This document will attempt to explain some procedures and
commonly-used software to help your Linux system be more secure. It is
important to discuss some of the basic concepts first, and create a
security foundation, before we get started.
In the ever-changing world of global data communications,
inexpensive Internet connections, and fast-paced software development,
security is becoming more and more of an issue. Security is now a basic
requirement because global computing is inherently insecure. As your
data goes from point A to point B on the Internet, for example, it may
pass through several other points along the way, giving other users the
opportunity to intercept, and even alter, it. Even other users on your
system may maliciously transform your data into something you did not
intend. Unauthorized access to your system may be obtained by intruders,
also known as "crackers", who then use advanced knowledge to impersonate
you, steal information from you, or even deny you access to your own
resources. If you're wondering what the difference is between a "Hacker"
and a "Cracker", see Eric Raymond's document, "How to Become A
Hacker".
First, keep in mind that no computer system can ever be completely
secure. All you can do is make it increasingly difficult for someone to
compromise your system. For the average home Linux user, not much is
required to keep the casual cracker at bay. However, for high-profile
Linux users (banks, telecommunications companies, etc.), much more work
is required.
Another factor to take into account is that the more secure your
system is, the more intrusive your security becomes. You need to decide
where in this balancing act your system will still be usable, and yet
secure for your purposes. For instance, you could require everyone
dialing into your system to use a call-back modem to call them back at
their home number. This is more secure, but if someone is not at home,
it makes it difficult for them to log in. You could also set up your Linux
system with no network or connection to the Internet, but this limits
its usefulness.
If you are a medium to large-sized site, you should establish a
security policy stating how much security is required by your site and
what auditing is in place to check it. You can find a well-known
security policy example at RFC2196. It has been
recently updated, and contains a great framework for establishing a
security policy for your company.
Before you attempt to secure your system, you should determine
what level of threat you have to protect against, what risks you should
or should not take, and how vulnerable your system is as a result. You
should analyze your system to know what you're protecting, why you're
protecting it, what value it has, and who has responsibility for your
data and other assets.
Risk is the possibility that an
intruder may be successful in attempting to access your computer.
Can an intruder read or write files, or execute programs that
could cause damage? Can they delete critical data? Can they
prevent you or your company from getting important work done?
Don't forget: someone gaining access to your account, or your
system, can also impersonate you.
Additionally, having one insecure account on your system can
result in your entire network being compromised. If you allow a
single user to log in using a .rhosts
file, or to use an insecure service such as tftp, you risk an intruder getting 'his foot
in the door'. Once the intruder has a user account on your system,
or someone else's system, it can be used to gain access to another
system, or another account.
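The .rhosts mechanism mentioned above is easy to audit for. The following shell script is an added example, not part of the HOWTO: it walks a directory tree, finds every .rhosts file and classifies it as WILDCARD (a bare '+' trusts every host or user), WRITABLE (group or others can edit it, so anyone can add themselves) or PRESENT (a clean file, still a risk because rsh/rlogin trust is hostname-based). The home directories, user names and file contents are constructed in a temporary directory so the demo runs offline; on a real host you would point audit_rhosts at /home and /root.

```shell
# Added example, not part of the HOWTO: audit a directory tree for .rhosts
# files and classify each one. The sample tree below is constructed under a
# temp dir so the demo runs offline.

# Create three home directories with one .rhosts each and print the root.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/bob" "$d/carol"
    printf 'trusted.example.org alice\n' > "$d/alice/.rhosts"   # one named host
    chmod 600 "$d/alice/.rhosts"
    printf '+ +\n' > "$d/bob/.rhosts"                           # any host, any user
    chmod 600 "$d/bob/.rhosts"
    printf 'host1.example.org carol\n' > "$d/carol/.rhosts"
    chmod 666 "$d/carol/.rhosts"                                # anyone can add entries
    printf '%s\n' "$d"
}

# Classify one .rhosts file: WILDCARD if a bare '+' trusts every host or
# user, WRITABLE if group or others can modify it, PRESENT otherwise.
classify_rhosts() {
    f=$1
    if grep -Eq '(^|[[:space:]])\+([[:space:]]|$)' "$f"; then
        echo WILDCARD
        return
    fi
    # Columns 6 and 9 of ls -l are the group and other write bits.
    case $(ls -ld "$f" | cut -c6,9) in
        *w*) echo WRITABLE ;;
        *)   echo PRESENT ;;
    esac
}

# Walk the tree and print "<path> <verdict>" for every .rhosts file found.
audit_rhosts() {
    find "$1" -name .rhosts -type f 2>/dev/null | sort | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(classify_rhosts "$f")"
    done
}

DEMO=$(make_demo_tree)
audit_rhosts "$DEMO"
rm -rf "$DEMO"
```

Run it as root with audit_rhosts /home to cover every account; any WILDCARD or WRITABLE result is a file that should be removed, and the rsh/rlogin services themselves should be disabled in favour of ssh.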
A threat typically comes from someone with the
motivation to gain unauthorized access to your network or
computer. You must decide whom you trust to have access to your
system, and what threat they could pose.
There are several types of intruders, and it is useful to
keep their different characteristics in mind as you are securing
your systems.
The Curious - This type
of intruder is basically interested in finding out what type
of system and data you have.
The Malicious - This
type of intruder is out to either bring down your systems, or
deface your web page, or otherwise force you to spend time and
money recovering from the damage he has caused.
The High-Profile
Intruder - This type of intruder is trying to use
your system to gain popularity and infamy. He might use your
high-profile system to advertise his abilities.
The Competition - This
type of intruder is interested in what data you have on your
system. It might be someone who thinks you have something that
could benefit him, financially or otherwise.
The Borrowers - This
type of intruder is interested in setting up shop on your
system and using its resources for his own purposes. He
typically will run chat or IRC servers, porn archive sites, or
even DNS servers.
The Leapfrogger - This
type of intruder is only interested in your system to use it
to get into other systems. If your system is well-connected or
a gateway to a number of internal hosts, you may well see this
type trying to compromise your system.
Vulnerability describes how well-protected your computer is
from another network, and the potential for someone to gain
unauthorized access.
What's at stake if someone breaks into your system? Of
course the concerns of a dynamic PPP home user will be different
from those of a company connecting their machine to the Internet,
or another large network.
How much time would it take to retrieve/recreate any data
that was lost? An initial time investment now can save ten times
more time later if you have to recreate data that was lost. Have
you checked your backup strategy, and verified your data
lately?
Create a simple, generic policy for your system that your users
can readily understand and follow. It should protect the data you're
safeguarding as well as the privacy of the users. Some things to
consider adding are: who has access to the system (Can my friend use my
account?), who's allowed to install software on the system, who owns
what data, disaster recovery, and appropriate use of the system.
A generally-accepted security policy starts with the phrase
"That which is not permitted is prohibited".
This means that unless you grant access to a service for a user,
that user shouldn't be using that service until you do grant access.
Make sure the policies work on your regular user account. Saying, "Ah, I
can't figure out this permissions problem, I'll just do it as root" can
lead to security holes that are very obvious, and even ones that haven't
been exploited yet.
RFC1244
is a document that describes how to create your own network security
policy.
RFC1281
is a document that shows an example security policy with detailed
descriptions of each step.
Finally, you might want to look at the COAST Policy
Archive to see what some real-life security policies look
like.
This document will discuss various means with which you can secure
the assets you have worked hard for: your local machine, your data, your
users, your network, even your reputation. What would happen to your
reputation if an intruder deleted some of your users' data? Or defaced
your web site? Or published your company's corporate project plan for
next quarter? If you are planning a network installation, there are many
factors you must take into account before adding a single machine to
your network.
Even if you have a single dial-up PPP account, or just a small
site, this does not mean intruders won't be interested in your systems.
Large, high-profile sites are not the only targets -- many intruders
simply want to exploit as many sites as possible, regardless of their
size. Additionally, they may use a security hole in your site to gain
access to other sites you're connected to.
Intruders have a lot of time on their hands, and can avoid
guessing how you've obscured your system just by trying all the
possibilities. There are also a number of reasons an intruder may be
interested in your systems, which we will discuss later.
Perhaps the area of security on which administrators concentrate
most is host-based security. This typically involves making sure your
own system is secure, and hoping everyone else on your network does
the same. Choosing good passwords, securing your host's local network
services, keeping good accounting records, and upgrading programs with
known security exploits are among the things the local security
administrator is responsible for doing. Although this is absolutely
necessary, it can become a daunting task once your network becomes
larger than a few machines.
Network security is as necessary as local host security. With
hundreds, thousands, or more computers on the same network, you can't
rely on each one of those systems being secure. Ensuring that only
authorized users can use your network, building firewalls, using
strong encryption, and ensuring there are no "rogue" (that is,
unsecured) machines on your network are all part of the network
security administrator's duties.
This document will discuss some of the techniques used to secure
your site, and hopefully show you some of the ways to prevent an
intruder from gaining access to what you are trying to protect.
One type of security that must be discussed is "security through
obscurity". This means, for example, moving a service that has known
security vulnerabilities to a non-standard port in hopes that
attackers won't notice it's there and thus won't exploit it. Rest
assured that they can determine that it's there and will exploit it.
Security through obscurity is no security at all. Simply because you
may have a small site, or a relatively low profile, does not mean an
intruder won't be interested in what you have. We'll discuss what
you're protecting in the next sections.
This document has been divided into a number of sections. They
cover several broad security issues. The first, Section 3, covers how you need to protect your
physical machine from tampering. The second, Section 4, describes how to protect your system from
tampering by local users. The third, Section 5,
shows you how to set up your file systems and permissions on your files.
The next, Section 6, discusses how to use
encryption to better secure your machine and network. Section 7 discusses what kernel options you should
set or be aware of for a more secure system. Section 8 describes how to better secure your Linux
system from network attacks. Section 10 discusses
how to prepare your machine(s) before bringing them on-line. Next, Section 11 discusses what to do when you detect a
system compromise in progress or detect one that has recently happened.
In Section 12, some primary security resources are
enumerated. The Q and A section, Section 14, answers some
frequently-asked questions, and finally Section 15 offers a conclusion.
The two main points to realize when reading this document
are:
Be aware of your system. Check system logs such as
/var/log/messages and keep an eye on your system.
Keep your system up-to-date by making sure you have
installed the current versions of software and have upgraded per
security alerts. Just doing this will help make your system
markedly more secure.
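"Keep an eye on your system" is vague without a concrete check, so here is one as an added example (not from the HOWTO): a shell pipeline that reads syslog-format lines, counts failed SSH password attempts per source address and flags any source that reaches a threshold. The log lines are constructed for the demo; on a real host you would feed in /var/log/messages, /var/log/auth.log or /var/log/secure, whichever your syslog configuration sends sshd messages to (an assumption about your setup, not something the HOWTO states).

```shell
# Added example, not part of the HOWTO: spot repeated failed SSH logins in
# syslog-style text. SAMPLE_LOG is constructed for the demo.
SAMPLE_LOG='Mar  3 10:01:12 gw sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 gw sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:19 gw sshd[2315]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:02:40 gw sshd[2320]: Accepted publickey for alice from 192.0.2.10 port 40122 ssh2
Mar  3 10:03:02 gw sshd[2325]: Failed password for bob from 192.0.2.10 port 40130 ssh2
Mar  3 10:05:55 gw kernel: eth0: link up'

# Read log text on stdin; print "<count> <address>" for every source that
# produced at least one "Failed password" line, most frequent first.
# Successful logins and non-sshd lines are ignored.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") src[$(i + 1)]++
         }
         END { for (s in src) print src[s], s }' | sort -rn
}

# Same input, but print only sources whose failure count reaches $1.
brute_force_suspects() {
    failed_logins_by_source | awk -v t="$1" '$1 + 0 >= t + 0'
}

# Usage: all sources, then only those with three or more failures.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source
printf '%s\n' "$SAMPLE_LOG" | brute_force_suspects 3
```

For continuous monitoring, run the same pipeline over the rotated log once a day from cron, or over `tail -f` output; a single user mistyping a password once is normal, a source producing dozens of failures against several user names is what the second function is meant to surface.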