
How To Secure Your Linux Box


15 replies to this topic

#1 Bosco

Bosco

    OCC Boss

  • Senior Admin
  • 32400 posts
  • Gender:Male
  • Location:Canada

Posted 06 December 2003 - 05:42 PM

This little guide might help secure your Linux box. While all of the things in this guide are great ways to improve the security of your Linux box, it should never take the place of updating your system with the latest product patches. Keeping your software & kernel up-to-date is the best security thing you can do for your Linux box. This guide is geared towards the Red Hat distro; if you have another distro then your mileage may vary. This guide is also geared to Linux administrators who already know the basics of the Linux file system. You will also need root access to the Linux box to perform most of the tasks in this guide.

Check your system for current intruders and backdoors
Before you start securing your system, you should first check to see if your box has already been compromised. If it has already been compromised, you should back up all of your important information and format that hard drive. Usually the first thing an intruder installs is a "rootkit". The main purpose of a rootkit is to keep the intruder hidden, so you'll never know he's in your system. Rootkits also give intruders a "backdoor", or another way into your box. When a rootkit has been installed, nothing on your box can be trusted to provide accurate feedback. A quick way to see if your box has been compromised is to run Check Root Kit (chkrootkit). More information about chkrootkit and download mirrors can be found at their website.

1. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
2. tar -xvzf chkrootkit.tar.gz
3. cd chkrootkit*
4. make sense
5. Lastly, run "./chkrootkit" without quotes. This will run chkrootkit. Everything should state "not found" or "not infected". If it says anything else, you may want to run chkrootkit again or investigate your findings on Google.


Use STRONG Passwords
You would not believe how many people use weak passwords that are easily cracked with a dictionary brute-force attack. Your password should be something that is NOT found in a dictionary; it should be at least 11 characters in length and should contain special characters like (@!$%^&*). You should also consider mixing up letters with numbers. For example: 3 for E, 1 for i, 7 for T, etc.

Update your system
You should run the command "up2date" without quotes, and have it automatically update your system. This might take a while, especially on dialup.

Turn Services off that you don't use.
If you have no reason to use a running daemon/service, then you should turn it off. Leaving it on leaves your box open to exploitation.

If you use FTP to transfer files on your box, then use Secure FTP
FTP is known as a plain-text protocol, meaning that your username and password are sent to the server in readable text. Someone with very little knowledge could set up a packet sniffer on your network (or the remote network, if your Linux box isn't on your network) and grab your username and password for your FTP. Therefore you should never use plain FTP; instead use Secure FTP.

1. First, you will need a Secure FTP client. You can use JFTP, WS-FTP Pro, FileZilla or any other SFTP-capable FTP client.
2. When setting up your SFTP client, be sure to select the SSH2 protocol (it's a more secure protocol). You should be able to connect to your server without any problems.
3. You should now turn off your FTP Server on your Linux box, since it is no longer needed.

Secure SSH
If you require remote access to your Linux box, you should ONLY use SSH. NEVER use Telnet. Telnet is a plain text protocol, and a cracker could easily grab your username and password. If you do not require remote access to your Linux box, you should disable the SSH daemon (If you're using Secure FTP, do not disable SSH).

1. Open up your sshd_config file (Usually: /etc/ssh/sshd_config)
2. Find the line that says "#Port 22", uncomment it and change it to a high port number like 54000. This will help prevent automated scripts & worms on the Internet from probing your SSH to find out if it is exploitable. This adds a little difficulty for your below-average cracker.
3. Find "#Protocol 2,1", uncomment it and change it to "Protocol 2". This forces SSHD to use SSH version 2 instead of version 1. Version 2 is much more secure than version 1.
4. Find "#PermitRootLogin yes", uncomment it and change it to "PermitRootLogin no". This prevents you from remotely logging in to your server as user root. Instead, you will be required to log in as a different (lower-privileged) user first, then su to root. For a cracker to gain root access via your SSH, he will now need to know your username and password, and also the root password. This gives the cracker an even harder time cracking your Linux box.
5. Save the file. Restart SSHD. Usually: /etc/rc.d/init.d/sshd restart
6. You can run a "netstat -anp | grep sshd" without quotes, and you should see SSHD running on the high port number you specified.

If your Linux box is located on the Internet and you access it via SSH, and "your" IP address is static, then you should set up your Linux box to only allow your IP access. This is done with the hosts files.

1. Open /etc/hosts.allow
2. Add: "sshd: yourip" without quotes (Replace yourip with your static IP address)
3. Save that file. Then open /etc/hosts.deny
4. Add: "sshd: ALL" without quotes. Save it.

Hide Version Information
If you "must" run web services like a web server (Apache), you should disable or change the version to help throw off amateur crackers and stop some automated scripts from "picking" on you. Turning off the version number in Apache is very easy. Simply edit the httpd.conf file (usually: /etc/httpd/conf/httpd.conf) and search for "ServerSignature". Change it to: ServerSignature off. Also, underneath it add: "ServerTokens ProductOnly" without the quotes. Save it. Restart Apache. This only hides the version number, so now instead of displaying "Apache 1.3.27" it will simply say "Apache". You can remove or change the "Apache" to something else by editing the httpd.h (header file) and recompiling Apache. You can also change it without recompiling, but I'm not going to cover that. (Hint: Edit the httpd binary and find it in there :P)

If you have PHP installed, you should also hide its version from being displayed. Edit your php.ini file (usually: /etc/php.ini), search for "expose_php = On" and replace it with "expose_php = off". Save the file and restart Apache for the changes to take effect.

If you're using Sendmail then you should set it up to hide the server version and product name. This is easily done by editing the /etc/mail/sendmail.mc file and adding this to the config: define(`confSMTP_LOGIN_MSG','') then simply make the config live by running the command: m4 /etc/mail/sendmail.mc > /etc/sendmail.cf Lastly, restart Sendmail: /sbin/service sendmail restart.

There are many other web services you can modify to hide the version or product name; you just have to do it. However, be warned: changing the version information or hiding it does NOT protect your Linux box from exploits. The only real way to protect yourself is to keep your box updated with the latest versions.

Install LibSafe
Libsafe is a middleware solution to format string attacks and buffer overflows. It provides a dynamically loadable LD_PRELOAD replacement. The LD_PRELOAD replacement is used to replace common functions known to have format string or BOF issues. LibSafe is an ideal solution to stop many issues in simple and basic software; for example, the Linux x86 'traceroute' utility has had a history of format string issues, and libsafe essentially puts a lid around most of those past/present/future issues.
To install Libsafe:

1. wget http://www.research....2.0-16.i386.rpm
2. rpm -ivh libsafe-2.0-16.i386.rpm
3. To make sure it is installed you can "cat /etc/ld.so.preload" and look for an output similar to: /lib/libsafe.so.2

Install GRSecurity Kernel Patch
This is for the brave at heart Linux administrators, but I highly recommend it. GRSecurity is a kernel patch that hardens your Linux box against buffer overflows and many other security flawed features of the kernel. For an entire list of what GRSecurity helps protect you against, surf over to their features page. You will need to recompile your kernel in order to install this patch, so be ready for that. You can download the patch from the main GRSecurity site. They have installation instructions and a great forum if you have any problems or would like to ask questions.

Mount /tmp with noexec
By default your Linux box's /tmp partition allows files within it to be executed. It's highly recommended that you mount the partition using noexec, as this would protect your box from many remote and local exploits. This is especially true when running a web server. Here's how to do it:

1. cd /dev
2. dd if=/dev/zero of=securetmp bs=1024 count=100000
3. mke2fs /dev/securetmp
4. cp -R /tmp /tmp_backup
5. mount -o loop,noexec,nosuid,rw /dev/securetmp /tmp
6. chmod 0777 /tmp
7. cp -R /tmp_backup/* /tmp/
8. rm -rf /tmp_backup
9. edit /etc/fstab
10. At the bottom of the fstab file. Add:
/dev/securetmp          /tmp                    ext2    loop,noexec,nosuid,rw  0 0
(Each space is a TAB)
11. Save the file.
12. Test out your new "more secure" tmp partition by dropping a file in /tmp directory and try executing it. It should say: "Permission denied".

Install a Firewall
I recommend the APF (Advanced Policy Firewall) script, which uses IPTables. It's very easy to install and manage for new Linux users.

1. wget http://www.rfxnetwor...-current.tar.gz
2. tar -xzvf apf-*
3. cd apf-*
4. sh install.sh
5. cat README
6. Your firewall is now installed. Don't forget to read the README file, as it has information on how to turn your new firewall on.

Mask your fingerprint
There are four TCP settings that allow crackers to fingerprint (determine) your operating system. Two of the four settings are required to be changed if you want to change/mask your fingerprint to throw crackers off. Remember, the less crackers know about your operating system, the better. The two settings we are going to change are the Default Window Size and the Default Time to Live. There is an interesting list of fingerprints located at honeynet that shows what the default settings are for each OS. When changing the default Window Size and TTL, your network connection could have a performance drop or increase, so remember to back up your settings in case you have problems afterwards.

1. echo 60 > /proc/sys/net/ipv4/ip_default_ttl
2. echo 32768 > /proc/sys/net/core/rmem_max
3. echo 32768 > /proc/sys/net/core/rmem_default



That's more or less the barebones of Linux security. The security on Linux (especially in a server environment) goes WAY beyond what has been discussed here.

If you can think of anything else that should be added, then let me know.

I'll be posting a full How-To guide on the main site soon. This guide will show you how to accomplish each task, step-by-step. From updating your kernel, installing kernel patches, to protecting your box against DoS attacks. So, stay tuned!

Main Gaming Rig
Intel 3960X
MSI X79A-GD65 8D
16GB of Corsair Vengeance
NVIDIA 780TI's in SLI
Corsair Force 3 GT 240GB SSD
Coolermaster 932 Case
Noctua D14 CPU Cooler
Thermaltake Toughpower XT Platinum 1275 Watts
3 X 24" LCD's
Donating to OCC :::: OCC Site Rules :::: OCC Reviews
RIP Verran and Nemo gone but never will be forgotten.
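
The password rules in the "Use STRONG Passwords" section above (at least 11 characters, a symbol, letters mixed with digits), turned into a small checker. This is an added example written for this thread, not code from the post; the rule set and the sample passwords are constructed from the text, and passing it is a floor, not proof of strength, since a dictionary word with 3-for-E style substitutions can still pass.

```sh
#!/bin/sh
# Added example, not from the original post: check a password against the
# rules listed in the guide. Rules and sample passwords are constructed
# from the text of the post.

# password_problems PASSWORD
# Prints one line per rule the password fails; prints nothing when it passes.
password_problems() {
    pw=$1
    # Rule 1: at least 11 characters (the guide's minimum)
    if [ "${#pw}" -lt 11 ]; then
        echo "too short: ${#pw} characters, need 11"
    fi
    # Rule 2: at least one character that is not a letter or digit
    case "$pw" in
        *[!A-Za-z0-9]*) ;;
        *) echo "no symbol character (e.g. @!\$%^&*)" ;;
    esac
    # Rule 3: letters mixed with digits, so both kinds must be present
    case "$pw" in
        *[0-9]*) ;;
        *) echo "no digit" ;;
    esac
    case "$pw" in
        *[A-Za-z]*) ;;
        *) echo "no letter" ;;
    esac
}

# password_ok PASSWORD
# Prints "ok" when no rule fails, otherwise "weak".
password_ok() {
    if [ -z "$(password_problems "$1")" ]; then
        echo ok
    else
        echo weak
    fi
}

# Demonstration on constructed sample passwords
for p in "password" "S3cur3!L1nux@B0x" "correcthorsebatterystaple"; do
    printf '%-28s %s\n' "$p" "$(password_ok "$p")"
    password_problems "$p" | sed 's/^/    /'
done
```

On a Red Hat box of that era the same kind of rule is enforced at passwd time by the pam_cracklib module, which also rejects dictionary words; the script above only shows the mechanical part of the check.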

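
An audit for the "Secure SSH" section above. It reads an sshd_config the way sshd does: a commented-out line such as "#PermitRootLogin yes" is only documentation of the default, so a stock file still permits root login until the line is uncommented and changed. It also checks that hosts.deny and hosts.allow carry the sshd rule the section adds. This is an added example, not code from the post; the files it writes, the port 54000 and the address 192.0.2.10 are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: audit the three sshd_config
# settings the guide changes and the TCP-wrappers rule it adds. Paths are
# passed in so the functions can run against copies of the real files.

# sshd_effective FILE DIRECTIVE DEFAULT
# Prints the value sshd would use: the last uncommented occurrence wins;
# commented-out lines are ignored and DEFAULT is printed when none is set.
# Directive names are case-insensitive, as in sshd_config.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { val = $2 }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# sshd_audit FILE
# Prints one line per finding and a final "weak=N" summary line.
sshd_audit() {
    f=$1; weak=0
    port=$(sshd_effective "$f" Port 22)
    proto=$(sshd_effective "$f" Protocol "2,1")      # old OpenSSH default
    root=$(sshd_effective "$f" PermitRootLogin yes)
    if [ "$port" = 22 ]; then
        echo "INFO: Port 22 (default; automated scanners probe it first)"
    fi
    case "$proto" in
        *1*) echo "WEAK: Protocol $proto still offers SSH-1"; weak=$((weak + 1)) ;;
    esac
    if [ "$root" != no ]; then
        echo "WEAK: PermitRootLogin $root (root reachable directly)"; weak=$((weak + 1))
    fi
    echo "weak=$weak"
}

# tcpwrap_sshd_locked ALLOWFILE DENYFILE
# Prints "yes" when hosts.deny blocks sshd for ALL and hosts.allow names
# at least one sshd client by address, otherwise "no".
tcpwrap_sshd_locked() {
    if grep -Eiq '^[[:space:]]*sshd[[:space:]]*:[[:space:]]*ALL' "$2" &&
       grep -Eiq '^[[:space:]]*sshd[[:space:]]*:[[:space:]]*[0-9]' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Demonstration on constructed files: a stock-looking config vs a hardened one
d=${TMPDIR:-/tmp}/sshd_demo.$$
mkdir -p "$d"
printf '#Port 22\n#Protocol 2,1\n#PermitRootLogin yes\n' > "$d/stock"
printf 'Port 54000\nProtocol 2\nPermitRootLogin no\n' > "$d/hardened"
printf 'sshd: 192.0.2.10\n' > "$d/hosts.allow"     # placeholder static IP
printf 'sshd: ALL\n' > "$d/hosts.deny"
echo "--- stock ---";    sshd_audit "$d/stock"
echo "--- hardened ---"; sshd_audit "$d/hardened"
echo "tcp wrappers restrict sshd to listed hosts: $(tcpwrap_sshd_locked "$d/hosts.allow" "$d/hosts.deny")"
rm -rf "$d"
```

Run sshd_audit against /etc/ssh/sshd_config after step 5 of the section; the "weak=0" line is the confirmation, and the "netstat -anp | grep sshd" check in step 6 then confirms the daemon actually restarted on the new port.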

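
A check for the "Mount /tmp with noexec" section: it reads a /proc/mounts-style table and reports which of the expected options (noexec, nosuid) are missing from a mount point, and it performs the section's step 12 probe of writing a script into a directory and trying to run it. This is an added example, not code from the post; the mount table it demonstrates on is constructed, and on a real box you would point it at /proc/mounts.

```sh
#!/bin/sh
# Added example, not from the original post: verify the mount options the
# guide puts on /tmp. The sample table below is constructed; pass
# /proc/mounts as TABLE to check a live system.

# mount_opts TABLE MOUNTPOINT
# Prints the option list of the last entry for MOUNTPOINT (a later mount on
# the same path shadows an earlier one, so the last line is the active one).
# Prints nothing if the path is not a mount point.
mount_opts() {
    awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# missing_opts TABLE MOUNTPOINT OPT...
# Prints the required options that are absent, space separated.
missing_opts() {
    table=$1; mp=$2; shift 2
    opts=$(mount_opts "$table" "$mp")
    missing=""
    for o in "$@"; do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="${missing:+$missing }$o" ;;
        esac
    done
    echo "$missing"
}

# tmp_hardened TABLE
# Prints "yes" only if /tmp is its own mount and carries noexec and nosuid.
tmp_hardened() {
    if [ -z "$(mount_opts "$1" /tmp)" ]; then
        echo no          # /tmp is just a directory on the root filesystem
    elif [ -z "$(missing_opts "$1" /tmp noexec nosuid)" ]; then
        echo yes
    else
        echo no
    fi
}

# exec_blocked DIR
# The guide's step 12: drop a script in DIR and try to run it.
# Prints "yes" if execution is refused (noexec in effect), "no" if it ran.
exec_blocked() {
    s=$1/noexec_probe.$$
    printf '#!/bin/sh\nexit 0\n' > "$s" && chmod 755 "$s"
    if "$s" 2>/dev/null; then r=no; else r=yes; fi
    rm -f "$s"
    echo "$r"
}

# Demonstration on a constructed mount table
t=${TMPDIR:-/tmp}/mounts_demo.$$
cat > "$t" <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/loop0 /tmp ext2 rw,noexec,nosuid 0 0
EOF
echo "/tmp options: $(mount_opts "$t" /tmp)"
echo "/tmp hardened: $(tmp_hardened "$t")"
echo "/ is missing: $(missing_opts "$t" / noexec nosuid)"
echo "exec blocked in ${TMPDIR:-/tmp}: $(exec_blocked "${TMPDIR:-/tmp}")"
rm -f "$t"
```

Note that the fstab line in step 10 only takes effect after a reboot or a remount, so a "yes" from tmp_hardened on the live table right after step 5 does not prove the entry in /etc/fstab is right; checking after a reboot does.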
#2 d3bruts1d

d3bruts1d

    Posting Nut

  • Forum Admin
  • 9957 posts
  • Gender:Male
  • Location:Knoxville, TN

Posted 06 December 2003 - 06:31 PM

Been waiting on this. Very nice. :) Can't wait to see the full version.

Don't forget logging and maybe a definition of access rights (file permissions).

The opinions expressed in this post are my own and do not necessarily represent that of OverclockersClub.com, its affiliates or sponsors.
If you enjoy my ramblings you may want to visit my blog, follow me on Twitter, or friend me on Facebook.


#3 Bosco

Bosco

    OCC Boss

  • Senior Admin
  • 32400 posts
  • Gender:Male
  • Location:Canada

Posted 06 December 2003 - 09:18 PM

Been waiting on this. Very nice. :) Can't wait to see the full version.

Don't forget logging and maybe a definition of access rights (file permissions).

ohh just wait until you see "my" logging in the upcoming guide.. you'll be saying "how the hell... I didn't know you could do that" :P



#4 NobeleeNa

NobeleeNa

    New Member

  • Members
  • 1 posts
  • Location:Makassar, Sulawesi Selatan - INDONESIA

Posted 28 May 2004 - 02:29 AM

I've been looking for this topic for so long on many different forums and finally today I saw this topic.

Has the full version been released already? Because you posted this message in December 2003.

Thanks!

#5 hardwarejunkie

hardwarejunkie

    New Member

  • Members
  • 14 posts

Posted 20 April 2005 - 05:29 AM

I'd like to see it soon.

#6 BiPolar

BiPolar

    Mature Cheese

  • Members
  • 1199 posts

Posted 20 April 2005 - 10:26 AM

thanks linuxprox...this'll be part of my todo list when i get back from the summer and install Fedoracore on my machine.

#7 markiemrboo

markiemrboo

    BSD Fiend

  • Members
  • 5955 posts
  • Gender:Male
  • Location:Gt Yarmouth, UK

Posted 21 April 2005 - 10:51 AM

Update your system
You should run the command "up2date" without quotes, and have it automatically update your system. This might take a while, especially on dialup.


I think perhaps that would better read:

You should periodically run the command "up2date", or your distro's equivalent update command (if it has one), and have it automatically update your system. [...blerb...]

Or something like that.

I'm also not sure about the trying to hide your version number stuff. Instead of spending time trying to hide the version number of your obviously out of date software, it would be much better to stop being lazy and update the software to fix the flaw.

Other than that, sounds good. There's also the option of one time passwords, I used those before.. pretty neat stuff!
( Intel C2Q9300 + Scythe Zipang (400 x 7.5 = 3GHz @ 1.3v) ) ( Gigabyte GA-P35C-DS3R v2.1 ) ( 2 x 2GB OCZ OCZ2N800SR4GK PC2-6400 (400 x 5-5-5-15 @ 2.1v) ) ( Sapphire 4890 OC 1GB ) ( 4 x 1TB Samsung F1, 1 x 500GB Samsung T ) ( Pioneer DVR-109XL ) ( X-fi XtremeMusic ) ( Corsair HX 520 ) ( Enermax Pandora CA-3030 ) ( 2 x Benq G2400W ) ( Cherry CyMotion Expert ) ( Windows Vista Ultimate x64 SP1 )


#8 Adrohak

Adrohak

    New Member

  • Members
  • 14 posts
  • Location:Florida

Posted 27 April 2005 - 06:17 AM

Something you may want to add is the use of Nessus.

#9 Aristotle

Aristotle

    Member

  • Members
  • 332 posts

Posted 03 June 2005 - 03:18 AM

And when a Linux user is feeling brave enough, they should install and play around with Snort. Snort is an Intrusion Detection System (IDS) that looks at all the inbound and outbound traffic and compares the packet data to known attack signatures. Snort can be configured to act as a passive voyeur or be an aggressive firewall. However, it takes some experience to set it up properly, so this is something most definitely NOT for beginners.

#10 Bosco

Bosco

    OCC Boss

  • Senior Admin
  • 32400 posts
  • Gender:Male
  • Location:Canada

Posted 24 June 2005 - 04:43 PM

And when a Linux user is feeling brave enough, they should install and play around with Snort. Snort is an Intrusion Detection System (IDS) that looks at all the inbound and outbound traffic and compares the packet data to known attack signatures. Snort can be configured to act as a passive voyeur or be an aggressive firewall. However, it takes some experience to set it up properly, so this is something most definitely NOT for beginners.



That is something else that will be added to my "full version" security handbook that will be released soon. I actually wrote a lot of the full version that I had coming out, last year but I lost it in a hard drive crash and it made me so mad that I didn't feel like rewriting it then :)

I am now starting to work on that guide again. I'm creating a rough draft tonight and coming up with a layout that will be easy to read.

I'll be working on this guide off and on, but hope to have it complete soon. I'll keep you all updated!



#11 GuJuMaN89

GuJuMaN89

    i own a computer

  • Members
  • 1788 posts

Posted 24 June 2005 - 04:59 PM

back it up often :P
Samsung series 9 Laptop

#12 Bosco

Bosco

    OCC Boss

  • Senior Admin
  • 32400 posts
  • Gender:Male
  • Location:Canada

Posted 24 June 2005 - 05:53 PM

back it up often :P



Yeah, to multiple hard drives this time! ;)
