How to Secure a Linux System
Getting Started
Once you have installed Linux and logged in successfully for the first time, you will want to immediately register your system with RedHat so that you can get the free software updates. This is *crucial* to maintaining a secure and stable system. You should check for updates often to make sure that you are up-to-date on the most recent patches and package releases.
In order to register your system from the command line run:
rhn_register
and fill in the necessary information.
In order to update your system run:
up2date -uv --nox
Unless you've explicitly configured it, up2date will not update the kernel. It is suggested to run up2date once before you allow the kernel to be upgraded from the up2date program. You can change the settings in /usr/sbin/up2date-config to allow the kernel upgrade. You may also wish to reboot after applying the first set of updates, and again after you update the kernel packages.
You should also make sure that you do NOT leave your system connected to the network until you have sufficiently secured it. Run the following command (where eth0 is the name of your ethernet device):
ifdown eth0
to disable your network connection until you can lock everything down.
You can run:
ifup eth0
to restore your connection after you are secure.
The next major step you will want to take is to turn off all your unnecessary services by running 'ntsysv' or 'chkconfig'. From here you can see all the services that can potentially be started when you boot your system. Hitting F1 while a service is selected will give you information about what that service specifically does. Remember that you should only turn on what you absolutely need. You can always go back later and turn on more services if you find that you need them.
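As an added example (not part of the original document), the following shell script takes the output of 'chkconfig --list', compares it against an allow-list of services you actually need, and prints the 'chkconfig ... off' commands for everything else enabled at a given runlevel. The chkconfig output and the allow-list are constructed for illustration; on a real system feed it the live output instead.

```sh
#!/bin/sh
# Constructed sample of 'chkconfig --list' output so the script runs offline.
# On a real system replace this with:  chkconfig --list
SAMPLE_CHKCONFIG_LIST='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Hypothetical allow-list: the services this system genuinely needs. Edit it.
KEEP="sshd iptables syslog"

# unneeded_services RUNLEVEL  (reads chkconfig output on stdin)
# Prints each service that is "on" at RUNLEVEL and is not in $KEEP.
# Only full 8-field lines are considered, so the "xinetd based services:"
# section that chkconfig appends (2-field lines) is ignored.
unneeded_services() {
    rl="$1"
    awk -v rl="$rl" -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        NF >= 8 && !($1 in allow) {
            for (i = 2; i <= NF; i++)
                if ($i == (rl ":on")) { print $1; break }
        }'
}

# disable_commands RUNLEVEL  (reads chkconfig output on stdin)
# Emits the chkconfig commands to review, then run as root.
disable_commands() {
    unneeded_services "$1" | while read -r svc; do
        echo "chkconfig $svc off"
    done
}

# Stand-alone run against the constructed sample at the default runlevel (3).
echo "$SAMPLE_CHKCONFIG_LIST" | disable_commands 3
```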
Physical Security
After updating your system, it must be physically secured. This is the fundamental layer for security, because no matter how many tools are applied to the system, if the hard drive can be removed, or the system restarted from the console, then the system can be compromised easily. By simply rebooting the system, an attacker can boot to single-user mode and change the root password without any authorization. To prevent this, make sure you password protect the BIOS. This way, even if the system is rebooted, an attacker will have to know the BIOS password or the machine will not even begin to boot the operating system.
You can also protect the Grub and Lilo boot loaders with a password so that no one can change your boot time kernel parameters without the password, thereby preventing anyone from logging into single-user mode and changing the root password.
Add the following line to /etc/inittab, directly below the default runlevel line (id:3:initdefault:), leaving that line in place:
~~:S:wait:/sbin/sulogin
With this in place, a user attempting to boot to single-user mode will have to enter the root password.
Also, comment out the following line by adding a # in front of it:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
This will disable using Ctrl-Alt-Del to reboot.
Security Tools
There are some common, free tools that are simple to install and configure, and that provide a substantial amount of system security.
- IPTables (http://netfilter.samba.org/) is a packet filter that comes with most Linux distributions (and can also be started via 'ntsysv'). IPTables can be a little intimidating to the inexperienced, so we recommend searching for an existing IPTables script (try these: http://www.linuxguruz.org/iptables/) and modifying it to suit your system's needs. The IPTables HOWTO is an excellent place to begin with writing your own rulesets. IPTables is a very powerful tool that gives you a wide range of flexibility over exactly what network traffic you let in and out of your system.
- Tripwire (http://www.tripwire.org/) is an integrity checker that monitors any major filesystem changes, whether they are the result of legitimate changes that you or other users on your system make, or undesired changes made by intruders.
Configuring IPTables
IPTables is a software package that allows you to create a customized stateful packet inspecting firewall. IPTables can be configured to examine every packet that comes into, out of, or forwarded by your system.
The first step is to create a shell script so that you can easily change rules, and keep track of the ones you have already created. Here is a sample script you may want to try. Everything preceded by a '#' is a comment:
#!/bin/sh
#
# This script will allow all outgoing connections, and
# allow ssh in from the Internet. Pick your port using
# the $SSHPort variable below. (It's always a good idea to obfuscate your SSH port)
#
# save this script as iptables_script.sh in your /root directory.
# and run it as root.
# just run: sh /root/iptables_script.sh
# Put the location of the iptables binary here (/sbin/iptables on RedHat):
IPTABLES=/sbin/iptables
# What SSH port to use? (Remember to configure the same port in /etc/ssh/sshd_config)
SSHPort=22
# Refuse to run with an unusable binary path or an empty port; otherwise the
# policies below would be set to DROP with no ssh rule to let you back in.
if [ ! -x "$IPTABLES" ] || [ -z "$SSHPort" ]; then
    echo "Edit IPTABLES and SSHPort at the top of this script first." >&2
    exit 1
fi
# set default policies, then flush the rules and zero the counters of each chain
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -Z INPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -Z FORWARD
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -Z OUTPUT
# Protect against SYN floods with SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# ******************************************************* #
# Allow pings to reach the workstation (crucial for testing purposes, ping
# should never be blocked). Type 8 is echo request, type 0 is echo reply.
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Allow connections IN that were established FROM this workstation
$IPTABLES -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log, then allow, new ssh connections to this workstation. The LOG rule must
# come BEFORE the ACCEPT rule: a packet that matches ACCEPT leaves the chain,
# so a LOG rule placed after it would never see any traffic.
$IPTABLES -A INPUT -p tcp --syn --dport $SSHPort -j LOG --log-prefix "***SSH connection:"
$IPTABLES -A INPUT -p tcp --syn --dport $SSHPort -j ACCEPT
# Allow loopback traffic. This is required for lots of local configuration services, e.g. CUPS
$IPTABLES -A INPUT -i lo -j ACCEPT
# Since your server/workstation could have multiple services that require public access, the rules below are just an example of how to allow services
# Allow HTTP access to this workstation
#$IPTABLES -A INPUT -p tcp --syn --dport 80 -j ACCEPT
# ******************************************************* #
echo "The iptables rules have been created."
echo "use 'service iptables save' to save rules to /etc/sysconfig/iptables,"
echo "use 'chkconfig iptables on' to enable them at bootup."
Save this ruleset after configuring for your system and run or re-run this script each time you modify your rules. Don't forget to run 'service iptables save' each time, or the rules will not persist.
You can also run 'iptables -L' or 'service iptables status' to see the current state of your rules.
Other Security Tweaks
After installing your security software applications, there are a few steps you can take to lock down your system even more. First you can edit the /etc/securetty file. This controls which consoles root can log into. Comment out every line except for vc/1 and tty1. This will allow root to log in only at the first terminal locally. You may also wish to comment out unused shells from /etc/shells. Leave at least bash, csh, and sh uncommented to give you a little more flexibility.
A potential attacker can find plenty of information about your system well before they try to break in. It is trivial to remove most of your revealing information. Edit /etc/issue and /etc/issue.net by removing the typical login banner. Leave the files empty, add in a misleading login banner, or remove these two files entirely - it's up to you. Then run chmod a-w /etc/issue* to remove write permission from these files. If you are running Sendmail you will also want to remove the version you are using by changing the following:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
to
O SmtpGreetingMessage=$j
This will remove the version from your Sendmail headers, not allowing the attacker to know which version you are running. This step should be done to most of your network services, including FTP.
The /etc/security/access.conf file can be used to delineate who can and cannot log in to the system, either remotely or locally. Access levels will differ on every system, though a good practice is to disallow anyone except for root and your administration accounts to log in locally. Add the following line to /etc/security/access.conf:
-:ALL EXCEPT root [other administrators]:LOCAL
This roughly translates to: disallow local logins for everyone except root and the other administrators.
The /etc/rc.d/init.d directory contains scripts that start most of your services. Make sure that the permissions are set correctly on these scripts by changing into that directory and issuing the following command (run it only from within /etc/rc.d/init.d, since it acts on everything in the current directory):
chmod -R 700 *
which effectively only allows root to read, modify, and execute the scripts.
Another good idea is to edit /etc/syslog.conf to point the log files into a different directory. By default, most of the log files are saved in /var/log/messages. Changing the default path of the logs makes it more difficult for an attacker to alter or delete the logs.
If you want to connect to your machine remotely, you must install SSH. RedHat typically installs a version from RPM, which can easily be removed in order to upgrade to the newest version from source:
rpm -qa | grep openssh
The above command will search your RPM database for the word "openssh" and display the results. To remove all your old SSH packages:
rpm -e openssh
Note that you may need to remove three other OpenSSH related packages first. These will be displayed after running rpm -qa | grep openssh. You will then want to download the most recent version from http://www.openssh.org/ and install as usual:
tar zxvf openssh-[version].tar.gz
cd openssh-[version]
./configure
make
make install
You will then need to change some of the options in the sshd_config file to tighten security. You will want to disable support for SSH protocol 1 and only allow protocol 2. You will also want to disallow root from logging in via SSH. If you need to become root remotely, first log in as a normal user, then use the "su" command to switch to root:
Change:
Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
to:
Port 22 [or whatever port you want to use; it must match the $SSHPort in your IPTables script]
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
Also change:
# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
to:
# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
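As an added example (not part of the original document), this shell script checks an sshd_config for the settings recommended above (Protocol 2, PermitRootLogin no, StrictModes yes) and reports each one that is missing or wrong. It mirrors two sshd parsing rules that are easy to trip over: a commented-out line is not a setting, and the first occurrence of a keyword wins. The embedded config is constructed so the script runs offline; point audit_sshd_config at /etc/ssh/sshd_config on a real host.

```sh
#!/bin/sh
# Constructed sample sshd_config: the page's defaults with PermitRootLogin fixed
# but Protocol still left commented out, so one finding is expected.
SAMPLE_SSHD_CONFIG='Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes'

# effective_value FILE KEYWORD
# Prints the active value of KEYWORD: comments are skipped, keyword matching is
# case-insensitive, and the first match wins (as sshd does). Prints nothing when
# the keyword appears only as a commented-out default.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# audit_sshd_config FILE
# Prints one "Keyword: expected X, found Y" line per finding and returns the
# number of findings, so 0 means the file is compliant.
audit_sshd_config() {
    findings=0
    for pair in "Protocol=2" "PermitRootLogin=no" "StrictModes=yes"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found ${got:-<unset, server default applies>}"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
if audit_sshd_config "$tmp"; then echo "compliant"; else echo "findings: $?"; fi
rm -f "$tmp"
```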
Using some or all of the techniques described in this document will help you to install and significantly tighten the security on your RedHat Linux system. These security measures can also be used on most other Linux distributions. Keep in mind that the only system that is 100% secure is one that is not plugged into the network. Therefore you should have a reliable back-up system in case your machine does get compromised. Even if your system has been hacked, with your data preserved in a safe and trusted archive you can simply reinstall your OS and restore your system to its former state.
Review
1. During your installation mount /home separately in case you have to re-install.
2. Choose strong root and user passwords, and change them frequently.
3. Only install the software packages that you are sure to use (you can always install more later if need be.)
4. Keep your system updated with the most recent patches and packages from RedHat via up2date.
5. Turn off all unnecessary services with ntsysv or chkconfig.
6. Regularly review your system logs.
7. Create and maintain a strong IPTables script file.
8. Install an integrity checker (like Tripwire).
9. Install and tighten the most recent version of OpenSSH.
10. Back-up your system and important data files on a regular basis.
If you would like a vulnerability scanner run on your machine on-campus, the ITS Security office will be happy to send you a report. Please email us at security@unc.edu for a scan request or for any questions.