In the last article, we installed Linux with only those packages we absolutly needed. (If you have not read my previous article, you should do so now, as it is the base from which this is built on.) Now comes the detail work, turning your gateway into fortress. The first thing to understand is there is no way to be completely secure. There is just not enough time to do it all, Corporations employ huge IT departments, whose sole purpose in life is to secure their networks, and still they get cracked. Just accept it and get on with your life. Our real goal here is to keep honest people honest, keep the Script Kiddies out and slow the rest down, giving you opprotunity to discover them. Ideally, this should be done right after the clean install, before the system ever gets put on the Internet. This article assumes you know something about Linux, how to install it, how to edit various configuration files, and that you can log in as root.
I also assume you are setting up a firewall system and have no intention of running DNS, DHCP, web, ftp or telnet server. If you intend to run any of these services, of these services, I recommend setting up seperate machines. Setup a DMZ on your network, a system which is secured but allows connections from system outside your network. This way if an intruder does penetrate your server, he will have to start all over to penetrate your firewall system and you will hopefully discovered his breakin before he is able to get access to your internal network.
In the world of Computer Security, Knowledge is Power. Frankly the Security Experts are always one step behind the Crackers, most security issues are not discovered by the Experts, but by the Crackers and are plugged only after they have been exploited. You need to keep up to date on new problems, at the very least you should be updating the packages as they come out. Type "rpm -qa > packages.txt", this gives you a list of the packages and version numbers installed on your system, then go to Redhat's web site and download the updated packages. While you are there you should read the security advisories and implement any changes they suggest. If you are really proactive, subscribe to both the BugTraq and CERT mailing lists.
Since this article is aimed at the home cable modem user, I will assume physical security is not a problem. If you have child or a nosey baby sitter, consider using the BIOS password protection built into most computers.
Besides the root account and the special accounts, which I'll go into in a moment, there should be only one user account. The user and the root accounts should have good passwords. A good password is one that is at least 8 characters long, has a mix of small letters, capital letters and numbers, and is not a dictionary word. It is also a good idea to change these passwords from time to time and do not write the passwords on a sticky note and put it on the monitor where everyone can see it. Use different passwords on each computer on your network, that way, if one system is cracked an intruder will still not have access to the other systems on the network. Again, because password cracking takes time, you will hopefully discover the cracker before he gets too far.
Along this same line, there are several special purpose accounts, which are installed by default with most Linux distributions, for our purposes these accounts are useless and pose a security risk, so we will remove them using the userdel command. The syntax for this command is "userdel username", substituting username with the appropriate account name. The accounts we want to remove are; adm, lp, sync, shutdown, halt, news, uucp, operator, games, gopher, and ftp. We also want to remove the associated groups with groupdel, the syntax is the same. Groups to delete are; adm, lp, news, uucp, games, dip, pppusers, popusers, and slipusers.
This is without a doubt the most important section. Poorly-maintained configuration files are the highest risk factor on any system. In this section you will be typing many of the same commands over and over again, this is a good opportunity to write a shell script to make this easier. What we want to do, after we are finished with each file, is to first make sure it's owned by root; second, that the only account which can read and write to it is root; and third, that it's unalterable even by root. This keeps the files from being accidentally deleted or changed and also prevents the file from being linked to, which could be a security risk. Type "touch secure-it", then type "chmod +x secure-it", now Open the file in your text editor of choice and put these lines in: (text version)
#!/bin/sh # Change owner to root chown root.root $1 # Change permissions so only root has access chmod 600 $1 # Make the file unalterable chattr +i $1
Now save the file and copy it to /usr/sbin by typing "cp secure-it /usr/sbin". Now when we are finished with a file we can lock it down simply by typing "secure-it filename".
