Go Back   TechArena Community > ARENA > Guides & Tutorials
Become a Member!
Forgot your username/password?
Register Tags Active Topics RSS Search Mark Forums Read

Sponsored Links



How to secure your Linux Box : Part 1

Guides & Tutorials


Reply
 
Thread Tools Search this Thread
  #1  
Old 19-08-2004
Banned Users
 
Join Date: Jan 2004
Location: /home/n00b
Posts: 88
How to secure your Linux Box : Part 1
  

How to secure your Linux Box : Part 1

Recently, I have been watching a lot of my friends who use various versions of Windows getting a lot of viruses, mostly because of their negligence/ignorance. This sudden spurt in spread of Viruses/Worms/Trojans etc. made me think about Linux security. It also made me realise how vast this topic of "Securing a Linux Box" can be.
I tried searching Google for an easy and concise How-To on securing my Linux install but was unable to find one. It made me write this series of 3 very basic guides to enable a user put his first steps on the way of having a secure system.
This first part of the series will cover the basic tweaks that will help you close any open doors to your PC and remove any weak links that might lead to an easy way through your system.
So then lets start...

Reply With Quote
  #2  
Old 19-08-2004
Banned Users
 
Join Date: Jan 2004
Location: /home/n00b
Posts: 88
1) Password: The first step in making a Linux box secure is for you to realise that good passwords are back bone of Linux security. An easily guessed word or date or a dictionary word for that matter are as bad a password as none at all. The amazing thing is that even weak passwords can be turned into strong ones pretty easily. If you love your name and you always remember a particular date (may be your gf's b'day? ) then combining both of them in a random order might be a very good idea. For example: 14ab07ha19y83 is a way better password then just 'abhay' or '14071983'. Even better would be if you could add a few special characters to it like this 14ab#$07ha&^19y83. Yes the password is extremely difficult to remember thus you must practice it before you apply it to something as important as your root account.
If you are not smart enough or you are too lazy to make good passwords for your self then give a visit to
AllSeek.NFO or
TechZoom
The former is a better link as it also gives you a way to say your password so that you can remember it easily.
NOTE: I strictly recommend you making your own passwords instead of using such tools.

2) Securing LILO: Before everyone pounces on me by saying that "Oh!!! Start using GRUB", I would like to say that I am a bit old fashioned. Yes, I like LILO and love to stay with it but not with a HUGE flaw in its security. Before I go on explaining you as to how you can remove this major loophole, I would like to explain what it is.
If you are using LILO then rather than just pressing "Enter" key on the LILO prompt, write this on lilo prompt.
Code:
linux single
or
Code:
linux 1
You can see that I am just adding single or 1 after the word linux (this is the label with which you identify your Linux snippet in lilo.conf) and telling LILO to boot into single user mode. This single user mode will log you or any other smart-a$$ friend of yours in to a root shell where you can do everything you desire.
Some distros have grown out of this vulnerability and now add sulogin to their start up scripts. This will ask you for a root password once the system boots before taking you to the root shell but then there is a work around to this security as well by doing the following at the lilo prompt.
Code:
linux init=/bin/bash
Do you see what I am doing here? Yes you guessed it, I am telling init to launch /bin/bash as root as soon as the system starts. I could have launched any thing I wanted but /bin/bash would be the most convenient thing to have. The only problem in this method is that all your disks are mounted in ro mode i.e. read-only mode.
To get around this, pass the following commands
Code:
# fsck /
# mount -orw,remount /
Now, we are logged in as root no questions asked!!!
To get around this potentially serious security loop hole, you need to set a password for lilo so that you need to give the lilo password if you pass any comments to lilo prompt.
The resulting lilo.conf snippet will look something like this
Quote:
image = /boot/vmlinuz-2.6.8.1
label = slackware
restricted
password=<YourLILOPassword>

root = /dev/hdb2
read-only
The part in BOLD is the thing of concern here. I am telling LILO to have a restricted access with a password. Now everytime I pass some comments to LILO it will ask me for password. If I change restricted to mandatory then you will need to give password everytime you want to boot.
Also, you should change your lilo.conf permissions to 600 by passing the following command
Code:
#chmod 600 /etc/lilo.conf

Last edited by abhay : 19-08-2004 at 01:49 AM.
Reply With Quote
  #3  
Old 19-08-2004
Banned Users
 
Join Date: Jan 2004
Location: /home/n00b
Posts: 88
3) Open Ports, Services and nmap: nmap is a very important tool in managing your own security. It is a port scanner that can also tell which all ports are open on your system i.e. doors to your lovely home.
Pass the following command in a console window
Code:
root@darkstar:/home/abhay# nmap -P0 -O localhost

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-08-18 20:28 IST
Interesting ports on localhost (127.0.0.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
6000/tcp open  X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.5.25 - 2.5.70 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 0.058 days (since Wed Aug 18 19:04:33 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 5.371 seconds
root@darkstar:/home/abhay#
As you can see that I have three ports open. Two are for smtp and pop3 servers I run, (25 and 110 respectively) and 6000 is of X Server. You will have different results depending on open ports and running services on your system.
If you suspect something fishy and don't want a particular port to be opened on your PC then it is time to take action.

