Linux Security

Anthony Albrecht – Services & Accounts
Praveen Bochetty – Filesystem security & Logging
Seth Guenther – PAM & Kernel Tuning


Linux Run Levels

When Linux starts, it calls a program named init, which runs all subsequent startup tasks.

The very first services it executes are those located in the /etc/rc.d directory tree.

Files in /etc/rc.d are links to the actual executable files located in /etc/init.d.

Run levels are the level of functionality in which the operating system is running.

The levels range from level 1 to 6, and each level has a different degree of functionality.

The run levels are specified within the /etc/inittab file.


Linux Run Levels

Run level 0 is halt.
Run level 1 is single user mode, like safe mode.
Run level 2 is multiuser mode, but without NFS.
Run level 3 is full multiuser mode, or the standard run level.
Run level 4 is typically unused.
Run level 5 is X11, or the X Window system.
Run level 6 is reboot.


Disabling services

Within each /etc/rc.d/rc*.d directory, files start with S or K:
– S means start service
– K means kill (stop) service

The chkconfig command can be used to disable services:
– Ex: chkconfig inetd off

Alternatively, use serviceconf for graphical administration.
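The S/K naming convention above is easy to check by hand. The following shell functions are an added example (not code from the slides) that list the links of one runlevel directory and report whether a given service has an S link there, which is the state "chkconfig <service> on" leaves behind for that runlevel. The demo directory and its link names (S10network, S55sshd, K20inetd, K50snmpd) are constructed for illustration, not taken from a real system.

```shell
# Added example, not from the original slides: inspect the S/K links of one
# System V runlevel directory (e.g. /etc/rc.d/rc3.d). Link names follow the
# convention [S|K]<two-digit priority><service>.

# Print one line per link: "start|kill <priority> <service>", in glob order.
runlevel_links() {
    dir=$1
    for link in "$dir"/[SK][0-9][0-9]*; do
        [ -e "$link" ] || continue            # no links: the glob stays literal
        name=$(basename "$link")
        prio=$(printf '%s' "$name" | cut -c2-3)
        svc=$(printf '%s' "$name" | cut -c4-)
        case $name in
            S*) echo "start $prio $svc" ;;
            K*) echo "kill  $prio $svc" ;;
        esac
    done
}

# Exit 0 if the runlevel directory holds an S link for the service, else 1.
service_enabled() {
    dir=$1; svc=$2
    for link in "$dir"/S[0-9][0-9]"$svc"; do
        if [ -e "$link" ]; then return 0; fi
    done
    return 1
}

# Constructed demo directory (not a real system): a runlevel where network
# and sshd start while inetd and snmpd are stopped.
demo_runlevel() {
    tmp=$(mktemp -d)
    for f in S10network S55sshd K20inetd K50snmpd; do : > "$tmp/$f"; done
    runlevel_links "$tmp"
    if service_enabled "$tmp" inetd; then echo "inetd: enabled"; else echo "inetd: disabled"; fi
    rm -rf "$tmp"
}

demo_runlevel
```

Running `runlevel_links /etc/rc.d/rc3.d` on a System V style box gives a quick inventory of what init starts in the standard run level; anything listed as "start" that is not needed is a candidate for `chkconfig <service> off`.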


Root AccountRoot Account

The The rootroot account is the most account is the most privileged account on a Unix privileged account on a Unix systemsystem

No security restrictions No security restrictions Therefore it is easy, with a Therefore it is easy, with a

mistyped command, to wipe out mistyped command, to wipe out crucial system files.crucial system files.

Never log in on your server as Never log in on your server as rootroot unless it is absolutely have to.unless it is absolutely have to.


Root Account

- Set a login time out for the root account.
- Make the bash shell automatically log out after not being used for a period of time.
- Set the special Linux variable named TMOUT to the time in seconds of no input before logout.


Root Account

Edit your profile file /etc/profile and add the following line somewhere after the line that reads HISTFILESIZE= in this file:

TMOUT=7200

Automatic logout after two hours of inactivity will apply for all users on the system.

To control which users will be automatically logged out and which ones not, you can set this variable in their individual .bashrc file.

You must log out and log in again as root for the change to take effect.


NFS - Network File System

NFS allows machines to mount a disk partition on a remote machine as if it were on a local hard drive.

It allows for fast, seamless sharing of files across a network.


The “/etc/exports” file

If exporting file systems using the NFS service, be sure to configure this file with the most restrictive access possible.


The “/etc/exports” file

Edit the exports file (vi /etc/exports) and add, as an example:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

Where “/dir/to/export” is the directory you want to export, host#.mydomain.com is the machine allowed to log in to this directory, the <ro> option means mounting read-only, and the <root_squash> option means not allowing root write access.

For this change to take effect you will need to run the following command on your terminal:

[root@deep]# /usr/sbin/exportfs -a
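The "most restrictive access possible" advice is easiest to enforce with a check that flags every export broader than the ro,root_squash pattern shown above. The function below is an added example, not code from the slides or from nfs-utils: it parses an exports file and warns about entries exported to any host, wildcard clients, rw exports, no_root_squash, and entries with no options at all (which rely on the server's defaults). The sample exports file inside demo_exports is constructed for the demonstration.

```shell
# Added example, not from the original slides: audit an exports file against
# the read-only, root_squash pattern. Usage: check_exports /etc/exports
check_exports() {
    file=$1
    warnings=0
    set -f                                    # keep "*" from expanding as a glob
    while read -r dir clients; do
        case $dir in ''|\#*) continue ;; esac # skip blank lines and comments
        if [ -z "$clients" ]; then
            echo "WARN: $dir has no client list (exported to everyone)"
            warnings=$((warnings + 1))
            continue
        fi
        for c in $clients; do
            host=${c%%\(*}                    # part before "(" is the client
            opts=''
            case $c in *\(*\)) opts=${c#*\(}; opts=${opts%\)} ;; esac
            case $host in
                ''|'*')  echo "WARN: $dir -> any host may mount ($c)"; warnings=$((warnings + 1)) ;;
                *[*?]*)  echo "WARN: $dir -> wildcard client ($c)"; warnings=$((warnings + 1)) ;;
            esac
            case ",$opts," in
                *,rw,*) echo "WARN: $dir -> writable by $host"; warnings=$((warnings + 1)) ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "WARN: $dir -> root on $host keeps root privileges"; warnings=$((warnings + 1)) ;;
            esac
            if [ -z "$opts" ]; then
                echo "WARN: $dir -> $host relies on default options"
                warnings=$((warnings + 1))
            fi
        done
    done < "$file"
    set +f
    echo "$warnings warning(s) in $file"
}

# Constructed sample exports file (not a real configuration): the first line
# follows the slide's pattern, the others show what the check catches.
demo_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real configuration
/srv/export   host1.mydomain.com(ro,root_squash) host2.mydomain.com(ro,root_squash)
/home         *(rw,no_root_squash)
/var/backup   192.168.1.0/24(rw,root_squash)
/tmp/scratch
EOF
    check_exports "$f"
    rm -f "$f"
}

demo_exports
```

Run it as `check_exports /etc/exports` before `exportfs -a`; a clean file prints "0 warning(s)". The check is deliberately strict: an rw export with root_squash may well be intended, but it should be a conscious decision rather than a default.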


inetd/xinetd introduction

inetd, configured through inetd.conf, is a program that manages all the incoming connections.

Xinetd took the inetd design and modularized it, meaning that each service can be in its own configuration file.

Xinetd also added features like the TCP wrappers, making configuration easier.

The modular configuration means that you can distribute a service to several machines by copying it to the xinetd.d directory, and you can remove it similarly.


The inetd /etc/inetd.conf file

Also called the "super server", inetd will load a network program based upon a request from the network.

The “inetd.conf” file tells inetd which ports to listen to and what server to start for each port.

Look at the “/etc/inetd.conf” file to see what services are being offered by your inetd program.

Disable what you do not need by commenting them out (by adding a # at the beginning of the line), and then send your inetd process a SIGHUP signal to update it:
– killall -HUP inetd


Disabling Steps

Change the permissions on this file to 600.
[root@deep /]# chmod 600 /etc/inetd.conf

Ensure that the owner is root.
[root@deep /]# chown root /etc/inetd.conf

Edit the inetd.conf file (vi /etc/inetd.conf) and disable services like:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc.
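The two slides above describe one procedure: find what inetd still offers, comment out what is not needed, send inetd a SIGHUP, and lock down the file's mode and owner. The shell functions below are an added example (not code from the slides) that carry out the inspection and the commenting-out step and check the mode and owner; the SIGHUP (`killall -HUP inetd`) is left to the administrator because the demo only works on a temporary copy. The sample inetd.conf inside demo_inetd is constructed for the demonstration.

```shell
# Added example, not from the original slides: audit and edit an inetd.conf.
# Usage:
#   inetd_active_services /etc/inetd.conf
#   inetd_risky_services  /etc/inetd.conf
#   inetd_disable         /etc/inetd.conf telnet    (then: killall -HUP inetd)
#   inetd_file_check      /etc/inetd.conf

# Service name (first field) of every line that is neither blank nor commented out.
inetd_active_services() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Active services that appear in the list from the "Disabling Steps" slide.
inetd_risky_services() {
    risky=" ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth "
    for s in $(inetd_active_services "$1"); do
        case $risky in *" $s "*) echo "$s" ;; esac
    done
}

# Comment out the line for one service (the name is expected in column 1, as
# in the stock file). Written through a temp file so the config is never
# left truncated if something goes wrong half-way.
inetd_disable() {
    file=$1; svc=$2
    tmp="$file.tmp.$$"
    sed "s/^$svc[[:space:]]/#&/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Report if the file is not mode 600 or not owned by root. ls -ld is parsed
# for portability: column 1 is the mode string, column 3 the owner.
inetd_file_check() {
    set -- $(ls -ld "$1")
    mode=$(printf '%s' "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || echo "WARN: mode is $mode, expected -rw------- (chmod 600)"
    [ "$3" = root ] || echo "WARN: owner is $3, expected root (chown root)"
    return 0
}

# Constructed sample inetd.conf (not a real configuration).
demo_inetd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample inetd.conf, not a real configuration
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i
EOF
    echo "active: $(inetd_active_services "$f" | tr '\n' ' ')"
    echo "risky:  $(inetd_risky_services "$f" | tr '\n' ' ')"
    inetd_disable "$f" telnet
    echo "after disabling telnet: $(inetd_active_services "$f" | tr '\n' ' ')"
    chmod 600 "$f"
    inetd_file_check "$f"
    rm -f "$f"
}

demo_inetd
```

On the demo file the risky list is ftp, telnet and finger; after `inetd_disable` the telnet line starts with `#` and no longer appears as active. On a real system the change only takes effect after the SIGHUP from the previous slide.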


The “/etc/host.conf” file

Linux uses a resolver library to obtain the IP address corresponding to a host name.

This file specifies how names are resolved.

The entries in the file tell the resolver library what services to use, and in what order, to resolve names.


The “/etc/host.conf” file

Edit the host.conf file (vi /etc/host.conf) and add the following lines:

# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on


The “/etc/host.conf” file

The order option indicates the order of services.

The multi option determines whether a host in the “/etc/hosts” file can have multiple IP addresses.

The nospoof option indicates to take care of not permitting spoofing on this machine.

IP spoofing is a security exploit that works by tricking computers in a trust relationship into believing that you are someone that you really aren't.


The “/etc/securetty” file

This file allows you to specify which TTY devices the “root” user is allowed to log in on.

This file is read by the login program (usually “/bin/login”). Its format is a list of the tty device names allowed.

Disable any tty that you do not need by commenting them out (# at the beginning of the line).


The “/etc/securetty” file

tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8

This means root is only allowed to log in on tty1.

Allow “root” to log in on only one tty device, and use the “su” command to switch to “root” if you need more devices to work as “root”.


Special Accounts

It is important to DISABLE ALL default vendor accounts that you don't use on your system.

To delete a user on your system, use the command:
[root@deep /]# userdel username

To delete a group on your system, use the command:
[root@deep /]# groupdel username


TCP_WRAPPERS

By default Red Hat Linux allows all service requests.

Deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny file.

Then explicitly list trusted hosts who are allowed to access your machine in the /etc/hosts.allow file.

TCP_WRAPPERS is controlled from two files and the search stops at the first match.


TCP_WRAPPERS

Access will be granted when a (daemon, client) pair matches an entry in the /etc/hosts.allow file. Otherwise, access will be denied when a (daemon, client) pair matches an entry in the /etc/hosts.deny file. Otherwise, access will be granted.

With the parameter PARANOID: if you intend to run telnet or ftp services on your server, you must add the client's machine name and IP address in your /etc/hosts file on the server, or you can expect to wait several minutes for the DNS lookup to time out before you get a login: prompt.
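The three-step decision order just described (hosts.allow match grants, hosts.deny match denies, no match grants) is what makes the "ALL: ALL@ALL, PARANOID" deny rule from the previous slide safe: with that rule in place only explicit hosts.allow entries let anything through. The shell functions below are an added example, not code from the slides or from the tcp_wrappers library, that simulate this order on a pair of rule files. They handle the "daemon_list : client_list" form with ALL, exact names, ".domain" suffixes, "net." prefixes and "user@host" tokens (the user part is ignored); EXCEPT, KNOWN/UNKNOWN, PARANOID and the shell-command field are not implemented, and the client is matched as a single string rather than as the hostname/address pair the real library checks. The rule files in demo_wrappers are constructed for the demonstration.

```shell
# Added example, not from the original slides: a simplified tcp_wrappers
# decision simulator. Usage: wrap_decide ALLOW_FILE DENY_FILE DAEMON CLIENT

# Does one access-list token match the daemon or client value?
wrap_token_matches() {
    tok=${1#*@}; val=$2                      # "ALL@ALL" -> "ALL"
    case $tok in
        ALL) return 0 ;;
        .*)  case $val in *"$tok") return 0 ;; esac ;;   # .mydomain.com suffix
        *.)  case $val in "$tok"*) return 0 ;; esac ;;   # 192.168.1. prefix
        *)   if [ "$tok" = "$val" ]; then return 0; fi ;;
    esac
    return 1
}

# Does any token in a comma-separated list match the value?
wrap_list_matches() {
    list=$1; val=$2
    oldifs=$IFS; IFS=','
    for tok in $list; do
        IFS=$oldifs
        tok=$(printf '%s' "$tok" | tr -d ' \t')
        if wrap_token_matches "$tok" "$val"; then return 0; fi
    done
    IFS=$oldifs
    return 1
}

# Does any rule in the file match the (daemon, client) pair? A missing file
# matches nothing, which is how an absent hosts.deny behaves.
wrap_file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}                     # strip comments
        case $line in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        clients=${clients%%:*}               # drop an optional shell-command field
        if wrap_list_matches "$daemons" "$daemon" && wrap_list_matches "$clients" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# The order from the slide: allow match -> grant, deny match -> deny, else grant.
wrap_decide() {
    if wrap_file_matches "$1" "$3" "$4"; then echo grant
    elif wrap_file_matches "$2" "$3" "$4"; then echo deny
    else echo grant
    fi
}

# Constructed rule files (not a real configuration): sshd is allowed from one
# network and one domain, everything else is denied by the slide's deny rule.
demo_wrappers() {
    d=$(mktemp -d)
    printf 'sshd: 192.168.1., .mydomain.com\n' > "$d/hosts.allow"
    printf 'ALL: ALL@ALL, PARANOID\n' > "$d/hosts.deny"
    for pair in "sshd 192.168.1.20" "sshd host1.mydomain.com" "sshd 10.0.0.5" "in.telnetd 192.168.1.20"; do
        set -- $pair
        echo "$1 from $2: $(wrap_decide "$d/hosts.allow" "$d/hosts.deny" "$1" "$2")"
    done
    rm -rf "$d"
}

demo_wrappers
```

The last branch of wrap_decide is the one to remember: with an empty or missing hosts.deny, every pair that hosts.allow does not mention is granted, which is the "allows all service requests" default the earlier slide warns about. For a real configuration, tcpdchk (next slide) is the tool to run, since it knows the full syntax.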


TCP_WRAPPERS

The tcpdchk program is the tcpd wrapper configuration checker. It examines your tcp wrapper configuration and reports all potential and real problems it can find. After your configuration is done, run the program tcpdchk.

[root@deep /]# tcpdchk


Lilo & Grub

GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn.

Briefly, a boot loader is the first software program that runs when a computer starts. It is responsible for loading and transferring control to the operating system kernel software, such as Linux.

The kernel, in turn, initializes the rest of the operating system (e.g. GNU).


Lilo & Grub

LILO is the most commonly used boot loader for Linux.

It manages the boot process and can boot Linux kernel images from floppy disks or hard disks, or can even act as a boot manager for other operating systems.

The most important configuration file of LILO is the lilo.conf file, which resides under the /etc directory.


Lilo & Grub

Three important options to improve the security of Lilo.

Adding: timeout=00
Controls how long in seconds LILO waits for user input before booting to the default selection.

Adding: restricted
This option asks for a password only if parameters are specified on the command line (e.g. linux single). The option restricted can only be used together with the password option.

Adding: password=<password>
This option asks the user for a password when trying to load the Linux system in single mode. Passwords are always case-sensitive; also make sure the /etc/lilo.conf file is no longer world readable, or any user will be able to read the password.
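The three options and the file-permission caveat above form a small checklist, and the function below is an added example (not code from the slides or from LILO) that runs it against a lilo.conf: it reports whether timeout, restricted and password are present, whether the file is world readable, and whether a non-zero timeout leaves a window for typing parameters at the boot prompt. The two lilo.conf fragments in demo_lilo are constructed for the demonstration, and "example-placeholder" stands in for a real password.

```shell
# Added example, not from the original slides: check a lilo.conf for the
# timeout / restricted / password options and for world readability.
# Usage: check_lilo_conf /etc/lilo.conf
check_lilo_conf() {
    file=$1
    for opt in timeout restricted password; do
        # option name at the start of a line, followed by "=" or end of line
        if grep -Eq "^[[:space:]]*$opt([[:space:]]*=|[[:space:]]*$)" "$file"; then
            echo "OK: $opt is set"
        else
            echo "WARN: $opt missing"
        fi
    done
    # the password only helps if other users cannot read it out of the file
    mode=$(ls -ld "$file" | cut -c1-10)
    case $mode in
        ???????r??) echo "WARN: $file is world readable ($mode)" ;;
        *)          echo "OK: $file is not world readable ($mode)" ;;
    esac
    # a timeout above zero gives a window for typing boot-time parameters
    t=$(sed -n 's/^[[:space:]]*timeout[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$file" | head -n 1)
    if [ -n "$t" ] && [ "$t" -gt 0 ]; then
        echo "NOTE: timeout=$t leaves a window for boot-time input"
    fi
    return 0
}

# Constructed lilo.conf fragments (not real configurations): a weak one and
# the hardened form from the slide. The password value is a placeholder.
demo_lilo() {
    f=$(mktemp)
    echo "== weak =="
    printf 'boot=/dev/hda\ntimeout=50\nimage=/boot/vmlinuz\n\tlabel=linux\n' > "$f"
    chmod 644 "$f"
    check_lilo_conf "$f"
    echo "== hardened =="
    printf 'boot=/dev/hda\ntimeout=00\nrestricted\npassword=example-placeholder\nimage=/boot/vmlinuz\n\tlabel=linux\n' > "$f"
    chmod 600 "$f"
    check_lilo_conf "$f"
    rm -f "$f"
}

demo_lilo
```

After editing /etc/lilo.conf, LILO still has to be re-run so the boot sector picks up the new options; the check above only looks at the file.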