Andrew Rangen
Securing a Linux Machine

      There are several essential issues that need to be addressed when securing a Linux machine (post-installation security issues). Most security issues fall under three general categories, which also correspond to the three main avenues of attack on an unsecured system: physical, internal, and external security. A user or administrator should take certain steps to secure a machine before it is ever brought online. The instant a machine is brought online, it is a potential target for any number of “canned” attack programs or for a more complex attack by a “hacker/cracker.” In the ever-changing world of computer security it is essential to understand that a system which is secure one day may have new vulnerabilities the very next day. It is for that reason that computer security experts have the tireless job of continuously updating software and keeping unwanted visitors out.

            Physical security is something that is often overlooked by many of those working to secure a machine. A good question is: “Who has direct physical access to your machine?” If your server or workstation is located in a high-traffic area, it is susceptible to a malicious act by someone passing by. Let’s say, for instance, that a server was kept out in the open in a frequently used computer lab. Anyone could sit down at the terminal and create problems if an account is left logged in. A passerby could also hit the power button, causing downtime and perhaps disk damage. A thorough administrator will take all of these possibilities into account and take appropriate action to physically secure the machine: whether that means putting locks on the machine or moving it to a more secure location, something should be done to prevent the aforementioned problems. Many PC BIOSes and the LILO boot loader allow password-protected booting so that only authorized users can start the system (this prevents it from being booted into single-user mode, where all files are writable without a password). Two programs, xlock and vlock, can also be used to lock a terminal so that no unauthorized party can gain access while you are away.

            Internal security of a machine covers a great deal of territory. Among several more complex vulnerabilities, one must make sure that a normal user cannot gain access to the superuser (root) account. This could happen through incorrect permissions, poor password maintenance, or software vulnerabilities that allow a user to execute a command as a user other than themselves. Restricting root access over the “r-utilities” (rlogin/rsh/rexec), and restricting the accounts and terminals from which root can log in, is a good first step. Setuid (suid) programs, although essential to many aspects of running a Linux (UNIX) machine, can cause many problems in themselves. A suid program allows a user to execute a command with the privileges of another user (the file’s owner). These utilities are essential to many maintenance tasks, such as allowing a user to change his/her password (passwd) and allowing users access to raw network sockets (ping, traceroute). Other utilities using the suid bit (seen as rwsr-xr-x in the permissions) include perl, lpr (the print spooler), mail utilities, and crontab (which allows users to execute commands at predetermined times). These programs should be examined, and all programs that are not necessary should be restricted to a predetermined group (wheel, for example). Another important precaution is an examination of users and what access they should be allowed. Some users only use their account for mail and ftp (web) purposes; these users can be restricted in what shell access they are allowed.
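The suid audit described above, as an added example that is not part of the original article: it lists the setuid programs under a directory tree, reports those not on a short allow-list, and shows how to restrict one to a group (wheel in the text). The directory layout and the allow-list are assumptions made for the demonstration.

```shell
# Added example, not from the original article: audit setuid programs against
# an allow-list and restrict one of them to a group. The demo tree, the
# allow-list "passwd ping" and the program names are constructed assumptions.

# Print every setuid file below directory $1, one path per line, sorted.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files below $1 whose basename is NOT in the space-separated
# allow-list $2 (for example "passwd ping"); each one deserves a closer look.
unexpected_suid() {
    dir=$1
    allow=" $2 "
    find_suid "$dir" | while read -r f; do
        case "$allow" in
            *" $(basename "$f") "*) ;;        # expected, say nothing
            *) printf '%s\n' "$f" ;;          # not on the list: report it
        esac
    done
}

# Keep the setuid bit but let only the owner and group $2 run program $1:
# rwsr-xr-x (4755) becomes rwsr-x--- (4750). Run as root on a real system.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Constructed demo tree: three setuid files, one of which (oldtool) is not on
# the allow-list, plus one ordinary file that must not be reported.
demo_suid_audit() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/usr/bin"
    for p in bin/passwd usr/bin/ping usr/bin/oldtool; do
        : > "$t/$p" && chmod 4755 "$t/$p"
    done
    : > "$t/bin/ls" && chmod 755 "$t/bin/ls"
    unexpected_suid "$t" "passwd ping" | sed "s|^$t/||"   # strip the temp prefix
    rm -rf "$t"
}
```

On a real system `unexpected_suid / "passwd ping ..."` is the interesting call; anything it prints is a candidate for `restrict_to_group` or removal.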

            Password protection is another important aspect of internal security. Passwords should be changed often, and they should be “strong” passwords that do not include dictionary words or information relating to the user (as stored on the system). Several programs are available to administrators to try to “crack” a password file and find any passwords that are not “strong.” A very important software utility can be used to “hide” passwords (even though they are encrypted) from normal users: the Shadow utility. This program stores the encrypted passwords in a separate file from the normal password file (passwords are stored in /etc/shadow instead of in the world-readable /etc/passwd file). Another very important precaution is restricting which files a normal user is allowed to download via ftp. In the /etc/ftpaccess file, there are certain commands that can be used to restrict the downloading of system-specific files. The command noretrieve is followed by directories or files that a normal user should not need to access. Files that are often included are: all files in the /etc directory, all .htaccess files (used by the Apache web server to limit access to directories), and any “core” files. A core file is what is dumped when a program terminates abnormally, and sensitive information often ends up in one (as used in buffer overflows, etc.).

            External security is perhaps the most important aspect of keeping a machine safe. By default, several utilities, or daemons, are enabled. A good first step is to restrict access to a machine to only those domains which are “trusted.” This can be done with TCP Wrappers (tcpd). The best course of action is to edit the /etc/hosts.deny file to deny ALL from ALL and then, in the /etc/hosts.allow file, allow connections from the trusted hosts. The two files are consulted in that order of precedence: hosts.allow is checked first, so connections are denied from everyone except the hosts listed in hosts.allow. One of the most common programs used by a networked machine is telnet. Telnet, although widely used, is very dangerous: it passes passwords and all commands in plain text, which can be read by any modern packet sniffer. The best alternative to telnet is SSH. SSH is a program that uses a 768-bit RSA key to encrypt all interaction in a connection. SSH also allows X forwarding, which is a nice alternative to other conventional X forwarding methods.
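The hosts.allow/hosts.deny lookup order described above, as an added example that is not part of the original article: a small re-implementation of the decision tcpd makes, run against constructed files, which makes visible why the “ALL: ALL” line in hosts.deny matters (a connection matching neither file is allowed). Only the common pattern forms are handled; the host names, network and daemon names are assumptions.

```shell
# Added example, not from the original article: re-implement the tcpd lookup
# order for hosts.allow / hosts.deny on constructed files. Handles the common
# patterns only (ALL, exact host, ".domain" suffix, "net." prefix); real tcpd
# also understands EXCEPT, netgroups, shell commands and more.
# Does any pattern in the comma-separated list $1 match the name $2?
list_matches() {
    name=$2
    oldifs=$IFS; IFS=','; set -- $1; IFS=$oldifs
    for pat in "$@"; do
        pat=$(printf '%s' "$pat" | tr -d ' ')
        case "$pat" in
            ALL) return 0 ;;
            .*)  case "$name" in *"$pat") return 0 ;; esac ;;   # domain suffix
            *.)  case "$name" in "$pat"*) return 0 ;; esac ;;   # network prefix
            *)   [ "$pat" = "$name" ] && return 0 ;;
        esac
    done
    return 1
}

# Does some rule "daemons : clients" in file $1 match daemon $2 and client $3?
file_matches() {
    [ -f "$1" ] || return 1                     # a missing file never matches
    while IFS=: read -r daemons clients _rest; do
        case "$daemons" in ''|*\#*) continue ;; esac   # blank or comment line
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# tcpd order: hosts.allow first, then hosts.deny; matching neither means ALLOW.
hosts_access() {   # $1 hosts.allow, $2 hosts.deny, $3 daemon, $4 client
    if   file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed files: trust one domain and one network, plus sshd from "gateway".
demo_wrappers() {
    t=$(mktemp -d)
    printf 'ALL: .example.com, 192.168.1.\nsshd: gateway\n' > "$t/hosts.allow"
    printf 'ALL: ALL\n' > "$t/hosts.deny"
    hosts_access "$t/hosts.allow" "$t/hosts.deny" in.telnetd host1.example.com
    hosts_access "$t/hosts.allow" "$t/hosts.deny" in.telnetd 10.0.0.5
    hosts_access "$t/hosts.allow" "$t/hosts.deny" sshd gateway
    hosts_access "$t/hosts.allow" "$t/missing.deny" in.ftpd 10.0.0.5
    rm -rf "$t"
}
```

The last call uses a deny file that does not exist: without the “ALL: ALL” rule the untrusted client gets through.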

            Another important post-installation security procedure, which could fall under either internal or external security, is to remove all unnecessary kernel features and services. Source-routed frames, for example, could allow an attacker to bypass the normal routing decisions by specifying, within the packet itself, the routers the packet should pass through. Although sometimes necessary, source routing can often be disabled to ensure that this type of attack cannot be made.

            After a default installation, netstat -ea | fgrep LISTEN | less will return a table of all the ports on which the machine is “LISTENING” to the network. Many of these can be disabled (as they are not needed) through inetd. The /etc/inetd.conf file lists all the services that are enabled and disabled (disabled ones are usually commented out with a #). These services include: telnet, echo, daytime, time, shell, login, talk, pop3, imap, finger, and auth. Most of these will not be needed on the majority of machines.
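The inetd.conf clean-up described above, as an added example that is not part of the original article: it comments out the services the text names in a copy of inetd.conf and then lists what is still enabled. The sample inetd.conf is constructed for the demonstration.

```shell
# Added example, not from the original article: disable the inetd services the
# text names by commenting them out, then list what is still enabled. The
# sample inetd.conf below is constructed for the demonstration.

# Print the service name (first field) of every line not commented out.
enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Disable each service named in the space-separated list $2 by putting a '#'
# in front of its line in $1. Only lines whose FIRST field is exactly the
# service name are touched, so "time" does not also hit "daytime".
disable_services() {
    file=$1
    for svc in $2; do
        sed -i.bak "s/^\([[:space:]]*\)${svc}\([[:space:]]\)/\1#${svc}\2/" "$file"
    done
    rm -f "$file.bak"
}

# Constructed inetd.conf with the services listed in the article plus ftp.
demo_inetd() {
    t=$(mktemp -d)
    cat > "$t/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
echo    stream  tcp  nowait  root  internal
daytime stream  tcp  nowait  root  internal
time    stream  tcp  nowait  root  internal
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
talk    dgram   udp  wait    root  /usr/sbin/tcpd  in.talkd
pop3    stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
finger  stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp  nowait  root  /usr/sbin/in.identd  in.identd -l -e -o
EOF
    disable_services "$t/inetd.conf" \
        "telnet echo daytime time shell login talk pop3 imap finger auth"
    enabled_services "$t/inetd.conf"       # after hardening: only ftp remains
    rm -rf "$t"
}
```

On a live system inetd must be sent a HUP signal after editing for the change to take effect, and a follow-up netstat run confirms the ports are gone.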

            Network filesystems are often used to “mount” other filesystems on a machine as if they were local storage. This is very useful, but can be dangerous if not appropriately configured. Trusted machines can be given access through the /etc/exports file and should be allowed read-only (ro) access unless write access is necessary. The lpd program listens for print requests on the network and can often be disabled (if it is not needed) or restricted through the /etc/hosts.lpd file (similar in format to the hosts.allow file). By default, the X server listens on TCP port 6000. This can be disabled by starting X with the -nolisten tcp switch (X listening on the network is seldom used).

            Sendmail (the program for sending and receiving mail) has many security issues of its own; although an entire book could be written on them, one of the best post-installation security techniques is to add the line “O PrivacyOptions=authwarnings noexpn novrfy” to its configuration. This restricts external users from gaining information about user accounts (by refusing the EXPN and VRFY commands). DNS (the domain name server) is the program that gives and receives information about the names corresponding to domains (which names are assigned to which IP addresses, etc.). This program has vulnerabilities similar to sendmail’s, but we can restrict who is allowed to obtain information through the /etc/named.conf file, where we can “allow-query” from those trusted zones (as defined in the same file). A web server (most often Apache) also has several issues that should be addressed, including who is allowed to execute CGI scripts and SSI (server-side includes). The most important thing is to make sure that the web server is not being run as the “root” user, as this would allow, for example, unauthorized writing of files.

            As we can see, there is an almost endless number of security issues that need to be addressed before a machine can be deemed “secure,” and once the machine is labeled as such, there are always newly developing issues that need to be addressed. The best technique in securing a machine is often to remove all unneeded services and always keep software up to date. In doing this, one ensures that most conventional methods cannot be used to gain unauthorized access to the machine.

