Google

Another Paper on Linux Security

Another Paper on Linux Security

Contact:[email protected]

Another Paper on Linux Security

13 Aug 98
Last Update 07 Sept 98
Version Beta 0.2

Bronc Buster
[email protected]

------------------------------------------------------------------------

  Another paper on Linux Security? Why? Well most of the ones I've seen
floating around the net are never complete, only someone's tips or 
tricks on how to secure a part of it, or to tweak some daemon or process

or a quick fix to a problem. They never cover from step one, though 
going multi-user and going online with users and user processes and all 
that goes along with it. I want to cover that. I know, no matter how 
hard I try, I'll end up missing something, but I'm going to try and 
cover everything I do when I install a system and prepare it for online 
use, plus cover some free tools that I have found to be very effective. 
Now if you are totally clueless and don't have any idea about how to use

Linux, I'll save you some time and tell you now, just don't go any 
further. To get any use out of this paper, you have to be an 
intermediate user, or a new admin who is familiar with Unix as a whole. 
If you are thinking about going by this list when you are installing 
your system, READ THIS ENTIRE PAPER FIRST, then start over following it,

otherwise you may miss something you might want when you install or when

you pick a kernel.

  I'll say this now before you start. This paper is ongoing, and a
work in progress. I want to make a comprehensive paper, so I welcome all

suggestions, tips and advice on how to make this paper a better one.

------------------------------------------------------------------------
   Contents

1. Installation
2. Boot-Up
3. SUID files and the File System
4. Quotas
5. Logs
6. Access security (remote and physical)
7. Misc. Files
8. Third Party Tools
9. Conclusions


------------------------------------------------------------------------
1. Installation

  This is a step every paper I have seen has over looked. Right from
install you can manage to cut your problems by at least one-third if you
install correctly, installing only what your system needs. Think about 
it. Ask yourself what is this box going to be doing? Is it going to be 
on a LAN as a file server of some sort, or sitting on a direct Internet
Connection as a web server of some sort, or just sitting on your
desk at home running PPP? These are important questions you need to 
answer BEFORE you start your install. 

  If this system is going to be sitting on a rack as a web server, why
would you want to install X-Windows, for example. If you're not going to
use it, you'll most likely overlook it in day to day operations, and
that's something a hacker is going to look for. Along with this comes 
SUID programs, programs you might not even know exist, but programs a 
hacker will head for like a shark for blood. On the other hand, if it's 
on a LAN, where you're going to be at the console, and an X-Windows 
server is necessary, look for other components you won't need, like any 
of the PPP or SLIP components.

If you're not sure, go out and buy a book, or if you're really poor,
borrow a book. Read up on what each component does and why you need it. 
If worse comes to worse, when you are installing, read each section 
before you just go down the line and check off everything. Read the 
parts which you are unsure of and don't install what you think you don't

need. Remember that you can always go back later and add things. The 
Unix file system can be very complex and very deep, and hackers depend 
on this when they are hiding programs and backdoors. The better you 
understand what you have put on your system, the better you will know, 
later on, what should be there and what shouldn't. This also helps out 
later on after you have installed, when you are weeding out potential 
security risks. The less unnecessary stuff on yo4ur system, the less you

have to worry about later on, so take the time now, before an install, 
and go though what you want to install.

------------------------------------------------------------------------
2. Boot-Up

  Ok, so you took a couple hours and got a nice clean install, now 
you're booting up. Hopefully it'll be clean with no errors. If there are

errors, there are the first problems you want to try and solve. In Linux
(Slackware), there is a directory called '/etc/rc.d' that hold the files
that tells the system what to run at boot. This, as you can imagine, is 
a very important directory, as someone who can write to these files can
install a backdoor, or a process that can be harmful to your system.

Back to the errors, and editing each of the files for safety. Most 
people, unless they have experience with Linux, either don't know these 
files exist, don't know what to do with them, or are to scared to touch 
them, thinking back to their uninformed windows95 days, where if you 
touched files that controlled boot-up you might lose everything and have

to reinstall the operating system. Fear not, this is Linux!

showdown:/etc/rc.d# ls -l
total 40
lrwxrwxrwx   1 root     root            4 Jun  5 01:31 rc.0 -> rc.6*
-rwxr-xr-x   1 root     root          396 Oct  2  1995 rc.4*
-rwxr-xr-x   1 root     root         2273 Oct 17  1996 rc.6*
-rwxr-xr-x   1 root     root         1244 May 21  1997 rc.K*
-rwxr-xr-x   1 root     root         3439 Sep 25  1997 rc.M*
-rwxr-xr-x   1 root     root         5054 Jun 16  1997 rc.S*
-rw-r--r--   1 root     root         1336 Jul  9  1997 rc.cdrom
-rwxr-xr-x   1 root     root           52 Jun 12 12:24 rc.httpd*
-rwxr-xr-x   1 root     root         2071 Jul 29 14:19 rc.inet1*
-rwxr-xr-x   1 root     root         2846 Jul  2 20:41 rc.inet2*
-rwxr-xr-x   1 root     root          735 Jun 30 22:10 rc.local*
-rwxr-xr-x   1 root     root         5251 Jun  5 09:23 rc.modules*
-rwxr-xr-x   1 root     root         9059 Aug 23  1997 rc.serial*

