Securing Linux (ESSENTIALS)
Securing Linux (ESSENTIALS)
ghost | 6832 Reads | Securing Linux (ESSENTIALS)
Important to do before surfing the net, or making a connection across your own bubble-wrapped LAN.
STEP#1: Basic file permissions
Make /root and /var/log Have Stricter Permissions by:
chmod -R og-rx /root chmod -R o-rx /var/log ulimit -c 0 /bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv /bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv
Step#2: Shut down services which are not required
This is very important. Services open ports on your computer - and open ports are potential ways for a hacker to penetrate your system. The first thing to take a look at is the /etc/inetd.conf file. Most TCP and UDP services are initialized from this file.
– sample inetd.conf section –
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l #telnet stream tcp nowait root /usr/libexec/telnetd telnetd #shell stream tcp nowait root /usr/libexec/rshd rshd #login stream tcp nowait root /usr/libexec/rlogind rlogind
– sample inetd.conf section –
Any services preceded by a "#" are taken as commented out and will not be started at boot time.
Inetd is a daemon which listens for TCP or UDP connections, and on connection, passes control to the appropriate service. Becoming familiar with the /etc/inetd.conf file is a good idea, as it is a likely place that an intruder would put a backdoor.
So, after opening the file you will need to comment out (using '#') the services that you don't need. After commenting out unnecessary services inetd needs to be restarted so the changes just made will take effect.
Step#3 - Remove un-needed system users
Take a look at your /etc/passwd file, you will see that there are a lot of users on your system. Why do you want 'games' or 'guest'?
Remove these users with "userdel -r username" command.
Step#4 - Prevent lilo from booting in "Linux 1"
Open /etc/lilo.conf
Add the following lines:
restricted
password=somepassword
Just replace 'somepassword' with a password of your choice (make it a good one). Basically, this will make lilo ask for a password whenever someone tried to pass additional parameters to it, like "linux 1".
Next thing to do is secure the /etc/lilo.conf file a bit better so that people can't just log in with their guest accounts and change the password. At the shell, type the following:
chown root.root /etc/lilo.conf
chmod 600 /etc/lilo.conf
That will make sure that root is the owner of the file, and that the permissions are set more tightly.
Step#5 - Use a basic firewall
A firewall is essential if you plan to prevent remote attacks. Redhat Linux comes with a firewall called ipchains which can filter and redirect packets for you. Add these rules to /etc/rc.d/rc.local to provide you with basic security and logging.
/sbin/ipchains -F /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 53 -j DENY -l /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 69 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 87 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 111 -j DENY -l /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 111 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2049 -j DENY -l /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2049 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 512 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 513 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 514 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 515 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 540 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 2000 -j DENY -l /sbin/ipchains -A input -i eth0 -p udp -d 0.0.0.0/0 2000 -j DENY -l /sbin/ipchains -A input -i eth0 -p tcp -d 0.0.0.0/0 6000 -j DENY -l
These rules block connections to certain services which cert says are bad and dangerous. If you are on a dialup, replace eth0 with ppp0.
Step#6 - Look at your logs
The logs on your system are your way of knowing what is, and has been going on. Logs are located in /var/log.
Step#7 - Check for updates regularly
You will need to visit the homepage of your Linux distro regularly to get all recommended patches and updates. This will ensure that any vulnerabilities in the software are patched quickly. or Also, go to your shell and depending on which package manager you have do either: "yum upgrade" or "apt-get update; apt-get upgrade" as root (fyi:command is "su").
Always Remember! 1: Netfish is RIGHT. 2: If {you think Netfish is WRONG} then SLAP YOURSELF, and goto the FIRST POINT.
ghost 17 years ago
I found that helpful, although I do not use suse (I recommend pclos - thats what I use)
Mr_Cheese 17 years ago
very useful actually. this could help me out a bit with work. thanks for that.
ghost 17 years ago
Very useful, although for some distro's such as Kubuntu "su" doesn't work. Instead you need to do "sudo -s".
ghost 17 years ago
Ubuntu / Kubuntu / Xubuntu are the exceptions, not the rule. Regardless, this is a great article for people starting out in Linux… coming from a Windows world, people will find material like this easy to read. Good job, man.
idlecomet 13 years ago
Awesome! And just as relevant today as it was 4 years ago, at least if you use a proper distro like Slackware, or no distro at all :)