echo "" > /etc/issue echo "$R" >> /etc/issue echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue cp -f /etc/issue /etc/issue.net echo >> /etc/issueBefore you save and close the /etc/rc.d/rc.local file, we want to keep the system from responding to ICMP requests, such as ping and traceroute, so we add the following lines right after the #!/bin/sh line:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all echo 1 > /proc/sys/net/ipv4/tcp_syncookiesThis will make your system all but invisible to the outside world; the Script Kiddies can't crack what they can't find. The second line helps protect your system from SYN Denial of Service Attacks. Go ahead and save the file and exit. Please note, this will also keep you from pinging the system, but should not interfere with other functions, such as ssh or IP forwarding. Finally, lock it down.
nospoof onThis will cause the system to reject any requests coming from a source outside your network, claiming to be a system on the inside of your LAN, this type of a attack is called IP Spoofing. Go ahead and lock it down with secure-it. Other files we don't need to alter, but need to be locked down are, /etc/services, /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow. If you plan to change your passwd or add a user you will have to run "chattr -i filename" on /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow or you will get an error message.
/dev/hda1 / ext2 defaults 1 1 /dev/hda9 /boot ext2 defaults 1 2 /dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0 /dev/hda5 /home ext2 defaults 1 2 /dev/hda6 /tmp ext2 defaults 1 2 /dev/sda1 /usr ext2 defaults 1 2 /dev/hda7 /var ext2 defaults 1 2 /dev/hda8 swap swap defaults 0 0 /dev/fd0 /mnt/floppy msdos noauto,owner 0 0 none /proc proc defaults 0 0 none /dev/pts devpts gid=5,mode=620 0 0We want to change the /home and /tmp lines to read as follows:
/dev/hda5 /home ext2 rw,nosuid,nodev 1 2 /dev/hda6 /tmp ext2 rw,nosuid,nodev,noexec 1 2
/dev/hda1 / ext2 defaults 1 1Change it to this,
/dev/hda1 / ext2 defaults,usrquota 1 1Add the following lines to /etc/rc.d/rc.local
/sbin/quotacheck -avug /sbin/quotaon -avugnow type "touch /quota.user" and then "chmod 700 /quota.user" and reboot the system. There may have some error messages about quota; ignore them. Once the system is back up, you will need to set the quota for, what should be the only user account, type the following command, replacing "username" the the name of your user account, type "edquota -u username". This should bring up the vi text editor showing something similar to this.
Quotas for user username: /dev/hda1: blocks in use: 7, limits (soft = 0, hard = 0) inodes in use: 6, limits (soft = 0, hard = 0)By setting a block limit, you are limiting how much drive space the user can consume in KB, by setting the inodes you will be limiting the amount of files the user can have. Soft limits when exceeded will warn the user, hard limits are absolute. Unless you have a very good reason to set them higher, such as you plan on transfering MP3's to this machine, I suggest setting the limits fairly low, something like 10 MB of disk space and 100 files. Edit the lines so they look like like this, then save the file and exit.
Quotas for user username: /dev/hda1: blocks in use: 7, limits (soft = 5120, hard = 10240) inodes in use: 6, limits (soft = 50, hard = 100)This will set a soft limit of 50 files taking up 5 MB and an absolute limit of 100 files consuming 10 MB of drive space.