Now here is a typical '/etc/rc.d/' directory. Each of the 'rc.*' files
does something specific, depending on the status of the system. Some of
them are self-explanatory, like 'rc.httpd', it's simply starts your 
HTTPD web server. The 'rc.cdrom' loads your CD-ROM drive, if you have 
support compiled into your kernel. 'rc.modules' loads modules, if you 
have any (modules are special drivers or programs that are added at 
boot-time to the kernel, and are not compiled into the kernel. Modules 
are uses for older type NICs, sometimes Modems and other old types of 
hardware.) 'rc.serial' is also used for loading serial devices, like 
modems, printer and other stuff. Most of the 'rc.*' files that have 
proper names, like '.cdrom', '.modules', '.serial' and '.httpd' you 
shouldn't have to mess with, as they are set up automatically by the 
choices you make when you install and select a kernel to boot off of. 
Some of the others control the differences between Single Users Mode and

Multi User Mode, and some of the others control what daemons load up and

what your operating system can do.

  'rc.M' controls the system going to Multi User Mode and loads some of
the other 'rc.*' files if the are supported, like the 'rc.cdrom', etc. 
Go through this file carefully! Anything you know for a fact you don't 
need, EDIT OUT with a '#'. Most likely there won't be too much you have 
to mess with in this file, but you will in the others. Go down the list 
in the 'rc.M' file and look at each of the other 'rc.*' files it runs. 
Then go though each of these files and repeat the process.
  
 For example, say you are going through your 'rc.inet2' file and you 
know you don't need any 'rpc' services and you don't want your 
portmapper to run, so you want to edit this out so it won't start up.

#This is how it looks normally. To edit it out, use the '#'

-- snip ----
# Start the SUN RPC Portmapper.
if [ -f ${NET}/rpc.portmap ]; then
   echo -n " portmap"
   ${NET}/rpc.portmap
fi
-- snip ----

#Here is the correctly edited version

-- snip ----
# Start the SUN RPC Portmapper.
#if [ -f ${NET}/rpc.portmap ]; then
#   echo -n " portmap"
#   ${NET}/rpc.portmap
#fi
-- snip ----

  It is important to edit it all out, from the starting 'if' all the way
down to the corresponding 'fi' at the end, otherwise you'll end up with
errors. I could go through each of the files and programs started in 
each of the 'rc.*' files, but only you know which ones you are going to 
need, depending on the type of server you are going to run. Just 
remember, you have to assess what you need to get the job done, and then

remove the rest. If you're not sure what each program does, try doing a 
net search, then reading on what each program does and then assessing if

you need them or not.

The 'rc.local' file is also an important file in the 'rc.d' directory, 
it has any files or program you want to add to be started at boot time. 
You can put any sort of things in here as you will see when I add one a 
bit later.


------------------------------------------------------------------------
3. SUID files and the Filesystem

  Before a single user steps fourth into my system, I make sure I find, 
and isolate all, I repeat ALL, SUID files on the entire system. First, 
you need to find all the SUID files. These series of commands will show 
you where they all are:

find / -perm 4000 >> suid.txt
find / -perm 4700 >> suid.txt
find / -perm 4777 >> suid.txt
find / -perm 4770 >> suid.txt
find / -perm 4755 >> suid.txt
find / -perm 4750 >> suid.txt
find / -perm 4751 >> suid.txt
find / -perm 4500 >> suid.txt
find / -perm 4555 >> suid.txt
find / -perm 4550 >> suid.txt
find / -perm 4551 >> suid.txt

  Now all you have to do is take a quick look into `suid.txt' and you'll

have the paths to all the SUID files on your system. On some systems, a 
simple `find / -perm 4000 -print >> suid.txt' or 'find / -perm +4000 
-print >> suid.txt' command will do the same thing as all the commands
above, but then again I've had a system in  which it didn't show all the
SUID files for some reason. So to be safe I use a simple script in which
it just runs all these commands at once so I don't have to sit around
typing them all (call me anal).

  After you have located all the SUID file, now you have to go though 
all these files and decide which files you need, and which you want your

users to have access to. On my systems, I leave the following files 
SUID, and `chmod 000' the rest of them.

passwd
ping
traceroute
screen
su

  All other files that may be SUID, users have no business using, unless

you are going to run some sort of NFS or an X Server. Keep the list of 
SUID files in your home directory so you can remember later where they 
are if you need to use one. The rest of these SUID files, I move and put

them in the same directory, so I can keep track of them. Mine are in 
`/usr/local/bin' or in `/bin' so that they stay in the users $PATH. 
Later on I'll go into replacement programs for some of these that are 
even more secure. Remember again, it is up to you, the admin, to decide 
what programs you want users to have access to!


------------------------------------------------------------------------
4. Quotas

  I always use quotas! Unless your are a normal ISP, or have some reason

to limit the amount of space each user is allowed to use, most people 
don't bother with quotas. Well that's the wrong attitude and the wrong 
answer. Quotas can totally save your system from getting trashed and 
hosed from an ignorant or destructive user. Quotas not only control how 
much space a user is allowed to use on your system, but it also controls

the total number of files (inodes) they are allowed to have as well. 
Think about a user who makes a loop that makes directory after directory

or 1-byte file after 1-byte file? They could not only eat up all the CPU

and memory, but fill up your drive. A smart set quota can not only stop 
this before it happens, but stop someone who might not have any quota 
from also filling up your hard drive with garbage files. I've tested a 
Linux 3.0 system (Slack), 2.0.20 kernel, filling its hard drive as full 
as it could go, and upon crashing when any command is input, it would 
not boot upon shutting it down and turning it back on. 

