HAPPY PLANET - SECURITY
The future belongs to those who believe in the beauty of their dreams.
Welcome to Happy Planet - Security Section
"Deep in the sea are riches beyond compare.
But if you seek safety, it is on the shore."

Linux Security for Newbies

Box Examined: Linux RedHat

Welcome to another of my tutorials. This is a subject which has been covered many times before, and although I haven't read many other Linux security tutorials, I'm going to try to write it with a twist, so that you understand it and aren't left puzzled. The system I have chosen to write about is Red Hat, as that is what most newbies and kiddies are using these days, just so they can say they run Linux. I am going to rush through this tutorial and then flick back and add more detail, so if some parts seem to have bad English or don't follow on from one another, that's why.

Preparation

The best place to begin with the security and integrity of your system is the installation. Start with a fresh install of the system and carry out all security checks and modifications while offline. If you need updates, put the box on an isolated network away from script kiddies, so you can download the files on another machine and transfer them across the network. An unsecured box put straight online could be breached at any moment: it will be picked up by service scanners and the other junk kiddies use these days.

Installation

Alright, we are moving on now to the installation. What sort of installation shall we use: Workstation, Server or Custom? Choose Custom. This way we can be flexible in what we install and not end up with lots of bloated rubbish like "gabber", audio servers and other things we don't need. Obviously, the less stuff we have on the system, the fewer potential security risks we have. If you change your mind and need any of the software you chose not to install, you can always install it later by downloading the up-to-date version from the vendor's website.

Custom - Partitioning.

Now we have selected Custom we will need to partition the system. I won't dwell on this subject as it's all fairly straightforward, but we will make a few extra partitions to make the system more secure.
We create a separate /var partition rather than leaving /var on the root partition, which the installer would let you do. This prevents a system failure caused by log files filling the root partition: this is a method of DoS, because once the root partition is full the system cannot create files or do anything else, potentially crashing it. I find that around 300mb to 450mb will be sufficient for the /var partition, where all the email, system logging and other log-related stuff goes. It depends on what the system is used for, whether there is going to be extensive logging and whether a lot of mail will be coming in. Below is what the partition scheme will look like.
/ - Everything else.
/var - Around 350mb to 400mb, or more depending on how much mail you expect etc.
swap - I usually leave this at around 40mb; it should probably be made slightly larger, depending on the amount of RAM you have.
Now follow through and reboot when prompted.

System is installed.

Now we need to patch the system for security vulnerabilities in the software. Because it's Red Hat we will be using rpm-based packages. Remember the box should still be on the isolated network and not on a direct connection to the internet. I advise you to download the files and patches on the main box connected to the net and then copy them over the network to the system we are patching. An example of patching the system with rpm is shown below.
$ rpm -Uvh <rpmfile>.rpm
Now if you have been reckless and confident and put the box online, or you are upgrading software on a system which is already connected to the net, then you can use the following command to fetch and install the package in one go:
$ rpm -Uvh ftp://<ftp path to the patch goes here>.rpm
Then again, if you're feeling slightly lazy, which should be a complete "no no" with security, as that is where over 90% of compromises come from, whether it be lazy programmers or lazy administrators, you can use a utility called "up2date". This is a much faster alternative, as you don't have to go poking around your system looking for files which need updating: it finds them all, checks the mirror for new updates, and then you can update them all at once. Now reboot the system and we will concentrate on shutting down services.

Shutting down services

How do we know which services are uncommented, and thus running?
A simple way is to use the grep command as shown below, which prints every line of the inetd configuration that does not start with a comment:
$ grep -v "^#" /etc/inetd.conf
To edit the file we use one of our favourite text editors like vi: open the file and comment out the services which you do not want running by adding a # to the beginning of each of their lines. I chose to shut down ftp, finger and telnet, and opted to use ssh to log in to my box remotely. Now we have edited which services should be running we need to restart inetd; we do this by sending it a HUP signal:
$ kill -HUP <pid of inetd>
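The same grep check and the commenting-out step, as an added shell example that is not part of the original tutorial. It works on a constructed copy of inetd.conf in a scratch directory (the file contents are made up for the example; the service lines on a real Red Hat box differ), so it can be tried without touching /etc/inetd.conf. The helper names active_services, disable_service and reload_inetd are the example's own; reload_inetd uses pidof instead of looking the pid up by hand and only prints a message when no inetd is running.

```shell
#!/bin/sh
# Added example (not from the tutorial): operate on a constructed copy of
# inetd.conf so the steps can be run anywhere without touching the real file.
WORK=$(mktemp -d)
INETD_CONF="$WORK/inetd.conf"
cat > "$INETD_CONF" <<'EOF'
# inetd.conf (constructed sample for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF

# Same idea as the tutorial's grep -v "^#": print the names of the services
# whose lines are not commented out (first field of each live line).
active_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Comment out one service by name. Only the line whose first field is exactly
# $2 is touched; a '#' is prepended so the line can be restored later.
disable_service() {
    conf=$1; svc=$2
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# The tutorial's "kill -HUP <pid of inetd>", with pidof finding the pid.
# Nothing is running here, so it just reports what it would do.
reload_inetd() {
    pid=$(pidof inetd 2>/dev/null || true)
    if [ -n "$pid" ]; then
        kill -HUP "$pid"
    else
        echo "inetd not running; would send SIGHUP to reload the config"
    fi
}

for svc in ftp finger telnet; do
    disable_service "$INETD_CONF" "$svc"
done
echo "still enabled:"; active_services "$INETD_CONF"
reload_inetd
```

After the three disables only auth remains uncommented in the sample file; the disabled lines are kept with a leading # exactly as the tutorial describes, so grep -v "^#" no longer shows them.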

Startup Scripts

Now we need to get rid of all the unneeded startup scripts on the system, to make it more secure. Where you find these scripts depends on whether you boot automatically into a user interface; we only need to keep the startup scripts which are absolutely needed for system operation, otherwise off they go. Below I list quite a few default startup scripts which are usually enabled on a fresh install.

Script List

S72amd - AutoMount daemon.
S75gated - Used to run other routing protocols, such as OSPF.
S80sendmail - The sendmail pop3 daemon.
S85httpd - Usually the Apache web server.
S87ypbind - Use only if you're an NIS client.
S90xfs - X font server.
S95innd - A basic news server.
S99linuxconf - Remote administration of the system via a browser.
S50snmpd - SNMP daemon.
S55named - DNS server.
S55routed - RIP; don't run this unless you REALLY need it.
S60lpd - Printer services, not much need.
S60mars-nwe - Netware file and print server.
S60nfs - Used for an NFS server.
S05apmd - You only need this for laptops.
S10xntpd - Network time protocol.
S11portmap - Required if you have any RPC services.
S15sound - Sound card related, no use on a server.
S15netfs - This is the NFS client.
S20rstatd - The r services are a risk; they give away information about the system.
S20rusersd - Not much need.
S20rwhod - Not much need.
S20rwalld - Again, not much need.
S20bootparamd - Used for diskless clients.
S25squid - A small proxy server.
S34yppasswdd - Required if you are an NIS server.
S35ypserv - Required if you are an NIS server.
S35dhcpd - Starts the DHCP server daemon.
S40atd - Used for the at service, similar to cron.
S45pcmcia - You only need this script for laptops.

So how do we turn these off ?

OK, so you have now decided which scripts you really need and which you don't. To turn the unwanted ones off we simply cd into the rc directory which holds all these files and change the large S at the start of the file name into a small s; this prevents the script from starting at boot time.
Alternatively, you can check before you do this to see which scripts are actually set to run at boot time by typing the following command:
# ps aux | wc -l
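The rename trick from the paragraph above, as an added shell example that is not part of the tutorial. It builds a constructed rc3.d directory of empty files in place of /etc/rc.d/rc3.d (on a real box the entries are symlinks into /etc/rc.d/init.d), lists what would start at boot and then disables a few entries by renaming S to s. One caveat worth knowing: ps aux | wc -l counts the processes running right now, not the scripts set to run at boot, so listing the S* entries in the runlevel directory is the check that actually answers that question. The names enabled_scripts and disable_script are the example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): a constructed rc3.d directory stands
# in for /etc/rc.d/rc3.d so the S-to-s rename can be tried safely.
WORK=$(mktemp -d)
RCDIR="$WORK/rc3.d"
mkdir -p "$RCDIR"
for s in S05apmd S10xntpd S11portmap S20rstatd S55routed S60lpd S80sendmail; do
    : > "$RCDIR/$s"          # empty stand-ins for the init script links
done

# What starts at boot: init runs every S* entry of the runlevel directory in
# order, so listing them (not ps aux) shows what is enabled. Prints the
# service name with the SNN prefix stripped.
enabled_scripts() {
    for f in "$1"/S[0-9][0-9]*; do
        if [ -e "$f" ]; then
            basename "$f" | sed 's/^S[0-9][0-9]//'
        fi
    done
}

# The tutorial's method: rename the capital S to a lower-case s. init only
# looks at S* and K* entries, so an s* file is ignored but kept around, which
# makes re-enabling a matter of renaming it back.
disable_script() {
    dir=$1; name=$2
    for f in "$dir"/S[0-9][0-9]"$name"; do
        if [ -e "$f" ]; then
            mv "$f" "$dir/s${f##*/S}"
        fi
    done
}

for svc in apmd rstatd routed lpd; do
    disable_script "$RCDIR" "$svc"
done
echo "enabled at boot:"; enabled_scripts "$RCDIR"
```

On Red Hat the same thing can be done more cleanly with chkconfig (chkconfig rstatd off removes the S link from the runlevels), but the rename works on any SysV-style rc directory and is easy to undo.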

Logging should i or not?

Well, personally I run low-spec systems for my servers, ranging from SPARC 2s to SPARC 5s, so system performance and memory usage are very important to me, and I tend to turn off every service which I see as a waste of system resources.
Obviously, if you are a company highly concerned about monitoring what users do to the system, and about finding the culprit if any breach happens, then I would highly recommend running the logging daemons. But if you are a home user, or a home user who has his own basic server in his room, then there is not much need to run these. Let's admit it, logs take up space, and how many of us actually spend time reading them every day? It's just one less service and one less security risk.

User Accounts

First things first, we should cat the passwd file and see what accounts are lurking within it. We do this by typing the following:
# cat /etc/passwd
The output should be similar to the one below:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntfx:x:500:500:ntfx:/home/ntfx:/bin/bash

Now, to remove all default and unneeded accounts we simply type:
# userdel -r <username>
This removes the username and the home directory of the user.
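A set of checks on a passwd file, added here as an example and not part of the tutorial. It copies the sample output above into a scratch file (so nothing reads or modifies the real /etc/passwd) and reports which accounts can actually be logged into, any account with uid 0, and duplicated uids. Note the news account in the sample: its shell field is empty, and passwd(5) says an empty shell field means /bin/sh, so it is as much a login account as ntfx or the rpm account with /bin/bash. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit a passwd-format file.
# The entries are the sample output shown in the tutorial, written to a
# scratch file so the checks never touch the real /etc/passwd.
WORK=$(mktemp -d)
PASSWD="$WORK/passwd"
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntfx:x:500:500:ntfx:/home/ntfx:/bin/bash
EOF

# Accounts that can be logged into: the shell (field 7) is not a nologin-style
# shell, /bin/false or /dev/null, and not one of the sync/shutdown/halt
# one-shot commands. An empty field is included on purpose: passwd(5) says an
# empty shell field means /bin/sh.
login_accounts() {
    awk -F: '{
        sh = $7
        if (sh ~ /nologin$/ || sh == "/bin/false" || sh == "/dev/null") next
        if (sh == "/bin/sync" || sh == "/sbin/shutdown" || sh == "/sbin/halt") next
        print $1
    }' "$1"
}

# Accounts whose shell field is empty (the /bin/sh trap above).
empty_shell_accounts() { awk -F: '$7 == "" { print $1 }' "$1"; }

# Every uid 0 account is root whatever it is called; there should be one.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Two names sharing a uid are the same identity as far as the kernel cares.
duplicate_uids() { cut -d: -f3 "$1" | sort -n | uniq -d; }

echo "accounts with a usable login shell:"; login_accounts "$PASSWD"
echo "accounts with an empty shell field:"; empty_shell_accounts "$PASSWD"
echo "uid 0 accounts:"; uid0_accounts "$PASSWD"
echo "duplicate uids:"; duplicate_uids "$PASSWD"
# On the real box, each unneeded name from the first list is then removed
# with the tutorial's "userdel -r <username>".
```

On the sample the first list comes out as root, news, rpm and ntfx: news because of the empty shell field, rpm because it has /bin/bash, which is the kind of thing the eye skips over when reading cat /etc/passwd by hand.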
Once we have got rid of all the unneeded usernames we can begin to sort out who we want to be able to su up to root. To secure this, we put those users into the group "wheel". After this we can chgrp and chmod the su binary to secure the system even more:
# /bin/chgrp wheel /bin/su
# /bin/chmod 4750 /bin/su
Now su can only be run by those who are in group wheel. You should do the same for all the files you wish to restrict to authorised users; this prevents abuse of the programs available on the system.
Now we will lock down the rhosts files: .rhosts, .netrc and /etc/hosts.equiv. The r commands use these files to access systems. To lock them down, touch the files, then change their permissions to zero. This way no one can create or alter the files. For example:
/bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
/bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv
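The chgrp/chmod steps for su and the rhosts lockdown, as an added example that is not from the tutorial. It applies them to files in a scratch directory and then verifies the resulting mode bits, so it runs as an ordinary user; on the real box the targets are /bin/su, /root/.rhosts, /root/.netrc and /etc/hosts.equiv, and the group passed to restrict_su would be wheel rather than the caller's own group. One caveat the tutorial skips: root ignores mode bits, so chmod 0 stops ordinary users, not someone who already has root. The helper names restrict_su, lock_rfiles, mode_of and check_locked are the example's own.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands: the same steps applied to
# scratch files so it can run unprivileged. Real targets: /bin/su with group
# wheel, and /root/.rhosts, /root/.netrc, /etc/hosts.equiv.
WORK=$(mktemp -d)
mkdir -p "$WORK/root" "$WORK/etc"
SU="$WORK/su"
touch "$SU"               # stand-in for /bin/su; only the mode bits matter here

# /bin/chgrp wheel /bin/su ; /bin/chmod 4750 /bin/su
# 4750 = setuid + rwx for the owner, r-x for the group, nothing for others,
# so only members of group $2 can execute it.
restrict_su() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# The r-command files: create them (touch) and then give them mode 0 so no
# ordinary user can read, write or replace them.
lock_rfiles() {
    for f in "$@"; do
        touch "$f" && chmod 0 "$f"
    done
}

# First ten characters of ls -l, e.g. -rwsr-x--- (portable, unlike stat -c).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Succeeds only if every file given exists and has mode 0000.
check_locked() {
    for f in "$@"; do
        [ -f "$f" ] || return 1
        [ "$(mode_of "$f")" = "----------" ] || return 1
    done
    return 0
}

restrict_su "$SU" "$(id -gn)"      # on the real box: restrict_su /bin/su wheel
lock_rfiles "$WORK/root/.rhosts" "$WORK/root/.netrc" "$WORK/etc/hosts.equiv"
echo "su mode: $(mode_of "$SU")"
check_locked "$WORK/root/.rhosts" "$WORK/root/.netrc" "$WORK/etc/hosts.equiv" \
    && echo "rhosts files locked down"
# Root bypasses mode bits; on ext2/ext3, chattr +i (as root) additionally
# marks the files immutable so even root must clear the flag first.
```

The mode_of check is the part worth keeping around: after a package upgrade replaces /bin/su, the 4750 mode and wheel group are gone, and a one-line check in a cron job catches that much sooner than waiting to notice. On Red Hat the wheel restriction can also be enforced with pam_wheel.so in /etc/pam.d/su, which survives such upgrades.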

Now let's get on with the services again

So you want to run the following....
HTTPD
FTPD
SSHD
TELNETD
Well, at the moment you're probably running the default Apache and wu-ftpd, an old OpenSSH daemon and an old telnetd version.
Why put up with being shipped old, out-of-date and exploitable goods? Shipping you wu-ftpd, an old OpenSSH and other such items is like saying they want you to be compromised, just so you go back and get more of their goods. Yeah, I know it's free, but that's beside the point; it's more hassle. So let's get rid of it.
The bad stuff:
wu-ftpd - exploitable with every release within weeks. Slow and buggy. Avoid it.
openssh - generally OK, but switch to the commercial one; it's still free for private use.
TelnetD - sniffed and all the usual, not usually exploitable unless you run FreeBSD. Keep this up to date though. I have never heard of a lintel (Linux on Intel) telnetd exploit.
The Alternatives:
PureFTPD - hasn't had any exploits released in its entire project. Obviously one to consider; it's what we use.
thttpd - Very secure and flexible httpd, hardly any exploits found within it. More secure than Apache anyway.
SSHD - More secure than openssh, yet rpm distros tend to get hit by exploitable ssh daemons.
TelnetD - This is usually fine; keep it up to date, and avoid rpm installs of the telnetd if given the choice.
Why add telnetd to both lists? It has its advantages and disadvantages, so you decide.

Extra Security?

You may want to choose from a variety of things. I tend to implement certain modules, plus tripwire or whatever else you may want to include. I'll give a list of certain modules you may want to include below, and their purpose.
StJude LKM module - this can search for and prevent remote and local root exploits. I haven't used this one, but by the description it seems worthwhile to add that bit of extra security.
DTK - The Deception Toolkit, a set of perl scripts to harden security on a system based on attacks.
WINDOG-DTK - This was something I found; although it wasn't the official windog, it was a replacement. I have continued this project to make more daemons and other deception stuff.

Conclusion:
I will update this text soon with more in-depth security measures. These are just the basics for now, so you can feel slightly more secure than you would if you were practically a sitting duck with an unsecured install.

- Author: NTFX

 
     
Copyright © Happy Planet. All rights reserved.
 