kevin-securityhowto@tummy.com
dave@linuxsecurity.com
v2.0, 11 June 2002
The very latest version of this document should also be available in various formats from:
and
Note: Please send your feedback to both authors. Also, be sure and include "Linux" "security", or "HOWTO" in your subject to avoid Kevin's spam filter.
As far as we know, only programs that, under certain terms may be used or evaluated for personal purposes will be described. Most of the programs will be available, complete with source, under GNU terms.
In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, it. Even other users on your system may maliciously transform your data into something you did not intend. Unauthorized access to your system may be obtained by intruders, also known as "crackers", who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources. If you're wondering what the difference is between a "Hacker" and a "Cracker", see Eric Raymond's document, "How to Become A Hacker", available at http://www.tuxedo.org/~esr/faqs/hacker-howto.html.
If you are a medium to large-sized site, you should establish a security policy stating how much security is required by your site and what auditing is in place to check it. You can find a well-known security policy example at http://www.faqs.org/rfcs/rfc2196.html. It has been recently updated, and contains a great framework for establishing a security policy for your company.
A generally-accepted security policy starts with the phrase
" That which is not permitted is prohibited"
rfc1244 is a document that describes how to create your own network security policy.
rfc1281 is a document that shows an example security policy with detailed descriptions of each step.
Finally, you might want to look at the COAST policy archive at ftp://coast.cs.purdue.edu/pub/doc/policy to see what some real-life security policies look like.
This document has been divided into a number of sections. They cover several broad security issues. The first, Section 3, covers how you need to protect your physical machine from tampering. The second, Section 4, describes how to protect your system from tampering by local users. The third, Section 5, shows you how to setup your file systems and permissions on your files. The next, Section 6, discusses how to use encryption to better secure your machine and network. Section 7 discusses what kernel options you should set or be aware of for a more secure system. Section 8, describes how to better secure your Linux system from network attacks. Section 9, discusses how to prepare your machine(s) before bringing them on-line. Next, Section 10, discusses what to do when you detect a system compromise in progress or detect one that has recently happened. In Section 11, some primary security resources are enumerated. The Q and A section Section 13, answers some frequently-asked questions, and finally a conclusion in Section 14
The two main points to realize when reading this document are:
Be aware of your system. Check system logs such as /var/log/messages and keep an eye on your system, and
Keep your system up-to-date by making sure you have installed the current versions of software and have upgraded per security alerts. Just doing this will help make your system markedly more secure.
I tested an Award BIOS and AWARD_PW worked. These passwords are quite easily available from manufacturers' websites and http://astalavista.box.sk and as such a BIOS password cannot be considered adequate protection from a knowledgeable attacker.
Many x86 BIOSs also allow you to specify various other good security settings. Check your BIOS manual or look at it the next time you boot up. For example, some BIOSs disallow booting from floppy drives and some require passwords to access some BIOS features.
Note: If you have a server machine, and you set up a boot password, your machine will not boot up unattended. Keep in mind that you will need to come in and supply the password in the event of a power failure. ;(
password=password
The per-image option `password=...' (see below) applies to all images.
restricted
The per-image option `restricted' (see below) applies to all images.
password=password
Protect the image by a password.
restricted
A password is only required to boot the image if
parameters are specified on the command line
(e.g. single).
|
Several good rules of thumb when allowing other people legitimate access to your Linux machine:
Many local user accounts that are used in security compromises have not been used in months or years. Since no one is using them they, provide the ideal attack vehicle.
Several tricks to avoid messing up your own box as root:
The /etc/securetty file contains a list of terminals that root can login from. By default (on Red Hat Linux) this is set to only the local virtual consoles(vtys). Be very wary of adding anything else to this file. You should be able to login remotely as your regular user account and then su if you need to (hopefully over Section 6.4 or other encrypted channel), so there is no need to be able to login directly as root.
Always be slow and deliberate running as root. Your actions could affect a lot of things. Think before you type!
If you absolutely positively need to allow someone (hopefully very trusted) to have root access to your machine, there are a few tools that can help. sudo allows users to use their password to access a limited set of commands as root. This would allow you to, for instance, let a user be able to eject and mount removable media on your Linux box, but have no other root privileges. sudo also keeps a log of all successful and unsuccessful sudo attempts, allowing you to track down who used what command to do what. For this reason sudo works well even in places where a number of people have root access, because it helps you keep track of changes made.
Although sudo can be used to give specific users specific privileges for specific tasks, it does have several shortcomings. It should be used only for a limited set of tasks, like restarting a server, or adding new users. Any program that offers a shell escape will give root access to a user invoking it via sudo. This includes most editors, for example. Also, a program as innocuous as /bin/cat can be used to overwrite files, which could allow root to be exploited. Consider sudo as a means for accountability, and don't expect it to replace the root user and still be secure.
Configure your users' file-creation umask to be as restrictive as possible. See Section 5.1.
If you are mounting file systems using a network file system such as NFS, be sure to configure /etc/exports with suitable restrictions. Typically, using `nodev', `nosuid', and perhaps `noexec', are desirable.
Set file system limits instead of allowing unlimited as is the default. You can control the per-user limits using the resource-limits PAM module and /etc/pam.d/limits.conf. For example, limits for group users might look like this:
@users hard core 0 @users hard nproc 50 @users hard rss 5000 |
This says to prohibit the creation of core files, restrict the number of processes to 50, and restrict memory usage per user to 5M.
You can also use the /etc/login.defs configuration file to set the same limits.
The /var/log/wtmp and /var/run/utmp files contain the login records for all users on your system. Their integrity must be maintained because they can be used to determine when and from where a user (or potential intruder) has entered your system. These files should also have 644 permissions, without affecting normal system operation.