  To set up quotas on your system, simply select it when you are 
installing your system. It will install the quota set, which includes 
all the programs needed to get them working. Later on you MUST recompile

your kernel to support quotas, otherwise they won't work. No, I'm not 
going to go into how to compile you kernel. They have very long HOW-TO's

on how to do it (do a `find' for Kernel-HOWTO.tar.gz). 

  Once quota support is added to your kernel, add these lines to your 
`/etc/rc.local' file at the end:

# Quota support and file checks
if [ -x /usr/sbin/quotacheck ]
   then
      echo "Checking quotas. This may take some time."
      /usr/sbin/quotacheck -avug
      echo " Done."
fi

# Turning ON quotas
if [ -x /usr/sbin/quotaon ]
   then
      echo "Turning on quota."
      /usr/sbin/quotaon -avug
fi

# Done


  Once you reboot, `quotacheck' will first check your file system and 
make sure no one is over quota, along with other house keeps operations,

then `quotaon' will turn on quota support for your system. A simple 
command of `quota user' will give you the quotas for a user, or `quota 
group' will give you a set quota for a group. To change a quota, issue 
the command `edquota [user] or [group]'. This will open a temp file with

your editor, as specified in your `.profile', and give you power to 
change a user, or groups quota. For example:


showdown:/admin/bronc# edquota tidepool

Quotas for user tidepool:
/dev/hda1: blocks in use: 279, limits (soft = 10000, hard = 15000)
        inodes in use: 35, limits (soft = 1300, hard = 1500)


  From here you can see that this users quota on hda1 is 10megs soft, 
and 15megs hard. Which simple gives the user a grace period to go over 
their quota. If they stay over their quota over the grace period (I use 
10 days), when they login they can't do anything, except delete files. 
The same goes for their files, or inodes. You can set a soft and hard 
limit on these as well. If these are set to `0' then they have no limit 
(bad idea). 

  You can use quotas in various ways to secure against on system 
attacks, and your hard drive getting filled up. If you want to get more 
in depth, try `man quota'. It can tell you it's other functions, how to 
manually start and stop this service and where the quota information is 
stored on your system.


------------------------------------------------------------------------
5. Logs

  One of the most important parts of being a good system admin is 
regularly reviewing the systems logs, but if you don't know where they 
are, or what you are logging what use are they? This is a very important

section and I urge you to read it thoroughly! The only way you are going

to see if you are being probed for an attack, or if someone has been 
attacking you is by checking the logs.

  So where are the logs and how is information sent to them? Well on a 
Linux system, they are located in a directory called `/var/adm/' or in a

directory called `/var/logs' but usually they are linked together. By 
default, there are only two logs, `syslog' and `messages' but we need to

make more. Logs are made from two daemons, `klogd' and `syslogd'. 
`klogd' intercepts and logs Linux kernel messages, while `syslogd' logs 
all system messages. These are system daemons which are automatically 
started by your `rc.*' files upon boot. To configure what you log, you 
must edit a file called `/etc/syslog.conf', this file tells what 
`syslogd' is to log, and where it is to put it. Here is how I have mine 
set up:


# /etc/syslog.conf file
# for more information about this file, man `syslog.conf' or `sysklogd'
#
# Modified by Bronc Buster
mail.none;*.=info;*.=notice                     /usr/adm/messages
*.=debug                                        /usr/adm/debug
*.err                                           /usr/adm/syslog
*.=alert                                        root,bronc
*.=emerg                                        root,bronc
authpriv.*;auth.*                               /admin/bronc/auth.log
authpriv.*;auth.*                               /var/log/secure
mail.info;mail.notice                           /var/log/maillog
daemon.info;daemon.notice                       /var/log/daemon.log
*.*                                             /dev/tty12

# EOF

  Ok, if you don't know how this file is formatted and what phrases to 
use here, read up on the man page, `man syslog.conf'. I don't want to go

through and waste two or three pages on explaining it. Lets go through 
my file line by line and see how it works. I wanted to make my logs 
simple, easy to understand and be specific as to what they have in them.

First, my `messages' file was getting full of junk errors from my mail 
program, so I went and took out all messages associated with mail; i.e. 
`mail.none'. Then I wanted all messages at the `info' or `notice' level 
to be placed into it, so I added that into the same line as well. Next, 
I wanted all `debug' messages, sent to their own file, as well as all 
`err' (error) messages. Any `alert' or `emerg' (emergency) messages I 
wanted sent to the console or the terminal I was logged on, so I would 
know about them as soon as possible. The nest two lines have to do with 
connections and possible logins. I wanted to have a file that had 
nothing but who and when, so I could easily check out who logged in and 
when, and I also wanted an extra copy put in my own home directory so 
incase someone somehow edited it and took themselves out, I'd still have

my own copy plus when I wanted to take a look at it, it was easily 
viewable. That's what the lines with the `authpriv' and `auth' are 
doing. The first one puts the log in my directory, the second in the 
normal logging directory. The next line deals with all the mail messages

that I took out of the first `messages' file and puts them in their own 
log file. Nothing but mail here, so there is nothing else in there to 
confuse you. The `daemon' line logs all messages regarding the system 
daemons, and, like the mail line above, nothing else so there is nothing

to get confused over. The last line is also a very important one. It 
sends all logs to /dev/tty12, so even if your logs were to get deleted, 
from the console you can hit Ctrl-F12 and see the last page of messages 
so you can get an idea of what happened. These different logs each cover

a different aspect of your system, and keep them unscrambled and easy to

read through. Remember, the easier the better.

  If I had another box I could use, I would also pipe all the logs off 
my box to the other box. With syslog, you have the option of sending all

the logs off your box for remote logging. You could put a poor old 386, 
with Linux, on your network with nothing running but `inetd' and 
`syslogd' and send all your systems logs over to it with this simple 
line in your `syslog.conf':


# log ALL                       other boxes IP number
#
*.*                             @

 
  Now that your main system logs are secure, what about other log files?

You still have `/var/log/wtmp' and `/var/log/utmp', plus each users 
shell histories. Because on some systems, `cron' archives your system 
logs, you normally can't `chattr' them, or mess with them much, but you 
can on the other logs. `chattr' changes a files attributes on an EXT2 
file system, like you are using on your Linux system. With this command,

you can make a file so it can't be deleted or edited, except to be 
appended (`man chattr' for more info on this useful command). This magic

command can make the `wtmp' and `utmp' file so it can only be appended 
to, and so it can't be deleted or changed so as to show a user never 
logged on, or where they logged on from. With this same command, you can

also fix all the users shell histories. Normally, any shell histories 
made by each user, are owned by each user, making them totally useless 
as a skilled user will first thing, link it to `/dev/null'. By using the

`chattr +a' option of the `chattr' command on `wtmp', `utmp' and each 
users shell histories, you can track down problems quickly. I don't know

how many troublesome users I have tracked down simply going into their 
shell histories and looking for problems they have caused. Like here is 
an example:

--- snip ---
gcc smurf.c -o smurf
smurf 
smurf 
gcc octpuss.c -o octop
octop 
ping 
ping -s 2000 
rm smurf* 
rm otc*
rm .bash_history
rm .bash_hirtory
vi .bash_history
exit
logout

  This, soon removed user, was using denial of service attacks to attack

another system, and in return they were attacking us. Users like this 
can get you, the admin, in hot water and need to be removed as soon as 
possible. If it wasn't for the fact I `chattr +a' all the users shell 
histories, I never would have tracked it down to a specific user. When I

add a user, I use a modified the `adduser' script so it automatically 
`chattr +a' their shell histories. To do the same, simply open the 
`adduser' script with an editor and add these lines at the end:

# chattr +a users shell histories
if [ -d $HME ]; then
  chmod 711 $HME
  cd $HME
  /bin/touch .bash_history
  /bin/chown $LOGIN:users .bash_history
  /usr/bin/chattr +a .bash_history
  /bin/touch .ksh_history
  /bin/chown $LOGIN:users .ksh_history
  /usr/bin/chattr +a .ksh_history
  /bin/touch .sh_history
  /bin/chown $LOGIN:users .sh_history
  /usr/bin/chattr +a .sh_history
fi


  You need to keep close tabs on your log files, they are your eyes and 
ears of your system. You need to make them secured, easy to read and 
make sure they cover all aspects of what the system logging daemons can,

and are logging.
 

------------------------------------------------------------------------
6. Access Security (remote and physical)

  Access is an often-overlooked part of the total security picture. Both

remote and physical access must be dealt with. It takes more than a 
strong password to keep people off your system, you have to know what 
files to use to control access even if someone were to get a valid login

and password. There are files in your system that can gratefully help 
and give you stronger control over who connects, as there are also files

that don't exist and that you need to make that can also help with local

controls as well. Here are the files we are going to cover then we will 
go onto physical access controls:

/etc/suauth
/etc/ftpaccess
/etc/hosts.deny
/etc/hosts.allow
/etc/securetty


  First, `suauth', it is the file that controls who is allowed to use 
the `su' (Switch User) command. This command, as you know, lets you 
become a root user, or lets you become any other user for that matter 
and is SUID, so you want to keep a tight grip on who is allowed to use 
it. The `suauth' file has a certin format, being:

TO:FROM:ACTION

  Simple looking enough. The `TO' field tells what user you are going 
to, in this case, say `root'. The `FROM' field controls which user or 
group is being applied to go `TO' root. The `ACTION' tells what to do in

each case. `ACTION's that can be used are, `OWNPASS', `DENY' and 
`NOPASS'. Here is a clipping out of the `suauth' man page so you can get

a better feeling of how these all tie together.

       
       # A couple of privileged usernames may
       # su to root with their own password.
       #
       root:chris,birddog:OWNPASS
       #
       # Anyone else may not su to root unless in
       # group wheel. This is how BSD does things.
       #
       root:ALL EXCEPT GROUP wheel:DENY
       #
       # Perhaps terry and birddog are accounts
       # owned by the same person.
       # Access can be arranged between them
       # with no password.
       #
       terry:birddog:NOPASS
       birddog:terry:NOPASS
       #

  On my system, I have done what is in the second example. I edited the 
`/etc/group' file and added another group called `wheel'. This group is 
somewhere between the group `users' and `root', and I then added the 
users to this group that I wanted to be allowed to `su'. In the `suauth'

file, I simply told it not to allow anyone to `su' unless they are in 
the group `wheel'. One down. Need any more help, try `man suauth'.

