/etc/" +"metalog/metalog.conf</path> like:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):188 +msgid "/etc/metalog/metalog.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):188 +#, no-wrap +msgid "" +"\n" +"command = \"/usr/local/sbin/mail_pwd_failures.sh\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):195 +msgid "Syslog-ng" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):198 +msgid "" +"Syslog-ng provides some of the same features as syslog and metalog with a " +"small difference. It can filter messages based on level and content (like " +"metalog), provide remote logging like syslog, handle logs from syslogd (even " +"streams from Solaris), write to a TTY, execute programs, and it can act as a " +"logging server. Basically it is the best of both loggers combined with " +"advanced configuration." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):206 +msgid "Below is a classic configuration file slightly modified." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):210 +msgid "/etc/syslog-ng/syslog-ng.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):210 +#, no-wrap +msgid "" +"\n" +"options {\n" +" chain_hostnames(no);\n" +"\n" +" <comment># The default action of syslog-ng is to log a STATS line\n" +" # to the file every 10 minutes. That's pretty ugly after a while.\n" +" # Change it to every 12 hours so you get a nice daily update of\n" +" # how many messages syslog-ng missed (0).</comment>\n" +" stats_freq(43200);\n" +"};\n" +"\n" +"source src {\n" +" unix-stream(\"/dev/log\" max-connections(256));\n" +" internal();\n" +"};\n" +"\n" +"source kernsrc { file(\"/proc/kmsg\"); };\n" +"\n" +"<comment># define destinations</comment>\n" +"destination authlog { file(\"/var/log/auth.log\"); };\n" +"destination syslog { file(\"/var/log/syslog\"); };\n" +"destination cron { file(\"/var/log/cron.log\"); };\n" +"destination daemon { file(\"/var/log/daemon.log\"); };\n" +"destination kern { file(\"/var/log/kern.log\"); };\n" +"destination lpr { file(\"/var/log/lpr.log\"); };\n" +"destination user { file(\"/var/log/user.log\"); };\n" +"destination mail { file(\"/var/log/mail.log\"); };\n" +"\n" +"destination mailinfo { file(\"/var/log/mail.info\"); };\n" +"destination mailwarn { file(\"/var/log/mail.warn\"); };\n" +"destination mailerr { file(\"/var/log/mail.err\"); };\n" +"\n" +"destination newscrit { file(\"/var/log/news/news.crit\"); };\n" +"destination newserr { file(\"/var/log/news/news.err\"); };\n" +"destination newsnotice { file(\"/var/log/news/news.notice\"); };\n" +"\n" +"destination debug { file(\"/var/log/debug\"); };\n" +"destination messages { file(\"/var/log/messages\"); };\n" +"destination console { usertty(\"root\"); };\n" +"\n" +"<comment># By default messages are logged to tty12...</comment>\n" +"destination console_all { file(\"/dev/tty12\"); };\n" +"\n" +"<comment># ...if you intend to use /dev/console for programs like xconsole\n" +"# you can comment out the destination line above that references /dev/tty12\n" +"# and uncomment the line below.</comment>\n" +"#destination console_all { file(\"/dev/console\"); };\n" +"\n" +"<comment># create filters</comment>\n" +"filter f_authpriv { facility(auth, authpriv); };\n" +"filter f_syslog { not facility(authpriv, mail); };\n" +"filter f_cron { facility(cron); };\n" +"filter f_daemon { facility(daemon); };\n" +"filter f_kern { facility(kern); };\n" +"filter f_lpr { facility(lpr); };\n" +"filter f_mail { facility(mail); };\n" +"filter f_user { facility(user); };\n" +"filter f_debug { not facility(auth, authpriv, news, mail); };\n" +"filter f_messages { level(info..warn)\n" +" and not facility(auth, authpriv, mail, news); };\n" +"filter f_emergency { level(emerg); };\n" +"\n" +"filter f_info { level(info); };\n" +"filter f_notice { level(notice); };\n" +"filter f_warn { level(warn); };\n" +"filter f_crit { level(crit); };\n" +"filter f_err { level(err); };\n" +"filter f_failed { message(\"failed\"); };\n" +"filter f_denied { message(\"denied\"); };\n" +"\n" +"<comment># connect filter and destination</comment>\n" +"log { source(src); filter(f_authpriv); destination(authlog); };\n" +"log { source(src); filter(f_syslog); destination(syslog); };\n" +"log { source(src); filter(f_cron); destination(cron); };\n" +"log { source(src); filter(f_daemon); destination(daemon); };\n" +"log { source(kernsrc); filter(f_kern); destination(kern); };\n" +"log { source(src); filter(f_lpr); destination(lpr); };\n" +"log { source(src); filter(f_mail); destination(mail); };\n" +"log { source(src); filter(f_user); destination(user); };\n" +"log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };\n" +"log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };\n" +"log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };\n" +"\n" +"log { source(src); filter(f_debug); destination(debug); };\n" +"log { source(src); filter(f_messages); destination(messages); };\n" +"log { source(src); filter(f_emergency); destination(console); };\n" +"\n" +"<comment># default log</comment>\n" +"log { source(src); destination(console_all); };\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):301 +msgid "" +"Syslog-ng is very easy to configure, but it is also very easy to miss " +"something in the configuration file since it is huge. The author still " +"promises some extra features like encryption, authentication, compression " +"and MAC (Mandatory Access Control) control. With these options it will be a " +"perfect for network logging, since the attacker cannot spy on the log." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):309 +msgid "" +"And syslog-ng does have one other advantage: it does not have to run as root!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):317 +msgid "Log analysis with Logcheck" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):320 +msgid "" +"Of course, keeping logs alone is only half the battle. An application such " +"as Logcheck can make regular log analysis much easier. Logcheck is a script, " +"accompanied by a binary called <c>logtail</c>, that runs from your cron " +"daemon and checks your logs against a set of rules for suspicious activity. " +"It then mails the output to root's mailbox." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):327 +msgid "" +"Logcheck and logtail are part of the <c>app-admin/logsentry</c> package." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):330 +msgid "" +"Logcheck uses four files to filter important log entries from the " +"unimportant. These files are <path>logcheck.hacking</path>, which contains " +"known hacking attack messages, <path>logcheck.violations</path>, which " +"contains patterns indicating security violations, <path>logcheck.violations." +"ignore</path>, which contains keywords likely to be matched by the " +"violations file, allowing normal entries to be ignored, and <path>logcheck." +"ignore</path>, which matches those entries to be ignored." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(warn):341 +msgid "" +"Do not leave <path>logcheck.violations.ignore</path> empty. Logcheck uses " +"<c>grep</c> to parse logs, some versions of which will take an empty file to " +"mean wildcard. All violations would thus be ignored." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-mounting.xml.po b/shandbook/gettext/ru/shb-mounting.xml.po new file mode 100644 index 0000000..0d98c76 --- /dev/null +++ b/shandbook/gettext/ru/shb-mounting.xml.po @@ -0,0 +1,107 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(version):10 +msgid "1.0" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(date):11 +msgid "2005-05-31" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(title):14 +msgid "Mounting partitions" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(p):17 +msgid "" +"When mounting an <c>ext2</c>, <c>ext3</c>, or <c>reiserfs</c> partition, you " +"have several options you can apply to the file <path>/etc/fstab</path>. The " +"options are:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(li):24 +msgid "" +"<c>nosuid</c> - Will ignore the SUID bit and make it just like an ordinary " +"file" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(li):28 +msgid "<c>noexec</c> - Will prevent execution of files from this partition" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(li):31 +msgid "<c>nodev</c> - Ignores devices" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(p):36 +msgid "" +"Unfortunately, these settings can easily be circumvented by executing a non-" +"direct path. However, setting <path>/tmp</path> to noexec will stop the " +"majority of exploits designed to be executed directly from <path>/tmp</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(pre:caption):42 +msgid "/etc/fstab" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(pre):42 +#, no-wrap +msgid "" +"\n" +"/dev/sda1 /boot ext2 noauto,noatime 1 1\n" +"/dev/sda2 none swap sw 0 0\n" +"/dev/sda3 / reiserfs notail,noatime 0 0\n" +"/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0\n" +"/dev/sda5 /var reiserfs notail,noatime,nodev 0 0\n" +"/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0\n" +"/dev/sda7 /usr reiserfs notail,noatime,nodev,ro 0 0\n" +"/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0\n" +"proc /proc proc defaults 0 0\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(warn):54 +msgid "" +"Placing <path>/tmp</path> in <c>noexec</c> mode can prevent certain scripts " +"from executing properly." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(note):59 +msgid "" +"For disk quotas see <uri link=\"?part=1&chap=5#quotas\">the Quotas " +"section</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(note):63 +msgid "" +"I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even if " +"files normally are never executed from this mount point. The reason for this " +"is that netqmail is installed in <path>/var/qmail</path> and must be allowed " +"to execute and access one SUID file. I setup <path>/usr</path> in read-only " +"mode since I never write anything there unless I want to update Gentoo. Then " +"I remount the file system in read-write mode, update and remount again." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(note):72 +msgid "" +"Even if you do not use netqmail, Gentoo still needs the executable bit set " +"on <path>/var/tmp</path> since ebuilds are made here. But an alternative " +"path can be setup if you insist on having <path>/var</path> mounted in " +"<c>noexec</c> mode." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-pam.xml.po b/shandbook/gettext/ru/shb-pam.xml.po new file mode 100644 index 0000000..bc02846 --- /dev/null +++ b/shandbook/gettext/ru/shb-pam.xml.po @@ -0,0 +1,122 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(date):11 +msgid "2006-08-03" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(title):14 +msgid "PAM" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(p):17 +msgid "" +"PAM is a suite of shared libraries that provide an alternative way providing " +"user authentication in programs. The <c>pam</c> USE flag is turned on by " +"default. Thus the PAM settings on Gentoo Linux are pretty reasonable, but " +"there is always room for improvement. First install cracklib." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre:caption):24 +msgid "Installing cracklib" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre):24 +#, no-wrap +msgid "" +"\n" +"# <i>emerge cracklib</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre:caption):28 +msgid "/etc/pam.d/passwd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre):28 +#, no-wrap +msgid "" +"\n" +"auth required pam_unix.so shadow nullok\n" +"account required pam_unix.so\n" +"password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2\n" +"password required pam_unix.so md5 use_authtok\n" +"session required pam_unix.so\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(p):36 +msgid "" +"This will add the cracklib which will ensure that the user passwords are at " +"least 8 characters and contain a minimum of 2 digits, 2 other characters, " +"and are more than 3 characters different from the last password. This forces " +"the user to choose a good password (password policy). Check the <uri link=" +"\"http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib." +"html\">PAM</uri> documentation for more options." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre:caption):45 +msgid "/etc/pam.d/sshd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre):45 +#, no-wrap +msgid "" +"\n" +"auth required pam_unix.so nullok\n" +"auth required pam_shells.so\n" +"auth required pam_nologin.so\n" +"auth required pam_env.so\n" +"account required pam_unix.so\n" +"password required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2 use_authtok\n" +"password required pam_unix.so shadow md5\n" +"session required pam_unix.so\n" +"session required pam_limits.so\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(p):57 +msgid "" +"Every service not configured with a PAM file in <path>/etc/pam.d</path> will " +"use the rules in <path>/etc/pam.d/other</path>. The defaults are set to " +"<c>deny</c>, as they should be. But I like to have a lot of logs, which is " +"why I added <c>pam_warn.so</c>. The last configuration is <c>pam_limits</c>, " +"which is controlled by <path>/etc/security/limits.conf</path>. See the <uri " +"link=\"?part=1&chap=5#limits_conf\">/etc/security/limits.conf</uri> " +"section for more on these settings." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre:caption):67 +msgid "/etc/pam.d/other" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre):67 +#, no-wrap +msgid "" +"\n" +"auth required pam_deny.so\n" +"auth required pam_warn.so\n" +"account required pam_deny.so\n" +"account required pam_warn.so\n" +"password required pam_deny.so\n" +"password required pam_warn.so\n" +"session required pam_deny.so\n" +"session required pam_warn.so\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-perms.xml.po b/shandbook/gettext/ru/shb-perms.xml.po new file mode 100644 index 0000000..6dda614 --- /dev/null +++ b/shandbook/gettext/ru/shb-perms.xml.po @@ -0,0 +1,228 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(date):11 +msgid "2006-09-16" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):14 +msgid "World readable" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):17 +msgid "" +"Normal users should not have access to configuration files or passwords. An " +"attacker can steal passwords from databases or web sites and use them to " +"deface--or even worse, delete--data. This is why it is important that your " +"file permissions are correct. If you are sure that a file is only used by " +"root, assign it with the permissions <c>0600</c> and assign the file to the " +"correct user with <c>chown</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):29 +msgid "World/Group writable" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):32 +msgid "Finding world-writable files and directories" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):32 +#, no-wrap +msgid "" +"\n" +"# <i>find / -type f \\( -perm -2 -o -perm -20 \\) -exec ls -lg {} \\; 2>/dev/null >writable.txt</i>\n" +"# <i>find / -type d \\( -perm -2 -o -perm -20 \\) -exec ls -ldg {} \\; 2>/dev/null >>writable.txt</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):37 +msgid "" +"This will create a huge file with permission of all files having either " +"write permission set to the group or everybody. Check the permissions and " +"eliminate world writable files to everyone, by executing <c>/bin/chmod o-w</" +"c> on the files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):47 +msgid "SUID/SGID files" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):50 +msgid "" +"Files with the SUID or SGID bit set execute with privileges of the " +"<e>owning</e> user or group and not the user executing the file. Normally " +"these bits are used on files that must run as root in order to do what they " +"do. These files can lead to local root compromises (if they contain security " +"holes). This is dangerous and files with the SUID or SGID bits set should be " +"avoided at any cost. If you do not use these files, use <c>chmod 0</c> on " +"them or unmerge the package that they came from (check which package they " +"belong to by using <c>equery</c>; if you do not already have it installed " +"simply type <c>emerge gentoolkit</c>). Otherwise just turn the SUID bit off " +"with <c>chmod -s</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):62 +msgid "Finding setuid files" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):62 +#, no-wrap +msgid "" +"\n" +"# <i>find / -type f \\( -perm -004000 -o -perm -002000 \\) -exec ls -lg {} \\; 2>/dev/null >suidfiles.txt</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):66 +msgid "This will create a file containing a list of all the SUID/SGID files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):70 +msgid "List of setuid binaries" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):70 +#, no-wrap +msgid "" +"\n" +"/bin/su\n" +"/bin/ping\n" +"/bin/mount\n" +"/bin/umount\n" +"/var/qmail/bin/qmail-queue\n" +"/usr/bin/chfn\n" +"/usr/bin/chsh\n" +"/usr/bin/crontab\n" +"/usr/bin/chage\n" +"/usr/bin/expiry\n" +"/usr/bin/sperl5.6.1\n" +"/usr/bin/newgrp\n" +"/usr/bin/passwd\n" +"/usr/bin/gpasswd\n" +"/usr/bin/procmail\n" +"/usr/bin/suidperl\n" +"/usr/lib/misc/pt_chown\n" +"/usr/sbin/unix_chkpwd\n" +"/usr/sbin/traceroute\n" +"/usr/sbin/pwdb_chkpwd\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):93 +msgid "" +"By default Gentoo Linux does not have a lot of SUID files (though this " +"depends on what you installed), but you might get a list like the one above. " +"Most of the commands should not be used by normal users, only root. Switch " +"off the SUID bit on <c>ping</c>, <c>mount</c>, <c>umount</c>, <c>chfn</c>, " +"<c>chsh</c>, <c>newgrp</c>, <c>suidperl</c>, <c>pt_chown</c> and " +"<c>traceroute</c> by executing <c>chmod -s</c> on every file. Don't remove " +"the bit on <c>su</c>, <c>qmail-queue</c> or <c>unix_chkpwd</c>. Removing " +"setuid from those files will prevent you from <c>su</c>'ing and receiving " +"mail. By removing the bit (where it is safe to do so) you remove the " +"possibility of a normal user (or an attacker) gaining root access through " +"any of these files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):106 +msgid "" +"The only SUID files that I have on my system are <c>su</c>, <c>passwd</c>, " +"<c>gpasswd</c>, <c>qmail-queue</c>, <c>unix_chkpwd</c> and <c>pwdb_chkpwd</" +"c>. But if you are running X, you might have some more, since X needs the " +"elevated access afforded by SUID." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):116 +msgid "SUID/SGID binaries and Hard links" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):119 +msgid "" +"A file is only considered deleted when there are no more links pointing to " +"it. This might sound like a strange concept, but consider that a filename " +"like <path>/usr/bin/perl</path> is actually a link to the inode where the " +"data is stored. Any number of links can point to the file, and until all of " +"them are gone, the file still exists." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):127 +msgid "" +"If your users have access to a partition that isn't mounted with <c>nosuid</" +"c> or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, " +"or <path>/var/tmp</path> are not separate partitions) you should take care " +"to ensure your users don't create hard links to SUID or SGID binaries, so " +"that after Portage updates they still have access to the old versions." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(warn):135 +msgid "" +"if you have received a warning from portage about remaining hard links, and " +"your users can write to a partition that allows executing SUID/SGID files, " +"you should read this section carefully. One of your users may be attempting " +"to circumvent your update by keeping an outdated version of a program. If " +"your users cannot create their own SUID files, or can only execute programs " +"using the dynamic loader (partitions mounted <c>noexec</c>), you do not have " +"to worry." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(note):145 +msgid "" +"Users do not need read access to a file to create a link to it, they only " +"need read permission to the directory that contains it." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):150 +msgid "" +"To check how many links a file has, you can use the <c>stat</c> command." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):154 +msgid "Stat command" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):154 +#, no-wrap +msgid "" +"\n" +"$ stat /bin/su\n" +" File: `/bin/su'\n" +" Size: 29350 Blocks: 64 IO Block: 131072 regular file\n" +"Device: 900h/2304d Inode: 2057419 Links: 1\n" +"Access: (4711/-rws--x--x) Uid: ( 0/ root) Gid: ( 0/ root)\n" +"Access: 2005-02-07 01:59:35.000000000 +0000\n" +"Modify: 2004-11-04 01:46:17.000000000 +0000\n" +"Change: 2004-11-04 01:46:17.000000000 +0000\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):165 +msgid "" +"To find the SUID and SGID files with multiple links, you can use <c>find</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):169 +msgid "Finding multiply linked suid/sgid binaries" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):169 +#, no-wrap +msgid "" +"\n" +"$ find / -type f \\( -perm -004000 -o -perm -002000 \\) -links +1 -ls\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-pre.xml.po b/shandbook/gettext/ru/shb-pre.xml.po new file mode 100644 index 0000000..747efad --- /dev/null +++ b/shandbook/gettext/ru/shb-pre.xml.po @@ -0,0 +1,318 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(version):10 +msgid "1.0" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(date):11 +msgid "2005-05-31" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):14 +msgid "Physical Security" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):17 +msgid "" +"No matter how many safeguards you implement, they can all be easily " +"circumvented by an attacker with physical access to your computer. Despite " +"this, there are at least some measures that can be taken to provide a degree " +"of security against an attacker with physical access to your machine. " +"Putting your hardware in a locked closet prevents an attacker from simply " +"unplugging it and carting it off. Locking your computer's case is also a " +"good idea, to make sure that an attacker cannot simply walk away with your " +"hard drive. To prevent an attacker from booting from another disk, nicely " +"circumventing your permissions and login restrictions, try setting the hard " +"drive as the first boot device in your BIOS, and setting a BIOS password. It " +"is also important to set a LILO or GRUB boot password, to prevent a " +"malicious user from booting into single-user mode and gaining complete " +"access to your system. This is covered in more detail in Chapter 3, under " +"<uri link=\"?part=1&chap=2#passwording_GRUB\">Setting a GRUB password</" +"uri> and <uri link=\"?part=1&chap=2#passwording_LILO\">Setting a LILO " +"password</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):38 +msgid "Daemon/Service Planning" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):40 +msgid "" +"Start by documenting what services this machine should run. This will help " +"you compose a better partition scheme for your system, and allow you to " +"better plan your security measures. Of course, this is unnecessary if the " +"machine serves a single simple purpose, such as a desktop, or a dedicated " +"firewall. In those cases, you should not be running <e>any</e> services, " +"except perhaps sshd." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):47 +msgid "" +"This list can also be used to aid system administration. By keeping a " +"current list of version information, you will find it much easier to keep " +"everything up to date if a remote vulnerability is discovered in one of your " +"daemons." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):56 +msgid "Partitioning Schemes" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):59 +msgid "Partitioning rules:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):64 +msgid "" +"Any directory tree a user should be able to write to (e.g. <path>/home</" +"path>, <path>/tmp</path>) should be on a separate partition and use disk " +"quotas. This reduces the risk of a user filling up your whole filesystem. " +"Portage uses <path>/var/tmp</path> to compile files, so that partition " +"should be large." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):70 +msgid "" +"Any directory tree where you plan to install non-distribution software on " +"should be on a separate partition. According to the <uri link=\"http://www." +"pathname.com/fhs/\"> File Hierarchy Standard</uri>, this is <path>/opt</" +"path> or <path>/usr/local</path>. If these are separate partitions, they " +"will not be erased if you have to reinstall the system." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):77 +msgid "" +"For extra security, static data can be put on a separate partition that is " +"mounted read-only. For the truly paranoid, try using read-only media like CD-" +"ROM." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):87 +msgid "The root user" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):90 +msgid "" +"The user 'root' is the most vital user on the system and should not be used " +"for anything except when absolutely necessary. If an attacker gains root " +"access, the only way to ever trust your system again is to reinstall." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):96 +msgid "Golden rules about 'root'" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):101 +msgid "" +"Always create a user for everyday use and if this user needs to have root " +"access, add the user to the group 'wheel'. This makes it possible for a " +"normal user to <c>su</c> to root." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):106 +msgid "" +"Never run X or any other user application as root. root should only be used " +"when absolutely necessary; if a vulnerability exists in an application " +"running as a user, an attacker can gain user level access. But if that " +"application is running as root, the attacker gains root access." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):112 +msgid "" +"Always use absolute paths when logged in as root (or always use <c>su -</c>, " +"which replaces the environmental variables of the user with those of root, " +"while being sure root's <c>PATH</c> only includes protected directories like " +"<path>/bin</path> and <path>/sbin</path>). It's possible to trick root into " +"running a different application rather than the one meant to be run. If " +"root's <c>PATH</c> is protected or root only uses absolute paths, we can be " +"sure this won't happen." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):121 +msgid "" +"If a user only needs to run a few commands as root, instead of everything " +"that root normally can do, consider using <c>sudo</c> instead. Just be " +"careful who you give this access to, as well!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):126 +msgid "Never leave the terminal when you are logged in as root." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):131 +msgid "" +"Gentoo has some default protection against normal users trying to <c>su</c> " +"to root. The default PAM setting requires that a user be a member of the " +"group \"wheel\" in order to be able to <c>su</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):140 +msgid "Security policies" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):143 +msgid "" +"There are several reasons to draft a security policy for your system(s) and " +"network." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):149 +msgid "" +"A good security policy allows you to outline security as a \"system\", " +"rather than simply a jumble of different features. For example, without a " +"policy an administrator might decide to turn off telnet, because it " +"transmits unencrypted passwords, but leave on FTP access, which has the same " +"weakness. A good security policy allows you to identify which security " +"measures are worthwhile, and which are not." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):157 +msgid "" +"In order to diagnose problems, conduct audits, or track down intruders, it " +"may be necessary to intercept network traffic, inspect the login and command " +"history of users, and look in home directories. Without outlining this in " +"print, and making users aware of this, such actions may actually be illegal " +"and put <e>you</e> in legal jeopardy." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):164 +msgid "" +"Hijacked user accounts pose one of the most common threats to system " +"security. Without explaining to users why security is important, and how to " +"practice good security (such as not writing passwords on a Post-It note on " +"their desks), it is unlikely you will have any hope of secure user accounts." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):170 +msgid "" +"A well-documented network and system layout will aid you, as well as law " +"enforcement forensics examiners, if need be, in tracing an intrusion and " +"identifying weaknesses after the fact. A security policy \"issue\" banner, " +"stating that your system is a private network and all unauthorized access is " +"prohibited, will also help ensure your ability to properly prosecute an " +"intruder, once he is caught." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):180 +msgid "The need for a good security policy is hopefully now more than clear." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):184 +msgid "" +"The policy itself is a document, or several documents, that outlines the " +"network and system features (such as what services are provided), acceptable " +"use and forbidden use, security \"best practices\", and so forth. All users " +"should be made aware of your security policy, as well as changes you make to " +"keep it up to date. It is important that you take the time to help users " +"understand your policy and why that policy needs to be signed or what will " +"happens if they act directly against the policy (the policy should also " +"state this). This should be repeated at least once a year, since the policy " +"can change (but also as a reminder to the user of the policy itself)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(note):196 +msgid "" +"Create policies that are easy to read and be very precise on every subject." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):200 +msgid "A security policy should at least contain the following subjects:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):207 +msgid "Screen savers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):208 +msgid "Password handling" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):209 +msgid "Software download and installation" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):210 +msgid "Information stating if the users are being monitored" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):211 +msgid "Use of anti-virus software" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):205 +msgid "Acceptable use <placeholder-1/>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):216 +msgid "Clean desk and locked up classified information" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):217 +msgid "PC shutdown before leaving" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):218 +msgid "Use of encryption" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):219 +msgid "Handling of keys to trusted co-workers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):220 +msgid "Handling of confidential material when traveling" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):214 +msgid "" +"Handling of sensitive information (any written form, paper or digital) " +"<placeholder-1/>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):225 +msgid "Laptop handling during travels and hotel stays" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):223 +msgid "Handling of computer equipment when traveling <placeholder-1/>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):230 +msgid "" +"Different users may require different levels or types of access, and as such " +"your policy may vary to accommodate them all." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):235 +msgid "" +"The security policy can become huge, and vital information can easily be " +"forgotten. The IT-staff's policy could contain information that is " +"confidential for the ordinary user, so it is wise to split it up into " +"smaller policies; e.g. Acceptable Use Policy, Password policy, Email policy " +"and Remote Access policy." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):243 +msgid "" +"You can find example policies at <uri link=\"http://www.sans.org/resources/" +"policies/\">The SANS Security Policy Project</uri>. If you have a small " +"network and think these policies are too much you should look at the <uri " +"link=\"ftp://ftp.isi.edu/in-notes/rfc2196.txt\">Site Security Handbook</uri>." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-services.xml.po b/shandbook/gettext/ru/shb-services.xml.po new file mode 100644 index 0000000..a3c37e7 --- /dev/null +++ b/shandbook/gettext/ru/shb-services.xml.po @@ -0,0 +1,785 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(version):10 +msgid "1.5" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(date):11 +msgid "2008-06-13" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):14 +msgid "Apache" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):17 +msgid "" +"Apache comes with a pretty decent configuration file but again, we need to " +"improve some things, like binding Apache to one address and preventing it " +"from leaking information. Below are the options that you should apply the " +"configuration file." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):24 +msgid "" +"If you did not disable <c>ssl</c> in your <path>/etc/make.conf</path> before " +"installing Apache, you should have access to an ssl enabled server. Inside " +"<path>/etc/apache2/vhosts.d</path> example configuration files can be found. " +"These are working examples and it is best to verify those or disable them." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):31 +msgid "" +"It is important to define your configuration(s) to listen to a particular IP " +"address (rather than all available IP addresses on your system). For " +"instance, for the <path>00_default_vhost.conf</path> file:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):37 +msgid "/etc/apache2/vhosts.d/00_default_vhost.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):37 +#, no-wrap +msgid "" +"\n" +"<comment># Make it listen on your ip</comment>\n" +"Listen 127.0.0.1\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):42 +msgid "" +"We also recommend you to disable showing any information about your Apache " +"installation to the world. By default, the configuration will add server " +"version and virtual host name to server-generated pages. To disable this, " +"change the <c>ServerSignature</c> variable to <c>Off</c>:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):49 +msgid "/etc/apache2/modules.d/00_default_settings.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):49 +#, no-wrap +msgid "" +"\n" +"ServerSignature Off\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):53 +msgid "" +"Apache is compiled with <c>--enable-shared=max</c> and <c>--enable-" +"module=all</c>. This will by default enable all modules, so you should " +"comment out all modules in the <c>LoadModule</c> section (<c>LoadModule</c> " +"and <c>AddModule</c>) that you do not use in the main <path>/etc/apache2/" +"httpd.conf</path> configuration file. Restart the service by executing <c>/" +"etc/init.d/apache2 restart</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):62 +msgid "Documentation is available at <uri>http://www.apache.org</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):70 +msgid "Bind" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):73 +msgid "" +"One can find documentation at the <uri link=\"http://www.isc.org/products/" +"BIND/bind9.html\">Internet Software Consortium</uri>. The BIND 9 " +"Administrator Reference Manual is also in the <path>doc/arm</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):80 +msgid "" +"The newer BIND ebuilds support chrooting out of the box. After emerging " +"<c>bind</c> follow these simple instructions:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):85 +msgid "Chrooting BIND" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):85 +#, no-wrap +msgid "" +"\n" +"# <i>emerge --config bind</i>\n" +"<comment>(Before running the above command you might want to change the chroot\n" +"directory in /etc/conf.d/named. Otherwise /chroot/dns will be used.)</comment>\n" +"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):94 +msgid "Djbdns" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):97 +msgid "" +"Djbdns is a DNS implementation on the security of which its author is " +"willing to bet <uri link=\"http://cr.yp.to/djbdns/guarantee.html\">money</" +"uri>. It is very different from how Bind 9 works but worth a try. More " +"information can be obtained from <uri>http://www.djbdns.org</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):108 +msgid "FTP" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):111 +msgid "" +"Generally, using FTP (File Transfer Protocol) is a bad idea. It uses " +"unencrypted data (ie. passwords are sent in clear text), listens on 2 ports " +"(normally port 20 and 21), and attackers are frequently looking for " +"anonymous logins for trading warez. Since the FTP protocol contains several " +"security problems you should instead use <c>sftp</c> or HTTP. If this is not " +"possible, secure your services as well as you can and prepare yourself." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):123 +msgid "Mysql" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):126 +msgid "" +"If you only need local applications to access the <c>mysql</c> database, " +"uncomment the following line in <path>/etc/mysql/my.cnf</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):131 +msgid "Disable network access" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):131 +#, no-wrap +msgid "" +"\n" +"skip-networking\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):135 +msgid "" +"Then we disable the use of the LOAD DATA LOCAL INFILE command. This is to " +"prevent against unauthorized reading from local files. This is relevant when " +"new SQL Injection vulnerabilities in PHP applications are found." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):141 +msgid "Disable LOAD DATA LOCAL INFILE in the [mysqld] section" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):141 +#, no-wrap +msgid "" +"\n" +"set-variable=local-infile=0\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):145 +msgid "" +"Next, we must remove the sample database (test) and all accounts except the " +"local <c>root</c> account." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):150 +msgid "Removing sample database and all unnecessary users" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):150 +#, no-wrap +msgid "" +"\n" +"mysql> <i>drop database test;</i>\n" +"mysql> <i>use mysql;</i>\n" +"mysql> <i>delete from db;</i>\n" +"mysql> <i>delete from user where not (host=\"localhost\" and user=\"root\");</i>\n" +"mysql> <i>flush privileges;</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(warn):158 +msgid "Be careful with the above if you have already configured user accounts." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(note):162 +msgid "" +"If you have been changing passwords from the MySQL prompt, you should always " +"clean out <path>~/.mysql_history</path> and <path>/var/log/mysql/mysql.log</" +"path> as they store the executed SQL commands with passwords in clear text." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):172 +msgid "Proftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):175 +msgid "" +"Proftpd has had several security problems, but most of them seem to have " +"been fixed. Nonetheless, it is a good idea to apply some enhancements:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):180 +msgid "/etc/proftpd/proftpd.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):180 +#, no-wrap +msgid "" +"\n" +"ServerName \"My ftp daemon\"\n" +"#Don't show the ident of the server\n" +"ServerIdent on \"Go away\"\n" +"\n" +"#Makes it easier to create virtual users\n" +"RequireValidShell off\n" +"\n" +"#Use alternative password and group file (passwd uses crypt format)\n" +"AuthUserFile \"/etc/proftpd/passwd\"\n" +"AuthGroupFile \"/etc/proftpd/group\"\n" +"\n" +"# Permissions\n" +"Umask 077\n" +"\n" +"# Timeouts and limitations\n" +"MaxInstances 30\n" +"MaxClients 10 \"Only 10 connections allowed\"\n" +"MaxClientsPerHost 1 \"You have already logged on once\"\n" +"MaxClientsPerUser 1 \"You have already logged on once\"\n" +"TimeoutStalled 10\n" +"TimeoutNoTransfer 20\n" +"TimeoutLogin 20\n" +"\n" +"#Chroot everyone\n" +"DefaultRoot ~\n" +"\n" +"#don't run as root\n" +"User nobody\n" +"Group nogroup\n" +"\n" +"#Log every transfer\n" +"TransferLog /var/log/transferlog\n" +"\n" +"#Problems with globbing\n" +"DenyFilter \\*.*/\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):218 +msgid "One can find documentation at <uri>http://www.proftpd.org</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):225 +msgid "Pure-ftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):228 +msgid "" +"Pure-ftpd is an branch of the original trollftpd, modified for security " +"reasons and functionality by Frank Dennis." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):233 +msgid "" +"Use virtual users (never system accounts) by enabling the <c>AUTH</c> " +"option. Set this to <c>-lpuredb:/etc/pureftpd.pdb</c> and create your users " +"by using <c>/usr/bin/pure-pw</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):239 +msgid "/etc/conf.d/pure-ftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):239 +#, no-wrap +msgid "" +"\n" +"AUTH=\"-lpuredb:/etc/pureftpd.pdb\"\n" +"\n" +"## Misc. Others ##\n" +"MISC_OTHER=\"-A -E -X -U 177:077 -d -4 -L100:5 -I 15\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):246 +msgid "" +"Configure your <c>MISC_OTHER</c> setting to deny anonymous logins (<c>-E</" +"c>), chroot everyone (<c>-A</c>), prevent users from reading or writing to " +"files beginning with a . (dot) (<c>-X</c>), max idle time (<c>-I</c>), limit " +"recursion (<c>-L</c>), and a reasonable <c>umask</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(warn):253 +msgid "" +"Do <e>not</e> use the <c>-w</c> or <c>-W</c> options! If you want to have a " +"warez site, stop reading this guide!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):258 +msgid "One can find documentation at <uri>http://www.pureftpd.org</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):265 +msgid "Vsftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):268 +msgid "" +"Vsftpd (short for very secure ftp) is a small ftp daemon running a " +"reasonably default configuration. It is simple and does not have as many " +"features as pureftp and proftp." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):274 +msgid "/etc/vsftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):274 +#, no-wrap +msgid "" +"\n" +"anonymous_enable=NO\n" +"local_enable=YES\n" +"\n" +"#read only\n" +"write_enable=NO\n" +"\n" +"#enable logging of transfers\n" +"xferlog_std_format=YES\n" +"\n" +"idle_session_timeout=20\n" +"data_connection_timeout=20\n" +"nopriv_user=nobody\n" +"\n" +"chroot_list_enable=YES\n" +"chroot_list_file=/etc/vsftpd/chrootlist\n" +"\n" +"ls_recurse_enable=NO\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):294 +msgid "" +"As you can see, there is no way for this service to have individual " +"permissions, but when it comes to anonymous settings it is quite good. " +"Sometimes it can be nice to have an anonymous ftp server (for sharing open " +"source), and vsftpd does a really good job at this." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):304 +msgid "Netqmail" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):307 +msgid "" +"Netqmail is often considered to be a very secure mail server. It is written " +"with security (and paranoia) in mind. It does not allow relaying by default " +"and has not had a security hole since 1996. Simply <c>emerge netqmail</c> " +"and go configure!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):316 +msgid "Samba" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):319 +msgid "" +"Samba is a protocol to share files with Microsoft/Novell networks and it " +"should <e>not</e> be used over the Internet. Nonetheless, it still needs " +"securing." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):325 +msgid "/etc/samba/smb.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):325 +#, no-wrap +msgid "" +"\n" +"[global]\n" +" #Bind to an interface\n" +" interfaces = eth0 10.0.0.1/32\n" +"\n" +" #Make sure to use encrypted password\n" +" encrypt passwords = yes\n" +" directory security mask = 0700\n" +"\n" +" #allow traffic from 10.0.0.*\n" +" hosts allow = 10.0.0.\n" +"\n" +" #Enables user authentication\n" +" #(don't use the share mode)\n" +" security = user\n" +"\n" +" #Disallow privileged accounts\n" +" invalid users = root @wheel\n" +"\n" +" #Maximum size smb shows for a share (not a limit)\n" +" max disk size = 102400\n" +"\n" +" #Uphold the password policy\n" +" min password length = 8\n" +" null passwords = no\n" +"\n" +" #Use PAM (if added support)\n" +" obey pam restrictions = yes\n" +" pam password change = yes\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):356 +msgid "" +"Make sure that permissions are set correct on every share and remember to " +"read the <uri link=\"http://www.samba.org\">documentation</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):361 +msgid "" +"Now restart the server and add the users who should have access to this " +"service. This is done though the command <path>/usr/bin/smbpasswd</path> " +"with the parameter <c>-a</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):370 +msgid "ssh" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):373 +msgid "" +"The only securing that OpenSSH needs is turning on a stronger authentication " +"based on public key encryption. Too many sites (like <uri>http://www." +"sourceforge.net</uri>, <uri>http://www.php.net</uri> and <uri>http://www." +"apache.org</uri>) have suffered unauthorized intrusion due to password leaks " +"or bad passwords." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):381 +msgid "/etc/ssh/sshd_config" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):381 +#, no-wrap +msgid "" +"\n" +"#Only enable version 2\n" +"Protocol 2\n" +"\n" +"#Disable root login. Users have to su to root\n" +"PermitRootLogin no\n" +"\n" +"#Turn on Public key authentication\n" +"PubkeyAuthentication yes\n" +"AuthorizedKeysFile .ssh/authorized_keys\n" +"\n" +"#Disable .rhost and normal password authentication\n" +"HostbasedAuthentication no\n" +"PasswordAuthentication no\n" +"PermitEmptyPasswords no\n" +"\n" +"#Only allow userin the wheel or admin group to login\n" +"AllowGroups wheel admin\n" +"\n" +"#In those groups only allow the following users\n" +"#The @<domainname> is optional but replaces the\n" +"#older AllowHosts directive\n" +"AllowUsers kn@gentoo.org bs@gentoo.org\n" +"\n" +"#Logging\n" +"SyslogFacility AUTH\n" +"LogLevel INFO\n" +"\n" +"<comment>(Change this to your address)</comment>\n" +"ListenAddress 127.0.0.1\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):413 +msgid "" +"Also verify that you don't have <c>UsePAM yes</c> in your configuration file " +"as it overrides the public key authentication mechanism, or you can disable " +"either <c>PasswordAuthentication</c> or <c>ChallengeResponseAuthentication</" +"c>. More information about these options can be found in the " +"<path>sshd_config</path> manual page." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):421 +msgid "" +"Now all that your users have to do is create a key (on the machine they want " +"to login from) with the following command:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):426 +msgid "Create a DSA keypair" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):426 +#, no-wrap +msgid "" +"\n" +"# <i>/usr/bin/ssh-keygen -t dsa</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):430 +msgid "And type in a pass phrase." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):434 +msgid "Output of ssh-keygen" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):434 +#, no-wrap +msgid "" +"\n" +"Generating public/private dsa key pair.\n" +"Enter file in which to save the key (/home/kn/.ssh/id_dsa):<i>[Press enter]</i>\n" +"Created directory '/home/kn/.ssh'.\n" +"Enter passphrase (empty for no passphrase): <i>[Enter passphrase]</i>\n" +"Enter same passphrase again: <i>[Enter passphrase again]</i>\n" +"Your identification has been saved in /home/kn/.ssh/id_dsa.\n" +"Your public key has been saved in /home/kn/.ssh/id_dsa.pub.\n" +"The key fingerprint is:\n" +"07:24:a9:12:7f:83:7e:af:b8:1f:89:a3:48:29:e2:a4 kn@knielsen\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):446 +msgid "" +"This will add two files in your <path>~/.ssh/</path> directory called " +"<path>id_dsa</path> and <path>id_dsa.pub</path>. The file called " +"<path>id_dsa</path> is your private key and should be kept from other people " +"than yourself. The other file <path>id_dsa.pub</path> is to be distributed " +"to every server that you have access to. Add the key to the users home " +"directory in <path>~/.ssh/authorized_keys</path> and the user should be able " +"to login:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):455 +msgid "Adding the id_dsa.pub file to the authorized_keys file" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):455 +#, no-wrap +msgid "" +"\n" +"$ <i>scp id_dsa.pub other-host:/var/tmp/currenthostname.pub</i>\n" +"$ <i>ssh other-host</i>\n" +"password:\n" +"$ <i>cat /var/tmp/currenthostname.pub >> ~/.ssh/authorized_keys</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):462 +msgid "" +"Now your users should guard this private key well. Put it on a media that " +"they always carry with them or keep it on their workstation (put this in the " +"<uri link=\"?part=1&chap=1#security_policies\">password</uri> policy)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):468 +msgid "" +"For more information go to the <uri link=\"http://www.openssh.org\">OpenSSH</" +"uri> web site." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):476 +msgid "Using xinetd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):479 +msgid "" +"xinetd is a replacement for <c>inetd</c> (which Gentoo does not have), the " +"Internet services daemon. It supports access control based on the address of " +"the remote host and the time of access. It also provide extensive logging " +"capabilities, including server start time, remote host address, remote user " +"name, server run time, and actions requested." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):487 +msgid "" +"As with all other services it is important to have a good default " +"configuration. But since <c>xinetd</c> is run as root and supports protocols " +"that you might not know how they work, we recommend not to use it. But if " +"you want to use it anyway, here is how you can add some security to it:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):494 +msgid "Install xinetd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):494 +#, no-wrap +msgid "" +"\n" +"# <i>emerge xinetd tcp-wrappers</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):498 +msgid "And edit the configuration file:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):502 +msgid "/etc/xinetd.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):502 +#, no-wrap +msgid "" +"\n" +"defaults\n" +"{\n" +" only_from = localhost\n" +" instances = 10\n" +" log_type = SYSLOG authpriv info\n" +" log_on_success = HOST PID\n" +" log_on_failure = HOST\n" +" cps = 25 30\n" +"}\n" +"\n" +"# This will setup pserver (cvs) via xinetd with the following settings:\n" +"# max 10 instances (10 connections at a time)\n" +"# limit the pserver to tcp only\n" +"# use the user cvs to run this service\n" +"# bind the interfaces to only 1 ip\n" +"# allow access from 10.0.0.*\n" +"# limit the time developers can use cvs from 8am to 5pm\n" +"# use tpcd wrappers (access control controlled in\n" +"# <i>/etc/hosts.allow</i> and <i>/etc/hosts.deny</i>)\n" +"# max_load on the machine set to 1.0\n" +"# The disable flag is per default set to no but I like having\n" +"# it in case of it should be disabled\n" +"service cvspserver\n" +"{\n" +" socket_type = stream\n" +" protocol = tcp\n" +" instances = 10\n" +" protocol = tcp\n" +" wait = no\n" +" user = cvs\n" +" bind = 10.0.0.2\n" +" only_from = 10.0.0.0\n" +" access_times = 8:00-17:00\n" +" server = /usr/sbin/tcpd\n" +" server_args = /usr/bin/cvs --allow-root=/mnt/cvsdisk/cvsroot pserver\n" +" max_load = 1.0\n" +" log_on_failure += RECORD\n" +" disable = no\n" +"}\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):544 +msgid "For more information read <c>man 5 xinetd.conf</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):552 +msgid "X" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):555 +msgid "" +"By default Xorg is configured to act as an Xserver. This can be dangerous " +"since X uses unencrypted TCP connections and listens for xclients." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(impo):560 +msgid "If you do not need this service disable it!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):564 +msgid "" +"But if you depend on using your workstation as a Xserver use the <c>/usr/" +"X11R6/bin/xhost</c> command with caution. This command allows clients from " +"other hosts to connect and use your display. This can become handy if you " +"need an X application from a different machine and the only way is through " +"the network, but it can also be exploited by an attacker. The syntax of this " +"command is <c>/usr/X11R6/bin/xhost +hostname</c>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(warn):573 +msgid "" +"Do not ever use the <c>xhost +</c> feature! This will allow any client to " +"connect and take control of your X. If an attacker can get access to your X, " +"he can log your keystrokes and take control over your desktop. If you have " +"to use it always remember to specify a host." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):580 +msgid "" +"A more secure solution is to disable this feature completely by starting X " +"with <c>startx -- -nolisten tcp</c> or disable it permanently in the " +"configuration." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):585 +msgid "/usr/X11R6/bin/startx" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):585 +#, no-wrap +msgid "" +"\n" +"defaultserverargs=\"-nolisten tcp\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):589 +msgid "" +"To make sure that <path>startx</path> does not get overwritten when emerging " +"a new version of Xorg you must protect it. Add the following line to <path>/" +"etc/make.conf</path>:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):595 +msgid "/etc/make.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):595 +#, no-wrap +msgid "" +"\n" +"CONFIG_PROTECT_MASK=\"/usr/X11R6/bin/startx\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):599 +msgid "If you use a graphical login manager you need a different approach." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):603 +msgid "For <c>gdm</c> (Gnome Display Manager)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):607 +msgid "/etc/X11/gdm/gdm.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):607 +#, no-wrap +msgid "" +"\n" +"[server-Standard]\n" +"command=/usr/X11R6/bin/X -nolisten tcp\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):612 +msgid "For <c>xdm</c> (X Display Manager) and <c>kdm</c> (Kde Display Manager)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):616 +msgid "/etc/X11/xdm/Xservers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):616 +#, no-wrap +msgid "" +"\n" +":0 local /usr/bin/X11/X -nolisten tcp\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-tcp.xml.po b/shandbook/gettext/ru/shb-tcp.xml.po new file mode 100644 index 0000000..0691bfc --- /dev/null +++ b/shandbook/gettext/ru/shb-tcp.xml.po @@ -0,0 +1,85 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(date):11 +msgid "2010-04-26" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(title):14 +msgid "TCP Wrappers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(p):17 +msgid "" +"This is a way of controlling access to services normally run by inetd (which " +"Gentoo does not have), but it can also be used by xinetd and other services." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(note):22 +msgid "" +"The service should be executing tcpd in its server argument (in xinetd). See " +"the chapter on xinetd for more information." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(pre:caption):27 +msgid "/etc/hosts.deny" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(pre):27 +#, no-wrap +msgid "" +"\n" +"ALL:PARANOID\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(pre:caption):31 +msgid "/etc/hosts.allow" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(pre):31 +#, no-wrap +msgid "" +"\n" +"ALL: LOCAL @wheel\n" +"time: LOCAL, .gentoo.org\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(p):36 +msgid "" +"As you can see the format is very similar to the one in <path>/etc/security/" +"access.conf</path>. Tcpd supports a specific service; it does not overlap " +"with <path>/etc/security/access.conf</path>. These settings only apply to " +"services using tcp wrappers." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(p):43 +msgid "" +"It is also possible to execute commands when a service is accessed (this can " +"be used when activating relaying for dial-in users) but it is not " +"recommended, since people tend to create more problems than they are trying " +"to solve. An example could be that you configure a script to send an e-mail " +"every time someone hits the deny rule, but then an attacker could launch a " +"DoS attack by keep hitting the deny rule. This will create a lot of I/O and " +"e-mails so don't do it!. Read the <c>man 5 hosts_access</c> for more " +"information." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-tight.xml.po b/shandbook/gettext/ru/shb-tight.xml.po new file mode 100644 index 0000000..c2d8538 --- /dev/null +++ b/shandbook/gettext/ru/shb-tight.xml.po @@ -0,0 +1,217 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(date):11 +msgid "2006-03-04" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(title):14 +msgid "USE flags" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):17 +msgid "" +"The <path>make.conf</path> file contains user defined USE flags and <path>/" +"etc/make.profile/make.defaults</path> contains the default USE flags for " +"Gentoo Linux. For this guide's purposes, the important flags are <c>pam</c> " +"(Pluggable Authentication Modules), <c>tcpd</c> (TCP wrappers), and <c>ssl</" +"c> (Secure Socket Layer). These are all in the default USE flags." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(title):28 +msgid "Password protecting GRUB" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):31 +msgid "" +"GRUB supports two different ways of adding password protection to your boot " +"loader. The first uses plain text, while the latter uses md5+salt encryption." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):36 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):79 +msgid "/boot/grub/grub.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):36 +#, no-wrap +msgid "" +"\n" +"timeout 5\n" +"password changeme\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):41 +msgid "" +"This will add the password <c>changeme</c>. If no password is entered at " +"boot, GRUB will simply use the default boot setting." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):46 +msgid "" +"When adding an md5 password, you must convert your password into crypt " +"format, which is the same format used in <path>/etc/shadow</path>. For more " +"information see <c>man crypt</c>. The encrypted password <e>changeme</e>, " +"for example, could look like this: <c>$1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):53 +msgid "You can encrypt your password directly at the GRUB shell:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):57 +msgid "md5crypt in grub shell" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):57 +#, no-wrap +msgid "" +"\n" +"#<i>/sbin/grub</i>\n" +"\n" +"GRUB version 0.92 (640K lower / 3072K upper memory)\n" +"\n" +" [ Minimal BASH-like line editing is supported. For the first word, TAB lists\n" +" possible command completions. Anywhere else TAB lists the possible\n" +" completions of a device/filename. ]\n" +"\n" +"grub> <i>md5crypt</i>\n" +"\n" +"Password: <i>********</i>\n" +"<comment>(Typed changeme at the prompt)</comment>\n" +"Encrypted: $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.\n" +"\n" +"grub> <i>quit</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):75 +msgid "Then, cut and paste your password to <path>/boot/grub/grub.conf</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):79 +#, no-wrap +msgid "" +"\n" +"timeout 5\n" +"password --md5 $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):84 +msgid "" +"The 5 seconds timeout becomes handy if the system is remote and should be " +"able to reboot without any keyboard interaction. Learn more about GRUB " +"passwords by executing <c>info grub</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(title):93 +msgid "Password protecting LILO" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):96 +msgid "" +"LILO also supports two ways of handling passwords: global and per-image, " +"both in clear text." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):101 +msgid "" +"The global password is set at the top of the configuration file, and applies " +"to every boot image:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):106 +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):116 +msgid "/etc/lilo.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):106 +#, no-wrap +msgid "" +"\n" +"password=changeme\n" +"restricted\n" +"delay=3\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):112 +msgid "The per-image password is set as below:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):116 +#, no-wrap +msgid "" +"\n" +"image=/boot/bzImage\n" +" read-only\n" +" password=changeme\n" +" restricted\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):123 +msgid "" +"If the <c>restricted</c> option is not entered, it will prompt for a " +"password every time." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):128 +msgid "" +"In order to store the new information in <path>lilo.conf</path>, you must " +"run <c>/sbin/lilo</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(title):136 +msgid "Restricting Console Usage" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):139 +msgid "" +"The <path>/etc/securetty</path> file allows you to specify which <c>tty</c> " +"(terminal) devices root is allowed to login to." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):144 +msgid "" +"We suggest that you comment out all lines except <c>vc/1</c> if you are " +"using devfs and all lines except <c>tty1</c> if you are using udev. This " +"will ensure that root only can login once and only on one terminal." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(note):150 +msgid "" +"Users in the group \"wheel\" can still <c>su -</c> to become root on other " +"TTYs." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):154 +msgid "/etc/securetty" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):154 +#, no-wrap +msgid "" +"\n" +"<comment>(For devfs)</comment>\n" +"vc/1\n" +"<comment>(For udev)</comment>\n" +"tty1\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/ru/shb-uptodate.xml.po b/shandbook/gettext/ru/shb-uptodate.xml.po new file mode 100644 index 0000000..0464432 --- /dev/null +++ b/shandbook/gettext/ru/shb-uptodate.xml.po @@ -0,0 +1,158 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: 2010-10-22 00:56+0600\n" +"Last-Translator: Automatically generated\n" +"Language-Team: none\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(date):11 +msgid "2005-10-13" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(title):14 +msgid "Keeping up-to-date" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):17 +msgid "" +"Once you have successfully installed your system and ensured a good level of " +"security you are not done. Security is an ongoing process; the vast majority " +"of intrusions result from known vulnerabilities in unpatched systems. " +"Keeping your system up-to-date is the single most valuable step you can take " +"to greater security." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):25 +msgid "" +"If you have a recent version of <c>portage</c> installed, you can first sync " +"your portage tree with <c>emerge --sync</c> and then issue the command " +"<c>glsa-check --list</c> to check if your system is up to date security-" +"wise. <c>glsa-check</c> is part of <c>app-portage/gentoolkit</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(pre:caption):32 +msgid "Example output of glsa-check -l" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(pre):32 +#, no-wrap +msgid "" +"\n" +"# <i>glsa-check -l</i>\n" +"WARNING: This tool is completely new and not very tested, so it should not be\n" +"used on production systems. It's mainly a test tool for the new GLSA release\n" +"and distribution system, it's functionality will later be merged into emerge\n" +"and equery.\n" +"Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml\n" +"before using this tool AND before reporting a bug.\n" +"\n" +"[A] means this GLSA was already applied,\n" +"[U] means the system is not affected and\n" +"[N] indicates that the system might be affected.\n" +"\n" +"200406-03 [N] sitecopy: Multiple vulnerabilities in included libneon ( net-misc/sitecopy )\n" +"200406-04 [U] Mailman: Member password disclosure vulnerability ( net-mail/mailman )\n" +".......\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(warn):50 +msgid "" +"The <c>glsa-check</c> is still experimental, so if security really is your " +"top priority it would be wise to double check the list with other sources." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):55 +msgid "" +"All lines with a <c>[A]</c> and <c>[U]</c> can be almost safely ignored as " +"the system is not affected by this GLSA." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(impo):60 +msgid "" +"Please note that the usual <c>emerge -vpuD world</c> will not pick up all " +"package updates. You need to use <c>glsa-check</c> if you want to make sure " +"all GLSAs are fixed on your system." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(pre:caption):66 +msgid "Check all GLSAs" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(pre):66 +#, no-wrap +msgid "" +"\n" +"<comment>(Check if your system is affected by GLSAs)</comment>\n" +"# <i>glsa-check -t all</i>\n" +"WARNING: This tool is completely new and not very tested, so it should not be\n" +"used on production systems. It's mainly a test tool for the new GLSA release\n" +"and distribution system, it's functionality will later be merged into emerge\n" +"and equery.\n" +"Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml\n" +"before using this tool AND before reporting a bug.\n" +"\n" +"This system is affected by the following GLSA:\n" +"200504-06\n" +"200510-08\n" +"200506-14\n" +"200501-35\n" +"200508-12\n" +"200507-16\n" +"\n" +"<comment>(See what packages would be emerged)</comment>\n" +"# <i>glsa-check -p $(glsa-check -t all)</i>\n" +" <comment>(partial output)</comment>\n" +"Checking GLSA 200504-06\n" +"The following updates will be performed for this GLSA:\n" +" app-arch/sharutils-4.2.1-r11 (4.2.1-r10)\n" +"\n" +" **********************************************************************\n" +"\n" +" Checking GLSA 200510-08\n" +" The following updates will be performed for this GLSA:\n" +" media-libs/xine-lib-1.1.0-r5 (1.1.0-r4)\n" +"\n" +"<comment>(Apply required fixes)</comment>\n" +"# <i>glsa-check -f $(glsa-check -t all)</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):101 +msgid "" +"If you have upgraded a running service, you should not forget to restart it." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):105 +msgid "" +"Keeping your <uri link=\"/doc/en/kernel-upgrade.xml\">kernel up-to-date</" +"uri> is also recommended." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):110 +msgid "" +"If you want an email each time a GLSA is released subscribe to the <c>gentoo-" +"announce</c> mailing list. Instructions for joining it and many other great " +"mailing lists can be found <uri link=\"/main/en/lists.xml\">Gentoo Linux " +"Mailing List Overview</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):117 +msgid "" +"Another great security resource is the <uri link=\"http://www.securityfocus." +"com/archive/1\">Bugtraq mailing list</uri>." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(None):0 +msgid "translator-credits" +msgstr "" diff --git a/shandbook/gettext/security-handbook.xml.pot b/shandbook/gettext/security-handbook.xml.pot new file mode 100644 index 0000000..167c54f --- /dev/null +++ b/shandbook/gettext/security-handbook.xml.pot @@ -0,0 +1,248 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):6 +msgid "Gentoo Security Handbook" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):8 +msgid "Author" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):9 +msgid "kn@insecurity.dk" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):9 +msgid "Kim Nielsen" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):11 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):14 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):17 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):20 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):23 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):26 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):29 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):32 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):35 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):38 ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author:title):41 +msgid "Editor" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(author):11 +msgid "John P. Davis" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):15 +msgid "stocke2@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):15 +msgid "Eric R. Stockbridge" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):18 +msgid "carl@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):18 +msgid "Carl Anderson" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):21 +msgid "peesh@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):21 +msgid "Jorge Paulo" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):24 +msgid "swift@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):24 +msgid "Sven Vermeulen" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):27 +msgid "bennyc@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):27 +msgid "Benny Chuang" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):30 +msgid "jaervosz@itu.dk" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):30 +msgid "Sune Jeppesen" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):33 +msgid "blubber@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):33 +msgid "Tiemo Kieft" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):36 +msgid "klasikahl@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):36 +msgid "Zack Gilburd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):39 +msgid "krispykringle@gentoo.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail):39 +msgid "Dan Margolis" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(mail:link):42 +msgid "nightmorph" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):45 +msgid "This is a step-by-step guide for hardening Gentoo Linux." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(version):51 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(date):52 +msgid "2010-04-02" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):96 +msgid "System Security" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):97 +msgid "Harden different parts of your system to make it more secure." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):102 +msgid "Pre-Installation Concerns" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):103 +msgid "Why is security an important part for every server admin?" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):110 +msgid "Tightening Security" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):111 +msgid "Tightening security during and after installation." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):118 +msgid "Logging" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):119 +msgid "Gentoo Linux lets you choose between 3 different loggers." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):126 +msgid "Mounting Partitions" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):127 +msgid "/etc/fstab provides many security options." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):134 +msgid "User/Group Limitations" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):135 +msgid "Control your resource usage." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):142 +msgid "File Permissions" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):143 +msgid "Securing your files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):150 +msgid "PAM" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):151 +msgid "Pluggable Authentication Modules." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):158 +msgid "TCP Wrappers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):159 +msgid "Control access to services." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):166 +msgid "Kernel Security" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):167 +msgid "Secure your kernel." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):174 +msgid "Securing Services" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):175 +msgid "Ensure that your daemons are secure." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):182 +msgid "Chrooting and Virtual Servers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):183 +msgid "Isolate your servers." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):190 +msgid "Firewalls" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):191 +msgid "Filter your packets." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):198 +msgid "Intrusion Detection" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):199 +msgid "Detect intruders." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(title):206 +msgid "Keeping up-to-date" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(abstract):207 +msgid "Ensure you have the latest security updates." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//security-handbook.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-chroot.xml.pot b/shandbook/gettext/shb-chroot.xml.pot new file mode 100644 index 0000000..345200a --- /dev/null +++ b/shandbook/gettext/shb-chroot.xml.pot @@ -0,0 +1,90 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(date):11 +msgid "2005-12-15" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(title):14 +msgid "Chrooting" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):17 +msgid "Chrooting a service is a way of limiting a service (or user) environment to only accessing what it should and not gaining access (or information) that could lead to root access. By running the service as another user than <c>root</c> (<c>nobody</c>, <c>apache</c>, <c>named</c>) an attacker can only access files with the permissions of this user. This means that an attacker cannot gain <c>root</c> access even if the services has a security flaw." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):26 +msgid "Some services like <c>pure-ftpd</c> and <c>bind</c> have features for chrooting, and other services do not. If the service supports it, use it, otherwise you have to figure out how to create your own. Lets see how to create a chroot, for a basic understanding of how chroots work, we will test it with <c>bash</c> (easy way of learning)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):34 +msgid "Create the <path>/chroot</path> directory with <c>mkdir /chroot</c>. And find what dynamic libraries that <c>bash</c> is compiled with (if it is compiled with <c>-static</c> this step is not necessary):" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):40 +msgid "The following command will create a list of libraries used by <c>bash</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(pre:caption):44 +msgid "Get listing of used libraries" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(pre):44 +#, no-wrap +msgid "\n# <i>ldd /bin/bash</i>\n libncurses.so.5 => /lib/libncurses.so.5 (0x4001b000)\n libdl.so.2 => /lib/libdl.so.2 (0x40060000)\n libc.so.6 => /lib/libc.so.6 (0x40063000)\n /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):52 +msgid "Now lets create the environment for <c>bash</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(pre:caption):56 +msgid "Create chroot-environment for bash" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(pre):56 +#, no-wrap +msgid "\n# <i>mkdir /chroot/bash</i>\n# <i>mkdir /chroot/bash/bin</i>\n# <i>mkdir /chroot/bash/lib</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):62 +msgid "Next copy the files used by <c>bash</c> (<path>/lib</path>) to the chrooted <path>lib</path> and copy the bash command to the chrooted <path>bin</path> directory. This will create the exact same environment, just with less functionality. After copying try it out: <c>chroot /chroot/bash /bin/bash</c>. If you get an prompt saying <path>/</path> it works! Otherwise it will properly tell you what a file is missing. Some shared libraries depend on each other." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):71 +msgid "You will notice that inside the chroot nothing works except <c>echo</c>. This is because we have no other commands in out chroot environment than bash and <c>echo</c> is a build-in functionality." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):77 +msgid "This is basically the same way you would create a chrooted service. The only difference is that services sometimes rely on devices and configuration files in <path>/etc</path>. Simply copy them (devices can be copied with <c>cp -a</c>) to the chrooted environment, edit the init script to use chroot before executing. It can be difficult to find what devices and configuration files a services need. This is where the <c>strace</c> command becomes handy. Start the service with <c>/usr/bin/strace</c> bash and look for open, read, stat and maybe connect. This will give you a clue on what files to copy. But in most cases just copy the passwd file (edit the copy and remove users that has nothing to do with the service), <path>/dev/zero</path>, <path>/dev/log</path> and <path>/dev/random</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(title):94 +msgid "User Mode Linux" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):97 +msgid "Another way of creating a more secure environment is by running a virtual machine. A virtual machine, as the name implies, is a process that runs on top of your real operating system providing a hardware and operating system environment that appears to be its own unique machine. The security benefit is that if the server running on the virtual machine is compromised, only the virtual server is affected and not the parent installation." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(p):106 +msgid "For more information about how to setup User Mode Linux consult the <uri link=\"/doc/en/uml.xml\">User Mode Linux Guide</uri>." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-chroot.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-firewalls.xml.pot b/shandbook/gettext/shb-firewalls.xml.pot new file mode 100644 index 0000000..c3ccf92 --- /dev/null +++ b/shandbook/gettext/shb-firewalls.xml.pot @@ -0,0 +1,887 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(version):10 +msgid "1.4" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(date):11 +msgid "2007-02-20" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):14 +msgid "A firewall" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):17 +msgid "People often think that a firewall provides the ultimate security, but they are wrong. In most cases a misconfigured firewall gives less security than not having one at all. A firewall is also a piece of software and should be treated the same way as any other piece of software, because it is just as likely to contain bugs." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):25 +msgid "So think before implementing a firewall! Do you really need one? If you think you need one write a policy on how it should work, what type of firewall, and who should operate it. But first read this guide." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):31 +msgid "Firewalls are used for two purposes:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):36 +msgid "To keep users (worms/attackers) out" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):37 +msgid "To keep users (employees/children) in" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):40 +msgid "Basically there are three types of firewalls:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):45 ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):58 +msgid "Packet filtering" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):46 ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):129 +msgid "Circuit relay" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):47 ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):167 +msgid "Application gateway" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):50 +msgid "A firewall should be a dedicated machine running no services (or <c>sshd</c> as the only one) and secured the way this guide recommends it be." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):61 +msgid "All network traffic is sent in the form of packets. Large amounts of traffic is split up into small packets for easy handling and then reassembled when it arrives at its destination. In the packet header every packet contains information on how and where it should be delivered. And this information is exactly what a packing filtering firewall uses. Filtering is based on:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):70 +msgid "Allow or disallow packets based on source/destination IP address" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):71 +msgid "Allow or disallow packets based on source/destination port" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):72 +msgid "Allow or disallow packets based on protocol" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):73 +msgid "Allow or disallow packets based on flags within a specific protocol" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):76 +msgid "In other words, this filtering is based on all the data within the header of a packet and not its content." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):81 +msgid "Weaknesses:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):86 +msgid "Address information in a packet can potentially be a bogus IP address (or as we say <e>spoofed</e> by the sender)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):90 +msgid "Data or requests within the allowed packet may contain unwanted data that the attacker can use to exploit known bugs in the services on or behind the firewall" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):94 +msgid "Usually single point of failure" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):97 ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):184 +msgid "Advantages:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):102 +msgid "Simple and easy to implement" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):103 +msgid "Can give warnings of a possible attack before it happens (ie. by detecting port scans)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):107 +msgid "Good for stopping SYN attacks" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):110 +msgid "Examples of free packet filters on Linux:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri:link):115 +msgid "http://www.iptables.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri):115 ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):221 +msgid "Iptables" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri:link):117 +msgid "http://www.linuxdocs.org/HOWTOs/IPCHAINS-HOWTO.html" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri):117 +msgid "Ipchains" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri:link):119 +msgid "http://www.smoothwall.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri):119 +msgid "SmoothWall" +msgstr "" + +#. FIXME: should SmoothWall really be included, since it uses iptables? +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):122 +msgid "It is recommended that you use iptables. Ipchains is obsoleted." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):132 +msgid "A circuit level gateway is a firewall that validates connections before allowing data to be exchanged. This means that it does not simply allow or deny packets based on the packet header but determines whether the connection between both ends is valid according to configurable rules before it opens a session and allows data to be exchanged. Filtering is based on:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):141 +msgid "Source/destination IP address" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):142 +msgid "Source/destination port" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):143 +msgid "A period of time" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):144 ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):395 +msgid "Protocol" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):145 +msgid "User" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):146 +msgid "Password" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):149 +msgid "All traffic is validated and monitored, and unwanted traffic can be dropped." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):153 ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):196 +msgid "Weakness:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):158 +msgid "Operates at the Transport Layer and may require substantial modification of the programs that normally provide transport functions." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):170 +msgid "The application level gateway is a proxy for applications, exchanging data with remote systems on behalf of the clients. It is kept away from the public safely behind a DMZ (De-Militarized Zone: the portion of a private network that is visible through the firewall) or a firewall allowing no connections from the outside. Filtering is based on:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):179 +msgid "Allow or disallow based on source/destination IP address" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):180 +msgid "Based on the packet's content" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):181 +msgid "Limiting file access based on file type or extension" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):189 +msgid "Can cache files, increasing network performance" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):190 +msgid "Detailed logging of all connections" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):191 +msgid "Scales well (some proxy servers can \"share\" the cached data)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):192 +msgid "No direct access from the outside" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):193 +msgid "Can even alter the packet content on the fly" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):201 +msgid "Configuration is complex" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):204 +msgid "Application gateways are considered to be the most secure solution since they do not have to run as root and the hosts behind them are not reachable from the Internet." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):210 +msgid "Example of a free application gateway:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri:link):215 +msgid "http://www.squid-cache.org/" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(uri):215 ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):825 +msgid "Squid" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):224 +msgid "In order to use iptables, it must be enabled in the kernel. I have added iptables as modules (the <c>iptables</c> command will load them as they are needed) and recompiled my kernel (but you may want to compile iptables in, if you intend to disable Loadable Kernel Modules as discussed previously). For more information on how to configure your kernel for iptables go to the <uri link=\"http://iptables-tutorial.frozentux.net/iptables-tutorial.html#PREPARATIONS\">Iptables Tutorial Chapter 5: Preparations</uri>. After you have compiled your new kernel (or while compiling the kernel), you must add the <c>iptables</c> command. Just <c>emerge iptables</c> and it should work." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):236 +msgid "Now test that it works by running <c>iptables -L</c>. If this fails something is wrong and you have to check you configuration once more." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):241 +msgid "Iptables is the new and heavily improved packet filter in the Linux 2.4.x kernel. It is the successor of the previous ipchains packet filter in the Linux 2.2.x kernel. One of the major improvements is that iptables is able to perform stateful packet filtering. With stateful packet filtering it is possible to keep track of each established TCP connection." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):249 +msgid "A TCP connection consists of a series of packets containing information about source IP address, destination IP address, source port, destination port, and a sequence number so the packets can be reassembled without losing data. TCP is a connection-oriented protocol, in contrast to UDP, which is connectionless." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):256 +msgid "By examining the TCP packet header, a stateful packet filter can determine if a received TCP packet is part of an already established connection or not and decide either to accept or drop the packet." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):262 +msgid "With a stateless packet filter it is possible to fool the packet filter into accepting packets that should be dropped by manipulating the TCP packet headers. This could be done by manipulating the SYN flag or other flags in the TCP header to make a malicious packet appear to be a part of an established connection (since the packet filter itself does not do connection tracking). With stateful packet filtering it is possible to drop such packets, as they are not part of an already established connection. This will also stop the possibility of \"stealth scans\", a type of port scan in which the scanner sends packets with flags that are far less likely to be logged by a firewall than ordinary SYN packets." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):275 +msgid "Iptables provides several other features like NAT (Network Address Translation) and rate limiting. Rate limiting is extremely useful when trying to prevent certain DoS (Denial of Service) attacks like SYN floods." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):281 +msgid "A TCP connection is established by a so called three-way handshake. When establishing a TCP connection the client-side sends a packet to the server with the SYN flag set. When the server-side receives the SYN packet it responds by sending a SYN+ACK packet back to the client-side. When the SYN+ACK is received the client-side responds with a third ACK packet in effect acknowledging the connection." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):290 +msgid "A SYN flood attack is performed by sending the SYN packet but failing to respond to the SYN+ACK packet. The client-side can forge a packet with a fake source IP address because it does not need a reply. The server-side system will add an entry to a queue of half-open connections when it receives the SYN packet and then wait for the final ACK packet before deleting the entry from the queue. The queue has a limited number of slots and if all the slots are filled it is unable to open any further connections. If the ACK packet is not received before a specified timeout period the entry will automatically be deleted from the queue. The timeout settings vary but will typically be 30-60 seconds or even more. The client-side initiates the attack by forging a lot of SYN packets with different source IP addresses and sends them to the target IP address as fast as possible and thereby filling up the queue of half-open connections and thus preventing other clients from establishing a legitimate connection with the server." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):307 +msgid "This is where the rate limit becomes handy. It is possible to limit the rate of accepted SYN packets by using the <c>-m limit --limit 1/s</c>. This will limit the number of SYN packets accepted to one per second and therefore restricting the SYN flood on our resources." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):314 +msgid "Another option for preventing SYN floods are <uri link=\"http://cr.yp.to/syncookies.html\">SYN cookies</uri>, which allow your computer to respond to SYN packets without filling space in the connection queue. SYN cookies can be enabled in the Linux kernel configuration, but they are considered experimental at this time." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):322 +msgid "Now some practical stuff!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):326 +msgid "When iptables is loaded in the kernel it has 5 hooks where you can place your rules. They are called <c>INPUT</c>, <c>OUTPUT</c>, <c>FORWARD</c>, <c>PREROUTING</c> and <c>POSTROUTING</c>. Each of these is called a chain and consists of a list of rules. Each rule says if the packet header looks like this, then here is what to do with the packet. If the rule does not match the packet the next rule in the chain is consulted." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):335 +msgid "You can place rules directly in the 5 main chains or create new chains and add them to as a rule to an existing chain. Iptables supports the following options." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):342 +msgid "Option:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):343 +msgid "Description:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):346 +msgid "-A" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):347 +msgid "Append" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):350 +msgid "-D" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):351 +msgid "Delete" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):354 +msgid "-I" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):355 +msgid "Insert" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):358 +msgid "-R" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):359 +msgid "Replace" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):362 +msgid "-L" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):363 +msgid "List" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):366 +msgid "-F" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):367 +msgid "Delete all rules in chain or all chains" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):370 +msgid "-Z" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):371 +msgid "Zero counters in chain or all chains" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):374 +msgid "-C" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):375 +msgid "Test this packet on chain" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):378 +msgid "-N" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):379 +msgid "Create a new user-defined chain" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):382 +msgid "-X" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):383 +msgid "Delete a user-defined chain" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):386 +msgid "-P" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):387 +msgid "Change policy on chain to target" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):390 +msgid "-E" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):391 +msgid "Change chain name" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):394 +msgid "-p" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):398 +msgid "-s" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):399 +msgid "Source address/mask" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):402 +msgid "-d" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):403 +msgid "Destination address/mask" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):406 +msgid "-i" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):407 +msgid "Input name (Ethernet name)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):410 +msgid "-o" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):411 +msgid "Output name (Ethernet name)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):414 +msgid "-j" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):415 +msgid "Jump (target for rule)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):418 +msgid "-m" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):419 +msgid "Extended match (might use extension)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):422 +msgid "-n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):423 +msgid "Numeric output of addresses and ports" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):426 +msgid "-t" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):427 +msgid "Table to manipulate" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):430 +msgid "-v" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):431 +msgid "Verbose mode" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):434 +msgid "-x" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):435 +msgid "Expand numbers (display exact values)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):438 +msgid "-f" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):439 +msgid "Match second or further fragments only" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):442 +msgid "-V" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):443 +msgid "Packet version" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):446 +msgid "--line-numbers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):447 +msgid "Print line numbers when listing" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):451 +msgid "First we will try to block all ICMP packets to our machine, just to get familiar with iptables." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):456 +msgid "Block all ICMP packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):456 +#, no-wrap +msgid "\n# <i>iptables -A INPUT -p icmp -j DROP</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):460 +msgid "First we specify the chain our rule should be appended to, then the protocol of the packets to match, and finally the target. The target can be the name of a user specified chain or one of the special targets <c>ACCEPT</c>, <c>DROP</c>, <c>REJECT</c>, <c>LOG</c>, <c>QUEUE</c>, or <c>MASQUERADE</c>. In this case we use <c>DROP</c>, which will drop the packet without responding to the client." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):468 +msgid "The <c>LOG</c> target is what's known as \"non-terminating\". If a packet matches a rule with the <c>LOG</c> target, rather than halting evaluation, the packet will continue to be matched to further rules. This allows you to log packets while still processing them normally." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):475 +msgid "Now try <c>ping localhost</c>. You will not get any response, since iptables will drop all incoming ICMP messages. You will also not be able to ping other machines, since the ICMP reply packet will be dropped as well. Now flush the chain to get ICMP flowing again." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):482 +msgid "Flush all rules" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):482 +#, no-wrap +msgid "\n# <i>iptables -F</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):486 +msgid "Now lets look at the stateful packet filtering in iptables. If we wanted to enable stateful inspection of packets incoming on eth0 we would issue the command:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):492 +msgid "Accept packets that originate from an already established connection" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):492 +#, no-wrap +msgid "\n# <i>iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):496 +msgid "This will accept any packet from an already established connection or related in the INPUT chain. And you could drop any packet that is not in the state table by issuing <c>iptables -A INPUT -i eth0 -m state --state INVALID -j DROP</c> just before the previous command. This enables the stateful packet filtering in iptables by loading the extension \"state\". If you wanted to allow others to connect to your machine, you could use the flag <c>--state NEW</c>. Iptables contains some modules for different purposes. Some of them are:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):508 +msgid "Module/Match" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):509 +msgid "Description" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(th):510 +msgid "Extended options" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):513 +msgid "mac" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):514 +msgid "Matching extension for incoming packets mac address." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):515 +msgid "--mac-source" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):518 +msgid "state" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):519 +msgid "Enables stateful inspection" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):520 +msgid "--state (states are ESTABLISHED,RELATED, INVALID, NEW)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):523 +msgid "limit" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):524 +msgid "Rate matching limiting" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):525 +msgid "--limit, --limit-burst" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):528 +msgid "owner" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):529 +msgid "Attempt to match various characteristics of the packet creator" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):530 +msgid "--uid-owner userid --gid-owner groupid --pid-owner processid --sid-owner sessionid" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):536 +msgid "unclean" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(ti):537 +msgid "Various random sanity checks on packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):541 +msgid "Lets try to create a user-defined chain and apply it to one of the existing chains:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):546 +msgid "Creating a user defined chain" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):546 +#, no-wrap +msgid "\n<comment>(Create a new chain with one rule)</comment>\n# <i>iptables -X mychain</i>\n# <i>iptables -N mychain</i>\n# <i>iptables -A mychain -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT</i>\n<comment>(The default policy is all outgoing traffic is allowed. Incoming is dropped.)</comment>\n# <i>iptables -P OUTPUT ACCEPT</i>\n# <i>iptables -P INPUT DROP</i>\n<comment>(And add it to the INPUT chain)</comment>\n# <i>iptables -A INPUT -j mychain</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):558 +msgid "By applying the rule to the input chain we get the policy: All outgoing packets are allowed and all incoming packets are dropped." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):563 +msgid "One can find documentation at <uri link=\"http://www.iptables.org/documentation/index.html#HOWTO\">Netfilter/iptables documentation</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):569 +msgid "Lets see a full blown example. In this case my firewall/gateway policy states:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):574 +msgid "Connections to the firewall are only allowed through SSH (port 22)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):575 +msgid "The local network should have access to HTTP, HTTPS and SSH (DNS should also be allowed)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):579 +msgid "ICMP traffic can contain payload and should not be allowed. Of course we have to allow some ICMP traffic." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):583 +msgid "Port scans should be detected and logged" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):584 +msgid "SYN attacks should be avoided" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):585 +msgid "All other traffic should be dropped and logged" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):588 +msgid "/etc/init.d/firewall" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):588 +#, no-wrap +msgid "\n#!/sbin/runscript\nIPTABLES=/sbin/iptables\nIPTABLESSAVE=/sbin/iptables-save\nIPTABLESRESTORE=/sbin/iptables-restore\nFIREWALL=/etc/firewall.rules\nDNS1=212.242.40.3\nDNS2=212.242.40.51\n#inside\nIIP=10.0.0.2\nIINTERFACE=eth0\nLOCAL_NETWORK=10.0.0.0/24\n#outside\nOIP=217.157.156.144\nOINTERFACE=eth1\n\nopts=\"${opts} showstatus panic save restore showoptions rules\"\n\ndepend() {\n need net\n}\n\nrules() {\n stop\n ebegin \"Setting internal rules\"\n\n einfo \"Setting default rule to drop\"\n $IPTABLES -P FORWARD DROP\n $IPTABLES -P INPUT DROP\n $IPTABLES -P OUTPUT DROP\n\n #default rule\n einfo \"Creating states chain\"\n $IPTABLES -N allowed-connection\n $IPTABLES -F allowed-connection\n $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT\n $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix \\\n \"Bad packet from ${IINTERFACE}:\"\n $IPTABLES -A allowed-connection -j DROP\n\n #ICMP traffic\n einfo \"Creating icmp chain\"\n $IPTABLES -N icmp_allowed\n $IPTABLES -F icmp_allowed\n $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \\\n time-exceeded -j ACCEPT\n $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type \\\n destination-unreachable -j ACCEPT\n $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix \"Bad ICMP traffic:\"\n $IPTABLES -A icmp_allowed -p icmp -j DROP\n\n #Incoming traffic\n einfo \"Creating incoming ssh traffic chain\"\n $IPTABLES -N allow-ssh-traffic-in\n $IPTABLES -F allow-ssh-traffic-in\n #Flood protection\n $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \\\n ALL RST --dport ssh -j ACCEPT\n $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \\\n ALL FIN --dport ssh -j ACCEPT\n $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \\\n ALL SYN --dport ssh -j ACCEPT\n $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT\n\n #outgoing traffic\n einfo \"Creating outgoing ssh traffic chain\"\n $IPTABLES -N allow-ssh-traffic-out\n $IPTABLES -F allow-ssh-traffic-out\n $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT\n\n einfo \"Creating outgoing dns traffic chain\"\n $IPTABLES -N allow-dns-traffic-out\n $IPTABLES -F allow-dns-traffic-out\n $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain \\\n -j ACCEPT\n $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain \\\n -j ACCEPT\n\n einfo \"Creating outgoing http/https traffic chain\"\n $IPTABLES -N allow-www-traffic-out\n $IPTABLES -F allow-www-traffic-out\n $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT\n $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT\n\n #Catch portscanners\n einfo \"Creating portscan detection chain\"\n $IPTABLES -N check-flags\n $IPTABLES -F check-flags\n $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \\\n --limit 5/minute -j LOG --log-level alert --log-prefix \"NMAP-XMAS:\"\n $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP\n $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \\\n 5/minute -j LOG --log-level 1 --log-prefix \"XMAS:\"\n $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP\n $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \\\n -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix \"XMAS-PSH:\"\n $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP\n $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \\\n --limit 5/minute -j LOG --log-level 1 --log-prefix \"NULL_SCAN:\"\n $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP\n $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \\\n --limit 5/minute -j LOG --log-level 5 --log-prefix \"SYN/RST:\"\n $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP\n $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \\\n --limit 5/minute -j LOG --log-level 5 --log-prefix \"SYN/FIN:\"\n $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP\n\n # Apply and add invalid states to the chains\n einfo \"Applying chains to INPUT\"\n $IPTABLES -A INPUT -m state --state INVALID -j DROP\n $IPTABLES -A INPUT -p icmp -j icmp_allowed\n $IPTABLES -A INPUT -j check-flags\n $IPTABLES -A INPUT -i lo -j ACCEPT\n $IPTABLES -A INPUT -j allow-ssh-traffic-in\n $IPTABLES -A INPUT -j allowed-connection\n\n einfo \"Applying chains to FORWARD\"\n $IPTABLES -A FORWARD -m state --state INVALID -j DROP\n $IPTABLES -A FORWARD -p icmp -j icmp_allowed\n $IPTABLES -A FORWARD -j check-flags\n $IPTABLES -A FORWARD -o lo -j ACCEPT\n $IPTABLES -A FORWARD -j allow-ssh-traffic-in\n $IPTABLES -A FORWARD -j allow-www-traffic-out\n $IPTABLES -A FORWARD -j allowed-connection\n\n einfo \"Applying chains to OUTPUT\"\n $IPTABLES -A OUTPUT -m state --state INVALID -j DROP\n $IPTABLES -A OUTPUT -p icmp -j icmp_allowed\n $IPTABLES -A OUTPUT -j check-flags\n $IPTABLES -A OUTPUT -o lo -j ACCEPT\n $IPTABLES -A OUTPUT -j allow-ssh-traffic-out\n $IPTABLES -A OUTPUT -j allow-dns-traffic-out\n $IPTABLES -A OUTPUT -j allow-www-traffic-out\n $IPTABLES -A OUTPUT -j allowed-connection\n\n #Allow client to route through via NAT (Network Address Translation)\n $IPTABLES -t nat -A POSTROUTING -o $OINTERFACE -j MASQUERADE\n eend $?\n}\n\nstart() {\n ebegin \"Starting firewall\"\n if [ -e \"${FIREWALL}\" ]; then\n restore\n else\n einfo \"${FIREWALL} does not exists. Using default rules.\"\n rules\n fi\n eend $?\n}\n\nstop() {\n ebegin \"Stopping firewall\"\n $IPTABLES -F\n $IPTABLES -t nat -F\n $IPTABLES -X\n $IPTABLES -P FORWARD ACCEPT\n $IPTABLES -P INPUT ACCEPT\n $IPTABLES -P OUTPUT ACCEPT\n eend $?\n}\n\nshowstatus() {\n ebegin \"Status\"\n $IPTABLES -L -n -v --line-numbers\n einfo \"NAT status\"\n $IPTABLES -L -n -v --line-numbers -t nat\n eend $?\n}\n\npanic() {\n ebegin \"Setting panic rules\"\n $IPTABLES -F\n $IPTABLES -X\n $IPTABLES -t nat -F\n $IPTABLES -P FORWARD DROP\n $IPTABLES -P INPUT DROP\n $IPTABLES -P OUTPUT DROP\n $IPTABLES -A INPUT -i lo -j ACCEPT\n $IPTABLES -A OUTPUT -o lo -j ACCEPT\n eend $?\n}\n\nsave() {\n ebegin \"Saving Firewall rules\"\n $IPTABLESSAVE > $FIREWALL\n eend $?\n}\n\nrestore() {\n ebegin \"Restoring Firewall rules\"\n $IPTABLESRESTORE < $FIREWALL\n eend $?\n}\n\nrestart() {\n svc_stop; svc_start\n}\n\nshowoptions() {\n echo \"Usage: $0 {start|save|restore|panic|stop|restart|showstatus}\"\n echo \"start) will restore setting if exists else force rules\"\n echo \"stop) delete all rules and set all to accept\"\n echo \"rules) force settings of new rules\"\n echo \"save) will store settings in ${FIREWALL}\"\n echo \"restore) will restore settings from ${FIREWALL}\"\n echo \"showstatus) Shows the status\"\n}\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):798 +msgid "Some advice when creating a firewall:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):803 +msgid "Create your firewall policy before implementing it" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):804 +msgid "Keep it simple" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):805 +msgid "Know how each protocol works (read the relevant <uri link=\"http://www.ietf.org/\">RFC</uri>(Request For Comments))" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):809 +msgid "Keep in mind that a firewall is just another piece of software running as root." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):812 +msgid "Test your firewall" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):815 +msgid "If you think that iptables is hard to understand or takes to long to setup a decent firewall you could use <uri link=\"http://www.shorewall.net\">Shorewall</uri>. It basically uses iptables to generate firewall rules, but concentrates on rules and not specific protocols." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):828 +msgid "Squid is a very powerful proxy server. It can filter traffic based on time, regular expressions on path/URI, source and destination IP addresses, domain, browser, authenticated user name, MIME type, and port number (protocol). I probably forgot some features, but it can be hard to cover the entire list right here." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):836 +msgid "In the following example I have added a banner filter instead of a filter based on porn sites. The reason for this is that Gentoo.org should <e>not</e> be listed as some porn site. And I do not want to waste my time trying to find some good sites for you." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):843 +msgid "In this case, my policy states:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):848 +msgid "Surfing (HTTP/HTTPS) is allowed during work hours (mon-fri 8-17 and sat 8-13), but if employees are here late they should work, not surf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):852 +msgid "Downloading files is not allowed (.exe, .com, .arj, .zip, .asf, .avi, .mpg, .mpeg, etc)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):856 +msgid "We do not like banners, so they are filtered and replaced with a transparent gif (this is where you get creative!)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):860 +msgid "All other connections to and from the Internet are denied." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):865 +msgid "This is implemented in 4 <e>easy</e> steps." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):869 +msgid "/etc/squid/squid.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):869 +#, no-wrap +msgid "\n# Bind to a ip and port\nhttp_port 10.0.2.1:3128\n\n# Standard configuration\nhierarchy_stoplist cgi-bin ?\nacl QUERY urlpath_regex cgi-bin \\?\nno_cache deny QUERY\n\n# Add basic access control lists\nacl all src 0.0.0.0/0.0.0.0\nacl manager proto cache_object\nacl localhost src 127.0.0.1/255.255.255.255\n\n# Add who can access this proxy server\nacl localnet src 10.0.0.0/255.255.0.0\n\n# And ports\nacl SSL_ports port 443\nacl Safe_ports port 80\nacl Safe_ports port 443\nacl purge method PURGE\n\n# Add access control list based on regular\n# expressions within urls\nacl archives urlpath_regex \"/etc/squid/files.acl\"\nacl url_ads url_regex \"/etc/squid/banner-ads.acl\"\n\n# Add access control list based on time and day\nacl restricted_weekdays time MTWHF 8:00-17:00\nacl restricted_weekends time A 8:00-13:00\n\nacl CONNECT method CONNECT\n\n#allow manager access from localhost\nhttp_access allow manager localhost\nhttp_access deny manager\n\n# Only allow purge requests from localhost\nhttp_access allow purge localhost\nhttp_access deny purge\n\n# Deny requests to unknown ports\nhttp_access deny !Safe_ports\n\n# Deny CONNECT to other than SSL ports\nhttp_access deny CONNECT !SSL_ports\n\n# My own rules\n\n# Add a page do be displayed when\n# a banner is removed\ndeny_info NOTE_ADS_FILTERED url_ads\n\n# Then deny them\nhttp_access deny url_ads\n\n# Deny all archives\nhttp_access deny archives\n\n# Restrict access to work hours\nhttp_access allow localnet restricted_weekdays\nhttp_access allow localnet restricted_weekends\n\n# Deny the rest\nhttp_access deny all\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):937 +msgid "Next fill in the files you do not want your users to download files. I have added zip, viv, exe, mp3, rar, ace, avi, mov, mpg, mpeg, au, ra, arj, tar, gz and z files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):943 +msgid "/etc/squid/files.acl" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):943 +#, no-wrap +msgid "\n\\.