Original poster: eTony

Linux Security HOWTO, Chinese-English parallel text (please point out any mistakes, thanks)

Original poster | Posted on 2006-3-20 14:39:03
10. What To Do During and After a Breakin / An Intrusion Has Occurred

So you have followed some of the advice here (or elsewhere) and have detected a break-in? The first thing to do is to remain calm. Hasty actions can cause more harm than the attacker would have.

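Have you detected an intrusion? Have you followed this advice? The first thing is to stay calm. Hasty actions may make things worse.
10.1 Security Compromise Underway. / A Security Intrusion Is Starting.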

Spotting a security compromise under way can be a tense undertaking. How you react can have large consequences.

Detecting a security intrusion may be an ongoing situation. How you respond is closely tied to the consequences.

If the compromise you are seeing is a physical one, odds are you have spotted someone who has broken into your home, office or lab. You should notify your local authorities. In a lab, you might have spotted someone trying to open a case or reboot a machine. Depending on your authority and procedures, you might ask them to stop, or contact your local security people.

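If the intrusion you detect is a physical one, fortunately you can clearly find out who has entered your home, office or lab. You should pay attention to your local authorization. In a lab, you can clearly find out who used or rebooted a computer. Depending on your duties and needs, you can ask them to stop immediately, or contact the local security staff.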

If you have detected a local user trying to compromise your security, the first thing to do is confirm they are in fact who you think they are. Check the site they are logging in from. Is it the site they normally log in from? No? Then use a non-electronic means of getting in touch. For instance, call them on the phone or walk over to their office/house and talk to them. If they agree that they are on, you can ask them to explain what they were doing or tell them to cease doing it. If they are not on, and have no idea what you are talking about, odds are this incident requires further investigation. Look into such incidents, and have lots of information before making any accusations.

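If you detect a local user trying to break into your system, first make sure they are the person you think they are. Check the records to see where they are logging in from. Is it the place they normally log in from? No? Get in touch by non-electronic means. For example, phone them, or go directly to their office/home and find out. If they admit they did it, you can ask them to explain, or tell them not to do it again. If they deny it, or give you no chance to talk at all, the matter needs further investigation. Investigating this kind of thing requires gathering a lot of information before reaching a conclusion.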

If you have detected a network compromise, the first thing to do (if you are able) is to disconnect your network. If they are connected via modem, unplug the modem cable; if they are connected via Ethernet, unplug the Ethernet cable. This will prevent them from doing any further damage, and they will probably see it as a network problem rather than detection.

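If you discover a network intrusion, the first thing to do (if you can) is to disconnect the network. If the connection is through a modem, unplug the cable; if it is Ethernet, pull out the network cable. This stops further damage, and they may think there is a network problem rather than that they have been detected.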

If you are unable to disconnect the network (if you have a busy site, or you do not have physical control of your machines), the next best step is to use something like tcp_wrappers or ipfwadm to deny access from the intruder's site.

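If you cannot disconnect the network (for example, it is a high-traffic site, or you cannot physically reach your computer), the best course is to use a tool such as tcp_wrappers or ipfwadm to deny access from the intruder's address.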

If you can't deny all people from the same site as the intruder, locking the user's account will have to do. Note that locking an account is not an easy thing. You have to keep in mind .rhosts files, FTP access, and a host of possible backdoors.

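If you cannot deny all visitors coming from the same address as the intruder, you need to lock the user's account. Note that locking an account is not easy. You need to watch for .rhosts files, FTP access, and possible backdoors.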

After you have done one of the above (disconnected the network, denied access from their site, and/or disabled their account), you need to kill all their user processes and log them off.

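After doing this (disconnecting the network, denying access from the address, and/or disabling the account), you need to kill all related processes and log them off.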

You should monitor your site well for the next few minutes, as the attacker will try to get back in. Perhaps using a different account, and/or from a different network address.

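You should monitor your site for a while, because the intruder may come back, possibly using a different account and/or logging in from a different network address.
10.2 Security Compromise has already happened / A Security Intrusion Has Occurred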

So you have either detected a compromise that has already happened or you have detected it and locked (hopefully) the offending attacker out of your system. Now what?

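So you have either detected an intrusion that has already happened, or you have detected it and driven the intruder out of your system? What should you do now?
Closing the Hole / Sealing the Hole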

If you are able to determine what means the attacker used to get into your system, you should try to close that hole. For instance, perhaps you see several FTP entries just before the user logged in. Disable the FTP service and check and see if there is an updated version, or if any of the lists know of a fix.

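If you can find the method the attacker used to break into your system, you should try to deal with it. For example, perhaps you found FTP connections before the user logged in. Stop the FTP service and check whether an updated version is available, or whether there is information on how to fix it.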

Check all your log files, and make a visit to your security lists and pages and see if there are any new common exploits you can fix. You can find Caldera security fixes at http://www.caldera.com/tech-ref/security/. Red Hat has not yet separated their security fixes from bug fixes, but their distribution errata is available at http://www.redhat.com/errata

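Check all log files and visit your security lists and web pages to see whether there are security holes that need fixing. You can find the security fixes provided by Caldera at http://www.caldera.com/tech-ref/security/. Red Hat has not yet separated security fixes from its bug fixes, but its distribution errata can be obtained at http://www.redhat.com/errata.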

Debian now has a security mailing list and web page. See: http://www.debian.org/security/ for more information.

Debian now provides a security mailing list and web page. For more information see http://www.debian.org/security/

It is very likely that if one vendor has released a security update, that most other Linux vendors will as well.

If one vendor releases a security update, the other vendors should have one too.

There is now a Linux security auditing project. They are methodically going through all the user-space utilities and looking for possible security exploits and overflows. From their announcement:

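There is now a Linux security auditing project. They are systematically checking all user-space utilities and looking for possible security holes and overflows. They announce:

    "We are attempting a systematic audit of Linux sources with a view to being as secure as OpenBSD. We have already uncovered (and fixed) some problems, but more help is welcome. The list is unmoderated and also a useful resource for general security discussions. The list address is: security-audit@ferret.lmh.ox.ac.uk To subscribe, send a mail to: security-audit-subscribe@ferret.lmh.ox.ac.uk"

    "We are trying to systematically audit the Linux source code to make it as secure as OpenBSD. We have already solved (fixed) some problems and need more help. The mailing list is unmoderated (any mail sent to the list is immediately distributed to the mailboxes of the users on the list), and is also a useful resource for security discussions. The mailing list address is: security-audit@ferret.lmh.ox.ac.uk Send mail to security-audit-subscribe@ferret.lmh.ox.ac.uk to subscribe."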

If you don't lock the attacker out, they will likely be back. Not just back on your machine, but back somewhere on your network. If they were running a packet sniffer, odds are good they have access to other local machines.

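If you cannot keep the attacker out, they will very likely come back. Not only to your computer, but even to your whole network. If they ran a packet sniffer, they may be able to break into other local machines.
Assessing the Damage / Damage Assessment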

The first thing is to assess the damage. What has been compromised? If you are running an integrity checker like Tripwire, you can use it to perform an integrity check; it should help to tell you what has been compromised. If not, you will have to look around at all your important data.

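The first thing is to assess the damage. What has been compromised? If you run an integrity checking tool such as Tripwire, you can use it to perform an integrity check; it will help you find out what has been compromised. If not, you will need to check all important data.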

Since Linux systems are getting easier and easier to install, you might consider saving your config files, wiping your disk(s), reinstalling, then restoring your user files and your config files from backups. This will ensure that you have a new, clean system. If you have to restore files from the compromised system, be especially cautious of any binaries that you restore, as they may be Trojan horses placed there by the intruder.

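Because Linux systems are becoming easier and easier to install, you might consider saving your configuration files, tidying up the disks, reinstalling, and then restoring your user files and configuration files from backups. This ensures that you have a new, clean system. If you need to restore binary data from the compromised system, be especially careful, because the intruder may have placed Trojan horse programs there.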

Re-installation should be considered mandatory upon an intruder obtaining root access. Additionally, you'd like to keep any evidence there is, so having a spare disk in the safe may make sense.

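If the intruder has obtained root privileges, you should consider reinstalling the system. In addition, consider using a spare disk to preserve evidence.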

Then you have to worry about how long ago the compromise happened, and whether the backups hold any damaged work. More on backups later.

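Then, if you are worried about how long ago the intrusion happened and whether the backups contain damaged data, restore older data.
Backups, Backups, Backups! / Backups, Backups, Backups!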

Having regular backups is a godsend for security matters. If your system is compromised, you can restore the data you need from backups. Of course, some data is valuable to the attacker too, and they will not only destroy it, they will steal it and have their own copies; but at least you will still have the data.

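Regular backups are an unexpected blessing where security incidents are concerned. If your system is compromised, you can restore the data you need from backups. Of course, some data is also valuable to the attacker; they may not destroy it but only steal it and take a copy; but at least you still have the data.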

You should check several backups back into the past before restoring a file that has been tampered with. The intruder could have compromised your files long ago, and you could have made many successful backups of the compromised file!

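Before restoring, you should check the backup files to see whether they have been tampered with. The intruder may have been in your system for a long time, and you may already have backed up the compromised files many times.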

Of course, there are also a raft of security concerns with backups. Make sure you are storing them in a secure place. Know who has access to them. (If an attacker can get your backups, they can have access to all your data without you ever knowing it.)

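Of course, backups also involve many security considerations. Make sure you store them in a secure place. Know who has access to them. (If an attacker can get your backups, they can access all the data without your knowledge.)
Tracking Down the Intruder. / Tracking the Intruder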

Ok, you have locked the intruder out, and recovered your system, but you're not quite done yet. While it is unlikely that most intruders will ever be caught, you should report the attack.

OK, you can now keep the intruder out and recover the system, but that is not enough. Catching most intruders is impossible; you need to report the intrusion.

You should report the attack to the admin contact at the site from which the attacker attacked your system. You can look up this contact with whois or the Internic database. You might send them an email with all applicable log entries and dates and times. If you spotted anything else distinctive about your intruder, you might mention that too. After sending the email, you should (if you are so inclined) follow up with a phone call. If that admin in turn spots your attacker, they might be able to talk to the admin of the site where they are coming from and so on.

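You should report the attack to the administrator of the site the attacker used to attack you. You can use whois or the Internic database to look up the site's administrator. You can send them all the relevant logs, dates and times by e-mail. If you obtained any details about the attacker, you can send those too. After sending the e-mail, you should (if necessary) follow up by phone. If the administrator can find the source of the attack, they can contact the administrator of the upstream site of the attack.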

Good crackers often use many intermediate systems, some (or many) of which may not even know they have been compromised. Trying to track a cracker back to their home system can be difficult. Being polite to the admins you talk to can go a long way to getting help from them.

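Experienced attackers usually use multiple levels of intermediate systems as stepping stones, and the stepping stones usually do not know they have been compromised. Trying to track an attacker is difficult. Communicating politely with administrators can get you a great deal of help.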

You should also notify any security organizations you are a part of (CERT or similar), as well as your Linux system vendor.

You should also notify the security organization you belong to (CERT or similar), as well as your Linux system vendor.
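The warning in section 10.1 that locking an account does not close .rhosts or FTP access, as an added example (not part of the original post or of the HOWTO): a Python check that lists what still works for an account after its password is locked. The `root` directory layout, the function names, the sample accounts and the use of /etc/ftpusers as the FTP deny list are assumptions.

```python
import os
import tempfile


def _read(root, rel):
    try:
        with open(os.path.join(root, rel), encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return ""


def lookup(text, user):
    """Return the colon-separated fields of `user`'s line, or None."""
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return fields
    return None


def residual_access(root, user):
    """List the ways `user` can still get in, reading files under `root`."""
    entry = lookup(_read(root, "etc/passwd"), user)
    if entry is None or len(entry) != 7:
        return ["no passwd entry"]
    findings = []
    shadow = lookup(_read(root, "etc/shadow"), user)
    # Locked means the shadow password field starts with '!' or '*'.
    if shadow is None or len(shadow) < 2 or not shadow[1].startswith(("!", "*")):
        findings.append("password not locked")
    # A locked password does not revoke rlogin/rsh trust granted by ~/.rhosts.
    home = os.path.join(root, entry[5].lstrip("/"))
    if os.path.exists(os.path.join(home, ".rhosts")):
        findings.append(".rhosts present")
    # Assumption: the FTP daemon refuses the users listed in /etc/ftpusers.
    denied = {line.split("#", 1)[0].strip()
              for line in _read(root, "etc/ftpusers").splitlines()}
    if user not in denied:
        findings.append("FTP login not denied")
    return findings


def build_sample_root():
    """Write a constructed sample tree to a temp directory; return its path."""
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"
                      "mallory:x:1001:100::/home/mallory:/bin/sh\n"
                      "alice:x:1002:100::/home/alice:/bin/sh\n",
        "etc/shadow": "root:$1$constructed$hash:13000:0:99999:7:::\n"
                      "mallory:!$1$constructed$hash:13000:0:99999:7:::\n"
                      "alice:$1$constructed$hash:13000:0:99999:7:::\n",
        "etc/ftpusers": "# accounts refused by the FTP daemon\nroot\n",
        "home/mallory/.rhosts": "trusted.example.com mallory\n",
    }
    root = tempfile.mkdtemp(prefix="lockcheck-")
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for name in ("mallory", "alice", "root"):
        print(name, residual_access(sample, name))
```

On a live system, pass `/` as `root` and run it with enough privilege to read /etc/shadow.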

Original poster | Posted on 2006-3-20 14:44:47
12. Glossary / Glossary of Terms

Included below are several of the most frequently used terms in computer security. A comprehensive dictionary of computer security terms is available in the LinuxSecurity.com Dictionary

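Below are some terms frequently used in computer security. A very comprehensive dictionary of computer security vocabulary is available at the LinuxSecurity.com Dictionary.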

    * authentication: The process of knowing that the data received is the same as the data that was sent, and that the claimed sender is in fact the actual sender.

      Authentication: the process of verifying the data sent, and the authenticity of the identity claimed by the sender of the data.
    * bastion Host: A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projects on the outer walls of medieval castles. Bastions overlook critical areas of defense, usually having strong walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers.

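      Bastion host: a computer system that is very easily attacked, usually because it is exposed on the Internet and is the contact point through which internal users communicate with the Internet, so its security requirements are very high. It is named after the heavily fortified works built in the Middle Ages. Bastions overlook important defensive areas and usually have sturdy walls, spare rooms, and the tub of boiling oil occasionally used to resist attackers.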
    * buffer overflow: Common coding style is to never allocate large enough buffers, and to not check for overflows. When such buffers overflow, the executing program (daemon or set-uid program) can be tricked in doing some other things. Generally this works by overwriting a function's return address on the stack to point to another location.

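      Buffer overflow: the usual coding style does not allow allocating large amounts of buffer and does no overflow checking. When a buffer overflow occurs, the executing program (daemon or set-uid program) can be tricked into doing other work. This is usually done by overwriting the return address on a procedure's stack so that it points to another address.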
    * denial of service: An attack that consumes the resources on your computer for things it was not intended to be doing, thus preventing normal use of your network resources for legitimate purposes.

      Denial of service: an attack that consumes your computer's resources so that they cannot be used normally.
    * dual-homed Host: A general-purpose computer system that has at least two network interfaces.

      Dual-homed host: a multi-purpose computer connected to at least two networks.
    * firewall: A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.

      Firewall: a component or set of components used to restrict access between a protected network and the Internet, or between other networks.
    * host: A computer system attached to a network.

      Host: a computer system on a network.
    * IP spoofing: IP Spoofing is a complex technical attack that is made up of several components. It is a security exploit that works by tricking computers in a trust relationship into thinking that you are someone that you really aren't. There is an extensive paper written by daemon9, route, and infinity in the Volume Seven, Issue Forty-Eight issue of Phrack Magazine.

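      IP spoofing: IP spoofing is a complex attack technique made up of several parts. It is a security exploit that, by deceiving computers and gaining a trust relationship, makes the computer think you are someone you are not. An authoritative explanation is given in Phrack Magazine, Issue 48, Volume 7.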
    * non-repudiation: The property of a receiver being able to prove that the sender of some data did in fact send the data even though the sender might later deny ever having sent it.

      Non-repudiation: although the sender may afterwards deny having sent certain data, this technique can prove that the data was sent by them.
    * packet: The fundamental unit of communication on the Internet.

      Packet: the basic unit of network communication.
    * packet filtering: The action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice-versa). To accomplish packet filtering, you set up rules that specify what types of packets (those to or from a particular IP address or port) are to be allowed and what types are to be blocked.

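      Packet filtering: a device used to selectively control where data flows to and comes from. Packet filtering allows or blocks packets as they are routed from one network to another (usually from the Internet to an internal network, and vice versa). To perform packet filtering, you set up rules that specify what types of packets (those sent to or coming from certain IP addresses or ports) should be allowed and what types should be blocked.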
    * perimeter network: A network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ.

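      Perimeter network (demilitarized zone): a network between the external network and the protected network, used to provide an additional layer of security. Sometimes also called a DMZ.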
    * proxy server: A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests to real servers, and relay answers back to clients.

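      Proxy server: a program that deals with external services on behalf of clients on the internal network. Proxy clients interact with the proxy server, which passes the client's requests to the real server and relays the responses to the client.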
    * superuser: An informal name for root.

      Superuser: an informal name for root.

Original poster | Posted on 2006-3-20 14:47:20
13. Frequently Asked Questions / Answers to Common Questions

   1. Is it more secure to compile driver support directly into the kernel, instead of making it a module?

      Is it more secure to compile drivers directly into the kernel rather than building them as modules?

      Answer: Some people think it is better to disable the ability to load device drivers using modules, because an intruder could load a Trojan module or a module that could affect system security.

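      Answer: Some people think it is better to prohibit using modules to load device drivers, because an intruder might load a Trojan module or a module that affects system security.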

      However, in order to load modules, you must be root. The module object files are also only writable by root. This means the intruder would need root access to insert a module. If the intruder gains root access, there are more serious things to worry about than whether he will load a module.

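      However, to load modules you must be root. Module files are also writable only by root. This means an intruder needs root privileges to replace a module. If the intruder has already obtained root privileges, there are more serious problems to worry about than whether a module will be loaded.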

      Modules are for dynamically loading support for a particular device that may be infrequently used. On server machines, or firewalls for instance, this is very unlikely to happen. For this reason, it would make more sense to compile support directly into the kernel for machines acting as a server. Modules are also slower than support compiled directly in the kernel.

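      For certain special devices, support for dynamic module loading is not often needed. On a server, a firewall for example, this is unlikely to happen. So on servers it makes more sense to compile modules directly into the kernel. Modules are also slower than support compiled directly into the kernel.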
   2. Why does logging in as root from a remote machine always fail?

      Why does logging in to a remote machine as root always fail?

      Answer: See Root Security. This is done intentionally to prevent remote users from attempting to connect via telnet to your machine as root, which is a serious security vulnerability, because then the root password would be transmitted, in clear text, across the network. Don't forget: potential intruders have time on their side, and can run automated programs to find your password. Additionally, this is done to keep a clear record of who logged in, not just root.

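      Answer: See Root Security. This is done to prevent remote users from connecting to your server as root via telnet, which is a serious security hole, because the root password is transmitted across the network in clear text. Remember: potential intruders have plenty of time and will run automated programs to sniff your password. In addition, those who log in should be clearly recorded, not just root.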
   3. How do I enable shadow passwords on my Linux box?

      How do I enable shadow passwords on my system?

      Answer:

      To enable shadow passwords, run pwconv as root, and /etc/shadow should now exist, and be used by applications. If you are using RH 4.2 or above, the PAM modules will automatically adapt to the change from using normal /etc/passwd to shadow passwords without any other change.

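      To enable shadow passwords, run pwconv as root; this generates /etc/shadow, which is then used by other programs. If you are using RH 4.2 or later, the PAM modules will automatically adapt to the change from the normal /etc/passwd to shadow passwords.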

      Some background: shadow passwords is a mechanism for storing your password in a file other than the normal /etc/passwd file. This has several advantages. The first one is that the shadow file, /etc/shadow, is only readable by root, unlike /etc/passwd, which must remain readable by everyone. The other advantage is that as the administrator, you can enable or disable accounts without everyone knowing the status of other users' accounts.

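      Some background: shadow passwords are a mechanism for storing your password in a file other than the usual /etc/passwd file. The advantages are, first, that the shadow file /etc/shadow is readable only by root, unlike /etc/passwd, which must be world-readable. Also, as administrator, you can enable or disable an account without everyone else knowing.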

      The /etc/passwd file is then used to store user and group names, used by programs like /bin/ls to map the user ID to the proper user name in a directory listing.

      /etc/passwd is then used to store user and group names, and is used by programs such as /bin/ls to map IDs to user names.

      The /etc/shadow file then only contains the user name and his/her password, and perhaps accounting information, like when the account expires, etc.

      /etc/shadow contains only the user name and its password, plus possible account information such as when the account expires, and so on.

      To enable shadow passwords, run pwconv as root, and /etc/shadow should now exist, and be used by applications. Since you are using RH 4.2 or above, the PAM modules will automatically adapt to the change from using normal /etc/passwd to shadow passwords without any other change.

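      To enable shadow passwords, run pwconv as root; this generates /etc/shadow, which is then used by other programs. If you are using RH 4.2 or later, the PAM modules will automatically adapt to the change from the normal /etc/passwd to shadow passwords.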

      Since you're interested in securing your passwords, perhaps you would also be interested in generating good passwords to begin with. For this you can use the pam_cracklib module, which is part of PAM. It runs your password against the Crack libraries to help you decide if it is too-easily guessable by password-cracking programs.

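      If you are interested in the security of passwords, you should also be interested in using good passwords. If so, you can use the pam_cracklib module, which is part of PAM. It processes passwords using the Crack library, which helps you determine whether a password is easily guessed by password-cracking programs.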
   4. How can I enable the Apache SSL extensions?

      How do I enable the Apache SSL extensions?

      Answer:

         1. Get SSLeay 0.8.0 or later from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL

            Get SSLeay 0.8.0 or later from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL.
         2. Build and test and install it!

            Build, test and install it!
         3. Get Apache source

            Get the Apache source code
         4. Get Apache SSLeay extensions from here

            Get the Apache SSLeay extensions from here
         5. Unpack it in the apache source directory and patch Apache as per the README.

            Unpack it into the apache source directory and patch Apache following the README.
         6. Configure and build it.

            Configure and build

      You might also try ZEDZ net which has many pre-built packages, and is located outside of the United States.

      You can also visit ZEDZ net, which is located outside the United States and provides many pre-built packages.
   5. How can I manipulate user accounts, and still retain security?

      How do I maintain user accounts and still keep them secure?

      Answer: most distributions contain a great number of tools to change the properties of user accounts.

      Answer: Most distributions provide many tools for modifying the properties of user accounts.

          * The pwconv and unpwconv programs can be used to convert between shadow and non-shadowed passwords.

            The pwconv and unpwconv programs are used to convert between shadow and non-shadow passwords.
          * The pwck and grpck programs can be used to verify proper organization of the passwd and group files.

            The pwck and grpck programs are used to verify that the structure of the passwd and group files is correct.
          * The useradd, usermod, and userdel programs can be used to add, delete and modify user accounts. The groupadd, groupmod, and groupdel programs will do the same for groups.

            The useradd, usermod and userdel programs are used to add, delete and modify user accounts. groupadd, groupmod and groupdel are used to handle group accounts.
          * Group passwords can be created using gpasswd.

            Group passwords can be created with gpasswd.

      All these programs are "shadow-aware" -- that is, if you enable shadow they will use /etc/shadow for password information, otherwise they won't.

      All these programs are "shadow-aware" -- that is, if you have enabled shadow, they will take password information from /etc/shadow; otherwise they will not.

      See the respective man pages for further information.

      For more information see the respective man pages.
   6. How can I password-protect specific HTML documents using Apache?

      How do I password-protect specific HTML documents served by Apache?

      I bet you didn't know about http://www.apacheweek.org, did you?

      I think you do not know about http://www.apacheweek.org, do you?

      You can find information on user authentication at http://www.apacheweek.com/features/userauth as well as other web server security tips from http://www.apache.org/docs/misc/security_tips.html

      You can find information on user authentication at http://www.apacheweek.com/features/userauth, and other tips about web servers at http://www.apache.org/docs/misc/security_tips.html.
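FAQ 3 and FAQ 5 above describe what pwconv changes; as an added example (not part of the original post or of the HOWTO), this Python check reports, per account, whether the hash has actually moved out of /etc/passwd and whether the shadow file is world-readable. The function names, status strings and sample lines are assumptions made for illustration, and the hash values are constructed placeholders.

```python
import os
import stat

# Constructed sample data; the hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1002:100::/home/alice:/bin/sh
bob:$1$constructed$bobhash:1003:100::/home/bob:/bin/sh
guest::1004:100::/home/guest:/bin/sh
carol:x:1005:100::/home/carol:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$constructed$roothash:13000:0:99999:7:::
alice:!$1$constructed$alicehash:13000:0:99999:7:::
"""


def audit_accounts(passwd_text, shadow_text):
    """Map each passwd account to the state of its password field."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        user, pw, where = fields[0], fields[1], "passwd"
        if pw == "x":  # pwconv leaves 'x' here and moves the hash to shadow
            if user not in shadow:
                report[user] = "missing shadow entry"
                continue
            pw, where = shadow[user], "shadow"
        if pw == "":
            report[user] = "no password"
        elif pw.startswith(("!", "*")):
            report[user] = "locked"
        else:
            report[user] = "hash in " + where
    return report


def world_readable(path):
    """True when users other than the owner and group can read `path`."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH)


if __name__ == "__main__":
    for user, state in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(user, state)
    if os.path.exists("/etc/shadow"):
        print("/etc/shadow world-readable:", world_readable("/etc/shadow"))
```

Any account reported as "hash in passwd" still exposes its hash to every local user, which is the situation shadow passwords are meant to end.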

Original poster | Posted on 2006-3-20 14:52:15
14. Conclusion / Conclusion

By subscribing to the security alert mailing lists, and keeping current, you can do a lot towards securing your machine. If you pay attention to your log files and run something like tripwire regularly, you can do even more.

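By subscribing to security alert mailing lists and keeping up to date, you can make your machine more secure. If you put more effort into log files and running programs such as tripwire, you can do even better.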

A reasonable level of computer security is not difficult to maintain on a home machine. More effort is required on business machines, but Linux can indeed be a secure platform. Due to the nature of Linux development, security fixes often come out much faster than they do on commercial operating systems, making Linux an ideal platform when security is a requirement.

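Reaching a reasonable level of computer security is not hard on a home computer. Business machines require more effort, but Linux is an ideal secure platform. Owing to the nature of Linux development, security holes are patched much faster than on other commercial operating systems, which makes it an even more ideal secure platform.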

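Posted on 2006-3-20 16:56:23
It would be unfair to the original poster if this thread were not marked as a featured post.

Thanks again to senior member eTony for the contribution.

Posted on 2006-3-20 19:32:01
Wow, the whole thing translated????
The original poster is amazing...

Posted on 2006-3-20 20:01:15
Thanks to the original poster for the work.

Posted on 2006-3-20 20:19:46
Brother 无泉之城: could you send me the English version of the e-book? huang_wei_yang@163.com Thanks

Posted on 2006-3-20 20:34:58
Thanks for the great work, boss!

Strongly support!

Original poster | Posted on 2006-3-20 21:02:56
Post by 苦涩之恋
Brother 无泉之城: could you send me the English version of the e-book? huang_wei_yang@163.com Thanks


The document gives the download address.
I checked, and it can be downloaded.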