How To Secure Your Linux Box

[Bosco]

This little guide might help secure your Linux box. While all of the things in this guide are great ways to improve the security of your Linux box, it should never take place of updating your system with the latest product patches. Keeping your software & Kernel up-to-date is the best security thing you can do for your Linux box. This guide is geared towards the Red Hat distro, if you have another distro then you're mileage may vary. This guide is also geared to Linux Administrator who already know the basics of the Linux file system. You will also need root access to the Linux Box to perform most of the tasks in this guide.

 

Check your system for current intruders and backdoors

Before you start securing your system, you should first check to see if your box has already been comprised. If you have already been comprised, you should backup all of your important information and do a format of that hard drive. Usually the first thing an intruder typically installs is a "rootkit". The main purpose of a rootkit is to keep the intruder hidden, so you'll never know he's in your system. Rootkits also give intruders a "backdoor", or another way in to your box. When a rootkit has been installed, nothing on your box can be trusted to provide accurate feedback. A quick way to see if your box has been comprised, is to run Check Root Kit (chkrootkit). More information about Chkrootkit and download mirrors, can be found at their website.

 

1. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

2. tar -xvzf chkrootkit.tar.gz

3. cd chkrootkit*

4. make sense

5. Lastly, run: "./chkrootkit" without quotes. This will run chkrootkit. Everything should state: not found or not infected. If it says anything else, you may want to run chkrootkit again or investigate your findings on google.

 

 

Use STRONG Passwords

You would not believe how many people use weak passwords that are easily cracked with a dictionary brute force attack. Your password should be something that is NOT found in a dictionary, it should be "atleast" 11 characters in length and should contain

erroneous characters like (@!$%^&*). You should also consider mixing up letters with numbers. For example; 3 for E, 1 for i, 7 for T, ect..

 

Update your system

You should run the command "up2date" without quotes, and have it automatically update your system. This might take awhile, especially on dialup.

 

Turn Services off that you don't use.

If you have no reason to use a running daemon/service, then you should turn it off. Leaving it on, leaves your box open for exploiting.

 

If you use FTP to transfer files on your box, then use Secure FTP

FTP is known as a plain text protocol, meaning that your username and password is sent to the server in readable text. Someone with very little knowledge could setup a packet sniffer on you're network (or the remote network, if your Linux box isn't on your network) and grab your username and password for your FTP. Therefore you should never use plain FTP, instead use Secure FTP.

 

1. First, you will need a Secure FTP client. You can use JFTP, WS-FTP Pro, Filezilla or any other secure capable ftp client.

2. When setting up your SFTP client, be sure to select the SSH2 protocol (it's a more secure protocol). You should be able to connect to your server without any problems.

3. You should now turn off your FTP Server on your Linux box, since it is no longer needed.

 

Secure SSH

If you require remote access to your Linux box, you should ONLY use SSH. NEVER use Telnet. Telnet is a plain text protocol, and a cracker could easily grab your username and password. If you do not require remote access to your Linux box, you should disable the SSH daemon (If you're using Secure FTP, do not disable SSH).

 

1. Open up your sshd_config file (Usually: /etc/ssh/sshd_config)

2. Find the line that says "#Port 22" and uncomment it and change it to a high port number like 54000. This will help prevent automated scripts & worms on the Internet from probing your SSH to find out if your SSH is exploitable. This adds a little difficulty to your below average cracker.

3. Find "#Protocol 2,1" and uncomment it and change it to: "Protocol 2". This forces SSHD to use SSH version 2 instead of version 1. Version 2 is much more secure than version 1.

4. Find "#PermitRootLogin yes" and uncomment it and change it to "PermitRootLogin no". This prevents you from remotely logging in to your server by user: root. Instead, you will be required to login as a different user (lower privileged user) first, then su to root. For a cracker to gain root access via your SSH, he will now need to know your username and password, and also the root password. This gives the cracker an even harder time to crack your Linux box.

5. Save the file. Restart SSHD. Usually: /etc/rc.d/init.d/sshd restart

6. You can run a "netstat -anp | grep sshd" without quotes, and you should see SSHD running on the high port number you specified.

 

If you're Linux box is located on the Internet and you access it via SSH, and "your" IP address is static then you should setup your Linux Box to only allow your IP access. This is done with the hosts files.

