Securing the Home Front
Best Practices guide for securing the Linux workstation
Table of Contents
Preface
Introduction
Physical Access
Software Defense
Resources
Preface

The following white paper is provided as a best practices guide to the Linux community for securing the Linux workstation. All efforts have been made to remain OS-agnostic, and distribution-specific techniques have been noted. Rather than delve into specific configurations, a broad overview of the numerous available security resources is presented. All too often, casual Linux users are left with the daunting task of maintaining their system security and lack a concise roadmap to direct them to the proper resources. Newsgroups, mailing lists, and IRC can also be useful in solving really difficult issues. Though not required, prior Linux experience is recommended. The author welcomes reports of typos and mistakes, and all general feedback.
"We will play both offense -- massing our resources to meet the
most immediate threats - and defense - working to fill our most glaring
gaps."
Tom Ridge
Director of the Office of Homeland Security
Introduction

There is no silver bullet in security; rather, due diligence and knowledge are the best foundations for solid management of risk. Each user requires a different degree of security specific to their situation, and Linux is equally flexible in its implementation thereof. The focus of this document is specifically on workstations: those located in a corporate environment, those situated at home, and the myriad of situations that fall somewhere in between. This document is organized by methodology, and a list of resources is provided at the end to supplement the software packages and technologies referenced throughout the paper.

Finally, it is imperative to dispel a popular myth within the Linux community that certain distributions are more secure than others. While it is true that different flavors of Linux cater to separate audiences, the security of any given distribution is marked solely by the competence of its administrator. Be wary of claims such as "secure by default" and realize that security is always evolutionary. If carefully maintained, any distribution can be secured as well as another.
Physical Access

The workstation is just as susceptible to physical attacks as the expensive server locked away in the closet. By its very nature, it is more accessible and more prone to being tampered with, and therefore must be adequately defended.

An obvious preventative technique is to not keep passwords written on sticky notes or loose pieces of paper, regardless of convenience. Setting a strong password and changing it monthly is another strategy. However, if the workstation is left unattended without logging out, then a strong password is all for naught. Always configure the screensaver to start after a certain period of inactivity (10 minutes, for example) and require a password to unlock it.

An unattended keyboard can allow someone to forcibly kill the X server by pressing Ctrl+Alt+Backspace. Requiring a strong password and not having the machine automatically log in any user will prevent this type of attack. The XF86Config file can be edited to disable the Ctrl+Alt+Backspace keystroke, which is not a bad idea, but if the workstation is set to automatically log in a user, this defense is breached. A more dangerous vulnerability is that a workstation can be rebooted by pressing Ctrl+Alt+Delete. Adding the line ~~:S:wait:/sbin/sulogin to /etc/inittab (leaving the default id:3:initdefault: entry in place) makes the system ask for the root password before entering single user mode, which prevents an attacker from booting into single user mode and changing the root password. Additionally, commenting out the line ca::ctrlaltdel:/sbin/shutdown -t3 -r now by adding a pound sign in front of it, so that it reads #ca::ctrlaltdel:/sbin/shutdown -t3 -r now, disables Ctrl+Alt+Delete and prevents the system from being rebooted by anyone lacking administrative privileges.

Lastly, be sure to set a password when installing a boot loader such as GRUB or LILO. To further deter an attacker, set a BIOS password as well.
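The inittab changes just described can be checked rather than trusted; the following script is an added example (not part of the original paper) that audits an inittab file for an active ctrlaltdel entry and for the sulogin entry, run here against two constructed sample files. It assumes GNU grep and mktemp and a SysV-style /etc/inittab; the sample contents are made up for the demonstration.

```shell
#!/bin/sh
# Audit an inittab-style file for the two console settings discussed in the text.
# An active ctrlaltdel entry lets anyone at the keyboard reboot the machine; without
# a sulogin entry, single-user mode hands out a root shell with no password.
# Returns 0 when both settings are in place, 1 otherwise.
audit_inittab() {
    f="$1"; rc=0
    # An entry is active unless the whole line is commented out with a leading '#'.
    if grep -q '^[^#]*:ctrlaltdel:' "$f"; then
        echo "FAIL: active ctrlaltdel entry; Ctrl+Alt+Delete will reboot the system"
        rc=1
    else
        echo "OK:   ctrlaltdel entry absent or commented out"
    fi
    if grep -q '^~~:S:wait:/sbin/sulogin' "$f"; then
        echo "OK:   single-user mode requires the root password (sulogin)"
    else
        echo "FAIL: no sulogin entry; single-user mode gives a root shell without a password"
        rc=1
    fi
    return $rc
}

# Constructed samples (not copied from any real system): a stock inittab and the
# same file after the two changes described in the text.
STOCK_INITTAB='id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1'

HARDENED_INITTAB='id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
~~:S:wait:/sbin/sulogin
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1'

# Write sample text $1 to a temporary file, audit it, and pass the result through.
audit_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    audit_inittab "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

echo "== stock inittab";    audit_sample "$STOCK_INITTAB" || echo "(needs hardening)"
echo "== hardened inittab"; audit_sample "$HARDENED_INITTAB"
```

To audit a live system, call audit_inittab /etc/inittab; the constructed samples are only there to show both outcomes.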
Software Defense

Hardening the distribution is made simpler when less work is involved in executing and maintaining security. A key point worth mentioning again: security maintenance is a continuing process and not something done once and soon forgotten. Furthermore, attention must be paid to programs installed after the initial installation. Nothing is worse than having the false sense of security provided by a newly secured system shattered by an exploit of a subsequently installed, insecure and improperly configured piece of software.

In almost all scenarios, a smaller OS installation is preferred. Less software installed means less to be concerned with and less to keep updated. Every software package, whether binary or source, is a potential vulnerability, and having excess software to protect is a waste of bandwidth, time, and resources. Select only the packages required and do not settle for bloated installations. The Center for Internet Security published a Linux Security Benchmark, which consists of a PDF document and a Red Hat-based toolset to help secure a Linux installation. It is an invaluable resource and provides all the technical detail necessary to secure a Linux workstation or server, with instructions simple enough for a newbie to follow.

Next, always keep software updated. If nothing else, this protects the workstation from previously discovered vulnerabilities. Almost every distribution has an automated update method, such as Red Hat's up2date and Debian's apt-get.

Utilizing md5sum is highly advisable. Most distributed Linux software comes with rarely used .sig or .asc files that contain a "signature" for the binary or software package. Simply download the package along with its accompanying signature file and open a terminal window. Type md5sum package_name and it will print a long string of hexadecimal characters. Compare that string with the one in the signature file to verify the authenticity of the package.

Take advantage of Intrusion Detection Systems such as Snort or Tripwire. Their effectiveness depends on being installed immediately after a fresh install, while the binaries are still clean. They take a "snapshot" of the system and alert the administrator if any tampering is detected or if replacement binaries are introduced to the system. The maintainer is still responsible for acting upon these warnings and properly diagnosing the system.

PGP stands for Pretty Good Privacy, and GnuPG is offered for many variants of Unix, including Linux. Encrypting and digitally signing email not only provides accountability, but is also a relatively secure way of exchanging important information such as password changes or business correspondence.

Network security is beyond the scope of this document, but a workstation should always reside behind a firewall or other security device. Doing so will prevent a great many attacks from ever reaching their intended target. Properly configuring iptables and/or ipchains as a built-in firewall is very important to system security.

Distribution hardening scripts do exist, notably Bastille Linux for Red Hat Linux. While highly effective, these scripts take some control out of the hands of the administrator and should not coax one into believing that a system is entirely secured. Additionally, hardening scripts tend to be version specific and may not conform to the specific needs of the user.
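To make the md5sum and intrusion-detection paragraphs above concrete, here is an added example (not from the paper and not Tripwire's own code) of a minimal Tripwire-style check: record an md5sum baseline of a clean tree, then report files that were modified, removed, or added since, run against a constructed directory. It assumes GNU coreutils and findutils (md5sum, comm, mktemp, xargs -r) and paths without whitespace; note that the .sig/.asc files mentioned above are OpenPGP signatures, which are checked with gpg --verify rather than compared against an md5sum.

```shell
#!/bin/sh
# Minimal Tripwire-style integrity check built on md5sum. baseline_snapshot records
# one "md5  ./path" line per regular file under a directory; baseline_check compares
# the live tree with a saved baseline and reports MODIFIED, MISSING and ADDED files,
# returning 1 if anything changed. Assumes GNU tools and paths without whitespace.

baseline_snapshot() {
    (cd "$1" && find . -type f -print0 | xargs -0 -r md5sum | sort -k 2)
}

baseline_check() {
    dir="$1"; base="$2"; rc=0
    # Every file the baseline knows about: recompute its hash and compare.
    while read -r sum path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(md5sum "$dir/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$base"
    # Files present now that the baseline never saw (a dropped-in binary, for example).
    old=$(mktemp); cur=$(mktemp)
    awk '{print $2}' "$base" | sort > "$old"
    baseline_snapshot "$dir" | awk '{print $2}' | sort > "$cur"
    for p in $(comm -13 "$old" "$cur"); do
        echo "ADDED    $p"; rc=1
    done
    rm -f "$old" "$cur"
    return $rc
}

# Constructed demonstration: baseline a "clean install", then simulate a replaced
# binary, a removed binary and an unexpected new file before checking again.
demo_tamper_check() {
    root=$(mktemp -d); base=$(mktemp)
    mkdir "$root/bin"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'original ps\n' > "$root/bin/ps"
    baseline_snapshot "$root" > "$base"      # keep the baseline off the monitored tree
    printf 'replaced ls\n' > "$root/bin/ls"
    rm "$root/bin/ps"
    printf 'unexpected\n' > "$root/bin/newtool"
    baseline_check "$root" "$base"; rc=$?
    rm -rf "$root" "$base"
    return $rc
}

demo_tamper_check || echo "integrity check flagged changes (exit $?)"
```

As with Tripwire, the baseline is only trustworthy if it was taken before the system was exposed, and it must be stored where an intruder who replaces binaries cannot also rewrite it.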
Resources

Center for Internet Security - Linux Security Benchmark
LinuxSecurity.com
md5sum Usage
Nmap (network scanning tool)
Service Ports List
OpenSSH (ssh & scp)
Snort
Tripwire
GnuPG
IP Firewall HOWTO (ipchains & iptables)
Bastille Linux
Linux Security HOWTO (very comprehensive)
SecurityFocus.com (great mailing lists)