SE-02: Linux Security Overview
The first thing to understand about security is that it is an ongoing, ever-changing evolution. Security is not a particular piece of software, it is not an OS, and it is not a particular piece of hardware. Security is a process. Security is as much education as implementation.
Linux offers great flexibility and power in the area of security, so let's look at how.
1.Permissions: (chmod)
Chmod has often been confusing for newbies. Each file has a set of permissions, and each directory also has a set of permissions; these permissions are set through chmod. Whether a file or a directory, they all have three (3) groups. Each group has a set of permissions. The groups are broken down as follows:
u: the owner user (the one who created the file or directory)
g: the owner group (belonging to the same group as the owner of the file or directory)
o: others a.k.a world (everybody else)
Each group has permissions. The permissions are:
r: read
w: write
x: execute
So if I said a file had rwxrwxrwx, that would mean that the owner has read, write and execute abilities. The group would also have read, write and execute abilities, and so would everyone else (others/world).
Chmod is expressed in a numerical format called hexadecimal. The above example would be expressed as 777. How did we get that? Each permission is a binary bit, either 1 or 0. A 0 indicates the permission is turned off. In the above example, all the permissions are turned on.
For the owner we have rwx.
Which translates to 111 in binary bits.
For the group we have rwx.
Which translates to 111 in binary.
For the others we have rwx.
Which translates to 111 in binary.
Maybe you don't know binary. A brief lesson in binary.
0=0
1=1
10=2
11=3
100=4
101=5
110=6
111=7
We'll stop here on binary, since that's all that is relevant. So now we can see how we got to 777: 7 for the owner, which again is read, write and execute (rwx); 7 for the group, which is read, write and execute (rwx); 7 for others/world, which is read, write and execute (rwx). This set of permissions may not be what you'd want your files or directories to be set at, but then, I can't determine that for you. Only you can do that. All you have to do is determine who has what permissions.
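As an added example (not part of the original post), the following script carries the rwx-to-digit conversion above through in code in both directions, works out the three-digit numeric form (each digit 0 to 7, i.e. octal) from a symbolic string like rwxr-x---, flags when "others" holds a given permission, and then applies a mode to a scratch file and reads it back with stat to confirm the kernel agrees. All names are my own.

```python
import os
import stat
import tempfile

# Value of each permission bit inside one rwx group: r=100, w=010, x=001.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def triad_to_digit(triad):
    """One rwx group ('r-x') -> the digit the post derives from binary (101 -> 5)."""
    if len(triad) != 3:
        raise ValueError("a permission group has exactly three slots: %r" % (triad,))
    value = 0
    for slot, flag in zip(triad, "rwx"):
        if slot == flag:
            value |= PERM_BITS[flag]
        elif slot != "-":
            raise ValueError("unexpected %r in %r" % (slot, triad))
    return value

def symbolic_to_octal(symbolic):
    """'rwxr-x---' -> '750': owner digit, group digit, others digit."""
    if len(symbolic) != 9:
        raise ValueError("expected 9 characters (u, g, o x rwx), got %r" % (symbolic,))
    return "".join(str(triad_to_digit(symbolic[i:i + 3])) for i in (0, 3, 6))

def octal_to_symbolic(digits):
    """'644' -> 'rw-r--r--' (the reverse mapping)."""
    groups = []
    for ch in digits:
        d = int(ch, 8)  # rejects anything outside 0-7
        groups.append(("r" if d & 4 else "-") + ("w" if d & 2 else "-") + ("x" if d & 1 else "-"))
    return "".join(groups)

def world_can(symbolic, flag):
    """Does 'others' (the last group) hold this permission? Spots world-writable files."""
    return flag in symbolic[6:]

def apply_and_verify(path, digits):
    """chmod the file to the requested mode and read the mode back via stat."""
    os.chmod(path, int(digits, 8))
    return format(stat.S_IMODE(os.stat(path).st_mode), "03o")

def demo():
    """Create a scratch file, set it to 750, and return what the kernel reports."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        return apply_and_verify(path, "750")
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(symbolic_to_octal("rwxrwxrwx"), octal_to_symbolic("640"), demo())
```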
2.Firewalls: There are many firewalls out there. Some are scripts, which can offer some of the greatest control over a firewall; others are GUIs or frontends. Frontends are great for beginners, as they offer a way to quickly and effectively configure your firewall. Some of the firewalls I like are: Firestarter and Guarddog. Some scripts I like are: Arno's firewall and IPkungfu.
3.Services: Always, always, always, turn off any unnecessary services.
http://www.cae.wisc....x-security.html
Quote
cron, anacron- Cron is responsible for running scheduled system jobs and anacron is responsible for running any missed jobs due to system downtime. Some versions of Linux use these two services to perform housekeeping chores, so they should be left on.
ftpd- This is the File Transfer Protocol daemon that allows a FTP server to run. If you do not have an FTP server or do not know what that is, turn it off.
httpd- This is the HTTP daemon that allows a web server to run. If you do not run a web server on your machine, turn it off.
iptables- One of the major Linux firewall tools. Since it is used to implement many of the standard firewalls, this service should be left enabled.
isdn- A service for people using ISDN to access the internet. If you do not use ISDN, disable this service.
lpd- The Linux printing daemon. If you do not have a printer, turn it off.
nfs, nfslock, portmap- Three services required for the old style Linux Network File System format. Unless you are using this format, disable these three services.
pcmcia- The services for controlling laptop pcmcia devices. Disable this service unless you are running Linux on a laptop.
samba, smb, smbd, nmbd- Various services related to Samba servers for allowing Windows machines to connect to printer or disk shares on your machine. These can be turned off unless you would like to access your Linux shares from Windows.
sshd, sshd2- These two services allow remote access to your machine from the SSH and SSH2 protocols respectively. If you would like to remotely access your machine, we recommend that you leave sshd2 on and turn off sshd, otherwise both can be turned off (Please note that OpenSSH appears as sshd even though it can use the SSH2 protocol, so if you want to use OpenSSH, leave sshd enabled).
telnet, telnetd- These services allow you to remotely access your machine through telnet. This is very insecure and we recommend disabling telnet.
4.Securetty: This is a file in the /etc directory (/etc/securetty). Its entries should be commented out. It allows a person to remotely log in as root.
cat /etc/securetty
#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6
# for devfs:
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
This is what an uncommented securetty file looks like. Simply put a # in front of tty1-6 and vc/1-6. If you want to log in as root, just leave tty1 and vc/1 uncommented.
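An added example, not from the original post, that performs the edit just described on a securetty file: every console line except an allow-list (tty1 and vc/1 by default) gets a # in front of it, comments and blank lines are left alone, and a second function lists which consoles remain active so you can confirm the result. The sample content is a constructed, shortened copy of the file layout shown above.

```python
# Constructed sample: a shortened copy of the securetty layout shown in the post.
SAMPLE_SECURETTY = """\
#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
# for devfs:
vc/1
vc/2
"""

def restrict_securetty(text, keep=("tty1", "vc/1")):
    """Comment out every console except those in `keep`; comments and blanks are untouched."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped in keep:
            out.append(line)
        else:
            out.append("# " + line)  # commented, not deleted, so the entry stays visible
    return "\n".join(out) + "\n"

def root_consoles(text):
    """The consoles root may still log in on: every non-blank, non-comment line."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

if __name__ == "__main__":
    print(restrict_securetty(SAMPLE_SECURETTY))
    print("root allowed on:", root_consoles(restrict_securetty(SAMPLE_SECURETTY)))
```

Running it twice is safe: lines already commented out are recognised as comments and left as they are.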
5.Xserver: Xserver is part of Xwindows, and while it has its function and purpose, if you don't absolutely need the server function in X, you should disable it.
cat /etc/X11/xdm/Xservers
# $XConsortium: Xserv.ws.cpp,v 1.3 93/09/28 14:30:30 gildea Exp $
#
#
# $XFree86: xc/programs/xdm/config/Xserv.ws.cpp,v 1.1.1.1.12.2 1998/10/04 15:23:14 hohndel Exp $
#
# Xservers file, workstation prototype
#
# This file should contain an entry to start the server on the
# local display; if you have more than one display (not screen),
# you can add entries to the list (one per line). If you also
# have some X terminals connected which do not support XDMCP,
# you can add them here as well. Each X terminal line should
# look like:
#
# XTerminalName:0 foreign
#
# Note: The vt07 is required to start the local X server on the virtual
# console 7. This avoids conflicts with gettys of /etc/inittab.
#
:0 local /usr/X11R6/bin/X -nolisten tcp
The -nolisten tcp option on the last line stops the X server from accepting network connections. If you leave network listening active, anyone with the knowledge and ability can literally see/watch what you are doing.
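An added example, not from the original post, that audits an Xservers file for the setting above: it reports whether each active "local" server line lacks -nolisten tcp and appends the option where it is missing, while leaving comments and already-hardened lines untouched. The sample file content is constructed.

```python
# Constructed sample: a local server line without -nolisten tcp.
SAMPLE_XSERVERS = """\
# Xservers file, workstation prototype
:0 local /usr/X11R6/bin/X
"""

def listens_on_tcp(line):
    """True unless the server line carries the consecutive tokens '-nolisten tcp'."""
    fields = line.split()
    return not any(fields[i] == "-nolisten" and fields[i + 1] == "tcp"
                   for i in range(len(fields) - 1))

def harden_xservers(text):
    """Append '-nolisten tcp' to every active 'local' server line that lacks it.
    Returns (new_text, number_of_lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        fields = line.split()
        is_server = (len(fields) >= 3 and fields[1] == "local"
                     and not line.lstrip().startswith("#"))
        if is_server and listens_on_tcp(line):
            line = line.rstrip() + " -nolisten tcp"
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    new_text, changed = harden_xservers(SAMPLE_XSERVERS)
    print("lines changed:", changed)
    print(new_text)
```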
6.Updates: Regularly keep your system up to date.
For further study:
http://www.linuxsecurity.com/docs/LDP/Secu...k-security.html
http://www.tldp.org/...Security-HOWTO/
Book: "Hacking Linux Exposed 2nd Edition"
This post has been edited by LiquidZoo: 25 April 2004 - 10:08 PM