webpointmorpheus Linux Info
Security
©2005 - material compiled by Bob Carnaghi, www.webpointmorpheus.com
Linux Security Guidelines Introduction

Computer security is an extremely valid consideration, and the level of security measures that are needed is typically based upon the sensitivity of the data that is being protected. On a home network system, the advanced security that would be applied at a bank or financial institution is not warranted. However, whatever measure of security is warranted must be applied diligently in order to keep sensitive information secure. Listed below are several security guidelines. Based upon the system and the environment in which it runs, any or all of the following may be appropriate or necessary.
- Limit access to the physical computer(s) - locked server room
- Disable and/or uninstall unneeded services and software
- Implement a firewall on computers that are connected to the Internet
- Publicly accessible computers should have floppy & CD-ROM drives removed
- Set system BIOS boot order to prevent booting from USB devices
- Set BIOS password to prevent tampering with boot order or other configuration settings
- Set a boot loader password to prevent tampering with the boot loader
- When running background processes, consider using the nohup command and running the process in the background. This permits logging out of the shell while a long-running process continues.
- Use the su command to 'switch user' to root for system configuration actions. Note that the su - flag will load the root user's environment variables.
- Consider the sudo command for users who need certain commands for various tasks, such as software development. For configuration, see the /etc/sudoers file.
Data Encryption

Encryption measures can be implemented for data and passwords that are transmitted over the network or Internet. Keep in mind that the default method of data transmission is without encryption, and anyone with a packet sniffer can capture and read the data packets. This process is tedious, but it does happen. Several methods of data encryption are available, as listed below. Some of these methods are one-way hashes and password algorithm practices.
- MD5
- Shadow Passwords
- Kerberos
- GNU Privacy Guard
- RSA & DSA (Digital Signature Algorithms)
Passwords

Passwords can be placed on the computer BIOS, on the bootloader, and on login accounts. Not every environment warrants passwords in all these areas, but some environments will require them. Passwords can be set in Linux to have a minimum length and expiration dates. Strong passwords are at least 8-12 characters and should be a mixture of upper, lower, and numeric characters. By implementing shadow passwords, the encrypted passwords are held in the more secure /etc/shadow, which is readable only by the root user.
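As an added example (not from the original page), the following shell functions read shadow-style entries and report the hash algorithm and the password-aging fields that the paragraph above refers to. The entries are constructed for the demo with fake hashes; on a real system the same awk would be run as root against /etc/shadow.

```shell
# Added example: audit shadow-format entries. Not part of the original page.
# A shadow entry has nine colon-separated fields:
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# The hash prefix names the algorithm ($1$ MD5, $5$ SHA-256, $6$ SHA-512);
# an empty hash means no password at all, and "!" or "*" means a locked account.

# Constructed sample entries (fake hashes, not real accounts).
SAMPLE_SHADOW='root:$6$saltsalt$fakehash:16000:0:99999:7:::
alice:$1$abcdefgh$fakehash:16000:0:90:7:::
bob::16000:0:99999:7:::
svc:!:16000:0:99999:7:::'

# shadow_algo USER -> md5 | sha256 | sha512 | none | locked | other
shadow_algo() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '
    $1 == u {
      h = $2
      if (h == "")            print "none"
      else if (h ~ /^[!*]/)   print "locked"
      else if (h ~ /^\$1\$/)  print "md5"
      else if (h ~ /^\$5\$/)  print "sha256"
      else if (h ~ /^\$6\$/)  print "sha512"
      else                    print "other"
    }'
}

# shadow_max_days USER -> the "max" aging field (99999 means the password never expires)
shadow_max_days() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $5 }'
}

# shadow_audit -> one line per account that breaks the guidance above:
# empty password, legacy MD5 hash, or no expiration. Exit status 1 if any are found.
shadow_audit() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '
    $2 == ""                                  { print $1 ": EMPTY PASSWORD";        bad = 1 }
    $2 ~ /^\$1\$/                             { print $1 ": legacy MD5 hash";       bad = 1 }
    $2 != "" && $2 !~ /^[!*]/ && $5 >= 99999  { print $1 ": password never expires"; bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Usage: list the weak entries in the sample
shadow_audit || echo "weak shadow entries found"
```

On a live system the audit is the same awk with /etc/shadow as its input instead of the sample; the locked "svc" entry shows why a "!" prefix must be excluded before the expiration field is judged, or every locked service account is flagged.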
Pluggable Authentication Modules

Pluggable Authentication Modules are loadable modules for security that add levels of authentication per application. The PAM configuration file is /etc/pam.d. The modules themselves are located in /lib/security. There are four module types: Password, Session, Account, Auth (Authentication). Each module in a stack is assigned one of four PAM control flags, set per module: optional, required, requisite, sufficient.
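The four control flags decide how the results of the individual modules combine into one answer for the application. As an added example, not part of the original page, the shell function below simulates that combination for a constructed PAM stack, following the flag semantics documented in pam.conf(5); the module names and the stack itself are assumptions modeled on a typical /etc/pam.d/login of the period.

```shell
# Added example: simulate how PAM control flags combine module results.
# Not part of the original page. The rules follow pam.conf(5):
#   required   - failure makes the stack fail, but the remaining modules still run
#   requisite  - failure makes the stack fail immediately
#   sufficient - success ends the stack with success, unless an earlier
#                required module already failed; its own failure is ignored
#   optional   - ignored unless it is the only module of its type
# Each line of a pam.d file reads:  type  control  module [arguments]

# Constructed stack (assumed, modeled on a typical login configuration).
PAM_CONF='auth     required   pam_env.so
auth     requisite  pam_securetty.so
auth     sufficient pam_unix.so
auth     required   pam_deny.so
account  required   pam_unix.so
session  optional   pam_motd.so'

# pam_stack_result TYPE RESULTS -> prints success | failure
# RESULTS says what each module would return, e.g. "pam_unix.so=ok,pam_deny.so=fail";
# a module that is not listed is treated as failing.
pam_stack_result() {
  printf '%s\n' "$PAM_CONF" | awk -v type="$1" -v res="$2" '
    BEGIN {
      n = split(res, pairs, ",")
      for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); r[kv[1]] = kv[2] }
      state = "success"
    }
    /^#/ || $1 != type { next }
    {
      count++
      ok = (r[$3] == "ok")
      if ($2 == "required")        { if (!ok) state = "failure" }
      else if ($2 == "requisite")  { if (!ok) { state = "failure"; exit } }
      else if ($2 == "sufficient") { if (ok && state == "success") exit }
      else if ($2 == "optional")   { if (!ok) optfail = 1 }
    }
    END {
      if (count == 1 && optfail) state = "failure"
      print state
    }'
}

# Usage: a correct password passes the "sufficient" pam_unix.so and the stack
# never reaches the final pam_deny.so
pam_stack_result auth 'pam_env.so=ok,pam_securetty.so=ok,pam_unix.so=ok,pam_deny.so=fail'
```

The instructive case is the fourth assertion in the checks: when the required pam_env.so fails first, a later successful "sufficient" module can no longer rescue the stack, which is exactly why "required" rather than "sufficient" is used for the modules that must always hold.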
Firewalls

Firewalls can be packet based, service based, or daemon (xinetd) based. In Linux, the system firewall is called iptables, and /etc/sysconfig/iptables is the configuration file for the firewall. The iptables command invokes the Linux firewall utility. Rules for the firewall are established by configuring directives in succession that are called ipchains. The ipchains directives are established such that traffic is monitored or blocked on the way in, on the way out, or as it passes through the firewall. The default system security tool is invoked with the system-config-securitylevel command, which brings up a GUI dialog box. Both the firewall and the SELinux settings are available in this utility. Make sure to back up the /etc/sysconfig/iptables file before making changes to the firewall or security level. For finer-grained firewall configuration, the system-config-securitylevel-tui command invokes a separate utility. Port numbers can be enabled or blocked in the configuration tool. A list of common port numbers can be referenced at /etc/services or www.iana.org/assignments/port-numbers.

Two alternate methods of isolating a LAN from the Internet are a bastion host and a DMZ (DeMilitarized Zone). A bastion host is a firewall on a dedicated gateway computer that provides a single entrance and exit point between the internal LAN and the external network or Internet. A DMZ is a virtual area that sits between the LAN and the Internet and has limited access. Connections from the internal and the external network to the DMZ are permitted, but connections from the DMZ are only permitted to the external network. Certain services can be run on computers which reside in the DMZ and are accessible from the outside network, but those computers are not permitted access to the internal LAN. Therefore, if one of the publicly accessible servers becomes compromised, the LAN is still secured.
IP Masquerading

IP Masquerading is a method of hiding the true LAN IP address of local computers when viewed from the outside network. This option is available only when there is a gateway computer through which local LAN computers connect to an outside network. The IP address of the local computer is replaced with the IP address of the gateway computer. IP Masquerading is a function of the iptables command, and is stored in the configuration file /etc/sysconfig/iptables.
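To show what the firewall and masquerading sections above look like in the configuration file they both name, here is an added example (not the page's own, and not a distribution's default ruleset): a shell script that writes a minimal gateway ruleset in the iptables-save format that /etc/sysconfig/iptables holds, including the MASQUERADE rule that implements IP masquerading, and sanity-checks the file before it is loaded. The interface name eth0 and the LAN 192.168.1.0/24 in the usage are assumptions. The script only writes a file, so it runs unprivileged; applying it takes root (iptables-restore) and, for masquerading to forward anything, IP forwarding enabled in the kernel (net.ipv4.ip_forward).

```shell
# Added example: generate and sanity-check a gateway firewall ruleset.
# Not part of the original page. The output is in the iptables-save format
# that /etc/sysconfig/iptables uses; load it (as root) with
#   iptables-restore < FILE
# This script never touches the live firewall, so it can run unprivileged.

# write_ruleset FILE WAN_IF LAN_NET
#   WAN_IF  - interface facing the Internet (assumed name, e.g. eth0)
#   LAN_NET - internal network in CIDR form (assumed, e.g. 192.168.1.0/24)
write_ruleset() {
  file=$1; wan=$2; lan=$3
  cat > "$file" <<EOF
# Generated example ruleset. Load with: iptables-restore < $file
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one service offered to the outside: ssh (tcp/22 per /etc/services)
-A INPUT -i $wan -p tcp --dport 22 -m state --state NEW -j ACCEPT
# LAN hosts may go out; only replies to their connections may come back in
-A FORWARD -s $lan -o $wan -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# IP masquerading: outgoing LAN packets leave with the gateway's $wan address
-A POSTROUTING -s $lan -o $wan -j MASQUERADE
COMMIT
EOF
}

# check_ruleset FILE -> exit 0 when both inbound chains default to DROP and a
# MASQUERADE rule exists; otherwise print what is missing and exit 1
check_ruleset() {
  rc=0
  grep -q '^:INPUT DROP'     "$1" || { echo "INPUT policy is not DROP";   rc=1; }
  grep -q '^:FORWARD DROP'   "$1" || { echo "FORWARD policy is not DROP"; rc=1; }
  grep -q -- '-j MASQUERADE' "$1" || { echo "no MASQUERADE rule";         rc=1; }
  return $rc
}

# accept_rule_count FILE -> number of explicit ACCEPT rules, i.e. the
# exceptions to the default deny; every one of them should be justifiable
accept_rule_count() {
  grep -c -- '-j ACCEPT' "$1"
}

# Usage: write the ruleset to a temporary file, check it, and show it
example=$(mktemp)
write_ruleset "$example" eth0 192.168.1.0/24
check_ruleset "$example" && cat "$example"
rm -f "$example"
```

The default-DROP policies on INPUT and FORWARD are the point of the check: with them in place, the three inbound and two forwarding ACCEPT lines are the complete list of what the gateway permits, and anything not listed is blocked on the way in or as it passes through, as the firewall section above describes.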
Security Enhanced Linux (SELinux)

SELinux supports security controls that are configured per user or subject, services or objects, and commands or actions. SELinux works through the Security Level Configuration tool, which is primarily focused on objects. For the SELinux information about a file, type ls -Z filename (on SELinux enabled computers). This will provide the information that is stored in the /etc/sysconfig/selinux file. The Security Level Configuration tool can be invoked by the command system-config-securitylevel. Individual configurations can be added or altered with the /usr/sbin/setsebool command. Changes are not implemented until after a system reboot.

SELinux policies and configurations are beyond the scope of this document. For a good reference see SELinux on NSA. In some instances it may be necessary to disable SELinux at boot time. When the system boots, enter the GRUB menu, select the kernel, press A to edit the kernel command line, and add selinux=0 to the end of the line.
Network Attacks

Systems permit network traffic through ports, which are dedicated to the services that are running on the computer. One type of attack is such that system crackers attempt to create a buffer overrun situation that will replace critical data in memory with destructive data. One of the methods to minimize this vulnerability is to use the nmap (Network MAPper) utility to verify which ports/services are open/running on the system. Shutting down all non-critical ports/services will greatly reduce the possibility of an intrusion. The ports listed by nmap can be identified through the /etc/services file, or by searching the Internet for that particular port number.

Encrypting data that must travel across the network is a good practice where possible (see Data Encryption above). Use netfilter/iptables to limit network traffic to only the desired activity. Watch that no services run as root: check config files to see if the service owner can be set. Upgrading software packages is the best way to stay on top of the latest patches, which are usually aimed at popular system cracking attempts.

Additional security practices include using TCP wrappers to start daemons, thereby restricting the initialization of services to hosts that are permitted by the tcpd daemon. This daemon checks the /etc/hosts.allow and the /etc/hosts.deny files for permitted access.
- Another security measure that is important is file permissions. For a discussion of file permissions, see the Linux Filesystem document. Further security measures include the group policies that are enacted by the system administrator. The general rule of thumb is that a user is given only the amount of access that is necessary to fulfill job functions.
Intrusion Detection

System compromise can be detected by constantly and vigilantly checking log files. Pluggable Authentication Modules (PAM) log information to the /var/log/secure file, which should be checked regularly. The /var/log/wtmp log file lists the latest logins that received a BASH shell. Use the who /var/log/wtmp command to view this logfile.

Intrusion detection systems can detect when and how a system is being attacked or compromised. Port watch utilities can determine if a port is being scanned. Log file monitors can watch for activity on the system. The sum command can generate a checksum for system files, but is time consuming to use on files individually. Tripwire is a popular commercial utility that can detect changes to system config files and directories automatically. See the table below for other popular utilities.

For access logs to the system refer to the /var/log/wtmp file by using the utmpdump wtmp command. There may be additional info in the /var/log/secure log. Another tool to view and monitor network traffic is Ethereal, which is a packet sniffer. Use of the tool may take a bit of effort, but Ethereal is well documented and well presented. There are additional utilities that can be installed on the server, such as Tripwire, which will detect break-ins, see below.
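The checksum idea mentioned above (sum per file, Tripwire for automation) can be scripted in a few lines. The following is an added example and not part of the original page, nor is it Tripwire: it records a SHA-256 checksum for every file under a directory (sha256sum from coreutils, which is far harder to fool than the 16-bit sum command) and later reports files that changed, appeared, or disappeared. The directory and file names in the usage are constructed for the demo.

```shell
# Added example: a small file-integrity baseline. Not part of the original
# page. DIR should be an absolute path; paths containing whitespace are not
# handled, because the checksum lines are split on whitespace.

# baseline_create DIR OUT -> write "checksum  path" lines for every regular file under DIR
baseline_create() {
  find "$1" -type f -exec sha256sum {} + > "$2"
}

# baseline_verify DIR BASELINE -> print CHANGED/NEW/MISSING lines; exit 1 if anything differs
baseline_verify() {
  current=$(mktemp)
  find "$1" -type f -exec sha256sum {} + > "$current"
  awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the stored baseline
    { cur[$2] = $1 }                               # second file: what is on disk now
    END {
      for (p in base) if (!(p in cur)) { print "MISSING " p; bad = 1 }
      for (p in cur) {
        if (!(p in base))           { print "NEW " p;     bad = 1 }
        else if (cur[p] != base[p]) { print "CHANGED " p; bad = 1 }
      }
      exit (bad ? 1 : 0)
    }' "$2" "$current"
  rc=$?
  rm -f "$current"
  return $rc
}

# Usage (constructed directory; on a real system the target would be /etc or /sbin):
#   baseline_create /etc /root/etc.sha256      # taken once, right after installation
#   baseline_verify /etc /root/etc.sha256      # run from cron; exit 1 means something changed
```

The baseline file is only worth anything if an intruder cannot rewrite it, so in practice it is stored off the machine or on read-only media, which is the same reasoning behind Tripwire's signed database.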
Checking Log Files

The following log files are the key points for determining what is going on security-wise on the Linux system. Check these log files regularly.

- /var/log/secure - logs use of the sudo command
- /var/log/wtmp - shows login records. Use the utmpdump wtmp command to view this binary log file.
- /var/log/messages - lots of system information is logged here.
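Reading /var/log/secure by eye, as the Intrusion Detection section and the list above recommend, gets tedious once a host is on the Internet, so here is an added example (not from the original page) of pulling the security-relevant events out of secure-log lines with the standard text tools: sources of repeated failed ssh passwords, sudo commands, and root escalations. The log lines are constructed for the demo (203.0.113.5 is a documentation address, the hostname gw is made up); on a real system the functions read /var/log/secure instead of the sample.

```shell
# Added example: extract security events from /var/log/secure-style lines.
# Not part of the original page. The sample log is constructed for the demo.

SAMPLE_SECURE='Jan  4 10:29:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2
Jan  4 10:29:03 gw sshd[2203]: Failed password for root from 203.0.113.5 port 4412 ssh2
Jan  4 10:29:05 gw sshd[2205]: Failed password for root from 203.0.113.5 port 4413 ssh2
Jan  4 10:29:06 gw sshd[2207]: Failed password for root from 203.0.113.5 port 4414 ssh2
Jan  4 10:30:10 gw sshd[2210]: Accepted password for bob from 192.168.1.20 port 33122 ssh2
Jan  4 10:31:00 gw sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/iptables -L
Jan  4 10:32:00 gw sshd[2215]: Failed password for bob from 192.168.1.20 port 33130 ssh2
Jan  4 10:35:00 gw su(pam_unix)[2220]: session opened for user root by bob(uid=500)'

# secure_log -> the lines to analyse; swap the body for  cat /var/log/secure  on a live host
secure_log() { printf '%s\n' "$SAMPLE_SECURE"; }

# failed_by_source -> "count address" per source of failed ssh passwords, busiest first
failed_by_source() {
  secure_log | awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
    | sort | uniq -c | sort -rn
}

# brute_force_sources THRESHOLD -> addresses with at least THRESHOLD failures
brute_force_sources() {
  failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

# sudo_commands -> "user command" for every sudo invocation that was logged
sudo_commands() {
  secure_log | sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p'
}

# root_escalations -> the lines where someone became root, via sudo or su
root_escalations() {
  secure_log | grep -E 'USER=root|session opened for user root'
}

# Usage: who is hammering the ssh port with three or more failures?
brute_force_sources 3
```

A single failure from the LAN address is ordinary typing; four failures in five seconds against root from one outside address is the pattern worth a firewall rule or a hosts.deny entry, which is why the threshold, not the bare failure, drives the report.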
This page was last modified: Thursday January 04, 2007 10:29 AM