10.26.05
Check List For Linux Security
By Jair Santos
Linux is an amazing operating system considering how it was originally
created. It began as a modest program written as a hobby by one person, Linus
Torvalds of Finland. It has grown into a full-fledged 32-bit operating system.
It is solid and stable, supports an incredible number of applications, has very
powerful capabilities, runs very fast and rarely crashes. Unfortunately, Linux
machines are broken into almost every day. This happens not because Linux is an
insecure operating system; it contains all the necessary tools to make it very
secure. But the truth is that it hasn't become significantly more secure with
the increase in popularity. On the other hand, our understanding of hackers'
methods and the wide variety of tools and techniques available have helped
system administrators secure their Linux computers.
Our goal in this article is to list the most critical situations, and how to prevent
an invasion with simple measures.
1- Weak passwords
By far the most common method hackers use to try to penetrate a Linux system is
cracking a password, preferably that of the user root. Usually they will target
a common user first and then, using his/her access to the operating system, try
to get privileged access by cracking the root password. Good password policy
and good passwords are absolutely critical to the security of any computer. Some
common mistakes when selecting a password:
A- use "password" as password.
B- use the name of the computer.
C- a well-known name from science, sports or politics.
D- reference to movies.
E- anything that is part of the user web site.
F- references associated with the account.
The latest versions of Linux offer shadowed passwords. If a cracker can see an
encrypted password, cracking it would be a simple task. So, instead of being
stored in the passwd file, passwords are now stored in the shadow file, which is
readable only by root. Before a hacker can crack a password he needs to figure
out an account name, so simple account names must be avoided as well. Another
security measure is to apply a "no login" to the account in the passwd file.
This must be done for all the accounts that don't need to log in to the system.
Examples are apache, mysql, ftp and others.
Limit which terminals root may log in from. If the root account is allowed to
log in only on certain terminals that are considered secure, it will be almost
impossible for a hacker to penetrate the system. This can be done by listing the
allowed terminals in /etc/securetty. The login program will consider insecure
any terminal that is not listed in this file, which is readable only by root.
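The account checks from this section (hashes kept out of the passwd file, no empty passwords, no login shell on service accounts) can be run as a quick audit. This is an added example, not code from the original article; the finding labels, the UID_MIN threshold and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): audit passwd- and shadow-format files.
# Assumption: UIDs 1..UID_MIN-1 are service accounts; adjust UID_MIN per distribution.
UID_MIN=${UID_MIN:-1000}

audit_accounts() {   # $1 = passwd-format file, $2 = shadow-format file
    awk -F: -v uid_min="$UID_MIN" '
        FILENAME == ARGV[1] {            # shadow file: remember empty password fields
            if ($2 == "") empty[$1] = 1
            next
        }
        {
            user = $1; pw = $2; uid = $3 + 0; shell = $7
            if (pw == "" || (pw == "x" && (user in empty)))
                print "EMPTY_PASSWORD " user
            else if (pw != "x" && pw != "*" && pw !~ /^!/)
                print "UNSHADOWED_HASH " user     # hash readable by every local user
            if (uid == 0 && user != "root")
                print "EXTRA_UID0 " user
            if (uid > 0 && uid < uid_min && shell !~ /\/(nologin|false)$/)
                print "SERVICE_LOGIN_SHELL " user " " shell
        }
    ' "$2" "$1"
}

# Constructed sample data (not real accounts or hashes).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
ftp:$1$CONSTRUCTED$notarealhash:14:50:FTP:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
apache:!!:19000::::::
mysql:!!:19000::::::
ftp:*:19000::::::
alice:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

On a real host the same function takes /etc/passwd and /etc/shadow and must run as root, since the shadow file is readable only by root.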
2- Open Network Ports
Any default Linux installation will provide the operating system with tons of
software and services. Several of them are not necessary or even wanted by the
administrator. Removing this software and these services will close the path to
several attacks and improve security. The /sbin/chkconfig program can be used to
stop services from automatically starting at run levels 3, 4 and 5. Log in as root
and type /sbin/chkconfig --list to view all the services set to start automatically.
Select the ones you don't need and type /sbin/chkconfig --level 345 name_of_service off.
You must do that for all services you don't want to keep running. Also, the xinetd
server can be used to disable other services as well.
3- Old Software Versions
Every day, vulnerabilities are found in programs, and most of them are continually
being fixed. It is important, and sometimes critical, to keep up with the changes.
There are mailing lists for every Linux distribution where one can find
security-related information and the latest vulnerabilities found. Some places to
watch for security holes are:
Read the rest of the article.
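For the service review in section 2 (Open Network Ports) above, the following turns captured /sbin/chkconfig --list output into a list of disable commands to review before running them. This is an added example, not code from the original article; the KEEP allowlist and the sample listing are assumptions constructed for illustration, and the script only prints commands.

```sh
#!/bin/sh
# Added example (not from the article): plan which boot-time services to disable.
# Nothing is executed; the commands are printed for review.
# Assumption: KEEP lists the services this host actually needs.
KEEP="sshd syslog network crond"

plan_disable() {   # $1 = file holding captured `chkconfig --list` output
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) needed[k[i]] = 1 }
        /^xinetd based services:/ { in_xinetd = 1; next }
        in_xinetd {                       # lines look like "    telnet: on"
            name = $1; sub(/:$/, "", name)
            if ($2 == "on" && !(name in needed))
                print "# xinetd service enabled: " name
            next
        }
        NF >= 8 && !($1 in needed) {      # "name 0:off 1:off ... 6:off"
            levels = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[345]:on$/) levels = levels substr($i, 1, 1)
            if (levels != "")
                print "/sbin/chkconfig --level " levels " " $1 " off"
        }
    ' "$1"
}

# Constructed sample listing (not captured from a real host).
LISTING=$(mktemp)
cat > "$LISTING" <<'EOF'
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:off   5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        telnet: on
        rsync:  off
EOF

plan_disable "$LISTING"
```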
About the Author:
Jair Santos has been a Software Engineer for over 10 years. He is the manager of the
Technical Support Department of Cliconnect Internet Telephony - www.cliconnect.com