<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>My Guide To Linux Security LG #80</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->

<CENTER>
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
WIDTH="600" HEIGHT="124" border="0"></A>
<BR>

<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
<P>
</CENTER>

<!--endcut ============================================================-->

<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>

<P> <HR> <P>
<!--===================================================================-->

<center>
<H1><font color="maroon">My Guide To Linux Security</font></H1>
<H4>By <a href="mailto:robt@robtougher.com">Rob Tougher</a></H4>
</center>
<P> <HR> <P>

<!-- END header -->

<dl>
<dt><a href=#1>1. Introduction</a>
<dt><a href=#2>2. Securing My Linux Box</a>
<dd><a href=#2.1>2.1 Installation</a>
<dd><a href=#2.2>2.2 Post-installation</a>
<dd><a href=#2.3>2.3 Post-compromise forensics (nobody's perfect)</a>
<dt><a href=#3>3. Secure Transmissions</a>
<dt><a href=#4>4. Conclusion</a>
<dt><a href=#a>a. References</a>
</dl>

<a name=1></a>
<h2>1. Introduction</h2>

<p>
This article explains the steps I take to secure my home computer and data
communications. If you are an active proponent of computer security, this
article will be a review. If you do not have any security practices currently,
you should read on to get a general idea of how to secure a Linux box. This
obviously isn't a complete security reference - I take security seriously, but
I'm not as vigilant as I could be with my computer. You will have to see for
yourself whether or not the items in this article provide enough security for
your needs.
</p>

<a name=2></a>
<h2>2. Securing My Linux Box</h2>

<p>
I run a Debian Linux box here at home. I keep it powered up and connected to
the Internet at all times. There are two reasons I want to keep this computer
secure - to hide my data from those who shouldn't see it, and to protect my
computer resources from those who shouldn't be using them. I keep important
stuff on my machine - data that shouldn't be read (and certainly not modified)
by anyone but me. And I don't want an intruder to be able to use my machine as
a staging ground for attacks on other targets. I'd be pretty pissed if I found
out someone was using my machine to try to break into other systems.
</p>

<a name=2.1></a>
<h3>2.1 Installation</h3>

<p>
After a fresh install, the first thing I do right off the bat is
<a href="http://www.netfilter.org/"><b>configure iptables</b></a>
in my kernel. Iptables allows me to block any packets entering or leaving my
computer. This is important because I am constantly connected to the net,
which leaves my computer open for an attack. Configuring iptables isn't for
the faint of heart - it requires downloading the kernel source code,
configuring it correctly, and installing it without screwing anything up. If
you have never done this before, you should check out the
<a href="http://www.tldp.org/HOWTO/Kernel-HOWTO.html">Linux Kernel HOWTO</a>,
and practice compiling your kernel a few times before trying to configure
iptables.
</p>

<p>
Next is <a href="http://www.lids.org"><b>LIDS</b></a> - the Linux Intrusion
Detection System. LIDS consists of a patch for the kernel, and two userspace
utilities - lidsconf and lidsadm. The purpose of this system is to increase the
level of security of your computer by restricting access to files and
processes, and alerting you when attempts to break these restrictions occur.
The great part about LIDS is that you can even restrict the root account's
permissions. This reduces the power of the root account, and limits the damage
that can be done if an intruder gets root privileges.

I use LIDS to protect my system binaries, my log files in /var/log, and my
configuration files in /etc. The binaries I mark as READONLY so that no user,
including root, can modify or delete them. The log files I mark as APPEND so
that programs can write data to files in this directory, but cannot delete or
change existing data.
</p>

<p>
The next thing I do is minimize the number of services running on the
computer. The fewer services I run, the less chance there is for someone to be
able to break into my machine. Distributions tend to let a lot of daemons run
by default, which is a bad thing in my opinion. I turn off telnet, FTP, named,
and all of the R* daemons, to name a few. I basically turn everything off so
that I don't have to worry about keeping them updated with security fixes and
such. For the services that I do run, I install any security patches that are
created as soon as possible. And if a situation occurs where there is a
vulnerability made public without the proper fix, I will turn off the service.
</p>

<p>
After reducing the number of services running on my computer, I type
"netstat -l" to see what sockets are listening for connections. I do this
just to make sure I haven't missed any services that I don't need. Every once
in a while I'll miss something important, and catch it later on with netstat.
</p>
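<p>
The check described above, written out as a small script. This is an added
example, not code from the original article: it reads a listening-socket list
in the format printed by "ss -ltunH" or "netstat -ltun" and reports every
port that is not on a short list of services you expect, so it can be run by
hand after trimming services or from cron. The expected-port list and the
sample socket lines are constructed for the demo.
</p>

```shell
#!/bin/sh
# Added example (not from the original article): list listening sockets that
# are not on an allowlist of expected ports.
#
# Live use (Linux):   ss -ltunH | audit_listeners "22 25"
#                     netstat -ltun | audit_listeners "22 25"
# Add -p (and run as root) to either command to see which process owns a socket.

# audit_listeners "PORT PORT ..."
#   stdin:  socket lines as printed by "ss -ltun" or "netstat -ltun"
#   stdout: one line per listening socket whose local port is not in the list
#   exit:   0 if every listener was expected, 1 otherwise (handy for cron alerts)
audit_listeners() {
    expected=" $1 "
    unexpected=0
    while read -r f1 f2 f3 f4 f5 f6 rest; do
        # skip blank lines and the header lines both tools print
        case "$f1" in ""|Netid|Active|Proto) continue ;; esac
        # ss:      Netid State Recv-Q Send-Q Local:Port Peer
        # netstat: Proto Recv-Q Send-Q Local:Port Foreign [State]
        case "$f2" in
            *[!0-9]*) local_addr=$f5 ;;   # second column is a word: ss layout
            *)        local_addr=$f4 ;;   # second column is a number: netstat layout
        esac
        # local address looks like 0.0.0.0:22, [::]:22, :::22 or *:111;
        # the port is whatever follows the last colon
        port=${local_addr##*:}
        case "$expected" in
            *" $port "*) ;;                                  # expected, ignore
            *) echo "UNEXPECTED listener: $f1 $local_addr"; unexpected=1 ;;
        esac
    done
    return $unexpected
}

# Constructed sample in "ss -ltunH" format (not output from a real host):
# ssh on 22 is wanted, the print spooler on 631 and the portmapper on 111 are not.
SAMPLE_SOCKETS='tcp   LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp   LISTEN 0 128 [::]:22 [::]:*
tcp   LISTEN 0 5   127.0.0.1:631 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:111 0.0.0.0:*'

# demo_audit: run the sample through the check; prints the two unexpected sockets
demo_audit() {
    printf '%s\n' "$SAMPLE_SOCKETS" | audit_listeners "22"
}
```

<p>
A loopback-only listener such as 127.0.0.1:631 is still reported on purpose:
it is not reachable from the network, but it is a running daemon that needs
patching, and it will stay on the list until you either stop it or add its port
to the allowlist knowingly.
</p>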

<a name=2.2></a>
<h3>2.2 Post-installation</h3>

<p>
After an installation, I run
<a href="http://www.chkrootkit.org"><b>chkrootkit</b></a> about
every week or so. This program will alert me to the presence of any rootkits
on my computer. A rootkit is a set of tools that a cracker can use to hide his
tracks - the kit contains trojaned (altered) versions of various utilities like
ps, ifconfig, and others. If an intruder broke into my machine and installed a
rootkit, he could basically use my computer resources for whatever he wanted,
and I could only detect him if I was paying <i>very</i> close attention to my
system.

You can download and analyze various rootkits (for educational use only!) at
<a href="http://packetstorm.decepticons.org/UNIX/penetration/rootkits/">packetstorm</a>.
The one I've seen mentioned the most is LRK5, which is listed about halfway
down the page.
</p>

<p>
When downloading files from the Internet, I generate checksums for them using
<a href="http://www.gnu.org/software/textutils/textutils.html"><b>md5sum</b></a>.
Most sites that provide downloadable files also list their checksums, so that I
can check to see that the files I download match the files they are providing.
This is a simple check, and reassures me that I am getting the right bits.
There is of course the possibility that both the files and the checksums have
been tampered with, but in this situation the web site will probably figure it
out quickly, and fix the problem.
</p>
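<p>
A script form of this check, added here as an example (it is not from the
article): it compares the md5sum of a downloaded file with the value copied
from the download page and, as the stronger step for the "both were tampered
with" case the paragraph raises, verifies a detached GnuPG signature when the
site publishes one, because a signature made with a key you obtained elsewhere
still holds when the site and its checksum list are replaced together. File
names and hashes in the comments are placeholders, and the test data is
constructed.
</p>

```shell
#!/bin/sh
# Added example (not from the original article): verify a download against the
# checksum the site publishes, and optionally against a detached GnuPG signature.
#
#   verify_checksum linux-2.4.tar.gz 0123456789abcdef0123456789abcdef   # placeholders
#   verify_signature linux-2.4.tar.gz linux-2.4.tar.gz.sign              # placeholders

# verify_checksum FILE EXPECTED_MD5
#   Computes the md5sum of FILE and compares it, case-insensitively, with the
#   value copied from the download page.
#   Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file $actual"
        return 0
    fi
    echo "MISMATCH $file expected=$expected actual=$actual" >&2
    return 1
}

# verify_signature FILE SIGFILE
#   A checksum published next to the file only proves the bits match what the
#   site currently serves; if the site is compromised, file and checksum can be
#   replaced together. A detached signature made with a key you obtained
#   separately (a key server, a fingerprint printed in a book or mail, an
#   earlier verified release) does not share that weakness. Needs gpg and the
#   signer's public key already imported; returns gpg's own exit status.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --batch --verify "$2" "$1"
}
```

<p>
When a site ships a whole list of checksums in one file, "md5sum -c MD5SUMS"
performs the same comparison for every file named in the list.
</p>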

<a name=2.3></a>
<h3>2.3 Post-compromise forensics (nobody's perfect)</h3>

<p>
All of the security in the world cannot <i>guarantee</i> that your machine will
be safe from crackers. I can honestly say that I don't think my computer has
ever been compromised, but I'm not 100% sure. For the first couple of months
that I used Linux, I didn't give a squat about security - I was just trying to
get the operating system working. I was more interested in learning the basic
userspace commands, and didn't want to be bothered by anything else. I was
<b>wide open for an attack</b>. I had a VA Linux machine with a stock Red Hat
system they put on there. I probably was running many servers, and didn't even
know it. Poor guy.
</p>

<p>
Well, if my machine ever becomes compromised in the future, I will first head
over to the main site for
<a href="http://www.porcupine.org/forensics/tct.html"><b>The Coroner's Toolkit</b></a>.
TCT is a set of tools that allow you to figure out what happened on a
compromised machine. You run them, and sit back and relax while they collect
data from your hard drive. I haven't personally used these tools, but from what
the web site says, they do a pretty decent job. Another impression I get from
the web site is that the tools are extremely difficult to use for novices, so
you are in for a lot of reading and learning if you don't have any experience
with TCT. On the bottom of the main page they have a couple of links to HOWTO
documents, so your best bet is to start there.
</p>

<p>
I would also check out the
<a href="http://www.honeynet.org/"><b>Honeynet Project</b></a>.
The purpose of this project is to perform research in forensics analysis, and
present this research to the public in the hopes of raising awareness about
security. They have a monthly forensics contest, where they present information
about a real compromise on their network, and ask for write-ups on how to
investigate the intrusion. The archive for this contest has a lot of great
submissions by security professionals - I actually learned about The Coroner's
Toolkit by seeing it mentioned in a handful of these investigations. Anyone
interested in computer forensics should go to this site and read as much
information as they can find - there's enough to keep you busy for a while.
</p>

<a name=3></a>
<h2>3. Secure Transmissions</h2>

<p>
Transmissions by default are insecure. Your data just flies across the
Internet for everyone to see, and you can't do anything about it. You can use
the traceroute program to see an example of this in action. Type
"traceroute www.google.com" at your command prompt, and you'll see every
machine that gets to look at the data you send google during a web search.
</p>

<p>
I make sure that whenever I am logging in to a site, I use the secure page -
https. HTTPS uses SSL, which encrypts your data while in transit. If I didn't
do this, my password could be sniffed by a compromised machine. For example,
Yahoo! provides a method of secure login when submitting my username and
password for their various web services. I have a Yahoo! email account, and
use this secure login whenever I am checking my mail.
</p>

<p>
For remote administration, I use
<a href="http://www.openssh.com/"><b>ssh and scp</b></a>.
These two programs are replacements for telnet and FTP. They are easy to
install, and work just as well as the programs they replace. Once installed, I
open up the corresponding ports in my iptables configuration so that I can
connect to the machine from outside.
</p>
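<p>
Putting the two iptables steps together (the default-deny packet filter from
section 2.1 and the one open port for ssh/scp described here), as an added
example that is not the author's actual configuration: a function that prints
a complete ruleset in iptables-restore format, so it can be reviewed as text
before it is loaded. The ssh port argument, the ping allowance and the logging
rate limit are assumptions for the demo.
</p>

```shell
#!/bin/sh
# Added example (not from the original article): a minimal host firewall in
# iptables-restore format. Everything inbound is dropped by default and only
# what is needed is opened (here the ssh port, so that remote administration
# with ssh/scp keeps working).
#
# Apply on a live host, as root, after reading the output first:
#   build_rules 22 > /etc/iptables.rules
#   iptables-restore --test < /etc/iptables.rules   # parse only, commit nothing
#   iptables-restore < /etc/iptables.rules
# and reload the file at boot with your distribution's mechanism.

# build_rules [SSH_PORT]
#   Prints a ruleset for the filter table to stdout (default ssh port 22).
build_rules() {
    ssh_port=${1:-22}
    cat <<EOF
*filter
# Default policies: nothing comes in or is forwarded unless a rule allows it.
# Outbound traffic is allowed here; tighten OUTPUT as well if the host should
# not be able to originate arbitrary connections.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local processes talk to each other over the loopback interface.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and related traffic (e.g. ICMP errors).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop packets that claim to belong to a connection we have never seen.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The one service exposed to the outside: ssh (scp rides on the same port).
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# Let the host be pinged, rate-limited (useful for troubleshooting; remove if unwanted).
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Log what is about to be dropped, rate-limited so the logs cannot be flooded.
-A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}
```

<p>
The LOG rule is what turns the firewall into a detection aid: dropped
connection attempts show up in the kernel log with the "iptables-drop:" prefix,
so a sudden burst of them is visible without any extra tooling.
</p>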

<p>
For email, I use
<a href="http://www.gnupg.org"><b>GnuPG</b></a> to encrypt data that I don't
want anyone reading. When I am sending sensitive information to someone, I use
their public key to encrypt it. I ask the same of people sending sensitive
information to me. My public key is downloadable from my
<a href="http://www.robtougher.com/">web site</a>, and also available on various
<a href="http://www.openpgp.net/pgpsrv.html">public key servers</a>.
These steps assure me that I'm the only one reading the email destined for my
inbox.
</p>
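<p>
The encrypt-to-the-recipient's-public-key workflow just described, run end to
end as an added example (not the author's keys or scripts): a throwaway GnuPG
home is created for a pretend recipient, the public key is exported the way it
would be published on a web site or key server, a sender holding only that
public key encrypts a message, and the recipient decrypts it with the secret
key. The recipient name, address and message are constructed, and GnuPG 2.1 or
later is assumed for the "--quick-generate-key" option.
</p>

```shell
#!/bin/sh
# Added example (not from the original article): the "encrypt to the
# recipient's public key" workflow, run end to end in throwaway GnuPG home
# directories so that no real keyring is touched. Needs GnuPG 2.1 or later.
# The recipient identity and the message are constructed for the demo.

# gpg_roundtrip MESSAGE
#   Creates a key pair for a pretend recipient, exports the public key (the
#   part you would put on a web site or key server), encrypts MESSAGE to it from
#   a sender keyring that holds only that public key, then decrypts it as the
#   recipient and prints the plaintext. Returns non-zero if any step fails.
gpg_roundtrip() {
    msg=$1
    work=$(mktemp -d) || return 1
    uid="Demo Recipient <demo@example.invalid>"
    recipient_home="$work/recipient"
    sender_home="$work/sender"
    mkdir -m 700 "$recipient_home" "$sender_home"

    # Recipient: generate an unprotected demo key (a real key gets a passphrase).
    GNUPGHOME="$recipient_home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never 2>/dev/null || { rm -rf "$work"; return 1; }
    # Publish: only the public key ever leaves the recipient's machine.
    GNUPGHOME="$recipient_home" gpg --batch --armor --export "$uid" > "$work/recipient.pub.asc"

    # Sender: import the published key and encrypt with it. --trust-model always
    # stands in for the fingerprint check a real sender does before trusting a key.
    GNUPGHOME="$sender_home" gpg --batch --quiet --import "$work/recipient.pub.asc" 2>/dev/null
    printf '%s' "$msg" | GNUPGHOME="$sender_home" gpg --batch --quiet --trust-model always \
        --encrypt --recipient demo@example.invalid --output "$work/msg.gpg" \
        || { rm -rf "$work"; return 1; }

    # Recipient: only the holder of the secret key can recover the message.
    GNUPGHOME="$recipient_home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$work/msg.gpg" 2>/dev/null
    rc=$?

    # Stop the agents started for the temporary homes and clean up.
    GNUPGHOME="$recipient_home" gpgconf --kill gpg-agent 2>/dev/null
    GNUPGHOME="$sender_home" gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return $rc
}
```

<p>
The sender side is the part that matters in practice: with the real recipient's
key imported, the same "gpg --encrypt --recipient" call, minus the
"--trust-model always" shortcut, is all that is needed, and it refuses to
encrypt until you have checked the key's fingerprint and signed or trusted it.
</p>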

<a name=4></a>
<h2>4. Conclusion</h2>

<p>
I hope you enjoyed this article - I tried to explain, as clearly as possible,
the steps I take to secure my computer and data communications. If you feel
there are any glaring errors or omissions, by all means
<a href="mailto:robt@robtougher.com">let me know</a>. My security policy is
far from perfect, and I'm very eager to hear about your practices and
experiences.
</p>

<a name=a></a>
<h2>a. References</h2>

<p>
The following is a list of sites I visit regularly to get
information on various security topics:
</p>

<ul>
<li><b>Advisories</b>
<ul>
<li><a href="http://www.cert.org/">CERT</a>
<li><a href="http://online.securityfocus.com/">SecurityFocus Online</a>
</ul>
<li><b>Exploits</b> (for educational use only!)
<ul>
<li><a href="http://packetstorm.decepticons.org/Exploit_Code_Archive/">packetstorm</a>
<li><a href="http://www.securiteam.com/exploits/">SecuriTeam</a>
<li><a href="http://www.insecure.org/sploits.html">Fyodor's Exploit World</a>
</ul>
<li><b>Forensics</b>
<ul>
<li><a href="http://www.porcupine.org/forensics/tct.html">The Coroner's Toolkit</a>
<li><a href="http://www.honeynet.org/">The Honeynet Project</a>
</ul>
<li><b>General</b>
<ul>
<li><a href="http://www.linuxsecurity.com/">Linux Security</a>
<li><a href="http://packetstorm.decepticons.org/">packetstorm</a>
<li><a href="http://www.startplaza.nu/">www.startplaza.nu</a>
</ul>
<li><b>Tools</b>
<ul>
<li><a href="http://www.gnupg.org">GnuPG</a>
<li><a href="http://www.insecure.org/tools.html">Insecure.org Top 50</a>
<li><a href="http://www.lids.org/">LIDS Project - Secure Linux System</a>
<li><a href="http://www.insecure.org/">NMAP Port Scanner</a>
<li><a href="http://www.snort.org/">SNORT Intrusion Detection System</a>
</ul>
</ul>

<!-- *** BEGIN bio *** -->
<SPACER TYPE="vertical" SIZE="30">
<P>
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">Rob Tougher</H4>
<EM>Rob is a C++ software engineer in the NYC area.
When not coding on his favorite platform, you can
find Rob strolling on the beach with his girlfriend, Nicole,
and their dog, Halley. </EM>

<!-- *** END bio *** -->

<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright © 2002, Rob Tougher.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 80 of <i>Linux Gazette</i>, July 2002</H5>
<!-- *** END copyright *** -->

<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->