06.25.03

By
Aleksandar Stancin
Here we go again. I decided to write another article concerning some overall
security aspects of installing and running Linux. To keep it short and simple,
here are some good pointers for enhancing your system's security. But remember,
there's no absolute security, so keep your eyes open, subscribe to a few good
mailing lists, and keep your software up-to-date.
Partitioning
Good partitioning does a lot for your system's security, and it greatly simplifies
your admin duties when you have to recover data after a system crash. You can create
various partitions and mount them read-only, nosuid or similar. Mounting a
partition nosuid is a simple way to address the SUID issue, which is generally
connected to buffer overflows that yield a root shell, or to other possible
security-compromising flaws. More about the SUID issue can be read here. If you
plan to run an FTP server, mounting its partition nosuid will save you a lot of
trouble in the future: it stays in read-write mode, but no SUID programs can be run
from it. The same can be said for mounting a partition read-only, or ro. You can always
alter these settings, which are located in /etc/fstab, for any of your block devices.
Of course, 'man 5 fstab' and 'man 8 mount' are your good friends for getting a grip
on all the possible options when mounting a filesystem. /etc/fstab is human readable,
so you'll easily find your way around it.
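The fstab options described above can be checked mechanically. The following is an added example, not part of the original article: the audit_fstab function, the sample fstab and the policy passed to it are all constructed for illustration.

```shell
#!/bin/sh
# Added example: report fstab entries that lack a mount option the policy expects.
# Usage: audit_fstab FSTAB_FILE "MOUNTPOINT:opt[,opt...]" ...
audit_fstab() {
    fstab=$1; shift
    for rule in "$@"; do
        mp=${rule%%:*}
        want=${rule#*:}
        # Field 2 is the mount point, field 4 the comma-separated options.
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$fstab")
        if [ -z "$opts" ]; then
            echo "$mp: not a separate partition"
            continue
        fi
        old_ifs=$IFS; IFS=,
        for o in $want; do
            case ",$opts," in
                *",$o,"*) ;;
                *) echo "$mp: missing $o (has $opts)" ;;
            esac
        done
        IFS=$old_ifs
    done
}

# Constructed sample fstab (device names and layout are illustrative only).
sample_fstab() {
    cat <<'EOF'
# <device>  <mount>   <type> <options>            <dump> <pass>
/dev/hda1   /         ext3   defaults             1 1
/dev/hda2   /usr      ext3   ro                   1 2
/dev/hda3   /home     ext3   defaults,nosuid      1 2
/dev/hda5   /var      ext3   defaults             1 2
/dev/hda6   /home/ftp ext3   rw,nosuid            1 2
EOF
}

# Hypothetical policy: nosuid on user-writable trees, ro on /usr.
run_sample_audit() {
    tmp=$(mktemp) || return 1
    sample_fstab > "$tmp"
    audit_fstab "$tmp" /usr:ro /home:nosuid /var:nosuid /home/ftp:nosuid /tmp:nosuid
    rm -f "$tmp"
}

run_sample_audit
```

Pointing audit_fstab at the real /etc/fstab with your own policy gives the same report for a live system.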
Generally speaking, putting Linux, or any other OS, on a single
partition is a major administration no-no, and with any multiuser, multitasking
OS it is asking for trouble sooner or later. So, whenever possible, create at least
these partitions, with sizes of your choice:
- / - which needs little space, but will house all of your other directories
if you do not create them as stand-alone partitions, so consider that before
creating it,
- /usr - houses most of your software, so you might consider allocating a lot
of space here,
- /home - is the starting point for all users on your system, so allocate space
according to the number of users you plan to have,
- /var - which is required for all the administrative logs, mail, usenet news
and others.
From a security
standpoint, it is a good idea to have at least a separate / and a separate /home
partition. This way you can restrict access to some partitions, easily repair
a damaged filesystem, keep the system running and so on. It might even be good
to keep your temporary data and logs on a separate RAM partition. That way, no
information about your system and the events that took place can be traced, because
all the information on the RAM disk is lost when the system is rebooted or shut
down. But you might also consider tarring the files before shutting down and
copying them elsewhere for later safe reading, if necessary. It's up to you.
You can always partition your system prior to installing whichever flavour
of Linux you have chosen, and most distributions come already equipped
with a partitioning tool. However, if you wish to do it yourself before installing
Linux, you can always do it with any fdisk: see 'man 8 fdisk', or run fdisk and type
'm' to review the list of all commands. Of course, there are other tools for
partitioning, such as Disk Druid, which comes with Red Hat, or Parted, a tool from
the GNU foundation that you can find here.
Passwords
Relying solely on decent passwords is not a good security measure, but using good
passwords reduces the risk of a security breach. So, use password generation
utilities and, most of all, educate your users about the significance of good
passwords. Sadly, the best passwords are the ones you'll hardly ever remember right,
so it's always a trade-off between security and usability. Usually, this means
horrible passwords, written on paper.
There are various proactive password checking utilities that can simplify your
job and force users to pick a good password. The shadow password system hardly
needs to be mentioned; it's a must. A good practice is to run a dictionary
attack yourself from time to time, just to check for easily retrievable passwords.
Make sure all users create a separate password for each system they access. All
passwords are vulnerable to dictionary attacks and brute force attacks; it's only
up to you to make the attacker's job more difficult.
Services and daemons running at boot time
All that can be said briefly is: disable anything you don't need or don't plan
on using, and don't install anything you don't need.
One thing is certain: if you need a certain service, like telnet or FTP, think
about it. Is it really needed? Is it safe to use, and is there a replacement
for it that is more reliable? For instance, SSH replaces telnet perfectly, and
FTP is pretty much obsolete, with all those web forms these days, and, yes, even
SCP from the SSH package.
Need an MTA? Why not think Qmail or some other instead of sendmail? A lot of issues
exist when planning what services you will provide and, more importantly, how.
Think about how you're going to organize your machines in production, as it's pretty
much useless to set up a perfect firewall, and lose a lot of time perfecting it,
just to put an FTP server behind it. Deploy servers rationally, exposing the least
possible number of services outside your LAN, no matter how simple or
harmless a service might be. If you really need services that have known past
security issues, a wise idea is to put them in a DMZ and separate them from
all other machines in every possible way.
Using LILO
If you plan to use LILO as your boot loader, some things can be achieved by adding
some extra lines to your /etc/lilo.conf, namely 'restricted' and 'password="somepassofyourchoice"'.
After making any alterations to /etc/lilo.conf, make sure to re-run lilo by typing
'/sbin/lilo' so that they take effect at the next boot. Adding the line 'restricted'
makes it necessary for the user to provide a password when trying to pass additional
boot parameters to lilo. The password option restricts the booting of Linux to
local users who have the password, but the password isn't encrypted, so make
/etc/lilo.conf owned by root and set it to mode 600. That's 'chmod 600'. As always,
you can 'man lilo' to find out more about additional options. The ultimate choice
is to make lilo boot from a floppy, so nobody without that floppy can boot the
system. Nothing like a dose of physical security measures! :) But still, be sure
to have a backup lying somewhere safe, because floppies aren't that reliable...
Of course, there are other ways of booting Linux, so make sure that you read more
documentation on the subject, so that you can make some good choices to enhance
the security of your system.
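The lilo.conf settings described above (a password line, a restricted line, root ownership and mode 600) can be verified with a short script. This is an added example, not part of the original article: check_lilo_conf and the sample configuration are constructed for illustration, and the mode and owner checks assume GNU stat.

```shell
#!/bin/sh
# Added example: check a lilo.conf for the directives and file mode described above.
check_lilo_conf() {
    conf=$1
    findings=""
    # A directive counts only if it starts a non-comment line.
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$conf" ||
        findings="${findings}no password= line
"
    grep -Eq '^[[:space:]]*restricted[[:space:]]*$' "$conf" ||
        findings="${findings}no restricted line
"
    # The password is stored in clear text, so only root may read the file.
    mode=$(stat -c %a "$conf")      # GNU stat, as shipped on Linux
    [ "$mode" = 600 ] || findings="${findings}mode is $mode, expected 600
"
    owner=$(stat -c %U "$conf")
    [ "$owner" = root ] || findings="${findings}owner is $owner, expected root
"
    printf '%s' "$findings"
}

# Constructed sample configuration; the password is a placeholder.
demo_lilo_check() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password="somepassofyourchoice"
# restricted
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
    chmod 644 "$tmp"
    echo "before:"; check_lilo_conf "$tmp"
    # Fix: enable restricted and tighten the mode.
    sed 's/^# restricted$/restricted/' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    chmod 600 "$tmp"
    echo "after:";  check_lilo_conf "$tmp"
    rm -f "$tmp"
}

demo_lilo_check
```

On a real system, run check_lilo_conf /etc/lilo.conf as root; an empty result means all four conditions hold.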
First appeared at Help Net Security
Read This Newsletter at: http://www.linuxpronews.com/2003/0625.html