Adding Security to Common Linux Distributions

ArticleCategory: [Choose a category, translators: do not translate this, see list below for available categories]

System Administration

AuthorImage:[Here we need a little image from you]

[Photo of the Author]

TranslationInfo:[Author + translation history. mailto: or http://homepage]

original in en Michael Jastremski

AboutTheAuthor:[A small biography about the author]

Michael Jastremski has been hacking Unix for about the past four years. His website can usually be found at http://westphila.net/mike . He thanks Andrew <andy(at)westphila.net> for help with his English.

Abstract:[Here you write a little summary]

This article discusses ways in which system administrators can help secure there system from intruders. It discusses several ways to improve the security of Linux systems.

ArticleIllustration:[One image that will end up at the top of the article]

[Illustration]

ArticleBody:[The main part of the article]

Introduction

Large scale attempts at compromising internet computers are becoming commonplace. Linux and FreeBSD servers have increasingly become the target of recent attacks, involving buffer overflows in the imapd and BIND sources. Every day, vulnerabilities of all shapes and sizes are unleashed upon the nearly 20,000 subscribers of BUGTRAQ mailing list (If you only subscribe to one security mailing list, this is the one ).

It would be judicious to assume that at least one of those 19,305 subscribers is going to write a for() loop and a little bit of logic around a cut+paste exploit in the hope of efficiently gaining access to as many computers as possible..

Sooner or later, the loop will construct the address of your computer. There is no time like the present to prepare.

Despite what some 'experts' may have you believe, installing and maintaining a secure computer isn't rocket science.. Sound system administration practices serve as protection from the menaces of the global network. This article describes some of the precautions i generally take when configuring a networked RedHat Linux system. While this article provides guidelines for protecting your computer from the malicious intent of others, it is not intended to be a complete reference.

The following are some steps which will hopefully prevent your installation from falling victim the next publicized hole in your network software. WARNING: If you're not exactly sure of what you're doing, don't do it. Some of these steps assume a moderate degree of cluefulness on your part. Warranty void in Alaska,Hawaii & Puerto Rico. Some suggested reading is mentioned at the end..

Steps to safety

1. Remove all unnecessary network services from your system. Fewer ways to connect to your computer equal fewer ways for an intruder to break in to your computer. Comment out everything you don't need from /etc/inetd.conf. Don't need telnet on this system? Disable it. Same goes for ftpd,rshd,rexecd,gopher,chargen, echo,pop3d and friends. Dont forget to do a 'killall -HUP inetd' after editing inetd.conf. Also don't neglect the /etc/rc.d/init.d directory. Some network services (BIND,printer daemons) are standalone programs started from these scripts.

2. Install SSH. SSH is a drop-in replacement for most of those antiquated Berkeley 'r' commands. From the homepage at http://www.cs.hut.fi/ssh.

Ssh (Secure Shell) is a program to log into another 
computer over a network, to execute commands in a
remote machine, and to move files from one machine 
to another. It provides strong authentication 
and secure communications over insecure channels.

It also does lots of other stuff any aspiring hacker should find interesting. Download SSH from http://ftp.rge.com/pub/ssh .

3. Use vipw(1) to lock any non-login accounts. Note that under RedHat Linux, accounts with a null login shell names are default to /bin/sh, which is probably not what you want. Also make sure that none of your accounts have null password fields. The following is an example of what the system part of a healthy password file might look like.

  daemon:*:2:2:daemon:/sbin:/bin/sync
  adm:*:3:4:adm:/var/adm:/bin/sync
  lp:*:4:7:lp:/var/spool/lpd:/bin/sync
  sync:*:5:0:sync:/sbin:/bin/sync
  shutdown:*:6:0:shutdown:/bin:/sync
  halt:*:7:0:halt:/sbin:/bin:/sync
  mail:*:8:12:mail:/var/spool/mail:/bin/sync
  news:*:9:13:news:/var/spool/news:/bin/sync
  uucp:*:10:14:uucp:/var/spool/uucp:/bin/sync
  operator:*:11:0:operator:/root:/bin/sync
  games:*:12:100:games:/usr/games:/bin/sync
  gopher:*:13:30:gopher:/usr/lib/gopher-data:/bin/sync
  ftp:*:14:50:FTP User:/home/ftp:/bin/sync
  nobody:*:99:99:Nobody:/:/bin/sync                    

4. Remove the 's' bits from root-owned programs that won't require such privelege. This can be accomplished by executing the command 'chmod a-s' with the name(s) of the offending files as it's arguments.

