Cleaning Up Your Server

Check your disk space

Use the du and df commands to check your space.

Use du -s to get info only on directories.

Use the file utility to find out what types of files you’re looking at:

file filename


Clean up temporary space

Check /tmp and /var/tmp for files with old access times.

Subdirectories can be old; check their creation/modification times. Many, like /var/tmp/packagename, were used during installations, and can be deleted.


Clean up spool files

Check /var/spool.

Mail is likely valid to keep, regardless of age.

Most programs clean up after themselves, but you should still check! See the cups and samba directories.


Clean up log files

Check /var/log. Very old files may indicate misconfigured log rotation or failing cron jobs, among other issues.


Check how many kernel versions you have in /boot

This partition is usually quite small. You CAN fill it up!


Get rid of old package files

Have you downloaded .rpm or .deb files? Chances are you don’t need them. Frankly, if you do a reinstallation, you probably want to update to the latest version anyway.


Get rid of old build files

Be aware of where you’re building when you install. If you’re installing as root, you likely have expanded tarballs or build directories under /root.


Uninstall stuff!

Fire up YaST, APT, Yumex or whatever package manager your system uses, and take a hard look at what’s installed.

Security

Basic physical security

Keep your server closet locked.

Remove floppy and CD devices.

Prevent booting from USB by configuring BIOS.

Set a BIOS password.

Set a boot loader password in LILO or GRUB. (See http://www.scrye.com/~kevin/lsh/x184.html for details.)

Don’t walk away from the computer while you’re logged in. Or, lock your screen. In Red Hat/Fedora:

Red Hat button > Lock Screen

In SUSE:

Desktop menu > Lock Screen

Better still, if a command needs to keep running after you log out, start it with nohup so you can log out instead of leaving a session open:

nohup myscript.sh &

Make sure your system clock is correct. Using an internet time service is a good idea for this. Funny timestamps are surely a sign of trouble.


root user security

Don’t log in as root; instead, use:

su -

You can run a single command as root using:

su -c 'pwconv' root

If you are listed in /etc/sudoers, you can use sudo:

sudo pwconv

More on sudo.


Make sure your root prompt is different from other users’, so you can tell you’re working as root.

Make sure that all directories in root’s $PATH are writable ONLY by root.

Create specialized accounts for limited root-like functions, for instance, a shutdown account and group.


All users’ security

Edit /etc/fstab to disallow suid in /home. You’ll use a line similar to:

/dev/hda2 /home ext2 defaults,nosuid,nodev 0 2

Set up user accounts so they’re disabled as soon as the password expires:

usermod -f 0 username


Disable root access to users who mount NFS exports (see /etc/exports); do not use the no_root_squash option.


Don’t create file resources that are world-writable. Instead, create a group for the resource, set permissions on the group, then add users as necessary.


Eliminate Unneeded Default User Accounts

Some OSs, such as AIX, come with a range of default accounts: guest, nobody, anonymous, etc. Do you need anonymous for your FTP site? (No, if you’re not running anon FTP!)


Network Attacks

Buffer overruns


nmap

nmap -sT <servername>

Displays the services running on <servername>.

See man nmap.

cat your access files:

/etc/hosts.allow

/etc/hosts.deny


Protecting services

Implement TCP Wrappers as necessary:

Red Hat/Fedora: http://www.ms.washington.edu/Docs/Linux/rhel-rg-en-3/ch-tcpwrappers.html

SUSE: See Installing a Secure Server with SUSE® Linux Enterprise Server 9 and Novell® AppArmor, search for TCP Wrappers.


Audit: what user is running each service? What directories and files does that user own?

Apache (httpd)

ls -l /var/www/html

useradd webmast

passwd webmast

chown webmast:webmast /var/www/html/*

Review your services:

/etc/services


Disable Services

1. Audit for unnecessary services using the Services applet.

2. Check /etc/inetd.conf in older versions of Linux.

3. DISABLE: UUCP, PPP, NNTP, Gopher, rsh, rcopy

4. If you don’t know what a service does, disable it. Use the netstat command to make sure it’s off. Does everything you need still work?


Intrusion detection

Many applications that authenticate users do so via Pluggable Authentication Modules (PAM). PAM logs to /var/log/wtmp in a binary format. To read it:

who /var/log/wtmp

This will tell you who’s been logging in.


Consider installing an IDS on critical systems.

See http://www.tripwire.com/ and http://www.die.net/doc/linux/man/man8/snort.8.html.


File and directory protection

Find all files that are world-writable.

Command:

find / -perm -2 ! -type l -ls

Note that files in /proc and /tmp may have to be world-writable.

You can run:

find /home -perm -2 ! -type l -exec chmod o-w {} +

to strip the world-write bit from everything in users’ home folders. (chmod o-w removes only that bit, so directories keep their execute bits and files keep the rest of their mode; the -exec form also copes with file names containing spaces, which a find -ls | awk | xargs pipeline does not.) This is good when people have written web scripts with world-writable html page targets. (Don’t ask me how I know this.)


Find any files with no owner or group; these are evidence of intrusion.

Command:

find / -nouser -o -nogroup

Audit any programs that use setuid or setgid. Do they really need this?

Command (older releases of GNU find spelled this mode test -perm +6000; current releases require the / form):

find / -type f -perm /6000 -ls

If they can and should be changed, command:

chmod -s filename


Audit directories and files with lsattr, and change with chattr.


Set tight file permissions on system files:

/var/log (all log files) – 640

/var/log/messages (system messages) – 644

/etc/crontab (system crontab file) – 600

/etc/syslog.conf (syslog daemon config file) – 640

/var/log/wtmp (log of currently logged-in users) – 660

/var/log/lastlog (log of previously logged-in users) – 640

/etc/passwd (user accounts) – 644

/etc/shadow (shadow password file) – 600

/etc/lilo.conf (LILO config file) – 600

/etc/ssh (ssh config file) – 600
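As an added example (not part of the original notes), a POSIX sh audit that compares the regular files in the table above with their target modes, reporting any permission bit the target does not grant rather than demanding an exact match. It assumes GNU stat, and the directory entries (/var/log, /etc/ssh) are left out because directories need their execute bits.

```shell
#!/bin/sh
# Added example, not from the original notes: audit file modes against the target
# modes listed in the table. A file is compliant when it has no bit the target lacks
# (so 600 passes a 640 target). Uses GNU stat -c '%a'; on BSD/macOS use stat -f '%OLp'.

# mode_of FILE -> octal permission bits, non-zero status when the path is absent/unreadable
mode_of() {
    [ -e "$1" ] && stat -c '%a' "$1"
}

# excess_bits HAVE WANT -> octal of the bits set in HAVE but not in WANT ("0" when compliant)
excess_bits() {
    printf '%o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# check_mode FILE WANT -> one report line; returns 0 OK, 1 too permissive, 2 missing
check_mode() {
    file=$1 want=$2
    have=$(mode_of "$file") || { printf 'MISSING  %s\n' "$file"; return 2; }
    extra=$(excess_bits "$have" "$want")
    if [ "$extra" = 0 ]; then
        printf 'OK       %-22s %s\n' "$file" "$have"
        return 0
    fi
    printf 'TOO OPEN %-22s %s (target %s, extra bits %s)\n' "$file" "$have" "$want" "$extra"
    return 1
}

# audit_system -> checks the regular files from the table; returns the number of findings
audit_system() {
    n=0
    while read -r path want; do
        check_mode "$path" "$want" || [ $? -eq 2 ] || n=$((n + 1))
    done <<'EOF'
/var/log/messages 644
/etc/crontab 600
/etc/syslog.conf 640
/var/log/wtmp 660
/var/log/lastlog 640
/etc/passwd 644
/etc/shadow 600
/etc/lilo.conf 600
EOF
    return "$n"
}

audit_system
echo "findings: $?"
```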


Modify /etc/profile to set a umask of 066 for root and 022 for other users.


Restrict access to logs:

chmod 640 /var/log/*log


One text suggests making log files append-only:

chattr +a /var/log/*.log

This could be tricky, since a) log files get rotated, and b) new log files get created, and will need to have this applied. See /etc/logrotate.d/syslog.


Use Swatch to monitor log files

See “Using Swatch to monitor logfiles” at http://linsec.ca/accounting/swatch.php.


Kernel Protection

1. Build your own! Eliminate the unnecessary.

2. Y to CONFIG_SYN_COOKIES (see http://www.faqs.org/docs/securing/chap10sec99.html)

3. N to CONFIG_IP_ROUTER


University of Arkansas at Little Rock, http://netsecurity.ualr.edu/Tips/UNIX-1.htm

System Monitoring: U.K. Computing for Particle Physics, http://www.gridpp.ac.uk/deployment/security/guidelines/

Tips to Secure Linux Workstation, http://aymanh.com/tips-to-secure-linux-workstation

HOWTO Protect SSHD with Swatch, http://gentoo-wiki.com/HOWTO_Protect_SSHD_with_Swatch

Webmin

Go to http://www.webmin.com/ and take a look at this management product (and its user interface). Then go to http://www.webmin.com/download.html and download the RPM.

Get the GPG key and install it. (See this page for a how-to.)

Also see the Swell Technology user’s guide, The Book of Webmin, for installation and setup instructions. You’ll want this book/website as a reference, so keep the link handy.

Install the RPM.


The next thing you’ll need to do is to go to the new Webmin directory (how can you determine where this is?) and set up the root password:

./changepass.pl /etc/webmin root newpassword

(See http://www.swelltech.com/support/webminguide-1.0/ch01.html#rpminstall.)


Now direct your web browser to http://localhost:10000.


Go to http://www.swelltech.com/support/webminguide/. We will review the sections:

IP Access Control: http://www.swelltech.com/support/webminguide/ch03.html#wmipaccess

Webmin Servers: http://www.swelltech.com/support/webminguide/ch03.html#wmservers

Webmin Users: http://www.swelltech.com/support/webminguide/ch03.html#wmusers

Securing Webmin: http://www.swelltech.com/support/webminguide/ch03.html#wmsecuring

Server and Daemon Configuration: http://www.swelltech.com/support/webminguide/ch06.html


Printing : Sharing Printers

You’ll be glad this part is so easy.

  • Use the same printtool as always, and select an existing printer.
  • Pull down the Action menu, and select Sharing.
  • Click the Queue tab.
  • Check the box beside “This queue is available to other computers.”
  • “All Hosts” will appear in the Allowed box.
  • If you want to restrict hosts, click Remove, then Add.
  • You can then allow anyone on your subnet to print by selecting the local network interface on your server, specify a CIDR range of IP addresses, or specify a single IP address.

You may also need to open your firewall to allow UDP and TCP traffic on port 513.

Older applications may need you to enable LPD printing. Command:
chkconfig cups-lpd on
then
service xinetd restart

And be sure you’ve specified your server’s and clients’ names correctly, and that they can be resolved.

For Samba printers, you’ll configure smb.conf (discussed elsewhere).

Printing : Command-line Tools

If you’re an old UNIX hand and like to use command-line tools to run print jobs, you still have them available from CUPS.


lpr

You can print to your default printer with a command like:

lpr document.txt

If you haven’t set a default printer or want to change it, add a line to your .bashrc profile file like this:

export PRINTER=djet850

And if you want to override that default for a single print job, use this kind of command:

lpr -P djet600 document.txt


lpc

List the status of your printers with:

lpc status


lprm

Remove (kill) print jobs with an lprm command:

lprm -P djet850   # Kills jobs on this printer
or
lprm -            # Kills all your print jobs
or
lprm glenn        # Kills all of glenn's print jobs; you have to be root to do this
or
lprm 166          # Kills job 166; find this number by issuing the lpq command.

Printing : Administration

You’ve already seen the printtool and YaST administration interfaces. You can use them for most or all of your configuration needs.

Sometimes, however, a lightweight monitoring and control interface is the way to go. CUPS provides a web-based administrative tool, which makes sense, since CUPS is itself web-based. CUPS runs a small web server that answers requests on port 631, which you can reach at the URL:

http://localhost:631/admin

You’ll be asked for a user name and password; root’s is usable to start. Initially web admin access is limited to the localhost, which is a sensible precaution. However, most print (and other) servers are on a protected subnet, and you as the network administrator may be at any machine on this subnet when you need to check on CUPS.

To allow remote administration (with the usual cautions), edit the /admin Location block in /etc/cups/cupsd.conf:

<Location /admin>
AuthType Basic
AuthClass System
Order deny,allow
Deny from All
Allow from 127.0.0.1
Allow from 192.168.2.*
</Location>

Using the wildcard in the second Allow line I added lets me administer the CUPS server from any workstation on the subnet. This all by itself won’t do the job, though. Look for the Listen line:

Listen 127.0.0.1:631

and alter it to

Listen *:631

Now you can use the CUPS web admin interface from any host on your subnet. (In Red Hat, take a look at the discussion in Chapter 17 of the Red Hat Linux Bible about allowing BrowseRelay, if you need to span subnets.) And don’t forget that these changes, like all changes to services, won’t take effect until you restart the service.
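An added check (not from the original notes) that reads the two directives just discussed from cupsd.conf: it reports the Listen addresses and the /admin Allow list, and fails only when the daemon listens beyond loopback while /admin also admits hosts other than 127.0.0.1, since either layer alone keeps the interface local. The path /etc/cups/cupsd.conf is the one used on this page; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original notes. Reports how far the CUPS /admin
# interface is reachable: Listen decides which interfaces cupsd binds, and the
# /admin Location block decides which clients may use it.
# Returns 0 when /admin is effectively local-only, 1 when both layers admit remote hosts.
cups_admin_exposure() {
    awk '
        # Listen on loopback or a Unix socket (a path starting with /) is local; anything else is wide
        tolower($1) == "listen" {
            listen = listen " " $2
            if ($2 !~ /^(127\.0\.0\.1|localhost|\/)/) wide = 1
        }
        tolower($1) == "<location"  { loc = tolower($2); sub(/>$/, "", loc) }
        tolower($1) == "</location>" { loc = "" }
        # "Allow from X" and the newer "Allow X" both carry the host pattern in the last field
        loc == "/admin" && tolower($1) == "allow" {
            allows = allows " " $NF
            if ($NF != "127.0.0.1" && tolower($NF) != "localhost") remote = 1
        }
        END {
            printf "Listen:%s\n", listen
            printf "/admin Allow:%s\n", allows
            if (wide && remote) { print "FINDING: /admin reachable from non-local hosts"; exit 1 }
            print "OK: /admin is local-only"
            exit 0
        }
    ' "$1"
}

cfg=${1:-/etc/cups/cupsd.conf}
if [ -r "$cfg" ]; then cups_admin_exposure "$cfg"; fi
```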

From the web interface, you can now:

  • List print jobs
  • View printers
  • Stop a printer (which does not stop its queue from accepting pending jobs)
  • Reject jobs (which does stop the queue)

Printing : Remote Setup

Remote Printer Setup Using Red Hat’s printtool/printconf-gui

Remote setup of printers under Linux CUPS is similar to local printer setup. Depending on the remote printer type, you’ll need various pieces of information for this setup, and there are various precautions to take.

Run the printtool application as usual. When you get to the queue type screen, you’ll have these choices:

For a remote CUPS printer, for instance, you’ll have to specify a server by name (which must be resolvable through DNS, NIS or a hosts file) or by IP address, and a “path,” which is really the name of the printer on the remote server. One interesting option here is that the remote CUPS printer may have several instances, with, for instance, different resolutions: 300 dpi, 1200 dpi, etc.

For a UNIX printer, you’ll specify a server (by resolvable name or IP address) and queue (again, the printer name). An additional consideration is that the remote host’s administrator may need to grant your host access to that printer; he or she will add your host name to the /etc/lpd.perms file (or may not, if you shouldn’t have permission).

For an SMB printer, life is made easier by the fact that SMB objects are advertised via the lmannounce or lisa services, so you get a list of available printers immediately. Don’t despair if the one you want doesn’t appear, because the whole LAN Manager mechanism can be a little creaky; just know the host name and share name. (You may also have entries in your /etc/hosts or /etc/lmhosts files that provide resolution.) Click the Specify button and fill in these names. You’ll need to know the workgroup, server, and share name, and have a Samba user name and user password. Remember that under SMB your user name and password may be synchronized with your Linux username and password (which is good), and that this username and password will be stored unencrypted in the /etc/cups/printers.conf file. This file must be readable only by root!

For a Novell printer, you’ll need the server name, queue name, user name and password.

Once you’ve set up one of these, you’ll see a printer entry in your local /etc/cups/printers.conf file:

<Printer djet850>
DeviceURI smb://username:password@Workgroup/SMBhostserver/printername
Location …
State …
</Printer>

If this looks similar to Apache configuration files you’ve seen, you’re sharp. The syntax is very similar.

The /etc/cups/cupsd.conf file specifies whom you’ll allow to print to this printer:

<Location /printers/djet850>
Order deny,allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.2.22
Allow From 132.62.20.15
AuthType None
</Location>

Printing : GUI Configuration

Local Printer Setup Using Red Hat’s printtool/printconf-gui

You can set up CUPS printing (using the cupsd daemon) manually, but CUPS is inherently an http-based system. That’s not to say you normally set it up with a web browser, but rather that you set it up using utilities with an underlying TCP/IP functionality.

In Red Hat/Fedora, start by running one of these commands (you may need to become root first with su - ):

printtool
or
printconf-gui
or
system-config-printer

or
from the System Settings menu, choose Printing.

(You should note that all of these are simply shortcuts to the consolehelper app.)


You’ll start this application:

This printer configuration wizard can be used to add local or remote printers, or to edit and modify the characteristics of existing printers once you’ve set them up. Click New to start the process of adding a printer.

Choose a useful printer name and description, then click Forward.

From the drop-list at the top you can choose local or network printers of several types. Among these are CUPS printers, Networked CUPS (IPP, for IP Printing) printers, LPD, Windows SMB printers, Novell NCP printers, and JetDirect printers. Each choice gives you very different screens from this point forward.

But let’s stick with a local printer for this example. The default first local printer will be /dev/lp0. Select that printer in the window and click Forward.

If you click the grey Generic bar at the top, you’ll get a list of manufacturers. Choose one of these, or better, scroll down the list in the white window and choose Postscript Printer, which is the ideal printer for quality Linux/UNIX printing.

After you’ve made that choice, you’ll see a screen that varies depending on that choice. Often you can find your exact printer on the list, as well as a range of choices for setting resolution and other options.

Work your way through the options available, and you’ll arrive at the final screen. The printtool will take care of adding configuration files and queues, which is a great labor-saver.

Printing : CUPS

The Common Unix Printing System: CUPS

All examples assume a printer named “printer1”.


Printing under CUPS: the lp command

lp myfile.txt

Specify a destination printer:

lp -d printer1 myfile.txt

Modify a print job:

lp -i <job_ID>

Print multiple copies:

lp -n 3 myfile.txt
#Prints 3 copies

Mail you a confirmation:

lp -m myfile.txt

Print landscape:

lp -o landscape myfile.txt

Print two-sided:

lp -o sides=two-sided-short-edge myfile.txt
or
lp -o sides=two-sided-long-edge myfile.txt

Set a print priority (the scale is 1-100, low to high; 50 is default):

lp -q 75 myfile.txt

Print standard output:

(date;who) | lp -d printer1


Setting Options

Specify a default printer for all users:

lpoptions -d printer1
#This will place information in /etc/cups/lpoptions.

Each user can set their own default printer by creating a .lpoptions file in their home directory, containing the line:

default printer1

Or add a line to their local profile (.profile or .bash_profile) file:

PRINTER=printer1
or
LPDEST=printer1


Viewing Printer Status

List all printers and their status:

lpstat -t #-t for "total"

Simply list all printers:

lpstat -a

Display default printer:

lpstat -d

Display jobs for one printer only:

lpstat -o printer1

Display enabled printers:

lpstat -p

Check that cupsd is running:

lpstat -r


Changing Printer Status

accept printer1
#This modifies the print spooler:
#”accept” means allowing print jobs
#to be sent to the spooler (not the printer).

reject printer1
#Stops the spooler from accepting
#print jobs.

/usr/bin/enable printer1
#This modifies the physical printer:
#”enable” means the printer should
#take printer jobs from the spooler.

disable printer1
#Stops the printer from receiving
#print jobs from the spooler.

About the enable command:

You must specify the full path to this command:

/usr/bin/enable

because the BASH shell also has an enable command.

disable -r "Adding paper" printer1
#-r lets you supply a reason to users

reject -r "Server shutting down" printer1
#lets you supply a reason for spooler shutdown


Cancelling Print Jobs

Cancel all print jobs:

cancel -a

Cancel print jobs by job number:

cancel printer1-1

Cancel all of a user’s print jobs:

cancel -u <username>


Controlling Access to Printers

Allow only authorized users to print to printer1 (-p names the printer to change; -d would instead make it the default destination. Listing allowed users, with no spaces in the list, implicitly denies everyone else):

lpadmin -p printer1 -u allow:root,glenn


The CUPS Print Spool

/var/spool/cups

The CUPS Daemon Configuration File

/etc/cups/cupsd.conf

The CUPS Printer Configuration File

/etc/cups/printers.conf