Linux Security Guide by Joey.
Created on October 11th, 1999.
Last modified on September 19th, 2003.
Linux is stable, free and versatile. Yet none of that means a thing when you log into your machine to find that someone has gained unauthorized access to your system and taken it upon themselves to wipe your hard drive clean.
The only way to make your Linux system (or any computer system for that matter) 100% secure is to turn off the computer, unplug it and place it in a locked closet. And even then, a good locksmith would still get access to your machine. ;) Unfortunately, locking your powered-off system in a closet will likely be a problem for 99.99% of Linux users out there. Basically, having a secure system just means that you keep all the programs on your system updated and you know a little more than the guy/gal who is trying to break in.
The first thing you should do is set up a firewall. If you are using Kernel version 2.4.x you can find a very simple firewall script located at http://www.linuxhelp.ca/guides/iptables. If you are not sure what Kernel version you are running you can type uname -r at the shell prompt.
If you are using version 2.2.x of the Linux Kernel, you can find an IPChains script at http://www.linuxhelp.ca/guides/ipchains.
For those of you still using version 2.0.x of the Linux Kernel, you must use a different tool called IPFWADM (IP firewall and accounting administration). You can find our IPFWADM script at http://www.linuxhelp.ca/guides/ipfwadm.
Installing and configuring the firewall is pretty simple. First make sure you have IPTables, IPChains or IPFWADM installed depending on your Kernel version. Then simply open up the firewall script with your favorite text editor (nano, pico, vi, joe etc) and follow the instructions inside the script.
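The two pieces of that procedure, picking the tool for your kernel series and applying a default-deny ruleset, can be seen together in the following added example. It is not the linuxhelp.ca script the guide links to. The function names are my own; the ruleset is only printed, so you can read it before running it as root, and the iptables syntax shown is the 2.4-era state-match form.

```shell
#!/bin/sh
# Added example, not the script referenced in the guide.

# Map a kernel release string (as printed by `uname -r`) to the packet
# filter the guide recommends for that series.  Prints one word.
# (2.6 and later kernels, which postdate the guide, also use iptables.)
kernel_firewall_tool() {
    case "$1" in
        2.[46].*|[3-9].*) echo iptables ;;
        2.2.*)            echo ipchains ;;
        2.0.*)            echo ipfwadm ;;
        *)                echo unknown ;;
    esac
}

# Print a minimal iptables ruleset: allow loopback, allow replies to
# connections this host started, open only the TCP ports given as
# arguments (e.g. 22 for SSH), and finally switch INPUT to drop-by-default.
# The policy change comes last so that a remote admin applying this over
# SSH is not locked out between the DROP and the ACCEPT rules.
# Nothing is applied here; review the output, then run it as root.
iptables_ruleset() {
    echo 'iptables -F INPUT'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT ACCEPT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo 'iptables -P INPUT DROP'
}

# Usage:
#   kernel_firewall_tool "$(uname -r)"   # prints e.g. iptables
#   iptables_ruleset 22 | sh             # as root, once you are happy with it
```

Ports you do not list stay closed, which is the point: add a port only when you know which daemon listens on it and why.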
Another very important security measure is to always keep the software installed on your machine updated. Many Linux distributions now have some form of automated update. For example, Red Hat has up2date and Debian has apt-get.
You will also want to sign up to a few Mailing Lists. This way when your favorite Linux distribution releases a security update you will receive an email letting you know.
By not keeping the installed software updated you make yourself a prime target for people looking to break into systems.
Another way to improve system security is to disable any service/daemon that you are not using. Be sure to do your homework before randomly killing off services that you might possibly need. If you are running Red Hat Linux or Mandrake Linux you can type setup as root and go into the "System Services" section to enable/disable applications that load at boot time. Make sure you don't have anything listed here that you don't need running by removing the * next to it. A couple of things you probably don't want running are named, netfs, nfs, portmap, pcmcia, rstatd, rwhod and rusersd.
Now, if you run Debian GNU/Linux, these services can be found in /etc/init.d. Here you can simply disable something from starting up by removing the file from /etc/init.d followed by running the update-rc.d command. An example would be:
# rm -rf /etc/init.d/alsa
# update-rc.d alsa remove
 Removing any system startup links for /etc/init.d/alsa ...
   /etc/rc0.d/K20alsa
   /etc/rc1.d/K20alsa
   /etc/rc2.d/S20alsa
   /etc/rc3.d/S20alsa
   /etc/rc4.d/S20alsa
   /etc/rc5.d/S20alsa
   /etc/rc6.d/K20alsa
If you are sure you won't be using a particular service or daemon you might as well delete it from your system. On RPM-based systems you would run rpm -e package. For example, if you wanted to remove bind you would execute rpm -e bind. On Debian you can run dpkg -r package or apt-get remove package.
xinetd runs on your machine and listens for any connections to certain ports. When a connection is made, it reads the files in /etc/xinetd.d/ and decides if a specified service should run. You should edit all the files in /etc/xinetd.d/ and make sure you have disable = yes set in all of them. Once you've done this you can run /etc/init.d/xinetd restart to reload the xinetd daemon.
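Going through every file in /etc/xinetd.d by hand is error-prone, so here is an added example (my own, not part of the guide) that lists the services whose file still lacks a "disable = yes" line. It takes the directory as an argument so it can be pointed at a test copy; the sample files it builds under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the guide: audit an xinetd.d directory.

# Print the name of every service file in DIR that is not disabled.
# A service counts as disabled only if it has an uncommented line of the
# form "disable = yes" (any spacing, any case).
xinetd_enabled_services() {   # xinetd_enabled_services DIR
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            continue
        fi
        basename "$f"
    done
}

# Constructed sample: two services disabled, one explicitly enabled and
# one (telnet) with no disable line at all, which xinetd treats as enabled.
make_sample_xinetd_dir() {
    dir=$(mktemp -d)
    printf 'service echo\n{\n\tdisable = yes\n}\n'        > "$dir/echo"
    printf 'service finger\n{\n\tdisable\t=\tYES\n}\n'    > "$dir/finger"
    printf 'service telnet\n{\n\tsocket_type = stream\n}\n' > "$dir/telnet"
    printf 'service rsync\n{\n\tdisable = no\n}\n'        > "$dir/rsync"
    echo "$dir"
}

# Usage on a real system (as root):
#   xinetd_enabled_services /etc/xinetd.d
# Then set "disable = yes" in each file reported and run
#   /etc/init.d/xinetd restart
```

Run against the sample directory it reports rsync and telnet; the telnet case is the one people miss, because a file with no disable line at all is still live.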
The selection of a good password is a must. Basing it on a word you can find in a dictionary is a no-no. Your password should be at least 6 to 8 characters in length and contain upper- and lowercase letters as well as numerals and punctuation. As well, users should consider changing their password every few months. You can test the strength of your password at http://www.securitystats.com/tools/password.php.
Monitoring the traffic on your internet connection or LAN is another way to help protect yourself. I believe that the best tool for this job is IPTraf. You can find an Installation Guide here.
You will also want to download and install a port scanner called nmap, which can be found at http://www.insecure.org/nmap/. This tool is excellent for scanning your machines and networked machines for open ports.
Tripwire is a neat program that gathers a database of every "important" file on your system and then every night it compares the database to the actual filesystem and emails you all the changed files. This is a good way to see if you have been cracked into and if anyone has replaced vital programs with trojans. You can find Tripwire at www.tripwiresecurity.com and read our Tripwire Setup Guide at http://www.linuxhelp.ca/guides/tripwire/
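To show what Tripwire's nightly comparison boils down to, here is an added example of a minimal file-integrity baseline. It is my own illustration, not Tripwire, and it only compares SHA-256 hashes; Tripwire also records ownership, permissions and inode data, and signs its database. It assumes sha256sum from GNU coreutils is available, and the files it creates for the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not Tripwire: hash baseline and nightly comparison.

# Write one "hash  ./path" line per regular file under DIR, sorted by path.
integrity_baseline() {      # integrity_baseline DIR > baseline.txt
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2)
}

# Compare a saved baseline with the current state of DIR and print one
# line per difference: "CHANGED <path>", "ADDED <path>" or "REMOVED <path>".
integrity_check() {         # integrity_check DIR BASELINE
    current=$(mktemp)
    integrity_baseline "$1" > "$current"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         ($2 in old) { if (old[$2] != $1) print "CHANGED " $2; delete old[$2]; next }
         { print "ADDED " $2 }
         END { for (p in old) print "REMOVED " p }' "$2" "$current"
    rm -f "$current"
}

# Constructed demonstration: take a baseline, then replace one file,
# remove one and add one, and report what changed.
integrity_demo() {
    dir=$(mktemp -d); base=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/passwd"
    printf 'original contents\n'           > "$dir/ls"
    printf 'unchanged\n'                   > "$dir/hosts"
    integrity_baseline "$dir" > "$base"
    printf 'replaced contents\n'           > "$dir/ls"
    rm -f "$dir/passwd"
    printf 'new file\n'                    > "$dir/extra"
    integrity_check "$dir" "$base"
    rm -rf "$dir" "$base"
}

# Usage on a real system: keep the baseline somewhere the machine cannot
# silently rewrite it (read-only media or another host), e.g.
#   integrity_baseline /usr/bin > /mnt/cdrom/usr-bin.base   # once
#   integrity_check /usr/bin /mnt/cdrom/usr-bin.base          # nightly, from cron
```

The baseline's storage matters as much as the check: an attacker who can replace /bin/ls can also rewrite a baseline that lives on the same disk, which is why Tripwire signs its database and the guide suggests mailing the report off the box.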
Secure Shell (SSH) is a secure replacement for telnet. When you use telnet to log into a remote machine, your password is sent in plain text, allowing it to be sniffed. With SSH, strong cryptography is used to protect all transmitted confidential data, including passwords, binary files and administrative commands. For those who are interested in running SSH you can have a look at our SSH Installation Guide.
The /etc/hosts.allow file determines which IPs are authorized to access services on the system. You should have the following line in your /etc/hosts.allow file:
ALL: LOCAL
This means that your system will accept any connections coming from the local machine. If you have your own LAN set up, you can also put in the IPs of the LAN machines. I have 2 other computers on my LAN so my /etc/hosts.allow looks like the following:
ALL: LOCAL
ALL: 10.10.10.12
ALL: 10.10.10.13
The /etc/hosts.deny file, as you might have guessed, contains hosts that are not allowed to access services on your system. If you are not running a public FTP server or a mail server it is safe to place the following in this file:
ALL: ALL
This will deny everyone access to services running on the machine. Now let's say you do need telnet or FTP open, but only for a few people or the local LAN: you can place those hosts/IPs in /etc/hosts.allow. For more information on hosts.allow and hosts.deny you can try 'man hosts.deny' and 'man hosts.allow' (which should provide man pages on most machines).
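The order in which the two files are consulted is what makes "ALL: ALL" in hosts.deny safe: hosts.allow is checked first and wins, hosts.deny is checked second, and a client matching neither is let in. The following added example models that decision for the rule forms used above (it is my own illustration, not the tcpd or libwrap code). It assumes LOCAL matches only 127.0.0.1, a simplification of the real rule (any hostname without a dot), and it ignores netmasks, hostnames, EXCEPT and shell commands; the sample allow and deny files it writes are constructed.

```shell
#!/bin/sh
# Added example, not libwrap: a simplified hosts.allow / hosts.deny matcher.

# Return 0 if FILE has a line granting DAEMON to CLIENT_IP.
# Understood client forms: ALL, LOCAL (assumed = 127.0.0.1 here), an exact
# IP, and a trailing-dot prefix such as "10.10.10." for a whole subnet.
wrap_match() {   # wrap_match FILE DAEMON CLIENT_IP
    [ -f "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        d=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
        for c in $(printf '%s' "${line#*:}" | tr ',' ' '); do
            case "$c" in
                ALL)   return 0 ;;
                LOCAL) [ "$3" = 127.0.0.1 ] && return 0 ;;
                *.)    case "$3" in "$c"*) return 0 ;; esac ;;
                *)     [ "$c" = "$3" ] && return 0 ;;
            esac
        done
    done < "$1"
    return 1
}

# Decide as tcpd does: allow file first, then deny file, else allowed.
wrap_decide() {  # wrap_decide ALLOW_FILE DENY_FILE DAEMON CLIENT_IP
    if wrap_match "$1" "$3" "$4"; then echo allow
    elif wrap_match "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed demonstration using the guide's own hosts.allow plus one
# subnet rule for FTP, and "ALL: ALL" in hosts.deny.
wrap_demo() {
    allow=$(mktemp); deny=$(mktemp)
    printf 'ALL: LOCAL\nALL: 10.10.10.12\nALL: 10.10.10.13\nin.ftpd: 10.10.10.\n' > "$allow"
    printf 'ALL: ALL\n' > "$deny"
    for ip in 127.0.0.1 10.10.10.12 10.10.10.99 192.168.1.5; do
        echo "in.telnetd from $ip: $(wrap_decide "$allow" "$deny" in.telnetd "$ip")"
    done
    echo "in.ftpd from 10.10.10.99: $(wrap_decide "$allow" "$deny" in.ftpd 10.10.10.99)"
    rm -f "$allow" "$deny"
}
```

Note the last branch of wrap_decide: with no hosts.deny at all, every unlisted host is allowed, which is why the deny file with "ALL: ALL" is the part that actually closes the door.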
You can run the following command to create a text file of all the setuid root files on your system. These files are often used for local buffer overflow exploits to gain root access. You can generate the file by running the following as root:
find / -user root -perm -4000 -print > setuid.txt
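A one-off list is only useful if you compare it against an earlier one: the change worth noticing is a setuid binary that was not there before. The following added example (my own, not from the guide) wraps the find command above in a snapshot function and diffs two snapshots. The owner filter is an optional argument so the demonstration can run as an ordinary user on a temporary directory; on a real system pass root, and note the added -xdev, which keeps find on one filesystem so it does not wander into /proc or network mounts. The files the demo creates are constructed.

```shell
#!/bin/sh
# Added example, not from the guide: setuid baseline and diff.

# List setuid regular files under ROOT, sorted.  If OWNER is given, only
# files owned by that user are listed (pass root for the guide's check).
setuid_snapshot() {   # setuid_snapshot ROOT [OWNER]
    if [ -n "$2" ]; then
        find "$1" -xdev -type f -user "$2" -perm -4000 -print | sort
    else
        find "$1" -xdev -type f -perm -4000 -print | sort
    fi
}

# Report setuid files that appeared or disappeared between two snapshots.
# Both inputs must be sorted, which setuid_snapshot guarantees.
setuid_diff() {       # setuid_diff OLD_SNAPSHOT NEW_SNAPSHOT
    comm -13 "$1" "$2" | sed 's/^/NEW SETUID: /'
    comm -23 "$1" "$2" | sed 's/^/GONE SETUID: /'
}

# Constructed demonstration: one setuid file in the baseline, then a new
# setuid file appears and the original loses its setuid bit.
setuid_demo() {
    root=$(mktemp -d); old=$(mktemp); new=$(mktemp)
    mkdir "$root/bin"
    : > "$root/bin/passwd"; chmod 4755 "$root/bin/passwd"
    : > "$root/bin/ls";     chmod 755  "$root/bin/ls"
    setuid_snapshot "$root" > "$old"
    : > "$root/bin/newtool"; chmod 4755 "$root/bin/newtool"
    chmod 755 "$root/bin/passwd"
    setuid_snapshot "$root" > "$new"
    setuid_diff "$old" "$new"
    rm -rf "$root" "$old" "$new"
}

# Usage on a real system, as root:
#   setuid_snapshot / root > /var/lib/setuid.base        # once, when the box is known-good
#   setuid_snapshot / root > /tmp/setuid.now && setuid_diff /var/lib/setuid.base /tmp/setuid.now
```

Run the second usage line from cron and mail yourself the output; an empty report is the normal case, and a "NEW SETUID" line is worth investigating immediately.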
Another popular way in is through FTP. If you are not running an FTP server, please delete the FTP user from the system (userdel ftp).
Don't run what you don't need. If you don't use it, then uninstall it. If you run sendmail or apache, keep it updated, ESPECIALLY Sendmail. Never let anyone telnet or ssh into your computer that you don't know and never accept any "cool" files from people on IRC. If you haven't noticed already, you have to be majorly paranoid about everything and everybody.
One last thing, try and keep your cool around people, especially on IRC. If you go around pissing people off, one day when you're at school/work/whatever you might come home to an unwanted surprise. So try to not make too many enemies.