Network security is critical, especially if you have a fixed IP number and a permanent net connection. When your machine is networked, you open your computer up to attackers world-wide.
Having said that, it is not difficult to set up a secure networked Linux box.
This ensures that any kernel-level security holes, such as TCP-IP attacks, are plugged as soon as possible.
While it's nice to brag about uptimes of 666 days, it also advertises the fact that you have a machine with an old and possibly insecure kernel.
Also keep your libraries up-to-date, as some security holes have been caused by basic problems (like buffer overflows) in libraries.
Enough said already on that topic.
Most Linux distributions install a basic collection of network tools that you probably don't need, including portmap, rpc.mountd, tftp, wu-ftpd and even gopher.
This is a security risk because it offers more avenues for an attacker to probe for weaknesses.
A strategy for tackling this is:
Many networking programs have very limited (or no) logging capabilities. As the name suggests, the TCP wrapper program (tcpd) wraps around network programs, providing logging information as well as the ability to refuse connections from certain hosts or domains and check for possible IP spoofing.
A typical entry in /etc/inetd.conf before using TCP wrappers looks like this:
telnet stream tcp nowait root /usr/sbin/in.telnetd
If the program uses TCP wrappers, tcpd is called first, and then calls the network program if the user is allowed:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
Note: If you modify /etc/inetd.conf, make sure you restart inetd by sending it a kill -HUP signal.
Using TCP wrappers and the /etc/hosts.allow and hosts.deny files, you can limit access to specific network programs in a very detailed manner.
For example, the following files deny access to everyone (in /etc/hosts.deny and then turns on selected access to trusted hosts in /etc/hosts.allow:
/etc/hosts.deny # hosts.deny This file describes the names of the hosts which are # *not* allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. ALL: ALL /etc/hosts.allow # hosts.allow This file describes the names of the hosts which are # allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. # allow access to local machines # ALL: localhost, .wsc.monash.edu.au # Other trusted systems - anyone in the chemistry domain at Swinburne # except for those trouble makers on argon # ALL: .chem.swin.edu.au EXCEPT argon.chem.swin.edu.au # allow FTP access to anyone inside Monash Uni # in.ftpd: .monash.edu.au
A number of other programs have the ability to restrict access. For example, the Apache web server uses the access.conf to restrict access at the directory-level to hosts and domains.
finger is widely regarded as a security risk because:
Most people remove the finger service from /etc/inetd.conf, while others replace finger with a more secure version, such as cfingerd.
It is important that a network program is run with the correct owner and group set and the appropriate directories and files have the correct permissions.
This is particularly important for the mail agent, the web server and the FTP server. Most network programs will run with their own ownership and group instead of root, limiting the damage that can occur if someone exploits a security hole in the program.
For example, the Apache web server typically runs as nobody.nobody. If someone exploits a hole in the server code, they will be extremely limited with what they can read or write on the system.
In contrast, sendmail runs as root. When an exploit is found in sendmail, attackers can often easily gain root access on remote machines. Moral of the story? Use a mail transfer agent that does not need to run as root.
One of the advantages of the Linux distributions is that they will normally take care of setting up the correct owner and group for the network program and ensure that all of the file permissions are correct.
To quote the advertising, ssh is a...
...program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.
It is an excellent replacement for tools like telnet and rcp, especially in insecure environments where people may be eavesdropping on the network with packet sniffers (which can grab your password or any other information transmitted in the clear).
sshprovides public key encrypted links that guard against packet sniffing and hijacked connections, secure X11 sessions and the ability to redirect TCP/IP ports, allowing you to encrypt other TCP/IP traffic.
The ssh client and server software is free for Unix, but the Windows and Macintosh clients are commercial.
There are a number of useful security analysis tools that will scan your networked machine for holes. Use them!
There are a number of secure versions of "classic" network programs. For example, apache is a far more secure web server than the NCSA server. Likewise, there are a number of more secure MTAs than sendmail, including smail and qmail.
identd can be used to identify users connecting to various network services. It is by no means fool-proof, but can be a useful tool when trying to finger culprits.
Make sure the computer clock is accurate, and updated regularly. This will ensure that your time-stamped security logs are useful if you are trying to trace an attempted break-in.
Firewalls - one of the trendy buzzwords of the moment. Any network that carries sensitive data but still needs to be connected to the Internet should consider some form of firewalling.
The Linux kernel has the ability to filter IP packets. This can be a useful tool to stop attacks from specific sources, or even as a basic firewall. The ipfwadm page has information on setting the IP filtering/firewalling software.
Prev | Home | Next