Securing Linux Tutorial


How to secure your Linux Box : Part 1

Posted by abhay, 19-08-2004

Recently, I have been watching a lot of my friends who use various versions of Windows getting a lot of viruses, mostly because of their negligence/ignorance. This sudden spurt in spread of Viruses/Worms/Trojans etc. made me think about Linux security. It also made me realise how vast this topic of "Securing a Linux Box" can be.
I tried searching Google for an easy and concise How-To on securing my Linux install but was unable to find one. It made me write this series of 3 very basic guides to enable a user to put his first steps on the way to having a secure system.
This first part of the series will cover the basic tweaks that will help you close any open doors to your PC and remove any weak links that might lead to an easy way through your system.
So then let's start...
__________________
Spread the message, not the virus
--------------------------------------------

If you use any distro of Linux then please get counted.
Currently Goa has maximum number of Linux users per million Population (40.21).
To know about your state's UPMP visit this page
1) Password: The first step in making a Linux box secure is for you to realise that good passwords are the backbone of Linux security. An easily guessed word or date or a dictionary word for that matter is as bad a password as none at all. The amazing thing is that even weak passwords can be turned into strong ones pretty easily. If you love your name and you always remember a particular date (maybe your gf's b'day? ) then combining both of them in a random order might be a very good idea. For example: 14ab07ha19y83 is a way better password than just 'abhay' or '14071983'. Even better would be if you could add a few special characters to it like this: 14ab#$07ha&^19y83. Yes, the password is extremely difficult to remember, thus you must practice it before you apply it to something as important as your root account.
If you are not smart enough or you are too lazy to make good passwords for yourself then give a visit to
AllSeek.NFO or
TechZoom
The former is a better link as it also gives you a way to say your password so that you can remember it easily.
NOTE: I strictly recommend making your own passwords instead of using such tools.

2) Securing LILO: Before everyone pounces on me by saying "Oh!!! Start using GRUB", I would like to say that I am a bit old fashioned. Yes, I like LILO and love to stay with it, but not with a HUGE flaw in its security. Before I go on explaining to you how you can remove this major loophole, I would like to explain what it is.
If you are using LILO then rather than just pressing the "Enter" key at the LILO prompt, write this at the LILO prompt.
Code:
linux single
or
Code:
linux 1
You can see that I am just adding single or 1 after the word linux (this is the label with which you identify your Linux snippet in lilo.conf) and telling LILO to boot into single user mode. This single user mode will log you or any other smart-a$$ friend of yours into a root shell where you can do everything you desire.
Some distros have grown out of this vulnerability and now add sulogin to their start up scripts. This will ask you for a root password once the system boots before taking you to the root shell, but then there is a workaround to this security as well, by doing the following at the LILO prompt.
Code:
linux init=/bin/bash
Do you see what I am doing here? Yes, you guessed it, I am telling init to launch /bin/bash as root as soon as the system starts. I could have launched anything I wanted but /bin/bash would be the most convenient thing to have. The only problem in this method is that all your disks are mounted in ro mode i.e. read-only mode.
To get around this, pass the following commands
Code:
# fsck /
# mount -o rw,remount /
Now, we are logged in as root, no questions asked!!!
To get around this potentially serious security loophole, you need to set a password for LILO so that you need to give the LILO password if you pass any parameters at the LILO prompt.
The resulting lilo.conf snippet will look something like this
Quote:
image = /boot/vmlinuz-2.6.8.1
label = slackware
restricted
password=<YourLILOPassword>

root = /dev/hdb2
read-only
The restricted and password lines are the thing of concern here. I am telling LILO to have restricted access with a password. Now every time I pass some parameters to LILO it will ask me for the password. If I change restricted to mandatory then you will need to give the password every time you want to boot.
Also, you should change your lilo.conf permissions to 600 by passing the following command
Code:
# chmod 600 /etc/lilo.conf

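As an added check (not part of abhay's guide), the script below parses a lilo.conf for image stanzas that can be booted with extra parameters but have no restricted/mandatory plus password protecting them, and tests that the file mode keeps the clear-text password private. The function names, the argument-based file path and the constructed sample lilo.conf are assumptions.

```shell
#!/bin/sh
# Added check, not from the original post: reports lilo.conf image stanzas
# that lack restricted/mandatory together with a password, and verifies the
# file is readable by its owner alone (the password is stored in clear text).
# The config path is an argument so a constructed copy can be tested.

# Print "unprotected: <label>" for every image/other stanza that is not
# covered by a password and a restricted/mandatory mode (global options count).
lilo_audit() {
    awk '
        function check() {
            if (inimg && !((pw || gpw) && (mode || gmode)))
                print "unprotected: " (label != "" ? label : img)
        }
        /^[ \t]*#/ { next }
        /^[ \t]*(image|other)[ \t]*=/ {
            check(); inimg = 1; pw = 0; mode = 0; label = ""
            sub(/^[^=]*=[ \t]*/, ""); img = $0; next
        }
        /^[ \t]*label[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); label = $0 }
        /^[ \t]*password[ \t]*=/ { if (inimg) pw = 1; else gpw = 1 }
        /^[ \t]*(restricted|mandatory)[ \t]*$/ { if (inimg) mode = 1; else gmode = 1 }
        END { check() }
    ' "$1"
}

# Succeeds only when the file is readable by its owner alone (mode 600 or 400).
lilo_perms_ok() {
    case $(ls -ld "$1") in
        ?rw-------*|?r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: one protected stanza (as in the thread) and one that
# is not; deliberately created world-readable so the mode check has work.
make_lilo_sample() {
    d=$(mktemp -d)
    cat > "$d/lilo.conf" <<'EOF'
boot = /dev/hda
image = /boot/vmlinuz-2.6.8.1
  label = slackware
  restricted
  password=<YourLILOPassword>
  root = /dev/hdb2
  read-only
image = /boot/vmlinuz-old
  label = rescue
  root = /dev/hdb2
EOF
    chmod 644 "$d/lilo.conf"
    echo "$d/lilo.conf"
}
```

Run it against the real file with `lilo_audit /etc/lilo.conf` as root; the rescue stanza in the sample is the kind of entry that still lets someone boot with init=/bin/bash unchallenged.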
3) Open Ports, Services and nmap: nmap is a very important tool in managing your own security. It is a port scanner that can also tell which all ports are open on your system i.e. doors to your lovely home.
Pass the following command in a console window
Code:
root@darkstar:/home/abhay# nmap -P0 -O localhost

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-08-18 20:28 IST
Interesting ports on localhost (127.0.0.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
110/tcp open pop3
6000/tcp open X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.5.25 - 2.5.70 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 0.058 days (since Wed Aug 18 19:04:33 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 5.371 seconds
root@darkstar:/home/abhay#
As you can see, I have three ports open. Two are for the smtp and pop3 servers I run (25 and 110 respectively) and 6000 is the X server. You will have different results depending on the open ports and running services on your system.
If you suspect something fishy and don't want a particular port to be opened on your PC then it is time to take action.

I Part: This part will involve finding out whether a port has been opened by a cracker or by a valid service on your system. To check whether the port has been opened by an official service, pass the following command.
Code:
grep <port> /etc/services
If no output comes out then it means that the port is not associated with any known service. Next issue this command
Code:
netstat -anp | grep <port>
This command will tell you which process has opened the port and whether it is connecting to an IP or not. Usually a cracker will not allow an opened port to be reported in netstat so if you get an output from the above command then most probably it is a service separately installed from all the known services of the system.

II Part: This part deals with all the unwanted ports that have been reported by nmap. Now here comes the difficult part for me. There are various distros in the market today and they use two different ways to handle services i.e. inetd and xinetd. I have more experience with inetd as Slackware Linux uses inetd to handle services, but I will still try to throw some light on xinetd. For this part I would recommend using your distro specific control centre for dealing with services.

inetd part: To establish whether the inetd daemon is running or not, pass the following command in a console window
Code:
root@darkstar:/home/abhay# ps aux | grep inetd
root 2289 0.0 0.1 1380 524 ? Ss 22:25 0:00 /usr/sbin/inetd
root 2898 0.0 0.1 1676 584 pts/2 R+ 22:47 0:00 grep inetd
The command and output are written above and they show that the inetd daemon is running. The next step is to know which all services are being run by inetd.
Code:
root@darkstar:/home/abhay# grep -v "^#" /etc/inetd.conf
pop3 stream tcp nowait root /usr/sbin/tcpd <system specific entry>
smtp stream tcp nowait root /usr/sbin/tcpd <system specific entry>
The command entered above shows that I have two services running for my pop3 and smtp servers (I have edited the part that shows which servers I am running).
Stopping services run by inetd is extremely easy. You need to edit the /etc/inetd.conf file and comment out the unwanted services by adding a hash (#) before each entry. For example: finger, ntalk and telnet etc.
Then restart the inetd daemon or restart the PC. Run nmap and the whole process mentioned above to find more open ports and the services related to them.

xinetd part: If you have xinetd managing your system services then you should pass the following commands to establish whether xinetd is running or not.
Code:
ps aux | grep xinetd
Now to check which all services xinetd is running on your PC, you need to pass the following command.
Code:
ls -l /etc/xinetd.d/*
This will give you a list of all the services installed and monitored by xinetd on your PC. Each service has a different file. I am giving a sample structure of a xinetd service file.
Code:
# default: off
# description: The talk server accepts talk requests for chatting with
# users on other systems.
service talk
{
disable = no
socket_type = dgram
wait = yes
user = nobody
group = tty
server = /usr/bin/in.talkd
}
Now, to switch the talk service off, change the disable value to yes instead of no. Disable all the services you do not need and restart the xinetd daemon or restart the PC. Run nmap and the whole process mentioned above to find more open ports and the services related to them.

Miscellaneous Part: Not all services are, and should be, managed by inetd or xinetd as the daemon itself might have problems, thus network services are slowly but surely moving out of the control of these two daemons. If after following the above mentioned steps you still find some open ports then they must be because of network services that are not being controlled by inetd or xinetd. To deal with them, you need to look into the /etc/rc.d directory by passing the following command.
Code:
# cd /etc/rc.d
# ls -l
There you will find various directories that might look like rc0.d, rc1.d and so on. The numbers in these directories represent the run-levels on which the scripts in these directories are executed. For example: If your system starts with X-windows then it is most probably starting at run-level 5, which will lead to the scripts in the rc5.d directory being executed on start up (you can know more about runlevels by reading man inittab).
To disable services in these directories I highly recommend using GUI tools like Mandrake Control Center, linuxconf and YaST etc. but if you want to be playful then go ahead and delete the unneeded files in the runlevel directory. These are just softlinks to the original files so you will not cause major damage to your system, but you must know how to solve a boo-boo.
Go through the nmap procedure once again so that you are absolutely sure of which ports are open and whether you need them or not. Phew...a really long quest is over ;-)
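The lookup steps in this post (port name from /etc/services, which services inetd and xinetd would start) can be automated; the script below is an added helper, not abhay's code, and the netstat step stays manual. The environment variables for file locations, the function names and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the original post: names a port from the
# services table and lists what inetd and xinetd would start. File locations
# come from environment variables so the constructed sample can run unprivileged.
SERVICES_FILE="${SERVICES_FILE:-/etc/services}"
INETD_CONF="${INETD_CONF:-/etc/inetd.conf}"
XINETD_DIR="${XINETD_DIR:-/etc/xinetd.d}"

# Name registered for a TCP port in the services table, or "unknown".
service_for_port() {
    name=$(awk -v p="$1/tcp" '$2 == p { print $1; exit }' "$SERVICES_FILE")
    echo "${name:-unknown}"
}

# Services inetd will start: every entry that is not commented out.
inetd_enabled() {
    grep -v '^[[:space:]]*#' "$INETD_CONF" | awk 'NF { print $1 }'
}

# Services xinetd will start: files without "disable = yes"
# (a missing disable line means the service is enabled).
xinetd_enabled() {
    for f in "$XINETD_DIR"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f" || basename "$f"
    done
}

# Report for a list of ports, e.g. the ones nmap showed as open.
audit_ports() {
    for p in "$@"; do
        echo "$p: $(service_for_port "$p")"
    done
    echo "inetd: $(inetd_enabled | tr '\n' ' ')"
    echo "xinetd: $(xinetd_enabled | tr '\n' ' ')"
}

# Constructed sample tree mirroring the thread's smtp/pop3 setup:
# finger commented out in inetd.conf, talk on and telnet off under xinetd.
make_services_sample() {
    d=$(mktemp -d)
    mkdir "$d/xinetd.d"
    printf 'smtp\t25/tcp\tmail\npop3\t110/tcp\tpop-3\n' > "$d/services"
    printf '#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd\n' > "$d/inetd.conf"
    printf 'pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d\n' >> "$d/inetd.conf"
    printf 'service talk\n{\n\tdisable = no\n}\n' > "$d/xinetd.d/talk"
    printf 'service telnet\n{\n\tdisable = yes\n}\n' > "$d/xinetd.d/telnet"
    echo "$d"
}
```

On a live box, `audit_ports 25 110 6000` with the defaults reproduces the lookups for the three ports in the nmap output above; a port that comes back "unknown" and is absent from both lists is the one to chase with netstat -anp.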
4) host files: Now we come to a simple but effective protection setting. This setting is done using the host files located in your /etc directory. These files are often overlooked by avid tweakers as they can be easily cheated, but I like keeping them tuned. I will be giving the output of my host files along with explaining what they do.
(i) /etc/hosts: This file contains a list of known hosts on network. I like to keep it clean with just localhost entries.
Code:
root@darkstar:/# cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 darkstar.slacknet darkstar
(ii) /etc/host.conf: This file controls the resolver setup of a system i.e. this is the file that is looked at first whenever a connection attempt needs to be resolved.
Code:
root@darkstar:/# cat /etc/host.conf
order hosts, bind
multi on
nospoof on
Also look at man host.conf.

(iii) /etc/hosts.equiv: This file contains a list of all the hosts on network that should be given equivalent rights as that of the localhost.
Code:
root@darkstar:/# cat /etc/hosts.equiv
localhost
(iv) /etc/hosts.allow: This file contains a list of all the hosts that should be allowed to gain access to your system.
Code:
root@darkstar:/# cat /etc/hosts.allow
ALL: localhost
(v) /etc/hosts.deny: This file contains a list of all the hosts that are denied access to your system. I would recommend you to make your hosts.deny look like mine and if you need any system to get access then add that exception in hosts.allow file.
Code:
root@darkstar:/# cat /etc/hosts.deny
ALL: ALL
If used properly, host files can be very helpful in securing you.
All these files have self explanatory names but if you still need any help then you can ask about it.

5) Updates: Just like Windows, Linux software releases updates/patches regularly. Linux software is not absolutely free from bugs or security loopholes, so please do not fall for this myth. Make it a religious practice to update your distro using any package tool it comes with. These days an update tool is available for almost every distro. Either they are inbuilt or can be obtained as a third party application. Here are a few examples:-
Quote:
ArchLinux - Pacman
Debian - Apt + Synaptic
Fedora Core - Apt + Synaptic
SuSE - Apt, YaST Online Update (YOU)
Mandrake - urpmi
Gentoo - Portage
Slackware - SWARET / Slapt-Get
(If I have missed some distros offering good update tools then please PM me)
Any distro not offering easy and prompt updates is not worth using (IMHO). Make it a weekly or bi-weekly practice to check for updates and install them if necessary. (Refrain from updating gcc)
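To see why the ALL: ALL deny file plus exceptions in hosts.allow works, the script below (an added example, not abhay's code) evaluates the order tcpd uses: a hosts.allow match grants, otherwise a hosts.deny match refuses, otherwise access is granted. It only understands ALL, daemon names and exact client names or addresses; netmasks, wildcards and EXCEPT are assumed away, and the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a simplified evaluator of the
# hosts.allow / hosts.deny decision order used by tcpd. Only ALL, daemon
# names and exact client names/addresses are understood (no netmasks,
# wildcards or EXCEPT). Files are arguments so constructed copies can be used.

# Succeeds when some "daemons : clients" line in file $1 covers daemon $2
# and client $3; comments, blank lines and a missing file never match.
wrappers_match() {
    [ -f "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | awk -F: -v s="$2" -v h="$3" '
        NF >= 2 {
            n = split($1, d, /[ \t,]+/); dm = 0
            for (i = 1; i <= n; i++) if (d[i] == "ALL" || d[i] == s) dm = 1
            m = split($2, c, /[ \t,]+/); cm = 0
            for (i = 1; i <= m; i++) if (c[i] == "ALL" || c[i] == h) cm = 1
            if (dm && cm) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# Prints allow or deny for daemon $3 from client $4, given allow file $1
# and deny file $2. Note the last branch: with no deny entry, access is open.
wrappers_decide() {
    if wrappers_match "$1" "$3" "$4"; then echo allow
    elif wrappers_match "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed sample: the thread's deny-everything default with two
# exceptions, plus an empty deny file to show the default-open behaviour.
make_wrappers_sample() {
    d=$(mktemp -d)
    printf '# local users and one remote admin box\nALL: localhost\nsshd: 192.168.1.10\n' > "$d/hosts.allow"
    printf 'ALL: ALL\n' > "$d/hosts.deny"
    : > "$d/hosts.deny.empty"
    echo "$d"
}
```

The empty deny file case is the point of the post: without ALL: ALL in hosts.deny, every service not mentioned anywhere stays reachable from every host.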
6) Conclusion: After doing all the above mentioned things your system should be reasonably secure from cracking attacks, but I would still like to point out a few last-minute things.
i) Lots of network related applications come with their own IP settings and they might allow you to give them a range of IPs that will be allowed to access the application. Use this feature to set per application IP settings.
ii) Always try and read the README files and man pages. They are there for your reading and not for deleting. They might give you very important stuff to secure yourself.
iii) Try to "compile and install" programs rather than relying on pre-compiled binaries. Never, and I mean NEVER, use any precompiled applications unless you trust the source.
iv) Never work as root unless you MUST.

Please post whether this guide helped you or not and if you would like any additions in it. If you find any faults, spelling mistakes or grammatical errors then do PM me or send me a mail. My next guide in this series will require you to have a bit of prior knowledge about kernel compiling. If you don't know how to compile a kernel then I recommend you to read an extremely good guide written by kingkrool located here.

Disclaimer: This guide is written with no guarantee at all. All the tweaks have been tried and tested by me on my own Slackware 10 (Kernel 2.6.8.1) box. You MUST backup before trying any of the commands mentioned above. I must not be held responsible for any harm done by these tweaks to your system.

Copyleft: This guide is copylefted and comes with full open source feeling. If you want to copy the whole or any part of this guide then you are totally free to do so but I would love it if you gave me some credit and sent me a link if possible on abhay.kedia<at>gmail.com

Additional Reading:
Redhat Linux 9 Manual
Hacking Linux Exposed
man lilo.conf
man nmap
man inetd (or xinetd)
man hosts
man host.conf
This page contains a single entry by writch published on February 26, 2009 6:40 PM.