222 lines
9.8 KiB
HTML
222 lines
9.8 KiB
HTML
<!--startcut BEGIN header ==============================================-->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>Securing Linux: The First Steps LG #47</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4>
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H1><font color="maroon">Securing Linux: The First Steps</font></H1>
|
|
<H4>By <a href="mailto:peter@math.umn.edu">Peter Lukas</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
<p>
|
|
Not too long ago, I sat patiently while the latest kernel version trickled
|
|
down my slow, analog dial-up connection. Throughout the entire process, I
|
|
longed for the day when high-speed Internet access would be available in
|
|
the home. The arrival of xDSL and cable modems to the doorstep has made
|
|
this dream a reality, but not without its price.
|
|
<p>
|
|
As I write this, somewhere in the world, someone is setting up a Linux
|
|
distribution on their home computer for the first time. The new Linux
|
|
administrator takes the system for a spin by firing up accounts for family
|
|
and friends. Just a few short hours after the initial installation, this
|
|
new Linux system is an Internet presence thanks to its high-speed DSL
|
|
connection.
|
|
<p>
|
|
<H3>It Is Also a Sitting Duck</H3>
|
|
<p>
|
|
Nearly all Linux distributions available today are insecure right out of
|
|
the box. Many of these security holes can be easily plugged, but tradition
|
|
and habit have left them wide open. A typical Linux installation boots for
|
|
the first time offering a variety of exploitable services like SHELL, IMAP
|
|
and POP3. These services are often used as points of entry for rogue
|
|
netizens who then use the machine for their needs, not yours. This
|
|
isn't just limited to Linux--even the most sophisticated
|
|
commercial UNIX flavors ship with these services and more running right
|
|
out of the box.
|
|
<p>
|
|
Without assessing blame or pointing fingers, it is more important that
|
|
these new machines become locked down (<I>hardened</I>, to pin a technical
|
|
term to it). Believe it or not, it doesn't take an expert in system
|
|
security to harden a Linux machine. In fact, you can protect yourself from
|
|
90 percent of intrusions in less than five minutes.
|
|
<p>
|
|
<H3>Getting Started</H3>
|
|
<p>
|
|
To begin the process of hardening your machine, ask yourself what role
|
|
your machine will play and how comfortable you are with connecting it to
|
|
the Internet. Carefully decide which services you want to make available
|
|
to the rest of the world. If you are unsure, it's best not to run any.
|
|
Most importantly, create a security policy for yourself. Decide what is
|
|
and what is not acceptable use of your system.
|
|
<p>
|
|
For purposes of this article, the example machine is a workstation that
|
|
will be used for typical Internet access such as mail and news reading,
|
|
web browsing, etc.
|
|
<p>
|
|
<H3>Securing Network Services</H3>
|
|
<p>
|
|
First, gain superuser (root) access to the system and take an inventory of
|
|
its current network state by using the <B>netstat</B> command (part of net-tools
|
|
and standard on most Linux systems). An example of its ouput is shown
|
|
here:
|
|
<pre>
|
|
root@percy / ]# netstat -a
|
|
Active Internet connections (servers and established)
|
|
Proto Recv-Q Send-Q Local Address Foreign Address State
|
|
tcp 0 0 *:imap2 *:* LISTEN
|
|
tcp 0 0 *:pop-3 *:* LISTEN
|
|
tcp 0 0 *:linuxconf *:* LISTEN
|
|
tcp 0 0 *:auth *:* LISTEN
|
|
tcp 0 0 *:finger *:* LISTEN
|
|
tcp 0 0 *:login *:* LISTEN
|
|
tcp 0 0 *:shell *:* LISTEN
|
|
tcp 0 0 *:telnet *:* LISTEN
|
|
tcp 0 0 *:ftp *:* LISTEN
|
|
tcp 0 0 *:6000 *:* LISTEN
|
|
udp 0 0 *:ntalk *:*
|
|
udp 0 0 *:talk *:*
|
|
udp 0 0 *:xdmcp *:*
|
|
raw 0 0 *:icmp *:* 7
|
|
raw 0 0 *:tcp *:* 7
|
|
</pre>
|
|
As you can see from that output, a fresh installation left a number
|
|
of services open to anyone within earshot. Most of these services are
|
|
known troublemakers and can be disabled in the configuration file,
|
|
/etc/inetd.conf.
|
|
<p>
|
|
Open the file with your favorite text editor and begin to comment out any
|
|
services you do not want. To do this, simply add a ``#'' to the beginning of
|
|
the line containing the service. In this example, the entire file would be
|
|
commented out. Of course, should you decide at some point that you would
|
|
like to offer some of these services, you are free to do so.
|
|
<p>
|
|
Now, restart <B>inetd</B> to reflect the changes. This can be done in a number of
|
|
ways and can differ from system to system. A simple
|
|
<p>
|
|
<pre>
|
|
killall -HUP inetd
|
|
</pre>
|
|
should do the trick. Check the open sockets again with netstat and note
|
|
the changes.
|
|
<p>
|
|
Next, take a look at what processes are running. In most cases, you'll see
|
|
things like <B>sendmail</B>, <B>lpd</B> and <B>snmpd</B> waiting for connections.
