Securing Linux - Part 1
Post-install steps to securing a Linux box.
by Mike Peters, April 2004
Introduction
Linux is a powerful operating system, and most distros not only provide a wide variety of server applications but also enable many network-aware applications by default when you install the operating system. This guide is aimed at securing a freshly installed machine. None of the steps outlined here will help to secure a machine which has already been compromised.
First Steps - Download and Install the Latest Patches
Before you even install anything on your machine, check the website of your particular distro. In particular, check for security patches and updates which have been released since the version you are going to install. Download any patches or updates you find, and as soon as the install process is finished, apply them.
Choosing Sensible Passwords
Many users, if left to their own devices, will choose a password which is easy to remember, and just as easy for a cracker to guess. One of the first steps in securing any system is ensuring that all users have safe passwords. Any password can be cracked given enough time and resources; a safe password, however, is one which would take an unreasonably long time to crack whilst not being impossible for the user to remember. Passwords should be at least 8 characters in length and contain a mixture of upper and lower case letters, numbers and special characters. A common way of choosing a safe password is to think of a phrase of 8 or more words, for example 'There was an old woman who lived in a shoe'. Taking the first letter of each word in the phrase we get 'twaowwlias'. Now replace some of the letters with numbers, mix the case and add some special characters to get your password, 'tW40ww!iAS'. This password is much more difficult to crack than your dog's name.
Su and Sudo
You've probably been told a hundred times since you started using Linux that you shouldn't log on as root.
Instead you should log on as a normal user and use su to gain root privileges for specific tasks. Well, there you go, I've just told you again. There is, however, one more thing that many new users are not aware of: you can restrict which users can actually use the su command to gain root privileges. In the file /etc/suauth add the line:
root:ALL EXCEPT GROUP wheel:DENY
This requires a user to be a member of the wheel group before they can su to root. Check the suauth man page (man suauth) for more options. The same can also be achieved using PAM, see below for details. It is a good idea to make sure that all su activity is logged. Logging to syslog is normally enabled by default, but to be sure, check that the line:
SYSLOG_SU_ENAB yes
in /etc/login.defs is uncommented. You can also enable logging of su activity to its own file by uncommenting the line:
#SULOG_FILE /var/log/sulog
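As an added example (not from the original article), here is a small POSIX shell checker that reads a login.defs-style file and reports whether the two su logging settings above are active. It treats lines beginning with # as comments, so a still-commented SULOG_FILE line is reported as unset rather than as a setting. The function names and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example: report the su logging settings found in a login.defs-style
# file. Lines beginning with '#' are comments, so a commented-out
# "#SULOG_FILE ..." line counts as "not set". (Function names are hypothetical.)

# login_defs_value FILE KEY
# Prints the value of the last active (uncommented) KEY line in FILE.
login_defs_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }          # skip comment lines
        $1 == key        { val = $2 }      # the last active assignment wins
        END              { if (val != "") print val }
    ' "$1"
}

# su_logging_report FILE
# Prints "syslog=yes|no sulog=<path>|none" so both settings can be read at a
# glance, or asserted on from a post-install check script.
su_logging_report() {
    syslog=$(login_defs_value "$1" SYSLOG_SU_ENAB)
    sulog=$(login_defs_value "$1" SULOG_FILE)
    case "$syslog" in
        yes|YES) syslog=yes ;;
        *)       syslog=no ;;
    esac
    [ -n "$sulog" ] || sulog=none
    printf 'syslog=%s sulog=%s\n' "$syslog" "$sulog"
}

# Constructed fragment of a login.defs file: syslog logging on, the dedicated
# su log file still commented out, plus an unrelated setting for contrast.
SAMPLE_DEFS=$(mktemp)
cat > "$SAMPLE_DEFS" <<'EOF'
# (constructed sample, not a real /etc/login.defs)
SYSLOG_SU_ENAB      yes
#SULOG_FILE         /var/log/sulog
PASS_MAX_DAYS       99999
EOF

su_logging_report "$SAMPLE_DEFS"    # prints: syslog=yes sulog=none
```

On a real box, run su_logging_report /etc/login.defs after editing the file; "sulog=none" tells you the SULOG_FILE line is still commented out.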
You should never need to give out the root password of servers on your network to users. If you really need to give a user or users access to something which requires root privileges, you should look to using sudo instead. Sudo allows certain users to perform certain tasks with root privileges without needing to know the root password. You can configure sudo using the visudo command, which opens the /etc/sudoers configuration file in a special vi session. I won't go into the details here as sudo's man page contains full details of configuring sudo with examples.
Restrict the Number of Running Services
One of the most common errors made by people running Linux is having unnecessary services running. The more services you have running, the greater the risk of your box being broken into. You should only ever run the services you really need. After all, if you're not running a service it can't be exploited. To see a list of the services currently running, try issuing the commands:
# ps -aux | less
to show all running processes, and:
# netstat -atu
This will give you a list of services and the ports that they are listening on. Examine the output of these commands and decide which services you really need. If you don't know whether you need a service or not, the simple answer is: you don't. It is better to be aggressive when deciding what to disable; if you later find something which you need is missing, you can always re-enable it. Now would be a good time to get out your pen and paper in order to make notes of any changes you make. That way, when you need to put something right, you can retrace your steps. Many network services are initiated by the Internet superserver daemon, or inetd for short. inetd reads its configuration from /etc/inetd.conf. You can prevent services from being started by commenting out (placing a # at the beginning of) the lines in inetd.conf, for example:
# echo stream tcp nowait root internal
To begin with, you should comment out all of the services in this file. As stated earlier, if you later find you need something you can enable it. You may also consider replacing inetd with xinetd, which is a more recent and more secure alternative. Your distro's boot scripts are also responsible for initiating services at system start-up. Exactly where these scripts are depends upon the distro you use, but you should check thoroughly to see what services are being started and disable the ones you don't need. In Red Hat you can use the chkconfig utility. Running:
# chkconfig --list
will show you what daemons are started at which run level. You can use the --del option to turn off services. So, for example, to disable routed, you would type:
# chkconfig --del routed
However, not all services are chkconfig friendly. You must disable such services by removing the symlinks in the directories corresponding to the different run levels, e.g. /etc/rc.d/rc3.d/S50inet. It's enough to just remove the links; keep the actual files in case you need to enable something later. In the case of Slackware you should check the scripts under /etc/rc.d and either comment out the startup commands of services you don't need or remove the executable bit from the appropriate script, e.g.:
# chmod a-x /etc/rc.d/rc.sendmail
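Added example, not part of the original article: a POSIX shell audit that parses the column layout of netstat -atu output, lists every listening TCP socket and bound UDP socket, drops the ones bound only to loopback, and reports anything that is not on a list of services you have decided to keep. It turns the "examine the output and decide" step into something you can re-run after each change and after the reboot. The function names, the sample netstat output and the keep list are all constructed for the example; on a real system you would pipe live netstat output into the same functions (the columns of the newer ss tool differ, so the awk field numbers would need adjusting there).

```shell
#!/bin/sh
# Added example: audit listening sockets from the layout that "netstat -atu"
# prints, then flag network-reachable services that are not on your keep list.
# The function names and all sample data are constructed for this example.

# listening_sockets
# Reads netstat output on stdin and prints "proto local-address" for every
# TCP socket in LISTEN state and every bound UDP socket (UDP has no state column).
listening_sockets() {
    awk '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" { print $1, $4 }
        $1 ~ /^udp6?$/                   { print $1, $4 }
    ' | sort -u
}

# network_exposed
# Same as listening_sockets, minus sockets bound only to loopback (127.x / ::1),
# since those cannot be reached from the network.
network_exposed() {
    listening_sockets | awk '$2 !~ /^(127\.|::1:)/'
}

# unexpected_services KEEPLIST
# Prints every network-exposed socket whose "proto local-address" line is not
# in KEEPLIST (one entry per line): the candidates for disabling, or the things
# that came back after a reboot.
unexpected_services() {
    network_exposed | grep -v -x -F -f "$1" || true   # grep exits 1 when nothing is left, which is good news
}

# Constructed netstat -atu output: sshd, a loopback-only MTA, a POP3 daemon,
# one established session and two UDP listeners.
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF

# Constructed keep list: the only thing this box is meant to serve is ssh.
KEEPLIST=$(mktemp)
printf 'tcp 0.0.0.0:22\n' > "$KEEPLIST"

echo "== listening =="
listening_sockets < "$SAMPLE_NETSTAT"
echo "== exposed and not on the keep list =="
unexpected_services "$KEEPLIST" < "$SAMPLE_NETSTAT"
```

Keep the keep list under version control with your pen-and-paper notes; running netstat -atu | unexpected_services keeplist after the reboot gives you an empty list when the job is done, and names exactly what came back when it is not.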
If you are sure that you have disabled everything you don't need, you should reboot. Yes, I know that rebooting a Linux machine is something akin to sacrilege, but it's the best way to make sure that you really have disabled everything you think you have. It's no good if all the good work you've put in so far is going to be undone next time your machine reboots. Once you've restarted, run the ps and netstat commands I gave earlier again to check what's running. Repeat the above as necessary until you have the bare minimum of services running.
TCP Wrappers
TCP Wrappers uses two files, /etc/hosts.allow and /etc/hosts.deny, to decide which users and domains can connect to the services run by inetd. Most default installations leave these files blank, so the first thing we do is set our default policy to deny. The best policy in security is to lock all of our doors to begin with; then, and only then, do we open the ones we need. To do this you need to open up /etc/hosts.deny and add the line:
ALL:ALL
This will deny access to all services from all hosts. If you want to be notified by mail of any failed connection attempts, you can modify the above to read:
ALL:ALL:/bin/mail -s "%s connection attempt from %c" mike@localhost
Having set our default policy to deny all access, we can enable access for individual hosts to certain services by editing /etc/hosts.allow. For example, the line:
ALL:127.0.0.1
will allow access for 127.0.0.1 to all services. Whereas:
ipop3d:192.168.1.1
will allow 192.168.1.1 access to pop3. You can specify a range of addresses using, for example:
ipop3d:192.168.1.
or use multiple addresses separated by a comma:
ipop3d:192.168.1.1, 192.168.1.4
It's also possible to use domain names rather than IP addresses; however, this could really slow things down if there is a DNS failure. Where possible I would advise you to stick to using IP addresses.
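As an added example (not from the original article), the following POSIX shell script simulates the tcpd decision for one (daemon, client) pair so a hosts.allow/hosts.deny pair can be checked before it goes live. It follows the order tcpd uses: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. Only the pattern forms used in the article are handled: ALL, an exact address or daemon name, and a network prefix ending in a dot such as 192.168.1.; EXCEPT clauses and host-name patterns are not implemented. The optional third field (the shell command that sends the mail) is ignored, as it does not affect the decision. Function names and the sample rule files are constructed for this example; the last call shows why a blank hosts.deny is a problem.

```shell
#!/bin/sh
# Added example: simulate the tcp_wrappers access decision for one
# (daemon, client) pair against a hosts.allow and a hosts.deny file.
# Function names and sample rules are constructed; EXCEPT and host-name
# patterns are deliberately not supported.

# _list_matches LIST ITEM -> 0 if ITEM matches any comma/space separated pattern
_list_matches() {
    list=$1; item=$2
    oldifs=$IFS
    IFS=", $(printf '\t')"        # tcpd lists are separated by commas and/or blanks
    for pat in $list; do
        IFS=$oldifs
        case "$pat" in
            ALL)     return 0 ;;                                     # wildcard
            *.)      case "$item" in "$pat"*) return 0 ;; esac ;;   # network prefix, e.g. 192.168.1.
            "$item") return 0 ;;                                     # exact match
        esac
    done
    IFS=$oldifs
    return 1
}

# hosts_file_matches FILE DAEMON CLIENT -> 0 if some rule line in FILE matches
hosts_file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac     # blank lines and comments
        case "$line" in *:*) ;; *) continue ;; esac    # need at least daemons:clients
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}      # a third field (shell command) does not affect the decision
        if _list_matches "$daemons" "$daemon" && _list_matches "$clients" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# tcpd_decision DAEMON CLIENT ALLOWFILE DENYFILE -> prints ALLOW or DENY
tcpd_decision() {
    if hosts_file_matches "$3" "$1" "$2"; then
        echo ALLOW
    elif hosts_file_matches "$4" "$1" "$2"; then
        echo DENY
    else
        echo ALLOW        # no rule in either file: tcpd lets the connection through
    fi
}

# Constructed rule files mirroring the article's examples; EMPTY_DENY stands
# in for the blank hosts.deny that many default installs ship with.
ALLOW=$(mktemp); DENY=$(mktemp); EMPTY_DENY=$(mktemp)
trap 'rm -f "$ALLOW" "$DENY" "$EMPTY_DENY"' EXIT
cat > "$DENY" <<'EOF'
ALL:ALL:/bin/mail -s "%s connection attempt from %c" mike@localhost
EOF
cat > "$ALLOW" <<'EOF'
# constructed hosts.allow
ALL:127.0.0.1
ipop3d:192.168.1.1, 192.168.1.4
sshd:10.0.0.
EOF

show() { printf '%-8s from %-13s -> %s\n' "$1" "$2" "$(tcpd_decision "$1" "$2" "$3" "$4")"; }
show ipop3d  192.168.1.1 "$ALLOW" "$DENY"        # ALLOW (listed explicitly)
show ipop3d  192.168.1.5 "$ALLOW" "$DENY"        # DENY  (not listed, default deny applies)
show sshd    10.0.0.7    "$ALLOW" "$DENY"        # ALLOW (matches the 10.0.0. prefix)
show sshd    192.168.1.1 "$ALLOW" "$DENY"        # DENY  (sshd is not open to that network)
show in.ftpd 127.0.0.1   "$ALLOW" "$DENY"        # ALLOW (ALL:127.0.0.1)
show ipop3d  192.168.1.5 "$ALLOW" "$EMPTY_DENY"  # ALLOW: with a blank hosts.deny everything is permitted
```

The last line is the point of the section: with hosts.deny left blank, a client that appears nowhere in hosts.allow is still let in, which is why the ALL:ALL default-deny line goes in first.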