Linux Security: Linux Security Resources

General Security Tips

• AutoRPM on Red Hat and apt-get on Debian can be used to download and install any packages on your system for which there are updates. Use care when automatically updating production servers.

• IP Masquerading enables a Linux box with multiple interfaces to act as a gateway to remote networks for hosts connected to the Linux box on the internal network interface. See the IP Masquerading HOWTO for implementation information.

• Install nmap to determine potential communication channels. Can determine remote OS version, perform “stealth” scans by manipulating ICMP, TCP and UDP, and even potentially determine the remote username running the service. Start with something simple like:
# nmap 192.168.1.1

• Password-protect LILO for servers in public environments to require authorization when passing LILO command-line kernel parameters at boot time. Add the password and restricted arguments to /etc/lilo.conf, then be sure to re-run /sbin/lilo:
image = /boot/vmlinuz-2.2.17
label = Linux
read-only
restricted
password = your-password

• The OpenWall kernel patch is a useful set of kernel security improvements that helps to prevent buffer overflows, restrict information in /proc available to normal users, and other changes. Requires compiling the kernel, and not for newbies.

• Ensure system clocks are accurate. The time stamps on log files must be accurate so security events can be correlated with remote systems. Inaccurate records make it impossible to build a timeline. For workstations, it is enough to add a crontab entry:
0-59/30 * * * * root /usr/sbin/ntpdate -su time.timehost.com

• Install and execute the Bastille Linux hardening tool. Bastille is a suite of shell scripts that eliminates many of the vulnerabilities that are common on default Linux installations. It enables users to make educated choices to improve security by asking questions as it interactively steps through securing the host. Features include basic packet filtering, deactivating unnecessary network services, auditing file permissions, and more. Try the non-intrusive test mode first.

• Configure sudo (superuser do) to execute privileged commands as a normal user instead of using su. The administrator supplies his own password to execute specific commands that would otherwise require root access. The file /etc/sudoers file controls which users may execute which programs. To permit Dave to only manipulate the printer on magneto:
Cmnd_Alias LPCMDS = /usr/sbin/lpc, /usr/bin/lprm
dave magneto = LPCMDS
Dave executes sudo with the authorized command and enters his own password
when prompted:
dave$ sudo /usr/sbin/lpc
Password:
lpc>

• Password security is the most basic means of authentication, yet the most critical means to protect your system from compromise. It is also one of the most overlooked means. Without an effective well-chosen password, your system is sure to be compromised. Obtaining access to any user account on the system is the tough part. From there, root access is only a step away. Run password-cracking programs such as John the Ripper or Crack regularly on systems for which you’re responsible to ensure password security is maintained. Disable unused accounts using /usr/bin/passwd -l. Use the MD5 password during install if your distribution supports it.

• Packet filtering isn’t just for firewalls. Using ipchains, you can provide a significant amount of protection from external threats on any Linux box. Blocking access to a particular service from connecting outside of your local network you might try:
# ipchains -I input -p TCP -s 192.168.1.11 telnet -j DENY -l
This will prevent incoming access to the telnet port on your local machine if the connection originates from 192.168.1.11. This is a very simple example. Be sure to read the IP Chains HOWTO before implementing any firewalling.

* Apache directory and password protection
http://www.apacheweek.com/features/userauth

* Bastille Linux Project
http://www.bastille-linux.org

* BugTraq Full Disclosure Mailing List
http://www.securityfocus.com/forums/bugtraq/intro.html

* Building Internet Firewalls, Second Edition
O'Reilly & Assoc, ISBN 1565928717

* CERT Security Improvement Modules
http://www.cert.org/security-improvement

* Introduction to Linux Security
http://www.linux-mag.com/1999-10/security_01.html

* Linux Intrusion Detection Resources
http://www.linuxsecurity.com/intrusion-detection

* John the Ripper Password Cracker
http://www.openwall.com/john

* Linux and Open Source Security Advisories
http://www.linuxsecurity.com/advisories

* LinuxSecurity.com Security Reference Info
http://www.linuxsecurity.com/docs

* LinuxSecurity.com Security Discussion Lists
http://www.linuxsecurity.com/mailing-lists.html

* LinuxSecurity.com Tip of the Day
http://www.linuxsecurity.com/tips

* LinuxSecurity.com Weekly Security Newsletter
http://www.linuxsecurity.com/newsletter.html

* OpenSSH secure remote access tool
http://www.openssh.com

* OpenWall Security Project
http://www.openwall.com

* Network Time Protocol information
http://www.ntp.org

* nmap Port Scanner
http://www.insecure.org/nmap

* Practical UNIX & Internet Security, Second Ed.
O'Reilly & Assoc, ISBN 1565921488

* rsync Incremental File Transfer Utility
http://rsync.samba.org

* Secure Shell FAQ
http://www.employees.org/~satch/ssh/faq/

* Security-related HOWTOs and FAQs
http://www.linuxsecurity.com/docs

* Site Security Handbook (RFC2196)
http://www.linuxsecurity.com/docs/rfcs/rfc2196.txt

* sudo root access control tool
http://www.courtesan.com/sudo

* Snort Network Intrusion Detection System
http://www.snort.org

* Tripwire file integrity tool
http://www.tripwiresecurity.com

* Using Snort
http://www.linuxsecurity.com/using-snort.html

Security Glossary

• Buffer Overflow: A condition that occurs when a user or process attempts to place more data into a program’s storage buffer in memory and then overwrites the actual program data with instructions that typically provide a shell owned by root on the server. Accounted for more than 50 percent of all major security bugs leading to security advisories published by CERT. Typically associated with set-user-ID root binaries.

• Cryptography: The mathematical science that deals with transforming data to render its meaning unintelligible, prevent its undetected alteration, or prevent its unauthorized use.

• Denial of Service: Occurs when a resource is targeted by an intruder to prevent legitimate users from using that resource. They are a threat to the availability of data to all others trying to use that resource. Range from unplugging the network connection to consuming all the available network bandwidth.

• IP Spoofing: An attack in which one host masquerades as another. This can be used to route data destined for one host to antoher, thereby allowing attackers to intercept data not originally intended for them. It is typically a one-way attack.

• Port Scanning: The process of determining which ports are active on a machine. By probing as many hosts as possible, means to exploit the ones that respond can be developed. It is typically the precursor to an attack.

• Packet Filtering: A method of filtering network traffic as it passes between the firewall’s interfaces at the network level. The network data is then analyzed according to the information available in the data packet, and access is granted or denied based on the firewall security policy. Usually requires an intimate knowledge of how network protocols work.

• Proxy Gateway: Also called Application Gateways, act on behalf of another program. A host with a proxy server installed becomes both a server and a client, and acts as a choke between the final destination and the client. Proxy servers are typically small, carefully-written single-purpose programs that only permit specific services to pass through it. Typically combined with packet filters.

• Set User-ID (setuid) / Set Group-ID (setgid): Files that everyone can execute as either it's owner or group privileges. Typically, you'll find root-owned setuid files, which means that regardless of who executes them, they obtain root permission for the period of time the program is running (or until that program intentionally relinquishes these privileges). These are the types of files that are most often attacked by intruders, because of the potential for obtaining root privileges. Commonly associated with buffer overflows.

• Trojan Horse: A program that masquerades itself as a benign program, when in fact it is not. A program can be modified by a malicious programmer that purports to do something useful, but in fact contains a malicious program containing hidden functions, exploiting the privileges of the user executing it. A modified version of /bin/ps, for example, may be used to hide the presence of other programs running on the system.

• Vulnerability: A condition that has the potential for allowing security to be compromised. Many different types of network and local vulnerabilities exist and are widely known, and frequently occur on computers regardless of their level of network connectivity, processing speed, or profile.

Linux Security

General Security Tips

Linux Security Resources

security.fx-vista

1. Security Publications

2. Crypto, Virology, Cracking And Backdoors

3. Unix And Linux Security

4. What You Can Do To Keep Your System Safe

5. Phreaking Information

6. Windows Security

7. Law, Privacy, Wetware, Hardware, File Sharing

8. The Standards That Define The Internet

9. Computer Security Information

Security Glossary