old-www/LDP/intro-linux/html/sect_10_06.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Security</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Introduction to Linux"
HREF="index.html"><LINK
REL="UP"
TITLE="Networking"
HREF="chap_10.html"><LINK
REL="PREVIOUS"
TITLE="Remote execution of applications"
HREF="sect_10_05.html"><LINK
REL="NEXT"
TITLE="Summary"
HREF="sect_10_08.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Introduction to Linux: </TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="sect_10_05.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 10. Networking</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="sect_10_08.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="sect_10_06"
></A
>10.5. Security</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_10_06_01"
></A
>10.5.1. Introduction</H2
><P
>As soon as a computer is connected to the network, all kinds of abuse becomes possible, be it a UNIX-based or any other system.  Admittedly, mountains of papers have been spilled on this subject and it would lead us too far to discuss the subject of security in detail.  There are, however, a couple of fairly logical things even a novice user can do to obtain a very secure system, because most break-ins are the result of ignorant or careless users.</P
><P
>Maybe you are asking yourself if this all applies to you, using your computer at home or working at your office on a desktop in a fairly protected environment.  The questions you should be asking yourself, however, are more on the lines of:</P
><P
></P
><UL
><LI
><P
>Do you want to be in control of your own system?</P
></LI
><LI
><P
>Do you want to (unwittingly) participate in criminal activities?</P
></LI
><LI
><P
>Do you want your equipment to be used by someone else?</P
></LI
><LI
><P
>Do you want to take risks on losing your Internet connection?</P
></LI
><LI
><P
>Do you want to rebuild your system every time it has been hacked?</P
></LI
><LI
><P
>Do you want to risk personal or other data loss?</P
></LI
></UL
><P
>Presuming you don't, we will quickly list the steps you can take to secure your machine.  Extended information can be found in the <A
HREF="http://www.tldp.org/HOWTO/Security-HOWTO.html"
TARGET="_top"
>Linux Security HOWTO</A
>.</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_10_06_02"
></A
>10.5.2. Services</H2
><P
>The goal is to run as few services as possible.  If the number of ports that are open for the outside world are kept to a minimum, this is all the better to keep an overview.  If services can't be turned off for the local network, try to at least disable them for outside connections.</P
><P
>A rule of thumb is that if you don't recognize a particular service, you probably won't need it anyway.  Also keep in mind that some services are not really meant to be used over the Internet.  Don't rely on what <EM
>should</EM
> be running, check which services are listening on what TCP ports using the <B
CLASS="command"
>netstat</B
> command:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;<TT
CLASS="prompt"
>[elly@mars ~]</TT
> <B
CLASS="command"
>netstat -l | grep tcp</B
>
tcp     0      0 *:32769                 *:*      LISTEN
tcp     0      0 *:32771                 *:*      LISTEN
tcp     0      0 *:printer               *:*      LISTEN
tcp     0      0 *:kerberos_master       *:*      LISTEN
tcp     0      0 *:sunrpc                *:*      LISTEN
tcp     0      0 *:6001                  *:*      LISTEN
tcp     0      0 *:785                   *:*      LISTEN
tcp     0      0 localhost.localdom:smtp *:*      LISTEN
tcp     0      0 *:ftp                   *:*      LISTEN
tcp     0      0 *:ssh                   *:*      LISTEN
tcp     0      0 ::1:x11-ssh-offset      *:*      LISTEN
</PRE
></FONT
></TD
></TR
></TABLE
><P
>Things to avoid:</P
><P
></P
><UL
><LI
><P
><B
CLASS="command"
>exec</B
>, <B
CLASS="command"
>rlogin</B
> and <B
CLASS="command"
>rsh</B
>, and <B
CLASS="command"
>telnet</B
> just to be on the safe side.</P
></LI
><LI
><P
>X11 on server machines.</P
></LI
><LI
><P
>No lp if no printer is physically attached.</P
></LI
><LI
><P
>No MS Windows hosts in the network, no Samba required.</P
></LI
><LI
><P
>Don't allow FTP unless an FTP server is required.</P
></LI
><LI
><P
>Don't allow NFS and NIS over the Internet, disable all related services on a stand-alone installation.</P
></LI
><LI
><P
>Don't run an MTA if you're not actually on a mail server.</P
></LI
><LI
><P
>...</P
></LI
></UL
><P
>Stop running services using the <B
CLASS="command"
>chkconfig</B
> command, the initscripts or by editing the <B
CLASS="command"
>(x)inetd</B
> configuration files.