  Next is the `ftpaccess' file. This file controls a lot of stuff 
regarding your ftp services, like who can upload and download, if 
anonymous connections are allowed and if there are any hosts you don't 
want connecting at all. Because this file controls so much, I'm only 
going to get into how to block hosts from connecting, as I am dealing 
with access control, so for more information on how to set up other 
features in this file, as always `man ftpaccess'. Now this file has a 
simple rule set, and is not very picky in where you place things in it. 
For example, if we were going to add someone to our deny list, we could 
add it at the very top, the middle or the end and it won't care. I 
usually add them to the bottom as you want room to keep adding. The 
format is a very simple one, `deny  '. Here 
is how mine looks:

# deny these domains from getting on my FTP site
#
#deny      host                    path to nasty message
#
deny    *.sekurity.org                /etc/msgs/msg.dead
deny    *.303.org                     /etc/msgs/msg.dead
dent    *.tacd.org                    /etc/msgs/msg.dead
deny    *.dim.com                     /etc/msgs/msg.dead
deny    *.comsite.net                 /etc/msgs/msg.dead
deny    su1d.technotronic.com         /etc/msgs/msg.dead


  I think it's very easy to understand the format of this file, except 
maybe the last part, `/etc/msgs/msg.dead'. This is simply a path to a 
text file you want to be shown the person who is denied. Anyone 
connecting and getting access into the system, or getting denied, will 
show up in your log files (/var/logs/secure) so remember to check them 
from time to time if you notice any funny activity.

  The `hosts.deny' and `hosts.allow' files work hand in hand with each 
other and are, by default, used on almost all-modern versions of Unix. 
These files work in conjunction with TCP Wrappers, which you are most 
likely using now if you know it or not. TCP Wrappers, in brief, is a 
program called `tcpd'. From the man page, it monitors incoming requests 
for telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, comsat and other

services that have a one-to-one mapping onto executable files. What does

that mean? Well in short, it watches programs that are in your 
`/etc/inetd.conf' file which are the programs that are started by 
`inetd' when in incoming request asks for an assigned program it watches

for. The `tcpd' program is put into the `inetd.conf' file in place of 
the normal programs and whenever a request for service arrives, the 
inetd daemon is tricked into running the `tcpd' program instead of the  
desired server. `tcpd' logs the request and does some additional checks.

When all is well, `tcpd' runs the appropriate server program and goes 
away. If you look at your `/etc/inetd.conf' file a line should like 
similar to this:


smtp  stream  tcp     nowait  root    /usr/sbin/tcpd  sendmail -bs


  Here you can see that my `tcpd' is started, instead of sendmail, when 
an incoming request it sent to my smtp port. `tcpd' then logs the 
request and checks your `hosts.deny' and `host.allow' files. The 
`hosts.*' files do what their names suggest. They allow, or deny 
connections. Their formats are very easy to use; Connection:IP address.


showdown:~$ cat /etc/hosts.deny
ALL:  130.85.3.8
ALL:  207.172.56.57


  Here I am blocking ALL connections from these two IP numbers. If I 
wanted I could block the entire class C, or change it to a domain and 
block that. You can put as many IP in here as you want, or if you are 
super paranoid, you can even put `ALL:ALL' and deny all connections.

  If you deny everyone, you can then select hosts to allow connections 
from. This is when you would use your `hosts.allow' file. It has the 
same format as the deny file, but unless you deny `ALL:ALL' I've never 
had to use it. But whose to say what your security needs are. Maybe you 
only want a select few people to be allowed to connect to your box. If 
so this is how you would do it. As most of the other files, they can 
also be tweaked a bit more and have other options. To get more 
information on them, `man tcpd'.

  Lastly, we will go over another simple, but surpassingly often 
overlooked file. The `/etc/securetty' file simply controls where `root' 
can log in from. As it comes default, it allows root to log in from any 
tty, local or remote. Here is the default:


console
tty1
tty2
tty3
tty4
tty5
tty6
ttyS0
ttyS1
ttyS2
ttyS3
ttyp0
ttyp1
ttyp2
ttyp3


  That's all it is. If you had no idea what this file did how would you 
know (`man securetty' maybe)? These are the `/dev/tty's that are on your

system, remote and local. The `ttyp*' and the `ttyS*' are remote, and 
the rest, as you can guess are local at the console. You, I hope, want 
to keep anyone from logging on as `root' anywhere, except from the local

tty's. To do this, simply edit this file and comment out all the remote 
tty's with the `#' like so:

#Keep root from logging on with a remote /dev/tty
console
tty1
tty2
tty3
tty4
tty5
tty6
#ttyS0
#ttyS1
#ttyS2
#ttyS3
#ttyp0
#ttyp1
#ttyp2
#ttyp3


  That's that for remote access security. Now I'll move onto physical 
access. Now most places your box is going to be will be secure by the 
nature of place it is. If it is at your ISP, then most likely it is 
secure. If it's co-located, the people at your ISP most likely know you 
and know you box, plus if your box is with theirs, I'm sure they don't 
want anyone back with their machines as much as you don't. If It's on a 
LAN, keep it locked in your office, or if that's not possible, try and 
keep it under a desk or on the floor out of the way where no one will 
notice it. While you can't count on `security through obscurity' online,

in physical access you want to use it. My box at my ISP is on the bottom

rack next to 4 other machines that look similar to mine, all with no 
monitors and only keyboards attached (for remote reboots). There are no 
labels or any identifying marks at all. It is out of the way and very 
inconspicuous. If someone is going to go into the place your box is 
stored, you don't want to make it easy to identify, or find for that 
matter. Make them have to hook up a monitor and check each box until 
they find yours. Hopefully they will get discouraged or get cough by 
then. 

