Best Practices
For Securing your Linux System
Notes from the Red Hat Linux Security Seminar (July 23, 2002)
General Best Practices:
- Patches - Patch your system often. Check for operating system patches at your vendor's web site on a regular (weekly) basis, and subscribe to security alert mailing lists such as SecurityPortal or Bugtraq to stay informed about security issues. If using an RPM-based distribution, use AutoRPM or Red Hat's up2date program to watch for updates/patches.
- Firewall - Restrict access to your system services by configuring and using TCP wrappers (/etc/hosts.allow and /etc/hosts.deny) and ipchains/iptables to allow only authorized hosts and users to connect to network services. Default to deny, and open only the ports a service actually needs.
- Physical Security - If you cannot ensure the physical security of the system, disable the Ctrl+Alt+Delete reboot in /etc/inittab, disable booting from removable media, set a password for the LILO prompt, disable plug-and-play settings in the BIOS, set a BIOS password, and allow only authorized users (root, administrators) to log in from the console. Perform regular system backups.
- Encryption - Use an SSH daemon (OpenSSH or FreeSSH) for terminal access in place of telnetd, so that logins and session traffic are not sent in clear text. Use the sudo command in place of root logins (see http://www.courtesan.com/sudo/) for elevated access that is logged per command.
- Network Services - Deactivate all network services that are not in use on the system: pop3d, imapd, ftpd, fingerd, bind (named), httpd, linuxconf, sendmail, portmapper, lpr. A service that is not running cannot be attacked over the network.
- File System Security - Review file permissions using the least-access rule; allow write access only where needed. Review /etc/passwd, /etc/shadow and the /etc/security/ files (access, group, limits, times, etc.) for correct configuration. Restrict elevated authority by finding set-UID root programs (see Monitor below) and removing the SUID bit where possible, and by removing all access to directories, programs and/or compilers that users don't need.
- NFS - Review network file exports: never export /, /bin or /etc, and export to specific hosts (read-only where possible) rather than to the world. Disable NFS and portmapper if not needed.
- Passwords - Ensure strong authentication is used via PAM facilities, and that all default (shipped) passwords are changed. Use a stronger password hash than the traditional DES-based crypt, such as MD5 (the md5 option of pam_unix).
- Monitor - Keep an eye on your system by reviewing the syslog often (minimally log all kernel, warning and error messages), reviewing open ports (netstat -an) and running processes (ps -ef), regularly reviewing the network service configuration (inetd.conf or xinetd.d/*) and scheduled jobs (cron or at), and by performing a set-UID root audit with the "find / -perm +4000 -uid 0 -print" command (current versions of GNU find spell this "-perm -4000") to review changes in world-executable programs that run as root.
Hardening your Linux System with the Bastille Script
The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system, and currently supports Red Hat and Mandrake Linux. The objective is to provide the most secure, yet usable, system possible. Bastille Linux draws from every available major reputable source on Linux Security, and has been designed to educate the installing administrator about the security issues involved in each of the script's tasks. Each step is optional and contains a description of the security issues involved. See
http://www.bastille-linux.org/ for more information and to download the executables.
The IC-LUG usually meets on the second Thursday of every month at 7:00pm at the Iowa City Public Library. It is free and open to anyone interested in attending. More information, including instructions for subscribing to the mailing list, is available at their web site http://www.iclug.org
Documentation and Online Resources
UI Information Technology Services Systems & Platforms Group Linux Page: http://www.its.uiowa.edu/spa/linux/
Red Hat Docs: http://www.redhat.com/apps/support/documentation.html
Linux Administrator's Security Guide: http://www.seifried.org/lasg/
Linux Headquarters: http://www.linuxheadquarters.com/
Linux Documentation Project: http://www.linuxdoc.org
Caldera Linux: http://www.calderasystems.com/products/