LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue80/tougher.html

402 lines
13 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>My Guide To Linux Security LG #80</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
WIDTH="600" HEIGHT="124" border="0"></A>
<BR>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">My Guide To Linux Security</font></H1>
<H4>By <a href="mailto:robt@robtougher.com">Rob Tougher</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<dl>
<dt><a href=#1>1. Introduction</a>
<dt><a href=#2>2. Securing My Linux Box</a>
<dd><a href=#2.1>2.1 Installation</a>
<dd><a href=#2.2>2.2 Post-installation</a>
<dd><a href=#2.3>2.3 Post-compromise forensics (nobody's perfect)</a>
<dt><a href=#3>3. Secure Transmissions</a>
<dt><a href=#4>4. Conclusion</a>
<dt><a href=#a>a. References</a>
</dl>
<a name=1></a>
<h2>1. Introduction</h2>
<p>
This article explains the steps I
take to secure my home computer and data
communications.
If you are an active proponent of computer
security, this article will be a review.
If you do not have any security practices
currently, you should read on to get a
general idea of how to secure a Linux box.
This obviously isn't a complete security
reference - I take security seriously,
but I'm not as vigilant as I could be with
my computer.
You will have to see for yourself
whether or not the items in this article
provide enough security for your needs.
</p>
<a name=2></a>
<h2>2. Securing My Linux Box</h2>
<p>
I run a Debian Linux box here at home. I keep it powered
up and connected to the Internet at all times.
There are two reasons I want to keep this computer secure -
to hide my data from those who shouldn't see it,
and to protect my computer resources from those
who shouldn't be using them. I keep important stuff
on my machine - data that shouldn't be read (and
certainly not modified) by anyone but me. And I don't
want an intruder to be able to use my machine as a
staging ground for attacks on other targets. I'd be pretty
pissed if I found out someone was using my machine to
try to break into other systems.
</p>
<a name=2.1></a>
<h3>2.1 Installation</h3>
<p>
After a fresh install, the first thing I do right off the bat is
<a href="http://www.netfilter.org/"><b>configure iptables</b></a>
in my kernel. Iptables
allows me to block any packets entering or leaving my
computer. This is important because I am constantly
connected to the net, which leaves my computer open for an
attack. Configuring iptables isn't for the faint of heart - it
requires downloading the kernel source code, configuring it correctly,
and installing it without screwing anything up. If you
have never done this before, you should check out the
<a href="http://www.tldp.org/HOWTO/Kernel-HOWTO.html">
Linux Kernel HOWTO</a>, and practice compiling your kernel
a few times before trying to configure iptables.
</p>
<p>
Next is <a href="http://www.lids.org"><b>LIDS</b></a> - the
Linux Intrusion Detection System. LIDS consists of a patch
for the kernel, and two userspace utilities - lidsconf and
lidsadm. The purpose of this system is to increase the
level of security of your computer by restricting access to files and
processes, and alerting you when attempts to break these restrictions
occur.
The great part about LIDS
is that you can even restrict the root account's permissions. This
reduces the power of the root account, and limits the damage that
can be done if an intruder gets root privileges.
I use LIDS to protect my system binaries, my log files in /var/log,
and my configuration files in /etc. The binaries I mark as READONLY
so that no user, including root, can modify or delete them.
The log files I mark as APPEND so that programs can write data to files in
this directory, but cannot delete or change existing data.
</p>
<p>
The next thing I do is
minimize the number of services running
on the computer. The less services I run, the less
chance there is for someone to be able to break into my
machine. Distributions tend to let a lot of daemons run by
default, which is a bad thing in my opinion. I turn off telnet,
FTP, named, and all of the R* daemons, to name a few. I basically
turn everything off so that I don't have to worry about keeping
them updated with security fixes and such. For the services that
I do run, I install any security patches that are created
as soon as possible. And if a situation occurs where there is
a vulnerability made public without the proper fix, I will
turn off the service.
