Comments and suggestions concemning this page should be mailed to gmourani@videotron.ca alias Is='Is-color=auto Then log in and out;after this,the new COLORS-environment variable is set,and your system will recognize that XⅫ Update of the lasted software's Keep and update all software(especially network software)to the lasted versions.check the errata pages for the Red Hat Linux distribution,available at http://ww /erata/index.html.he ata pages are e perhaps the best for which a solution exists are generally on the errata page 24 hours after Red Hat has been notified.You should always check there first. Software's that must be updated at this time for your Red Hat Linux 6.1 server are: 2213 must be updated.See bellowfor more builing a auganetyhlsowaesinsaedonyourysembeteenmatenpgaewhtheaioag [root@deep rpm-software-name -Where software-name is the name of the software you wan to verify like XFree86 or telnet. XⅫ For the maniacs e not neces system.For example,we're not installed the Xwindow system)n our folders exist but are empty.It's safe to remove those foldersand files since we are not installed ahei8BR2aoeoiestomeimendnaseaietedbeloweanberemovedsaietyiomyoer3Sysilemifyou our setup instruction above roodeem-fs/bin/sym m-/et/pin deep]#rm-rt oot@deep#rm- etc/ppp/folder for ppp mod em connection erve ¥m-fwar file for roorm-us/programs installed on your machine Ea/eteeanaeseateapdienaeteoeuikRanePgAo8ronmentne Copyright 199 Open Netvork Architecture 21
Comments and suggestions concerning this page should be mailed to gmourani@videotron.ca © Copyright 1999 Open Network Architecture ® 21 alias ls=’ls --color=auto’ Then log in and out; after this, the new COLORS-environment variable is set, and your system will recognize that. XI) Update of the lasted software’s Keep and update all software (especially network software) to the lasted versions, check the errata pages for the Red Hat Linux distribution, available at http://www.redhat.com/corp/support/errata/index.html. The errata pages are perhaps the best resource for fixing 90% of the common problems with Red Hat Linux. In addition, security holes for which a solution exists are generally on the errata page 24 hours after Red Hat has been notified. You should always check there first. Software’s that must be updated at this time for your Red Hat Linux 6.1 server are: e2fsprogs-1.17-1.i386.rpm pam-0.68-8.i386.rpm Linux kernel 2.2.13 (The most important, always must be updated. See bellow for more information on building a custom kernel for your specific machine). You can verify that software is installed on your system before make an update with the following command: [root@deep]# rpm -q software-name -Where software-name is the name of the software you wan to verify like XFree86 or telnet. XII) For the maniacs We know that Red Hat Linux by default install a lot thing that we’re not necessary need. In our setup installation we ‘re removed the most important. Although that, some mark still exist on your system. For example, we’re not installed the Xwindow system (XFree86) on our server or NIS program server but we can see that some folder already exist like /usr/X11R6/ or /var/nis. Those folders exist but are empty. It’s safe to remove those folders and files since we are not installed those programs. Directories and files listed bellow can be removed safety from your system if you are followed our setup instruction above. [root@deep]# rm -f /usr/bin/X11 fl symbolic links [root@deep]# rm -f /etc/exports fl file for NFS server [root@deep]# rm -f /etc/printcap fl file for the printer [root@deep]# rm -rf /var/nis/ fl folder for NIS server [root@deep]# rm -rf /etc/X11/ fl folder for Xwindow server [root@deep]# rm -rf /usr/X11R6/ fl folder for Xwindow server [root@deep]# rm -rf /etc/ppp/ fl folder for ppp modem connection [root@deep]# rm -f /var/log/maillog fl log file for Mail server [root@deep]# rm -f /var/log/spooler fl log file for printer [root@deep]# rm -rf /var/spool/mail fl log file for Mail [root@deep]# rm -rf /usr/doc/* fl documentation of different programs installed on your machine Edit /etc/logrotate.d/syslog file and remove the lines related to maillog and spooler. Edit /etc/rc.d/init.d/functions script file and remove /usr/X11R6/bin in the PATH environment line
Comments and suggestions conceming this page should be mailed to gmourani@videotron.ca XIlI)General system security Linux Security Overview A UNIX system is only as secure as the administrator makes it.The more services you add,the more chances of introducing a security hole.Operating systems like SCO and others may 8) siaoiehalareanreniearal in itself is distributed in many favors.In one of the ongoing comparisons between RedHat and ly the ESSENTIAL nux,one an 'application'of having a security weakness.Linux is the most SECURE if properly oDlemenmteaidwagessaearemtngbe。aeteatoerecethousaneiofotnteretppoint products.they have a limited size of team members working on it.It is not always in their best es but r tend tuse the with the tware 10s the n soure e code envi vith 10's of thousands of p le medd with the ce c ode,and what? million This document will discuss some of the general techniques used to secure your site.The r peopl ching a mputer to the Interne such as access ar prevent attacks from external sources. 1.Basic Information Let outsiders know as little as possible about your system. aPle9erwnaniSrneYem who THEY are.who uses the system and personal information that might help an attacker guess a users pass ou can use a your system a r daemon and/or tcpd to limit who can connect to your syste s assumes that 09 ng or a what they are saying then get help to understand them.There is nothing wrong witi th someone I get int nevery-now d-then on uep ot PIowepepe Copyright19 Open Netvork Architecture
