For Securing your Linux System
Notes from the Red Hat Linux Security Seminar (July 23, 2002)
General Best Practices:
- Patches - Patch your system often. Check for operating system patches at your vendor web site on a regular (weekly) basis, and stay informed about security issues on lists such as Bugtraq. If using an RPM based distribution, use AutoRPM or Red Hat's up2date program to watch for updates/patches.
- Firewall - Restrict access to your system services by configuring and using tcp wrappers and ipchains/iptables to allow only authorized hosts and users to connect to network services.
- Physical Security - If you cannot ensure the physical security of the system, then disable control+alt+delete to reboot, disable boot from removable media, set a password for the LILO prompt, disable plug and play settings in BIOS, set a password in the BIOS, and allow only authorized users (root, administrators) to log in from the console. Perform regular system backups.
- Encryption - Use sshd for terminal access in place of telnetd, such as OpenSSH or PuTTY. Use the Sudo command in place of root logins (see http://www.courtesan.com/sudo/) for elevated access with logging.
- Network Services - Deactivate all network services that are not in use on the system: pop3d, imapd, ftpd, fingerd, bind, named, httpd, linuxconf, sendmail, portmapper, lpr
- File System Security - Review file permissions using the least access rule; allow write access only where needed. Review /etc/passwd, /etc/shadow, /etc/security/ files (access, group, limits, times, etc) for correct configuration. Restrict elevated authority by finding Set UID root programs (see monitoring below) and removing the SUID bit if possible, and by removing all access to directories, programs and/or compilers that users donât need.
- NFS - Review network file exports: do not export / or /bin or /etc. Disable NFS and portmapper if not needed.
- Passwords - Ensure strong authentication is used via PAM facilities, and all default (shipped) passwords are changed. Use a stronger encryption for passwords instead of crypt, such as md5.
- Monitor - Keep an eye on your system by reviewing the syslog often (minimally log all kernel, warning and error messages), reviewing open ports (netstat -an) and running processes (ps -ef), regularly reviewing the network configuration (inetd.conf or xinet.d/*) and scheduled processes (cron or at jobs), and by performing a Set UID Root audit with the "find / -perm +4000 -uid 0 -print" command to reviewing changes in world executable programs that run as root.
Hardening your Linux System with the Bastille Script
The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system, and currently supports Red Hat and Mandrake Linux. The objective is to provide the most secure, yet usable, system possible. Bastille Linux draws from every available major reputable source on Linux Security, and has been designed to educate the installing administrator about the security issues involved in each of the script's tasks. Each step is optional and contains a description of the security issues involved. See
http://www.bastille-linux.org/ for more information and to download the executables.
Documentation and Online Resources
Red Hat Docs: http://www.redhat.com/apps/support/documentation.html
Linux Headquarters: http://www.linuxheadquarters.com/
Caldera Linux: http://www.calderasystems.com/products/