LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Security-HOWTO/secure-prep.html

415 lines
9.1 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Security Preparation (before you go on-line)</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Linux Security HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Network Security"
HREF="network-security.html"><LINK
REL="NEXT"
TITLE="What To Do During and After a Breakin"
HREF="after-breakin.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux Security HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="network-security.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="after-breakin.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="secure-prep"
></A
>9. Security Preparation (before you go on-line)</H1
><P
>&#13;Ok, so you have checked over your system, and determined it's as secure
as feasible, and you're ready to put it online. There are a few things
you should now do in order to prepare for an intrusion,
so you can quickly disable the intruder, and get
back up and running.
</P
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN1129"
></A
>9.1. Make a Full Backup of Your Machine</H2
><P
>&#13;Discussion of backup methods and storage is beyond the scope of this
document, but here are a few words relating to backups and security:
</P
><P
>&#13;If you have less than 650mb of data to store on a partition, a CD-R
copy of your data is a good way to go (as it's hard to tamper with
later, and if stored properly can last a long time), you will of
course need at least 650MB of space to make the image. Tapes and other
re-writable media should be write-protected as soon as your backup is
complete, and then verified to prevent tampering. Make sure you store your
backups in a secure off-line area. A good backup will ensure that you
have a known good point to restore your system from.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN1133"
></A
>9.2. Choosing a Good Backup Schedule</H2
><P
>&#13;A six-tape cycle is easy to maintain. This includes four tapes
for during the week, one tape for even Fridays, and one tape for odd
Fridays. Perform an incremental backup every day, and a full backup
on the appropriate Friday tape. If you make some particularly important
changes or add some important data to your system, a full backup might
well be in order.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN1136"
></A
>9.3. Testing your backups</H2
><P
>&#13;You should do periodic tests of your backups to make sure they are
working as you might expect them to. Restores of files and checking
against the real data, sizes and listings of backups, and reading old
backups should be done on a regular basis.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN1139"
></A
>9.4. Backup Your RPM or Debian File Database</H2
><P
>&#13;In the event of an intrusion, you can use your RPM database like you
would use <TT
CLASS="literal"
>tripwire</TT
>, but only if you can be sure it too hasn't been
modified. You should copy the RPM database to a floppy, and keep this
copy off-line at all times. The Debian distribution likely has
something similar.
</P
><P
>&#13;The files <TT
CLASS="literal"
>/var/lib/rpm/fileindex.rpm</TT
> and
<TT
CLASS="literal"
>/var/lib/rpm/packages.rpm</TT
> most likely won't fit on a single floppy.
But if compressed, each should fit on a seperate floppy.
</P
><P
>&#13;Now, when your system is compromised, you can use the command:
</P
><P
>&#13;
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13; root# rpm -Va
</PRE
></FONT
></TD
></TR
></TABLE
>
to verify each file on the system. See the <TT
CLASS="literal"
>rpm</TT
> man page, as there are
a few other options that can be included to make it less verbose.
Keep in mind you must also be sure your RPM binary has not been
compromised.
</P
><P
>&#13;This means that every time a new RPM is added to the system, the RPM
database will need to be rearchived. You will have to decide the
advantages versus drawbacks.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="logs"
></A
>9.5. Keep Track of Your System Accounting Data</H2
><P
>&#13;It is very important that the information that comes from <TT
CLASS="literal"
>syslog</TT
>
not be compromised. Making the files in <TT
CLASS="literal"
>/var/log</TT
> readable and
writable by only a limited number of users is a good start.
</P
><P
>&#13;Be sure to keep an eye on what gets written there, especially under
the <TT
CLASS="literal"
>auth</TT
> facility. Multiple login failures, for example, can
indicate an attempted break-in.
</P
><P
>&#13;Where to look for your log file will depend on your distribution. In a
Linux system that conforms to the "Linux Filesystem Standard", such as
Red Hat, you will want to look in <TT
CLASS="literal"
>/var/log</TT
> and check <TT
CLASS="literal"
>messages</TT
>,
<TT
CLASS="literal"
>mail.log</TT
>, and others.
</P
><P
>&#13;You can find out where your distribution is logging to by looking at
your <TT
CLASS="literal"
>/etc/syslog.conf</TT
> file. This is the file that tells
<TT
CLASS="literal"
>syslogd</TT
> (the system logging daemon) where to log various messages.
</P
><P
>&#13;You might also want to configure your log-rotating script or daemon to
keep logs around longer so you have time to examine them. Take a look
at the <TT
CLASS="literal"
>logrotate</TT
> package on recent Red Hat distributions. Other
distributions likely have a similar process.
</P
><P
>&#13;If your log files have been tampered with, see if you can determine
when the tampering started, and what sort of things appeared to be
tampered with. Are there large periods of time that cannot be accounted
for? Checking backup tapes (if you have any) for untampered log files
is a good idea.
</P
><P
>&#13;Intruders typically modify log files in order to cover their
tracks, but they should still be checked for strange happenings. You
may notice the intruder attempting to gain entrance, or exploit a
program in order to obtain the root account. You might see log entries
before the intruder has time to modify them.
</P
><P
>&#13;You should also be sure to separate the <TT
CLASS="literal"
>auth</TT
> facility from other log
data, including attempts to switch users using <TT
CLASS="literal"
>su</TT
>, login attempts,
and other user accounting information.
</P
><P
>&#13;If possible, configure <TT
CLASS="literal"
>syslog</TT
> to send a copy of the most important
data to a secure system. This will prevent an intruder from covering
his tracks by deleting his login/su/ftp/etc attempts. See the
<TT
CLASS="literal"
>syslog.conf</TT
> man page, and refer to the <TT
CLASS="literal"
>@</TT
> option.
</P
><P
>&#13;There are several more advanced <TT
CLASS="literal"
>syslogd</TT
> programs out
there. Take a look at <A
HREF="http://www.core-sdi.com/ssyslog/"
TARGET="_top"
>http://www.core-sdi.com/ssyslog/</A
> for Secure Syslog. Secure
Syslog allows you to encrypt your syslog entries and make sure no one
has tampered with them.
</P
><P
>&#13;Another <TT
CLASS="literal"
>syslogd</TT
> with more features is <A
HREF="http://www.balabit.hu/en/downloads/syslog-ng/"
TARGET="_top"
>syslog-ng</A
>. It allows you a lot more flexibility in your
logging and also can has your remote syslog streams to prevent
tampering.
</P
><P
>&#13;Finally, log files are much less useful when no one is reading
them. Take some time out every once in a while to look over your log
files, and get a feeling for what they look like on a normal
day. Knowing this can help make unusual things stand out.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="AEN1183"
></A
>9.6. Apply All New System Updates.</H2
><P
>&#13;Most Linux users install from a CD-ROM. Due to the fast-paced nature of
security fixes, new (fixed) programs are always being released. Before
you connect your machine to the network, it's a good idea to check with your
distribution's ftp site and get all the updated packages since you
received your distribution CD-ROM. Many times these packages contain
important security fixes, so it's a good idea to get them installed.
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="network-security.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="after-breakin.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Network Security</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>What To Do During and After a Breakin</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink