This document will discuss procedures and commonly used software to increase the trust level of your system. It is important to discuss the basic concepts first, and create a security foundation before we get started.
This document has been dividedinto a number of sections. They cover several broad kinds of security issues. So far these sections include:
/var/log/messagesand keep an eye on your system, and
Perhaps the area of most concentration on security is done with host-based security. This typically involves making sure your own system is secure, and hoping everyone else on your network does the same.
Choosing good passwords, securing your services your hosts offer, keeping good accounting records, and upgrading programs that have known security exploits are among the things the local Security Administrator is responsible for doing.
Although this is absolutely necessary, it can become a daunting task once your network of machines becomes larger. It can be said that host-based security does not scale. A host-based security exploit must be repaired on each machine on your network, which requires accessing each machine individually and applying the fix.
Network security is as necessary as local host security. With your single system, or a distributed computing network, the Internet, or hundreds, if not thousands or more computers on the same network, you can't rely on each one of those systems being secure. Making sure authorized users are the only ones permitted to use your network resources, building firewalls, using strong encryption, and ensuring there are no rogue, or unsecured, machines on your network are all part of the network security administrator's duties.
This document will discuss some of the techniques used to secure your site, and hopefully show you some of the ways to prevent an intruder from gaining access to what you are trying to protect.
One type of security that must be discussed is ``security through obscurity''. This means that by doing something like changing the login name from 'root' to 'toor', for example, to try and obscure someone from breaking into your system as root may be thought of as a false sense of security, and can result in very unpleasant and unexpected consequences.
However, it can also be used to your benefit if done properly. If you
tell all the users who are authorized to use the root account on your
machines to use the root equivilent instead, entries in the
/var/log/secure for the real root user would surely indicate
an attempted break-in, giving you some advance notice. You'll have to
decide if this advantage outweighs the additional administration
In most cases, though, any system attacker will quickly see through such empty security measures. Simply because you may have a small site, or relatively low profile does not mean an intruder won't be interested in what you have. We'll discuss what your protecting in the next sections.
In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, your data. Even other users on your system may maliciously transform your data into something you did not intend. Unauthorized access to your system may be obtained by intruders, also known as ``crackers'', who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources. If you're still wondering what the difference is between a ``Hacker'' and a ``Cracker'', see Eric Raymond's document, ``How to Become A Hacker'', available at http://sagan.earthspace.net/~esr/faqs/hacker-howto.html.
While it is difficult to determine just how vulnerable a particular system is, there are several indications we can use:
First, keep in mind that no computer system can ever be ``completely secure''. All you can do is make it increasingly difficult for someone to compromise your system. For the average home Linux user, not much is required to keep the casual cracker at bay. For high profile Linux users (banks, telecommunications companies, etc), much more work is required.
Another factor to take into account is that the more secure your system is the more intrusive your security becomes. You need to decide where in this balancing act your system is still usable and yet secure for your purposes. For instance, you could require everyone dialing into your system to use a call back modem to call them back at their home number. This is more secure, but if someone is not at home, it makes it difficult for them to login. You could also setup your Linux system with no network or connection to the Internet, but this makes it harder to surf the web.
If you have more than one person logging on to your machine, or machines, you should establish a ``Security Policy'' stating how much security is required by your site and what auditing is in place to check it. You can find a well-known security policy example at http://ds.internic.net/rfc/rfc2196.txt. It has been recently updated, and contains a great framework for establishing a security policy for your company.
It is even advisable to generate a security policy for systems with just two users, or even a desktop machine, used for normal Internet dialup access.
While developing your security policy, you will have to decide on that balance between security and ease-of-use. You will also need to determine the current level of security on your systems. Ask yourself questions such as these:
Improving security at your site will have to be a progressive process -- you can not secure your systems overnight, and most likely your users will be reluctant to change, because they feel they will be losing usability. Also, don't discount the possibility that there are several packages and binaries on your system that are not even used, and can be removed without affecting functionality, yet improving security by limiting the available exploits.
Before you attempt to secure your system, you should determine what level of threat you have to protect against, what risks you should or should not take, and how vulnerable your system is as a result. You should analyze your system to know what you're protecting, why you're protecting it, what value it has, and who has responsibility for your data and other assets.
Additionally, having one insecure account on your system can result in
your entire network being compromised. A single user that is allowed
to login using an
rhosts file, or through the use of an
insecure service, increases the ability for the intruder using this to
``get his foot in the door''. Once the intruder has even a normal
user account on your system, or someone else's system, the likelihood
it can be used to gain access to another system, or another account is
There are several types of intruders, and it is useful to keep the different characteristics in mind as you are securing your systems.
What's at stake if someone breaks into your system? How much is it worth? When making the evaluation, you should consider items such as computer hardware and software, intellectual property, employee's, resources, such as network bandwidth, disk space, etc.
Of course the concerns of a dynamic PPP home user will be different than those of a company connecting their machine to the Internet, or another large network.
How much time would it take to retrieve/recreate any data that was lost? An initial time investment now can save ten times more time later if you have to recreate data that was lost. Have you checked your backup strategy, and verified your data lately?
Create a simple, generic policy for your system that your users can readily understand and follow. It should protect the data you're safeguarding, as well as the privacy of the users. Some things to consider adding are who has access to the system (Can my friend use my account?), who's allowed to install software on the system, who owns what data, disaster recovery, and appropriate use of the system.
A generally accepted security policy starts with the phrase:
"That which is not expressly permitted is prohibited"
This means that unless you grant access to a service for a user, that user shouldn't be using that service until you do grant access. Make sure the policies work on your regular user account, Saying, ``Ah, I can't figure this permissions problem out, I'll just do it as root'' can lead to security holes that are very obvious, and even ones that haven't been exploited yet.
Additionally, there are several questions you will need to answer to successfully develop a security policy:
You should develop a plan on who to contact when there is a security problem that needs attention.
There are quite a few documents available on developing a Site Security Policy. You can start with this one from Sun Microsystems http://wwwwseast2.usec.sun.com/security/sec.policy.wp.html
This document will discuss various means in which you can secure the assets you have worked hard for: your local machine, data, users, network, even your reputation. What would happen to your reputation if an intruder deleted some of your user's data? Or defaced your web site? Or published your company's corporate project plan for next quarter? If you are planning a network installation, there are many factors you must take into account before adding a single machine to your network.
Even if you have a single dialup PPP account, or just a small site, this does not mean intruders won't be interested in your systems. Large, high profile sites are not the only targets, many intruders simply want to exploit as many sites as possible, regardless of their size. Additionally, they may use a security hole in your site to gain access to other sites you're connected to.
Intruders have a lot of time on their hands, and can avoid guessing how you've obscured your system just by trying all the possibilities. There are also several reasons an intruder may be interested in your systems, which we will discuss later.
See the Host Security and Network Security sections for further information on steps to perform to secure your hosts.
Changes made for supposedly brief periods of time are also a great security risk. Subverting your firewall so you can dial-in from home to your workstation also allows an attacker to do the same. Also, temporary changes easily become permanent, as we quickly forget about such changes.
Remember, the weakest link in the security implementation is likely to be exploited first.