Wednesday, October 17, 2007

Seven steps to increase Linux security

Ask a network administrator in any large organisation to compare Linux with network operating systems like Windows NT or Novell Open Enterprise Server, and chances are he'll admit that Linux is an inherently more stable and scalable solution. Chances are he'll also admit that when it comes to securing the system from outside attack, Linux is possibly the most difficult of the three to work with.

This perception is not an uncommon one -- many network administrators new to Linux find it hard to transition from a point-and-click security configuration interface to one based on editing complicated and hard-to-locate text files. Most administrators are well aware of the need to manually put in roadblocks and obstacles to trip up would-be hackers and ensure that your company's data stays secure; it's just that in the unfamiliar Linux world, they're not completely sure of their bearings or where to start.

That's where this document comes in. It outlines some easy things administrators can do to make their Linux server more secure and significantly reduce the risk they face. This tutorial lists seven such items.

1. Protect the root account
The root, or superuser, account on a Linux system is like a backstage pass at a Stones concert -- it allows you access to anything and everything. For this reason, it's well worth taking extra steps to protect it. Start by setting a hard-to-guess password for this account with the passwd command, change it on a regular basis, and restrict knowledge of the password to a few (ideally, only two) key people in the organisation.

Next, restrict the terminals that can be used for root access, by editing the file /etc/securetty. To avoid users leaving a root terminal "open", set a timeout for inactive root logins by setting the TMOUT local variable, and ensure that the root command history file (which might contain sensitive information) is disabled by setting the HISTFILESIZE local variable to 0. Finally, enforce a policy of using this account only to perform specific administrative tasks, and discourage users from logging in as root by default.

Tip: Once you've closed these holes, the next step is to require that every normal user account must have a password and ensure that passwords do not use easily-recognisable heuristics such as birthdays, user names or dictionary words.

2. Install a firewall
A firewall lets you filter data packets travelling in and out of your server and ensures that only those packets matching pre-defined rules are permitted to enter or exit. A number of excellent firewalls are available for Linux, and firewall code can even be compiled directly into the kernel. Begin by defining input, output and forwarding rules for packets leaving and entering your network, using the ipchains or iptables commands. Rules may be specified on the basis of IP addresses, network interfaces, ports, protocols or combinations of these attributes; these rules also specify what action (accept, reject, forward) to take when a match occurs. Once the rules are installed, test the firewall extensively to ensure that no holes exist in it. A good firewall is your first line of defence against common attacks like the distributed denial of service (DDoS) attack.

3. Use OpenSSH for network transactions
An important issue in client-server architecture involves the security of data being transmitted over the network. If network transactions take place in plaintext, it is possible for a hacker to "sniff" the data packets being transmitted and thus gain access to sensitive information. You can close this hole by using a secure shell utility like OpenSSH to create a secure encrypted "tunnel" for your data to pass through. Encrypting your connections in this manner makes it extremely hard for unauthorised users to read the data going back and forth between network hosts.

4. Disable unwanted services
Most Linux systems are installed with a wide variety of different services enabled, such as FTP, telnet, UUCP, ntalk and so on. In most cases, these services are rarely used and leaving them active is like leaving your windows open for a burglar to slip in. You can disable these services by commenting them out in the /etc/inetd.conf or /etc/xinetd.conf files and then restarting the inetd or xinetd daemon. Additionally, some services (for example, database servers) may start up by default during the boot process; you can disable these by editing the /etc/rc.d/* directory hierarchy. Many experienced administrators disable all system services, only leaving SSH communication ports open.

5. Use a spam and anti-virus filter
Junk e-mail and viruses annoy your users and can sometimes cause critical network failures. Linux is surprisingly resistant to viruses, but client machines running Windows may be more susceptible. Therefore, it's a good idea to install a spam and virus filter on your mail server itself, to "defang" suspicious messages and reduce the risk of a chain of collapses.

Begin by installing SpamAssassin, a leading open-source tool that uses a combination of different techniques to identify and flag spam; the program also supports user-based whitelisting and graylisting for greater accuracy. Next, install procmail for user-level filtering based on regular expressions; this tool allows automatic filtering of received email into mailboxes, at both a user and system level. Finally, install Clam Anti-Virus, a free anti-virus toolkit that integrates with sendmail and SpamAssassin and supports on-access scanning of email attachments.

6. Install an intrusion detection system
Intrusion detection systems (IDS) are early warning systems that let you know if changes occur on your network. They're a great way to identify (and prove) attempts to break into your system, although at the cost of increased resource consumption and potential red herrings. There are two fairly well-known IDS' you can try: tripwire, which tracks file signatures to detect modifications; and snort, which use rules-based directives to perform real-time packet analysis and search and identify attempts to probe or attack your system. Both packets can generate e-mail alerts (among other actions) and are useful when you suspect your network is being compromised but need definitive proof.

7. Perform regular security audits
When it comes to securing your network, this final step is possibly the most important. Here, you put on a black hat and do your best to circumvent the defences you erected in the previous steps. Doing this provides you with an immediate and objective assessment of how hard your system really is, and identifies potential vulnerabilities that you should fix.

A number of tools are available to help you in this audit: you can attempt to hack your password files using password crackers like Crack and John the Ripper; you can use nmap or netstat to look for open ports; you can sniff the network using tcpdump; and you can try exploiting publicised holes in your installed programs (Web server, firewall, Samba) to see if they offer a way in. If you do manage to find a way past your obstacles, rest assured that others will too; take immediate measures to close the openings.

Protecting your Linux system is an ongoing task, and so you shouldn't rest easy once you've done the steps above. Visit the Linux security forums for more security tips, and be proactive in monitoring and updating the security of your system. Good luck!

No comments: