Security

Basic physical security

Keep your server closet locked.

Remove floppy and CD devices.

Prevent booting from USB by configuring BIOS.

Set a BIOS password.

Set a boot loader password in LILO or GRUB. (See http://www.scrye.com/~kevin/lsh/x184.html for details.)

Don’t walk away from the computer while you’re logged in. Or, lock your screen. In Red Hat/Fedora:

Red Hat button > Lock Screen

In SUSE:

Desktop menu > Lock Screen

Even better, if you run a command that needs to continue executing after you log out, run it with nohup:

nohup myscript.sh &

Make sure your system clock is correct. Using an internet time service is a good idea for this. Funny timestamps are surely a sign of trouble.

 

root user security

Don’t log in as root; instead, use:

su –

You can run a single command as root using:

su -c ‘pwconv’ root

If you are listed in /etc/sudoers, you can use sudo:

sudo ‘pwconv’

More on sudo.

 

Make sure your root prompt is different from other users’, so you can tell you’re working as root.

Make sure that all directories in root’s $PATH are writable ONLY by root.

Create specialized accounts for limited root-like functions, for instance, a shutdown account and group.

 

All users’ security

Edit /etc/fstab to disallow suid in /home . You’ll use a line similar to:

/dev/hda2 /home ext2 defaults,nosuid,nodev 0 2

Set up user accounts so they’re disabled as soon as the password expires:

usermod -f 0 username

 

Disable root access to users who mount NFS exports (see /etc/exports); do not use the no_root_squash option.

 

Don’t create file resources that are world-writable. Instead, create a group for the resource, set permissions on the group, then add users as necessary.

 

Eliminate Unneeded Default User Accounts

Some OSs, such as AIX, come with a range of default accounts: guest, nobody, anonymous, etc. Do you need anonymous for your FTP site? (No, if you’re not running anon FTP!)

 

Network Attacks

Buffer overruns

 

nmap

nmap -sT <servername>

Displays the services running on <servername>.

See man nmap.

cat your access files:

/etc/hosts.allow

/etc/hosts.deny

 

Protecting services

Implement TCP Wrappers as necessary:

Red Hat/Fedora: http://www.ms.washington.edu/Docs/Linux/rhel-rg-en-3/ch-tcpwrappers.html

SUSE: See Installing a Secure Server with SUSE® Linux Enterprise Server 9 and Novell® AppArmor, search for TCP Wrappers.

 

Audit: what user is running each service? What directories and files does that user own?

Apache (httpd)

ls -l /var/www/html

useradd webmast

passwd webmast

chown webmast:webmast /var/www/html/*

Review your services:

/etc/services

 

Disable Services

1. Audit for unnecessary services using the Services applet.

2. Check /etc/inetd.conf in older versions of Linux.

3. DISABLE: UUCP, PPP, NNTP, Gopher, rsh, rcopy

4. If you don’t know what a service does, disable it. Use the netstat command to make sure it’s off. Does everything you need still work?

 

Intrusion detection

Many applications that authenticate users do so via Pluggable Authentication Modules (PAM). PAM logs to /var/log/wtmp in a binary format. To read it:

who /var/log/wtmp

This will tell you who’s been logging in.

 

Consider installing an IDS on critical systems.

See http://www.tripwire.com/ and http://www.die.net/doc/linux/man/man8/snort.8.html.

 

File and directory protection

Find all files that are world-writable.

Command:

find / -perm -2 ! -type l -ls

Note that files in /proc and /tmp may have to be world-writable.

You can run:

find /home -perm -2 ! -type l -ls | awk ‘{print $11}’ | xargs chmod 644

to crush world-writable permissions in users’ home folders. This is good when people have written web scripts with world-writable html page targets. (Don’t ask me how I know this.)

 

Find any files with no owner or group; these are evidence of intrusion.

Command:

find / -nouser -o -nogroup

Audit any programs that use setuid or setgid. Do they really need this?

Command:

find / -type f -perm +6000 -ls

If they can and should be changed, command:

chmod -s filename

 

Audit directories and files with lsattr, and change with chattr.

 

Set tight file permissions on system files:

/var/log (all log files) – 640

/var/log/messages (system messages) – 644

/etc/crontab (system crontab file) – 600

/etc/syslog.conf (syslog daemon config file) – 640

/var/log/wtmp (log of currently logged-in users) – 660

/var/log/lastlog (log of previously logged-in users) – 640

/etc/passwd (user accounts) – 644

/etc/shadow (shadow password file) – 600

/etc/lilo.cong(LiLo config file) – 600

/etc/ssh (ssh config file) – 600

 

Modify /etc/profile to assign masks of 066 to root and 022 to users.

 

Restrict access to logs:

chmod 640 /var/log/*log

 

One text suggests making log files append-only:

chattr +a /var/log/*.log

This could be tricky, since a) log files get rotated, and b) new log files get created, and will need to have this applied. See /etc/logrotate.d/syslog.

 

Use Swatch to monitor log files

See “Using Swatch to monitor logfiles” at http://linsec.ca/accounting/swatch.php.

 

Kernel Protection

1. Build your own! Eliminate the unnecessary.

2. Y to CONFIG_SYN_COOKIES (see http://www.faqs.org/docs/securing/chap10sec99.html)

3. N to CONFIG_IP_ROUTER

 

University of Arkansas at Little Rock, http://netsecurity.ualr.edu/Tips/UNIX-1.htm

System Monitoring: U.K. Computing for Particle Physics, http://www.gridpp.ac.uk/deployment/security/guidelines/

Tips to Secure Linux Workstation, http://aymanh.com/tips-to-secure-linux-workstation

HOWTO Protect SSHD with Swatch, http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_Swatch