Chapter 14 Linux Security 437
Each user should have his or her own separate directory within /home, with read and write permission only for that user. If a user belongs to a group, he or she should also have access to that group's shared directory, which you can arrange with group permissions. For example, users jsmith and bjones both work in Engineering. You can create a group called Engineering and give it read and write access to the /home/engineering directory. With this setup, each user has only the access needed to reach his or her own files, and users can't read or modify any directory or file they have not been granted permission to access.
Log auditing
On a periodic basis, the Linux administrator should examine log files for any strange behavior or invalid login attempts. Multiple failed attempts, especially for the root user, should raise a warning flag that someone is trying to break into a user account.
Failed login attempts are logged in the file /var/log/secure. It is especially important that you check the file for failed attempts to reach the root user. The general system log file, /var/log/messages, also logs attempts (both successful and nonsuccessful) for accessing the root account.
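The periodic log check described above, as an added example that is not part of the book: it tallies failed logins per account from constructed /var/log/secure-style lines (login(1) and sshd formats) and raises a flag when root saw repeated failures and was then accepted.

```shell
# Added example (not from the book): tally failed logins from /var/log/secure-style
# lines and flag repeated failures against root followed by a successful login.
# The log lines below are constructed; the formats are those of login(1) and sshd.

SECURE_FILE=$(mktemp)
cat > "$SECURE_FILE" <<'EOF'
Mar  3 08:15:01 host login[1201]: FAILED LOGIN 1 FROM (null) FOR jsmith, Authentication failure
Mar  3 08:15:09 host login[1201]: FAILED LOGIN 2 FROM (null) FOR jsmith, Authentication failure
Mar  3 08:16:30 host login[1210]: LOGIN ON tty1 BY jsmith
Mar  3 22:41:02 host sshd[2230]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 22:41:05 host sshd[2230]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 22:41:09 host sshd[2230]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 22:41:14 host sshd[2230]: Failed password for invalid user admin from 192.0.2.10 port 51023 ssh2
Mar  3 22:41:20 host sshd[2230]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 22:42:00 host sshd[2235]: Accepted password for root from 192.0.2.10 port 51030 ssh2
Mar  4 09:02:11 host login[1301]: FAILED LOGIN 1 FROM (null) FOR bjones, Authentication failure
EOF

# failed_logins FILE: print "user count" per account, most failures first.
failed_logins() {
    awk '
        /FAILED LOGIN/ {
            # login(1): "... FROM (null) FOR jsmith, Authentication failure"
            for (i = 1; i <= NF; i++)
                if ($i == "FOR") { u = $(i + 1); sub(/,$/, "", u); n[u]++; break }
        }
        /Failed password for/ {
            # sshd: "Failed password for root from ..." or "... for invalid user NAME from ..."
            for (i = 1; i <= NF; i++)
                if ($i == "for") { u = $(i + 1); if (u == "invalid") u = $(i + 3); n[u]++; break }
        }
        END { for (u in n) print u, n[u] }
    ' "$1" | sort -k2,2nr -k1,1
}

# root_failures FILE: number of failed attempts against root (0 if none).
root_failures() {
    failed_logins "$1" | awk '$1 == "root" { c = $2 } END { print c + 0 }'
}

# root_alert FILE THRESHOLD: prints "ALERT" when root saw at least THRESHOLD
# failures and was then accepted, the pattern the text says should raise a flag.
root_alert() {
    fails=$(root_failures "$1")
    if [ "$fails" -ge "$2" ] && grep -q 'Accepted password for root' "$1"; then
        echo ALERT
    else
        echo OK
    fi
}

echo "Failed logins per account:"
failed_logins "$SECURE_FILE"
echo "Root status: $(root_alert "$SECURE_FILE" 3)"
```

Point the functions at the real /var/log/secure (readable only by root) to run the same check on a live system.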
Backups
The security of your backup media is also a serious concern. The standard practice is to make the backup and then move the media to an offsite storage facility, where it is protected from disasters such as fire and flood, and from theft.
Linux Security Best Practices
You can run a wide variety of applications and services from your Linux server. Each additional application or service that you install and run, however, creates a potential security hole. During the initial installation of your Linux system, install only the minimum amount of applications and services that you need, and add more as you need them. Some default Linux installations install many unnecessary services that create more security risks for your system.
The following sections highlight some “best practices” to use when running a Linux system, including specific configurations for applications and services that can potentially create a security risk.
Network security
After physical security, the most important aspect of Linux security is protecting the network. Although your system may be physically secure, a networked computer is open to unauthorized access at all times. This is because a user can access the system from any terminal or computer on the same network. If the system is connected to the Internet, it is instantly exposed to millions of people all over the world.
Firewall
The most popular method for protecting a networked computer from other networks is the use of a firewall. A firewall can be a stand-alone device or a special server configuration that stands between your system and the outside world. Using rule-based filtering, the firewall lets only authorized network traffic in and out of the system and network. A firewall enables you to set up your system so that only local users have access — effectively rendering the machine invisible to the outside world.
If your system is running as an FTP or Web server, you can set up the firewall to allow only those services and protocols to the server and to deny all others.
Linux has network packet filtering built right into the kernel. The utility to create firewall filter rules is called ipchains, but in newer versions of the kernel it has been renamed iptables.
System security
There are a variety of ways to increase security on your Linux system. They range from simple things such as user passwords and legal banners, to more advanced techniques such as encryption and system service management. Only by taking the time to go through your entire system and remove all the possible locations that an unauthorized user can use to gain access to your system will you be able to fully secure your system.
Package installations
Linux distributions typically come with hundreds of different application packages. One of the most common mistakes made by a new Linux system administrator is to install all distribution packages by default.
If you make this choice, you will have every application and service that you will ever need, but you are creating security holes by running many applications and services that you don't use. Known exploits exist for a large number of these programs, including the Apache Web server and early versions of Secure Shell, and the more programs you install, the more exposed you are to attack. Needlessly installing a default FTP or Web server package will immediately render your system insecure. Install only those packages that you will be using on your system. If you need more in the future, you can always install them from the CD-ROM.
Most Linux distributions are insecure if installed straight out of the box. You must take the time to properly secure the system after the initial installation by updating all software to the most current version, and by disabling any unused services.
Package updates
After you have installed only the packages that you need, the next task for increasing security is to update these programs to the latest version. The version that came with your distribution is already several months out of date. In that interim, many security holes have been exploited and patched. By obtaining the latest release, you are ensuring that you have all the most recent security patches for your application. The latest versions of your packages can be found either from your particular Linux distribution web page, or the home page of the program itself.
Legal banners
Every system should have some form of legal policy that displays when a user logs in to the system. This policy will give you some legal protection in the event that an unauthorized user breaks into the system. The message should briefly explain that any unauthorized access or usage is prohibited. If you want this message to display before a user logs in, you can enter the text into /etc/issue or /etc/issue.net. If you want the message to display after the user logs in, you can put it in /etc/motd, which stands for “Message of the Day.”
It’s not a good idea to mention your company name in the login banner. This way, if an unauthorized user does get access to the system, they won’t know whose system it is.
Root password
The most important password on your Linux system is the root password. Because the root user is the most powerful user on the system, you must take extreme care to ensure that only a very few people in your organization know the password. At the very most, only the system administrator, their designated backup, and a member of management should know the password.
Your root password should not be any common word, and should contain at least six to eight characters. The password should have both lower and uppercase letters and one or two numbers. This way, the password can’t be easily guessed, and a brute force attack, which allows an unauthorized user to try password combinations rapidly in succession, won’t be able to break the password.
You should always memorize the password. You should never write it down somewhere where someone else can find it. Never store your password on your hard drive or in e-mail. If your password is stored electronically, someone can easily find it by hacking your machine or e-mail.
The best solution for storing root and other administrative passwords is to write them down, seal them in an envelope, and keep them in a safe that can only be accessed by the system administrator or one or two key members of management. In the event that the passwords are forgotten, or if the administrator is fired, management or the new administrator can retrieve the passwords.
Password encryption
The password file for Linux is located in /etc/passwd. It contains a list of users, their passwords in encrypted form, and other account information for each user. Unfortunately, the basic encryption is somewhat weak, and a directed effort can reveal passwords, especially if common words are used. To compound the problem, the file is readable by everyone on the system and is easy prey for unauthorized users. By enabling "shadow" passwords, the encrypted passwords are stored instead in /etc/shadow, which is accessible only by the root user.
By enabling the more advanced MD5 encryption, you can encrypt passwords beyond the basic default Linux encryption, and you can use up to 256 characters.
Enabling both shadow and MD5 passwords is vital to the system’s security. This option is usually selected by default at installation time, but can be changed whenever needed.
User account and password management
Enabling the user account and password are the first steps in the creation of a secure system. In fact, these two steps are considered the simplest form of protecting system resources and data from unauthorized users. Although securing your system with passwords is an effective security measure, without a proper user account and password policy, this system may quickly break down and offer an unauthorized user many access points to the system.
Many users tend to use very simple passwords — and most of the time — would rather not use any passwords at all. Users will create simple passwords, such as their names, birth dates, names of family and pets, and even their phone numbers. These types of passwords are easy to remember, but are also much easier for an unauthorized user to break into.
Setting a policy for your user’s passwords will force them to use more complicated passwords that are not so easy to guess or to decipher through brute force. You can set several options in a password policy:
Minimum Length: Your minimum password length should be set to at least six to eight characters long. Many hackers use a method of brute force, in which a password-hacking program attempts many combinations of passwords until the right one works. If the password is only three letters long, it won’t take very long for a hacker to go through every combination. The longer the password, the harder it is to be cracked.
Password Types: Many versions of Linux will warn a user if they choose a password that is too easy to guess, such as a dictionary word. Because Linux is case-sensitive, using a combination of uppercase and lowercase characters and numbers will greatly decrease the possibility of the password being guessed or cracked.
Password Attempts: An administrator can set a specific number of times or chances that a user has to enter his or her user name and password incorrectly before the account disables. This device prevents brute force type of attacks, in which an unauthorized user attempts many combinations of passwords to find the one that works. Setting the number of attempts to between three and five is an acceptable range.
Password Rotation: The longer a password remains the same, the more easily it can be guessed or cracked by an unauthorized user through brute force. By requiring your users to change their passwords after a certain time period, you can greatly increase security. Some high-security institutions require their users to change their passwords every week or month. Setting your rotation to three months is acceptable for general use.
Account Expiration: Set expiration dates on accounts for employees that are temporary or contract. When their term of employment ends, their account is automatically expired, and they won’t be able to log in to the system. This way, the administrator won’t forget to disable the account when the person leaves, and outdated accounts won’t clutter the system. When a full time employee leaves the company, you must disable his or her account immediately, including any type of remote access.
Account Auditing: Periodically, you should audit your user accounts to ensure that you have no old and outdated accounts from past employees. Old and outdated accounts create a security risk, because even though former employees no longer work for the company, they still have access to the system.
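An account audit covering the points above and the "Password encryption" section, as an added example that is not from the book: it works over constructed copies of /etc/passwd and /etc/shadow (the user names, day counts and hash strings are all made up) and reports hashes left in the world-readable passwd file, traditional-crypt hashes instead of MD5, accounts whose maximum password age exceeds the 90-day rotation policy, and accounts past their expiration date that still exist.

```shell
# Added example (not from the book): audit constructed /etc/passwd and /etc/shadow
# copies for the weaknesses this section describes. Contents are constructed; the
# real /etc/shadow is readable only by root, so run the checks as root there.

PASSWD_FILE=$(mktemp)
SHADOW_FILE=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jsmith:x:500:500:John Smith:/home/jsmith:/bin/bash
bjones:x:501:500:Bob Jones:/home/bjones:/bin/bash
temp01:x:502:502:Contractor:/home/temp01:/bin/bash
oldtemp:x:503:503:Former contractor:/home/oldtemp:/bin/bash
legacy:Np6dfRtHzQ5Mk:504:504:Pre-shadow account:/home/legacy:/bin/bash
EOF
# shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# (day counts are days since 1970-01-01; the hashes are placeholders, not digests)
cat > "$SHADOW_FILE" <<'EOF'
root:$1$salt0001$constructedmd5hashvalue0:11000:0:90:7:::
jsmith:$1$salt0002$constructedmd5hashvalue1:10950:0:99999:7:::
bjones:AbCdEfGhIjKlM:10800:0:90:7:::
temp01:$1$salt0003$constructedmd5hashvalue2:11000:0:90:7::11100:
oldtemp:$1$salt0004$constructedmd5hashvalue3:10500:0:90:7::11000:
EOF

# unshadowed_accounts PASSWD: field 2 should be "x" (or a lock marker) when
# shadow passwords are on; anything else is a hash in the world-readable file.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# weak_hash_accounts SHADOW: MD5 hashes start with "$1$"; a 13-character field
# with no "$" prefix is the traditional crypt(3) hash the text calls weak.
weak_hash_accounts() {
    awk -F: 'length($2) == 13 && $2 !~ /^\$/ { print $1 }' "$1"
}

# rotation_violations SHADOW MAXDAYS: field 5 is the maximum password age in
# days; empty or above the policy limit means rotation is not enforced.
rotation_violations() {
    awk -F: -v lim="$2" '$5 == "" || $5 + 0 > lim + 0 { print $1 }' "$1"
}

# expired_accounts SHADOW TODAY: field 8 is the expiry day; an account past it
# that still exists is exactly what the periodic audit should remove.
expired_accounts() {
    awk -F: -v today="$2" '$8 != "" && $8 + 0 <= today + 0 { print $1 }' "$1"
}

TODAY=11050   # constructed "current day" for the sample; use $(( $(date +%s) / 86400 )) live
echo "Hashes still in passwd:      $(unshadowed_accounts "$PASSWD_FILE" | tr '\n' ' ')"
echo "Traditional (non-MD5) hashes: $(weak_hash_accounts "$SHADOW_FILE" | tr '\n' ' ')"
echo "Rotation over 90 days:        $(rotation_violations "$SHADOW_FILE" 90 | tr '\n' ' ')"
echo "Expired but still present:    $(expired_accounts "$SHADOW_FILE" "$TODAY" | tr '\n' ' ')"
```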
Know the different types of password and account policies that you can enable to enhance security.
Remote logins
Telnet is the most common way to log in to a system remotely, but it is very insecure because it sends passwords in plain text, which a network packet sniffer can easily capture and log. Other remote access programs include rsh, rlogin, and rexec, which let you log in to a remote system and execute programs on that host. These programs are also security risks, and you should disable them from a default installation by removing their respective configuration lines from inetd.conf.
An excellent replacement for telnet and other remote access programs is SSH or secure shell. It allows you to log in remotely to a system while encrypting the entire session. This encryption prevents any transmissions or passwords from being passed along the network as clear text.
inetd services
inetd is the main process daemon that controls many network services on your Linux system. inetd handles communications for a number of services by listening on their specific TCP/IP port numbers, and enabling the service when a request comes in.
Many Linux distributions install the services by default. They are configured through the inetd configuration file, which is /etc/inetd.conf. Typical entries in the inetd.conf file look like the following:
ftp     stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
shell   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rexecd
talk    dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
#dtalk  stream  tcp  wait    nobody.tty  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#pop-2  stream  tcp  nowait  root        /usr/sbin/tcpd  ipop2d
#pop-3  stream  tcp  nowait  root        /usr/sbin/tcpd  ipop3d
#imap   stream  tcp  nowait  root        /usr/sbin/tcpd  imapd
To disable a certain service, simply comment the specific line relating to that service out of the file by preceding the line with a # character. Disable any services that you aren’t using because if you don’t, you will leave many open ports on your system that may be exploited.
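The inetd.conf review and disable step described above, as an added example that is not from the book: it lists the services still active in a constructed inetd.conf modelled on the listing, singles out the ones this chapter names as cleartext risks (telnet, the r-commands, POP and IMAP), and comments a named service out in place.

```shell
# Added example (not from the book): find active inetd services, flag the ones the
# chapter names as cleartext risks, and comment a service out. The configuration
# file below is constructed (modelled on the listing above), not a system's own.

INETD_CONF=$(mktemp)
cat > "$INETD_CONF" <<'EOF'
ftp     stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
shell   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp  nowait  root        /usr/sbin/tcpd  in.rexecd
talk    dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
# Pop and imap mail services et al
pop-3   stream  tcp  nowait  root        /usr/sbin/tcpd  ipop3d
#imap   stream  tcp  nowait  root        /usr/sbin/tcpd  imapd
EOF

# enabled_services FILE: service names from lines that are neither blank nor
# commented out; each one is a port inetd will open.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# cleartext_services FILE: the subset the chapter says to disable unless needed
# because they carry passwords or commands unencrypted.
cleartext_services() {
    enabled_services "$1" | grep -Ex 'telnet|shell|login|exec|pop-2|pop-3|imap' || true
}

# disable_service FILE NAME: comment out every active line for NAME, in place.
# (On a live system, send inetd a HUP afterwards so it rereads the file.)
disable_service() {
    tmp=$(mktemp)
    awk -v svc="$2" '!/^[[:space:]]*#/ && $1 == svc { print "#" $0; next } { print }' "$1" > "$tmp"
    mv "$tmp" "$1"
}

echo "Enabled before:   $(enabled_services "$INETD_CONF" | tr '\n' ' ')"
echo "Cleartext before: $(cleartext_services "$INETD_CONF" | tr '\n' ' ')"
disable_service "$INETD_CONF" telnet
echo "Cleartext after disabling telnet: $(cleartext_services "$INETD_CONF" | tr '\n' ' ')"
```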
The following sections list several services that you should consider disabling if you are not using them.
Know where and how to identify and disable unused services and daemons.
POP/IMAP/sendmail
If you aren’t using your server for any type of mail service, you should disable these daemons and services. Remote servers use the POP and IMAP protocols to retrieve mail from a system, and the sendmail daemon acts as a mail relay agent. POP and IMAP send their passwords in clear text format, and can pose a security risk. You can disable these protocols by commenting their specific configuration lines in the inetd.conf file.
Outside users often abuse the sendmail service by relaying their mail through your server to somewhere else on the Internet. This abuse often takes the form of so-called "spam" mail, which sends unsolicited advertisements to hundreds of thousands of e-mail addresses. By using your server as a mail relay, the offending mail appears to come from your company. If you aren't using the mail service on your server, you should remove it. If this is a mail server, you can turn off the relay function so that it only relays mail from your authorized hosts. Information on how to stop sendmail from relaying unauthorized mail can be found at www.sendmail.org/tips/relaying.html.
