Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
First I'd like to outline something from my README file:
Code:
----------------------------------------------------------------------
intended audience
----------------------------------------------------------------------
I assume you match the following requirements:
x good knowledge about computers in general
x hostile to M$ testers (= users)
x USB turned off
x real linux knowledge
[ not distribution specific stuff only ]
x sensitive care for security
x know how to use debian-tools like apt-get and dpkg
If you don't match all requirements you will not be able to
understand the ChangeLogs. By the way, I give NO WARRANTY OF ANY
KIND that after you did all these steps your system is more performant,
stable, secure or anything else. Don't cry - you have been warned!
Greetings to unSpawn, a security expert from Belgium who has helped
me out a lot so far!
----------------------------------------------------------------------
If you understand that, you can continue reading. I just don't want complaints or anything :-)
If you have a question about something, please quote ONLY the relevant part. This issue will be spread over different threads and maybe even different forums. I'll link those together though!
BTW, you CAN'T copy that 1:1 and use it for your system. Like everything else it needs to be adjusted to your system, just like network config, e-mail addresses, etc.
Last edited by markus1982; 05-25-2003 at 03:53 AM.
----------------------------------------------------------------------
installation
----------------------------------------------------------------------
x bf24 as boot option to install Kernel 2.4
----------------------------------------------------------------------
----------------------------------------------------------------------
base configuration
----------------------------------------------------------------------
x MD5 passwords
x shadow passwords
----------------------------------------------------------------------
I'm using Kernel v2.4 since I have some hardware that requires that and of course I want to use iptables. I'll build a customized kernel anyways but it's good to have some default fall-back kernel which supports my netfilter configuration :-)
Code:
----------------------------------------------------------------------
moved specific directories to other partitions
----------------------------------------------------------------------
why am I doing that ?
x performance tuning (partition-specific)
x security
how to do something alike ?
x create the partitions using fdisk
x format those using mkfs.ext3 (you need to adjust those)
x edit /etc/fstab so you can follow my instructions
each of the following will get its own partition:
/boot
/home
/tmp
/usr
/usr/local
/var/log
/var/spool/postfix
/var/tmp
/boot
mv /boot /boot.old
mkdir /boot
mkfs.ext3 /dev/hdd6
mount /dev/hdd6 /boot
mv /boot.old/* /boot
rm -r /boot.old
/home (directory is empty, so it can be used as the mount point directly)
mkfs.ext3 /dev/hdd7
mount /dev/hdd7 /home
chown root:users /home
chmod o-rwx /home
/tmp (directory is empty)
mkfs.ext3 /dev/hdd8
mount /dev/hdd8 /tmp
chmod 777 /tmp
chmod +t /tmp
/usr
mv /usr /usr.old
mkdir /usr
mkfs.ext3 /dev/hdd9
mount /dev/hdd9 /usr
mv /usr.old/* /usr
rm -r /usr.old
/usr/local
mv /usr/local /usr/local.old
mkdir /usr/local
mkfs.ext3 /dev/hdd10
mount /dev/hdd10 /usr/local
mv /usr/local.old/* /usr/local
chmod g-sw -R /usr/local
chown root:root -R /usr/local
rm -r /usr/local.old
/var/log
mv /var/log /var/log.old
mkdir /var/log
mkfs.ext3 /dev/hdd11
mount /dev/hdd11 /var/log
mv /var/log.old/* /var/log
rm -r /var/log.old
/var/tmp
mkfs.ext3 /dev/hdd13
mount /dev/hdd13 /var/tmp
chmod 777 /var/tmp
chmod +t /var/tmp
Next thing of course is to modify /etc/fstab according to those
changes!
----------------------------------------------------------------------
----------------------------------------------------------------------
optimized mount flags [ /etc/fstab ]
----------------------------------------------------------------------
/boot defaults,nodev,noexec,nosuid
/home defaults,nodev,noexec,nosuid
/tmp defaults,nodev,noexec,nosuid
/usr defaults,noatime,nodev
/usr/local defaults,noatime,nodev
/var/log defaults,nodev,nosuid,noexec
/var/spool/postfix defaults,noatime,nodev,nosuid
/var/tmp defaults,nodev,nosuid
went into init 1 to be able to remount all of those
umount -a
mount -a
----------------------------------------------------------------------
Now we have everything split up onto different partitions. I install self-coded scripts, etc. in /usr/local/sbin. All daemons that will be installed chrooted will be under /usr/local/. For instance bind: /usr/local/bind. Remember this is just a BASE IMAGE for other servers. After securing the base image you can use that to set up new servers quickly ... you have to adjust the AIDE, etc. configuration for each server of course.
Last edited by markus1982; 05-25-2003 at 03:54 AM.
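As an added example (not from the thread and not markus1982's own files), a POSIX shell audit that compares an /etc/fstab against the per-partition mount options listed above; the POLICY table and the sample fstab are constructed assumptions for the demo, so adjust both to your own layout:

```shell
#!/bin/sh
# Added example: report fstab entries that lack the nodev/nosuid/noexec
# options the base image expects. Prints one line per missing option
# (or per missing mountpoint); prints nothing when everything matches.

# Assumed policy, taken from the "optimized mount flags" list above.
POLICY='/boot nodev,noexec,nosuid
/home nodev,noexec,nosuid
/tmp nodev,noexec,nosuid
/usr nodev
/usr/local nodev
/var/log nodev,nosuid,noexec
/var/spool/postfix nodev,nosuid
/var/tmp nodev,nosuid'

# check_fstab FILE: compare the options field (4th column) of each
# policy mountpoint in FILE with the options POLICY requires.
check_fstab() {
    printf '%s\n' "$POLICY" | while read -r mp required; do
        # Options of the fstab line whose mountpoint is $mp; comments skipped.
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1")
        if [ -z "$opts" ]; then
            echo "$mp: no fstab entry"
            continue
        fi
        for want in $(printf '%s' "$required" | tr ',' ' '); do
            case ",$opts," in
                *",$want,"*) ;;                      # option present
                *) echo "$mp: missing $want" ;;      # option absent
            esac
        done
    done
}

# count_findings FILE: number of violations check_fstab reports.
count_findings() { check_fstab "$1" | wc -l | tr -d ' '; }

# Constructed sample fstab: /tmp lacks noexec and /var/log has no entry.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hdd6 /boot ext3 defaults,nodev,noexec,nosuid 0 2
/dev/hdd7 /home ext3 defaults,nodev,noexec,nosuid 0 2
/dev/hdd8 /tmp ext3 defaults,nodev,nosuid 0 2
/dev/hdd9 /usr ext3 defaults,noatime,nodev 0 2
/dev/hdd10 /usr/local ext3 defaults,noatime,nodev 0 2
/dev/hdd12 /var/spool/postfix ext3 defaults,noatime,nodev,nosuid 0 2
/dev/hdd13 /var/tmp ext3 defaults,nodev,nosuid 0 2
EOF

check_fstab "$SAMPLE"
```

Run it against the real file with `check_fstab /etc/fstab` after the remount; an empty report means the flags in fstab match the list.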
A secure system should have as little software on it as possible. You don't need a compiler or anything like that on it (and you shouldn't have one). Or would you like to provide an attacker with a full-featured tool set?
Code:
----------------------------------------------------------------------
packages I purged
----------------------------------------------------------------------
- base-config no need to modify config!
- dhcp-client no DHCP required
- ed don't like that editor
- fdutils no floppy stuff required
- ipchains iptables since Kernel 2.4+
- lilo will install grub
- mbr not required
- modconf I know my modules
- pciutils not required
- ppp permanent connection
- pppconfig permanent connection
- pppoe permanent connection
- pppoeconf permanent connection
- setserial not required
- tasksel I prefer apt-get and dpkg
----------------------------------------------------------------------
You might need DHCP and PPP stuff so remove only those you don't really require.
configuring apt & installation of additional software
Before we can install the software we need to configure APT:
Code:
----------------------------------------------------------------------
configured apt [ /etc/apt/apt.conf ]
----------------------------------------------------------------------
mkdir /var/cache/apt/tmp
created /etc/apt/apt.conf
APT
{
// ExtractTemplates
ExtractTemplates
{
// standard is /tmp which is mounted noexec
TempDir "/var/cache/apt/tmp";
}
};
----------------------------------------------------------------------
----------------------------------------------------------------------
reconfigured apt sources [ /etc/apt/sources.list ]
----------------------------------------------------------------------
# ====================================================================
# base system
# --------------------------------------------------------------------
deb http://ftp.de.debian.org/debian/ stable main
deb http://non-us.debian.org/debian-non-us stable/non-US main
# ====================================================================
# ====================================================================
# security updates
# --------------------------------------------------------------------
deb http://security.debian.org/ stable/updates main
# ====================================================================
----------------------------------------------------------------------
You wonder why I moved the temporary directory away from /tmp? Well apt-get relies on execution of scripts and since /tmp is noexec you do not have the chance to execute there, ergo we need to move it to a new path.
Now we can install the software we require:
Code:
----------------------------------------------------------------------
installed additional software (no configuration required)
----------------------------------------------------------------------
+ bzip2 used for compression, etc
+ dump for easing backups using images
+ ftp-ssl used for secure ftp communication
+ libdate-calc-perl required for pflogsumm
+ mutt mail user agent
+ openssl ssl
+ sudo no comment
+ traceroute no comment
----------------------------------------------------------------------
You might not need traceroute, mutt or dump. So install those only if you require them!
Last edited by markus1982; 05-25-2003 at 04:03 AM.
more additional software (configuration required though)
Well now you have a nice bootloader and next step is of course to install some more software. Replace EXIM with a more performant MTA, etc:
Code:
----------------------------------------------------------------------
installed less
----------------------------------------------------------------------
Application/* as mime handler
----------------------------------------------------------------------
----------------------------------------------------------------------
installed ntpdate
----------------------------------------------------------------------
ntp-servers: ntp0.fau.de ptbtime1.ptb.de
----------------------------------------------------------------------
----------------------------------------------------------------------
installed pflogsumm (backported package)
----------------------------------------------------------------------
created backport of pflogsumm at other host:
apt-get source -b pflogsumm
installed backported package:
dpkg -i packages/pflogsumm/*.deb
----------------------------------------------------------------------
----------------------------------------------------------------------
installed postfix (backported package)
----------------------------------------------------------------------
downloaded following backported packages of Postfix from
http://people.debian.org/~nobse/debian/woody/
backported/libdb4.1/libdb4.1_4.1.25-1.nobse.*.deb
backported/postfix/postfix-pcre*.deb
backported/postfix/postfix-tls*.deb
backported/postfix/postfix_2.0.9-0.nobse.*.deb
dpkg --purge exim
dpkg -i packages/libdb4.1/*.deb
dpkg -i packages/postfix/*.deb
No configuration
/usr/bin/newaliases
----------------------------------------------------------------------
----------------------------------------------------------------------
installed slocate
----------------------------------------------------------------------
/etc/cron.daily/slocate
----------------------------------------------------------------------
----------------------------------------------------------------------
installed and secured ssh
----------------------------------------------------------------------
Allow SSH protocol 2 only
Do NOT install /usr/lib/ssh-keysign SUID root
added/changed following in /etc/ssh/sshd_config:
AllowGroups users
ChallengeResponseAuthentication no
ClientAliveInterval 15
ClientAliveCountMax 4
DenyGroups root
DenyUsers root
KeepAlive no
KeyRegenerationInterval 900
ListenAddress 192.168.0.82:22
LoginGraceTime 15
MaxStartups 5:50:100
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
RSAAuthentication no
ServerKeyBits 1024
I'm restricting which users are able to log in using PAM, so I
inserted this as the 1st line of /etc/pam.d/ssh
auth required pam_listfile.so \
sense=allow \
onerr=fail \
item=user \
file=/etc/ssh/allowed_users
echo "markus" > /etc/ssh/allowed_users
I've created a second ssh instance which will be just
accessible from the internal network and by 1 person. The
server is listening on an unassigned high port:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_hp
cp /etc/init.d/ssh /etc/init.d/ssh_hp
update-rc.d ssh_hp start 20 2 3 4 5 . stop 20 0 1 6 .
adjusted /etc/ssh/sshd_config_hp:
AllowUsers markus
ListenAddress 192.168.0.82:49150
PidFile /var/run/sshd_hp.pid
adjusted /etc/init.d/ssh_hp:
x added "-f /etc/ssh/sshd_config_hp" to the config test
x changed /var/run/sshd.pid to /var/run/sshd_hp.pid
x added "-- -f /etc/ssh/sshd_config_hp" to
start-stop-daemon commands
----------------------------------------------------------------------
----------------------------------------------------------------------
installed uptimed
----------------------------------------------------------------------
20 records to be kept
never send mail
----------------------------------------------------------------------
----------------------------------------------------------------------
installed xinetd
----------------------------------------------------------------------
do NOT convert /etc/inetd.conf to /etc/xinetd.conf
created secure xinetd default configuration
[ /etc/xinetd.conf ]
defaults
{
bind = 127.0.0.1
cps = 64 5
instances = 255
log_on_failure = HOST ATTEMPT
log_on_success = PID
log_type = SYSLOG authpriv
only_from =
per_source = 2
}
includedir /etc/xinetd.d
mkdir /etc/xinetd.d
----------------------------------------------------------------------
Now everything for the bare base system is installed. Configuration is not done yet though (except for the ones that got freshly installed and don't have a lot of configuration lines). Remember: this needs to be ADJUSTED TO YOUR SYSTEM.
Inactive users should not be tolerated for a long time. Just think of somebody SSHing remotely to the server, going outside for a beer and leaving SSH open forever ... this shouldn't be the case but it happens. Kick idle users after 60 seconds:
Now you should set up some kind of policy and have every admin sign it. At the system you could use something like:
Code:
----------------------------------------------------------------------
adjusted /etc/motd
----------------------------------------------------------------------
Unauthorized access to this server is prohibited! Everything which has
not been explicitly allowed is unauthorized usage.
All activities are monitored and logged. There is NO RIGHT for privacy
on this system. Unauthorized access and activities or any criminal
activity in general will be reported to appropriate authorities
without any exceptions! Don't cry - you have been warned!
----------------------------------------------------------------------
----------------------------------------------------------------------
adjusted /etc/default/rcS
----------------------------------------------------------------------
EDITMOTD=no
----------------------------------------------------------------------
Why no noexec? Also, why do you need two temp filesystems, why not /tmp and have /var/tmp symlink?
- timestamps as defined in RFC1323
net/ipv4/tcp_timestamps = 0
- window scaling as defined in RFC1323
net/ipv4/tcp_window_scaling = 0
Is there a specific problem with these? Did a quick search (just looked at the first couple from Google) and didn't see too much, at least not an explanation. Is timestamping expensive, do either lead to a DoS, give out too much info, or is it just plain good form (not using what you don't need)?
Quote:
/var/tmp defaults,nodev,nosuid
Why no noexec? Also, why do you need two temp filesystems, why not /tmp and have /var/tmp symlink?
noexec because of /tmp attacks. Remember tmp is writable by EVERYBODY. I know that you can circumvent that and it offers no real protection but at least it will keep pretty lame people (= script kiddies) out. They'll play somewhere else if their stuff which requires /tmp to be exec doesn't work.
regarding /var/tmp and /tmp:
Quote:
Filesystem Hierarchy Standard: 5.15 /var/tmp : Temporary files preserved between system reboots
The /var/tmp directory is made available for programs that require temporary files or directories that are preserved between system reboots. Therefore, data stored in /var/tmp is more persistent than data in /tmp.
Files and directories located in /var/tmp must not be deleted when the system is booted. Although data stored in /var/tmp is typically deleted in a site-specific manner, it is recommended that deletions occur at a less frequent interval than /tmp
Quote:
- timestamps as defined in RFC1323
net/ipv4/tcp_timestamps = 0
- window scaling as defined in RFC1323
net/ipv4/tcp_window_scaling = 0
Is there a specific problem with these? Did a quick search (just looked at the first couple from Google) and didn't see too much, at least not an explanation. Is timestamping expensive, do either lead to a DoS, give out too much info, or is it just plain good form (not using what you don't need)?
Well there is not really a problem with this. It's tuning to be honest. But it also defeats Nmap's uptime detection AFAIK. I can't remember the docs I got that from ... but a Google search highlighted it again:
Well, it looks a little bit short and misses a lot of explanations (e.g. that the desktop user should be in group docs)
Well I shouldn't call it HOWTO. I should call it "changelog", 'cause that is what it REALLY is. It focuses on using Debian as a SERVER without any GUI!
Quote:
You probably might want to check this part of your /etc/motd with your lawyer first, too