LINUX GAZETTE

"Linux Gazette...making Linux just a little more fun!"


My Guide To Linux Security

By Rob Tougher


1. Introduction
2. Securing My Linux Box
2.1 Installation
2.2 Post-installation
2.3 Post-compromise forensics (nobody's perfect)
3. Secure Transmissions
4. Conclusion
a. References

1. Introduction

This article explains the steps I take to secure my home computer and data communications. If you are an active proponent of computer security, this article will be a review. If you do not have any security practices currently, you should read on to get a general idea of how to secure a Linux box. This obviously isn't a complete security reference - I take security seriously, but I'm not as vigilant as I could be with my computer. You will have to see for yourself whether or not the items in this article provide enough security for your needs.

2. Securing My Linux Box

I run a Debian Linux box here at home. I keep it powered up and connected to the Internet at all times. There are two reasons I want to keep this computer secure - to hide my data from those who shouldn't see it, and to protect my computer resources from those who shouldn't be using them. I keep important stuff on my machine - data that shouldn't be read (and certainly not modified) by anyone but me. And I don't want an intruder to be able to use my machine as a staging ground for attacks on other targets. I'd be pretty pissed if I found out someone was using my machine to try to break into other systems.

2.1 Installation

After a fresh install, the first thing I do right off the bat is configure iptables in my kernel. Iptables allows me to block any packets entering or leaving my computer. This is important because I am constantly connected to the net, which leaves my computer open for an attack. Configuring iptables isn't for the faint of heart - it requires downloading the kernel source code, configuring it correctly, and installing it without screwing anything up. If you have never done this before, you should check out the Linux Kernel HOWTO, and practice compiling your kernel a few times before trying to configure iptables.

Next is LIDS - the Linux Intrusion Detection System. LIDS consists of a patch for the kernel, and two userspace utilities - lidsconf and lidsadm. The purpose of this system is to increase the level of security of your computer by restricting access to files and processes, and alerting you when attempts to break these restrictions occur. The great part about LIDS is that you can even restrict the root account's permissions. This reduces the power of the root account, and limits the damage that can be done if an intruder gets root privileges. I use LIDS to protect my system binaries, my log files in /var/log, and my configuration files in /etc. The binaries I mark as READONLY so that no user, including root, can modify or delete them. The log files I mark as APPEND so that programs can write data to files in this directory, but cannot delete or change existing data.

The next thing I do is minimize the number of services running on the computer. The less services I run, the less chance there is for someone to be able to break into my machine. Distributions tend to let a lot of daemons run by default, which is a bad thing in my opinion. I turn off telnet, FTP, named, and all of the R* daemons, to name a few. I basically turn everything off so that I don't have to worry about keeping them updated with security fixes and such. For the services that I do run, I install any security patches that are created as soon as possible. And if a situation occurs where there is a vulnerability made public without the proper fix, I will turn off the service.

After reducing the number of services running on my computer, I type "netstat -l" to see what sockets are listening for connections. I do this just to make sure I haven't missed any services that I don't need. Every once in a while I'll miss something important, and catch it later on with netstat.

2.2 Post-installation

After an installation, I run chkrootkit about every week or so. This program will alert me to the presence of any rootkits on my computer. A rootkit is a set of tools that a cracker can use to hide his tracks - the kit contains trojaned(altered) versions of various utilities like ps, ifconfig, and others. If an intruder broke into my machine and installed a rootkit, he could basically use my computer resources for whatever he wanted, and I could only detect him if I was paying very close attention to my system. You can download and analyze various rootkits (for educational use only!) at packetstorm . The one I've seen mentioned the most is LRK5, which is listed about half way down the page.

When downloading files off of the Internet, I generate checksums for them using md5sum. Most sites that provide downloadable files also list their checksums, so that I can check to see that the files I download match the files they are providing. This is a simple check, and reassures me that I am getting the right bits. There is of course the possibility that both the files and the checksums have been tampered with, but in this situation the web site will probably figure it out quickly, and fix the problem.

2.3 Post-compromise forensics (nobody's perfect)

All of the security in the world cannot guarantee that your machine will be safe from crackers. I can honestly say that I don't think my computer has ever been compromised, but I'm not 100% sure. For the first couple of months that I used Linux, I didn't give a squat about security - I was just trying to get the operating system working. I was more interested in learning the basic userspace commands, and didn't want to be bothered by anything else. I was wide open for an attack. I had a VA Linux machine with a stock Redhat system they put on there. I probably was running many servers, and didn't even know it. Poor guy.

Well, If my machine ever becomes compromised in the future, I will first head over to the main site for The Coroner's Toolkit. TCT is a set of tools that allow you to figure out what happened on a compromised machine. You run them, and sit back and relax while they collect data from your hard drive. I haven't personally used these tools, but from what the web site says, they do a pretty decent job. Another impression I get from the web site is that the tools are extremely difficult to use for novices, so you are in for a lot of reading and learning if you don't have any experience with TCT. On the bottom of the main page they have a couple of links to HOWTO documents, so your best bet is to start there.

I would also check out the Honeynet Project. The purpose of this project is to perform research in forensics analysis, and present this research to the public in the hopes of raising awareness about security. They have a monthly forensics contest, where they present information about a real compromise on their network, and ask for write-ups on how to investigate the intrusion. The archive for this contest has a lot of great submissions by security professionals - I actually learned about The Coroner's Toolkit by seeing it mentioned in a handful of these investigations. Anyone interested in computer forensics should go to this site and read as much information as they can find - there's enough to keep you busy for a while.

3. Secure Transmissions

Transmissions by default are insecure. Your data just flies across the Internet for everyone to see, and you can't do anything about it. You can use the traceroute program to see an example of this in action. Type "traceroute www.google.com" at your command prompt, and you'll see every machine that gets to look at the data you send google during a web search.

I make sure that whenever I am logging in to a site, I use the secure page - https. HTTPS uses SSL, which encrypts your data while in transit. If I didn't do this, my password could be sniffed by a compromised machine. For example, Yahoo! provides a method of secure login when submitting my username and password for their various web services. I have a Yahoo! email account, and use this secure login whenever I am checking my mail.

For remote administration, I use ssh and scp. These two programs are replacements for telnet and FTP. They are easy to install, and work just as well as the programs they replace. Once installed, I open up the corresponding ports in my iptables configuration so that I can connect to the machine from outside.

For email, I use GnuPG to encrypt data that I don't want anyone reading. When I am sending sensitive information to someone, I use their public key to encrypt it. I ask the same of people sending sensitive information to me. My public key is downloadable from my web site, and also available on various public key servers. These steps assure me that I'm the only one reading the email destined for my inbox.

4. Conclusion

I hope you enjoyed this article - I tried to explain, as clearly as possible, the steps I take to secure my computer and data communications. If you feel there are any glaring errors or omissions, by all means let me know. My security policy is far from perfect, and I'm very eager to hear about your practices and experiences.

a. References

The following is a list of sites I visit regularly to get information on various security topics:

Rob Tougher

Rob is a C++ software engineer in the NYC area. When not coding on his favorite platform, you can find Rob strolling on the beach with his girlfriend, Nicole, and their dog, Halley.


Copyright © 2002, Rob Tougher.
Copying license http://www.linuxgazette.net/copying.html
Published in Issue 80 of Linux Gazette, July 2002