  A very important note and common sense: NEVER walk away from the 
console and leave root logged in, or any user for that matter. Log out, 
or lock the terminal!

  As far as other physical security measures, well if it's sitting in 
your house, what can you do besides lock your doors. If it's at your 
ISP, you have to rely on them. If it's at work, keep it out of sight or 
locked up. Just be smart. Keep the console locked. Don't leave a monitor

hooked up to it if it's not at your house. If someone wants to get to 
it, it's not like it's going to be kept in some top-secret lab 
somewhere, they are going to get to it. If they do, try and make it so 
the most damage they can do is to simply turn it off.


------------------------------------------------------------------------
7. Misc. Files

  Now I am going to cover the other files around the system that don't 
fall under the other categories I've went through so far. There are only

a few, but they are an important few. These files are:

/etc/inetd.conf
/etc/services
/etc/nologin
/etc/issue.net and /etc/issue
/etc/passwd
/etc/shadow
/etc/group

  First, the `inetd.conf' file. This file is the configuration file for 
your `inetd' daemon. This daemon listens for connections on certain 
ports for and then decides what service to invoke, if any as told to it 
by the `inetd.conf' file. As you can imagine, this is an important file 
as whatever services are in it can be invoked by it. As default, all the

services in it are open. I guess the writers of it though we were living

in lollypop land and everyone was friendly, but unfortunately it's not. 

  To edit this file, as with the ones before, you use `#'. You're 
`inetd.conf' file should look similar to this one before being edited:


-------- snip ---------

# The first 4 services are really only used for debugging purposes, so
# we comment them out since they can otherwise be used for some nasty
# denial-of-service attacks.  If you need them, uncomment them.
 echo          stream  tcp     nowait  root    internal
 echo          dgram   udp     wait    root    internal
 discard       stream  tcp     nowait  root    internal
 discard       dgram   udp     wait    root    internal
 daytime       stream  tcp     nowait  root    internal
 daytime       dgram   udp     wait    root    internal
 chargen       stream  tcp     nowait  root    internal
 chargen       dgram   udp     wait    root    internal
time    stream  tcp     nowait  root    internal
time    dgram   udp     wait    root    internal
#
# These are standard services.
#
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd -l -i -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
#
# Use this one instead if you want to snoop on telnet users (try to use 
this
# for ethical purposes, ok folks?) :
# telnet stream  tcp     nowait  root    /usr/sbin/tcpd 
/usr/sbin/in.telnetsnoopd
#
# This is generally unnecessary.  The daemon provided by INN will handle

the
# incoming NNTP connections.
 nntp  stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
#

----- snip -----

smtp  stream  tcp     nowait  root    /usr/sbin/tcpd  sendmail -bs
#
# The comsat daemon notifies the user of new mail when biff is set to y:
comsat        dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#
# Shell, login, exec and talk are BSD protocols.
#
shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd -L
login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
# Kerberos authenticated services
#
# klogin    stream  tcp     nowait  root    /usr/sbin/tcpd  rlogind -k
# eklogin   stream  tcp     nowait  root    /usr/sbin/tcpd  rlogind-k -x
# kshell        stream  tcp     nowait  root    /usr/sbin/tcpd  rshd -k
#
# Services run ONLY on the Kerberos server
#
# krbupdate stream  tcp     nowait  root    /usr/sbin/tcpd   registerd
# kpasswd   stream  tcp     nowait  root    /usr/sbin/tcpd  kpasswdd
#
# Pop et al
#
 pop2  stream  tcp     nowait  root    /usr/sbin/tcpd  in.pop2d
 pop3  stream  tcp     nowait  root    /usr/sbin/tcpd  in.pop3d
# The ipop3d POP3 server is part of the Pine distribution.  If you've
# installed the Pine package, you may wish to switch to ipop3d by 
# commenting out the pop3 line above, and uncommenting the pop3 line 
below.
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap2   stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
 uucp  stream  tcp  nowait  uucp /usr/sbin/tcpd /usr/lib/uucp/uucico-l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." 
#
 tftp  dgram   udp     wait    nobody  /usr/sbin/tcpd  in.tftpd
# bootps dgram   udp  wait root /usr/sbin/in.bootpd     in.bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable

# some or all of these services to improve security.
# Try "telnet localhost systat" and "telnet localhost netstat" to see 
# that
# information yourself!
#
finger  stream  tcp     nowait  nobody  /bin/sbin/tcpd  in.fingerd
systat  stream  tcp     nowait  nobody  /usr/sbin/tcpd  /bin/ps -auwwx
netstat stream  tcp     nowait  root    /usr/sbin/tcpd  /bin/netstat-a
#
# Ident service is used for net authentication
auth stream  tcp  wait root /usr/sbin/in.identd in.identd -w-t1 20 -l
#
#
# These are to start Samba, an smb server that can export filesystems to
# Pathworks, Lanmanager for DOS, Windows for Workgroups, Windows95, 
#Lanmanager
# for Windows, Lanmanager for OS/2, Windows NT, etc.  
# If you're running smbd and nmbd from daemons in /etc/rc.d/rc.samba, 
#then you
# shouldn't uncomment these lines.
 netbios-ssn     stream  tcp     nowait  root    /usr/sbin/smbd  smbd
 netbios-ns      dgram   udp     wait    root    /usr/sbin/nmbd  nmbd
#
# Sun-RPC based services.
# 
# rstatd/1-3 dgram rpc/udp wait root    /usr/sbin/tcpd  rpc.rstatd
# rusersd/2-3 dgram rpc/udp wait root    /usr/sbin/tcpd  rpc.rusersd
# walld/1   dgram   rpc/udp wait    root    /usr/sbin/tcpd  rpc.rwalld
#
# End of inetd.conf.


  This is a cut down version, but should look very similar to yours. You

need to take some of these services out; the ones you don't use and the 
ones you don't need. Some of them tell you what they are used for, 
others don't. You need to go through and see what services you need, and

what you don't.

  For a normal server, I have almost all these services edited out, as 
they are not used or pose security risks. Here are the services I left 
open in mine:

time    stream  tcp     nowait  root    internal
time    dgram   udp     wait    root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd -l -i -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
smtp    stream  tcp     nowait  root    /usr/sbin/tcpd  sendmail -bs
talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
auth  stream  tcp wait root  /usr/sbin/in.identd  in.identd -w -t1 20 -l

  All the other services I don't use, or can do without. These are 
essential services that are needed for a server that has users on it. 
These are services they need so they may connect, send mail, and other 
basic user activities (ftp, telnet, smtp, talk, ntalk), plus a few other

to help me verify connections (auth). All the others you can edit out 
without fear of cutting off users or hurting the system.

  I also modified my finger service a bit. I usually have it turned off,

but for fun I did this:


finger  stream  tcp     nowait  nobody  /bin/cat cat /etc/finger.txt


  All this does is, instead of returning the normal `finger' 
information, is echo a file, the file `/etc/finger.txt', back to the 
person who has fingered your system. You can put whatever you want to be

in the `finger.txt' file, so have a bit of fun with it :).

  The `/etc/services' file lists the ports on your system that have 
services connected to them. Think of them like a bunch of open windows 
that you can go through. You want to close all the windows you're not 
using or watching because most remote exploits are run on ports that are

running some obscure service that no one thinks about or uses. If you 
take a look at this file, you'll see it's quite large. It lists port 
numbers with the protocol and the service on each port. You can also 
edit out ports with the `#' in this file. Here is the man pages 
definition: `services' is a plain ASCII file providing a mapping between

friendly textual names for internet  services,  and  their underlying 
assigned port numbers and protocol types. Every networking program 
should look into this file to get the port number (and protocol) for its

service. 

  Instead of showing you all the ports, I'll show you what ports I have 
open, and you can see how they correspond to my `inetd.conf'.


netstat         15/tcp
ftp             21/tcp
ssh             22/tcp          #Secure SHell
telnet          23/tcp
smtp            25/tcp          mail
time            37/tcp          timserver
time            37/udp          timserver
whois           43/tcp          nicname
finger          79/tcp
www             80/tcp          http    # WorldWideWeb HTTP
www             80/udp                  # HyperText Transfer Protocol
auth            113/tcp         tap ident authentication
talk            517/udp
ntalk           518/udp


  As you can see, the majority of the ports do not need to be open. You 
need to run the minimum number of ports to get the job done. If you're 
not sure if what a port does, try using `man' and checking what the 
service is. You can even block a port and see how it goes, then, if 
needed, come back and unblock it later. One note you want to remember. 
If the service is open in the `inetd.conf' file, then you also want it 
to be open in this file as well.

  The next file is `/etc/nologin'. This file may be useful when you need

to lockdown the system to find a problem where you need all the users 
off the system, track down a problem user or stop a hacker in progress. 
By simply making a file called `nologin', or what is commonly done is 
`mv'ing the `motd' file, no non-root users will be allowed to log on to 
the system. The system will let them log on, it will then echo to them 
whatever is in the `nologin' file, then terminate their connection. 


  The `/etc/issue.net' and the `/etc/issue' files can be important in 
taking away a good way of getting information on your system. A lot of 
people will simply telnet to a system and look at the login prompt to 
see what type of operating system is running. By changing the `issue' 
file instead of telnet showing this:


Welcome to Linux 2.0.35.
Showdown login:_

 
  You can make it show whatever you want. Both of these files are plain 
ASCII files. Simply edit it and put in whatever you want:


\__ ^^ __/     
   X  X 
   \  /                     
    \/

Welcome to eLe3t mIcRoSoFt uNiX v6.66
Showdown login:_


  The `/etc/passwd', `/etc/shadow' and the `/etc/group' files I hope you

already know are very important files. They hold the power is the system

and tells the system, who is who and who has the power to do what. I 
hope, as you are the admin of a box, you know how important these files 
are. You need to insure the passwords are strong, that there are no 
users with no passwords, there are no other users except root with the 
UID of 0 and that the permission on the files are set correctly. By 
default the permissions are correct, so don't change them. The Shadow 
Suite takes good care of things though security wise, so besides these 
simple things, you don't have to worry much about them. Take a chance to

look through all three of these files and familiarize yourself with them

so you can spot a problem if one were to appear.