The immutable bit can be used to prevent accidentally deleting or overwriting a file that must be protected. It also prevents someone from creating a hard link to the file. See the chattr(1) man page for information on the immutable bit.
SUID and SGID files on your system are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs are not installed. A favorite trick of crackers is to exploit SUID-root programs, then leave a SUID program as a back door to get in the next time, even if the original hole is plugged.
Find all SUID/SGID programs on your system, and keep track of what they are, so you are aware of any changes which could indicate a potential intruder. Use the following command to find all SUID/SGID programs on your system:
root# find / -type f \( -perm -04000 -o -perm -02000 \)
|
The Debian distribution runs a job each night to determine what SUID files exist. It then compares this to the previous night's run. You can look in /var/log/setuid* for this log.
You can remove the SUID or SGID permissions on a suspicious program with chmod, then restore them back if you absolutely feel it is necessary.
World-writable files, particularly system files, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow a cracker to add or delete files as he wishes. To locate all world-writable files on your system, use the following command:
root# find / -perm -2 ! -type l -ls |
Unowned files may also be an indication an intruder has accessed your system. You can locate files on your system that have no owner, or belong to no group with the command:
root# find / \( -nouser -o -nogroup \) -print |
Finding .rhosts files should be a part of your regular system administration duties, as these files should not be permitted on your system. Remember, a cracker only needs one insecure account to potentially gain access to your entire network. You can locate all .rhosts files on your system with the following command:
root# find /home -name .rhosts -print
|
Finally, before changing permissions on any system files, make sure you understand what you are doing. Never change permissions on a file because it seems like the easy way to get things working. Always determine why the file has that permission before changing it.
# Set the user's default umask umask 033 |
A quick explanation of Unix permissions:
Write:
To be able to add to or change a file
To be able to delete or move files in a directory
Execute:
To be able to run a binary program or shell script
To be able to search in a directory, combined with read permission
The "sticky bit" also has a different meaning when applied to directories than when applied to files. If the sticky bit is set on a directory, then a user may only delete files that the he owns or for which he has explicit write permission granted, even when he has write access to the directory. This is designed for directories like /tmp, which are world-writable, but where it may not be desirable to allow any user to delete files at will. The sticky bit is seen as a t in a long directory listing.
This describes set-user-id permissions on the file. When the set user ID access mode is set in the owner permissions, and the file is executable, processes which run it are granted access to system resources based on user who owns the file, as opposed to the user who created the process. This is the cause of many "buffer overflow" exploits.
If set in the group permissions, this bit controls the "set group id" status of a file. This behaves the same way as SUID, except the group is affected instead. The file must be executable for this to have any effect.
If you set the SGID bit on a directory (with chmod g+s directory), files created in that directory will have their group set to the directory's group.
You - The owner of the file
Group - The group you belong to
Everyone - Anyone on the system that is not the owner or a member of the group
File Example:
-rw-r--r-- 1 kevin users 114 Aug 28 1997 .zlogin
1st bit - directory? (no)
2nd bit - read by owner? (yes, by kevin)
3rd bit - write by owner? (yes, by kevin)
4th bit - execute by owner? (no)
5th bit - read by group? (yes, by users)
6th bit - write by group? (no)
7th bit - execute by group? (no)
8th bit - read by everyone? (yes, by everyone)
9th bit - write by everyone? (no)
10th bit - execute by everyone? (no)
|
The following lines are examples of the minimum sets of permissions that are required to perform the access described. You may want to give more permission than what's listed here, but this should describe what these minimum permissions on files do:
-r-------- Allow read access to the file by owner
--w------- Allows the owner to modify or delete the file
(Note that anyone with write permission to the directory
the file is in can overwrite it and thus delete it)
---x------ The owner can execute this program, but not shell scripts,
which still need read permission
---s------ Will execute with effective User ID = to owner
--------s- Will execute with effective Group ID = to group
-rw------T No update of "last modified time". Usually used for swap
files
---t------ No effect. (formerly sticky bit)
|
drwxr-xr-x 3 kevin users 512 Sep 19 13:47 .public_html/
1st bit - directory? (yes, it contains many files)
2nd bit - read by owner? (yes, by kevin)
3rd bit - write by owner? (yes, by kevin)
4th bit - execute by owner? (yes, by kevin)
5th bit - read by group? (yes, by users
6th bit - write by group? (no)
7th bit - execute by group? (yes, by users)
8th bit - read by everyone? (yes, by everyone)
9th bit - write by everyone? (no)
10th bit - execute by everyone? (yes, by everyone)
|
The following lines are examples of the minimum sets of permissions that are required to perform the access described. You may want to give more permission than what's listed, but this should describe what these minimum permissions on directories do:
dr-------- The contents can be listed, but file attributes can't be read d--x------ The directory can be entered, and used in full execution paths dr-x------ File attributes can be read by owner d-wx------ Files can be created/deleted, even if the directory isn't the current one d------x-t Prevents files from deletion by others with write access. Used on /tmp d---s--s-- No effect |
System configuration files (usually in /etc) are usually mode 640 (-rw-r-----), and owned by root. Depending on your site's security requirements, you might adjust this. Never leave any system files writable by a group or everyone. Some configuration files, including /etc/shadow, should only be readable by root, and directories in /etc should at least not be accessible by others.
SUID shell scripts are a serious security risk, and for this reason the kernel will not honor them. Regardless of how secure you think the shell script is, it can be exploited to give the cracker a root shell.
# set mailto MAILTO=kevin # run Tripwire 15 05 * * * root /usr/local/adm/tcheck/tripwire |
You can find the freely available unsusported version of Tripwire at http://www.tripwire.org, free of charge. Manuals and support can be purchased.
Aide can be found at http://www.cs.tut.fi/~rammer/aide.html.
Osiris can be found at http://www.shmoo.com/osiris/.
