Rice LUG Security Tips
Obviously the initial step in cracking a system is gaining access. There are several things that can be done to reduce a system's external vulnerability:
- Don't run services you don't use. A lot of services are installed and activated by default. They are listed within various "run levels" that can be viewed in the /etc/rc.d/ directory. Please read our Introduction to Runlevels, Services, and Daemons to learn how to lower your security risk. Also, many services are handled by inetd. You should definitely look at /etc/inetd.conf and comment out things like the r* services (e.g. rlogin, rsh, etc.). A full inetd includes in.ftpd, in.telnetd, gn (gopher), smtpd, in.nntpd, in.rshd, in.rlogind, in.rexecd, in.talkd, in.ntalkd, in.dtalkd, ipop2d, ipop3d, imapd, uucico (uucp), in.tftpd, bootpd, in.fingerd, in.cfingerd, ps (systat), netstat, and in.identd. Sam says, "Of these 22 services, I personally run one and feel promiscuous." For remote access ssh is strongly recommended. Don't run any service that you don't use regularly (such as httpd, innd, named, nfs, smb, dhcpd, and lots more).
- Pay attention to what's going on in your box. One possibility is to have root's .login run /usr/bin/w. Use the neato -f flag to ps. Check the output of rpcinfo -p localhost (even better, don't run portmap; see above). Consider using some kind of log parser/monitor like logcheck to notify you when the alarms go off.
- Use tcp wrappers. Use tcp wrappers to limit services to Rice. The combination of these two files only allows ftp connections from the rice domain:
/etc/hosts.deny
Add the line "ALL: ALL"
/etc/hosts.allow
Add the line "in.ftpd: LOCAL, .rice.edu"
Check your /etc/inetd.conf and put in similar entries for whatever services you haven't deactivated (see above). More information can be gleaned from man hosts_access.
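As an added example (not part of the original page), this shell script does the inetd.conf check the two bullets above ask for: it lists the services still active, flags those that carry passwords in clear text, and reports any that are started directly rather than through tcpd, so hosts.allow and hosts.deny never see them. The sample inetd.conf is constructed, and the set of clear-text daemons is an assumed selection from the services named above.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for services that are still active,
# that carry passwords in clear text, or that bypass tcpd (tcp wrappers).

# Constructed sample inetd.conf; not taken from any real host.
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# service socket proto  flags   user    server              args
ftp       stream tcp    nowait  root    /usr/sbin/tcpd      in.ftpd -l -a
#telnet   stream tcp    nowait  root    /usr/sbin/tcpd      in.telnetd
shell     stream tcp    nowait  root    /usr/sbin/tcpd      in.rshd
login     stream tcp    nowait  root    /usr/sbin/tcpd      in.rlogind
#finger   stream tcp    nowait  nobody  /usr/sbin/tcpd      in.fingerd
pop-3     stream tcp    nowait  root    /usr/sbin/tcpd      ipop3d
auth      stream tcp    nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF

# active_entries FILE: print "daemon wrapped" for each uncommented line,
# where daemon is the real server name and wrapped is yes/no for tcpd.
active_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{
        server = $6; wrapped = "no"
        if (server ~ /tcpd$/) { server = $7; wrapped = "yes" }  # tcpd execs field 7
        sub(".*/", "", server)                                   # strip the directory
        print server, wrapped }'
}

# Daemons from the list above that send passwords unencrypted (assumed selection).
CLEARTEXT_RE='^(in\.telnetd|in\.rshd|in\.rlogind|in\.rexecd|in\.ftpd|ipop2d|ipop3d|imapd)$'

active_services()    { active_entries "$1" | awk '{ print $1 }'; }
cleartext_services() { active_services "$1" | grep -E "$CLEARTEXT_RE" || true; }
unwrapped_services() { active_entries "$1" | awk '$2 == "no" { print $1 }'; }

count_active()    { active_services "$1"    | wc -l | tr -d ' '; }
count_cleartext() { cleartext_services "$1" | wc -l | tr -d ' '; }
count_unwrapped() { unwrapped_services "$1" | wc -l | tr -d ' '; }

echo "active:    $(active_services "$SAMPLE_INETD" | tr '\n' ' ')"
echo "cleartext: $(cleartext_services "$SAMPLE_INETD" | tr '\n' ' ')"
echo "unwrapped: $(unwrapped_services "$SAMPLE_INETD" | tr '\n' ' ')"
```

Run it against the real /etc/inetd.conf by passing that path instead of $SAMPLE_INETD; anything in the unwrapped list is not covered by the hosts.allow/hosts.deny rules shown above.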
- Eliminate clear text transmission of passwords. Use ssh instead of the r* services. They suck. The recommended version of ssh to use is OpenSSH, from the OpenBSD project. The OpenSSH website is http://www.openssh.com/. The latest version is recommended. Recommendation: deactivate telnet, rlogin, etc. Install SSH and use it exclusively.
- Keep your system updated. Subscribe to your distribution's security announce list, monitor their errata lists, and upgrade any programs with exploits that you have installed (even if you aren't running them). Linux development is very fast, and patches are usually up within 24 hours of when the guys with white hats discover a problem.
- Guard your system. Consider using a port monitoring program like Abacus' sentry to establish a permanent blockade against portscans.
- Stay informed. Subscribe to bugtraq.
- Fix internal security holes. Use shadow passwords, tripwire programs, put /usr/local on a separate partition and mount /usr read-only, etc, etc. This is mentioned last because most of us don't have that many users on our box and if the bad men get inside, they probably know at least 53 different ways to get root access.
Further Links
LDP Security HOWTO
Red Hat Errata
SSH Communications Security
OpenSSH
Getting Started with SSH
Rice Linux User Group
Created on 2 December 1998, last modified on 2 December 1998.
Contributions, constructive criticism, and commentary always welcome!
Thanks to Sam Carter and James Mitchell.