LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-02-2003, 07:11 AM   #16
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46

Uups thought u are a mod ... nevermind a let's clear things: sbdy who helps ppls a lot on that board (looking at your posts, etc) ...
 
Old 02-02-2003, 12:16 PM   #17
MasterC
LQ Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 68
Cool, thanks Markus
 
Old 02-02-2003, 12:29 PM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Pt.2: configuring.

Ok, last time I posted a note I asked you ppl to post remarks, SW, idea's or comments. To those who did: thanks. Appreciate it.
To all who read this thread: please chip in!

Ok, let's munch into removing packages, cleaning out services and configs and adding restrictions.

What packages you remove depends foremost on what purpose the box has.
This leads leads to a list of packages which can be used as a basis for an installation script like RH's Kickstart[1].
OTOH if the box was prepped using an image (and in any case just to make sure) please look at the "UNIX Security Checklist"[2].
It should have precluded my pt1 as in "The process of hardening Linux"[3].

For configuration look at the "UNIX Security Checklist"[2] as well as at the "The Twenty Most Critical Internet Security Vulnerabilities"[4].
I'll tag on any notes I think necessary walking tru [2] here, please add yours.
In general:
Beware of default settings.
The second note is your mantra: that what is not explicitly allowed is denied.
Just broadcast a Mental Arp during configuring: who-has access? If you're surprised who responds, reconfigure :-]

Section II. The Basic Operating System: 2.0 Network Services
2.1 /etc/inetd.conf.
Hardening, Xinetd Sensors: http://www.gate.net/~ddata/xinetd-sensors.html
How to Build, Install, Secure & Optimize Xinetd: http://www.openna.com/documentations...netd/index.php

2.2 tcp_wrappers
Linux Security HOWTO, 8.6.1. Detecting Port Scans: http://www.tldp.org/HOWTO/Security-H...-security.html
TCP Wrappers Misconceptions: http://www.bhodisoft.com/bswopes/nhf...osts.deny.html
IP-spoofing Demystified (Trust-Relationship Exploitation) by daemon9/route/infinity, Phrack Magazine.

2.8 /etc/services
Replace with file from Nmap.

2.10 /etc/login.access
//mental note: wasn't this deprecated on PAM'ified systems?
2.12 /etc/login.defs
Illuminating shadow passwords (configuring, extra checks, halfway down the page): http://www.linuxworld.com/linuxworld...passwords.html

2.13 PAM (Pluggable Authentication Modules)
PAM is definately a PITA in some situations but good in others. Please note there are several modules available.
Openwall, Pluggable password strength checking (pam_passwdqc): http://www.openwall.com/passwdqc/
Also note /etc/security contains the stuff for groups, time, ulimits etc etc.
Simple "deterrants" example one:
Add to your /etc/pam.d/<service>: auth required /lib/security/pam_listfile.so item=user sense=allow file=/path/<service>.allow onerr=fail
The "/path/<service>.allow" file contains the local usernames you want to grant access for <service> to.
Simple "deterrants" example two, from vsftp:
echo -e "<user>\n<pass>\n<user>\n<pass>" > /path/fname.txt
db_load -T -t hash -f /path/fname.txt /path/fname.db
Add to your /etc/pam.d/<service>: auth required /lib/security/pam_listfile.so sense=allow file=/path/<fname> onerr=fail

2.14 cron
Cron allows for having restrictions in /etc/cron.(allow|deny)

Section II. The Basic Operating System: 3.0 Networking Administration
3.1 Packet Filtering
Please refer to the LQ Netfilter references as posted before.
Also for routers it's imperative to do both ingress and egress filtering, see 3.2 below

3.2 Denial of Service Attacks
SANS - Consensus Roadmap for Defeating Distributed Denial of Service Attacks: http://www.sans.org/ddos_roadmap.htm
SANS - Spoofed IP Address Distributed Denial of Service Attacks: Defense-in-Depth: http://rr.sans.org/threats/spoofed.php
SANS - Understanding DDOS Attack, Tools and Free Anti-tools with Recommendation: http://rr.sans.org/threats/understan...nding_ddos.php

Section II. The Basic Operating System: 4.0 File system security

4.1 General
Also note deleting a file doesn't mean traces of it aren't retrievable. If in doubt use shred.

Point five. Make sure "noexec" on ${TMP} disks/partitions doesn't break functionality or make sure you for instance don't use UPX-compressed binaries. Also note "noexec" can be covered using GRSecurity's [5] Trusted Path Execution (TPE)
Point six. Try "/usr/sbin/repquota -sua" for starters.

