SECURING YOUR
NEW LINUX BOX
You've finally done it, you have
thumbed your nose at the monopoly
which is Microsoft, you have installed linux. Well done! Glory in that
newfound feeling of freedom! Unfortunately I have to interject with
some harsh realities though, you still have work to do. Even with
linux, you have to go that little bit further to make it more secure.
But fear not, it is not difficult, in fact here is a general list to
work through, just remember - "That which is not explicitly permitted
is
expressly forbidden"..
- Patch
and Upgrade
You must always make sure that you are using the most secure
versions of the kernel and software on your machine. Be aware that the
main benefit of open source is that any program has many people
checking it out. If something wrong is found then -more often than not-
a patch or new version is released to fix the problem. Make sure the
software you are running has no problems, you may even consider running
a vulnerability scanner against your machine to double check it.
- Remove
Unnecessary User Accounts
There could well be users and groups which are installed by default,
and many of these are never used. These unused accounts or very often
used by attackers. Disable them first to see if you
need them, that way if critical software stops working you can enable
them again. However if your machine functions fine without them, then
remove them totally. If you have multiple users on your machine the
same rule applies, you must make sure there are no old accounts active.
If you see a user account you are'nt sure of if it is used or not, try "find / -user <user_name> -print",
this will give you list of all files owned by the specified user. If
the files are minimal and/or very old, the chances are that it is safe
to delete the user.
- Change
Banners
Most versions of server software show a system banner when a client
connects. These banners very often give away important details which
can be useful to attackers. Make sure that you do not allow these
banners to display. If you feel very sneaky you could even change the
banners to give false information, you know, just to throw a bit of a
false scent.
- Increase
Logging
Make sure that all logging activity is recorded, and that it is of a
detail which you find useful. Also think about using an automatic log
filtering program to help you track and read the logs. Another handy
trick is to configure logging to another system, this allows for both
safer logs and centralized viewing of the logs. Remember logs are the
history of your machine, keep them safe.
- Disable
CTL+ALT+DEL
Many linux systems recognize this "three finger salute" as a shutdown
command. This is very bad as anyone who has physical access to the
server can reboot it without knowing any passwords. Change this in the
runlevel file (normally /etc/inittab). This does not take the need for
physical security, it just removes another way the system could be
attacked, or even accidentally shutdown.
- Remove
Unneeded Applications
Your system should only have
the software on it that it needs to perform its business functions.
Leaving other software running or even on the server can often leave
more ways an attacker can compromise your system, but if nothing else,
it gives them more files to hide amongst. Be especially cautious of
compilers and network diagnostic tools. Use your package management
system to remove unneeded software as a first step, and then start
weeding it out manually. If in doubt man pages, package information and
even the web can tell you what a certain app or file is used for.
- Disable
Unused Services
Many default installs have some default network services running. Turn
off all the ones you do not need (xinetd, inetd, rc runlevels, etc).
Doing this not only reduces the possible entry points an attacker
can use, but also reduces the system administration overhead as you
can concentrate on monitoring only the needed services. You can run a
port scanner against your machine to check for running services.
Checking for unused services is also not something you do once but
periodically to ensure your system is secure.
- Enable
IPTABLES
Even if you are running a simple server you can and should enable and
configure IPTables, the inbuilt linux firewall. Even if the machine
does sit behind a normal firewall, having a firewall running on your
host helps enforce proper network usage. This is an implementation of
the "defense in Depth" principle, where you make an attacker fight for
every bit of access he wants.
- Use Sudo
Full and blanket usage of the
root account for day to day working with your server is a bad thing,
especially if you have multiple people working on the server, each
undertaking some administrative functions. It is much better to rather
create sudo entries for each task the various administrators need to
perform so that there is less risk of major disasters when something
goes wrong. It also increases the accountability each administrator
will
have for their actions on the server.
- Use
CHROOT
Using CHROOT restricts a given service or user to an isolated area of
the system, which means that even if the service is compromised then
the damage is limited to just the isolated area rather then
compromising the entire server. This is useful because while some
servers are inherently insecure you will be forced to run them
(business requirements, because the customer says so, etc), this
measure can limit the damage any compromise can do.
- Check
Files
Install some type of measure which can monitor important files and
notify you of any changes which may occur to these files. Doing so will
help you keep track of what is happening on your machine, and also what
files you can and cannot trust. These logs are also useful in helping
rebuilt the system, as if you have some idea of the extent of the
attack you will better be able to choose to rebuild or reinstall.
- Limit
Suid File Usage
Leaving files lying around your
system that have the superuser privilege bit set, can be an easy way in
for an attacker. Take a bit of time to identify these files, and if
they do not need to suid bit set then remove it. Another option you
have is to set the suid bit to run as a user with lesser privileges as
this will also lessen the damage exploiting this files can cause.
- Install
An IDS
Install an Intrusion Detection System to help you monitor what is
happening to your box, and to help you track and monitor any unwanted
or suspicious network traffic so you can decide if you should take
further action or not. Remember the more you know about what happens to
your machine, the better you can protect it.
Well I hope that helps, but bear in
mind this is a general list. There are times when you might not be able
to implement some of these or when you may need to implement more
stringent measures, but whatever the circumstances this list should be
a good start towards a secure linux machine.