Monday, October 5, 2009

Linux Security Practices

Protect the root account
The root, or superuser, account on a Linux system allows access to anything and everything, so it is well worth taking extra steps to protect it. Start by setting a long, hard-to-guess password for this account with the passwd command and change it on a regular basis. Better still, give each administrator a personal account and have them run privileged commands through sudo, so that every root action is tied to a named user and recorded in the logs.

Next, restrict the terminals from which root may log in by editing /etc/securetty. Note that this file only governs local console logins through login(1) and pam_securetty; root logins over SSH are controlled separately by the PermitRootLogin directive in /etc/ssh/sshd_config, which should be set to no. To avoid users leaving a root terminal "open", set an idle timeout for root shells by exporting the bash TMOUT variable (a number of seconds) from root's profile and marking it readonly so that it cannot be unset. If root's command history might capture sensitive information such as passwords typed on command lines, stop it being written to disk by setting HISTFILESIZE to 0 in the same profile; bear in mind that this also discards a record that is useful when reconstructing an incident. Finally, enforce a policy of using this account only to perform specific administrative tasks, and discourage users from logging in as root by default.

Next, require that every normal user account has a password, and ensure that passwords do not follow easily guessed patterns such as birthdays, user names or dictionary words. Do not rely on policy alone: enforce it at password-change time with a PAM password-quality module such as pam_cracklib, and check the result with a password cracker during the regular audit described below.

Install a firewall
A firewall filters the packets moving in and out of your server and ensures that only those matching pre-defined rules are permitted to enter or exit. On Linux the packet filter (netfilter) is part of the kernel itself and is configured from user space with the iptables command; the older ipchains interface belongs to 2.2-series kernels and should not be used on anything current. Begin by defining rules in the INPUT, OUTPUT and FORWARD chains for packets entering, leaving and passing through your host. Rules may match on source and destination IP addresses, network interfaces, ports, protocols, connection state or combinations of these attributes, and each rule names the action (ACCEPT, DROP or REJECT) to take when it matches. Set the default policy of the INPUT and FORWARD chains to DROP so that anything you have not explicitly allowed is discarded, and keep the rules as narrow as possible: a database port should be reachable from the application servers' addresses, not from the whole Internet. Once the rules are installed, test the firewall extensively, from an outside host as well as from the server itself, to ensure that no holes exist in it. A good firewall is your first line of defence against port scans and against exposure of services you had forgotten were running; it can also rate-limit abusive sources, but it cannot absorb a volumetric distributed denial of service (DDoS) attack, which has to be dealt with upstream of the server.
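As an added example of the testing step (this is not code from the original post), the following Python script parses the text format written by iptables-save and flags the two holes that most often survive a quick glance: a chain whose default policy is ACCEPT, and an ACCEPT rule that opens a port to every source address when that port is not on the allowlist. The two rulesets and the allowlist of ports 22, 80 and 443 are constructed for the example; on a real host you would feed it the output of iptables-save instead.

```python
"""Audit an iptables-save ruleset for holes (added example, not from the original post)."""
import re

# Constructed sample: an INPUT policy of the kind the text recommends.
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Constructed sample with two holes: INPUT falls through to ACCEPT, and the
# database port 3306 is open to every source.  5432 is fine: it is limited to
# the internal network with -s.
LEAKY_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 5432 -j ACCEPT
COMMIT
"""

# Assumption for the example: these are the only ports meant to be world-reachable.
ALLOWED_PORTS = {22, 80, 443}

POLICY_RE = re.compile(r"^:(\w+) (ACCEPT|DROP|REJECT) ")
RULE_RE = re.compile(r"^-A (\w+) (.*)$")


def _opt(rule, flag):
    """Value following an option such as -s, -p, --dport or -j in one rule, or None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r" (\S+)", rule)
    return m.group(1) if m else None


def audit_ruleset(text, allowed=ALLOWED_PORTS):
    """Return a list of findings for an iptables-save formatted ruleset.

    Checks: INPUT/FORWARD default policy must not be ACCEPT, and an ACCEPT rule in
    INPUT that matches a single --dport with no -s restriction (or -s 0.0.0.0/0)
    must use a port from the allowlist.  --dports/multiport and ipset matches are
    not understood and should be reviewed by hand.
    """
    findings = []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append(f"chain {chain} has default policy ACCEPT")
            continue
        m = RULE_RE.match(line)
        if not m or m.group(1) != "INPUT":
            continue
        rule = m.group(2)
        port = _opt(rule, "--dport")
        if _opt(rule, "-j") != "ACCEPT" or port is None:
            continue  # not an accept, or not a port-based rule (lo, state, ...)
        if _opt(rule, "-s") not in (None, "0.0.0.0/0"):
            continue  # restricted to a source network, not open to the world
        if int(port) not in allowed:
            proto = _opt(rule, "-p") or "any"
            findings.append(f"{proto}/{port} accepted from any source")
    return findings


if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED_RULES), ("leaky", LEAKY_RULES)):
        print(name, audit_ruleset(rules) or ["no findings"])
```

The script deliberately treats any ACCEPT without a -s restriction as world-reachable; an interface match such as -i eth1 is not enough on its own, since interfaces get re-plumbed. Run it against iptables-save output after every rule change, and pair it with an nmap scan from outside, because the ruleset on disk and the one loaded in the kernel are not always the same.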

Use OpenSSH for network transactions
If network transactions take place in plain text, an attacker positioned anywhere on the path can "sniff" the packets and read passwords and other sensitive information straight off the wire. Close this hole by using a secure shell implementation such as OpenSSH: use ssh and scp instead of telnet, rlogin and ftp for remote administration and file transfer, and wrap legacy plaintext protocols in an SSH port-forwarding "tunnel" so that they travel encrypted between the two hosts. Encrypting your connections in this manner makes it extremely hard for unauthorized users to read or alter your data over the network, provided the client verifies the server's host key on first contact and never ignores a host-key change, which is how a man-in-the-middle announces itself. On the server side, set PermitRootLogin to no in /etc/ssh/sshd_config and prefer public-key authentication over passwords, so that a sniffed or guessed password on its own is not enough to log in.

Disable unwanted services
Most Linux systems are installed with a wide variety of services enabled, such as FTP, telnet, UUCP and the r-services, and in most cases they are never used; each one is code listening on the network that an attacker can probe. Services started on demand by inetd are disabled by commenting out their lines in /etc/inetd.conf and sending inetd a HUP signal; under xinetd each service has its own file in /etc/xinetd.d/ in which you set disable = yes before restarting xinetd. Services that start during the boot process (database servers, for example) are controlled by the init scripts under /etc/rc.d/ (or /etc/init.d/) and their run-level links; disable them with your distribution's tool, such as chkconfig or update-rc.d, rather than hand-editing the directories. After each change, list the listening sockets with netstat -tlnp (or ss -tlnp on newer systems) and confirm that only the services you intend to offer remain. Many experienced administrators disable every service on a fresh install and leave only SSH listening, then re-enable services one at a time as they are actually needed.

Install an intrusion detection system
Intrusion detection systems (IDS) are early warning systems that tell you when something changes on your hosts or your network. They are a great way to identify (and produce evidence of) attempts to break into your system, at the cost of increased resource consumption and a stream of alerts that must be triaged, some of which will be false positives. Two well-known open-source IDSs cover the two halves of the problem: tripwire, a host-based integrity checker that records cryptographic checksums and attributes of important files and reports any later modification, addition or deletion; and snort, a network IDS that applies rule-based signatures to live traffic to identify attempts to probe or attack your system. Both can generate e-mail alerts (among other actions) and are useful when you suspect your network is being compromised but need definitive proof. Tripwire is only as trustworthy as its baseline: take it on a freshly installed, known-good system before the machine goes on the network, and keep the database and its signing keys on read-only or offline media so that an intruder who gains root cannot quietly update them.
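The following Python is an added example, not part of the original post and not Tripwire's own code, showing what a file-integrity checker of this kind actually does: it records the permission bits, size and SHA-256 digest of every regular file under a directory, stores that baseline, and later reports what was added, removed or modified. The directory tree, the file contents and the simulated tampering are all constructed inside a temporary directory; the paths bin/ls, etc/passwd, etc/shadow and tmp/rootshell are stand-ins for the real files you would watch.

```python
"""Tripwire-style file integrity check (added example, not Tripwire's code)."""
import hashlib
import json
import os
import stat
import tempfile


def _digest(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its mode, size and digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            baseline[os.path.relpath(full, root)] = {
                "mode": stat.S_IMODE(st.st_mode),   # catches chmod u+s and friends
                "size": st.st_size,
                "sha256": _digest(full),
            }
    return baseline


def compare(baseline, root):
    """Re-scan root and return what changed since the baseline, as sorted lists."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline)
                           if current[p] != baseline[p]),
    }


def _write(root, rel, data, mode=0o644):
    """Create a file with the given content and permission bits (constructed test data)."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Baseline a constructed tree, tamper with it as an intruder might, and report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"#!/bin/sh\nexec /bin/true\n", 0o755)
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/shadow", b"root:$6$salt$hash:15000:0:99999:7:::\n", 0o600)
        # Store the baseline the way tripwire stores its database.  Keep that copy
        # on read-only or offline media, or root can rewrite it after a break-in.
        saved = json.dumps(build_baseline(root))
        assert compare(json.loads(saved), root) == {"added": [], "removed": [], "modified": []}
        # Simulated intrusion: trojaned binary, new setuid shell, deleted file,
        # and a permission change with no content change.
        _write(root, "bin/ls", b"#!/bin/sh\nexec /bin/true\n# backdoor\n", 0o755)
        _write(root, "tmp/rootshell", b"#!/bin/sh\n", 0o4755)
        os.remove(os.path.join(root, "etc", "passwd"))
        os.chmod(os.path.join(root, "etc", "shadow"), 0o644)
        return compare(json.loads(saved), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The mode bits are part of the record on purpose: a setuid bit appearing on an existing binary, or /etc/shadow becoming world-readable, changes nothing in the file's content and would slip past a checksum-only comparison. Real deployments also record owner, inode and mtime, and sign the database rather than trusting a plain JSON file on the same disk.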

Use spam and anti-virus filters
Linux itself sees very few viruses, but the Windows client machines that read mail from your server are far more susceptible. It is therefore a good idea to install spam and virus filters on the mail server itself, so that suspicious messages are tagged or quarantined before they reach a desktop and one infected workstation does not turn into many.

Begin by installing SpamAssassin, a leading open-source tool that combines header and body tests, DNS blocklists and a Bayesian classifier to score and flag spam; it also supports per-user whitelists and blacklists, and its Bayesian filter can be trained on each user's mail for greater accuracy (greylisting, by contrast, is done at the MTA rather than by SpamAssassin). Next, install procmail for delivery-time filtering based on regular expressions; it sorts flagged mail into separate mailboxes according to recipes kept at either user or system level. Finally, install Clam AntiVirus (ClamAV), a free anti-virus toolkit that scans attachments as mail passes through the MTA (for example through clamav-milter with sendmail) and quarantines or strips what it finds.

Perform regular security audits
When it comes to securing your network, this step may be the most important. Here you put on a black hat and do your best to circumvent the defences you erected in the previous steps. Doing this gives you an immediate and objective assessment of how hard your systems really are, and identifies vulnerabilities that you should fix. Get authorisation before testing anything you do not own, and where possible work against a staging copy or during a maintenance window, since some of the tools below can crash fragile services.

A number of tools are available to help you in this audit: run password crackers such as Crack or John the Ripper against a copy of /etc/shadow to find weak passwords; use nmap from another host to see which ports are reachable from outside, and netstat or ss on the server itself to see what is listening and which process owns each socket (the two views should agree with each other and with your firewall rules); sniff the network with tcpdump to confirm that no credentials cross it in plain text; and try exploiting published vulnerabilities in your installed programs (Web server, firewall, Samba) to see whether they offer a way in, which also tells you whether your patching is current. If you do manage to find a way past your obstacles, rest assured that others will too; take immediate measures to close the openings.
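As an added example for both the service-disabling step above and the open-port check in this audit (not code from the original post), this Python parses the output of netstat -tlnp, ignores sockets bound to loopback, and reports every TCP socket that listens on a wildcard or public address for a port that is not on an allowlist. The netstat output and the allowlist of ports 22 and 80 are constructed for the example; on a real host run netstat -tlnp as root so that the program-name column is filled in, since the script reports the "-" placeholder as unknown.

```python
"""Audit listening TCP sockets from netstat -tlnp output (added example, not from the post)."""
import re

# Constructed sample of `netstat -tlnp` output; not captured from a real host.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1042/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      600/inetd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      600/inetd
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN      1207/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      -
"""

# Assumption for the example: only SSH and HTTP are meant to be reachable from other hosts.
ALLOWED_PORTS = {22, 80}

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<prog>\S+)"
)


def parse_netstat(text):
    """Return (proto, local address, port, program) for every listening TCP socket."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, UDP and non-listening lines
        prog = m.group("prog")
        # netstat prints PID/name, or '-' when run without the rights to see the owner.
        name = prog.split("/", 1)[1] if "/" in prog else "unknown"
        rows.append((m.group("proto"), m.group("addr"), int(m.group("port")), name))
    return rows


def audit_listeners(text, allowed=ALLOWED_PORTS):
    """List sockets reachable from other hosts on ports outside the allowlist."""
    findings = []
    for proto, addr, port, name in parse_netstat(text):
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback only: not exposed to the network
        if port in allowed:
            continue
        scope = "all interfaces" if addr in ("0.0.0.0", "::") else addr
        findings.append(f"{proto} port {port} ({name}) listening on {scope}")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(NETSTAT_SAMPLE):
        print(finding)
```

In the constructed sample the findings are the FTP and telnet listeners that inetd still offers, and an rpcbind-style port 111 on IPv6 whose owner is hidden because netstat was not run as root. Note that the MySQL socket is not reported because it is bound to 127.0.0.1; a service that must run but need not be reachable from other hosts should be bound to loopback in exactly this way, and the IPv6 column is worth a look because a service disabled for IPv4 is sometimes still listening on ::.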

Protecting your Linux system is an ongoing task, so you should not rest easy once you have completed the steps above. Subscribe to your distribution's security announcements and apply updates promptly, repeat the audit whenever the system changes, and visit the Linux security forums for more security tips.
