Basic physical security
Keep your server closet locked.
Remove floppy and CD devices.
Prevent booting from USB by configuring BIOS.
Set a BIOS password.
Set a boot loader password in LILO or GRUB. (See http://www.scrye.com/~kevin/lsh/x184.html for details.)
Don’t walk away from the computer while you’re logged in. Or, lock your screen. In Red Hat/Fedora:
Red Hat button > Lock Screen
In SUSE:
Desktop menu > Lock Screen
If a command needs to keep running after you log out, start it with nohup rather than leaving a logged-in session unattended:
nohup myscript.sh &
Make sure your system clock is correct. Syncing to an internet time service (NTP) is a good idea for this. Odd timestamps in your logs are surely a sign of trouble.
Don’t log in as root; instead, use:
su -
You can run a single command as root using:
su -c 'pwconv' root
If you are listed in /etc/sudoers, you can use sudo:
sudo pwconv
Make sure your root prompt is different from other users’, so you can tell you’re working as root.
Make sure that all directories in root’s $PATH are writable ONLY by root.
Create specialized accounts for limited root-like functions, for instance, a shutdown account and group.
Edit /etc/fstab to disallow suid in /home . You’ll use a line similar to:
/dev/hda2 /home ext2 defaults,nosuid,nodev 0 2
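Editing fstab by hand is only half the job; it is easy to forget the options on one line. The following shell function, an added example that is not part of the original checklist, parses an fstab-style file and reports which of the required options are missing for a given mount point. The sample fstab it builds is constructed for the demonstration and is not any real system's file.

```shell
#!/bin/sh
# Added example (not from the original checklist): verify that a mount point in
# an fstab-style file carries the mount options you require.
# Usage: check_fstab_opts FSTAB_FILE MOUNTPOINT OPTION...
# Prints each required option that is absent (one per line); returns 1 if any
# are missing, 0 if all are present.
check_fstab_opts() {
    fstab="$1"; mnt="$2"; shift 2
    # Field 4 of the line whose second field is the mount point; comment and
    # blank lines are skipped. The last matching line wins, as mount(8) does.
    opts=$(awk -v m="$mnt" '$0 !~ /^[ \t]*(#|$)/ && $2 == m { o = $4 } END { print o }' "$fstab")
    missing=0
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;                     # option present
            *) echo "$want"; missing=1 ;;       # option absent
        esac
    done
    return $missing
}

# Constructed sample fstab (not a real system's) for the demonstration.
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# <device>   <mount point>  <type>  <options>               <dump> <pass>
/dev/hda1    /              ext2    defaults                0 1
/dev/hda2    /home          ext2    defaults                0 2
/dev/hda3    /var           ext2    defaults,nosuid,nodev   0 2
EOF
    echo "$f"
}

# Stand-alone run: /home lacks both options, /var has them.
if [ "${1:-}" = "demo" ]; then
    f=$(make_sample_fstab)
    check_fstab_opts "$f" /home nosuid nodev && echo "/home OK" || echo "/home: add the options listed above"
    check_fstab_opts "$f" /var nosuid nodev && echo "/var OK"
    rm -f "$f"
fi
```

Run it as `sh check_fstab.sh demo`, or point `check_fstab_opts` at the real `/etc/fstab` once you trust it. Remember that fstab only describes the next mount; compare against `mount` output (or `findmnt`) to confirm what is in effect right now.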
Set up user accounts so they’re disabled as soon as the password expires:
usermod -f 0 username
Disable root access to users who mount NFS exports (see /etc/exports); do not use the no_root_squash option.
Don’t create file resources that are world-writable. Instead, create a group for the resource, set permissions on the group, then add users as necessary.
Eliminate Unneeded Default User Accounts
Some OSs, such as AIX, come with a range of default accounts: guest, nobody, anonymous, etc. Do you need anonymous for your FTP site? (No, if you’re not running anon FTP!)
Buffer overruns
nmap
nmap -sT <servername>
Displays the services running on <servername>.
See man nmap.
Review your TCP Wrappers access files:
/etc/hosts.allow
/etc/hosts.deny
Implement TCP Wrappers as necessary:
Red Hat/Fedora: http://www.ms.washington.edu/Docs/Linux/rhel-rg-en-3/ch-tcpwrappers.html
SUSE: See Installing a Secure Server with SUSE® Linux Enterprise Server 9 and Novell® AppArmor, search for TCP Wrappers.
Audit: what user is running each service? What directories and files does that user own?
Apache (httpd)
ls -l /var/www/html
useradd webmast
passwd webmast
chown webmast:webmast /var/www/html/*
Review your services:
/etc/services
Disable Services
1. Audit for unnecessary services using the Services applet.
2. Check /etc/inetd.conf in older versions of Linux.
3. DISABLE: UUCP, PPP, NNTP, Gopher, rsh, rcp
4. If you don’t know what a service does, disable it. Use the netstat command to make sure it’s off. Does everything you need still work?
Many applications that authenticate users do so via Pluggable Authentication Modules (PAM). PAM logs to /var/log/wtmp in a binary format. To read it:
who /var/log/wtmp
This will tell you who’s been logging in.
Consider installing an IDS on critical systems.
See http://www.tripwire.com/ and http://www.die.net/doc/linux/man/man8/snort.8.html.
Find all files that are world-writable.
Command:
find / -perm -2 ! -type l -ls
Note that files in /proc and /tmp may have to be world-writable.
You can run:
find /home -perm -2 ! -type l -ls | awk '{print $11}' | xargs chmod 644
to crush world-writable permissions in users’ home folders. This is good when people have written web scripts with world-writable html page targets. (Don’t ask me how I know this.)
Find any files with no owner or group; these are evidence of intrusion.
Command:
find / -nouser -o -nogroup
Audit any programs that use setuid or setgid. Do they really need this?
Command:
find / -type f -perm /6000 -ls
(Older versions of find wrote this as -perm +6000; current GNU find rejects the + form for octal modes, and /6000 means "either the setuid or the setgid bit is set".)
If they can and should be changed, command:
chmod -s filename
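The world-writable and setuid/setgid checks above are one-off commands; in practice you want to run them together and make the cleanup narrower than a blanket `chmod 644`, which also strips execute bits and breaks directories. The script below is an added example, not part of the original checklist: `audit_tree` folds those find commands into one report, and `fix_world_writable` removes only the other-write bit from regular files. It builds a throwaway directory tree for the demonstration; the unowned-file check (`-nouser -o -nogroup`) is left out only because creating such files needs root.

```shell
#!/bin/sh
# Added example (not from the original checklist): one audit function covering
# the page's world-writable and setuid/setgid find checks, plus a narrower
# fix than "chmod 644" for world-writable files.
# Usage: audit_tree DIR   -> prints sorted "KIND PATH" lines
audit_tree() {
    dir="$1"
    {
        # World-writable regular files; -type f excludes symlinks and directories
        find "$dir" -type f -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
        # World-writable directories lacking the sticky bit (anyone may delete entries)
        find "$dir" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/WW_DIR_NO_STICKY /'
        # Regular files with setuid or setgid set (/6000 = either bit)
        find "$dir" -type f -perm /6000 -print | sed 's/^/SETUGID /'
    } | sort
}

# fix_world_writable DIR: clear only the other-write bit on regular files,
# leaving execute bits and directories untouched.
fix_world_writable() {
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree in a temp dir (not a real /home); prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    echo "fine"  > "$t/ok.txt";       chmod 644 "$t/ok.txt"     # not reported
    echo "loose" > "$t/loose.txt";    chmod 666 "$t/loose.txt"  # reported
    echo "#!/bin/sh" > "$t/loose.sh"; chmod 777 "$t/loose.sh"   # reported; keeps +x after fix
    ln -s "$t/loose.txt" "$t/link"                              # symlink: never reported
    mkdir "$t/drop";   chmod 777  "$t/drop"                     # reported
    mkdir "$t/shared"; chmod 1777 "$t/shared"                   # sticky bit: not reported
    : > "$t/suid_bin"; chmod 4755 "$t/suid_bin"                 # reported
    : > "$t/sgid_bin"; chmod 2755 "$t/sgid_bin"                 # reported
    echo "$t"
}

# Stand-alone run: audit, fix, audit again, clean up.
if [ "${1:-}" = "demo" ]; then
    t=$(make_sample_tree)
    audit_tree "$t"
    fix_world_writable "$t"
    echo "--- after fix_world_writable ---"
    audit_tree "$t"
    rm -rf "$t"
fi
```

Run `sh audit_tree.sh demo` to see the before/after listing. On a live system, review the SETUGID lines by hand before touching anything: a handful of setuid binaries (passwd, su, sudo) are supposed to be there.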
Audit directories and files with lsattr, and change with chattr.
Set tight file permissions on system files:
/var/log (all log files) – 640
/var/log/messages (system messages) – 644
/etc/crontab (system crontab file) – 600
/etc/syslog.conf (syslog daemon config file) – 640
/var/log/wtmp (log of currently logged-in users) – 660
/var/log/lastlog (log of previously logged-in users) – 640
/etc/passwd (user accounts) – 644
/etc/shadow (shadow password file) – 600
/etc/lilo.conf (LILO config file) – 600
/etc/ssh (ssh config file) – 600
Modify /etc/profile to assign masks of 066 to root and 022 to users.
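A table of target modes is only useful if something compares it against the system regularly, and the umask numbers are easier to trust once you have seen what they produce. The script below is an added example, not part of the original checklist: `check_modes` reads a "path mode" table and reports any file whose actual mode has drifted, and `mode_under_umask` shows the mode a new file gets under a given umask (the 066 and 022 values come from the checklist). It runs against a constructed staging tree under a temp directory, not the live /etc, so the `ROOT` prefix and the sample table are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original checklist): compare actual file modes
# against an expected table, and show the effect of the umask values above.
# Usage: check_modes TABLE ROOT
#   TABLE lines are "path expected_octal"; ROOT is prepended to each path so
#   the check can run against a staging copy instead of the live /etc.
# Prints "DRIFT path expected actual" or "MISSING path"; returns 1 if any.
check_modes() {
    table="$1"; root="$2"; rc=0
    while read -r path want; do
        case "$path" in ''|'#'*) continue ;; esac    # skip blanks and comments
        full="$root$path"
        if [ ! -e "$full" ]; then
            echo "MISSING $full"; rc=1; continue
        fi
        have=$(stat -c %a "$full")                    # actual octal mode
        if [ "$have" != "$want" ]; then
            echo "DRIFT $full $want $have"; rc=1
        fi
    done < "$table"
    return $rc
}

# mode_under_umask MASK: create a file under the given umask in a subshell and
# print the resulting octal mode (0666 with the mask bits cleared).
mode_under_umask() {
    d=$(mktemp -d)
    ( umask "$1"; : > "$d/f" )
    stat -c %a "$d/f"
    rm -rf "$d"
}

# Constructed staging tree mirroring part of the checklist's table; one file
# is deliberately too open and one is absent. Prints the root directory.
make_sample_system() {
    r=$(mktemp -d)
    mkdir -p "$r/etc" "$r/var/log"
    : > "$r/etc/crontab";      chmod 600 "$r/etc/crontab"
    : > "$r/etc/shadow";       chmod 600 "$r/etc/shadow"
    : > "$r/etc/passwd";       chmod 644 "$r/etc/passwd"
    : > "$r/etc/syslog.conf";  chmod 644 "$r/etc/syslog.conf"    # should be 640
    : > "$r/var/log/messages"; chmod 644 "$r/var/log/messages"
    cat > "$r/modes.tbl" <<'EOF'
# path              mode   (expected values from the checklist)
/etc/crontab        600
/etc/shadow         600
/etc/passwd         644
/etc/syslog.conf    640
/var/log/messages   644
/var/log/wtmp       660
EOF
    echo "$r"
}

# Stand-alone run: report drift in the staging tree, then show the umasks.
if [ "${1:-}" = "demo" ]; then
    r=$(make_sample_system)
    check_modes "$r/modes.tbl" "$r" || echo "(mode drift found)"
    echo "umask 022 gives $(mode_under_umask 022); umask 066 gives $(mode_under_umask 066)"
    rm -rf "$r"
fi
```

Against the real system you would call `check_modes /path/to/modes.tbl ""` from a cron job and mail the output; an empty report means every listed file still has the mode you set.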
Restrict access to logs:
chmod 640 /var/log/*log
One text suggests making log files append-only:
chattr +a /var/log/*.log
This could be tricky, since a) log files get rotated, and b) new log files get created, and will need to have this applied. See /etc/logrotate.d/syslog.
Use Swatch to monitor log files
See “Using Swatch to monitor logfiles” at http://linsec.ca/accounting/swatch.php.
1. Build your own! Eliminate the unnecessary.
2. Y to CONFIG_SYN_COOKIES (see http://www.faqs.org/docs/securing/chap10sec99.html)
3. N to CONFIG_IP_ROUTER
University of Arkansas at Little Rock, http://netsecurity.ualr.edu/Tips/UNIX-1.htm
System Monitoring: U.K. Computing for Particle Physics, http://www.gridpp.ac.uk/deployment/security/guidelines/
Tips to Secure Linux Workstation, http://aymanh.com/tips-to-secure-linux-workstation
HOWTO Protect SSHD with Swatch, http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_Swatch