</p>
<p>
After reducing the number of services running on my computer,
I type "netstat -l" to see what sockets are listening for connections.
I do this just to make sure I haven't missed any services that
I don't need. Every once in a while I'll miss something important,
and catch it later on with netstat.
</p>
<a name=2.2></a>
<h3>2.2 Post-installation</h3>
<p>
After an installation, I run
<a href="http://www.chkrootkit.org"><b>chkrootkit</b></a> about
every week or so. This program will alert me to the presence
of any rootkits on my computer. A rootkit is a set of tools that a cracker
can use to hide his tracks - the kit contains trojaned(altered)
versions of various utilities like ps, ifconfig, and
others. If an intruder broke into my machine and installed
a rootkit, he could basically use my computer resources for
whatever he wanted, and I could only detect him if
I was paying <i>very</i> close attention to my system.
You can download and analyze various rootkits (for educational
use only!) at
<a href="http://packetstorm.decepticons.org/UNIX/penetration/rootkits/">
packetstorm
</a>. The one I've seen mentioned the most is LRK5, which is listed
about half way down the page.
</p>
<p>
When downloading files off of the Internet, I generate checksums
for them using <a href="http://www.gnu.org/software/textutils/textutils.html">
<b>md5sum</b></a>. Most sites that provide downloadable files
also list their checksums, so that I can check to see that the files
I download match the files they are providing. This is a simple
check, and reassures me that I am getting the right bits.
There is of course the possibility that both the files and the
checksums have been tampered with, but in this situation the
web site will probably figure it out quickly, and fix the problem.
</p>
<a name=2.3></a>
<h3>2.3 Post-compromise forensics (nobody's perfect)</h3>
<p>
All of the security in the world cannot <i>guarantee</i> that
your machine will be safe from crackers. I can honestly say
that I don't think my computer has ever been compromised,
but I'm not 100% sure. For the first couple of months that I
used Linux, I didn't give a squat about security - I was just
trying to get the operating system working. I was more
interested in learning the basic userspace commands, and
didn't want to be bothered by anything else.
I was <b>wide open for an attack</b>.
I had a VA Linux machine with a stock Redhat system they put on
there. I probably was running many servers, and didn't even know it.
Poor guy.
</p>
<p>
Well, If my machine ever becomes compromised in the future, I will
first head over to the main site for
<a href="http://www.porcupine.org/forensics/tct.html">
<b>The Coroner's Toolkit</b></a>. TCT is a set of tools
that allow you to figure out what happened on a
compromised machine. You run them, and sit back and relax
while they collect data from your hard drive. I haven't
personally used these tools, but from what the web site says,
they do a pretty decent job. Another impression I get from the web
site is that the tools are extremely difficult to use for novices,
so you are in for a lot of reading and learning if you don't have any
experience with TCT. On
the bottom of the main page they have a couple of links to HOWTO
documents, so your best bet is to start there.
</p>
<p>
I would also check out the
<a href="http://www.honeynet.org/"><b>Honeynet Project</b></a>.
The purpose of this project is to perform research in forensics
analysis, and present this research to the public in the hopes of
raising awareness about security. They have a monthly
forensics contest, where they present information about
a real compromise on their network, and ask for write-ups
on how to investigate the intrusion. The archive for this
contest has a lot of great submissions by security professionals -
I actually learned about The Coroner's Toolkit by seeing
it mentioned in a handful of these investigations. Anyone
interested in computer forensics should go to this site
and read as much information as they can find - there's
enough to keep you busy for a while.
</p>
<a name=3></a>
<h2>3. Secure Transmissions</h2>
<p>
Transmissions by default are insecure. Your
data just flies across the Internet for everyone
to see, and you can't do anything about it. You can use
the traceroute program to see an example of this in
action. Type "traceroute www.google.com" at your command
prompt, and you'll
see every machine that gets to look at the data you
send google during a web search.
</p>
<p>
I make sure that whenever I am logging in to a site,
I use the secure page - https. HTTPS uses SSL, which
encrypts your data while in transit. If I didn't do
this, my password could be sniffed by a compromised machine.
For example, Yahoo! provides a method of secure login
when submitting my username and password for their
various web services. I have a Yahoo! email account, and
use this secure login whenever I am checking my mail.
</p>
<p>
For remote administration, I use
<a href="http://www.openssh.com/"><b>ssh and scp</b></a>.
These two programs are replacements for telnet and FTP.
They are easy to install, and work just as well
as the programs they replace. Once installed, I
open up the corresponding ports in my iptables
configuration so that I can connect to the machine from outside.
</p>
<p>
For email, I use
<a href="http://www.gnupg.org"><b>GnuPG</b></a> to encrypt data that
I don't want anyone reading. When I am sending sensitive
information to someone, I use their public key to encrypt it.
I ask the same of people sending sensitive information to me.
My public key is downloadable from my
<a href="http://www.robtougher.com/">web site</a>,
and also available on various
<a href="http://www.openpgp.net/pgpsrv.html">public key servers</a>.
These steps assure me that I'm the only one reading the email
destined for my inbox.
</p>
<a name=4></a>
<h2>4. Conclusion</h2>
<p>
I hope you enjoyed this article - I tried to explain,
as clearly as possible,
the steps I take to secure my computer and data communications.
If you feel there are any glaring
errors or omissions, by all means
<a href="mailto:robt@robtougher.com">
let me know</a>. My security policy is far from perfect,
and I'm very eager to hear about your practices
and experiences.
</p>
<a name=a></a>
<h2>a. References</h2>
<p>
The following is a list of sites I visit regularly to get
information on various security topics:
</p>
<ul>
<li><b>Advisories</b>
<ul>
<li><a href="http://www.cert.org/">CERT</a>
<li><a href="http://online.securityfocus.com/">
SecurityFocus Online</a>
</ul>
<li><b>Exploits</b> (for educational use only!)
<ul>
<li><a href="http://packetstorm.decepticons.org/Exploit_Code_Archive/">
packetstorm</a>
<li><a href="http://www.securiteam.com/exploits/">
SecuriTeam</a>
<li><a href="http://www.insecure.org/sploits.html">
Fyodor's Exploit World</a>
</ul>
<li><b>Forensics</b>
<ul>
<li><a href="http://www.porcupine.org/forensics/tct.html">
The Coroner's Toolkit</a>
<li><a href="http://www.honeynet.org/">The Honeynet Project</a>
</ul>
<li><b>General</b>
<ul>
<li><a href="http://www.linuxsecurity.com/">Linux Security</a>
<li><a href="http://packetstorm.decepticons.org/">packetstorm</a>
<li><a href="http://www.startplaza.nu/">www.startplaza.nu</a>
</ul>
<li><b>Tools</b>
<ul>
<li><a href="http://www.gnupg.org">GnuPG</a>
<li><a href="http://www.insecure.org/tools.html">
Insecure.org Top 50</a>
<li><a href="http://www.lids.org/">LIDS Project - Secure Linux System</a>
<li><a href="http://www.insecure.org/">NMAP Port Scanner</a>
<li><a href="http://www.snort.org/">SNORT Intrusion Detection System</a>
</ul>
</ul>
<!-- *** BEGIN bio *** -->
<SPACER TYPE="vertical" SIZE="30">
<P>
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">Rob Tougher</H4>
<EM>Rob is a C++ software engineer in the NYC area.
When not coding on his favorite platform, you can
find Rob strolling on the beach with his girlfriend, Nicole,
and their dog, Halley. </EM>
<!-- *** END bio *** -->
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright &copy; 2002, Rob Tougher.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 80 of <i>Linux Gazette</i>, July 2002</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink