Securing and Optimizing Linux RedHat Edition phần 9 ppt

Step 2 You must restart the Apache web server for the changes to take effect: • To restart Apache, use the following commands: [root@deep /]# /etc/rc.d/init.d/httpd restart Create the p

Step 2

You must restart the Apache web server for the changes to take effect:

• To restart Apache, use the following commands:

[root@deep /]# /etc/rc.d/init.d/httpd restart

Create the php.php file in your DocumentRoot (touch /home/httpd/ona/php.php) and add the

following lines in the PHP file:

Now, point your web browser to the following address: http://my-web-server/php.php

The <my-web-server> is the address where your Apache web server lives, and <php.php> is the PHP document we have created above to display the information and configuration of our Linux server

If you see something like the above page appearing in your web browser… congratulations! Your PHP module is working

Perl module Devel::Symdump

If you intend to use the mod_perl programming language support with your Apache web server, it can be interesting to install the small perl module program named “Devel::Symdump” This third party module will allow you to inspect perl's symbol table and the class hierarchies within a running program To build and install it, follow these steps

Packages

Devel-Symdump Homepage: http://www.perl.com/CPAN/modules/by-module/Devel/

You must be sure to download: Devel-Symdump-2_00_tar.gz

Devel-Symdump version number is 2.00

[root@deep /]# cp Devel-Symdump-version.tar.gz /var/tmp/

[root@deep /]# cd /var/tmp/

[root@deep tmp]# tar xzpf Devel-Symdump-version.tar.gz

Step 1

Move into the new Devel-Symdump directory and type the following commands on your terminal

to compile and install the module on your Linux server:

[root@deep Devel-Symdump-2.00]# perl Makefile.PL

[root@deep Devel-Symdump-2.00]# make

[root@deep Devel-Symdump-2.00]# make test

[root@deep Devel-Symdump-2.00]# make install

Step 2

Once the module has been installed on your system, you must include in your

“/etc/httpd/conf/httpd.conf” file the following lines to be able to see the status of different Perl modules on the server:

Edit the httpd.conf file (vi /etc/httpd/conf/httpd.conf) and add the following lines:

You must restart the Apache web server for the changes to take effect:

• To restart Apache, use the following commands:

[root@deep /]# /etc/rc.d/init.d/httpd restart

To verify that it works, points your web browser to the following address:

http://my-web-server/perl-status/ The <my-web-server> is the address where your Apache web server lives

Cleanup after work

CGI.pm Perl library

The CGI.pm is a Perl5 library for writing World Wide Web CGI scripts Older versions of this software exist by default on your system, but they are buggy It’s recommended that you update your copy to version 2.56, at least To update this module, please follow these steps

Packages

CGI.pm Homepage: http://stein.cshl.org/WWW/software/CGI/cgi_docs.html

You must be sure to download: CGI_pm_tar.gz

CGI.pm version number is 2.56

[root@deep /]# cp CGI_pm_tar.gz /var/tmp/

[root@deep /]# cd /var/tmp/

[root@deep tmp]# tar xzpf CGI_pm_tar.gz

Step 1

First of all, we’ll check the version of CGI.pm installed in our system

• You can check your current “CGI.pm” version number with the following command:

[root@deep]# perl -e 'use CGI; print $CGI::VERSION."\n";'

2.46

Step 2

Move into the new CGI.pm directory and type the following commands on your terminal to

compile and install the updated libraries on your Linux server:

[root@deep CGI.pm-2.56]# perl Makefile.PL

[root@deep CGI.pm-2.56]# make

[root@deep CGI.pm-2.56]# make test

[root@deep CGI.pm-2.56]# make install

Cleanup after work

Securing Apache

Change some important permissions on files and directories for your Web Server

When you install Apache on your server, there are some files and directories that have too many permissions set by default The binary program “httpd” can be set to be read-only by the super-user “root”, and executable by the owner, group, and others for better security The

“/etc/httpd/conf” and “/var/log/httpd” directories don’t need to by readable, writable or executable

by other people

[root@deep /]# chmod 511 /usr/sbin/httpd

[root@deep /]# chmod 750 /etc/httpd/conf/

[root@deep /]# chmod 750 /var/log/httpd/

Automatic indexing

If you have enabled the automatic indexing of directories in your Apache configuration file,

(IndexOptions in httpd.conf), then you’ll have a security issue since any requests for a directory that don't find an index file will build an index of what is in the directory In many cases, you may only want people seeing files that you specifically link to To turn this off, you need to remove read permissions from the DocumentRoot directory (but not the files inside it)

[root@deep /]# cd /home/httpd/

[root@deep httpd]# chmod 311 ona

[root@deep httpd]# ls -la

d-wx x x 13 webadmin webadmin 1024 Jul 28 08:12 ona

Now, with this modification, any requests for this protected directory should return an error

message like:

Forbidden

You don't have permission to access “/ona/” on this server

NOTE: “ona” is the DocumentRoot (the directory out of which you will serve your documents) in our example

Create the dbmpasswd password file for users authentication

This step is necessary only if you think that you’ll use an access file authentication system for your web site Access file authentication is used when you have the need to protect some part of your web site with a user password With Apache, a lot of options exist to protect your site with usernames and passwords

Step 1

The “dbmmanage” program utility of Apache can be used to create and update usernames and passwords of HTTP users This method use a DBM format files that is the fastest mechanism when you have thousands users to manage in your password file First of all, it’s important to change the permission of this program to be (0750/-rwxr-x -), writable only by the super-user

“root”, readable and executable by group and nothing for the others

• To change the permissions on the “dbmmanage” program, use the following command:

[root@deep /]# chmod 750 /usr/bin/dbmmanage

• To create a username and password, use the following command:

[root@deep /]# /usr/bin/dbmmanage /etc/httpd/.dbmpasswd adduser username

New password:

Re-type new password:

User username added with password encrypted to l4jrdAL9MH0K

Where </etc/httpd> is the location of the password file, <.dbmpasswd> is the name of the

password file, and <username> is the name of the user you want to add in your “.dbmpasswd” file

Step 2

If you use the “dbmmanage” utility with your Apache web server to create passwords and

usernames, don’t forget to include in your “/etc/httpd/conf/httpd.conf” configuration file the part of your web site you need to protect with user password authentication:

Edit the httpd.conf file (vi /etc/httpd/conf/httpd.conf) and add the following lines to protect the

“private” directory of your web site “ona” with user password authentication:

Step 3

You must restart Apache web server for the changes to take effect:

• To restart Apache, use the following commands:

[root@deep /]# /etc/rc.d/init.d/httpd restart

Shutting down http: [ OK ]

Starting httpd: [ OK ]

Step 4

Finally, we must test the new protected directory named (private)

To verify that it works, point your web browser to the following address:

http://my-web-server/private/ The <my-web-server> is the address where your Apache web server lives The

</private/> is the directory we want to protect with user password authentication

Immunize important configuration file like “httpd.conf”

As we already know, the immutable bit can be used to prevent deletion, overwriting or creation of

a symbolic link to a file Once your “httpd.conf” file has been configured, it’s a good idea to

immunize it with the following command:

[root@deep /]# chattr +i /etc/httpd/conf/httpd.conf

Running Apache in a chroot jail

This part focuses on preventing Apache from being used as a point of break-in to the system

hosting it Apache by default runs as a non-root user, which will limit any damage to what can be

done as a normal user with a local shell Of course, allowing what amounts to an anonymous guest account falls rather short of the security requirements for most Apache servers, so an

additional step can be taken - that is, running Apache in a chroot jail

The main benefit of a chroot jail is that the jail will limit the portion of the file system the daemon can see to the root directory of the jail Additionally, since the jail only needs to support Apache, the programs available in the jail can be extremely limited Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail

Chrooting apache is no easy task and has a tendency to break things Before we embark on this,

we need to first decide whether it is beneficial for you to do so Some pros and cons are, but most certainly not limited to, the following:

Pros:

If apache is ever compromised, the attacker will not have access to the entire file system

Poorly written CGI scripts that may allow someone to access your server will not work

Cons:

There are extra libraries you'll need to have in the chroot jail for Apache to work

If you use any Perl/CGI features with Apache, you will need to copy the needed binaries, Perl libraries and files to the appropriate spot within the chroot space The same applies for SSL, PHP, LDAP, PostgresSQL and other third-party programs

The chrooted configuration listed below supposes that you’ve compiled your Apache server with

the external program mod_ssl The differences in what you’ve compiled with your Apache web

server reside in which libraries and binaries you‘ll need to copy to the chrooted directory

