(ext2fs-specific) In addition to standard Unix permissions,
the ext2 file system contains additional attributes, which the file
system driver honors whenever the file is accessed or modified. Attributes
are set or unset by the CHATTR command, and it is common to refer
to each bit by its name. The ``immutable'' bit is
particularly popular among system administrators trying to protect
critical files from unintentional destruction by an inattentive ROOT
user.
authentication
The process of knowing that the data received is the
same as the data that was sent, and that the claimed sender is in
fact the actual sender.
backup (or archive)
Both of these terms are used as nouns and verbs.
The noun form refers to any copy of a set of files (and the meta-data
associated with them) on some form of removable media. The verb form
refers to any process of creating such a set. An extra copy of a set
of files to non-removable storage is sometimes referred to as ``a
backup,'' but this is more precisely referred to as ``replication,''
``mirroring,'' or (in some cases) ``version
control.''
bastion host
A computer system that must be highly secured because
it is vulnerable to attack, usually because it is exposed to the Internet
and is a main point of contact for users of internal networks. It
gets its name from the highly fortified projections on the outer walls
of medieval castles. Bastions overlook critical areas of defense,
usually having strong walls, room for extra troops, and the occasional
useful tub of boiling hot oil for discouraging attackers.
broadcast
The broadcast address is a special address that every host
on the network listens to in addition to its own unique address. This
address is the one that datagrams are sent to if every host on the
network is meant to receive it. Certain types of data like routing
information and warning messages are transmitted to the broadcast
address so that every host on the network can receive it simultaneously.
There are two commonly used standards for what the broadcast address
should be. The most widely accepted one is to use the highest possible
address on the network as the broadcast address. An example on an
internal network would be 192.168.1.255. Every host on the network
must be configured with the same broadcast address.
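As an added illustration (not part of the original glossary), the following C program applies the ``highest possible address on the network'' convention: it derives the broadcast address from a host address and a prefix length, and checks whether two hosts on one link agree on it, which is the configuration requirement the entry ends with. The function names and the sample addresses are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "a.b.c.d" into a host-order 32-bit value.  Returns 1 on success,
   0 if the string is not a well-formed dotted quad. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char trailing;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* Netmask for a CIDR prefix length, e.g. 24 -> 0xFFFFFF00 (255.255.255.0). */
uint32_t prefix_to_mask(unsigned prefix)
{
    if (prefix == 0)
        return 0;
    if (prefix >= 32)
        return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* Directed broadcast: keep the network bits, set every host bit.
   This is the "highest possible address on the network" convention. */
uint32_t broadcast_of(uint32_t ip, uint32_t mask)
{
    return ip | ~mask;
}

/* Render a host-order address as a dotted quad into buf. */
void format_ipv4(uint32_t ip, char *buf, size_t len)
{
    snprintf(buf, len, "%u.%u.%u.%u",
             (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 0xFF),
             (unsigned)((ip >> 8) & 0xFF), (unsigned)(ip & 0xFF));
}

/* Does ip_str/prefix have the broadcast address `expected`?
   Returns 1 for yes, 0 for no or for an unparsable input. */
int broadcast_is(const char *ip_str, unsigned prefix, const char *expected)
{
    uint32_t ip;
    char buf[16];
    if (!parse_ipv4(ip_str, &ip))
        return 0;
    format_ipv4(broadcast_of(ip, prefix_to_mask(prefix)), buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Do two hosts on the same link agree on the broadcast address?  A host
   configured with the wrong prefix length (say /16 on a /24 network) does
   not, and will miss broadcasts or send its own to a different address. */
int agree_on_broadcast(const char *host_a, unsigned prefix_a,
                       const char *host_b, unsigned prefix_b)
{
    uint32_t a, b;
    if (!parse_ipv4(host_a, &a) || !parse_ipv4(host_b, &b))
        return 0;
    return broadcast_of(a, prefix_to_mask(prefix_a)) ==
           broadcast_of(b, prefix_to_mask(prefix_b));
}

int main(void)
{
    char buf[16];
    uint32_t ip;
    if (parse_ipv4("192.168.1.37", &ip)) {           /* constructed sample host */
        format_ipv4(broadcast_of(ip, prefix_to_mask(24)), buf, sizeof buf);
        printf("192.168.1.37/24 broadcast: %s\n", buf);
    }
    printf("a /16 host agrees with its /24 peers: %s\n",
           agree_on_broadcast("192.168.1.37", 24, "192.168.1.40", 16) ? "yes" : "no");
    return 0;
}
```

The agreement check is the useful part for a troubleshooting session: a host that unexpectedly never sees routing or warning datagrams is often one whose prefix length differs from the rest of the segment.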
buffer overflow
A common coding style is to never allocate large enough
buffers, and to not check for overflows. When such a buffer overflows,
the executing program (a daemon or set-uid program) can be tricked into
doing something else. Generally this works by overwriting a function's
return address on the stack to point to another location.
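As an added example (not code from the original glossary), the C below puts the pattern the entry describes next to its hardened form: a fixed-size stack buffer filled by an unbounded strcpy, and a replacement that checks the length against the buffer before copying anything and rejects over-long input. The buffer size, the function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* size of the fixed buffer; kept small so the point is easy to see */

/* The "before" picture the glossary describes: a fixed-size stack buffer filled
   by strcpy() with no check of the source length.  A name of NAME_BUF bytes or
   longer writes past the end of buf and onto whatever the compiler placed above
   it on the stack, which is how a saved return address gets overwritten.
   Included only for comparison; it is never called below. */
void record_name_unsafe(const char *name)
{
    char buf[NAME_BUF];
    strcpy(buf, name);                 /* unbounded copy: the overflow happens here */
    printf("recorded %s\n", buf);
}

/* Hardened form: the length is checked against the destination size before
   any byte is copied, over-long input is rejected rather than silently
   truncated, and the stored string is always NUL-terminated. */
static char current_name[NAME_BUF];

int record_name_safe(const char *name)
{
    /* memchr bounds the scan to NAME_BUF bytes, so even an unterminated
       source is never read past the limit. */
    const char *nul = memchr(name, '\0', NAME_BUF);
    if (nul == NULL)
        return 0;                      /* no NUL within NAME_BUF: too long, reject */
    size_t len = (size_t)(nul - name);
    memcpy(current_name, name, len + 1);   /* len + 1 <= NAME_BUF, includes the NUL */
    return 1;
}

const char *recorded_name(void)
{
    return current_name;
}

int main(void)
{
    /* constructed inputs: one that fits, one that would have overflowed */
    const char *inputs[] = { "alice", "a-name-that-is-far-too-long-for-the-buffer" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-45s -> %s\n", inputs[i],
               record_name_safe(inputs[i]) ? "accepted" : "rejected (too long)");
    printf("current name: %s\n", recorded_name());
    return 0;
}
```

Rejecting rather than truncating is a deliberate choice: a silently shortened value can still pass later checks that were written with the full value in mind, so the caller should learn that the input was refused.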
denial of service
An attack that consumes the resources on your
computer for things it was not intended to be doing, thus preventing
normal use of your network resources for legitimate purposes.
DHCP
See Dynamic Host Configuration Protocol.
DNS
See Domain Name Server.
Domain Name Server
The Domain Name System (DNS) is the software
that is responsible for converting hostnames into numbers that computers
can understand. For example, the name www.guardiandigital.com corresponds
to the host IP address 63.87.101.80 and vice versa. The DNS server,
sometimes called a name server, is the process that runs on EnGarde
awaiting incoming name service requests.
dual-homed host
A general-purpose computer system that has at least
two network interfaces.
Dynamic Host Configuration Protocol
Also known as DHCP, a protocol
for assigning dynamic IP addresses to devices on a network. DHCP simplifies
network administration because the software keeps track of IP
addresses instead of the administrator.
EXT2
The main filesystem the Linux operating system uses on its
storage devices.
EXT3
A filesystem based on the EXT2 filesystem that includes journaling
capabilities.
filesystem
The filesystem manages files contained on a storage device
so that the operating system may interact with them. The most common
filesystem in Linux is Ext2.
firewall
A component or set of components that restricts access between
a protected network and the Internet, or between other sets of networks.
forward zone
A forward zone contains a listing of the hostnames
in that zone with their corresponding IP addresses. A reverse zone
represents the address-to-domain mapping, such as 63.87.101.80
to www.guardiandigital.com.
forwarder
A forwarder is used by name servers that are not necessarily
directly connected to the Internet, for example because they are behind
a firewall or inside a corporate network. Such servers instead
query only a specified additional name server for their DNS information.
FQDN
See Fully-Qualified Domain Name.
Fully-Qualified Domain Name
Domain names reflect the domain hierarchy.
Domain names are written from most specific (a host name) to least
specific (a top-level domain), with each part of the domain separated
by a dot '.'. A fully qualified domain name (FQDN) starts
with a specific host and ends with a top-level domain. An
example of this could be:
Name                          Type
engarde.guardiandigital.com   FQDN
engarde                       Machine Name
guardiandigital.com           Domain Name
com                           Domain
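As an added example (not part of the original glossary), this C program splits a fully qualified domain name into the three parts shown in the table above, and also builds the name a reverse zone answers for, turning the forward zone entry's example 63.87.101.80 into its in-addr.arpa form. The function names and the extra sample names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Split a fully qualified domain name into its machine name, its domain name
   (everything after the first dot) and its top-level domain (everything after
   the last dot).  All three output buffers are `len` bytes.  Returns 1 on
   success, 0 if the name has fewer than two dots, an empty label, or a part
   that would not fit. */
int split_fqdn(const char *fqdn, char *host, char *domain, char *tld, size_t len)
{
    const char *first = strchr(fqdn, '.');
    const char *last  = strrchr(fqdn, '.');
    if (first == NULL || first == last)       /* need at least host.domain.tld */
        return 0;
    if (first == fqdn || last[1] == '\0')     /* empty first or last label */
        return 0;
    if (strstr(fqdn, "..") != NULL)           /* empty label in the middle */
        return 0;
    size_t hostlen = (size_t)(first - fqdn);
    size_t domlen  = strlen(first + 1);
    size_t tldlen  = strlen(last + 1);
    if (hostlen >= len || domlen >= len || tldlen >= len)
        return 0;                             /* would not fit with its NUL */
    memcpy(host, fqdn, hostlen);       host[hostlen] = '\0';
    memcpy(domain, first + 1, domlen); domain[domlen] = '\0';
    memcpy(tld, last + 1, tldlen);     tld[tldlen] = '\0';
    return 1;
}

/* Name used for a reverse-zone lookup of an IPv4 address: the octets are
   reversed and in-addr.arpa is appended, so 63.87.101.80 becomes
   80.101.87.63.in-addr.arpa.  Returns 1 on success, 0 for a malformed
   address or a buffer that is too small. */
int reverse_lookup_name(const char *ip, char *out, size_t len)
{
    unsigned a, b, c, d;
    char trailing;
    if (sscanf(ip, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return snprintf(out, len, "%u.%u.%u.%u.in-addr.arpa", d, c, b, a) < (int)len;
}

/* Check helpers returning plain ints so results can be asserted on. */
int fqdn_parts_are(const char *fqdn, const char *host, const char *domain, const char *tld)
{
    char h[64], d[64], t[64];
    if (!split_fqdn(fqdn, h, d, t, sizeof h))
        return 0;
    return strcmp(h, host) == 0 && strcmp(d, domain) == 0 && strcmp(t, tld) == 0;
}

int reverse_name_is(const char *ip, const char *expected)
{
    char buf[64];
    return reverse_lookup_name(ip, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    char h[64], d[64], t[64], r[64];
    if (split_fqdn("engarde.guardiandigital.com", h, d, t, sizeof h))
        printf("machine name: %s\ndomain name: %s\ntop-level domain: %s\n", h, d, t);
    if (reverse_lookup_name("63.87.101.80", r, sizeof r))
        printf("reverse zone name: %s\n", r);
    return 0;
}
```

The splitter follows the table's rule literally (first label, rest, last label); it does not know about registries such as co.uk, so "uk" is reported as the top-level domain of mail.example.co.uk, which is correct for the glossary's definition.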
full backup
This is probably the most confusing term that relates
to the subject of backups. It often does not mean ``comprehensive.''
A ``full'' backup does not necessarily mean that it includes
every file on a whole system. ``Full'' in those cases means
``including all files in a given data set without regard
to previous backups.'' In other words, it means ``not incremental''
and not ``differential.'' It is better to use the phrase
``level zero'' to make this distinction.
GNU
GNU's Not Unix, a recursive acronym. This is the name of a project
started by Richard M. Stallman, and is the mission of the FSF (Free
Software Foundation), which he founded. The purpose of the GNU project
is to produce a ``free'' operating system and suite of applications,
utilities, and programming tools that are non-proprietary and unencumbered.
GPL
To protect the GNU project software from being appropriated for
proprietary use by hardware vendors, the Free Software Foundation
released their software under the GPL or General Public License.
hard link
An entry in a directory that contains a pointer directly
to the inode bearing the file's meta-data. All non-symlink
directory entries are ``hard links.''
host
A computer system attached to a network.
host key
A key that the host stores locally and uses for authentication
when a user key, stored on the user's system, is presented to it. If both
keys are valid then both the host and user. Usually associated with
SSH.
IDE
See Intelligent Drive Electronics.
Intelligent Drive Electronics
An interface for mass storage devices
that have the controller integrated into the disk. Also referred to
as IDE for short.
Internet Message Access Protocol
A protocol for retrieving e-mail
from a server. Similar to POP3 but instead of downloading messages
to the local machine IMAP's default is to work on the server.
IP spoofing
IP Spoofing is a complex technical attack that is made
up of several components. It is a security exploit that works by tricking
computers in a trust relationship into thinking that you are someone
that you really aren't. There is an extensive paper written by daemon9,
route, and infinity in the Volume Seven, Issue Forty-Eight issue of
Phrack Magazine.
ISO9660
The most common file system found on CD-ROMs.
Kernel
Unix systems have a kernel that provides a system call interface
(including IOCTL() I/O device control interface) to allow
programs to interface directly with hardware and files. The Linux
kernel provides file systems, networking support for TCP/IP and other
protocols, and device drivers. These can be built into a kernel ``statically''
or as loadable modules.
LIDS
See Linux Intrusion Detection System.
Linux Intrusion Detection System
The Linux Intrusion Detection
System allows fine tuning of control over resources and file permissions.
For detailed information concerning LIDS and using LIDS please read
Section .
loadable modules
Portions of kernel code that have been compiled
separately and that can be loaded during normal operation using modprobe
or insmod. If you have LIDS running it seals the ability to
load modules after the system has booted. You must shut LIDS off first,
then load your module(s). Information on controlling LIDS can be found
in Section .
journaling
Journaling is a method used to preserve data when it is
written to a storage device. This greatly improves recovery time
in the event of a system crash.
mount
A storage device containing a filesystem cannot be accessed by
a Linux system until it is mounted. The process of mounting allows
the system to make a common ``reference'' to this filesystem.
This is done by mounting the filesystem onto an empty directory; the
filesystem's contents then appear within that directory.
non-repudiation
The property of a receiver being able to prove that
the sender of some data did in fact send the data even though the
sender might later deny ever having sent it.
Open Source
Programs for which the original source code is available,
for which relatively permissive opportunities to modify the code and
share the results with others exist, and which are developed by people
whose primary means of communication with each other is the Internet.
OpenSSH
An Open Source version of Secure Shell.
ownership
The user (UID) and/or group (GID) that is associated with
a file, directory, process, or process group.
packet
The fundamental unit of communication on the Internet.
packet filtering
The action a device takes to selectively control
the flow of data to and from a network. Packet filters allow or block
packets, usually while routing them from one network to another (most
often from the Internet to an internal network, and vice-versa). To
accomplish packet filtering, you set up rules that specify what types
of packets (those to or from a particular IP address or port) are
to be allowed and what types are to be blocked.
partition
Before a storage device such as a hard drive can be used
by the system it must be partitioned. A partition is a portion of
the whole drive. It defines the boundaries within which a filesystem
is managed. A filesystem cannot be placed on a storage device without
a designated partition.
partitioning
See partition.
perimeter network
A network added between a protected network and
an external network, in order to provide an additional layer of security.
A perimeter network is sometimes called a DMZ.
pid
Process identifier. A number used by the kernel to keep track
of the system-level resources necessary to switch between this process
and others running on the system. It is easily visible to a system
administrator by use of the ps command. In the GD WebTool (Section ), you will find detailed
instructions on viewing and deleting processes via the WebTool.
pptp
See Point-to-Point Tunneling Protocol.
protocol
A predefined standard for transmitting data between two
devices.
proxy server
A program that deals with external servers on behalf
of internal clients. Proxy clients talk to proxy servers, which relay
approved client requests to real servers, and relay answers back to
clients.
Point-to-Point Tunneling Protocol
A secure protocol for transmitting
data necessary for a Virtual Private Network (VPN) over the Internet.
Post Office Protocol
A protocol for retrieving e-mail. Also referred
to as POP3 (version 3), it downloads all new e-mail messages from
the server and stores them locally on a user's machine.
reverse zone
See forward zone.
root
Root is the ``superuser'' of the system. Generally the system
administrator will log in with root privileges to administer the system.
You cannot log in remotely as root, only from the console. It is not
recommended to log in as root unless you need to, since accidental errors
can easily be made.
samba
A client/server suite that integrates non-Windows systems into
Windows file sharing and printing.
SCSI
See Small Computer System Interface.
Secure Shell
A secure shell is a telnet-type connection made to
a remote host. This connection is protected with SSL 3DES 128-bit encryption.
Secure shell is also known for short as SSH. It is pronounced S-S-H.
Secure Socket Layer
A protocol designed by Netscape Communications
that provides encrypted communications for private documents via the
Internet. SSL works by use of a public/private key system for exchanging
session keys.
shared libraries
Shared libraries are object files that are dynamically
linked to executable binary programs. Under Linux, shared libraries
can be stored in a number of directories (usually listed in /etc/ld.so.conf).
Shared libraries typically include files under /usr/lib.
If the shared libraries are deleted or become damaged, or if the /etc/ld.so.cache
file is corrupted, then programs that rely on them will fail to execute.
Almost all normal programs on a system rely on glibc.
signal
Under Unix and Linux, the signal is the most fundamental and
common form of interprocess communications (IPC). It is also the basis
for ``event-driven'' programming under these systems. Each Unix
implementation defines a set of signals that are associated with
various asynchronous events, such as a terminal sending an ``interrupt
request'' (SIGINT) or a change in window size (SIGWINCH).
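As an added example (not part of the original glossary), the C program below shows the event-driven pattern the entry refers to: a handler is installed with sigaction(2), the handler does nothing but update a sig_atomic_t counter, and the program delivers a few signals to itself to show the handler running asynchronously. SIGUSR1 is used so the demonstration does not interrupt the terminal; the same shape serves a daemon's SIGINT or SIGTERM handler. The function names are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Counter written by the handler.  sig_atomic_t is the one type C guarantees
   can be read and written atomically with respect to signal delivery, and
   volatile stops the compiler caching it in a register across the loop. */
static volatile sig_atomic_t deliveries = 0;

/* Handler: does the minimum.  No printf, no malloc, no locks; only
   async-signal-safe operations belong here, because the signal may arrive
   in the middle of any library call in the main program. */
static void on_signal(int signo)
{
    (void)signo;
    deliveries++;
}

/* Install on_signal for `signo` with sigaction(2), which unlike the old
   signal(3) interface has the same semantics on every Unix.  Returns 1 on
   success, 0 on failure. */
int install_handler(int signo)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);      /* block nothing extra while handling */
    sa.sa_flags = SA_RESTART;      /* restart interrupted slow system calls */
    return sigaction(signo, &sa, NULL) == 0;
}

/* Deliver `n` SIGUSR1 signals to this process and report how many the
   handler saw.  Returns -1 if the handler could not be installed. */
int deliver_and_count(int n)
{
    deliveries = 0;
    if (!install_handler(SIGUSR1))
        return -1;
    for (int i = 0; i < n; i++)
        raise(SIGUSR1);            /* synchronous delivery to this process */
    return (int)deliveries;
}

int main(void)
{
    printf("handler saw %d of 5 signals\n", deliver_and_count(5));
    return 0;
}
```

The main program polls the counter after the fact; a real daemon would check the flag in its main loop and do the actual work (re-reading configuration, shutting down cleanly) there, outside the handler.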
SIMAP
A version of IMAP that is tunneled through SSL for increased
security. For a description of IMAP see Internet Message Access
Protocol.
Small Computer System Interface
Commonly referred to as SCSI, an industry standard
I/O bus for high-speed data transfer.
SPOP3
A version of the POP3 protocol that is wrapped in the SSL
protocol for increased security. For a description of POP3 see Post
Office Protocol.
SSH
See Secure Shell.
SSL
See Secure Socket Layer.
superuser
An informal name for ROOT.
swap
A swap partition is a physical hard drive partition. A Linux
system uses swap space when system RAM starts to fill and more
memory is needed. However, swap is significantly slower than
system RAM and is not a replacement for RAM.
symlink
Symbolic link. An entry in a directory that is not a file,
but contains the name of another file that should normally be accessed
instead. Contrast with a hard link.
trusted host
A trusted host refers to a network computer or device
that can be trusted. Generally these are internally controlled boxes
and all boxes on the outside are untrusted.
Umask
A setting in a Unix process that modifies the permissions on
newly created files. It is generally represented as a three-digit
octal number whose bits are masked out of the default mode 666 (rw-rw-rw-).
Execute bits are not set on newly created files in any case.
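As an added example (not part of the original glossary), the C below works the umask arithmetic through for several common masks and renders the result the way ls shows it, including the directory case, where the default request is 777 rather than 666. The function names and the chosen masks are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* The kernel computes the mode of a new object as request & ~umask: every
   bit set in the umask is cleared from the mode the program asked for.
   creat() and open(O_CREAT) normally ask for 0666; mkdir() normally asks
   for 0777, which is why directories come out executable (searchable). */
unsigned apply_umask(unsigned requested, unsigned umask_bits)
{
    return requested & ~umask_bits & 0777u;
}

/* Render a mode as the nine-character string ls(1) shows, e.g. 0644 -> "rw-r--r--". */
void mode_to_string(unsigned mode, char out[10])
{
    const char *flags = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)
        out[i] = (mode & (0400u >> i)) ? flags[i] : '-';
    out[9] = '\0';
}

/* Does `mode` render as `expected`?  Returns 1 for yes. */
int mode_renders_as(unsigned mode, const char *expected)
{
    char buf[10];
    mode_to_string(mode, buf);
    return strcmp(buf, expected) == 0;
}

/* A file is world-readable if the other-read bit survived the umask.
   A umask of 077 on a service account guarantees it never does. */
int world_readable(unsigned mode)
{
    return (mode & 0004u) != 0;
}

int main(void)
{
    unsigned masks[] = { 0022, 0027, 0077 };   /* constructed sample masks */
    char s[10];
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        unsigned file_mode = apply_umask(0666, masks[i]);
        unsigned dir_mode  = apply_umask(0777, masks[i]);
        mode_to_string(file_mode, s);
        printf("umask %03o: new file %04o (%s), ", masks[i], file_mode, s);
        mode_to_string(dir_mode, s);
        printf("new directory %04o (%s)\n", dir_mode, s);
    }
    return 0;
}
```

The world_readable check is the one worth wiring into a hardening script: a daemon started with umask 022 writes files that every local user can read, while 027 or 077 keeps them to the owner and group.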
Unix
The operating system after which Linux is modeled. Although
often used to refer to any operating system that provides features
and programming interfaces that emulate Unix, the term is a trademark
legally held by The Open Group.
user key
See host key.
virtual interface
A virtual interface is an additional, logical interface that
binds itself to a real interface rather than to hardware of its own. This virtual interface can
be assigned its own IP address and will access the network through
the real interface it is bound to. For example, interface eth0 can have
eth0:X bound to it, 'X' being replaced with the virtual interface
number.
virtual memory
Memory beyond what is actually available, but which
programs believe is actually available memory in the system. See swap.
Virtual Private Network
Allows remote computers to connect securely to a
common network via a medium such as the Internet, as if the remote
computer were locally connected to the network.
VPN
See Virtual Private Network.
zone transfer
A zone transfer is when a secondary name server, also
sometimes referred to as a slave server, for a zone gets the zone
data from another name server that is authoritative for the zone,
called its master server. When a secondary name server starts up,
it contacts its master server and requests a copy of the zone data
for which it is responsible, storing it in the event a request is
made for information in that zone.