Brute force attacks, such as "Crack" or "John the Ripper" (see section Section 6.9) can often guess passwords unless your password is sufficiently random. PAM modules (see below) allow you to use a different encryption routine with your passwords (MD5 or the like). You can use Crack to your advantage, as well. Consider periodically running Crack against your own password database, to find insecure passwords. Then contact the offending user, and instruct him to change his password.
You can go to http://consult.cern.ch/writeup/security/security_3.html for information on how to choose a good password.
There are advantages to both public key and private key cryptography, and you can read about those differences in the RSA Cryptography FAQ, listed at the end of this section.
PGP (Pretty Good Privacy) is well-supported on Linux. Versions 2.6.2 and 5.0 are known to work well. For a good primer on PGP and how to use it, take a look at the PGP FAQ: http://www.pgp.com/service/export/faq/55faq.cgi
Be sure to use the version that is applicable to your country. Due to export restrictions by the US Government, strong-encryption is prohibited from being transferred in electronic form outside the country.
US export controls are now managed by EAR (Export Administration Regulations). They are no longer governed by ITAR.
There is also a step-by-step guide for configuring PGP on Linux available at http://mercury.chem.pitt.edu/~angel/LinuxFocus/English/November1997/article7.html. It was written for the international version of PGP, but is easily adaptable to the United States version. You may also need a patch for some of the latest versions of Linux; the patch is available at ftp://metalab.unc.edu/pub/Linux/apps/crypto.
There is a project maintaining a free re-implementation of pgp with open source. GnuPG is a complete and free replacement for PGP. Because it does not use IDEA or RSA it can be used without any restrictions. GnuPG is in compliance with OpenPGP. See the GNU Privacy Guard web page for more information: http://www.gnupg.org/.
More information on cryptography can be found in the RSA cryptography FAQ, available at http://www.rsa.com/rsalabs/newfaq/. Here you will find information on such terms as "Diffie-Hellman", "public-key cryptography", "digital certificates", etc.
SSL: - SSL, or Secure Sockets Layer, is an encryption method developed by Netscape to provide security over the Internet. It supports several different encryption protocols, and provides client and server authentication. SSL operates at the transport layer, creates a secure encrypted channel of data, and thus can seamlessly encrypt data of many types. This is most commonly seen when going to a secure site to view a secure online document with Communicator, and serves as the basis for secure communications with Communicator, as well as many other Netscape Communications data encryption. More information can be found at http://www.consensus.com/security/ssl-talk-faq.html. Information on Netscape's other security implementations, and a good starting point for these protocols is available at http://home.netscape.com/info/security-doc.html. It's also worth noting that the SSL protocol can be used to pass many other common protocols, "wrapping" them for security. See http://www.quiltaholic.com/rickk/sslwrap/
S-HTTP: - S-HTTP is another protocol that provides security services across the Internet. It was designed to provide confidentiality, authentication, integrity, and non-repudiability [cannot be mistaken for someone else] while supporting multiple key-management mechanisms and cryptographic algorithms via option negotiation between the parties involved in each transaction. S-HTTP is limited to the specific software that is implementing it, and encrypts each message individually. [ From RSA Cryptography FAQ, page 138]
S/MIME: - S/MIME, or Secure Multipurpose Internet Mail Extension, is an encryption standard used to encrypt electronic mail and other types of messages on the Internet. It is an open standard developed by RSA, so it is likely we will see it on Linux one day soon. More information on S/MIME can be found at http://home.netscape.com/assist/security/smime/overview.html.
Along with CIPE, and other forms of data encryption, there are also several other implementations of IPSEC for Linux. IPSEC is an effort by the IETF to create cryptographically-secure communications at the IP network level, and to provide authentication, integrity, access control, and confidentiality. Information on IPSEC and Internet draft can be found at http://www.ietf.org/html.charters/ipsec-charter.html. You can also find links to other protocols involving key management, and an IPSEC mailing list and archives.
The x-kernel Linux implementation, which is being developed at the University of Arizona, uses an object-based framework for implementing network protocols called x-kernel, and can be found at http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html. Most simply, the x-kernel is a method of passing messages at the kernel level, which makes for an easier implementation.
Another freely-available IPSEC implementation is the Linux FreeS/WAN IPSEC. Their web page states, ""These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPSEC gateway machine and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet.""
It's available for download from http://www.xs4all.nl/~freeswan/, and has just reached 1.0 at the time of this writing.
As with other forms of cryptography, it is not distributed with the kernel by default due to export restrictions.
There are several ssh implementiations now. The original commercial implementation by Data Fellows can be found at The ssh home page can be found at http://www.datafellows.com.
The excellent Openssh implementation is based on a early version of the datafellows ssh and has been totally reworked to not include any patented or proprietary pieces. It is free and under a BSD license. It can be found at: http://www.openssh.com.
There is also a open source project to re-implement ssh from the ground up called "psst...". For more information see: http://www.net.lut.ac.uk/psst/
You can also use ssh from your Windows workstation to your Linux ssh server. There are several freely available Windows client implementations, including the one at http://guardian.htu.tuwien.ac.at/therapy/ssh/ as well as a commercial implementation from DataFellows, at http://www.datafellows.com.
SSLeay is a free implementation of Netscape's Secure Sockets Layer protocol, developed by Eric Young. It includes several applications, such as Secure telnet, a module for Apache, several databases, as well as several algorithms including DES, IDEA and Blowfish.
Using this library, a secure telnet replacement has been created that does encryption over a telnet connection. Unlike SSH, stelnet uses SSL, the Secure Sockets Layer protocol developed by Netscape. You can find Secure telnet and Secure FTP by starting with the SSLeay FAQ, available at http://www.psy.uq.oz.au/~ftp/Crypto/.
