----------------
Overview
----------------
The following is designed to give you a good start on securing your Linux system. There seems to be a widespread belief among some users on the internet that installing a Linux distribution on your box will automatically make your system secure; of course this is not true. While (in my opinion) Linux out of the box is a lot more secure than your standard Windows operating system, any system that is not properly administered will have problems.
There is also the issue of security vs usability, the more you configure your box towards security, the more problems you may encounter whilst trying to use certain services. Some network administrators may want an almost total lockdown on their system, whereas the average home user just wants some peace of mind. This document is aimed more towards helping the home user on a standalone desktop setup, as network admins worth their salt should already know how to configure Linux security.
-----------------------------
General Security Tips
-----------------------------
Often overlooked as a serious security hardening method are your user and root passwords. It's no good having all the extra security if someone manages to find a vulnerability and your root password is something like "password" or "admin", because the likelihood is that they will guess it straight away (password guessing is automated, and those two are at the top of every wordlist). The same is true for mail passwords, forum passwords and, well, any password you are going to use on a system connected to the internet. I'm not going to go into this too deeply, but make sure your password is at least 8 characters long (longer is better; length does more for you than mixing character classes) with a combination of numbers and upper/lowercase characters, and change it whenever you have reason to think it has been exposed. Note that just shuffling a few characters around does not give you a new password as far as a guessing attack is concerned. Also, never write your password down, and especially don't save it in plain text anywhere on your box / website; it happens all too often that someone stumbles across an imaginatively named passwords.txt.
Another general rule for Linux/Unix systems is to stay logged in as a normal user, and not to use root unless you have to (editing important config files, installing a compiled package etc). In particular, don't start up applications that talk to the internet (an FTP server for example) while logged in as root, because if someone exploits a vulnerability in the service they get the privileges the service was running with, and you run the risk of getting rooted pretty fast. Well-written daemons bind their port and then drop privileges to a dedicated account; check that the ones you run actually do.
You may also want to restrict where root can log in by editing /etc/securetty. This file lists the terminals on which login(1) will accept a root login; comment out everything under the remote shell section, usually the entries beginning with pts or ttyp, and root will only be able to log in on the local consoles. Ordinary users are not affected by this file, and an attacker who gets a user shell can still su if they know the root password, so it is a small win, not a lockdown. Note that sshd does not use /etc/securetty by default; to get the same effect for ssh, set "PermitRootLogin no" in /etc/ssh/sshd_config. If you wish to allow users onto your machine remotely, set up something like ssh, which is a lot more secure than telnet or rlogin.
Keeping your system and the programs you run (especially those that talk to the internet) updated is also very important; to be safe, use only stable versions of programs where possible, and prefer your distribution's packages so that security fixes arrive through its normal update channel. If you hear of a vulnerability in one of your programs and there is no update or patch available, disable the service until a patch is released, or, if you really need it running, roll back to a version the advisory says is not affected (an older version is often worse rather than better, so check the advisory rather than assuming).
--------------------------
Disabling Services
--------------------------
This is one of the most important steps in the security process: if you have a shed load of services that you don't need running on your box 24/7, you are opening yourself up to even the lowest levels of the script kiddie world. Every listening service is code reachable from the network, and any bug in it is a bug an attacker can reach without having to log in first.
Most distributions should give you the option to disable many of the services the average user will not require at installation. Some users seem to see "Services: FTP, HTTP etc" and think that they need to enable these to be able to browse websites and FTP servers, this is not the case. The services described here are only for systems that will host an FTP / HTTP server locally, it doesn't mean you cannot access remote ones. Even if you think you may require these in the future, it is best to disable them until they are needed.
If you have already completed the installation process and are worried because you didn't disable the services then, its not a problem, the beauty of Linux is that everything is configurable, and there is usually more than one way to achieve what you want.
First off, to disable the unwanted services that are running on your system, you will need to identify them. One way of doing this is by using netstat (on newer systems netstat may not be installed at all; "ss -ltnp" from iproute2 shows the same information in a similar layout).
For this example, we will use the command "netstat -pat |grep LISTEN"; I will break this down quickly for you:
The -p argument tells netstat to list the process ID / program name that owns each socket, which makes it easier to see which programs are causing a port to listen. You need to run it as root to see processes that belong to other users; otherwise that column just shows "-".
The -a argument tells netstat to list all sockets, both listening and connected (netstat -l would show only the listening ones, which is why we grep for LISTEN below).
The -t argument tells netstat to show only TCP sockets. Add -u if you also want to see UDP services (they never show LISTEN, so drop the grep when looking at those).
| is known as a "pipe", and "grep LISTEN" tells the terminal to only print the lines containing the word "LISTEN"; this is useful here because it leaves just the listening ports we are trying to track down. Adding -n stops netstat translating port numbers into service names, which is handy when the name it picks out of /etc/services is not obvious.
Ok, now you should have something like this in front of you:
Code:
someone@somewhere $ netstat -pat |grep LISTEN
tcp        0      0 *:4000        *:*           LISTEN      1294/mlnet
tcp        0      0 *:ssh         *:*           LISTEN      989/sshd
tcp        0      0 *:telnet      *:*           LISTEN      972/inetd
tcp        0      0 *:ftp         *:*           LISTEN      972/inetd
tcp        0      0 *:x11         *:*           LISTEN      1383/X
Now, I can't tell you which servers you will and won't need, as needs vary from user to user, and please note that your netstat output may look very different from this one depending on your system configuration.
It may also help you to read through the man pages for netstat (type man netstat in a terminal window), or at least google for some information.
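Reading a long netstat listing by eye gets tedious, so here is a small shell script (an added example, not part of the original tutorial) that pulls the LISTEN lines apart into port, PID, program and whether the socket is bound to every interface, which is the thing that decides whether the rest of the internet can talk to it. The sample it runs on is the listing above plus one constructed line (a cupsd bound only to localhost) to show the difference; it needs nothing beyond POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original tutorial: summarise the LISTEN lines of
# "netstat -pat" as  PORT PID PROGRAM SCOPE  and flag the sockets bound to every
# interface, because those are the ones reachable from the network.

# Constructed sample input: the listing from the text above, plus one made-up
# line (cupsd bound only to localhost) to show a socket that is not exposed.
SAMPLE_NETSTAT='tcp        0      0 *:4000                  *:*                     LISTEN      1294/mlnet
tcp        0      0 *:ssh                   *:*                     LISTEN      989/sshd
tcp        0      0 *:telnet                *:*                     LISTEN      972/inetd
tcp        0      0 *:ftp                   *:*                     LISTEN      972/inetd
tcp        0      0 localhost:ipp           *:*                     LISTEN      1210/cupsd
tcp        0      0 *:x11                   *:*                     LISTEN      1383/X'

# summarise_listeners: netstat lines on stdin -> one line per listening socket:
#   PORT PID PROGRAM SCOPE   (SCOPE is all-interfaces or local-only)
# A bare "-" in the PID/Program column (what non-root users see) becomes "- ?".
summarise_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, addr, ":")                  # "*:ssh" -> addr[n] = "ssh"
        port = addr[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        scope = (host == "*" || host == "0.0.0.0" || host == "::") ? "all-interfaces" : "local-only"
        split($7, proc, "/")                      # "989/sshd" -> pid, program
        pid = proc[1]
        prog = (proc[2] == "") ? "?" : proc[2]
        print port, pid, prog, scope
    }'
}

# exposed_listeners: keep only the sockets reachable from other hosts.
exposed_listeners() {
    summarise_listeners | awk '$4 == "all-interfaces"'
}

# Run on the constructed sample; on a real box use:  netstat -pat | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

Anything reported as local-only (the constructed cupsd line) can be left alone from a network point of view; the all-interfaces entries are the ones the rest of this section is about.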
First off, you can see the top line reads "*:4000" and "LISTEN"; this means my local system is listening on port 4000, and the "*" means it is bound to every interface, so it is reachable from the network rather than just from the machine itself. At the end of the line I am given a process ID (1294) and the name of the process listening on that port (mlnet). Running the command "locate mlnet" gives me the following output:
Code:
/home/life/programs/mldonkey-2-5-12/mlnet
So this one is not a system service at all: mlnet is the MLDonkey peer-to-peer client, started from my home directory, and it goes away when I close the program. It is a good reminder that ordinary user programs open ports too.
OK, the next line reads "*:ssh": this is the Secure Shell service, used for secure (well, more so than rsh, telnet etc) remote logins to your system. It can be a very useful service, but it is also a security risk (it is the one port that gets brute-forced around the clock), so if you don't need it, you should disable it.
To do this, simply note down the process ID shown at the end of the row, in this case 989, and type from a terminal (you will need to su to root first if the process is owned by root, as sshd is; you can only kill your own processes):
Code:
kill 989
However, although this method will terminate unwanted processes and stop them listening, it won't stop them from starting up again next time you reboot your system (and killing inetd this way takes down every service it manages, not just the one you wanted rid of). One way to stop a service running at boot is to remove its package entirely; as with most things, this varies from distro to distro: RedHat, Mandrake, SuSE etc should all have GUI tools available for removing their native packages, Debian has the apt-get and dpkg tools and Slackware has pkgtool. Check out the man pages relevant to your distribution, or have a search around on google if you are unsure.
There are also init services that are started up at boot; on my Slackware system these are started from /etc/rc.d/rc.inet2, but on most distributions the path is slightly different, so try looking around for /etc/init.d or similar (Debian and RedHat use update-rc.d and chkconfig respectively to turn entries on and off, and systemd based distributions use "systemctl disable"). On Slackware the rc.inet2 script only starts a service if that service's own rc script is executable, so "chmod -x /etc/rc.d/rc.sshd" is enough to stop sshd at boot without editing anything.
Another file you will want to take a look at is /etc/inetd.conf, the configuration file for the inetd daemon (many boxes now use xinetd instead, configured through /etc/xinetd.conf and /etc/xinetd.d/, but the same principles apply), which starts some other daemons on demand (as you can see in the netstat output above, where telnet and ftp both belong to inetd). Commenting out a line in this file disables that service. If you make changes to it, you could either reboot your system or, better yet, tell inetd to re-read the file with the following command:
Code:
kill -HUP pid
where pid is the process ID of inetd itself (972 in the netstat output above), not of the services it started. It is also worth making sure the configuration files you edit can't be read or changed by ordinary users; something like the following does the job (for a plain config file 640, or 600 if nobody but root needs to read it, is the more usual choice):
Code:
chmod 750 /etc/whateverfile
NOTE: Before editing these files, make sure you have a backup; if you want to create one quickly, simply do something like:
Code:
cp /etc/rc.d/rc.inet2 /home/rc.inet2backup
For example, on my Slackware system the part of rc.inet2 that starts sshd looks like this:
Code:
#/etc/rc.d/rc.inet2
# Start the OpenSSH SSH daemon:
if [ -x /etc/rc.d/rc.sshd ]; then
  echo "Starting OpenSSH SSH daemon: /usr/sbin/sshd"
  /etc/rc.d/rc.sshd start
fi
To stop sshd being started at boot, comment the whole block out:
Code:
# Start the OpenSSH SSH daemon:
#if [ -x /etc/rc.d/rc.sshd ]; then
#  echo "Starting OpenSSH SSH daemon: /usr/sbin/sshd"
#  /etc/rc.d/rc.sshd start
#fi
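The telnet and ftp entries in the netstat listing belong to inetd, so for those the fix is the inetd.conf edit plus the HUP described above rather than a kill. Here is that procedure as a script (an added example, not part of the original tutorial): it comments out a service by name, keeps a backup first, and has a helper to signal inetd. The lookup of inetd's PID with pidof is an assumption about the host, and the demonstration runs on a constructed copy of inetd.conf, never the real file.

```shell
#!/bin/sh
# Added example, not from the original tutorial: disable a service that inetd
# starts on demand by commenting out its line in inetd.conf (with a backup),
# then make inetd re-read the file. inetd.conf lines have the form
#   <service> <socket type> <proto> <wait|nowait> <user> <server> <args...>
# and the first field is the name netstat shows, e.g. "telnet" or "ftp".

# disable_inetd_service FILE SERVICE
# Comments out every active line whose first field is exactly SERVICE, keeping
# a copy in FILE.bak. Returns 0 if a line was changed, 1 if nothing matched.
disable_inetd_service() {
    conf=$1; svc=$2
    cp "$conf" "$conf.bak" || return 2
    # Match on the whole first field so "ftp" leaves "tftp" and "ftp-data" alone.
    awk -v svc="$svc" '
        $0 !~ /^[[:space:]]*#/ && $1 == svc { print "#" $0; changed = 1; next }
        { print }
        END { exit (changed ? 0 : 1) }
    ' "$conf.bak" > "$conf"
}

# active_inetd_services FILE: print the service names still enabled in FILE.
active_inetd_services() {
    awk '$0 !~ /^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# reload_inetd: SIGHUP inetd so it re-reads inetd.conf (run as root). Looking
# the PID up with pidof is an assumption about the host; the netstat listing
# in the text shows it directly (972/inetd), so "kill -HUP 972" is the same.
reload_inetd() {
    pid=$(pidof inetd) && kill -HUP "$pid"
}

# Demonstration on a constructed copy, never on the real /etc/inetd.conf.
demo_conf=$(mktemp) || exit 1
cat > "$demo_conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
disable_inetd_service "$demo_conf" ftp
disable_inetd_service "$demo_conf" telnet
echo "still enabled:"
active_inetd_services "$demo_conf"     # only tftp remains
rm -f "$demo_conf" "$demo_conf.bak"
# On the real box, follow up with:  reload_inetd
```

The awk match is on the whole first field on purpose: a plain "grep ftp" style edit would also catch tftp and ftp-data, and a service you did not mean to touch silently disappearing is exactly the kind of surprise you want to avoid on a box you are hardening.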
-------------------------------
Securing Services
-------------------------------
If there are certain services that you will need to be running on your box, like the apache webserver for instance, you should do as much as you can to secure them. One small step is to change the banner information the service gives out. Be clear about what this buys you: it hides the exact product and version from casual scanners and from worm-style attacks that pick targets by banner, but it does not fix anything, and a determined attacker will fingerprint the server by its behaviour instead, so never treat a changed banner as a substitute for patching.
To do this with the Apache 1.3 source tree, you would need to locate the following file (in Apache 2.x the equivalent defines live in include/ap_release.h):
Code:
apache-x.x/src/include/httpd.h
Find these lines:
Code:
#define SERVER_BASEPRODUCT "apache"
#define SERVER_BASEREVISION "x.x.x"
and change them to something else before you build, for example:
Code:
#define SERVER_BASEPRODUCT "h4x0r_jim_duggans_httpserver"
#define SERVER_BASEREVISION "99.99.99b"
With pretty much any open source project, you can change these banners before compiling the program; obviously they are not always in the same place, but if you look around enough using your friends google and grep you should be able to find them. Often there is a configuration option that avoids recompiling altogether: Apache, for instance, has "ServerTokens Prod" and "ServerSignature Off" for httpd.conf, which reduce the banner to just "Apache" and take the version out of error pages, and that is the supported way to do it.
Another thing you may have noticed in my netstat output above is that the X11 server is listening on a port (6000, shown as x11). Now instead of shutting this one down (which will kill your graphical environment; I'm assuming you don't want to do that and that you are running a graphical environment), you can just edit a config file to stop it listening by default. X over TCP is unencrypted and access control is only the xhost list or an xauth cookie, so there is no reason to leave that port open on a desktop.
On most older systems this file is in:
/usr/X11R6/bin/
(on current distributions startx lives in /usr/bin). cd to that directory and type: vi startx
Scroll down the file until you see the following line:
Code:
serverargs=""
and change it to:
Code:
serverargs="-nolisten tcp"
This should stop the X server from listening on a TCP port next time it is started. Restart X (log out and back in, or ctrl+alt+backspace if your server still has that key combination enabled; most recent ones don't by default) and check your netstat output to see if this has worked properly. Note that recent X.Org servers already default to -nolisten tcp, so on a newer system you may find the port was never there to begin with.
There are also other methods you can deploy; one quite effective one is to run services like FTP/HTTP servers in a chroot jail. Basically this runs your desired service with a subdirectory of your hard drive as its / (root) directory, so it cannot see or open anything outside that tree. This can be a bit of a hassle to set up, as you have to copy across the libraries, config files and device nodes needed by the service to operate correctly, and also set up a new user and group account for it. The advantage is that an attacker who exploits a vulnerability in the jailed program only gets a shell inside the jail, with none of your real config files, binaries or user data in reach. Two caveats: a chroot is not a security boundary for root (a root process inside the jail can break out of it, which is why the jailed service must run as an unprivileged user), and the kernel is still shared, so a kernel exploit is unaffected by the jail.
For more information on setting up chroot jails, search around on google or sites like http://www.linuxsecurity.org and see the man / info pages for the chroot command, as there is quite a bit to cover and you will have to do some work adding users and groups and copying directory structures over. Many daemons (sshd, vsftpd, bind, postfix) also have a built-in chroot option that does most of this for you.
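The tedious part of building a jail is working out which shared libraries the program needs and copying them into the right place, so here is that step as a script (an added example, not part of the original tutorial). The jail path, the service account name and the program used in the demonstration (/bin/sh) are assumptions; a real jail for an FTP or HTTP daemon also needs the daemon's config, a cut-down /etc/passwd and /etc/group, and /dev/null and friends created with mknod.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build the skeleton of a chroot
# jail for one program by copying the binary plus every shared library it links
# against. The jail path and the program (/bin/sh) are assumptions for the
# demonstration; a real jail for an FTP/HTTP daemon also needs its config files,
# an /etc/passwd and /etc/group with just the service account, and /dev/null
# and friends created with mknod.

# libs_from_ldd: read "ldd PROGRAM" output on stdin, print each absolute library
# path once. ldd prints three kinds of line:
#   libc.so.6 => /lib/libc.so.6 (0x...)     -> /lib/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x...)     -> /lib64/ld-linux-x86-64.so.2
#   linux-vdso.so.1 (0x...)                 -> nothing (provided by the kernel)
libs_from_ldd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | LC_ALL=C sort -u
}

# copy_into_jail JAIL PATH: copy PATH to JAIL/PATH, creating the directory.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")" && cp -p "$src" "$jail$src"
}

# make_jail JAIL PROGRAM: copy PROGRAM and its libraries into JAIL.
make_jail() {
    jail=$1; prog=$2
    copy_into_jail "$jail" "$prog" || return 1
    for lib in $(ldd "$prog" | libs_from_ldd); do
        copy_into_jail "$jail" "$lib" || return 1
    done
}
# Start the service inside the jail as an unprivileged user, never as root:
# chroot(2) does not stop a root process from breaking out. With GNU coreutils:
#   chroot --userspec=ftp:ftp /srv/jail /bin/sh
# (ftp:ftp and /srv/jail are assumed names for the service account and jail.)

# Demonstration in a throwaway directory, skipped where ldd is not available.
if command -v ldd >/dev/null 2>&1; then
    demo_jail=$(mktemp -d) && make_jail "$demo_jail" /bin/sh && find "$demo_jail" -type f
    rm -rf "$demo_jail"
fi
```

After running make_jail, check the result with "chroot JAIL /bin/sh" as root before adding the service account: if the shell starts and can run ls, the library copying worked; if you get "No such file or directory" for a binary that is clearly there, it is almost always a missing dynamic loader or library, which is what libs_from_ldd is meant to catch.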
---------------------
Firewalling
---------------------
A firewall is an important part of any security setup, ideally a hardware firewall, either a standalone hardware firewall, or a system set up with a minimal linux/unix distribution and a good set of rules for filtering packets.
However, most home users do not have the hardware available to set up a hard firewall, so instead you can opt for a software firewall program.
There are a few good ones available for Linux; a good starter would be something like Firestarter, a basic GUI program that lets you set up a decent software firewall very quickly. It is available at http://firestarter.sourceforge.net/ and is very simple to set up: download the relevant package and start it up, and it will run you through a wizard to customize your rules.
A popular software firewall is Shorewall. This program comes precompiled with some distros, such as Mandrake, and may even come with a GUI interface. If you don't fancy the idea of editing configuration files from the command line, something like Webmin from http://www.webmin.com is a great program for configuring shorewall with a GUI. In fact, I would recommend anyone using Linux or administering servers / networks check out Webmin; it's like the swiss army knife of computer software. Just download and compile it, grab the shorewall module for webmin from their site and configure it all through the web browser interface (keep in mind that Webmin is itself another service listening on a port, 10000 by default, so bind it to localhost or firewall it off when you are not using it).
Shorewall (at least the latest versions, with 2.4 and newer kernels) works with iptables to configure netfilter rulesets; it is a rule compiler rather than a firewall in its own right, so what ends up running in the kernel is plain iptables. I suggest you read up about iptables and netfilter if you don't already know about them, as there is a lot of information I don't have the motivation to cover here ;)
Shorewall's homepage is at http://shorewall.sourceforge.net/
They have a great set of documentation there if you require some more complex rulesets, but for the purpose of this document, I will run through the basics.
Shorewall works by adding rulesets, policies and zones...
ZONES: (default: /etc/shorewall/zones)
Zones define the source and destination areas for incoming and outgoing traffic so you can set up rules and policies around them. For instance, you can set up the "net" zone to refer to everything on the internet, the "fw" zone to refer to the local machine where shorewall itself runs, and maybe a "local" zone to refer to your LAN (if applicable).
RULESETS: (default: /etc/shorewall/rules)
Rulesets define how shorewall handles specific kinds of traffic; for instance a rule like this one lets the internet reach an FTP server on the firewall box itself (the columns, in the order shorewall expects them, are ACTION, SOURCE, DEST, PROTO, DEST PORT):
Code:
#ACTION SOURCE  DEST    PROTO   DEST PORT
ACCEPT  net     fw      tcp     ftp
Rules are matched top to bottom and the first match wins. You only want rules like this for services you deliberately expose; everything else falls through to the policy.
POLICIES: (default: /etc/shorewall/policy)
Policies are used for a default ruleset, when no other rule in /etc/shorewall/rules applies. For instance, when a connection attempts to establish itself on your system from the net zone, shorewall will first check the rulesets defined in /etc/shorewall/rules, if it does not find a matching ruleset there, it will look in the policy file to see what to do.
A good, simple default policy to have would be something like this, which silently drops anything from the internet that no rule allowed:
Code:
#SOURCE DEST    POLICY
net     fw      DROP
With this basic setup you will also want to let the box itself out, otherwise you won't be able to browse anything:
Code:
#SOURCE DEST    POLICY
fw      net     ACCEPT
Both lines go in the same /etc/shorewall/policy file; shorewall takes the first matching policy, so order matters if you add more zones later.
Another shorewall file you may want to look at is shorewall.conf, usually found in /etc/shorewall. This is a general configuration file that lets you specify things like logging options which may be useful for you.
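Putting the pieces together, here is a complete minimal configuration for a standalone box (an added example, not from the original tutorial or from the Shorewall project) in the file format used by Shorewall 4. The interface name eth0 and the dhcp option are assumptions about the host, and the interfaces file is one the text above does not mention but which shorewall needs in order to know which network device the "net" zone is behind. Shorewall allows replies to connections the box opened itself automatically, so the net to fw DROP policy does not break outgoing browsing; you also need STARTUP_ENABLED=Yes in shorewall.conf before "shorewall start" will do anything.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4

# /etc/shorewall/interfaces   (eth0 is an assumed interface name)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp

# /etc/shorewall/policy   (checked top to bottom, so the catch-all goes last)
#SOURCE DEST    POLICY  LOG LEVEL
fw      net     ACCEPT
net     fw      DROP    info
all     all     REJECT  info

# /etc/shorewall/rules   (empty: nothing from the net is let in; uncomment a
# line like this only for a service you deliberately expose, e.g. sshd)
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
#ACCEPT net     fw      tcp     22
```

Run "shorewall check" to have the configuration compiled without loading it, then "shorewall start"; the "info" log level on the DROP and REJECT policies means every blocked connection attempt ends up in the kernel log, which is exactly the feed the next paragraph suggests scanning.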
Once you have set up your firewall and disabled all the services you don't need, it would be a good idea to download nmap from http://www.insecure.org and run a scan against yourself (127.0.0.1) to see what ports are still open. It's also a good idea to get a friend to check this remotely by running nmap against your IP, because a local scan will report ports that are not actually reachable from outside: the firewall only filters what arrives on the network interface, and services bound only to 127.0.0.1 are never exposed in the first place. "nmap -sT 127.0.0.1" works as an ordinary user; a SYN scan (-sS) and most OS detection options need root.
OK, by now you should have a basic level of security set up on your Linux box. Of course there are a lot more things you can implement: you could look at getting an intrusion detection system, you could go through the system tightening the permissions on important files so ordinary users cannot read, write or execute them, you could write your own scripts to summarise firewall logs and kernel messages, alter more application configurations, set up TCP wrappers, etc etc. Linux security is a massive subject, and due to its open nature you can change any configuration to suit your needs, so if you require any more information, search around on google, read through Linux user forums and RFCs, keep an eye on security sites and bugtraq, and make sure your system stays updated. That's all for now.