<HTML>
<HEAD>
<TITLE>Introduction</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+">
<LINK REL="HOME" TITLE="Security Quick-Start HOWTO for Red Hat Linux" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Security Quick-Start HOWTO for Red Hat Linux" HREF="index.html">
<LINK REL="NEXT" TITLE="Foreword" HREF="foreword.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF"
><DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="INTRO">1. Introduction</A></H1>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN54">1.1. Why me?</A></H2>
<P>Who should be reading this document, and why should the average Linux user
care about security? Those new to Linux, or unfamiliar with the inherent
security issues of connecting a Linux system to large networks like the Internet,
should be reading. <SPAN CLASS="QUOTE">"Security"</SPAN> is a broad subject with many
facets, and is covered in much more depth in other documents, books, and on
various sites on the Web. This document is intended to be an introduction to
the most basic concepts as they relate to Red Hat Linux, and as
a starting point only.</P>
<P CLASS="LITERALLAYOUT"><TT CLASS="LITERAL"><br>
Iptables Weekly Log Summary from Jul 15 04:24:13 to Jul 22 04:06:00<br>
Blocked Connection Attempts:<br>
<br>
Rejected tcp packets by destination port<br>
<br>
port count<br>
111 19<br>
53 12<br>
21 9<br>
515 9<br>
27374 8<br>
443 6<br>
1080 2<br>
1138 1<br>
<br>
<br>
Rejected udp packets by destination port<br>
<br>
port count<br>
137 34<br>
22 1<br>
<br>
</TT></P
><P>The above is real, live data from a one-week period for my home LAN.
Much of the above would seem to be specifically targeted at Linux systems.
Many of the targeted <SPAN CLASS="QUOTE">"destination"</SPAN> ports are used by well-known
Linux and Unix services, and all may be installed, and possibly
even running, on your system.</P>
<P
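> The page does not show how the weekly summary above was produced. As an added
example, not the HOWTO's own code, the following Python script builds the same
<SPAN CLASS="QUOTE">"rejected packets by destination port"</SPAN> tables from raw
iptables LOG-target lines of the kind written to <TT CLASS="LITERAL">/var/log/messages</TT>;
it assumes the standard <TT CLASS="LITERAL">PROTO=</TT> and <TT CLASS="LITERAL">DPT=</TT>
field layout of those lines, and the sample lines inside it are constructed for the example.</P>

```python
import re
from collections import Counter

# Constructed sample of iptables LOG-target messages (the form they take in
# /var/log/messages). Addresses are documentation ranges; counts are invented.
SAMPLE_LOG = """\
Jul 15 04:31:02 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=60 TTL=49 ID=3012 DF PROTO=TCP SPT=4021 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 15 05:02:44 host kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.2 LEN=78 TTL=113 ID=5 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 16 11:17:09 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=60 TTL=49 ID=3013 DF PROTO=TCP SPT=4022 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 22:40:51 host kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=192.168.1.2 LEN=48 TTL=117 ID=811 DF PROTO=TCP SPT=1044 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 18 03:12:00 host kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.2 LEN=78 TTL=113 ID=6 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 19 09:00:13 host kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=192.168.1.2 LEN=84 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=1
"""

# PROTO= always precedes DPT= in a LOG line; ICMP lines carry no DPT at all.
FIELDS = re.compile(r"\bPROTO=(?P<proto>[A-Z0-9]+)\b.*?\bDPT=(?P<dpt>\d+)\b")


def count_by_port(lines):
    """Map protocol -> Counter of destination ports seen in the LOG lines.

    Lines without a DPT field (ICMP, malformed, unrelated syslog text) are
    skipped rather than miscounted under a bogus port.
    """
    counts = {}
    for line in lines:
        m = FIELDS.search(line)
        if m is None:
            continue
        proto = m.group("proto").lower()
        counts.setdefault(proto, Counter())[int(m.group("dpt"))] += 1
    return counts


def render_summary(counts, protos=("tcp", "udp")):
    """Render 'Rejected <proto> packets by destination port' tables, most
    frequently probed port first (lowest port first on ties), as above."""
    out = []
    for proto in protos:
        out += [f"Rejected {proto} packets by destination port", "", "port count"]
        ranked = sorted(counts.get(proto, {}).items(), key=lambda kv: (-kv[1], kv[0]))
        out += [f"{port} {n}" for port, n in ranked]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_summary(count_by_port(SAMPLE_LOG.splitlines())))
```

<P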
> The focus here will be on threats that are shared by all Linux users, whether
a dual-boot home user or a large commercial site. And we will take a few,
relatively quick and easy steps that will make a typical home desktop system
or small office system running Red Hat Linux reasonably safe
from the majority of outside threats. For those responsible for Linux systems
in a larger or more complex environment, you'd be well advised to read this,
and then follow up with additional reading suitable to your particular
situation. Actually, this is probably good advice for everybody.</P>
<P>We will assume the reader knows little about Linux, networking, TCP/IP,
and the finer points of running a server Operating System like Linux. We
will also assume, for the sake of this document, that all local users are
<SPAN CLASS="QUOTE">"trusted"</SPAN> users, and won't address physical or local network
security issues in any detail. Again, if this is not the case, further
reading is strongly recommended.</P>
<P>The principles that will guide us in our quest are:</P>
<UL>
<LI><P>There is no <SPAN CLASS="APPLICATION">magic bullet</SPAN>. There is no one
<EM>single</EM> thing we can do to make us secure. It is not that simple.</P></LI>
<LI><P>Security is a process that requires maintenance, not an objective to
be reached.</P></LI>
<LI><P>There is no 100% safe program, package or distribution. Just varying
degrees of insecurity.</P></LI>
</UL>
<P>The steps we will be taking to get there are:</P>
<UL>
<LI><P>Step 1: Turn off, and perhaps uninstall, any and all unnecessary services.</P></LI>
<LI><P>Step 2: Make sure that any services that are installed are updated and
patched to the current, safe version -- <EM>and then stay that way</EM>.
Every server application has potential exploits. Some have
just not been found yet.</P></LI>
<LI><P>Step 3: Limit connections to us from outside sources by implementing a
firewall and/or other restrictive policies. The goal is to allow only the
minimum traffic necessary for whatever our individual situation may be.</P></LI>
<LI><P>Awareness. Know your system, and how to properly maintain and secure it.
New vulnerabilities are found, and exploited, all the time. Today's
secure system may have tomorrow's as yet unfound weaknesses.</P></LI>
</UL>
<P>If you don't have time to read everything, concentrate on Steps 1, 2, and 3.
This is where the meat of the subject matter is. The
<A HREF="appendix.html">Appendix</A> has a lot of supporting information, which
may be helpful, but may not be necessary for all readers.</P>
</DIV
><DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN92">1.2. Notes</A></H2>
<P>This is a Red Hat specific version of this document. The included examples
are compatible with Red Hat 7.0 and later. Actually, most examples should
work with earlier versions of Red Hat as well. Also, this document should be
applicable to other distributions that are Red Hat derivatives, such as
Mandrake, Conectiva, etc.</P>
<P>Overwhelmingly, the content of this document is not peculiar to Red Hat. The
same rules and methodologies apply to other Linuxes, and indeed to other
Operating Systems as well. But each may have its own way of doing things --
the file names and locations may differ, as may the system utilities that
we rely on. It is these differences that make this document a
<SPAN CLASS="QUOTE">"Red Hat"</SPAN> version.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN97">1.3. Copyright</A></H2>
<P>Security-Quickstart HOWTO for Red Hat Linux</P>
<P>Copyright &copy; 2001 Hal Burgiss.</P>
<P>This document is free; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.</P>
<P>This document is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.</P>
<P>You can get a copy of the GNU GPL at
<A HREF="http://www.gnu.org/copyleft/gpl.html" TARGET="_top">http://www.gnu.org/copyleft/gpl.html</A>.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN105">1.4. Credits</A></H2>
<P>Many thanks to those who helped with the production of this document.</P>
<UL>
<LI><P>Bill Staehle, who has done a little bit of everything: ideas, editing,
encouragement, and suggestions, many of which have been incorporated.
Bill helped greatly with the content of this document.</P></LI>
<LI><P>Others who have contributed in one way or another: Dave Wreski, Ian
Jones, Jacco de Leeuw, and Indulis Bernsteins.</P></LI>
<LI><P>Various posters on comp.os.linux.security, a great place to learn about
Linux and security.</P></LI>
<LI><P>The Netfilter Development team for their work on
<SPAN CLASS="APPLICATION">iptables</SPAN> and connection tracking, state-of-the-art
tools with which to protect our systems.</P></LI>
</UL>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="DISCLAIMER">1.5. Disclaimer</A></H2>
<P>The author accepts no liability for the contents of this document. Use the
concepts, examples and other content at your own risk. As this is a new
document, there may be errors and inaccuracies. Hopefully these are few and
far between. Corrections and suggestions are welcomed.</P>
<P>This document is intended to give the new user a starting point for securing
their system while it is connected to the Internet. Please understand that
there is no intention whatsoever of claiming that the contents of this
document will necessarily result in an ultimately secure and worry-free
computing environment. Security is a complex topic. This document just
addresses some of the most basic issues that inexperienced users should be
aware of.</P>
<P>The reader is encouraged to read other security related documentation and
articles, and to stay abreast of security issues as they evolve. Security is
not an objective, but an ongoing process.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN124">1.6. New Versions and Changelog</A></H2>
<P>The current official version can always be found at
<A HREF="http://www.tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/" TARGET="_top">http://www.tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/</A>.
Pre-release versions can be found at
<A HREF="http://feenix.burgiss.net/ldp/quickstart-rh/" TARGET="_top">http://feenix.burgiss.net/ldp/quickstart-rh/</A>.</P>
<P>Other formats, including PDF, PS, and single page HTML, may be found at
the Linux Documentation HOWTO index page:
<A HREF="http://tldp.org/docs.html#howto" TARGET="_top">http://tldp.org/docs.html#howto</A>.</P>
<P>Changelog:</P>
<P>Version 1.2: Clarifications on example firewall scripts, and small additions
to 'Have I been Hacked'. Note on Zonealarm type applications. More on the use
of <SPAN CLASS="QUOTE">"chattr"</SPAN> by script kiddies, and how to check for this. Other
small additions and clarifications.</P>
<P>Version 1.1: Various corrections, amplifications and numerous mostly small
additions. Too many to list. Oh yea, learn to spell Red Hat correctly ;-)</P>
<P>Version 1.0: This is the initial release of this document. Comments
welcomed.</P>
</DIV>
<DIV CLASS="SECT2">
<H2 CLASS="SECT2"><A NAME="AEN136">1.7. Feedback</A></H2>
<P>Any and all comments on this document are most welcomed. Please make sure you have
the most current version before submitting corrections or suggestions! These
can be sent to <TT CLASS="EMAIL">&lt;<A HREF="mailto:hal@foobox.net">hal@foobox.net</A>&gt;</TT>.</P>
</DIV>
</DIV
></BODY>
</HTML>