How To Lock down Linux by Steven J. Vaughan-Nichols - zdnet.com
Linux is, by design, a very secure operating system, but so what? You can have the best security system in the world on your house, but if you leave your front-door open anyone can still walk in. Even people who know better, like Linux kernel developers, blow it sometimes. That’s what happened to the Linux Foundation’s constellation of sites. Multiple important Linux sites were down for weeks and as of October 3rd, kernel.org is still down. This doesn’t have to happen to you. Here are a few simple suggestions from me, and some more advanced ones from Greg Kroah-Hartman, one of Linux’s lead developers.
First, here are some rules that everyone should know. Number one with a bullet is security expert Bruce Schneier’s mantra, “Security is a process, not a product.” I don’t care that your server was Fort Knox two weeks ago. If you haven’t updated your system with the latest security patches, checked to make sure your users haven’t started running a porn Web server, and looked over your network logs to see if someone or something isn’t up to mischief, then you can’t trust your system today.
In addition, as Kroah-Hartman wrote, “it is imperative that nobody falls victim to the belief that it cannot happen to them. We all need to check our systems for intrusions.” And, I might add, we need to keep doing it all the time.
Therefore, make darn sure that your root password, which should really be a passphrase, not a password, isn’t being used by anyone other than you. If your users really need fuller access than they usually get to the system, provide them with sudo access.
Thinking of users: Lock them down. Give them only as much permission and access as they absolutely must have. If it turns out they need access to, say, a group file directory, give it to them after they’ve shown a need for it, not before. While you’re at it, set their home directories to be encrypted.
Moving on to the network, every system connected to the Internet needs a firewall set up to, once again, give users the absolute minimum of needed access. If someone doesn’t need to use a network port, that port should be blocked. Period. End of statement.
That’s all security 101 stuff. Kroah-Hartman gets into more technical detail. Still, what he suggests doesn’t require you to be some kind of security ninja. You just need to know and practice some Linux administration basics.
For starters, if you have any suspicion that your system has been compromised, Kroah-Hartman suggests that you need a clean install of your operating system. If you have everyone’s home directories in a separate home partition (which you should), you can reinstall your operating system during an idle period and no one will even be the wiser that everything has been refreshed.
After that, Kroah-Hartman suggests that you “verify that your package signatures match what your package manager thinks they are. To do this on a rpm-based system, [such as Red Hat or openSUSE] run the following command:
rpm --verify --all
“Please read the rpm man page for information on how to interpret the output of this command.” On Debian Linux-based systems, such as Mint or Ubuntu, it’s more complicated. From a Bash shell you need to run the following:
dpkg -l \* | while read s n rest; do if [ "$s" == "ii" ]; then echo "$n"; fi; done > ~/tmp.txt
for f in $(cat ~/tmp.txt); do debsums -s -a "$f"; done
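As an added example (not from the original article or from Kroah-Hartman's message), this Bash function triages the output of the rpm verification command above, using the flag columns documented in the rpm man page. The HIGH/REVIEW labels, the function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Triage `rpm --verify --all` output read on stdin. Per rpm(8), each line is a
# flag column (SM5DLUGTP, "." = test passed, "?" = test not performed, or the
# word "missing"), an optional file-type marker (c d g l r), then the path.
# The HIGH/REVIEW labels are this example's own convention, not rpm's.
triage_rpm_verify() {
  awk '
    NF < 2 { next }                         # skip blank or malformed lines
    {
      flags = $1; rest = $0
      sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest) # drop the flag column
      type = "-"
      if (rest ~ /^[cdglr][ \t]+\//) {      # marker present (c = config file)
        type = substr(rest, 1, 1)
        sub(/^[cdglr][ \t]+/, "", rest)
      }
      if (flags == "missing")        why = "file missing"
      else if (index(flags, "5"))    why = "content digest differs from package"
      else if (flags ~ /[MUG]/)      why = "mode or ownership changed"
      else if (index(flags, "?"))    why = "could not be verified"
      else next                      # size/mtime/link-only drift: not reported
      # Edited config/doc files are common, so they get REVIEW; a changed
      # binary or library with no marker is the case to chase first.
      sev = (type == "-" && why != "could not be verified") ? "HIGH" : "REVIEW"
      printf "%s\t%s\t%s\n", sev, rest, why
    }'
}

# Constructed sample lines (not captured from a real host).
sample_verify_output() {
  cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd
.M.......    /usr/bin/passwd
.......T.  d /usr/share/doc/bash/README
missing      /usr/bin/lsof
....L....  c /etc/pam.d/system-auth
EOF
}

sample_verify_output | triage_rpm_verify
```

On a live system the input would come from `rpm --verify --all | triage_rpm_verify`. The comparison is made against the local RPM database, so a result from a host you already distrust is only as good as that database.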
Let’s say you find a program that smells funny. You’ll want to get rid of it and install a fresh version. To do this, first stop the program from running. Using the Secure Shell (ssh) daemon as the example, that’s done with the following command:
$ /etc/init.d/sshd stop
and then re-install the suspect program.
You should also get into the habit of not just glancing over your startup scripts and system logs from inside your operating system – you are already doing that, right? Right!? – but also taking your system down, rebooting it with a live CD Linux distribution, and checking for rogue start-up scripts and odd log entries. For this kind of work, I prefer to use a Linux distribution like SystemRescueCd, which is designed for repair work, to look a system over for problems. You can use any live CD distribution, though, and if you’re happy with your main Linux, there’s no reason not to use, say, a live Ubuntu USB stick or CD to look over an Ubuntu system.
If you do all this, well you can still be cracked if an expert is targeting you, but you’ll be a lot safer from run-of-the-mill crackers and their automated programs. Good luck and stay safe out there. Even for Linux users, it’s a dangerous old Internet out there.