Adding Security to a Linux Distribution
Large-scale efforts to sabotage servers on the Internet are becoming common. FreeBSD and Linux servers have become targets of attacks that use buffer overflows in the imapd and BIND sources. Every day, vulnerabilities of all shapes and sizes are distributed to the nearly 20,000 subscribers of the BUGTRAQ mailing list (if you subscribe to only one security mailing list, this should be it).
It would be wise to assume that at least one of those 19,305 subscribers is going to write a for() loop and a bit of logic around a cut-and-pasted 'exploit' in the hope of gaining access to as many servers as possible.
Sooner or later, the loop will reach the address of your server. There is no better time than now to prepare.
Despite what some "experts" may lead you to believe, installing and maintaining a secure dedicated server is not rocket science. Some well-known system administration practices serve as protection against the threats of the global network. This article describes some of the precautions to take when configuring a typical RedHat Linux system connected to the network. Although it provides guidelines for protecting your server from the malicious intent of others, it is not intended to be a complete reference.
The following are some steps that will help keep your installation from falling victim to the next hole in your public network software.
WARNING: If you are not absolutely sure what you are doing, do not do it. Some of these steps assume a moderate degree of experience on your part. Suggested reading is given at the end.
Steps to security
1. Remove all network services you do not need. Fewer ways to connect to your server mean fewer opportunities for an intruder to break into it. Comment out everything you do not need in /etc/inetd.conf. Do you need telnet to your system? If not, disable it. The same goes for ftpd, rshd, rexecd, gopher, chargen, echo, pop3d and the like. Do not forget to do a 'killall -HUP inetd' after editing inetd.conf. Also do not neglect the directory /etc/rc.d/init.d: some network services (BIND, printer daemons) are launched from these scripts rather than from inetd.
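The following is an added example, not part of the original article: a small POSIX shell script that comments out a list of services in an inetd.conf and reports what is still enabled. It works on whatever file you point it at, so you can run it on a copy, diff it against the live /etc/inetd.conf, and install the result before sending inetd the HUP. The inetd.conf content below is a constructed sample in the Red Hat layout, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the original article: disable inetd services by name.

# disable_inetd_services CONF SERVICE...
# Comments out every entry whose first field (the service name) is one of the
# SERVICE arguments. Anchoring on the first field keeps a name such as "echo"
# from matching inside the arguments of some unrelated line.
disable_inetd_services() {
    conf=$1; shift
    for svc in "$@"; do
        sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# active_inetd_services CONF
# Prints the service names that are still enabled (non-comment, non-blank lines).
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }' | sort
}

# Constructed sample inetd.conf (service, socket type, protocol, wait flag,
# user, server program, arguments). Every line here is made up for the demo.
SAMPLE_INETD_CONF='# inetd.conf - constructed sample
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
echo    stream  tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal'

# Demo: keep only ftp and disable everything the article lists as expendable.
# On the real machine the last step would be: killall -HUP inetd
demo_inetd() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp"
    disable_inetd_services "$tmp" telnet shell exec gopher pop-3 echo chargen
    echo "still enabled:"
    active_inetd_services "$tmp"
    rm -f "$tmp"
}
demo_inetd
```

Run it as `sh inetd-trim.sh`; to use it for real, copy /etc/inetd.conf somewhere, call `disable_inetd_services` on the copy, compare with `diff`, then install it and HUP inetd.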
2. Install SSH. SSH is a replacement for most of those old Berkeley 'r' commands. The following is from the homepage at http://www.cs.hut.fi/ssh:
Ssh (Secure Shell) is a program for logging into another computer over a network, executing commands on a remote machine, and moving files from one machine to another. It provides strong authentication and secure communications over insecure channels.
It also does many other things that any aspiring hacker would find interesting. Download SSH from http://ftp.rge.com/pub/ssh.
3. Use vipw(1) to lock the non-login accounts. Note that on Red Hat Linux an empty login-shell field means /bin/sh, which is probably not what you want. Also make sure that none of your accounts has an empty password field. The following is an example of what the system accounts in a secured password file would look like:
daemon:*:2:2:daemon:/sbin:/bin/sync
adm:*:3:4:adm:/var/adm:/bin/sync
lp:*:4:7:lp:/var/spool/lpd:/bin/sync
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/bin/sync
halt:*:7:0:halt:/sbin:/bin/sync
mail:*:8:12:mail:/var/spool/mail:/bin/sync
news:*:9:13:news:/var/spool/news:/bin/sync
uucp:*:10:14:uucp:/var/spool/uucp:/bin/sync
operator:*:11:0:operator:/root:/bin/sync
games:*:12:100:games:/usr/games:/bin/sync
gopher:*:13:30:gopher:/usr/lib/gopher-data:/bin/sync
ftp:*:14:50:FTP User:/home/ftp:/bin/sync
nobody:*:99:99:Nobody:/:/bin/sync
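As an added example (not part of the original article), here is a POSIX shell check for the two problems step 3 warns about: an empty password field, and a system account that still has a real login shell (including the empty shell field that Red Hat treats as /bin/sh). The passwd content is a constructed sample; the cut-off UID of 99 for "system account" and the set of acceptable non-login shells are assumptions you can change.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd file.

# Shells acceptable for accounts nobody should be able to log in as. The
# article uses /bin/sync; the other two are common alternatives (assumption).
NOLOGIN_SHELLS="/bin/sync /bin/false /sbin/nologin"

# audit_passwd FILE [MAX_SYSTEM_UID]
# Prints one line per finding: "EMPTY-PASSWORD user" or "LOGIN-SHELL user shell".
# Returns 1 if anything was found, 0 if the file is clean.
audit_passwd() {
    file=$1; max_sys_uid=${2:-99}
    findings=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$user" ] && continue
        # An empty second field means no password at all, not a locked account.
        if [ -z "$pw" ]; then
            echo "EMPTY-PASSWORD $user"; findings=$((findings + 1))
        fi
        # System accounts (other than root) should not have a login shell.
        # A missing shell field means /bin/sh on Red Hat, so treat it as one.
        if [ "$user" != root ] && [ "$uid" -le "$max_sys_uid" ]; then
            case " $NOLOGIN_SHELLS " in
                *" ${shell:-/bin/sh} "*) ;;
                *) echo "LOGIN-SHELL $user ${shell:-/bin/sh}"; findings=$((findings + 1)) ;;
            esac
        fi
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed sample passwd file: games has no password, gopher has an empty
# shell field, ftp has /bin/sh, alice is an ordinary user and must not be flagged.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/bin/sync
daemon:*:2:2:daemon:/sbin:/bin/sync
games::12:100:games:/usr/games:/bin/sync
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/home/ftp:/bin/sh
nobody:*:99:99:Nobody:/:/bin/sync
alice:x:500:500:Alice:/home/alice:/bin/bash'

demo_passwd() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    audit_passwd "$tmp" || echo "fix the accounts above with vipw(1)"
    rm -f "$tmp"
}
demo_passwd
```

On a real system call `audit_passwd /etc/passwd`; if the machine uses shadow passwords, run the same check against /etc/shadow as well, since the password field in /etc/passwd is then just an 'x'.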
4. Remove the 's' bits from programs that are owned by root but do not require that privilege. This is done by running the command 'chmod a-s' with the name or names of the files involved as arguments.
These programs include (the list is not complete):
1. programs you never use
2. programs that you do not want non-root users to run
3. programs that you use only occasionally, and do not mind having to su(1) to root to run
I have placed an asterisk (*) next to each program I personally disable. Remember that your system needs some suid root programs to work properly, so be careful.
Alternatively, you could create a special group called 'suidexec', put the users you trust in this group, chgrp(1) the program or programs with the suspect suid bit to the suidexec group, and remove world execute permission.
To list the suid root programs on your system:
# find / -user root -perm +u+s
(newer GNU find spells this -perm /u+s; -perm -4000 works with every find)
Command                        Comment
* /bin/ping
* /bin/mount                   only root should mount filesystems
* /bin/umount                  idem
  /bin/su                      do not touch this!
  /bin/login
  /sbin/pwdb_chkpwd
* /sbin/cardctl                PCMCIA card control utility
* /usr/bin/rcp                 use ssh
* /usr/bin/rlogin              idem
* /usr/bin/rsh                 idem
* /usr/bin/at                  use cron, or disable it altogether
* /usr/bin/lpq                 install LPRng
* /usr/bin/lpr                 idem
* /usr/bin/lprm                idem
* /usr/bin/mh/inc
* /usr/bin/mh/msgchk
  /usr/bin/passwd              do not touch!
* /usr/bin/suidperl            each new version of suidperl seems to have a buffer overflow
* /usr/bin/sperl5.003          use it only if necessary
  /usr/bin/procmail
* /usr/bin/chfn
* /usr/bin/chsh
* /usr/bin/newgrp
* /usr/bin/crontab
* /usr/X11R6/bin/dga           many buffer overflows, as in much of X11
* /usr/X11R6/bin/xterm         idem
* /usr/X11R6/bin/XF86_SVGA     idem
* /usr/sbin/usernetctl
  /usr/sbin/sendmail
* /usr/sbin/traceroute         I can put up with typing the root password from time to time
5. Update sendmail. Download the source from ftp://ftp.sendmail.org/pub/sendmail. Unpack it and read the instructions. Install smrsh (packaged with sendmail) if you have a couple of extra minutes: this program takes care of many of the things that worry people most about sendmail, such as mail being delivered to arbitrary programs. Edit sendmail.cf and set 'PrivacyOptions' to 'goaway':
O PrivacyOptions=goaway
If you do not plan to receive Internet mail, DO NOT RUN SENDMAIL IN DAEMON MODE (sendmail -bd)! In that case, disable /etc/rc.d/init.d/sendmail.init and do a 'killall -TERM sendmail'. You will still be able to send email, but not receive it.
6. Update BIND if you use it. The latest version of BIND can be found at http://www.isc.org. If you are not using it, disable it altogether.
7. Recompile the kernel. I usually do this to reduce the size of the default kernel. HINT: Enable all the firewall options even if your server is not a firewall.
CONFIG_FIREWALL=y
CONFIG_NET_ALIAS = y
CONFIG_INET = y
# CONFIG_IP_FORWARD is not set
# CONFIG_IP_MULTICAST is not set
CONFIG_SYN_COOKIES = y
CONFIG_RST_COOKIES = y
CONFIG_IP_FIREWALL = y
CONFIG_IP_FIREWALL_VERBOSE = y
# CONFIG_IP_MASQUERADE is not set
# CONFIG_IP_TRANSPARENT_PROXY is not set
CONFIG_IP_ALWAYS_DEFRAG = y
CONFIG_IP_ACCT = y
# CONFIG_IP_ROUTER is not set
# CONFIG_NET_IPIP is not set
CONFIG_IP_ALIAS = m
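As an added example (not part of the original article), here is a POSIX shell check that compares a kernel .config against the settings listed above, so you can verify /usr/src/linux/.config before building rather than discovering a missing option after the reboot. The wanted list is the article's; NAME=n means the option must be absent or commented out ("is not set"). The .config content in the demo is a constructed sample with two deliberate mistakes.

```shell
#!/bin/sh
# Added example, not from the original article: check a kernel .config.

# The article's recommended firewall settings, NAME=value form. "n" means the
# option must not be set.
WANTED_FIREWALL_CONFIG="CONFIG_FIREWALL=y CONFIG_INET=y CONFIG_IP_FORWARD=n
CONFIG_SYN_COOKIES=y CONFIG_IP_FIREWALL=y CONFIG_IP_FIREWALL_VERBOSE=y
CONFIG_IP_MASQUERADE=n CONFIG_IP_ALWAYS_DEFRAG=y CONFIG_IP_ACCT=y"

# kconfig_value CONFIG NAME: prints y, m, or whatever value is set, and n
# when the option is missing or appears only as "# NAME is not set".
kconfig_value() {
    v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    printf '%s\n' "${v:-n}"
}

# check_kconfig CONFIG WANTED...: one line per option; returns 1 on any mismatch.
check_kconfig() {
    cfg=$1; shift; rc=0
    for want in "$@"; do
        name=${want%%=*}; val=${want#*=}
        actual=$(kconfig_value "$cfg" "$name")
        if [ "$actual" = "$val" ]; then
            echo "ok    $name=$val"
        else
            echo "FAIL  $name is $actual, want $val"; rc=1
        fi
    done
    return $rc
}

# Constructed sample .config: IP forwarding is on and SYN cookies are off,
# both of which the article's list rejects.
SAMPLE_KCONFIG='CONFIG_FIREWALL=y
CONFIG_INET=y
CONFIG_IP_FORWARD=y
# CONFIG_SYN_COOKIES is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
# CONFIG_IP_MASQUERADE is not set
CONFIG_IP_ALWAYS_DEFRAG=y
CONFIG_IP_ACCT=y
CONFIG_IP_ALIAS=m'

demo_kconfig() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_KCONFIG" > "$tmp"
    # WANTED_FIREWALL_CONFIG is deliberately unquoted so it splits into words.
    check_kconfig "$tmp" $WANTED_FIREWALL_CONFIG || echo "kernel config needs attention"
    rm -f "$tmp"
}
demo_kconfig
```

Against a real tree: `check_kconfig /usr/src/linux/.config $WANTED_FIREWALL_CONFIG`, then `make config` (or menuconfig) to fix whatever it flags.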
8. Apply patches: Any known problems with Red Hat software are listed on the RedHat Errata pages (see http://www.redhat.com to find out which patches apply to your version). RedHat does an excellent job of keeping this site up to date. The pages also include links to the RPM files you need, along with installation instructions.
9. Configure tcp_wrappers: tcp_wrappers is a way of controlling which hosts on the network are allowed to talk to you. This package, written by security guru Wietse Venema, sits in front of the programs run from inetd (or those linked with its library) and consults its configuration files to decide whether to allow or deny each connection. For example, to allow telnet and ftp from your home via an ISP, and nothing else, put the following in /etc/hosts.allow:
in.telnetd, in.ftpd: .dialup.your-isp.com: allow
ALL: ALL: deny
SSH, sendmail, and other packages can be built with tcp_wrappers support. Read the tcpd(8) and hosts_access(5) manual pages for more information.
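To see which rule a given daemon and client pair would hit before exposing the real service, here is an added example, not part of the original article or of tcp_wrappers itself: a small POSIX shell evaluator for hosts.allow rules. It implements the first-match-wins order and the two pattern forms used on this page (ALL, and a leading-dot domain suffix); the real tcpd supports many more patterns, described in hosts_access(5), and consults /etc/hosts.deny when nothing in /etc/hosts.allow matches. The rules file is a constructed copy of the two lines above.

```shell
#!/bin/sh
# Added example, not from the original article: evaluate hosts.allow rules.

# match_list LIST NAME: LIST is comma separated. ALL matches anything,
# ".example.com" matches any host name ending in that suffix, anything
# else must match NAME exactly.
match_list() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case $pat in
            ALL) return 0 ;;
            .*)  case $2 in *"$pat") return 0 ;; esac ;;
            *)   [ "$pat" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# hosts_access_decide RULES DAEMON CLIENT
# Walks RULES (daemon_list : client_list [: option]) and prints the option of
# the first line matching both DAEMON and CLIENT: allow, deny, or nomatch
# when no line applies. A line with no option field means allow.
hosts_access_decide() {
    rules=$1; daemon=$2; client=$3
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        dlist=$(printf '%s' "$line" | cut -d: -f1)
        clist=$(printf '%s' "$line" | cut -d: -f2)
        opt=$(printf '%s' "$line" | cut -d: -f3 | tr -d ' ')
        if match_list "$dlist" "$daemon" && match_list "$clist" "$client"; then
            printf '%s\n' "${opt:-allow}"
            return 0
        fi
    done < "$rules"
    echo nomatch
}

# Constructed sample: the same policy as the article's hosts.allow.
SAMPLE_HOSTS_ALLOW='# constructed sample
in.telnetd, in.ftpd : .dialup.your-isp.com : allow
ALL : ALL : deny'

demo_hosts_access() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_HOSTS_ALLOW" > "$tmp"
    for pair in "in.telnetd ppp12.dialup.your-isp.com" \
                "in.ftpd ppp12.dialup.your-isp.com" \
                "in.telnetd ppp12.dialup.other-isp.com" \
                "ipop3d ppp12.dialup.your-isp.com"; do
        set -- $pair
        echo "$1 from $2: $(hosts_access_decide "$tmp" "$1" "$2")"
    done
    rm -f "$tmp"
}
demo_hosts_access
```

Note how the pop3 request from the trusted ISP is still denied: the first line names only the two daemons, so the catch-all second line decides. tcp_wrappers also ships tcpdmatch(8) for exactly this kind of dry run against the live files, and it understands the full pattern language.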