Remember that if you’ve compiled Apache to use mod_perl, you must copy all the related

binaries and Perl libraries to the chrooted directory Perl resides in “/usr/lib/perl5” and in case you use Perl features, copy the Perl directories to “/chroot/httpd/usr/lib/perl5/” Don’t forget to create the directory “/chroot/httpd/usr/lib/perl5” in your chrooted structure before copying

The following are the necessary steps to run Apache Web Server in a chroot jail:

Add a new UID and a new GID if this is not already done for running Apache httpd This is

important because running it as root defeats the purpose of the jail, and using a different UID that already exists on the system (i.e nobody) can allow your services to access each others'

resources Consider the scenario where a web server is running as nobody, or any other overly used UID/GID and compromised The cracker can now access any other processes running as nobody from within the chroot

These are sample UID/GIDs Check the “/etc/passwd” and “/etc/group” files for a free UID/GID number In our configuration we'll use the numeric value “80” and UID/GID “www”

[root@deep /]# useradd -c “Apache Server” -u 80 -s /bin/false -r -d /home/httpd www 2>/dev/null || :

The above commands will create the group “www” with the numerical GID value 80, and the user

“www” with the numerical UID value 80

Step 3

Set up the chroot environment First we need to create the chrooted Apache structure We use

“/chroot/httpd” for the chrooted Apache The “/chroot/httpd” is just a directory on a different partition where we've decided to put apache for more security

[root@deep /]# /etc/rc.d/init.d/httpd stop
only if Apache is already installed and run on your system.

Shutting down http: [ OK ]

[root@deep /]# mkdir /chroot/httpd

Next, create the rest of directories as follows:

[root@deep /]# mkdir /chroot/httpd/dev

[root@deep /]# mkdir /chroot/httpd/lib

[root@deep /]# mkdir /chroot/httpd/etc

[root@deep /]# mkdir -p /chroot/httpd/usr/sbin

[root@deep /]# mkdir -p /chroot/httpd/var/run

[root@deep /]# mkdir -p /chroot/httpd/var/log/httpd

[root@deep /]# chmod 750 /chroot/httpd/var/log/httpd/

[root@deep /]# mkdir -p /chroot/httpd/home/httpd

Copy the main configuration directory, the configuration files, the cgi-bin directory, the root

directory and the httpd program to the chroot jail:

[root@deep /]# cp -r /etc/httpd /chroot/httpd/etc/

[root@deep /]# cp -r /home/httpd/cgi-bin /chroot/httpd/home/httpd/

[root@deep /]# cp -r /home/httpd/your-DocumentRoot /chroot/httpd/home/httpd/

[root@deep /]# mknod /chroot/httpd/dev/null c 1 3

[root@deep /]# chmod 666 /chroot/httpd/dev/null

[root@deep /]# cp /usr/sbin/httpd /chroot/httpd/usr/sbin/

We need the “/chroot/httpd/etc”, “/chroot/httpd/dev”, “/chroot/httpd/lib”, “/chroot/httpd/usr/sbin”,

“/chroot/httpd/var/run”, “/chroot/httpd/home/httpd” and “/chroot/httpd/var/log/httpd” directories because, from the point of the chroot, we're sitting at “/”

Step 4

If you have compiled your Apache web server with SSL support, you must copy the entire

“/etc/ssl” directory that handles all private and public keys to the chroot jail

[root@deep /]# cp -r /etc/ssl /chroot/httpd/etc/
require only if you use mod_ssl feature.

[root@deep /]# chmod 600 /chroot/httpd/etc/ssl/certs/ca.crt
require only if you use mod_ssl feature.

[root@deep /]# chmod 600 /chroot/httpd//etc/ssl/certs/server.crt
require only if you use mod_ssl feature.

[root@deep /]# chmod 600 /chroot/httpd/etc/ssl/private/ca.key
require only if you use mod_ssl feature.

[root@deep /]# chmod 600 /chroot/httpd/etc/ssl/private/server.key
require only if you use mod_ssl feature.

Step 5

Since we have compiled apache to use shared libraries, we need to install them into the chroot

directory structure Use ldd /chroot/httpd/usr/sbin/httpd to find out which libraries are needed

The output (depending on what you’ve compiled with Apache) will be something similar to:

Copy the shared libraries identified above:

[root@deep /]# cp /lib/libpam.so.0 /chroot/httpd/lib/

[root@deep /]# cp /lib/libm.so.6 /chroot/httpd/lib/

[root@deep /]# cp /lib/libdl.so.2 /chroot/httpd/lib/

[root@deep /]# cp /lib/libcrypt.so.1 /chroot/httpd/lib/

[root@deep /]# cp /lib/libnsl* /chroot/httpd/lib/

[root@deep /]# cp /lib/libresolv* /chroot/httpd/lib/

[root@deep /]# cp /lib/libdb.so.3 /chroot/httpd/lib/

[root@deep /]# cp /lib/libc.so.6 /chroot/httpd/lib/

[root@deep /]# cp /lib/ld-linux.so.2 /chroot/httpd/lib/

You'll also need the following extra libraries for some network functions, like resolving:

[root@deep /]# cp /lib/libnss_compat* /chroot/httpd/lib/

[root@deep /]# cp /lib/libnss_dns* /chroot/httpd/lib/

[root@deep /]# cp /lib/libnss_files* /chroot/httpd/lib/

Step 6

We now need to copy the passwd and group files inside the “/chroot/httpd/etc” chrooted directory The concept here is the same as how ftpd uses passwd and group files Next, we’ll remove all entries except for the user that apache runs as in both files (passwd and group)

[root@deep /]# cp /etc/passwd /chroot/httpd/etc/

[root@deep /]# cp /etc/group /chroot/httpd/etc/

Edit the passwd file (vi /chroot/httpd/etc/passwd) and delete all entries except for the user

apache run as (in our configuration, it’s “www”):

www:x:80:80::/home/www:/bin/bash

Edit the group file (vi /chroot/httpd/etc/group) and delete all entries except the group apache run

as (in our configuration it’s “www”):

www:x:80:

Step 7

You will also need “/etc/resolv.conf”, “/etc/nsswitch.conf” and “/etc/hosts” files in your chroot

jail

[root@deep /]# cp /etc/resolv.conf /chroot/httpd/etc/

[root@deep /]# cp /etc/hosts /chroot/httpd/etc/

[root@deep /]# cp /etc/nsswitch.conf /chroot/httpd/etc/

Step 8

Now we must set some files in the chroot jail directory immutable for better security

• Set the immutable bit on “passwd” file:

[root@deep /]# cd /chroot/httpd/etc/

[root@deep /]# chattr +i passwd

• Set the immutable bit on “group” file:

[root@deep /]# cd /chroot/httpd/etc/

[root@deep /]# chattr +i group

• Set the immutable bit on “httpd.conf” file:

[root@deep /]# cd /chroot/httpd/etc/httpd/conf/

[root@deep /]# chattr +i httpd.conf

• Set the immutable bit on “resolv.conf” file:

[root@deep /]# cd /chroot/httpd/etc/

[root@deep /]# chattr +i resolv.conf

• Set the immutable bit on “hosts” file:

[root@deep /]# cd /chroot/httpd/etc/

[root@deep /]# chattr +i hosts

• Set the immutable bit on “nsswitch.conf” file:

[root@deep /]# cd /chroot/httpd/etc/

[root@deep /]# chattr +i nsswitch.conf

Step 9

Copy the “localtime” file to the jail so that log entries are adjusted for your local timezone properly:

[root@deep /]# cp /etc/localtime /chroot/httpd/etc/

Step 10

Remove unnecessary Apache files and directories:

[root@deep /]# rm -rf /var/log/httpd/

Tell syslogd about the new chrooted service

Normally, processes talk to syslogd through “/dev/log” As a result of the chroot jail, this won't be possible, so syslogd needs to be told to listen to “/chroot/httpd/dev/log” To do this, edit the syslog startup script to specify additional places to listen

Edit the syslog script (vi /etc/rc.d/init.d/syslog) to change the line:

daemon syslogd -m 0

To read:

daemon syslogd -m 0 -a /chroot/httpd/dev/log

Step 12

The default httpd script file of Apache starts the daemon “httpd” outside the chroot jail We must

change it to now start httpd from the chroot jail Edit the httpd script file (vi /etc/rc.d/init.d/httpd)

and change the line:

