|
In this article I will explain how to make your Linux box secure
by taking basic security measures. This article will enable anybody
to tighten the security of a redhat Linux box.
Always set a password on BIOS to disallow booting from floppy
by changing the BIOS settings. This will block undesired
people from trying to boot your Linux system with a special
boot disk and will protect you from people trying to
change BIOS feature like allowing boot from floppy drive or booting
the server without password prompt.
Add the three parameters in "/etc./lilo.conf" file i.e. time-out,
restricted and password. These options will ask for password
if boot time options (such as "linux single") are passed to the
boot loader.
Step 1
Edit the lilo.conf file (vi /etc./lilo.conf) and add or change the three options
:
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
time-out=00 #change this line to 00
prompt
Default=linux
restricted #add this line
password=<password> #add this line and put your password
image=/boot/vmlinuz-2.2.14-12
label=linux
initrd=/boot/initrd-2.2.14-12.img
root=/dev/hda6
read-only
Step 2
The "/etc./lilo.conf" file should be readable by only root because
it contains unencrypted passwords.
[root@kapil /]# chmod 600 /etc./lilo.conf (will be no longer world readable).
Step 3
Update your configuration file "/etc./lilo.conf" for the change
to take effect.
[Root@kapil /]# /sbin/lilo -v (to update the lilo.conf file).
Step 4
One more security measure you can take to secure the "/etc./lilo.conf" file
is to set it immutable, using the chattr command.
* To set the file immutable simply, use the command:
[root@kapil /]# chattr +i /etc./lilo.conf
This will prevent any changes (accidental or otherwise) to the "lilo.conf" file.
For more information about lilo security, read my article on LILO.
You should delete all default users and group accounts
that you don't use on your system like lp, sync, shutdown, halt,
news, uucp, operator, games, gopher etc.
To delete a user account :
[root@kapil /]# userdel LP
To delete a group:
[root@kapil /]# groupdel LP
You should follow the following guidelines before choosing the
right password.
The password Length: The minimum acceptable password length
by default when you install your Linux system is 5. This
is not enough and must be 8. To do this you have to edit
the login.defs file (vi /etc./login.defs) and change the line
that read:
PASS_MIN_LEN 5
To read:
PASS_MIN_LEN 8
The "login.defs" is the configuration file for the login program.
You should enable the shadow password feature. You can use the "/usr/sbin/authconfig" utility
to enable the shadow password feature on your system. If you want
to convert the existing passwords and group on your system to shadow
passwords
and groups then you can use the commands pwconv, grpconv respectively.
The "root" account is the most privileged account on a Unix system. When the
administrator forgot to logout from the system root prompt before leaving the
system then the system should automatically logout from the shell. To do that,
you must set the special variable of Linux named "TMOUT" to the time
in seconds.
Edit your profile file "vi /etc./profile" and add the following line somewhere
after the line that read
"HISTFILESIZE="
TMOUT=3600
The value we enter for the variable "TMOUT=" is in second and represent 1 hours
(60 * 60 =
3600 seconds). If you put this line in your "/etc./profile" file, then
the automatic logout after one hour of inactivity will apply for all users
on the system. You can set this variable in user's individual ".bashrc " file
to automatically logout them after a certain time.
After this parameter has been set on your system, you must logout and login
again (as root) for the change to take effect.
You should disable all console-equivalent access to programs like shutdown,
reboot, and halt for regular users on your server.
To do this, run the following command:
[root@kapil /]# rm -f /etc./security/console.apps/<servicename>
Where <servicename> is the name of the program to which you wish to disable
console-equivalent access.
You should disable and uninstall all services that you do not use so
that you have one less thing to worry about. Look at your "/etc./inetd.conf" file
and disable what you do not need by commenting them out (by adding a
# at the beginning of the line), and then sending your inetd process a SIGHUP
command to update it to the current "inetd.conf" file. To do this:
Step 1
Change the permissions on "/etc./inetd.conf" file to 600, so that only root
can read or write to it.
[Root@kapil /]# chmod 600 /etc./inetd.conf
Step 2
ENSURE that the owner of the file "/etc./inetd.conf" is root.
Step 3
Edit the inetd.conf file (vi /etc./inetd.conf) and disable the services like:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth,
etc. unless you plan to use it. If it's turned off it's much less of a risk.
Step 4
Send a HUP signal to your inetd process
[root@kapil /]# killall -HUP inetd
Step 5
Set "/etc./inetd.conf" file immutable, using the chattr command
so that nobody can modify that file
* To set the file immutable simply, execute the following command:
[root@kapil /]# chattr +i /etc./inetd.conf
This will prevent any changes (accidental or otherwise) to the "inetd.conf" file.
The only person that can set or clear this attribute is the super-user root. To
modify the inetd.conf file you will need to unset the immutable flag:
* To unset the immutable simply, execute the following command:
[root@kapil /]# chattr -i /etc./inetd.conf
By using TCP_WRAPPERS you can make your server secure against
outside intrusion . The best policy is to deny all hosts by putting "ALL: ALL@ALL,
PARANOID" in the "/etc./hosts.deny" file and then explicitly list trusted
hosts who are allowed to your machine in the "/etc./hosts.allow" file. TCP_WRAPPERS
is controlled from two files and the search stops at the first match.
/etc/hosts.allow
/etc/hosts.deny
Step 1
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines:
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
Which means all services, all locations is blocked, unless they are permitted
access by entries in the allow file.
Step 2
Edit the hosts.allow file (vi /etc/hosts.allow) and add for example, the following
line:
As an example:
ftp: 202.54.15.99 foo.com
For your client machine: 202.54.15.99 is the IP address and foo.com the host
name of one of your client allowed using ftp.
Step 3
The tcpdchk program is the tcpd wrapper configuration checker. It examines
your tcp wrapper configuration and reports all potential and real problems
it can find.
* After your configuration is done, run the program tcpdchk.
[Root@kapil /]# tcpdchk
You should not display your system issue file when people log in
remotely . To do this, you can
change the telnet option in your "/etc/inetd.conf".
To do this change the line in "/etc/inetd.conf":
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
to look like:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
-h
Adding the "-h" flag on the end will cause the daemon to not display any system
information and just hit the user with a login: prompt. I will
recommend to use sshd instead.
The "/etc/host.conf" file specifies how names are resolved.
Edit the host.conf file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The first option is to resolve the host name through DNS first and then
hosts file.The multi option determines whether a host in the "/etc/hosts" file
can have multiple IP addresses (multiple interface ethN).
The nospoof option indicates to take care of not permitting spoofing on this
machine.
You must immunize the "/etc/services" file to prevent unauthorized deletion or
addition of services.
* To immunize the "/etc/services" file, use the command:
[root@kapil /]# chattr +i /etc/services
The "/etc./securetty" file allows you to specify which TTY devices the "root" user
is allowed to login . Edit the "/etc./securetty" file to disable any tty that
you do not need by commenting them out (# at the beginning of the line).
The su (Substitute User) command allows you to become other existing users
on the system. If you don't want anyone to su to root or restrict "su" command
to certain users then add the following two lines to the top of your "su" configuration
file in the "/etc./pam.d/" directory.
Step 1
Edit the su file (vi /etc./pam.d/su) and add the following two lines to the
top of the file:
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
Which means only members of the "wheel" group can su to root; it also includes logging.
You can add the users to the group wheel so that only those users will be allowed
to su as root.
The bash shell stores up to 500 old commands in the "~/.bash_history" file
(where "~/" is your home directory) to make it easy for you to repeat long
commands. Each user that has an account on the system will have this file "Bash_history" in
their home directory. The bash shell should store less number of commands and
delete it on logout of the user.
Step 1
The HISTFILESIZE and HISTSIZE lines in the "/etc./profile" file determine the
size of old commands the "Bash_history" file for all users on your system can
hold. I would highly recommend setting the HISTFILESIZE and HISTSIZE
in "/etc./profile" file to a low value such as 30.
Edit the profile file (vi /etc./profile) and change the lines to:
HISTFILESIZE=30
HISTSIZE=30
Which mean, the "Bash_history" file in each users home directory can store
20 old commands
and no more.
Step 2
The administrator should also add into the "/etc./skel/Bash_logout" file the
"
rm -f $HOME/Bash_history" line, so that each time a user logs
out, its "Bash_history" file will be deleted.
Edit the Bash_logout file (vi /etc./skel/Bash_logout) and add the following
line:
rm -f $HOME/Bash_history
To do this comment out the line (with a "#") listed below in your "/etc./inittab" file
.
To do this, edit the inittab file (vi /etc./inittab) and change the line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To read:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Now, for the change to take effect type in the following at a prompt:
[root@kapil /]# /sbin/init q
Fix the permissions of the script files that are responsible for starting and
stopping all your normal processes that need to run at boot time. To
do this:
[root@kapil/]# chmod -R 700 /etc./rc.d/init.d/*
Which means only root is allowed to Read, Write, and Execute scripts files
on this directory.
By default, when you login to a Linux box, it tells you the Linux distribution
name, version, kernel version, and the name of the server. This is sufficient
information for a crackers to get information about your server. You should
just prompt users with a "Login:" prompt.
Step 1
To do this, Edit the "/etc./rc.d/rc.local" file and Place "#" in front of the
following lines as shown:
# This will overwrite /etc./issue at every boot. So, make any changes
you
# want to make to /etc./issue here or you will lose them when you reboot.
#echo "" > /etc./issue
#echo "$R" >> /etc./issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc./issue
#
#cp -f /etc./issue /etc./issue.net
#echo >> /etc./issue
Step 2
Then, remove the following files: "issue.net" and "issue" under "/etc." directory:
[root@kapil /]# rm -f /etc./issue
[root@kapil /]# rm -f /etc./issue.net
A regular user will be able to run a program as root if it is set to SUID root.
A system administrator should minimize the use of these SUID/GUID programs
and disable the programs which are not needed.
Step 1
* To find all files with the `s' bits from root-owned programs, use the
command:
[root@kapil]# find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls lg
{} \;
* To disable the suid bits on selected programs
above, type the following commands:
[root@kapil /]# chmod a-s [program]
After following the above security guidelines, a system administrator can
maintain a basic level of system security. Some of the above tasks are a continuous
process. The system administrator has to continuously follow the above guidelines
to keep system secure.
This article is Copyright (c) 2000 by Kapil Sharma. This material
may be distributed only subject to the terms and conditions set forth in
the Open Publication License, v1.0 or later (the latest version is presently
available at http://www.opencontent.org/openpub/).
Written by: Kapil Sharma
Email:
Website: http://www.linux4biz.net
[Kapil Sharma is a Linux and Internet security consultant. He has been working
on various Linux/Unix systems and Internet Security for more than 4 years.
He is maintaining a web site http://www.linux4biz.net for
providing free as well as commercial support for web, Linux and Unix solutions.]
[Back]
|
