LinuxSecurity.com

Securing the Home Front

Best Practices guide for securing the Linux workstation

Table of Contents

Preface

Introduction

Physical Access

Software Defense

Resources

Preface

The following white paper is provided as a best practices guide to the Linux community for securing the Linux workstation. Every effort has been made to remain distribution-agnostic, and distribution-specific techniques are noted as such. Rather than delve into specific configurations, a broad overview of the available security resources is presented. All too often, casual Linux users are left with the daunting task of maintaining their system's security without a concise roadmap to the proper resources. Newsgroups, mailing lists, and IRC can also be useful in solving especially difficult issues. Though not required, prior Linux experience is recommended. The author welcomes reports of typos and mistakes, and general feedback.

Introduction

"We will play both offense -- massing our resources to meet the most immediate threats -- and defense -- working to fill our most glaring gaps."

Tom Ridge

Director of the Office of Homeland Security

There is no silver bullet in security; rather, due diligence and knowledge are the best foundations for solid management of risk. Each user requires a different degree of security specific to their situation, and Linux is flexible enough to accommodate each. The focus of this document is distinctively on workstations: those located in a corporate environment, those situated at home, and the myriad of situations that fall somewhere in between.

This document is organized by methodology and a list of resources is provided at the end to supplement software packages and technologies referenced throughout the paper.

Finally, it is imperative to dispel a popular myth within the Linux community that certain distributions are inherently more secure than others. While it is true that different flavors of Linux cater to different audiences, the security of any given installation is ultimately determined by the competence of its administrator. Be wary of claims such as "secure by default": a hardened default configuration is only a starting point, and security is always evolutionary. If carefully maintained, any distribution can be secured as well as another.

Physical Access

The workstation is just as susceptible to physical attacks as the expensive server locked away in a closet. By its very nature it is more accessible and more prone to tampering, and therefore must be defended accordingly.

An obvious preventative measure is to never keep passwords on sticky notes or loose pieces of paper, regardless of convenience. Setting a strong password and changing it monthly is another. However, if the workstation is left unattended while still logged in, a strong password is all for naught. Always configure the screensaver to start after a short period of inactivity (10 minutes, for example) and to require the password before the session can be resumed.

An unattended keyboard also allows someone to kill the X server with Ctrl+Alt+Backspace. If X was started with startx from a console login, killing it drops the attacker into that still-logged-in console shell; if a display manager is used and configured to log a user in automatically, it simply starts a fresh session for the attacker. Requiring a password at login and never enabling automatic login defeats both cases. The keystroke itself can be disabled with Option "DontZap" "true" in the ServerFlags section of the XF86Config file, which is not a bad idea, but it does not help if the workstation is set to log a user in automatically.

A more dangerous weakness is that a workstation can be rebooted by pressing Ctrl+Alt+Delete. An attacker can then interrupt the boot loader, boot into single-user mode, and change the root password. Adding the line ~~:S:wait:/sbin/sulogin to /etc/inittab (the id:3:initdefault: line itself is left unchanged) makes single-user mode prompt for the root password before handing out a shell. Note that this does not stop someone who passes init=/bin/sh to the kernel instead of requesting single-user mode; that path is closed by the boot loader password discussed below.

Additionally, commenting out the line ca::ctrlaltdel:/sbin/shutdown -t3 -r now by placing a pound sign in front of it (#ca::ctrlaltdel:/sbin/shutdown -t3 -r now) and then running telinit q to reload the file disables Ctrl+Alt+Delete, so the system can no longer be rebooted from the keyboard by anyone lacking administrative privileges. The reset button and the power cord remain, which is why the boot loader and BIOS passwords below still matter.
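The two /etc/inittab changes above are easy to get wrong by hand and easy to forget to re-check after a distribution upgrade rewrites the file. The script below, an added example that is not part of the original article, audits an inittab for both settings and writes a hardened copy; the sample inittab it works on is constructed for the demonstration. It applies to SysV init only: systemd-based systems have no /etc/inittab and disable the key combination with systemctl mask ctrl-alt-del.target instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit and apply the two
# /etc/inittab changes described above on a SysV init system. Run it against
# a copy first; the sample inittab below is constructed for demonstration.

# Exit 0 only if Ctrl+Alt+Del is disabled AND single-user mode runs sulogin.
audit_inittab() {
    f=$1
    status=0
    # An uncommented ctrlaltdel entry means init will act on the key combo.
    if grep -q '^[^#].*:ctrlaltdel:' "$f"; then
        echo "$f: Ctrl+Alt+Del still reboots the machine"
        status=1
    fi
    # Without a sulogin entry for runlevel S, "linux single" at the boot
    # prompt yields a root shell without asking for any password.
    if ! grep -q '^[^#].*:S:wait:/sbin/sulogin' "$f"; then
        echo "$f: single-user mode does not ask for the root password"
        status=1
    fi
    return $status
}

# Write a hardened copy of $1 to $2: comment out every active ctrlaltdel
# entry and append the sulogin entry if it is not already present, so
# running it again on hardened input changes nothing. The id:N:initdefault:
# line is left exactly as it is; only the S runlevel gets the extra entry.
harden_inittab() {
    awk '
        /^[^#].*:ctrlaltdel:/             { print "#" $0; next }
        /^[^#].*:S:wait:\/sbin\/sulogin/  { seen = 1 }
        { print }
        END { if (!seen) print "~~:S:wait:/sbin/sulogin" }
    ' "$1" > "$2"
}

# --- demo on a constructed Red Hat-style inittab --------------------------
tmp=$(mktemp -d)
cat > "$tmp/inittab" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
EOF
audit_inittab "$tmp/inittab" || echo "-> needs hardening"
harden_inittab "$tmp/inittab" "$tmp/inittab.hardened"
audit_inittab "$tmp/inittab.hardened" && echo "-> hardened copy passes"
# On the real system: cp inittab.hardened /etc/inittab && telinit q
rm -rf "$tmp"
```

The audit deliberately ignores commented-out lines, so an inittab that already carries the disabled entry passes, and the hardening step is idempotent so it can be run from a periodic check without accumulating duplicate sulogin lines.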

Lastly, be sure to set a password when installing a boot loader such as GRUB or LILO (GRUB's password directive, LILO's password= together with restricted), so that boot parameters such as single or init=/bin/sh cannot be supplied without it. To further deter an attacker, set a BIOS password and disable booting from floppy and CD-ROM, since booting from foreign media bypasses every control above. None of this stops someone who can open the case and remove the disk, so the hardware itself still needs physical protection.

Software Defense

Hardening a distribution is easier when executing and maintaining security takes less work. A key point worth repeating: security maintenance is a continuing process, not something done once and soon forgotten. Furthermore, attention must be paid to programs installed after the initial installation. Nothing is worse than having the false sense of security provided by a newly secured system shattered by an exploit against a subsequently installed, insecure, and improperly configured piece of software.

In almost all scenarios a smaller OS installation is preferred. Less software installed means less to keep track of and update. Every software package, whether installed as a binary or built from source, is a potential source of vulnerabilities, and protecting software that is never used wastes bandwidth, time, and attention. Select only the packages required and do not settle for bloated default installations.

The Center for Internet Security publishes a Linux Security Benchmark consisting of a PDF document and a Red Hat-based scoring toolset to help secure a Linux installation. It is an invaluable resource and provides the technical detail necessary to secure a Linux workstation or server, with instructions simple enough for a newcomer to follow.

Next, always keep software updated. If nothing else, this protects the workstation from already-known vulnerabilities, which is what most attacks rely on. Almost every distribution has an automated update mechanism, such as Red Hat's up2date or Debian's apt-get.

Verifying what you download is highly advisable, and two different mechanisms are commonly confused. Most distributed Linux software ships with rarely used .sig or .asc files: these are detached OpenPGP signatures made with the developer's private key, and they are checked with gpg --verify signature_file package_name after the developer's public key has been imported and its fingerprint confirmed independently. Separately, many projects publish MD5 checksums, either an MD5SUMS file or hashes listed on the download page. Running md5sum package_name in a terminal prints a long hexadecimal string; compare it with the published value, or run md5sum -c MD5SUMS to check a whole set at once. A bare checksum only proves the file was not corrupted in transit: an attacker who replaces a package on a mirror can replace the MD5SUMS file beside it just as easily, so the checksum list must itself come over a trusted channel or be signed. Use the signature whenever one is offered, and prefer SHA-256 sums where a project publishes them, since MD5 is no longer collision resistant.

Take advantage of intrusion detection tools such as Tripwire and Snort, which address different problems. Tripwire is a host-based file integrity checker: it takes a "snapshot" of the system (a database of cryptographic hashes of binaries and configuration files) and alerts the administrator when files are modified, added, or replaced. Its effectiveness depends on being installed immediately after a fresh install with clean binaries, and on the database being kept where an intruder cannot rewrite it, such as read-only or offline media. Snort is a network intrusion detection system: it watches traffic for known attack patterns rather than watching files. In both cases the maintainer is still responsible for acting on the warnings and properly diagnosing the system.
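The two checks described above, verifying a download against a published checksum list and keeping a Tripwire-style snapshot of installed binaries, are shown together below using nothing but coreutils. This is an added example, not code from the original article or from the Tripwire project: the package name, the bin/ directory and its contents are constructed for the demonstration, and a plain sha256sum listing stands in for Tripwire's own database format. The signature step calls gpg, which must have the developer's public key imported before it can report anything useful.

```shell
#!/bin/sh
# Added example (not from the original article): package checksum
# verification plus a Tripwire-style file-integrity baseline, built from
# coreutils only. All file names and contents below are constructed.

# Verify every entry in a checksum list ("<hex>  <file>" per line, the
# MD5SUMS/SHA256SUMS format most projects publish). $2 selects the tool;
# prefer sha256sum whenever the project publishes SHA-256 sums. Returns 0
# only if every listed file matches.
verify_checksums() {
    sumfile=$1
    tool=${2:-md5sum}
    (cd "$(dirname "$sumfile")" && "$tool" -c --status "$(basename "$sumfile")")
}

# Detached OpenPGP signatures (.sig/.asc) are checked with gpg, not md5sum.
# The developer's public key must be imported and its fingerprint confirmed
# out of band first; otherwise "Good signature" proves nothing.
verify_signature() {
    gpg --verify "$1" "$2"      # $1 = detached signature, $2 = the package
}

# Snapshot every regular file under $1 into baseline $2 (Tripwire's
# "database"). Take it on a fresh install and keep it read-only and off the
# machine: an intruder who can rewrite the baseline can hide any change.
take_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# Compare $1 against baseline $2. sha256sum -c reports modified and missing
# files but is silent about new ones, so added files are listed separately.
# Returns 1 if anything differs. (File names containing spaces are not handled.)
check_baseline() {
    dir=$1
    db=$2
    rc=0
    case $db in /*) ;; *) db=$PWD/$db ;; esac   # the check runs inside $dir
    if ! (cd "$dir" && sha256sum -c --status "$db"); then
        echo "modified or missing:"
        (cd "$dir" && sha256sum -c "$db" 2>/dev/null | grep -v ': OK$' | sed 's/^/  /')
        rc=1
    fi
    added=$(cd "$dir" && find . -type f | LC_ALL=C sort |
            awk 'NR==FNR { known[$2] = 1; next } !($1 in known)' "$db" -)
    if [ -n "$added" ]; then
        echo "new files:"
        printf '%s\n' "$added" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# --- demo on constructed files ---------------------------------------------
work=$(mktemp -d)
mkdir -p "$work/bin"
printf 'pretend this is /bin/login\n' > "$work/bin/login"
printf 'pretend this is /bin/ls\n'    > "$work/bin/ls"

# 1. Package verification: the "download" and its published MD5SUMS file.
printf 'package contents\n' > "$work/foo-1.0.tar.gz"
(cd "$work" && md5sum foo-1.0.tar.gz > MD5SUMS)
verify_checksums "$work/MD5SUMS" && echo "package OK"
printf 'trojan\n' >> "$work/foo-1.0.tar.gz"          # tamper with the download
verify_checksums "$work/MD5SUMS" || echo "package checksum mismatch"

# 2. Integrity baseline: snapshot, then replace a binary and drop in a new one.
take_baseline "$work/bin" "$work/baseline.db"
check_baseline "$work/bin" "$work/baseline.db" && echo "system clean"
printf 'replaced\n' > "$work/bin/ls"
printf 'backdoor\n' > "$work/bin/.rootkit"
check_baseline "$work/bin" "$work/baseline.db" || echo "tampering detected"
rm -rf "$work"
```

The demo makes the same point as the text: sha256sum -c on its own catches modified and missing files but says nothing about files that were added, and both the checksum list and the baseline are only as trustworthy as the channel they arrived over or the media they are stored on.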

PGP stands for Pretty Good Privacy; GnuPG is a free implementation of the same OpenPGP standard and is available for many variants of Unix, including Linux. Digitally signing email provides accountability, since the recipient can verify who sent a message and that it was not altered in transit, and encrypting it is a relatively secure way of exchanging sensitive information such as password changes or business correspondence.

Network security is beyond the scope of this document, but a workstation should always sit behind a firewall or similar security device, which prevents a great many attacks from ever reaching their target. A host-based packet filter, iptables on 2.4 and later kernels or ipchains on 2.2 kernels, configured to drop unsolicited inbound connections, is an important part of the workstation's own defense as well, since it still protects the machine when it is carried onto a less trusted network.
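For a single workstation the iptables ruleset that matches the paragraph above is short: deny inbound by default, allow loopback, allow replies to connections the host opened, and admit only the few services the user actually runs. The script below is an added example, not the article's own configuration; the 192.168.1.0/24 subnet is a constructed placeholder, it must run as root on a kernel with netfilter and connection tracking, and the IPT variable exists so the rules can be printed (IPT=echo) or captured for review before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal stateful iptables
# ruleset for a single workstation. The LAN subnet is a constructed
# placeholder; override LAN and IPT from the environment as needed.

IPT=${IPT:-/sbin/iptables}
LAN=${LAN:-192.168.1.0/24}

# workstation_firewall [tcp_port ...]
# Each port given is opened for new connections from $LAN only.
workstation_firewall() {
    # Start from a clean table with deny-by-default on INPUT and FORWARD.
    # OUTPUT stays open: a workstation initiates connections, it serves few.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback is needed by X, printing, local daemons and most desktop software.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened. Stateful matching is what makes
    # "drop everything else" workable on a client machine.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A "new" TCP connection that is not a SYN is a scan or a broken stack.
    "$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Services explicitly allowed, from the local subnet only (e.g. 22 for ssh).
    for port in "$@"; do
        "$IPT" -A INPUT -p tcp --dport "$port" -s "$LAN" -m state --state NEW -j ACCEPT
    done

    # Rate-limited log of what the INPUT policy is about to drop, so the
    # ruleset can be debugged without flooding syslog.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "WS-FW DROP: "
}

# Apply only when a port list is given:   sh fw.sh 22
# Print instead of applying:              IPT=echo sh fw.sh 22
if [ $# -gt 0 ]; then
    workstation_firewall "$@"
fi
```

Because the INPUT policy is DROP, anything not matched by an ACCEPT rule is silently discarded; the final LOG rule exists only to show what that was. Adding a service means adding one port argument, not rethinking the ruleset, and the default-deny policy holds even if a new daemon is installed later and starts listening on its own.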

Distribution hardening scripts do exist, notably Bastille Linux for Red Hat Linux. While highly effective, they take some control out of the administrator's hands and should not lull anyone into believing a system is entirely secured. Hardening scripts also tend to be version specific and may not match the particular needs of the user, so review what a script changes before trusting the result.

Resources

Center for Internet Security - Linux Security Benchmark

LinuxSecurity.com

md5sum Usage

Nmap (network scanning tool)

Service Ports List

OpenSSH (ssh & scp)

Snort

Tripwire

GnuPG

IP Firewall HOWTO (ipchains & iptables)

Bastille Linux

Linux Security HOWTO (very comprehensive)

SecurityFocus.com (great mailing lists)

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.