Comments and suggestions concerning this page should be mailed to gmourani@videotron.ca © Copyright 1999 Open Network Architecture ® 22 XIII) General system security Linux Security Overview A UNIX system is only as secure as the administrator makes it. The more services you add, the more chances of introducing a security hole. Operating systems like SCO and others may actually be more prone to security breaches because they offer more services that are an integral part of how they operate, (in order to be more 'user friendly'). Linux itself is very stable and secure, but it in itself is distributed in many flavors. In one of the ongoing comparisons between RedHat and Slackware people have argued over which is more secure. When installing Linux, one should tend to install with the minimum, and then add only the ESSENTIAL items, reducing chances of an 'application' of having a security weakness. Linux is the most SECURE if properly implemented. If a weakness is apparent in the system, there are thousands of volunteers to point it out immediately, along with a fix. In a larger organization, such as some of the commercial products, they have a limited size of team members working on it. It is not always in their best interests to publicize any discoveries too loudly, and sometimes it takes a while before fixes trickle down the pipes into the releases or upgrades. Yes, they soon become available as patches, but most administrators of commercial products tend to use the tools available with the distribution only, with a false sense of comfort in that they have more professionally designed software. Mistakes can happen in programming at any level, but when you have 10's of thousand of people with the source code available to them, these mistakes are often discovered faster in an open source code environment. Of course, with 10's of thousands of people meddling with the source code, and what? 7 million copies of Linux out there now... there is a much better chance that someone will open a security hole too. This document will discuss some of the general techniques used to secure your site. The following is for people attaching a computer to the Internet. Generally speaking services such as NFS / Samba, imap and pop will only need to be accessible to internal users, blocking external access greatly simplifies matters. The following is a list of features that can be used to help prevent attacks from external sources. 1. Basic Information Let outsiders know as little as possible about your system. A simple finger to a victims system can reveal much about a system; How many users, when the admin is in, when do they work, who THEY are, who uses the system and personal information that might help an attacker guess a users password. You can use a powerful finger daemon and/or tcpd to limit who can connect to your system and how much they will know about your system. Logs are the only way to know what's going on your Linux system. Of course, this assumes that an attacker has not corrupted your logs, but that aside. Full logging of all connections, can reveille so much about an attacker, and their attempts. If you have problems understanding the logs and what they are saying then get help to understand them. There is nothing wrong with someone helping you with something you don't understand. I get information every-now-and-then on something that I have made a mistake on and that I am told to clarify or fix something. To be arrogant is one thing to be stupid is another. Limit the number of SUID root programs on your system. SUID root programs are programs when ran, run at the level of root (God in the UNIX world). Sometimes this is needed but many times not
Comments and suggestions conceming this page should be mailed to gmourani@videotron.ca Since SUID root programs can do anything that root can they bear a high level of responsibility in and when they dont.users can sometimes get them to do things their not sup ose to do.This is 2.BIOS Security Set a boot password Disallow booting from floppy drives and allow passwords to access some BIOS features. Check your BlOS manual or look at it the next time you boot up. 3.Password int of our l inux security tour i thina preven a password.Not some hing one would call completely reliable.Contrary to popular belief.an your system is a good idea.This helps to find and replace passwords that are easily guessed or sm should be present tor ject a weak pa ssword when accepted as a new password. 4.The /etc/exports file mounting read-only wherever possible. Edit the exportsfile(viletc/exports)and add For example root write access in this directory. For this change to take effect you will need to run /usr/sbin/exportfs-a 5.Disabling console program access One of the simplest and commonest custo omizations is to entirely disable all console-equivalent access to programs like shutdown and halt.To do this.run: [root@deep#m-f/etc/security/console.apps/servicename Copyright 199 Open Netvork Architecture 23
