Securing your System
The two golden rules of securing any system, not just Linux are |
1. Don't run services you don't need & secure the ones you do (Take notice M$) &
2. Use strong passwords.
Below I will run through some ways of shutting down unwanted services and also give some ideas for choosing difficult to guess but easy to remember passwords.
Shutting down unwanted services
Most of this information relates to Slackware Linux, some of it may be a bit out of date and different distros use different ways of securing services, for Red Hat / Centos / Fedora nased systems, check out /etc/init.d/conf, services and chkconfig.
A good place to start is to find out what is actually visible from the network. Perhaps the easiest is to run nmap, a free port scanner.
nmap -sT 184.108.40.206 <cr> for TCP based services and nmap -sU 220.127.116.11 <cr> for UDP based services.
Fine so we know what is running, but how are these services started? Some are controlled by inetd and are launched by inetd when an incoming connection is detected on a particular port, and some are started as daemons in the /etc/rc.d/ directory.
Firstly lets look inside /etc/inetd.conf, the configuration file for inetd:- (you will have to be root do do any of this...)
pico /etc/inetd.conf <cr>As an example find the line below:-
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd -uFinger is really an out of date service designed when the internet was confined to academia and people wanted to find out if their chums were online on a particular host, today there is no reason I can find to run it, so lets stop it! Just insert a # as the first character of the line. This converts it to a comment. After editing do the following:-
# If you make changes to this file, either reboot your machine or send the # inetd a HUP signal: # Do a "ps x" as root and look up the pid of inetd. Then do a # "kill -HUP <pid of inetd>". # The inetd will re-read this file whenever it gets that signal.(Taken from inetd.conf)
In fact as you look through inetd.conf, practically every line should start with a #. Things like telnet and ftp may be needed, but really ssh (secure shell) can do both of these and more securely. If you are running mail on your server you may need imap or pop3, but if you are, I suspect you won't need to read this HOWTO. The time service is better replaced by ntp, if you need to remotely boot other machines or upload firmware to switches or routers, you may need tftp, but it is better left disabled and only enabled when needed.
Also this link has some useful information regarding Slackware.
Next lets have a look at the services started in /erc/rc.d :-
if you do an
ls -l /etc/rc.d <cr>You will see the directory listing for rc.d (runcommand.daemons). An example line is given below:-
-rwxr-xr-x 1 root root 4038 Sep 21 2003 rc.inet1*rc.inet1 sets up the TCP/IP interfaces and the default route for ip, really nothing needs to be edited in it. The x makes the file executable, (i.e. a program) and the r and w refer to read and write. When the system starts, files that are flagged x are run, those which are not flagged are not run. So to stop a service running, change the mode (permissions) of the file with
chmod a-x rc.yourserviceCheck the permissions before and after with ls -l.
rc.inet2 is more interesting regarding services which are started. Below is a list, most of them can be disabled unless they really are needed.
# Mount remote (NFS) filesystems: Unless you are using nfs, # out all the lines here.
# Load the RPC portmapper if /etc/rc.d/rc.portmap is executable. The portmapper is only used for nfs so # it out.
# Mount remote (SMB) filesystems: Same goes for smb (the windows file sharing system).
# Start the system logger. You probably DO want the logger to run, so do nothing here.
# Turn on IPv4 packet forwarding support. Unless your system is acting as a router, turn this off.
# Start the inetd server: Depending on what you did in inetd.conf, you may want to turn this off.
# Start the OpenSSH SSH daemon: You probably DO want to use ssh for remote access.
# Start the BIND name server daemon: If you want to run your own DNS you will need this.
# Start NIS (the Network Information Service): Unless you are part of a bigger network, this can be #'ed out.
Having used nmap to identify unwanted services, consider using nessus to attempt a penetration test ("pen test"). This will probe the configuration you have used and in the event of any problems or vulnerabilities will point out possible sources of info to the harden the service.
Securing the services you do want
sshIf you want remote access, consider ssh rather than telnet. ssh does file transfer as well as remote login and can forward X securely as well. sshd_config controls the setup of the server and usually lives in /etc/ssh. Disable the server from using Protocol 1 (which is now regarded as insecure) in favour of Protocol 2 which is not flawed. If you have a machine with more then one network interface, consider if you want to have ssh listening on all ipaddresses. If you don't, add a listen address to bind sshd to only one interface. Consider adding a warning banner to alert anyone attempting access that yours is a private system. This is probably not a legally enforcible statement, but it gives a clear message that you are not inviting trespassers. Bear in mind, windows users with putty (and maybe other ssh clients) do not seem to display a banner prior to login. Displaying a banner is also avoided by doing a ssh -q (for quiet) command. Consider adding a statement to /etc/motd which is displayed to all users once they are logged in. A bit late, but it ensures all users are informed of their responsibility to behave.
/etc/ssh/sshd_config:- #Protocol 2,1 Protocol 2 #Only listen on 192.168.1.1 ListenAddress 192.168.1.1 #do not listen on 192.168.2.1 #ListenAddress 192.168.2.1 . . Banner /etc/issueSample banner in /etc/issue:-
+-------------------------------------------------------+ | This is a private system and | | is only for the use of authorized personnel. | | | +-------------------------------------------------------+ | | | If you are allowed access, you will have been told. | | If you have to ask anyone if you are authorized, | | | | *YOU AREN'T.* | | | +-------------------------------------------------------+
ftpThis warning message can be displayed by your ftp server as well if you are running one.
ApacheIf you are running a webserver with Apache, are you using the ~user-dir option? If it is enabled, it can give away information about valid user names on your system. If you are not using user-dirs, comment the section out of the apache's httpd.conf. Also you can hide the version of apache you are using, also whilst you are editing httpd.conf, use mod-rewrite to disable the TRACE method.
Exim (email server)Exim is a more easily configured email server than sendmail and is a drop in replacement. Easier configuration means easier to understand and secure. You can hide the version number from the greeting easily with the following in exim.conf:-
smtp_banner = server.mydomain.co.uk ESMTP Ready.
Using strong passwords
What is a strong password? A basic recommendation is that passwords should have more than 5 characters and include upper case as well as lower case letters, numerals and punctuation. Unfortunately, the more complex a password is, the easier it is to forget so the more likely it is to be written on a post-it note on the monitor... so negating the whole purpose.
One way I have found of getting users to implement good passwords is a follows: