Tuesday, 12-Dec-2000 10:37:58 EST
SECURING THE HOME LINUX SYSTEM: VERSION 1.2
Linux has certainly made quite an explosion in the computer field and is becoming more and more popular each day. Linux boasts the full power of UNIX operating systems, and it is much more stable and faster than Microsoft's operating systems. But the best deal of all is that it is free for download, or costs little to nothing when bought. For programmers and hackers, Linux comes with its own source code, the blueprints of how it was written [TRANSLATION: Computer geeks love Linux because they can take it apart and rebuild it]. Mastering Linux takes time, and learning to secure it properly requires an intimate knowledge of the operating system, something that new Linux users will not have. That is why this article exists: in the hope that new Linux users will be able to secure their home system without too much hassle and for the cost of nothing but a little time.

WHAT DOES THIS ARTICLE DISCUSS?
Basic Linux security will be discussed in this article, that is:

  • securing passwords.
  • preventing the curious from logging into your system.
  • securing daemons.
  • encrypting sensitive files.
  • trojan horses and viruses.
  • file permissions.
  • port scanning.
  • security programs.
  • further reading.
This article will assume a few things:
  • You use a Linux system for personal and home use. Not as a server.
  • You know basic Linux commands and you know how to read path names.
  • You are actually using Linux and not some other UNIX variant, eg: FreeBSD.
  • You know how to use a text editor, eg: vi, emacs, pico, etc...
  • You know that the man command will do you good.

HOW MUCH SECURITY DO YOU NEED?
The question is how much security you need on your system. You can have a tightly secured system, but that would prevent you from doing certain things. You have to know what you are protecting. Do you have sensitive credit card numbers or certificates on your computer? Do you care if someone actually breaks into your system? Ask yourself these questions before actually implementing the security measures discussed below [TRANSLATION: Secure only what you need, else you may find that you yourself are restricted from running programs you like].

SECURING PASSWORDS
Passwords are your first line of defense, and are normally the first thing to come under attack from a cracker [TRANSLATION: Clueless computer vandals like to try guessing passwords in the hope of breaking in]. The root password is very important and should be very secure. How do you make it secure? Here are a few pointers:

  • It should use up the maximum password length allowed.
  • It should contain numbers, letters, and special characters.
  • It should contain upper case and lower case characters.
  • It should be memorized and not written down.
  • It should not make sense to anyone but you.
  • It should not be found in a dictionary.
  • It should be a non-existent word.
Okay, now that you have generated a secure password for yourself, what do you do? You download a password cracker and attempt to crack your password [TRANSLATION: Linux will automatically encrypt your passwords, that is, make them unreadable. Password cracking is the process of decrypting an encrypted password, that is, making an unreadable password readable]. If your password gets cracked, generate a much more secure one. Password crackers are widely available. You can download a few at http://www.rootshell.org. If you want to generate a cryptic password, you can play around with /dev/urandom. Here is one way to do it:

root# head -c 6 /dev/urandom | uuencode - | cat -n | grep 2 | cut -f2 | cut -c 2,3,4,5,6,7,8,9

That will generate some cryptic password for you. You are not done yet. The next step is to shadow your password files [TRANSLATION: Shadowing extracts the world readable encrypted passwords in /etc/passwd and stores them in a file called /etc/shadow which is only readable by root]. Your Linux system may already have shadowed your passwords by default. To check, do:

root# cat /etc/passwd | grep root

If you see something like root:x, then your passwords are already shadowed. Otherwise, they are not shadowed. To have them shadowed, just run the command pwconv.
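
The shadowing check above, extended from root to every account, as an added example that is not part of the original article. The function name audit_passwd, the status labels and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts in a passwd-format file whose password
# field is not the shadow placeholder "x".

# audit_passwd FILE -> prints "<STATUS> <account>" per non-shadowed entry;
# returns 1 if any entry still carries a hash or has no password at all.
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }                               # comment or malformed line
        $2 == "x"      { next }                               # shadowed: hash is in /etc/shadow
        $2 == ""       { print "EMPTY", $1; bad = 1; next }   # no password required
        $2 ~ /^[*!]/   { print "LOCKED", $1; next }           # password login disabled
                       { print "UNSHADOWED", $1; bad = 1 }    # world-readable hash
        END            { exit bad + 0 }
    ' "$1"
}

# Constructed sample (not from a real system): one shadowed account, one
# with a made-up hash still in the file, one locked, one with no password.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:AbCdEfGhIjKlM:500:500:Alice:/home/alice:/bin/bash
daemon:*:2:2:daemon:/sbin:/bin/false
guest::501:501:Guest:/home/guest:/bin/bash
EOF

audit_passwd "$sample" || echo "pwconv would move these hashes into /etc/shadow"
```

Run it against /etc/passwd on a real system by calling audit_passwd /etc/passwd; no output and a zero exit status mean every password-bearing account is shadowed.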

DISABLING DAEMONS
At its first installation, your Linux system will have a lot of daemons running by default. Normally, many of these daemons are unnecessary. A daemon is a program that listens and waits for a specific event to happen [TRANSLATION: A daemon is a program that runs in the background waiting for it to be called up]. When the event happens, the daemon acts accordingly. For instance, your finger daemon will wait until it receives a connection. When it does, it will either present the remote computer with the information queried for, or refuse a connection. You will find most of your daemons in your /etc/inetd.conf file [TRANSLATION: inetd is the Internet Super Server. It controls all the available daemons in your system. When a client requests a connection to a daemon, inetd will pass the connection to the respective daemon it is in charge of]. The finger daemon will look something like this:

finger  stream  tcp     nowait  nobody  /usr/etc/in.fingerd     in.fingerd

In this case, the finger daemon is up and running. When someone tries to finger root on your system, this is what it would show:

xconsole$ finger root@localhost
Login: root                     Name: root
Directory: /root                Shell: /bin/bash
On since Sun Mar 7 00:43 (EST) on ttyp0 from :0.0
Mail last read Sun Feb 28 20:58 1999 (EST)
No Plan

This is normally viewed as a security risk. There is no reason why anyone would need to view root's status. Disabling the finger daemon is therefore a good idea. This can be done simply by commenting it out with a hash (#) symbol:

#finger stream  tcp     nowait  nobody  /usr/etc/in.fingerd     in.fingerd

Save the file, and then run

killall -HUP inetd

to reset inetd. When you try to finger root now, this is what you get:

xconsole$ finger root@localhost
[localhost]
finger: connect: Connection refused

The finger daemon has been successfully shut off. Having a daemon shut off does not mean that you cannot use finger. You can still finger other computers, but they cannot finger yours. You will want to shut off other daemons that you do not need. Some good candidates are:

  • echo
  • discard
  • daytime
  • chargen
  • ftp
  • telnet
  • gopher
  • shell
  • login
  • exec
  • talk
  • tftp
  • finger
  • netstat
  • systat
[TRANSLATION: Having unnecessary daemons running is always a bad idea]. What if you want to leave the finger daemon activated, but at the same time you want to see who is fingering you? That is where tcp_wrapper comes in. tcp_wrapper logs all connections for whichever daemon you have it monitor. tcp_wrapper also restricts certain IP addresses from logging into your system. You can obtain tcp_wrapper from ftp://ftp.win.tue.nl/pub/security/. After you install it, you can have /etc/inetd.conf configured as such:

finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd

Notice that the finger daemon is now controlled by tcpd. Any connections made to finger will be logged to a file of your choice. Check /etc/syslog.conf to see how logging is controlled and man syslog.conf to see how to modify /etc/syslog.conf. I suggest you have tcp_wrapper watching over all your daemons regardless of whether they are active or not. Most of the latest Linux distributions already come with tcp_wrapper installed, so you do not have to worry too much about setting it up.
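
An added example (not from the original article) that lists the services an inetd.conf still enables, marks the ones from the candidate list above, and shows whether each one runs under tcpd. The function name audit_inetd, the output labels and the sample file are assumptions; the sample uses the usual inetd.conf layout with a user field before the server program.

```shell
#!/bin/sh
# Added example: list the services inetd will still answer for.

# Services the article suggests switching off on a home system.
CANDIDATES="echo discard daytime chargen ftp telnet gopher shell login exec talk tftp finger netstat systat"

# audit_inetd FILE -> one line per enabled service:
#   <service> <disable|review> <wrapped|unwrapped|internal>
# Returns 1 if any of the candidate services is still enabled.
audit_inetd() {
    awk -v list="$CANDIDATES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) cand[a[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                  # commented out or blank: disabled
        NF < 6         { next }                  # not a service entry
        {
            if ($6 == "internal")      wrap = "internal"    # built into inetd itself
            else if ($6 ~ /\/tcpd$/)   wrap = "wrapped"     # tcp_wrapper logs it
            else                       wrap = "unwrapped"   # daemon started directly
            verdict = ($1 in cand) ? "disable" : "review"
            if ($1 in cand) bad = 1
            print $1, verdict, wrap
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample inetd.conf (fields: service, socket type, protocol,
# wait flag, user, server program, arguments).
conf=$(mktemp)
trap 'rm -f "$conf"' EXIT
cat > "$conf" <<'EOF'
#echo   stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF

audit_inetd "$conf" || echo "comment out the 'disable' lines, then: killall -HUP inetd"
```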

CONTROLLING LOGIN
You can control the ttys that root can log into by editing the /etc/securetty file [TRANSLATION: You can control the terminal consoles that root can log into, thus minimizing the risk of a cracker breaking in]. If you want to restrict user login completely and use root all the time (bad idea by the way), run the following command:

root# touch /etc/nologin

This file will prevent all users except root from logging in. The contents of the file /etc/nologin will be presented when a non-root user attempts to log in. So if you do:

root# echo "Down for upgrade." > /etc/nologin

Users who log in will get this message:

Linux 2.2.5

Down for upgrade.

The connection will then be killed. Be wary of this. This maximizes security quite a bit, but as root, Linux will follow your every command and not prevent you from running dangerous commands. You may actually damage your system [TRANSLATION: If you accidentally run rm -rf / as root, you will spend the next hour re-installing Linux].

CONNECTING TO OTHER COMPUTERS
Normally you can use telnet to connect to another computer. The problem with this is that your session can be listened in on, which you do not want [TRANSLATION: Crackers can spy on your telnet session and see what you are typing]. To solve this problem, install SSH, the Secure Shell. SSH encrypts your sessions so that eavesdropping becomes useless. You can download SSH from http://www.ssh.fi/. You should also uninstall your r-utilities (rsh, rlogin, etc...). They are not secure and leave files like .rhosts which are notorious candidates for cracker break-ins. When you install ssh, be sure you disable telnetd in /etc/inetd.conf [TRANSLATION: shut off the telnet daemon].

Copyright 2000 internet.com Corp. All Rights Reserved.