SRP is another secure telnet/ftp implementation. From their web page:
""The SRP project is developing secure Internet software for free worldwide use. Starting with a fully-secure Telnet and FTP distribution, we hope to supplant weak networked authentication systems with strong replacements that do not sacrifice user-friendliness for security. Security should be the default, not an option!" "
For more information, go to http://www-cs-students.stanford.edu/~tjw/srp/
Newer versions of the Red Hat Linux and Debian Linux distributions ship with a unified authentication scheme called "PAM". PAM allows you to change your authentication methods and requirements on the fly, and encapsulate all local authentication methods without recompiling any of your binaries. Configuration of PAM is beyond the scope of this document, but be sure to take a look at the PAM web site for more information. http://www.kernel.org/pub/linux/libs/pam/index.html.
Just a few of the things you can do with PAM:
Use encryption other than DES for your passwords. (Making them harder to brute-force decode)
Set resource limits on all your users so they can't perform denial-of-service attacks (number of processes, amount of memory, etc)
Enable shadow passwords (see below) on the fly
allow specific users to login only at specific times from specific places
Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of .rhosts files in user's home directories by adding these lines to /etc/pam.d/rlogin:
# # Disable rsh/rlogin/rexec for users # login auth required pam_rhosts_auth.so no_rhosts |
Summarized from the CIPE documentation:
Further information can be found at http://www.inka.de/~bigred/devel/cipe.html
As with other forms of cryptography, it is not distributed with the kernel by default due to export restrictions.
You can find more information about kerberos by looking at the kerberos FAQ, and the code can be found at http://nii.isi.edu/info/kerberos/.
[From: Stein, Jennifer G., Clifford Neuman, and Jeffrey L. Schiller. "Kerberos: An Authentication Service for Open Network Systems." USENIX Conference Proceedings, Dallas, Texas, Winter 1998.]
Kerberos should not be your first step in improving security of your host. It is quite involved, and not as widely used as, say, SSH.
Shadow passwords are a means of keeping your encrypted password information secret from normal users. Recent versions of both Red Hat and Debian Linux use shadow passwords by default, but on other systems, encrypted passwords are stored in /etc/passwd file for all to read. Anyone can then run password-guesser programs on them and attempt to determine what they are. Shadow passwords, by contrast, are saved in /etc/shadow, which only privileged users can read. In order to use shadow passwords, you need to make sure all your utilities that need access to password information are recompiled to support them. PAM (above) also allows you to just plug in a shadow module; it doesn't require re-compilation of executables. You can refer to the Shadow-Password HOWTO for further information if necessary. It is available at http://metalab.unc.edu/LDP/HOWTO/Shadow-Password-HOWTO.html It is rather dated now, and will not be required for distributions supporting PAM.
There are a number of programs out there...the two most notable of which are "Crack" and "John the Ripper" (http://www.openwall.com/john/) . They will take up a lot of your CPU time, but you should be able to tell if an attacker could get in using them by running them first yourself and notifying users with weak passwords. Note that an attacker would have to use some other hole first in order to read your /etc/passwd file, but such holes are more common than you might think.
Because security is only as strong as the most insecure host, it is worth mentioning that if you have any Windows machines on your network, you should check out L0phtCrack, a Crack implementation for Windows. It's available from http://www.l0pht.com
CFS is a way of encrypting entire directory trees and allowing users to store encrypted files on them. It uses an NFS server running on the local machine. RPMS are available at http://www.zedz.net/redhat/, and more information on how it all works is at ftp://ftp.research.att.com/dist/mab/.
TCFS improves on CFS by adding more integration with the file system, so that it's transparent to users that the file system that is encrypted. More information at: http://www.tcfs.it/.
It also need not be used on entire file systems. It works on directory trees as well.
When using xdm (X Display Manager) to log in, you get a much better access method: MIT-MAGIC-COOKIE-1. A 128-bit "cookie" is generated and stored in your .Xauthority file. If you need to allow a remote machine access to your display, you can use the xauth command and the information in your .Xauthority file to provide access to only that connection. See the Remote-X-Apps mini-howto, available at http://metalab.unc.edu/LDP/HOWTO/mini/Remote-X-Apps.html.
You can also use ssh (see Section 6.4, above) to allow secure X connections. This has the advantage of also being transparent to the end user, and means that no unencrypted data flows across the network.
You can also disable any remote connections to your X server by using the '-nolisten tcp' options to your X server. This will prevent any network connections to your server over tcp sockets.
Take a look at the Xsecurity man page for more information on X security. The safe bet is to use xdm to login to your console and then use ssh to go to remote sites on which you wish to run X programs.
The Linux GGI project is trying to solve several of the problems with video interfaces on Linux. GGI will move a small piece of the video code into the Linux kernel, and then control access to the video system. This means GGI will be able to restore your console at any time to a known good state. They will also allow a secure attention key, so you can be sure that there is no Trojan horse login program running on your console. http://synergy.caltech.edu/~ggi/
As the kernel controls your computer's networking, it is important that it be very secure, and not be compromised. To prevent some of the latest networking attacks, you should try to keep your kernel version current. You can find new kernels at � or from your distribution vendor.
There is also a international group providing a single unified crypto patch to the mainstream Linux kernel. This patch provides support for a number of cryptographic subsystems and things that cannot be included in the mainstream kernel due to export restrictions. For more information, visit their web page at: http://www.kerneli.org
IP: forwarding/gatewaying (CONFIG_IP_FORWARD)
You can enable IP forwarding dynamically using the following command:
root# echo 1 > /proc/sys/net/ipv4/ip_forward |
root# echo 0 > /proc/sys/net/ipv4/ip_forward |
IP: syn cookies (CONFIG_SYN_COOKIES)
root# echo 1 > /proc/sys/net/ipv4/tcp_syncookies <P> |
IP: masquerading (CONFIG_IP_MASQUERADE) If one of the computers on your local network for which your Linux box acts as a firewall wants to send something to the outside, your box can "masquerade" as that host, i.e., it forewords the traffic to the intended destination, but makes it look like it came from the firewall box itself. See http://www.indyramp.com/masq for more information.
IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) This option adds ICMP masquerading to the previous option of only masquerading TCP or UDP traffic.
IP: transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY) This enables your Linux firewall to transparently redirect any network traffic originating from the local network and destined for a remote host to a local server, called a "transparent proxy server". This makes the local computers think they are talking to the remote end, while in fact they are connected to the local proxy. See the IP-Masquerading HOWTO and http://www.indyramp.com/masq for more information.
IP: always defragment (CONFIG_IP_ALWAYS_DEFRAG)
Generally this option is disabled, but if you are building a firewall or a masquerading host, you will want to enable it. When data is sent from one host to another, it does not always get sent as a single packet of data, but rather it is fragmented into several pieces. The problem with this is that the port numbers are only stored in the first fragment. This means that someone can insert information into the remaining packets that isn't supposed to be there. It could also prevent a teardrop attack against an internal host that is not yet itself patched against it.
Packet Signatures (CONFIG_NCPFS_PACKET_SIGNING)
This is an option that is available in the 2.2.x kernel series that will sign NCP packets for stronger security. Normally you can leave it off, but it is there if you do need it.
IP: Firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK)
This is a really neat option that allows you to analyze the first 128 bytes of the packets in a user-space program, to determine if you would like to accept or deny the packet, based on its validity.
You might read from the devices using something like:
root# head -c 6 /dev/urandom | mimencode |
See /usr/src/linux/drivers/char/random.c for a description of the algorithm.
Thanks to Theodore Y. Ts'o, Jon Lewis, and others from Linux-kernel for helping me (Dave) with this.
Some of the services you might want to leave enabled are:
If you know you are not going to use some particular package, you can also delete it entirely. rpm -e packagename under the Red Hat distribution will erase an entire package. Under Debian dpkg --remove does the same thing.
Additionally, you really want to disable the rsh/rlogin/rcp utilities, including login (used by rlogin), shell (used by rcp), and exec (used by rsh) from being started in /etc/inetd.conf. These protocols are extremely insecure and have been the cause of exploits in the past.
You should check /etc/rc.d/rc[0-9].d (on Red Hat; /etc/rc[0-9].d on Debian), and see if any of the servers started in those directories are not needed. The files in those directories are actually symbolic links to files in the directory /etc/rc.d/init.d (on Red Hat; /etc/init.d on Debian). Renaming the files in the init.d directory disables all the symbolic links that point to that file. If you only wish to disable a service for a particular run level, rename the appropriate symbolic link by replacing the upper-case S with a lower-case s, like this:
root# cd /etc/rc6.d
root# mv S45dhcpd s45dhcpd
|
If you have BSD-style rc files, you will want to check /etc/rc* for programs you don't need.
Most Linux distributions ship with tcp_wrappers "wrapping" all your TCP services. A tcp_wrapper (tcpd) is invoked from inetd instead of the real server. tcpd then checks the host that is requesting the service, and either executes the real server, or denies access from that host. tcpd allows you to restrict access to your TCP services. You should make a /etc/hosts.allow and add in only those hosts that need to have access to your machine's services.
If you are a home dial up user, we suggest you deny ALL. tcpd also logs failed attempts to access services, so this can alert you if you are under attack. If you add new services, you should be sure to configure them to use tcp_wrappers if they are TCP-based. For example, a normal dial-up user can prevent outsiders from connecting to his machine, yet still have the ability to retrieve mail, and make network connections to the Internet. To do this, you might add the following to your /etc/hosts.allow:
ALL: 127.
And of course /etc/hosts.deny would contain:
ALL: ALL
which will prevent external connections to your machine, yet still allow you from the inside to connect to servers on the Internet.
Keep in mind that tcp_wrappers only protects services executed from inetd, and a select few others. There very well may be other services running on your machine. You can use netstat -ta to find a list of all the services your machine is offering.
Further information on postfix can be found at the Postfix home and in the Configuring and Securing Postfix.
SATAN (Security Administrator's Tool for Analyzing Networks) is a port scanner with a web interface. It can be configured to do light, medium, or strong checks on a machine or a network of machines. It's a good idea to get SATAN and scan your machine or network, and fix the problems it finds. Make sure you get the copy of SATAN from metalab or a reputable FTP or web site. There was a Trojan copy of SATAN that was distributed out on the net. http://www.trouble.org/~zen/satan/satan.html. Note that SATAN has not been updated in quite a while, and some of the other tools below might do a better job.
ISS (Internet Security Scanner) is another port-based scanner. It is faster than Satan, and thus might be better for large networks. However, SATAN tends to provide more information.
Abacus is a suite of tools to provide host-based security and intrusion detection. Look at it's home page on the web for more information. http://www.psionic.com/abacus/
SAINT is a updated version of SATAN. It is web-based and has many more up-to-date tests than SATAN. You can find out more about it at: http://www.wwdsi.com/~saint
Nessus is a free security scanner. It has a GTK graphical interface for ease of use. It is also designed with a very nice plug in setup for new port-scanning tests. For more information, take a look at: http://www.nessus.org
If you are using sendmail it is very important to keep up on current versions. sendmail has a long long history of security exploits. Always make sure you are running the most recent version from http://www.sendmail.org.