|
|
Because this machine will not be responsible for any of these services,
|
|
they will all be turned off.
|
|
<p>
|
|
In most cases, these services are launched from the system initialization
|
|
scripts. These can vary somewhat from distribution to distribution, but
|
|
they are most commonly found in /etc/init.d or /etc/rc.d. Consult the
|
|
documentation for your distribution if you are unsure. The goal is to
|
|
prevent the scripts from starting these services at boot time.
|
|
<p>
|
|
If your Linux distribution uses a packaging system, take the time
|
|
to remove the services you do not want or need. On this example machine,
|
|
those would be sendmail, any of the ``r'' services (<B>rwho</B>, <B>rwall</B>, etc), <B>lpd</B>, <B>ucd-snmp</B> and Apache. This is a much easier approach and will ensure the
|
|
services aren't activated accidentally.
|
|
<p>
|
|
<H3>Securing X</H3>
|
|
<p>
|
|
Most recent distributions enable machines to boot for the first time into
|
|
an X Window System login manager like <B>xdm</B>. Unfortunately, that too is subject to
|
|
exploits. By default, the machine will allow any host to request a login
|
|
window. Since this machine has only one user that logs into the console
|
|
directly, that feature will need to be disabled as well.
|
|
<p>
|
|
The configuration file for this varies depending on which version of the
|
|
login manager you are using. This machine is running xdm, so the
|
|
/usr/X11R6/lib/X11/Xaccess file will need to be edited. Again, add a
|
|
``#''
|
|
to prevent the services from starting. My Xaccess file looks like this:
|
|
<p>
|
|
<pre>
|
|
#* #any host can get a login window
|
|
#* #any indirect host can get a chooser
|
|
</pre>
|
|
The changes will take effect when xdm restarts.
|
|
<p>
|
|
<H3>Software Updates</H3>
|
|
<p>
|
|
Now that some of the basic hardening has been done, it is necessary to
|
|
check with the vendor for updates and enhancements to the distribution.
|
|
Poor maintenance or none at all is another large contributor to system
|
|
compromises.
|
|
<p>
|
|
One of the blessings of open-source software is that it is constantly
|
|
under development. Security vulnerabilities are often discovered by a
|
|
number of people, and a fix is available within days, if not hours of its
|
|
discovery. As a result, most vendors actively maintain their Linux
|
|
distribution. Quite often, they post updates, bug fixes and security
|
|
advisories on their web site. Make a daily or weekly visit to your vendor's
|
|
site and apply any patches or updates they post.
|
|
<p>
|
|
<H3>The Next Step</H3>
|
|
<p>
|
|
By this point, the machine is far more secure than when it was first
|
|
installed. It isn't invulnerable to attack, but at least it is no longer
|
|
extending an invitation to attackers. The approach outlined here is
|
|
similar to that of locking your home or car. The average thief will jiggle
|
|
the handle, realize that it's locked and move on to one that isn't.
|
|
<p>
|
|
Should you decide these steps do not provide enough security, or you
|
|
wish to provide some network services across the Internet, take the time
|
|
to research some advanced security techniques before you do so.
|
|
<p>
|
|
Unfortunately, vendors of most Linux distributions assume their customers
|
|
already know about these services and want to use them. This isn't always
|
|
the case for newcomers. Of course, there is still a large amount of ground
|
|
to cover before total Linux system security can be achieved, but these
|
|
steps provide a basic foundation and awareness of system security.
|
|
<p>
|
|
To date, the majority of system and network compromises are relatively
|
|
minor. As Linux increases in popularity and high-speed Internet access
|
|
becomes more available, attacks on unprepared Linux systems will only
|
|
become more severe and abundant.
|
|
|
|
|
|
|
|
<!-- BEGIN copyright ==================================================-->
|
|
<P> <hr> <P>
|
|
<H5 ALIGN=center>
|
|
|
|
Copyright © 1999, Peter Lukas<BR>
|
|
Published in Issue 47 of <i>Linux Gazette</i>, November 1999</H5>
|
|
<!-- END copyright ===================================================-->
|
|
|
|
|
|
|
|
|
|
|
|
<!--startcut footer ===================================================-->
|
|
<P> <hr> <P>
|
|
<A HREF="index.html"><IMG ALIGN=BOTTOM SRC="../gx/indexnew.gif"
|
|
ALT="[ TABLE OF CONTENTS ]"></A>
|
|
<A HREF="../index.html"><IMG ALIGN=BOTTOM SRC="../gx/homenew.gif"
|
|
ALT="[ FRONT PAGE ]"></A>
|
|
<A HREF="heizer.html"><IMG SRC="../gx/back2.gif"
|
|
ALT=" Back "></A>
|
|
<A HREF="../faq/index.html"
|
|
><IMG SRC="./../gx/dennis/faq.gif"
|
|
ALT="[ Linux Gazette FAQ ]"></A>
|
|
<A HREF="makarov.html"><IMG SRC="../gx/fwd.gif" ALT=" Next "></A>
|
|
<P> <hr> <P>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|