
Securing Linux (ESSENTIALS)


By ghostghost | 6616 Reads


Important to do before surfing the net, or making a connection across your own bubble-wrapped LAN.

Step#1 - Basic file permissions

Make /root and /var/log have stricter permissions by running:

chmod -R og-rx /root
chmod -R o-rx /var/log
ulimit -c 0
/bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
/bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv
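The same recipe applied to a throwaway copy of the directory layout, so the resulting permission bits can be checked before the commands are run on the real /root and /var/log. This is an added example, not the article's own script: the sandbox under mktemp, the sample files and the function names are constructed for illustration, and "ls -ld" is used to read the mode back because it is available on any POSIX system.

```shell
#!/bin/sh
# Added example, not from the article. Applies the Step 1 recipe to a
# constructed sandbox (a mktemp directory standing in for /) and reports the
# resulting permission bits, so the effect can be verified before running the
# same commands on the real /root and /var/log.

# perms PATH: print the symbolic mode, e.g. "drwx------" (first 10 columns of ls -ld)
perms() {
    ls -ld "$1" | cut -c1-10
}

# restrict_home DIR: the article's "chmod -R og-rx /root", parameterised on DIR
restrict_home() {
    chmod -R og-rx "$1"
}

# restrict_logs DIR: the article's "chmod -R o-rx /var/log"; the group keeps
# read access, so a log-reading group can still look at the files
restrict_logs() {
    chmod -R o-rx "$1"
}

# disable_core_dumps: "ulimit -c 0" for this shell; core files can contain
# passwords and keys copied out of a crashed process's memory
disable_core_dumps() {
    ulimit -c 0
}

# neutralise_trust_files FILE...: create the rhosts-style files empty and with
# mode 0, so no trust relationship can later be written into them
neutralise_trust_files() {
    touch "$@" && chmod 0 "$@"
}

# demo_hardening: build the sandbox with typical default modes (755 dirs,
# 644 files), harden it, and print "<mode> <path>" for each entry in a fixed order
demo_hardening() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/root" "$sb/var/log" "$sb/etc"
    printf 'secret\n' > "$sb/root/notes.txt"
    printf 'log line\n' > "$sb/var/log/messages"
    chmod 755 "$sb/root" "$sb/var/log"
    chmod 644 "$sb/root/notes.txt" "$sb/var/log/messages"

    restrict_home "$sb/root"
    restrict_logs "$sb/var/log"
    disable_core_dumps
    neutralise_trust_files "$sb/root/.rhosts" "$sb/root/.netrc" "$sb/etc/hosts.equiv"

    for p in "$sb/root" "$sb/root/notes.txt" "$sb/var/log" "$sb/var/log/messages" \
             "$sb/root/.rhosts" "$sb/etc/hosts.equiv"; do
        printf '%s %s\n' "$(perms "$p")" "${p#"$sb"}"
    done
    rm -rf "$sb"
}

demo_hardening
```

Running it prints the six entries: /root ends up 700, its files 600, /var/log 750 with its files 640, and the trust files have every bit cleared. The point of the sandbox is that the same functions can then be pointed at the real paths with nothing else changed.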

Step#2: Shut down services which are not required

This is very important. Services open ports on your computer - and open ports are potential ways for a hacker to penetrate your system. The first thing to take a look at is the /etc/inetd.conf file. Most TCP and UDP services are initialized from this file.

– sample inetd.conf section –

ftp     stream  tcp     nowait  root    /usr/libexec/ftpd    ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd    rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind rlogind

– sample inetd.conf section –

Any services preceded by a "#" are taken as commented out and will not be started at boot time.

Inetd is a daemon which listens for TCP or UDP connections, and on connection, passes control to the appropriate service. Becoming familiar with the /etc/inetd.conf file is a good idea, as it is a likely place that an intruder would put a backdoor.

So, after opening the file you will need to comment out (using '#') the services that you don't need. After commenting out unnecessary services inetd needs to be restarted so the changes just made will take effect.
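An audit of an inetd.conf-style file that does the review described above in code: it lists the services inetd would really start, flags the legacy cleartext ones, and comments a service out. This is an added example rather than the article's own instructions; it runs against a constructed copy of the article's excerpt (with a "finger" line added so there is more than one live service), and the list of "risky" services is an assumption made for the audit.

```shell
#!/bin/sh
# Added example, not from the article. Audits an inetd.conf-style file: lists
# the services inetd will actually start, flags legacy cleartext ones, and
# comments a service out. Runs against a constructed sample, not /etc/inetd.conf.

# Constructed sample in the article's format (service socket proto wait user server args)
SAMPLE_INETD='ftp     stream  tcp     nowait  root    /usr/libexec/ftpd    ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd    rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind rlogind
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd fingerd'

# Legacy services that send credentials or data in the clear; an assumption
# for the audit, covering the ones the article comments out plus ftp and finger
RISKY_SERVICES='ftp telnet shell login exec finger'

# inetd_enabled FILE: print "service proto user" for every line inetd acts on
# (blank lines and lines whose first non-blank character is '#' are skipped)
inetd_enabled() {
    awk '!/^[ \t]*(#|$)/ { print $1, $3, $5 }' "$1"
}

# inetd_risky FILE: names of enabled services that appear in RISKY_SERVICES
inetd_risky() {
    for svc in $(inetd_enabled "$1" | awk '{ print $1 }'); do
        for r in $RISKY_SERVICES; do
            if [ "$svc" = "$r" ]; then echo "$svc"; fi
        done
    done
}

# inetd_disable FILE SERVICE: prefix SERVICE's active line(s) with '#'.
# Already-commented lines are left alone, so repeated runs are harmless.
inetd_disable() {
    tmp=$(mktemp) || return 1
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1" > "$tmp" &&
        cat "$tmp" > "$1"
    rm -f "$tmp"
}
# After editing the real file, inetd must re-read it: classic inetd does so on
# SIGHUP (kill -HUP <inetd pid>), which is the "restart" the article refers to.

# demo_inetd: write the sample, disable everything risky, and report
# "<enabled before> <risky before> <enabled after>"
demo_inetd() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_INETD" > "$f"
    before=$(inetd_enabled "$f" | awk 'END { print NR }')
    risky=$(inetd_risky "$f" | awk 'END { print NR }')
    for svc in $(inetd_risky "$f"); do inetd_disable "$f" "$svc"; done
    after=$(inetd_enabled "$f" | awk 'END { print NR }')
    rm -f "$f"
    echo "$before $risky $after"
}

demo_inetd
```

On the sample the demo prints "2 2 0": two live services, both on the risky list, none left after disabling. The enabled/risky split matters because the file is also where a backdoor would be planted, so a listing of what is really active is worth keeping and comparing over time.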

Step#3 - Remove unneeded system users

Take a look at your /etc/passwd file; you will see that there are a lot of users on your system. Why do you want 'games' or 'guest'?

Remove these users with the "userdel -r username" command.
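The /etc/passwd review from this step, written as checks that can be run repeatedly: which accounts can actually log in, which of those are the pointless ones named above, and, going one step beyond the text, whether any account besides root carries UID 0. This is an added example, not the article's procedure; it runs on a constructed passwd-format sample (the "toor" entry is made up so the UID 0 check has something to find), and the list of unneeded users is taken from the article's two examples.

```shell
#!/bin/sh
# Added example, not from the article. Reviews a passwd-format file the way
# Step 3 suggests: which accounts can log in, which of those are the ones the
# article calls pointless, and whether any account other than root has UID 0.
# Runs on a constructed sample, never on the real /etc/passwd.

# Constructed sample. "toor" is a made-up entry included so the UID 0 check
# has something to find; it is not a claim about any real distribution.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/sh
guest:x:500:500:Guest:/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:spare root:/:/bin/sh
nobody:x:65534:65534:Nobody:/:/sbin/nologin'

# Accounts the article calls out as unnecessary on a workstation
UNNEEDED_USERS='games guest'

# passwd_login_capable FILE: account names whose shell is not a nologin-type shell
passwd_login_capable() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# passwd_unneeded FILE: login-capable accounts that are in UNNEEDED_USERS
passwd_unneeded() {
    for u in $(passwd_login_capable "$1"); do
        for n in $UNNEEDED_USERS; do
            if [ "$u" = "$n" ]; then echo "$u"; fi
        done
    done
}

# passwd_extra_uid0 FILE: any account besides root with UID 0, i.e. a second
# superuser; on a single-user workstation that needs investigating, not just deleting
passwd_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# passwd_removal_plan FILE: the userdel commands the article recommends, one
# per unneeded account, printed for review before being run as root
passwd_removal_plan() {
    for u in $(passwd_unneeded "$1"); do
        echo "userdel -r $u"
    done
}

demo_passwd() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$f"
    echo "login-capable: $(passwd_login_capable "$f" | tr '\n' ' ')"
    echo "unneeded:      $(passwd_unneeded "$f" | tr '\n' ' ')"
    echo "extra uid 0:   $(passwd_extra_uid0 "$f" | tr '\n' ' ')"
    passwd_removal_plan "$f"
    rm -f "$f"
}

demo_passwd
```

The removal plan is printed rather than executed so that the list can be read once before "userdel -r" deletes home directories; on the sample it yields two commands, for games and guest, and the UID 0 check reports toor.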

Step#4 - Prevent lilo from booting in "Linux 1"

Open /etc/lilo.conf

Add the following lines:

restricted
password=somepassword

Just replace 'somepassword' with a password of your choice (make it a good one). Basically, this will make lilo ask for a password whenever someone tries to pass additional parameters to it, like "linux 1".

Next thing to do is secure the /etc/lilo.conf file a bit better, so that people can't just log in with a guest account and read or change the password. At the shell, type the following:

chown root.root /etc/lilo.conf
chmod 600 /etc/lilo.conf

That will make sure that root is the owner of the file, and that the permissions are set more tightly.

Step#5 - Use a basic firewall

A firewall is essential if you plan to prevent remote attacks. Red Hat Linux comes with a firewall called ipchains which can filter and redirect packets for you. Add these rules to /etc/rc.d/rc.local to provide you with basic security and logging.

/sbin/ipchains -F
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 53 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 69 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 87 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 111 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 111 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2049 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2049 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 512 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 513 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 514 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 515 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 540 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2000 -j DENY -l
/sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2000 -j DENY -l
/sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 6000 -j DENY -l

These rules block connections to certain services which CERT lists as dangerous, and the -l flag logs each denied packet. If you are on a dialup connection, replace eth0 with ppp0.

Step#6 - Look at your logs

The logs on your system are your way of knowing what is, and has been, going on. Logs are located in /var/log.
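What "look at your logs" amounts to in practice, as an added example that is not part of the article: a few awk functions that pull the things a reviewer wants out of classic syslog-format lines of the kind found under /var/log (failed logins per source, successful remote logins, su-to-root events, and sources that fail repeatedly). The log lines are constructed for the example, the hostnames and addresses are from the documentation ranges, and the message formats are the ones written by sshd, login and su on the systems the article targets.

```shell
#!/bin/sh
# Added example, not from the article. Extracts what a reviewer wants from
# classic syslog-format lines: failed logins per source, successful remote
# logins, su-to-root events, and repeat offenders. The lines are constructed;
# addresses are from the RFC 5737 documentation ranges.

SAMPLE_LOG='Mar  3 10:01:02 box sshd[1234]: Failed password for root from 192.0.2.10 port 4444 ssh2
Mar  3 10:01:05 box sshd[1234]: Failed password for root from 192.0.2.10 port 4445 ssh2
Mar  3 10:02:00 box sshd[1240]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
Mar  3 10:03:00 box login[300]: FAILED LOGIN 1 FROM (null) FOR guest, Authentication failure
Mar  3 10:04:00 box sshd[1250]: Failed password for invalid user admin from 192.0.2.10 port 4450 ssh2
Mar  3 10:05:00 box su: (to root) alice on pts/0
Mar  3 10:06:00 box sshd[1260]: Accepted publickey for alice from 203.0.113.5 port 5100 ssh2'

# failed_logins_by_source FILE: "<source> <count>" for sshd "Failed password"
# and login "FAILED LOGIN" lines; the word after from/FROM is the source
failed_logins_by_source() {
    awk '/Failed password|FAILED LOGIN/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from" || $i == "FROM") { count[$(i+1)]++; break }
         }
         END { for (src in count) print src, count[src] }' "$1" | LC_ALL=C sort
}

# accepted_logins FILE: "<user> <source>" for each successful sshd login
accepted_logins() {
    awk '/sshd/ && /Accepted/ {
            for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") src = $(i+1) }
            print user, src
         }' "$1"
}

# su_to_root FILE: who became root via su, and from which terminal
su_to_root() {
    awk '/ su: \(to root\) / { print $(NF-2), $NF }' "$1"
}

# repeat_offenders FILE THRESHOLD: sources with at least THRESHOLD failed logins
repeat_offenders() {
    failed_logins_by_source "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

demo_logs() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "failed logins by source:"; failed_logins_by_source "$f"
    echo "accepted logins:";          accepted_logins "$f"
    echo "su to root:";               su_to_root "$f"
    echo "3+ failures from:";         repeat_offenders "$f" 3
    rm -f "$f"
}

demo_logs
```

Point the functions at /var/log/messages or /var/log/auth.log (whichever your distribution writes) instead of the sample, and run repeat_offenders with a threshold that fits how often you mistype your own password; the console login failure shows up with "(null)" as its source, which is how the login program reports a local terminal.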

Step#7 - Check for updates regularly

You will need to visit the homepage of your Linux distro regularly to get all recommended patches and updates. This will ensure that any vulnerabilities in the software are patched quickly. Also, go to your shell and, depending on which package manager you have, run either "yum upgrade" or "apt-get update; apt-get upgrade" as root (FYI: the command to become root is "su").

Always Remember! 1: Netfish is RIGHT. 2: If {you think Netfish is WRONG} then SLAP YOURSELF, and goto the FIRST POINT.

Comments
ghost 17 years ago

yeah, that's very informative, good job, learnt a lot ;)

ghost 17 years ago

I found that helpful, although I do not use suse (I recommend pclos - that's what I use)

Mr_Cheese 17 years ago

very useful actually. this could help me out a bit with work. thanks for that.

ghost 17 years ago

Very useful, although for some distros such as Kubuntu "su" doesn't work. Instead you need to do "sudo -s".

ghost 16 years ago

Ubuntu / Kubuntu / Xubuntu are the exceptions, not the rule. Regardless, this is a great article for people starting out in Linux… coming from a Windows world, people will find material like this easy to read. Good job, man.

ghost 16 years ago

Thanks very much, Just installed my first Linux distro today.

ghost 15 years ago

Good article Netfish, and Tnxs. It was very useful! B)

ghost 15 years ago

remember.

  1. netfish is right!

:D

very niice sir.

idlecomet 13 years ago

Awesome! And just as relevant today as it was 4 years ago, at least if you use a proper distro like Slackware, or no distro at all :)