Finally, we must test the new chrooted jail configuration of our Apache Web Server

• The first thing to do is to restart our syslogd daemon with the following command:

[root@deep /]# /etc/rc.d/init.d/syslog restart

Shutting down kernel logger: [ OK ]

Shutting down system logger: [ OK ]

Starting system logger: [ OK ]

Starting kernel logger: [ OK ]

• Now, start the new chrooted jail Apache with the following command:

[root@deep /]# /etc/rc.d/init.d/httpd start

Configuration of the new “/etc/logrotate.d/apache” file

Now Apache logs files residing in the “/chroot/var/log/httpd” directory instead of “/var/log/httpd”, and for this reason we need to modify the “/etc/logrotate.d/httpd” file to point to the new chrooted directory Also, we’ve compiled Apache with mod_ssl, so we’ll add one more line to permit the logrotate program to rotate the “ssl_request_log” and “ssl_engine_log” files Configure your

“/etc/logrotate.d/apache” file to rotate your log files each week automatically

Create the apache file (touch /etc/logrotate.d/apache) and add:

The mod_mmap_static module of Apache

There is a special module with the Apache distribution named “mod_mmap_static” that can by used to improve the performance of your Web Server This module works by providing mappings

of a statically configured list of frequently requested, but not changed, files in your RootDirectory

So, if files displayed by Apache don’t change often, you can use this module to memory-map the static documents and increase the speed of your Apache web server

It’s important to note that the mod_mmap_static module of Apache must be enabled during the

configuration and compilation time of Apache before you can use it If you have follow what was described in the configuration and compilation time section above, this is already in Apache ( add-module- /mod_mmap_static.c)

Step 1

• To memory-map static documents, use the following command:

[root@deep /]# find /home/httpd/ona -type f -print | sed -e 's/.*/mmapfile &/' >

/etc/httpd/conf/mmap.conf

The </home/httpd/ona> is the RootDirectory, or to be more precise, the directory out of which you will serve your documents, and the </etc/httpd/conf/mmap.conf> is the location where we want to create this file, “mmap.conf”, that contains a static memory-map of all documents under our RootDirectory

Step 2

Once the “mmap.conf” file has been create under the location where we have chosen to keep this file, we must include it in the “httpd.conf” file of Apache to be able to use its features on our web server

Edit the httpd.conf file (vi /etc/httpd/conf/httpd.conf) and add the line:

Step 3

You must restart the Apache web server for the changes to take effect:

• To restart Apache, use the following commands:

[root@deep /]# /etc/rc.d/init.d/httpd restart

Shutting down http: [ OK ]

Starting httpd: [ OK ]

The atime and noatime attributes

The atime and noatime attributes of Linux can be used to get measurable performance gains in Apache See Chapter 4 in this book, “General System Optimization”, for more information on the subject

Installed files for Apache Web Server

Installed files for PHP4 server-side scripting language with Apache Web Server

Installed files for mod_perl programming language with Apache Web Server

Chapter 20 Optional component to install with Apache

In this Chapter

Webalizer

Configurations

Inform Apache about the output directory of Webalizer

Running Webalizer manually for the first time

Running Webalizer automatically with a cron job

FAQ-O-Matic

Inform Apache about the location of Faq-O-Matic files

Configure your FAQ-O-Matic software

Webmail IMP

Setting up PHPLib which is requires by Horde program of Webmail IMP Configure and create Webmail IMP SQL database

Configure your “php.ini” configuration file of PHP4

Configure Apache to recognize Webmail IMP

Optional component to install with Apache

In this chapter, I will speak about three-useful external programs that you may install on your Linux server These programs have been made for use with the Apache Web Server, and are useful only if you intend to use Apache in your organization If this is not the case, you can skip this chapter and continue through the rest of this book To begin, we’ll talk about Webalizer, which is a web server log file analysis program Then we’ll discuss FAQ-O-Matic, which can be used when you want a FAQ list, bug-tracing database, documentation and much more on your server Finally, we’ll talk about a very sophisticated and interesting program called Webmail, which allows you to offer free mail accounts to your clients, or access and read your mail, in a secure manner

Linux Webalizer

Overview

A web server like Apache logs all predefined log entry information into a text file that can be viewed and analyzed by the web administrator This file can also be evaluated by a special program which can produce the information in a graphical presentation, making interpretation easier for the administrator

As explained in the README file of Webalizer:

The Webalizer is a web server log file analysis program, which produces usage statistics in HTML format for viewing with a browser The results are presented in both columnar and graphical format, which facilitates interpretation Yearly, monthly, daily and hourly usage statistics are presented, along with the ability to display usage by site, URL, referrer, user agent (browser) and country (user agent and referrer are only available if your web server produces Combined log format files)

These installation instructions assume

Commands are Unix-compatible

The source path is “/var/tmp” (other paths are possible)

Installations were tested on Red Hat Linux 6.1 and 6.2

All steps in the installation will happen in super-user account “root”

Webalizer version number is 1_30-04

Decompress the tarball (tar.gz)

[root@deep /]# cp webalizer-version-src.tgz /var/tmp/

[root@deep /]# cd /var/tmp/

[root@deep tmp]# tar xzpf webalizer-version-src.tgz

Prerequisites

The Webalizer requires that the GD Graphics Library, which is required for generating inline graphics for the Webalizer program, be already installed on your system If this is not the case, you must install it from your Red Hat Linux CD-ROM

• To verify that the GD package is installed on your Linux system, use the following

command:

[root@deep /]# rpm -qi gd

package gd is not installed

• To install the GD packages on your Linux system, use the following command:

[root@deep /]# mount /dev/cdrom /mnt/cdrom/

[root@deep RPMS]# cd /; umount /mnt/cdrom/

The Apache web server should be already installed on your system to be able to use Webalizer software, of course

NOTE: For more information on Apache web server, see its related chapter in this book

[root@deep webalizer-1.30-04]# make

[root@deep webalizer-1.30-04]# make install

[root@deep webalizer-1.30-04]# mkdir /home/httpd/usage

The “make” command will compile all source files into executable binaries, and “make install” will install the binaries and any supporting files into the appropriate locations The “mkdir” will

create a new directory named “usage” under the “/home/httpd/” directory where we’ll handle all related Webalizer files

Cleanup after work

[root@deep /]# cd /var/tmp

[root@deep tmp]# rm -rf webalizer-version/ webalizer-version-src.tgz

The “rm” command will remove all the source files we have used to compile and install

Webalizer It will also remove the Webalizer compressed archive from the “/var/tmp” directory

Configurations

All software we describe in this book has a specific directory and subdirectory in a tar

compressed archive named “floppy.tgz” containing file configurations for specific programs If you get this archive file, you won’t be obliged to reproduce the different configuration files below, manually, or cut and paste them to create your configuration files Whether you decide to

manually copy them, or get the files made for your convenience from the archive, it will be your

responsibility to modify, adjust for your needs and place the files related to the Webalizer

software in the appropriate places on your server, as shown below The server configuration files archive to download is located at the following Internet address:

http://www.openna.com/books/floppy.tgz

• To run Webalizer, the following file is required, and must be created or copied to the appropriate directory on your server

Copy the webalizer.conf file to the “/etc/” directory

You can obtain the configuration file listed below on our floppy.tgz archive Copy the following file from the decompressed floppy.tgz archive to the appropriate place or copy and paste it directly from this book to the concerned file

Configuration of the “/etc/webalizer.conf” file

The “/etc/webalizer.conf” is the default configuration file for Webalizer With it, you can specify which directories or pages in your web site to analyze, which URL’s to hide, and so on By

default, the Webalizer program will install a sample configuration file named

“webalizer.conf.sample” under the “/etc/” directory of Linux You can use this file to configure your choices and then rename it “webalizer.conf”, and the Webalizer program will be able to find and use it A lot of options exist and it’s important to read the documentation that comes with

Webalizer for more information on all of the different setting and parameters Also, it’s important

to note that we comment in this Webalizer configuration file only the most common and used parameters

Edit the webalizer.conf.sample file (vi /etc/webalizer.conf.sample) or create the webalizer.conf

file (touch /etc/webalizer.conf) and add/change in this file:

The option “LogFile” specifies the logfile to use with Webalizer The default log file is supposed to

be the “access_log” of Apache Web Server, but you can specifies a different one, like the one Squid Proxy Server makes named “access.log” if you use it in httpd-accelerator mode See Chapter 18, “Servers Software Proxy Network Services”, for more information