------------------------------------------------------------------------
8. Third Party Tools

  Well this part I threw in because I have found some free tools 
floating around the net that are extremely useful. Some of these tools 
are `must gets'.


SSH 

  If you are not running SSH, you need to be. SSH uses keys, similar to 
PGP, to authenticate logins and then encrypts the session both to and 
from the server. Someone running a network packet sniffer can very 
easily capture logins and passwords from another unsecured machine on 
your LAN, but not if you use SSH. Most newer SSH clients support vt100 
and all the cool ASCII colors, and such so by getting it, you're not 
losing anything, but your gaining a piece of mind and some real 
security. 

  You can get SSH and read more about it at:

SSH FAQ's - http://www.uni-karlsruhe.de/~ig25/ssh-faq/
FiSSH, Free SSH Win95/NT client - http://www.massconfusion.com/ssh/
SSH Club FI - http://www.cs.hut.fi/ssh/


Sentry

  Although still in Beta form, this is a super useful program I now run 
on all my systems. Here is a clipping from its README file to briefly 
tell what it does:

The Sentry is part of the Abacus Project suite of tools. The Abacus 
Project is an initiative to release low-maintenance, generic, and 
reliable host based intrusion detection software to the Internet 
community. 

  This program listens to ports, you designate, and takes actions 
depending on different rules you set for it. This is to give you a heads

up that someone may be probing your system, or launching DoS attacks 
against it. It can log the activity, can add the offending hosts to the 
`/etc/hosts.deny' file, the local system can be automatically re-
configured to route all traffic to the target to a dead host to make the

target system disappear and it can also be re-configured to drop all 
packets from the host via a local packet filter.

  All and all it's a program I think you need to install, understand and

use.

  You can get more information and get Sentry at:

Sentry Abacus Project - http://www.psionic.com/abacus/abacus_sentry.html


Logcheck

  This tool is also part of the Abacus Project and is a must get. When 
used in conjunction with SSH and Sentry, it can keep you easily informed

to the happenings around your system. This program, via cron, checks 
your logs on a timed basis looking for certain key words that can 
trigger a level of alert. Like Sentry, you set the rules as to what it 
looks for and what it does, and it's easily configurable. It can do 
simple things like e-mail you, or echo to your console or even shut down

the system depending on what rules you give it.

  You can get more information and get Logcheck at:

Logcheck Abacus Project -
http://www.psionic.com/abacus/abacus_logcheck.html


Secure Ping v1.0

  This is a secure replacement for the normal `ping' program on your 
system. `ping' is often abused by users trying to icmp other hosts with 
the feared pings-of-death and the like. This program limits both users 
and root as to the sizes of packets and the number of packets that can 
be sent. If someone tried to abuse Secure Ping, it simply tells the user

to take a hike and then sends a line to the log files which Logcheck 
then picks up later and tells you about.

  You can get more information and get Secure Ping at:

Secure Ping - http://www.sy.net/security


Smurf Logger v1.1

  This program does what its name says. It logs ICMP Smurf attacks. 
Unlike a normal ICMP Ping logger, this won't fill up your hard drive 
with meg after meg of logs. It logs repeat attacks with one line. This 
is also a nice program to have so you can see if your box is getting hit

or not, and then take actions to block it at the router level.

You can get more information and get Smurf Logger v1.1 at:

Smurf Logger - http://www.sy.net/security


Tripwire

  Tripwire is a tool to use just incase your system has been breached. 
Once installed correctly, with a correct config file, this program will 
look at all the files on your system, see their sizes and their dates 
then, whenever you want, will recheck them to see if they match. This is

a good way to find out if a file has been tampered with, trojened or 
backdoored. The only draw back is that you need to keep a read-only 
floppy in the floppy drive.

  You can get more information and get Tripwire at:

COAST Archives - ftp://coast.cs.purdue.edu/pub/COAST/Tripwire


Lsof

  This handy file checks for files on the system that are open. They can

either be legit files that are opened, like eggdrop files, or they can 
be files that someone `forgot' to close and is eating up 100% CPU. This 
is another handy file to have in your arsenal.

Prudue Unix Tools - ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/



  Well I know there are a ton of other programs out there floating all 
over the net that, and maybe there are some that do a better job then 
these do, but these are the ones that I use and the ones I have found 
that work and are easy to use. As new program come out everyday, you 
have to keep on the lookout for what's new, and look for what's best for

your needs.



------------------------------------------------------------------------
9. Conclusions


  Well, as you can see by the shear length of this paper that security 
for an operating system like Linux is not as simple as it may look. This

paper has only touched on the basics of a lot of things you must know 
and get familiar with. This paper, if in depth, could of gone on to be a

book (and I could of charged $50, hehehe), but as with all good papers, 
it's a work in progress. 

  The bottom line is you have to plan what your needs are going to be. 
You must implement you system to meet your needs, and then you have to 
be alert. The admin of a system is the bottom line when it comes to 
security. The admin must stay alert and watch his system, he must watch 
the security posts and mailing lists and must keep informed when new 
patches, kernels and programs come out. An admin must also keep their 
up-streams informed as well, and stay in good contact with them so they 
may trade valuable information with you so you both know what is going
on. 
Heck, you can go on forever about what a good sys admin has to do to 
keep a secure system, but you have to start with knowing your system. I 
hope this paper has helped.

------------------------------------------------------------------------



[EOF]

check out the underground -- http://www.legions.org


Back to the Index