Comments and suggestions concerning this page should be mailed to gmourani@videotron.ca © Copyright 1999 Open Network Architecture ® 23 Since SUID root programs can do anything that root can they bear a high level of responsibility in following the golden rules of security programming. Sometimes they do, sometimes they don't and when they don't, users can sometimes get them to do things their not suppose to do. This is where exploits and come in. An exploit is a program or script that will get a SUID root program to do very bad stuff (Give root shells, grab password files, read other people's mail, delete files). 2. BIOS Security Set a boot password. Disallow booting from floppy drives and allow passwords to access some BIOS features. Check your BIOS manual or look at it the next time you boot up. 3. Password The starting point of our Linux security tour is the password. Many people keep their entire life on a computer and the only thing preventing others from seeing it is the eight-character string called a password. Not something one would call completely reliable. Contrary to popular belief, an uncrackable password does not exist. Given time and resources all passwords can be guessed either by social engineering or by brute force. Since password cracking can be a time- and resource consuming art, make it hard for any cracker who has grabbed your password file. Running a password cracker on a weekly basis on your system is a good idea. This helps to find and replace passwords that are easily guessed or weak. Also, a password checking mechanism should be present to reject a weak password when first choosing a password or changing an old one. Character strings that are plain dictionary words, or are all in the same case, or do not contain numbers or special characters should not be accepted as a new password. 4. The /etc/exports file If you are exporting filesystems using NFS, be sure to configure /etc/exports file with the most restrictive access possible. This means not using wildcards, not allowing root write access, and mounting read-only wherever possible. Edit the exports file (vi /etc/exports) and add: For example: /dir/to/export host1.mydomain.com(ro,root_squash) /dir/to/export host2.mydomain.com(ro,root_squash) -Where /dir/to/export is the directory you want to export, host.mydomain.com is the machine allowed to log in this directory, ro mean mounting read-only and root_squash for not allowing root write access in this directory. For this change to take effect you will need to run /usr/sbin/exportfs -a 5. Disabling console program access One of the simplest and commonest customizations is to entirely disable all console-equivalent access to programs like shutdown and halt. To do this, run: [root@deep]# rm -f /etc/security/console.apps/servicename
Comments and suggestions conceming this page should be mailed to gmourani@videotron.ca -Where servicename is the name of the program to which you wish to disable console-equivalent access.Unles s you use xdm.however.be careful not to remove the xserver file or no one but eetotosebeeageeXmreiyouoeneetoeethgXsenerrotstheonyuserthat For example [root@deepm-f/etc/security/console.apps/halt off cons root@deeprm-e/ecuriy/onsoleapps/xserver (if removed.roo wil be the ony user able tosartX) 6.Disabling all console access Create the disabling.sh script file (touch disabling.sh)and add the following lines inside tpam.d am consolem oo done Make this s r888ep g.sh 7.The /etc/inetd.conf file Inetd,called the"super server",will load a network program based upon a request from the The ine ta wni s to listen to and erver to start for each port you need to offer.Services that you do not need to offer should be disabled and mush better nave one less place to netd an any that you do not n enting the s are being offer then sending your inetd process a SIGHUP rooestatntd.co File:"/etc/inetd conf Size:28 root)Gid:0/root Device:8.6 Ir ode:1819 Links:1 :12:16 1022:4 1999(00002.06:12:1 Edit the inetd.conf file(vi /etc/inetd.conf)and disable services like 24