-rwsr-xr-x 1 root root 35168 Sep 22 23:35 /usr/bin/chage -rwsr-xr-x 1 root root 36756 Sep 22 23:35 /usr/bin/gpasswd -r-xr-sr-x 1 root tty 6788 Sep 6 18:17 /usr/bin/wall -rwsr-xr-x 1 root root 33152 Aug 16 16:35 /usr/bin/at -rwxr-sr-x 1 root man 34656 Sep 13 20:26 /usr/bin/man -r-s--x--x 1 root root 22312 Sep 25 11:52 /usr/bin/passwd -rws--x--x 2 root root 518140 Aug 30 23:12 /usr/bin/suidperl -rws--x--x 2 root root 518140 Aug 30 23:12 /usr/bin/sperl5.00503 -rwxr-sr-x 1 root slocate 24744 Sep 20 10:29 /usr/bin/slocate -rws--x--x 1 root root 14024 Sep 9 01:01 /usr/bin/chfn -rws--x--x 1 root root 13768 Sep 9 01:01 /usr/bin/chsh -rws--x--x 1 root root 5576 Sep 9 01:01 /usr/bin/newgrp -rwxr-sr-x 1 root tty 8328 Sep 9 01:01 /usr/bin/write -rwsr-xr-x 1 root root 21816 Sep 10 16:03 /usr/bin/crontab -rwsr-xr-x 1 root root 5896 Nov 23 21:59 /usr/sbin/usernetctl -rwsr-xr-x 1 root bin 16488 Jul 2 10:21 /usr/sbin/traceroute -rwxr-sr-x 1 root utmp 6096 Sep 13 20:11 /usr/sbin/utempter -rwsr-xr-x 1 root root 14124 Aug 17 22:31 /bin/su -rwsr-xr-x 1 root root 53620 Sep 13 20:26 /bin/mount -rwsr-xr-x 1 root root 26700 Sep 13 20:26 /bin/umount -rwsr-xr-x 1 root root 18228 Sep 10 16:04 /bin/ping -rwxr-sr-x 1 root root 3860 Nov 23 21:59 /sbin/netreport -r-sr-xr-x 1 root root 26309 Oct 11 20:48 /sbin/pwdb_chkpwdAs you can see right hand side shows the permissions of each file: anything with an "s" in it has its SUID bit set. By disabling SUID bit, only root will be able to run the program. What needs to be done now is decide which ones can have the SUID bit safely turned off--many of these programs require it for normal operations. Many, however, should be run only by root anyway. How you turn the SUID bit off is with the following command:"chmod a-s filename". My suggestions for this step are; /usr/bin/chage, /usr/bin/gpasswd, /usr/bin/wall, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/newgrp, /usr/bin/write, /usr/sbin/usernetctl, /usr/sbin/traceroute, /bin/mount, /bin/umount, /bin/ping, and /sbin/netreport.
The last thing you want to do is setup your system to warn you of any changes to your system. If any intruders do get in and plant a Trojan or create a new account, we want the system to be able to tell what was altered. There are several good programs available for this, the easiest to implement that I've found is fcheck, which can be downloaded from, http://sites.netscape.net/fcheck/fcheck.html. Follow the instructions for installing and configuring the software, it is very straight forward. Once this is done, you will want it to run at least once a day and redirect the results to a file in the root directory. This can be done through crond, to setup a cron job, type "crontab -e" this will open vi, now type the following line:
1 0 * * * /usr/local/fcheck/fcheck -a > /root/fcheck.txtReplace the path to check with your own path, save and exit. Now at 12:01 every night, fcheck will run and the output will be placed in /root/fcheck.txt. If at any time fcheck detects altered files which you cannot account for, immeaditly remove the package from the system and reinstall it from the RedHat CD. Anytime you make a change to a file, you will need to rerun "fcheck -ca" and build another baseline.
It is relatively safe to put the system on the internet. Once this is done you will want to test your security. Gibson Research Corporation provides a port scanning service. In a perfect world, all the ports should be in stealth mode, meaning the ports do not respond to requests at all and will appear as though there is no system at your IP address. In a pinch the ports should be closed, meaning the port responds, but will not take requests; closed ports are still vulnerable to some types of attacks. Open ports are vulnerable ports, if any of your ports are open go back to the inetd.conf file, make sure it is empty, check to make sure apache, wu-ftpd or similar are not installed, also review your ipchains settings to ensure it is denying packets properly. It is a good idea to do this regularly to ensure an intruder has not opened a port for his personal use.
Again, as with my last article, I'd like to point out, this is not the end-all and be-all of Linux security, this is only a starting point. I have simplified this down to the very basics, there are many more things which could be done. Whether or not you should seek out these solutions, depends on what you are protecting. For a home user this will probably do just fine, however even a small business with more machines and data to protect, you should do more research and implement as much security as is possible. Better yet, hire a Network Security Consultant to implement it for you.