
Security Quick-Start HOWTO for Linux


Academic year: 2024


Introduction

Why me?

Copyright

Credits

Disclaimer

New Versions and Changelog

Feedback

Foreword

The Optimum Configuration

The router/firewall allows outside connections to whatever services are running in the DMZ by "forwarding" those requests to the DMZ hosts, but the DMZ is otherwise separated from the rest of the internal network (also called a LAN). This leaves the internal network in relatively safe isolation: if a DMZ host is compromised, the attacker still has no direct path to the LAN.

Before We Start

In this section we will see what services are running on our newly installed system, decide what we really need and discard the rest. If you are not familiar with how servers and TCP connections work, you may want to read the section on servers and ports in the Appendix first.

Step 1: Which services do we really need?

  • System Audit
  • The Danger Zone (or r00t m3 pl34s3)
  • Stopping Services
    • Stopping Init Services
    • Inetd
    • Xinetd
    • When All Else Fails
  • Exceptions
  • Summary and Conclusions for Step 1

Some services are simply not designed to be exposed to the Internet, even if you decide the service itself is something you really need; run those for the LAN only, behind the firewall. Others are simply unnecessary: if you will not receive mail directly from Internet hosts (that is, no MX record points at your system) but fetch it from your ISP's POP server, then a listening SMTP daemon is not required.
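The two edits the Inetd and Xinetd sections describe, commenting a service out of inetd.conf and setting `disable = yes` in an xinetd service file, as an added example in POSIX shell (this is not code from the HOWTO). It assumes the standard inetd.conf line format (service, socket type, protocol, wait flag, user, server, arguments) and an xinetd file with a `service NAME { ... }` block; the sample configuration files are constructed inside the script, and after editing the real files inetd must be sent a SIGHUP and xinetd told to reload before the change takes effect.

```shell
#!/bin/sh
# Added example, not from the HOWTO: take a service out of inetd.conf and out
# of an xinetd service file, the two "Stopping Services" edits from Step 1.
# Assumptions: standard inetd.conf lines ("telnet stream tcp nowait root ...")
# and an xinetd file with a "service NAME { ... }" block. The sample files
# written by demo() are constructed for this demonstration.

# inetd_disable FILE SERVICE
# Comment out every active (not already commented) line whose first field is
# SERVICE. Returns 0 if at least one line was disabled, 1 if the service was
# not active (file left untouched), 2 on a temp-file error.
inetd_disable() {
    file=$1; svc=$2
    tmp=$(mktemp) || return 2
    rc=0
    awk -v svc="$svc" '
        $0 !~ /^[[:space:]]*#/ && $1 == svc { print "#" $0; hit = 1; next }
        { print }
        END { exit hit ? 0 : 1 }
    ' "$file" > "$tmp" || rc=$?
    [ "$rc" -eq 0 ] && cat "$tmp" > "$file"
    rm -f "$tmp"
    return "$rc"
}

# inetd_active FILE SERVICE: succeed if SERVICE still has an uncommented line.
inetd_active() {
    awk -v svc="$2" '$0 !~ /^[[:space:]]*#/ && $1 == svc { found = 1 }
                     END { exit found ? 0 : 1 }' "$1"
}

# xinetd_disable FILE
# Force "disable = yes": rewrite an existing disable line whatever its value,
# or, if there is none, add one right after the opening brace of the block.
xinetd_disable() {
    file=$1
    tmp=$(mktemp) || return 2
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=' "$file"; then
        sed -E 's/^([[:space:]]*disable[[:space:]]*=[[:space:]]*).*/\1yes/' "$file" > "$tmp"
    else
        awk '{ print } /^[[:space:]]*[{][[:space:]]*$/ { print "\tdisable = yes" }' "$file" > "$tmp"
    fi && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# xinetd_disabled FILE: succeed if the block now carries "disable = yes".
xinetd_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Demonstration on constructed copies of the two files.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a' \
        'telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd' \
        '#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd' \
        > "$d/inetd.conf"
    printf '%s\n' 'service telnet' '{' \
        '        socket_type     = stream' '        wait            = no' \
        '        user            = root' '        server          = /usr/sbin/in.telnetd' \
        '        disable         = no' '}' > "$d/telnet"

    inetd_disable "$d/inetd.conf" telnet && echo "inetd: telnet commented out"
    inetd_disable "$d/inetd.conf" finger || echo "inetd: finger was not active (rc=$?)"
    grep -n telnet "$d/inetd.conf"

    xinetd_disable "$d/telnet" && xinetd_disabled "$d/telnet" && echo "xinetd: telnet disabled"
    grep -n disable "$d/telnet"
    rm -rf "$d"
}

demo
```

Run the functions against copies first; when the output looks right, apply them to /etc/inetd.conf or the file under /etc/xinetd.d and reload the daemon. A service that is commented out but still shows up in netstat has simply not been reloaded yet.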

Step 2: Updating

Summary and Conclusions for Step 2

Applying your vendor's security updates is the single most effective defense against the known vulnerabilities that automated attacks look for, at least as long as your vendor still supports the release and updates are still provided.

Step 3: Firewalls and Setting Access Policies

  • Strategy
  • Packet Filters -- Ipchains and Iptables
    • ipchains
    • iptables
  • Tcpwrappers (libwrap)
    • xinetd
  • PortSentry
  • Proxies
  • Individual Applications
  • Verifying
  • Logging
  • Where to Start
  • Summary and Conclusions for Step 3

Packet filter rules can match on port (or port ranges), interface, destination address and source address, as well as various other options. Hostnames can be used in place of addresses (in tcpwrappers rules, for example), but a rule keyed on a hostname depends on DNS and so opens up a limited possibility of spoofing via forged name lookups; addresses are safer. Setting up and administering proxies can be complex and is beyond the scope of this document.

Verify the result from the outside if at all possible: what an external host sees should now be very different from what netstat shows locally. Logging firewall hits is valuable, but logging can be counter-productive if it is so excessive that the relevant entries are hard to find, or worse, it fills a partition; rate-limiting the log rules avoids both problems. We've looked at some of the most commonly available firewall applications found on most, if not all, Linux systems.

Also check the Links section for sites and tools that can be used to generate a custom script.

Intrusion Detection

Intrusion Detection Systems (IDS)

Have I Been Hacked?

Checking lsattr against a known-good copy is just to verify that the system has not been tampered with to the point that lsattr itself is unreliable. Packet sniffers such as tcpdump (http://www.tcpdump.org) can be useful in spotting unsolicited traffic, for example a planted daemon talking to the outside. Once a system is compromised, nothing on it can be relied upon to tell you the whole truth: run your checks with tools from trusted, read-only media.

Another approach is to go to http://www.chkrootkit.org, download their rootkit checker and see what it says. chkrootkit can be pointed at a known-good set of system binaries with its -p option, which matters because it relies on commands such as ps and netstat that a rootkit may have replaced. Some interesting discussions on forensics issues can be found at http://www.fish.com/security/.

Reclaiming a Compromised System

Sometimes the intruder is not so smart and forgets about root's .bash_history, neglects to clear log entries, or leaves strange leftover files in /tmp. As mentioned, a compromised system will undoubtedly have modified system binaries, and the output of system utilities is not to be trusted. Depending on the needs of the situation and the time available to repair the system, it is beneficial to learn as much as possible about how the attacker got in and what was done, so that the hole can be plugged and a repeat avoided.

Immediately after a clean install is the best time to install an IDS (Intrusion Detection System) such as tripwire (http://www.tripwire.org), so that the baseline it records is known to be good; keep that baseline on read-only media, or an intruder can simply update it. Short of a clean reinstall there is no way to be absolutely sure that everything is fine and all traces of interference are gone.
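A minimal version of the baseline-and-verify idea behind tripwire and `rpm -V`, as an added example in shell (not the HOWTO's code and not tripwire's): `baseline_create` records a SHA-256 for every file under a directory, and `baseline_verify` reports what has changed, appeared or disappeared since. It assumes GNU coreutils `sha256sum`, paths without tabs or newlines, and, as the text above insists, that the manifest and the tools doing the checking (shell, find, awk, sha256sum) come from somewhere the intruder could not touch. The tampered tree at the end is constructed to show the three kinds of report line.

```shell
#!/bin/sh
# Added example, not from the HOWTO: a minimal file-integrity baseline in the
# spirit of tripwire or "rpm -V". baseline_create records a SHA-256 per file;
# baseline_verify reports files that are CHANGED, NEW or MISSING since then.
# Assumptions: GNU coreutils sha256sum is available, paths contain no tab or
# newline characters, and the manifest is kept where an intruder cannot reach
# it (read-only media, another host). The sample tree in demo() is constructed.

# baseline_create DIR MANIFEST: write "<sha256><TAB><path>" for every regular
# file under DIR, in a stable order.
baseline_create() {
    dir=$1; out=$2
    find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\n' "$sum" "$f"
    done > "$out"
}

# baseline_verify DIR MANIFEST: compare the tree against the manifest.
# Prints one sorted line per difference; returns 0 only when nothing differs.
baseline_verify() {
    dir=$1; manifest=$2
    cur=$(mktemp) || return 2
    baseline_create "$dir" "$cur"
    rc=0
    report=$(awk -F'\t' -v m="$manifest" '
        FILENAME == m { old[$2] = $1; next }      # stored manifest: path -> hash
        {
            seen[$2] = 1
            if (!($2 in old))        { print "NEW     \t" $2; diff = 1 }
            else if (old[$2] != $1)  { print "CHANGED \t" $2; diff = 1 }
        }
        END {
            for (f in old) if (!(f in seen)) { print "MISSING \t" f; diff = 1 }
            exit diff ? 1 : 0
        }' "$manifest" "$cur") || rc=$?
    rm -f "$cur"
    [ -n "$report" ] && printf '%s\n' "$report" | sort
    return "$rc"
}

# Demonstration: baseline a constructed tree, then simulate a rootkit.
demo() {
    root=$(mktemp -d); manifest=$(mktemp)
    mkdir -p "$root/bin"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'original ps\n' > "$root/bin/ps"
    baseline_create "$root" "$manifest"

    echo "clean tree:"
    baseline_verify "$root" "$manifest" && echo "  no differences"

    printf 'trojaned ps\n' > "$root/bin/ps"     # replaced binary
    printf 'sniffer\n'     > "$root/bin/.sniff" # planted file
    rm "$root/bin/ls"                           # removed binary
    echo "after tampering:"
    baseline_verify "$root" "$manifest" || echo "  verify exit status $?"

    rm -rf "$root" "$manifest"
}

demo
```

On a real system the tree would be /bin, /sbin, /usr/bin, /lib and the like, and the first run must happen before the machine is ever connected to the network; a baseline taken after a compromise just certifies the rootkit.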

General Tips

Installing from raw source code (tarball or src.rpm) at least gives you the opportunity to examine the code, even if you don't understand it ;-) While this doesn't seem to be a widespread problem among Linux software sites, it is trivial for someone to add a few lines of code that turn an innocent-looking binary into something malicious, so fetch software from the project's own site or your vendor and check any signatures or checksums they publish. If you find that you need a particular service, and it is intended only for you or perhaps a relatively small number of people, run it on a non-standard port; this keeps it out of casual scans of the well-known ports but is no substitute for the access controls of Step 3. Let's face it: if you're new to Linux, you can't already know something you've never used.

We may only be aware of a print server when we need to print something, but it's there and running, listening and waiting for connection requests, whether we ever use it or not (provided, of course, that we have it enabled). And yes, if you're not running a firewall or haven't taken other precautions and are connected to the Internet, it's very possible that someone, anyone, could connect to your X server.

Appendix

Servers, Ports, and Packets

The interesting parts are the IP addresses and ports in the fourth and fifth columns (Local Address and Foreign Address). CLOSE_WAIT is the state of this TCP connection at the moment netstat ran. The "unprivileged" (above 1024) port used for my end of the connection is temporary and is not connected to any locally running server.

That temporary port is opened by my client application only for the duration of the connection and only exchanges packets with the server's port at the other end; it does not accept connections from anyone else. It is the FTP server's administrator, not me, who has to take the appropriate precautions to secure that listening service.

Common Ports

Another point about ports: a port is only "open" if something is listening on it. The netstat example above showed no telnet or ftp server in the LISTEN state, and none is needed to act as a client: you do not need to run a telnet or ftp daemon in order to connect to someone else's telnet or ftp server.

finger (port 79): a low risk as a crack target in itself, but it gives away far too much information about the system and its users and should not be run. lpd (port 515): someone on the other side of the world doesn't want to use your printer for its intended purpose, so a print daemon has no business being reachable from the Internet.

Netstat Tutorial

  • Overview
  • Port and Process Owners

Note that port 631 appears as a bare number rather than a service name in the first example, because that system has no /etc/services entry for it (it is the cupsd print daemon, as the process-owner listing below confirms). An SMTP daemon listening on port 25 is not necessarily unusual, since most Linux installations ship one. The connection line right after that is "reversed": it has port 80 in the fourth (local) column, so it is a remote host connecting to bigcat's web server via bigcat's external Internet-side interface, rather than bigcat connecting out.

Remember from above that port 8000 is bigcat's web proxy, so this line is a web browser on the LAN connected to the locally running proxy. The process-owner column (from netstat -p, which only shows every process when run as root) again tells us that the cupsd print daemon owns port 631.
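The reading of netstat output described in the Servers, Ports, and Packets appendix and in this tutorial, turned into two small awk filters as an added example (not from the HOWTO): `netstat_listeners` lists the LISTEN sockets with their owning process, and `netstat_classify` labels every other TCP line INBOUND when its local port is one of our listeners (a remote client talking to our server, like the port-80 line above) or OUTBOUND when the local port is a temporary unprivileged one (our own client). The `netstat -tapn` style listing embedded in the script is constructed, using documentation address ranges and made-up process names; and the same caveat as in "Have I Been Hacked?" applies, since a trojaned netstat will simply omit the lines it wants hidden.

```shell
#!/bin/sh
# Added example, not from the HOWTO: parse "netstat -tapn" style output.
# The SAMPLE listing is constructed (documentation-range addresses, invented
# process names); a real one comes from "netstat -tapn" run as root so that the
# PID/Program name column is filled in for every socket.

SAMPLE=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1024/httpd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      768/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 192.168.1.1:8000        0.0.0.0:*               LISTEN      1110/proxy
tcp        0      0 192.168.1.1:8000        192.168.1.4:1053        ESTABLISHED 1110/proxy
tcp        0      0 203.0.113.10:80         198.51.100.7:3366       ESTABLISHED 1024/httpd
tcp        0      0 203.0.113.10:1027       192.0.2.20:21           CLOSE_WAIT  2020/ftp
EOF
)

# netstat_listeners: read netstat output on stdin, print "proto port pid/program"
# for every TCP socket in the LISTEN state. The port is whatever follows the
# last colon of the local address, so IPv6 forms such as ":::80" work too.
netstat_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); print $1, a[n], $7
    }'
}

# netstat_classify: read netstat output on stdin; for every TCP line that is
# not a listener, print INBOUND if the local port belongs to one of our
# listeners, OUTBOUND otherwise, followed by state, both endpoints and owner.
# Listeners are collected first, so the order of lines does not matter.
# Heuristic only: a rare outbound connection whose ephemeral local port
# happens to equal a listening port number would be mislabelled.
netstat_classify() {
    awk '
        $1 !~ /^tcp/ { next }
        $6 == "LISTEN" { n = split($4, a, ":"); listen[a[n]] = 1; next }
        NF >= 6 {
            c++; loc[c] = $4; rem[c] = $5; st[c] = $6
            who[c] = (NF >= 7) ? $7 : "-"
        }
        END {
            for (i = 1; i <= c; i++) {
                n = split(loc[i], a, ":")
                dir = (a[n] in listen) ? "INBOUND" : "OUTBOUND"
                printf "%-8s %-11s local=%s remote=%s %s\n", dir, st[i], loc[i], rem[i], who[i]
            }
        }'
}

echo "listening servers:"
printf '%s\n' "$SAMPLE" | netstat_listeners
echo
echo "connections:"
printf '%s\n' "$SAMPLE" | netstat_classify
```

Pipe a live listing through the same filters with `netstat -tapn | netstat_listeners`; anything in the first list that you cannot name is exactly what Step 1 tells you to go and switch off.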

Attacks and Threats

  • Port Scans and Probes
  • Rootkits
  • Worms and Zombies
  • Script Kiddies
  • Spoofed IPs
  • Targeted Attacks
  • Denial of Service (DoS)
  • Brute Force
  • Viruses

You can also use rpcinfo -p localhost to see which RPC services are registered (portmap must be running for this to work). Reporting a scan to the owner of the source address rarely achieves much; if the owner is an ISP, they may try to enforce their Terms of Service agreement against the offending customer. Once a box has been taken over, passwords can be added, hidden daemons opened, registries (on Windows hosts) messed with, and surely one of many back doors is opened.

Once a vulnerable system is found, the actual entry and takeover is quick and may be difficult to detect afterwards. For those who may be targets, the best defenses here include many of the things we've discussed.

Links

  • Packet filtering: http://netfilter.samba.org/documentation/HOWTO/packet-filtering-HOWTO.html
  • Networking concepts: http://netfilter.samba.org/documentation/HOWTO/networking-concepts-HOWTO.html
  • NAT/masquerading: http://netfilter.samba.org/documentation/HOWTO/NAT-HOWTO.html
  • Coroner's Toolkit (TCT): http://www.fish.com/security/, discussions and tools for dealing with post-intrusion problems (and preventing them in the first place)
  • comp.os.linux.security FAQ: http://www.linuxsecurity.com/docs/colsfaq.html
  • Internet Firewall FAQ: http://www.interhack.net/pubs/fwfaq/

  • Detecting Trojaned Linux Kernel Modules: http://members.prestige.net/tmiller12/papers/lkm.htm
  • chkrootkit, rootkit checker: http://www.chkrootkit.org
  • nmap port scanning tool homepage: http://www.insecure.org
  • Nessus, more than just a port scanner: http://www.nessus.org
  • Tripwire, intrusion detection: http://www.tripwire.org
  • Snort, sniffer and more: http://www.snort.org

Editing Text Files

Second, many of the same 'commands' work in other applications (such as the 'less' pager, which is also used to view man pages), so the keystrokes are worth learning. If you then see a '?', ed is refusing to quit because the buffer has unsaved changes: 'w' writes them, and a second 'q' (or 'Q') quits without saving. Pico is available with almost all distributions, although it may not be installed by default.

If changes have been made, you will be asked whether to save them before the editor exits; if you abandon an action in progress, you will be asked to confirm the cancellation.

The service name shown is just an educated guess by nmap, based on what /etc/services lists for that port number, not a fingerprint of what is actually listening. Simple enough, and it gives a pretty good idea of what's running on bigcat, but not necessarily what we look like to the outside world, as this was done from localhost and would not reflect any firewall or other access control mechanisms. Scanning every port rather than nmap's default list takes much, much longer, but is the only way to see all ports.

Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds. The target is reported as down because it did not answer nmap's ping probes; if it is actually running but blocking those probes, try -P0, which skips the ping and scans anyway. But it's still best to find a way to run the scan from the outside if possible, since that is the view an attacker gets.

Sysctl Options

Secure Alternatives

Ipchains and Iptables Redux

  • ipchains II
  • iptables II
  • Summary
  • iptables mini-me

The rules are deliberately specific (protocol, port, and where possible source address) because there is no reason to allow any other traffic to these ports or from those addresses. Your individual situation is certainly different and will require some changes and probably some additions to the above rules. We shouldn't open a service to the Internet this way unless a) it is really necessary, b) we are running the current, secure version, and c) we can stay informed about security-related issues that could affect it.