</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_10_06_03"
></A
>10.5.3. Update regularly</H2
><P
>Its ability to adapt quickly in an ever changing environment is what makes Linux thrive.  But it also creates a possibility that security updates have been released even while you are installing a brand new version, so the first thing you should do (and this goes for about any OS you can think of) after installing is getting the updates as soon as possible.  After that, update <EM
>all</EM
> the packages you use regularly.</P
><P
>Some updates may require new configuration files, and old files may be replaced.  Check the documentation, and ensure that everything runs normal after updating.</P
><P
>Most Linux distributions provide mailing list services for security update announcements, and tools for applying updates to the system.  General Linux only security issues are reported among others at <A
HREF="http://linuxsecurity.com"
TARGET="_top"
>Linuxsecurity.com</A
>.</P
><P
>Updating is an ongoing process, so it should be an almost daily habit.</P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_10_06_04"
></A
>10.5.4. Firewalls and access policies</H2
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_10_06_04_01"
></A
>10.5.4.1. What is a firewall?</H3
><P
>In the previous section we already mentioned firewall capabilities in Linux.  While firewall administration is one of the tasks of your network admin, you should know a couple of things about firewalls.</P
><P
><EM
>Firewall</EM
> is a vague term that can mean anything that acts as a protective barrier between us and the outside world, generally the Internet.  A firewall can be a dedicated system or a specific application that provides this functionality. Or it can be a combination of components, including various combinations of hardware and software. Firewalls are built from <SPAN
CLASS="QUOTE"
>"rules"</SPAN
> that are used to define what is allowed to enter and/or exit a given system or network.</P
><P
>After disabling unnecessary services, we now want to restrict accepted services as to allow only the minimum required connections.  A fine example is working from home: only the specific connection between your office and your home should be allowed, connections from other machines on the Internet should be blocked.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_10_06_04_02"
></A
>10.5.4.2. Packet filters</H3
><P
>The first line of defense is a <EM
>packet filter</EM
>, which can look inside IP packets and make decisions based on the content.  Most common is the <SPAN
CLASS="application"
>Netfilter</SPAN
> package, providing the <B
CLASS="command"
>iptables</B
> command, a next generation packet filter for Linux.</P
><P
>One of the most noteworthy enhancements in the newer kernels is the <EM
>stateful inspection</EM
> feature, which not only tells what is inside a packet, but also detects if a packet belongs or is related to a new or existing connection.</P
><P
>The <SPAN
CLASS="application"
>Shoreline Firewall</SPAN
> or <SPAN
CLASS="application"
>Shorewall</SPAN
> for short is a front-end for the standard firewall functionality in Linux.</P
><P
>More information can be found at <A
HREF="http://www.netfilter.org/"
TARGET="_top"
>the Netfilter/iptables project page</A
>.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_10_06_04_03"
></A
>10.5.4.3. TCP wrappers</H3
><P
>TCP wrapping provides much the same results as the packet filters, but works differently.  The wrapper actually accepts the connection attempt, then examines configuration files and decides whether to accept or reject the connection request.  It controls connections at the application level rather than at the network level.</P
><P
>TCP wrappers are typically used with <B
CLASS="command"
>xinetd</B
> to provide host name and IP-address-based access control.  In addition, these tools include logging and utilization management capabilities that are easy to configure.</P
><P
>The advantages of TCP wrappers are that the connecting client is unaware that wrappers are used, and that they operate separately from the applications they protect.</P
><P
>The host based access is controlled in the <TT
CLASS="filename"
>hosts.allow</TT
> and <TT
CLASS="filename"
>hosts.deny</TT
> files.  More information can be found in the TCP wrapper documentation files in <TT
CLASS="filename"
>/usr/share/doc/tcp_wrappers[-&#60;version&#62;/]</TT
> or <TT
CLASS="filename"
>/usr/share/doc/tcp</TT
> and in the man pages for the host based access control files, which contain examples.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_10_07_04_04"
></A
>10.5.4.4. Proxies</H3
><P
>Proxies can perform various duties, not all of which have much to do with security. But the fact that they are an intermediary make proxies a good place to enforce access control policies, limit direct connections through a firewall, and control how the network behind the proxy looks to the Internet.</P
><P
>Usually in combination with a packet filter, but sometimes all by themselves, proxies provide an extra level of control.  More information can be found in the <A
HREF="http://www.tldp.org/HOWTO/Firewall-HOWTO.html"
TARGET="_top"
>Firewall HOWTO</A
> or on the Squid website.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_10_07_04_05"
></A
>10.5.4.5. Access to individual applications</H3
><P
>Some servers may have their own access control features.  Common examples include <SPAN
CLASS="application"
>Samba</SPAN
>, <SPAN
CLASS="application"
>X Window</SPAN
>, <SPAN
CLASS="application"
>Bind</SPAN
>, <SPAN
CLASS="application"
>Apache</SPAN
> and CUPS.  For every service you want to offer check which configuration files apply.</P
></DIV
><DIV
CLASS="sect3"
><H3
CLASS="sect3"
><A
NAME="sect_10_07_04_06"
></A
>10.5.4.6. Log files</H3
><P
>If anything, the UNIX way of logging all kinds of activities into all kinds of files confirms that <SPAN
CLASS="QUOTE"
>"it is doing something."</SPAN
>  Of course, log files should be checked regularly, manually or automatically.  Firewalls and other means of access control tend to create huge amounts of log files, so the trick is to try and only log abnormal activities.</P
></DIV
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_10_07_05"
></A
>10.5.5. Intrusion detection</H2
><P
> Intrusion Detection Systems are designed to catch what might have gotten past the firewall. They can either be designed to catch an active break-in attempt in progress, or to detect a successful break-in after the fact. In the latter case, it is too late to prevent any damage, but at least we have early awareness of a problem.  There are two basic types of IDS:  those protecting networks, and those protecting individual hosts.</P
><P
> For host based IDS, this is done with utilities that monitor the file system for changes. System files that have changed in some way, but should not change, are a dead give-away that something is amiss. Anyone who gets in and gets root access will presumably make changes to the system somewhere. This is usually the very first thing done, either so he can get back in through a backdoor, or to launch an attack against someone else, in which case, he has to change or add files to the system.  Some systems come with the <B
CLASS="command"
>tripwire</B
> monitoring system, which is documented at the <A
HREF="http://www.tripwire.org"
TARGET="_top"
>Tripwire Open Source Project</A
> website.</P
><P
>Network intrusion detection is handled by a system that sees all the traffic that passes the firewall (not by portscanners, which advertise usable ports).  <A
HREF="http://www.snort.org"
TARGET="_top"
>Snort</A
> is an Open Source example of such a program.  Whitehats.com features an open Intrusion detection database, <A
HREF="http://www.whitehats.com"
TARGET="_top"
>arachNIDS</A
>.  </P
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_10_07_06"
></A
>10.5.6. More tips</H2
><P
>Some general things you should keep in mind:</P
><P
></P
><UL
><LI
><P
>Do not allow root logins.  UNIX developers came up with the <B
CLASS="command"
>su</B
> over two decades ago for extra security.</P
></LI
><LI
><P
>Direct root access is always dangerous and susceptible to human errors, be it by allowing root login or by using the <B
CLASS="command"
>su <TT
CLASS="option"
>-</TT
></B
> command.  Rather than using <B
CLASS="command"
>su</B
>, it is even better to use <B
CLASS="command"
>sudo</B
> to only execute the command that you need extra permissions for, and to return afterwards to your own environment.</P
></LI
><LI
><P
>Take passwords seriously.  Use shadow passwords.  Change your passwords regularly.</P
></LI
><LI
><P
>Try to always use SSH or SSL.  Avoid <B
CLASS="command"
>telnet</B
>, FTP and E-mail clients and other client programs which send unencrypted passwords over the network.  Security is not only about securing your computer, it is also about securing your passwords.</P
></LI
><LI
><P
>Limit resources using <B
CLASS="command"
>quota</B
> and/or <B
CLASS="command"
>ulimit</B
>.</P
></LI
><LI
><P
>The mail for root should be delivered to, or at least read by, an actual person.</P
></LI
><LI
><P
>The <A
HREF="http://www.sans.org"
TARGET="_top"
>SANS institute</A
> has more tips and tricks, sorted per distribution, with mailing list service.</P
></LI
><LI
><P
>Check the origin of new software, get it from a trusted place/site.  Verify new packages before installing.</P
></LI
><LI
><P
>When using a non-permanent Internet connection, shut it down as soon as you don't need it anymore.</P
></LI
><LI
><P
>Run private services on odd ports instead of the ones expected by possible hackers.</P
></LI
><LI
><P
>Know your system.  After a while, you can almost feel when something is happening.</P
></LI
></UL
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_10_07_07"
></A
>10.5.7. Have I been hacked?</H2
><P
>How can you tell?  This is a checklist of suspicious events:</P
><P
></P
><UL
><LI
><P
>Mysterious open ports, strange processes.</P
></LI
><LI
><P
>System utilities (common commands) behaving strange.</P
></LI
><LI
><P
>Login problems.</P
></LI
><LI
><P
>Unexplained bandwidth usage.</P
></LI
><LI
><P
>Damaged or missing log files, syslog daemon behaving strange.</P
></LI
><LI
><P
>Interfaces in unusual modes.</P
></LI
><LI
><P
>Unexpectedly modified configuration files.</P
></LI
><LI
><P
>Strange entries in shell history files.</P
></LI
><LI
><P
>Unidentified temporary files.</P
></LI
></UL
></DIV
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="sect_10_07_08"
></A
>10.5.8. Recovering from intrusion</H2
><P
>In short, stay calm.  Then take the following actions in this order:</P
><P
></P
><UL
><LI
><P
>Disconnect the machine from the network.</P
></LI
><LI
><P
>Try to find out as much as you can about how your security was breached.</P
></LI
><LI
><P
>Backup important non-system data.  If possible, check these data against existing backups, made before the system was compromised, to ensure data integrity.</P
></LI
><LI
><P
>Re-install the system.</P
></LI
><LI
><P
>Use new passwords.</P
></LI
><LI
><P
>Restore from system and data backups.</P
></LI
><LI
><P
>Apply all available updates.</P
></LI
><LI
><P
>Re-examine the system:  block off unnecessary services, check firewall rules and other access policies.</P
></LI
><LI
><P
>Reconnect.</P
></LI
></UL
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="sect_10_05.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="sect_10_08.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Remote execution of applications</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="chap_10.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Summary</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>