Such programs include, but aren't limited to:

  1. programs you never use
  2. programs that you don't want any non-root users to run
  3. programs you use occasionallly, and don't mind having to su(1) to root to run.

I've placed an asterisk (*) next to each program i personally might disable. Remember that your system needs some suid root programs to work properly, so be careful.

Alternately, you could create a special group called 'suidexec', place trusted user accounts into this group. chgrp(1) the iffy suid program(s) to the suidexec group, and remove the world execute permissions.

     
# find / -user root -perm "-u+s"    
*/bin/ping              
*/bin/mount              -- only root should be mounting
                            filesystems
*/bin/umount             -- same here    
/bin/su                  -- don't touch this!
/bin/login
/sbin/pwdb_chkpwd
*/sbin/cardctl           -- PCMCIA card control utility
*/usr/bin/rcp            -- Use ssh
*/usr/bin/rlogin         -- ditto
*/usr/bin/rsh            --  "
*/usr/bin/at             -- use cron, or disable altogether
*/usr/bin/lpq            -- install LPRNG
*/usr/bin/lpr            -- "
*/usr/bin/lprm           -- "
*/usr/bin/mh/inc
*/usr/bin/mh/msgchk
/usr/bin/passwd          -- don't touch! 
*/usr/bin/suidperl       -- each new version of suidperl 
                         seems to have a buffer overflow
*/usr/bin/sperl5.003     -- use it only if necessary
/usr/bin/procmail        -- 
*/usr/bin/chfn
*/usr/bin/chsh
*/usr/bin/newgrp
*/usr/bin/crontab               
*/usr/X11R6/bin/dga      -- lots of buffer overflows 
                            in X11 as well
*/usr/X11R6/bin/xterm    -- "
*/usr/X11R6/bin/XF86_SVGA   -- "    
*/usr/sbin/usernetctl           
/usr/sbin/sendmail
*/usr/sbin/traceroute    -- you can  stand to type the 
                         root password once in a while.

5. Upgrade sendmail. Download the source from ftp://ftp.sendmail.org/pub/sendma il. Unpack it and read the instructions. Install smrsh (packaged with sendmail) if you have a couple extra minutes. this program addresses many of the concerns people have with sendmail, such as sending email to arbitrary programs. Edit sendmail.cf and set the 'PrivacyOptions' option to 'goaway':

        O PrivacyOptions=goaway

If you don't plan to receive internet email, DON'T RUN SENDMAIL IN RECEIVE MODE (sendmail -bd)!. In this case, disable /etc/rc.d/init.d/sendmail.init and do a 'killall -TERM sendmail'. You'll still be able to send outbound email.

6. Upgrade BIND if you use it. The latest BIND can be found at http://www.isc.org . Otherwise disable it altogether.

7. Recompile the kernel. I usually do this if just to reduce the bloat of the default kernel. HINT: turn on all of the firewalling options even if the computer isn't a firewall.

       
        CONFIG_FIREWALL=y
        CONFIG_NET_ALIAS=y
        CONFIG_INET=y
        # CONFIG_IP_FORWARD is not set
        # CONFIG_IP_MULTICAST is not set
        CONFIG_SYN_COOKIES=y
        CONFIG_RST_COOKIES=y
        CONFIG_IP_FIREWALL=y
        CONFIG_IP_FIREWALL_VERBOSE=y
        # CONFIG_IP_MASQUERADE is not set
        # CONFIG_IP_TRANSPARENT_PROXY is not set
        CONFIG_IP_ALWAYS_DEFRAG=y
        CONFIG_IP_ACCT=y
        # CONFIG_IP_ROUTER is not set
        # CONFIG_NET_IPIP is not set
        CONFIG_IP_ALIAS=m

8. Apply patches: Any known problems with their software can be found at RedHat on their Errata pages. (see http://www.redhat.com/support/docs/errata.html to see which patches apply to your release. RedHat does a very good job of keeping those pages up to date. They also includes links to the RPM files you'll need with installation instructions.

9. Configure tcp_wrappers: Tcp_wrappers are a method for controlling which computers on the 'net(c) are permitted to 'talk' to your computer. This package, written by security guru Wieste Venema, sits in front of programs run from inetd (or those linked with it's library) consulting it's configuration files to determine whether to deny or permit a network transaction. For example, to allow telnet & ftp from home via your isp, while denying everything else, put the following in /etc/hosts.allow:

        in.ftpd : .dialup.your-isp.com : allow
        all : all : deny 

SSH, sendmail and other packages can be built with tcp_wrappers support. Read the tcpd(1) manual page for further information.