<!--startcut BEGIN header ==============================================-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Securing Linux: The First Steps LG #47</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!--endcut ============================================================-->
<H4>
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">Securing Linux: The First Steps</font></H1>
<H4>By <a href="mailto:peter@math.umn.edu">Peter Lukas</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<p>
Not too long ago, I sat patiently while the latest kernel version trickled
down my slow, analog dial-up connection. Throughout the entire process, I
longed for the day when high-speed Internet access would be available in
the home. The arrival of xDSL and cable modems to the doorstep has made
this dream a reality, but not without its price.
<p>
As I write this, somewhere in the world, someone is setting up a Linux
distribution on their home computer for the first time. The new Linux
administrator takes the system for a spin by firing up accounts for family
and friends. Just a few short hours after the initial installation, this
new Linux system is an Internet presence thanks to its high-speed DSL
connection.
<p>
<H3>It Is Also a Sitting Duck</H3>
<p>
Nearly all Linux distributions available today are insecure right out of
the box. Many of these security holes can be plugged easily, but tradition
and habit have left them wide open. A typical Linux installation boots for
the first time offering a variety of exploitable services such as the
Berkeley r-services (shell, login), IMAP and POP3. These services are
frequently used as points of entry by rogue netizens, who then use the
machine for their needs, not yours. This isn't limited to Linux: even the
most sophisticated commercial UNIX flavors ship with these services, and
more, running right out of the box.
<p>
Without assessing blame or pointing fingers, the important thing is that
these new machines get locked down (<I>hardened</I>, to pin a technical
term to it). Believe it or not, it doesn't take an expert in system
security to harden a Linux machine. Closing the handful of services
described below shuts out the bulk of opportunistic intrusions, and it
takes less than five minutes.
<p>
<H3>Getting Started</H3>
<p>
To begin the process of hardening your machine, ask yourself what role
your machine will play and how comfortable you are with connecting it to
the Internet. Carefully decide which services you want to make available
to the rest of the world. If you are unsure, it's best not to run any.
Most importantly, create a security policy for yourself. Decide what is
and what is not acceptable use of your system.
<p>
For purposes of this article, the example machine is a workstation that
will be used for typical Internet access such as mail and news reading,
web browsing, etc.
<p>
<H3>Securing Network Services</H3>
<p>
First, gain superuser (root) access to the system and take an inventory of
its current network state with the <B>netstat</B> command (part of net-tools
and standard on most Linux systems). <B>netstat -a</B> shows every socket,
listening or connected; the TCP entries marked LISTEN, and every bound UDP
socket, are the services waiting for callers. An example of its output is
shown here:
<pre>
[root@percy /]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:imap2                 *:*                     LISTEN
tcp        0      0 *:pop-3                 *:*                     LISTEN
tcp        0      0 *:linuxconf             *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:login                 *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
udp        0      0 *:ntalk                 *:*
udp        0      0 *:talk                  *:*
udp        0      0 *:xdmcp                 *:*
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7
</pre>
As you can see from that output, a fresh installation has left a number
of services open to anyone within earshot. Most of these services are
known troublemakers and are started on demand by <B>inetd</B>, so they can
be disabled in its configuration file, /etc/inetd.conf.
<p>
Open the file with your favorite text editor and comment out every
service you do not want. To do this, simply add a ``#'' at the beginning of
the line containing the service. On this example workstation, the entire
file would be commented out. Should you decide at some point that you would
like to offer one of these services after all, uncommenting its line is all
it takes.
<p>
Now, make <B>inetd</B> re-read its configuration so the changes take effect.
This can be done in a number of ways and differs from system to system. A simple
<p>
<pre>
killall -HUP inetd
</pre>
should do the trick: the HUP signal tells inetd to reload /etc/inetd.conf
without dropping anything else. Check the open sockets again with netstat
and note the changes; whatever is still listening is being started by
something other than inetd. (Current distributions have largely replaced
inetd with xinetd or systemd socket units, and netstat with <B>ss</B>; there,
<B>ss -tuln</B> gives the same inventory.)
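<p>
The inetd steps of this section, gathered into one script. This is an
added example and not code from the original article: it comments out the
active lines of an inetd.conf-style file (keeping any services you name),
counts what is left, and parses <B>netstat -a</B> output for listeners so
the before-and-after comparison can be done mechanically. The script works
on whatever file it is handed, so it can be tried on a copy of
/etc/inetd.conf first; the netstat sample embedded in it is constructed
from the listing above.

```shell
#!/bin/sh
# Added example (not from the original article): inetd hardening as a script.
# disable_inetd_services edits the file it is given, so test it on a copy
# before pointing it at /etc/inetd.conf. The netstat sample is constructed.

# Comment out every active service line in an inetd.conf-style file.
# usage: disable_inetd_services FILE [SERVICE ...]   (named services are kept)
disable_inetd_services() {
    conf=$1
    shift
    keep=" $* "
    cp "$conf" "$conf.orig"                        # backup of the untouched file
    awk -v keep="$keep" '
        /^[[:space:]]*(#|$)/    { print; next }    # comments and blank lines: as is
        index(keep, " " $1 " ") { print; next }    # first field is a kept service
                                { print "#" $0 }   # everything else: comment out
    ' "$conf.orig" > "$conf"
}

# Number of lines in an inetd.conf that still start a service.
count_active_inetd_services() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Read `netstat -a` output on stdin; print "proto local-address" for each
# listener: tcp sockets in LISTEN state and every bound udp socket.
# raw sockets (icmp, tcp) are kernel internals, not services, and are skipped.
listening_sockets() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/) { print $1, $4 }'
}

# Same input, just the count, for a before/after comparison.
count_listeners() {
    listening_sockets | wc -l | tr -d ' '
}

# Constructed sample mirroring the article's listing of a fresh install.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:imap2                 *:*                     LISTEN
tcp        0      0 *:pop-3                 *:*                     LISTEN
tcp        0      0 *:linuxconf             *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:login                 *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
udp        0      0 *:ntalk                 *:*
udp        0      0 *:talk                  *:*
udp        0      0 *:xdmcp                 *:*
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7'

# Run as:  sh harden_inetd.sh /etc/inetd.conf [services to keep]
# With no arguments it only reports the listeners in the constructed sample.
if [ $# -gt 0 ]; then
    disable_inetd_services "$@"
    echo "active inetd services left in $1: $(count_active_inetd_services "$1")"
    echo "now run: killall -HUP inetd   and re-check with: netstat -a"
else
    echo "listeners in sample netstat output: $(printf '%s\n' "$SAMPLE_NETSTAT" | count_listeners)"
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
fi
```

Run against a copy first (<B>cp /etc/inetd.conf /tmp/inetd.conf; sh harden_inetd.sh /tmp/inetd.conf</B>)
and inspect the result before doing it to the real file. Piping a live
<B>netstat -a</B> through <B>listening_sockets</B> before and after the
HUP shows exactly which sockets the inetd change closed and which ones are
started elsewhere.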
<p>
Next, take a look at what processes are running, for example with <B>ps aux</B>.
In most cases, you'll see daemons like <B>sendmail</B>, <B>lpd</B> and
<B>snmpd</B> waiting for connections. These are started at boot time rather
than by inetd, so the inetd.conf changes do not touch them. Because this
machine will not be responsible for any of these services, they will all
be turned off.
<p>
In most cases, these services are launched from the system initialization
scripts. These can vary somewhat from distribution to distribution, but
they are most commonly found in /etc/init.d or /etc/rc.d. Consult the
documentation for your distribution if you are unsure. The goal is to
prevent the scripts from starting these services at boot time.
<p>
If your Linux distribution uses a packaging system, take the time
to remove the services you do not want or need. On this example machine,
those would be sendmail, any of the ``r'' services (<B>rwho</B>, <B>rwall</B>, etc), <B>lpd</B>, <B>ucd-snmp</B> and Apache. This is a much easier approach and will ensure the
services aren't activated accidentally.
<p>
<H3>Securing X</H3>
<p>
Most recent distributions boot for the first time straight into an X Window
System login manager like <B>xdm</B>. Unfortunately, that too has its
exposures. By default, xdm answers XDMCP requests (the udp xdmcp socket in
the netstat listing above) and will offer a login window to any host that
asks. Since this machine has only one user, who logs in at the console
directly, that feature will need to be disabled as well.
<p>
The configuration file for this varies depending on which version of the
login manager you are using. This machine is running xdm, so the
/usr/X11R6/lib/X11/Xaccess file will need to be edited. Again, add a
``#''
to prevent the services from starting. My Xaccess file looks like this:
<p>
<pre>
#* #any host can get a login window
#* #any indirect host can get a chooser
</pre>
The changes will take effect when xdm restarts. Note that Xaccess governs
only XDMCP; the X server itself is still listening on TCP port 6000 (the
*:6000 entry in the netstat listing). If no remote X clients need to reach
this display, add <B>-nolisten tcp</B> to the server command line in xdm's
Xservers file as well, and verify with netstat that port 6000 is gone.
<p>
<H3>Software Updates</H3>
<p>
Now that the basic hardening has been done, check with the vendor for
updates and fixes to the distribution. Poor maintenance, or none at all,
is another large contributor to system compromises.
<p>
One of the blessings of open-source software is that it is constantly
under development. Security vulnerabilities are found by many eyes, and a
fix is often available within days, if not hours, of the discovery. As a
result, most vendors actively maintain their Linux distribution and post
updates, bug fixes and security advisories on their web site. Make a daily
or weekly visit to your vendor's site and apply any patches or updates they
post, paying particular attention to any service you decided to keep running.
<p>
<H3>The Next Step</H3>
<p>
By this point, the machine is far more secure than when it was first
installed. It isn't invulnerable to attack, but at least it is no longer
extending an invitation to attackers. The approach outlined here is
similar to that of locking your home or car. The average thief will jiggle
the handle, realize that it's locked and move on to one that isn't.
<p>
Should you decide these steps do not provide enough security, or you
wish to provide some network services across the Internet, take the time
to research some advanced security techniques before you do so.
<p>
Unfortunately, vendors of most Linux distributions assume their customers
already know about these services and want to use them. This isn't always
the case for newcomers. Of course, there is still a large amount of ground
to cover before total Linux system security can be achieved, but these
steps provide a basic foundation and awareness of system security.
<p>
To date, the majority of system and network compromises are relatively
minor. As Linux increases in popularity and high-speed Internet access
becomes more available, attacks on unprepared Linux systems will only
become more severe and abundant.
<!-- BEGIN copyright ==================================================-->
<P> <hr> <P>
<H5 ALIGN=center>
Copyright &copy; 1999, Peter Lukas<BR>
Published in Issue 47 of <i>Linux Gazette</i>, November 1999</H5>
<!-- END copyright ===================================================-->
</BODY></HTML>
<!--endcut ============================================================-->