Keep in mind that sendmail does not have to be running in order for you to send mail. If you are a home user, you can disable sendmail entirely, and simply use your mail client to send mail. You might also choose to remove the "-bd" flag from the sendmail startup file, thereby disabling incoming requests for mail. In other words, you can execute sendmail from your startup script using the following instead:
# /usr/lib/sendmail -q15m |
Many administrators choose not to use sendmail, and instead choose one of the other mail transport agents. You might consider switching over to qmail. qmail was designed with security in mind from the ground up. It's fast, stable, and secure. Qmail can be found at http://www.qmail.org
In direct competition to qmail is "postfix", written by Wietse Venema, the author of tcp_wrappers and other security tools. Formerly called vmailer, and sponsored by IBM, this is also a mail transport agent written from the ground up with security in mind. You can find more information about postfix at http://www.postfix.org
SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created. The newer Linux kernels (2.0.30 and up) have several configurable options to prevent SYN flood attacks from denying people access to your machine or services. See Section 7 for proper kernel protection options.
Pentium "F00F" Bug - It was recently discovered that a series of assembly codes sent to a genuine Intel Pentium processor would reboot the machine. This affects every machine with a Pentium processor (not clones, not Pentium Pro or PII), no matter what operating system it's running. Linux kernels 2.0.32 and up contain a work around for this bug, preventing it from locking your machine. Kernel 2.0.33 has an improved version of the kernel fix, and is suggested over 2.0.32. If you are running on a Pentium, you should upgrade now!
Ping Flooding - Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably. You can find more information about the "smurf" attack at http://www.quadrunner.com/~chuegen/smurf.txt
If you are ever under a ping flood attack, use a tool like tcpdump to determine where the packets are coming from (or appear to be coming from), then contact your provider with this information. Ping floods can most easily be stopped at the router level or by using a firewall.
Ping o' Death - The Ping o' Death attack sends ICMP ECHO REQUEST packets that are too large to fit in the kernel data structures intended to store them. Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping o' Death." This one has long been fixed, and is no longer anything to worry about.
Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP fragmentation code on Linux and Windows platforms. It is fixed in kernel version 2.0.33, and does not require selecting any kernel compile-time options to utilize the fix. Linux is apparently not vulnerable to the "newtear" exploit.
See the NFS HOWTO for more information on NFS, available at http://metalab.unc.edu/mdw/HOWTO/NFS-HOWTO.html
There is a much more secure replacement for NIS, called NIS+. Check out the NIS HOWTO for more information: http://metalab.unc.edu/mdw/HOWTO/NIS-HOWTO.html
Firewalls are a very useful and important technique in securing your network. However, never think that because you have a firewall, you don't need to secure the machines behind it. This is a fatal mistake. Check out the very good Firewall-HOWTO at your latest metalab archive for more information on firewalls and Linux. http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html
More information can also be found in the IP-Masquerade mini-howto: http://metalab.unc.edu/mdw/HOWTO/mini/IP-Masquerade.html
More information on ipfwadm (the tool that lets you change settings on your firewall, can be found at it's home page: http://www.xos.nl/linux/ipfwadm/
If you have no experience with firewalls, and plan to set up one for more than just a simple security policy, the Firewalls book by O'Reilly and Associates or other online firewall document is mandatory reading. Check out http://www.ora.com for more information. The National Institute of Standards and Technology have put together an excellent document on firewalls. Although dated 1995, it is still quite good. You can find it at http://csrc.nist.gov/nistpubs/800-10/main.html. Also of interest:
The Freefire Project -- a list of freely-available firewall tools, available at http://sites.inka.de/sites/lina/freefire-l/index_en.html
SunWorld Firewall Design -- written by the authors of the O'Reilly book, this provides a rough introduction to the different firewall types. It's available at http://www.sunworld.com/swol-01-1996/swol-01-firewall.html
Mason - the automated firewall builder for Linux. This is a firewall script that learns as you do the things you need to do on your network! More info at: http://www.pobox.com/~wstearns/mason/
Be sure to read the IP Chains HOWTO for further information. It is available at http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html
iptables |
Other IP Tables references include:
Oskar Andreasson IP Tables Tutorial -- Oskar Andreasson speaks with LinuxSecurity.com about his comprehensive IP Tables tutorial and how this document can be used to build a robust firewall for your organization.
Hal Burgiss Introduces Linux Security Quick-Start Guides -- Hal Burgiss has written two authoritative guides on securing Linux, including managing firewalling.
Netfilter Homepage -- The netfilter/iptables homepage.
Linux Kernel 2.4 Firewalling Matures: netfilter -- This LinuxSecurity.com article describes the basics of packet filtering, how to get started using iptables, and a list of the new features available in the latest generation of firewalling for Linux.
If you are running a Linux masquerading firewall and need to pass MS PPTP (Microsoft's VPN point-to-point product) packets, there is a Linux kernel patch out to do just that. See: ip-masq-vpn.
There are several Linux VPN solutions available:
vpnd. See the http://sunsite.dk/vpnd/.
Free S/Wan, available at http://www.xs4all.nl/~freeswan/
ssh can be used to construct a VPN. See the VPN mini-howto for more information.
vps (virtual private server) at http://www.strongcrypto.com.
yawipin at http://yavipin.sourceforge.net
See also the section on IPSEC for pointers and more information.
Now, when your system is compromised, you can use the command:
root# rpm -Va |
There are several more advanced syslogd programs out there. Take a look at http://www.core-sdi.com/ssyslog/ for Secure Syslog. Secure Syslog allows you to encrypt your syslog entries and make sure no one has tampered with them.
Another syslogd with more features is syslog-ng. It allows you a lot more flexibility in your logging and also can has your remote syslog streams to prevent tampering.
Finally, log files are much less useful when no one is reading them. Take some time out every once in a while to look over your log files, and get a feeling for what they look like on a normal day. Knowing this can help make unusual things stand out.
Check all your log files, and make a visit to your security lists and pages and see if there are any new common exploits you can fix. You can find Caldera security fixes at http://www.caldera.com/tech-ref/security/. Red Hat has not yet separated their security fixes from bug fixes, but their distribution errata is available at http://www.redhat.com/errata
Debian now has a security mailing list and web page. See: http://www.debian.org/security/ for more information.
It is very likely that if one vendor has released a security update, that most other Linux vendors will as well.
There is now a Linux security auditing project. They are methodically going through all the user-space utilities and looking for possible security exploits and overflows. From their announcement:
""We are attempting a systematic audit of Linux sources with a view to being as secure as OpenBSD. We have already uncovered (and fixed) some problems, but more help is welcome. The list is unmoderated and also a useful resource for general security discussions. The list address is: security-audit@ferret.lmh.ox.ac.uk To subscribe, send a mail to: security-audit-subscribe@ferret.lmh.ox.ac.uk""
If you don't lock the attacker out, they will likely be back. Not just back on your machine, but back somewhere on your network. If they were running a packet sniffer, odds are good they have access to other local machines.
You should also notify any security organizations you are a part of (CERT or similar), as well as your Linux system vendor.
Linux Advisory Watch -- A comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
Linux Security Week -- The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
Linux Security Discussion List -- This mailing list is for general security-related questions and comments.
Linux Security Newsletters -- Subscription information for all newsletters.
comp.os.linux.security FAQ -- Frequently Asked Questions with answers for the comp.os.linux.security newsgroup.
Linux Security Documentation -- A great starting point for information pertaining to Linux and Open Source security.
CERT is the Computer Emergency Response Team. They often send out alerts of current attacks and fixes. See ftp://ftp.cert.org for more information.
ZEDZ (formerly Replay) (http://www.zedz.net) has archives of many security programs. Since they are outside the US, they don't need to obey US crypto restrictions.
Matt Blaze is the author of CFS and a great security advocate. Matt's archive is available at ftp://ftp.research.att.com/pub/mab
tue.nl is a great security FTP site in the Netherlands. ftp.win.tue.nl
The COAST archive has a large number of Unix security programs and information: COAST
SuSe Security Page: http://www.suse.de/security/
Rootshell.com is a great site for seeing what exploits are currently being used by crackers: http://www.rootshell.com/
BUGTRAQ puts out advisories on security issues: BUGTRAQ archives
CERT, the Computer Emergency Response Team, puts out advisories on common attacks on Unix platforms: CERT home
Dan Farmer is the author of SATAN and many other security tools. His home site has some interesting security survey information, as well as security tools: http://www.trouble.org
The Linux security WWW is a good site for Linux security information: Linux Security WWW
Infilsec has a vulnerability engine that can tell you what vulnerabilities affect a specific platform: http://www.infilsec.com/vulnerabilities/
CIAC sends out periodic security bulletins on common exploits: http://ciac.llnl.gov/cgi-bin/index/bulletins
A good starting point for Linux Pluggable Authentication modules can be found at http://www.kernel.org/pub/linux/libs/pam/.
The Debian project has a web page for their security fixes and information. It is at http://www.debian.com/security/.
WWW Security FAQ, written by Lincoln Stein, is a great web security reference. Find it at http://www.w3.org/Security/Faq/www-security-faq.html
Red Hat has a number of mailing lists, the most important of which is the redhat-announce list. You can read about security (and other) fixes as soon as they come out. Send email to redhat-announce-list-request@redhat.com with the Subject Subscribe See https://listman.redhat.com/mailman/listinfo/ for more info and archives.
The Debian project has a security mailing list that covers their security fixes. See http://www.debian.com/security/ for more information.
Linux Network Administrator's Guide By Olaf Kirch, 1st Edition January 1995, ISBN: 1-56592-087-2
PGP: Pretty Good Privacy By Simson Garfinkel, 1st Edition December 1994, ISBN: 1-56592-098-8
Linux Security By John S. Flowers, New Riders; ISBN: 0735700354, March 1999
Included below are several of the most frequently used terms in computer security. A comprehensive dictionary of computer security terms is available in the LinuxSecurity.com Dictionary
authentication: The process of knowing that the data received is the same as the data that was sent, and that the claimed sender is in fact the actual sender.
bastion Host: A computer system that must be highly secured because it is vulnerable to attack, usually because it is exposed to the Internet and is a main point of contact for users of internal networks. It gets its name from the highly fortified projects on the outer walls of medieval castles. Bastions overlook critical areas of defense, usually having strong walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers.
buffer overflow: Common coding style is to never allocate large enough buffers, and to not check for overflows. When such buffers overflow, the executing program (daemon or set-uid program) can be tricked in doing some other things. Generally this works by overwriting a function's return address on the stack to point to another location.
denial of service: An attack that consumes the resources on your computer for things it was not intended to be doing, thus preventing normal use of your network resources for legitimate purposes.
dual-homed Host: A general-purpose computer system that has at least two network interfaces.
firewall: A component or set of components that restricts access between a protected network and the Internet, or between other sets of networks.
host: A computer system attached to a network.
IP spoofing: IP Spoofing is a complex technical attack that is made up of several components. It is a security exploit that works by tricking computers in a trust relationship into thinking that you are someone that you really aren't. There is an extensive paper written by daemon9, route, and infinity in the Volume Seven, Issue Forty-Eight issue of Phrack Magazine.
non-repudiation: The property of a receiver being able to prove that the sender of some data did in fact send the data even though the sender might later deny ever having sent it.
packet: The fundamental unit of communication on the Internet.
packet filtering: The action a device takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (most often from the Internet to an internal network, and vice-versa). To accomplish packet filtering, you set up rules that specify what types of packets (those to or from a particular IP address or port) are to be allowed and what types are to be blocked.
perimeter network: A network added between a protected network and an external network, in order to provide an additional layer of security. A perimeter network is sometimes called a DMZ.
proxy server: A program that deals with external servers on behalf of internal clients. Proxy clients talk to proxy servers, which relay approved client requests to real servers, and relay answers back to clients.
superuser: An informal name for root.
Is it more secure to compile driver support directly into the kernel, instead of making it a module?
Why does logging in as root from a remote machine always fail?
Answer: See Section 4.2. This is done intentionally to prevent remote users from attempting to connect via telnet to your machine as root, which is a serious security vulnerability, because then the root password would be transmitted, in clear text, across the network. Don't forget: potential intruders have time on their side, and can run automated programs to find your password. Additionally, this is done to keep a clear record of who logged in, not just root.
How do I enable shadow passwords on my Linux box?
Answer:
To enable shadow passwords, run pwconv as root, and /etc/shadow should now exist, and be used by applications. If you are using RH 4.2 or above, the PAM modules will automatically adapt to the change from using normal /etc/passwd to shadow passwords without any other change.
Some background: shadow passwords is a mechanism for storing your password in a file other than the normal /etc/passwd file. This has several advantages. The first one is that the shadow file, /etc/shadow, is only readable by root, unlike /etc/passwd, which must remain readable by everyone. The other advantage is that as the administrator, you can enable or disable accounts without everyone knowing the status of other users' accounts.
The /etc/passwd file is then used to store user and group names, used by programs like /bin/ls to map the user ID to the proper user name in a directory listing.
The /etc/shadow file then only contains the user name and his/her password, and perhaps accounting information, like when the account expires, etc.
To enable shadow passwords, run pwconv as root, and /etc/shadow should now exist, and be used by applications. Since you are using RH 4.2 or above, the PAM modules will automatically adapt to the change from using normal /etc/passwd to shadow passwords without any other change.
Since you're interested in securing your passwords, perhaps you would also be interested in generating good passwords to begin with. For this you can use the pam_cracklib module, which is part of PAM. It runs your password against the Crack libraries to help you decide if it is too-easily guessable by password-cracking programs.
How can I enable the Apache SSL extensions?
Answer:
Get SSLeay 0.8.0 or later from �
Build and test and install it!
Get Apache source
Get Apache SSLeay extensions from here
Unpack it in the apache source directory and patch Apache as per the README.
Configure and build it.
You might also try ZEDZ net which has many pre-built packages, and is located outside of the United States.
How can I manipulate user accounts, and still retain security?
Answer: most distributions contain a great number of tools to change the properties of user accounts.
The pwconv and unpwconv programs can be used to convert between shadow and non-shadowed passwords.
The pwck and grpck programs can be used to verify proper organization of the passwd and group files.
The useradd, usermod, and userdel programs can be used to add, delete and modify user accounts. The groupadd, groupmod, and groupdel programs will do the same for groups.
Group passwords can be created using gpasswd.
All these programs are "shadow-aware" -- that is, if you enable shadow they will use /etc/shadow for password information, otherwise they won't.
See the respective man pages for further information.
How can I password-protect specific HTML documents using Apache?
I bet you didn't know about http://www.apacheweek.org, did you?
You can find information on user authentication at http://www.apacheweek.com/features/userauth as well as other web server security tips from http://www.apache.org/docs/misc/security_tips.html
Rob Riggs rob@DevilsThumb.com |
Viktor Przebinda viktor@CRYSTAL.MATH.ou.edu
Roelof Osinga roelof@eboa.com
Kyle Hasselbacher kyle@carefree.quux.soltc.net
David S. Jackson dsj@dsj.net
Todd G. Ruskell ruskell@boulder.nist.gov
Rogier Wolff R.E.Wolff@BitWizard.nl
Antonomasia ant@notatla.demon.co.uk
Nic Bellamy sky@wibble.net
Eric Hanchrow offby1@blarg.net
Robert J. Bergerrberger@ibd.com
Ulrich Alpers lurchi@cdrom.uni-stuttgart.de
David Noha dave@c-c-s.com
Pavel Epifanov. epv@ibm.net
Joe Germuska. joe@germuska.com
Franklin S. Werren fswerren@bagpipes.net
Paul Rusty Russell <Paul.Russell@rustcorp.com.au>
Christine Gaunt <cgaunt@umich.edu>
lin bhewitt@refmntutl01.afsc.noaa.gov
A. Steinmetz astmail@yahoo.com
Jun Morimoto morimoto@xantia.citroen.org
Xiaotian Sun sunx@newton.me.berkeley.edu
Eric Hanchrow offby1@blarg.net
Camille Begnis camille@mandrakesoft.com
Neil D neild@sympatico.ca
Michael Tandy Michael.Tandy@BTInternet.com
Tony Foiani tkil@scrye.com
Matt Johnston mattj@flashmail.com
Geoff Billin gbillin@turbonet.com
Hal Burgiss hburgiss@bellsouth.net
Ian Macdonald ian@linuxcare.com
M.Kiesel m.kiesel@iname.com
Mario Kratzer kratzer@mathematik.uni-marburg.de
Othmar Pasteka pasteka@kabsi.at
Robert M rom@romab.com
Cinnamon Lowe clowe@cinci.rr.com
Gunnar Ritter g-r@bigfoot.de
The following have translated this HOWTO into various other languages!
A special thank you to all of them for help spreading the Linux word...
Polish: Ziemek Borowski ziembor@FAQ-bot.ZiemBor.Waw.PL
Japanese: FUJIWARA Teruyoshi fjwr@mtj.biglobe.ne.jp
Indonesian: Tedi Heriyanto 22941219@students.ukdw.ac.id
Korean: Bume Chang Boxcar0001@aol.com
Spanish: Juan Carlos Fernandez piwiman@visionnetware.com
Dutch: "Nine Matthijssen" nine@matthijssen.nl
Norwegian: ketil@vestby.com ketil@vestby.com
Turkish: tufan karadere tufank@metu.edu.tr