4.2 Startup and Shutdown Scripts
On a personal note IMO runlevels are grossly underestimated fun.
Consider having a LILO append line looks like "nogcc nosvc_S"
If you add a check like this:
no_gcc_tgt="/usr/bin/gcc"
case "$(grep /proc/cmdline -qe "nogcc")" in
0) for t in ${no_gcc_tgt}; do chattr -iu ${t}; chmod 0100 ${t}; chattr +iu ${t}; done;;
1) /bin/false;; esac
Of course you can do this depending on runlevel, access whatever else.
Same goes for "sealing" the kernel using /proc values or using it to take away global LINUX_CAPABILITIES (using lcap).
The Linux kernel capabilities FAQ: http://www.kernel.org/pub/linux/libs...capfaq-0.2.txt

4.4 File Permissions
For tools look at Cops, Tiger and Lsat for example.
Point ten. See also "fixperms" for instance at: http://www.stanford.edu/group/itss-c...x/fixperms.sh.
Have a look at http://online.securityfocus.com/arch...6/2002-12-12/0 for a nice seteuid/setuid example.
Point eleven. Umask can be set using a simple script. Example in /etc/profile (which is run on a user's login using Bash shell):
case $(id -u) in 666) MASK="027";; *) MASK="022";; esac; export MASK
Point twelve. On a PAM'ified system, also look in /etc/security for the perms file.
Point thirteen/fourteen. Another example where mount options and GRSecurity can help. Tara Tiger also recognizes device files outside /dev.

4.9 The Coroner's Toolkit
Please note using TCT, TASK etc, etc requires you to practice beforehand. If you're not about to invest some serious time, skip this, else read up first:
Docs:
Forensics Basic Steps: http://staff.washington.edu/dittrich/misc/forensics/
Forensics presentation by Weld Pond and Tan: http://www.cs.neu.edu/groups/acm/lectures/Forensics_NU/
OSSTM: Institute for Security and Open Methodologies (formerly ideahamster.org): http://www.isecom.org/projects/osstmm.htm
Honeypot project (hone your skills! : http://project.honeynet.org/scans/

Section II. The Basic Operating System: 5.0 Account Security
Policies, Site Security Handbook: http://www.faqs.org/rfcs/rfc2196.html

5.1 Policy
Point six. Last time I used John on a remote passwd file I had 10 accounts in under 30mins, at least use pam_passwdqc.

5.2 Administration
Again, auditing a system look at Cops, Tiger and Lsat for example.
Logwatch, logsentry etc etc. Freshmeat.
GRSecurity has several options for logging user activity, there are also LKM's out there that will log for the exec family.
There's also a Bash patch that can log keystrokes to syslog or remote.

5.3 Special Accounts
Not interested? Look at the Default Password List: http://www.phenoelit.de/dpl/dpl.html :-]
Point six. There are no-access shells out there that can log an attempt to syslog.

5.4 root Account
Also watch out for LD_SO_PRELOAD.

Section II. The Basic Operating System: 6.0 System Monitoring //I'll have no notes for this.
Section III. Major Services //I'll have no notes for this, move on to Section V. Appendixes.

Section V. Appendixes
Chkwtmp and chklastlog are included in chkrootkit.
*Chkrootkit has (AFAIK) a problem with recognizing promiscuous device in linux-2.4x due to device driver flag handling.
Haven't seen a resolve for this. PLEASE CORRECT ME IF I'M WRONG!
In addition to the tools listing, maybe look here as well:
Top 50 tools: http://www.insecure.org/tools.html
CERIAS, huge archive: http://www.cerias.purdue.edu/coast/a...ory_index.html
CERT: http://www.cert.org/other_sources/tool_sources.html
OSSTM Tools listing: http://www.isecom.org/projects/operationaltools.htm
CERT: Other Sources of Security Books and Articles: http://www.cert.org/other_sources/books.html

References:
[1] RedHat Linux KickStart HOWTO: http://www.redhat.com/mirrors/LDP/HO...art-HOWTO.html
[2] UNIX Security Checklist v2.0: http://www.cert.org/tech_tips/unix_s...cklist2.0.html
[3] The process of hardening Linux: http://www.sans.org/rr/linux/hardening.php
[4] The Twenty Most Critical Internet Security Vulnerabilities: http://www.sans.org/top20/
[5] GRSecurity: http://www.grsecurity.net

===
Ok. This concludes my contribution to the 2nd part: configuring.
Hope you enjoy it and please add your tools, procedures and comments.
//and please keep this thread on topic.
 
