415 lines
9.1 KiB
HTML
415 lines
9.1 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Security Preparation (before you go on-line)</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux Security HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Network Security"
|
|
HREF="network-security.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="What To Do During and After a Breakin"
|
|
HREF="after-breakin.html"></HEAD
|
|
><BODY
|
|
CLASS="sect1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux Security HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="network-security.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="after-breakin.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="sect1"
|
|
><H1
|
|
CLASS="sect1"
|
|
><A
|
|
NAME="secure-prep"
|
|
></A
|
|
>9. Security Preparation (before you go on-line)</H1
|
|
><P
|
|
> Ok, so you have checked over your system, and determined it's as secure
|
|
as feasible, and you're ready to put it online. There are a few things
|
|
you should now do in order to prepare for an intrusion,
|
|
so you can quickly disable the intruder, and get
|
|
back up and running.
|
|
</P
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN1129"
|
|
></A
|
|
>9.1. Make a Full Backup of Your Machine</H2
|
|
><P
|
|
> Discussion of backup methods and storage is beyond the scope of this
|
|
document, but here are a few words relating to backups and security:
|
|
</P
|
|
><P
|
|
> If you have less than 650mb of data to store on a partition, a CD-R
|
|
copy of your data is a good way to go (as it's hard to tamper with
|
|
later, and if stored properly can last a long time), you will of
|
|
course need at least 650MB of space to make the image. Tapes and other
|
|
re-writable media should be write-protected as soon as your backup is
|
|
complete, and then verified to prevent tampering. Make sure you store your
|
|
backups in a secure off-line area. A good backup will ensure that you
|
|
have a known good point to restore your system from.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN1133"
|
|
></A
|
|
>9.2. Choosing a Good Backup Schedule</H2
|
|
><P
|
|
> A six-tape cycle is easy to maintain. This includes four tapes
|
|
for during the week, one tape for even Fridays, and one tape for odd
|
|
Fridays. Perform an incremental backup every day, and a full backup
|
|
on the appropriate Friday tape. If you make some particularly important
|
|
changes or add some important data to your system, a full backup might
|
|
well be in order.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN1136"
|
|
></A
|
|
>9.3. Testing your backups</H2
|
|
><P
|
|
> You should do periodic tests of your backups to make sure they are
|
|
working as you might expect them to. Restores of files and checking
|
|
against the real data, sizes and listings of backups, and reading old
|
|
backups should be done on a regular basis.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN1139"
|
|
></A
|
|
>9.4. Backup Your RPM or Debian File Database</H2
|
|
><P
|
|
> In the event of an intrusion, you can use your RPM database like you
|
|
would use <TT
|
|
CLASS="literal"
|
|
>tripwire</TT
|
|
>, but only if you can be sure it too hasn't been
|
|
modified. You should copy the RPM database to a floppy, and keep this
|
|
copy off-line at all times. The Debian distribution likely has
|
|
something similar.
|
|
</P
|
|
><P
|
|
> The files <TT
|
|
CLASS="literal"
|
|
>/var/lib/rpm/fileindex.rpm</TT
|
|
> and
|
|
<TT
|
|
CLASS="literal"
|
|
>/var/lib/rpm/packages.rpm</TT
|
|
> most likely won't fit on a single floppy.
|
|
But if compressed, each should fit on a seperate floppy.
|
|
</P
|
|
><P
|
|
> Now, when your system is compromised, you can use the command:
|
|
</P
|
|
><P
|
|
>
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> root# rpm -Va
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
|
|
to verify each file on the system. See the <TT
|
|
CLASS="literal"
|
|
>rpm</TT
|
|
> man page, as there are
|
|
a few other options that can be included to make it less verbose.
|
|
Keep in mind you must also be sure your RPM binary has not been
|
|
compromised.
|
|
</P
|
|
><P
|
|
> This means that every time a new RPM is added to the system, the RPM
|
|
database will need to be rearchived. You will have to decide the
|
|
advantages versus drawbacks.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="logs"
|
|
></A
|
|
>9.5. Keep Track of Your System Accounting Data</H2
|
|
><P
|
|
> It is very important that the information that comes from <TT
|
|
CLASS="literal"
|
|
>syslog</TT
|
|
>
|
|
not be compromised. Making the files in <TT
|
|
CLASS="literal"
|
|
>/var/log</TT
|
|
> readable and
|
|
writable by only a limited number of users is a good start.
|
|
</P
|
|
><P
|
|
> Be sure to keep an eye on what gets written there, especially under
|
|
the <TT
|
|
CLASS="literal"
|
|
>auth</TT
|
|
> facility. Multiple login failures, for example, can
|
|
indicate an attempted break-in.
|
|
</P
|
|
><P
|
|
> Where to look for your log file will depend on your distribution. In a
|
|
Linux system that conforms to the "Linux Filesystem Standard", such as
|
|
Red Hat, you will want to look in <TT
|
|
CLASS="literal"
|
|
>/var/log</TT
|
|
> and check <TT
|
|
CLASS="literal"
|
|
>messages</TT
|
|
>,
|
|
<TT
|
|
CLASS="literal"
|
|
>mail.log</TT
|
|
>, and others.
|
|
</P
|
|
><P
|
|
> You can find out where your distribution is logging to by looking at
|
|
your <TT
|
|
CLASS="literal"
|
|
>/etc/syslog.conf</TT
|
|
> file. This is the file that tells
|
|
<TT
|
|
CLASS="literal"
|
|
>syslogd</TT
|
|
> (the system logging daemon) where to log various messages.
|
|
</P
|
|
><P
|
|
> You might also want to configure your log-rotating script or daemon to
|
|
keep logs around longer so you have time to examine them. Take a look
|
|
at the <TT
|
|
CLASS="literal"
|
|
>logrotate</TT
|
|
> package on recent Red Hat distributions. Other
|
|
distributions likely have a similar process.
|
|
</P
|
|
><P
|
|
> If your log files have been tampered with, see if you can determine
|
|
when the tampering started, and what sort of things appeared to be
|
|
tampered with. Are there large periods of time that cannot be accounted
|
|
for? Checking backup tapes (if you have any) for untampered log files
|
|
is a good idea.
|
|
</P
|
|
><P
|
|
> Intruders typically modify log files in order to cover their
|
|
tracks, but they should still be checked for strange happenings. You
|
|
may notice the intruder attempting to gain entrance, or exploit a
|
|
program in order to obtain the root account. You might see log entries
|
|
before the intruder has time to modify them.
|
|
</P
|
|
><P
|
|
> You should also be sure to separate the <TT
|
|
CLASS="literal"
|
|
>auth</TT
|
|
> facility from other log
|
|
data, including attempts to switch users using <TT
|
|
CLASS="literal"
|
|
>su</TT
|
|
>, login attempts,
|
|
and other user accounting information.
|
|
</P
|
|
><P
|
|
> If possible, configure <TT
|
|
CLASS="literal"
|
|
>syslog</TT
|
|
> to send a copy of the most important
|
|
data to a secure system. This will prevent an intruder from covering
|
|
his tracks by deleting his login/su/ftp/etc attempts. See the
|
|
<TT
|
|
CLASS="literal"
|
|
>syslog.conf</TT
|
|
> man page, and refer to the <TT
|
|
CLASS="literal"
|
|
>@</TT
|
|
> option.
|
|
</P
|
|
><P
|
|
> There are several more advanced <TT
|
|
CLASS="literal"
|
|
>syslogd</TT
|
|
> programs out
|
|
there. Take a look at <A
|
|
HREF="http://www.core-sdi.com/ssyslog/"
|
|
TARGET="_top"
|
|
>http://www.core-sdi.com/ssyslog/</A
|
|
> for Secure Syslog. Secure
|
|
Syslog allows you to encrypt your syslog entries and make sure no one
|
|
has tampered with them.
|
|
</P
|
|
><P
|
|
> Another <TT
|
|
CLASS="literal"
|
|
>syslogd</TT
|
|
> with more features is <A
|
|
HREF="http://www.balabit.hu/en/downloads/syslog-ng/"
|
|
TARGET="_top"
|
|
>syslog-ng</A
|
|
>. It allows you a lot more flexibility in your
|
|
logging and also can has your remote syslog streams to prevent
|
|
tampering.
|
|
</P
|
|
><P
|
|
> Finally, log files are much less useful when no one is reading
|
|
them. Take some time out every once in a while to look over your log
|
|
files, and get a feeling for what they look like on a normal
|
|
day. Knowing this can help make unusual things stand out.
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="sect2"
|
|
><H2
|
|
CLASS="sect2"
|
|
><A
|
|
NAME="AEN1183"
|
|
></A
|
|
>9.6. Apply All New System Updates.</H2
|
|
><P
|
|
> Most Linux users install from a CD-ROM. Due to the fast-paced nature of
|
|
security fixes, new (fixed) programs are always being released. Before
|
|
you connect your machine to the network, it's a good idea to check with your
|
|
distribution's ftp site and get all the updated packages since you
|
|
received your distribution CD-ROM. Many times these packages contain
|
|
important security fixes, so it's a good idea to get them installed.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="network-security.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="after-breakin.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Network Security</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>What To Do During and After a Breakin</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |