SECURING THE HOME LINUX SYSTEM: VERSION 1.2
Linux has certainly made quite an explosion in the computer field and is
becoming more popular each day. Linux boasts the full power of UNIX
operating systems, and it is much more stable and faster than Microsoft's
operating systems. But the best deal of all is that it is free for
download, or costs little to nothing when bought. For programmers and
hackers, Linux comes with its own source code, the blueprints to how it was
written [TRANSLATION: Computer geeks love Linux because they can
take it apart and rebuild it]. Mastering Linux takes time, and learning
to secure it properly requires an intimate knowledge of the operating
system, something that new Linux users will not have. That is why this
article exists: in the hope that new Linux users will be able to secure
their home system without too much hassle and for the cost of nothing but
a little time.
WHAT DOES THIS ARTICLE DISCUSS?
Basic Linux security will be discussed in this article, that is:
- securing passwords.
- preventing the curious from logging into your system.
- securing daemons.
- encrypting sensitive files.
- trojan horses and viruses.
- file permissions.
- port scanning.
- security programs.
- further reading.
This article will assume a few things:
- You use a Linux system for personal and home use. Not as a server.
- You know basic Linux commands and you know how to read path names.
- You are actually using Linux and not some other UNIX variant, eg: FreeBSD.
- You know how to use a text editor, eg: vi, emacs, pico, etc...
- You know that the man command will do you good.
HOW MUCH SECURITY DO YOU NEED?
The question is how much security do you need on your system.
You can have a tightly secured system but that would prevent
you from doing certain things. You have to know what you
are protecting. Do you have sensitive credit card numbers
or certificates on your computer? Do you care if someone
actually breaks into your system? Ask yourself these questions
before actually implementing the security measures discussed
below [TRANSLATION: Secure only what you need, else
you may find that you yourself are restricted from running
programs you like].
SECURING PASSWORDS
Passwords are your first line of defense, and are normally
the first thing that will be under attack from a cracker
[TRANSLATION: Clueless computer vandals like to try
guessing passwords in the hope of breaking in]. The root
password is very important and should be very secure. How
do you make it secure? Here are a few pointers:
- It should use up the maximum password length allowed.
- It should contain numbers, letters, and special characters.
- It should contain upper case and lower case characters.
- It should be memorized and not written down.
- It should not make sense to anyone but you.
- It should not be found in a dictionary.
- It should be a non-existent word.
Okay, now that you have generated a secure password for yourself,
what do you do? You download a password cracker and attempt
to crack your password [TRANSLATION: Linux will automatically
encrypt your passwords, that is, make it unreadable. Password
cracking is the process of decrypting an encrypted password,
that is, making an unreadable password readable]. If your
password gets cracked, generate a much more secure one. Password
crackers are widely available. You can download a few at http://www.rootshell.org.
If you want to generate a cryptic password, you can play around
with /dev/urandom . Here is one way to do it (uuencode turns six random
bytes into eight printable characters on the second line of its output,
after a length character):
root# head -c 6 /dev/urandom | uuencode - | sed -n 2p | cut -c 2-9
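The rules above and the /dev/urandom trick can be put together in a small shell script. This is an added example, not code from the original article: check_password tests a candidate against each rule in the list, and gen_password keeps drawing printable characters from /dev/urandom until a candidate passes. The length limit of 8 (the classic crypt(3) maximum) and the word-list path /usr/share/dict/words are assumptions; raise the length on any modern system.

```sh
#!/bin/sh
# Added example, not from the original article: generate a candidate
# password from /dev/urandom and check it against the rules listed above.
# MAXLEN (assumed 8, the classic crypt(3) limit) and the word-list path are
# assumptions; raise the length on any modern system.

MAXLEN=${MAXLEN:-8}
WORDLIST=${WORDLIST:-/usr/share/dict/words}

# check_password PASSWORD: returns 0 if every rule holds, otherwise prints
# the first rule that fails and returns 1.
check_password() {
    pw=$1
    if [ "${#pw}" -lt "$MAXLEN" ]; then
        echo "too short: ${#pw} < $MAXLEN"; return 1
    fi
    case $pw in *[[:digit:]]*) ;; *) echo "no digit"; return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lower-case letter"; return 1 ;; esac
    case $pw in *[[:upper:]]*) ;; *) echo "no upper-case letter"; return 1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no special character"; return 1 ;; esac
    # dictionary rule: only checkable when a word list is installed
    if [ -r "$WORDLIST" ] && grep -qixF -- "$pw" "$WORDLIST"; then
        echo "found in dictionary"; return 1
    fi
    return 0
}

# gen_password [LENGTH]: draws printable ASCII from the kernel RNG and keeps
# drawing until a candidate passes check_password. For 8 characters roughly
# every second attempt succeeds, so the loop is short.
gen_password() {
    n=${1:-$MAXLEN}
    while :; do
        # read a fixed chunk (about 37% of random bytes are printable, so
        # 8*n+64 bytes leave plenty) so no process in the pipeline is cut off
        cand=$(head -c $((n * 8 + 64)) /dev/urandom | LC_ALL=C tr -dc '[:graph:]' | cut -c "1-$n")
        if [ "${#cand}" -eq "$n" ] && check_password "$cand" >/dev/null; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
}

# When run as a script: print one password of MAXLEN characters.
gen_password
```

The dictionary rule is skipped silently when no word list is installed, so on a bare system the other rules are all the script can enforce.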
That will generate some cryptic password for you. You
are not done yet. The next step is to shadow your password
files [TRANSLATION: Shadowing extracts the world
readable encrypted passwords in /etc/passwd
and stores them in a file called /etc/shadow
which is only readable by root]. Your Linux system may already
have shadowed your passwords by default. To check, do:
root# grep '^root:' /etc/passwd
If you see something like root:x , then your
passwords are already shadowed. Otherwise, they are not
shadowed. To have them shadowed, just run the command pwconv .
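The root check above can be extended to every account, because a single unshadowed or empty password field is enough to undo the benefit. The following script is an added example (not from the original article) that reads a passwd-format file, or standard input, and reports each account whose second field is neither the x placeholder nor a lock marker. The sample entries and the hash string in them are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: audit a passwd-format file
# (or standard input) and report every account whose password field is not
# the "x" placeholder, i.e. whose hash, or nothing at all, sits in the
# world-readable file. Locked accounts ("*" or "!...") are fine: there is
# no hash to crack.

# passwd_audit [FILE]: prints one line per offending account; returns 0 when
# every account is shadowed or locked, 1 otherwise.
passwd_audit() {
    awk -F: '
        NF < 7        { next }   # skip blank or malformed lines
        $2 == "x"     { next }   # shadowed: hash lives in /etc/shadow
        $2 == ""      { print $1 ": EMPTY password field (anyone can log in)"; bad = 1; next }
        $2 ~ /^[*!]/  { next }   # locked account, no hash present
                      { print $1 ": password hash exposed in passwd"; bad = 1 }
        END           { exit bad ? 1 : 0 }
    ' "$@"
}

# Constructed sample (not a real passwd file); the hash is a made-up string.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:*:1:1:daemon:/usr/sbin:/bin/false' \
        'alice:FAKEHASHabcdefg:500:500:Alice:/home/alice:/bin/sh' \
        'guest::501:501:Guest:/home/guest:/bin/sh'
}

# Run the audit on the sample; on a live system use: passwd_audit /etc/passwd
sample_passwd | passwd_audit || echo "run pwconv, and set or lock the empty password"
```

On the sample, alice's hash is exposed and guest has no password at all; pwconv fixes the first, and passwd (or locking the account) fixes the second.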
DISABLING DAEMONS
At its first installation, your Linux system will have a
lot of daemons running by default. Normally, many of these
daemons are unnecessary. A daemon is a program that listens
and waits for a specific event to happen [TRANSLATION:
A daemon is a program that runs in the background waiting
for it to be called up]. When the event happens, the daemon
acts accordingly. For instance, your finger daemon will
wait until it receives a connection. When it does, it will
either present the remote computer with the information
queried for, or refuse a connection. You will find most
of your daemons in your /etc/inetd.conf file
[TRANSLATION: inetd is the Internet
Super Server. It controls all the available daemons in your
system. When a client requests a connection to a daemon,
inetd will pass the connection to the respective
daemon it is in charge of]. The finger daemon's line will look
something like this (the fields are the service name, socket type,
protocol, wait/nowait flag, the user the daemon runs as, the server
program and its arguments):
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
In this case, the finger daemon is up and running. When someone tries to
finger root on your system, this is what it would show:
xconsole$ finger root@localhost
Login: root Name: root
Directory: /root Shell: /bin/bash
On since Sun Mar 7 00:43 (EST) on ttyp0 from :0.0
Mail last read Sun Feb 28 20:58 1999 (EST)
No Plan
This is normally viewed as a security risk. There is no reason why anyone
would need to view root's status. Disabling the finger daemon is
therefore a good idea. This can be done simply by commenting it out with a
hash (#) symbol:
#finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
Save the file, and then run
killall -HUP inetd
to make inetd reread its configuration. When you try to finger root now, this is
what you get:
xconsole$ finger root@localhost
[localhost]
finger: connect: Connection refused
The finger daemon has been successfully shut off. Having a daemon shut off
does not mean that you cannot use finger . You can still
finger other computers, but they cannot finger yours. You will want to
shut off other daemons that you do not need. Some good candidates are:
- echo
- discard
- daytime
- chargen
- ftp
- telnet
- gopher
- shell
- login
- exec
- talk
- tftp
- finger
- netstat
- systat
[TRANSLATION: Having unnecessary daemons running is always a bad
idea]. What if you want to leave the finger daemon activated, but at the
same time, you want to see who is fingering you? That is when tcp_wrapper
comes in. tcp_wrapper logs all connections for whichever daemon you
have it monitor. tcp_wrapper also restricts certain IP addresses from
logging into your system. You can obtain tcp_wrapper from ftp://ftp.win.tue.nl/pub/security/.
After you install it, you can have /etc/inetd.conf configured as
such:
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
Notice that the finger daemon is now controlled by tcpd . Any
connections made to finger will be logged into a file of your choice.
Check /etc/syslog.conf to see how logging is controlled and
man syslog.conf to see how to modify
/etc/syslog.conf . I suggest you have tcp_wrapper watching
over all your daemons regardless of whether they are active or not. Most
of the latest Linux distributions already come with tcp_wrapper installed,
so you do not have to worry too much about setting it up.
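The two edits described in this section, commenting out unneeded services and routing the rest through tcpd, are mechanical enough to script. The following is an added example, not code from the original article or from tcp_wrapper: it works on a copy of inetd.conf so it can be tried safely, comments out the named services without double-commenting lines that are already off, and replaces the server-program field with tcpd for every external daemon (built-in services marked "internal" have no program to wrap). The sample configuration and the tcpd path /usr/sbin/tcpd are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original article. Everything here works on
# a copy of inetd.conf so it can be tried safely; point it at the real
# /etc/inetd.conf only once you are happy with the result, then run
# `killall -HUP inetd` so inetd rereads the file.

# sample_inetd_conf: prints a constructed inetd.conf fragment (not a real
# system file). Fields: service, socket type, protocol, wait/nowait, user,
# server program, arguments.
sample_inetd_conf() {
    printf '%s\n' \
        '# constructed sample inetd.conf' \
        'echo    stream  tcp  nowait  root    internal' \
        'finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd' \
        'telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd' \
        'ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd -l'
}

# inetd_active CONF: prints the service names that are still enabled.
inetd_active() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# inetd_disable CONF SERVICE...: comments out the named services (idempotent:
# lines already starting with # are left alone) and keeps a backup in CONF.bak.
inetd_disable() {
    conf=$1
    shift
    cp "$conf" "$conf.bak"
    for svc in "$@"; do
        awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    done
}

# inetd_wrap CONF [TCPD]: routes every remaining external daemon through
# tcpd so that tcp_wrapper logs each connection and applies hosts.allow /
# hosts.deny. Built-in services ("internal") have no program to wrap.
inetd_wrap() {
    conf=$1
    tcpd=${2:-/usr/sbin/tcpd}   # assumed path; check where your distribution puts tcpd
    awk -v tcpd="$tcpd" 'BEGIN { OFS = "\t" }
        !/^[[:space:]]*#/ && NF >= 6 && $6 != "internal" && $6 != tcpd { $6 = tcpd }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# demo: run the whole procedure on a temporary copy and show the result.
demo() {
    tmp=${TMPDIR:-/tmp}/inetd_example.$$
    sample_inetd_conf > "$tmp"
    echo "active before:"; inetd_active "$tmp"
    inetd_disable "$tmp" echo telnet ftp
    inetd_wrap "$tmp"
    echo "active after:"; inetd_active "$tmp"
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

With the daemons routed through tcpd, who may connect is decided by /etc/hosts.deny and /etc/hosts.allow in hosts_access(5) format: a deny-by-default setup is the line ALL: ALL in hosts.deny plus an entry such as in.fingerd: 192.168.1. (a placeholder network) in hosts.allow. tcp_wrapper ships tcpdchk to check those files for mistakes and tcpdmatch to predict what it will do for a given daemon and client, and each decision is logged through syslog as the section above describes.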
CONTROLLING LOGIN
You can control the ttys that root can log into by editing the
/etc/securetty file [TRANSLATION: You can control the
terminal consoles that root can log into, thus minimizing the risk of a
cracker breaking in]. If you want to restrict user login completely and
use root all the time (bad idea by the way), run the following command:
root# touch /etc/nologin
This file will prevent all users except root from logging in. The contents
of the file /etc/nologin will be presented when a non-root
user attempts to login. So if you do:
root# echo "Down for upgrade." > /etc/nologin
Users who log in will get this message:
Linux 2.2.5
Down for upgrade.
The connection will then be killed. Be wary of this. This maximizes
security quite a bit, but as root, Linux will follow your every command
and not prevent you from running dangerous commands. You may actually
damage your system [TRANSLATION: If you accidentally run rm
-rf / as root, you will spend the next hour re-installing Linux].
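The /etc/securetty file lists the terminals root may log in from, so the check that matters is whether any non-local terminal has crept into it. The following is an added example, not from the original article: it reads a securetty-format file (or standard input) and reports every entry that is not a local console. The set of "local" names (console, the virtual consoles tty1..ttyN, serial lines ttyS*) and the sample file are assumptions; pseudo-terminals such as ttyp0 are what a network session gets.

```sh
#!/bin/sh
# Added example, not from the original article: list the entries in a
# securetty-format file (or stdin) that are not local consoles. The set of
# local names is an assumption: console, virtual consoles tty1..ttyN and
# serial lines ttyS*. Anything else (ttyp*, pts/*) is a pseudo-terminal,
# which is what a telnet or ssh session gets, so root could log in remotely.

# securetty_audit [FILE]: prints one line per non-local entry; returns 0
# when every entry is local, 1 otherwise.
securetty_audit() {
    awk '
        NF == 0 || $1 ~ /^#/                     { next }   # blanks and comments
        $1 ~ /^(console|tty[0-9]+|ttyS[0-9]+)$/  { next }   # local terminals
        { print "root may log in from non-local tty: " $1; bad = 1 }
        END                                      { exit bad ? 1 : 0 }
    ' "$@"
}

# Constructed sample (not a real /etc/securetty).
sample_securetty() {
    printf '%s\n' '# virtual consoles' tty1 tty2 tty3 ttyS0 ttyp0 ttyp1
}

# On a live system use: securetty_audit /etc/securetty
sample_securetty | securetty_audit || echo "remove the entries above from /etc/securetty"
```

Removing the ttyp entries means root can still log in at the keyboard but a remote session has to log in as an ordinary user first and then use su, which leaves a record of who became root.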
CONNECTING TO OTHER COMPUTERS
Normally you can use telnet to connect to another computer.
The problem with this is that your session can be listened
on, which you do not want [TRANSLATION: Crackers
can spy on your telnet session and see what you are typing].
To solve this problem, install SSH, the Secure Shell. SSH
encrypts your sessions so that eavesdropping becomes useless.
You can download SSH from http://www.ssh.fi/. You should also
uninstall your r-utilities (rsh , rlogin ,
etc...). They are not secure and leave files like .rhosts
which are notorious candidates for cracker break-ins. When
you install ssh , be sure you disable telnetd
in /etc/inetd.conf [TRANSLATION: shut
off the telnet daemon].