Linux Guides

October 17, 2011

Linux Security Guide


Linux is stable, free and versatile. Yet none of that means a thing when you log into your machine and find that someone has gained unauthorized access to your system and taken it upon themselves to wipe your hard drive clean.

The only way to make your Linux system (or any computer system for that matter) 100% secure is to turn off the computer, unplug it and place it in a locked closet. And even then, a good locksmith would still get access to your machine. ;) Unfortunately, locking your powered-off system in a closet will likely be a problem for 99.99% of Linux users out there. Basically, having a secure system just means that you keep all the programs on your system updated and you know a little more than the guy/gal who is trying to break in.


Firewall

The first thing you should do is set up a firewall. If you are using Kernel version 2.4.x you can find a very simple firewall script located at http://www.linuxhelp.ca/guides/iptables. If you are not sure what Kernel version you are running you can type uname -r at the shell prompt.

If you are using version 2.2.x of the Linux Kernel, you can find an IPChains script at http://www.linuxhelp.ca/guides/ipchains.

For those of you still using version 2.0.x of the Linux Kernel, you must use a different tool called IPFWADM (IP firewall and accounting administration). You can find our IPFWADM script at http://www.linuxhelp.ca/guides/ipfwadm.

Installing and configuring the firewall is pretty simple. First make sure you have IPTables, IPChains or IPFWADM installed depending on your Kernel version. Then simply open up the firewall script with your favorite text editor (nano, pico, vi, joe etc) and follow the instructions inside the script.


Package Updates

Another very important security measure is to always keep the software installed on your machine updated. Many Linux distributions now have some form of automated update. For example, Red Hat has up2date and Debian has apt-get.

You will also want to sign up to a few Mailing Lists. This way when your favorite Linux distribution releases a security update you will receive an email letting you know.

By not keeping the installed software updated you make yourself a prime target for people looking to break into systems.


Services that start at boot time

Another way to improve system security is to disable any service/daemon that you are not using. Be sure to do your homework before randomly killing off services that you might possibly need. If you are running Red Hat Linux or Mandrake Linux you can type setup as root and go into the “System Services” section to enable/disable applications that load at boot time. Make sure you don’t have anything listed here that you don’t need running by removing the * next to it. A couple of things you probably don’t want running are named, netfs, nfs, portmap, pcmcia, rstatd, rwhod and rusersd.

Now, if you run Debian GNU/Linux, these services can be found in /etc/init.d. Here you can simply disable something from starting up by removing the file from /etc/init.d followed by running the update-rc.d command. An example would be:

# rm -rf /etc/init.d/alsa

# update-rc.d alsa remove
 Removing any system startup links for /etc/init.d/alsa ...
   /etc/rc0.d/K20alsa
   /etc/rc1.d/K20alsa
   /etc/rc2.d/S20alsa
   /etc/rc3.d/S20alsa
   /etc/rc4.d/S20alsa
   /etc/rc5.d/S20alsa
   /etc/rc6.d/K20alsa

If you are sure you won’t be using a particular service or daemon you might as well delete it from your system. On RPM-based systems you would run rpm -e package. For example, if you wanted to remove bind you would execute rpm -e bind. On Debian you can run dpkg -r package or apt-get remove package.


Disabling xinetd Services

xinetd runs on your machine and listens for any connections to certain ports. When a connection is made, it reads the files in /etc/xinetd.d/ and decides if a specified service should run. You should edit all the files in /etc/xinetd.d/ and make sure you have disable = yes set in all of them. Once you’ve done this you can run /etc/init.d/xinetd restart to reload the xinetd daemon.
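
A quick way to check that nothing was missed, as an added example that is not part of the original guide: the script below lists every service block that is still enabled, including blocks that have no disable line at all (xinetd treats those as enabled). The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: report xinetd services that are still enabled.
# A service block is enabled unless it contains "disable = yes".

xinetd_enabled() {      # xinetd_enabled [DIR]   (default /etc/xinetd.d)
    dir="${1:-/etc/xinetd.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            { line = $0; gsub(/[ \t]+/, "", line) }      # whitespace-free copy
            line == "" || line ~ /^#/ { next }           # blanks and comments
            $1 == "service" { name = $2; off = 0; inblock = 1; next }
            inblock && line ~ /^disable=/ { off = (line == "disable=yes"); next }
            inblock && line == "}" {
                if (!off) print file ": " name           # still enabled
                inblock = 0
            }
        ' "$f"
    done
}

# Constructed sample directory standing in for /etc/xinetd.d/
make_sample() {
    d=$(mktemp -d)
    printf 'service telnet\n{\n\tdisable = no\n\tserver = /usr/sbin/in.telnetd\n}\n' > "$d/telnet"
    printf 'service rsync\n{\n\tdisable = yes\n\tserver = /usr/bin/rsync\n}\n' > "$d/rsync"
    printf '# no disable line at all\nservice time\n{\n\ttype = INTERNAL\n}\n' > "$d/time"
    # one file, two blocks: the first is disabled, the second is not
    printf 'service echo\n{\n\tdisable = yes\n\tsocket_type = stream\n}\n' > "$d/echo"
    printf 'service echo\n{\n\tsocket_type = dgram\n}\n' >> "$d/echo"
    echo "$d"
}

sample=$(make_sample)
xinetd_enabled "$sample"
rm -rf "$sample"
```

Run xinetd_enabled with no argument as root to audit the real /etc/xinetd.d/; empty output means every service is disabled.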


Passwords

The selection of a good password is a must. Basing it off a word you can find in a dictionary is a no no. Your password should be at least 6 to 8 characters in length and contain upper and lower case letters as well as numerals and punctuation. As well, users should consider changing their password every few months. You can test the strength of your password at http://www.securitystats.com/tools/password.php.


Network Monitoring

Monitoring the traffic on your internet connection or LAN is another way to help protect yourself. I believe that the best tool for this job is IPTraf. You can find an Installation Guide here.

You will also want to download and install a port scanner called nmap, which can be found at http://www.insecure.org/nmap/. This tool is excellent for scanning your machines and networked machines for open ports.


Tripwire

Tripwire is a neat program that gathers a database of every “important” file on your system and then every night it compares the database to the actual filesystem and emails you all the changed files. This is a good way to see if you have been cracked into and if anyone has replaced vital programs with trojans. You can find Tripwire at www.tripwiresecurity.com and read our Tripwire Setup Guide at http://www.linuxhelp.ca/guides/tripwire/


SSH (Secure SHell)

Secure SHell is a secure replacement for telnet. When you use telnet to log into a remote machine, your password is sent in plain text form, allowing it to be sniffed. With SSH, strong cryptography is used for protecting all transmitted confidential data, including passwords, binary files, and administrative commands. For those who are interested in running SSH you can have a look at our SSH Installation Guide.


hosts.allow

This file determines what IP’s are authorized to access services on the system. You should have the following line in your /etc/hosts.allow file:

ALL: LOCAL

This means that your system will accept any connections coming from the local machine. If you have your own LAN set up, you can also put the IP’s of the LAN machines. I have 2 other computers on my LAN so my /etc/hosts.allow looks like the following:

ALL: LOCAL
ALL: 10.10.10.12
ALL: 10.10.10.13


hosts.deny

This file, as you might have guessed contains hosts that are not allowed to access services on your system. If you are not running a public FTP server or a mail server it is safe to place the following in this file:

ALL: ALL

This will deny everyone access to services running on the machine. Now let’s say you do need telnet or FTP open, but only for a few people or the local LAN, you can place those hosts/IP’s in /etc/hosts.allow. For more information on hosts.allow and hosts.deny you can try ‘man hosts.deny’ and ‘man hosts.allow’ (which should provide man pages on most machines).
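
How the two files combine, as an added example that is not part of the original guide: hosts.allow is consulted first, then hosts.deny, and a client that matches neither is let in, which is why ALL: ALL in hosts.deny still leaves the hosts listed in hosts.allow working. The script is a simplified model of the hosts_access(5) rules; the function names, the client names and the in.telnetd daemon name are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: the hosts_access(5) decision order, simplified.
#   1. first matching rule in hosts.allow     -> access granted
#   2. else first matching rule in hosts.deny -> access refused
#   3. no match in either file                -> access granted
# Supported client patterns: ALL, LOCAL (a name with no dot in it),
# an exact name/address, or a prefix ending in "." such as 10.10.10.

rule_matches() {    # rule_matches FILE DAEMON CLIENT
    while IFS=: read -r daemons clients; do
        case "$daemons" in ''|'#'*) continue ;; esac
        d_ok=no
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$2" ] && d_ok=yes
        done
        [ "$d_ok" = yes ] || continue
        for c in $clients; do
            case "$c" in
                ALL)   return 0 ;;
                LOCAL) case "$3" in *.*) ;; *) return 0 ;; esac ;;
                *.)    case "$3" in "$c"*) return 0 ;; esac ;;
                *)     [ "$c" = "$3" ] && return 0 ;;
            esac
        done
    done < "$1"
    return 1
}

tcpd_decision() {   # tcpd_decision ALLOW_FILE DENY_FILE DAEMON CLIENT
    if rule_matches "$1" "$3" "$4"; then echo allow
    elif rule_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

sample_files() {    # constructed copies of the two files from this guide
    t=$(mktemp -d)
    printf 'ALL: LOCAL\nALL: 10.10.10.12\nALL: 10.10.10.13\n' > "$t/hosts.allow"
    printf 'ALL: ALL\n' > "$t/hosts.deny"
    echo "$t"
}

dir=$(sample_files)
for client in localbox 10.10.10.12 10.10.10.99 203.0.113.7; do
    echo "$client: $(tcpd_decision "$dir/hosts.allow" "$dir/hosts.deny" in.telnetd "$client")"
done
rm -rf "$dir"
```

With an empty hosts.deny the last two clients would be allowed as well, so the ALL: ALL line is what makes hosts.allow an allow-list.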


Miscellaneous Information

You can run the following command to create a text file of all the setuid root files on your system. These files are often used for local buffer overflow exploits to gain root access. You can generate the file by running the following as root:

find / -user root -perm -4000 -print > setuid.txt

Another popular exploit is through FTP. If you are not running an FTP server, please delete the FTP user from the system (userdel ftp).


Final words

Don’t run what you don’t need. If you don’t use it, then uninstall it. If you run sendmail or apache, keep it updated, ESPECIALLY Sendmail. Never let anyone telnet or ssh into your computer that you don’t know and never accept any “cool” files from people on IRC. If you haven’t noticed already, you have to be majorly paranoid about everything and everybody.

One last thing, try and keep your cool around people, especially on IRC. If you go around pissing people off, one day when you’re at school/work/whatever you might come home to an unwanted surprise. So try to not make too many enemies.



About the Author

GuideBank
GuideBank is your dedicated source for all IT related guides that will save your life one day. We always provide unique and efficient guides. If you have any recommendations about this guide please send us an email at info@guidebank.com




 
 

 




3 Comments


  1. Earthwind

    It’s like you’re on a mission to save me time and money!


  2. Zarya

    If only there were more clever people like you!