[Zz][Ii][pP]$\n\\.[Vv][Ii][Vv].*\n\\.[Ee][Xx][Ee]$\n\\.[Mm][Pp]3$\n\\.[Rr][Aa][Rr]$\n\\.[Aa][Cc][Ee]$\n\\.[Aa][Ss][Ff]$\n\\.[Aa][Vv][Ii]$\n\\.[Mm][Oo][Vv]$\n\\.[Mm][Pp][Gg]$\n\\.[Mm][Pp][Ee][Gg]$\n\\.[Aa][Uu]$\n\\.[Rr][Aa]$\n\\.[Aa][Rr][Jj]$\n\\.[Tt][Aa][Rr]$\n\\.[Gg][Zz]$\n\\.[Zz]$\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):963 +msgid "Please note the [] with upper and lowercase of every character. This is done so no one can fool our filter by accessing a file called AvI instead of avi." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):968 +msgid "Next we add the regular expressions for identifying banners. You will probably be a lot more creative than I:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):973 +msgid "/etc/squid/banner-ads.acl" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):973 +#, no-wrap +msgid "\n/adv/.*\\.gif$\n/[Aa]ds/.*\\.gif$\n/[Aa]d[Pp]ix/\n/[Aa]d[Ss]erver\n/[Aa][Dd]/.*\\.[GgJj][IiPp][FfGg]$\n/[Bb]annerads/\n/adbanner.*\\.[GgJj][IiPp][FfGg]$\n/images/ad/\n/reklame/\n/RealMedia/ads/.*\n^http://www\\.submit-it.*\n^http://www\\.eads.*\n^http://ads\\.\n^http://ad\\.\n^http://ads02\\.\n^http://adaver.*\\.\n^http://adforce\\.\nadbot\\.com\n/ads/.*\\.gif.*\n_ad\\..*cgi\n/Banners/\n/SmartBanner/\n/Ads/Media/Images/\n^http://static\\.wired\\.com/advertising/\n^http://*\\.dejanews\\.com/ads/\n^http://adfu\\.blockstackers\\.com/\n^http://ads2\\.zdnet\\.com/adverts\n^http://www2\\.burstnet\\.com/gifs/\n^http://www.\\.valueclick\\.com/cgi-bin/cycle\n^http://www\\.altavista\\.com/av/gifs/ie_horiz\\.gif\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1006 +msgid "And as the last part we want this file to be displayed when a banner is removed. It is basically a half html file with a 4x4 transparent gif image." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):1011 +msgid "/etc/squid/errors/NOTE_ADS_FILTERED" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):1011 +#, no-wrap +msgid "\n<HTML>\n<HEAD>\n<META HTTP-EQUIV=\"REFRESH\" CONTENT=\"0; URL=http://localhost/images/4x4.gif\">\n<TITLE>ERROR: The requested URL could not be retrieved</TITLE>\n</HEAD>\n<BODY>\n<H1>Add filtered!</H1>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):1021 +msgid "Do not close the <HTML> <BODY> tags. This will be done by squid." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1025 +msgid "As you can see, Squid has a lot of possibilities and it is very effective at both filtering and proxying. It can even use alternative Squid proxies to scale on very large networks. The configuration I have listed here is mostly suited for a small network with 1-20 users." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1032 +msgid "But combining the packet filter (iptables) and the application gateway (Squid) is probably the best solution, even if Squid is located somewhere safe and nobody can access it from the outside. We still need to be concerned about attacks from the inside." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1039 +msgid "Now you have to configure your clients browsers to use the proxy server. The gateway will prevent the users from having any contact with the outside unless they use the proxy." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):1045 +msgid "In Mozilla Firefox this is done in Edit->Preferences->Advanced->Network." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1049 +msgid "It can also be done transparently by using iptables to forward all outbound traffic to a Squid proxy. This can be done by adding a forwarding/prerouting rule on the gateway:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre:caption):1055 +msgid "Enable portforwarding to our proxyserver" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(pre):1055 +#, no-wrap +msgid "\n# <i>iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to proxyhost:3128</i>\n# <i>iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to proxyhost:3128</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(note):1060 +msgid "If the proxy is running on the packet filtering host--though this is not recommended, it may be necessary if you do not have enough spare machines--use a <c>REDIRECT</c> target instead of <c>DNAT</c> (<c>REDIRECT</c> directs packets to the localhost)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(title):1070 +msgid "Lessons learned" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1073 +msgid "We have learned that:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1078 +msgid "A firewall can be a risk in itself. A badly configured firewall is worse than not having one at all." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1082 +msgid "How to setup a basic gateway and a transparent proxy." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1083 +msgid "The key to a good firewall is to know the protocols you want do allow." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1084 +msgid "That IP traffic does not always contain legitimate data, e.g. ICMP packets, which can contain a malicious payload." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1088 +msgid "How to prevent SYN attack." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1089 +msgid "Filtering HTTP traffic by removing offensive pictures and downloads of viruses." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(li):1090 +msgid "Combining packet filters and application gateways provides better control." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(p):1095 +msgid "Now, if you <e>really</e> need to, go create a firewall that matches your needs." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-firewalls.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-intrusion.xml.pot b/shandbook/gettext/shb-intrusion.xml.pot new file mode 100644 index 0000000..11aac18 --- /dev/null +++ b/shandbook/gettext/shb-intrusion.xml.pot @@ -0,0 +1,454 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(version):10 +msgid "2" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(date):11 +msgid "2010-07-19" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(title):14 +msgid "AIDE (Advanced Intrusion Detection Environment)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):17 +msgid "AIDE is a Host-Based Intrusion Detection System (HIDS), a free alternative to Tripwire (if you already know Tripwire you should have no difficulties learning the configuration file for AIDE). HIDS are used to detect changes to important system configuration files and binaries, generally by making a unique cryptographic hash for the files to be checked and storing it in a secure place. On a regular basis (such as once a day), the stored \"known-good\" hash is compared to the one generated from the current copy of each file, to determine if that file has changed. HIDS are a great way to detect disallowed changes to your system, but they take a little work to implement properly and make good use of." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):30 +msgid "The configuration file is based on regular expressions, macros and rules for files and directories. We have the following macros:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):37 +msgid "Macro" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):38 ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):95 ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):182 ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):218 +msgid "Description" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):39 +msgid "Syntax" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):42 +msgid "ifdef" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):43 +msgid "If definded" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):44 +msgid "@@ifdef \"name\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):47 +msgid "ifndef" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):48 +msgid "If not defined" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):49 +msgid "@@ifndef \"name\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):52 +msgid "define" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):53 +msgid "Define a variable" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):54 +msgid "@@define \"name\" \"value\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):57 +msgid "undef" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):58 +msgid "Undefine a variable" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):59 +msgid "@@undef \"name\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):62 +msgid "ifhost" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):63 +msgid "if \"hostname\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):64 +msgid "@@ifhost \"hostname\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):67 +msgid "ifnhost" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):68 +msgid "if not \"hostname\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):69 +msgid "@@ifnhost \"hostname\"" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):72 +msgid "endif" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):73 +msgid "Endif must be used after any of the above macros except define and undef" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):76 +msgid "@@endif" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):80 +msgid "These macros become very handy if you have more than one Gentoo box and want to use AIDE on all of them. But not all machines run the same services or even have the same users." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):86 +msgid "Next we have sets of flags to check for on files and directories. These are a combination of permissions, file properties and cryptographic hashes (i.e. checksums)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):94 ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):181 ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(th):217 +msgid "Flag" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):98 +msgid "p" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):99 +msgid "permissions" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):102 +msgid "i" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):103 +msgid "inode" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):106 +msgid "n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):107 +msgid "number of links" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):110 +msgid "u" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):111 +msgid "user" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):114 +msgid "g" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):115 +msgid "group" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):118 +msgid "s" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):119 +msgid "size" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):122 +msgid "b" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):123 +msgid "block count" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):126 +msgid "m" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):127 +msgid "mtime" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):130 +msgid "a" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):131 +msgid "atime" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):134 +msgid "c" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):135 +msgid "ctime" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):138 +msgid "S" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):139 +msgid "check for growing size" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):142 +msgid "md5" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):143 +msgid "md5 checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):146 +msgid "sha1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):147 +msgid "sha1 checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):150 +msgid "rmd160" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):151 +msgid "rmd160 checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):154 +msgid "tiger" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):155 +msgid "tiger checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):158 +msgid "R" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):159 +msgid "p+i+n+u+g+s+m+c+md5" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):162 +msgid "L" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):163 +msgid "p+i+n+u+g" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):166 +msgid "E" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):167 +msgid "Empty group" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):170 +msgid ">" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):171 +msgid "Growing logfile p+u+g+i+n+S" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):175 +msgid "And if AIDE is compiled with mhash support it supports a few other features:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):185 +msgid "haval" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):186 +msgid "haval checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):189 +msgid "gost" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):190 +msgid "gost checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):193 +msgid "crc32" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):194 +msgid "crc32 checksum" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):198 +msgid "Now you can create you own rules based on the above flags by combining them like this:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):203 +msgid "Create a ruleset for AIDE" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):203 +#, no-wrap +msgid "\nAll=R+a+sha1+rmd160\nNorm=s+n+b+md5+sha1+rmd160\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):208 +msgid "The last thing we need to create our own configuration file is to see how to add a rule to a file or directory. To enter a rule, combine the file or directory name and the rule. AIDE will add all files recursively unless you specify an alternate rule." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):221 +msgid "!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):222 +msgid "Don't add this file or directory." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):225 +msgid "=" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(ti):226 +msgid "Add this directory, but not recursively." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):230 +msgid "So lets watch a full blown example:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):234 +msgid "/etc/aide/aide.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):234 +#, no-wrap +msgid "\n@@ifndef TOPDIR\n@@define TOPDIR /\n@@endif\n\n@@ifndef AIDEDIR\n@@define AIDEDIR /etc/aide\n@@endif\n\n@@ifhost smbserv\n@@define smbactive\n@@endif\n\n# The location of the database to be read.\ndatabase=file:@@{AIDEDIR}/aide.db\n\n# The location of the database to be written.\ndatabase_out=file:aide.db.new\n\nverbose=20\nreport_url=stdout\n\n# Rule definition\nAll=R+a+sha1+rmd160\nNorm=s+n+b+md5+sha1+rmd160\n\n@@{TOPDIR} Norm\n!@@{TOPDIR}etc/aide\n!@@{TOPDIR}dev\n!@@{TOPDIR}media\n!@@{TOPDIR}mnt\n!@@{TOPDIR}proc\n!@@{TOPDIR}root\n!@@{TOPDIR}sys\n!@@{TOPDIR}tmp\n!@@{TOPDIR}var/log\n!@@{TOPDIR}var/run\n!@@{TOPDIR}usr/portage\n@@ifdef smbactive\n!@@{TOPDIR}etc/smb/private/secrets.tdb\n@@endif\n=@@{TOPDIR}home Norm\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):278 +msgid "In the above example we specify with some macros where the topdir starts and where the AIDE directory is. AIDE checks the <path>/etc/aide/aide.db</path> file when checking for file integrity. But when updating or creating a new file it stores the information in <path>/etc/aide/aide.db.new</path>. This is done so it won't automatically overwrite the old db file. The option <c>report_URL</c> is not yet implemented, but the author's intention was that it should be able to e-mail or maybe even execute scripts." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):288 +msgid "The AIDE ebuild now comes with a working default configuration file, a helper script and a crontab script. The helper script does a number of tasks for you and provides an interface that is a little more script friendly. To see all available options, try <c>aide --help</c>. To get started, all that needs to be done is <c>aide -i</c> and the crontab script should detect the database and send mails as appropriate every day. We recommend that you review the <path>/etc/aide/aide.conf</path> file and ensure that the configuration accurately reflects what is in place on the machine." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(note):299 +msgid "Depending on your CPU, disk access speed, and the flags you have set on files, this can take some time." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(note):304 +msgid "Remember to set an alias so you get roots mail. Otherwise you will never know what AIDE reports." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):309 +msgid "Now there is some risk inherent with storing the db files locally, since the attacker will (if they know that AIDE is installed) most certainly try to alter the db file, update the db file or modify <path>/usr/bin/aide</path>. So you should create a CD or other media and put on it a copy of the .db file and the AIDE binaries." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):317 +msgid "One can find information at the <uri link=\"http://www.cs.tut.fi/~rammer/aide.html\">AIDE</uri> project page." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(title):325 +msgid "Snort" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):328 +msgid "Snort is a Network Intrusion Detection System (NIDS). To install and configure it use the following examples." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):333 +msgid "/etc/conf.d/snort" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):333 +#, no-wrap +msgid "\nPIDFILE=/var/run/snort_eth0.pid\nMODE=\"full\"\nNETWORK=\"10.0.0.0/24\"\nLOGDIR=\"/var/log/snort\"\nCONF=/etc/snort/snort.conf\nSNORT_OPTS=\"-D -s -u snort -dev -l $LOGDIR -h $NETWORK -c $CONF\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):342 +msgid "/etc/snort/snort.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):342 +#, no-wrap +msgid "\n<comment>(Step 1)</comment>\nvar HOME_NET 10.0.0.0/24\nvar EXTERNAL_NET any\nvar SMTP $HOME_NET\nvar HTTP_SERVERS $HOME_NET\nvar SQL_SERVERS $HOME_NET\nvar DNS_SERVERS [10.0.0.2/32,212.242.40.51/32]\nvar RULE_PATH ./\n\n<comment>(Step 2)</comment>\npreprocessor frag2\npreprocessor stream4: detect_scans detect_state_problems detect_scans disable_evasion_alerts\npreprocessor stream4_reassemble: ports all\npreprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace\npreprocessor rpc_decode: 111 32771\npreprocessor bo: -nobrute\npreprocessor telnet_decode\n\n<comment>(Step 3)</comment>\ninclude classification.config\n\n<comment>(Step 4)</comment>\ninclude $RULE_PATH/bad-traffic.rules\ninclude $RULE_PATH/exploit.rules\ninclude $RULE_PATH/scan.rules\ninclude $RULE_PATH/finger.rules\ninclude $RULE_PATH/ftp.rules\ninclude $RULE_PATH/telnet.rules\ninclude $RULE_PATH/smtp.rules\ninclude $RULE_PATH/rpc.rules\ninclude $RULE_PATH/rservices.rules\ninclude $RULE_PATH/dos.rules\ninclude $RULE_PATH/ddos.rules\ninclude $RULE_PATH/dns.rules\ninclude $RULE_PATH/tftp.rules\ninclude $RULE_PATH/web-cgi.rules\ninclude $RULE_PATH/web-coldfusion.rules\ninclude $RULE_PATH/web-iis.rules\ninclude $RULE_PATH/web-frontpage.rules\ninclude $RULE_PATH/web-misc.rules\ninclude $RULE_PATH/web-attacks.rules\ninclude $RULE_PATH/sql.rules\ninclude $RULE_PATH/x11.rules\ninclude $RULE_PATH/icmp.rules\ninclude $RULE_PATH/netbios.rules\ninclude $RULE_PATH/misc.rules\ninclude $RULE_PATH/attack-responses.rules\ninclude $RULE_PATH/backdoor.rules\ninclude $RULE_PATH/shellcode.rules\ninclude $RULE_PATH/policy.rules\ninclude $RULE_PATH/porn.rules\ninclude $RULE_PATH/info.rules\ninclude $RULE_PATH/icmp-info.rules\ninclude $RULE_PATH/virus.rules\n# include $RULE_PATH/experimental.rules\ninclude $RULE_PATH/local.rules\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):401 +msgid "/etc/snort/classification.config" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):401 +#, no-wrap +msgid "\nconfig classification: not-suspicious,Not Suspicious Traffic,3\nconfig classification: unknown,Unknown Traffic,3\nconfig classification: bad-unknown,Potentially Bad Traffic, 2\nconfig classification: attempted-recon,Attempted Information Leak,2\nconfig classification: successful-recon-limited,Information Leak,2\nconfig classification: successful-recon-largescale,Large Scale Information Leak,2\nconfig classification: attempted-dos,Attempted Denial of Service,2\nconfig classification: successful-dos,Denial of Service,2\nconfig classification: attempted-user,Attempted User Privilege Gain,1\nconfig classification: unsuccessful-user,Unsuccessful User Privilege Gain,1\nconfig classification: successful-user,Successful User Privilege Gain,1\nconfig classification: attempted-admin,Attempted Administrator Privilege Gain,1\nconfig classification: successful-admin,Successful Administrator Privilege Gain,1\n\n# NEW CLASSIFICATIONS\nconfig classification: rpc-portmap-decode,Decode of an RPC Query,2\nconfig classification: shellcode-detect,Executable code was detected,1\nconfig classification: string-detect,A suspicious string was detected,3\nconfig classification: suspicious-filename-detect,A suspicious filename was detected,2\nconfig classification: suspicious-login,An attempted login using a suspicious username was detected,2\nconfig classification: system-call-detect,A system call was detected,2\nconfig classification: tcp-connection,A TCP connection was detected,4\nconfig classification: trojan-activity,A Network Trojan was detected, 1\nconfig classification: unusual-client-port-connection,A client was using an unusual port,2\nconfig classification: network-scan,Detection of a Network Scan,3\nconfig classification: denial-of-service,Detection of a Denial of Service Attack,2\nconfig classification: non-standard-protocol,Detection of a non-standard protocol or event,2\nconfig classification: protocol-command-decode,Generic Protocol Command Decode,3\nconfig classification: web-application-activity,access to a potentially vulnerable web application,2\nconfig classification: web-application-attack,Web Application Attack,1\nconfig classification: misc-activity,Misc activity,3\nconfig classification: misc-attack,Misc Attack,2\nconfig classification: icmp-event,Generic ICMP event,3\nconfig classification: kickass-porn,SCORE! Get the lotion!,1\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):438 +msgid "More information is at the <uri link=\"http://www.snort.org\">Snort</uri> web site." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(title):446 +msgid "Detecting malware with chkrootkit" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):449 +msgid "HIDS like AIDE are a great way to detect changes to your system, but it never hurts to have another line of defence. <c>chkrootkit</c> is a utility that scans common system files for the presence of rootkits--software designed to hide an intruder's actions and allow him to retain his access--and scans your system for likely traces of key loggers and other \"malware\". While <c>chkrootkit</c> (and alternatives like <c>rkhunter</c>) are useful tools, both for system maintenance and for tracking an intruder after an attack has occurred, they cannot guarantee your system is secure." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(p):460 +msgid "The best way to use <c>chkrootkit</c> to detect an intrusion is to run it routinely from <c>cron</c>. To start, emerge <path>app-forensics/chkrootkit</path>. <c>chkrootkit</c> can be run from the command line by the command of the same name, or from <c>cron</c> with an entry such as this:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre:caption):468 +msgid "Schedule chkrootkit as a cronjob" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(pre):468 +#, no-wrap +msgid "\n0 3 * * * /usr/sbin/chkrootkit\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-intrusion.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-kernel.xml.pot b/shandbook/gettext/shb-kernel.xml.pot new file mode 100644 index 0000000..060c9d3 --- /dev/null +++ b/shandbook/gettext/shb-kernel.xml.pot @@ -0,0 +1,245 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(version):10 +msgid "1.2" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(date):11 +msgid "2008-04-15" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):14 +msgid "Removing functionality" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):17 +msgid "The basic rule when configuring the kernel is to remove everything that you do not need. This will not only create a small kernel but also remove the vulnerabilities that may lie inside drivers and other features." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):23 +msgid "Also consider turning off loadable module support. Even though it is possible to add root kits without this features, it does make it harder for normal attackers to install root kits via kernel modules." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):32 +msgid "The proc filesystem" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):35 +msgid "Many kernel parameters can be altered through the <path>/proc</path> file system or by using <c>sysctl</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):40 +msgid "To dynamically change kernel parameters and variables on the fly, you need <c>CONFIG_SYSCTL</c> defined in your kernel. This is on by default in a standard 2.4 kernel." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):46 +msgid "Deactivate IP forwarding" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):46 +#, no-wrap +msgid "\n# <i>/bin/echo \"0\" > /proc/sys/net/ipv4/ip_forward</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):50 +msgid "Make sure that IP forwarding is turned off. We only want this for a multi-homed host. It's advised to set or unset this flag before all other flags since it enabled/disables other flags as well." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):56 +msgid "Drop ping packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):56 +#, no-wrap +msgid "\n# <i>/bin/echo \"1\" > /proc/sys/net/ipv4/icmp_echo_ignore_all</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):60 +msgid "This will cause the kernel to simply ignore all ping messages (also known as ICMP type 0 messages). The reason for this is that an IP packet carrying an ICMP message can contain a payload with information other than you think. Administrators use ping as a diagnostic tool and often complain if it is disabled, but there is no reason for an outsider to be able to ping. However, since it sometimes can be handy for insiders to be able to ping, you can disable ICMP type 0 messages in the firewall (allowing local administrators to continue to use this tool)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):71 +msgid "Ignore broadcast pings" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):71 +#, no-wrap +msgid "\n# <i>/bin/echo \"1\" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):75 +msgid "This disables response to ICMP broadcasts and will prevent Smurf attacks. The Smurf attack works by sending an ICMP type 0 (ping) message to the broadcast address of a network. Typically the attacker will use a spoofed source address. All the computers on the network will respond to the ping message and thereby flood the host at the spoofed source address." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):83 +msgid "Disable source routed packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):83 +#, no-wrap +msgid "\n# <i>/bin/echo \"0\" > /proc/sys/net/ipv4/conf/all/accept_source_route</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):87 +msgid "Do not accept source routed packets. Attackers can use source routing to generate traffic pretending to originate from inside your network, but that is actually routed back along the path from which it came, so attackers can compromise your network. Source routing is rarely used for legitimate purposes, so it is safe to disable it." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):95 +msgid "Disable redirect acceptance" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):95 +#, no-wrap +msgid "\n# <i>/bin/echo \"0\" > /proc/sys/net/ipv4/conf/all/accept_redirects</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):99 +msgid "Do not accept ICMP redirect packets. ICMP redirects can be used to alter your routing tables, possibly to a malicious end." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):104 +msgid "Protect against bad error messages" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):104 +#, no-wrap +msgid "\n# <i>/bin/echo \"1\" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):108 +msgid "Enable protection against bogus error message responses." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):112 +msgid "Enable reverse path filtering" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):112 +#, no-wrap +msgid "\n# <i>for i in /proc/sys/net/ipv4/conf/*; do\n /bin/echo \"1\" > $i/rp_filter\ndone</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):118 +msgid "Turn on reverse path filtering. This helps make sure that packets use legitimate source addresses by automatically rejecting incoming packets if the routing table entry for their source address does not match the network interface they are arriving on. This has security advantages because it prevents IP spoofing. We need to enable it for each <path>net/ipv4/conf/*</path> otherwise source validation isn't fully functional." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(warn):127 +msgid "However turning on reverse path filtering can be a problem if you use asymmetric routing (packets from you to a host take a different path than packets from that host to you) or if you operate a non-routing host which has several IP addresses on different interfaces." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):134 +msgid "Log all spoofed, source routed and redirect packets" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):134 +#, no-wrap +msgid "\n# <i>/bin/echo \"1\" > /proc/sys/net/ipv4/conf/all/log_martians</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):138 +msgid "Log spoofed packets, source routed packets and redirect packets." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):142 +msgid "All these settings will be reset when the machine is rebooted. I suggest that you add them to <path>/etc/sysctl.conf</path>, which is automatically sourced by the <path>/etc/init.d/bootmisc</path> init script." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):148 +msgid "The syntax for <path>/etc/sysctl.conf</path> is pretty straightforward. Strip off the <path>/proc/sys/</path> from the previously mentioned paths and substitute <path>/</path> with <path>.</path>:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre:caption):154 +msgid "Translating to sysctl.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(pre):154 +#, no-wrap +msgid "\n<comment>(Manual using echo):</comment>\n/bin/echo \"0\" > /proc/sys/net/ipv4/ip_forward\n\n<comment>(Automatic in sysctl.conf:)</comment>\nnet.ipv4.ip_forward = 0\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):165 +msgid "Grsecurity" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):168 +msgid "The patch from <uri link=\"http://grsecurity.net\">Grsecurity</uri> is standard in the <c>sys-kernel/hardened-sources</c> but is disabled by default. Configure your kernel as you normally do and then configure the Grsecurity options. An in-depth explanation on the available Grsecurity options is available on the <uri link=\"/proj/en/hardened\">Gentoo Hardened</uri> project page." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):176 +msgid "Recent <c>hardened-sources</c> provide the 2.* version of Grsecurity. For more information on this improved Grsecurity patch set, please consult the documentation available on the <uri link=\"http://www.grsecurity.net/\">Grsecurity home page</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):186 +msgid "Kerneli" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):189 +msgid "<uri link=\"http://www.Kerneli.org\">Kerneli</uri> is a patch that adds encryption to the existing kernel. By patching your kernel you will get new options such as cryptographic ciphers, digest algorithms and cryptographic loop filters." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(warn):195 +msgid "The kerneli patch is currently not in a stable version for the latest kernel, so be careful when using it." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(title):203 +msgid "Other kernel patches" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):207 +msgid "http://www.openwall.com" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):207 +msgid "The OpenWall Project" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):208 +msgid "http://www.lids.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):208 +msgid "Linux Intrusion Detection System" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):209 +msgid "http://www.rsbac.org" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):209 +msgid "Rule Set Based Access Control" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):211 +msgid "http://www.nsa.gov/selinux" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):211 +msgid "NSA's security enhanced kernel" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri:link):213 +msgid "http://sourceforge.net/projects/wolk/" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(uri):213 +msgid "Wolk" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(p):216 +msgid "And there are probably a lot more." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-kernel.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-limits.xml.pot b/shandbook/gettext/shb-limits.xml.pot new file mode 100644 index 0000000..d317a10 --- /dev/null +++ b/shandbook/gettext/shb-limits.xml.pot @@ -0,0 +1,184 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(version):10 +msgid "1.5" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(date):11 +msgid "2010-04-26" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):14 ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):24 +msgid "/etc/security/limits.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):17 +msgid "Controlling resource usage can be very effective when trying to prevent a local Denial of Service or restricting the maximum allowed logins for a group or user. However, too strict settings will impede on your system's behavior and will result in program failures so make sure that you check each setting first." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):24 +#, no-wrap +msgid "\n* soft core 0\n* hard core 0\n* hard nproc 15\n* hard rss 10000\n* - maxlogins 2\n@dev hard core 100000\n@dev soft nproc 20\n@dev hard nproc 35\n@dev - maxlogins 10\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):36 +msgid "If you find yourself trying to set <c>nproc</c> or <c>maxlogins</c> to 0, maybe you should delete the user instead. The example above sets the group <c>dev</c> settings for processes, core file and <c>maxlogins</c>. The rest is set to a default value." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(note):43 +msgid "<path>/etc/security/limits.conf</path> is part of the PAM package and will only apply to packages that use PAM." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):51 ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):61 +msgid "/etc/limits" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):54 +msgid "<path>/etc/limits</path> is very similar to the limit file <path>/etc/security/limits.conf</path>. The only difference is the format and that it only works on users or wild cards (not groups). Let's have a look at a sample configuration:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):61 +#, no-wrap +msgid "\n* L2 C0 U15 R10000\nkn L10 C100000 U35\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):66 +msgid "Here we set the default settings and a specific setting for the user kn. Limits are part of the sys-apps/shadow package. It is not necessary to set any limits in this file if you have enabled <c>pam</c> in <path>/etc/make.conf</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):75 +msgid "Quotas" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(warn):78 +msgid "Make sure the file systems you are working with support quotas. In order to use quotas on ReiserFS, you must patch your kernel with patches available from <uri link=\"ftp://ftp.namesys.com/pub/reiserfs-for-2.4/testing/quota-2.4.20\">Namesys</uri>. User tools are available from <uri link=\"http://www.sf.net/projects/linuxquota/\">the Linux DiskQuota project</uri>. While quotas do work with ReiserFS, you may encounter other issues while trying to use them--you have been warned!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):89 +msgid "Putting quotas on a file system restricts disk usage on a per-user or per-group basis. Quotas are enabled in the kernel and added to a mount point in <path>/etc/fstab</path>. The kernel option is enabled in the kernel configuration under <c>File systems->Quota support</c>. Apply the following settings, rebuild the kernel and reboot using the new kernel." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):97 +msgid "Start by installing quotas with <c>emerge quota</c>. Then modify your <path>/etc/fstab</path> and add <c>usrquota</c> and <c>grpquota</c> to the partitions that you want to restrict disk usage on, like in the example below." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):103 +msgid "/etc/fstab" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):103 +#, no-wrap +msgid "\n/dev/sda1 /boot ext2 noauto,noatime 1 1\n/dev/sda2 none swap sw 0 0\n/dev/sda3 / reiserfs notail,noatime 0 0\n/dev/sda4 /tmp ext3 noatime,nodev,nosuid,noexec,usrquota,grpquota 0 0\n/dev/sda5 /var ext3 noatime,nodev,usrquota,grpquota 0 0\n/dev/sda6 /home ext3 noatime,nodev,nosuid,usrquota,grpquota 0 0\n/dev/sda7 /usr reiserfs notail,noatime,nodev,ro 0 0\n/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0\nproc /proc proc defaults 0 0\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):115 +msgid "On every partition that you have enabled quotas, create the quota files (<path>aquota.user</path> and <path>aquota.group</path>) and place them in the root of the partition." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):121 +msgid "Creating the quota files" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):121 +#, no-wrap +msgid "\n# <i>touch /tmp/aquota.user</i>\n# <i>touch /tmp/aquota.group</i>\n# <i>chmod 600 /tmp/aquota.user</i>\n# <i>chmod 600 /tmp/aquota.group</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):128 +msgid "This step has to be done on every partition where quotas are enabled. After adding and configuring the quota files, we need to add the <c>quota</c> script to the boot run level." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(impo):134 +msgid "XFS does all quota checks internally, and does <e>not</e> need the <c>quota</c> script added to the boot runlevel. There may be other filesystems not listed in this document with similar behavior, so please read the manpages for your filesystem to learn more about how it handles quota checks." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):141 +msgid "Adding quota to the boot runlevel" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):141 +#, no-wrap +msgid "\n# <i>rc-update add quota boot</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):145 +msgid "We will now configure the system to check the quotas once a week by adding the following line to <path>/etc/crontab</path>:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):150 +msgid "Adding quota check to crontab" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):150 +#, no-wrap +msgid "\n0 3 * * 0 /usr/sbin/quotacheck -avug.\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):154 +msgid "After rebooting the machine, it is time to setup the quotas for users and groups. <c>edquota -u kn</c> will start the editor defined in $EDITOR (default is nano) and let you edit the quotas of the user kn. <c>edquota -g</c> will do the same thing for groups." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):161 +msgid "Setting up quota's for user kn" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):161 +#, no-wrap +msgid "\nQuotas for user kn:\n/dev/sda4: blocks in use: 2594, limits (soft = 5000, hard = 6500)\n inodes in use: 356, limits (soft = 1000, hard = 1500)\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):167 +msgid "For more detail read <c>man edquota</c> or the <uri link=\"http://www.tldp.org/HOWTO/Quota.html\">Quota mini howto</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):175 +msgid "/etc/login.defs" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):178 +msgid "If your security policy states that users should change their password every other week, change the value <c>PASS_MAX_DAYS</c> to 14 and <c>PASS_WARN_AGE</c> to 7. It is recommended that you use password aging since brute force methods can find any password, given enough time. We also encourage you to set <c>LOG_OK_LOGINS</c> to yes." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(title):189 ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre:caption):206 +msgid "/etc/security/access.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):192 +msgid "The <path>access.conf</path> file is also part of the <c>sys-libs/pam</c> package, which provides a login access control table. This table is used to control who can and cannot login based on user name, group name or host name. By default, all users on the system are allowed to login, so the file consists only of comments and examples. Whether you are securing your server or workstation, we recommend that you setup this file so no one other than yourself (the admin) has access to the console." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(note):202 +msgid "These settings apply for root, as well." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(pre):206 +#, no-wrap +msgid "\n-:ALL EXCEPT wheel sync:console\n-:wheel:ALL EXCEPT LOCAL .gentoo.org\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(impo):211 +msgid "Be careful when configuring these options, since mistakes will leave you with no access to the machine if you do not have root access." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(note):216 +msgid "These settings do not apply to SSH, since SSH does not execute <c>/bin/login</c> per default. This can be enabled by setting <c>UseLogin yes</c> in <path>/etc/ssh/sshd_config</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(p):222 +msgid "This will setup login access so members of the wheel group can login locally or from the gentoo.org domain. Maybe too paranoid, but better to be safe than sorry." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-limits.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-logging.xml.pot b/shandbook/gettext/shb-logging.xml.pot new file mode 100644 index 0000000..1db51b3 --- /dev/null +++ b/shandbook/gettext/shb-logging.xml.pot @@ -0,0 +1,165 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(version):10 +msgid "1.3" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(date):11 +msgid "2010-04-02" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):14 +msgid "Introduction" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):16 +msgid "Extra logging should be added to catch warnings or errors that might indicate an ongoing attack or a successful compromise. Attackers often scan or probe before attacking." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):22 +msgid "It's also vital that your log files are easily readable and manageable. Gentoo Linux lets you choose between 3 different loggers when installing." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):30 +msgid "Logging: Syslogd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):33 +msgid "Syslogd is the most common logger for Linux and Unix in general. It has some log rotation facilities, but using <path>/usr/sbin/logrotate</path> in a cron job (logrotate is configured in <path>/etc/logrotate.conf</path>) might prove to be more powerful as <c>logrotate</c> has many features. How often log rotation should be done depends on the system load." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):42 +msgid "Below is the standard <path>syslog.conf</path> with some added features. We have uncommented the <c>cron</c> and <c>tty</c> lines and added a remote logging server. To further enhance security you could add logging to two places." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):48 +msgid "/etc/syslog.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):48 +#, no-wrap +msgid "\n# /etc/syslog.conf Configuration file for syslogd.\n#\n# For more information see syslog.conf(5)\n# manpage.\n# This is from Debian, we are using it for now\n# Daniel Robbins, 5/15/99\n\n#\n# First some standard logfiles. Log by facility.\n#\n\nauth,authpriv.* /var/log/auth.log\n*.*;auth,authpriv.none -/var/log/syslog\ncron.* /var/log/cron.log\ndaemon.* -/var/log/daemon.log\nkern.* -/var/log/kern.log\nlpr.* -/var/log/lpr.log\nmail.* /var/log/mail.log\nuser.* -/var/log/user.log\nuucp.* -/var/log/uucp.log\nlocal6.debug /var/log/imapd.log\n\n#\n# Logging for the mail system. Split it up so that\n# it is easy to write scripts to parse these files.\n#\nmail.info -/var/log/mail.info\nmail.warn -/var/log/mail.warn\nmail.err /var/log/mail.err\n\n# Logging for INN news system\n#\nnews.crit /var/log/news/news.crit\nnews.err /var/log/news/news.err\nnews.notice -/var/log/news/news.notice\n\n#\n# Some `catch-all' logfiles.\n#\n*.=debug;\\\n auth,authpriv.none;\\\n news.none;mail.none -/var/log/debug\n*.=info;*.=notice;*.=warn;\\\n auth,authpriv.none;\\\n cron,daemon.none;\\\n mail,news.none -/var/log/messages\n\n#\n# Emergencies and alerts are sent to everybody logged in.\n#\n*.emerg *\n*.=alert *\n\n#\n# I like to have messages displayed on the console, but only on a virtual\n# console I usually leave idle.\n#\ndaemon,mail.*;\\\n news.=crit;news.=err;news.=notice;\\\n *.=debug;*.=info;\\\n *.=notice;*.=warn /dev/tty8\n\n#Setup a remote logging server\n*.* @logserver\n\n# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,\n# you must invoke `xconsole' with the `-file' option:\n#\n# $ xconsole -file /dev/xconsole [...]\n#\n# NOTE: adjust the list below, or you'll go crazy if you have a reasonably\n# busy site..\n#\n#daemon.*,mail.*;\\\n# news.crit;news.err;news.notice;\\\n# *.=debug;*.=info;\\\n# *.=notice;*.=warn |/dev/xconsole\n\nlocal2.* --/var/log/ppp.log\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):130 +msgid "Attackers will most likely try to erase their tracks by editing or deleting log files. You can make it harder for them by logging to one or more remote logging servers on other machines. Get more info about syslogd by executing <c>man syslog</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):140 +msgid "Metalog" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):143 +msgid "<uri link=\"http://metalog.sourceforge.net\">Metalog</uri> by Frank Dennis is not able to log to a remote server, but it does have advantages when it comes to performance and logging flexibility. It can log by program name, urgency, facility (like syslogd), and comes with regular expression matching with which you can launch external scripts when specific patterns are found. It is very good at taking action when needed." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):152 +msgid "The standard configuration is usually enough. If you want to be notified by email whenever a password failure occurs use one of the following scripts." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):157 +msgid "For postfix:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):161 +msgid "/usr/local/sbin/mail_pwd_failures.sh for postfix" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):161 +#, no-wrap +msgid "\n#! /bin/sh\necho \"$3\" | mail -s \"Warning (program : $2)\" root\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):166 +msgid "For netqmail:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):170 +msgid "/usr/local/sbin/mail_pwd_failures.sh for netqmail" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):170 +#, no-wrap +msgid "\n#!/bin/sh\necho \"To: root\nSubject:Failure (Warning: $2)\n$3\n\" | /var/qmail/bin/qmail-inject -f root\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):178 +msgid "Remember to make the script executable by issuing <c>/bin/chmod +x /usr/local/sbin/mail_pwd_failures.sh</c>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):183 +msgid "Then uncomment the command line under \"Password failures\" in <path>/etc/metalog/metalog.conf</path> like:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):188 +msgid "/etc/metalog/metalog.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):188 +#, no-wrap +msgid "\ncommand = \"/usr/local/sbin/mail_pwd_failures.sh\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):195 +msgid "Syslog-ng" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):198 +msgid "Syslog-ng provides some of the same features as syslog and metalog with a small difference. It can filter messages based on level and content (like metalog), provide remote logging like syslog, handle logs from syslogd (even streams from Solaris), write to a TTY, execute programs, and it can act as a logging server. Basically it is the best of both loggers combined with advanced configuration." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):206 +msgid "Below is a classic configuration file slightly modified." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre:caption):210 +msgid "/etc/syslog-ng/syslog-ng.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(pre):210 +#, no-wrap +msgid "\noptions {\n chain_hostnames(no);\n\n <comment># The default action of syslog-ng is to log a STATS line\n # to the file every 10 minutes. That's pretty ugly after a while.\n # Change it to every 12 hours so you get a nice daily update of\n # how many messages syslog-ng missed (0).</comment>\n stats_freq(43200);\n};\n\nsource src {\n unix-stream(\"/dev/log\" max-connections(256));\n internal();\n};\n\nsource kernsrc { file(\"/proc/kmsg\"); };\n\n<comment># define destinations</comment>\ndestination authlog { file(\"/var/log/auth.log\"); };\ndestination syslog { file(\"/var/log/syslog\"); };\ndestination cron { file(\"/var/log/cron.log\"); };\ndestination daemon { file(\"/var/log/daemon.log\"); };\ndestination kern { file(\"/var/log/kern.log\"); };\ndestination lpr { file(\"/var/log/lpr.log\"); };\ndestination user { file(\"/var/log/user.log\"); };\ndestination mail { file(\"/var/log/mail.log\"); };\n\ndestination mailinfo { file(\"/var/log/mail.info\"); };\ndestination mailwarn { file(\"/var/log/mail.warn\"); };\ndestination mailerr { file(\"/var/log/mail.err\"); };\n\ndestination newscrit { file(\"/var/log/news/news.crit\"); };\ndestination newserr { file(\"/var/log/news/news.err\"); };\ndestination newsnotice { file(\"/var/log/news/news.notice\"); };\n\ndestination debug { file(\"/var/log/debug\"); };\ndestination messages { file(\"/var/log/messages\"); };\ndestination console { usertty(\"root\"); };\n\n<comment># By default messages are logged to tty12...</comment>\ndestination console_all { file(\"/dev/tty12\"); };\n\n<comment># ...if you intend to use /dev/console for programs like xconsole\n# you can comment out the destination line above that references /dev/tty12\n# and uncomment the line below.</comment>\n#destination console_all { file(\"/dev/console\"); };\n\n<comment># create filters</comment>\nfilter f_authpriv { facility(auth, authpriv); };\nfilter f_syslog { not facility(authpriv, mail); };\nfilter f_cron { facility(cron); };\nfilter f_daemon { facility(daemon); };\nfilter f_kern { facility(kern); };\nfilter f_lpr { facility(lpr); };\nfilter f_mail { facility(mail); };\nfilter f_user { facility(user); };\nfilter f_debug { not facility(auth, authpriv, news, mail); };\nfilter f_messages { level(info..warn)\n and not facility(auth, authpriv, mail, news); };\nfilter f_emergency { level(emerg); };\n\nfilter f_info { level(info); };\nfilter f_notice { level(notice); };\nfilter f_warn { level(warn); };\nfilter f_crit { level(crit); };\nfilter f_err { level(err); };\nfilter f_failed { message(\"failed\"); };\nfilter f_denied { message(\"denied\"); };\n\n<comment># connect filter and destination</comment>\nlog { source(src); filter(f_authpriv); destination(authlog); };\nlog { source(src); filter(f_syslog); destination(syslog); };\nlog { source(src); filter(f_cron); destination(cron); };\nlog { source(src); filter(f_daemon); destination(daemon); };\nlog { source(kernsrc); filter(f_kern); destination(kern); };\nlog { source(src); filter(f_lpr); destination(lpr); };\nlog { source(src); filter(f_mail); destination(mail); };\nlog { source(src); filter(f_user); destination(user); };\nlog { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };\nlog { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };\nlog { source(src); filter(f_mail); filter(f_err); destination(mailerr); };\n\nlog { source(src); filter(f_debug); destination(debug); };\nlog { source(src); filter(f_messages); destination(messages); };\nlog { source(src); filter(f_emergency); destination(console); };\n\n<comment># default log</comment>\nlog { source(src); destination(console_all); };\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):301 +msgid "Syslog-ng is very easy to configure, but it is also very easy to miss something in the configuration file since it is huge. The author still promises some extra features like encryption, authentication, compression and MAC (Mandatory Access Control) control. With these options it will be a perfect for network logging, since the attacker cannot spy on the log." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):309 +msgid "And syslog-ng does have one other advantage: it does not have to run as root!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(title):317 +msgid "Log analysis with Logcheck" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):320 +msgid "Of course, keeping logs alone is only half the battle. An application such as Logcheck can make regular log analysis much easier. Logcheck is a script, accompanied by a binary called <c>logtail</c>, that runs from your cron daemon and checks your logs against a set of rules for suspicious activity. It then mails the output to root's mailbox." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):327 +msgid "Logcheck and logtail are part of the <c>app-admin/logsentry</c> package." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(p):330 +msgid "Logcheck uses four files to filter important log entries from the unimportant. These files are <path>logcheck.hacking</path>, which contains known hacking attack messages, <path>logcheck.violations</path>, which contains patterns indicating security violations, <path>logcheck.violations.ignore</path>, which contains keywords likely to be matched by the violations file, allowing normal entries to be ignored, and <path>logcheck.ignore</path>, which matches those entries to be ignored." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(warn):341 +msgid "Do not leave <path>logcheck.violations.ignore</path> empty. Logcheck uses <c>grep</c> to parse logs, some versions of which will take an empty file to mean wildcard. All violations would thus be ignored." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-logging.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-mounting.xml.pot b/shandbook/gettext/shb-mounting.xml.pot new file mode 100644 index 0000000..3f7da12 --- /dev/null +++ b/shandbook/gettext/shb-mounting.xml.pot @@ -0,0 +1,73 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(version):10 +msgid "1.0" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(date):11 +msgid "2005-05-31" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(title):14 +msgid "Mounting partitions" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(p):17 +msgid "When mounting an <c>ext2</c>, <c>ext3</c>, or <c>reiserfs</c> partition, you have several options you can apply to the file <path>/etc/fstab</path>. The options are:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(li):24 +msgid "<c>nosuid</c> - Will ignore the SUID bit and make it just like an ordinary file" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(li):28 +msgid "<c>noexec</c> - Will prevent execution of files from this partition" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(li):31 +msgid "<c>nodev</c> - Ignores devices" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(p):36 +msgid "Unfortunately, these settings can easily be circumvented by executing a non-direct path. However, setting <path>/tmp</path> to noexec will stop the majority of exploits designed to be executed directly from <path>/tmp</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(pre:caption):42 +msgid "/etc/fstab" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(pre):42 +#, no-wrap +msgid "\n/dev/sda1 /boot ext2 noauto,noatime 1 1\n/dev/sda2 none swap sw 0 0\n/dev/sda3 / reiserfs notail,noatime 0 0\n/dev/sda4 /tmp reiserfs notail,noatime,nodev,nosuid,noexec 0 0\n/dev/sda5 /var reiserfs notail,noatime,nodev 0 0\n/dev/sda6 /home reiserfs notail,noatime,nodev,nosuid 0 0\n/dev/sda7 /usr reiserfs notail,noatime,nodev,ro 0 0\n/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0\nproc /proc proc defaults 0 0\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(warn):54 +msgid "Placing <path>/tmp</path> in <c>noexec</c> mode can prevent certain scripts from executing properly." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(note):59 +msgid "For disk quotas see <uri link=\"?part=1&chap=5#quotas\">the Quotas section</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(note):63 +msgid "I do not set <path>/var</path> to <c>noexec</c> or <c>nosuid</c>, even if files normally are never executed from this mount point. The reason for this is that netqmail is installed in <path>/var/qmail</path> and must be allowed to execute and access one SUID file. I setup <path>/usr</path> in read-only mode since I never write anything there unless I want to update Gentoo. Then I remount the file system in read-write mode, update and remount again." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(note):72 +msgid "Even if you do not use netqmail, Gentoo still needs the executable bit set on <path>/var/tmp</path> since ebuilds are made here. But an alternative path can be setup if you insist on having <path>/var</path> mounted in <c>noexec</c> mode." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-mounting.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-pam.xml.pot b/shandbook/gettext/shb-pam.xml.pot new file mode 100644 index 0000000..54df79e --- /dev/null +++ b/shandbook/gettext/shb-pam.xml.pot @@ -0,0 +1,76 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(date):11 +msgid "2006-08-03" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(title):14 +msgid "PAM" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(p):17 +msgid "PAM is a suite of shared libraries that provide an alternative way providing user authentication in programs. The <c>pam</c> USE flag is turned on by default. Thus the PAM settings on Gentoo Linux are pretty reasonable, but there is always room for improvement. First install cracklib." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre:caption):24 +msgid "Installing cracklib" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre):24 +#, no-wrap +msgid "\n# <i>emerge cracklib</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre:caption):28 +msgid "/etc/pam.d/passwd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre):28 +#, no-wrap +msgid "\nauth required pam_unix.so shadow nullok\naccount required pam_unix.so\npassword required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2\npassword required pam_unix.so md5 use_authtok\nsession required pam_unix.so\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(p):36 +msgid "This will add the cracklib which will ensure that the user passwords are at least 8 characters and contain a minimum of 2 digits, 2 other characters, and are more than 3 characters different from the last password. This forces the user to choose a good password (password policy). Check the <uri link=\"http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html\">PAM</uri> documentation for more options." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre:caption):45 +msgid "/etc/pam.d/sshd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre):45 +#, no-wrap +msgid "\nauth required pam_unix.so nullok\nauth required pam_shells.so\nauth required pam_nologin.so\nauth required pam_env.so\naccount required pam_unix.so\npassword required pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=-2 ocredit=-2 use_authtok\npassword required pam_unix.so shadow md5\nsession required pam_unix.so\nsession required pam_limits.so\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(p):57 +msgid "Every service not configured with a PAM file in <path>/etc/pam.d</path> will use the rules in <path>/etc/pam.d/other</path>. The defaults are set to <c>deny</c>, as they should be. But I like to have a lot of logs, which is why I added <c>pam_warn.so</c>. The last configuration is <c>pam_limits</c>, which is controlled by <path>/etc/security/limits.conf</path>. See the <uri link=\"?part=1&chap=5#limits_conf\">/etc/security/limits.conf</uri> section for more on these settings." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre:caption):67 +msgid "/etc/pam.d/other" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(pre):67 +#, no-wrap +msgid "\nauth required pam_deny.so\nauth required pam_warn.so\naccount required pam_deny.so\naccount required pam_warn.so\npassword required pam_deny.so\npassword required pam_warn.so\nsession required pam_deny.so\nsession required pam_warn.so\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pam.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-perms.xml.pot b/shandbook/gettext/shb-perms.xml.pot new file mode 100644 index 0000000..0e72299 --- /dev/null +++ b/shandbook/gettext/shb-perms.xml.pot @@ -0,0 +1,133 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(date):11 +msgid "2006-09-16" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):14 +msgid "World readable" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):17 +msgid "Normal users should not have access to configuration files or passwords. An attacker can steal passwords from databases or web sites and use them to deface--or even worse, delete--data. This is why it is important that your file permissions are correct. If you are sure that a file is only used by root, assign it with the permissions <c>0600</c> and assign the file to the correct user with <c>chown</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):29 +msgid "World/Group writable" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):32 +msgid "Finding world-writable files and directories" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):32 +#, no-wrap +msgid "\n# <i>find / -type f \\( -perm -2 -o -perm -20 \\) -exec ls -lg {} \\; 2>/dev/null >writable.txt</i>\n# <i>find / -type d \\( -perm -2 -o -perm -20 \\) -exec ls -ldg {} \\; 2>/dev/null >>writable.txt</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):37 +msgid "This will create a huge file with permission of all files having either write permission set to the group or everybody. Check the permissions and eliminate world writable files to everyone, by executing <c>/bin/chmod o-w</c> on the files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):47 +msgid "SUID/SGID files" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):50 +msgid "Files with the SUID or SGID bit set execute with privileges of the <e>owning</e> user or group and not the user executing the file. Normally these bits are used on files that must run as root in order to do what they do. These files can lead to local root compromises (if they contain security holes). This is dangerous and files with the SUID or SGID bits set should be avoided at any cost. If you do not use these files, use <c>chmod 0</c> on them or unmerge the package that they came from (check which package they belong to by using <c>equery</c>; if you do not already have it installed simply type <c>emerge gentoolkit</c>). Otherwise just turn the SUID bit off with <c>chmod -s</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):62 +msgid "Finding setuid files" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):62 +#, no-wrap +msgid "\n# <i>find / -type f \\( -perm -004000 -o -perm -002000 \\) -exec ls -lg {} \\; 2>/dev/null >suidfiles.txt</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):66 +msgid "This will create a file containing a list of all the SUID/SGID files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):70 +msgid "List of setuid binaries" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):70 +#, no-wrap +msgid "\n/bin/su\n/bin/ping\n/bin/mount\n/bin/umount\n/var/qmail/bin/qmail-queue\n/usr/bin/chfn\n/usr/bin/chsh\n/usr/bin/crontab\n/usr/bin/chage\n/usr/bin/expiry\n/usr/bin/sperl5.6.1\n/usr/bin/newgrp\n/usr/bin/passwd\n/usr/bin/gpasswd\n/usr/bin/procmail\n/usr/bin/suidperl\n/usr/lib/misc/pt_chown\n/usr/sbin/unix_chkpwd\n/usr/sbin/traceroute\n/usr/sbin/pwdb_chkpwd\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):93 +msgid "By default Gentoo Linux does not have a lot of SUID files (though this depends on what you installed), but you might get a list like the one above. Most of the commands should not be used by normal users, only root. Switch off the SUID bit on <c>ping</c>, <c>mount</c>, <c>umount</c>, <c>chfn</c>, <c>chsh</c>, <c>newgrp</c>, <c>suidperl</c>, <c>pt_chown</c> and <c>traceroute</c> by executing <c>chmod -s</c> on every file. Don't remove the bit on <c>su</c>, <c>qmail-queue</c> or <c>unix_chkpwd</c>. Removing setuid from those files will prevent you from <c>su</c>'ing and receiving mail. By removing the bit (where it is safe to do so) you remove the possibility of a normal user (or an attacker) gaining root access through any of these files." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):106 +msgid "The only SUID files that I have on my system are <c>su</c>, <c>passwd</c>, <c>gpasswd</c>, <c>qmail-queue</c>, <c>unix_chkpwd</c> and <c>pwdb_chkpwd</c>. But if you are running X, you might have some more, since X needs the elevated access afforded by SUID." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):116 +msgid "SUID/SGID binaries and Hard links" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):119 +msgid "A file is only considered deleted when there are no more links pointing to it. This might sound like a strange concept, but consider that a filename like <path>/usr/bin/perl</path> is actually a link to the inode where the data is stored. Any number of links can point to the file, and until all of them are gone, the file still exists." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):127 +msgid "If your users have access to a partition that isn't mounted with <c>nosuid</c> or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, or <path>/var/tmp</path> are not separate partitions) you should take care to ensure your users don't create hard links to SUID or SGID binaries, so that after Portage updates they still have access to the old versions." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(warn):135 +msgid "if you have received a warning from portage about remaining hard links, and your users can write to a partition that allows executing SUID/SGID files, you should read this section carefully. One of your users may be attempting to circumvent your update by keeping an outdated version of a program. If your users cannot create their own SUID files, or can only execute programs using the dynamic loader (partitions mounted <c>noexec</c>), you do not have to worry." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(note):145 +msgid "Users do not need read access to a file to create a link to it, they only need read permission to the directory that contains it." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):150 +msgid "To check how many links a file has, you can use the <c>stat</c> command." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):154 +msgid "Stat command" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):154 +#, no-wrap +msgid "\n$ stat /bin/su\n File: `/bin/su'\n Size: 29350 Blocks: 64 IO Block: 131072 regular file\nDevice: 900h/2304d Inode: 2057419 Links: 1\nAccess: (4711/-rws--x--x) Uid: ( 0/ root) Gid: ( 0/ root)\nAccess: 2005-02-07 01:59:35.000000000 +0000\nModify: 2004-11-04 01:46:17.000000000 +0000\nChange: 2004-11-04 01:46:17.000000000 +0000\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):165 +msgid "To find the SUID and SGID files with multiple links, you can use <c>find</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):169 +msgid "Finding multiply linked suid/sgid binaries" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):169 +#, no-wrap +msgid "\n$ find / -type f \\( -perm -004000 -o -perm -002000 \\) -links +1 -ls\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-pre.xml.pot b/shandbook/gettext/shb-pre.xml.pot new file mode 100644 index 0000000..108c100 --- /dev/null +++ b/shandbook/gettext/shb-pre.xml.pot @@ -0,0 +1,208 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(version):10 +msgid "1.0" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(date):11 +msgid "2005-05-31" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):14 +msgid "Physical Security" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):17 +msgid "No matter how many safeguards you implement, they can all be easily circumvented by an attacker with physical access to your computer. Despite this, there are at least some measures that can be taken to provide a degree of security against an attacker with physical access to your machine. Putting your hardware in a locked closet prevents an attacker from simply unplugging it and carting it off. Locking your computer's case is also a good idea, to make sure that an attacker cannot simply walk away with your hard drive. To prevent an attacker from booting from another disk, nicely circumventing your permissions and login restrictions, try setting the hard drive as the first boot device in your BIOS, and setting a BIOS password. It is also important to set a LILO or GRUB boot password, to prevent a malicious user from booting into single-user mode and gaining complete access to your system. This is covered in more detail in Chapter 3, under <uri link=\"?part=1&chap=2#passwording_GRUB\">Setting a GRUB password</uri> and <uri link=\"?part=1&chap=2#passwording_LILO\">Setting a LILO password</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):38 +msgid "Daemon/Service Planning" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):40 +msgid "Start by documenting what services this machine should run. This will help you compose a better partition scheme for your system, and allow you to better plan your security measures. Of course, this is unnecessary if the machine serves a single simple purpose, such as a desktop, or a dedicated firewall. In those cases, you should not be running <e>any</e> services, except perhaps sshd." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):47 +msgid "This list can also be used to aid system administration. By keeping a current list of version information, you will find it much easier to keep everything up to date if a remote vulnerability is discovered in one of your daemons." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):56 +msgid "Partitioning Schemes" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):59 +msgid "Partitioning rules:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):64 +msgid "Any directory tree a user should be able to write to (e.g. <path>/home</path>, <path>/tmp</path>) should be on a separate partition and use disk quotas. This reduces the risk of a user filling up your whole filesystem. Portage uses <path>/var/tmp</path> to compile files, so that partition should be large." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):70 +msgid "Any directory tree where you plan to install non-distribution software on should be on a separate partition. According to the <uri link=\"http://www.pathname.com/fhs/\"> File Hierarchy Standard</uri>, this is <path>/opt</path> or <path>/usr/local</path>. If these are separate partitions, they will not be erased if you have to reinstall the system." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):77 +msgid "For extra security, static data can be put on a separate partition that is mounted read-only. For the truly paranoid, try using read-only media like CD-ROM." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):87 +msgid "The root user" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):90 +msgid "The user 'root' is the most vital user on the system and should not be used for anything except when absolutely necessary. If an attacker gains root access, the only way to ever trust your system again is to reinstall." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):96 +msgid "Golden rules about 'root'" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):101 +msgid "Always create a user for everyday use and if this user needs to have root access, add the user to the group 'wheel'. This makes it possible for a normal user to <c>su</c> to root." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):106 +msgid "Never run X or any other user application as root. root should only be used when absolutely necessary; if a vulnerability exists in an application running as a user, an attacker can gain user level access. But if that application is running as root, the attacker gains root access." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):112 +msgid "Always use absolute paths when logged in as root (or always use <c>su -</c>, which replaces the environmental variables of the user with those of root, while being sure root's <c>PATH</c> only includes protected directories like <path>/bin</path> and <path>/sbin</path>). It's possible to trick root into running a different application rather than the one meant to be run. If root's <c>PATH</c> is protected or root only uses absolute paths, we can be sure this won't happen." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):121 +msgid "If a user only needs to run a few commands as root, instead of everything that root normally can do, consider using <c>sudo</c> instead. Just be careful who you give this access to, as well!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):126 +msgid "Never leave the terminal when you are logged in as root." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):131 +msgid "Gentoo has some default protection against normal users trying to <c>su</c> to root. The default PAM setting requires that a user be a member of the group \"wheel\" in order to be able to <c>su</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(title):140 +msgid "Security policies" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):143 +msgid "There are several reasons to draft a security policy for your system(s) and network." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):149 +msgid "A good security policy allows you to outline security as a \"system\", rather than simply a jumble of different features. For example, without a policy an administrator might decide to turn off telnet, because it transmits unencrypted passwords, but leave on FTP access, which has the same weakness. A good security policy allows you to identify which security measures are worthwhile, and which are not." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):157 +msgid "In order to diagnose problems, conduct audits, or track down intruders, it may be necessary to intercept network traffic, inspect the login and command history of users, and look in home directories. Without outlining this in print, and making users aware of this, such actions may actually be illegal and put <e>you</e> in legal jeopardy." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):164 +msgid "Hijacked user accounts pose one of the most common threats to system security. Without explaining to users why security is important, and how to practice good security (such as not writing passwords on a Post-It note on their desks), it is unlikely you will have any hope of secure user accounts." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):170 +msgid "A well-documented network and system layout will aid you, as well as law enforcement forensics examiners, if need be, in tracing an intrusion and identifying weaknesses after the fact. A security policy \"issue\" banner, stating that your system is a private network and all unauthorized access is prohibited, will also help ensure your ability to properly prosecute an intruder, once he is caught." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):180 +msgid "The need for a good security policy is hopefully now more than clear." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):184 +msgid "The policy itself is a document, or several documents, that outlines the network and system features (such as what services are provided), acceptable use and forbidden use, security \"best practices\", and so forth. All users should be made aware of your security policy, as well as changes you make to keep it up to date. It is important that you take the time to help users understand your policy and why that policy needs to be signed or what will happens if they act directly against the policy (the policy should also state this). This should be repeated at least once a year, since the policy can change (but also as a reminder to the user of the policy itself)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(note):196 +msgid "Create policies that are easy to read and be very precise on every subject." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):200 +msgid "A security policy should at least contain the following subjects:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):207 +msgid "Screen savers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):208 +msgid "Password handling" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):209 +msgid "Software download and installation" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):210 +msgid "Information stating if the users are being monitored" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):211 +msgid "Use of anti-virus software" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):205 +msgid "Acceptable use <placeholder-1/>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):216 +msgid "Clean desk and locked up classified information" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):217 +msgid "PC shutdown before leaving" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):218 +msgid "Use of encryption" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):219 +msgid "Handling of keys to trusted co-workers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):220 +msgid "Handling of confidential material when traveling" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):214 +msgid "Handling of sensitive information (any written form, paper or digital) <placeholder-1/>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):225 +msgid "Laptop handling during travels and hotel stays" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(li):223 +msgid "Handling of computer equipment when traveling <placeholder-1/>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):230 +msgid "Different users may require different levels or types of access, and as such your policy may vary to accommodate them all." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):235 +msgid "The security policy can become huge, and vital information can easily be forgotten. The IT-staff's policy could contain information that is confidential for the ordinary user, so it is wise to split it up into smaller policies; e.g. Acceptable Use Policy, Password policy, Email policy and Remote Access policy." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(p):243 +msgid "You can find example policies at <uri link=\"http://www.sans.org/resources/policies/\">The SANS Security Policy Project</uri>. If you have a small network and think these policies are too much you should look at the <uri link=\"ftp://ftp.isi.edu/in-notes/rfc2196.txt\">Site Security Handbook</uri>." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-pre.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-services.xml.pot b/shandbook/gettext/shb-services.xml.pot new file mode 100644 index 0000000..8f5fb96 --- /dev/null +++ b/shandbook/gettext/shb-services.xml.pot @@ -0,0 +1,448 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(version):10 +msgid "1.5" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(date):11 +msgid "2008-06-13" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):14 +msgid "Apache" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):17 +msgid "Apache comes with a pretty decent configuration file but again, we need to improve some things, like binding Apache to one address and preventing it from leaking information. Below are the options that you should apply the configuration file." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):24 +msgid "If you did not disable <c>ssl</c> in your <path>/etc/make.conf</path> before installing Apache, you should have access to an ssl enabled server. Inside <path>/etc/apache2/vhosts.d</path> example configuration files can be found. These are working examples and it is best to verify those or disable them." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):31 +msgid "It is important to define your configuration(s) to listen to a particular IP address (rather than all available IP addresses on your system). For instance, for the <path>00_default_vhost.conf</path> file:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):37 +msgid "/etc/apache2/vhosts.d/00_default_vhost.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):37 +#, no-wrap +msgid "\n<comment># Make it listen on your ip</comment>\nListen 127.0.0.1\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):42 +msgid "We also recommend you to disable showing any information about your Apache installation to the world. By default, the configuration will add server version and virtual host name to server-generated pages. To disable this, change the <c>ServerSignature</c> variable to <c>Off</c>:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):49 +msgid "/etc/apache2/modules.d/00_default_settings.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):49 +#, no-wrap +msgid "\nServerSignature Off\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):53 +msgid "Apache is compiled with <c>--enable-shared=max</c> and <c>--enable-module=all</c>. This will by default enable all modules, so you should comment out all modules in the <c>LoadModule</c> section (<c>LoadModule</c> and <c>AddModule</c>) that you do not use in the main <path>/etc/apache2/httpd.conf</path> configuration file. Restart the service by executing <c>/etc/init.d/apache2 restart</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):62 +msgid "Documentation is available at <uri>http://www.apache.org</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):70 +msgid "Bind" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):73 +msgid "One can find documentation at the <uri link=\"http://www.isc.org/products/BIND/bind9.html\">Internet Software Consortium</uri>. The BIND 9 Administrator Reference Manual is also in the <path>doc/arm</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):80 +msgid "The newer BIND ebuilds support chrooting out of the box. After emerging <c>bind</c> follow these simple instructions:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):85 +msgid "Chrooting BIND" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):85 +#, no-wrap +msgid "\n# <i>emerge --config bind</i>\n<comment>(Before running the above command you might want to change the chroot\ndirectory in /etc/conf.d/named. Otherwise /chroot/dns will be used.)</comment>\n\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):94 +msgid "Djbdns" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):97 +msgid "Djbdns is a DNS implementation on the security of which its author is willing to bet <uri link=\"http://cr.yp.to/djbdns/guarantee.html\">money</uri>. It is very different from how Bind 9 works but worth a try. More information can be obtained from <uri>http://www.djbdns.org</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):108 +msgid "FTP" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):111 +msgid "Generally, using FTP (File Transfer Protocol) is a bad idea. It uses unencrypted data (ie. passwords are sent in clear text), listens on 2 ports (normally port 20 and 21), and attackers are frequently looking for anonymous logins for trading warez. Since the FTP protocol contains several security problems you should instead use <c>sftp</c> or HTTP. If this is not possible, secure your services as well as you can and prepare yourself." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):123 +msgid "Mysql" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):126 +msgid "If you only need local applications to access the <c>mysql</c> database, uncomment the following line in <path>/etc/mysql/my.cnf</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):131 +msgid "Disable network access" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):131 +#, no-wrap +msgid "\nskip-networking\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):135 +msgid "Then we disable the use of the LOAD DATA LOCAL INFILE command. This is to prevent against unauthorized reading from local files. This is relevant when new SQL Injection vulnerabilities in PHP applications are found." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):141 +msgid "Disable LOAD DATA LOCAL INFILE in the [mysqld] section" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):141 +#, no-wrap +msgid "\nset-variable=local-infile=0\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):145 +msgid "Next, we must remove the sample database (test) and all accounts except the local <c>root</c> account." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):150 +msgid "Removing sample database and all unnecessary users" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):150 +#, no-wrap +msgid "\nmysql> <i>drop database test;</i>\nmysql> <i>use mysql;</i>\nmysql> <i>delete from db;</i>\nmysql> <i>delete from user where not (host=\"localhost\" and user=\"root\");</i>\nmysql> <i>flush privileges;</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(warn):158 +msgid "Be careful with the above if you have already configured user accounts." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(note):162 +msgid "If you have been changing passwords from the MySQL prompt, you should always clean out <path>~/.mysql_history</path> and <path>/var/log/mysql/mysql.log</path> as they store the executed SQL commands with passwords in clear text." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):172 +msgid "Proftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):175 +msgid "Proftpd has had several security problems, but most of them seem to have been fixed. Nonetheless, it is a good idea to apply some enhancements:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):180 +msgid "/etc/proftpd/proftpd.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):180 +#, no-wrap +msgid "\nServerName \"My ftp daemon\"\n#Don't show the ident of the server\nServerIdent on \"Go away\"\n\n#Makes it easier to create virtual users\nRequireValidShell off\n\n#Use alternative password and group file (passwd uses crypt format)\nAuthUserFile \"/etc/proftpd/passwd\"\nAuthGroupFile \"/etc/proftpd/group\"\n\n# Permissions\nUmask 077\n\n# Timeouts and limitations\nMaxInstances 30\nMaxClients 10 \"Only 10 connections allowed\"\nMaxClientsPerHost 1 \"You have already logged on once\"\nMaxClientsPerUser 1 \"You have already logged on once\"\nTimeoutStalled 10\nTimeoutNoTransfer 20\nTimeoutLogin 20\n\n#Chroot everyone\nDefaultRoot ~\n\n#don't run as root\nUser nobody\nGroup nogroup\n\n#Log every transfer\nTransferLog /var/log/transferlog\n\n#Problems with globbing\nDenyFilter \\*.*/\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):218 +msgid "One can find documentation at <uri>http://www.proftpd.org</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):225 +msgid "Pure-ftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):228 +msgid "Pure-ftpd is an branch of the original trollftpd, modified for security reasons and functionality by Frank Dennis." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):233 +msgid "Use virtual users (never system accounts) by enabling the <c>AUTH</c> option. Set this to <c>-lpuredb:/etc/pureftpd.pdb</c> and create your users by using <c>/usr/bin/pure-pw</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):239 +msgid "/etc/conf.d/pure-ftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):239 +#, no-wrap +msgid "\nAUTH=\"-lpuredb:/etc/pureftpd.pdb\"\n\n## Misc. Others ##\nMISC_OTHER=\"-A -E -X -U 177:077 -d -4 -L100:5 -I 15\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):246 +msgid "Configure your <c>MISC_OTHER</c> setting to deny anonymous logins (<c>-E</c>), chroot everyone (<c>-A</c>), prevent users from reading or writing to files beginning with a . (dot) (<c>-X</c>), max idle time (<c>-I</c>), limit recursion (<c>-L</c>), and a reasonable <c>umask</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(warn):253 +msgid "Do <e>not</e> use the <c>-w</c> or <c>-W</c> options! If you want to have a warez site, stop reading this guide!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):258 +msgid "One can find documentation at <uri>http://www.pureftpd.org</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):265 +msgid "Vsftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):268 +msgid "Vsftpd (short for very secure ftp) is a small ftp daemon running a reasonably default configuration. It is simple and does not have as many features as pureftp and proftp." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):274 +msgid "/etc/vsftpd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):274 +#, no-wrap +msgid "\nanonymous_enable=NO\nlocal_enable=YES\n\n#read only\nwrite_enable=NO\n\n#enable logging of transfers\nxferlog_std_format=YES\n\nidle_session_timeout=20\ndata_connection_timeout=20\nnopriv_user=nobody\n\nchroot_list_enable=YES\nchroot_list_file=/etc/vsftpd/chrootlist\n\nls_recurse_enable=NO\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):294 +msgid "As you can see, there is no way for this service to have individual permissions, but when it comes to anonymous settings it is quite good. Sometimes it can be nice to have an anonymous ftp server (for sharing open source), and vsftpd does a really good job at this." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):304 +msgid "Netqmail" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):307 +msgid "Netqmail is often considered to be a very secure mail server. It is written with security (and paranoia) in mind. It does not allow relaying by default and has not had a security hole since 1996. Simply <c>emerge netqmail</c> and go configure!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):316 +msgid "Samba" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):319 +msgid "Samba is a protocol to share files with Microsoft/Novell networks and it should <e>not</e> be used over the Internet. Nonetheless, it still needs securing." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):325 +msgid "/etc/samba/smb.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):325 +#, no-wrap +msgid "\n[global]\n #Bind to an interface\n interfaces = eth0 10.0.0.1/32\n\n #Make sure to use encrypted password\n encrypt passwords = yes\n directory security mask = 0700\n\n #allow traffic from 10.0.0.*\n hosts allow = 10.0.0.\n\n #Enables user authentication\n #(don't use the share mode)\n security = user\n\n #Disallow privileged accounts\n invalid users = root @wheel\n\n #Maximum size smb shows for a share (not a limit)\n max disk size = 102400\n\n #Uphold the password policy\n min password length = 8\n null passwords = no\n\n #Use PAM (if added support)\n obey pam restrictions = yes\n pam password change = yes\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):356 +msgid "Make sure that permissions are set correct on every share and remember to read the <uri link=\"http://www.samba.org\">documentation</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):361 +msgid "Now restart the server and add the users who should have access to this service. This is done though the command <path>/usr/bin/smbpasswd</path> with the parameter <c>-a</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):370 +msgid "ssh" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):373 +msgid "The only securing that OpenSSH needs is turning on a stronger authentication based on public key encryption. Too many sites (like <uri>http://www.sourceforge.net</uri>, <uri>http://www.php.net</uri> and <uri>http://www.apache.org</uri>) have suffered unauthorized intrusion due to password leaks or bad passwords." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):381 +msgid "/etc/ssh/sshd_config" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):381 +#, no-wrap +msgid "\n#Only enable version 2\nProtocol 2\n\n#Disable root login. Users have to su to root\nPermitRootLogin no\n\n#Turn on Public key authentication\nPubkeyAuthentication yes\nAuthorizedKeysFile .ssh/authorized_keys\n\n#Disable .rhost and normal password authentication\nHostbasedAuthentication no\nPasswordAuthentication no\nPermitEmptyPasswords no\n\n#Only allow userin the wheel or admin group to login\nAllowGroups wheel admin\n\n#In those groups only allow the following users\n#The @<domainname> is optional but replaces the\n#older AllowHosts directive\nAllowUsers kn@gentoo.org bs@gentoo.org\n\n#Logging\nSyslogFacility AUTH\nLogLevel INFO\n\n<comment>(Change this to your address)</comment>\nListenAddress 127.0.0.1\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):413 +msgid "Also verify that you don't have <c>UsePAM yes</c> in your configuration file as it overrides the public key authentication mechanism, or you can disable either <c>PasswordAuthentication</c> or <c>ChallengeResponseAuthentication</c>. More information about these options can be found in the <path>sshd_config</path> manual page." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):421 +msgid "Now all that your users have to do is create a key (on the machine they want to login from) with the following command:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):426 +msgid "Create a DSA keypair" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):426 +#, no-wrap +msgid "\n# <i>/usr/bin/ssh-keygen -t dsa</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):430 +msgid "And type in a pass phrase." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):434 +msgid "Output of ssh-keygen" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):434 +#, no-wrap +msgid "\nGenerating public/private dsa key pair.\nEnter file in which to save the key (/home/kn/.ssh/id_dsa):<i>[Press enter]</i>\nCreated directory '/home/kn/.ssh'.\nEnter passphrase (empty for no passphrase): <i>[Enter passphrase]</i>\nEnter same passphrase again: <i>[Enter passphrase again]</i>\nYour identification has been saved in /home/kn/.ssh/id_dsa.\nYour public key has been saved in /home/kn/.ssh/id_dsa.pub.\nThe key fingerprint is:\n07:24:a9:12:7f:83:7e:af:b8:1f:89:a3:48:29:e2:a4 kn@knielsen\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):446 +msgid "This will add two files in your <path>~/.ssh/</path> directory called <path>id_dsa</path> and <path>id_dsa.pub</path>. The file called <path>id_dsa</path> is your private key and should be kept from other people than yourself. The other file <path>id_dsa.pub</path> is to be distributed to every server that you have access to. Add the key to the users home directory in <path>~/.ssh/authorized_keys</path> and the user should be able to login:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):455 +msgid "Adding the id_dsa.pub file to the authorized_keys file" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):455 +#, no-wrap +msgid "\n$ <i>scp id_dsa.pub other-host:/var/tmp/currenthostname.pub</i>\n$ <i>ssh other-host</i>\npassword:\n$ <i>cat /var/tmp/currenthostname.pub >> ~/.ssh/authorized_keys</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):462 +msgid "Now your users should guard this private key well. Put it on a media that they always carry with them or keep it on their workstation (put this in the <uri link=\"?part=1&chap=1#security_policies\">password</uri> policy)." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):468 +msgid "For more information go to the <uri link=\"http://www.openssh.org\">OpenSSH</uri> web site." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):476 +msgid "Using xinetd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):479 +msgid "xinetd is a replacement for <c>inetd</c> (which Gentoo does not have), the Internet services daemon. It supports access control based on the address of the remote host and the time of access. It also provide extensive logging capabilities, including server start time, remote host address, remote user name, server run time, and actions requested." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):487 +msgid "As with all other services it is important to have a good default configuration. But since <c>xinetd</c> is run as root and supports protocols that you might not know how they work, we recommend not to use it. But if you want to use it anyway, here is how you can add some security to it:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):494 +msgid "Install xinetd" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):494 +#, no-wrap +msgid "\n# <i>emerge xinetd tcp-wrappers</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):498 +msgid "And edit the configuration file:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):502 +msgid "/etc/xinetd.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):502 +#, no-wrap +msgid "\ndefaults\n{\n only_from = localhost\n instances = 10\n log_type = SYSLOG authpriv info\n log_on_success = HOST PID\n log_on_failure = HOST\n cps = 25 30\n}\n\n# This will setup pserver (cvs) via xinetd with the following settings:\n# max 10 instances (10 connections at a time)\n# limit the pserver to tcp only\n# use the user cvs to run this service\n# bind the interfaces to only 1 ip\n# allow access from 10.0.0.*\n# limit the time developers can use cvs from 8am to 5pm\n# use tpcd wrappers (access control controlled in\n# <i>/etc/hosts.allow</i> and <i>/etc/hosts.deny</i>)\n# max_load on the machine set to 1.0\n# The disable flag is per default set to no but I like having\n# it in case of it should be disabled\nservice cvspserver\n{\n socket_type = stream\n protocol = tcp\n instances = 10\n protocol = tcp\n wait = no\n user = cvs\n bind = 10.0.0.2\n only_from = 10.0.0.0\n access_times = 8:00-17:00\n server = /usr/sbin/tcpd\n server_args = /usr/bin/cvs --allow-root=/mnt/cvsdisk/cvsroot pserver\n max_load = 1.0\n log_on_failure += RECORD\n disable = no\n}\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):544 +msgid "For more information read <c>man 5 xinetd.conf</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(title):552 +msgid "X" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):555 +msgid "By default Xorg is configured to act as an Xserver. This can be dangerous since X uses unencrypted TCP connections and listens for xclients." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(impo):560 +msgid "If you do not need this service disable it!" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):564 +msgid "But if you depend on using your workstation as a Xserver use the <c>/usr/X11R6/bin/xhost</c> command with caution. This command allows clients from other hosts to connect and use your display. This can become handy if you need an X application from a different machine and the only way is through the network, but it can also be exploited by an attacker. The syntax of this command is <c>/usr/X11R6/bin/xhost +hostname</c>" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(warn):573 +msgid "Do not ever use the <c>xhost +</c> feature! This will allow any client to connect and take control of your X. If an attacker can get access to your X, he can log your keystrokes and take control over your desktop. If you have to use it always remember to specify a host." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):580 +msgid "A more secure solution is to disable this feature completely by starting X with <c>startx -- -nolisten tcp</c> or disable it permanently in the configuration." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):585 +msgid "/usr/X11R6/bin/startx" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):585 +#, no-wrap +msgid "\ndefaultserverargs=\"-nolisten tcp\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):589 +msgid "To make sure that <path>startx</path> does not get overwritten when emerging a new version of Xorg you must protect it. Add the following line to <path>/etc/make.conf</path>:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):595 +msgid "/etc/make.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):595 +#, no-wrap +msgid "\nCONFIG_PROTECT_MASK=\"/usr/X11R6/bin/startx\"\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):599 +msgid "If you use a graphical login manager you need a different approach." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):603 +msgid "For <c>gdm</c> (Gnome Display Manager)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):607 +msgid "/etc/X11/gdm/gdm.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):607 +#, no-wrap +msgid "\n[server-Standard]\ncommand=/usr/X11R6/bin/X -nolisten tcp\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(p):612 +msgid "For <c>xdm</c> (X Display Manager) and <c>kdm</c> (Kde Display Manager)" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre:caption):616 +msgid "/etc/X11/xdm/Xservers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(pre):616 +#, no-wrap +msgid "\n:0 local /usr/bin/X11/X -nolisten tcp\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-services.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-tcp.xml.pot b/shandbook/gettext/shb-tcp.xml.pot new file mode 100644 index 0000000..ba30dfa --- /dev/null +++ b/shandbook/gettext/shb-tcp.xml.pot @@ -0,0 +1,62 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(date):11 +msgid "2010-04-26" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(title):14 +msgid "TCP Wrappers" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(p):17 +msgid "This is a way of controlling access to services normally run by inetd (which Gentoo does not have), but it can also be used by xinetd and other services." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(note):22 +msgid "The service should be executing tcpd in its server argument (in xinetd). See the chapter on xinetd for more information." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(pre:caption):27 +msgid "/etc/hosts.deny" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(pre):27 +#, no-wrap +msgid "\nALL:PARANOID\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(pre:caption):31 +msgid "/etc/hosts.allow" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(pre):31 +#, no-wrap +msgid "\nALL: LOCAL @wheel\ntime: LOCAL, .gentoo.org\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(p):36 +msgid "As you can see the format is very similar to the one in <path>/etc/security/access.conf</path>. Tcpd supports a specific service; it does not overlap with <path>/etc/security/access.conf</path>. These settings only apply to services using tcp wrappers." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(p):43 +msgid "It is also possible to execute commands when a service is accessed (this can be used when activating relaying for dial-in users) but it is not recommended, since people tend to create more problems than they are trying to solve. An example could be that you configure a script to send an e-mail every time someone hits the deny rule, but then an attacker could launch a DoS attack by keep hitting the deny rule. This will create a lot of I/O and e-mails so don't do it!. Read the <c>man 5 hosts_access</c> for more information." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tcp.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-tight.xml.pot b/shandbook/gettext/shb-tight.xml.pot new file mode 100644 index 0000000..3a67874 --- /dev/null +++ b/shandbook/gettext/shb-tight.xml.pot @@ -0,0 +1,146 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(date):11 +msgid "2006-03-04" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(title):14 +msgid "USE flags" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):17 +msgid "The <path>make.conf</path> file contains user defined USE flags and <path>/etc/make.profile/make.defaults</path> contains the default USE flags for Gentoo Linux. For this guide's purposes, the important flags are <c>pam</c> (Pluggable Authentication Modules), <c>tcpd</c> (TCP wrappers), and <c>ssl</c> (Secure Socket Layer). These are all in the default USE flags." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(title):28 +msgid "Password protecting GRUB" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):31 +msgid "GRUB supports two different ways of adding password protection to your boot loader. The first uses plain text, while the latter uses md5+salt encryption." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):36 ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):79 +msgid "/boot/grub/grub.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):36 +#, no-wrap +msgid "\ntimeout 5\npassword changeme\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):41 +msgid "This will add the password <c>changeme</c>. If no password is entered at boot, GRUB will simply use the default boot setting." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):46 +msgid "When adding an md5 password, you must convert your password into crypt format, which is the same format used in <path>/etc/shadow</path>. For more information see <c>man crypt</c>. The encrypted password <e>changeme</e>, for example, could look like this: <c>$1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):53 +msgid "You can encrypt your password directly at the GRUB shell:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):57 +msgid "md5crypt in grub shell" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):57 +#, no-wrap +msgid "\n#<i>/sbin/grub</i>\n\nGRUB version 0.92 (640K lower / 3072K upper memory)\n\n [ Minimal BASH-like line editing is supported. For the first word, TAB lists\n possible command completions. Anywhere else TAB lists the possible\n completions of a device/filename. ]\n\ngrub> <i>md5crypt</i>\n\nPassword: <i>********</i>\n<comment>(Typed changeme at the prompt)</comment>\nEncrypted: $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.\n\ngrub> <i>quit</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):75 +msgid "Then, cut and paste your password to <path>/boot/grub/grub.conf</path>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):79 +#, no-wrap +msgid "\ntimeout 5\npassword --md5 $1$T7/dgdIJ$dJM.n2wZ8RG.oEiIOwJUs.\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):84 +msgid "The 5 seconds timeout becomes handy if the system is remote and should be able to reboot without any keyboard interaction. Learn more about GRUB passwords by executing <c>info grub</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(title):93 +msgid "Password protecting LILO" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):96 +msgid "LILO also supports two ways of handling passwords: global and per-image, both in clear text." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):101 +msgid "The global password is set at the top of the configuration file, and applies to every boot image:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):106 ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):116 +msgid "/etc/lilo.conf" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):106 +#, no-wrap +msgid "\npassword=changeme\nrestricted\ndelay=3\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):112 +msgid "The per-image password is set as below:" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):116 +#, no-wrap +msgid "\nimage=/boot/bzImage\n read-only\n password=changeme\n restricted\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):123 +msgid "If the <c>restricted</c> option is not entered, it will prompt for a password every time." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):128 +msgid "In order to store the new information in <path>lilo.conf</path>, you must run <c>/sbin/lilo</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(title):136 +msgid "Restricting Console Usage" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):139 +msgid "The <path>/etc/securetty</path> file allows you to specify which <c>tty</c> (terminal) devices root is allowed to login to." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(p):144 +msgid "We suggest that you comment out all lines except <c>vc/1</c> if you are using devfs and all lines except <c>tty1</c> if you are using udev. This will ensure that root only can login once and only on one terminal." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(note):150 +msgid "Users in the group \"wheel\" can still <c>su -</c> to become root on other TTYs." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre:caption):154 +msgid "/etc/securetty" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(pre):154 +#, no-wrap +msgid "\n<comment>(For devfs)</comment>\nvc/1\n<comment>(For udev)</comment>\ntty1\n" +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-tight.xml(None):0 +msgid "translator-credits" +msgstr "" + diff --git a/shandbook/gettext/shb-uptodate.xml.pot b/shandbook/gettext/shb-uptodate.xml.pot new file mode 100644 index 0000000..eba1815 --- /dev/null +++ b/shandbook/gettext/shb-uptodate.xml.pot @@ -0,0 +1,82 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"POT-Creation-Date: 2010-10-22 00:56+0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(version):10 +msgid "1.1" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(date):11 +msgid "2005-10-13" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(title):14 +msgid "Keeping up-to-date" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):17 +msgid "Once you have successfully installed your system and ensured a good level of security you are not done. Security is an ongoing process; the vast majority of intrusions result from known vulnerabilities in unpatched systems. Keeping your system up-to-date is the single most valuable step you can take to greater security." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):25 +msgid "If you have a recent version of <c>portage</c> installed, you can first sync your portage tree with <c>emerge --sync</c> and then issue the command <c>glsa-check --list</c> to check if your system is up to date security-wise. <c>glsa-check</c> is part of <c>app-portage/gentoolkit</c>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(pre:caption):32 +msgid "Example output of glsa-check -l" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(pre):32 +#, no-wrap +msgid "\n# <i>glsa-check -l</i>\nWARNING: This tool is completely new and not very tested, so it should not be\nused on production systems. It's mainly a test tool for the new GLSA release\nand distribution system, it's functionality will later be merged into emerge\nand equery.\nPlease read http://www.gentoo.org/proj/en/portage/glsa-integration.xml\nbefore using this tool AND before reporting a bug.\n\n[A] means this GLSA was already applied,\n[U] means the system is not affected and\n[N] indicates that the system might be affected.\n\n200406-03 [N] sitecopy: Multiple vulnerabilities in included libneon ( net-misc/sitecopy )\n200406-04 [U] Mailman: Member password disclosure vulnerability ( net-mail/mailman )\n.......\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(warn):50 +msgid "The <c>glsa-check</c> is still experimental, so if security really is your top priority it would be wise to double check the list with other sources." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):55 +msgid "All lines with a <c>[A]</c> and <c>[U]</c> can be almost safely ignored as the system is not affected by this GLSA." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(impo):60 +msgid "Please note that the usual <c>emerge -vpuD world</c> will not pick up all package updates. You need to use <c>glsa-check</c> if you want to make sure all GLSAs are fixed on your system." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(pre:caption):66 +msgid "Check all GLSAs" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(pre):66 +#, no-wrap +msgid "\n<comment>(Check if your system is affected by GLSAs)</comment>\n# <i>glsa-check -t all</i>\nWARNING: This tool is completely new and not very tested, so it should not be\nused on production systems. It's mainly a test tool for the new GLSA release\nand distribution system, it's functionality will later be merged into emerge\nand equery.\nPlease read http://www.gentoo.org/proj/en/portage/glsa-integration.xml\nbefore using this tool AND before reporting a bug.\n\nThis system is affected by the following GLSA:\n200504-06\n200510-08\n200506-14\n200501-35\n200508-12\n200507-16\n\n<comment>(See what packages would be emerged)</comment>\n# <i>glsa-check -p $(glsa-check -t all)</i>\n <comment>(partial output)</comment>\nChecking GLSA 200504-06\nThe following updates will be performed for this GLSA:\n app-arch/sharutils-4.2.1-r11 (4.2.1-r10)\n\n **********************************************************************\n\n Checking GLSA 200510-08\n The following updates will be performed for this GLSA:\n media-libs/xine-lib-1.1.0-r5 (1.1.0-r4)\n\n<comment>(Apply required fixes)</comment>\n# <i>glsa-check -f $(glsa-check -t all)</i>\n" +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):101 +msgid "If you have upgraded a running service, you should not forget to restart it." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):105 +msgid "Keeping your <uri link=\"/doc/en/kernel-upgrade.xml\">kernel up-to-date</uri> is also recommended." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):110 +msgid "If you want an email each time a GLSA is released subscribe to the <c>gentoo-announce</c> mailing list. Instructions for joining it and many other great mailing lists can be found <uri link=\"/main/en/lists.xml\">Gentoo Linux Mailing List Overview</uri>." +msgstr "" + +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(p):117 +msgid "Another great security resource is the <uri link=\"http://www.securityfocus.com/archive/1\">Bugtraq mailing list</uri>." +msgstr "" + +#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL +#: ../../gentoo/xml/htdocs/doc/en/security//shb-uptodate.xml(None):0 +msgid "translator-credits" +msgstr "" + |