Linux Guides

October 17, 2011

Linux Security Guide


Linux is stable, free and versatile. Yet none of that means a thing when you log into your machine and find that someone has gained unauthorized access to your system and taken it upon themselves to wipe your hard drive clean.

The only way to make your Linux system (or any computer system for that matter) 100% secure is to turn off the computer, unplug it and place it in a locked closet. And even then, a good locksmith would still get access to your machine. ;) Unfortunately, locking your powered-off system in a closet will likely be a problem for 99.99% of Linux users out there. Basically, having a secure system just means that you keep all the programs on your system updated and you know a little more than the guy/gal who is trying to break in.


Firewall

The first thing you should do is set up a firewall. If you are using Kernel version 2.4.x you can find a very simple firewall script located at http://www.linuxhelp.ca/guides/iptables. If you are not sure what Kernel version you are running you can type uname -r at the shell prompt.

If you are using version 2.2.x of the Linux Kernel, you can find an IPChains script at http://www.linuxhelp.ca/guides/ipchains.

For those of you still using version 2.0.x of the Linux Kernel, you must use a different tool called IPFWADM (IP firewall and accounting administration). You can find our IPFWADM script at http://www.linuxhelp.ca/guides/ipfwadm.

Installing and configuring the firewall is pretty simple. First make sure you have IPTables, IPChains or IPFWADM installed depending on your Kernel version. Then simply open up the firewall script with your favorite text editor (nano, pico, vi, joe etc) and follow the instructions inside the script.


Package Updates

Another very important security measure is to always keep the software installed on your machine updated. Many Linux distributions now have some form of automated update. For example, Red Hat has up2date and Debian has apt-get.

You will also want to sign up to a few Mailing Lists. This way when your favorite Linux distribution releases a security update you will receive an email letting you know.

By not keeping the installed software updated you make yourself a prime target for people looking to break into systems.


Services that start at boot time

Another way to improve system security is to disable any service/daemon that you are not using. Be sure to do your homework before randomly killing off services that you might possibly need. If you are running Red Hat Linux or Mandrake Linux you can type setup as root and go into the “System Services” section to enable/disable applications that load at boot time. Make sure you don’t have anything listed here that you don’t need running by removing the * next to it. A couple of things you probably don’t want running are named, netfs, nfs, portmap, pcmcia, rstatd, rwhod and rusersd.

Now, if you run Debian GNU/Linux, these services can be found in /etc/init.d. Here you can simply disable something from starting up by removing the file from /etc/init.d followed by running the update-rc.d command. An example would be:

# rm -rf /etc/init.d/alsa
# update-rc.d alsa remove
 Removing any system startup links for /etc/init.d/alsa ...
   /etc/rc0.d/K20alsa
   /etc/rc1.d/K20alsa
   /etc/rc2.d/S20alsa
   /etc/rc3.d/S20alsa
   /etc/rc4.d/S20alsa
   /etc/rc5.d/S20alsa
   /etc/rc6.d/K20alsa

If you are sure you won’t be using a particular service or daemon, you might as well delete it from your system. On RPM-based systems you would run rpm -e package. For example, if you wanted to remove bind you would execute rpm -e bind. For Debian you can run dpkg -r package or apt-get remove package.


Disabling xinetd Services

xinetd runs on your machine and listens for any connections to certain ports. When a connection is made, it reads the files in /etc/xinetd.d/ and decides if a specified service should run. You should edit all the files in /etc/xinetd.d/ and make sure you have disable = yes set in all of them. Once you’ve done this you can run /etc/init.d/xinetd restart to reload the xinetd daemon.
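
One way to check the result of that edit, as an added example that is not part of the original guide: the script lists every service block that is still enabled. The function names and the sample directory are constructed for illustration; a block without a disable line is reported as enabled.

```shell
#!/bin/sh
# Added example: report xinetd services that are still enabled.
# A service block is enabled unless it contains "disable = yes".

xinetd_enabled() {      # usage: xinetd_enabled DIR  (normally /etc/xinetd.d)
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            { sub(/#.*/, ""); line = tolower($0) }        # drop comments
            $1 == "service" { name = $2; off = 0; next }  # start of a block
            line ~ /^[ \t]*disable[ \t]*=/ {
                off = (line ~ /=[ \t]*yes[ \t]*$/)
            }
            index($0, "}") && name != "" {                # end of the block
                if (!off) print file ": " name
                name = ""
            }
        ' "$f"
    done
}

# Constructed sample directory, so the check can be tried offline.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'service telnet\n{\n\tdisable = no\n\tserver = /usr/sbin/in.telnetd\n}\n' > "$d/telnet"
    printf 'service finger\n{\n\tdisable = yes\n\tserver = /usr/sbin/in.fingerd\n}\n' > "$d/finger"
    printf 'service time\n{\n\ttype = INTERNAL\n}\n' > "$d/time"   # no disable line
    echo "$d"
}

sample=$(make_sample)
xinetd_enabled "$sample"     # on a real host: xinetd_enabled /etc/xinetd.d
rm -rf "$sample"
```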


Passwords

The selection of a good password is a must. Basing it on a word you can find in a dictionary is a no-no. Your password should be at least 6 to 8 characters in length and contain upper- and lowercase letters as well as numerals and punctuation. As well, users should consider changing their password every few months. You can test the strength of your password at http://www.securitystats.com/tools/password.php.


Network Monitoring

Monitoring the traffic on your internet connection or LAN is another way to help protect yourself. I believe that the best tool for this job is IPTraf. You can find an Installation Guide here.

You will also want to download and install a port scanner called nmap, which can be found at http://www.insecure.org/nmap/. This tool is excellent for scanning your machines and networked machines for open ports.


Tripwire

Tripwire is a neat program that gathers a database of every “important” file on your system and then every night it compares the database to the actual filesystem and emails you all the changed files. This is a good way to see if you have been cracked into and if anyone has replaced vital programs with trojans. You can find Tripwire at www.tripwiresecurity.com and read our Tripwire Setup Guide at http://www.linuxhelp.ca/guides/tripwire/


SSH (Secure SHell)

Secure SHell is a secure replacement for telnet. When you use telnet to log into a remote machine, your password is sent in plain text form, allowing it to be sniffed. With SSH, strong cryptography is used for protecting all transmitted confidential data, including passwords, binary files, and administrative commands. For those who are interested in running SSH you can have a look at our SSH Installation Guide.


hosts.allow

This file determines which IPs are authorized to access services on the system. You should have the following line in your /etc/hosts.allow file:

ALL: LOCAL

This means that your system will accept any connections coming from the local machine. If you have your own LAN set up, you can also put the IPs of the LAN machines. I have 2 other computers on my LAN so my /etc/hosts.allow looks like the following:

ALL: LOCAL
ALL: 10.10.10.12
ALL: 10.10.10.13


hosts.deny

This file, as you might have guessed, contains hosts that are not allowed to access services on your system. If you are not running a public FTP server or a mail server it is safe to place the following in this file:

ALL: ALL

This will deny everyone access to services running on the machine. Now let’s say you do need telnet or FTP open, but only for a few people or the local LAN: you can place those hosts/IPs in /etc/hosts.allow. For more information on hosts.allow and hosts.deny you can try ‘man hosts.deny’ and ‘man hosts.allow’ (which should provide man pages on most machines).
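
How the two files combine, as an added example that is not part of the original guide: a simplified model of the lookup order (hosts.allow first, then hosts.deny, otherwise allowed) run against the files shown above. The function names, the daemon name in.telnetd and the address 192.0.2.7 are constructed; only ALL, exact addresses and prefixes such as "10.10.10." are modelled.

```shell
#!/bin/sh
# Added example: simplified model of the hosts.allow / hosts.deny decision.
# Supported client patterns: ALL, an exact address, a prefix like "10.10.10.".
# LOCAL and hostname patterns need name lookups and never match here.

matches() {             # usage: matches FILE DAEMON CLIENT_IP
    awk -v d="$2" -v c="$3" '
        function hit(list, want, prefix,    n, i, a) {
            n = split(list, a, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (a[i] == "ALL" || a[i] == want) return 1
                if (prefix && a[i] ~ /\.$/ && index(want, a[i]) == 1) return 1
            }
            return 0
        }
        { sub(/#.*/, ""); split($0, f, ":") }
        hit(f[1], d, 0) && hit(f[2], c, 1) { found = 1; exit }
        END { exit !found }
    ' "$1" 2>/dev/null
}

decide() {              # usage: decide ALLOW_FILE DENY_FILE DAEMON CLIENT_IP
    if   matches "$1" "$3" "$4"; then echo allow   # hosts.allow is read first
    elif matches "$2" "$3" "$4"; then echo deny    # then hosts.deny
    else echo allow                                # no match anywhere: allowed
    fi
}

# Constructed copies of the two files from the guide, plus an empty deny file.
demo() {
    t=$(mktemp -d) || return 1
    printf 'ALL: LOCAL\nALL: 10.10.10.12\nALL: 10.10.10.13\n' > "$t/allow"
    printf 'ALL: ALL\n' > "$t/deny"
    : > "$t/empty"
    decide "$t/allow" "$t/deny"  in.telnetd 10.10.10.12   # allow (listed)
    decide "$t/allow" "$t/deny"  in.telnetd 192.0.2.7     # deny  (ALL: ALL)
    decide "$t/allow" "$t/empty" in.telnetd 192.0.2.7     # allow (nothing denies)
    rm -rf "$t"
}

demo
```

The third call shows why the ALL: ALL line matters: with nothing in hosts.deny, a host that is missing from hosts.allow is still let in.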


Miscellaneous Information

You can run the following command to create a text file of all the setuid root files on your system. These files are often used for local buffer overflow exploits to gain root access. You can generate the file by running the following as root:

find / -user root -perm -4000 -print > setuid.txt
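
A way to put that list to use, as an added example that is not part of the original guide: record a checksum for each setuid file, then compare a later scan against the saved baseline to see what was added, changed or removed. The function names and the demo tree are constructed; the demo scans files owned by the current user so it runs without root.

```shell
#!/bin/sh
# Added example: checksum baseline for setuid files, then a later comparison.
# OWNER defaults to root, matching the find command in the guide.

snapshot() {            # usage: snapshot DIR [OWNER]  ->  "sha256  path" lines
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 \
        -exec sha256sum {} + 2>/dev/null | sort -k2
}

compare() {             # usage: compare BASELINE CURRENT
    awk '
        { sum = $1; path = substr($0, 67) }       # 64 hex chars + 2 spaces
        FILENAME == ARGV[1] { old[path] = sum; next }
        { seen[path] = 1 }
        !(path in old)      { print "ADDED   " path; next }
        old[path] != sum    { print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Demo on a constructed tree owned by the current user (no root needed).
demo() {
    t=$(mktemp -d) || return 1
    for n in su passwd mount; do echo "$n v1" > "$t/$n"; chmod 4755 "$t/$n"; done
    snapshot "$t" "$(id -u)" > "$t.base"
    echo "patched" >> "$t/passwd"; chmod 4755 "$t/passwd"   # content changed
    rm "$t/mount"                                            # file removed
    echo "new" > "$t/newtool"; chmod 4755 "$t/newtool"       # new setuid file
    snapshot "$t" "$(id -u)" > "$t.now"
    compare "$t.base" "$t.now" | sed "s|$t/||"
    rm -rf "$t" "$t.base" "$t.now"
}

demo
```

On a real host, run snapshot / as root once, keep the output somewhere the machine cannot overwrite, and feed it to compare together with a fresh scan.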

Another popular exploit is through FTP. If you are not running an FTP server, please delete the FTP user from the system (userdel ftp).


Final words

Don’t run what you don’t need. If you don’t use it, then uninstall it. If you run sendmail or apache, keep it updated, ESPECIALLY Sendmail. Never let anyone telnet or ssh into your computer that you don’t know and never accept any “cool” files from people on IRC. If you haven’t noticed already, you have to be majorly paranoid about everything and everybody.

One last thing, try and keep your cool around people, especially on IRC. If you go around pissing people off, one day when you’re at school/work/whatever you might come home to an unwanted surprise. So try to not make too many enemies.



About the Author

GuideBank
GuideBank is your dedicated source for all IT related guides that will save your life one day. We always provide unique and efficient guides. If you have any recommendations about this guide please send us an email at info@guidebank.com




 
 

 
 


 



