Jump to content
  • Announcements

    • spinynorman

      Mandriva Official Documentation

      Official documentation for extant versions of Mandriva can be found at doc.mandriva.com.   Documentation for the latest release may take some time to appear there. You can install all the manuals from the main repository if you have Mandriva installed - files are prefixed mandriva-doc.
    • paul

      Forum software upgrade   10/29/17

      So you may have noticed the forum software has upgraded !!!
      A few things that have changed. We no longer have community blogs (was never really used) We no longer have a portal page.
      We can discuss this, and decide whether it is needed (It costs money) See this thread: Here
Sign in to follow this  
linux_learner

SE-02: Linux Security Overview

Recommended Posts

Browse: [About the FAQ Forum] [Table of Contents] [FAQs] [Contribute] [SE: Security, firewalls...]

 

SE-02: Linux Security Overview

 

 

The first thing to understand about security, is that it is an on going, ever changing evolution. Security is not about a particular piece of software, it is not an OS, it is not a particular piece of hardware. Security is a process. Security is as much education as implementation.

 

Linux offers great flexibility and power in the area of security, so lets look at how.

 

1.Permissions: (chmod)

Chmod has often been confusing for newbies. Each file has a set of permissions, and each directory also has a set of permissions, these permissions are set through chmod. Whether a file or a directory they all have three (3) groups. Each group has a set of permissions. The groups are broken down as follows:

 

u: the owner user (the one who created the file or directory)

g: the owner group (belonging to the same group as the owner of the file or directory)

o: others a.k.a world (everybody else)

 

Each group has permissions. The permissions are:

 

r: read

w: write

x: execute

 

So if I said a file had rwxrwxrwx, that would mean that the owner has read, write and execute abilities. The group would also have read, write and execute abilities, and so would everyone else (others/world).

 

Chmod is expressed in a numerical format called hexadecimal. The above example would be expressed as 777. How did we get that? Each permissions is a binary bit, either 1 or 0. The 0 would indicate the permission is turned off. In the above example, all the permissions are turned on.

 

For the owner we have rwx.

Which translates to 111 in binary bits.

 

For the group we have rwx.

Which translates to 111 in binary.

 

For the others we have rwx.

Which translates to 111 in binary.

 

Maybe you don't know binary. A brief lesson in binary.

0=0

1=1

10=2

11=3

100=4

101=5

110=6

111=7

 

We'll stop here on binary, since thats all that is relevant. So now we can see how we got to 777. 7 for the owner, which again is read, write and execute (rwx). 7 for the group, which is read, write and execute (rwx). 7 for others/world, which is read, write execute (rwx). These set of permissions may not be what you'd want your files or directories to be set at, but then, i can't determine that for you. Only you can do that. All you have to do is determine who has what permissions.

 

 

2.Firewalls: There are many firewalls out there. Some are scripts, which can offer some of the greatest control over a firewall, others are GUI's or frontends. Frontends are great for beginners as it offers a way to quickly and effectively configure your firewall. Some of the firewalls I like are; Firestarter, and Guarddog. Some scripts i like are; Arno's firewall, and IPkungfu.

 

 

3.Services: Always, always, always, turn off any unnecessary services.

http://www.cae.wisc.edu/fsg/linux/linux-security.html

 

cron, anacron- Cron is responsible for running scheduled system jobs and anacron is responsible for running any missed jobs due to system downtime.  Some versions of Linux use these two services to perform housekeeping chores, so they should be left on.

 

ftpd- This is the File Transfer Protocol daemon that allows a FTP server to run.  If you do not have an FTP server or do not know what that is, turn it off.

httpd- This is the HTTP daemon that allows a web server to run.  If you do not run a web server on your machine, turn it off.

 

iptables- One of the major Linux firewall tools.  Since it is used to implement many of the standard firewalls, this service should be left enabled.

 

isdn- A service for people using ISDN to access the internet.  If you do not use ISDN, disable this service.

 

lpd- The Linux printing daemon.  If you do not have a printer, turn it off.

 

nfs, nfslock, portmap- Three services required for the old style Linux Network File System format.  Unless you are using this format, disable these three services.

 

pcmcia- The services for controlling laptop pcmcia devices.  Disable this service unless you are running Linux on a laptop.

 

samba, smb, smbd, nmbd- Various services related to Samba servers for allowing Windows machines to connect to printer or disk shares on your machine.  These can be turned off unless you would like to access your Linux shares from Windows.

sshd, sshd2- These two services allow remote access to your machine from the SSH and SSH2 protocols respectively.  If you would like to remotely access your machine, we recommend that you leave sshd2 on and turn off sshd, otherwise both can be turned off (Please note that OpenSSH appears as sshd even though it can use the SSH2 protocol, so if you want to use OpenSSH, leave sshd enabled).

 

telnet, telnetd- These services all you to remotely access your machine through telnet.  This is very insecure and we recommend disabling telnet.

 

 

4.Securetty: This is a file in the /etc directory (/etc/securetty). This should be commented out. It allows a person to remotely login as root.

 

cat /etc/securetty
#
# This file contains the device names of tty lines (one per line,
# without leading /dev/) on which root is allowed to login.
#
tty1
tty2
tty3
tty4
tty5
tty6
# for devfs:
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6

 

This is what an uncommented securetty file looks like. Simply put a # in front of tty1-6 and vc/1-6. If you want to login in as root just lease tty1 and vc/1 uncommented.

 

 

5.Xserver: Xserver is a part of Xwindows and while it has its function and purpose, if you don't absolutely need the server function in X, then you should disable that.

 

cat /etc/X11/xdm/Xservers
# $XConsortium: Xserv.ws.cpp,v 1.3 93/09/28 14:30:30 gildea Exp $
#
#
# $XFree86: xc/programs/xdm/config/Xserv.ws.cpp,v 1.1.1.1.12.2 1998/10/04 15:23:14 hohndel Exp $
#
# Xservers file, workstation prototype
#
# This file should contain an entry to start the server on the
# local display; if you have more than one display (not screen),
# you can add entries to the list (one per line).  If you also
# have some X terminals connected which do not support XDMCP,
# you can add them here as well.  Each X terminal line should
# look like:
#
#       XTerminalName:0 foreign
#
# Note: The vt07 is required to start the local X server on the virtual
#       console 7. This avoids conflicts with gettys of /etc/inittab.
#
:0 local /usr/X11R6/bin/X     -nolisten tcp

 

This will stop Xserver from acting as a server. By leaving this active anyone with the knowledge and ability can literally see/watch what you are doing.

 

 

6.Updates: Regularly keep your system up to date.

 

 

 

 

For further study:

http://www.linuxsecurity.com/docs/LDP/Secu...k-security.html

http://www.tldp.org/HOWTO/Security-HOWTO/

 

 

Book: "Hacking Linux Exposed 2nd Edition"

Edited by LiquidZoo

Share this post


Link to post
Share on other sites

Great info here, thanks a lot.

 

Question: if you use a firewall, have not punched holes in it, and have no sshd, httpd, ftpd, telnetd and the like running, is your system really secure?

 

Is it possible that even with a firewall and no webservices running, people can still get in?

I'm just supposing your kernel is not updated or so - some parts of the system not up to date, but your firewall is up.

 

 

 

Another matter, for the really paranoid: never run binaries that you obtained from an untrusted source (which would include binaries/packages that got installed by urpmi but got warned that there is no valid key, and which includes any unsigned package or binary) - there could be a trojan hiding.

If you really want to run it anyway, you can create a different user, under who's account you have no important info, and run it there.

Naturally, if you are this paranoid, you must update as soon as possible whenever holes become known that could be exploited to escalate user priviliges (read: that allow normal users to become root).

Edited by LiquidZoo

Share this post


Link to post
Share on other sites

thats a good question. the answer isnt that simple. as i stated at the begining of the faq, security is a process not any one thing. if you neglect the updates, then some one could take advantage of buffer overflows and race strings. if permissions arent set right, then some one can gain root access that way. if services are left active, then the same is true. security is a combination of implimentations, and it begins with knowledge.

 

as far as the binaries, your dead right. it might be best to create a "sandbox" for it. maybe chroot jail it.

 

maybe when i learn chroot jail and play arround a bit with it, i'll do an faq on that.

 

thanx for all the feed back.

Share this post


Link to post
Share on other sites

Thanks for your answer linux_learner.

 

About chroot, jails and all, how could usermode linux be a good option? Hmmm..

Edited by LiquidZoo

Share this post


Link to post
Share on other sites

i havent played with usermode linux, but the website seems to describe it as like a sandbox and more. sounds quite cool. http://user-mode-linux.sourceforge.net/uses.html

 

As a secure sandbox or jail

 

Processes inside the user-mode kernel have no access to the hosting machine or to the outside world that's not explicitly provided. So, a malicious application running inside it can do no harm to anything that matters.

 

it seems also, like you can run a whole nother ker and distro in usermode linux as well.

 

Trying out new distributions

 

Its filesystems are contained in files in the underlying filesystem, so any time you want to boot a new distribution, you only need to dedicate a file to it, not an entire disk partition. The project download page has a number of ready-to-go root filesystems loaded with various distributions, including SuSE, Slackware, Debian, and Red Hat.

Share this post


Link to post
Share on other sites
Sign in to follow this  

×