Network security

Network security is critical, especially if you have a fixed IP number and a permanent net connection. When your machine is networked, you open your computer up to attackers world-wide.

Having said that, it is not difficult to set up a secure networked Linux box.

1. Keep your kernel up to date

This ensures that any kernel-level security holes, such as attacks on the TCP/IP stack, are plugged as soon as possible.

While it's nice to brag about uptimes of 666 days, it also advertises the fact that you have a machine with an old and possibly insecure kernel.

Also keep your libraries up-to-date, as some security holes have been caused by basic problems (like buffer overflows) in libraries.

2. Use good passwords

Enough said already on that topic.

3. Only run the services required

Most Linux distributions install a basic collection of network tools that you probably don't need, including portmap, rpc.mountd, tftp, wu-ftpd and even gopher.

This is a security risk because it offers more avenues for an attacker to probe for weaknesses.

A strategy for tackling this is:

  1. Use your package manager (dpkg or rpm) to list the packages installed. You can then prune out any unnecessary packages that have been accidentally installed.

  2. Go through /etc/inetd.conf and comment out (or delete) any network service that is not required. Then restart inetd.

4. Run TCP Wrappers

Many networking programs have very limited (or no) logging capabilities. As the name suggests, the TCP wrapper program (tcpd) wraps around network programs, providing logging information as well as the ability to refuse connections from certain hosts or domains and check for possible IP spoofing.

A typical entry in /etc/inetd.conf before using TCP wrappers looks like this:

        telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd

If the program uses TCP wrappers, tcpd is called first, and it then starts the network program only if the connecting host is allowed:

        telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

Note: If you modify /etc/inetd.conf, make sure you restart inetd by sending it a kill -HUP signal.
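The two steps above (prune inetd.conf, then make sure every remaining service goes through tcpd) can be checked mechanically. The following script is an added example, not part of the original page: it builds a constructed sample inetd.conf in a temporary file, lists the services that are still enabled, reports those whose server is started directly rather than via tcpd, and shows how a service is disabled by commenting out its line. The service names and paths in the sample are made up for the demonstration.

```shell
#!/bin/sh
# Constructed sample inetd.conf (not a real system file) so the script runs offline.
SAMPLE_INETD="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
trap 'rm -f "$SAMPLE_INETD" "$SAMPLE_INETD.bak"' EXIT
cat > "$SAMPLE_INETD" <<'EOF'
# Sample inetd.conf (constructed for the example)
#:STANDARD: These are standard services.
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd        in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd
#shell  stream  tcp  nowait  root   /usr/sbin/tcpd        in.rshd
finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd
tftp    dgram   udp  wait    root   /usr/sbin/tcpd        in.tftpd
#gopher stream  tcp  nowait  root   /usr/sbin/gopherd
EOF

# Service names that are enabled, i.e. whose line is not commented out.
# Field 6 of an inetd.conf line is the server program; fields 7+ are its arguments.
enabled_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# Enabled services that bypass tcpd: their server field is not the wrapper itself,
# so they get neither tcpd's logging nor its hosts.allow/hosts.deny checks.
unwrapped_services() {
    awk '$1 !~ /^#/ && NF >= 6 && $6 !~ /\/tcpd$/ { print $1 }' "$1"
}

# Disable a service by commenting out its line; the previous file is kept as .bak.
# On a live system this must be followed by:  kill -HUP $(pidof inetd)
disable_service() {   # service file
    cp "$2" "$2.bak"
    awk -v svc="$1" '$1 == svc { print "#" $0; next } { print }' "$2.bak" > "$2"
}

echo "Enabled services:";            enabled_services   "$SAMPLE_INETD"
echo "Enabled but not using tcpd:";  unwrapped_services "$SAMPLE_INETD"
```

The second list is the one to act on: each name there should either be removed from inetd.conf or have `/usr/sbin/tcpd` inserted in front of its server program, after which inetd is sent a HUP.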

5. Use tcpd to limit access to your machine

Using TCP wrappers and the /etc/hosts.allow and hosts.deny files, you can limit access to specific network programs in a very detailed manner.

For example, the following files deny access to everyone (in /etc/hosts.deny) and then turn on selected access to trusted hosts (in /etc/hosts.allow):

        # hosts.deny	This file describes the names of the hosts which are
        #		*not* allowed to use the local INET services, as decided
        #		by the '/usr/sbin/tcpd' server.

        # hosts.allow	This file describes the names of the hosts which are
        #		allowed to use the local INET services, as decided
        #		by the '/usr/sbin/tcpd' server.

        # allow access to local machines
        ALL: localhost,

        # Other trusted systems - anyone in the chemistry domain at Swinburne
        # except for those trouble makers on argon

        # allow FTP access to anyone inside Monash Uni
A number of other programs have the ability to restrict access. For example, the Apache web server uses the access.conf to restrict access at the directory-level to hosts and domains.

6. Disable finger (or restrict access to it)

finger is widely regarded as a security risk because:

Most people remove the finger service from /etc/inetd.conf, while others replace finger with a more secure version, such as cfingerd.

7. Check the appropriate owner, group and permissions

It is important that a network program is run with the correct owner and group set and the appropriate directories and files have the correct permissions.

This is particularly important for the mail agent, the web server and the FTP server. Most network programs will run with their own ownership and group instead of root, limiting the damage that can occur if someone exploits a security hole in the program.

For example, the Apache web server typically runs as nobody.nobody. If someone exploits a hole in the server code, they will be extremely limited with what they can read or write on the system.

In contrast, sendmail runs as root. When an exploit is found in sendmail, attackers can often easily gain root access on remote machines. Moral of the story? Use a mail transfer agent that does not need to run as root.

One of the advantages of the Linux distributions is that they will normally take care of setting up the correct owner and group for the network program and ensure that all of the file permissions are correct.
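Running the daemon as nobody only helps if the files it serves cannot be changed by nobody (or by any other local user), and if nothing under its tree quietly regains privilege through a setuid bit. The script below is an added example, not part of the original page: it builds a constructed directory tree standing in for a web server's document root, with one world-writable directory and one setuid CGI planted as the mistakes to find, then lists both classes of problem and strips the offending bits. The directory layout and file names are assumptions for the demonstration; the same two checks apply to an FTP tree or a mail spool.

```shell
#!/bin/sh
# Constructed document tree (temporary, removed on exit) standing in for a DocumentRoot.
DOCROOT="${TMPDIR:-/tmp}/docroot.sample.$$"
mkdir -p "$DOCROOT/cgi-bin" "$DOCROOT/upload"
chmod 0755 "$DOCROOT" "$DOCROOT/cgi-bin"
printf 'hello\n' > "$DOCROOT/index.html"
printf '#!/bin/sh\necho ok\n' > "$DOCROOT/cgi-bin/form.cgi"
chmod 0644 "$DOCROOT/index.html"
chmod 4755 "$DOCROOT/cgi-bin/form.cgi"   # setuid: the CGI would run as its owner, not as nobody
chmod 0777 "$DOCROOT/upload"             # world-writable: any local user, or a compromised
                                         # nobody, can plant files the server will then serve
trap 'rm -rf "$DOCROOT"' EXIT

# Entries that anyone on the system can modify (symlinks skipped: their mode is meaningless).
world_writable() {
    find "$1" -perm -0002 ! -type l | sort
}

# Files carrying setuid or setgid, which undo the benefit of a low-privilege daemon user.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Remediation: remove world-write everywhere and the set-id bits from files.
fix_tree() {
    chmod -R o-w "$1"
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s '{}' +
}

echo "World-writable under $DOCROOT:"; world_writable "$DOCROOT"
echo "Set-id files under $DOCROOT:";   setid_files "$DOCROOT"
```

Ownership is the other half of the check the section asks for: the daemon user should own as little of the tree as possible, so that a hole in the server cannot be used to rewrite the content or the CGI programs it serves.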

8. Use ssh instead of telnet, rlogin, rsh and rcp

To quote the advertising, ssh is a...

...program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.

It is an excellent replacement for tools like telnet and rcp, especially in insecure environments where people may be eavesdropping on the network with packet sniffers (which can grab your password or any other information transmitted in the clear).

ssh provides public key encrypted links that guard against packet sniffing and hijacked connections, secure X11 sessions and the ability to redirect TCP/IP ports, allowing you to encrypt other TCP/IP traffic.

The ssh client and server software is free for Unix, but the Windows and Macintosh clients are commercial.

9. Don't use .rhosts files

They are:

  1. A very big security risk
  2. Totally unnecessary if you use ssh
  3. A very big security risk

10. Run a network probe tool to check for basic network security flaws

There are a number of useful security analysis tools that will scan your networked machine for holes. Use them!

11. Use secure versions of network programs

There are a number of secure versions of "classic" network programs. For example, apache is a far more secure web server than the NCSA server. Likewise, there are a number of more secure MTAs than sendmail, including smail and qmail.

12. Run identd

identd can be used to identify users connecting to various network services. It is by no means foolproof, but can be a useful tool when trying to finger culprits.

13. Use a time synchronising tool, like xntpd

Make sure the computer clock is accurate, and updated regularly. This will ensure that your time-stamped security logs are useful if you are trying to trace an attempted break-in.

14. Use a firewall if necessary

Firewalls - one of the trendy buzzwords of the moment. Any network that carries sensitive data but still needs to be connected to the Internet should consider some form of firewalling.

The Linux kernel has the ability to filter IP packets. This can be a useful tool to stop attacks from specific sources, or even as a basic firewall. The ipfwadm page has information on setting up the IP filtering/firewalling software.