Comments and suggestions concerning this page should be mailed to gmourani@videotron.ca © Copyright 1999 Open Network Architecture ® 24 -Where servicename is the name of the program to which you wish to disable console-equivalent access. Unless you use xdm, however, be careful not to remove the xserver file or no one but root will be able to start the X server. (If you always use xdm to start the X server, root is the only user that needs to start X, in which case you might actually want to remove the xserver file). For example: [root@deep]# rm -f /etc/security/console.apps/halt [root@deep]# rm -f /etc/security/console.apps/poweroff [root@deep]# rm -f /etc/security/console.apps/reboot [root@deep]# rm -f /etc/security/console.apps/shutdown [root@deep]# rm -f /etc/security/console.apps/xserver (if removed, root will be the only user able to start X). 6. Disabling all console access In order to disable all console access, including program and file access, in the /etc/pam.d/ directory, comment out all lines that refer to pam_console.so. the following script will do the trick: Create the disabling.sh script file (touch disabling.sh) and add the following lines inside: cd /etc/pam.d for i in * ; do sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i done Make this script executable with the following command and execute it: [root@deep]# chmod 700 disabling.sh [root@deep]# ./disabling.sh 7. The /etc/inetd.conf file Inetd, called the "super server", will load a network program based upon a request from the network. The inetd.conf file tell inetd which ports to listen to and what server to start for each port. As soon as you put your Linux system on ANY network the first thing to look at is what services you need to offer. Services that you do not need to offer should be disabled and mush better uninstalled so that you have one less thing to worry about and attackers have one less place to look for a hole. Look at your /etc/inetd.conf file and see what services are being offered by your inetd. Disable any that you do not need by commenting them out (# at the beginning of the line), and then sending your inetd process a SIGHUP. ENSURE that the permissions on this file are set to 600. [root@deep]# chmod 600 /etc/inetd.conf ENSURE that the owner is root. [root@deep]# stat /etc/inetd.conf File: "/etc/inetd.conf" Size: 2869 Filetype: Regular File Mode: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root) Device: 8,6 Inode: 18219 Links: 1 Access: Wed Sep 22 16:24:16 1999(00000.00:10:44) Modify: Mon Sep 20 10:22:44 1999(00002.06:12:16) Change:Mon Sep 20 10:22:44 1999(00002.06:12:16) Edit the inetd.conf file (vi /etc/inetd.conf) and disable services like:
Comments and suggestions conceming this page should be mailed to gmourani@videotron.ca 善Toeea时thsfieanercharges,jusdoaal-HUPnet echo ntema chargen #time ema dgram udp #These are standard services. stream 测in #Shell.login.exec.comsat and talk are BSD protocols. 88 usr/sbin/tcp in.rlogin dgram wait ro usr/sbin/tcpd in.comsat 88t usr/sbin/pd in.ntalko tcp wai /usr/sbin/tcpd in.dtalk p0p-☑ stream usr/sbin/tcpd ipop2d map usr/sbin/pd #The Internet UUCP service. uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/ib/uucp/uucico- some or all of these services to improve secunity. stream tcp nowait root /usr/sbin/tcpd in.fingerd am uest r/sbin/tcpo etstat stream quest bin/ ine Authentication 进 auth stream tcp nowait nobody /usr/sbin/in.identd in.identd-I-e-o End of inetd.conf Copyright 1999 Open Network Architecture 5
Comments and suggestions concerning this page should be mailed to gmourani@videotron.ca © Copyright 1999 Open Network Architecture ® 25 ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc. unless you plan to use it. If it’s turned off it’s much less of a risk. # To re-read this file after changes, just do a 'killall -HUP inetd' # #echo stream tcp nowait root internal #echo dgram udp wait root internal #discard stream tcp nowait root internal #discard dgram udp wait root internal #daytime stream tcp nowait root internal #daytime dgram udp wait root internal #chargen stream tcp nowait root internal #chargen dgram udp wait root internal #time stream tcp nowait root internal #time dgram udp wait root internal # # These are standard services. # #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd # # Shell, login, exec, comsat and talk are BSD protocols. # #shell stream tcp nowait root /usr/sbin/tcpd in.rshd #login stream tcp nowait root /usr/sbin/tcpd in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd in.rexecd #comsat dgram udp wait root /usr/sbin/tcpd in.comsat #talk dgram udp wait root /usr/sbin/tcpd in.talkd #ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd #dtalk stream tcp wait nobody /usr/sbin/tcpd in.dtalkd # # Pop and imap mail services et al # #pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d #pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d #imap stream tcp nowait root /usr/sbin/tcpd imapd # # The Internet UUCP service. # #uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l # # Tftp service is provided primarily for booting. Most sites # run this only on machines acting as "boot servers." Do not uncomment # this unless you *need* it. # #tftp dgram udp wait root /usr/s bin/tcpd in.tftpd #bootps dgram udp wait root /usr/sbin/tcpd bootpd # # Finger, systat and netstat give out user information which may be # valuable to potential "system crackers." Many sites choose to disable # some or all of these services to improve security. # #finger stream tcp nowait root /usr/sbin/tcpd in.fingerd #cfinger stream tcp nowait root /usr/sbin/tcpd in.cfingerd #systat stream tcp nowait guest /usr/sbin/tcpd /bin/ps -auwwx #netstat stream tcp nowait guest /usr/sbin/tcpd /bin/netstat -f inet # # Authentication # #auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o # # End of inetd.conf