Old 02-06-2003, 11:34 AM   #19
tangle
Senior Member
 
Registered: Apr 2002
Location: Smithville, TN
Distribution: Slackware
Posts: 1,749

Rep: Reputation: 71
Since this is one of the thing I do not know too much about, but would really like to know more (have a dial-up connection, so it is not a priority). I'll through in my 2 cents.
Here is a link to a pretty easy to use firewall program based on iptables. http://rulhmpc57.leidenuniv.nl/proje...bles-firewall/
 
Old 02-09-2003, 11:16 AM   #20
bigjohn
Senior Member
 
Registered: Jun 2002
Location: UK .
Distribution: *buntu (usually Kubuntu)
Posts: 2,690
Blog Entries: 9

Rep: Reputation: 45
firewalls ???

Yeah, Ok Unspawn, got the message, though I did think my question relevant as most of the other firewall q & a seems a little confusing and some quality "howto" may have helped others as well as me

sorry if you felt that I asked the question in the wrong place.

Keep up the good works.

regards

John


Last edited by bigjohn; 02-14-2003 at 02:49 PM.
 
Old 02-11-2003, 01:04 PM   #21
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
a general guide on locking down linux may be found here. It looks pretty handy. I think what we should really do is to work on a security check list based on a solid base ... that should help us as a leading path through the whole process!
 
Old 02-13-2003, 05:54 AM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Ok, then do me the favour of posting a short checklist we can work with and ppl can add comments to point by point, because by now this thread will be declared dead if nothing happens soon.
 
Old 02-13-2003, 03:09 PM   #23
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Okay, so 2 main parts

1) installation issues (depending on distribution)
2) post-installation issues


1) depends most on the distribution itself, like if you could limit software to be installed, etc. Always just install what you need is the best advice here probably.

And of course use a specific partion scheme,
like put all areas where users can write to on different partitions than the one for the root-stuff. Also maybe you should create an own partition for /var/log


any comments regarding this ?
 
Old 02-14-2003, 12:18 AM   #24
Grim Reaper
Member
 
Registered: Apr 2002
Distribution: Gentoo 2006.0 AMD64
Posts: 399

Rep: Reputation: 30
I saw this one in a thread:

Quote: "Port sentry is running and catches scans to those ports and denys further access."


That could be a good tool to install....unless there's something more advanced that does that already...hehe
 
Old 02-14-2003, 05:35 AM   #25
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
You can do similar things with tcp_wrappers (/etc/host.{allow|deny}) afaik!
 
Old 02-18-2003, 02:23 PM   #26
ferreter
Member
 
Registered: Oct 2002
Location: USA, IL
Distribution: Debian/Gentoo/Slack
Posts: 215

Rep: Reputation: 30
Here is a link to many Iptables scripts

http://www.linuxguruz.org/iptables/
 
Old 02-20-2003, 01:40 PM   #27
ferreter
Member
 
Registered: Oct 2002
Location: USA, IL
Distribution: Debian/Gentoo/Slack
Posts: 215

Rep: Reputation: 30
Also the nikto scanning tool is great for finding vulnerabilities or security issues with many kinds of web servers. It includes the ability for perl pluggins as well.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
"Locking in" Glibc (replace prob /lib/ld-linux.so.2 with /tools/lib/ld-linux.so.2 irfanali Linux From Scratch 11 06-29-2006 10:19 AM
Linux (Cups) printer visible to windows, invisible to linux boxes ? johnvoisey Linux - Networking 2 02-27-2004 02:57 AM
is there any virtual cd tools like deamon tools on linux ? ixogn Linux - Software 1 02-24-2004 10:19 AM
how to share linux files on LAN btwn other linux boxes shakeeb Linux - Networking 9 02-04-2004 02:10 PM
win2000 boxes cannot map but winnt boxes can - same user! starbeetlechick Linux - Networking 0 07-24-2003 07:24 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:02 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration