378 lines
20 KiB
HTML
378 lines
20 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>Linux Security Tips LG #58</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<CENTER>
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg"
|
|
WIDTH="600" HEIGHT="124" border="0"></H1></A>
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik2.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue58/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="taylor.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
<P>
|
|
</CENTER>
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4 ALIGN="center">
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H1><font color="maroon">Linux Security Tips</font></H1>
|
|
<H4>By <a href="mailto:kapil@linux4biz.net">Kapil Sharma</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
<p>In this article I will explain how to make your Linux box secure by taking
|
|
basic security measures. This article will enable anybody to tighten the security
|
|
of a redhat Linux box.
|
|
<p><b><u>BIOS Security</u></b> <br>
|
|
Always set a password on BIOS to disallow booting from floppy by changing the
|
|
BIOS settings. This will block undesired people from trying to boot your
|
|
Linux system with a special boot disk and will protect you from people
|
|
trying to change BIOS feature like allowing boot from floppy drive or
|
|
booting the server without password prompt.
|
|
<p><b><u>LILO Security</u></b> <br>
|
|
Add the three parameters in "/etc/lilo.conf" file i.e. time-out, restricted
|
|
and password. These options will ask for password if boot time options
|
|
(such as "linux single") are passed to the boot loader. <br>
|
|
<b>Step 1</b> <br>
|
|
Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three options
|
|
: <br>
|
|
boot=/dev/hda <br>
|
|
map=/boot/map <br>
|
|
install=/boot/boot.b <br>
|
|
time-out=00 <i>#change this line to 00</i><br>
|
|
prompt <br>
|
|
Default=linux <br>
|
|
restricted <i>#add this line</i><br>
|
|
password=<password> <i>#add this line and put your password</i>
|
|
<br>
|
|
image=/boot/vmlinuz-2.2.14-12 <br>
|
|
label=linux <br>
|
|
initrd=/boot/initrd-2.2.14-12.img <br>
|
|
root=/dev/hda6 <br>
|
|
read-only
|
|
<p><b>Step 2</b> <br>
|
|
The "/etc/lilo.conf" file should be readable by only root because it contains
|
|
unencrypted passwords. <br>
|
|
[root@kapil /]# chmod 600 /etc/lilo.conf (will be no longer world readable).
|
|
<p><b>Step 3</b> <br>
|
|
Update your configuration file "/etc/lilo.conf" for the change to take effect.
|
|
<br>
|
|
[Root@kapil /]# /sbin/lilo -v (to update the lilo.conf file).
|
|
<p><b>Step 4</b> <br>
|
|
One more security measure you can take to secure the "/etc/lilo.conf" file
|
|
is to set it immutable, using the chattr command. <br>
|
|
* To set the file immutable simply, use the command:
|
|
<br>
|
|
[root@kapil
|
|
/]# chattr +i /etc/lilo.conf <br>
|
|
This will prevent any changes (accidental or otherwise) to the "lilo.conf" file.
|
|
<p>For more information about lilo security, read my article on <a href="http://www.linux4biz.net/articles">LILO</a>.
|
|
|
|
<p>
|
|
<p><b><u>Disable all special accounts</u></b> <br>
|
|
You should delete all default users and group accounts that you don't
|
|
use on your system like lp, sync, shutdown, halt, news, uucp, operator, games,
|
|
gopher etc <br>
|
|
To delete a user account : <br>
|
|
[root@kapil /]# userdel LP
|
|
<p>To delete a group: <br>
|
|
[root@kapil /]# groupdel LP
|
|
<p><b><u>Choose a Right password</u></b> <br>
|
|
You should follow the following guidelines before choosing the right password.
|
|
<p>The password Length: The minimum acceptable password length by default when
|
|
you install your Linux system is 5. This is not enough and must be 8.
|
|
To do this you have to edit the login.defs file (vi /etc/login.defs) and change
|
|
the line that read:
|
|
<ul>
|
|
<i>PASS_MIN_LEN 5 <br>
|
|
</i>To read:<i> <br>
|
|
PASS_MIN_LEN 8 </i><br>
|
|
The "login.defs" is the configuration file for the login program.
|
|
</ul>
|
|
<b><u>Enable shadow password support</u></b> <br>
|
|
You should enable the shadow password feature. You can use the "/usr/sbin/authconfig"
|
|
utility to enable the shadow password feature on your system. If you want to convert
|
|
the existing passwords and group on your system to shadow passwords and groups
|
|
then you can use the commands <b>pwconv, grpconv</b> respectively. <br>
|
|
<br>
|
|
<u>T<b>he root account</b></u> <br>
|
|
The "root" account is the most privileged account on a Unix system. When the administrator
|
|
forgot to logout from the system root prompt before leaving the system then the
|
|
system should automatically logout from the shell. To do that, you must set the
|
|
special variable of Linux named "TMOUT" to the time in seconds. <br>
|
|
Edit your profile file "vi /etc/profile" and add the following line somewhere
|
|
after the line that read <br>
|
|
<i>"HISTFILESIZE="</i> <br>
|
|
<i>TMOUT=3600 </i><br>
|
|
The value we enter for the variable "TMOUT=" is in second and represent
|
|
1 hours (60 * 60 = <br>
|
|
3600 seconds). If you put this line in your "/etc/profile" file, then the
|
|
automatic logout after one hour of inactivity will apply for all users on the
|
|
system. You can set this variable in user's individual ".bashrc " file to automatically
|
|
logout them after a certain time. <br>
|
|
After this parameter has been set on your system, you must logout and login
|
|
again (as root) for the change to take effect.
|
|
<p><b><u>Disable all console-equivalent access for regular users</u></b> <br>
|
|
You should disable all console-equivalent access to programs like shutdown,
|
|
reboot, and halt for regular users on your server. <br>
|
|
To do this, run the following command: <br>
|
|
[root@kapil /]# rm -f /etc/security/console.apps/<servicename> <br>
|
|
Where <servicename> is the name of the program to which you wish to
|
|
disable console-equivalent access.
|
|
<p><b><u>Disable & uninstall all unused services</u></b> <br>
|
|
You should disable and uninstall all services that you do not use so that
|
|
you have one less thing to worry about. Look at your "/etc/inetd.conf" file
|
|
and disable what you do not need by commenting them out (by adding a #
|
|
at the beginning of the line), and then sending your inetd process a SIGHUP
|
|
command to update it to the current "inetd.conf" file. To do this: <br>
|
|
<b>Step 1</b> <br>
|
|
Change the permissions on "/etc/inetd.conf" file to 600, so that
|
|
only root can read or write to it. <br>
|
|
[Root@kapil /]# chmod 600 /etc/inetd.conf <br>
|
|
<br>
|
|
<b>Step 2</b> <br>
|
|
ENSURE that the owner of the file "/etc/inetd.conf" is root. <br>
|
|
<br>
|
|
<b>Step 3</b> <br>
|
|
Edit the inetd.conf file (vi /etc/inetd.conf) and disable the services like:
|
|
<br>
|
|
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger,
|
|
auth, etc unless you plan to use it. If it's turned off it's much less of a
|
|
risk. <br>
|
|
<br>
|
|
<b>Step 4</b> <br>
|
|
Send a HUP signal to your inetd process <br>
|
|
[root@kapil /]# killall -HUP inetd <br>
|
|
<br>
|
|
<b>Step 5</b> <br>
|
|
Set "/etc/inetd.conf" file immutable, using the <i>chattr</i> command
|
|
so that nobody can modify that file <br>
|
|
* To set the file immutable simply,
|
|
execute the following command: <br>
|
|
[root@kapil
|
|
/]# chattr +i /etc/inetd.conf <br>
|
|
This will prevent any changes (accidental or otherwise) to the "inetd.conf"
|
|
file. The only person that can set or clear this attribute is the super-user
|
|
root. To modify the inetd.conf file you will need to unset the immutable
|
|
flag: <br>
|
|
* To unset the immutable simply, execute the following command: <br>
|
|
[root@kapil
|
|
/]# chattr -i /etc/inetd.conf
|
|
<p><b><u>TCP_WRAPPERS</u></b> <br>
|
|
By using TCP_WRAPPERS you can make your server secure against
|
|
outside intrusion . The best policy is to deny all hosts by putting "ALL: ALL@ALL,
|
|
PARANOID" in the "/etc/hosts.deny" file and then explicitly list trusted
|
|
hosts who are allowed to your machine in the "/etc/hosts.allow" file. TCP_WRAPPERS
|
|
is controlled from two files and the search stops at the first match. <br>
|
|
/etc/hosts.allow <br>
|
|
/etc/hosts.deny
|
|
<p><b>Step 1</b> <br>
|
|
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:
|
|
<br>
|
|
# Deny access to everyone. <br>
|
|
ALL: ALL@ALL, PARANOID <br>
|
|
Which means all services, all locations is blocked, unless they are permitted
|
|
access by entries in the allow file.
|
|
<p> <b>Step 2</b> <br>
|
|
Edit the hosts.allow file (vi /etc/hosts.allow) and add for example, the following
|
|
line: <br>
|
|
As an example: <br>
|
|
ftp: 202.54.15.99 foo.com<br>
|
|
For your client machine: 202.54.15.99 is the IP address and foo.com the
|
|
host name of one of your client allowed using ftp. <br>
|
|
<br>
|
|
<b>Step 3 </b><br>
|
|
The <i>tcpdchk</i> program is the tcpd wrapper configuration checker. It examines
|
|
your tcp wrapper configuration and reports all potential and real problems
|
|
it can find.