 

1. Open /etc/hosts.allow

2. Add: "sshd: yourip" without quotes (Replace yourip with your static IP address)

3. Save that file. Then open /etc/hosts.deny

4. Add: "sshd: ALL" without quotes. Save it.

 

Hide Version Information

If you "must" run web services like a web server (Apache) you should disable or change the version to help throw off amateur crackers and stop some automated scripts from "picking" on you. Turning off the version number in Apache is very easy. Simply edit the httpd.conf file (usually: /etc/httpd/conf/httpd.conf) and search for "ServerSignature". Change it to: ServerSignature off Also underneath it add: "ServerTokens ProductOnly" without the quotes. Save it. Restart Apache. This only hides the version number, so now instead of it displaying; Apache 1.3.27 it will just simply say Apache. You can remove or change the "Apache" to something else by editing the httpd.h (header file) and recompiling Apache. You can also change it without recompiling, but I'm not going to cover that. (Hint: Edit the httpd binary and find it in there ) If you have PHP installed, you should also hide it's version from being displayed. Edit your php.ini file (Usually: /etc/php.ini) and search for "expose_php = On" and replace with: "expose_php = off". Save the file and restart apache for the changes to take affect. If you're using Sendmail then you should set it up to hide the server version and product name. This is easily done by editing the /etc/mail/sendmail.mc file and adding this in the config: define(`confSMTP_LOGIN_MSG','') then simply make the config live by running the command: m4 /etc/mail/sendmail.mc > /etc/sendmail.cf Lastly restart sendmail /sbin/service sendmail restart. There are many other web services you can modify to hide the version or product name, you just have to do it. However, be warned: Changing the version information or hiding it, does NOT protect your Linux box from exploits. The only real way to protect yourself is to keep your box updated with the latest versions.

 

Install LibSafe

Libsafe is a middle-ware solution to format string attacks and buffer overflows. It provides a dynamically loadable LD_PRELOAD replacement. The LD_PRELOAD replacement is used to replace common functions known to have format string or BOF issues. LibSafe is an ideal solution to stop many issues in simple and basic software

[d3bruts1d]

Been waiting on this. Very nice. Can't wait to see the full version.

 

Dont forget logging and maybe a defination of access rights (file permissions).

[Bosco]

Been waiting on this. Very nice. Can't wait to see the full version.

 

Dont forget logging and maybe a defination of access rights (file permissions).

ohh just wait until you see "my" logging in the up coming guide.. you'll be saying "how the hell... I didn't know you could do that"

[NobeleeNa]

I've been looking for this topic for so long from many different forums and finnaly today i saw this topic.

 

Does the full version has been released already? Cause you post this message on December 2003.

 

Thanks!

[hardwarejunkie]

I'd like to see it soon.

[BiPolar]

thanks linuxprox...this'll be part of my todo list when i get back from the summer and install Fedoracore on my machine.

[markiemrboo]

Update your system

You should run the command "up2date" without quotes, and have it automatically update your system. This might take awhile, especially on dialup.

 

I think perhaps that would better read:

 

You should periodically run the command "up2date", or your distro's equivalent update command (if it has one), and have it automatically update your system. [...blerb...]

 

Or something like that.

 

I'm also not sure about the trying to hide your version number stuff. Instead of spending time trying to hide the version number of your obviously out of date software, it would be much better to stop being lazy and update the software to fix the flaw.

 

Other than that, sounds good. There's also the option of one time passwords, I used those before.. pretty neat stuff!

[Adrohak]

Something you may want to add is the use of Nessus.

[Aristotle]

And when a linux user is feeling brave enough, they should install and play around with Snort. Snort is an Intrusion Detection System (IDS) that looks at all the inbound and outbound traffic and compares the packet data to known attack signatures. Snort can be configured to act as a passive voyeur or be an agressive firewall. However, it takes some experience to set it up properly so this is something most definitely NOT for beginners.

[Bosco]

And when a linux user is feeling brave enough, they should install and play around with Snort.  Snort is an Intrusion Detection System (IDS) that looks at all the inbound and outbound traffic and compares the packet data to known attack signatures.  Snort can be configured to act as a passive voyeur or be an agressive firewall.  However, it takes some experience to set it up properly so this is something most definitely NOT for beginners.

486300[/snapback]

 

That is something else that will be added to my "full version" security handbook that will be released soon. I actually wrote a lot of the full version that I had coming out, last year but I lost it in a hard drive crash and it made me so mad that I didn't feel like rewriting it then

 

I am now starting to work on that guide again. I'm creating a rough draft tonight and coming up with a layout that will be easy to read.

 

I'll be working on this guide off and on, but hope to have it complete soon. I'll keep you all updated!

[GuJuMaN89]

backit up often

[Bosco]

backit up often

498058[/snapback]

 

Yeah, to multiple hard drives this time!