GNU Linux Security

^ click above ^

10.23.03

By Jagjit Phull

People consider the GNU or free software and open source software to be unsafe and are supposed to easily compromised because their source code are readily available,which isn't correct. This article is specifically related for the security of the GNU Linux Operating system and will help the person for enabling the security parameters for added safety.

First step in this is to have a Security as a Policy - A Security Policy. With out this you are not having clear definition to what you want to protect and what to do when you find any violations. I would suggest to have a look at Site "Security Handbook" an RFC 2196.

A GNU/Linux distributions has lots of softwares coming along with it as its installation part,so a GNU/Linux user needs to be aware of what packages he should install on the server systems which he is going to use in production environment.

Choosing a right password for an account. Always this is the point which gets stressed by the Security experts,and this is where maximum people override choosing the right password for there account and some or the other day compromise occurs. Passwords chosen for the systems should be of alphanumeric kind and every 3 months they should be changed and as far as possible use impersonal passwords i.e passwords should not be based on date of birth, children names etc. Length of the passwords are to be of minimum six characters.And should be revoked after some number of failed attempts.

Get DevWebPro Newsletter Free -">Click Here

The Account which makes you Powerful – "root". Knowing the root password is privilege and at the same time is of great responsibility. you become the GOD of the systems you can do whatever you want with the system - its under your control. The "root" account has no security restrictions imposed upon it.

For security reasons, never login on your server as "root" unless it is absolutely necessary an instance that necessitates root access. Disable the remote logins directly for the root account,to become root login with normal user account and then "su" to become root.

Set the login time out for the root account. Add to your /etc/profile TMOUT=1800. This means if a user leaves a console/terminal without logging out then shell after time specified by above parameter will logout the user. Enable the command history in /etc/profile by adding to your /etc/profile HISTSIZE=10 or some figure you would like to keep. Zeroing the .bash_history file so that when user logout the history file get deleted. HISTFILESIZE=0 .

Single user login mode of GNU/Linux
Passing these parameters to the Linux kernel will make land you up in a single user mode where usually administrators are supposed to do system maintenance activities after a crash. By default it does not ask for user password. so edit the /etc/inittab file and the following contentsa

id:3:initdefault:
~~:S:wait:/sbin/sulogin

Be sure to backup the inittab file in case you make mistake. after adding the contents execute

#/sbin/init q

which rereads the inittab contents and loads the new configuration.

Editing the /etc/lilo.conf file

timeout=00

This gives lilo wait for 0 seconds and interval for user to put in parameters on lilo boot prompt. You should do this unless your are dual booting some other Operating system like windows. You should also provide a password for lilo. Basically this option specifies that for any parameters passed to boot prompt of lilo will be asking you to supply a password enabled by password parameter option.

password=

This option basically protect the Linux image from booting without specifying a password. But this can be problem if you reboot the systems remotely,it will always wait for the user to type in the required password.

So after adding these changes /etc/lilo.conf file should look like this.

timeout=50 Change this line to 00

Remove the line if your are not passing any command line parameters.

Add this line to enable linux image protection

restricted

Add this line to enable password and put your password.

password=

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
message=/boot/message Remove the above line line if you do not want to get welcome message

lba32

image=/boot/vmlinuz-2.4.18-3bigmem
label=linux
initrd=/boot/initrd-2.4.18-3bigmem.img
read-only
root=/dev/hda7

image=/boot/vmlinuz-2.4.18-3smp
label=linux-smp
initrd=/boot/initrd-2.4.18-3smp.img
read-only
root=/dev/hda7

image=/boot/vmlinuz-2.4.18-3
label=linux-up
initrd=/boot/initrd-2.4.18-3.img
read-only
root=/dev/hda7

The configuration is readable by everyone, so change the permissions to disable that.

chmod 600 /etc/lilo.conf

Now we update our configuration for changes to take affect after rebooting.

/sbin/lilo -v

This will rewrite the new configuration for the Linux loader after we made changes to it. We can make the /etc/lilo.conf as an immutable file so that normally no one can edit and add any changes. You can do this by executing.

chattr +i /etc/lilo.conf

Note: But when you again modify something in this file please remove the immutable bit and edit any changes.

Disabling the CTRL+ALT+DEL - 3 finger salute

You can edit the /etc/inittab file and find out the entry.

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

and put a #, so that line looks like this

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Where # represents a comment. after this you need to execute

/sbin/init q

This will make sure that after pressing the key combinations the system does not reboot. Also set the immutable bit on the /etc/services file like this

chattr +i /etc/services

Edit the /etc/securetty file. This file allows you to specify on which tty's and Virtual Consoles(VC) root is allowed to login

The tty and VC's listed here, will allow root to login on certain tty's or VC's. On other tty or vs root user will not be allowed and user has to "su" to become root. Disable all accounts on the system which you do not use like for e.g.

userdel adm
userdel operator

also,remove the groups

groupdel adm
groupdel operator

then make the following file immutable

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/gshadow
chattr +i /etc/group

Note:if you are editing this file for some reason,please remove the immutable bit like this:

chattr -i /etc/

Change the mode of "rpm" binary so that only root is able to use it.

chmod 700 /bin/rpm

Increase the Security of /etc/rc.d/init.d/ files. So change the permissions if all the file to 700 like this:

#chmod -R 700 /etc/init.d/*
#chmod -R 700 /etc/init.d/*

Remove the /etc/issue and /etc/issue.net files. /etc/issue.net is the banner which users see when they remote login to the system. Find the SUID and SGID file on the system and make a list for your reference in case system gets compromised then you can compare the changes happened in the system. To find out the files use:

find / -type f ( -perm -04000 -o -perm -02000 ) -exec ls -l {} ; > SuSgfiles

it will create a file "SuSgfile" of file on whome suid and sgid bits have been set.

find the unusual or hidden file s

find / -name ".. " -print -xdev
find / -name ".*" -print -xdev |cat -v

Finding group and world writable files

find / -type f ( -perm -2 -o -perm -20 ) -exec ls -lg {} ;

For finding directories use the command below

find / -type d ( -perm -2 -o -perm -20 ) -exec ls -ldg {} ;

To find the unowned files

find / -nouser -o nogroup

This covers the basic GNU/linux settings for systems which will make the system secure,you also have to consider the application which your server is supposed to server like for e.g running a webserver or an ftp server then there are various other steps which you need to cover for securing the applications.

About the Author:
Jagjit Phull is a Linux enthusiast from New Mumbai. If you have a linux project you'd like to outsource, or questions about this article, contact Jagjit here: jacky_jag@yahoo.com.

Read this newsletter at: http://www.linuxpronews.com/2003/1023.html

Free Newsletters

Part of the iEntry Network
over 4 million subscribers

LinuxProNews

DevWebNews

UnixProNews

Send me relevant info on products and services.

WebmasterFree Downloads

From the Forum:

Linux server folder size

the webserver at my work is linux and was already linux when i got there.

it sounds like it is good that it is linux as most people believe linux is a more stable environment for webserving - which i have no knowledge of what-so-ever!!

i have encountered a problem though, my html folder on the server has a maximum size of 250MB and i want to put a folder on there that will bring it to a total of 560MB. There is heaps of space on the webserver, it is just in another folder and i cannot work out how to make that space available in my html folder. ...

Click here

-- LinuxProNews is an iEntry, Inc. publication --
2003 iEntry, Inc. All Rights Reserved Privacy Policy Legal

archives | advertising info | news headlines | free newsletters | comments/feedback | submit article

To unsubscribe from these mailings reply to this message with "unsubscribe 200" in the subject or ">click here.