|
|
<p> * After your configuration is done, run the program tcpdchk. <br>
|
|
[Root@kapil
|
|
/]# tcpdchk
|
|
<p><b><u>Don't let system issue file to be displayed</u></b> <br>
|
|
You should not display your system issue file when people
|
|
log in remotely . To do this, you can <br>
|
|
change the telnet option in your "/etc/inetd.conf".<br>
|
|
To do this change the line in "/etc/inetd.conf":<br>
|
|
<p><i>telnet stream tcp nowait root
|
|
/usr/sbin/tcpd in.telnetd</i><br>
|
|
to look like:<br>
|
|
<i>telnet stream tcp nowait
|
|
root /usr/sbin/tcpd in.telnetd -h </i><br>
|
|
Adding the "-h" flag on the end will cause the daemon to not display any
|
|
system information and just hit the user with a login: prompt. I
|
|
will recommend to use sshd instead.
|
|
<p><b><u>Change the "/etc/host.conf" file</u></b> <br>
|
|
The "/etc/host.conf" file specifies how names are resolved. <br>
|
|
Edit the host.conf file (vi /etc/host.conf) and add the following lines:
|
|
<br>
|
|
# Lookup names via DNS first then fall back to /etc/hosts. <br>
|
|
order bind,hosts <br>
|
|
# We have machines with multiple IP addresses. <br>
|
|
multi on <br>
|
|
# Check for IP address spoofing. <br>
|
|
nospoof on
|
|
<p> The first option is to resolve the host name through DNS first and then
|
|
hosts file.The multi option determines whether a host in the "/etc/hosts" file
|
|
can have multiple IP addresses (multiple interface ethN). <br>
|
|
The nospoof option indicates to take care of not permitting spoofing on
|
|
this machine.
|
|
<p><b><u>Immunize the "/etc/services" file</u></b> <br>
|
|
You must immunize the "/etc/services" file to prevent unauthorized deletion
|
|
or addition of services. <br>
|
|
* To immunize
|
|
the "/etc/services" file, use the command: <br>
|
|
[root@kapil
|
|
/]# chattr +i /etc/services
|
|
<p><b><u>Disallow root login from different consoles</u></b> <br>
|
|
The "/etc/securetty" file allows you to specify which TTY devices the "root"
|
|
user is allowed to login . Edit the "/etc/securetty" file to disable any tty
|
|
that you do not need by commenting them out (# at the beginning of the line).
|
|
<br>
|
|
<br>
|
|
<b><u>Blocking anyone to su to root</u></b> <br>
|
|
The su (Substitute User) command allows you to become other existing users
|
|
on the system. If you don't want anyone to su to root or restrict
|
|
"su" command to certain users then add the following two lines to the top of
|
|
your "su" configuration file in the "/etc/pam.d/" directory. <br>
|
|
<b>Step 1</b> <br>
|
|
Edit the su file (vi /etc/pam.d/su) and add the following two lines to the
|
|
top of the file: <br>
|
|
<i>auth sufficient /lib/security/pam_rootok.so debug</i> <br>
|
|
<i>auth required /lib/security/Pam_wheel.so group=wheel</i>
|
|
<p>Which means only members of the "wheel" group can su to root; it also includes
|
|
logging. You can add the users to the group wheel so that only those users will
|
|
be allowed to su as root. <br>
|
|
|
|
<p><b><u>Shell logging</u></b> <br>
|
|
The bash shell stores up to 500 old commands in the "~/.bash_history"
|
|
file (where "~/" is your home directory) to make it easy for you to repeat long
|
|
commands. Each user that has an account on the system will have this file "Bash_history"
|
|
in their home directory. The bash shell should store less number of commands
|
|
and delete it on logout of the user.<br>
|
|
<b>Step 1</b> <br>
|
|
The HISTFILESIZE and HISTSIZE lines in the "/etc/profile" file determine the
|
|
size of old commands the "Bash_history" file for all users on your system can
|
|
hold. I would highly recommend setting the HISTFILESIZE and HISTSIZE
|
|
in "/etc/profile" file to a low value such as 30. <br>
|
|
Edit the profile file (vi /etc/profile) and change the lines to: <br>
|
|
HISTFILESIZE=30 <br>
|
|
HISTSIZE=30 <br>
|
|
Which mean, the "Bash_history" file in each users home directory can store
|
|
20 old commands <br>
|
|
and no more. <br>
|
|
<b>Step 2</b> <br>
|
|
The administrator should also add into the "/etc/skel/Bash_logout" file the
|
|
<br>
|
|
"<i>rm -f $HOME/Bash_history</i>" line, so that each time a user logs
|
|
out, its "Bash_history" file will be deleted.<br>
|
|
Edit the Bash_logout file (vi /etc/skel/Bash_logout) and add the following
|
|
line: <br>
|
|
<i>rm -f $HOME/Bash_history</i>
|
|
<p><b><u>Disable the Control-Alt-Delete keyboard shutdown command</u></b> <br>
|
|
To do this comment out the line (with a "#") listed below in your "/etc/inittab"
|
|
file . <br>
|
|
To do this, edit the inittab file (vi /etc/inittab) and change the line:
|
|
<br>
|
|
<i>ca::ctrlaltdel:/sbin/shutdown -t3 -r now </i><br>
|
|
To read: <br>
|
|
<i>#ca::ctrlaltdel:/sbin/shutdown -t3 -r now </i><br>
|
|
Now, for the change to take effect type in the following at a prompt:
|
|
<br>
|
|
[root@kapil /]# /sbin/init q
|
|
<p><b><u>Fix the permissions under "/etc/rc.d/init.d" directory for script files</u></b>
|
|
<br>
|
|
Fix the permissions of the script files that are responsible for starting
|
|
and stopping all your normal processes that need to run at boot time.
|
|
To do this: <br>
|
|
[root@kapil/]# chmod -R 700 /etc/rc.d/init.d/* <br>
|
|
Which means only root is allowed to Read, Write, and Execute scripts files
|
|
on this directory.
|
|
<p><b><u>Hide your system information</u></b> <br>
|
|
By default, when you login to a Linux box, it tells you the Linux distribution
|
|
name, version, kernel version, and the name of the server. This is sufficient
|
|
information for a crackers to get information about your server. You should
|
|
just prompt users with a "Login:" prompt. <br>
|
|
<b>Step 1</b> <br>
|
|
To do this, Edit the "/etc/rc.d/rc.local" file and Place "#" in front of the
|
|
following lines as shown:
|
|
<p># This will overwrite /etc/issue at every boot. So, make any changes
|
|
you <br>
|
|
# want to make to /etc/issue here or you will lose them when you reboot. <br>
|
|
#echo "" > /etc/issue <br>
|
|
#echo "$R" >> /etc/issue <br>
|
|
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue <br>
|
|
# <br>
|
|
#cp -f /etc/issue /etc/issue.net <br>
|
|
#echo >> /etc/issue <br>
|
|
<br>
|
|
<b>Step 2</b> <br>
|
|
Then, remove the following files: "issue.net" and "issue" under "/etc" directory:
|
|
<br>
|
|
[root@kapil /]# rm -f /etc/issue <br>
|
|
[root@kapil /]# rm -f /etc/issue.net
|
|
<p><b><u>Disable unused SUID/SGID programs</u></b> <br>
|
|
A regular user will be able to run a program as root if it is set to SUID
|
|
root. A system administrator should minimize the use of these SUID/GUID programs
|
|
and disable the programs which are not needed. <br>
|
|
<b>Step 1</b> <br>
|
|
* To find all files with the `s' bits from root-owned programs, use the
|
|
command: <br>
|
|
[root@kapil]# find /
|
|
-type f \( -perm -04000 -o -perm -02000 \) \-exec ls ­lg {} \;
|
|
<p> * To disable the suid bits on selected programs
|
|
above, type the following commands: <br>
|
|
[root@kapil /]# chmod
|
|
a-s [program] <br>
|
|
|
|
<p>After following the above security guidelines, a system administrator can maintain
|
|
a basic level of system security. Some of the above tasks are a continuous process.
|
|
The system administrator has to continuously follow the above guidelines to
|
|
keep system secure. <br>
|
|
<p>Written by: Kapil Sharma <br>
|
|
Email: <a href="mailto:kapil@linux4biz.net">kapil@linux4biz.net</a> <br>
|
|
Website: <a href="http://www.linux4biz.net">http://www.linux4biz.net</a> <br>
|
|
[Kapil Sharma is a Linux and Internet security consultant. He has been working
|
|
on various Linux/Unix systems and Internet Security for more than 2 years. He
|
|
is maintaing a web site <a href="http://www.linux4biz.net">http://www.linux4biz.net</a>
|
|
for providing free as well as commercial support for web, Linux and Unix solutions.]
|
|
|
|
|
|
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<P> <hr> <!-- P -->
|
|
<H5 ALIGN=center>
|
|
|
|
Copyright © 2000, Kapil Sharma<BR>
|
|
Published in Issue 58 of <i>Linux Gazette</i>, October 2000</H5>
|
|
<!-- *** END copyright *** -->
|
|
|
|
<!--startcut ==========================================================-->
|
|
<HR><P>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="okopnik2.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue58/sharma.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="taylor.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|