I Part: This part will involve finding out whether a port has been opened by a cracker or by a valid service on your system. To check whether the port has been opened by an official service, pass the following command.
Code:
cat /etc/services | grep <port>
If no output comes out then it means that the port is not associated with any known service. Next issue this command
Code:
netstat -anp | grep <port>
This command will tell you which process has opened the port and whether it is connecting to an IP or not. Usually a cracker will not allow an opened port to be reported in netstat so if you get an output from the above command then most probably it is a service separately installed from all the known services of the system.

II Part: This part deals with all the unwanted ports that has been reported by nmap. Now here comes the difficult part for me. There are various distros in market today and they use two different ways to handle services i.e. inetd and xinetd. I have more experience with inetd as Slackware Linux uses inetd to handle services but I will still try to throw some light on xinetd. For this part I would recommend using your distro specific control centre for dealing with services.

inetd part: To establish whether inetd demon is running or not pass the following command in a console window
Code:
root@darkstar:/home/abhay# ps aux | grep inetd
root      2289  0.0  0.1  1380  524 ?        Ss   22:25   0:00 /usr/sbin/inetd
root      2898  0.0  0.1  1676  584 pts/2    R+   22:47   0:00 grep inetd
The command and output is written above and it shows that inetd demon is running. Next step is to know which all services are being run by inetd.
Code:
root@darkstar:/home/abhay# grep -v "^#" /etc/inetd.conf
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd <system specific entry>
smtp    stream  tcp     nowait  root    /usr/sbin/tcpd <system spefici entry>
The command entered above shows that I have two services running for my pop3 and smtp servers (I have edited the part that shows which servers I am running).
Stopping services run by inetd is extremely easy. You need to edit the /etc/inetd.conf file and comment out the unwanted services by adding a hash (#) before each entry. For example: finger, ntalk and telnet etc.
Then restart the inetd demon or restart the PC. Run nmap and the whole process mentioned above to find more open ports and services related to them.

xinetd part: If you have xinetd managing your system services then you should pass the following commands to establish whether xinetd is running or not.
Code:
ps aux | grep xinetd
Now to check which all services xinetd is running on your PC, you need to pass the following command.
Code:
ls -l /etc/xinetd.d/*
This will give you a list of all the services installed and monitored by xinted on your PC. Each service has a different file. I am giving sample structure of a xinetd service file.
Code:
# default: off
# description: The talk server accepts talk requests for chatting with 
# users on other systems.
service talk
{
		disable  	= no
		socket_type	= dgram
		wait		= yes
		user		= nobody
		group		= tty
		server		= /usr/bin/in.talkd
}
Now, to switch the talk service off, change the disable value to yes instead of no. disable all the services you do not need and restart xinetd demon or restart the PC. Run nmap and the whole process mentioned above to find more open ports and services related to them.

Miscellaneous Part: Not all services are and should be managed by inetd or xinetd as the demon itself might have problems thus network services are slowly but surely moving out of the control of these two demons. If after following the above mentioned steps, you still find some opened ports then they must be because of the network services that are not being controlled by inetd or xinetd. To deal with them, you need to look into /etc/rc.d directory by passing following command.
Code:
# cd /etc/rc.d
# ls -l
There you will find various directories that might look like rc0.d, rc1.d and so on. The numbers in these directories represent the run-levels on which the scripts in these directories are executed. For example: If your system starts with X-windows then it is most probably starting at run-level 5 which will lead to the scripts in rc5.d directory being executed on start up (you can know more about runlevels by reading man inittab).
To disable services in these directories I highly recommend using GUI tools like Mandrake Control Center, linuxconf and YaST etc. but if you want to be playful then go ahead and delete the un-needed files in the runlevel directory. These are just softlinks to original files so you will not cause major damage to your system but you must know how to solve a boo-boo.
Go through the nmap procedure once again so that you are absolutely sure of which ports are open and whether you need them or not. Phew...a really long quest is over ;-)
Reply With Quote
  #4  
Old 19-08-2004
Banned Users
 
