
A little security thing . . .



I was going to have a little security talk covering tools and such, but
this is a little doc that I wrote up for my last job before I left
there.  Don't know if anyone is interested but, here you go anyway.  :)

--Cut Here (well theoretically at least)

Created by Tighe Schlottog for the SILUG West group.

Version 0.01

*WARNING*  This is only a little overview; if you want more, or if there are any
problems with this, tell me.  I have been working with Solaris and Tru64 so much
lately that there is bound to be some overlap in my thinking between them and
Linux.  Contact me at emry@accessus.net.  Tighe

Security on Linux

1.  Network Security
2.  Host Based Security
3.  Goofy Questions



1.  Network Security

	A major part of installing the Linux operating system is securing your
box against those who, for one reason or another, have seen fit to break into
your machine and make it their own.  This is usually done through remote
exploits of network applications.  There are many things that you can do to
make your box more secure; in this document we are going to go through them
step by step and secure your box.  Ready?

Steps to Security (kind of)

A.  Installation of the operating system should be as normal, but don't 
reconnect your computer to a network until you are finished with these steps.

B.  Ensure that you are running the TCP wrappers toolkit; it lets you allow
and deny connections based on their source address, which (kind of) keeps
attackers at bay.  The way to check for this is to run the following command,
"grep tcpd /etc/inetd.conf".  If it returns a bunch of lines then you are good;
if not, you are going to need to download and install the program from
ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils.  There is a tcp wrappers
directory in there that you can use.  Once you have it installed and
inetd.conf set up correctly (RTFM), run these two commands:
"echo ALL:ALL > /etc/hosts.deny" and "echo ALL:localhost > /etc/hosts.allow".
This denies all access to your inetd from everywhere except localhost.  At
this point you also have libwrap installed, which lets other network
applications use the hosts.[allow|deny] files where they support it.

C.  Next you are going to need to go through your boot-time daemons and decide
which ones you really need.  cd into /etc/rc.d/init.d and take a look at these
things.  I can tell you now, unless you are running a fileserver/mailserver/
webserver/etc you can get rid of a lot of this crap.  Save it though, you never
know when you are going to need it.  Make a directory called
/etc/rc.d/init.d/backup and move the files that you are not going to need into
there.  Once you are done with that you need to get rid of their startups at
the various runlevels.  You can do this by cd'ing into /etc/rc.d and then
running rm -rf */*<name of file in backup>; for example, after getting rid of
sendmail, run rm -rf */*sendmail to remove it from the various runlevels.

D.  You have pretty much done everything that you can without going too
crazy.  Now we start to get a little weird, making sure that your machine
doesn't forward IP packets etc.  There is some information in
/proc/sys/net/ipv4 that we are going to need to take a look at.  First and
foremost is the wonderful land of IP forwarding.  This REALLY needs to be
turned off.  Do an "echo 0 > /proc/sys/net/ipv4/ip_forward" and you have just
turned off IP forwarding.  There are some other things in there that you ought
to take a look at also, such as not accepting bogus ICMP error messages and
checking the local port range for the machine.  Just remember: to turn a
setting on you echo a 1 into its file, and to turn it off you echo a 0 into
it.

E.  Obtain a scanner and learn to use it on your machine.  I would recommend
nmap; it is easy to use and has a large following of developers.  You are
going to need to scan your machine and then learn what the results mean.  At
www.faqs.org you can find the RFC which explains port numbers, and there are
numerous other docs there that are great to use.  With the scanner you can see
if there is anything that you missed.  Trust me, you will notice things that
really shouldn't be there but for some reason are.
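Steps B, C and D above, written up as an added example (this is my code, not
the author's and not part of any tool he names): each step is a shell function
that takes a directory prefix instead of touching /etc and /proc directly, so
the logic can be tried on a scratch tree first and then run as root with the
real paths.  It assumes the SysV layout the text uses (/etc/rc.d/init.d plus
rc[0-6].d link directories) and the Linux /proc/sys/net/ipv4 tree; the knob
for "bogus ICMP error messages" is taken to be icmp_ignore_bogus_error_responses.
The runlevel cleanup matches [SK]NN<name> exactly rather than the text's
rm -rf */*<name>, which also removes any file anywhere under rc.d whose name
merely ends in <name>.  Step E is left out because a scan needs a network.

```shell
#!/bin/sh
# Added example, not from the original post: steps B, C and D as functions
# over a directory prefix, so they can be exercised on a scratch tree.

# Step B: count non-comment inetd.conf lines that run a service through tcpd.
tcpd_wrapped_count() {
    # $1 = path to inetd.conf
    grep -v '^[[:space:]]*#' "$1" | grep -c 'tcpd' || true
}

# Step B: the default-deny policy from the text (everything denied, only
# localhost allowed); the same two echo commands, with the etc dir as $1.
write_wrapper_policy() {
    # $1 = etc directory (/etc for real, a scratch directory for testing)
    printf 'ALL:ALL\n' > "$1/hosts.deny"
    printf 'ALL:localhost\n' > "$1/hosts.allow"
}

# Step C: list the runlevel links that still refer to a service.
service_links() {
    # $1 = rc.d directory, $2 = service (init script basename)
    for link in "$1"/rc[0-6].d/[SK][0-9][0-9]"$2"; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        echo "$link"
    done
}

# Step C: park the init script in init.d/backup and drop its runlevel links.
disable_service() {
    # $1 = rc.d directory, $2 = service name
    mkdir -p "$1/init.d/backup"
    if [ -e "$1/init.d/$2" ]; then
        mv "$1/init.d/$2" "$1/init.d/backup/$2"
    fi
    for link in "$1"/rc[0-6].d/[SK][0-9][0-9]"$2"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        rm -f "$link"
    done
}

# Step D: read or set a 0/1 knob below /proc/sys/net/ipv4 (the echo from the
# text, with the root prefix as $1: "/" for the live kernel).
get_ipv4_knob() {
    cat "${1%/}/proc/sys/net/ipv4/$2"
}
set_ipv4_knob() {
    # $1 = root prefix, $2 = knob name, $3 = 0 or 1
    echo "$3" > "${1%/}/proc/sys/net/ipv4/$2"
}

# Step D: forwarding off, bogus ICMP error responses ignored (assumed knob name).
apply_ipv4_hardening() {
    set_ipv4_knob "$1" ip_forward 0
    set_ipv4_knob "$1" icmp_ignore_bogus_error_responses 1
}

# Stand-alone demonstration on a constructed scratch tree; nothing on the
# live host is touched.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/rc.d/init.d" "$tmp/etc/rc.d/rc3.d" "$tmp/etc/rc.d/rc5.d" \
             "$tmp/proc/sys/net/ipv4"
    cat > "$tmp/etc/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    touch "$tmp/etc/rc.d/init.d/sendmail"
    ln -s ../init.d/sendmail "$tmp/etc/rc.d/rc3.d/S80sendmail"
    ln -s ../init.d/sendmail "$tmp/etc/rc.d/rc5.d/S80sendmail"
    echo 1 > "$tmp/proc/sys/net/ipv4/ip_forward"
    echo 0 > "$tmp/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"

    echo "services wrapped by tcpd: $(tcpd_wrapped_count "$tmp/etc/inetd.conf")"
    write_wrapper_policy "$tmp/etc"
    disable_service "$tmp/etc/rc.d" sendmail
    echo "sendmail links left: $(service_links "$tmp/etc/rc.d" sendmail | grep -c .)"
    apply_ipv4_hardening "$tmp"
    echo "ip_forward is now $(get_ipv4_knob "$tmp" ip_forward)"
    rm -rf "$tmp"
}
demo
```

To use it for real, source the file and call write_wrapper_policy /etc,
disable_service /etc/rc.d <name> and apply_ipv4_hardening / as root; the
/proc settings do not survive a reboot, so the last call belongs in an rc
script as well.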

2.  Host Based Security

	Well, your machine is secure network-wise for the most part; now you are
going to need to take a look at the actual machine itself.  This can be broken
down into a couple of sections: user, filesystem, IO, and other.  You ready for
this?

A.  First things first.  Root, we all have it and we all love it.  Now that we
have that out of the way, how about we go ahead and give it a password that is
very hard to guess.  A simple recipe: make it 10 characters long and mix upper
and lower case letters, numbers, symbols, and control characters.  Once that is
done, you NEVER need to access the root account again.  If you want to be really
crazy go ahead and install sudo (ftp://ftp.cerias.purdue.edu/pub/tools/unix/
sysutils/) on the machine, and then lock the root account.  There are some other
things that you can do to a machine to be crazy, but they require some rewrites
of some of the software that you are going to be using.

B.  Now that the users are good, let's take a look into the file system.  Cat
out /etc/fstab.  Take a look at it; it should say something like:

[emry@mtvernon1 emry]$ cat /etc/fstab
/dev/hda1               /                       ext2    defaults        1 1
/dev/hdc1               /home                   ext2    defaults        1 2
/dev/cdrom              /mnt/cdrom              iso9660 noauto,owner,ro 0 0
/dev/hda7               /usr                    ext2    defaults        1 2
/dev/hda5               /var                    ext2    defaults        1 2
/dev/fd0                /mnt/floppy             auto    noauto,owner    0 0
none                    /proc                   proc    defaults        0 0
none                    /dev/pts                devpts  gid=5,mode=620  0 0
/dev/hda6               swap                    swap    defaults        0 0

Now there are some things that we should do to this machine to make it more
secure.  First of all, the /home partition allows you to create and use suid
programs on it.  That is definitely no good.  Also, where is the /tmp partition?
It is still sitting on root.  Also /var needs to be nosuid, and they all need
to have logging turned on.  /etc/fstab on this machine really should look like:

[emry@mtvernon1 emry]$ cat /etc/fstab
/dev/hda1               /                       ext2    logging         1 1
/dev/hdc1               /home                   ext2    logging,nosuid  1 2
/dev/cdrom              /mnt/cdrom              iso9660 noauto,owner,ro 0 0
/dev/hda7               /usr                    ext2    logging         1 2
/dev/hda5               /var                    ext2    logging,nosuid  1 2
/dev/fd0                /mnt/floppy             auto    noauto,owner    0 0
none                    /proc                   proc    defaults        0 0
none                    /dev/pts                devpts  gid=5,mode=620  0 0
/dev/hda6               swap                    swap    defaults        0 0

You can leave swap alone, but you are definitely going to need to get everything
else set up like this.  This next setup would be an ideal setup for something
like this:

/dev/hda1		/			ext2	logging		1 1
/dev/hda2		/tmp			ext2	logging,nosuid	1 2
/dev/hda5		/usr			ext2	logging		1 2
/dev/hda7		/var			ext2	logging,nosuid	1 2
/dev/hdb1		/home			ext2	logging,nosuid	1 2
/dev/hda6		swap			swap	defaults	0 0
/dev/cdrom		/mnt/cdrom		iso9660	noauto,owner,ro	0 0
/dev/fd0		/mnt/floppy		auto	noauto,owner	0 0
none			/proc			proc	defaults	0 0
none			/dev/pts		devpts	gid=5,mode=620	0 0

Then you would point /var/tmp and /usr/tmp into /tmp with a symlink.  With this 
done you should have some filesystem security that works.
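As an added example (my code, not part of the original write-up), here is a
small auditor for the two rules just given: /tmp, /var and /home should each be
a separate filesystem, and each of them should carry nosuid.  It takes the
fstab path as an argument so it can be run against a constructed copy; the
sample at the bottom mirrors the first fstab above.  It deliberately does not
check for the logging option: logging is a Solaris UFS mount option rather than
a Linux ext2 one (the sort of overlap the author warns about at the top), so
check your own mount(8) before copying those lines.

```shell
#!/bin/sh
# Added example, not from the original post: audit an fstab for separate
# /tmp, /var and /home filesystems that are mounted nosuid.

# Print the mount-option field for a mount point, or nothing when the mount
# point has no entry.  Comment lines and short lines are skipped.
fstab_options() {
    # $1 = fstab path, $2 = mount point
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4 }' "$1"
}

# True when a comma-separated option list contains the named option exactly
# (so "nosuid" does not match "suid" and vice versa).
has_option() {
    # $1 = option list, $2 = option
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Print one line per problem; print nothing when the fstab is clean.
#   separate-partition-missing:<mp>   no entry for the mount point
#   nosuid-missing:<mp>               entry exists but lacks nosuid
audit_fstab() {
    # $1 = fstab path
    for mp in /tmp /var /home; do
        opts=$(fstab_options "$1" "$mp")
        if [ -z "$opts" ]; then
            echo "separate-partition-missing:$mp"
        elif ! has_option "$opts" nosuid; then
            echo "nosuid-missing:$mp"
        fi
    done
}

# Constructed sample mirroring the first fstab in the text: no /tmp of its
# own, and /home and /var mounted with plain defaults.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/hda1               /                       ext2    defaults        1 1
/dev/hdc1               /home                   ext2    defaults        1 2
/dev/cdrom              /mnt/cdrom              iso9660 noauto,owner,ro 0 0
/dev/hda7               /usr                    ext2    defaults        1 2
/dev/hda5               /var                    ext2    defaults        1 2
none                    /proc                   proc    defaults        0 0
/dev/hda6               swap                    swap    defaults        0 0
EOF
audit_fstab "$SAMPLE_FSTAB"
rm -f "$SAMPLE_FSTAB"
```

Run against the live file with audit_fstab /etc/fstab; an empty report means
the three filesystems are laid out the way the text asks for.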

C.  Now, for some other things like $PATH checking: make sure that you don't
have . in your $PATH.  Having it there lets people put insecure versions of
programs that you are going to be using somewhere you will run them, and then
they execute as you.  A kind of funny story about this happened when I was
working at an ISP: a buddy of mine at another one was working with a clueless
admin who had put it into his $PATH.  My buddy, being a little tech support guy
and deemed without the Clue(tm), decided to put a little script called "ls" of
all things in /tmp.  Essentially the script did this:

#!/bin/sh

cp /bin/sh /tmp/.397.4826b
chmod 4775 /tmp/.397.4826b
/bin/ls $1 $2 $3 $4 

which in layman's terms is this: copy a shell to /tmp and call it a name which
makes it look like a pine pid file, make the new shell SUID, and then do the
ls.  Now my buddy had an SUID shell that he could execute at any time.  This
wouldn't have happened if the partition had been secured, or if the admin had a
Clue(tm), but that is another story.
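An added example (my code, not the author's) of the $PATH check the story is
about.  It flags "." and, going a little beyond the text, two things that have
the same effect: an empty component (":/bin", "/bin:" or "/bin::/usr/bin"),
which the shell also treats as the current directory, and any relative
component, which is resolved from wherever you happen to be.  It also reports
listed directories that everyone can write to, since a world-writable
directory on the PATH lets anyone plant an "ls" there just as /tmp did in the
story.  The PATH string is passed in, so constructed values can be tested.

```shell
#!/bin/sh
# Added example, not from the original post: report the ways a PATH can hand
# control to a directory other people can write to.

# Print one line per finding; print nothing when the PATH is clean.
check_path() {
    # $1 = PATH string.  A ':' is appended as a sentinel so the last
    # component (including a trailing empty one) is handled like the rest.
    rest="$1:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}          # component before the first ':'
        rest=${rest#*:}          # everything after it
        case $dir in
            "") echo "cwd-in-path:<empty>"; continue ;;
            .)  echo "cwd-in-path:."; continue ;;
            /*) ;;
            *)  echo "relative-in-path:$dir"; continue ;;
        esac
        # Character 9 of 'ls -ld' output is the other-write bit (drwxrwxrwx).
        if [ -d "$dir" ] && [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
            echo "world-writable-in-path:$dir"
        fi
    done
}

# When run as a script, check the caller's own PATH.
echo "checking PATH=$PATH"
check_path "$PATH"
```

Anything it prints is a directory from which someone else can feed you their
own ls, ps or netstat; remove the component or fix the directory's mode.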

Once your $PATH is secure, let's take a look at some of the programs that get
replaced when script kiddies and real crackers break a machine.  The most often
replaced are: ls, netstat, ps, cat, pstree, chmod, chattr, lsattr, etc.  That is
why you need to do a little chattr'ing of your own.  You are going to want to
chattr +i <filename> each of these and any other programs that you really don't
want to be replaced.  Just make sure that you remember that you did this to
those files.  Otherwise you are going to be reinstalling and you will not be
able to figure out what is going on with them.

Now that they can't remove those files, we are going to need to do something
about the fact that they can still build the programs.  Most Linux distributions
come with gcc installed automatically.  You are going to need to make a group,
so that you need to be a programmer or something akin to that to use the
programming tools.  Or if you want you can lock them down to root, since who
else is going to be installing software?  The ones that you are going to need to
chmod a-rwx are part of this little list: gcc, perl, expect, tcl, tk, g++, etc.
Once you do this it should make it a little harder for those who would want to
root your machine to do so.
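The "make a group" option from the paragraph above, as an added example (my
code, not the author's): it audits the tools in the text's list in a directory
you name and reports any that other users can still execute, or that carry
group execute but belong to some group other than the programmer group.  The
state it checks for is mode 0750 with the group set, rather than a-rwx: a file
with no execute bit at all cannot be run even by root (the kernel requires at
least one x bit before it lets anyone execute a file), so a-rwx means chmod'ing
the tool back before every use.  Assumptions: tcl and tk are taken to mean the
tclsh and wish interpreters, and the chattr +i state is not checked because
lsattr needs a real ext2 filesystem.

```shell
#!/bin/sh
# Added example, not from the original post: audit the permissions of the
# development tools the text lists.

# From the text's list; tclsh/wish assumed for tcl/tk.
DEV_TOOLS="gcc g++ cc perl expect tclsh wish"

# Print the ten-character permission string of a path, e.g. -rwxr-xr-x
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Print the group owner of a path (fourth column of ls -ld).
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Report one line per problem for each tool present in the directory:
#   world-executable:<path>   other users still have execute
#   wrong-group:<path>        group has execute but the group is not $1
audit_dev_tools() {
    # $1 = programmer group name, $2 = directory to inspect (e.g. /usr/bin)
    group=$1; dir=$2
    for tool in $DEV_TOOLS; do
        path="$dir/$tool"
        [ -f "$path" ] || continue              # tool not installed here
        perms=$(perm_string "$path")
        # character 10 is other-execute, character 7 is group-execute
        if [ "$(echo "$perms" | cut -c10)" = "x" ]; then
            echo "world-executable:$path"
        fi
        if [ "$(echo "$perms" | cut -c7)" = "x" ] && \
           [ "$(group_of "$path")" != "$group" ]; then
            echo "wrong-group:$path"
        fi
    done
}

# Stand-alone demonstration on a constructed scratch directory of empty
# files standing in for the real tools; nothing on the live host is touched.
demo() {
    d=$(mktemp -d)
    touch "$d/gcc" "$d/perl" "$d/expect"
    chmod 755 "$d/gcc"          # still world-executable
    chmod 750 "$d/perl"         # group only, but which group?
    chmod 700 "$d/expect"       # root only
    echo "findings against group 'devel':"
    audit_dev_tools devel "$d"
    rm -rf "$d"
}
demo
```

For the real thing, create the group, then for each listed tool run
chgrp <group> <tool> and chmod 750 <tool>; audit_dev_tools <group> /usr/bin
should then print nothing.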

3.  Goofy Questions

Q1.  How can I make my machine more secure than this?

A1.  Well, short of turning it off, unplugging the network connection, and
     destroying the thing, you can go to www.cert.org, www.bugtraq.org, or
     www.attrition.org.  These sites have much information.

Q2.  Wait, isn't there any such thing as perfect security?

A2.  No.  It doesn't exist.  Well, it does but those machines don't really do
     much of anything except become VERY large paper weights.

Q3.  Who are you to talk about this?

A3.  I am a very bored young man who likes to mess with people.  Computer/Info
     Sec is something of a hobby of mine.  Although, my preferences lie more 
     along the Cryptography direction.

-- 
Tighe Schlottog		Sys Admin at large	  /emry\"@"/accessus.net\
                             ook ook
