Applying a security update once, right after installation, is not sufficient. You
need to do this on a regular basis, or you will end up with insecure
software installed on your system.
Avoid any network service that sends or receives passwords in cleartext over
the network, such as FTP, Telnet, NIS and RPC. The author recommends that
everybody use ssh instead of telnet and ftp.
Likewise, do not use NIS, the Network Information Service, if you can avoid
it, because it shares the password database across the network. This can be
highly insecure if your setup is broken.
Last, but not least, disable RPC wherever possible. Many security holes in
this service are known and are easily exploited. On the other hand, NFS (which
depends on RPC) is quite important in some networks, so find a balance between
security and usability for your network. Many DDoS (distributed denial of
service) attacks use RPC exploits to break into a system and turn it into a
so-called agent or handler.
Disabling portmap is quite simple, and there are several ways to do it. The
simplest on a Debian system is
update-rc.d portmap remove
This removes every symlink relating to portmap in /etc/rc${runlevel}.d/,
which could also be done by hand.
Another possibility is chmod 644 /etc/init.d/portmap, but that produces an
error message at boot time. You can also strip the start-stop-daemon
invocation out of the /etc/init.d/portmap shell script.
Keep in mind that migrating from telnet to ssh while still using other
cleartext protocols does not increase your security in ANY way! Best
would be to remove ftp, telnet, pop, imap and http and to replace them with
their respective encrypted services: ftp-ssl, telnet-ssl, pop-ssl, https and
so on.
Most of these above listed hints apply to every Unix system.
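The following shell script is an added example; it is not part of the manual and not Debian's own update-rc.d. It reproduces by hand what update-rc.d portmap remove does to the /etc/rc?.d symlinks and comments the cleartext services out of an inetd.conf, working on a constructed throw-away copy of /etc (created with mktemp) so nothing on the running system is touched. The service names, the S18/K79 link numbers and the inetd.conf lines are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual): do by hand what
# "update-rc.d portmap remove" does, and comment out cleartext services
# in an inetd.conf. Everything operates on a constructed copy of /etc.

# Build a throw-away /etc replica with the symlinks a Debian system of
# that era would carry: S18portmap in rc2-5.d, K79portmap in rc0,1,6.d,
# plus an ssh link so we can show it is left untouched. (Assumed layout.)
make_fake_etc() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d"
    printf '#!/bin/sh\necho portmap\n' > "$root/init.d/portmap"
    printf '#!/bin/sh\necho ssh\n' > "$root/init.d/ssh"
    for rl in 0 1 2 3 4 5 6; do
        mkdir -p "$root/rc$rl.d"
        case $rl in
            0|1|6) ln -s ../init.d/portmap "$root/rc$rl.d/K79portmap" ;;
            *)     ln -s ../init.d/portmap "$root/rc$rl.d/S18portmap"
                   ln -s ../init.d/ssh "$root/rc$rl.d/S20ssh" ;;
        esac
    done
    # Constructed inetd.conf excerpt: four cleartext services and ssh.
    cat > "$root/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.pop3d
imap2   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/imapd
ssh     stream  tcp  nowait  root  /usr/sbin/sshd  sshd -i
EOF
    echo "$root"
}

# Number of S/K symlinks in rc?.d that belong to a given init script.
count_links() {  # $1 = etc root, $2 = service name
    find "$1"/rc?.d -name "[SK]??$2" -type l | wc -l | tr -d ' '
}

# Equivalent of "update-rc.d $2 remove": delete every S/K symlink for it.
remove_links() {  # $1 = etc root, $2 = service name
    find "$1"/rc?.d -name "[SK]??$2" -type l -exec rm -f {} +
}

# Comment out the cleartext services in an inetd.conf; ssh stays active.
disable_cleartext() {  # $1 = path to inetd.conf
    sed -E 's/^(ftp|telnet|pop-3|imap2?)[[:space:]]/#&/' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Count of inetd.conf lines that are still active (not commented out).
active_services() { grep -cv '^#' "$1"; }

# Demo run against the throw-away tree.
demo=$(make_fake_etc)
echo "portmap links before: $(count_links "$demo" portmap)"
remove_links "$demo" portmap
echo "portmap links after:  $(count_links "$demo" portmap)"
disable_cleartext "$demo/inetd.conf"
echo "inetd services still active:"
grep -v '^#' "$demo/inetd.conf"
rm -rf "$demo"
```

To apply this to a real system, point the functions at /etc instead of the temporary tree, run them as root, and restart inetd afterwards; for the rc links, Debian's own update-rc.d is the supported tool.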
Several kernel patches exist that significantly enhance system security. Here
are a few of them:
- OpenWall patch by Solar Designer
This is a useful set of kernel restrictions, like restricted links,
FIFOs in /tmp, restricted /proc, special file descriptor handling,
non-executable user stack area and some more.
Homepage:
http://www.openwall.com/linux/
- LIDS - Linux intrusion detection system by Huagang Xie & Philippe Biondi
This patch makes the process of creating a hardened Linux system easier. You
can restrict every process: grant it the right to read or write particular
files, or remove, by default, its ability to read files at all. Furthermore you
can set capabilities for certain processes. Even though it is still in the
beta phase, it is almost a must for the paranoid system administrator.
Homepage:
http://www.lids.org
- POSIX Access Control Lists (ACLs) for Linux
This patch adds access control lists, an advanced method for restricting
access to files, to the Linux kernel.
Homepage:
http://acl.bestbits.at/
- Linux trustees
This patch adds a decent advanced permissions system to your Linux kernel. All
the objects are stored in the kernel memory, which allows fast lookup of all
permissions.
Homepage:
http://www.braysystems.com/linux/trustees.html
- International kernel patch
This is a cryptography-oriented kernel patch, so you have to pay attention to
your local laws regarding the use of cryptography. It mainly adds support for
encrypted file systems.
Homepage:
http://www.kerneli.org
- SubDomain
A kernel extension to create a more secure and easier to set up chroot
environment. You specify the files the chrooted service needs by hand and do
not have to compile the service statically.
Homepage:
http://www.immunix.org/subdomain.html
- UserIPAcct
This is not really a security related patch, but it allows you to create
quotas for the traffic on your server per user. And you can fetch
statistics about the user traffic.
Homepage:
http://rsmeyers.3ti.org/useripacct
- FreeS/WAN
If you want to use IPSec with Linux, you need this patch. With it you can
create VPNs quite easily, even to Windows machines, since IPSec is a common
standard.
Homepage:
http://www.freeswan.org
This is probably the most unstable and entertaining section, since I hope that
some of the "duh, that sounds crazy" ideas might be realized. Below you will
find some ideas - whether you call them genius, paranoid, crazy or secure
depends on your point of view - that increase your security considerably, but
not without cost.
- Playing around with PAM
As the Phrack 56 article on PAM says, the nice thing about PAM is that "You are
limited only by what you can think of." It is true. Imagine root login only
possible with fingerprint or eyescan or cryptocard (why the heck did I do an
OR conjunction and not AND here).
- Fascist Logging
I would say everything we talked about logging above is "soft logging". If you
want to perform real logging, get a printer with fanfold paper and log
everything hard by printing it out. It sounds funny, but it is reliable, and an
intruder cannot erase it.
- CD distribution
This idea is very easy to realize and offers a good deal of security. Create a
hardened Debian distribution with a damned good firewall, make an ISO of it and
burn it on CD. Make it bootable. The upshot is a wholly read-only distribution
with about 600 MB of space for services, and it is impossible for intruders to
get read-write access to this system. Just make sure that any data which has to
be written is written over the wire to another host. Either way, the intruder
cannot change firewall rules, routing entries or start daemons of his own (he
can, but after a reboot he has to break into your system again to change them).
- Switch module capability off
When you disable kernel module support at kernel compile time, many kernel-based
back doors become impossible to implement, since most of them rely on loading
modified kernel modules.
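As an added illustration of the "AND, not OR" point in the PAM idea above (this fragment is not from the manual), here is a constructed auth stack for /etc/pam.d/login showing a weak ordering beside the corrected one. It uses only standard Linux-PAM modules (pam_securetty, pam_unix, pam_listfile); the file name /etc/login.allowed is an assumption.

```conf
# WEAK: "sufficient" returns success as soon as the password checks out,
# so the pam_securetty line below is never consulted. This is the OR case.
auth  sufficient  pam_unix.so
auth  required    pam_securetty.so

# CORRECTED: every line is "required", so all three checks must pass (AND).
# root may log in only from a tty listed in /etc/securetty, only with a
# valid password, and only if the user is listed in /etc/login.allowed
# (assumed file name; onerr=fail makes pam_listfile fail closed).
auth  required    pam_securetty.so
auth  required    pam_unix.so
auth  required    pam_listfile.so onerr=fail item=user sense=allow file=/etc/login.allowed
```

The same stacking discipline applies whatever the extra factor is: each additional module you add as "required" is one more condition that must hold, whereas a "sufficient" entry lets a single passing module short-circuit everything after it.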