Wanted: Top Ten Linux Security Tips

Post by aar.. » Mon, 14 Sep 1998 04:00:00



 I'm new to the world of Linux/Perl/et al. but am thoroughly *ed to
both. As soon as Linux supports parallel CDRWs my Windows is heading out
the "Window".  I have recently installed Red Hat 5.1 at home and am trying
to pick up on some security tips for newbies. This group and the how-to's
have been a great help. However, because the information is sort of "all
over the place", so to speak, I am afraid that I'm missing some important
points.  So I'm wondering if anyone has any top ten lists of things to do
right off the bat. Here are some things I've learned to do from friends
and this group:

1. Never go on the web/ftp/mail as root.  Use an alias like sudo whenever
logged in locally.
2. Apply patches from Redhat.com
3. Close finger and all services not explicitly required.
4. Take ip spoofing out of named
5. Run a log monitor. I have swatch now but have seen Tripwire mentioned
here a few times.

There seems to be quite a debate over the usefulness of ssh so I haven't
reached that far yet.. what should I add? I suppose I should also be
asking if there is a FAQ for this group hidden somewhere?
 Thanks..


Post by lamo.. » Mon, 14 Sep 1998 04:00:00


Here's a generic list, in no particular order:

1.  install strengthened programs:  ssh, tcp_wrappers, pidentd w/crypto,
    rpcbind/portmap w/access control and logging, others
2.  audit your network services (inetd.conf, startup files, RPC services)
3.  update all versions of network programs (sendmail, httpd, etc)
4.  audit your suid files (turn off anything which isn't used -- e.g.
    do you really need /usr/bin/at when you've got crontab?)
5.  wrap the remaining suid files with one of the publicly available
    wrappers
6.  install the vendor security patches.
7.  audit the file permissions on O/S files (/var, /etc, etc).
8.  either do a full-blown tripwire, or at least get hardcopies of the
    md5/sha1 hashes of critical utilities that are usually rootkitted
    (any net daemon, any suid/sgid file, netstat, ls, ps, top, etc)
9.  run frequent checks for strange things like suid root files (e.g. COPS)
10. kick back with a 6-pack of decent beer.

obviously, this isn't in order -- 6 should probably come before 5.  although
10 should definitely come last =)

--

looking for unix administration / security work
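As an added illustration of item 8 (this is not code from the thread): a small Python script that records md5/sha1 digests of a set of binaries and later re-checks them, flagging files that were replaced or removed. The file names are constructed temp files standing in for ls, ps and netstat.

```python
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1")   # the algorithms the post names; see the note below


def digests_of_chunks(chunks):
    """Feed an iterable of byte chunks to every algorithm at once."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def file_digests(path):
    """Stream a file in 64 KiB chunks so large binaries never sit in memory."""
    with open(path, "rb") as fh:
        return digests_of_chunks(iter(lambda: fh.read(65536), b""))


def build_baseline(paths):
    """Item 8's 'hardcopy': digests of the binaries rootkits usually replace."""
    return {p: file_digests(p) for p in paths}


def verify_baseline(baseline):
    """Re-hash each file; return (changed, missing) lists of paths."""
    changed, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif file_digests(path) != expected:
            changed.append(path)
    return changed, missing


def demo():
    """Constructed stand-ins for ls/ps/netstat in a temp dir, then a fake rootkit."""
    tmp = tempfile.mkdtemp()
    ls, ps, netstat = (os.path.join(tmp, n) for n in ("ls", "ps", "netstat"))
    for p in (ls, ps, netstat):
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\necho genuine " + os.path.basename(p).encode() + b"\n")
    baseline = build_baseline([ls, ps, netstat])
    with open(ps, "wb") as fh:                # 'ps' swapped for one that hides processes
        fh.write(b"#!/bin/sh\necho nothing to see here\n")
    os.remove(netstat)                         # 'netstat' deleted outright
    changed, missing = verify_baseline(baseline)
    return (sorted(map(os.path.basename, changed)), sorted(map(os.path.basename, missing)))


if __name__ == "__main__":
    print(demo())   # (['ps'], ['netstat'])
```

The baseline only proves something if the intruder cannot rewrite it too, which is why the post says hardcopy: keep it offline or on read-only media. md5 and sha1 are what the post names; both are now considered collision-weak, so a current baseline would use sha256 instead.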


Post by Thomas W » Mon, 14 Sep 1998 04:00:00



> right off the bat. Here are some things I've learned to do from friends
> and this group:

[...]

> There seems to be quite a debate over the usefulness of ssh so I haven't
> reached that far yet.. what should I add? I suppose I should also be

Upgrading the password system to EPS and using the secure SRP telnet
distribution should also be undertaken.  This should be done after
patching the known security holes and setting up TCP wrappers,
since those are higher-priority risks.
--


  Phone: (650) 723-1565                   or better,' so I installed Linux."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/

Post by Jim Denni » Tue, 15 Sep 1998 04:00:00


:  I'm new to the world of Linux/Perl/et al. but am thoroughly *ed to
: both. As soon as Linux supports parallel CDRWs my Windows is heading out
: the "Window".  I have recently installed Red Hat 5.1 at home and am trying
: to pick up on some security tips for newbies. This group and the how-to's
: have been a great help. However, because the information is sort of "all
: over the place", so to speak, I am afraid that I'm missing some important
: points.  So I'm wondering if anyone has any top ten lists of things to do
: right off the bat. Here are some things I've learned to do from friends
: and this group:

: 1. Never go on the web/ftp/mail as root.  Use an alias like sudo whenever
:       logged in locally.

        Not quite right.  Use a normal user account for
        all normal work and use the 'sudo' command to selectively
        and temporarily grant *that* account access to additional
        privileges (the least possible for a given task) whenever
        those additional privs are necessary.

: 2. Apply patches from Redhat.com

        Or your vendor of choice.

: 3. Close finger and all services not explicitly required.
: 4. Take ip spoofing out of named

        IP Spoofing isn't "in" named.  You need to use packet
        filters (on your border router) and/or Linux ipfwadm/ipchains
        commands to prevent spoofing.  Even then you can only
        prevent the ingress of packets which claim to be from
        the IP addresses in *your* domain (on your LAN) and the
        egress of packets which claim to be from *any other* IP
        (other than your domain).  You can't do anything to
        prevent one third party from spoofing their packets to
        appear as though they were from another third party
        (both of those parties and their routers are beyond
        your administrative control).

        The consequence of this is that you must not trust
        IP addresses from outside of your domain.  In general
        after you've implemented anti-spoofing packet screens
        on *all* border routers (all routes that lead in/out
        of your domain) you should *not* trust any conclusion
        beyond:  "That was from outside" and "This was from inside."
        (And there are even exceptions to that).

: 5. Run a log monitor. I have swatch now but have seen Tripwire mentioned
: here a few times.

        'tripwire' is not a "log monitor" --- it is a file integrity
        verification system.  You probably want both.  However, there
        are numerous ways of corrupting log files, so you'd
        really better have the rest of your host security act together
        before log file monitoring will mean anything.

: There seems to be quite a debate over the usefulness of ssh so I haven't
: reached that far yet.. what should I add? I suppose I should also be
: asking if there is a FAQ for this group hidden somewhere?
:  Thanks..

        What's the debate?  It's a hell of a lot better than rsh and
        telnet!
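The ingress/egress screens Jim describes, as an added Python model (not code from the thread, and not ipchains syntax): the LAN prefixes and the packet records are constructed, and the second record shows the limit he points out, an outside source address the filter has no way to verify.

```python
import ipaddress

# Constructed example: the prefixes that make up "your domain" behind the border router.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    """True if the address lies in one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def antispoof_verdict(direction, src):
    """The two screens from the post, decided on the claimed source address:
    ingress: drop if the source claims to be one of our addresses;
    egress:  drop if the source claims to be anything other than ours.
    Everything else is accepted, which is exactly the limit: an outside host
    forging another outside address passes and cannot be detected here."""
    internal = is_internal(src)
    if direction == "ingress" and internal:
        return "drop"
    if direction == "egress" and not internal:
        return "drop"
    return "accept"


# Constructed records: "<direction> <src> <dst>" as the border router sees them.
SAMPLE_PACKETS = [
    "ingress 192.168.1.7 192.168.1.1",    # outsider claiming a LAN address
    "ingress 203.0.113.5 192.168.1.1",    # outside source; genuine or not, we can't tell
    "egress 192.168.1.7 203.0.113.5",     # one of ours talking out
    "egress 198.51.100.9 203.0.113.5",    # a host of ours forging someone else's address
]


def screen(records):
    """Return [(record, verdict)] for each packet record."""
    out = []
    for rec in records:
        direction, src, _dst = rec.split()
        out.append((rec, antispoof_verdict(direction, src)))
    return out


if __name__ == "__main__":
    for rec, verdict in screen(SAMPLE_PACKETS):
        print(f"{verdict:6} {rec}")
```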


Post by Jason Cliffor » Tue, 15 Sep 1998 04:00:00



There are a number of things I could add but one is particularly important
in view of recent events.

DO NOT have . in your path environment variable. This is one of the oldest
tripups in the business and I have seen it recently in a number of
S.u.S.E. Linux installations (apparently S.u.S.E. have included the option
to allow this). This is 'A Bad Thing'.

Jason Clifford
Definite Linux Systems
http://definite.ukpost.com/

> Here's a generic list, in no particular order:

> 1.  install strengthened programs:  ssh, tcp_wrappers, pidentd w/crypto,
>     rpcbind/portmap w/access control and logging, others
> 2.  audit your network services (inetd.conf, startup files, RPC services)
> 3.  update all versions of network programs (sendmail, httpd, etc)
> 4.  audit your suid files (turn off anything which isn't used -- e.g.
>     do you really need /usr/bin/at when you've got crontab?)
> 5.  wrap the remaining suid files with one of the publicly available
>     wrappers
> 6.  install the vendor security patches.
> 7.  audit the file permissions on O/S files (/var, /etc, etc).
> 8.  either do a full-blown tripwire, or at least get hardcopies of the
>     md5/sha1 hashes of critical utilities that are usually rootkitted
>     (any net daemon, any suid/sgid file, netstat, ls, ps, top, etc)
> 9.  run frequent checks for strange things like suid root files (e.g. COPS)
> 10. kick back with a 6-pack of decent beer.

> obviously, this isn't in order -- 6 should probably come before 5.  although
> 10 should definitely come last =)

> --

> looking for unix administration / security work


Post by Dean Pentchef » Tue, 15 Sep 1998 04:00:00



>  I'm new to the world of Linux/Perl/et al. but am thoroughly *ed to
...
> points.  So I'm wondering if anyone has any top ten lists of things to do
> right off the bat. Here are some things I've learned to do from friends
> and this group:

...

Something else should be mentioned: assess the level of threat, the
potential losses from intrusion, and the resources you are willing to
commit.  

Are you a high-tech corporation developing hot new secret technologies
on your machine?  If so, there are quite likely to be crackers
interested in breaking into your box.  Are you a hobbyist enjoying
software development?  Then there isn't too much incentive for people
to crack you.

What if your box is cracked and you lose all your files?  Are there
thousands of employees on payroll waiting for that box to come back
up?  Or does it mean that you spend an evening reinstalling the OS and
restoring your datafiles from Zip disks?

How much of your time and energy do you want to spend on security?
Are you the chief information security officer for a bank?  Or would
you like to invest a few hours to feel that your box will fend off
random probes from lame dO0dZ?

You can certainly spend an immense amount of time locking down every
aspect of a system, and get nothing else done.  That said, if you have
things to protect, that's an appropriate thing to do.  Investment in
security should be commensurate to the threat, the potential losses,
and your possible level of investment.  Computer security dilettantes
often get religious about absolute levels of security.  This is a false
route to follow: your system will never be completely secure; but
reasonable investment in security will yield reasonable levels of it.  

That said, I sure learned a lot from the following books:

Garfinkel, S. and G. Spafford.  1996.  Practical UNIX and Internet
Security.  O'Reilly & Associates.  <http://www.veryComputer.com/>

Chapman, D.B. and E.D. Zwicky.  1995.  Building Internet Firewalls.
O'Reilly & Associates.  <http://www.veryComputer.com/>

Cheswick, W.R. and S.M. Bellovin. 1994.  Firewalls and Internet
Security: Repelling the Wily Hacker.  Addison-Wesley.

-Dean
--

Biological Sciences, Univ. of South Carolina, Columbia SC 29208 (803-777-7068)


Post by Dr. Werner Fi » Wed, 16 Sep 1998 04:00:00




> There are a number of things I could add but one is particularly important
> in view of recent events.

> DO NOT have . in your path environment variable. This is one of the oldest
> tripups in the business and I have seen it recently in a number of
> S.u.S.E. Linux installations (apparently S.u.S.E. have included the option
> to allow this). This is 'A Bad Thing'.

If you see such an installation please *gently* force the owner to set
the variable CWD_IN_ROOT_PATH in /etc/rc.config to "no" and run
SuSEconfig. "no" is the default but even if warned the people do not
believe that this should be left.  Note: we can't forbid this
``feature'' because most people will email/phone and even if warned
write the cwd directly into their root ~/.bashrc and forget this fact.

In my experience most of them are newbies with several years'
experience in Windows[tm] and/or Windows NT[tm] ... in other words
they have not realized the advantage of not having cwd in PATH
but only see the easy use.  The longer the experience, the more gentle
force is required ...

      Werner

--
 Dr. Werner Fink  --  S.u.S.E. GmbH,  Gebhardtstr. 2, 90762 Fuerth,  Germany

 http://www.suse.de/~werner/
---------------  \/\/ o r l d - \/\/ i d e - \/\/ a i t i n g --------------
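An added check for the point Jason and Werner raise (not code from the thread or from S.u.S.E.): it lists PATH entries that resolve to the current directory and parses a constructed /etc/rc.config fragment for CWD_IN_ROOT_PATH. That rc.config uses shell-style KEY="value" lines with # comments is my assumption.

```python
import os


def cwd_entries(path_value):
    """Return the PATH entries that resolve to the current directory.
    '.', an empty entry (leading, trailing or doubled colon) and any
    relative entry such as 'bin' all mean 'whatever directory I am in'."""
    return [e for e in path_value.split(":") if e in ("", ".") or not os.path.isabs(e)]


def rc_config_allows_cwd(rc_text):
    """Assumed rc.config format: KEY="value" lines, '#' comments.
    True only if CWD_IN_ROOT_PATH is set to yes; "no" is the default per Werner."""
    for raw in rc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "CWD_IN_ROOT_PATH":
            return value.strip().strip("\"'").lower() == "yes"
    return False


def audit(path_value, rc_text):
    """Human-readable findings for one host's PATH and rc.config."""
    findings = [f"PATH contains a cwd entry: {e!r}" for e in cwd_entries(path_value)]
    if rc_config_allows_cwd(rc_text):
        findings.append("CWD_IN_ROOT_PATH is yes in /etc/rc.config")
    return findings


# Constructed sample: a PATH with '.' and a trailing colon, and an rc.config that opts in.
SAMPLE_PATH = "/usr/local/bin:/usr/bin:.:/bin:"
SAMPLE_RC = '# constructed fragment\nCWD_IN_ROOT_PATH="yes"   # should be "no"\n'

if __name__ == "__main__":
    for finding in audit(SAMPLE_PATH, SAMPLE_RC):
        print(finding)
```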


Post by e.. » Wed, 16 Sep 1998 04:00:00



> Upgrading the password system to EPS

What is this?

Greetings
Bernd


Post by Daniel M Robertso » Wed, 16 Sep 1998 04:00:00


> Something else should be mentioned: assess the level of threat, the
> potential losses from intrusion, and the resources you are willing to
> commit.  

Was this taken straight from the Security-HOWTO document?!?!  He is right,
but I have seen this before.  If you want help securing a linux box, you

around for it)

> How much of your time and energy do you want to spend on security?
> Are you the chief information security officer for a bank?  Or would
> you like to invest a few hours to feel that your box will fend off
> random probes from lame dO0dZ?

Most lame do0dz can't do shit...It is the people that know a*about
UNIX/Linux and how it works that you should worry about.  Script kiddiez
are also something that you should stay away from.  Go to places like
rootshell.com, technotronics.com, etc and get exploits.  Run them on your
box...If you can be compromised, fix it...if not, most people using those
can't modify the code and get the code from the same place you did, so
there isn't much to worry about.

> That said, I sure learned a lot from the following books:

BTW: A good place for books is amazon.com...just FYI.

> Garfinkel, S. and G. Spafford.  1996.  Practical UNIX and Internet
> Security.  O'Reilly & Associates.  <http://www.veryComputer.com/>

I tried to find this book, but it has been popular and was sold out from
where I went. :(
> Chapman, D.B. and E.D. Zwicky.  1995.  Building Internet Firewalls.
> O'Reilly & Associates.  <http://www.veryComputer.com/>

> Cheswick, W.R. and S.M. Bellovin. 1994.  Firewalls and Internet
> Security: Repelling the Wily Hacker.  Addison-Wesley.
