Securing Linux - Part 3

Post install steps to securing a Linux box.

by Mike Peters, April 2004
(Originally published on Linux.com)

SSH

If you are accessing machines remotely, you should not be using Telnet. Telnet transmits information, including passwords, in plain text, which can easily be intercepted and read. SSH performs much the same task as Telnet, however it does so through an encrypted tunnel and is therefore much more secure.

There are a number of configuration options which you should consider when using SSH. These are set in the /etc/ssh/sshd_config and /etc/ssh/ssh_config files.

Firstly, set LoginGraceTime, the time a user has to enter their login information, to a low but sensible value, 30 seconds for example.

Make sure root is not allowed to login by setting PermitRootLogin to no. If you need root privileges you should login as a normal user and su to root.

Set StrictModes to yes; this ensures that users cannot access home directories owned by other users.

You can restrict the users who are allowed to login using ssh by setting the AllowUsers directive. Multiple users can be listed by separating them with a space:

AllowUsers user1 user2

If you need to restrict access to certain machines you can use the AllowHosts directive:

AllowHosts 192.168.1.2
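As an added check (not from the original article), the following Python script audits an sshd_config text for the directives above. It records the first occurrence of each keyword because that is the one sshd uses, so a PermitRootLogin no placed after a PermitRootLogin yes has no effect; the sample config and the defaults assumed for absent keywords are constructed for the example.

```python
import re
MAX_GRACE_SECONDS = 30   # the "low but sensible" value suggested above

def parse_sshd_config(text):
    """Map each keyword (lowercased) to the FIRST value sshd would use."""
    # sshd keeps the first occurrence of a keyword and ignores later ones, so a
    # hardening line after a permissive one has no effect; stop at the first Match.
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # strip comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)     # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        seen.setdefault(key, value)                       # first value wins
    return seen

def seconds(value):
    """Convert an sshd time value (30, 30s, 2m, 1h30m) to seconds."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smh]?)", value.lower()))

def audit_sshd_config(text):
    """Return findings for the directives recommended above; an empty list means clean."""
    # Absent keywords take that era's assumed defaults: PermitRootLogin yes, StrictModes yes, LoginGraceTime 120.
    cfg = parse_sshd_config(text)
    findings = []
    root = cfg.get("permitrootlogin", "yes")
    if root != "no":
        findings.append("PermitRootLogin is %s; set it to no" % root)
    if cfg.get("strictmodes", "yes") != "yes":
        findings.append("StrictModes is disabled; set it to yes")
    grace = seconds(cfg.get("logingracetime", "120"))
    if grace > MAX_GRACE_SECONDS:
        findings.append("LoginGraceTime is %ds; lower it to %ds" % (grace, MAX_GRACE_SECONDS))
    if "allowusers" not in cfg:
        findings.append("no AllowUsers line; every account may try to log in")
    return findings
# Constructed sample config: the second PermitRootLogin line never takes effect.
SAMPLE_CONFIG = """\
PermitRootLogin yes
LoginGraceTime 2m
PermitRootLogin no    # too late: sshd already took the first value
AllowUsers alice bob
Match User deploy
    PermitRootLogin no
"""
```

On a live host, `sshd -T` prints the effective configuration and can be fed to audit_sshd_config instead of the raw file.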

SSH also provides scp and sftp, which are secure ways to transfer files between two machines over an ssh tunnel. For example, to copy a file called myfile to /home/foo on 192.168.1.2, you would use:

# scp myfile 192.168.1.2:/home/foo

Wherever possible you should use scp or sftp in place of ftp to transfer files between hosts.

Limiting Resource Usage with PAM

PAM (Pluggable Authentication Modules) allows you to configure how applications authenticate users. We can set limits on a user's system usage by editing the files under /etc/security.

A good place to start is with the /etc/security/limits.conf file. This file allows us to restrict resource usage by users or groups of users. For example, we can control CPU usage by time, restrict maximum file or data size, or limit the number of times a user can concurrently log in. Each line takes the form:

    <domain>        <type>  <item>  <value>

To prevent users hogging system resources we should limit the number of processes they are allowed:

    *       soft  nproc 100
    *       hard  nproc 150

You may also want to restrict the number of logins allowed to users and the maximum file size allowed:

    *       hard maxlogins 4
    @users  hard fsize 50000

Note that * indicates all users and @users affects only users belonging to the users group. The available options for <item> are listed in the limits.conf file itself. Limits can be hard or soft, selected with the hard and soft keywords in the <type> column. A hard limit cannot be exceeded: processes will be killed in order to stay within it. A soft limit results in users being warned when they exceed it, but no process will be killed.
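To see which values a given login actually receives when several lines match, here is an added Python resolver (not from the article) that applies the precedence pam_limits uses: an explicit user line overrides @group lines, which override *, whichever order they appear in. The sample file extends the lines quoted above with one constructed per-user entry.

```python
# Precedence pam_limits applies when several lines match one login: an explicit
# user line beats any @group line, which beats the * wildcard, whatever their
# order in the file; among lines of equal rank the last one wins.
RANK = {"user": 0, "group": 1, "wildcard": 2}

def parse_limits(text):
    """Yield (domain, type, item, value) for each well-formed limits.conf line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 4:
            yield tuple(fields)

def effective_limits(text, user, groups):
    """Return {(item, 'soft'|'hard'): value} that pam_limits would apply at login."""
    chosen = {}                                  # (item, type) -> (rank, value)
    for domain, ltype, item, value in parse_limits(text):
        if domain == "*":
            rank = RANK["wildcard"]
        elif domain.startswith("@") and domain[1:] in groups:
            rank = RANK["group"]
        elif domain == user:
            rank = RANK["user"]
        else:
            continue                             # line does not apply to this login
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            current = chosen.get((item, t))
            if current is None or rank <= current[0]:
                chosen[(item, t)] = (rank, value)
    return {key: value for key, (_, value) in chosen.items()}

def soft_above_hard(limits):
    """Items whose numeric soft limit exceeds the hard one; setrlimit() rejects such pairs."""
    bad = []
    for (item, t), soft in limits.items():
        hard = limits.get((item, "hard"), soft)
        if t == "soft" and soft.isdigit() and hard.isdigit() and int(soft) > int(hard):
            bad.append(item)
    return sorted(bad)

# Constructed sample: the lines quoted above plus one per-user override.
SAMPLE_LIMITS = """\
*       soft  nproc      100
*       hard  nproc      150
*       hard  maxlogins  4
@users  hard  fsize      50000
alice   hard  maxlogins  10     # user line wins over the * line above
"""
```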

There are certain accounts that should never be allowed to login. These can be configured in the /etc/security/access.conf file.

-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL

The - sign at the beginning removes privileges from the listed accounts, and the keyword ALL indicates which privileges to remove. You should add any special accounts which do not require login privileges to this list.

Many other restrictions can be put in place using PAM, such as chroot environments and time-based logins; however, these are beyond the scope of this article.

Finally, you can restrict which users can su to root by adding the lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

to /etc/pam.d/su. This will require that a user be a member of the wheel group in order to su to root.

Set Up a Firewall Using iptables

With today's widespread availability of easy to use cracking tools any machine or network connected to the Internet needs to be protected by a firewall. Whilst I'm not going into the details of setting up a firewall in this article (see below for a link to many firewall and iptables resources), I'll mention a couple of things you need to bear in mind when configuring your firewall.

Firstly, make sure you set the default policy of the firewall to drop any packets (this should be standard in any firewall script you download anyway). Refuse any access to your external interface initiated from 127.0.0.1 or your internal network: a common way to fool firewalls is to spoof an internal network address and gain access by pretending to be a local machine. Finally, never allow access to services from external addresses unless you are certain you know what you are doing.

Once you have your firewall up and running, you should run a scan with a utility such as nmap to make sure that you really have closed off access to those services:

nmap -sT -PT your.external.ip.address

Run the scan from both within your network and from a remote machine not directly connected to your network and compare the results. If you don't have access to a remote machine running nmap, there are many online scanners such as Shields Up (https://grc.com/x/ne.dll?bh0bkyd2) which allow you to check your firewall.

Commonly Run Services

It is beyond the scope of this article to explain in detail how to secure all of the services which you may want to run on your network, but I shall go over a few commonly run services and some points which you should bear in mind. Generally speaking, if you are running a service on your network you should be as restrictive as possible in your policy. Deny everything by default and then give access to what you need, as opposed to allowing everything and blocking what you don't want.

Apache

Apache is the most commonly run web server on the Internet. You may want to run Apache on your home machine to test sites you have developed or maybe you run a small intranet. In this case you can restrict Apache to only allow access from certain hosts. For example, if you only want to allow access to local users, add the following line to httpd.conf:

Listen 127.0.0.1:80

The following can be used to restrict access to all but certain hosts:

    <Directory /var/www/htdocs>
     # Deny all accesses by default
     Order deny,allow
     # Allow access to local machine
     Allow from 127.0.0.1
     # Allow access to local network
     Allow from 192.168.1.
     # Allow access to a certain machine
     Allow from 192.168.3.6
     # Set the default policy to deny
     Deny from all
    </Directory>

Beware that using Apache's access controls is no substitute for a firewall and should only be used alongside a firewall as an extra level of security. Securing Apache to run a publicly available site on the Internet is beyond the scope of this guide and so I'll leave that for another day.
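The way Order combines those Allow and Deny lines is the part people most often get wrong, so here is an added Python model (not from the article) of the mod_access evaluation applied to the Directory block above. It also shows that the same lines under Order allow,deny would lock everyone out, because Deny from all then wins; hostname arguments and netmask forms other than CIDR are not modelled.

```python
import ipaddress

def parse_access(block):
    """Extract the Order and the Allow/Deny 'from' arguments of a Directory block."""
    order, allows, denies = "deny,allow", [], []          # deny,allow is Apache's default
    for raw in block.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        word = parts[0].lower()
        if word == "order":
            order = parts[1].lower()
        elif word in ("allow", "deny") and parts[1].lower() == "from":
            (allows if word == "allow" else denies).extend(p.lower() for p in parts[2:])
    return order, allows, denies

def host_matches(rule, ip):
    """Match one 'from' argument: all, a full IP, a partial IP (192.168.1.) or CIDR."""
    if rule == "all":
        return True
    if "/" in rule:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
    octets = rule.rstrip(".").split(".")        # partial address: leading octets only
    return ip.split(".")[:len(octets)] == octets

def client_allowed(block, ip):
    """Apply mod_access semantics: Order decides how Allow and Deny matches combine."""
    order, allows, denies = parse_access(block)
    allowed = any(host_matches(r, ip) for r in allows)
    denied = any(host_matches(r, ip) for r in denies)
    if order == "deny,allow":
        return allowed or not denied     # Allow wins over Deny; unlisted hosts pass
    return allowed and not denied        # allow,deny and mutual-failure: Deny wins; unlisted fail

# The Directory block from the article, used as sample input.
PAGE_BLOCK = """\
<Directory /var/www/htdocs>
 Order deny,allow
 Allow from 127.0.0.1
 Allow from 192.168.1.
 Allow from 192.168.3.6
 Deny from all
</Directory>
"""
```

Apache 2.4 replaced these directives with Require (mod_authz_host); the model above follows the 2.2-era syntax the article uses.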

FTP

If possible, you should avoid the use of FTP entirely as, like telnet, it transmits passwords in the clear. scp and sftp should be used as secure alternatives.

NFS

NFS is a commonly used utility to share files on Linux and UNIX networks. NFS is far from a secure protocol and should only be used with extreme caution. Only export the directories needed to the hosts that need them.

NFS implicitly trusts the client machine, meaning that if a user has root access to the client they can access any files exported to that machine, including those belonging to another user. This is true even with the root_squash option, which prevents the local root user having root privileges on remote filesystems. While root_squash is set by default, the user merely needs to su to another user in order to access their files. If you require a secure way to share files on your network you should look into NFSv4 in newer kernels or a secure alternative such as OpenAFS (http://www.openafs.org/).

Essential Tools

There are many tools available to make your life easier, some of which, such as nmap, I've already mentioned. Other tools which you should have in your arsenal:

chkrootkit - scans for many common rootkits on the local machine.

nmap - a popular open source port scanner.

tcpdump - should be available by default on most distros. Dumps the headers of network traffic for analysis.

ethereal - a powerful network analyzer.

Tripwire - monitors the integrity of files on your system and tracks any changes.

Portsentry and Logcheck - originally from http://www.psionic.com/abacus; it seems that the site is now owned by Cisco, however older versions should still be available from various mirrors (Google is your friend). Portsentry is a tool used to detect portscans and Logcheck will monitor log files and warn you of any suspicious activity.

Snort - a Network Intrusion Detection System which can monitor your network in real-time for suspicious activity.

iptables - the Linux firewall framework. http://www.linuxguruz.com/iptables/ contains a whole host of links to ready made firewall scripts and HOWTOs.

Conclusions

Remember that security is an ongoing process. Check regularly that you know exactly what services are running on your machine and frequently check your logs for suspicious activity -- after all, it's no good keeping logs if you don't check them.

Always stay up to date with the latest vulnerabilities in the software you run and patch your servers whenever updates are made available. Sign up to a vulnerability mailing list such as BugTraq. If your particular distro has a security or updates list make sure you join it. Most importantly of all, make sure you know what software is running on your hosts and only run the services that you really need. Don't run anything until you know what it does and what the possible consequences are.