Join Date: Jan 2004
Location: /home/n00b
Posts: 88
4) host files: Now we come to a simple but effective protection setting. This setting is done using host files located in your /etc directory. These files are often over looked by avid tweakers as these files can be easily cheated but I like keeping them tuned. I will be giving output of my host files along with explaining what they do.
(i) /etc/hosts: This file contains a list of known hosts on network. I like to keep it clean with just localhost entries.
Code:
root@darkstar:/# cat /etc/hosts
127.0.0.1               localhost
127.0.0.1               darkstar.slacknet darkstar
(ii) /etc/host.conf: This file controls the resolver setup of a system i.e. this is the file that is looked at first whenever a connection attempt needs to be resolved.
Code:
root@darkstar:/# cat /etc/host.conf
order hosts, bind
multi on
nospoof on
Also look at man host.conf.

(iii) /etc/hosts.equiv: This file contains a list of all the hosts on network that should be given equivalent rights as that of the localhost.
Code:
root@darkstar:/# cat /etc/hosts.equiv
localhost
(iv) /etc/hosts.allow: This file contains a list of all the hosts that should be allowed to gain access to your system.
Code:
root@darkstar:/# cat /etc/hosts.allow
ALL: localhost
(v) /etc/hosts.deny: This file contains a list of all the hosts that are denied access to your system. I would recommend you to make your hosts.deny look like mine and if you need any system to get access then add that exception in hosts.allow file.
Code:
root@darkstar:/# cat /etc/hosts.deny
ALL: ALL
If used properly, host files can be very helpful in securing you.
All these files have self explanatory names but if you still need any help then you can ask about it.

5) Updates: Just like Windows, Linux softwares release updates/patches regularly. Linux softwares are not absolutely free from bugs or security loopholes so please do not fall for this myth. Make it a religious practice to update your distro using any package tool it comes with. These days an update tool is available for almost every distro. Either they are inbuilt or can be obtained as a third party application. Here are a few examples:-
Quote:
ArchLinux - Pacman
Debian - Apt + Synaptic
Fedora Core - Apt + Synaptic
SuSE - Apt, YaST Online Update (YOU)
Mandrake - urpmi
Gentoo - Portage
Slackware - SWARET / Slapt-Get
(If I have missed some distros offering good update tools then please PM me)
Any distro not offering easy and prompt updates is not worth using (IMHO). Make it a weekly or bi-weekly practice to check for updates and install them if necessary. (Refrain from updating gcc)

Last edited by abhay : 19-08-2004 at 01:57 AM.
Reply With Quote
  #5  
Old 19-08-2004
Banned Users
 
Join Date: Jan 2004
Location: /home/n00b
Posts: 88
6) Conclusion: After doing all the above mentioned things your system should be reasonably secure from cracking attacks but I would still like to point a few last minute things.
i) Lots of network related applications come with their own IP settings and they might allow you to give them a range of IP's that will be allowed to access the application. Use this feature to set per application IP settings.
ii) Always try and read README file and man pages. They are their for you reading and not for deleting purpose. They might give you very important stuff to secure yourself.
iii) Try to "compile and install" the programs rather than relying on pre-compiled binaries. Never and I mean NEVER use any precompiled applications until you trust the source.
iv) Never work as root until you MUST.

Please post whether this guide helped you or not and if you would like any additions in it. If you find any faults, spelling mistakes or grammatical errors then do PM me or send me a mail. My next guide in this series will require you to have a bit of prior knowledge about kernel compiling. If you don't know how to compile a kernel then I recommend you to read an extremely good guide written by kingkrool located here.

Disclaimer: This guide is written with no guarantee at all. All the tweaks have been tried and tested by me on my own Slackware 10 (Kernel 2.6.8.1) box. You MUST backup before trying any of the commands mentioned above. I must not be held responsible for any harm done by these tweaks to your system.

Copyleft: This guide is copylefted and comes with full open source feeling. If you want to copy the whole or any part of this guide then you are totally free to do so but I would love it if you gave me some credit and sent me a link if possible on abhay.kedia<at>gmail.com

Additional Reading:
Redhat Linux 9 Manual
Hacking Linux Exposed
man lilo.conf
man nmap
man inetd (or xinetd)
man hosts
man host.conf

Last edited by abhay : 19-08-2004 at 02:01 AM.
Reply With Quote
  #6  
Old 19-08-2004
Banned Users
 
Join Date: Feb 2004
Posts: 72
On fire man....
Will read this carefully soon.
Reply With Quote
  #7  
Old 19-08-2004
Member
 
Join Date: Apr 2004
Location: India
Posts: 1
very nice tut dude
thanks much
Reply With Quote
  #8  
Old 19-08-2004
Banned Users
 
Join Date: Feb 2004
Posts: 72
I hope u are gonna talk about ssh and all in ur next guide.
U need kernel recompiling for the next....
U planning on SELinux?
whoa baby......
Reply With Quote
  #9  
Old 19-08-2004
Banned Users
 
Join Date: Jan 2004
Location: /home/n00b
Posts: 88
kingkrool: nah man...i have not planned on writing about ssh in my future guides cos I don't have any resources for testing the ssh commands or setting up a sshd for that matter. i m on dial-up and don't have any trusted friends with whom I can establish a ssh session. sorry for that :-(
may be someone else will take on that job, who owns two or more networked PCs or has access to a trusted network.
btw you are getting too excited about that 'kernel recompiling' thing ;-P
i was talking about netfilter/iptables modules (that will be required for setting up your own firewall) and not SELinux. SELinux comes under linux "hardening" and not securing. that is way out of the league for these docs but still cos you asked about SELinux, i will talk a teeny weeny bit about "hardening" in my final guide. that will talk about not only SELinux but other access control programs too.
Reply With Quote
  #10  
Old 21-08-2004
Member
 
Join Date: Jan 2004
Location: /dev/null
Posts: 85
Hey abhay, nice guide, and good idea about the series.

What will the next part have?

Installing / configuring firewall, antivirus and such things ?

ooo exciting stuff can't wait

-

Could you write a small list of tweaks you've done to your slack sometime?

I have a nack of tweaking whatever I see, but, whenever I try to get too bold, something screws up (no backup & restore strategy works perfectly ), and mostly I remain clueless as to what thing to fix!

So something on those lines would be very helpful! don't mean to push you, take this as a suggestion for your next topic after this series..!!

Thanks again!

-

Last edited by rock_ya_baby : 21-08-2004 at 08:04 PM.
Reply With Quote
  #11  
Old 21-08-2004
binaryman
 
Posts: n/a
Amazing stuff man Abhay....
Even though i dont use linux or unix,
i have studied it in coll...
and believe me if i had one more hdd i would have had red hat linux on it...
and your tutorial explains everything quite well....
am looking forward to the next part...keep up the good work.
Reply With Quote
  #12  
Old 22-08-2004
Banned Users
 
Join Date: Jan 2004
Location: /home/n00b
Posts: 88
thanx for the encouragement guys. it feels nice to know that the work is being appreciated
ryb: tweaking slack is a good idea and if you want i will put in some points as starters after this series but i don't know how much i will be able to help you. still i will keep this suggestion in mind.
Reply With Quote
  #13  
Old 22-08-2004
Member
 
Join Date: Jan 2004
Location: /dev/null
Posts: 85
ThumbsUp

Thanks

-

Btw, http://www.linuxsecurity.com is an awesome site dedicated to linux security issues. That deserves a mention here.

Everyone serious about security of their OS should definitely subscribe to security-mailing list of their distros.

Slackware-security mailing list : http://www.slackware.com/lists

-

Last edited by rock_ya_baby : 22-08-2004 at 09:28 AM.
Reply With Quote
  #14  
Old 06-12-2004
Member
 
Join Date: Dec 2003
Location: 18.55 N and 72.54 E
Posts: 61
Ahh just what I was looking for. Repped Abhay thnx

Regards.
Reply With Quote
  #15  
Old 06-12-2004
cngn
 
Posts: n/a
Abhay how about putting the entire guide into a zip file and attaching it ? That way I can download it.. Thinking of Installing LINUX on one of my boxes here...

Sorry to be a pain in the (you know where), and if it's problem, I'm cool if you can't do it...
Reply With Quote
Reply

  TechArena Community > ARENA > Guides & Tutorials
Tags: , , ,



Thread Tools Search this Thread
Search this Thread:

Advanced Search


Similar Threads for: "How to secure your Linux Box : Part 1"
Thread Thread Starter Forum Replies Last Post
Tips to Secure Linux from Backdoor Innis Tips & Tweaks 4 31-12-2010 06:17 AM
Need help in building secure linux server Wenro Networking & Security 5 13-04-2010 01:05 PM
What are the ways to secure Linux network Angelica Maria Networking & Security 6 13-03-2010 09:08 AM
Is Linux is more secure than Windows XP? Sanith Operating Systems 3 07-02-2009 09:41 AM
How to secure Files in Linux? Vibhas Operating Systems 6 16-01-2009 07:15 AM


All times are GMT +5.5. The time now is 11:14 PM.